
M13_LP_2nd ed

The document outlines the Qualification Programme (QP) of the Hong Kong Institute of Certified Public Accountants (HKICPA), specifically focusing on Module 13: Business Assurance. It details the structure of the QP, which includes three levels of designations and various modules aimed at developing the necessary competencies for a career in accounting. The document also emphasizes the importance of ethical standards, corporate governance, and assurance engagements in the accounting profession.

Uploaded by

janetse0429

QUALIFICATION PROGRAMME

Professional Module 13
Business Assurance
SECOND EDITION

ffirs.indd 1 12/6/2022 3:12:19 PM


BUSINESS ASSURANCE

MODULE 13
BUSINESS ASSURANCE
Qualification Programme



Second edition 2023

ISBN 9781394158942

Library of Congress Cataloging-in-Publication Data


Library of Congress Cataloging-in-Publication data is available for this book

Published by

John Wiley & Sons, Inc.


111 River Street
Hoboken
NJ 07030, USA

www.wiley.com

The copyright in this publication is jointly owned by


John Wiley & Sons, Inc. and HKICPA.

Cover image: © Lane Oaley/Blue Jean Images/Getty Images


Interior: © Andrey_Popov/Shutterstock

Set in 10/14pt OpenSans by SPi Global, Chennai, India

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form
or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by law. Advice on how
to obtain permission to reuse material from this title is available at http://www.wiley.com/go/permissions.

For details of Wiley’s global editorial offices, customer services, and more information about Wiley products visit us at
www.wiley.com.

Limit of Liability/Disclaimer of Warranty

While the publisher and authors have used their best efforts in preparing this work, they make no representations or
warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties,
including without limitation any implied warranties of merchantability or fitness for a particular purpose. No warranty may
be created or extended by sales representatives, written sales materials or promotional statements for this work.
The content of this work is for educational purposes and standards and regulations should be referred to as definitive
information sources. The fact that an organization, website, or product is referred to in this work as a citation and/
or potential source of further information does not mean that the publisher and authors endorse the information or
services the organization, website, or product may provide or recommendations it may make. This work is sold with the
understanding that the publisher is not engaged in rendering professional services. The advice and strategies contained
herein may not be suitable for your situation. You should consult with a specialist where appropriate. Further, readers
should be aware that websites listed in this work may have changed or disappeared between when this work was written
and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages,
including but not limited to special, incidental, consequential, or other damages.

We are grateful to HKICPA for permission to reproduce the Learning Outcomes and past examination questions, the
copyright of which is owned by HKICPA.

© HKICPA and John Wiley and Sons, Inc. 2023


TABLE OF CONTENTS

Module 13: Business Assurance


Director’s Message
Introduction
HKICPA Proficiency Levels and Taxonomy
Learning Outcomes
Study Text Key Features

PART A PROFESSIONAL STANDARDS AND GUIDANCE
CHAPTER 1: Ethical Standards, Legislation, and Professional Guidance

PART B CORPORATE GOVERNANCE AND RISK MANAGEMENT
CHAPTER 2: Corporate Governance

PART C ASSURANCE ENGAGEMENTS
CHAPTER 3: Client and Engagement Acceptance Procedures
CHAPTER 4: Quality Management Considerations
CHAPTER 5: Planning and Risk Assessment
CHAPTER 6: Audit Procedures and Audit Evidence
CHAPTER 7: The Audit Programme
CHAPTER 8: Using the Work of Others
CHAPTER 9: Major Actions During the Audit Completion
CHAPTER 10: Auditor’s Reporting
CHAPTER 11: Group Audits
CHAPTER 12: Other Assurance Engagement Requirements
CHAPTER 13: Computerised Business Systems and Controls

Further Reading
Glossary of Terms
Index


DIRECTOR’S MESSAGE

Congratulations on choosing the Qualification Programme (‘QP’) of the Hong Kong Institute of
Certified Public Accountants (‘HKICPA’) as your pathway to becoming a CPA! You have joined
thousands of others on this exciting and important journey to develop the knowledge, skills
and perspectives you need to succeed in your career and become a valued member of the
Institute.

The world is evolving rapidly, so too is the business environment. The Accounting
profession faces a number of challenges and trends including technological enhancement,
regulatory development, changing societal expectations and more.

Professional accountants are no longer left only to deal with numbers, but also to analyse
and advise. We are also expected to be highly strategic, collaborative, and to build trust by
demonstrating relevance and value to many aspects of society.

The QP of the HKICPA aims at qualifying accountants with the agility needed to embrace the
changing environment. You will grow and discover a plethora of relevant competencies through
QP by completing training programmes, passing professional examinations and acquiring
practical experience under an authorised employer or supervisor. In the longer term, we hope
that you will succeed not only in accountancy but also in enhancing your employability and
portability so that you will be able to help business and society move forward.

We are delighted to partner with you on your development journey.

The QP consists of three levels of designations:

• The Associate Level aims to build a solid foundation of technical accounting knowledge.

• The Professional Level aims to deepen your technical capabilities and develop core
enabling competences in the workplace.

• The Capstone integrates your knowledge, skills and experiences to resolve business
problems and emerge as a top tier accounting professional.

We have designed this Learning Pack to provide you with the valuable resources for your
development on attaining your CPA designation under the QP. I trust you will be successful and
enjoy your QP journey!

Should you require any assistance at any time, please feel free to contact us on (852) 2287 7228.

Kit Wong
Director of Education and Training
Hong Kong Institute of Certified Public Accountants


INTRODUCTION

Successfully preparing for a career in accounting is a significant undertaking. To better prepare
you for this challenging profession, the Hong Kong Institute of Certified Public Accountants
(HKICPA) provides a qualification programme (QP) comprising three progressive levels: a
10-module Associate Level, a four-module Professional Level including workshops and a
Capstone that includes three-day workshops and a final examination.

The Professional Level of the QP comprises four modules. Each of these modules involves
approximately 120 hours of self-study and an open-book module examination. There are also a
total of five workshops to be completed for the Professional Level. They include a prerequisite
Introductory Workshop and a one-day workshop for each Professional Module.

• Module 11: Financial Reporting
• Module 12: Business Finance
• Module 13: Business Assurance
• Module 14: Taxation

While each of the Associate Level and Professional Level modules stands on its own, the
modules are also arranged in a series of ‘verticals’ that map to the CPA competence blueprint.
These verticals are designed to develop an area of knowledge, through two or three modules,
from basic understanding to professional excellence.

The Financial Accounting and Reporting vertical runs from Module 1, through Module 6 to
Professional Level Module 11: Financial Reporting. A second vertical, Management Accounting,
runs from Module 2, via Module 7 to Professional Level Module 12: Business Finance. The
third vertical, Audit and Assurance, develops from Module 8 to Professional Level Module 13:
Business Assurance. The fourth vertical, Taxation, takes students from Module 9 to Professional
Level Module 14: Taxation.

Each Professional Level module of the new QP requires students to sit a three-hour
examination. Two exam sittings are held each year, in the June and December sessions.

Please refer to the Student Handbook for the examination structure and the cut-off rule on
the examinable content.


HKICPA PROFICIENCY LEVELS AND TAXONOMY

The proficiency level indicated in the table below reflects the level at which the topics covered
in a particular learning outcome are tested. There are three levels of proficiency:

• Level 1 is the foundational level, covering the skills of knowledge and comprehension.

• Level 2 is the intermediate level, covering the skills of application and analysis.

• Level 3 is the advanced level, covering the skills of integration and evaluation.

You are expected to understand which skill is exercised based on the taxonomy verbs with
which it is associated.

Please note that the list of taxonomy verbs below is for reference only and does not
represent an exhaustive list.

LEVEL 1: FOUNDATION

Skill: Knowledge
The remembering of previously learned material (recall of facts)
Verbs and definitions:
• Define: Give the accepted meaning of
• Identify: List or ascertaining possibilities before analysis; Point to the essential part or parts
• List: Provide a concise summary of the relevant points, often in bullet point format
• Outline: Give the main facts about something
• State: Accurately articulate established principles, concepts, terms etc.

Skill: Comprehension
Demonstrative understanding of facts and ideas by organising, comparing, translating, interpreting, giving descriptions and stating main ideas
Verbs and definitions:
• Describe: Communicate the key features of something, present a detailed account of something focusing on depth of knowledge
• Explain: Make clear the details of something; or show how the reason for, or underlying cause of, or the means by which something occurs
• Illustrate: Offer examples, to show how something happens, that something happens, or make concrete a concept by giving examples
• Interpret: Make clear the meaning of something and its implications
• Summarise: Describe something concisely; bring together the main facts


LEVEL 2: INTERMEDIATE

Skill: Application
Using new knowledge. Solve problems to new situations by applying acquired knowledge, facts, techniques and rules in a different way
Verbs and definitions:
• Account for / Demonstrate: Give details of accounting entries to be made for in the context of financial reporting or justify (if used in a more general context); Demonstrate the accounting treatment by using a set of accounts
• Apply: Demonstrate knowledge, concepts or techniques; Use established methods / tools / procedures to resolve relatively straightforward scenarios or problems
• Calculate / Compute: Determine by computation or arrive at by mathematical means or processes
• Prepare: Follow established procedures / methods to create a report of financial information or commentary (e.g. using a proforma spreadsheet)
• Solve: To work out to a result or conclusion
• Use: Apply in a practical way

Skill: Analysis
Examine and break information into parts by identifying motives or causes. Make inferences and find evidence to support generalisation
Verbs and definitions:
• Analyse: To examine methodically by separating into parts and studying the interrelationships in order to discover essential features
• Compare: Critically consider two or more things, emphasising their similarities
• Contrast: Critically consider two or more things, emphasising their differences
• Classify / Categorise: Apply concepts to categorise information or groups into categories
• Justify: Explain the reason for recommendation made, or underlying cause of, based on an analysis of a range of available options
• Prioritise / Determine: Determine the order for dealing with a series of items or tasks according to their relative importance e.g. Determine the priorities / determine the level of importance


LEVEL 3: ADVANCED

Skill: Integration
Compile information together in a different way by combining elements in a new pattern or proposing alternative solutions
Verbs and definitions:
• Construct: To form an idea, a process, or procedure by bringing together various theoretical and conceptual elements
• Design: Develop a procedure/process or course of action based on selection of the optimum combination from a range of available options
• Develop: To bring something into existence that has not previously existed, or to reshape something from its initial position into something more refined; Use judgement to bring to a more advanced or effective state or to create a plan
• Formulate: Devise and put a plan into words
• Integrate: Combine one aspect of learning with another to form a holistic understanding of a process, procedure or course of action
• Plan / Propose: Formulate a detailed proposal for doing or achieving something
• Produce: Draw together similar or disparate items to form a report containing financial and/or non-financial information

Skill: Evaluation
The ability to judge the value of material for a given purpose
Verbs and definitions:
• Advise: Communicate appropriately the recommended course of action based on an analysis of specific circumstances in a manner suited to the recipient
• Appraise: Assess the value or quality of something; or to assess its performance
• Consider: Think carefully about something before making a decision, to look closely or attentively at something through a process involving critical thinking
• Evaluate: Assess and determine the value, importance or qualities of something, normally with reference to specific criteria and draw conclusions
• Recommend: Select the best course of action or choice; Advocate a particular outcome or course of action based on an analysis of a range of available options

References

Anderson, L. W., Krathwohl, D. R., Airasian, W., Cruikshank, K. A., Mayer, R. E., & Pintrich, P. R. (2001). A taxonomy for learning, teaching and assessing: A revision of Bloom’s Taxonomy of educational outcomes: Complete edition. New York: Longman.

The International Federation of Accountants. (2016). Framework for International Education Standards for Professional Accountants and Aspiring Professional Accountants. (2015). Retrieved from https://www.ifac.org

The Government of the Hong Kong Special Administrative Region. (2016). Qualification Framework – Generic Level Descriptors. Retrieved from https://www.hkqf.gov.hk


LEARNING OUTCOMES

Each module includes Principal Learning Outcomes and Supporting Learning Outcomes
arranged along a series of proficiency levels.

Module 13

Syllabus area: Weighting (%)
• Perform assurance engagements: 65–75
• Explain and analyse the professional standards and guidance applicable to assurance engagements: 5–15
• Explain the importance of corporate governance and risk management: 5–15
• Evaluate and advise on computerized business systems and controls: 5–15

The syllabus weighting table indicates the relative weightings of the syllabus areas encompassed
in this module. It serves as a guide to the percentage of study time spent on each syllabus area. In
the long run, the marks allocation in the module examinations would conform to the weightings as
shown above. The exact range of marks allocation in each module examination may deviate from
the weightings for suitably robust questions to be set.


Learning Outcomes (Proficiency Level; Chapter where covered)

PRINCIPAL LO1: PERFORM ASSURANCE ENGAGEMENTS

LO1.01: Prepare, plan and develop assurance engagements including the audits of financial statements in accordance with relevant Hong Kong Standards of Quality Management, Auditing, Assurance and Related Services, guidance and legislation with emphasis on: (Level 2)

Other assurance engagement requirements
1.01.01 Explain why users need assurance reports (Level 1; Chapter 12)
1.01.02 Describe the level of assurance and the issues relating to other assurance and non-assurance engagements, including: (Level 1; Chapter 12)
• Agreed-upon procedures
• Pro-forma financial information
• Investment circular reporting engagements
• Preliminary announcements of annual results
• Continuing connected transaction
• Comfort letters
• Due diligence work
1.01.03 Analyse the potential engagement for the risks it presents to the auditor (Level 2; Chapter 12)
1.01.04 Prepare an engagement letter (Level 2; Chapter 12)
1.01.05 Determine an approach to gathering sufficient appropriate evidence (Level 2; Chapter 12)
1.01.06 Determine the methods, timing and content of communication with those charged with governance (Level 2; Chapter 12)
1.01.07 Analyse the results of evidence collected (Level 2; Chapter 12)
1.01.08 Prepare the engagement report (Level 2; Chapter 12)

LO1.02: Client and engagement acceptance procedures (Level 2)
1.02.01 Explain the reasons why entities change their auditors/professional accountants (Level 1; Chapter 3)
1.02.02 Explain the requirements relating to the appointment of an auditor under the Companies Ordinance (Level 1; Chapter 3)
1.02.03 Explain the procedure for a change of an auditor (Level 1; Chapter 3)
1.02.04 Explain the rights of the auditor in the process of a change of an auditor (Level 1; Chapter 3)
1.02.05 Explain the professional clearance procedures (Level 1; Chapter 3)
1.02.06 Analyse the matters to be considered and the procedures that an audit firm/professional accountant should carry out before accepting a specified new client/engagement including: (Level 2; Chapter 3)
• Client acceptance
• Engagement acceptance
• Agreement of the terms of engagement
• Transfer of books, papers and information
• Engagement risk (including: Management characteristics and integrity, Organisation and management structure, Nature of the business, Business environment (including cyber security), Financial results, Business relationships and related parties and Prior knowledge and experience)

1.02.07 Identify different acceptance/continuance issues (e.g. self-review or familiarity threat) during acceptance procedures and illustrate safeguard to address those threats (Level 1; Chapter 3)

LO1.03: Quality management considerations (Level 3)
1.03.01 Explain the principles and purposes of quality management of audit and other assurance engagements (Level 1; Chapter 4)
1.03.02 Analyse the features of a system of quality management relevant to a specific firm (Level 2; Chapter 4)
1.03.03 Design quality management procedures relevant to a specific audit engagement (Level 3; Chapter 4)
1.03.04 Consider whether an engagement has been performed in line with professional standards and whether reports issued are appropriate (Level 3; Chapter 4)

LO1.04: Planning and risk assessment (Level 3)
1.04.01 Explain the need for planning an audit, the overall audit strategy and the audit plan and their relationship (Level 1; Chapter 5)
1.04.02 Develop the planning documentation including the audit strategy memorandum for a given scenario (Level 3; Chapter 5)
1.04.03 Apply knowledge to demonstrate how auditors obtain an initial understanding of the entity and its environment, including the use of preliminary analytical review procedures (Level 2; Chapter 5)
1.04.04 Explain the components of audit risk (Level 1; Chapter 5)
1.04.05 Evaluate the entity’s significant risks of material misstatements at the financial statement and assertion levels (Level 3; Chapter 5)
1.04.06 Identify significant account balances, classes of transactions and presentation and disclosure (Level 1; Chapter 5)
1.04.07 Determine the effect of fraud and misstatements on audit planning and work (Level 2; Chapter 5)
1.04.08 Explain the effect of laws and regulations, and non-compliance on audit planning and procedures (Level 1; Chapter 5)

LO1.05: Documentation (Level 2)
1.05.01 Explain the need for, and importance of, audit documentation (Level 1; Chapter 6)
1.05.02 Explain the procedures required to pull together audit files (Level 1; Chapter 6)
1.05.03 Prepare the contents of audit work papers on the audit permanent and audit engagement files (Level 2; Chapter 6)

LO1.06: Materiality (Level 2)
1.06.01 Apply materiality in the context of financial reporting and auditing (Level 2)

LO1.07: Internal audit (Level 3)
1.07.01 Explain the purpose of an internal audit function and the types of work undertaken (Level 1; Chapter 8)
1.07.02 Recommend the relevant work that internal audit could undertake in an entity (Level 3; Chapter 8)
1.07.03 Recommend improvements to an entity’s internal audit function (Level 3; Chapter 8)

LO1.08: Audit methodologies (Level 2)
1.08.01 Summarise the key features of the following audit methodologies: (Level 1; Chapter 5)
• Risk-based auditing
• Top-down auditing
• System-based auditing
• Systems audit
• Balance sheet approach
• Transaction cycle approach
• Directional testing
1.08.02 Analyse the cost and performance efficiency of different audit methodologies (Level 2; Chapter 5)

LO1.09: Audit procedures (Level 3)
1.09.01 Define audit sampling (Level 1; Chapter 6)
1.09.02 Explain the need for sampling (Level 1; Chapter 6)
1.09.03 Apply the basic principles of sampling and explain how the assessed risk and materiality affect sampling (Level 2; Chapter 6)
1.09.04 Analyse and explain the results of sampling (Level 2; Chapter 6)
1.09.05 Explain the importance of internal control to an auditor and the execution of tests of control (Level 1; Chapter 6)
1.09.06 Apply knowledge to demonstrate how an auditor identifies weaknesses in internal control systems and how those weaknesses limit the extent of an auditor’s reliance on those systems (Level 2; Chapter 6)
1.09.07 Determine the types of substantive procedures used (including big data analytics) and the issues in evaluating the results obtained (Level 2; Chapter 6)
1.09.08 Explain what is meant by analytical review and apply knowledge to demonstrate how analytical review procedures are used in an audit (Level 2; Chapter 6)
1.09.09 Design, in response to the assessed risk, the appropriate audit tests for: (Level 3; Chapter 7)
• Tangible non-current assets
• Intangible non-current assets
• Inventory
• Receivables
• Bank and cash
• Trade payables and accruals
• Non-current liabilities
• Provisions and contingencies
• Capital and other issues
• Long-term investments
• Segment information
• Revenue
• Purchases
• Wages and salaries
• Financial instruments, e.g. derivative or forward contracts
• Treasury (e.g. bank loan/facility)

1.09.10 Design, in response to the assessed risk, the appropriate procedures and relevant disclosure requirements for the audit of: (Level 3; Chapter 6)
• Accounting estimates
• Fair values
• Opening balances
• Comparatives
• Related party transactions

LO1.10: The confirmation procedures, follow up or alternative procedures for non-reply confirmation (Level 2)
1.10.01 Apply the confirmation procedures to prepare the external confirmation requests (Level 2; Chapter 6)
1.10.02 Apply the follow up procedures on those replied confirmation with disagreements and apply the alternative procedures for any exceptions or non-reply confirmation (Level 2; Chapter 6)

LO1.11: Audit evidence (Level 3)
1.11.01 Explain the procedures by which audit evidence may be obtained (Level 1; Chapter 6)
1.11.02 Describe the appropriateness and sufficiency (relevance and reliability) of different sources of audit evidence (Level 1; Chapter 6)
1.11.03 Identify the information produced by the client which is used as audit evidence and describe our work done (Level 1; Chapter 6)
1.11.04 Plan an approach to gathering sufficient, appropriate audit evidence (Level 3; Chapter 6)
1.11.05 Explain the assertions contained in the financial statements and their use in obtaining evidence (Level 1; Chapter 6)
1.11.06 Explain the need to modify the audit strategy and audit plan following the results of tests of control (Level 1; Chapter 6)
1.11.07 Illustrate why an auditor may rely on the work of others, including internal audit, experts (e.g. experts in cyber security) and service entities (Level 1; Chapter 8)
1.11.08 Develop procedures to make use of the work of others, including internal audit, experts and service entities (Level 3; Chapter 8)
1.11.09 Evaluate whether sufficient audit evidence has been obtained during the audit (Level 3; Chapter 6)

LO1.12: Completion procedures (Level 3)
1.12.01 Evaluate whether sufficient appropriate audit evidence has been obtained during the audit (Level 3; Chapter 9)

1.12.02 Explain the purpose of and procedures to be used during audit completion: (Level 1; Chapters 9, 11)
• A subsequent events review
• A going concern review
• Obtaining written representations from management
• Review of report by component auditors to the group auditor
• Overall review of the financial statements
• Review of other published information
1.12.03 Explain the procedures required to identify and audit related party transactions (Level 1; Chapter 9)
1.12.04 Evaluate misstatements identified during the audit (Level 1; Chapter 9)
1.12.05 Explain the follow up on illegal act or fraud found while performing an audit especially in the case of money laundering or corruption (Level 1; Chapter 9)
1.12.06 Plan the procedures to be conducted at the completion of the audit (Level 3; Chapter 9)
1.12.07 Communicate with those charged with governance (Level 2; Chapter 9)

LO1.13: Reporting (Level 3)
1.13.01 Prepare a management letter to report on internal control weaknesses and to make recommendations to overcome those weaknesses (Level 2; Chapter 9)
1.13.02 Communicate with management or those charged with governance (Level 2; Chapter 9)
1.13.03 Analyse the format and content of modified and unmodified auditor’s reports (Level 2; Chapter 10)
1.13.04 Recommend an appropriate audit opinion based on the audit evidence collected (Level 3; Chapter 10)
1.13.05 Prepare final reports for the audit (Level 2; Chapter 10)

LO1.14: Audits of Group Financial Statements (including the work of component auditors) (Level 3)
1.14.01 Explain how consolidated financial statements are produced (Level 1; Chapter 11)
1.14.02 Evaluate whether a group’s control environment and control systems are effective (Level 3; Chapter 11)
1.14.03 Recommend control procedures that a group should implement over its operations and the preparation of consolidated financial statements (Level 3; Chapter 11)
1.14.04 Evaluate a potential group audit engagement for the acceptance risks it presents to the audit firm (Level 3; Chapter 11)
1.14.05 Consider risk of group audit in addition to a single company audit (e.g. different accounting policies) (Level 2; Chapter 11)
1.14.06 Prepare an audit engagement letter for a group (Level 2; Chapter 11)
1.14.07 Plan procedures to develop a sufficient understanding of the group, as a client, and a component auditor for audit purposes (Level 3; Chapter 11)

1.14.08 Recommend an appropriate planning materiality to be applied to components (Level 3; Chapter 11)
1.14.09 Consider the significant components and evaluate to determine the type of work to be performed on the financial information of significant components and components that are not significant (Level 3; Chapter 11)
1.14.10 Plan an approach to gathering sufficient appropriate audit evidence from the component auditor (Level 3; Chapter 11)
1.14.11 Evaluate the information collected about a group to identify the significant risks of material misstatement in the group financial statements (Level 3; Chapter 11)
1.14.12 Develop the group audit strategy memorandum for communication to a component auditor (Level 3; Chapter 11)
1.14.13 Plan the methods, timing and content of communication with those charged with corporate governance and with component auditors during the audit (Level 3; Chapter 11)
1.14.14 Design procedures to substantively test the group’s consolidation (Level 3; Chapter 11)
1.14.15 Prepare the group audit completion documents (Level 2; Chapter 11)
1.14.16 Recommend an appropriate audit opinion for the group, parent company and component financial statements based on the audit evidence collected (Level 3; Chapter 11)

PRINCIPAL LO2: EXPLAIN AND ANALYSE THE PROFESSIONAL STANDARDS AND GUIDANCE APPLICABLE TO ASSURANCE ENGAGEMENTS

LO2.01: Explain and analyse the relevant provisions of ethical standards, legislation and professional guidance (Level 2)
2.01.01 Demonstrate an understanding of the fundamental auditing principles and the conceptual framework approach to auditing (Level 2; Chapter 1)
2.01.02 Analyse threats to compliance with the fundamental ethical principles (Level 2; Chapter 1)
2.01.03 Analyse the effectiveness of available safeguards (Level 2; Chapter 1)
2.01.04 Analyse conflicts in the application of fundamental principles for Professional Accountants in practice and in business (Level 2; Chapter 1)
2.01.05 Explain the importance of adherence to professional standards and guidance (Level 1; Chapter 1)
2.01.06 Explain the regulatory framework for assurance and non-assurance engagements in Hong Kong (Level 1; Chapter 1)
2.01.07 Explain the nature and purpose of assurance and non-assurance engagements (Level 1; Chapter 1)

PRINCIPAL LO3: EXPLAIN THE IMPORTANCE OF CORPORATE GOVERNANCE AND RISK MANAGEMENT

LO3.01: Recommend appropriate practices an entity should put in place to achieve good corporate governance (Level 3)
3.01.01 Explain the roles of audit committee, auditor and management in corporate governance (Level 1; Chapter 2)

3.01.02 Explain the objectives, concepts, relevance and importance of corporate governance to capital markets and preventing corporate failure (Level 1; Chapter 2)
3.01.03 Describe the provisions of international codes of corporate governance (such as OECD) that are most relevant to auditors (Level 1; Chapter 2)
3.01.04 Explain corporate governance developments in Hong Kong and the structure of the Code on Corporate Governance Practices and Corporate Governance Report in Hong Kong and how these contribute to effective corporate governance (Level 1; Chapter 2)
3.01.05 Explain the concept of stakeholder theory in corporate governance (Level 1; Chapter 2)
3.01.06 Describe the corporate governance requirements as set out in the Companies Ordinance and Hong Kong Stock Exchange Listing Requirements relating to directors’ responsibilities (e.g. risk management and internal control) (Level 1; Chapter 2)
3.01.07 Explain the responsibilities of management within the corporate governance framework (Level 1; Chapter 2)
3.01.08 Analyse the structure and roles of board committees and discuss their drawbacks and limitations (Level 2; Chapter 2)
3.01.09 Explain an auditor’s responsibilities to consider and address corporate governance requirements (Level 1; Chapter 2)
3.01.10 Explain the effect of the Sarbanes-Oxley Act on Hong Kong companies and their auditors (Level 1; Chapter 2)
3.01.11 Evaluate the corporate governance arrangements in a given scenario and recommend improvements to address identified weaknesses (Level 3; Chapter 2)

PRINCIPAL LO4: EVALUATE AND ADVISE ON COMPUTERISED BUSINESS SYSTEMS AND CONTROLS

LO4.01: Evaluate and advise on computerised business systems and controls of an entity (Level 3)
4.01.01 Explain how an effective IT department should be structured (Level 1; Chapter 13)
4.01.02 Describe the functions that should be carried out by the IT department (Level 1; Chapter 13)
4.01.03 Describe the contents of an IT strategy (Level 1; Chapter 13)
4.01.04 Explain the importance of e-commerce to a business (Level 1; Chapter 13)
4.01.05 Explain the characteristics of an entity operating a networked computer system (Level 1; Chapter 13)
4.01.06 Explain the characteristics of an entity operating with standalone PCs (Level 1; Chapter 13)
4.01.07 Describe examples of general and application controls (Level 1; Chapter 13)
4.01.08 Prepare documentation of key systems (Level 2; Chapter 13)
4.01.09 Analyse an entity’s controls within selected processes (Level 2; Chapter 13)
4.01.10 Design appropriate procedures to test the operation of an entity’s control system, including the IT environment, and the effectiveness of its cyber security safeguard (Level 3; Chapter 13)

4.01.11 Evaluate the outcome of the testing of the control system to address identified weaknesses 3 13
4.01.12 Recommend IT controls that are appropriate to the entity 3 13
4.01.13 Identify and explain the effect of e-commerce on the auditor’s risk assessment and audit approach 1 13
4.01.14 Identify the knowledge and skills required to audit an entity’s e-commerce activities 1 13
4.01.15 Design effective business processes including key controls activities 3 13
4.01.16 Advise on the risks relating to particular business processes 3 13


STUDY TEXT KEY FEATURES

Each of the Associate Level and Professional Module texts includes a series of pedagogical
features designed to help QP candidates better absorb the material, reach the required
proficiency levels and meet the outlined Learning Outcomes (LOs).

The aim of these features is to help students understand the content while regularly
reinforcing concepts and building the skills necessary to successfully complete each of the
modules and progress through the Associate Level, the Professional Level and the Capstone.

Each chapter includes these features:

• Chapter topic list: A succinct list of the specific topics covered in the chapter.

• Learning outcomes: Outlines the specific knowledge points covered in the chapter and
the specific skills related to each learning outcome (LO) discussed in the chapter.

• Opening case: A case study that aims to relate the material covered in the chapter
to a real-life situation. At times, this opening case may be linked to opening cases in
other chapters.
• Overview: Provides a more detailed preview of the material covered in the chapter.

• Exhibits and charts: Through illustrations and examples, exhibits and charts aim to
convey information in graphic fashion or actual examples of accounting, reporting or
calculations that are likely to be used in actual practice.

• Illustrative examples: Case studies that explore specific issues related to the chapter
topics and further understanding of the LOs.

• Apply and analyse: Exam questions with analysis provided to show how to approach
answering the question and apply what was learned from the concepts presented in
the chapter.

• Ethics in practice: Ethical discussions on issues that may arise during professional practice.

• Key learning point: A concise summary of a salient point that is key to achieving
chapter LOs.

• Knowledge check questions: A set of questions geared at furthering students’
understanding of specific topics, working through problems and meeting the chapter LOs.

• Summary: A list of the concepts and topics covered in the chapter in an easy-to-
review format.

• Mind map: A graphic depiction of the knowledge conveyed in the chapter to facilitate
understanding of the LOs.

• List of formulas: A compilation of the equations introduced in the chapter.

• Exam practice questions: Questions similar to those likely to be featured in the
examination paper required for each QP module.

Part A
Professional Standards and Guidance

Chapter 1 Ethical Standards, Legislation, and Professional Guidance

CHAPTER TOPIC LIST

1.1 Auditing and Assurance
    1.1.1 Objectives of Auditing and Assurance Services
    1.1.2 Demands for Auditing and Assurance Services
    1.1.3 Financial Statement Users
1.2 Auditing and Assurance Standards
    1.2.1 Role of Regulators and Regulation (including Statutory Audits)
    1.2.2 Hong Kong Standards and Guidelines for Auditing and Assurance
1.3 International Standards and Guidelines for Auditing and Assurance
1.4 Types of Audits
    1.4.1 External Audits
    1.4.2 Internal Audits


LEARNING OUTCOMES

PRINCIPAL LO2: EXPLAIN AND ANALYSE THE PROFESSIONAL STANDARDS AND GUIDANCE
APPLICABLE TO ASSURANCE ENGAGEMENTS
LO2.01: Explain and analyse the relevant provisions of ethical standards, legislation and
professional guidance
2.01.01 Demonstrate an understanding of the fundamental auditing principles and the conceptual
framework approach to auditing
2.01.02 Analyse threats to compliance with the fundamental ethical principles
2.01.03 Analyse the effectiveness of available safeguards
2.01.04 Analyse conflicts in the application of fundamental principles for Professional Accountants in
practice and in business
2.01.05 Explain the importance of adherence to professional standards and guidance
2.01.06 Explain the regulatory framework for assurance and non-assurance engagements
in Hong Kong
2.01.07 Explain the nature and purpose of assurance and non-assurance engagements


OPENING CASE

BRIEFING THE AUDIT COMMITTEE OF A NEWLY LISTED HONG KONG COMPANY

As audit engagement manager, you have been requested to advise the recently formed
Audit Committee of Keeson Inc, a newly listed company. The company has previously
been developed as a tightly held family business and its senior management have technically
advanced computing skills. None of the senior managers have experience working with
external auditors, regulators, and financial markets. They are aware of the importance of good
governance and wish to earn a good rating in the market for running their operations well. The
senior management team understands the importance of audit and is keen not to be criticised
for their financial accounting or governance.

As part of their governance structure, an Audit Committee has been appointed by
the Board to oversee the financial reporting and auditing functions. It is comprised of
non-executive directors and is trying to understand the nature of auditing and assurance and
what services external auditors provide and what they, as an audit committee, can learn from
the reports and any briefings that arise from these engagements. They too have a technology
background rather than a significant history in financial or accountability matters. They say that
they value the benefits that could come from having external experts, with experience of many
other companies, consider their financial statements, their controls, and, more generally, how
they are developing their operations.

You recognise that Keeson Inc is a very promising company that is likely to require a range
of services. You have been invited to the first meeting of the Audit Committee to explain the
audit and to identify services your firm might provide to the company. At the same time, you
face the task of outlining the limits to providing those services that come from the firm being
the external auditor.


OVERVIEW

INTRODUCTION TO AUDITING
There is an increasing demand for those who are responsible for an activity to be accountable
for their performance to those parties who have a strong interest in the outcome of that
activity. The information that is provided to those interests forms part of the input to assist
in their decision making about those activities. These users of information need to have
confidence that the information provided by those responsible for the activity can be depended
upon. This demand is met in the form of ‘assurance’ reports issued by independent assurance
providers, of which members of the accountancy profession are a major example.

It is important to understand the broad concept of assurance and its role in reducing
information risk for user decision making in accountability and governance relationships.
Exhibit 1.1 provides a map for the coverage of the chapter.

[Exhibit 1.1 diagram. Elements shown: Objectives of auditing and assurance services; The regulatory environment; The assurance framework, standards and guidance; The needs of users; Non-traditional assurance services; Types of engagement]

EXHIBIT 1.1 The assurance environment

This chapter focuses primarily on the nature and purpose of the audit of financial
statements as a common form of assurance engagement. These engagements are subject to
statutory and professional regulation, which will be explained in this section. The chapter will
also cover some different types of assurance engagements that have developed in recent years
as different needs have emerged within the commercial and general community.

Two types of auditors, external and internal auditors, are introduced in this chapter and the
different roles both types have in the accountability and governance process are discussed.


1.1 AUDITING AND ASSURANCE

Assurance engagements can be undertaken on a broad range of financial and non-financial
information. An audit is just one form of assurance engagement, with the financial statement
audit being one of the most common and prominent forms of independent assurance
engagement. It is prominent because the external auditor’s report accompanies the financial
statements that are lodged with corporate regulators and securities exchanges.

It is also important to understand that there is a difference between external and internal
auditors. While many of the techniques and processes used by these two groups of auditors
are similar, their roles and objectives are different.

An external auditor is independent of the entity being audited and is appointed to
express an opinion on a selected subject matter. For example, an auditor appointed under
the Companies Ordinance (Chapter 622) 2014 is to report to shareholders on the company’s
financial statements. Ethical guidance on how an external auditor determines whether they
are independent is provided in the profession’s code of ethics. The Code of Ethics is discussed
further in Section 1.2.2.2.

The concept of independence as it applies to external auditors requires that there is
a clear distinction between those who are responsible for the preparation of the financial
statements (i.e. company management on behalf of those charged with governance (the
Board of Directors)) and the auditor whose role is to provide to external users an opinion on
the financial statements prepared by management/directors. The auditing and accounting
functions are therefore separate activities and the responsibility of different parties in the
accountability process.

An internal auditor undertakes examinations and reviews of the activities of the entity as a
service to the entity’s management. For example, in the context of financial statement auditing,
the internal audit function is generally regarded as part of the internal control system that
assists the management of an entity in preparing reliable financial statements. An internal audit
can, however, have a much broader mandate within an entity and provide a range of services
to management and the directors, which will be dealt with later in Section 1.4. An internal audit
can be conducted by employees of the entity or by external service providers.

1.1.1 Objectives of Auditing and Assurance Services


As a broad concept, assurance is a service that aims to reduce information risk to users
of financial and other information. It aims to provide assurance about the relevance and
representational faithfulness of information so that users can make more informed decisions.
In other words, the assurance is confirming the pertinence of the information as a basis for
the decisions to be made and the correspondence of the information being reported to what
is transpiring. The preparer is making actual or implied assertions about the information being
made available and the assuring party is providing an independent opinion on those assertions
based on appropriate evidence gathered. An audit should assist the reader or user of a
document in determining how much trust they should place in the information that is being
presented to them.


1.1.1.1 Framework for Assurance Engagements


To understand an audit as one form of assurance engagement, it is important to consider the
Hong Kong Framework for Assurance Engagements (Framework) issued by the Hong Kong Institute
of Certified Public Accountants. While this document does not mandate any requirements for
the performance of assurance engagements, it provides the framework for the development
of auditing standards and standards for other assurance services that do establish such
requirements.

Paragraphs 10 and 11 of the Framework define an assurance engagement as:

‘. . . an engagement in which a practitioner aims to obtain sufficient appropriate
evidence in order to express a conclusion designed to enhance the degree of confidence
of the intended users other than the responsible party about the outcome of the
measurement or evaluation of the underlying subject matter against criteria.

The outcome of the measurement or evaluation of the underlying subject matter is the
information that results from applying the criteria to the underlying subject matter’.

Paragraphs 22 and 26 of the Framework identify the following preconditions and elements
for an assurance engagement (Exhibit 1.2):

• A three-party relationship involving an assurance practitioner, a responsible party, being
those who are responsible for accounting for their performance, and an intended user
of the information. The role and responsibilities of these parties should be suitable in
the circumstances such that the engagement serves that accountability relationship.

• Appropriate underlying subject matter. This is the activity or area for which the
responsible party is accountable. Information on the subject matter can be qualitative,
quantitative, historical, and prospective, at a point in time or for a period.

• Suitable criteria as a benchmark for recognising, measuring, and presenting the subject
matter. They need to be suitable to the engagement circumstances. The criteria in
a specific engagement should be available to the intended users to facilitate their
effective use of the subject matter information.

• Sufficient appropriate evidence to support a conclusion as to whether the subject matter
is free of material misstatement. The approach to the planning and performance of
the engagement involves an attitude of professional scepticism involving a critical
assessment of the evidence obtained. It involves applying professional judgement in
considering materiality and determining the nature, timing, and extent of procedures to
obtain the evidence.

• A written report containing the practitioner’s conclusion after doing the work required
within the context of a specific type of assurance engagement. The form of the report
is to be appropriate in a reasonable assurance engagement or a limited assurance
engagement.

[Exhibit 1.2 diagram. ASSURANCE FRAMEWORK at the centre, surrounded by five elements:
Three-party relationship - Information preparers, users/potential users and the assurance provider;
A subject matter and information - Matter to be addressed and assertions therein;
Criteria - Prepared in accordance with an applicable framework;
Sufficient audit evidence - Gathered by applying assurance principles and procedures;
Written report - Assurance provider’s independent opinion]

EXHIBIT 1.2 The assurance framework

Assurance engagements can be undertaken on a range of different subject matters that
include, but may not be limited to:

1. Historical financial performance in financial statements,

2. Prospective financial information such as forecasts contained in due diligence or share
offer documents,

3. Adequacy and effectiveness of systems of internal control and IT systems,

4. Physical characteristics such as the capacity of a facility,

5. Compliance with legislation,

6. Greenhouse gas emissions, and

7. The efficiency and effectiveness of the use of an entity’s resources.

This range of subject matter has led to the development of a range of different types of
audit, such as compliance, performance, and comprehensive and social responsibility audits.
These will be addressed later in this chapter.

Apply and Analyse 1


Now consider the situation where the audit committee of Keeson Inc indicates that it has
a short-term concern about the preparation of the first set of financial statements for the
company. They want to know if you can assist in such preparation until all the planned
accounting staffing is hired over the next two years. They would want any of your firm’s
staff working on the financial statements to be separated from the external audit function
and to report to the CFO.

Explain how you would assist the Audit Committee with its request.

Analysis

The audit committee should be advised that, as the audit is to be carried out under the
Companies Ordinance, in accordance with HKICPA standards and being mindful of HKEX
requirements, preparation of the financial statements is the responsibility of the
directors of the company. The external auditor must remain independent of the company
and is to report to users. It is thus not possible for the auditor to assist in the preparation
of the financial statements on which they are reporting.

1.1.1.2 An Audit Assurance Engagement


The focus in this section is on the auditing standards developed under the Framework
described above and as applied to the audit of financial statements. These standards identify the
objective of a financial statement audit and the auditor’s responsibilities when conducting such
an audit. The underlying concept is more broadly discussed in Section 1.4.1 as the basis for
understanding the concepts and standards of auditing covered in later modules.

The elements of the Framework are satisfied for a financial statement audit in the
following manner:

• Three-party relationship. For audits under the Companies Ordinance there will be the
company directors (responsible party), the company shareholders, creditors and other
third parties (intended users of the financial statements), and the auditor (assurance
practitioner) appointed by, and reporting to, the shareholders. (Framework 27–38)

• Underlying subject matter. The entity’s financial position, its financial performance and its
cash flows are the ‘subject matter’. The entity’s financial statements comprise the
‘subject matter information’. (Framework 39–41)

• Suitable criteria. The criteria will come from the applicable financial reporting framework
relevant to the entity and its business. For example, they will come from the Hong Kong
Financial Reporting Standards and Regulations that are to be complied with when
preparing the financial statements under the Companies Ordinance. (Framework 42–49)

• Sufficient appropriate audit evidence. The audit principles and procedures applied by the
auditor in accordance with auditing standards will allow the auditor to obtain sufficient
appropriate audit evidence as to whether the financial statements are prepared in
accordance with the applicable financial reporting framework. (Framework 50–82)

• Written report. The auditor’s written conclusion/opinion will be provided in the auditor’s
report on whether the financial statements have been prepared in accordance with the
applicable reporting framework. (Framework 83–92)

This relationship is summarised in HKSA 200 Overall Objectives of the Independent Auditor
and the Conduct of an Audit in Accordance with Hong Kong Standards on Auditing, paragraph 3:

‘The purpose of an audit is to enhance the degree of confidence of intended users in the
financial statements. This is achieved by the expression of an opinion by the auditor on
whether the financial statements are prepared in all material respects in accordance with
an applicable financial reporting framework’.

1.1.1.3 Attest and Direct Reporting Audits


An audit can either be an ‘attest’ or a ‘direct’ reporting engagement.

In paragraph 12 of the Assurance Framework, an attest engagement is described as an
engagement where a party other than the auditor measures or evaluates the subject matter
against the criteria and then presents the information in a written report, that is, as a written
assertion. The auditor then issues a report/opinion as to the appropriateness of that assertion.
The auditor’s report/opinion enhances the credibility of the assertion.

In paragraph 13 of the Framework, a direct engagement is where a party other than the
auditor retains responsibility for the subject matter, but the auditor measures or evaluates the
underlying subject matter against the criteria. The auditor obtains sufficient appropriate evidence
about the outcome of the measurement or evaluation and reports that information and opinion
directly in the auditor’s report. The responsible party does not make a written assertion on the
subject matter. An example could be an auditor reporting on the compliance of a company with a
set of regulations without management/directors having asserted anything in writing.


In most cases, a financial statement audit is an attest audit. This is the case under the
Companies Ordinance where the company’s financial statements are prepared and presented
by the directors, along with a report by the directors that the financial statements have been
prepared as required by the Companies Ordinance, that is, a written assertion.

1.1.1.4 Level of Assurance


The Framework identifies two levels of assurance and assurance engagements:

• Reasonable

• Limited

The objective when designing a reasonable assurance engagement is to reduce the
assurance engagement risk, that is, the risk that the assurance provider expresses an
inappropriate conclusion on the subject matter, to an acceptably low level in the circumstances
of the engagement (Framework 14). In the case of a financial statement audit, the audit objective is to reduce
the risk of not detecting a material misstatement in the financial statements. The risk of material
misstatement exists if there is a reasonable possibility of a misstatement occurring (likelihood) and of it
being material if it does occur (magnitude). This is communicated as a positive expression of opinion
(Framework 84). For example, under the Companies Ordinance the auditor expresses the opinion that the
financial statements are ‘true and fair in accordance with the financial reporting framework’.

The HKICPA Glossary (Clarified) of Terms Relating to Hong Kong Standards on Quality
Management, Auditing, Review, Other Assurance Related Services and Framework identify
reasonable assurance as a high, but not absolute, level of assurance (HKSA 200.5). This is the highest level of
assurance provided by an auditor and the level of assurance generally associated with an
audit engagement.

An audit does not provide absolute assurance. While the auditor plans and conducts an
audit to obtain sufficient appropriate evidence on which to base the opinion, much of that
evidence is persuasive rather than conclusive, as there are inherent limitations to an audit.
For example:

• The auditor applies professional judgement in identifying the risks that the subject
matter is materially misstated, selecting the appropriate procedures to apply in the
circumstances and interpreting the evidence gathered during the audit process.

• The audit process generally involves the use of sampling techniques to limit the number
of transactions and events tested. It is often impracticable to test all transactions or
circumstances. The potential for misstatement (sampling error) exists if the entire
population is not tested in this way.

• In many situations the nature of the subject matter involves estimates and judgements
by the responsible party. Corroborative evidence is limited.

• The nature of fraud, which may involve collusion, deception, and attempts to conceal,
means that it may not be detected, even if an audit has been appropriately conducted
and due diligence applied.

• There are inherent limitations to control systems within entities. For example, systems
may fail due to human error or when inappropriately overridden.


Therefore, in a financial statement audit, reasonable assurance is the degree of satisfaction
that the evidence obtained by the auditor supports the assertions implicit in the financial
statements; that is, the auditor is sufficiently confident that the financial statements are not
materially misstated. This is conveyed to users in the audit opinion accompanying the financial
statements.

Apply and Analyse 2


Consider, for example, the situation where you have heard the Chair of the Audit
Committee of Keeson Inc say on several occasions that he wants to be sure their financial
statements are correct and free from error. The Audit Committee has responded by
wanting to set a very low bar for materiality for the preparation of financial statements.
If anything is missed by the company, they have expressed the hope that the external
auditor would then find it.

Explain what is implicit in the thinking of the Chair and Audit Committee. Describe how
you would advise the Audit Committee on this matter.

Analysis

Implicit in this view is a misunderstanding by the Audit Committee of the concept of
reasonable assurance. They need to understand that there are limits to the financial
statements that come from volume and complexity. The preparer needs to make many
judgements and have in place systems that capture as much relevant data as possible. The
Audit Committee also needs to understand the notion of ‘reasonable assurance’ from both
an auditor’s perspective and as a preparer, and that there are inherent limitations to the
audit process and that the audit opinion does not provide an absolute level of assurance
that no fraud or error has occurred.

Limited assurance engagements involve situations in which the level of risk of an
inappropriate conclusion is greater than for a reasonable assurance engagement and therefore
the level of assurance provided by the assurance provider cannot be as great. These
engagements are generally referred to as review engagements. The auditor will use audit
expertise and apply fewer audit procedures, primarily enquiry and analytical procedures, and
any knowledge gained from any previous engagements with the client entity. This results in less
evidence being obtained on which to form an opinion (Framework 15, 16). The auditor reports in the form of a
negative expression of opinion; for example, the auditor has carried out a review of the financial
statements, but nothing has come to the auditor’s attention to indicate that those statements
are not true and fair in accordance with the accounting framework. This is also known as
negative assurance (Framework 86).

Limited assurance engagements typically involve some practical constraint that precludes
the conduct of a full audit. A common example of the subject of such an engagement is an
interim set of financial reports. Such reports are more limited in content than full financial
statements and the timeliness of their issuance is considered critical. The auditor brings an
audit-based knowledge to such an engagement but sets out only to provide limited assurance.
The design of the engagement is decided by the auditor.

Not all engagements undertaken by individuals or firms that commonly provide assurance
services are in fact assurance engagements. One such engagement is an
agreed-upon-procedures engagement. These engagements are covered by related services standard
HKSRS 4400 (Revised) Agreed-Upon Procedures Engagements.

The practitioner applies procedures to which the auditor and entity, and any applicable
third party, have agreed, and that might be used in an audit of a specific subject matter.

For example, a client may have concerns about the fact that some items of equipment are
missing or that the asset records are not accurate. They may ask the auditor to undertake some
procedures in this area and request the following procedures be undertaken, and the auditor
agrees to perform those procedures and report the outcome:

• Check the addition of the asset register and compare the amount to the general
ledger account.

• Check that the asset register has recorded the bar code attached to each asset.

• Select a sample of assets from the asset register and physically sight those assets and
check that the bar code corresponds to the asset register recording.

• Select a random sample of physical assets and check that they are recorded correctly in
the asset register.

• Select a random sample of assets and verify the amount recorded in the asset register
against the original purchase invoice.

• Select a random sample of assets and check the depreciation calculation and the
recording of that amount in the accounting records.

The report provides the client with the factual findings from applying those procedures, but
does not offer a conclusion in the same way as they would for an audit. The client interprets
the factual findings in the context of their business and draws their own conclusions. A report
might find that some items of office equipment are missing from an entity when an assurance
practitioner applies the agreed procedures to an asset register. An entity’s management will
need to interpret those results and decide whether the findings need further investigation for
employee fraud or the accounting controls over their asset recording.

The user therefore derives their own assurance from the information provided. No
assurance is provided by the auditor as the independence requirements of the profession are
not met given that the auditor agrees the procedures with the entity/user rather than having
the ability to determine the nature, timing, and extent of the procedures that they might
require to be able to provide assurance.

Preparation of tax returns and consulting engagements are not assurance engagements
even though the client may take comfort from having a tax expert handle the assignment.


Apply and Analyse 3


Understanding that there are a number of potential assurance and non-assurance
engagements that can be provided by an auditor, consider the following in relation
to Keeson Inc. The Board has asked the Audit Committee to request that the external
auditor checks the number of patent applications lodged (granted and pending) and their
correspondence to the company’s register of contracts with co-venturers necessarily
involved in such applications. They are concerned that the application process may have
advanced more quickly than the formal contracting with those co-venturers.

Describe and explain the options that exist for an engagement to be undertaken to
assist with the above issue.

Analysis

The most likely type of engagement that could be entered into with Keeson Inc would
be an agreed-upon procedures assignment. However, the Audit Committee needs
to understand that this engagement will report factually on what was discovered and it
will provide no assurance about the state of the register and its correspondence with
applications lodged. For example, the auditor might report that it tested a selection
of applications received from the client against the register and found that 5 were not
recorded as at the time of checking. The Audit Committee might then wish to have more
work done by its staff on the register.

Another option would be to undertake a direct assurance review engagement in which
limited assurance would be provided. The auditor could apply limited audit procedures
and report whether anything was found to indicate that the register was inadequate. Given
the concerns of the client in the first place, it is likely that some limitations in the register
will be found and, given the limited procedures applied in a review engagement, the
auditor’s findings may be of limited use.

The third option is to do a direct audit of the register in which all relevant aspects of
the register are subject to a full-scale audit in which the auditor would form an opinion
on the implicit assertion that the register was complete and entered on a timely basis.
However, this may be too costly for the benefit sought by the client in this case.

In summary, a financial statement audit is therefore an engagement where the objective is
to provide a positive expression of opinion that provides a reasonable level of assurance about
the financial statement preparer’s assertion that the financial statements are true and fair
in accordance with the applicable financial reporting framework, in order to enhance the
credibility of that assertion for the users of the financial statements.

A review engagement is one in which the auditor is to provide a negative assurance opinion
that provides only limited assurance. The scope of the engagement is still determined by
the auditor but the auditor gathers less audit evidence and so is constrained in the form of
opinion expressed.

Exhibit 1.3 provides a view of the possible engagements.

Engagements:
• Assurance, attest: reasonable assurance or limited assurance
• Assurance, direct: reasonable assurance or limited assurance
• Non-assurance (e.g. account preparation): no assurance

EXHIBIT 1.3 Forms of engagement/levels of assurance

Given the array of possible engagements, it is fundamental to the acceptance of an
engagement that the nature of the engagement is clear as to what degree of assurance can or
cannot be provided.

1.1.1.5 Differences Between Auditing, Accounts Preparation, and External and Internal Auditors

Accountability involves a relationship in which one party is responsible for its actions in
relation to a matter and is to report to another party, internal or external to the entity, as to its
performance in relation to that matter.

In the context of financial reporting under the Companies Ordinance, it is the responsibility
of the directors to provide information to the shareholders to assist shareholders in making
informed judgements about the financial position and performance of the company.

It is important to distinguish the different functions of the participants in that relationship.
There needs to be a clear distinction between the preparers of the financial statements and the
auditor, and between the role of external and internal auditors.

The responsibility for the preparation of financial statements rests with the directors/
management of a company as they have an accountability relationship with the shareholders.
It is the role of the independent external auditor to enhance the degree of confidence of the
shareholders that the financial statements have been prepared in accordance with the
applicable financial reporting framework for use in their decision making (Exhibit 1.4).

The financial statements issued by a company are in effect a summary of all the
transactions and events that have occurred in the past and during the relevant reporting
period, that determine its financial position and performance, and that are presented in
accordance with the applicable financial reporting framework. This framework for companies
comprises accounting standards issued for the preparation of general purpose financial
statements or special purpose financial statements, and any requirements required under the
Companies Ordinance.

Management:
• Transactions and events
• Process, systems and internal control structure to record transactions and events
• Summarise accounting data
• Assertions and representations in the form of financial statements in accordance with
applicable accounting framework

Independent auditor:
• Audit process and procedures to gather evidence on which to form a conclusion whether the
financial statements are in accordance with applicable financial reporting framework
• Issue audit report to enhance confidence in the assertions and representations in the
financial statement

Financial report and auditor’s report distributed to shareholders and available to other
third-party users

EXHIBIT 1.4 Accounts preparation and audit responsibility

The accounts preparation process involves the company’s accountant, management,
and directors preparing the financial statements from the accounting data contained in
the underlying accounting records, including judgements and estimates where necessary.
Embodied in the financial statements produced in the accounts preparation process are several
assertions that are generally recognised in accounting. In relation to classes of transactions and
events within the period under audit, these assertions are:

• Occurrence. The recorded or disclosed transactions and events have taken place and
relate to the company.

• Completeness. All the transactions and events that should have been recorded have
been recorded, and all related disclosures that should have been included in the
financial statements have been included.

• Accuracy. The transactions and events have been recorded at the appropriate amounts
and related data has been appropriately documented, and related disclosures have
been appropriately measured and described.

• Cut-off. Transactions and events have been recorded in the correct accounting period.

• Classification. The transactions and events have been recorded in the proper accounts.

• Presentation. Transactions and events are appropriately aggregated or disaggregated
and clearly described, and related disclosures are relevant and understandable in the
context of the requirements of the applicable financial reporting framework.

In addition, the account balances and related disclosures at the end of the accounting
period include similar assertions:

• Existence. The recorded assets, liabilities, and equity interests exist.

• Rights and obligations. The entity holds or controls the rights to assets, and liabilities are
the obligations of the entity.

• Completeness. All assets, liabilities, and equity interests have been recorded and all
related disclosures included.

• Accuracy, valuation, and allocation. The financial statements include all assets, liabilities,
and equity interests at appropriate amounts, including the recording of any valuation or
allocation adjustments, and there is appropriate disclosure.

• Presentation. Assets, liabilities and equity interests are appropriately aggregated
or disaggregated and clearly described, and related disclosures are relevant and
understandable in the context of the requirements of the applicable financial reporting
framework.

• Classification. Assets, liabilities, and equity have been recorded in the proper accounts.

(HKSA 315.A190 (Revised 2019))

Accounts preparation is therefore the responsibility of the directors/management to:

• Establish a process, system, and internal control structure to record the transactions
and events of the company during the appropriate accounting period;

• Summarise the accounting data, maintain adequate accounting records, and
prepare financial statements in accordance with the applicable financial reporting
framework; and

• Present those financial statements to shareholders and other users who have a
vested interest in the company to assist in their decision-making process relating to
the company.

As previously stated, the financial statements are a series of assertions and representations
by the directors/management about the financial position and results of the company.

The independent external auditor is therefore providing an attestation function through the
process of assessing the risk that the assertions and representations in the financial statements
are not in accordance with the relevant financial reporting framework. To achieve this, external
auditors apply a process of gathering evidence about the assertions, evaluating that evidence,
and communicating their conclusion through their audit report as to whether in their opinion
the financial statements present a true and fair view in accordance with the applicable financial
reporting framework.

This therefore fulfils their role in the accountability process of improving the degree of
confidence as to the assertions and representations contained in the financial statements,
thereby enhancing the degree of confidence of the users of financial statements that those
statements have been prepared in accordance with the relevant financial reporting framework.

It is not possible to provide an independent opinion and also to be part of the preparation
and control functions of the party being audited.

As indicated above, it is also important to distinguish different types of auditors involved
in the assurance process. In addition to the external audit function, there is another key audit
function that often exists within the accountability process, i.e. internal audit.

Internal audit is defined in Hong Kong Auditing Standard HKSA 610 (Revised 2013) Using the
Work of Internal Auditors, paragraph 14(a) as:

‘A function of an entity that performs assurance and consulting activities designed to
evaluate and improve the effectiveness of the entity’s governance, risk management and
internal control processes’.

There are three broad areas in which an internal audit could assist an entity:

• Assessing whether the entity achieves its objectives in areas such as ethics, values,
performance management and accountability, communication in relation to risk within
the entity, and communication with external parties such as the external auditor.

• Identification and evaluation of significant exposure to risk and contributing to
improving risk management and internal control, including systems relating to the
financial reporting process and fraud detection.

• Evaluation of internal control by reviewing the control systems and evaluating their
operation and making recommendations for improvement, in effect providing
assurance on controls. (HKSA 610.A1)

HKSA 610 (Revised 2013) also recognises that the internal audit mandate within an entity could
include examination of financial and operating information produced within an entity, including
detailed testing of transactions and financial statement balances. It also indicates that the internal
audit function could be involved in the review of the economy, efficiency and effectiveness of an entity’s
operating activities, and compliance with laws and regulations. However, at this point the internal
audit is to be addressed from the viewpoint of the external financial statement auditor. The broader
view of the internal audit in the governance activities of an entity is discussed further in Section 1.4.

Therefore, putting aside the nature of the range of activities that an external auditor and
internal auditor may undertake, the fundamental distinction between these auditors is their
role and status in the accountability process.

The internal audit function is undertaken as part of the accountability, internal control, and
governance processes within an entity in order to assist the entity to meet its objectives. It is
established within an entity by the management and its mandate and specific activities are
determined by the entity. Internal auditors are either employees of the entity or firms who
have been subcontracted by the entity to undertake the function as directed by the entity.
An internal auditor reports to senior levels of management to assist management to meet
its objectives. The internal auditor is therefore an integral part of an entity’s organisational
structure and is accountable to the management of the entity. An entity is not required to have
an internal audit function; it is a decision by the management as to whether to establish the
internal audit function and to establish the nature and scope of its activities within the entity.

The distinction between an external and internal audit is clearly demonstrated by
HKSA 610 (Revised 2013), which is primarily developed from a financial statement audit context,
but the principles are generic (see also Section 8.2.1.3).

This auditing standard recognises that the external auditor can use the work of the
internal auditor to modify the nature, timing, and extent of the external auditor’s procedures
to be performed as part of the evidence gathering process. This can be done either by the
external auditor:

• Using the work of an internal auditor, for example where an internal audit has tested
the operating effectiveness of the internal controls over the accounting system and
accounts preparation process, the external auditor could reduce the extent of audit
testing of the controls.

• Using internal audit personnel to provide direct assistance by performing audit
procedures under the direction, supervision, and review of the external auditor.
(HKSA 610.8–9)

In either of these circumstances the external auditor must undertake procedures to review and
evaluate the work of the internal auditor to ensure that it is adequate and therefore appropriate to
be relied upon as part of the external auditor’s evidence gathering process. (HKSA 610.15)

The external auditor remains responsible for the audit report issued and cannot reduce
that responsibility by using the work of an entity’s internal auditor. While the status of internal
audit in the organisational structure should be established in such a way that it ensures that the
internal auditor is independent of the activities and information that it audits within the entity,
and be objective and competent in undertaking its work, the internal auditor does not achieve
the ‘arm’s length’ level of independence from the entity that is required of the external auditor.

For example, arising from a risk assessment by an entity’s internal auditor, the collection
of accounts receivable was identified as a matter to be addressed. The internal audit plan
therefore included procedures to assess the credit management policy, apply audit procedures
to test the billing and collection systems and controls, review and test the procedures for
dealing with overdue accounts, and reconcile the accounts receivable ledger with the general
ledger. The internal auditor issued a report to management on the outcome, including
recommendations for improvement.

While these are procedures that the external auditor would undertake as part of the
external audit process, the external auditor cannot directly substitute this work for what is
required for the purpose of the external audit. However, the auditor could review the work
done by internal audit and, if it is deemed to be of appropriate scope and quality and provides
evidence that the accounts receivable system and controls were functioning properly, reduce, but
not eliminate, the nature and extent of the audit work in this area.

Apply and Analyse 4


It is important that the role of the internal and external audit is clearly understood by
management. The Audit Committee of Keeson Inc has asked whether an internal audit
function should be established or whether it should be outsourced to your firm. Generally,
they are concerned about their knowledge of the various laws and regulations impacting
listed entities. They want to know if, as external auditor, you can ‘keep them on track’
in all such matters. The Audit Committee recognises that the family behind Keeson
Inc will face many adjustments, including learning how to keep personal and company
matters separate.

Analyse the types of engagement that the company might need in relation to the above
and advise whether your firm could provide them. Your firm has a good deal of relevant
expertise to draw upon, but you are the external auditor.

Analysis

Implicitly, the concerns of the Audit Committee reveal that they do not have a clear
distinction in their minds between the roles of an external and internal audit. They also do
not seem to see how the issues relate to internal control. The company is responsible for
having an internal control system in place that minimises the risk of non-compliance with
laws and regulations. That system also needs to contain checks and balances that minimise
the risks of business and private interests being mixed. Whilst your firm could assist by
providing audit, review, or agreed-upon procedure engagements in the areas of concern,
and can provide feedback in the light of audit findings, the firm cannot become part of the
internal control system.

1.1.2 Demands for Auditing and Assurance Services


The demand for auditing and assurance services derives from the accountability/governance
relationship that exists between individuals, entities, and those with whom they interact or to
whom they owe an obligation to pursue established objectives. That accountability relationship
usually generates a requirement that the responsible party provide information as to their
performance to those with an interest in the outcome of that relationship. The users of that
information require some assurance as to its relevance (i.e. pertinence to purpose) and
representational faithfulness (the information does cover what it purports to) as an input into
their decision making about that relationship.

The need for credibility that is provided by the auditing and assurance function arises
because the users of that performance information are not able to, or do not have the
expertise to, either obtain or produce that information directly, nor assess whether it has been
properly prepared and presented. It is also the case that accountability relationships exist
in situations where the subject matter of the relationship covers financial and non-financial
information. Many users will not have the expertise to conclude on the quality of the
information.

There are also limitations imposed by cost, legal, and time variables that prevent users
from assessing the quality of information.

Also, inherent in a process where one party delegates responsibility to another to act
on their behalf, or in accordance with specified requirements or user expectations, is the
possibility of bias in the information produced. The responsible party has, or may be perceived
as having, a vested interest in preparing information to present a preferred outcome.
Where the user of that information intends to use it in making decisions, the quality of that
information is particularly relevant.

These features of such relationships therefore create a demand for the independent
audit and assurance function to enhance the credibility of the information provided by the
responsible party about its performance to the users of that information.

The demands for information on an increasing range of subject matter are widening the
demand for assurance services. Users of information are concerned that it is relevant and
representationally faithful for their decision making. The increasing demand for assurance
services beyond the financial statement audit arises because of the broad range of subject
matter on which assurance is sought, a more diverse group of users, and an increasing number
of potential users with a range of different interests.

The variables can also influence the level of assurance that users require. Depending on
the significance of the information to the users in their decision-making process, the demand
for assurance can be at the review or audit level. A higher level of credibility will attach to the
information when an audit is undertaken than for a review engagement.

In many jurisdictions this demand is reflected in legislation where public policy and the
public interest require that audit and assurance be mandated, for example the Companies
Ordinance. The legislative imposition of audit and assurance over the accountability and
governance process reflects the variables in a formal manner.

Further consideration of audits under the Companies Ordinance illustrates the rationale
for the demand for audit. The same principles apply to the demand for assurance on other
subject matter.

The demand for audits under the Companies Ordinance arises because of the separation
of the Board of Directors and investors, and the existence of other third parties who interact
with the company. The shareholders and other users of the company’s financial statements
want to be confident that the information they are using in their decision making is reliable and
prepared in accordance with the benchmark established for this information, i.e. accounting
standards and other regulations required by the Companies Ordinance.

In addition, there is a broad economic policy issue that is also important, and that is that
capital markets need to have timely and equitably accessible information for decision making;
otherwise parties with private information can profit at the expense of others. Audited financial
statements help facilitate enhanced resource allocation decisions in capital markets by
supporting improved decision making by users of the financial statements.

Furthermore, the demand for statutory audits reflects a view that audit impacts corporate
conduct. Company management and other company personnel are less likely to attempt to
provide misleading information knowing that it will be subject to an independent audit.

Further consideration of these factors in the context of a financial statement audit
illustrates the rationale for the demand for this service.

The process of converting the data about individual transactions and events into
information from which to prepare financial statements is complex. Financial statements are
prepared in accordance with accounting standards and, if under statute, other regulatory
requirements. While this may reduce the bias of the preparers of financial statements by
directing how information is prepared and presented, most financial statement users do not
have the access or expertise to be satisfied that these criteria have been appropriately applied.
In this sense, users of financial statements therefore require the auditor, as an expert in the
subject matter, to provide assurance. Users value the fact that the auditor’s report comes from
an expert in the subject matter and in the auditing processes required.

In summary, and applying this specific rationale more broadly, the demand for assurance
services arises where information is provided for decision making or accountability and the
user has not directly prepared the information or cannot be satisfied as to its credibility
through their own efforts. The quality of that information is provided by an independent
assurance service report to the user on the credibility of that information measured against an
appropriate benchmark.

The demand for assurance services beyond the financial statement audits reflects the fact
that assurance is sought on a broad range of subject matter beyond financial information by a
more diverse group of users and potential users.

1.1.3 Financial Statement Users


Depending on the type of entity preparing financial statements, the range of users and their
need for financial statements can vary. In the case of companies, there is a diverse range of
potential users, for example:

• Existing and potential shareholders

• Creditors

• Suppliers

• Customers

• Bankers and other financial/lending institutions

• Employees

• Regulatory and taxation agencies

• Government

All of these groups may use financial statements as input into their decision making about
the company, current and future dealings, and compliance with statutory requirements.
Governments may also formulate policy based on such statements.

For example, individuals and entities that have shares in companies are the owners of
those companies. Shareholders invest in companies with the expectation that the investment
will prove beneficial in terms of returns via dividends from profits or increases in the value
of those shares. Financial statements provide current shareholders with information about
the company’s financial position and performance, which informs their decisions about what
actions to take in relation to their shareholding and the management of the company; for
example, election of directors. Potential shareholders use the information as input into their
decision to buy shares in the company.

Other parties that transact with companies also have a vested interest that the entity meets
its obligations. For example, banks and other financial institutions use financial statements to
assess whether a company is meeting its contractual obligations under loan agreements or as
information that forms part of their decision-making process as to the extent of lending, terms
and conditions, and interest rates.

Suppliers of goods and services to a company may use the financial statements as an input
into their credit risk assessment and decision to transact with the company.

Governments are also concerned that the corporate sector is an efficient component of
the broader economy and financial statements facilitate an informed capital market. Taxation
authorities may use financial statements as part of the information for assessing a company’s
tax affairs.

Employees and unions may use financial statements to make decisions in relation to
negotiations relating to employee wages and conditions.

The directors have a specific obligation to be accountable for their stewardship of the resources
under their control and to report the outcome of that stewardship periodically. Users expect that
this information is free from bias, which drives the demand for financial statement audits.

The auditor remains neutral in terms of meeting the needs of different financial statement
users. Company financial statements are prepared in accordance with a defined body of
accounting standards and any regulatory requirements relevant to the company’s status under
the Companies Ordinance. It is the auditor’s responsibility to provide an opinion as to whether
the reporting criteria have been appropriately applied. The auditor remains neutral as to
whether the reporting framework meets the differing needs of all users.

Nevertheless, it is also important that auditors understand the identity of the users, or
potential users, of the financial statements and their audit report. Shareholders, and in some
circumstances third parties, who can demonstrate reliance on audited financial statements in their
decision making, and who suffered financial loss due to that reliance, could take legal action
against the auditor. If it is proven that the auditor’s opinion was inappropriate in the
circumstances, and the auditor has breached a duty of care, the users could take legal action to
recover those losses.

These liabilities can arise from:

• Contract law, for example where the auditor has in effect entered into a contract
with a company on behalf of the shareholders, with a consequent duty to apply due
professional skill and care.
• Common law, based on court decisions relating to negligence.

• Statute, where the audit is undertaken pursuant to legislation.

This feature of the auditor/user relationship may provide a further indirect factor in
explaining the demand for audit services. Often referred to as the ‘deep pocket theory’, the fact
that financial statement users may have recourse to recover losses from the auditor is a further
factor that gives users added comfort in relation to the audit function.

However, financial statements provide information about management and the directors’
performance, which is useful to a range of users, and the need for that information to be
credible is the primary driver of the demand for financial statement audits.

Knowledge Check Questions

Question 1
Identify and explain how the elements of an assurance engagement are to be found in an
audit of financial statements.

Question 2
Define assurance and explain the difference between reasonable and limited assurance.

Question 3
Identify which of the following is not a feature of an agreed-upon procedures engagement.
A The nature, timing, and extent of procedures is determined by the engaging party.
B The sufficiency and appropriateness of evidence is assessed by the assurance practitioner.
C No conclusion or assurance is provided.
D The report includes details of the nature, timing, and extent of procedures performed.

Question 4
Compare the role that financial statement assertions play from a management and audit
perspective in the preparation and audit of financial statements.

Question 5
Identify which of the following describe how the concepts of audit and assurance are
connected.
A An audit and assurance engagement are identical.
B An assurance engagement is one category of audit.
C An audit is one form of assurance engagement.
D An assurance engagement provides a higher level of assurance than an audit.

Question 6
Identify which of the following describes how the company financial statement audit is
useful to users of the audited financial statements.
A The auditor is providing assurance that the company is a sound investment.
B Assurance is provided that no fraud has occurred.
C The information value of the financial statements for decision making has
been enhanced.
D The auditor is providing assurance that management has operated the company
efficiently.

1.2 AUDITING AND ASSURANCE STANDARDS

1.2.1 Role of Regulators and Regulation (including Statutory Audits)


In most jurisdictions regulatory policy and regulatory agencies increasingly shape the structure
and conduct of economic activity. Regulation, generally in the form of legislation, affects the
way in which participants in an activity perform. It influences the basis of decision making and
mandates that certain events occur. In substance, regulation reflects an implicit formal contract
between participants and society.
For companies, regulation impacts the conduct of their business and relationships with
various other groups. In the context of corporate governance and accountability, it mandates
requirements for the company and professionals associated with them. The role of regulatory
agencies complements the regulation in terms of implementation and enforcement.

Regulation and regulatory agencies can be either initiatives of government or self-regulation
by those involved in the activity.


In the case of corporate financial reporting and auditing requirements, the primary
government regulation is found in the Companies Ordinance. The main statutory regulatory
bodies are:

• The Securities and Futures Commission of Hong Kong (SFC)

• The Stock Exchange of Hong Kong (HKEX)

In addition, the HKICPA represents a professional accounting organisation of Hong Kong. It is
the only statutory licensing body of accountants in Hong Kong responsible for the professional
training, development, and regulation of the accountancy profession.

The following briefly explains the role of these regulatory bodies:

• The HKICPA was incorporated by the Professional Accountants Ordinance (Cap. 50)
(PAO) of the laws of Hong Kong. The PAO was implemented to establish the HKICPA
to provide for the registration and control of the accountancy profession. Under the
PAO, the HKICPA is the statutory body licensed by law to register and grant practicing
certificates to Certified Public Accountants (CPAs). It is responsible for the regulation
of the accountancy profession by regulating the conduct of its members and setting
codes of ethics and auditing and accounting standards. It also regulates entry to the
profession and continuing education programmes. The HKICPA also has a disciplinary
process whereby allegations of misconduct by members are investigated. If proven,
sanctions are applied, for example removal of membership, cancellation of practicing
certificates, and fines.

• The SFC is an independent statutory body established under the Securities and Futures
Ordinance (SFO). The regulatory objectives of the SFC include the development and
maintenance of a competitive, efficient, fair, orderly, and transparent securities market
and to provide protection for the investing public. One of the groups regulated by the SFC
is listed companies. One aspect of this regulation is surveillance of companies to enquire
into suspected inappropriate transactions and the provision of false or misleading
information, as well as reviews to identify corporate misconduct. The SFC also has the
power to take disciplinary measures and prosecute market participants for misconduct.

• The HKEX also has a statutory responsibility to ensure that the Hong Kong securities
market is fair, orderly, and informed. The HKEX supervises companies listed on the
Exchange for compliance with its listing rules and requirements. It also plays a role
in the information that listed companies need to provide. For example, it requires
listed companies to include a corporate governance report in each annual report. That
statement is to indicate whether the company has complied with the principles of the
Hong Kong Code of Corporate Governance Practices or, if not, an explanation as to why.
The Statement should also disclose the auditor’s remuneration for audit and non-audit
services. Further, it should include the nature and extent of the Board’s review of risk
management and internal control systems and whether they consider them to be
effective. It also has statutory powers of investigation and enforcement in relation
to corporate misconduct. The activities of the HKEX are subject to supervision and
monitoring by the SFC.

In considering the legislative requirements for the statutory audit of a company’s financial
statements under the Companies Ordinance, these provisions are found in the Companies
Ordinance, Chapter 622, Part 9, Division 4.


The following will be restricted to considering, in summary, the basic provisions as they
relate to the regulation of a public company preparing an annual set of complete financial
statements.

It is the corporate model involving the separation of ownership and control that provides
the rationale for this regulation. The legislation mandates an accountability relationship
whereby the directors are required to communicate with the shareholders, the owners.

The regulation of the accounts preparation process is covered in Sections 373–378. These
require a company to keep accounting records to show the company’s transactions, disclose
the company’s financial position and performance, and enable the directors to prepare
financial statements that comply with the Companies Ordinance.

The records are to be kept at the registered company office or another location approved
by the directors, but must be available for inspection by the directors at all times. The records
can be in hard copy or electronic form and must be held for seven years.

Sections 379–387 contain the requirements for directors to prepare financial statements. In
brief, the directors are required to prepare financial statements of the company that give a true
and fair view of:

• The financial position as at the end of the financial year

• The financial performance for the year


The financial statements must comply with any other requirements specified by the
Companies Ordinance and with accounting standards. Section 380(4)(b) requires that the
accounting standards to be applied are those issued or specified by the HKICPA. These
comprise the Hong Kong Financial Reporting Standards (HKFRS) which include HKFRS
statements, Hong Kong Accounting Standards, and interpretations.

In addition, Section 383 specifies information relating to the company directors that must
be included in the notes to the financial statements, for example the directors’:

• Emoluments

• Retirement benefits

• Termination payments

• Loans

The directors must approve and sign the statements.

Sections 388–391 require that the directors prepare, approve, and sign a directors’ report
that includes, for example:

• The directors’ names

• Any material matters relevant to shareholders understanding the company

Sections 429–436 require that the directors send copies of the financial statements and
reports to the shareholders prior to the company’s annual general meeting.

In the context of the elements of an assurance engagement and a financial statement audit
as an assurance engagement, it is clear from these provisions that legislation designates the
directors as the responsible party, the shareholders are the designated users, the financial
statements are the subject matter information, and the criteria are the accounting standards
and other requirements under the Companies Ordinance. The third party in this accountability
relationship is the external auditor.

Part 9, Division 5 subdivision 2 deals with the appointment of auditors.

Section 393 provides that only a practice unit is eligible for appointment as a company
auditor. A practice unit means:

• A firm of Certified Public Accountants practicing accountancy (usually in the form of a
partnership)

• An individual CPA practicing accountancy

• A corporate practice

Any person who is an officer or employee of the company or a partner of such a person
is not eligible for appointment. This is an example of regulating the independence of
the auditors.

The primary statutory requirements for the appointment of an auditor are in Sections
395–400. An auditor must be appointed each financial year by a resolution of the shareholders
at the Annual General Meeting. The directors can appoint an auditor where a casual vacancy
arises. Where a firm is appointed, that is regarded as an appointment of the firm’s partners.
Where the auditor is appointed by the shareholders, Section 404 requires that the
remuneration of the auditor be fixed by a resolution of shareholders at a general meeting or in
the manner specified in such a resolution. If appointed by the directors, it can be determined
by the directors or, if not, by a resolution of the shareholders.

This relationship is formalised further under the requirements of HKSA 210 Agreeing the
Terms of Audit Engagements, which requires the auditor to agree the terms of the engagement
with management or the directors through an engagement letter. This establishes a contractual
relationship with the company that supports the statutory appointment. That letter would
reflect the responsibilities of management, the Board, and the auditor, as required under the
Companies Ordinance.

Sections 405 and 406 require the auditor to report to the shareholders on the
financial statements at the Annual General Meeting. The report must state the auditor’s
opinion whether:

• The financial statements have been properly prepared in accordance with the
Companies Ordinance.

• The financial statements give a true and fair view of the financial position and
performance.

In forming this opinion, it is necessary that the auditor be satisfied that the HKFRSs have
been appropriately applied in the circumstances, with additional disclosure as necessary, to
achieve the true and fair view.

In the case of the accompanying Director’s Report, if the auditor concludes that it is
inconsistent with the financial statements, the report must include that opinion.


Section 407 requires the auditor to also form an opinion whether:

• The company has kept adequate accounting records and

• The financial statements agree with the accounting records.

If the auditor concludes that this is not the case, that opinion must be included in the
auditor’s report.

In addition, in situations where the auditor has not been able to obtain all the information
and explanations necessary for the audit, the report must include a statement to that effect.

Where the company failed to disclose the information in relation to directors under
Section 383, this information must be included in the auditor’s report.

It is an offence under the Companies Ordinance if the auditor knowingly or recklessly omits
to report situations where the financial statements are not in accordance with the accounting
records or have not provided all the required information and explanations.

Consideration of some further provisions of the Companies Ordinance demonstrates how
regulation can reinforce the role and independence of the statutory audit function.

Section 410 provides that, in the absence of any malice, the auditor has qualified privilege
from defamation for any statements made or documents issued during the audit. Furthermore,
Section 411 gives the auditor the right to attend the general meeting and to be heard in
relation to audit matters. These provisions give the auditor the ability to communicate with
shareholders and other interested parties and therefore enhance the confidence that users can
have in the role of the statutory auditor.

The provisions dealing with termination of an auditor’s appointment in Subdivisions 6–8
provide the auditor with rights and obligations that support their independence. An auditor’s
appointment can be terminated if:

• The term of office has expired.

• The auditor resigns. In this case the auditor must give the company written notice and
a statement of circumstances that outlines any matters that the auditor believes should
be brought to the attention of the shareholders or creditors, or, if not, a statement to
that effect.

• The auditor is removed from office. This also requires the auditor to provide a
statement of circumstances to shareholders and requires an ordinary resolution of the
company at a general meeting of which special notice has been given and provided to
the auditor and the company Registrar.

• The company is subject to winding up orders.

The ability and obligation to communicate with shareholders and others gives the auditor
a degree of protection to plan and conduct the audit with due diligence and care, without the
potential for undue influence on their independence. Any issues in this regard are subject to a
transparent due process.

The above requirements clearly demonstrate the responsibility for accounts preparation
and the statutory audit function for companies in Hong Kong, and the extent to which regulation
under the Companies Ordinance supports the role of the auditor.


1.2.2 Hong Kong Standards and Guidelines for Auditing and Assurance
1.2.2.1 Professional Standards
One of the attributes of a profession and its status with, and value to, third parties is that it
has formal professional standards that govern the activities and behaviour of its members
and provide a benchmark for the performance of its functions. Such standards also provide
members of the profession with information as to the expected quality of performance.

One of the functions of the HKICPA is the promulgation of Standards for the conduct of
audits and other assurance engagements. The growing demand for assurance on a broad range
of subject matter other than the audit of financial statements has resulted in an extensive body
of audit and assurance standards under the Framework.

Members of the HKICPA must comply with the professional standards. Suspected failure to
comply can be investigated by the HKICPA and lead to disciplinary action, including cancellation
of the CPA’s practising certificate. In that event the member would forfeit the right to conduct
audits and other assurance engagements.

The standards therefore represent a benchmark against which individual auditors can
demonstrate the application of professional competence and due care, and against which third
parties can assess an auditor’s performance.

Section 18A of the Professional Accountants Ordinance (PAO) gives the HKICPA Council the
power to issue standards of practice to be applied by its members. The Council established
the Auditing and Assurance Standards Committee (AASC) to develop HK Quality Management,
Auditing, Review, Other Assurance, and Related Services Pronouncements. In 2001 the Council
mandated that these pronouncements be developed to converge with the International Quality
Management, Auditing, Review, Other Assurance, and Related Services Pronouncements. The
international standards on auditing, assurance and related services are issued by the International
Auditing and Assurance Standards Board (IAASB) of the International Federation of Accountants (IFAC).

The Preface to the Hong Kong Quality Management, Auditing, Review, Other Assurance, and
Related Services Pronouncements, states that the objectives of convergence are to establish high
quality standards and guidance for:

• Financial statement audits that are generally accepted by auditors, investors,
governments, regulators, and other key stakeholders,

• Other types of assurance services on both financial and non-financial information,

• Other related services, and

• Quality management covering the scope of services covered by the AASC.

A further objective is to publish other pronouncements on auditing and assurance to
advance public understanding of the roles and responsibilities of auditors and assurance
providers.

Council has, however, taken the view that the HK Standards can include requirements
additional to the international pronouncements and in exceptional cases depart from those
Standards.

The professional standards do not, however, override local laws and regulations.


The suite of Standards issued under this structure is extensive, recognising the growing
demand for assurance on a broad range of subject matter and the need for the profession to
ensure that it self-regulates to maintain its role and the confidence of the users of audit and
assurance services.

Standards issued comprise:

• Standards on Quality Management (HKSQMs). This requires a CPA firm to have a system
of quality management with policies to provide reasonable assurance that there is
compliance with professional standards and legal requirements and that reports issued
are appropriate in the circumstances. There should also be procedures to implement
and monitor compliance with the policies.

• Framework for Assurance Engagements. This provides the elements and structure for
all assurance engagements, of which the audit is one (Exhibit 1.5). See Section 4.1.1.1
which describes recent revisions to the Quality Standards.

Pronouncements Issued by the HKICPA, and Their Relationship to Each Other and the Code

The Appendix illustrates the ambit of pronouncements issued by the HKICPA, and their relationship to each other and to
the Code of Ethics for Professional Accountants.

HKICPA Code of Ethics for Professional Accountants

Engagements Governed by the Standards of the HKICPA:

• HKSQMs 1–99: Hong Kong Standards on Quality Management
• Hong Kong Framework for Assurance Engagements
• Engagement types: Audits and Reviews of Historical Financial Information; Other Assurance Engagements; Related Services Engagements
• HKSAs 100–999: Hong Kong Standards on Auditing
• HKSREs 2000–2699: Hong Kong Standards on Review Engagements
• HKSAEs 3000–3699: Hong Kong Standards on Assurance Engagements
• HKSIRs 100–999: Hong Kong Standards on Investment Circular Reporting Engagements
• HKSRSs 4000–4699: Hong Kong Standards on Related Services
• PNs 100–9999; HKAPGs, HKREPGs, HKAEPGs, HKRSPGs, Auditing and Assurance Technical Bulletins, Circulars and staff publications

Engagements Not Governed by the Standards of the HKICPA:

• Consulting/Advisory
• Tax
• Other Service

EXHIBIT 1.5 Pronouncements issued by the HKICPA

• Standards on Auditing (HKSAs). These are written in the context of financial statement
audits by an independent auditor, to be adapted as necessary when applied to other
historical financial information. These standards contain mandatory requirements
that must be complied with by a member undertaking a financial statement audit. See
Section 1.3 for further information about these standards.

• Standards on Review Engagements (HKSREs).

• Standards on Assurance Engagements (HKSAEs). For example, HKSAE 3000 (Revised)
Assurance Engagements Other than Audits or Reviews of Historical Financial Information and
on specific subject matters such as HKSAE 3410 Assurance Engagements on Greenhouse
Gas Statements.


• Standards on Investment Circular Reporting Engagements (HKSIRs). For example,
HKSIR 500 Reporting on Profit Forecasts, Statement of Sufficiency of Working Capital and
Statement of Indebtedness. This applies to reporting accountants defined as CPAs
engaged to prepare public reports and letters for inclusion in, or in connection with, an
investment circular. It provides standards and guidance when providing such letters on
directors’ profit forecasts and statements of working capital and investment circulars.

• Standards on Related Services (HKSRSs). For example, HKSRS 4410 (Revised) Compilation
Engagements.

The AASC issues Practice Notes (PNs) to address local regulatory and reporting issues. These
provide interpretative guidance and assistance in applying the standards. While not mandatory
in the direct way that standards are, failure to apply the guidance would require the member
to explain how the relevant standards to which any guidance relates have been complied with.
See Sections 1.2.2.2 and 4.1.1.1 which describe recent revisions to the Code of Ethics and the
Quality Standards.

As part of the convergence policy, the AASC requires that International Auditing Practice
Notes issued by the IAASB be regarded as non-authoritative guidance and do not impose
additional requirements. These are designated as Hong Kong Auditing Practice Guidance
(HKAPG). An example is HKAPG 1000 Special Considerations in Auditing Financial Instruments.

They are aimed at assisting in the understanding of the circumstances of an entity and
in the making of judgements about the identification and assessment of risks of material
misstatement, how to respond to those risks, and the appropriate procedures that may be
applied. They may also address issues in relation to the auditor’s opinion and communicating
with management and those charged with governance.

It is important to recognise that adherence to professional standards is a significant
obligation on members of the HKICPA. However, not all engagements undertaken by
accountants in public practice are assurance engagements, but there are standards that
apply to non-assurance engagements. The example given of an HKSRS deals with compilation
engagements, where no assurance is provided. These engagements involve the use of the
professional accountant’s accounting knowledge and skills rather than auditing expertise.
This standard deals with engagements undertaken in situations where management
requires assistance with the preparation of historical financial information. The accountant
processes and summarises the accounting data and assists with the preparation of the
financial information. It is not an assurance engagement as the accountant does not verify the
accuracy or completeness of the data. Management retains the responsibility for the financial
information resulting from this process. The value to users of this type of engagement is that
professional accounting and financial reporting expertise has been applied by professional
accountants who are subject to professional standards, including ethical requirements.

1.2.2.2 Profession’s Code of Ethics (COE)


A distinguishing mark of the accountancy profession is its acceptance of the responsibility to
act in the public interest. Confidence in the accountancy profession is based on the skills and
values that accountants bring, including adherence to ethical principles. Accountants must
comply with the Code of Ethics for Professional Accountants (COE) issued by the HKICPA.
(COE Preface 10)

As stated in the Preface to the COE, and consistent with the approach to HKSAs,
Section 18A of the Professional Accountants Ordinance provides that the HKICPA Council may
issue Statements of Ethics to be applied by members. The Council has mandated the Ethics
Committee to develop the HKICPA Code of Ethics for Professional Accountants. As part of its
convergence process, the HKICPA has adopted the International Code of Ethics for Professional
Accountants issued by the International Ethics Standards Board for Accountants (IESBA).

Post Implementation Review


The Institute actively participates in post-implementation reviews (PIR) coordinated by the
IESBA. The objective of a PIR is to determine whether the Code is being consistently understood
and implemented in a manner that achieves the intended purpose. For locally developed
pronouncements, the HKICPA will carry out a review of the references to local regulations and
legislation every two years to consider whether the terms and references need to be updated
as well as whether any consequential change to the contents in the local pronouncements is
warranted. In addition, the HKICPA will identify and address issues arising from the application
of the Code through an analysis of data collected over each three-year period. The analysis of
the data should identify complex, contentious and/or significant issues.

Audit Committees
A feature of the governance structure of many companies and other entities that has gained
prominence in recent years, and now plays a significant role in assisting auditors meet their
obligations, is the establishment of audit committees. An audit committee is a sub-committee
of the Board of Directors, often comprising a majority of independent directors. The broad
function of an audit committee is to oversee the financial reporting and auditing functions
within the company. The audit committee takes on the role of an intermediary between the
Board and the auditor. While an audit committee is part of the governance structure within a
company, its responsibilities are directed at protecting the interests of users and other vested
interests, independent of the Board and management.

The audit committee provides the auditor with an independent structure within a company
with which the auditor can communicate and discuss issues affecting the financial statements
and audit, for example:

• Significant or contentious accounting issues and policies, and decisions taken by
management in choosing accounting policies and making judgements and estimates.

• Significant accounting adjustments required by the auditor during the audit process.

• Disagreements with management.

• Deficiencies in the system of internal control or accounting process.

• Difficulties and problems encountered during the audit.

• Ethical issues arising in relation to the client/auditor relationship.

An audit committee is normally involved in making a recommendation as to the
appointment of the external auditor and the adequacy of the audit fee necessary to undertake
the audit in accordance with all requirements. The audit committee also reviews the broad
audit strategy and results.

It is important to note that the Board of Directors cannot delegate its responsibility for the
financial statements to the Committee, and nor does it reduce the obligations of the auditor
to meet all professional and legal responsibilities and obligations. The existence of an effective
audit committee does, however, strengthen the auditor’s independence by providing a function
within the company, independent of management and the Board, through which audit issues can
be dealt with on a timely basis. The auditor would normally also meet with the full Board of
Directors at appropriate times.


The significance of audit committees has been recognised by the HKEX. Under its Listing
Rules, every issuer must establish an audit committee. The Committee is to comprise
non-executive directors only, with a minimum membership of three. One member must be a
non-executive director with appropriate professional qualifications or accounting or related
financial management expertise. The Committee must be chaired by an independent
non-executive Director.

Ethics and The Code


In a broad sense, ethics are concerned with the moral principles that govern an individual’s
behaviour. A Code is a set of rules guiding that behaviour. All professions have their own codes,
and in a sense, their codes define the professions.

Codes of ethics do not, in themselves, cause behaviour to be ethical, but they provide
frameworks within which judgements can be made consistently amongst professionals
subscribing to a particular culture and attitude. Codes can, therefore, be quite influential
and can form the basis for judgements about non-compliance in both legal and
professional settings.

The COE provides an official and methodological body of principles and rules to promote
appropriate behaviour and relationships between assurance providers, their clients and users
of the assurance reports. It also promotes the notion that where there are conflicts between
participants in the accountability process, the CPA should put the public interest above their
own interest or the interests of their client. (COE 100.1 A1)

The COE adopts a conceptual approach to ethics and independence in the recognition
that it is not possible to identify and provide guidance on every specific situation that creates
a threat to compliance with the fundamental ethical principles. The differing nature of
engagements and the range of circumstances facing professional accountants creates a wide
range of threats.

Quality Management and The Code


As indicated above, included in the body of standards issued by the HKICPA is HKSQM 1
Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other
Assurance or Related Services Engagements. This standard requires that CPA firms implement
and monitor a system of quality management for audits and reviews and other assurance
and related service engagements. The quality management system should comprise policies
that provide reasonable assurance that the firm and its employees comply with professional,
legal, and regulatory requirements and that reports issued by the firm are appropriate in the
circumstances. (HKSQM 1 17–18)

Further, as required by HKSQM 1.29, the firm shall establish quality objectives that address
relevant ethical requirements including independence. The firm, its personnel, others in the
firm’s network, and service providers should all understand and fulfill their responsibilities in
relation to the relevant ethical requirements.

In the context of a financial statement audit, HKSA 200 Overall Objectives of the Independent
Auditor and the Conduct of an Audit in Accordance with Hong Kong Standards on Auditing states
that a mandatory fundamental principle of audit is that the audit shall comply with relevant
ethical requirements, including those relating to independence. (HKSQM 1 13–15)


Structure of the Code


The COE includes the following six chapters:

• A – Requirements and Application Material for Professional Accountants, based on the
International Code. It establishes the fundamental principles of professional ethics
and provides a conceptual framework to be applied, with examples and safeguards
to address threats to compliance with the fundamental principles. It also addresses
situations where safeguards cannot address the threats and must be avoided.

• B – Not Used.

• C – Additional Ethical Requirements on specific areas: changes in a professional
appointment, change of auditors of an entity listed on the Stock Exchange of
Hong Kong, ethics in tax practice, and practice promotion (see Section 1.2.2.11).

• D – Comparison with the IESBA Code of Ethics for Professional Accountants. Chapter D
identifies three significant differences between the HKICPA COE Chapter A and the
International COE Chapter A. It is included for information only.

• E – Specialised Areas of Practice such as professional ethics in liquidation and
insolvency (see Section 1.2.2.9).

• F – Guidelines for Anti-Money Laundering and Counter-Terrorist Financing for
Professional Accountants (see Section 1.2.2.10).

The following sections highlight important features of the Code. The focus here is mainly
on Chapter A, as this is the most relevant to professional accountants in public practice and
assurance providers. A brief description of COE Chapter C can be found in Section 1.2.2.11.
Similarly, a brief description of COE Chapters E and F is provided to highlight the important
issue of money laundering (Sections 1.2.2.9 and 1.2.2.10).

Chapter A of the Code has the following four parts (Exhibit 1.6):

• Part 1 – Complying with the Code, Fundamental Principles, and Conceptual Framework

• Part 2 – Professional Accountants in Business; for example, members in commerce,
industry, the public sector, education, not-for-profit, regulatory, or professional bodies

• Part 3 – Professional Accountants in Public Practice

• Part 4A – Independence for Audit and Review Engagements

• Part 4B – Independence for Assurance Engagements Other Than Audit and Review
Engagements

Extensive guidance for the professional accountant is presented in the Code. In particular,
general and specific obligations on a professional accountant or firm with respect to a subject
matter and stated in the form of ‘shall’ are labelled with the letter ‘R’, while advisory paragraphs
are labelled ‘A’. The advisory paragraphs are described as ‘Application Guidance’ and provide
context, explanations, suggestions for actions, and illustrations, all to be considered when
applying the conceptual framework.


Overview of the code

• Glossary (all professional accountants)

• Part 1 – Complying with the code, fundamental principles and conceptual framework
(all professional accountants; Sections 100 to 199)

• Part 2 – Professional accountants in business (Sections 200 to 299). Part 2 is also
applicable to individual professional accountants in public practice when performing
professional activities pursuant to their relationship with the firm.

• Part 3 – Professional accountants in public practice (Sections 300 to 399)

• Independence standards (Parts 4A and 4B):

◦ Part 4A – Independence for audit and review engagements (Sections 400 to 899)

◦ Part 4B – Independence for assurance engagements other than audit and review
engagements (Sections 900 to 999)

EXHIBIT 1.6 Overview of Chapter A of the Code

For example, Part 1, Section 100, Complying with the Code includes the following
requirements and guidance:

• Requirement Paragraph R100.8: A professional accountant who identifies a breach
of any other provisions of the Code shall evaluate the significance of the breach and
its impact on the accountant’s ability to comply with the fundamental principles. The
accountant shall also:

(a) Take whatever actions might be available, as soon as possible, to address the
consequences of the breach satisfactorily, and

(b) Determine whether to report the breach to the relevant parties.

• Application Guidance Paragraph 100.8 A1: Relevant parties to whom such a breach
might be reported include those who might have been affected by it, a professional
body or an oversight authority.

1.2.2.3 Fundamental Ethical Principles


The COE identifies five fundamental ethical principles as follows (COE 110.1 A1, R110.2):

1. Integrity. Be straightforward and honest in all professional and business relationships.
This requires that a professional accountant not knowingly be associated with reports,
communications, and other information believed to be materially false or
misleading, provided recklessly, or that omits or obscures information such that it would
be misleading. The accountant shall take steps to be disassociated from any such
information. Integrity requires standing one’s ground in difficult situations and
challenging others, if required (COE Para R111.2–3).

2. Objectivity. Exercise professional or business judgements without being compromised
by bias, conflict of interest or undue influence of, or undue reliance on individuals,
organisations, technology or other factors.


3. Professional competence and due care. Attain and maintain professional knowledge
and skill at the level required to ensure that a client or employer receives competent
professional service based on current technical and professional standards and
relevant legislation. This requires that the professional accountant act diligently in
accordance with applicable technical and professional standards; that those working
in a professional capacity under the accountant’s authority have appropriate training
and supervision; and that users of the accountant’s professional services
or activities are made aware of the limitations inherent in the services or activities
(COE Para R113.1–3). When applied to assurance engagements more broadly, this requires
that the assurance provider has the skills and knowledge relevant to the nature of the
subject matter of the engagement, which often extends beyond financial statements and
information. It also requires that those working in a professional capacity under the
accountant’s authority have appropriate training and supervision.

4. Confidentiality. Respect the confidentiality of information acquired because of
professional or business relationships, whether prospective, ongoing or completed. The
accountant should be alert to the possibility of inadvertent disclosure, and maintain
confidentiality within both the firm and the employing organisation. Confidentiality
requires that information should not be used for the personal advantage of the
accountant or third parties. The accountant should take steps to ensure that personnel
under the accountant’s control also respect the principle of confidentiality (COE
R114.1–2). Information obtained during an audit should not be disclosed to third parties
without proper and specific authority, unless there is a legal or professional right or
duty to disclose. Some provisions of the Companies Ordinance, for example, in relation
to disclosures at a general meeting or in relation to audit appointment and termination,
may override this principle.

5. Professional behaviour. Comply with relevant laws and regulations, behave in a
manner consistent with the profession’s responsibility to act in the public interest
in all professional activities and avoid any conduct that the professional accountant
knows or should know might discredit the profession. When undertaking marketing
or promotional activities, the accountant shall not bring the profession into disrepute.
A professional accountant shall be honest and truthful and shall not make exaggerated
claims about services offered, or their own qualifications and experience; or make
disparaging reference to the work of others.

1.2.2.4 Threats to the Fundamental Principles


The COE (Section 120) requires the professional accountant to adopt the Conceptual Framework
approach to threats to compliance with the fundamental principles set out in the Code
(Section 110) (COE 110, 120). The approach is to:

• Identify threats to compliance with the fundamental ethical principles.

• Evaluate identified threats.

• Address the threats by eliminating, or reducing them to an ‘acceptable’ level, by
applying safeguards.

The Conceptual Framework approach is required throughout Chapter A:

• Part 2 Professional Accountants in Business.

• Part 3 Professional Accountants in Public Practice.


• Part 4A Independence for Audit and Review Engagements.

• Part 4B Independence for Assurance Engagements Other than Audit and Review
Engagements.

In applying the Conceptual Framework, a professional accountant must:

• Have an inquiring mind (COE 120.5 A2). Consider:

(a) The source, relevance and sufficiency of information obtained.

(b) New information.

(c) Bias or self-interest.

(d) Information that is inconsistent with expectations.

(e) If the information supports the conclusion reached, or the possibility of other
reasonable conclusions.

(f) Be open and alert to the need for further investigation.

• Exercise professional scepticism.

• Exercise professional judgement by:

(a) Applying relevant training, professional knowledge, skill and experience
commensurate with the relevant facts and circumstances.

(b) Considering if their expertise and experience are sufficient in the circumstances to
reach a conclusion.

(c) Considering if the accountant’s own preconception or bias might be affecting their
professional judgement. Common sources of bias include:

◦ Anchoring – evaluating subsequent information against initial information.

◦ Automation – favouring output and information generated by automated systems.

◦ Availability – favouring easily acquired information.

◦ Confirmation – accepting information that confirms existing beliefs and
rejecting adverse information.

◦ Groupthink – discourages original ideas and independent thought.

◦ Overconfidence – in one’s own judgement.

◦ Representation – assuming a pattern will be repeated.

◦ Selective perception – bias created by expectations.

Bias may be mitigated by seeking expert advice or discussion with others, or receiving
training related to identification of bias.

• Use the reasonable and informed third-party test. The professional accountant should
consider whether a reasonable and informed third party would reach the same
conclusion given what is known or should be known by the accountant. The third party
need not be an accountant, but merely one who is well informed and has sufficient
experience of the matters raised to understand and evaluate the appropriateness of
the accountant’s conclusions in an impartial manner.


Identifying Threats
The professional accountant shall identify threats to compliance with the fundamental
principles. Threats fall into one or more of the following categories:

• Self-interest. The threat that a financial or other interest will inappropriately influence
judgement or behaviour. For example, where a member of the engagement team has
a direct financial interest in the audit client or an audit firm being reliant on total fees
from an audit client.

• Self-review. The threat that an accountant will not appropriately evaluate the results of
a previous judgement made, or an activity performed by the accountant or by another
member of the accountant’s firm or for a client, on which the accountant will rely
when forming a judgement as part of performing a current activity. For example, a
firm having prepared the original data to produce the accounting records that are the
subject matter of an audit engagement or a member of the engagement team having
recently been an officer of the audit client entity.

• Advocacy. A threat that promoting a client or employer’s position will compromise
the accountant’s objectivity. For example, an audit firm promoting the shares of the
audit client.

• Familiarity. A threat that, due to a long or close relationship with a client, the accountant
will take a too sympathetic position in relation to their interests or be too accepting of
their work. For example, a member of the audit engagement team having a close family
member who is an officer of the audit client or senior audit personnel having a long
association with the audit client.

• Intimidation. A threat that an accountant may be deterred from acting objectively
because of actual or perceived pressures, including attempts to exercise undue
influence. For example, an audit firm being advised that it will not be appointed to
provide other services to the audit client if it continues to disagree with the client’s
accounting policies for a transaction or transactions (COE 120.6 A3).

Evaluating Threats
A threat must be at, or reduced to, an acceptable level. An acceptable level means that a
reasonable and informed third party would likely conclude that the accountant complies
with the fundamental ethical principles. If the professional accountant becomes aware of
new information that might impact whether a threat has been eliminated or reduced to an
acceptable level, the accountant shall re-evaluate and address that threat accordingly.

Addressing Threats
Where a threat is not at an acceptable level, it must either be eliminated, or reduced to an
acceptable level through the application of appropriate safeguards. If this is not possible, the
accountant may decline the engagement, or end the professional activity.

1.2.2.5 Safeguards to Threats


The COE describes situations where safeguards may be applicable and other situations
where safeguards may not be available. Safeguards are measures established either through
professional requirements, legislation and regulation, or workplace policy. The COE identifies
the following examples of ways in which safeguards can be developed:

• Professional requirements for entry into the profession relating to education, training,
and experience.


• Ongoing professional development requirements.

• Professional standards.

• Corporate governance regulation.

• Professional or regulatory disciplinary processes.

• Monitoring and review procedures at the government, profession, and firm levels.

• The ethical environment of the firm (COE 120.13 A2 (d)).

An important contributor to ethical behaviour and successful application of the conceptual
framework is the culture of the accountant’s organisation. An ethical culture comprises:

• Leaders who promote and are accountable for ethical behaviour.

• Established training, performance evaluation and reward systems that promote ethics.

• Encouragement and protection for those who report actual or suspected illegal or
unethical behaviour (whistle-blowers).

Safeguards not only play a role in reducing threats to an acceptable level but they may act
as a deterrent to unethical behaviour through readily available complaint systems and explicit
requirements to report breaches of the requirements.

1.2.2.6 Ethics for Professional Accountants in Business


Chapter A Part 2 deals with professional accountants in business. It recognises that third
parties such as investors, creditors, employers, governments, and the general public might
rely on professional accountants working in a business, for example, for the preparation of
reliable financial information. The Code requires that those accountants apply the conceptual
framework approach outlined above.

Chapter A Part 2 provides guidance on situations that could create a threat to the
fundamental ethical principles and the need to consider safeguards:

• Conflicts of interest. These situations create a threat to objectivity and may compromise
compliance with other fundamental principles. For example, acting for both parties in a
situation where a partnership is to be terminated or being involved in a management or
governance position in two entities and having access to confidential information about
one of those entities that could be used to the advantage or disadvantage of the other.
In such situations it is recommended that members seek guidance from appropriate
individuals within the entity or externally, such as legal counsel or the HKICPA, in order
to understand their obligations in relation to confidentiality. An appropriate safeguard
could be to withdraw from the decision-making process (COE s.210).

A professional accountant shall remain alert to changes over time in the activities, interests
and relationships that might create a conflict of interest (COE R210.6).

• Preparation and presentation of information. Members in business often participate in
the preparation of information that is made publicly available or provided to other
parties, for example financial statements, budgets, forecasts, risk analyses and tax
returns. Members are responsible for preparing that information fairly and honestly
and in accordance with the applicable reporting requirements, and should consider the
information’s purpose, context and audience (COE s.220; COE R220.4(a)–(f), R220.5,
R220.6, R220.7).


Intimidation threats may arise, for example, where there is pressure applied by external
parties to prepare information that is misleading. Safeguards against external pressure being
applied to a member are processes to enable consultation with senior personnel within the
entity, the audit committee, or governing body.

When the accountant has reason to believe that information is misleading, they shall
take action to resolve the matter. If after exhausting all options, there is reason to believe
that information is still misleading, the accountant shall refuse to be associated with the
information (COE R220.8, R220.9).

• Acting with sufficient expertise. This requires that members have the appropriate
training and experience to undertake the task in which they are involved. Threats to
this requirement can arise, for example, where training and expertise are insufficient or
there is insufficient time and resources available to complete a task with the necessary
level of professional competence and due care. Safeguards include obtaining additional
training or obtaining assistance from personnel with the appropriate expertise. If a
threat to professional competence cannot be addressed, a professional accountant
shall determine whether to decline to perform the duties in question (COE s.230;
COE R230.4).

• Financial interests, compensation, and incentives linked to financial reporting and decision
making. A professional accountant shall not manipulate information or use confidential
information for personal gain, or for the financial gain of others. Financial interests
create a self-interest threat to the ethical principles of objectivity and confidentiality.
Threats could arise, for example, where a member’s remuneration includes a bonus
based on the entity’s profit or bonus scheme where the profit or share value could be
affected by decisions being made or influenced by the member. In addition to a
self-interest threat, there may also be an intimidation threat where more senior personnel
within the entity apply pressure to produce misleading outcomes to enhance their
remuneration. Safeguards include, for example, having remuneration determined by an
independent committee within the entity or policies that require disclosure of trading in
entity shares (COE s.240; COE R240.3).

• Inducements, including gifts and hospitality. Members may be offered inducements
such as gifts, hospitality, entertainment, political donations, friendship, employment,
or preferential treatment. Such offers may be made to unduly influence a member’s
actions or decisions. These situations create self-interest, familiarity, and intimidation
threats to integrity, objectivity, and professional behaviour. Factors to consider include
the nature, frequency and value of the inducement, its timing in relation to a relevant
action or decision, and the degree of transparency. Safeguards include, for example,
a policy of reporting gifts and hospitality or informing appropriate personnel within the
organisation of such situations. The third-party test should be applied (COE s.250).

A professional accountant shall not offer any inducement with the intent to improperly
influence the behaviour of the recipient or of another individual. Similarly, they shall not accept
any inducement made to improperly influence their behaviour (COE R250.7, COE R250.8).

Some inducements are prohibited by law or regulation. These are discussed in the following
paragraph.

• Responding to non-compliance with laws and regulations. During the course of performing
their duties, members may become aware of non-compliance or suspected non-compliance
with laws and regulations that impact the financial statements or operating
aspects of the business; for example, fraud, money laundering, non-compliance
with accounting standards, tax or environmental laws (COE s.260). The member’s ethical
responsibility is to:

(a) Act in the public interest.

(b) Comply with the principles of integrity and professional behaviour.

(c) Alert management or, where appropriate, Those Charged With Governance of the
employing organisation so as to enable the consequences of the matter to be rectified,
remediated or mitigated.

(d) Deter any action that has not yet occurred.

These situations may be subject to self-interest and intimidation threats. The member
needs to understand whether any legal or regulatory obligations exist to report such matters
to the relevant authorities. This may require seeking advice internally, seeking legal advice, or
consulting with regulatory or professional organisations. Safeguards might include protocols
and procedures within an entity as to how to deal with these matters, such as an internal ethics
policy or a whistle-blowing mechanism. Depending on the circumstances and those involved,
reporting to the governing body may be required.

• Pressure to breach the fundamental principles. Further to the specific situations already
dealt with, this section covers the broad issue of pressure being exerted on a member
to breach fundamental principles related to conflicts of interest and financial interests,
and provides further examples of those threats. Pressure might be explicit or implicit
and might come from within the employing organisation, for example, from a colleague
or superior, or from an external organisation such as the client (COE s.270; COE R270.3).

(a) Pressure to influence preparation or presentation of information

◦ to report misleading financial results to meet investor, analyst, or lender
expectations;

◦ from elected officials to misrepresent programs or projects to voters;

◦ to misstate income or expenditure to bias decision-making on capital projects;

◦ from superiors to approve expenditures that are not legitimate business
expenses; and

◦ to suppress internal audit reports containing adverse findings.

(b) Pressure to act without sufficient expertise or due care

◦ from superiors to inappropriately reduce the extent of work performed, and

◦ from superiors to perform a task without sufficient skills or within unrealistic
deadlines.

(c) Pressure related to inducements

◦ from others to offer inducements to influence the decision-making process, and

◦ from colleagues to accept a bribe or gift.

(d) Pressure related to non-compliance with laws and regulations

◦ to structure a transaction to evade tax.


It is suggested that safeguards to deal with these intimidation threats and with pressure
being exerted on a member include an entity culture and leadership that militates against
such behaviour, HR policies and procedures to address pressure, and an environment where
matters can be discussed with others in the entity. Also, a member could request a restructure
or segregation of responsibilities and duties so that the member is no longer involved with
the individual or entity exerting the pressure.

In all cases, the professional accountant should document:

• The facts and circumstances giving rise to the threat.

• Communications with any of the parties involved.

• Courses of action considered and safeguards applied to address the threat.

• A conclusion explaining how the threat has been reduced to an acceptable level.

1.2.2.7 Ethics for Professional Accountants in Public Practice


Chapter A Part 3 deals specifically with professional accountants in public practice, whether
providing assurance services or not. Part 3 links back to Chapter A Part 2 of the Code in
that it recognises that a professional accountant in public practice has a relationship with
the professional accounting firm of which they are an employee, contractor, or owner, and
requires that they comply with the requirements of Chapter A Part 2 as appropriate to those
relationships.

The Code cites as an example a situation where a professional accountant in public practice
is facing pressure from an engagement partner to incorrectly report chargeable hours for a
client engagement. It requires the professional accountant to apply the procedures identified
in relation to a professional accountant in business facing pressure to act inappropriately, such
as raising the matter at an appropriate senior level within the firm, disclosing the matter under
established procedures for reporting ethical issues, or raising the matter with human resources
personnel.

The first section of Part 3 deals with the application of the conceptual framework by
accountants in public practice (identify and evaluate threats and apply safeguards addressing
threats; see Section 1.2.2.4). The remaining sections of Part 3 identify common areas where
threats arise, and appropriate safeguards that might be used to address those threats. The
following mirrors this approach.

Applying the Conceptual Framework


When evaluating the threats under the conceptual model, the COE requires that consideration
be given to the client type [e.g., Public Interest Entity (PIE)] and the client’s operating
environment (e.g., competence and governance structure). The COE is particularly concerned
with the provision of a non-assurance service to an audit client where that client is a PIE.
The threat evaluation for a PIE should be heightened both because a PIE is highly visible and
because user needs are diverse (COE 300.7 A2–A4).

Consideration should also be given to the accounting firm and its operating environment,
the nature and scope of the professional service provided, and to new information or changes
in facts and circumstances.

The accountant’s threat assessment is influenced by the professional accounting firm’s
policies and procedures for identifying threats (e.g., self-interest, self-review, advocacy,
familiarity and intimidation threats), and for evaluating identified threats posed by the client,
and by the firm and its operating environment. Key factors of the firm’s operating environment
which might mitigate threats include:

• A leadership culture of compliance with the fundamental principles, one which
creates an expectation that engagement team members will act in the public interest.
This could, for example, be established through communications that reflect ethical
values, and actions and decisions by senior personnel that reflect ethical principles.
An inappropriate ‘tone at the top’ could lead to an inappropriate firm culture.

• Documented policies and procedures for monitoring and compliance that emphasise
the conceptual framework requirements to identify and evaluate threats, and to apply
safeguards. For example, such policies would require the disclosure and recording of
relationships between engagement team members and the client entity. Such policies
and procedures encourage and support a commitment to ethical principles.

• Compensation, performance appraisal, and disciplinary policies and procedures that
promote compliance with the fundamental principles. For example, policies that
mitigate the impact that the number of other services provided to an audit client would
have on the audit partners’ performance appraisal and compensation. Inappropriate
incentives and lack of enforcement of policies may encourage unprofessional
behaviour.

• Management of the reliance on revenue received from a single client.

• Authority of engagement partners for decisions concerning compliance with ethical
principles and in relation to client service decisions and prohibiting non-members of an
audit engagement team influencing the outcome of the engagement.

• Educational, training, and experience requirements. Policies that require engagement
personnel to have the necessary competence and to maintain their skill base through
ongoing professional development support compliance with the fundamental principles.

• Complaint processes to ensure that concerns are dealt with and disciplinary processes
applied support a compliance culture (COE 300.7 A5).

Threats and Safeguards


The discussion of the Conceptual Framework in Chapter A Part 3 is followed by guidance on
safeguards that address a number of common threats. These sections of Part 3 are briefly
summarised below:

• Conflicts of interest. This relates to avoiding situations that could compromise
professional and business judgements, and with threats to objectivity that could
arise where a professional accountant provides services to two or more clients
whose interests are in conflict. For example, preparing a valuation of assets for two
parties who are in an adversarial position with respect to the asset. Another example
offered describes a situation where the accountant is representing two clients in the
same legal dispute, such as dissolving a partnership. The professional accountant is
required to identify the nature of the relationships between the parties involved and
the implications for the relevant parties before accepting a new client. Consideration
needs to be given to whether consent of the parties is appropriate as a safeguard, and,
where consent is not given when considered necessary, the engagement or relationship
should be terminated. The professional accountant should document the matter and
decisions made (COE s.310).


• Professional appointments. These can create threats to any of the fundamental
principles, but of most concern are threats to integrity and professional behaviour in
situations involving accepting new clients or changes to an existing engagement. The
requirements are to have knowledge and understanding of the client, management,
and the business and to be aware of issues such as illegal activities and questionable
financial reporting practices. There is also a self-interest threat to professional
competence and due care if the accountant does not have the appropriate skills and
knowledge for the engagement and business. Examples of safeguards include using
experts who can provide the required knowledge and skills. Where an accountant is
replacing another accountant, it is recommended that there is communication between
the two accountants to identify relevant issues, particularly in an audit or review
situation where communication with the predecessor auditor is required to obtain
information as to whether the incoming auditor should accept the engagement. If
the client does not allow such communication, consideration needs to be given as to
whether to accept the engagement (COE s.320).

• Engagement quality reviewer. A threat to objectivity might arise when an engagement
partner in respect of a public interest entity is assigned responsibility for the engagement
quality review. The Code provides for a cooling-off period to deal with this threat. Where
an individual acted as the engagement partner for seven cumulative years, the cooling-off
period shall be five consecutive years (COE R540.11). Where the individual acted in a
number of key roles in relation to the engagement, the Code provides guidance about the
length of an appropriate cooling-off period (COE R540.12–20) (COE s.540; COE R540.11–20).

• Second opinions. This covers situations where a professional accountant’s opinion
is sought for an entity that is not an existing client on the application of accounting,
auditing, reporting, or other standards or principles regarding a specific transaction or
circumstance. This is a self-interest threat to the fundamental principle of competence
and due care if the opinion is not based on the same facts and circumstances as the
party providing the initial advice. A safeguard would be to obtain client permission to
contact the other accountant. If that permission is not provided it would be appropriate
to consider whether to accept the engagement (COE s.321).

• Fees and other types of remuneration. Quoting fees is not considered unethical.
However, it is recognised that a self-interest threat to competence can arise if the
quoted fee is so low that it will be difficult to perform an engagement in accordance
with relevant standards. If such a threat is identified, safeguards such as adjusting
fees to an appropriate level, or having an Engagement Quality Review performed by
an appropriate person, could reduce the threat to an appropriate level. This section
also deals with contingent fees, referral fees and commissions. Contingent fees can
be used for some non-assurance engagements but may create a self-interest threat to
objectivity. Safeguards are to have the work done by a member not involved with the
engagement or to obtain a written agreement in advance from the client. These could
be referral fees and commissions, for example a commission from a software vendor
for sales of products to clients or a fee for referring a client of another accountant
because of an inability to provide a specific service. These situations can create
self-interest and professional competence and due care threats. The suggested safeguards
are to disclose the matters to the client and obtain in advance a written agreement with
the client as to the arrangements (COE s.330).

• Inducements including gifts and hospitality. It is recognised that inducements could
create a self-interest, intimidation or familiarity threat, and non-compliance with
the fundamental principles of integrity, objectivity, and professional behaviour.
Unless trivial or inconsequential, no inducements should be offered or accepted if a
reasonable and informed third party might conclude that the intent is to improperly
influence behaviour (the reasonable and informed third-party test). Consideration
must also be given to laws and regulations that may be relevant to the circumstances.
Assessing whether or not the intent of an action is to improperly influence behaviour
involves the exercise of professional judgement which might include considering (COE s.340):

(a) The nature, frequency, value and cumulative effect of the inducement.

(b) Its proximity to the timing of a decision.

(c) Whether it reflects a customary or cultural practice.

(d) Whether it is available to only an individual or a broader group.

(e) The degree of transparency as to its occurrence.

(f) Whether it is an ancillary part of a professional service.

(g) Role or position of the one who offered, or was offered, the inducement.

(h) Whether the accountant knows accepting the inducement would breach firm policy.

(i) Whether the inducement was requested by the recipient.


(j) The known previous behaviour of the offeror.

If it is determined that an action was not intended to unduly influence behaviour, the level
of any threat can be reduced by safeguards such as being transparent about the matter with
senior personnel within the firm, maintaining a log of such matters that is regularly reviewed
by senior personnel, or having the work in relation to the service reviewed by a member not
involved in the engagement. Donating the gifts to charity or reimbursing the cost of gifts and
hospitality could reduce the threats created.

• Custody of client assets. Custody of client monies is not permitted, unless permitted by
law. Custody of assets can create self-interest threats to professional behaviour and
objectivity. Safeguards include keeping those assets separate from firm assets (e.g., in
trust accounts) and using them only as intended, ensuring that any dividends or gains
are accounted for and comply with relevant laws and regulations (COE s.350).

• Responding to non-compliance with laws and regulations. Self-interest or intimidation
threats could undermine the principles of integrity and professional behaviour if a
professional accountant becomes aware of a client’s non-compliance, or suspected
non-compliance, with laws and regulations. The accountant’s obligation is to obtain
an understanding of the nature of the matter, the legal requirements facing the client
and the potential harm to the interests of the entity, investors, creditors, employees, or
the public. Any non-compliance is to be discussed with management, advising them to
take appropriate action if they have not already done so. The accountant should assess
management’s response to determine (COE s.360):

(a) whether further action is required in accordance with relevant laws, regulations and
standards, and

(b) to ensure that any action is in the public interest.

Where the professional service concerned is an audit, circumstances, communications,
actions considered, judgements made, actions taken, and outcomes shall all be documented.
Where the professional service concerned is other than an audit, documentation of the matters
described is encouraged (COE R360.28).

1.2.2.8 Ethics and Independence


The Code and the Quality Management Standards require that the professional accountant be
independent when undertaking audits, reviews, and other assurance engagements. Chapter A
Part 4 of the Code deals with Independence. Part 4 comprises Parts 4A and 4B. Part 4A deals
with independence in relation to the provision of audit and review engagements and Part 4B
deals with independence in relation to other assurance engagements.

The structure of Parts 4A and 4B mirrors that of Parts 2 and 3 discussed above. Each
part begins with a section discussing the application of the Conceptual Framework (Identify,
Evaluate, and Address threats; see Section 1.2.2.4), and then a number of sections identifying
common threats and related safeguards. The following material mirrors this approach.

Part 4A Independence for Audit and Review Engagements


Applying the Conceptual Framework
Independence is a fundamental distinguishing feature of the accountancy profession, one
which is critical to its role as an assurance provider. Assurance is only valuable to users of
information if the assurance provider is, and is seen to be, unbiased, objective, and with no
vested interest in the entity or the information about which the assurance is given.

The accountant should demonstrate both independence of mind and independence in
appearance:

• Independence of mind requires unbiased and objective professional judgement,
allowing an individual to act with integrity and the exercise of professional skepticism.

• Independence in appearance requires the reasonable and informed third-party test.

Professional judgements should be unbiased, but also must appear to be unbiased to well
informed third parties. The appearance of independence demonstrates professional behaviour.

Independence is required during:

• The engagement period, and

• The period covered by the financial statements.

Documentary evidence about judgements made in relation to independence issues (the
auditor’s application of the conceptual framework) must be produced and maintained by the
accounting firm.

Breach of Independence

Where a firm concludes that there has been a breach of the independence requirements of
the Code, the following is required (COE R400.80):

• Discontinue the interest or relationship implicated in the independence breach, and
address any consequences.

• Consider any legal or regulatory implications.

• Communicate the breach to appropriate firm personnel.

• Evaluate any impact on the ability to issue an audit report.

• Consider whether to continue the engagement, or the possibility of taking action to
address the breach satisfactorily. Actions that might be considered include:

(a) Removing that relevant individual from the audit team.

(b) Using different individuals to conduct an additional review of the affected work, or
re-perform that work to the extent necessary.

(c) Recommend that the client engage another firm to review or re-perform the
affected work to the extent necessary.

(d) If the breach relates to a non-assurance service that affects the accounting records
or an amount recorded in the financial statements, consider engaging another
firm to evaluate the results of the non-assurance service or re-perform the
non-assurance service.

The significance of a breach of the firm’s independence is determined by factors including:

• Its nature and duration.

• The number and nature of any prior breaches.


• Whether an audit team member had knowledge of the interest or relationship that
created the breach.

• Whether the individual who created the breach is an audit team member.

• The seniority of that individual.

• If the breach was created by providing a professional service, the impact of that service
on the accounting records or financial statements.

• The extent of other threats created by the breach.

The auditor should document facts, circumstances, interests, and relationships that led
to the identification of the breach, actions taken, and decisions made. If the firm determines
that action can be taken to address the breach satisfactorily, the firm shall discuss with Those
Charged With Governance:

• The significance, nature, and duration of the breach.

• How it occurred and how it was identified.

• The action proposed or taken, and how that action satisfactorily addressed the breach
and enabled the firm to issue the audit report.

• The conclusion that objectivity has not been compromised, and the rationale for that
conclusion.

• Steps taken or proposed to avoid the risk of further breaches occurring.

All matters discussed with Those Charged With Governance regarding the breach should be
communicated to them in writing, and they should be asked to concur that action has been or
can be taken to address the breach. In addition, the communication should describe the firm’s
policies and procedures designed to provide assurance that independence is maintained, and
the steps taken or proposed to be taken to reduce the risk of future breaches. If Those Charged
With Governance do not concur, the firm should end the engagement. The firm should also
consider the impact of the breach on previously issued audit reports.

Common Threats and Safeguards in Audit and Review Engagements


The discussion of the Conceptual Framework in the first section of Part 4A is followed by
a number of sections, each of which identifies common threats to independence in audit
and review engagements, and relevant safeguards. These sections of Part 4A are briefly
summarised below:

• Fees. Depending on the nature, level, and types of remuneration, audit fees can create
self-interest and intimidation threats. This could be a concern where the total fees from
one client represent a significant proportion of the total fees of the firm, or of one audit
partner (COE s.410).

Safeguards:

• Increase the client base of the firm or the partner to reduce their reliance on the fees
from that client.

• Have an appropriate reviewer who is not a member of the firm review the work.

• Reduce the extent of services provided to that audit client.


For an audit client that is a PIE, if, for two consecutive years, the total fees charged from
one client represent more than 15% of the total fees of the firm, a pre-issuance engagement
quality review by a professional accountant not in the firm should be considered. (A
‘pre-issuance’ review would be undertaken prior to the issue of the audit opinion for the second
year.) In addition, if the fees continue to exceed 15% for five consecutive years, the firm shall
cease to be the auditor after the audit opinion for the fifth year is issued (COE R410.18,
R410.20).

Similar safeguards exist for audit clients that are not PIEs, except that the threshold for
consideration of an independent review is five consecutive years and 30% of total fees, and the
review can be either a pre-issuance review (before the fifth year’s report) or a post-issuance
review (before the sixth year’s report) (COE R410.15).

Overdue fees also create a self-interest threat. If fees are overdue for a long period, they
take on the characteristic of a loan to the client (in which case the requirements and application
material set out in Section 511 ‘Loans and Guarantees’ are applicable) and consideration needs
to be given as to whether to continue the engagement, or to be re-appointed (COE s.511;
COE R410.13).

A contingent fee is based on the outcome of the service performed. Firms are not permitted
to charge contingent fees directly or indirectly for an audit engagement, or to an audit client for
non-assurance services if the fee is material to that firm (COE R410.9–10).

Transparency of Information
The auditor should communicate with Those Charged With Governance of a PIE in relation to:

• Fees paid or payable to the firm or network for the audit.

• Fees for services other than audit fees charged to the client.

• Whether the fees represent more than 15% of the total fees received by the firm.

• Whether any threats created by those fees are at an acceptable level, and if not,
any actions the firm has taken or proposes to take to reduce such threats to an
acceptable level.

The firm may decide not to communicate the information above if the PIE is wholly owned
by another PIE and is consolidated into group financial statements prepared by that PIE
(the owner).

If laws and regulations do not require an audit client to disclose the above information
(audit fees, fees for services other than audit paid or payable to the firm and network firms
and information about fee dependency), the firm shall discuss with Those Charged With
Governance of an audit client that is a PIE:

• The benefit to the client’s stakeholders of the client making such disclosures.

• The information that might enhance the users’ understanding of the fees paid or
payable and their impact on the firm’s independence.

To the extent that the audit client does not make the relevant disclosure, the firm shall
publicly disclose fees paid or payable to the firm and network firms for audit and other
professional services, and any fees paid by related entities over which the audit client has direct
or indirect control.

If applicable, further disclosure should be made of the fact that the total fees received by
the firm from the audit client represent more than 15% of the total fees received by the firm for
two consecutive years, and the year that this situation first arose.

The following is a brief summary, with examples, of the threats and safeguards that could
arise in public practice and that are covered in Part 4A:

• Compensation and evaluation policies. A self-interest threat may be created where an
engagement team member is evaluated or compensated on the basis of the level of
non-assurance fees obtained from a client. The threat can be eliminated by revising
the compensation plan or evaluation process for the individual, or by removing the
individual from the engagement team. A safeguard to reduce the threat would involve
reviewing the work of the member involved (COE s.411). A firm shall not evaluate or
compensate a key audit partner based on that partner’s success in selling non-assurance
services to the partner’s audit client (COE R411.4).

• Gifts and hospitality. Firms or audit team members cannot accept gifts or hospitality
unless the value is trivial and inconsequential (COE s.420).

• Actual or threatened litigation between the firm and client creates self-interest and
intimidation threats. Such situations may affect the relationship between management
and the auditor in a way that impedes full and effective disclosure relating to the client’s
business necessary to the audit process. The safeguard available in this case is to have
the audit work reviewed by a member not involved in the audit engagement or the
litigation (COE s.430).

• Financial interests in a client create a self-interest threat. This threat is seen as significant
and therefore no direct or material indirect financial interest in an audit client can
be held by the firm, network firm, audit engagement team member or any of that
individual’s immediate family, or other partners in the office of the audit engagement
partner or any of that partner’s immediate family or other partner or managerial
employee providing other non-audit services. Similarly, no financial interest by the firm,
network firm, audit engagement team member or any of that individual’s immediate
family is permitted in an entity controlling an audit client where the client is material
to the entity. The same applies to the situation where the firm acts as trustee unless
the interest is immaterial to the trust, or the trustee cannot exert influence over the
audit client (COE s.510).

A firm, or a network firm, or an audit team member, or any of that individual’s immediate
family shall not hold a financial interest in an entity when an audit client also has a financial
interest in that entity unless it is immaterial, or the audit client cannot exercise significant
influence over the entity (COE R510.8).

If a firm, a network firm or a partner or employee of the firm or a network firm, or any
of that individual’s immediate family, receives a direct financial interest or a material indirect
financial interest in an audit client by way of an inheritance, gift, or as a result of a merger
and the interest would not otherwise be permitted to be held under this section, then, if the
individual is an audit team member, it shall be disposed of immediately. Where the interest is
received by an individual who is not an audit team member, it shall be disposed of as soon as
possible (COE R510.9).

• Loans and guarantees create self-interest threats. A firm or member of an engagement
team cannot make a loan or provide a guarantee to a loan to a client unless it is
immaterial to all parties. A firm or member of an engagement team cannot accept a
loan from a client unless it is made under normal lending procedures, conditions, and
terms, such as a bank overdraft, mortgages, car loans and credit card balances. If the
loan is material the threat may still exist and the safeguard of having the audit work
reviewed by a member not involved in the audit may be necessary (COE s.511). A firm,
audit team member, or their immediate family shall not have deposits or brokerage
accounts with an audit client that is a bank or broker unless held under normal
commercial terms (COE R511.6).

• Business relationships. A close business relationship between a firm, a network firm or
an audit engagement team member, or their immediate family, and the audit client
or its management involves a financial interest that could cause a self-interest or
intimidation threat. For example, in the case of an interest in a joint venture, unless the
financial interest is immaterial or the business relationship insignificant to the client, its
management and the firm or engagement team member, such arrangements should
not be entered into or should be terminated (COE s.520).

A firm, a network firm, an audit team member, or any of that individual’s immediate family
shall not have a business relationship involving the holding of an interest in a closely-held entity
when an audit client or a director or officer of the client, or any group thereof, also holds an
interest in that entity, unless the interest is insignificant, or immaterial, or does not give the
investor control of the entity (COE R520.5).

The purchase of goods and services from a client may be acceptable if it is in the
normal course of business and undertaken at arm’s length through the normal purchase
process. Consideration as to the nature and magnitude of the purchase may still result in a
determination that the threat remains unacceptable unless the arrangement is modified to be
less significant.

• Family and personal relationships. Where a family or personal relationship exists
between an audit engagement team member and an employee of the audit client, a
self-interest, familiarity, or intimidation threat may exist (COE s.521).

The COE identifies four relationships of concern. Where an audit team member:

(a) Is an immediate family member of an employee of the audit client who is able to
exert significant influence on the financial position, performance or cash flow of the
client. In this case, the member may not continue as an audit team member.

(b) Is a close family member of an employee of the audit client who is a director
or officer of the client and is able to exert significant influence on the financial
position, performance, or cash flow of the client. The threat posed by a close family
member depends on the nature of the relationship. In this case, the firm should
consider removing the member from the engagement team or restructuring the
responsibilities of the audit engagement team so that they do not deal with matters
for which the family member is responsible.

(c) Has a close personal relationship (but not a family relationship) with an employee
of the client who is a director or officer of the client, or who is able to exert
significant influence on the financial position, performance or cash flow of the
client. In this case, the safeguards suggested are the same as those for a close
family member.

(d) Finally, the COE discusses relationships between partners and employees of
the firm who are not members of the audit team, but have a personal or family
relationship with a director or officer of an audit client, or an employee with
significant influence over the client. In this last case, one suggested safeguard is the
appointment of an appropriate reviewer for the engagement.

• Recent service with an audit client. In situations where a member of the engagement
team had previously been employed by the client and had responsibility for the
preparation of accounting records now subject to audit, self-interest, self-review,
and familiarity threats may be created. Depending on the nature and extent of the
involvement of the member, the time period since being employed by the client,
and their role in the engagement team, the member should not be assigned to the
engagement team or, as a safeguard, the work of that member undertaken during the
audit should be reviewed (COE s.522).

• Serving as a director or officer of an audit client. No partner or firm employee should
serve as a director or officer of an audit client, as the self-review and self-interest
threats would be so significant as not to be able to be reduced to an acceptable level
(COE s.523).

• Employment with an audit client. If a former member of the audit engagement team
joins an audit client and can exert significant influence over the financial reporting
process, and that individual maintains a connection with the audit firm, familiarity and
intimidation threats would compromise independence. If no significant connection
remains, then the significance of the threat depends on, for example, the position taken
by the individual with the client and any ongoing involvement with the engagement
team. Safeguards may be applied, such as modifying the audit plan, to reduce the
threats to an acceptable level (COE s.524).

Where an audit client is a PIE and an individual who was a key audit partner joins the
client as a director or officer, or an employee who is able to exert significant influence, then
independence is compromised unless subsequent to the individual ceasing to be a key audit
partner, the client issued audited financial statements covering at least 12 months and the
individual was not an audit team member with respect to those financial statements
(COE R524.6).

• Temporary personnel assignments. A self-review, advocacy or familiarity threat may be
created where an audit firm provides staff to the audit client. Such staff should not have
management responsibilities and should be directed and supervised by the audit client.
Safeguards include not giving the loaned staff audit responsibility for any function or
activity that the personnel performed during the loaned staff assignment, conducting
additional review of the work performed by the loaned staff, and not including that
member on the audit engagement team (COE s.525).

• Long association with an audit client (including partner rotation). Where audit firm
personnel have been involved with an audit client over a long period, familiarity and
self-interest threats are created. Safeguards include rotation of audit personnel off
the audit engagement team, review of the work of that member by an individual not
involved in the audit, and internal and external quality reviews of the engagement. For
clients that are PIEs, a member cannot be (COE s.540, R540.12, R540.13):

(a) The engagement partner for more than seven years and cannot be involved again
with that client engagement for a further five years.

(b) The Engagement Quality Reviewer (EQR) for more than seven years and cannot be
involved again with that client for a further three years.

(c) A key audit partner (other than the engagement partner or EQR) for more than
seven years and cannot be involved again with that client engagement for a further
two years.

Threats and Safeguards for the Provision of Non-Assurance Services (NAS) to an Audit Client
Chapter 1 Part 4A Section 600 provides guidance on applying the conceptual framework to
identify, evaluate, and address threats to independence when providing non-assurance services
(NAS) to audit clients. The following sub-sections provide guidance on threats that might be
created as a result of providing NAS, safeguards which might be applied, and situations in
which NAS are prohibited because threats cannot be effectively addressed:

• Conceptual framework. Before a firm accepts a NAS engagement with an audit client,
the firm shall determine whether providing such a service might create a threat to
independence. Where appropriate safeguards are not available, the firm should decline
the NAS or the audit engagement (COE R600.4, 600.6 A38).

• Self-review. The firm should consider whether providing a NAS to an audit client creates
a self-review threat when the results will form part of or affect the accounting records,
the internal controls over financial reporting or the financial statements. In addition,
the firm should consider whether the audit team will rely on any judgements made or
activities performed when providing the NAS (COE R600.10).

• Management responsibility. The provision of a NAS that would result in the audit firm or
member assuming a management responsibility within the client entity is prohibited.
The firm must be satisfied that client management makes all judgments proper to
management (COE R600.7, R600.8, R600.10).

• Prohibitions (non-PIE). A firm shall not provide valuation services involving significant
subjectivity or material amounts, accounting and bookkeeping, recruiting services,
marketing, planning or opining in favour of a tax treatment associated with tax
avoidance, or assisting in the resolution of tax disputes to an audit client that is
not a PIE (COE R601.5, R603.4).

• Prohibitions (PIE). A firm shall not provide NAS to an audit client that is a PIE if that
service might create a self-review threat. This requirement means that the provision of
most NAS to PIEs is prohibited. For example, prohibited services include (COE R601.6,
R603.5, R604.6, R605.5, R606.5):

(a) accounting and bookkeeping,

(b) valuation services,

(c) the calculation of current and deferred tax balances, tax advisory and tax planning
services, valuations for tax purposes, provision of assistance in the resolution of tax
disputes, tax services that involve assisting in the resolution of tax disputes to an
audit client,

(d) IT services where the IT forms part of the internal control or accounting system,

(e) acting as an expert witness,

(f) providing litigation support or legal advice,

(g) acting in an advocacy role,

(h) internal audit,

(i) recruiting services, and

(j) corporate finance services.


• Recruitment services that are prohibited with respect to directors, officers, or senior
management able to exert significant influence over the financial statements include
negotiation, searching for candidates, undertaking reference checks, recommending a
candidate for appointment, and advising on terms of employment or remuneration
(COE R609.4, R609.6, R609.7).

Examples of permitted services include tax return preparation, proposing adjusting
journal entries arising from audit findings, discussing findings regarding internal controls, and
discussing the resolution of reconciliation issues (COE R603.5, R601.6).

• Client becomes PIE. A re-assessment of the threat to independence of NAS currently or
previously provided is required when the client becomes a public interest entity (PIE).

• Communication with Those Charged With Governance. Before a firm that audits the
financial statements of a PIE accepts an engagement to provide NAS the firm shall
inform Those Charged With Governance that the provision of the service is not
prohibited, will not create a threat to the firm’s independence, and provide Those
Charged With Governance with information to enable them to make an informed
assessment. Those Charged With Governance must agree with the firm’s conclusion
about the threat and agree to the provision of the service (COE R600.21, R600.23).

HKSQM 1 addresses the fulfilment of relevant ethical requirements. The firm may need
to design and implement policies or procedures that prohibit the provision of certain
non-assurance services to clients that are public interest entities for which the firm performs
audits or reviews of financial statements.

All the examples above relate to the provision of a NAS by a firm to an audit client.
Numerous similar provisions appear in Part 4A regarding network firms (a firm that is part of a
network of accounting firms) providing a NAS to any of a group of entities which include a PIE.
Such a group would include the PIE and any entity that controls the PIE or is controlled directly
or indirectly by the PIE. To summarise, ‘a firm or a network firm shall not provide a NAS to any
of the entities in a group which includes a PIE, without the agreement of Those Charged With
Governance’.

The following examples cover the majority of non-assurance services provided by
accounting firms, and illustrate common threats and related safeguards.

• Accounting and bookkeeping. Depending on the nature of the service a self-review threat
may exist. Accounting services that are mechanical or routine and require minimal
professional judgement, for example payroll calculations based on client data and
approved entries to the trial balance, are acceptable.

Where the service is more substantial, safeguards, such as having the service performed
by a professional that is not part of the audit team or having a review of the audit or services
provided by an independent member of the firm could be applied to reduce the risk to an
acceptable level.

• Administrative. Tasks that are routine and mechanical in the normal course of
operations, such as word processing or preparing statutory forms for client approval,
are acceptable. Managerial tasks are inappropriate.

• Valuation. A valuation service may create a self-review or advocacy threat where that
valuation relates to an asset, liability, or business, and whether it will have a material
impact on the financial statements. The significance of the threat also depends on
such factors as the availability of established methodologies, the subjectivity of the
data, and the extent of management’s involvement in determining and approving the
methodology. Safeguards include review by a member not involved in the valuation
or the audit, or having the valuation performed by a member not involved in the audit
engagement team.

• Tax. Taxation services cover a range of activities from preparation of the tax return,
calculations for recording the taxes payable and other accounts in the financial
statements, tax planning, and assistance in resolving tax disputes.

Assistance with tax return preparation is acceptable as long as management takes
responsibility for the return and the significant judgements made in its preparation. However,
preparing calculations for items to be included in the financial statements creates a self-review
threat, the significance of which depends on the materiality of the item, the complexity of the
law, and the level of expertise of the client’s staff involved.

Safeguards include having the service provided by a member who is not part of the
audit engagement team or obtaining external expert advice. Tax planning may also create a
self-review threat where such advice impacts business operations and items in the financial
statements. Assisting a client to resolve a tax dispute may create an advocacy or self-review
threat. The same safeguards are again applicable.

• Internal audit. The provision of internal audit services to an audit client creates a
self-review threat. This arises where the firm provides an internal audit service to assist
the client to perform its internal audit activities and that work is relied upon during the
course of the external audit. The extent of the threat depends on the nature and extent
of the internal audit services provided. For example, the firm’s personnel providing the
internal audit service should not take on any management responsibility.

Whether the risk can be reduced to an acceptable level will depend on factors such as the
materiality and likelihood of misstatement in the areas in which the internal audit service was
provided and the degree of reliance to be placed on that work. An appropriate safeguard is to
have the service provided by members who are not part of the audit engagement team.

• Information technology systems. A self-review threat is created where the firm provides
a service to design or implement hardware or software systems that are integral to
the client entity’s accounting, internal control, and financial reporting systems. These
services are prohibited because the threat cannot be addressed through safeguards.
Services that relate to systems that are unrelated to accounting records or financial
statements, or ‘off-the-shelf’ accounting systems requiring minimal customisation, are
acceptable. If safeguards are deemed necessary, assigning a member not involved in
the audit engagement team can be applied.

IT services are permitted if the firm is satisfied that the client is responsible for all
management decisions with respect to the design and implementation.

• Litigation support. An advocacy or self-review threat is created when a firm is requested
to assist in resolving a dispute or litigation that materially impacts the financial
statements. This type of service is not permitted. This is a particularly important matter
because, in many jurisdictions, the large accounting firms are the main employers of
legal staff.

• Legal. Depending on the nature of the service and the relationship to the outcome on
the financial statements, providing legal services may create self-review or advocacy
threats, for example when providing support to complete a transaction. Safeguards
include using a firm member who is not a member of the audit engagement team or
hiring external experts to advise on, or review, the matter and its financial statement
implications.

• Recruiting. The provision of recruiting services may create self-interest, familiarity, or
intimidation threats. Such services are permitted except that the firm should not be
involved in management responsibilities, negotiating on the entity’s behalf or making
hiring decisions.

• Corporate finance. Depending on the nature of the service, advocacy or self-review
threats may be created. For example, advice on the structuring of a transaction or
financing arrangements that will impact the financial statements may create a
self-review threat.

Safeguards include having the service provided by a member who is not part of the audit
engagement team, or seeking advice on financial statement issues from a professional not
involved in providing the service. However, where the advice depends
on an accounting treatment with which the audit engagement team is not supportive or the
outcome is material to the financial statements, such a service should not be provided. Services
promoting, dealing in, or underwriting a client’s shares are not permitted.

Part 4B Independence for Assurance Engagements other than Audit and Review Engagements
Applying the Conceptual Framework

Chapter A Part 4B of the code concerns independence for assurance engagements other than
audit and review engagements. Examples of ‘other assurance engagements’ include provision
of assurance on (COE R900.1):

• Key performance indicators.

• Compliance with law or regulation.

• Performance criteria achieved by a public sector body.

• Effectiveness of internal control system.

• Greenhouse gas statements.

• Specific elements, accounts, or items of a financial statement.

Chapter A Parts 4A Independence for Audit and Review Engagements and 4B Independence for
Assurance Engagements other than Audit and Review Engagements are very similar. The table of
contents of the two parts is nearly identical, and the same key threats and related safeguards
are discussed in each part. Additionally, the requirements and advice regarding threats and
safeguards are very similar. Significant matters already discussed in the context of Part 4A
above and which are relevant to Part 4B include the time frame for which independence must
be maintained, documentation requirements, and procedures to be undertaken when a breach
of independence is identified.

Parts 4A and 4B differ because the applicable standards are different:

• Audit engagements are governed by the Standards on Auditing (HKSA).

• Review engagements by the Standards on Review Engagements (HKSRE).

• Other assurance engagements by the Standards on Assurance Engagements (HKSAE).

Additionally, the parts differ because of the nature of the engagements. This means that
the terminology used is different; in particular, the terminology used with regard to other
assurance engagements is more general, as it must cover diverse engagements including those
identified in the first paragraph of this section (assurance on KPIs, etc.) and many other types
of assurance, some of which are described below. The following illustration compares the more
general terminology used to describe other assurance engagements with the more familiar and
specific terminology used to describe audits:

• Audits: To enhance shareholders’ degree of confidence in financial statements prepared
in accordance with an applicable financial reporting framework.

• Other Assurance: To enhance the intended users’ degree of confidence in the
measurement of a subject matter against criteria.

Clearly, the terminology used to describe other assurance engagements is more general.
Because of the diversity of possible engagements, no specific user, report, or criteria
are named.

Key matters that should be considered in application of the conceptual framework to other
assurance engagements include:

• Materiality. The materiality of the subject matter information.

• Public Interest. The degree of public interest in the assurance engagement.

• Independence. A firm performing an assurance engagement shall be independent of
the client.

• Conceptual Framework. Before a firm accepts a NAS engagement with an assurance
client, the firm shall apply the conceptual framework. (COE R900.12)

• Management Responsibility. The provision of a NAS that would result in the assurance
provider or member assuming a management responsibility within the client entity is
prohibited. (COE R950.6)

Part 4B recognises that the independence requirements can be modified where the
assurance provider’s report includes a restriction on its use and distribution. (COE R990.3)

Modifications are permitted if:

• The firm communicates with the intended users of the report in relation to the modified
independence requirements.

• The intended users understand the purpose, subject matter information, and
limitations of the report, and explicitly agree to the application of the modifications.

The modifications can only be applied to the aspects of the requirements relating to:

(a) Financial interests.

(b) Loans and guarantees.

(c) Close business relationships.

(d) Family and personal relationships.

Timing

The period during which independence is required to be maintained for an assurance
engagement includes the engagement period and the period covered by the subject matter
information. The engagement period starts when the team begins to perform assurance
services and ends when the assurance report is issued, or, for recurring engagements, the later of
the notification by either party that the professional relationship has ended or when the final
assurance report is issued.

If an entity becomes an assurance client during or after the period covered by the subject
matter information, the firm shall consider threats to independence during the period
covered by the subject matter information and up to the date that the entity became an
assurance client.

A threat to independence is created if a non-assurance service was provided to the
assurance client during or after the period covered by the subject matter information, but
before the engagement period began. The firm shall only accept the assurance engagement if
the threat is reduced to an acceptable level. (COE 00.31, R900.32)

1.2.2.9 Code of Ethics Chapter A Part E – Specialised Areas of Practice Such as Liquidation and Insolvency
This section applies to insolvency practitioners undertaking or preparing to undertake
liquidation and insolvency appointments and sets out the standards of conduct of those
practitioners.

It requires the insolvency practitioner to comply with the same fundamental principles of
the COE applicable to other members, that is, integrity, objectivity, professional competence
and due care, confidentiality, and professional behaviour.

It notes that objectivity is the fundamental principle that creates most ethical dilemmas
and provides more specific guidance in this area. It notes that the preservation of objectivity
is to be demonstrated by the maintenance of independence from influences that could affect
objectivity and to recognise both actual and perceived objectivity.

Part E adopts the conceptual framework approach to ethical issues: Identify, Evaluate and
Address threats. Specific and detailed guidance is provided in relation to:

• Accepting or not accepting appointments, covering such matters as conflicts of interest,
practice mergers, transparency, professional competence, and due care.

• Professional and personal relationships.

• Dealing with the assets of an entity.

• Obtaining specialist advice and services.

• Fees and other types of remuneration.

• Obtaining appointments.

• Gifts and hospitality.

• Record keeping.

The chapter includes a section that provides examples of specific circumstances that
create threats to compliance with the framework principles. For example, it indicates that
a practitioner should not take on an appointment (other than a voluntary liquidation) if the
practice or an individual practitioner within the practice has previously carried out audit-related
work within the last two years. It deals with a range of other specific circumstances.
(COE ch. E s.500)

1.2.2.10 Code of Ethics Chapter A Part F – Guidelines for Anti-Money Laundering and Counter-Terrorist Financing for Professional Accountants
Chapter A Part F is derived from the Anti-Money Laundering and Counter-Terrorist Financing
(Financial Institutions) Ordinance 2018 (AML/CFT). It should be noted that many of the
requirements in Part F are required by the profession.

The Guidelines apply primarily to public practices and members working in public practice.
Practices are expected to have in place customer due diligence procedures to minimise the
risk of involvement in money laundering and terrorist financing. Practices will therefore be
expected by the community to have in place adequate CDD or ‘know your client’ procedures
and arrangements for maintaining documentation, to minimise any risk of involvement in
AML/CFT. Practices that pay insufficient attention to the AML/CFT issues covered in these
Guidelines could be at greater risk of becoming unwittingly associated with AML/CFT activities,
with potentially serious consequences, such as criminal prosecution and loss of reputation.
It is in the interests of practices to familiarise themselves with these Guidelines and to take on
board the relevant Financial Action Task Force Recommendations within their risk management
programmes.

While the Guidelines do not have the force of law, they would be admissible in any court
proceedings under the AML/CFT Ordinance. The Guidelines are intended to:

• Provide general guidance on AML/CFT requirements.

• Indicate good practice in relation to Financial Action Task Force requirements.

• Summarise relevant legislative provisions on AML/CFT.

• Ensure compliance by members with prescribed requirements to prevent money
laundering and terrorist financing activities.

The Guidelines include the following sections:

• AML/CFT Policies, Procedures, and Controls. This requires practices to have internal
policies, procedures, and other controls to address money laundering and terrorist
financing concerns and compliance with legal requirements. Adoption of a risk-based
approach is suggested as being the most effective approach.

• Customer Due Diligence (CDD). Implementation of procedures to form a reasonable
belief that practitioners know the true identity of the client, the types of business and
transactions that the client is likely to have, and the source and intended use of funds.

• Ongoing Monitoring Implementation. Implementation of controls that require periodic
review of documents, data, and information, paying attention to transactions for
consistency with knowledge of the client and business, identifying transactions that are
complex or unusual, and examining their background and purpose.

• Making Suspicious Transactions Reports (STRs) as required by the laws and regulations.

• Financial Sanctions and Terrorist Financing. Comply with legal obligations and the need
to lodge STRs, when, for example, clients are listed by the UN in relation to imposed
restrictions.

• Record Keeping. Maintenance of relevant documentation, which is to be kept for
five years.

• Staff Hiring and Training Policies. To ensure that the staff understands AMLO
requirements.

For practices providing the following services, the Guidelines in relation to policies,
procedures and controls, CDD and ongoing monitoring, suspicious transactions reporting,
financial sanctions, and staff hiring are mandatory:

The preparation or carrying out for a client of a transaction involving:

• Buying and selling real estate.

• Managing client money, securities or other assets.

• Management of bank savings or securities accounts.

• Organisation of contributions for creation, operation, or management of a company or
legal persons.

• Buying and selling business entities.

In addition, providing trust or company services including:

• Forming corporations.

• Acting as a director or secretary of a company.

• Providing a registered office for a company.

• Acting as a trustee of an express trust.

• Acting as a nominee shareholder for a person whose securities are listed on a
recognised stock market.

When a practice is providing other services, the Guidelines represent good practice except
for the requirements in relation to suspicious transactions reporting and sanctions that remain
mandatory for those practices.

AML/CFT Policies, Procedures, and Controls

Practices must have in place internal policies, procedures, and other controls to address
AML/CFT concerns, and compliance with the existing legal requirements on AML/CFT. Practices
should communicate these policies and procedures clearly to employees. Policies relevant to
AML/CFT include:

• Risk assessment and management.

• Customer due diligence.

• Ongoing monitoring.

• Suspicious transactions reporting.

• Record keeping.

• Compliance management, including designating a Money Laundering Reporting Officer
(MLRO) at the management level.

• Staff hiring, ongoing training, and communication.

• Group policy, where appropriate.

(COE ch. F s.610.1, s.610.1.1)

With respect to AML/CFT policies, procedures and controls, the Guidelines recommend a
risk-based approach that takes into consideration circumstances such as:

• Types of clients involved and their geographical location.

• Services/products offered.

• Mode of delivery of the service/products.

• Size of the practice.

Such an approach would require classifying the money laundering and terrorist financing
risks of the client and establishing reasonable measures based on the identified risks. Practices
can then apply appropriate controls and oversight to clients in relation to:

• The extent of CDD to be performed on the client, the extent of the measures to be
applied to identify any beneficial owner and any person purporting to act on the
client’s behalf.

• The level of ongoing monitoring to be applied to the relationship.

• Measures to mitigate any identified risks.

Client risk assessments need to be monitored and adjusted as information is obtained and
the extent and frequency of CDD reviewed in the context of the client’s circumstances.

Senior management is responsible for compliance with the AML/CFT, and as part of the
arrangements must appoint a partner, director, or equivalent as a Compliance Officer (CO) to
review and oversee the Practice’s AML/CFT systems and controls. The practice must be satisfied
that the AML/CFT controls are capable of addressing the practice’s identified risks. Procedures
should be undertaken to verify the integrity of any new employees.

Senior management must also appoint a senior member of the practice’s staff as the MLRO
(who can be the same individual as the Compliance Officer). The MLRO deals with identifying
and reporting suspicious transactions. The responsibilities include:

• Review of internal disclosures and exception reports and determining whether the
circumstances warrant making an STR to the Joint Financial Intelligence Unit (JFIU).

• Maintaining records related to the internal reviews.

• Providing guidance on how to avoid ‘tipping off’ the client.

• Acting as the main point of contact with the JFIU and other relevant authorities.

(COE ch. F s.610.3.1)

The compliance function of a practice should monitor and review the AML/CFT controls to
ensure effectiveness. The frequency and extent of the review should reflect the identified
AML/CFT risks of the practice. Where practical, the compliance function should be independent and
report directly to senior management. Practices with overseas branches must adopt a group
AML/CFT policy to ensure all branches have the same AML/CFT procedures in place.

Customer Due Diligence (CDD)

The focus of CDD measures is to reduce the risk of a client not being who they appear to be
and to find out who the client is. The CDD can be either ‘Enhanced CDD’ (EDD) for high-risk
individuals, including foreign politically exposed persons, or ‘Simplified CDD’ (SDD) for low-risk
individuals. Practices must perform the following CDD measures:

• Identify the client using evidence provided by a government body or other reliable,
independent source.

• Identify the beneficial owner, where there is one, and take reasonable steps to verify
their identity, ensuring an understanding of complex legal and ownership structures.
A beneficial owner is an individual, or individuals, who ultimately own or control the
client, or on whose behalf a service is being provided. A beneficial owner in relation to a
corporation is an individual who owns or controls, directly or indirectly, more than 25%
of the issued share capital or voting rights, or who exercises ultimate control over the
management of the corporation. (COE ch. F s.620.6)

• Identify and take reasonable measures to verify any person purporting to act on behalf
of the client. Practices should take reasonable measures to verify the person’s identity
on the basis of documents, data or information provided by a governmental body or
any other source generally recognised as being reliable and independent. They should
also verify the person’s authority to act on behalf of the client. (COE ch. F s.620.7)

• Understand and obtain information on the purpose and intended nature of the
business relationship (if any) to be established with the practice. Relevant information
may include:

(a) The nature and details of the business/occupation/employment.

(b) The anticipated level and nature of the activity that is to be undertaken through the
relationship (e.g., the services that are likely to be required).

(c) Location of client.

(d) The expected source and origin of any funds to be used in the relationship.

(e) Initial and ongoing source of wealth or income.

(COE ch. F s.620.9)

Three interrelated factors are identified in relation to CDD. They are client risk, country/
geographic risk, and service risk, including delivery channel risk.

The judgement as to whether there is a higher level of client risk will take into account:

• Indications that the client is attempting to obscure understanding of its business,
ownership, or the nature of its transactions.

• Indications of certain transactions, structures, geographical locations, international
activities, or other factors that are inconsistent with the practice’s understanding of the
client’s business or economic position.

• The client’s operations, such as operating in industries, sectors, or categories where
opportunities for money laundering or terrorist financing are common.

Higher geographical risk can include circumstances where clients are located in, or are
sending funds to, a country subject to sanctions or identified as lacking an appropriate
AML/CTF regime, or are identified as having a significant level of corruption or of supporting terrorist
activities. Appendix B to the Guidelines provides further examples of risk factors.

The CDD process must be completed:

• Before establishing a business relationship with a client.

• Before carrying out an occasional transaction involving an amount equal to or above
HK$120,000, whether the transaction is carried out in a single operation or in
several operations that appear to be linked.

• Where there may be a suspicion of ML/TF.

• When there is doubt about the veracity or adequacy of information obtained for
identifying the client or verifying the client’s identity.

For all new clients, practices must be satisfied as to the intended purpose and reason for
establishing the relationship and document that information. Once the client identification
has been verified it does not need to be revisited although the process should ensure that
information remains up to date and relevant.

Where SDD is applied, the measures to be implemented will reflect the lower risk profile;
for example, the beneficial ownership can be established after the client relationship is in
place. The SDD approach may be applied, for example, where reliable information about the
client is publicly available, the practice has previously dealt with the client and is familiar with
the AML/CFT controls, or the client is a listed company that is subject to regulatory disclosure
requirements.

EDD requires additional measures to mitigate the risk and must include:

• Senior management’s approval to commence or continue the relationship.

• Taking reasonable steps to establish the wealth source of the relevant clients or
beneficial owners, or other measures to mitigate the risk, such as obtaining additional
information about expected account activity, regular updating of the client profile, and
performing stronger monitoring of the relationship through increasing the number and
timing of the controls applied and selecting patterns of transactions that need further
examination.

Practices should attempt to establish whether a beneficial owner is a Politically Exposed
Person (PEP), as the risk is higher with these individuals, being regarded as more prone to
corruption, especially foreign PEPs.

Identified PEP risk factors include:

• The PEP’s country of origin.

• Unexplained sources of wealth or income.

• Receipts of large sums from government bodies or state-owned entities.

• Commission earned on government contracts.

• Requests for secrecy in relation to a transaction.

• Use of government accounts as the source of transaction funds.

A practice can rely on an intermediary to perform CDD such as an accountant or lawyer,
including an appropriate overseas intermediary, but the practice retains ultimate responsibility
for it. (COE ch. F s.620)

Ongoing Monitoring
The Guidelines note that effective monitoring is essential to understanding the client’s business
and is integral to effective controls. The extent of monitoring is a function of the client’s risk
profile established through the risk assessment, and practices are therefore required to
monitor the client business relationships by:

• Periodically reviewing documents, data, and information to ensure they are up to date
and relevant.

• Paying attention to transactions undertaken for the client to ensure that they are
consistent with knowledge of the client and the nature of the business, risk profile,
source of funds, and looking for unusual activity.

• Identifying and examining complex, large, or unusual transactions that have no
apparent legal or economic purpose, and recording the findings.

(COE ch. F s.630)

Making Suspicious Transaction Reports


A Suspicious Transaction Report (STR) must be made to the JFIU as soon as practicable where
indications of money laundering exist. While confidentiality remains a fundamental ethical
principle, the obligation to make an STR overrides this, and in fact it is an imprisonable offence
for the MLRO to have knowledge or suspicion of money laundering and fail to make an STR.
The Hong Kong legislation on STRs is not limited and applies to all services provided by a firm.

Practices need to be careful to ensure that their line of enquiry with the client cannot
be construed as alerting the client, as this carries a penalty of a maximum of three years’
imprisonment and a fine of up to $500,000. Employees are protected if they did not know or
suspect that money laundering was occurring or that law enforcement was investigating. From
an employee perspective, the employee should have enough knowledge of the client’s business
to recognise suspicious transactions, and their obligation is to report to the MLRO.
(COE ch. F s.640.2.16, s.670.1.11)

Effective internal reporting requires that staff know the identity of the MLRO and should
normally make their reports directly to the MLRO, although they may consult with managers
or supervisors prior to doing so. Such reports must be documented and acknowledged by the
MLRO with a reminder to avoid tipping off the client.

The MLRO evaluates the report to establish whether there are grounds for suspicion
and whether a report to the JFIU is required. The MLRO needs to document the basis for any
decision. (COE ch. F s.640)

Financial Sanctions and Terrorist Financing


Practices must also be alert to the existence of targeted financial sanctions, such as those made
by the United Nations and implemented in Hong Kong.

A maximum of seven years’ imprisonment and a fine of an unlimited amount applies for
an offence of making funds or financial assets available to individuals or entities subject to
sanctions. The HKICPA may inform members of the targets of such sanctions through the
Government Gazette, against which practices can undertake name checks of their clients
and beneficial owners.

Regarding terrorist financing, the Secretary of Security of the Hong Kong Special
Administrative Region can freeze suspected terrorist property. Practices should not make
property or financial services available to such persons/entities. (COE ch. F s.650)

Record Keeping
Normal practice documentation systems may be sufficient to meet Guideline requirements to
maintain and retain records of their relationships and transactions. Records must be sufficient
to ensure that:

• Any client/beneficial owner can be identified.

• The audit trail for specific transactions is clear and complete.

• The original or suitable copies of all relevant records are available on a timely basis.

• Practices are able to provide evidence of compliance with any relevant requirements of
the Guidelines.

They must be retained for at least five years after the end of a business relationship or
transaction. (COE ch. F s.660)

Staff Hiring and Training


Employee hiring and training must be included in a practice’s AML/CFT policies, procedures,
and controls. Practices must undertake appropriate staff training as an important component
of preventing and detecting AML/CFT activities. MLROs may require more specific training
to effectively meet their responsibilities. Records must be kept of staff training, and practices
should monitor its effectiveness. (COE ch. F s.670)

1.2.2.11 Code of Ethics Chapters B and C


Chapter B of the Code is not used.

Chapter C covers additional requirements to be applied using the conceptual framework
approach. It covers:

• Changes in professional appointment.

• Change of auditors of a listed issuer of the Stock Exchange of Hong Kong.

• Unlawful acts or defaults by clients of members.

• Unlawful acts or defaults by or on behalf of a member’s employer.

• Ethics in tax practice.

• Corporate financial advice.

• Use of designations and institute’s logo.

• Practice promotion.

• Client’s monies.

Knowledge Check Questions

Question 7
The assurance framework identifies a number of elements necessary for an engagement
to be classified as an assurance engagement. Identify which of the following is not an
element of the assurance framework that is identified in the reporting and audit provisions
of the Companies Ordinance.
A The legislation identifies the responsible party.
B The legislation identifies the intended users.
C The legislation defines the level of assurance to be required to be provided by the auditor.
D The legislation identifies the reporting criteria.

Question 8
An auditor appointed under the Companies Ordinance has to report on a range of matters.
Identify which of the following is not a reporting obligation of an auditor.
A Whether the emoluments paid to company directors and disclosed in the notes to the
financial statements are adequate for the services provided.
B The company has kept adequate accounting records and the financial statements agree
with those records.
C The financial statements have been properly prepared in accordance with the Companies
Ordinance.
D Circumstances where the Director’s Report is inconsistent with the financial statements.

Question 9
Identify which of the following is responsible for sending the financial statements and
reports to shareholders under the Companies Ordinance.
A The audit committee
B The company’s directors
C The external auditor
D The company’s chief financial officer

Question 10
External auditing is a function performed by the accountancy profession. Identify which
of the following is not a role that auditing standards play in supporting the value of the
profession to third parties.
A Standards provide a public benchmark for the performance of audits that provides users
with a level of confidence about audit quality.
B Standards inform members of the profession as to the expected quality of performance.
C Standards provide the directors with a framework for management to approve the
audit plan.
D Standards provide a basis for disciplinary action against auditors.

Question 11
Identify which of the following is inconsistent with the audit principles of an
external auditor.
A The auditor must exercise a significant level of professional judgement.
B The auditor’s firm must have a system of quality management to provide reasonable
assurance that professional standards are complied with.
C If using the work of an internal auditor in the audit process the auditor should evaluate
that work.
D The auditor can assist their client’s management design and implement the hardware
and software for a new accounting information technology system and related controls.

Question 12
Identify which of the following is not normally the responsibility of an audit committee of a
company regulated by the Companies Ordinance.
A Considering problems encountered by the independent financial statement auditor
during the audit.
B Assessing whether the provision of other services by the external auditor could affect the
auditor’s independence.
C Approving and signing the entity’s financial statements on behalf of the directors.
D Making a recommendation as to the appointment of the external auditor.

Question 13
Identify which of the following explains why it is important that the auditor be independent
of the entity being audited.
A It is a suggestion in the profession’s COE.
B It supports the auditor in providing unbiased assistance to management in preparing the
financial statements.
C To ensure the audit opinion is not, or is not seen to be, influenced by any relationship
between the auditor and the entity, allowing the auditor to be unbiased and give an
honest opinion on the entity’s financial statements.
D To enable the auditor to act as a third party advocate for the entity in a litigation action
against the entity that may be material to the financial statements.

Question 14
By referring to the COE, review each of the following situations and identify which of the
fundamental principles of the COE are threatened and the nature of the potential threat to
be assessed.
(a) A senior audit manager in your firm has requested that the remuneration policy
of that manager takes into account the amount of fees from non-audit services
obtained from the manager’s audit clients.

(b) One of your audit partners has advised of a potential new client that if accepted
would constitute a significant proportion of that partner’s audit fees.

(c) The consulting division of your firm has indicated that it may become involved in
litigation with an audit client.

(d) An audit partner receives a personal loan from an audit client, which is a financial
institution.

(e) One of your partners has shares in a company that has no association with your
firm but is about to enter into a joint venture with a company that is an audit client.

(f) The managing director of one of your audit clients is a long-time tennis partner of
the engagement partner.

(g) The husband of the engagement partner of an audit client has inherited shares in
the audit client.

(h) One of your audit clients is having difficulty completing its financial statements so
your firm agrees to provide staff to the audit client on a temporary basis to assist.

(i) Your firm has recently lost some audit clients to other audit firms and is looking to
regain its market share. Accordingly, fee quotes are very low relative to the size of
the prospective clients in order to obtain clients.

(j) Your firm has recently prepared for an audit client a periodic valuation of a
significant asset under the terms of the audit client’s loan agreement with a financial
institution that requires confirmation with the terms of the agreement, and which
the management of the audit client will include in the financial statements.

(k) Your audit client is involved in a transaction with a major supplier and has
requested that your firm provide legal support to complete the transaction.

(l) One of your audit partners has been the auditor of a client for many years and is
reluctant to change as he regards his friendly relationship with management as
facilitating a timely audit outcome.

(m) Your firm is providing accounting and bookkeeping services to an audit client
that involve the preparation of payroll using data from the client and processing
accounting entries approved by the client.

(n) Your firm is providing your audit client assistance in preparing the company’s tax
return for which management takes responsibility for the outcome.

1.3 INTERNATIONAL STANDARDS AND GUIDELINES FOR AUDITING AND ASSURANCE

The demand for audit and assurance standards at the international level reflects the
globalisation of business and other activities. The fact that organisations operate in several
jurisdictions means that there is a need for the services provided by assurance service
providers to be harmonised to achieve a uniform level of quality. The International Federation
of Accountants (IFAC) was established in 1977 to facilitate this. It represents over 175 members
and associates, of which the HKICPA is one, in over 130 countries.

The IFAC website (www.ifac.org) states:

‘IFAC is the global organisation for the accountancy profession dedicated to serving the
public interest by strengthening the profession and contributing to the development of
strong international economies’.

The website states its vision as:

‘. . . the global accountancy profession be recognised as essential to strong and
sustainable organisations, financial markets, and economies’.

To achieve its mission, it:

• Supports the development of high-quality international standards;

• Promotes adoption and implementation of those standards;

• Builds the capacity of professional accountancy organisations; and

• Speaks out on public interest issues.

To achieve these goals in auditing and assurance services, IFAC established the IAASB, one
of its operational Boards. The IFAC website states:

‘The IAASB is an independent standard-setting body that serves the public interest by
setting high quality international standards for auditing, assurance and other related
areas, and by facilitating their adoption and implementation. In doing so, the IAASB
enhances the quality of practice throughout the world and strengthens public confidence
in the global auditing and assurance profession’.

To this end, the IAASB has issued an extensive set of auditing, assurance, and other
related standards. As indicated in the previous section, they are the basis on which the HKICPA
standards are developed and issued, a policy adopted in many of the IFAC member countries.

The structure of the standards issued by the IAASB, and therefore the HKICPA Standards,
has been modified over the years. It is important to understand this structure in understanding
the obligation to comply with them.

To achieve greater consistency in the application of the auditing standards globally, the
IAASB undertook a project to restructure the auditing standards into a ‘clarity’ format. While
some of the other standards have a different structure, the auditing standards, and therefore
the HKICPA auditing Standards, have the following structure:

• Introduction. Sets out scope of standards and the effective date.

• Objectives. Sets out the objectives to be achieved by the auditor.

• Definitions.

• Requirements. These are the mandatory requirements with which the auditor must
comply. If, in exceptional circumstances, the auditor judges it necessary to depart from
a relevant requirement, alternative procedures are to be performed to achieve the
requirement. If an objective cannot be achieved the auditor evaluates whether the overall
audit objective can be achieved. If not, the auditor’s opinion will need to be modified or, if
possible, under law or regulation, the auditor might withdraw from the engagement.

• HKICPA standards have a section on Conformity and Compliance with International
Standards on Auditing. This identifies any additions or departures from the
International Standard.

• Application and other explanatory material. This provides authoritative guidance and
explanation on the application of the requirements. This material aims to assist
auditors’ understanding of the requirements and provides illustrative audit procedures
and practical examples to improve consistent implementation of the requirements.

Through this process and the issue of these standards, the IAASB has sought to achieve
global best practice.

The process of harmonisation has also been applied in relation to ethical pronouncements
where IFAC ethical statements are adopted, amended as necessary by the HKICPA.

Through the extensive implementation of a harmonisation policy by national professional
accountancy organisations, users of audit and assurance services have greater confidence in
the services provided by auditors and assurance service providers.

This internationalisation of assurance and auditing standards has been significant for
auditors who audit companies with subsidiaries or components, such as a branch or division,
that operate in different countries. When multinational companies are required to prepare
consolidated financial statements, the financial information from the subsidiary companies
is generally provided by those subsidiaries and audited in the country in which they operate.
The auditor of those consolidated financial statements needs to be satisfied that the audit of
the subsidiary undertaken in another country is of an appropriate quality, and provides the
required level of assurance to the financial information provided by the overseas entity in order
that it can be used to prepare the consolidated financial statements.

HKSA 600 (Revised) Special Considerations – Audits of Group Financial Statements (Including the
Work of Component Auditors) paragraph 11 states:

‘The group engagement partner is responsible for the direction, supervision and
performance of the group audit engagement in compliance with professional standards
and applicable legal and regulatory requirements, and whether the auditor’s report that
is issued is appropriate to the circumstances’.

This requires that the group auditor evaluates the work of the component auditor and is
satisfied that the component auditor is competent and the work of that auditor complies
with relevant ethical and auditing standards. Where the component auditor operates in
a jurisdiction that adopts international auditing and ethical standards and is subject to
appropriate professional and regulatory oversight, the group auditor can, through appropriate
communication, enquiry, use of questionnaires and checklists, determine whether sufficient
appropriate audit evidence has been obtained from the component entity and auditor for the
purpose of preparing the group financial statements.

This process of internationalisation has also facilitated the operation of global accounting
firm networks. These international firms, with practices or affiliates in various countries,
have developed international audit methodologies that comply with the international
auditing and ethical standards. There is therefore greater certainty of a uniform level
of audit quality for multinational audit clients, and the communication of the outcome
of audits in different geographical areas is facilitated.

Similarly, securities regulators have also recognised the benefits of international standards.
The International Organisation of Securities Commissions (IOSCO), of which the SFC is a
member, encourages securities regulators to accept audits performed and reported in
accordance with international auditing standards for cross-border offerings and listings.

Knowledge Check Question

Question 15
Explain the convergence policy of the HKICPA as it applies to auditing standards. Describe
the objective of the convergence/harmonisation policy.

1.4 TYPES OF AUDITS

1.4.1 External Audits


1.4.1.1 Financial Statement Audits
The HKSA 200 objective of financial statement audits has been identified in Section 1.1.2.

However, neither that Standard nor the Glossary includes a stand-alone definition of
auditing. This section outlines the broad foundations of auditing as a discipline as a basis for
further understanding auditing generally and the audit concepts and standards covered in
later Modules.

As a generic concept, an early and accepted definition of auditing can be found in
A Statement of Basic Accounting Concepts issued by the American Accounting Association (AAA) in
1972. It defined auditing as:

‘A systematic process of objectively obtaining and evaluating evidence regarding
assertions about economic actions and events to ascertain the degree of correspondence
between those assertions and established criteria and communicating the results to
interested users’.

It is evident from the above material that this definition underpins what has become one
of the most common forms of audit engagement undertaken by professional accountants in
public practice in many jurisdictions, i.e. the independent audit of financial statements. The
HKSAs are a body of professional requirements in effect to operationalise this definition.

It is therefore useful to understand the elements in this early definition as they are
concepts that underpin the study of contemporary standards on financial statement auditing.

• Systematic process. The audit process is dealt with in detail in the large number and
volume of requirements and guidance contained in the HKSAs. These documents detail
a structure under which such engagements are to be conducted. An audit involves
developing an overall audit strategy by identifying the risks of possible misstatements
in the financial statements and then applying that strategy to develop an audit plan and
audit programme setting out the detailed audit procedures to be applied.

• Objectivity. An essential element of the financial statement audit concept is that the
auditor be independent of the entity and financial statements being audited. To this
end the professional standards include a requirement that the auditor comply with
professional ethical requirements relating to independence. As indicated, the COE has
specific requirements in relation to independence for audit and review engagements
(Part 4A). There is also a requirement that auditors exercise professional scepticism
when planning and performing the audit, recognising that the financial statements
may be misstated. The professional requirements in relation to objectivity are aimed
at promoting freedom from bias, conflicts of interest, or undue influence by others or
undue reliance on others.

• Evidence. Many of the standards dealing with the audit process are directed at
requirements and processes to gather sufficient (quantity) appropriate (quality)
audit evidence to support the conclusions on which the opinion on the financial
statements is based.

• Assertions about economic events and actions. The evidence requirements are focussed
on the appropriateness of the assertions in the financial statements. HKSA 200 is
consistent with this element in its definitions in paragraphs 13(f) and (g). It defines
financial statements in terms of a structured representation of historical financial
information to communicate in relation to an entity’s economic resources or
obligations. Historical information is that derived from the accounting system about
past economic events and economic conditions.

• Established criteria. HKSA 200 recognises that financial statements are to be prepared
in accordance with the applicable financial reporting framework appropriate to the
circumstances and objective of the financial statements, e.g. accounting standards
or prescribed by law or regulation. This is the benchmark against which the financial
statements are assessed by the auditor.

• Communication. The auditing standards require that the auditor issue a written report
containing the opinion as to whether the financial statements have been prepared in
accordance with the applicable financial reporting framework. That communication
includes various permutations depending on the conclusions drawn by the auditor
from evaluating the evidence obtained from the audit process.

The current concept of an independent financial statement audit is derived from this early
AAA definition of audit. As indicated above, it is a common audit function required by corporate
statutory regulation and subject to extensive self-regulation through international and national
auditing standards. It is a significant element of the accountability relationship between those
who manage financial resources on behalf of others and the providers of those resources who
need reliable information for financial decision making.

The HKSA series of Standards deals with the audit of financial statements. Consistent with the
above background, HKSA 200 applies these concepts and identifies the main principles for
these types of audits. It reinforces the view that the financial statements subject to audit are
those of the entity, prepared by management on behalf of those charged with governance.
HKSAs do not impose requirements on those charged with governance and note that an audit
does not relieve them from their responsibilities. HKSAs require the auditor to obtain
reasonable assurance that the financial statements, as a whole, are free from material
misstatement whether due to fraud or error. (HKSA 200.4,5)

HKSA 200 requires that the auditor apply materiality in planning and performing the audit
and assessing the impact of misstatements on the audit and financial statements. It recognises
that misstatements are material if, individually or in aggregate, in the auditor’s judgement, they
could reasonably be expected to influence the economic decisions of users of the financial
statements. That judgement is made in the light of the circumstances and the auditor’s
perception of the financial information needs of users of the financial statements, and both the
size and nature of any misstatement. It notes that the auditor’s opinion is on the financial
statements as a whole and that the auditor is not responsible for detecting misstatements that
are not material to the financial statements as a whole. (HKSA 200.6,7 and HKSA 200.14–17)
The Standard establishes the basic principles of financial statement audits as:

• Ethical requirements. Requires compliance with the HKICPA ethical standards.

• Professional scepticism. The audit is to be planned and performed with an attitude
of professional scepticism, recognising that circumstances may exist that cause the
financial statements to be materially misstated.

• Professional judgement. Professional judgement is to be applied in the planning and
performance of an audit.

• Sufficient appropriate audit evidence and audit risk. To obtain reasonable assurance,
sufficient appropriate audit evidence is to be obtained to reduce audit risk to an
acceptably low level to enable the auditor to draw reasonable conclusions on which to
base an opinion.

• Conduct an audit in accordance with HKSAs. All HKSAs relevant to the circumstances of
the audit are to be complied with. This requires the auditor to understand the entire
content of the standards, including the application and other explanatory material.
The auditor cannot represent compliance with HKSAs in the auditor’s report unless all
HKSAs relevant to the audit have been complied with. The auditor is also required to
assess whether, to achieve the objectives stated in any HKSA, additional procedures
to those required by the HKSAs are necessary to obtain sufficient appropriate audit
evidence. An HKSA or a requirement in an HKSA need not be complied with if in the
circumstances of the engagement the standard is not relevant or the condition in a
standard is not applicable. In exceptional circumstances, if the auditor determines
that a specific procedure in a standard would not be effective, the auditor can depart
from the standard and perform an additional procedure. If an auditor cannot achieve
an objective in a relevant HKSA, the auditor needs to consider whether the overall
objective of the audit can be achieved and whether the auditor needs to modify the
opinion or, if possible, withdraw from the engagement.

While an audit involves the exercise of a high degree of professional judgement, as a body
of standards, the HKSAs are comprehensive in establishing the objectives and requirements for
planning, performing, and reporting for a financial statement audit (Exhibit 1.7). The HKSAs cover:

• The audit objectives, requirements in relation to documentation, detection of fraud and
error, consideration of laws and regulations, and communication with those charged
with corporate governance.

• The audit planning process involving understanding the entity and identifying the risks
of material misstatement, the role of materiality, addressing the assessed risks in the
performance of the audit, and evaluating risks identified during the audit.

• Audit evidence in relation to specific items such as inventory, segment information,
litigation and claims, use of external confirmation, analytical procedures, sampling and
evidence, and issues arising in relation to related parties, going concerns, and reviewing
events subsequent to the balance date that impact the financial statements.

• Using the work of internal auditors or experts and the work of subsidiary auditors in a
group situation.

• Audit conclusions and reporting, including where the auditor is required to issue
a modified opinion and the auditor’s responsibility for other information that
accompanies the audited financial statements.

[Exhibit 1.7 diagram relating the financial statement audit to its basic elements:
Objectivity (independence, ethics, professional scepticism); Established criteria
(applicable financial reporting framework); Systematic process (apply HKSAs/professional
judgement); Evidence (sufficient appropriate audit evidence; apply HKSAs/professional
judgement); Assertions (financial statements); Communication (audit report;
HKSAs/professional judgement).]

EXHIBIT 1.7 Relationship between the basic elements of a financial statement audit and HKSAs

The standards also deal with audits of financial statements prepared in accordance with
a reporting framework other than Hong Kong Financial Reporting Standards, such as financial
statements prepared in accordance with a special purpose financial reporting framework.
There are also standards on audits of specific elements or individual accounts of a financial
statement and summary financial statements.

As indicated earlier, the audit of financial statements is one of the most common forms of
assurance engagement undertaken by members of the HKICPA. It is subject to a high level of
professional and statutory regulation. The HKSAs and COE are a significant body of knowledge
in understanding this type of audit and the requirements for undertaking such an engagement.

1.4.2 Internal Audits


1.4.2.1 Objective of the Internal Audit
The nature of the internal audit function within an entity has been evolving over time. The
narrow and traditional view that its role was to review and assess the effectiveness of an
entity’s internal control has been superseded by a more contemporary and broader view.

The interaction between internal and external auditors has been dealt with in
Section 1.1.1.1 and HKSA 610 (Revised 2013). This section explains further the role that an
internal audit can play within an entity.

Like the accountancy profession, the internal audit profession has established
an international body, the Institute of Internal Auditors Inc (IIA), to establish ethics and
standards applicable to its members. The IIA Inc Mission (www.theiia.org) states:

‘To enhance and protect organisational status by providing risk-based and objective
assurance advice and insight’.

The Institute of Internal Auditors of Hong Kong, established in 1979, is affiliated with that
international organisation.

The IIA defines internal auditing as:

‘. . . an independent, objective assurance and consulting activity designed to add value
and improve an organisation’s operations. It helps an organisation accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes’.

Within that definition, the role and responsibilities of an internal audit function within
an individual entity are governed by its Charter. An internal audit Charter is developed by the
management of an entity to govern the role of internal audit. The IIA Glossary defines the
charter as:

‘. . . a formal document that defines the Internal Audit activities, purpose, authority and
responsibility. The Internal Audit Charter establishes the internal audit activities within
the organisation, authorises access to records, personnel and physical properties relevant
to the performance of engagements and defines the scope of internal audit activities’.

To understand the role and objectives of an internal audit, the elements of the IIA definition
need to be considered further.

Independence and objectivity, while related, are different concepts.

Independence is the same concept as for an external auditor, i.e. that the internal auditor
should be, and be seen to be, unbiased. However, as internal auditors are engaged by an entity
as employees or sub-contractors and are an integral part of the entity, their independence
derives from their organisational independence. This is essentially derived from their mandate
and Charter. The Charter should give internal auditors appropriate status and authority within
the entity, for example reporting to senior management or the audit committee, adequate
resources and budgets, autonomy and authority to access records, personnel, and explanations
as internal audit deems necessary. The internal auditor should not be associated with any of
the activities that it audits.

In many entities, where as part of the governance process an audit committee has been
established, that committee can have as part of its mandate oversight of the internal audit
function. The independence of the internal auditor can be enhanced in those situations.

Objectivity is a personal attribute that requires an unbiased attitude and an approach to an
investigation without a preconceived position and without being subordinate to the judgements
of others.

Both independence and objectivity require that the internal auditor have appropriate skills
and knowledge of the subject matter of the audit.

Assurance and consulting. Assurance is a concept similar to that applicable for the public
accounting profession. The objective is to improve the credibility of the outcomes of activities
within an entity and information relating to those activities. It is defined in the IIA Glossary as:

‘An objective examination of evidence for the purpose of providing an independent
assessment on governance, risk management and control processes for the
organisation. . .’.

‘. . . for example, compliance with company policies, contractual conditions, laws and
regulations’.

Consulting is essentially an advisory function to identify problems and provide
possible solutions to management, but without any responsibility for implementing any
recommendations, an obligation that remains with management. It includes providing counsel,
advice, facilitation, and training.

Add Value. This is the feature of internal audit that directly links it to the interests of
management and other stakeholders in an entity. Depending on the nature and scope of
the internal audit function it adds value when it provides objective and relevant assurance
and facilitates the effectiveness and efficiency of governance, risk management, and
control systems.

Systematic and disciplined approach. This again is a similar attribute to that required for
external financial statement audits and other assurance engagements undertaken in the
public accountancy profession. To achieve its goals, internal audit needs to approach each
investigation with a structured approach with a clear plan and programme to obtain sufficient
appropriate audit evidence on which to base its findings, conclusions, and recommendations.
The IIA has developed standards for internal auditors to facilitate this outcome.

Control, risk management, and governance processes. The expanded role of an internal audit
in improving these processes is recognition of the fact that the role of management in these
areas has increased in significance in recent times.

Not all entities will have an internal audit function, and the nature and extent of the internal
audit function will vary between entities depending on size, type of business and industry, etc.
It is recognised, however, that an internal audit has a broad objective of adding value within an
entity by contributing to the risk management, governance, and control processes.

Arising from this broader role, several different types of audit have evolved:

• Compliance audits

• Performance audits

• Comprehensive audits

• Corporate Social Responsibility audits

These types of audits are not restricted to an internal audit. They can be, and are, undertaken
by external auditors in the public accountancy profession and in the public sector where a public
accountability obligation arises.

1.4.2.2 Compliance Audits


The activities of an entity comprise relationships with various parties both within and
external to the entity. These impose obligations and responsibilities on entity employees and
management to comply with company policies, achieve operational targets, and for the entity
to comply with contractual arrangements and laws and regulations.

The added value provided by compliance audits undertaken by internal auditors is that
they provide assurance that those within the entity and the entity are complying with the
relevant operational policies, laws, and regulations.

Such engagements undertaken by external auditors or public-sector auditors generally
arise, for example, where an entity has an obligation to comply with laws and regulations and
is required to provide an independent auditor’s report on compliance to an external party. An
external auditor could be engaged by an entity to report to a client’s lending institution that it
has complied with the terms and conditions of a loan agreement.

1.4.2.3 Performance Audits


Performance audits are often referred to under different titles, for example ‘value for money
audits’, ‘operational audits’, or ‘efficiency auditing’.

These engagements are common in the public sector and can also be undertaken in the
private sector by both external and internal auditors. However, under the broad internal audit
mandate discussed above, they have become an integral component of the internal audit
function. They are concerned with the economy, efficiency, and effectiveness with which an entity
achieves its goals and objectives.

These audits have developed from the governance principle that management of an
entity should give due consideration to improving the achievement of the entity’s objectives
efficiently, effectively, and economically, and, in an external reporting context, being
accountable for that performance. Performance audits are therefore consistent with the
accountability and governance concepts that underpin the concepts of audit and assurance.


The degree of symmetry between the broad internal audit function and this type of audit in
the public sector can be found in the example of this type of mandate in the Mission statement
of the Hong Kong Audit Commission (www.aud.gov.hk). That Mission is, through the provision
of independent audit services, to enhance public sector performance and accountability. In
addition to regulatory audits of government financial reporting, the Commission undertakes
‘value for money’ audits to provide government with independent advice and assurance about
the economy, efficiency, and effectiveness with which government entities have discharged
their functions.

Like all audit and assurance engagements undertaken by external and internal auditors,
they require a subject matter, and suitable criteria against which to evaluate that subject
matter. In these engagements they extend beyond financial statements and accounting
standards to potentially encompass all areas of the entity’s activities and operations.

It is therefore important to clearly establish the objectives of the audit and what
information is expected to be provided by the auditor.

The criteria that will provide the basis for the conclusion can often be more subjective
than for financial statement audits or be drawn from non-traditional sources. For example,
they could be developed by benchmarking against industry standards or trends, management
objectives and performance indicators, and codes of practice, or may need to be specifically
developed and agreed by the auditor with management. The reporting phase is generally
extended beyond just the expression of a conclusion to identifying potential improvements and
developing recommendations for implementation.

It is important to understand the difference between the three areas of audit within these
engagements:

• Economy focusses on resource acquisition and whether the appropriate quality and
quantity of resources have been obtained at the lowest cost (for example, whether
an entity has implemented appropriate policies and procedures for the acquisition of
resources).

• Efficiency addresses issues of resource usage and whether maximum output has been
achieved for a given input without decreasing effectiveness (for example, whether
employment practices avoid overstaffing or duplication of effort).

• Effectiveness relates to outcomes and whether the entity’s resources and operations
have achieved the relevant objectives (for example, whether a product or service meets
customer needs).

Like all audit and assurance engagements, performance audits require a structured and
systematic approach involving a strategy, planning, audit programme and procedures, evidence
gathering, evaluation and analysis of the evidence, and reporting. However, the varied nature
of the subject matter may require the use of a wider variety of different evidence gathering
techniques (for example, the use of surveys, structured interviews, and market research).
Consistent with other types of audits, the planning and conduct of these engagements involve a
high level of professional judgement.

The extent to which an internal audit function addresses these issues will depend on the
Charter establishing that function within an entity. For external auditors, any such engagements
would be normally undertaken as a specific contractual engagement.


For examples of publicly available performance audit reports, refer to the Hong Kong Audit
Commission referenced above and search ‘performance audits’. These reports are illustrative of
the nature of these engagements and the reporting outcome.

1.4.2.4 Comprehensive Audits


These audits derive from a mandate that comprises a combination of the different audit types
covered to date, i.e. financial statement, compliance, and performance. They are common in
the public sector and can be established under a broad internal audit Charter.

1.4.2.5 Corporate Social Responsibility Audits


These types of audits are relatively new and can be complex. They arise because of the
internationalisation of business and increasing public scrutiny of the impact that business can
have on, for example, the environment and human rights, obligations for product safety and
employee health and safety, ethical business practices, and community involvement.

These issues are important to a business, as poor social responsibility can impact the
sustainability and profitability of an entity through, for example, adverse publicity and
reputational damage, lawsuits and government intervention, and regulation and workplace
disruption.

Social issues are therefore areas that require risk assessment and strategic management.
These audits have elements of both compliance and performance auditing. Corporate
social responsibility auditing addresses an entity’s environmental, social, or governance
risks to assess the policies and processes to identify and manage those risks. That role is
consistent with the broad role that an internal audit can play within an entity. A corporate social
responsibility mandate could be integrated into an internal audit Charter to address policies,
projects, control and review processes, performance measures and risk management in
sensitive areas for a particular entity, and to the extent to which an entity impacts society and
stakeholders in the entity.

The nature of some of the subject matter of these audits means that suitable criteria
may be difficult to identify, but as codes, standards, and management policies and practices
develop, these audits have the potential to be a significant value adding component of the
internal audit function.

An interesting example of this type of reporting and audit engagement can be found in
the Corporate Social Responsibility Report issued by the HKEX (www.hkexgroup – refer to
the Corporate Social Responsibility Report, Section 2017 Report). Included in this Report is a
‘Verification Report’ issued by the Hong Kong Quality Assurance Agency. The Verification Report
indicates that the engagement has been undertaken in accordance with the IFAC International
Standard on Assurance Engagements ISAE 3000 Assurance Engagements Other than Audits or
Reviews of Historical Financial Information. It is stated that it provides ‘reasonable assurance’.

In summary, the range of assurance engagements and subject matter that can be provided
by internal and external auditors continues to evolve.


Apply and Analyse 5


Consider the situation where certain younger members of the Board of Directors of
Keeson Inc have strong views about the company playing a positive role in the community.
They have asked the Audit Committee to consider recommending metrics to assess the
company’s financial performance and the impact of new technology being developed by
the company on certain disadvantaged groups. They have asked the Audit Committee to
enquire whether the external auditor can help develop financial and non-financial metrics.
Describe what advice could be given to the Audit Committee about:

(a) the possible provision of metrics for:

i. Financial performance

ii. Socially oriented performance

(b) and who could undertake a performance audit in either of these areas.

Analysis

The key to these areas is whether they overlap with, or complement, financial reporting
and the purpose of the audit. The financial performance metrics are highly likely to relate
to the financial statements and constitute other information that the external auditor
needs to read to ensure it contains nothing that is inconsistent with what is in the financial
statements. They may impact management decision making and remuneration. Thus, it is
unlikely that the external firm will be able to assist with the design of financial performance
metrics due to their interrelationship with the financial statements subject to audit.
However, again, those metrics developed independently of the external auditor could be
the subject of other forms of assurance and non-assurance engagements.

A performance audit could be carried out in relation to both sets of metrics. It would
be an audit of the implied assertions that the metrics are properly measuring the two
types of performance.

Knowledge Check Questions

Question 16
HKSAs contain mandatory requirements that the auditor must comply with when
conducting an audit. Identify which of the following describes a situation where a
mandatory requirement need not be followed.
A The application and other explanatory material in the HKSA overrides the requirement.
B In exceptional circumstances specific to a particular audit.
C The international auditing standard provides an alternative requirement.
D The auditor applies professional judgement to apply an alternative procedure preferred
by the auditor on all engagements for a particular issue.



Question 17
Identify which of the following is not an attribute you would expect is needed for an
external financial statement audit.
A Understanding the HKICPA ethical standards.
B Applying an attitude of professional scepticism.
C An audit plan agreed with management.
D Understanding the audit objectives in the HKSAs.

Question 18
Identify which of the following is unlikely to be included in an internal audit charter of a
large business entity.
A Reviewing the entity’s social responsibility risk management.
B Assurance engagements to report to external third parties.
C Reviewing accounting controls to report to management.
D Testing compliance with the entity’s statutory requirements to report to management.

Question 19
Internal audit is defined as an independent, objective assurance and consulting function
within an entity to assist management. Identify which of the following is not an attribute of
an internal audit function that is necessary to support independence and objectivity.
A The director of internal audit has direct access to senior management and the Board.
B Regular training and performance assessments.
C Internal auditors not having operating responsibilities in addition to their internal
audit role.
D An appropriate mandate and organisational status with audit committee oversight.

Question 20
For each of the following, categorise whether the features are common to or different
from a financial statement audit and a performance audit and explain why this is the
case for each.
(a) Subject matter and information that can be broad and varied.

(b) Professional judgement is required during the audit process.

(c) A benchmark of appropriate criteria is required for the auditor to form a conclusion.

(d) Qualitative evidence requires a broadening of the range of audit techniques.

(e) There is a defined subject matter, which is derived from an accountability
relationship.

(f) The sources of suitable evidence vary and are often developed for the specific audit.

(g) The conclusions and basis of reporting are the result of a systematic process to
obtain sufficient appropriate audit evidence.



Question 21
A performance audit requires suitable criteria to measure and evaluate the subject matter.
Identify which of the following would be least likely to be the source of appropriate criteria.
A Best practice established by the profession’s or industry organisations.
B The auditor’s personal experience.
C Best practice among other entities involved with the same activities and subject matter
as the auditee entity.
D Formal entity objectives developed by management with expert consultants.


SUMMARY

This chapter addressed the nature of assurance and the assurance and audit services provided
by independent external assurance providers, with an emphasis on external audits of financial
statements. It also examined the nature and role of the internal audit.
The chapter has dealt with the following:
• The nature and elements of assurance engagements and the application of those to
understanding a financial audit.
• The difference between attest and direct audits has been explained as well as the different
levels of assurance that can be provided, being reasonable (audit) or limited (review) assurance.
• The responsibility of management and those charged with governance to prepare
financial statements was differentiated from the role of the external auditor to
provide an opinion on whether the financial statements have been properly prepared in
accordance with the appropriate reporting framework.
• The demand for assurance and audit services being sought and provided recognises the
need to reduce information risk in decision making by users of financial and non-financial
information where an accountability relationship exists or governance structure requires
information on performance to be reported.
• The role of regulation, both professional self-regulation and statutory, exists in a co-regulatory
environment in Hong Kong. The professional requirements under the auditing standards
issued by the HKICPA and the statutory requirements under the Companies Ordinance play
a significant role in regulating the independent financial statement audit environment. The
HKSAs are a product of the internationalisation of auditing standards aimed at achieving a
high quality and uniform approach to auditing.
• The nature and extent of the professional ethical requirements as they apply to professional
accountants and firms, and independence in relation to audit and assurance engagements.
Explanation of the conceptual approach applied in evaluating compliance with the
fundamental ethical principles that are significant in maintaining the profession’s status and
role as assurance providers.
• The steps of a financial statement audit were broken down to provide greater insight into the
process of financial statement audit.
• Internal audit was described and the differences between the internal audit and external audit
processes were outlined.
• The different types of audits that practitioners may conduct for clients were discussed. These
include compliance audits, performance audits, comprehensive audits, and corporate social
responsibility audits. Each of these audits has a different purpose.
The application of auditing standards in financial statement audits needs to reflect the
circumstances under which those engagements are undertaken. The advent of the Covid 19
pandemic is an example of circumstances that require consideration. Guidance on this can be
found in the HKICPA Alert, Issue 22 (February 2020) ‘Updates on financial reporting, auditing
and ethics’ and on the IFAC website (www.ifac.org) ‘Summary of Covid 19 Audit Considerations’,
3 June 2020.


MIND MAP

ETHICAL STANDARDS, LEGISLATION, AND PROFESSIONAL GUIDANCE

AUDITING AND ASSURANCE
Objectives of Auditing and Assurance Services
• Framework for assurance engagement
• An audit assurance engagement
• Attest and direct reporting audits
• Level of assurance
• Differences between auditing, account preparation, external and internal auditors
Demands for Auditing and Assurance Services
Financial Statement Users

INTERNATIONAL STANDARDS AND GUIDELINES FOR AUDITING AND ASSURANCE
IFAC
HKICPA

AUDITING AND ASSURANCE STANDARDS
Role of Regulators and Regulation
Hong Kong Standards and Guidelines for Auditing and Assurance
• Professional standards
• Profession’s code ethics
• Fundamental ethical principles
• Threats to the fundamental principles
• Safeguards to threats
• Ethics for professional accountants in business
• Ethics for professional accountants in public practice
• Ethics and independence
• Specialised areas of practice such as liquidation and insolvency
• Guidelines for anti-money laundering and counter terrorism financing for professional accountants

TYPES OF AUDITS
External Audits
• Financial statement audits
Internal Audits
• Objective of the internal audit
• Performance audits
• Comprehensive audits
• Corporate social responsibility audits

Answers to Knowledge Check Questions

Question 1
There is a three-party relationship, being management as preparers of the financial
statements, users being the shareholders, potential shareholders, and other third parties, and
the auditor who provides an independent opinion on the financial statements to those users.
The financial statements are the subject matter and provide information in relation to
an entity’s financial position and performance.
The financial statements are prepared in accordance with an applicable financial
reporting framework, generally accounting standards, which are the criteria against which
the auditor assesses the financial statements and forms a conclusion.
The auditor applies a process and a range of procedures to gather evidence on which
to form a conclusion.
The auditor issues an audit report containing an opinion on whether the financial
statements have been prepared in accordance with the applicable financial reporting
framework.

Question 2
Assurance is a service provided by assurance practitioners with the objective of enhancing
the credibility of information to users of that information to improve its usefulness in
decision making.
Reasonable assurance is the level of assurance the auditor obtains from the evidence
gathered during the audit process and conveyed to users by the assurance provider.
Reasonable assurance is associated with audit engagements and is the highest level of
assurance provided by an auditor.


The auditor has assessed the risks that the information subject to audit could be
materially misstated and, based on the evidence obtained, has formed a conclusion that
the risk of giving an incorrect opinion is at an acceptably low level. This is expressed in the
form of a positive opinion that the information is in accordance with the relevant criteria. It
is not absolute assurance because of the level of judgement and other inherent limitations
involved in the audit process.
In a limited assurance engagement, the assurance practitioner applies procedures that
are less extensive than applied in a reasonable assurance engagement and therefore the
evidence on which the opinion is expressed is less. Accordingly, the risk of an inappropriate
opinion being given is higher and therefore the level of assurance provided is less. This is
expressed in the form of a negative expression of opinion.

Question 3
Answer A is incorrect. The engaging party is responsible for determining the nature, timing,
and extent of the procedures to be applied. The engaging party identifies what work it
wants undertaken to meet its information requirements.
Answer B is correct. The practitioner undertakes the procedures determined by the
engaging party who has identified those procedures as providing the evidence required
for their purpose. The practitioner undertakes those procedures as instructed and is not
responsible for making any assessment of the resulting evidence.
Answer C is incorrect. The practitioner reports the factual findings resulting from the
procedures applied and does not report any conclusion or provide any opinion/assurance.
Answer D is incorrect. The report includes details of the procedures applied as determined
by the engaging party.

Question 4
Management is responsible for maintaining accounting records and systems to record
the transactions and events of the entity for the accounting period to prepare financial
statements in accordance with the relevant financial reporting framework. Those systems
should be directed at ensuring that the financial report assertions are embodied in the
resulting financial records and statements.
The audit process is directed at obtaining sufficient appropriate audit evidence to
provide assurance that those assertions are appropriately embodied in the financial
statements subject to audit. The assertions therefore provide the elements inherent
in the financial statements that form the basis of the nature, timing, and extent of the
audit procedures to be applied to gather evidence that the financial statements are in
accordance with the financial reporting framework. The auditor’s task in relation to each
assertion then is to consider the evidence available to support or contradict the assertion,
select a method of obtaining the evidence, and then collect and evaluate that evidence.

Question 5
Answer A is incorrect. Assurance engagements cover a range of subject matter and levels
of assurance, for example a review engagement.
Answer B is incorrect. Assurance engagements is the overriding category of engagements
where an assurance practitioner provides some level of assurance on a subject matter. An
audit is one form of assurance engagement.


Answer C is correct. As indicated in B, an audit is one form of assurance engagement.


Answer D is incorrect. ‘Assurance engagements’ is the generic term for engagements that
provide different levels of assurance – for example, limited assurance for reviews and
reasonable assurance for an audit.

Question 6
Answer A is incorrect. The financial statements reflect the results of the transactions and
events of the historical reporting period and are not necessarily indicative of the future
financial performance of the company. The auditor’s opinion is on whether the financial
statements have been prepared reflecting the historical results in accordance with the
relevant financial reporting requirements.
Answer B is incorrect. While an auditor will assess the risk of fraud affecting the financial
statements as part of the audit process, and include procedures to reduce the risk that
fraud has resulted in a material misstatement in the financial statements, the nature of
fraud, which generally involves collusion, deception, and attempts to conceal the activity
and manipulation of records, means that it may remain undetected, even if the audit has
been properly conducted.
Answer C is correct. Assurance improves the quality of information by providing an
independent opinion that it has been prepared in accordance with the applicable financial
reporting framework. Accordingly, it improves the decision-making process by providing
more reliable information.
Answer D is incorrect. The auditor’s opinion is whether the financial statements have been
prepared in accordance with the applicable financial reporting framework. It provides users
with information that indicates that the information is reliable to assist decision making
about their investment or potential investment in a company, not that the auditor has
formed any conclusion about whether management has managed the company efficiently.

Question 7
Answer A is incorrect. The legislation identifies that the directors are responsible for the
preparation of the financial statements and are therefore the responsible party.
Answer B is incorrect. The legislation identifies the shareholders as the intended users
as the financial statements and audit reports are to be sent to shareholders prior to a
company’s annual general meeting.
Answer C is correct. While the legislation requires the financial statements to be audited,
it does not prescribe the level of assurance that is associated with an audit. The level of
assurance, that is ‘reasonable’ assurance associated with an audit, is a concept developed
by the profession based on the nature of the audit process.
Answer D is incorrect. The legislation requires that the financial statements be prepared in
accordance with Hong Kong accounting standards, which are the criteria for measuring the
subject matter.

Question 8
Answer A is correct. The auditor is not required to form an opinion or report on the
adequacy of the emoluments but only whether they are properly reported.
Answers B, C, and D are incorrect. These are requirements under the Companies Ordinance.


Question 9
Answer A is incorrect. An audit committee generally has oversight of the external audit
function to manage the relationship between the Board and the auditor and review of
the financial statement preparation process, but it does not have any authority under the
Companies Ordinance to issue reports to the shareholders or assume the responsibilities of
the directors.
Answer B is correct. The Companies Ordinance gives the responsibility for distribution of the
reports to the company directors as the directors’ accountability is to the shareholders. In
addition, the directors must approve and sign the financial statements.
Answer C is incorrect. The auditor provides the audit report to the directors to distribute to
the shareholders with the financial statements.
Answer D is incorrect. While the CFO would be involved in the preparation of the financial
statements for the directors, the directors are ultimately responsible for the financial
statements and providing the reports to the shareholders as they are accountable to the
shareholders. The CFO in most cases will be an employee of the company and accountable
to the directors.

Question 10
Answer A is incorrect. Professional standards are a fundamental component of a
profession that prescribes a level of performance. Users of the audit function derive
comfort from the fact that the provision of audit services is subject to a benchmark that
governs the auditor’s activities and quality of work.
Answer B is incorrect. Standards provide members of the profession with information
about the quality of work to be performed.
Answer C is correct. The responsibility for the audit plan is that of the auditor and the basis
of the independent audit function is that it is free from the influence of management.
Management has no role in the approval of the audit plan.
Answer D is incorrect. Members of the HKICPA must comply with auditing standards.
Failure to comply can be investigated by the HKICPA and can lead to disciplinary action
including the cancellation of a member’s practising certificate and therefore the right to
undertake audit engagements.

Question 11
Answer A is incorrect. HKSA 200 requires that the auditor apply professional judgement in
planning and performing an audit. Professional judgement is applied within the context of
auditing principles and standards.
Answer B is incorrect. The HKICPA Standard on quality management mandates that a
CPA firm has a system of quality management to provide reasonable assurance that
professional standards and legal requirements are complied with and that there are
procedures to monitor compliance.
Answer C is incorrect. While the internal auditor often applies procedures similar to the
external auditor in areas where the external auditor needs to obtain evidence and can
provide the external auditor with evidence relevant to the work of the external auditor, given
that the internal audit function is an integral part of the entity being audited, that work must
be tested by the external auditor as to its appropriateness for use as external audit evidence.


Answer D is correct. This activity would create a self-review threat to independence where
such systems are integral to the client’s accounting and internal control systems. There are
no safeguards that would adequately address that threat.

Question 12
Answer A is incorrect. The audit committee provides a forum for the auditor to discuss,
with a body within the company, independent of those directly responsible for the
management of the company and preparation of the financial statements, any problems
arising during the audit. For example, any lack of co-operation or failure to provide
explanations or evidence. The Committee can seek to redress these problems.
Answer B is incorrect. The audit committee should be aware of, and discuss with the
auditor, any management or Board requests to provide other services and whether such
services would affect the auditor’s independence. This provides a further level of scrutiny
over the independence of the audit function.
Answer C is correct. The audit committee is a sub-committee of the Board. The Board and
its individual directors cannot abrogate or delegate their statutory responsibilities to the
audit committee. The Committee can assist directors to fulfil their responsibilities and
facilitate decision making but is not the body designated in the statute to approve and sign
the financial statements.
Answer D is incorrect. The audit committee can play a role in providing a recommendation
as to the appointment of the auditor. The committee can assess the overall audit strategy
and capabilities of different auditors as they apply to the circumstances of the company,
for example experience in the industry in which the company operates. The Committee
cannot appoint the auditor, as that is the role for shareholders, but they can facilitate an
informed decision.

Question 13
Answer A is incorrect. Independence is a fundamental principle that is a mandatory
requirement of the COE and not merely a suggested attribute.
Answer B is incorrect. Management is responsible for the preparation of the financial
statements and the auditor should not be involved in that process.
Answer C is correct. The fundamental principle is that the auditor be independent in fact
and perception.
Answer D is incorrect. This would create advocacy and self-interest threats that would be
perceived as inconsistent with the auditor being perceived as providing an unbiased and
objective expression of opinion.

Question 14
(a) Fundamental principle that is being breached: Objectivity
Threat created: self-interest threat.
The manager’s decisions and audit judgement may be affected in an attempt to
have the clients engage the firm to undertake other services.
(b) Fundamental principle that is being breached: Objectivity
Threat created: self-interest threat.
The dependence on the client and concerns about losing the client may
influence the partner’s audit decisions and judgements, especially if the partner’s
remuneration is significantly affected by the level of fees generated.

(c) Fundamental principles being breached: Integrity and objectivity
Threats created: Intimidation – self-interest threats.
By being placed in a potentially adversarial position with management,
the relationship and exchange of information and disclosure between
management and the auditor may break down and pressure may be exerted to favour a
particular outcome.
(d) No threat if under normal lending criteria, terms, and conditions and immaterial to
the partner and audit client. If not, then objectivity is being breached, a self-interest
threat exists, and the situation is unacceptable. Having a financial obligation to the
client may impact audit judgements and the perception of independence.
(e) Fundamental principle being breached: Objectivity
Threats created: self-interest or intimidation.
This would effectively involve the partner having a financial and business
interest in a client entity. This could impact the partner’s audit judgements to
favour a particular outcome or be subject to pressure from the entity.
(f) Fundamental principle being breached: Objectivity
Threats created: familiarity and self-interest.
A personal relationship may result in the audit partner not applying an
appropriate degree of skepticism to information and explanations provided by the
managing director or placing maintenance of the relationship above the interests
of an audit judgement.
(g) Fundamental principle being breached: Objectivity
Threat created: self-interest.
By the family having a financial interest in the client entity the decisions of the
audit partner may be influenced toward the enhancement of that investment.
(h) Fundamental principle being breached: Objectivity
Threat created: self-review.
The work undertaken by the staff would be reviewed by the auditor but may
not be subject to the same level of scrutiny as the work of the client’s staff.
(i) Fundamental principle being breached: Professional competence and due care
Threats created: self-interest and intimidation.
Fees should be commensurate with the work required to undertake an
appropriate audit. Where fees are not commensurate with the audit, appropriate
audit procedures may not be applied and the auditor may succumb to client
pressure in relation to preferred client outcomes.
(j) Fundamental principle being breached: Objectivity
Threat created: self-review and advocacy.
The audit client is responsible for the preparation of the financial statements
and the items and valuations in those financial statements. A valuation prepared
by the audit firm would be subject to review by the audit team during the audit,
which creates a self-review threat. Providing a valuation to a third party on behalf
of the client may also be seen as acting as an advocate for the client.
(k) Fundamental principle being breached: Objectivity
Threats created: self-review and advocacy.
This potential threat could arise because the outcome of the service may need
to be reviewed as part of the audit and the firm could be seen as an advocate of
the entity’s interest.
(l) Fundamental principle being breached: Objectivity
Threat created: familiarity.
The partner may not apply the same level of scepticism to information and
explanations when considering audit evidence because of the close relationship
with the entity.
(m) No threat as the services are routine and no professional judgement is involved.
(n) No threat as management takes responsibility for the returns including any
significant judgements made.

Question 15
Convergence is the policy adopted by the HKICPA to use the International Standards
on Auditing issued by the IAASB of IFAC as the basis for developing HKSAs and related
guidance materials. The Hong Kong AASC adopts a due process that integrates with the
IAASB and provides input to the development of international auditing standards. Once
issued by the IAASB, the AASC assesses the standard and issues the equivalent HKSA, with
any additional material deemed appropriate and, if necessary, amended to reflect local
circumstances such as laws or regulations.
The objective of convergence, referred to as harmonisation at the international
level, is to develop and support the implementation of a set of uniform standards to be
applied internationally in order to provide quality audit services. At the national level, it
is to establish a body of high-quality national standards that support CPAs and promote
the professional accountant’s status and acceptance with users and regulators and are
recognised internationally.

Question 16
Answer A is incorrect. The Application and Other Explanatory Material is authoritative
guidance but is included to assist auditors understand the Requirements of the standard
and provide illustrative procedures and practical guidance to enhance the consistency
of implementation of the Requirements. The guidance does not override the mandatory
Requirements or provide alternative Requirements.
Answer B is correct. Some Requirements are to be applied only when certain circumstances
are identified during an audit. Where such a situation occurs, this is an exceptional
circumstance where the Requirement does not have to be applied. For example, if the
client does not have an internal audit function, HKSA 610 (Revised 2013) does not apply or
if the client does not have segment reporting, the audit Requirements in that area do not
apply. An exceptional circumstance could also arise where it is judged necessary to depart
from a relevant Requirement and apply alternative procedures where, due to the specific
circumstances of the audit, an audit procedure would be ineffective in achieving the aim of
the Requirement.
Answer C is incorrect. HKSAs are based on international auditing standards. In the rare
case where an HKSA has adopted a different Requirement from an international standard,
this will be identified in the HKSA in a section dealing with conformity and compliance
with international standards. The Requirement adopted in the HKSA is the mandatory
Requirement for audits under the HKSAs. The international standard does not override the
HKSA Requirement.

Answer D is incorrect. The auditor’s preference does not override a mandatory
Requirement. The exercise of professional judgement to not comply with a Requirement
can only occur if the matter subject to the Requirement is immaterial in the financial
statements being audited or the exceptional circumstance criteria apply, and not just
because an auditor has a preferred approach.

Question 17
Answer A is incorrect. It is mandatory under the HKSAs that the COE be complied with by
auditors, including the independence requirements.
Answer B is incorrect. HKSA 200 requires that the auditor plans and performs the audit
with professional scepticism, being an attitude that includes a questioning mind and being
alert to conditions that may indicate potential misstatements due to fraud and error and a
critical assessment of audit evidence.
Answer C is correct. The detailed audit plan developed from the audit strategy is the
responsibility of the auditor. It does not require the approval of company management as
the auditor is required to be independent and not subject to any management bias.
Answer D is incorrect. Each HKSA has an audit objective to be achieved by the auditor. The
auditor must apply the mandatory Requirements to achieve that objective, unless there
are exceptional circumstances that justify alternative procedures.

Question 18
Answer A is incorrect. Because of the increasing impact that business has in relation to
social issues, entities are more aware of the scrutiny and responsibility they face in relation
to their impact in this regard. An internal audit could play a role in assisting management’s
risk assessment and controls in this area.
Answer B is correct. Because an internal audit is a function established within the entity
to evaluate the activities of the entity to assist management, and is regarded as part of
the control environment, it is unlikely that third parties would accept internal reports as
providing an acceptable level of independent assurance.
Answer C is incorrect. This is a function undertaken by an internal audit to assist management.
Answer D is incorrect. An internal audit is a function established within an entity to
assist management. Reviewing compliance with statutory requirements and reporting to
management is a function that the internal audit could undertake to assist management
meet its responsibilities by providing a level of assurance that the entity is complying with
the relevant requirements.

Question 19
Answer A is incorrect. This supports the internal auditor meeting responsibilities in an
unbiased manner and the ability to act with appropriate authority.
Answer B is correct. This relates to the quality of work and may not prevent undue
influence on actions and decisions.
Answer C is incorrect. Objectivity requires individuals within an internal audit to have
an impartial, unbiased attitude and not be, or be seen to be, in a position whereby their
judgement could be impaired. Having operating responsibilities outside the internal audit
role could create conflicts of interest or be seen to undermine the perception that the
individual is objective.

Answer D is incorrect. A mandate that gives the internal function a broad role in an
entity with a status that allows the internal audit function to undertake its tasks with
an appropriate degree of authority, access, and resources, along with audit committee
oversight, gives the function independence within the entity.

Question 20
(a) Different. The financial statement audit deals with a defined subject matter being
the financial statements, whereas a performance audit can be undertaken on a
broad range of subject matter.

(b) Common. Both types of audit require the exercise of professional judgement in
developing audit strategies and plans and applying audit procedures relevant to
the specific engagement circumstances, and in evaluating the evidence obtained to
form a conclusion.

(c) Common. All assurance engagements require a benchmark of appropriate criteria
as the basis on which the auditor develops a conclusion. The criteria provide a
basis for the evaluation and measurement of the subject matter and indicate to
the intended users the basis on which the conclusion was formed. In the case of a
financial statement audit, this is accounting standards and for a performance audit,
criteria appropriate for the subject matter of the audit.

(d) Different. Because performance audits can cover a broader range of subject matter
and the evidence available can often be more subjective and qualitative, a broader
range of evidence-gathering techniques needs to be applied in these engagements.

(e) Common. Both types of audit are aimed at providing assurance on a particular
subject matter and arise due to an accountability relationship where a party
responsible for the subject matter is accountable to others in relation to the
matters covered by the subject matter.

(f) Different. Financial statement audits have some criteria based on some form of
accounting model, whereas because performance audits can cover a broad range
of subject matter, suitable criteria are drawn from a range of different sources and
are developed for the specific engagement subject matter.

(g) Common. Both types of audits require a systematic process to be applied to gather
sufficient appropriate evidence on which to form a conclusion and report. The
basic audit methodology, expertise and techniques of audit are applicable to both
types of engagement.

Question 21
Answer A is incorrect. This is an external source that provides a determinable benchmark
indicating what is being applied as best practice.
Answer B is correct. The auditor’s experience may be limited and may not reflect best
practice or entity objectives.
Answer C is incorrect. This is an external source that is indicative of what is acceptable for
the subject matter involved.
Answer D is incorrect. The use of expert consultants provides evidence that the practices
adopted by management reflect relevant principles and are an available benchmark of
objectives to be achieved by the entity.

EXAM PRACTICE

QUESTION 1
Your client is a large shareholder in a private company that manufactures car parts.
The company is expanding and has requested that your client consider providing a large
loan to the company to facilitate the expansion. Your client has not been active in the
operations of the company but has been satisfied with the return on investment through
dividends received in recent years, and with receiving the monthly management accounts
approved by the management and prepared as special purpose financial statements on a
modified cash basis.

There have been some changes to the senior management team in recent months and
management has indicated to the shareholder that the expansion process has commenced
and is having a more significant negative impact on cash flows than anticipated.

Your client has decided that the monthly management accounts are not sufficient to
make a decision as to whether to provide the loan being sought and that more significant
information needs to be provided. Your client has requested and management has agreed
to provide the following:

• A complete set of financial statements prepared in accordance with Hong Kong
accounting standards for the preceding six months ending at the end of the current
month approved by management.

• Management’s approved cash flow forecast for the next 12 months.

Your client also wants to be satisfied that any large cash payments incurred during the
last three months are due to normal operations or the expansion project.

Your client has also decided that some level of assurance over the information to be
provided is necessary and asks your advice on the types of engagements that would be
appropriate.
Required:

Explain and justify to your client what levels of assurance would be appropriate to add
credibility to the information being sought.

QUESTION 2
The regulatory process for corporate financial reporting and auditing in Hong Kong is
described as a co-regulatory model. Explain the basis for this description.

QUESTION 3
As audit partner you are preparing to present to the audit committee of a prospective
audit client required to report under the Companies Ordinance for the first time. The audit
committee chairman asks that your tender document include your reporting responsibilities
and rights to communicate with shareholders under the Ordinance.

Required:

(a) Summarise the matters that would be included relating to your reporting and
communication with shareholders in preparing your tender document.

(b) The Companies Ordinance gives the auditor qualified privilege in relation to defamation
for any statements made or documents used during the audit. Explain in your tender
document why this is important.

QUESTION 4
Your client is a private company for which you have been providing a review engagement
on their annual financial statements for some years. Some company shareholders have
requested the company provide a higher level of assurance on the financial statements and
the chairman of the Board has indicated that he intends to engage you to conduct an audit
in future reporting periods. The chairman has indicated to you that this absolute level of
assurance will satisfy the shareholders that the company remains a good investment and
that the financial statements are correct.

Required:

Respond to the chairman’s view and explain your reasons.

QUESTION 5
(a) An external financial statement auditor needs to be independent in both mind and
appearance. Explain the two concepts and why independence is a fundamental
principle of auditing.

(b) Explain the difference between independence as it applies to the external and internal
audit functions.

(c) For the following situations identify the nature of any threats to the fundamental
principle of independence for an external financial statement auditor and advise
safeguards, if any, that may mitigate those threats.

I. You are the engagement partner for a large audit client and it has come to your
attention that the senior audit manager assigned to the audit team was recently
employed by the client company as a senior accountant. It has been suggested that
the manager’s knowledge of the client will facilitate and enhance the audit process.

II. It has come to your attention that for the prior year, and this current financial
reporting period, the fees from one of your public interest audit clients will
represent more than 15% of the total audit fees of your firm.

III. Your audit client is seeking your assistance in structuring a financing arrangement
with a financial institution.

IV. Your firm has been approached by an audit client to enter into a joint venture to
supply and market computer software.

V. You are aware that one of your audit clients is looking to undertake a recruitment
process as a result of the expansion of your business and you offer to provide them
with a recruitment service.

QUESTION 6
The COE has been developed requiring a conceptual approach to ethical decision making by
accountants in public practice.

Required:

(a) Explain why a conceptual approach has been adopted.

(b) Explain what is involved in applying the conceptual approach to ethical issues.

ANSWERS TO EXAM PRACTICE

QUESTION 1
As your client does not regard the management accounts as significant in their own right to
the decision to invest, a review engagement would be appropriate. A review engagement
provides limited assurance as fewer audit procedures are performed and less evidence
is gathered. The review report would state whether anything has come to the auditor’s
attention to indicate that the accounts have not been prepared in accordance with the
modified cash basis. This would be more cost effective compared to an audit. It would be
an attest engagement as the special purpose financial statements have been approved by
management.

As the information in relation to the large cash transactions and the financial statements
are significant to your client’s decision making, an audit engagement is recommended. This
would provide a reasonable (high) level of assurance as to whether there are any unusual
cash transactions and whether the financial statements have been prepared in accordance
with the accounting standards.

The audit of the transactions would be a direct audit as there is no representation/
assertion by management that all transactions are in the normal course of business or are
project related. The auditor’s report would include information about the nature of the
transactions as well as the auditor’s opinion.
The audit of the financial statements would be an attest audit, as the signing of the
financial statements by management provides a written assertion.

The focus on cash flows indicates that the cash flow forecast is significant information
for the decision making of your client. However, due to the nature of forecast information
being more subjective and reflecting future estimates, only negative assurance can be
provided through a review engagement.

QUESTION 2
The model is described as co-regulatory because the actions of a company and auditor
subject to the requirements of the Companies Ordinance are governed by both the statutory
requirements of the Ordinance and mandatory professional requirements that apply to
members of the HKICPA.

The Companies Ordinance imposes statutory requirements on companies for the
preparation and presentation of financial statements and to appoint an auditor to audit
those financial statements and report to shareholders.

The legislation imposes statutory requirements on auditors appointed under the
legislation in terms of their responsibilities and reporting obligations.

Both the companies and auditors are regulated by the Securities & Futures Commission
of Hong Kong.

Auditors appointed pursuant to the Ordinance are private sector organisations and
accredited by the HKICPA. The HKICPA is a professional organisation that mandates
requirements that its members must comply with when appointed as a statutory auditor.
This represents a self-regulatory aspect to the accountability process. The self-regulatory
aspect requires an auditor to comply with the professional standards that govern the
activities and behaviour of its members and provides a benchmark for the performance of
its members. For audits, the primary standards are the HKSAs, HKSQM 1, and the COE.

Under both components of the model, failure to comply can result in sanctions.
Non-compliance with statutory requirements by a company or auditor would be investigated
by the Securities Commission and non-compliance with professional standards would be
investigated by the HKICPA. In both cases the action taken could result in penalties. In the
case of auditors under the HKICPA process this could include cancellation of the member’s
Practicing Certificate and right to conduct audits.

Co-regulation is therefore a combination of mandatory statutory requirements and
sanctions and professional standards and sanctions.

QUESTION 3
(a) The following reporting and communication responsibilities would be included when
preparing the tender document:

• Reporting to shareholders an opinion on whether the financial statements have
been prepared in accordance with the Companies Ordinance and give a true and fair
view of financial position and performance in accordance with HKFRSs.

• Report if the Directors’ Report is inconsistent with the financial statements.

• If the company has not kept adequate accounting records and/or the financial
statements do not agree with the accounting records, this must be reported.

• Report if unable to obtain all the information and explanations necessary for
the audit.

• The audit report would include details of any failure by the directors to report
in the notes to the financial statements their emoluments, retirement benefits,
termination payments, and loans.

• In addition to these matters the Companies Ordinance gives the auditor the right to
attend the company general meeting and to be heard in relation to audit matters.

(b) The ability to communicate with shareholders creates confidence in the role of the
statutory auditor and protection to plan and conduct the audit with due care and
diligence and supports audit independence. This protection supports this position.

QUESTION 4
The audit requested will provide a reasonable (high) level of assurance that the financial
statements are not materially misstated. This is not an absolute level of assurance. While
an audit is planned and conducted to obtain sufficient appropriate evidence on which to
support the opinion, much of that evidence is persuasive rather than conclusive.

There are limitations to the audit process that involve the auditor making professional
judgements to identify risks that the financial statements are materially misstated and
determining the nature and extent of the audit procedures to be applied.

The auditor generally applies sampling techniques that limit the number of transactions
tested for cost and efficiency reasons. As not all transactions are tested there is the potential
for misstatement.

The financial statements themselves involve the preparers making judgements and
estimates, and the evidence is limited by the nature of that process.

There are inherent limitations of the system of internal control over the preparation of
the financial statements. For example, human error or deliberate override of the system
may lead to transactions not being recorded correctly.

A properly conducted audit may not detect fraud due to its nature, which involves
collusion and attempts to conceal it.

Accordingly, a properly conducted audit in accordance with auditing standards does not
provide absolute assurance, but the standards are designed to result in a reasonable/high
level of assurance.

QUESTION 5
(a) Independence in mind requires the auditor to avoid circumstances that would influence
or compromise professional judgement, and therefore allows the auditor to act with
integrity, objectivity, and professional scepticism.

Independence in appearance involves the auditor avoiding circumstances from which
a reasonable and informed individual would be likely to conclude that the auditor’s
objectivity and professional scepticism have been compromised.

Independence is necessary to maintain the confidence of financial statement users.
As an audit is undertaken to enhance the intended users’ degree of confidence in the
information audited, the audit function must have credibility to support the value of
the function as a useful assurance service. That credibility derives from the situation
whereby the auditor has no involvement in the preparation of the information and no
vested interest in the outcome and therefore would be, and would be perceived to be,
objective in expressing the auditor’s opinion.

(b) It is important that both external and internal auditors would be, and would be
perceived to be, independent and objective. From the perspective of the external audit
function, it involves being independent from the entity being audited and having,
and being seen to have, no vested interest that would compromise audit judgement and
outcomes to give that function credibility for the intended users of the auditor’s report.
From the internal audit perspective, the concept is similar, except that the internal audit
is part of the entity and the internal auditor is an employee of the entity. Independence
in the sense that it applies to an external auditor cannot be achieved. Internal audit
independence is therefore related to the role that it has in the entity as defined by its
charter such that it has appropriate authority and reporting lines to act with autonomy
and without bias within the entity, and is not involved in the areas and activities of the entity that
it audits. It also involves ensuring that internal audit staff can bring an objective attitude
to their role by not having operational responsibilities or conflicts of interest within
the entity.

(c) I. This potentially creates self-interest, self-review, and familiarity threats to
the independence of the senior audit manager. The partner should seek further information
as to the nature and extent of the team member’s involvement in the
financial statement preparation process within the client and the role to be played in
the audit team. If the manager had a significant role at the client, that person should
not be assigned to the audit team or as a safeguard the work of that member should
be reviewed during the audit process.

II. This situation creates self-interest and intimidation threats. Under the COE this
fact must be disclosed to the client management and a pre-issuance engagement
quality review should be undertaken by a member not in the firm or by a
professional body. A pre-issuance review would be undertaken before the audit
opinion for the second year is issued.

III. As such a transaction is likely to affect the financial statements, this creates a
self-review threat. A safeguard would be to have this service provided by another
member of the firm not involved in the engagement team.

IV. Unless the financial interest is immaterial this relationship could create self-interest
or intimidation threats and should not be entered into.

V. This may create self-interest, familiarity, or intimidation threats. You can offer such
services under the conditions that you do not take on management responsibilities
negotiating on management’s behalf or making the hiring decision.

QUESTION 6
A conceptual approach recognises that there is a large number of different circumstances
that a professional accountant could encounter in their relationship with a client, and a
range of different services and activities that could affect the behaviour and actions of the
accountant. It is not possible to specifically identify and provide rules for every possible
situation that might arise. The conceptual approach avoids situations where a potentially
inappropriate behaviour or activity that could contravene the fundamental ethical principles
of the profession may be seen as appropriate because it is not specifically prohibited.

The conceptual approach involves the professional accountant:

• Identifying threats to compliance with the fundamental principles of integrity,
objectivity, professional competence, confidentiality, and professional behaviour;

• The threats are self-interest, self-review, advocacy, familiarity, and intimidation;

• Evaluating the significance of those threats and applying safeguards to eliminate
the threat or reduce it to an acceptable level, and making a judgement based on a
reasonable and informed third party test; and

• Where appropriate safeguards are not available, the relationship or circumstances
creating the threat must be eliminated or the engagement declined or discontinued.

Part B
Corporate Governance
and Risk Management

Chapter 2 Corporate Governance

2
Corporate Governance

CHAPTER TOPIC LIST

2.1 Roles in Corporate Governance
2.1.1 Serving Stakeholders
2.1.2 Having an Effective Audit Committee
2.1.3 Working Closely with the Auditor
2.1.4 Managing Strategically

2.2 Background of Corporate Governance
2.2.1 Importance to Capital Markets and Preventing Corporate Failure
2.2.2 Fairness
2.2.3 Openness and Transparency
2.2.4 Independence
2.2.5 Probity and Honesty
2.2.6 Responsibility
2.2.7 Accountability
2.2.8 Reputation
2.2.9 Judgement
2.2.10 Integrity

2.3 Provisions of International Codes of Corporate Governance (such as the Organization for Economic Cooperation and Development (‘OECD’)) That Are Most Relevant to Auditors
2.3.1 Limitation of International Codes

2.4 Corporate Governance Developments in Hong Kong and the Structure of the Code on Corporate Governance Practices and Corporate Governance Report in Hong Kong
2.4.1 Structure of the Corporate Governance Code
2.4.2 Corporate Governance Report

2.5 Directors’ Role and Responsibilities
2.5.1 What Is the Role of a Director?
2.5.2 The Legal Responsibilities of Directors
2.5.3 Board Committees’ Structure and Roles and Drawbacks and Limitations
2.5.4 Internal Control (ISO)

2.6 Auditor’s Responsibilities in Regard to Corporate Governance

2.7 Sarbanes–Oxley Act Effect on Hong Kong Companies and Their Auditors

2.8 Corporate Governance Arrangement’s Analysis and Improvement Recommendations


LEARNING OUTCOMES

PRINCIPAL LO3: EXPLAIN THE IMPORTANCE OF CORPORATE GOVERNANCE AND RISK MANAGEMENT
LO3.01: Recommend appropriate practices an entity should put in place to achieve good
corporate governance
3.01.01 Explain the roles of audit committee, auditor, and management in corporate governance
3.01.02 Explain the objectives, concepts, relevance, and importance of corporate governance to
capital markets and preventing corporate failure
3.01.03 Describe the provisions of international codes of corporate governance (such as OECD) that
are most relevant to auditors
3.01.04 Explain corporate governance developments in Hong Kong and the structure of the Code on
Corporate Governance Practices and Corporate Governance Report in Hong Kong and how these
contribute to effective corporate governance
3.01.05 Explain the concept of stakeholder theory in corporate governance
3.01.06 Describe the corporate governance requirements as set out in the Companies Ordinance and
Hong Kong Stock Exchange Listing Requirements relating to directors’ responsibilities (e.g.
risk management and internal control)
3.01.07 Explain the responsibilities of management within the corporate governance framework
3.01.08 Analyse the structure and roles of board committees and discuss their drawbacks and
limitations
3.01.09 Explain an auditor’s responsibilities to consider and address corporate governance
requirements
3.01.10 Explain the effect of the Sarbanes–Oxley Act on Hong Kong companies and their auditors
3.01.11 Evaluate the corporate governance arrangements in a given scenario and recommend
improvements to address identified weaknesses


OPENING CASE

88 TANDI COMPANY

88 Tandi Company is in a pre-IPO position and the current seven directors, who are all
executive directors, are trying to determine what effect listing will have on the way the
business is run, managed, and controlled.

88 Tandi is a very successful hotel chain that is looking to expand across Asia and into
the lucrative United States (US) market. Given the boutique and quintessentially Chinese feel
of the hotels, the directors believe listing on the Hong Kong Stock Exchange (‘HKEx’) will help
successfully finance the planned expansion.

The directors also want to consider what is required from a corporate governance
perspective if they were to also list in the US. Not only are the directors in current discussions
with lawyers as the preparation for the IPO continues, but also with their auditors, Quality
Audit Firm (‘Quality’), as the directors want to further understand the likely external audit
ramifications of a listing on the HKEx and also a potential listing in the US.


OVERVIEW

Corporate governance has become one of the most talked about areas of today’s corporate
world. Large corporate failures, such as those of Enron, WorldCom, Polly Peck International,
Barings Bank, Lehman Brothers, and Carillion plc, have made it a predominant issue with
various governments, led by the UK and the US. Regulatory authorities have made efforts
to install more stringent governance regimes to ensure the smooth running of corporate
organisations for all stakeholders and to reduce the risk of such failures. Corporate governance
systems have been developed around the world on the basis of country-specific frameworks of
legal, institutional, and cultural factors that shape the patterns of influence that shareholders
(or stakeholders) can exert on managerial decision making. Though developed on a country-by-
country basis, these frameworks have influenced each other. In this chapter, we are going to
explore the specific framework for Hong Kong as well as looking at those of the OECD and the
Sarbanes–Oxley requirements in the US.

The importance to auditors of corporate governance frameworks and the effectiveness of
implementation links directly to the auditor’s risk assessment to identify the risk of material
misstatement at the financial statement and assertion levels as required by HKSA 315 (Revised
2019), Identifying and Assessing the Risks of Material Misstatement. Auditors have obligations in
relation to other information in financial statements, which is where a considerable amount
of disclosure is made in relation to an entity’s corporate governance activities and compliance
with the corporate governance requirements in Hong Kong. While auditors do not have any
direct responsibilities in relation to assessing the effectiveness of the corporate governance
activities of entities, this chapter will highlight how good corporate governance can assist
the auditor.

2.1 ROLES IN CORPORATE GOVERNANCE

Outside of the board and board committees, which will be explored later in this chapter, there
are four dimensions that are important to the success or otherwise of a corporate governance
framework.

2.1.1 Serving Stakeholders


The concept of serving stakeholders, while not new, is now one that builds on the
historical focus on serving shareholders exclusively.

An early stakeholder model was detailed by Ian Mitroff in his book Stakeholders of the
Organizational Mind, published in 1983. This book identifies and models the groups that
are stakeholders of a corporation, and both describes and recommends methods by which
management can give due regard to the interests of those groups. In short, it attempts to
address the ‘principle of who or what really counts’. Stakeholder theory argues that there
are other parties involved, not just shareholders, including employees, customers, suppliers,
financiers, communities, governmental bodies, political groups, trade associations, trade
unions, and sometimes competitors, who are counted as stakeholders. The nature of what
represents a stakeholder is highly debated. Whatever the merits of these stakeholder theories,
community attitudes and legal systems have increasingly recognised that the needs of a broad
group of interested parties require the attention of directors.

It is noteworthy that the conceptual framework for financial reporting in Hong Kong
(and globally through the International Accounting Standards Board) identifies a range of users
that should be served by financial reporting. The reporting by auditors, in turn, expresses an
opinion in the context of the applicable accounting framework. It is therefore evident that
stakeholder thinking has gained widespread support and influences both financial reporting
and auditing.

From the viewpoint of corporate governance, the existence of a range of stakeholders
means that there are multiple dimensions to the conduct of business operations, the gathering
of information, the design of controls, and the forms of accountability. The auditor needs to
understand those dimensions in the context of particular entities, in order to comply with HKSA
315 (Revised 2019).

2.1.2 Having an Effective Audit Committee


The audit committee plays a major role in corporate governance regarding a company’s
financial direction, control, and accountability. As a representative of the full board of directors
and main part of the corporate governance mechanism, the audit committee is involved
in a company’s strategy in relation to its internal audit function and is responsible for the
appointment of the company’s external auditors. The audit committee receives reports from
management on internal control, accounting and financial reporting, regulatory compliance,
and risk management.

The audit committee monitors the integrity of a listed company’s financial statements
(annual and interim) and of the accounting records supporting those forms of reporting to
users, but the full board has overall responsibility for the financial statements.

The audit committee needs to have the full cooperation of management and to be provided
with sufficient information and reasonable resources to carry out its role and function in
accordance with its terms of reference. An effective audit committee will take an active interest
in, and take a proactive approach towards, understanding the affairs of the entity and will take
the appropriate actions when there are indicators of unplanned issues and risks.

The roles of the audit committee are, therefore, very relevant to the auditor when designing
and carrying out audit procedures, and critically when communicating with the full board.

2.1.3 Working Closely with the Auditor


One of the primary roles of external auditors in corporate governance is protecting the interests
of shareholders and other stakeholders through forming an independent opinion on the truth
and fairness of the financial reports in the context of the applicable accounting framework.


The expressing of that opinion provides assurance to the users of the financial reports. The
provision of this assurance is only possible because the external auditor’s opinions and reports
are developed independently of the company’s influence. Indirectly, the work of the external
auditor contributes to the board itself, helping to ensure that they receive relevant and
representationally faithful information. The board may also question the auditor’s views and
assessment of the appropriateness of the accounting policies and controls used by an entity.
They value the experience and expertise of auditors gained through working with a great variety
of entities.

Good governance is characterised by a strong mutual respect between the board of
directors and the auditor. Conversely, where the relationship between them is adversarial or
the audit is treated as a compliance exercise deserving little attention, it is most unlikely that
governance will be strong.

2.1.4 Managing Strategically


The CEO and other management are the conduit for the board’s responsibility for good
corporate governance, strategy, and the delivery of the activities that support this objective.
One of the key roles of the board of directors is to appoint the best CEO possible for the entity.
This is also a key decision for the governance of the entity.

The auditor needs to have a good understanding of the way in which an entity is managed
strategically and its business model, in line with the requirements of HKSA 315 (Revised 2019).
The auditor has a vital interest in how the board and management interact, a critical feature of
corporate governance.

A key focus of a board, and one very relevant to the auditor to observe, is monitoring,
evaluating, and confirming decisions made by the CEO and how they are implemented by
senior management.

This focus can be served if all the following conditions are met:
• Directors are satisfied that appropriate systems and policies are in place and have
been demonstrated to be effective. The important point is demonstration or evidence
of effectiveness rather than just the assurance of the CEO or other members of
management.

• Directors are satisfied that information reported by the CEO includes relevant indicators
and other information that directly reflects the integrity of the activities of management.

• Directors are able to exercise critical and independent judgement.

Knowledge Check Questions

Question 1
Identify which of the following is not a key role of the audit committee.
A Conduit between the full board and management.
B Takes full responsibility for the accuracy of the financial statements.
C Involved in the direction of the internal audit.
D Corresponds with the external auditors.


2.2 BACKGROUND OF CORPORATE GOVERNANCE

Corporate governance failures resulting in corporate failure have demonstrated several
common behavioural traits that work against corporate success. This section outlines the
behaviours that need to be demonstrated to support corporate governance effectiveness and
reduce the risks to auditors of fraudulent activity.

2.2.1 Importance to Capital Markets and Preventing Corporate Failure


Corporate governance supports the accountability of an entity and is intended to reduce the
vulnerability of the entity to severe or unexpected risks. Poor governance can lead to the
circumstances that destroyed energy giant Enron and bankrupted many of its stakeholders and
employees, as well as leading to the demise of its well-credentialled auditor.

In terms of business, an entity with good corporate governance is widely accepted by the
public. This is mostly due to the disclosure and transparency that comes with good corporate
governance. With full disclosure and the ability for people who work in the business to get
information, as well as investors and the general public, there is a higher degree of trust
built with all stakeholders. Diligent attention to corporate governance by the board and
management can lead to a lower chance of unexpected risks emerging, fraud, or company-wide
criminal activity.

An entity’s corporate reputation is extremely important to the board and the entity’s
operations and financing. Profitability alone does not necessarily bring a good reputation.
Entities are judged on many factors. Making sure there is a high level of awareness
of management about stakeholders’ needs, making ethical behaviour the norm, and
understanding what the public wants are all aspects of good corporate governance.

Illustrative Example 1
The Volkswagen controversy is a good example of the impacts that poor corporate
governance can have on a global brand and reputation. In 2015, the United States
Environmental Protection Agency (EPA) found that Volkswagen had fitted cars with
‘defeat devices’ – software that could detect test conditions and cut its emissions
accordingly to improve results. The technology allowed cars to continue to emit up to
40 times the permissible levels of harmful nitrogen oxide during driving, whilst the cars
apparently met tests.

Volkswagen has since admitted that about 11 million cars worldwide were fitted with
the ‘defeat device’.

The scandal reportedly cost the auto giant as much as US$30 billion in fines, settlements,
and remediation, making it by far the biggest business crisis in its 80-year history.



US prosecutors went on to accuse former Volkswagen executive Oliver Schmidt of
participating in ‘one of the largest corporate fraud schemes in American history’.

This is a case in which a very successful and profitable company, with an iconic global
brand, through the lack of good corporate governance, saw its market value falling
by US$30 billion initially, not to mention significant erosion of consumer confidence.
Commentators noted at the time that a company’s corporate governance can often prove
instructive on whether trouble lies ahead.

2.2.2 Fairness
Fairness means treating people equally and respectfully. It entails avoiding bias towards one or
more parties as compared to others.

For boards, being fair can be difficult in some circumstances as stakeholders can have
competing interests. When a company is engaged in an acquisition or reconstruction, for
instance, it can be very hard to be as fair to individual stakeholders when maximising the
outcome for stakeholders as a whole. For this reason, many companies are turning to what is
known as ‘fairness or second opinions’. This involves calling in an independent knowledgeable
entity to assess a transaction and give an opinion on its fairness. In the law, sometimes there
are requirements for such an opinion (e.g. when recommending considering acceptance of an
offer from a potential acquirer).

2.2.3 Openness and Transparency


Openness and transparency are central qualities of the processes, media, and reporting that
an entity chooses as it shares information with its stakeholders. This openness and
transparency of an entity helps to engender trust and confidence in the entity. On the other
hand, defensiveness and secrecy lead to stakeholders building greater allowances for risk into
their assessments and pricing.

After the global economic crisis of 2008, many governments across the world called for
entities to demonstrate greater transparency to rebuild the trust lost in financial institutions in
the first instance and then more broadly.

2.2.4 Independence
In corporate governance, independence is important in several contexts. At the most basic
level, the board and management need to have a commitment to stakeholders and the
community to pursue ethical directions that are independent of self-interest. Individuals need
to be able to stand up for values without fear.

It is equally vital that external auditors are independent of their clients, that internal
auditors are independent of the aspects of the business they are auditing, and that
non-executive directors have a degree of independence from the executive directors on a
board and from senior management.


Independence is a quality that can be possessed by individuals and is an essential element
of professionalism and professional behaviour. It is the avoidance of being unduly influenced
by a vested interest and being free to bring expertise and experience to bear without any
constraints that would prevent an appropriate decision from being made or course of action
from being undertaken. It is an ability to ‘stand apart’ from inappropriate influences and to
be free of managerial capture.

A common problem in many entities is ensuring independence where it could represent an
ethical threat if absent. In the real world, friendships and networks build up over many years
in which relationships exist at several different levels of intensity. Audit engagement partners
can get to know clients very well over many years, for example, and serving together on boards
can cement friendships between the non-executive directors and executive directors of a board.
The benefits of those relationships should not be allowed to be offset by a lack of independence.

2.2.5 Probity and Honesty


Probity is the quality of having values based on strong moral principles, including honesty and
decency. For entities, probity requires the setting of policies about values at an organisation
level, and then ensuring implementation of those policies through effective communications
and examples and, where appropriate, codes of practice. It is then for management to
demonstrate those values through leadership, to positively reinforce the values, and also to
ensure compliance with, and enforcement of, the values. Stakeholders need to see the entity
as honest.

The issuance of self-serving or misleading information is inconsistent with probity
and honesty.

The conduct of individuals on a board can raise several probity issues. Unless managed
effectively, probity issues, whether perceived, potential, or actual, can damage the reputation of
an entity and reflect poorly on the reputations of board members or the entire board.
There are a number of common strategies that can be adopted to avoid issues at board
level. These include having policies on handling conflicts of interest, having annual declarations
of interests by directors, and having clear delegation authorities in place.

2.2.6 Responsibility
Directors and management have significant power to approve transfers and distributions of
assets in the ordinary course of business without shareholder approval, including distributions,
asset purchases and sales, deployment of corporate property, contributions to charity, and
managerial compensation. This is a great responsibility. Directors can decide whether to
recommend extraordinary transactions to the shareholders, including the sale of substantial
corporate assets, acquisitions, spin-offs, mergers, dissolution, and charter amendments. The
board can not only screen entity-level transactions but also impede the shareholders from
transferring control by enacting strong defences to hostile takeovers. The important question
is how management can be made accountable to the shareholders or anyone else in exercising
their substantial powers within the constraints of the corporate form.

The increasing challenge for boards and management is the expectations around corporate
social responsibility (CSR). Prioritising CSR, and holding corporations accountable for effecting
social change with their business beliefs, practices, and profits, is of increasing importance to
entity stakeholders. In fact, some will even turn their back on entities if they believe they are not
taking a stand for societal and environmental issues.

Recognising how important social responsibility is to their customers, many companies now
focus on and practise a few broad categories of CSR:

• Environmental efforts. The environment is a primary focus of CSR. All entities,
regardless of size, have a large environmental footprint. Any steps they can take to
reduce these footprints (e.g. reducing carbon emissions) are considered good for the
entity and society.

• Ethical labour practices. Entities demonstrate their CSR by treating employees fairly and
ethically.

• Philanthropy. Donating money, products, or services to social causes is another way
that entities practise social responsibility. Larger entities tend to have resources that
can benefit charities and local community programmes.

• Volunteering. Entities can express their sincere concern for specific issues and support
for certain organisations by doing good deeds, like volunteering, without expecting
anything in return.

Again, the auditor needs to understand how social responsibilities are being addressed by
companies and their impact on culture and on the design, implementation, and monitoring
of controls. For example, if the auditor knew that a company had voluntarily decided on
environmental performance targets beyond those required by law, but found middle management
was ignoring the policy, it would raise serious questions about how the board was monitoring the
implementation of policy, specifically for the policy in question and perhaps more broadly.

2.2.7 Accountability
Accountability is the responsibility of management to provide the information that is useful to
the needs of the variety of stakeholders. It is a very important pillar of corporate governance
as it helps form the basis for the principal and agent relationship between stakeholders and
management. With that basis, the confidence of stakeholders in management can be increased.

Accountability can be taken at different levels depending on how much trust there is
between the parties to that relationship. There are three key components to accountability:

• Delegation. This occurs when responsibility for a decision or a task is given to someone
else in the expectation that they will ensure its correct fulfilment.

• Responsibility. A sense of obligation to ensure that a task that has been delegated is
fulfilled and to the standards expected.

• Legitimacy. Accountability of the ‘right’ of those demanding such an ‘account’ to make
that demand.

Accountability should have both an internal and an external focus, and to be truly effective
it must be recognised and accepted by all within an entity.

The auditor is intrinsically involved with management’s discharge of its responsibility
to be accountable, as the auditor’s primary responsibility is to provide assurance about the
assertions of management in financial statements and in other assurance circumstances
involving external reporting.


2.2.8 Reputation
Reputation or brand is one of an entity’s most valuable assets. According to a 2012 study by the
World Economic Forum, on average approximately 25% of an entity’s market value is directly
attributable to its reputation. Holding on to a good reputation or brand is critical to the value of
a company and thus significant focus should be placed on protecting and enhancing it. Where
companies have been seen to have done the wrong things, economic losses can be significant.

The board has a major role to play in helping advise management and the entity of the
potential reputational risks associated with the strategic directions of the company set by
the board. Non-executive directors (‘NEDs’) can be very beneficial in this process as they can
bring their external perspectives and experiences to assist in this process. Often the board will
require management to undertake sensitivity analysis or scenario development to determine
possible impacts that a strategy may have on the reputation of the company. The board
should play an active role in this assessment by providing perspective and feedback that could
ultimately lead to changes to the strategy and the associated identified risks and opportunities.

Entities often look internally to strengthen their ability to detect and mitigate reputation
problems. An effective whistle-blower programme, for example, can help bring to light problems
within the entity that may be compromising its reputation. Entities must, however, be aware of
what is being said about them by parties outside the entity as well, which can often be achieved
through engaging in dialogue with brokers or doing broad surveys of stakeholders.

The auditor can look at the ways in which an entity guards its reputation and better
understand the motivations and actions of management. Positively, commitment
to a strong reputation is likely to be a characteristic of strong corporate governance.
Negatively, preoccupation with reputation can see management being unwilling to candidly
reveal bad news.

2.2.9 Judgement
Judgement can take two perspectives. Firstly, there is the quality of decision making by the
board and management of an entity and, secondly, by parties outside the entity linked to
an assessment of the decisions made by the entity, when determining whether to become a
stakeholder of the entity. Judgements will be made on an entity’s delivery on all the corporate
governance principles addressed in this chapter. The value of any entity is only as good
as how it is driven and maintained. Poor internal judgements around strategy, risk, and
corporate governance can have a long-lasting detrimental effect on the underlying value of
an entity.

Respect by an auditor for the judgement of a board and senior management will be
influential in how an auditor goes about forming an independent opinion. Expressed
differently, a lack of regard for judgement is likely to see the auditor’s risk assessment increase,
resulting in seeking more evidence for assertions made by management.


2.2.10 Integrity
Integrity is generally understood to describe moral virtue. A person of integrity is one who
observes a steadfast adherence to a moral or ethical code notwithstanding any other pressures
on him or her to act otherwise.

Integrity is very important in the corporate governance framework for a number of reasons:

1. Corporate governance will not cover every situation the company may face. The
maintenance of good corporate governance will sometimes depend on judgement that
the areas of most significance to stakeholders are being sufficiently managed. In this
instance, integrity would play an important role.

2. Integrity is partly about proper dealing in relationships, which is key to managing and
maintaining relationships with all stakeholders.

3. Good corporate governance is also about maintaining confidence that the company is
being run honestly and that the directors have integrity. This will promote confidence in
the entity.

As with the other characteristics described above, the presence of integrity is critical for the
quality of corporate governance and for how the external auditor designs an audit.

Ethics in Practice 1
The characteristics and behavioural traits of good corporate governance discussed above
are consistent with the HKICPA’s Code of Ethics for Professional Accountants. Expressed
differently, they are also of vital importance to auditors in understanding their clients
and in providing their professional auditing services.

Key Learning Point


The behavioural traits of individuals within an entity are critical to the success or otherwise
of corporate governance. Entities should articulate very clearly their expectations of the
behaviours that should be exhibited by all personnel, including board members.

Knowledge Check Questions

Question 2
Explain why a company’s reputation is important and how good corporate governance can
assist in maintaining or improving the company’s reputation.


2.3 PROVISIONS OF INTERNATIONAL CODES OF CORPORATE GOVERNANCE (SUCH AS THE
ORGANIZATION FOR ECONOMIC COOPERATION AND DEVELOPMENT (‘OECD’)) THAT ARE MOST
RELEVANT TO AUDITORS

There are several international codes relating to corporate governance that have relevance
for auditors. The OECD code covered here and the ISO codes covered in Section 2.5.4 have an
indirect relevance. The provisions of the Sarbanes–Oxley Act covered in Section 2.7 have direct
relevance where Hong Kong entities are listed on a US stock exchange or for subsidiaries in
Hong Kong of US listed entities.

The OECD started considering the need for a corporate governance code in the 1990s,
partly as a result of corporate scandals but partly in response to the needs of a rapidly
expanding global marketplace.

The G20/OECD Principles of Corporate Governance help country level policy makers
evaluate and improve the legal, regulatory, and institutional framework for corporate
governance. They also provide guidance for stock exchanges, investors, corporations, and
others that have a role in the process of developing good corporate governance. The Principles
were first issued in 1999 and endorsed by the G20, an international forum for the governments
and central banks of the twenty richest countries in the world, with the aim to discuss
policy pertaining to the promotion of international financial stability. They have become the
international benchmark in corporate governance. The Principles have been adopted as one of
the Financial Stability Board’s key standards for sound financial systems and have been used by
the World Bank Group in more than 60 country reviews worldwide. They also serve as the basis
for the guidelines, issued by the Basel Committee on Banking Supervision, on the corporate
governance of banks.

Many individual jurisdictions have issued their own corporate governance principles, which
can create difficulties where entities operate across several jurisdictions.

The six OECD principles are:

1. The corporate governance framework should promote transparent and fair markets
and the efficient allocation of resources. It should be consistent with the law and
support effective supervision and enforcement.

2. The corporate governance framework should protect and facilitate the exercise of
shareholders’ rights and ensure the equitable treatment of all shareholders, including
minority and foreign shareholders. All shareholders should have the opportunity to
obtain effective redress for violation of their rights.

3. The corporate governance framework should provide sound incentives throughout the
investment chain and provide for stock markets to function in a way that contributes to
good corporate governance.


4. The corporate governance framework should recognise the rights of stakeholders
established by law or through mutual agreements and encourage active co-operation
between corporations and stakeholders in creating wealth, jobs, and the sustainability
of financially sound enterprises.

5. The corporate governance framework should ensure that timely and accurate
disclosure is made of all material matters regarding the corporation, including the
financial situation, performance, ownership, and governance of the company.

6. The corporate governance framework should ensure strategic guidance of the
company, the effective monitoring of management by the board, and the board’s
accountability to the company and the shareholders.

A number of the provisions supporting the six OECD principles are relevant to external
auditors. These discussions are outlined in Exhibit 2.1.

The duties of directors: The provisions provide a reinforcement that should indirectly assist external
auditors as they encourage independence, integrity, and due care, which if
applied appropriately could reduce the likelihood of fraud.

Division of responsibilities: It is stated that they should be clearly articulated and designed to serve
public interest. This could help external auditors if the control mechanisms
surrounding the divisions are considered to be effective.

Related party transactions: These are to be approved and conducted in a manner that ensures proper
management of conflicts of interest and protects the interest of the company
and its shareholders. There should be adequate disclosures and minority
shareholders should be protected. If followed, this principle may assist external
auditors with their obligations under HKSA 550, Related Parties.

Acquisitions, mergers, and sales: They should be clearly communicated so that investors understand their rights
and recourse. Transactions should occur at transparent prices and under fair
conditions. If effectively implemented, this principle may assist the external
auditor with their obligations under HKFRS 3 (Revised), Business Combinations,
and HKSA 540 (Revised), Auditing Accounting Estimates and Related Disclosures.

Stakeholders: Including individual employees and their representative bodies, being able to
freely communicate their concerns about illegal or unethical practices to the
board and to the competent public authorities, and their rights should not be
compromised for doing this. If effectively implemented, this principle might
assist the external auditor with their obligations under the COE in relation
to Non-compliance with Laws and Regulations (NOCLAR) and the obligations
under HKSA 240, The Auditor’s Responsibilities Relating to Fraud in an Audit of
Financial Statements.

Open disclosure of financial and operating results of the company, including:
• Remuneration of members of the board and key executives.
• Foreseeable risk factors.
• Issues regarding employees and other stakeholders.
• Governance structures and policies including content of any corporate
governance code or policy and the process by which it is implemented.
The provisions could assist external auditors in determining the
completeness and accuracy of financial information to be presented in the
entity’s financial statements.

The preparation of financial statements: Needs to be in line with reputable accounting standards. If effectively
implemented this would facilitate the completion of an audit.

EXHIBIT 2.1 Provisions supporting OECD principles


The audit: Conducted by an independent, competent, and qualified auditor in accordance
with high-quality auditing standards in order to provide an external and
objective assurance to the board and shareholders that the financial statements
fairly represent the financial position and performance of the company in all
material respects in accordance with the applicable accounting framework. This
complies with auditing standards.

External auditors: Need to be accountable to the shareholders and owe a duty of care to the
company. This is compatible with long-established auditing principles.

Channels for disseminating information: Provision of equal, timely, and cost-efficient access to relevant information by
users. Auditors will need to be mindful of the various means of communication
to ensure that what is said is not incompatible with the audited financial
statements.

EXHIBIT 2.1 (Continued)

2.3.1 Limitation of International Codes


The inherent limitation of international codes is that they are not linked specifically to the laws,
regulations, and culture of any one country. More specifically, they are not written for Hong
Kong. While the OECD or other jurisdictional codes can act as an excellent reference base, it is
important that their key themes are moulded to the relevant jurisdiction.

Knowledge Check Questions

Question 3
Nominate the five supporting provisions to the OECD principles that should register with
external auditors the most and explain why.

2.4 CORPORATE GOVERNANCE DEVELOPMENTS IN HONG KONG AND THE STRUCTURE OF THE CODE ON CORPORATE GOVERNANCE PRACTICES AND CORPORATE GOVERNANCE REPORT IN HONG KONG

In Hong Kong, the first formal corporate governance initiative was launched in 1992 when
the HKEx introduced the corporate governance project, leading to the Code of Best Practice in
1993. In 2005, the HKEx adopted the Code of Corporate Governance in place of the Code of Best
Practice. The current code was last updated in 2016; however, further improvements based on
the outcomes of a review undertaken by HKEx became effective from 1 January 2019 and will
be discussed in Section 2.8 later in this chapter.


One of the roles of the HKEx is to provide a sound and effective corporate governance
framework for issuers in the furtherance of investor protection. The HKEx achieves this through
a combination of Listing Rules and other provisions in the Corporate Governance Code.

The Listing Rules require a mandatory standard of corporate governance for all Hong Kong
Listed Companies (‘issuers’). Breaches may lead to sanctions.

2.4.1 Structure of the Corporate Governance Code


The Code sets out the principles of good corporate governance and two levels of
recommendations:

• Code provisions

• Recommended best practices.

Issuers are expected to comply with, but may choose to deviate from, the code provisions.
The recommended best practices are for guidance only. Issuers have the option of devising
their own code on corporate governance on the terms they believe appropriate. This should
not be at a lower level than the code, unless adequately disclosed.

Issuers must state whether they have complied with the code provisions for the relevant
accounting period in their interim reports (and summary interim reports, if any) and annual
reports (and summary financial reports, if any).
Every issuer must carefully review each code provision and, where it deviates from any of
them, it must give considered reasons:

• In annual reports (and summary financial reports), in the Corporate Governance
Report, and

• In interim reports (and summary interim reports), either:

° By giving considered reasons for each deviation or

° To the extent it is reasonable and appropriate, by referring to the Corporate
Governance Report in the preceding annual report, and providing details of any
changes with considered reasons for any deviation not reported in that annual
report. The references must be clear and unambiguous and the interim report
(or summary interim report) must not contain only a cross-reference without any
discussion of the matter.

Issuers are encouraged, but not required, to state whether they have complied with the
recommended best practices and give considered reasons for any deviation.

The Code consists of six sections:

A. Directors;

B. Remuneration of directors and senior management;

C. Accountability and audit;

D. Delegation by the board;

E. Relationships with shareholders and other stakeholders; and

F. Company secretary.


A summary of the focus points in each of the six sections is as follows:

A. Directors

There should be structure around the everyday function of the board, to instill
stakeholder confidence in the overall governance of the entity. To this end there should
be specific arrangements in relation to:

• Major roles and functions of the board;

• Board process;

• Roles and responsibilities of the chairman and chief executive;

• Board composition (number, diversity);

• Appointment, election, and removal of directors;

• Independence of directors (executive versus non-executive directors);

• Responsibilities and the expected conduct of directors;

• Supply of and access to financial and non-financial information; and

• Board evaluation.

B. Remuneration of directors and senior management


The remuneration policy of an entity should be as transparent as possible, particularly
that of the directors and senior management. This is in order to demonstrate the
objective of attracting and retaining high-quality personnel to deliver the long-term
growth and sustainability of the entity. The entity should consider the following:

• The major role and function of the remuneration committee.

• The overall remuneration policy for the entity.

• Remuneration structure.

• Share-based payment offerings.

C. Accountability and audit

The board has the ultimate responsibility for ensuring the integrity of the entity’s
financial statements, accounting policies, financial reporting systems, and internal
controls, as well as effective systems of risk management. The board must ensure
that it is given sufficient and appropriate information to enable it to discharge its
responsibilities. The board through the audit and risk committees needs to set:

• Internal audit, charter, methodology, and process, including assessing who best to
conduct such a role, whether internal or external.

• Understand and respond to the findings of the internal audit function.

• The criteria for appointment of the external auditor. This should include an outline
and understanding of the objectivity and independence of the external auditor.

• Policy on the provision of non-assurance services by the external auditor.

• The board through the audit committee needs to consider the recommendations
of the external auditor on the operational and financial risks identified through the
audit process at the half year and the full year.


D. Delegation by the board

The responsibilities of board members are vast and often an entity’s board comprises
people from varying backgrounds, knowledge, skills, and experience. To direct an
entity that is listed on any of the Hong Kong exchanges can be very complex, and key
messages from the business could be lost if dealt with in detail only when the full
board meets. Over the years there has been strong recognition of the need for more
specialised meetings of board sub-committees, which are normally as follows:

Board Committees:

• Audit committee;

• Corporate social responsibility committee;

• Executive committee;

• Investment advisory committee;

• Nomination and governance committee;

• Panel member selection committee; and

• Risk committee.

E. Relationships with shareholders and other stakeholders


Candid and constructive communication with shareholders and wider stakeholders is
critical in a system of good corporate governance. The following should be considered:

• Particulars of shareholders’ rights and, if applicable, obligations.

• Limitation on shareholding, if applicable.

• Shareholder communication policy.

• Structure of the conduct of general meetings.

• Shareholder guide.

• Stakeholder communication policy.

F. Company secretary

The company secretary supports the chairman in promoting the highest standards
of corporate governance and facilitating the effective functioning of the board and
its committees, where appropriate. One of the key roles the company secretary plays
is to ensure that all applicable laws and regulations are complied with by each of the
directors on the board.

2.4.2 Corporate Governance Report


Listed companies are required to include a Corporate Governance Report (CGR) in each annual
report and summary financial report, if any. (These can be viewed in Appendix 14, Main Board
Listing Rules of the HKEx, and Appendix 15 of the GEM Listing Rules of the HKEx.) There are two
levels of disclosure set out by a CGR: mandatory disclosure requirements (Sections G to Q) and
recommended disclosures (Sections R to T).


Auditors, while not opining on the content of the CGR, have responsibilities for other
information disclosed in the annual reports, such as those under HKSA 720 (Revised), The Auditor’s
Responsibilities Relating to Other Information. HKSA 720 (Revised) requires the auditor to read
and consider other information for material inconsistencies with the financial statements
or with the auditor’s knowledge (this topic is covered in detail in Chapter 10 of this module).
Auditors therefore need to be aware of the full extent of the annual report disclosures in order
to meet the requirements of HKSA 720 (Revised).

2.4.2.1 Mandatory Disclosure Requirements


These disclosure requirements have been established to increase transparency, with the
following information needing to be included for each accounting period, supplemented by
information about significant subsequent events up until the date of publication of the Annual
Report (including the audited financial statements):

G. Corporate governance practices

(a) A narrative statement explaining how the issuer has applied the principles in the Code,
enabling its shareholders to evaluate how the principles have been applied;

(b) A statement as to whether the issuer meets the code provisions. If an issuer has
adopted its own code that exceeds the code provisions, it may draw attention to this
fact in its annual report; and
(c) For any deviation from the code provisions, details of the deviation during the financial
year (including considered reasons).

H. Directors’ securities transactions

For the Model Code set out in Appendix 10 of the Main Board Listing Rules of the HKEx and
Appendix 14 of the GEM Listing Rules:

(a) Whether the issuer has adopted a code of conduct regarding directors’ securities
transactions on terms no less exacting than the required standard set out in the
Model Code;

(b) Having made a specific enquiry of all directors, whether the directors of the issuer
have complied with, or whether there has been any non-compliance with, the required
standard set out in the Model Code and its code of conduct regarding directors’
securities transactions; and

(c) For any non-compliance with the required standard set out in the Model Code, if
any, details of these and an explanation of the remedial steps taken by the issuer to
address them.

I. Board of directors

(a) Composition of the board, by category of directors, including name of chairman,
executive directors, non-executive directors, and independent non-executive directors;

(b) Number of board meetings held during the financial year; and

(c) Attendance of each director, by name, at the board and general meetings.


Notes:

1. Subject to the issuer’s constitutional documents and the law and regulations of its
place of incorporation, attendance by a director at a meeting by electronic means
such as telephonic or video-conferencing may be counted as a physical attendance.

2. If a director is appointed part way during a financial year, his attendance should be
stated by reference to the number of board meetings held during his tenure.

(d) For each named director, the number of board or committee meetings he attended and
separately the number of board or committee meetings attended by his alternative.
Attendance at board or committee meetings by an alternative director should not be
counted as attendance by the director himself;

(e) A statement of the respective responsibilities, accountabilities, and contributions of
the board and management. In particular, a statement of how the board operates,
including a high-level statement on the types of decisions taken by the board and those
delegated to management;

(f) Details of non-compliance (if any) with rules 3.10(1) and (2), and 3.10A (GEM Listing
Rules 5.05(1) and (2), and 5.05A) and an explanation of the remedial steps taken to
address non-compliance. This should cover non-compliance with appointment of a
sufficient number of independent non-executive directors and appointment of an
independent non-executive director with appropriate professional qualifications, or
accounting or related financial management expertise;

(g) Reasons why the issuer considers an independent non-executive director to be
independent where they fail to meet one or more of the guidelines for assessing
independence set out in rule 3.13 (GEM rule 5.09);

(h) Relationship (including financial, business, family, or other material/relevant
relationship(s)), if any, between board members and, in particular, between the
chairman and the chief executive; and

(i) How each director, by name, complied with A.6.5 of the Code (GEM same reference).

J. Chairman and chief executive

(a) The identity of the chairman and chief executive; and

(b) Whether the roles of the chairman and chief executive are separate and exercised by
different individuals.

K. Non-executive directors

The term of appointment of non-executive directors.

L. Board committees

The following information for each of the remuneration committee, nomination committee,
audit committee, risk committee, and corporate governance functions:

(a) The role and function of the committee;

(b) The composition of the committee and whether it comprises independent
non-executive directors, non-executive directors, and executive directors (including
their names and identifying the chairman of the committee);


(c) The number of meetings held by the committee during the year to discuss matters and
the record of attendance of members, by name, at meetings held during the year; and

(d) A summary of the work during the year, including:

(i) For the remuneration committee, determining the policy for the remuneration of
executive directors, assessing performance of executive directors and approving
the terms of executive directors’ service contracts, performed by the remuneration
committee. Disclose which of the two models of remuneration committee described
in B.1.2(c) of the Code (GEM same reference) was adopted;

(ii) For the nomination committee, determining the policy for the nomination of
directors, performed by the nomination committee or the board of directors (if
there is no nomination committee) during the year. The nomination procedures
and the process and criteria adopted by the nomination committee or the board
of directors (if there is no nomination committee) to select and recommend
candidates for directorship during the year. If the nomination committee (or the
board) has a policy concerning diversity, this section should also include the board’s
policy or a summary of the policy on board diversity, including any measurable
objectives that it has set for implementing the policy, and progress on achieving
those objectives;

(iii) For corporate governance, determining the policy for the corporate governance of
the issuer, and duties performed by the board or the committee(s) under D.3.1 of
the Code (GEM same reference); and

(iv) For the audit committee, a report on how it met its responsibilities in its review
of the quarterly (if relevant), half-yearly, and annual results, and unless expressly
addressed by a separate risk committee, or the board itself, its review of the risk
management and internal control systems, the effectiveness of the issuer’s internal
audit function, and its other duties under the Code. Details of non-compliance with
rule 3.21 (if any) (GEM rule 5.28 (if any)) and an explanation of the remedial steps
taken by the issuer to address non-compliance with establishment of an audit
committee; and

(v) For the risk committee (if any), a report on how it met its responsibilities in its
review of the risk management and internal control systems and the effectiveness
of the issuer’s internal audit function.

M. Auditor’s remuneration (all GEM references in this section are the same)

An analysis of remuneration in respect of audit and non-audit services provided by the
auditors (including any entity that is under common control, ownership, or management
with the audit firm or any entity that a reasonable and informed third party having
knowledge of all relevant information would reasonably conclude as part of the audit firm
nationally or internationally) to the issuer. The analysis must include, in respect of each
significant non-audit service assignment, details of the nature of the services and the
fees paid.

Note that the code provisions expect issuers to make certain specified disclosures
in the Corporate Governance Report. Where issuers choose not to make the expected
disclosure, they must give considered reasons for not doing so under paragraph G(c) of the
Code. For ease of reference, the specific disclosure expectations of the code provisions are:

1. Directors’ acknowledgement of their responsibility for preparing the accounts
and a statement by the auditors about their reporting responsibilities (C.1.3 of
the Code);

2. Report on material uncertainties, if any, relating to events or conditions that may cast
significant doubt upon the issuer’s ability to continue as a going concern (C.1.3 of
the Code);

3. A statement that the board has conducted a review of the effectiveness of the internal
control system of the issuer and its subsidiaries (C.2.1 of the Code); and

4. A statement from the audit committee explaining its recommendation and the
reason(s) why the board has taken a different view from the audit committee on
the selection, appointment, resignation, or dismissal of external auditors (C.3.5 of
the Code).

N. Company secretary

(a) Where an issuer engages an external service provider as its company secretary, its
primary corporate contact person at the issuer (including their name and position); and
(b) Details of non-compliance with rule 3.29 (GEM rule 5.15).

O. Shareholders’ rights

(a) How shareholders can convene an extraordinary general meeting;

(b) The procedures by which enquiries may be put to the board and sufficient contact
details to enable these enquiries to be properly directed; and

(c) The procedures and sufficient contact details for putting forward proposals at
shareholders’ meetings.

P. Investor relations

Any significant changes in the issuer’s constitutional documents during the year.

Q. Risk management and internal control

Where an issuer includes the board’s statement that it has conducted a review of its risk
management and internal control systems in the annual report under code provision C.2.1
(GEM same reference), it must disclose the following:

(a) Whether the issuer has an internal audit function;

(b) How often the risk management and internal control systems are reviewed, the
period covered, and where an issuer has not conducted a review during the year, an
explanation why not; and

(c) A statement that a review of the effectiveness of the risk management and internal
control systems has been conducted and whether the issuer considers them effective
and adequate.


2.4.2.2 Recommended Disclosures


The disclosures set out in the following paragraphs (Sections R to T) on corporate governance
matters are provided for issuers’ reference. They are not intended to be exhaustive or
mandatory. They are intended to show the areas on which issuers may comment in their
Corporate Governance Report. The level of detail needed varies with the nature and complexity
of issuers’ business activities. Issuers are encouraged to include the following information in
their Corporate Governance Report:

R. Share interests of senior management

The number of shares held by senior management (i.e. those individuals whose
biographical details are disclosed in the annual report).

S. Investor relations

(a) Details of shareholders by type and aggregate shareholding;

(b) Details of the last shareholders’ meeting, including the time and venue, major items
discussed, and voting particulars;

(c) Indication of important shareholders’ dates in the coming financial year; and

(d) Public float capitalisation at the year end.

T. Management functions
The division of responsibility between the board and management.

Note that issuers may consider that some of the information recommended under
paragraphs R to T is too lengthy and detailed to be included in the Corporate Governance
Report. As an alternative to full disclosure in the Corporate Governance Report, issuers may
choose to include some or all of this information:

(a) On its website, highlighting to investors where they can:

(i) Access the soft copy by giving a hyperlink direct to the relevant webpage; and/or

(ii) Collect a hard copy of the relevant information free of charge; or

(b) Where the information is publicly available, by stating where the information can be
found. Any hyperlink should be direct to the relevant webpage.

Knowledge Check Questions

Question 4
List the considerations a board should address when establishing governance pertaining to
shareholders and other stakeholders.

Question 5
Describe what must be disclosed in the Corporate Governance Report in relation to
corporate governance practices.



Question 6
Identify which of the following is not a recommended disclosure in the Corporate
Governance Report.
A Share interests of senior management
B Investor relations
C Share interests of directors
D Management functions.

2.5 DIRECTORS’ ROLE AND RESPONSIBILITIES

2.5.1 What Is the Role of a Director?


Directors are responsible for corporate governance. While the board of directors has overall
responsibility for governance, individual directors may oversee different elements of corporate
governance depending on their expertise. Corporate governance includes many processes
by which an organisation is directed, controlled and held accountable. The aim of corporate
governance is to build an environment of trust, transparency and accountability for all
stakeholders, in order to foster long-term investment, financial stability and business integrity.

Corporate governance has two main elements: planning and monitoring. Planning includes
setting strategic objectives and making strategic plans designed to achieve these objectives. Key
aspects of planning include a focus on value creation and risk assessment.

The board is responsible for oversight of the conduct of the business and the supervision of
management. Monitoring is carried out to ensure compliance with the organisation’s strategic
objectives and strategic plans, and with relevant legislation and other regulations that apply
to the business. Monitoring includes management of significant risks and the identification of
breaches of compliance and their rectification. The organisation’s internal control and internal
audit systems are fundamental contributors to the monitoring process.

The HKEx Listing Rules address the board’s responsibilities for planning and monitoring.
Some of these responsibilities are summarized below:

Planning

• Leading, directing and supervising the issuer’s affairs to enable long-term success of
the issuer.

• Setting strategic objectives with appropriate focus on value creation and risk
management. Risk management is a key element of a director’s role and of corporate
governance.


Monitoring

• Reporting: Appropriate and adequate reporting in annual reports including financial
statements, corporate governance, and environmental social and governance (ESG)
disclosures of the board’s practices and policies.

• Resources: Ensuring adequacy of resources, staff qualifications and experience,
especially for the issuer’s accounting, internal audit and financial reporting systems.

• Training: It is the responsibility of all directors to ensure that they keep abreast of
the latest developments in the laws and regulations as they pertain to the issuer to
enable them to discharge their responsibilities. Directors should undertake appropriate
training to maintain their skills at an adequate level.

• Expertise: Directors should have an appropriate level of knowledge to understand
matters raised at board meetings and be able to actively probe and otherwise discharge
their responsibilities.

• Investigate: Directors should carry out sufficient due diligence on matters and not
simply rely on representations of management or on professional advisors
or experts.

The rules setting out the powers and functions of directors are usually encompassed in the
company’s constitution. A director has an obligation to ensure that a company operates at the
highest possible standards, complies with the relevant legislation governing corporations and
that it attends to basic ‘housekeeping’ tasks appropriately. The penalties that can be applied to
directors who fail to meet these obligations are considerable.

2.5.2 The Legal Responsibilities of Directors


The HKEx Listing Rules and the Companies Ordinance address the legal responsibilities of
directors. Some of these responsibilities are summarized below.
A director has a duty to the company, including its shareholders, employees, creditors,
regulators and other stakeholders to:

1. Act with reasonable care, skill and diligence, including:

• Act honestly and carefully;

• Know what the company is doing;

• Take care when handling other people’s money;

• Act in the company’s best interests.

2. Use any information gained through the director’s position properly and ethically:

• Disclose material transactions. If a director, or an entity connected with a director,
is interested in a significant transaction, and the director’s interest is material, the
director must declare their interest to the other directors.

Notes to the financial statements must disclose material interests of directors in
transactions entered into by the company.


3. Ensure that proper financial records are kept, normally including:

• General ledgers recording all the company’s transactions and balances;

• Cash records, e.g. bank statements, deposit books and petty cash records;

• Debtor and sales records, e.g. delivery dockets, invoices and statements, lists of
debtors and their balances and lists of all sales transactions;

• Creditor and purchases records, e.g. purchase orders, invoices and statements
received and paid, lists of creditors and lists of all purchases;

• Wages and superannuation records;

• A register of property, plant and equipment showing transactions and balances in
relation to individual items;

• Inventory records;

• Investment records, e.g. contract notes, dividend or interest notices;

• Tax returns and calculations;

• Deeds, contracts and agreements.

4. And make sure the company can pay its debts.


As described elsewhere in this chapter, there are many components to a corporate
governance framework, not only the board and the requirements of the board, but also
management and board committees. Board committees are established to give deeper
consideration to certain areas of the business, e.g. the audit committee. The following section
will explore a number of the board committees that a listed entity would be expected to have.

2.5.3 Board Committees’ Structure and Roles and Drawbacks and Limitations

2.5.3.1 Nomination Committee


The composition of the Nomination Committee is a minimum of five independent
non-executive directors.

The expectations of the Nomination Committee as set out in the HKEx Listing Rules are:

(1) The nomination committee’s key role is board recruitment. It must evaluate and assess
the best mix of skills and knowledge of the board, taking into consideration the entity’s
agreed strategies and objectives. The nomination committee focuses on the skills that
are available as a board, and determines whether these are appropriate for the current
situation that the entity is in, the challenges it might be facing, and the opportunities
that it might wish to explore.


Note that, under the amendments to the Corporate Governance Code effective 1 January
2019, in addition to the above there should be an established policy on how to identify
potential directors. The selection process should be transparent and fair. Issuers are
encouraged to select from a broad range of candidates who are outside those known to
the entity, and reference should be made to the entity’s diversity policy.

(2) Developing a list of desirable skills is a strategic way of determining what to look for in
director candidates. There is an increasing trend for boards to complete a skills matrix,
with the process being either internally or externally arranged.

(3) The nomination committee not only assesses potential board candidates but also
should assess the performance of the existing board members, including the chairman.
Many directors historically have not been assessed and remain on boards for lengthy
periods of time. The nomination committee or nominated external party should
annually review whether directors have met their obligations successfully or take
appropriate action. The nomination committee should be mindful of the need to
refresh the board regularly enough to avoid entrenchment and bias and to attract new
and fresh thinking in line with where the entity is moving strategically. The committee
should also consider and have a policy in place for succession planning to ensure the
long-term success of the entity.

The nomination committee is dependent on the quality of potential candidates in the
marketplace to fill board positions. The nomination committee may at times need
external assistance in ensuring that the board has the right mix of skills, diversity, and
experience.

The nomination committee must be very transparent with its performance assessment
of board members, including the chairman, or its effective governance may be
questioned or reduced.

2.5.3.2 Audit Committee


The composition of the Audit Committee is prescribed by Section 3.21 of the Main Board Listing
Rules as follows:

• Comprise non-executive directors only.

• A minimum of three non-executive directors.

• A minimum of one independent non-executive director who has the appropriate
professional qualifications.

• The majority of the committee members must be independent non-executive directors.

• The chair of the committee must be one of the independent non-executive directors.

The expectations of the Audit Committee as set out in the HKEx Listing Rules are:

(1) The audit committee has the important functions of monitoring the integrity of
the entity’s financial statements, annual and interim reports and accounts, risk
management (if there is not a separate committee, which in the case of a larger entity
or groups there arguably should be), and internal control, as well as maintaining an
appropriate relationship with the entity’s external auditors. The audit committee should
have a primary focus on the integrity of financial reporting.


(2) The audit committee has the responsibility of ensuring that the internal audit function
is resourced adequately with personnel with appropriate qualifications, experience,
integrity, and independence of mind. The audit committee should ensure that the
internal audit function operates effectively in line with the internal audit charter set by
the entity’s full board.

(3) The audit committee should ensure full co-operation with management and be
supplied with sufficient information to carry out its role. The audit committee must take
an active interest and be proactive and probing in understanding the financial affairs of
the entity and be able to see red flags where they exist.

(4) The audit committee should have a detailed understanding of the judgements of key
assumptions underlying critical accounting estimates. The often-material impact such
estimates can have on the entity’s financial statements explains the need for such
knowledge.

(5) The audit committee should meet with the auditors at least twice a year. Practically
speaking this is normally at the planning phase of an external audit and at its
completion for any accounting period.

(The role of the external auditor is important to ensure the integrity of the entity’s financial
reporting. How this is achieved by the external auditor will be explored in detail through
this module.)

(6) The independence of the external auditor should be reviewed by the audit committee
annually. Focus should be placed where the external auditor also provides non-audit
services. The audit committee should specifically consider:

(a) The nature of the non-audit services;

(b) Whether there are appropriate safeguards in place to ensure that there is not
a threat to the fundamental principles and independence as set out in the
HKICPA COE; and

(c) The aggregate fees paid to the external auditors and the breakdown of the fees
paid for audit and non-audit services for the financial period should be understood.

(7) The audit committee should also monitor the change process and execution of
implementing new accounting standards. There should be appropriate skill to
understand and keep up to date with tax legislation and other regulatory developments
in relation to financial reporting.

The audit committee is only as effective as the skills that sit on the committee and only as
effective as the information that it requests and receives from management, internal audit, and
the external auditors.

2.5.3.3 Remuneration Committee


The composition of the Remuneration Committee is prescribed by Section 3.25 of the Main
Board Listing Rules as follows:

• The majority of the members of the remuneration committee must be independent
non-executive directors.

• The committee must be chaired by one of the independent non-executive directors.


The expectations of the Remuneration Committee as set out in the HKEx Listing Rules are:

(1) The main role of the remuneration committee is to assist and advise the board
on the remuneration of the board and senior management. In achieving this the
remuneration committee should have a clear policy as well as documented formal
and transparent procedures to implement the policy. The key objective is to attract,
motivate, and retain the best talent for the entity, so as to maximise shareholder
and stakeholder value.

• The remuneration committee should consider all aspects of remuneration by:

(a) Researching what salaries, time commitments, and employment
responsibilities are undertaken by comparable entities.

(b) Ensuring the fairness of employment and termination terms for directors
and senior management.

(c) Ensuring a reasonable and appropriate compensation arrangement relating
to the dismissal or removal of directors for misconduct.

One of the limitations that the committee needs to focus on avoiding is that of
being compromised in setting commercial levels of remuneration or favouring directors
through a dismissal process. The other is ensuring confidentiality of the discussions and
the resulting remuneration outcomes.

2.5.4 Internal Control (ISO)


Internal controls play an important role in corporate governance systems. Controls help a
company prepare financial statements for each reporting period (including interim periods
as needed by the company). A company may also limit, or protect against, operating risks by
implementing functional controls.

The International Organization of Standardisation (‘ISO’) based in Geneva has been
responsible for developing and publishing a wide range of international standards for many
aspects of business since the 1940s. Effective adoption of ISO standards enables companies
to demonstrate a higher level of corporate governance, which is again enhanced if adoption is
audited and certified.

The two ISO standards where effective adoption would maximise the brand strength of a
company and work seamlessly within the corporate governance framework are:

• The ISO 9001 family of standards, which sets out the criteria for a quality management
system. The standards provide guidance and tools for companies who want to ensure
that their products and services consistently meet customers’ requirements and that
quality is consistently improved; and

• ISO 31000 provides principles, framework, and a process for managing risk. It can be
used by any organisation regardless of its size, activity, or sector.

Using ISO 31000 can help companies increase the likelihood of achieving objectives,
improve the identification of opportunities and threats, and effectively allocate and use
resources for risk treatment. Companies using it can compare their risk management
practices with an internationally recognised benchmark, providing sound principles for
effective management and corporate governance.


Apply and Analyse 1


In the current environment of 88 Tandi Company looking to conduct an IPO, the current
directors will need to make a number of changes to the corporate governance model to
meet the requirements of the Companies Ordinance and Hong Kong Stock Exchange Listing
Rules in relation to the Board structure and activities.

Analysis

During the listing process the directors should be advised that they will need to ensure
that the following changes are made to their current board structure and activities and the
requirements for committees:

• If the number of board members is to stay at the current level of seven, then there
will need to be a change in composition to ensure at least one-third are INEDs.
These INEDs should be appointed at least two months prior to the IPO.

• There may need to be a skills assessment completed to ensure that the board
has the appropriate balance of skills to manage the company now and with its
growth strategy.

• The directors must be made aware that, in the performance of their duties as
directors, they must act honestly and in good faith, in the interests of the issuer as a
whole, and avoid actual and potential conflicts of interest.

The board, when establishing its sub-committees, must be aware that:

Audit Committee

• Only has NEDs as members.

• Minimum of one INED.

• The chair must be an INED with appropriate knowledge and experience.

Nomination Committee

• NEDs only.

• Minimum of three members.

Remuneration Committee

• Majority INEDs.

• The chair must be one of the INEDs.


Knowledge Check Questions

Question 7
Explain what a duty to exercise reasonable care, skill, and diligence means.

Question 8
Advise when a director must declare material interests.

Question 9
Determine which of the following is the responsibility of all directors.
A All directors must be independent.
B Involvement with management and everyday responsibilities.
C Be industry experts.
D Keeping abreast of the latest developments with laws and regulations in relation to
the entity.

Question 10
Analyse the structure and roles of board committees and discuss their drawbacks and
limitations.

2.6 AUDITOR’S RESPONSIBILITIES IN REGARD TO CORPORATE GOVERNANCE

The auditor does not have direct corporate governance responsibility but rather provides a
check on the information aspects of the governance system.

Therefore, where does the auditor fit in?

Corporate governance involves decision making, accountability, and monitoring (Exhibit 2.2).

EXHIBIT 2.2 Corporate governance within an organisation

[Diagram with nodes: Internal Audit, Audit Committee, External Auditor, Board of Directors, Shareholders, Stakeholders, Regulators.]

(Note: solid lines represent formal communication relationships. The dotted
line represents informal communication relationships.)


• Decisions require relevant and representationally faithful information.

• Accountability is the responsibility of management to provide that information.

• Monitoring involves using surveillance systems and managing feedback.

The auditor’s primary role is to provide assurance by forming an independent
opinion as to whether the financial information given to shareholders is relevant and
representationally faithful.

The relationship between the board and the auditor is an important one. To meet
its obligations to shareholders, the board must ensure that it receives relevant and
representationally faithful information. Auditors, though appointed to serve the needs of users
of financial statements, indirectly assist the board in achieving this goal. There must be open
and frank dialogue between the auditors and the board with independence of the auditor
always maintained. The auditors must maintain a similar relationship with the board audit
committee.

Key Learning Point


The key learning point is therefore that, while auditors do not have a direct corporate
governance responsibility, the independent nature of the role an external auditor plays
brings confidence in a company when an unmodified auditor’s opinion is issued.

2.7 SARBANES–OXLEY ACT EFFECT ON HONG KONG COMPANIES AND THEIR AUDITORS

The Sarbanes–Oxley Act of 2002 (or ‘SOX’ as it is referred to) is a United States federal law
that set expanded requirements for all US public company boards, management, and public
accounting firms. The Act, which contains 11 sections, was enacted following several major
corporate and accounting scandals, including Enron and WorldCom. Sections of the Act cover
the responsibilities of a public corporation’s board of directors.

SOX increased the oversight role of boards of directors and the independence of the
outside auditors who review the accuracy of corporate financial statements.

It created a new, quasi-public agency, the Public Company Accounting Oversight Board
(PCAOB), charged with overseeing, regulating, inspecting, and disciplining accounting firms
in their roles as auditors of public companies. The act also covers issues such as auditor
independence, corporate governance, internal control assessment, and enhanced financial
disclosure.

For Hong Kong, SOX applies to any company that is also listed on a United States (US)
exchange and has more than 500 US-based shareholders. Companies not listed in Hong
Kong that are subsidiaries of US listed companies may also need to be compliant with the
requirements of SOX when they are material to the overall group or when the rotational
testing rules are applied to subsidiaries that are not material. For any company in Hong Kong
listed on a US exchange, the board must build into its governance framework the compliance
requirements of SOX.

The most important Sarbanes–Oxley sections for compliance are listed below. Note
that certification and specific public actions are required by companies to remain in SOX
compliance.

(1) SOX Section 302: Corporate Responsibility for Financial Reports. The Section 302
declaration in the Financial Report must state that the:

(a) CEO and CFO have reviewed all financial reports.

(b) Financial report does not contain any misrepresentations.

(c) Information in the financial report is ‘fairly presented’.

(d) CEO and CFO are responsible for the internal accounting controls.

(e) CEO and CFO must report any deficiencies in the internal accounting controls or any
fraud involving the management of the audit committee.

(f) CEO and CFO must pay attention to any material changes in internal
accounting controls.

(2) SOX Section 401: Disclosures in Periodic Reports. All financial statements and their
requirements are to be accurate and presented in a manner that does not contain
incorrect statements or omission of material information. Such financial statements
should also include all material off-balance sheet liabilities, obligations, and
transactions.

(3) SOX Section 404: Management Assessment of Internal Controls. All annual financial
reports must include an Internal Control Report stating that management is responsible
for an ‘adequate’ internal control structure and an assessment by management of the
effectiveness of the control structure. Any shortcomings in these controls must also
be reported. In addition, registered external auditors must attest to the accuracy of
the company management’s assertion that internal accounting controls are in place,
operational, and effective.

(4) SOX Section 409: Real Time Issuer Disclosures. Companies are required to disclose
on an almost real-time basis information concerning material changes in its financial
condition or operations.

(5) SOX Section 806: Protection for Employees of Publicly Traded Companies Who Provide
Evidence of Fraud. This section deals with whistle-blower protection.

(6) SOX Section 902: Attempts and Conspiracies to Commit Fraud Offenses. It is a crime
for any person to corruptly alter, destroy, mutilate, or conceal any document with the
intent to impair the object’s integrity or availability for use in an official proceeding.

(7) SOX Section 906: Corporate Responsibility for Financial Reports. Section 906 addresses
criminal penalties for certifying a misleading or fraudulent financial report. Under SOX
906, penalties can be upwards of US$5 million in fines and 20 years in prison.

To conduct an audit of a company required to report under SOX, the auditor must be
registered with the PCAOB and be adequately educated in the requirements of US Accounting
and Auditing standards. This is not easy to achieve if an auditor is not part of a global
accounting network. The PCAOB has very complex criteria for registration.

An auditor of a SOX report must in effect conduct two audits: one for the purpose of
issuing the Section 404 attestation on management’s Section 302 declaration on the control
environment, and one for the auditor’s opinion on the financial statements as a whole. In reality,
the firm conducts what is generally referred to as an integrated audit to effect both conclusions.

For a company in Hong Kong that must report under SOX there is a significant amount
of work for both management and those charged with governance to enable a Section 302
declaration and for the auditor who must take the integrated approach noted above.

2.8 CORPORATE GOVERNANCE ARRANGEMENT’S ANALYSIS AND IMPROVEMENT RECOMMENDATIONS

As has been demonstrated throughout this chapter, the HKEx has long seen the need for the
corporate governance principles for Hong Kong and has had a programme for constant review
and improvement. To this end on 27 July 2018, the HKEx published its latest conclusions on its
review of the Corporate Governance Code and Related Listing Rules.

In addition to the changes noted in Section 2.5 of this chapter, the following listing rule
amendments are required to be followed from 1 January 2019.

(1) Issuers are to have a policy on diversity of board members and to disclose the policy or
a summary of the policy in their corporate governance reports.

(2) Extended cooling-off periods:

(a) For a director, partner, or principal or employee of a former professional advisor,
the period between being with that advisor and appointment as an independent
director (INED) has been extended from one to two years.

(b) For a former partner of an issuer’s existing audit firm, that intervening period has
also been extended from one year to two years before becoming a member of the
issuer’s audit committee.

° For persons with previous material interests in the issuer’s principal business
activities, an intervening period of one year has been introduced before being
eligible to become an INED.

(3) New disclosure requirements as to reasons why proposed directors are considered
independent, including when they hold cross-directorships and have significant
links with other directors through involvements in other companies or bodies
(new recommended best practice).

It should be noted that changes in Listing Rules amendments have been made both
to the Main Board Listing Rules and to the GEM Listing Rules.


For companies looking to improve their corporate governance outside the recommendations
above the following factors should be considered:

• Reviewing the corporate governance reports of other companies listed on the relevant
board in Hong Kong;

• Learning from the directors on the company’s board what other boards they are sitting
on are doing in this space (this would need to be on a no names confidential basis);

• Keeping abreast of the changes to laws and regulations;

• Ensuring the organisational culture is aligned with the strategy of the company and the
governance framework established by the board;

• Take a balanced scorecard approach when setting KPIs for how well the company
complies with the requirements of the HKEx, which is well beyond simply assessing
director performance;

• Seek external advice and review to ensure best practice; and

• At least annually, conduct a formal review of the corporate governance framework and
feed back into it any improvements that can be made.

Apply and Analyse 2


Assume that the changes were made in line with the analysis in Apply and Analyse 1 in
Section 2.5. The board now needs to consider what further changes it may need to make
given the recent changes to demonstrate its compliance with the Corporate Governance
Code and Related Listing Rules.

Analysis

The board needs to make sure of the following:

• To have a policy and actively demonstrate diversity of board members. Make policy
disclosures in the corporate governance statement.

• Ensure all directors with previous contact with the company in a professional
capacity observe the appropriate cooling-off periods before being
designated as INEDs.

• Disclose reasons why proposed directors are considered independent, including
when they hold cross-directorships and have significant links with other directors
through involvements in other companies or bodies.


SUMMARY

Effective corporate governance has to be seen as a pre-requisite for entities to be viable.
Corporate failures have demonstrated the consequences of not having such governance. The
key aspects of a strong corporate governance framework are:

• The behavioural traits that need to be present in the culture of an entity.

• Following the requirements of the Companies Ordinance (Cap.622), the Listing requirements of
the HKEx and the Corporate Governance Code.

• Understanding the importance of the role of the board of directors and their sub-committees
and the degree of interactions with management in the delivery of the corporate governance
requirements.

• Ensuring a strong internal control framework.

• Understanding the requirements when doing business in jurisdictions outside Hong Kong.


MIND MAP

Central topic: CORPORATE GOVERNANCE

ROLES IN CORPORATE GOVERNANCE
• Serving Stakeholders
• Having an Effective Audit Committee
• Working Closely with the Auditor
• Managing Strategically

BACKGROUND OF CORPORATE GOVERNANCE
• Importance to Capital Markets and Preventing Corporate Failure
• Fairness
• Openness and Transparency
• Independence
• Probity and Honesty
• Responsibility
• Accountability
• Reputation
• Judgement
• Integrity

PROVISIONS OF INTERNATIONAL CODES OF CORPORATE GOVERNANCE
• The Organization for Economic Cooperation and Development (’OECD’)
• Limitation of International Codes

CORPORATE GOVERNANCE DEVELOPMENTS IN HONG KONG AND THE STRUCTURE OF THE CODE ON CORPORATE GOVERNANCE PRACTICES AND CORPORATE GOVERNANCE REPORT IN HONG KONG
• Structure of the Corporate Governance Code
• Corporate Governance Report

DIRECTORS’ RESPONSIBILITIES AS DEFINED BY COMPANIES ORDINANCE AND HONG KONG STOCK EXCHANGE LISTING RULES
• Management Responsibilities within Corporate Governance
• Board Committees’ Structure and Roles and Drawbacks and Limitations: Nomination Committee, Audit Committee, Remuneration Committee
• Internal Control (ISO)

AUDITORS' RESPONSIBILITIES IN REGARD TO CORPORATE GOVERNANCE
• Decision making
• Accountability
• Monitoring

SARBANES–OXLEY ACT EFFECT ON HONG KONG COMPANIES AND THEIR AUDITORS
• Section 302 – Corporate Responsibility for Financial Reports
• Section 401 – Disclosures in Periodic Reports
• Section 404 – Management Assessment of Internal Controls
• Section 409 – Real Time Issuer Disclosures
• Section 806 – Protection for Employees of Publicly Traded Companies Who Provide Evidence of Fraud
• Section 902 – Attempts and Conspiracies to Commit Fraud Offenses
• Section 906 – Corporate Responsibility for Financial Reports

CORPORATE GOVERNANCE ARRANGEMENT’S ANALYSIS AND IMPROVEMENT RECOMMENDATIONS
• Disclosures in corporate governance reports
• Extended cooling-off periods
• New disclosure requirements for independence of directors

Answers to Knowledge Check Questions

Question 1
Answer A is incorrect. The audit committee is a conduit to the full board.
Answer B is correct. The full board and not just the audit committee members have full
responsibility for the accuracy of the financial statements.
Answer C is incorrect. The audit committee plays a key role in directing the efforts of the
internal audit.
Answer D is incorrect. The audit committee should correspond with the external auditors.


Question 2
Reputation or brand is one of an entity’s most valuable assets – according to a 2012 study
by the World Economic Forum, on average approximately 25% of an entity’s market value
is directly attributable to its reputation. Holding on to a good reputation or brand is critical
to the value of a company, and thus significant focus should be placed on protecting and
enhancing it. Where companies have been seen to have done the wrong things economic
losses can be significant.
The board has a major role to play in helping advise management and the entity of the
potential reputational risks associated with the strategic directions of the company set by
the board. Non-executive directors (‘NEDs’) can be very beneficial in this process as they
can bring their external perspectives and experiences to assist in this process. Often the
board will require management to undertake sensitivity analysis or scenario development
to determine possible impacts that strategy may have on the reputation of the company.
The board should play an active role in this assessment by providing perspective and
feedback that could ultimately lead to changes to the strategy and the associated identified
risks and opportunities.
Entities often look internally to strengthen their ability to detect and mitigate
reputational problems. An effective whistle-blower programme, for example, can help
bring to light problems within the entity that may be compromising its reputation. Entities
must, however, be aware of what is being said about them by parties outside the entity
as well. This can often be achieved through engaging in dialogue with brokers or doing
surveys of broad stakeholders.

Question 3
The following five supporting principles are the ones that should register with external
auditors the most and why:

• Related party transactions should be approved and conducted in a manner that
ensures proper management of conflicts of interest and protects the interest of the
company and its shareholders. There should be adequate disclosures and minority
shareholders should be protected. If complete and effective this may assist external
auditors with their obligations under HKSA 550, Related Parties.

• Open disclosure of financial and operating results of the company, including:

° Remuneration of members of the board and key executives.

° Foreseeable risk factors.

° Issues regarding employees and other stakeholders.

° Governance structures and policies including content of any corporate
governance code or policy and the process by which it is implemented.

This could assist external auditors in determining the completeness and
accuracy of financial information to be presented in the entity’s financial
statements.

• Preparation of financial statements should be in line with reputable accounting
standards. If effective, this could make the completion of an audit more
straightforward for the external auditor.


• An annual audit should be conducted by an independent, competent, and qualified
auditor in accordance with high-quality auditing standards in order to provide an
external and objective assurance to the board and shareholders that the financial
statements fairly represent the financial position and performance of the company
in all material respects.
• External auditors should be accountable to the shareholders and owe a duty of care
to the company.

Question 4
The critical thing for the Board to think about is communication with both shareholders
and other stakeholders. The following should specifically be addressed in the governance
framework:
• The rights and obligations of shareholders;
• Any limitations on the levels of shareholding;
• Shareholder communication policy;
• Structure of the conduct of the general meetings;
• Shareholder guide; and
• Stakeholder communication policy.

Question 5
1. A narrative statement explaining how the issuer has applied the principles in the
Code, enabling its shareholders to evaluate how the principles have been applied;

2. A statement as to whether the issuer meets the code provisions. If an issuer has
adopted its own code that exceeds the code provisions, it may draw attention to
this fact in its annual report; and

3. For any deviation from the code provisions, details of the deviation during the
financial year (including considered reasons).

Question 6
Answer A is incorrect. It is a recommended disclosure.
Answer B is incorrect. It is a recommended disclosure.
Answer C is correct. It is a required disclosure.
Answer D is incorrect. It is a recommended disclosure.

Question 7
Section 465 of the Companies Ordinance (Cap.622) defines a duty to exercise reasonable
care, skill, and diligence as:

(1) A director of a company must exercise reasonable care, skill, and diligence.

(2) Reasonable care, skill, and diligence means the care, skill, and diligence that would
be exercised by a reasonably diligent person with:

(a) The general knowledge, skill, and experience that may reasonably be expected
of a person carrying out the functions carried out by the director in relation to
the company; and

(b) The general knowledge, skill, and experience that the director has.


(3) The duty specified in subsection (1) is owed by a director of a company to the company.

(4) The duty specified in subsection (1) has effect in place of the common law rules
and equitable principles as regards the duty to exercise reasonable care, skill, and
diligence, owed by a director of a company to the company.

(5) This section applies to a shadow director as it applies to a director.

(6) For the purposes of subsection (5), a body corporate is not to be regarded as a
shadow director of any of its subsidiaries by reason only that the directors, or
a majority of the directors, of the subsidiary are accustomed to act in accordance
with its direction or instructions.

Question 8
Section 536 of the Companies Ordinance (Cap.622) states that the following must be
declared in terms of directors’ material interests:
(1) If a director of a company is in any way, directly or indirectly, interested in a
transaction, arrangement, or contract, or a proposed transaction, arrangement, or
contract, with the company that is significant in relation to the company’s business,
and the director’s interest is material, the director must declare the nature and
extent of the director’s interest to the other directors in accordance with Sections
537, 538, and 539.

(2) If an entity connected with a director of a public company is in any way, directly
or indirectly, interested in a transaction, arrangement, or contract, or a proposed
transaction, arrangement, or contract, with the company that is significant in
relation to the company’s business, and the connected entity’s interest is material,
the director must declare the nature and extent of the connected entity’s interest
to the other directors in accordance with Sections 537, 538, and 539.

(3) If a declaration made under subsection (1) or (2) proves to be, or becomes,
inaccurate or incomplete, the director must make a further declaration in
accordance with Sections 537, 538, and 539.

(4) This section does not require a director to declare an interest:

(a) If the director is not aware of the interest or the transaction, arrangement, or
contract in question; or

(b) If, or to the extent that, the interest concerns the terms of the director’s service
contract that have been or are to be considered by:

(i) A meeting of the directors; or

(ii) A committee of the directors appointed for the purpose under the company’s
articles.

(5) For the purposes of subsection (4)(a), a director is to be regarded as being aware of
matters of which the director ought reasonably to be aware.

(6) This section does not affect the operation of any other Ordinance or rule of law
restricting a director of a company from having any interest in a transaction,
arrangement, or contract with the company.

Question 9
Answer A is incorrect. Executive directors are not independent, and nor are NEDs; only
INEDs have to be independent.
Answer B is incorrect. Only executive directors should be involved in the everyday
responsibilities of management.
Answer C is incorrect. Industry expertise is not required of all directors; different directors
bring different skills to the board.
Answer D is correct. All directors should keep abreast of the latest developments with laws
and regulations that affect the entity.

Question 10
The two key roles of the nomination committee are to:
• Develop a list of desirable skills in a very strategic way to determine what to look
for in director candidates. There is an increasing trend to complete a skills matrix
internally or outsource the process.
• The nomination committee not only assesses potential board candidates but also
should assess the performance of the existing board members, including the
chairman. Many directors historically have not been assessed and remain on boards
for lengthy periods of time. The nomination committee or nominated external party
should annually review whether directors have met their obligations successfully or
take appropriate action. The nomination committee should be mindful of the need
to refresh the board regularly enough to avoid entrenchment and bias and to attract
new and fresh thinking in line with where the entity is moving strategically. The
committee should also consider and have a policy in place for succession planning to
ensure the long-term success of the entity.

EXAM PRACTICE

QUESTION 1
Describe why accountability is such an important pillar of Corporate Governance.

QUESTION 2
Maxwell Park LLP is a listed entity on the New York Stock Exchange, as well as the Hong
Kong Main Board. Management is about to present their reports for the financial period to
the board. At the same time, the board has decided to purchase a considerable number of
hotel properties in New York, Chicago, Boston, and Los Angeles, which will have a significant
impact on the company.

1. Under SOX, describe the responsibility of management.

2. Describe the corporate responsibilities for the financial reports of the CEO and CFO.

3. Identify the responsibilities under SOX the board has for their decision to purchase the
hotel properties.

QUESTION 3
Explain why having an effective audit committee is important to a good corporate
governance framework.

QUESTION 4
List the areas to which a board could delegate some of the more specialised discussions.

QUESTION 5
(Adapted from Module C December 2016 Paper)

The Code on Corporate Governance Practices (the ‘HK Code’) published by the Hong Kong
Stock Exchange contains a combination of broad principles, specific code provisions, and
recommended best practices. Company A is a garment manufacturing company and
plans for an initial public offering (‘IPO’) in the coming year. Company A is primarily owned
by Mr. Lee and Mr. Chung, who are the Chairman and Chief Executive Director (‘CEO’) of
Company A, respectively. You are the auditor of Company A. During the audit planning
meeting, Mr. Lee and Mr. Chung seek your advice as to how Company A should comply with
the HK Code to prepare Company A to be listed on the Hong Kong Stock Exchange.

Company A’s board of directors consists of seven members including Mr. Lee, Mr. Chung,
and one independent non-executive director who meet on a regular basis to discuss key
business matters. Company A’s board of directors consists of members who have extensive
experience in the textiles industry and strong finance backgrounds.

Company A has an internal audit team but has yet to set up any audit committee or any
other committees to support the board. The head of the internal audit team reports directly
to Mr. Lee.

Company A’s company secretary is a third-party service provider who provides Mr. Lee
and Mr. Chung with the latest corporate governance information on a regular basis.

The prior year audit evidenced that Company A has set a good practice at the top and
introduced a clear business code of conduct to all of its employees. The tests of controls also
indicated that Company A’s key controls over financial reporting were effective.

Required:

(a) Explain the current approach required by the Hong Kong Stock Exchange for a listed
company in Hong Kong when applying the HK Code.

(b) Identify which elements of the current corporate governance structure indicate that
Company A is in compliance with the HK Code.

(c) Recommend how Company A can improve its corporate governance in preparation
for the IPO.

ANSWERS TO EXAM PRACTICE

QUESTION 1
Without it, the agency problem would be hard to defeat. With it, the confidence of
stakeholders is increased. It is achieved through faithfulness in various aspects of corporate
governance, especially reporting.

Financial accounting imposes obligations to show how money has been used within an
organisation. However, there are wider meanings for accountability in financial accounting.

There is a sense of responsibility that goes with the feeling of obligation. The essence
of accountability is the moral relationship between those who delegate authority and those
who receive it.

Accountability takes different forms depending on the quality of the relationship and the
degree of trust between the parties to that relationship. There are three key components to
an accountability relationship:

• Delegation. This occurs when the management of a task or a decision is handed over
to another with the expectation that it is completed. This can involve a lesser or greater
degree of discretion.

• Responsibility. This is the view from the other side of the relationship. This involves the
sense of obligation to ensure that a task that has been delegated is implemented, and
to the standards expected.

• Legitimacy. This involves a recognition on the part of those being held to account of the
‘right’ of those demanding such an ‘account’ to make that demand, and it is the heart of
the accountability relationship.

Accountability should have both an internal and external focus and to be truly effective must
be recognised and accepted by all within an entity.

QUESTION 2
1. Section 404 of SOX requires management’s assessment of internal controls. All annual
financial reports must include an Internal Control Report stating that management
is responsible for an ‘adequate’ internal control structure and an assessment by
management of the effectiveness of the control structure. Any shortcomings in these
controls must also be reported.

2. SOX Section 302, Corporate Responsibility for Financial Reports, is to be asserted by the
CEO and CFO as follows:

(a) CEO and CFO must review all financial reports.

(b) Financial report does not contain any misrepresentations.

(c) Information in the financial report is ‘fairly presented’.

(d) CEO and CFO are responsible for the internal accounting controls.

(e) CEO and CFO must report any deficiencies in internal accounting controls or any
fraud involving the management of the audit committee.

(f) CEO and CFO must indicate any material changes in internal accounting controls.

3. Section 409 of SOX requires companies to disclose, on an almost real-time basis, information
concerning material changes in their financial conditions or operations. Such a disclosure
would be required for the purchase of the hotels, given its material nature.

QUESTION 3
The audit committee plays a major role in corporate governance regarding a company’s
financial direction, control, and accountability. As a representative of the full board of
directors and main part of the corporate governance mechanism, the audit committee is
involved in a company’s strategy in relation to its internal audit function and is responsible
for the appointment of the company’s external auditors. The audit committee receives reports
from management on internal control, accounting and financial reporting, regulatory
compliance, and risk management.

The audit committee monitors the integrity of a listed company’s financial statements
(annual and interim) and of the accounting records supporting those forms of reporting to
users, but the full board has overall responsibility for the financial statements.

The audit committee needs to have the full cooperation of management and to be provided
with sufficient information and reasonable resources to carry out its role and function in
accordance with its terms of reference. An effective audit committee will take an active interest
in, and take a proactive approach towards, understanding the affairs of the entity and will take
the appropriate actions when there are indicators of unplanned issues and risks.

QUESTION 4
There has been a strong recognition over the years of the need for more specialised
meetings of the board, so board sub-committees were established. The most common
committees where this is facilitated are:

• Audit committee

• Corporate social responsibility committee


• Executive committee

• Investment advisory committee

• Nomination and governance committee

• Risk committee.

QUESTION 5
(a) Listed companies in Hong Kong are required to adopt the ‘comply or explain’ approach
to the HK Code. They are required to confirm their compliance with the HK Code or,
where they do not comply, to provide explanations for any variation in practice.

(b) The following indicates that Company A is in compliance with the HK Code: Company A
has a balanced board of directors, which is evidenced by the following:

• Company A’s board of directors consists of different members who have relevant
expertise and experience in the garment manufacturing/textiles industry. The board
also consists of members who have expertise in finance.

• Company A’s board of directors also meets regularly to discuss key business matters.

• Company A’s Chairman and CEO are different persons. Mr. Lee and Mr. Chung
are the Chairman and CEO of Company A, respectively, so they can balance the
power of each other in the board.

Company A maintains a sound system of internal control to safeguard shareholders’
investments and the company’s assets, which is evidenced by the following:

° Company A has an internal audit team, with good practice at the top and a clear
business code of conduct to employees.

° The prior year audit also indicated that Company A’s key controls over financial
reporting were effective.

(c) The recommendations should include:

• At least one-third of an issuer’s board should be independent non-executive directors.

• Company A has only one independent non-executive director on its seven-member board of
directors. Company A should consider increasing the number of independent non-executive
directors in the composition of the board.

• Company A should set up an audit committee, nomination committee, and a
remuneration committee that consist of independent non-executive directors.

• Company A’s internal audit team should report to the audit committee but not
report to Mr. Lee directly.

• Company A should hire an in-house company secretary who has day-to-day
knowledge of Company A’s affairs but not out-source the company secretary’s role
to a third-party service provider. The company secretary should provide advice
to the board on board procedures and ensure the board follows applicable law,
rules, and regulations. The company secretary should not just report to Mr. Lee and
Mr. Chung.

• Issuers are to have a policy on the diversity of board members and to disclose the
policy or a summary of the policy in their corporate governance reports.

For companies looking to improve their corporate governance outside the
recommendations above, the following factors should be considered:

• Reviewing the corporate governance reports of other companies listed on the
relevant board in Hong Kong;

• Learning from the directors on the company’s board what other boards they
are sitting on are doing in this space (this would need to be on a no names
confidential basis);

• Keeping abreast of the changes to laws and regulations;

• Ensuring the organisational culture is aligned with the strategy of the company and
the governance framework established by the board;

• Take a balanced scorecard approach when setting KPIs for how well the company
complies with the requirements of the HKEx; this is well beyond simply assessing
director performance;

• Seek external advice and review to ensure best practice; and

• At least annually conduct a formal review of the corporate governance framework
and feed back into it any improvements that can be made.

Part C
Assurance Engagements

Chapter 3 Client and Engagement Acceptance Procedures
Chapter 4 Quality Management Considerations
Chapter 5 Planning and Risk Assessment
Chapter 6 Audit Procedures and Audit Evidence
Chapter 7 The Audit Programme
Chapter 8 Using the Work of Others
Chapter 9 Major Actions During the Audit Completion
Chapter 10 Auditor’s Reporting
Chapter 11 Group Audits
Chapter 12 Other Assurance Engagement Requirements
Chapter 13 Computerised Business Systems and Controls

3 Client and Engagement Acceptance Procedures

CHAPTER TOPIC LIST

3.1 Client and Engagement Acceptance Procedures
3.1.1 Auditor Appointment Requirements
3.1.2 Auditor Appointment Guidance and Guidelines
3.2 Change of Auditor
3.2.1 Auditor Resignation
3.2.2 Communication with the Audit Committee and the Board of Directors (Outgoing Auditor)
3.2.3 The Incoming Auditor’s Requirements
3.2.4 Change of Auditor of a Listed Issuer of the Stock Exchange of Hong Kong
3.2.5 The Announcement to be Made by the Listed Issuer on the Change of Auditor
3.3 Procedures for Accepting a New Engagement Overview
3.3.1 Standards Affecting Auditor Appointments
3.3.2 Key Procedures Performed Prior to Accepting an Engagement
3.3.3 Terms of the Engagement Considerations
3.3.4 Opening Balances – Initial Engagement

LEARNING OUTCOMES

PRINCIPAL LO1: PERFORM ASSURANCE ENGAGEMENTS


LO1.02: Prepare, plan and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Management,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on:
Client and engagement acceptance procedures
1.02.01 Explain the reasons why entities change their auditors/professional accountants
1.02.02 Explain the requirements relating to the appointment of an auditor under the
Companies Ordinance
1.02.03 Explain the procedure for a change of an auditor
1.02.04 Explain the rights of the auditor in the process of a change of an auditor
1.02.05 Explain the professional clearance procedures
1.02.06 Analyse the matters to be considered and the procedures that an audit firm/professional
accountant should carry out before accepting a specified new client/engagement including:
• Client acceptance
• Engagement acceptance
• Agreement of the terms of engagement
• Transfer of books, papers and information
• Engagement risk (including: Management characteristics and integrity, Organisation and
management structure, Nature of the business, Business environment (including cyber
security), Financial results, Business relationships and related parties and Prior knowledge
and experience)
1.02.07 Identify different acceptance/continuance issues, e.g. self-review or familiarity threat, during
acceptance procedures and illustrate safeguards to address those threats

OPENING CASE

BRIEFING TO AUDIT COMMITTEE OF
YAY MANUFACTURING COMPANY LIMITED,
AN ESTABLISHED LISTED HONG KONG COMPANY,
ON APPOINTING AN AUDITOR

As lead audit partner of Jin & Co, you have been requested to advise the Audit Committee
of Yay Manufacturing Company Limited (‘Yay’), an established company listed on the
Stock Exchange of Hong Kong (SEHK), on the steps necessary to appoint you as their external
auditor under the Companies Ordinance (Cap.622) and any other applicable requirements
under the Hong Kong Institute of Certified Public Accountants (HKICPA). You understand that
Jiang & Co have been the existing auditors of Yay for the past five years. Jiang & Co’s audit
opinion on the most recent Yay, 31 December 20X6, financial statements was unqualified.
Yay’s Audit Committee have explained to you that they want to change auditor to ensure
auditor independence, given that Yay have been the incumbent for five years. The first financial
statements subject to a new auditor will be the financial year ended 31 December 20X7.

Yay are principally engaged in the manufacture of battery components used in the
manufacture of consumer mobile devices, with the majority of its manufacturing facilities
located in mainland China. Due to a continued worldwide economic boom in mobile device
sales, demand for Yay’s components has increased significantly in the last two years, resulting
in Yay doubling the capacity of their facilities, with a consequential uplift in their revenue
of more than 40%. Most of Yay’s customers are located in mainland China and other Asian
countries.

While members of the Audit Committee are experienced non-executive directors, they have
little prior experience in working with external auditors, regulators, and financial markets. As
part of your advice to the Audit Committee you will need to explain the statutory requirements
of the Companies Ordinance in terms of both the new auditor appointment and the outgoing
auditor obligations, as well as the requirements of applicable auditing and ethical standards
of the HKICPA. They would also like to understand what initial audit procedures, if any, you
will need to perform to facilitate your understanding of the Yay business and its financial
statements, and to ensure a smooth, professional, transition from Jiang & Co to your firm,
Jin & Co.

OVERVIEW

This chapter focuses on the client acceptance and engagement procedures required for audits,
being reasonable assurance engagements.

The auditor’s engagement acceptance procedures depend on whether:

(a) The engagement is to continue as the auditor of an established company;

(b) The engagement is an initial engagement for a newly established company; or

(c) The engagement is a prospective new engagement of an established company seeking
to change auditor.

In all scenarios, the requirements for appointing and removing an auditor are mandated
by the relevant legislation, being the Companies Ordinance (Cap.622) (Companies Ordinance),
specifically Part 9 ‘Accounts and Audit’, and the Professional Accountants Ordinance (Cap.50),
which mandates compliance with HKICPA accounting, auditing and assurance, and ethical standards.
In terms of the hierarchy of legislation, the requirements of the Companies Ordinance take
precedence over any conflicting requirements contained in the HKICPA’s standards.

Additionally, for entities listed on the SEHK, the Securities and Futures Ordinance requires
that entities and their auditor comply with specific Listing Rules in respect of the appointment
and resignation of an auditor. These entities are referred to as ‘listed issuers’ in this chapter.

3.1 CLIENT AND ENGAGEMENT ACCEPTANCE PROCEDURES

3.1.1 Auditor Appointment Requirements


3.1.1.1 Who Can Be Appointed as an Auditor?
The Companies Ordinance specifies the legal requirements for who can be appointed an auditor
of a company. All section references are to the Companies Ordinance unless otherwise specified.
As auditor of the company, the auditor is responsible for reporting on the company’s financial
statements.

As covered in Chapter 1, an auditor can be a natural person or a firm. Only a ‘practice unit’
is eligible for appointment (being a firm of certified public accountants, an individual certified
public accountant practising accounting, or a corporate practice). In all cases, the auditor must
be a certified practising accountant (CPA) and a member of the HKICPA. There are certain
persons disqualified from being an auditor:

(a) A person who is an officer or employee of the company.

(b) A person who is a partner or employee of a person mentioned in paragraph (a).

(c) A person who:

(i) Is, by virtue of paragraph (a) or (b), disqualified for appointment as auditor of any
other undertaking that is a subsidiary undertaking, or a parent undertaking, of the
company, or is a subsidiary undertaking of that parent undertaking; or

(ii) Would be so disqualified if the undertaking were a company. (Cap.622 s.393)

An auditor must be appointed by a company for each financial year. (Cap.622 s.394)

If the company appoints a firm as auditor, the firm’s appointment is regarded as an
appointment of persons within that firm who are the partners in the firm from time to time
during the currency of the appointment and eligible for, and not disqualified from, appointment
as auditor of the company under Section 393 of the Companies Ordinance. (Cap.622 s.399)

3.1.1.2 Who Can Appoint the Auditor?


The company has an ‘indisputable’ right to choose its auditor and to also change them if they
so choose.

The Companies Ordinance (Chapter 622, Part 9, Division 5, Subdivision 2) sets out the
formal appointment requirements of an auditor and specifies who can appoint the auditor in
different circumstances. These circumstances are if it is an initial appointment of an auditor
for a newly established company or an ongoing appointment of an existing auditor for an
established company.

Regardless of who appoints the auditor, the auditor is ordinarily appointed to hold office
until the conclusion of the next general meeting at which financial statements are submitted.
An auditor is entitled to attend the annual general meeting to answer questions about the
conduct of the audit, the preparation and content of their auditor’s report, the accounting
policies, and auditor independence.

Provided the relevant statutory procedure within the Companies Ordinance is followed, the
members of the company are entitled in the general meeting to appoint an auditor other than
the existing auditor.

Auditor Appointed by the Directors of the Company


Directors can appoint the initial (first) auditor of a newly incorporated company or fill a
casual vacancy.

The directors may appoint the first auditor:

(a) If the company is required to hold an annual general meeting in respect of its first
financial year, the directors may appoint the auditor of the company for that first
financial year at any time before the annual general meeting (Cap.622 s.610); or

(b) If the company is not required to hold an annual general meeting (in accordance with
Section 610 of the Companies Ordinance) in respect of its first financial year, the
directors may appoint the auditor of the company for that first financial year at any
time before the appointment period in relation to the next financial year (Cap.622 s.395).

The directors may appoint a person to fill a casual vacancy in the office of auditor of the
company. If the directors have not done so within one month after the casual vacancy occurs,
the members may, by a resolution passed at a general meeting, appoint a person to fill the
casual vacancy. (Cap.622 s.397)

Auditor Appointed by the Company’s Members


A company must appoint the auditor of the company for a financial year by a resolution passed
at the annual general meeting held in respect of the previous financial year, unless an annual
general meeting is not required to be held under Section 612 of the Companies Ordinance.
(Cap.622 s.396)

A company must appoint the auditor of the company for a financial year, by a resolution
passed at a general meeting, if no annual general meeting is required and no person is deemed
to be reappointed as auditor of the company for the financial year. If, at the annual general
meeting held in respect of the previous financial year, a company has not appointed the
auditor of the company for a financial year, the company must make the appointment by a
resolution passed at another general meeting. (Cap.622 s.396)

Auditor Appointed by the Court

The Court may, on application by a member of a company, appoint the auditor of the company
for a financial year in two circumstances. These circumstances are:

(a) In the case of a company required to hold an annual general meeting in respect of
the previous financial year at the annual general meeting, when no person has been
appointed as auditor of the company for the financial year or no annual general
meeting has been held; or

(b) In the case of a company not required to hold an annual general meeting at the end of
the appointment period in relation to the financial year, when no person has been
appointed as auditor of the company for the financial year and no person is deemed to
be reappointed as auditor of the company for the financial year. (Cap.622 s.398)

Key Learning Point


The auditor can be appointed by different persons associated with the company,
depending on the circumstances of the company.

3.1.1.3 The Legislative Process of Appointing an Auditor


The Companies Ordinance specifies the formal reporting requirements for appointing
and removing a company auditor. This section has been dealt with earlier in Chapter 1
(Section 1.2.1: ‘Role of Regulators and Regulation (Including Statutory Audits)’). Briefly, these
requirements include:

1. The formal reporting process for changing an auditor, including the resolution notice
required (Cap.622 s.401).

2. The key reporting requirements of the incoming auditor’s appointment, including
the notice resolution, remuneration, and key statutory responsibilities in respect of the
financial statements (including their rights to access accounting records, access the
company’s information and persons to perform the audit, their right to attend the
annual general meeting, and their right to ‘qualified privilege’ in performing their
auditor duties) (Cap.622 ss.402–405, 410–413).

3. The process for reporting the resignation or termination of an existing auditor’s
appointment, including their rights (Cap.622 ss.416–420).

3.1.2 Auditor Appointment Guidance and Guidelines


Pre-engagement procedures performed prior to accepting the auditor appointment are
discussed in detail in Section 3.3.

The COE, Chapter A, Part 3, Section 320 (Professional Appointments) and Chapter C,
Section 200 (Changes in a Professional Appointment) deal with the requirements for the
appointment of professional accountants. Requirements include:

• Professional clearance procedures by the incoming auditor prior to accepting the
auditor nomination.

• Joint auditors.

• Filling a casual vacancy auditor appointment.

• Business acquired by a new company.

• Any unpaid fees of a previous auditor.

• Outgoing auditor’s transfer of audit books and papers and providing relevant
information to the incoming auditor.

• Reference to relevant statutory provisions of the Companies Ordinance.

3.1.2.1 Appointment as Joint Auditor


If an auditor is invited to accept a nomination as a joint auditor of the company with another
auditor, the same procedures should be followed as if they had been invited to accept a
nomination as the sole auditor. Such appointments give rise to ‘common law joint and several’
responsibility for the audit between the joint auditors.

The proposed withdrawal or displacement of a joint auditor creates a circumstance in
which the nature of the appointment is substantially changed, such that a ‘surviving’ joint
auditor should communicate formally with all fellow joint auditors as though they were being
asked to undertake a completely new appointment.

3.1.2.2 Filling a Casual Vacancy


If an auditor is invited to accept a nomination to fill a casual vacancy as auditor of the company,
the same procedures should be followed as if they had been invited to accept an ongoing
nomination, adapted to the individual engagement circumstances.

3.1.2.3 Appointment by a Company Acquired by a New Company


If an auditor is invited to accept a nomination of a new company formed to acquire an existing
business, and the ownership of the company is substantially the same as it was of the acquired
business, the same procedures should be followed as if they had been invited to accept an
ongoing nomination, adapted to the individual engagement circumstances.

3.1.2.4 Previous Auditor Unpaid Fees


If an auditor is invited to accept a nomination of a company that has not paid outstanding fees
to the previous auditor, this does not preclude, in itself, acceptance of the nomination. If the
nomination is accepted, the auditor could assist in achieving a satisfactory resolution of the
unpaid fees to the previous auditor.

3.1.2.5 Providing Information to the Incoming Auditor


The outgoing auditor has obligations to provide certain information to the incoming auditor
to assist in a smooth transition audit handover process. This information includes any books
and papers of the company held by the outgoing auditor and any other reasonable, requested
information connected to the audit.

In respect of the transfer of any company held books and papers, the outgoing auditor is
required to provide the incoming auditor with all books and papers in their possession that are
the property of the company (unless they are entitled to exercise a lien when their audit fees
are unpaid/outstanding). An auditor’s lien under common law would enable them to retain
possession of some of their client’s records/books until all their audit fees are paid. There
are specific conditions under which a lien will be able to be exercised. All conditions must be
satisfied. These conditions include: the client’s records/books retained by the auditor must be
owned by the company itself and obtained by the auditor by ‘proper means’ (i.e. during the
course of the audit and in connection with the audit), the auditor must have completed the
audit work and issued their fee invoice in connection with that work, and, lastly, the fee invoice
must relate to the client’s retained records/books.

Duty to provide other information – the outgoing auditor should promptly provide, free of
charge, any requested information to the incoming auditor in respect of the company, unless
there is an unusual amount of work involved (i.e. the information should be reasonable
carry-over information from the audit).

Allow access to audit working papers (part of the audit file) – these are owned by the
auditor who generated the papers within the final audit file as evidentiary support for their
issued auditor’s report. While there is no legal obligation for the outgoing auditor to provide
the incoming auditor with access to their working papers, they do have an ethical obligation
to promptly provide information related to the incoming auditor’s specific enquiries, which
would ordinarily include providing audit working papers on matters of continuing accounting
significance, and in determining consistent application of accounting principles. This assists
with ensuring continuity of the company affairs. (Note that the company does not have
a right to access the audit working papers given they are owned by the auditor and not
the company.)

3.1.2.6 Statutory Provisions


There are various statutory provisions in the Companies Ordinance covering auditor’s reporting
and communication rights when the auditor resigns, the job is terminated, or the auditor
ceases to act as auditor of the company.

An outgoing auditor is entitled, by the Companies Ordinance, to be able to communicate
with members of the company or its creditors over matters connected with ceasing to hold
office (whether by resigning, retiring, or being terminated) and which they consider should be
brought to their notice.

Auditor Resigns (Withdrawal)


If the auditor determines it is appropriate to resign, the auditor should discuss this decision
with the appropriate level of the company’s management and those charged with governance
and explain if the resignation is a withdrawal from the audit engagement or from both the
engagement and the client relationship. They should also explain the reasons for the
withdrawal. An auditor may resign by giving the company a notice in writing that is
accompanied by the required statement. The statement should either set out any
circumstances connected with the resignation that should be brought to the attention of the
company’s members or creditors, or state that there are no such circumstances. The
resignation shall be effective at the end of the day on which notice is given to the company
or else at a time specified for the resignation to be effective. The company must then deliver
the notification to the Company Registrar within 15 days beginning on the date on which the
company receives a notice of resignation; if not, the company would be penalised
(Cap.622 s.417).

The auditor’s term of office expires at the end of the day on which the notice is given to the
company or at a later date as specified in the notice (Cap.622 s.417(1)).

Refer to Section 3.2.1, Auditor Resignation, for considerations the auditor makes prior to
formally resigning before the term of appointment ends.

The resigning auditor may, by another notice given to the company with the notice of
resignation, require the directors to convene a general meeting of the company. The meeting
purpose is for members to receive and consider the auditor’s explanation of the circumstances
connected with the resignation that the auditor places before the meeting. The directors must
convene a general meeting for a date falling within 28 days after the date on which the notice
convening the meeting is given. Every director who failed to take all reasonable steps to secure
that a general meeting was convened as required is liable for a penalty.

(Note that, in circumstances where the auditor has withdrawn from the audit
engagement, under the COE Chapter C, ‘Responding to Non-Compliance with Laws and
Regulations’, Sections R360.21, 360.21 A1, and 360.21 A2, at the request of the incoming
auditor, the outgoing auditor is still required to provide all facts and other information
concerning the identified or suspected non-compliance with laws and regulations to
the incoming auditor. The company’s consent to such communications is not required,
unless required by law or regulation. Such information provided is to be held by
the incoming auditor in strict confidence. Where there has been failure or refusal
by the company to supply the existing auditor with information properly required
for the performance of duties, the existing auditor should so inform the proposed
new auditor.)

If a general meeting is convened under Section 421(2) of the Companies Ordinance, the
resigning auditor:

(a) May give the company a statement that sets out, in reasonable length, the
circumstances surrounding the resignation.

(b) May request the company to comply with the requirement:

(i) To state, in every notice of the meeting given to the members, that the statement
has been made; and

(ii) To send a copy of the statement to every member to whom a notice of the meeting
is or has been given; or

(iii) If the company has not sent a copy of the statement to every member to whom a
notice of the meeting is or has been given, to ensure that the statement is read out
at the meeting.

(c) Is entitled to be given every notice of, and every other item of, communication relating
to the general meeting, to attend the general meeting, and to be heard at the general
meeting on any part of the business of the meeting that concerns the last appointed
auditor (Cap.622 s.422(1)).

Further, the resigning auditor:

• May give the company a statement that sets out in reasonable length the circumstances
surrounding the resignation (i.e. cessation statement).

• May request the company to state in every notice of the meeting given to the members
that the cessation statement has been made and to send a copy of the cessation
statement to every member to whom a notice of the meeting is or has been given, if the
company receives the statement on a date that is more than two days before the last
day on which notice may be given to call the general meeting.

• May request the company to ensure that the cessation statement is read out at the
meeting, if the company has not sent a copy of the cessation statement to every
member to whom a notice of the meeting is or has been given.

• Is entitled to be given every notice of, and every other item of, communication, relating
to the general meeting, that a member of the company is entitled to be given.

• Is entitled to attend the general meeting and to be heard at the general meeting on
any part of the business of the meeting that concerns the person as auditor or former
auditor of the company.


In respect of the resigning auditor making those statements in the course of performing
duties as auditor of the company, Section 410 of the Companies Ordinance gives that auditor
‘qualified privilege’. This means, in the absence of malice, an auditor is not liable for defamation
in respect of any cessation statement or statement of circumstances connected with their
cessation of office.

An auditor who resigns from office must, on the resignation, give the company:

(a) If the auditor considers that there are circumstances connected with the resignation
that should be brought to the attention of the company’s members or creditors, a
statement of those circumstances; or

(b) If the auditor considers that there are no such circumstances, a statement to that
effect (Cap.622 s.424).

Auditor Ceases to Act


The auditor may cease to be the auditor of the company if they cease to be eligible, or become
disqualified, for appointment as auditor of the company. This means that the auditor
immediately ceases to be auditor of the company and notifies the company of the cessation in
writing within 14 days from the date of the cessation. A failure to comply results in a penalty to
the auditor (Cap.622 s.418).

Auditor Is Terminated
An auditor can be terminated/removed from the office of auditor by the company by an
ordinary resolution passed at a general meeting. This is despite any agreement between the
auditor and the company or anything in the company’s articles.

A special notice is required for an ordinary resolution and, on receipt of a special notice, the
company must send a copy of it to the auditor proposed to be removed. The company must
deliver a notice in the specified form of that fact to the Registrar for registration within 15 days
beginning on the date on which it is passed. If not so delivered, the company will be penalised.
The terminated auditor can still claim any compensation or damages in respect of the cessation
as auditor (Cap.622 s.419).

Additionally, when special notice is given by the company for a resolution for appointing an
incoming auditor, the outgoing auditor may:

(a) Give the company a statement that sets out, in reasonable length, the circumstances
surrounding the termination of the appointment as auditor (i.e. cessation statement).

(b) Request the company to state in every notice of the meeting given to the members
that the statement has been made and to send a copy of the statement to every
member to whom a notice of the meeting is or has been given, if the company receives
the statement on a date that is more than two days before the last day on which notice
may be given to call the general meeting.

(c) Request the company to ensure that the statement is read out at the meeting, if the
company has not sent a copy of the statement to every member to whom a notice of
the meeting is or has been given.


(d) Is entitled:

• To be given every notice of, and every other item of communication relating to, the
general meeting, that a member of the company is entitled to be given;

• To attend the general meeting; and

• To be heard at the general meeting on any part of the business of the meeting
that concerns the person as auditor or former auditor of the company
(Cap.622 s.422(2)).

When a proposed written resolution is given by the company for appointing an incoming
auditor in place of the outgoing auditor, the outgoing auditor:

(a) May give the company a statement that sets out, in reasonable length, the
circumstances surrounding the proposed termination of the appointment as auditor
(i.e. cessation statement); and

(b) May require the company to send a copy of the statement to every member at the
same time when the written resolution is circulated under Section 550 or 552 of the
Companies Ordinance (Cap.622 s.423).

In circumstances where the auditor is terminated (the terminated auditor) and is not
re-appointed immediately after termination for a term immediately following the expiry term,
the auditor must give a statement to the company:
(a) If the terminated auditor considers that there are circumstances connected with the
termination that should be brought to the attention of the company’s members or
creditors, a statement of those circumstances; or

(b) If the terminated auditor considers that there are no such circumstances, a statement
to that effect.

The terminated auditor must send a statement to the company so that it will be received by
the company at least 14 days before the end of the appointment period in relation to the next
financial year or, in any other case, within 14 days beginning on the date of termination. If the
terminated auditor fails to send the statement, the auditor will be penalised (Cap.622 s.425).

If the terminated auditor makes such a statement, the company must, within 14 days
beginning on the date on which it receives the statement, send a copy of the statement to every
member of the company or apply to the Court for an order directing that copies of the
statement are not to be sent when it receives the statement. A terminated auditor who claims
to be aggrieved may, within 14 days beginning on the date on which the company receives the
statement, apply to the Court for an order directing that copies of the statement are not to
be sent (Cap.622 s.426).

If the Court is satisfied that the terminated auditor has abused the use of the statement of
circumstances or is using the statement to secure needless publicity for a defamatory matter,
the Court must direct that copies of the statement are not to be sent and may order the
terminated auditor, though not a party to the application, to pay the applicant’s costs on the
application in whole or in part (Cap.622 s.427).


An overview of the statutory provisions in the Companies Ordinance is summarised in
Exhibit 3.1.

Has the auditor resigned, been terminated, or ceased to act?

Auditor resigned (withdrawal) (Section 417)

• Auditor resigns by issuing the company a notice of resignation in writing.

• Auditor can require company directors to convene a general meeting within 28 days
of their resignation notice.

• Auditor may prepare a Statement to be provided to company shareholders either prior
to or at the general meeting. Statement includes either circumstances regarding the
resignation that the auditor considers should be brought to the attention of members
or creditors or that there are no circumstances to report.

• Auditor can attend the general meeting and is able to answer any questions regarding
the audit.

Auditor was terminated by the company and will not be re-appointed (Section 419)

• Company advises auditor of intention to terminate their appointment as auditor at a
general meeting.

• Auditor may prepare a Statement to be provided to company shareholders either prior
to or at the general meeting. Statement includes either circumstances regarding the
termination that the auditor considers should be brought to the attention of members
or creditors or that there are no circumstances to report.

• Auditor can attend the general meeting and is able to answer any questions regarding
the audit.

• Company shareholders then pass ordinary resolution at a general meeting to terminate
the auditor’s appointment.

Auditor has ceased to act (Section 418)

• Auditor advises the company that they are no longer eligible to act or have become
disqualified.

• Auditor immediately ceases to be the auditor once they have notified the company.

EXHIBIT 3.1 Summary of statutory provisions

Key Learning Point


There are various Companies Ordinance provisions dealing with circumstances in which the
existing auditor resigns, is terminated by the company, or ceases to act.


Knowledge Check Questions

Question 1
Identify whether a company (i.e. its shareholders) is able to change an auditor at any point
during the existing auditor’s term of appointment.
A No, the company has to wait until the end of the existing auditor’s term.
B Yes, the company is able to change auditor at any point during the existing auditor’s
term of appointment provided the relevant statutory procedure is followed.
C No, the company must get permission from the existing auditor before they can
change auditor.
D Yes, the company is able to change auditor at any point during the existing auditor’s
term of appointment provided they give the existing auditor formal notice of the reason
for the change.

3.2 CHANGE OF AUDITOR

Companies seek to change their existing auditor for different reasons (which are not required
to be disclosed):

• To comply with the COE requirements – for example, due to auditor rotation
independence reasons or to enable the outgoing auditor to provide specific consulting
services not previously allowed when they were the appointed auditor.

• A professional relationship breakdown between the company and the auditor. This
could have arisen due to prior disagreements over a significant matter (e.g. accounting
policy choices/interpretations, litigation, audit approach, audit opinion issued).

• Seeking a reduction in their audit fees in a competitive market – providing the entity
with the ability to make significant cost savings (e.g. in switching from a ‘Big 4’ auditor to
a ‘mid-tier’ auditor).

• Seeking to access perceived improved quality of audit services from another audit
provider, e.g. for enhanced data analytics capabilities or possessing specific industry
knowledge.

• Strategic reasons – may want to have a Big 4 auditor for the value of the ‘professional
name’ rather than a mid-tier auditor (e.g. if intending to list on the exchange in the
short term).

Entities may make the change by terminating their auditor’s existing appointment before
the end of term or at the end of term.

Additionally, there are various other reasons for an auditor’s appointment to come to an
end, namely that the current auditor’s term of office has expired, or that they have resigned
or have ceased to be the auditor. For example, the auditor may resign after performing the
pre-engagement risk assessment. Refer to Section 3.3.2, Key Procedures Performed Prior to
Accepting an Engagement, for further details.

The legislative provisions within the Companies Ordinance that govern when the existing
auditor resigns, retires, or is terminated were explained in detail in Section 3.1.2.6, Statutory
Provisions, and by way of brief reminder are as follows:

• The person resigns from office (Cap.622 s.417).

• The person ceases to be the auditor (Cap.622 s.418).

• The person is removed (terminated) from office (Cap.622 s.419).

• A winding-up order is made in respect of an auditor that was appointed as a firm in
circumstances where every person who is regarded as being appointed as auditor by
virtue of Section 399 of the Companies Ordinance:

° Ceases to be a partner in the firm before the term of office expires; or

° Ceases to be eligible, or becomes disqualified, for appointment as auditor of
the company;

° Before the term of office expires;

° Where a body corporate is appointed as auditor of a company, the appointment is
also terminated;

° If the body corporate is dissolved (Section 416 of the Companies Ordinance).

3.2.1 Auditor Resignation


Prior to taking the step of formally resigning their office before their term ends, the
auditor should attempt as much as possible to resolve any issues that are leading to them
contemplating resigning. Under Sections 300.8 and 300.9 of Chapter C of the COE, the auditor
is reminded that they have a duty to the company’s members (shareholders) to report to
them on the financial statements and should make every reasonable effort to discharge this
duty. An auditor should not attempt to avoid the responsibility of reporting on the financial
statements by simply resigning. The auditors’ proper course of action, once appointed, is to
report on the financial statements. If they are considering resigning during their term of office,
they should discuss any contentious issues that may lead to their resignation with the audit
committee and seek the audit committee’s assistance to resolve the issues with management
and to complete the audit. Having completed the audit, if they do not wish to be re-appointed,
they should decline to stand for re-appointment when their term of office expires.

Such issues may be the result of:

• Prior disagreement with management over a significant matter(s) which calls into
question management’s integrity (e.g. chosen accounting policy, discussions over the
appropriateness of the audit opinion, concerns over the degree of control of decision
making exercised by a dominating individual member of management).

• Management have taken an action that the auditor disagrees with that adversely
and significantly affects the relationship between the auditor and management
(e.g. restricting or withholding access to information or persons, trying to impose a
limitation/deadline on when the auditor can complete fieldwork, intimidating audit staff).


• Evidence of ongoing poor governance at the company (e.g. significant internal control
weaknesses previously identified that remain unaddressed).

• A litigation matter (threatened or actual).

• The audit fee is commercially unsustainable (e.g. due to a change in nature or structure
of the company and a fee adjustment was unable to be agreed).

Additionally, an auditor may:

• Simply wish to retire.

• Be required to rotate and lack appropriate competence within the audit firm to do so;
there are new independence/perceived conflict of situations.

• Consider they cannot appropriately perform the audit as the company has:

° Grown substantially and the auditor cannot commit the required resources to the
audit or perform the audit; or

° Diversified into industries where the auditor does not have the appropriate
competency or capability (or access to them) to perform the audit.

If the auditor resigns for professional, legal or regulatory reasons, the auditor should
consider if there are any requirements to advise appropriate regulatory authorities of their
withdrawal from the engagement, together with the reasons for the withdrawal.

3.2.2 Communication with the Audit Committee and the Board of Directors (Outgoing Auditor)
Regardless of the circumstances in which the auditor becomes the outgoing auditor
(resignation, termination), Section 300 of Chapter C of the COE, ‘Change of Auditors of a Listed
Issuer of the Stock Exchange of Hong Kong’, requires the auditor to prepare a letter (‘Letter
of Resignation or Termination’) addressed to the company’s Audit Committee and the Board
of Directors, detailing the circumstances (occurrences) that in their opinion affected their
relationship with the company and led to them becoming the outgoing auditor. The outgoing
auditor need not be concerned with breaching their professional duty of confidentiality
owed to the company by sharing information with the incoming auditor as this is permitted
under the COE.

Disagreements are essentially unresolved differences of opinion between the auditor
and the company. They are related to the audit of the listed issuer’s most recently completed
financial year or any period subsequent to the most recently completed financial period for
which an auditor’s report has been issued up to the date of the resignation/termination.

Disagreements could be any matter of audit scope, accounting principles or policies, or
financial statement disclosures that, if not resolved to the satisfaction of the outgoing auditor,
would have resulted in a qualification in the auditor’s report.

It is not necessary for there to have been an argument between the auditor and the
company for there to be a disagreement. Initial differences of opinion that have since been
resolved to the auditor’s satisfaction by the supply of additional facts or information are also
not included here.


‘Unresolved’ differences of opinion refer to matters that came to the outgoing auditor’s
attention and that, in the outgoing auditor’s opinion, materially impact on the financial
statements or the auditor’s reports (or that could have a material impact on them), and where
the outgoing auditor has already advised the listed issuer about the matter and:

(a) The outgoing auditor has been unable to fully explore the matter and reach a
conclusion as to its implications prior to their resignation or termination;

(b) The matter was not resolved to the outgoing auditor’s satisfaction prior to their
resignation or termination; or

(c) The outgoing auditor is no longer willing to be associated with the financial statements
prepared by the listed issuer’s management. This is in relation to circumstances
described in HKSA 560 Subsequent Events when it becomes effective on ‘Facts which
become known to the auditor after the financial statements have been issued’,
resulting in the withdrawal of the relevant auditor’s report.

In determining if a matter is ‘unresolved’, the persons involved should be those responsible
for key decision-making activities, reflecting the seriousness of the matter. In the entity’s case
it should be those persons responsible for the finalisation of its financial statements and, from
the auditor, those responsible for authorising the issuance of the auditor’s report.

3.2.2.1 Sharing the Resignation Letter with the Incoming Auditor of a Listed Issuer
All incoming auditors are aware that the outgoing listed company auditor is required to provide
a Letter of Resignation or Termination to the company. It is not appropriate for the outgoing
auditor to share their Letter of Resignation/Termination directly with the incoming
auditor as the letter is required to be sent to the company’s Audit Committee/Board of Directors.

Instead, as part of the professional clearance process, the outgoing auditor should refer the
incoming auditor to their letter. The incoming auditor should then request a copy of the letter
(and any correspondence referred to in the letter) directly from the company and assess if they
should accept the appointment. If the listed issuer refuses to provide the incoming auditor
with a copy of the Letter of Resignation or Termination and any correspondence referred to
in the Letter of Resignation or Termination, the incoming auditor should decline to accept the
nomination. From the outgoing auditor’s perspective this reference effectively discharges the
requirement of providing details of any unusual circumstances surrounding the proposed
change of auditor in accordance with Section 200 ‘Changes in a Professional Appointment’ of
Chapter C of the COE.

3.2.2.2 Professional Clearance


Incoming Auditor Responsibility to Request
A prospective incoming auditor is required by Section 200.1 of Chapter C of the COE to
request a professional clearance from the outgoing auditor before accepting the auditor
appointment. Such a request must be made after the prospective client company has granted
permission to contact the existing auditor. In circumstances where such permission has not
been granted, the prospective incoming auditor is not allowed to accept the appointment.
Additionally, if the change process has not been dealt with by the company in accordance with
the Companies Ordinance, the prospective incoming auditor is also not allowed to accept the
appointment.


The purpose of the clearance letter is for the prospective incoming auditor to understand
if there are any professional or other reasons (e.g. unusual circumstances) that should be
considered before accepting the appointment as the auditor.

Examples of such circumstances could be:

• The company has had significant disagreement with the existing auditor that they
consider is the reason the company may be seeking to appoint a new auditor, or any
perceived impropriety in the conduct of its affairs.

• Where the existing auditor is aware of unsatisfactory business practices of
the company.

• The existing auditor has suspicions of unlawful acts by directors that have not yet
been proved.

The outgoing auditor is required to respond to a professional clearance request letter sent
by the prospective incoming auditor. Such information provided in the letter is to be held by
the incoming auditor in strict confidence.

If the outgoing auditor provides circumstances to the prospective incoming auditor
that relate to significant disagreement with the company, that auditor should provide all
relevant details about the disagreements and their full views on those disagreements.
This is to enable the prospective incoming auditor to consider these matters, discuss them
with the company where appropriate, and decide if it is ethically appropriate to accept the
appointment. The prospective incoming auditor will, for example, need to be assured that the
company will accept their right to a contrary opinion, and, if appropriate, expression of it in
the auditor’s report. If the prospective incoming auditor is unsatisfied with the handling of the
disagreements, the nomination for appointment should be declined.

In respect of any other circumstances (e.g. suspicions of unlawful acts by directors that
have not been proved or unsatisfactory business practices), the outgoing auditor should advise
the prospective incoming auditor immediately if there is any professional or other reason
(together with fully disclosing the circumstances for the reason) that they should be aware of
in deciding whether to accept the auditor’s appointment (e.g. nature of unlawful actions that
should be investigated). It is acceptable for the outgoing auditor to explain the circumstances
orally rather than in writing.

For the outgoing auditor, providing audit-related information to the incoming auditor
(appointed but not yet commenced or offered but not yet appointed), Section 414 of the
Companies Ordinance clarifies that they do not contravene any duty. This is providing that the
information came from knowledge gained in the capacity of being the auditor and that it is
provided in good faith and the outgoing auditor believes that the information is relevant to the
performance of the incoming auditor’s duties as auditor.

Failure to Receive a Response to the Request for Clearance


If the proposed incoming auditor does not receive a response to the clearance letter from the
outgoing auditor within a reasonable time, that auditor is able to follow up the outgoing auditor
by other means. If unable to do so, or unable to obtain a satisfactory outcome in this way, the
prospective incoming auditor should send a further letter, preferably by recorded delivery
service, stating that, unless a reply is received within a specified time, they will assume that
there are no matters of which they should be aware before deciding whether to accept. In any
case, the proposed incoming auditor should be prepared to accept nomination only if satisfied
it is ethically appropriate to do so.

Client and Engagement Acceptance Procedures

Failure of the Incoming Auditor to Request a Clearance Letter


In the absence of the incoming auditor sending the formal request for professional clearance,
the outgoing auditor is under no obligation to share any information with the incoming auditor.

Example of Clearance Letter (Appendix of HKICPA Code of Ethics for Professional Accountants)

Dear Sirs,

We have been nominated to act as auditor of .................... Limited.

In order to assist us in determining whether to accept such nomination, we should be grateful if
you would advise if there are any circumstances surrounding the proposed change of which we
should be aware.

Yours faithfully,

Firm name

Key Learning Point


Professional clearance letters are required to be requested for every audit engagement
where there is a change of auditor.

3.2.3 The Incoming Auditor’s Requirements


The incoming auditor, having requested the professional clearance letter and obtained and
evaluated the outgoing auditor’s response, should inquire of the company whether the change
of auditor has been made in accordance with applicable legislation (Companies Ordinance)
and then obtain permission to contact the outgoing auditor for confirmation. If the incoming
auditor has any issues with these matters, they need to discuss them with the company to
identify the appropriate remedial action. If significant concerns are not resolved, the incoming
auditor is required to decline the appointment.

The incoming auditor should also ensure their appointment is valid by inspecting a
copy of the resolution noting their appointment (passed by resolution at the company’s
general meeting).

3.2.4 Change of Auditor of a Listed Issuer of the Stock Exchange of Hong Kong

Section 300 of Chapter C of the COE specifies additional requirements for appointing and
removing a listed issuer’s auditor, and the auditor’s rights to attend the listed issuer’s annual
general meeting. (This section should be read in conjunction with Section 200 ‘Changes in a
Professional Appointment’ under Chapter C.)

The outgoing auditor of a listed issuer who has resigned or had their appointment
terminated should include in their required Letter of Resignation or Termination
(Sections 417/424 of the Companies Ordinance – discussed in Section 3.1.2.6, Statutory
Provisions) a reminder to the company of the company’s responsibility to make an
announcement in accordance with the Listing Rules in respect of the change of auditor. The
outgoing auditor should include in their Letter of Resignation or Termination an express
consent to the letter being supplied to the SEHK.

3.2.4.1 Appointing an Auditor


Under SEHK Rule 13.88 of the Main Board Listing Rule and Rule 17.100 of the GEM (Growth
Enterprise Market) Listing Rule, a listed issuer must, at each annual general meeting,
appoint an auditor to hold office from the conclusion of that meeting until the next annual
general meeting.

3.2.4.2 Removing an Auditor


The listed issuer must not remove its auditor before the end of the auditor’s term of office
without first obtaining shareholders’ (members’) approval at a general meeting. A listed
issuer must send a circular proposing the removal of the auditor to shareholders, together
with any written representations from the auditor, not less than 10 business days before the
general meeting.

3.2.4.3 Auditor to Attend Annual General Meeting


A listed issuer must allow the auditor to attend the general meeting and make written and/or
verbal representations to shareholders at that general meeting. Under Code Provision E.1.2 in
Appendix 14 of the Main Board Listing Rule and Appendix 15 of the GEM Listing Rule, a listed
issuer’s management should ensure that the auditor attends the annual general meeting to
answer questions about the conduct of the audit, the preparation and content of their auditor’s
report, the accounting policies, and auditor independence.

3.2.5 The Announcement to be Made by the Listed Issuer on the Change of Auditor

There are requirements of the Main Board and GEM Listing Rules (Listing Rules) regarding
changes in audit appointments for listed issuers.

These include that the listed issuer is required to make an announcement pursuant to the
Listing Rules setting out the reason(s) for the change of auditor and any other matters that
need to be brought to the attention of holders of securities of the issuer (including, but not
limited to, circumstances set out in the outgoing auditor’s Letter of Resignation or Termination
in relation to the change of auditor). It is advisable that, before making the announcement,
the listed issuer, where practical and without delay, consult with the outgoing auditor and
agree on the details related to the communication of the reasons for the auditor change.

The outgoing auditor should read and assess whether the circumstances as reported in
their Letter of Resignation or Termination, which, in their opinion, need to be brought to the
attention of the listed issuer’s shareholders, are reflected in the announcement made by the
listed issuer. In the event that the outgoing auditor considers that the circumstances leading
to Resignation or Termination, as announced by the listed issuer, are materially different from
the circumstances as reported by the auditor in the Letter of Resignation or Termination, the
outgoing auditor should write to the Audit Committee and Board of Directors of the listed
issuer indicating those differences.

If the listed issuer takes no adequate action in response to the outgoing auditor’s letter, the
outgoing auditor should consider whether the market has been adequately informed as to the
circumstances leading to the Resignation or Termination. If not, the outgoing auditor should
consider whether these should be brought to the attention of the relevant regulatory authority;
that is, the Securities and Futures Commission (SFC). Should the outgoing auditor decide it
necessary to report those matters to the SFC, they will be subject to the protection of Sections
380 and 381 of the Securities and Futures Ordinance.

(Note that Sections 380 and 381 of the Securities and Futures Ordinance provide immunity
to a person who is, or was, an auditor of a company which is listed, or any associated
company of the company, who reports to the SFC matters that come to their attention
that suggest that, at any time since the formation of the listed company, its shareholders
have not been given all the information with respect to its affairs that they might
reasonably expect.)

The outgoing auditor is advised to always consult their lawyer before any communications
with the SFC.

Apply and Analyse 1


Yay Manufacturing Company Limited is a company listed on the SEHK. Yay Manufacturing
Company and its subsidiaries (‘Yay’) are principally engaged in the manufacture of battery
components used in the manufacture of consumer mobile devices. Yay’s customers are
mostly technology companies in mainland China and other Asian countries. As at 31
December 20X7, over 90% of Yay’s manufacturing assets were located in mainland China.

As a result of the continued worldwide economic boom in sales of mobile devices,
Yay decided, two years ago, to more than double the size of its manufacturing
facilities to accommodate the increased demand. Consequently, revenue increased
more than 40%.

Yay’s previous auditor, Jiang & Co, was re-appointed in April 20X7 after it reported on
Yay’s financial statements for the year ended 31 December 20X6. However, Jiang & Co
resigned in October 20X7. Jiang & Co had been Yay’s auditor for five years.

Jiang & Co had proposed a doubling of the Yay audit fee. However, Yay would not
accept the increase. According to Yay, they wanted to change auditor periodically to ensure
independence. According to Jiang & Co, they had been prepared to rotate the engagement
partner in accordance with quality management standards.

The directors of Yay approached Jin & Co in November 20X7 and proposed to appoint
them as the auditor of Yay’s financial statements for the year ended 31 December 20X7.

Explain what Jiang & Co’s ethical obligations are in relation to Yay’s request for the
change in auditor.

Analysis

Jiang & Co, as Yay’s outgoing auditor, must comply with the ethical obligations in relation
to the change in Yay’s auditor that are set out in the COE. In particular, Jiang & Co must comply
with the requirements of Section 300 ‘Change of Auditors of a Listed Issuer of the Stock
Exchange of Hong Kong’ under Chapter C of the COE since Yay is listed on the SEHK.
According to Section 300 under Chapter C of the COE, Jiang & Co should prepare a Letter of
Resignation addressed to Yay’s Audit Committee and the Board of Directors.

The Letter of Resignation should disclose all the circumstances that, in the opinion of
Jiang & Co, affect the relationship between Yay and Jiang & Co. Such circumstances include,
but are not limited to, ‘disagreements’ and/or ‘unresolved issues’.

According to the COE, Jin & Co should make a request in writing to Jiang & Co to ask
if there are any unusual circumstances surrounding the proposed change which Jin & Co
should be aware of, so that Jin & Co may determine whether it should accept the audit
nomination. On receipt of the written request, Jiang & Co should act promptly.

If there are no professional or other reasons why Jin & Co should not accept the
nomination, Jiang & Co should reply to Jin & Co’s written request without delay.

Apply and Analyse 2


Explain why Jiang & Co may wish to discuss the circumstances of the change of auditor
with Jin & Co.

Analysis

Jiang & Co might wish to discuss Yay’s affairs with Jin & Co due to circumstances
surrounding the change of auditor. Prior to this, Jiang & Co should first request Yay’s
permission to do so freely. If permission is not granted, Jiang & Co should report that
fact to Jin & Co (who in turn should not accept the nomination). Once Yay’s permission
is granted, Jiang & Co may inform Jin & Co of those factors or circumstances of which,
in the opinion of Jiang & Co, Jin & Co should be aware (e.g. the audit fee change request
and partner rotation offer). Jiang & Co may, for example, inform Jin & Co that the reasons
advanced by Yay for the change in auditor are not in accordance with their understanding
of the facts, given Jiang & Co had proposed a rotation of the engagement partner as an
appropriate safeguard against the familiarity threat to independence, and that Yay did not
accept the proposed increase in audit fee. Once Jin & Co have considered these facts, it is
then up to them to decide if it remains ethically appropriate for them to accept the auditor
appointment.

Knowledge Check Questions

Question 2
If a company is unhappy with the timeliness, professionalism, and level of service their
existing auditor is providing to them, explain whether they can decide to change auditor
half-way through the auditor’s term.

Question 3
As part of your professional obligations as incoming auditor of Zhang Limited you sent
a professional clearance request to the existing auditor for their response. The existing
auditor’s response included a range of issues, including issues that had previously caused
significant disagreement with the company and also advising them of the fact they had
some suspicions regarding the company’s business practices in its shipping department.
Describe how you respond as prospective incoming auditor to the issues raised by the
existing auditor.

Question 4
If the outgoing auditor does not respond to the incoming auditor’s professional clearance
letter request, identify what the incoming auditor should do.
A Accept the engagement.
B Decline the engagement.
C Try to contact the outgoing auditor again by another means.
D Resend the request.

3.3 PROCEDURES FOR ACCEPTING A NEW ENGAGEMENT OVERVIEW

3.3.1 Standards Affecting Auditor Appointments


There are mandatory HKICPA auditing and ethical standards that also impact accepting auditor
appointments, being:

• HKSQM 1 Quality Management for Firms that Perform Audits or Reviews of Financial
Statements, or Other Assurance or Related Services Engagements.

• HKSA 220 (Revised) Quality Management for an Audit of Financial Statements.

• Code of Ethics for Professional Accountants (Revised 2022).

3.3.1.1 HKSQM 1

HKSQM 1.30 and A67–A74 set out the requirements for Acceptance and Continuance of Client
Relationships and Specific Engagements. The firm’s quality objectives should establish that
judgements by the firm about whether to accept or continue a client relationship or specific
engagement are based on:

• Information obtained about the nature and circumstances of the engagement and the
integrity and ethical values of client management, and those charged with governance
that is sufficient to support the judgment.

• The firm’s ability to perform the engagement in accordance with professional standards
and applicable legal and regulatory requirements.

• The financial and operational priorities of the firm do not lead to inappropriate
judgments about whether to accept or continue a client relationship or specific
engagement.

The firm is required to ensure that it:

• Is competent to perform the engagement.

• Has the capabilities, including time and resources.

• Can comply with relevant ethical requirements (Code).


The firm is also required:

• To obtain such information as it considers necessary before accepting an engagement
with a new client.

• To consider whether there is a potential conflict of interest.

• To document any issues identified when the firm was deciding to accept or continue the
client relationship or a specific engagement.

HKSA 220 (Revised) paragraphs 22–24 require the audit engagement partner to be
satisfied that appropriate procedures regarding the acceptance and continuance of a
client have been performed and that conclusions reached from those procedures were
appropriate. If the engagement partner obtains information that would have caused them
to decline the engagement, they are required to advise the firm so that appropriate action
can be taken.

If the firm obtains information after accepting that may have caused it to decline the
engagement, the auditor is to consider the professional and legal responsibilities that apply
to the circumstances, including whether there is a requirement for the firm to report to the
person or persons who made the appointment or, in some cases, to regulatory authorities,
and the possibility of withdrawing from the engagement or from both the engagement and the
client relationship. See also Chapter 4, Section 4.2.7.

3.3.1.2 HKSA 220 (Revised)


HKSA 220 (Revised) applies to audit engagements. It establishes that:

• The firm’s system of quality management (SOQM) should be consistent with the
provisions of HKSQM 1.

• The engagement team ensures the audit complies with professional standards and
applicable legal and regulatory requirements.

• The auditor’s report is appropriate in the circumstances.

Specifically, HKSA 220 (Revised) paragraphs 12–13 and A8 require the engagement partner
to be satisfied that appropriate procedures regarding the acceptance and continuance of
a client have been performed and that conclusions reached from those procedures were
appropriate. If the engagement partner later obtains information that would have caused them
to decline the engagement, they are required to advise the firm so that appropriate action can
be taken. Information such as the following is recommended:

• The integrity of the owners, key management and those charged with governance.

• Whether the engagement team is competent to perform the audit and can comply
with the Code.

• Significant matters that have arisen during the current or previous audit.

3.3.1.3 The Code of Ethics (Revised 2021)


The Code of Ethics is mandatory to apply to all engagements conducted by members of the
HKICPA, including audit engagements. It has six chapters (A to F): two general chapters
(Chapters C and D) that apply to all engagements regardless of type and four specific
chapters (Chapters A, B, E, and F) that apply to certain types of engagements undertaken.
Additionally, Chapter A ‘Professional Accountants in Public Practice’ has four parts (Parts 1 to
3, 4A and 4B).

Of particular application to auditor appointments in the general part is:

• Chapter A, Part 3 ‘Professional Accountants in Public Practice’, Section 320
‘Professional Appointments’;

• Chapter A, Part 4A ‘Independence for Audit and Review Engagements’; and

• Chapter C, Section 300 ‘Change of Auditors of a Listed Issuer of the Stock Exchange of
Hong Kong’ (SEHK).

A summary of the COE, Section 320 and Part 4A is provided directly below. The detail of
Section 300 under Chapter C is found in Section 3.1.2 ‘Auditor Appointment Guidance and
Guidelines’ and for Section 300 in Section 3.2.2 ‘Communication with the Audit Committee and
the Board of Directors (Outgoing Auditors)’.

Chapter A, Part 3, Section 320 ‘Professional Appointment’


This section sets out the client acceptance and continuance requirements for professional
accountants in terms of determining if acceptance could create any threats to the fundamental
principles of the COE (integrity, objectivity, professional competence and due care,
confidentiality, and professional behaviour). These were previously explained in Chapter 1,
Section 2.2.2 of the COE and are not repeated here.

Chapter A, Part 4A ‘Independence for Audit and Review Engagements’


The overarching principle in Chapter A, Part 4A of the COE is to require the auditor to be
independent of audit clients. Independence is critical to the auditor performing an unbiased,
impartial, and non-conflicted audit engagement (independence of mind and in appearance).
Part 4A provides detailed examples to assist the auditor and ensure they are independent,
as it is recognised that independence is an area requiring the auditor to exercise significant
professional judgement.

In essence, the auditor must not accept any audit engagement where the auditor cannot
be independent. It is therefore critical for the auditor to identify threats to independence prior
to accepting the audit engagement, evaluate any threats, and apply appropriate safeguards
when necessary to eliminate those threats or at least reduce them to an acceptable level.
Threats can be direct or indirect and be financially based or non-financially based and be actual
or perceived. They include threats that relate to self-interest, self-review, familiarity, advocacy,
or intimidation threats. In some cases, there may be no safeguards that can be put in place to
ensure independence; in which case the auditor declines to accept the auditor’s appointment
or, if already appointed, resigns/withdraws.

Key Learning Point


The auditor’s independence is fundamental to accepting a new appointment as company
auditor and to continuing with an existing auditor appointment. If the auditor assesses that
their independence is, or has been, threatened, and they have not identified and put in
place an appropriate safeguard to effectively mitigate or eliminate that threat, the auditor
must decline accepting or continuing the auditor appointment.

3.3.2 Key Procedures Performed Prior to Accepting an Engagement


The three areas the auditor should consider prior to accepting an engagement are:

1. Assess the two preconditions for the audit (Section 3.3.1.1).

2. Perform the engagement risk assessment on the company (Section 3.3.1.2).

3. Assess if the auditor can comply with the relevant ethical requirements
(Section 3.3.1.3).

An auditor should, prior to commencing work on a continuing audit engagement,
consider the risk of continuing to accept the engagement due to any change in circumstances
of the company or the auditor. The continuing auditor, therefore, re-assesses each of
the three areas annually. Although the engagement risk assessment in Section 3.3.2.2 is
written from the perspective of a new engagement, it can be readily adapted to a continuing
engagement.

An auditor should, prior to accepting a new audit engagement, consider the risk of accepting
the engagement with that company (client). Note that this risk is different from the engagement
risk assessment, which is used by the auditor, post-acceptance, to design procedures based
on the company risks (its inherent risk, control risk, and detection risk) to enable them to
conclude on the audit and achieve the desired level of reasonable assurance. The COE contains
the relevant ethical requirements the auditor must comply with for each audit and must be
considered at pre-engagement to ensure the auditor can accept the engagement. These are
already covered in detail in Chapter 1 of this module.

The engagement risk assessment should be made by the auditor prior to engagement
acceptance to ensure that they are fully informed of, and understand the nature of, the
company. This allows the auditor to make an informed professional judgement as to whether
they wish to be the company’s appointed auditor.

3.3.2.1 Assess Preconditions for the Audit


The two preconditions for the audit involve the auditor considering:

1. The acceptability of the financial reporting framework selected by those charged with
governance as the basis to prepare the financial statements; and

2. Whether management will agree to acknowledging and accepting responsibility for:

(a) The preparation of the auditable financial statements;

(b) Internal controls relevant to those financial statements to ensure they are free
from material misstatement (whether due to fraud or error); and

(c) Providing the auditor with access to all information relevant to preparation of
the financial statements and any information the auditor requests for audit and
unrestricted access to any person within the company the auditor requests so they
can obtain audit evidence (see HKSA 210, paragraph 6).

In evaluating whether the company’s financial reporting framework is acceptable, the
auditor considers the purpose for which the financial statements have been prepared, the
Companies Ordinance, and the requirements of the legislation in terms of what type
of financial statements are required to be prepared (e.g. general-purpose financial statements
in accordance with HKFRS).

3.3.2.2 Perform Engagement Risk Assessment


In assessing the specific engagement risk, the following considerations are a helpful checklist
that can be used.

The auditor’s assessment is made based on the knowledge and understanding they have
obtained of the company primarily through a review of relevant information (sourced from a
wide range of different reputable sources) and discussions with relevant persons (including the
current auditor, the company’s management, and those charged with governance and internal
audit, and key service providers of the company including lawyers, bankers, and, if appropriate,
the regulatory authority). The outcomes of these considerations may cause the auditor to
question the auditor’s ability to accept the engagement on the basis of threats to independence
that cannot be appropriately safeguarded. Refer to Section 3.1.2 Auditor Appointment
Guidance and Guidelines for the earlier discussion on independence.

Management Characteristics and Integrity


The auditor needs to understand who the key management personnel of the company are
(and, if there have been recent changes, what they are and why they occurred). The auditor
also needs to obtain reputable external references, if those personnel are not known to
the auditor, to enable the assessment of their ‘business reputation’ and integrity. This may
include assessing key known related parties of management. (Refer to HKSA 550 Related
Parties, paragraph 10(b) for a definition of a related party of a reporting entity. To understand
who management’s related parties may be, read ‘management’ in place of ‘reporting entity’.)

The auditor is to consider management’s attitude towards compliance with regulatory
or contractual obligations, whether their known business practices are satisfactory, and if
there has been any indication of money laundering or other criminal activity committed by
management. This includes being aware of any ongoing poor governance at the company
(e.g. significant internal control weaknesses previously identified, which remain unaddressed
by management). It is critical that the auditor assesses the overall ‘tone at the top’ at the
company, its workplace cultural values, and the impacts (if any) of these on the audit. The
auditor should consider corporate governance policies, public announcements, listings of
related parties, and other relevant information obtained from appropriate sources (e.g. via
the company website). A poor culture in the company (e.g. a culture where there is fraud,
misconduct, or employee disregard for approved company policies and procedures, without
consequence) substantially increases the audit risk of material misstatement as the company
lacks an effective internal control system. Consequently, the auditor would not accept the
auditor appointment.

The auditor needs to consider whether there is any indication of management’s intention
to try to limit the scope of the audit and whether management’s attitude towards the
interpretation of accounting standards is aggressive or that its maintenance/focus on the
internal control environment is lax.

The auditor should consider if there are any incentives (financial or otherwise) and
opportunities for management to engage in fraudulent financial reporting (e.g. to achieve
bonus conditions). Consideration should also be given to whether management decisions are
unduly dominated by one person or a small group of persons, leading to possible issues with
key decision-making processes.

The auditor should try to determine whether there have been any instances of fraud
committed by management and whether the circumstances that enabled the fraud are still
present (indicating a lack of management willingness to be committed to good governance via a
strong internal control environment).

Overall, the auditor needs to conclude in their assessment whether those charged with
governance/management of the company exhibit appropriate integrity and attitudes towards
governance at the company (internal control environment), its financial reporting processes,
and the respect for the audit process.

Organisation and Management Structure


The auditor should assess the legal structure of the company and whether it is suitable for the
type of business the company conducts (e.g. is it simple or overly complex due to the use of
many subsidiaries or trusts, or complex alliances and joint ventures?).

The internal management structure of the company is also of interest to the auditor. Is it
suitable for the company and its operations or is it unduly top heavy or multilayered? Does
management appear to have sufficient professional expertise in the company’s business to
make appropriate business decisions? Are appropriately qualified people employed in all the
company’s areas of operation? Is there any potential for a few members of management to
dominate the day-to-day running of the company by virtue of their position? Is there a high
staff turnover, indicating issues in how the company is being run?

If the engagement is a group audit, and the auditor is to be the group auditor, the auditor needs
to consider if there are any known issues in conducting the group audit. For example, will the
auditor audit all the entities in the group or have to deal with different component auditors
and in different jurisdictions? In such cases, the auditor would need to consider the component
auditor’s professional competence and also take into consideration the jurisdictional
differences they operate in (e.g. there may be regulatory differences on what information they
can provide to the auditor as group auditor and also different professional requirements to
those of the HKICPA that will have to be assessed).

If the engagement is a group audit, and the auditor is to be the component auditor, the auditor
needs to consider if there are any known issues affecting the way in which they will be required
to report component results to the group auditor in terms of regulatory or professional
accounting requirements. Chapter 11 of this module considers in detail group audits, including
the situation of component auditors.

Nature of the Business


The auditor needs to consider the industry in which the company operates and whether that
presents any professional reputational issues for the auditor. For example, the industry may be
highly controversial by virtue of its nature or its known accepted business practices.

It is also important to consider the company’s related parties and associates (both locally
and internationally), and if there is any evidence of the company being economically dependent
on other parties including financiers.

The auditor will need to ascertain whether the business faces any significant litigation
claims or contingent liabilities and whether the nature of the business suggests a finite
business life. Is there any indication of the company being in economic difficulties? Are there
any significant financing covenants that the company has to regularly re-negotiate or has a
history of missing? The auditor will also consider whether the company is in a competitive
industry or is a monopoly provider of goods/services.

If the company, or the group, operates in a diverse range of industries, the auditor will need
to assess whether the company’s personnel have the technical expertise and experience to
operate in those industries. Does the mix of industries the company is engaged in make sense,
given the company’s prior history (e.g. are there synergies of management skills and does the
mix achieve horizontal/vertical integration)?

Additionally, the auditor needs to consider whether the company operates in a highly
volatile, highly complex, and/or highly regulated environment (e.g. where the company faces
requirements in addition to the Companies Ordinance), has been the subject of regulatory or
government inquiries (and their outcomes, if known), and whether there have been significant
transactions/events and issues involving significant management assumptions or estimates.

If the company is a group of companies, the auditor needs to consider and apply the
considerations to each of the companies in the group.

IT Environment (Including Cyber Security)


The auditor needs to consider whether there are any unusually high business risks associated
with the company: any announced complex or risky transactions, aggressive deals or
diversifications into markets or areas where the company does not have known expertise, or
known issues with the stability of its IT environment.

Of interest to the auditor will be whether the company has significant legacy (old) computer
systems upon which the company is heavily reliant to record/maintain its data, which have
not been upgraded and/or are unsupported. Generally, does the company regularly apply patches
and updates to key software to reduce security vulnerabilities? How well maintained are the
systems? Additionally, for systems that the company is heavily reliant on, the auditor should
consider how long the company could effectively operate without these systems in the event
they suddenly stopped operating or became inaccessible, and what plans exist for addressing
this risk (e.g. having regular backups of data stored offsite, a parallel system housed offsite,
or alternate premises used to store emergency computers).

In particular, the auditor will need to consider whether the company has the capabilities
in-house, or through its consultants, to manage the security of its data. Does it have
appropriate IT general and security controls to protect its data internally and externally? Is
there a risk of cyber-attacks on the company given the nature of the data it holds (valuable,
sensitive, one-of-a-kind data)? Does the company have adequate cyber security policies,
protocols, and prevention and detection tools to manage its cyber security? Also,
does the company have appropriate data protection policies in compliance with applicable
data privacy legislation? Does the company have a functioning disaster recovery plan that
is regularly tested, and does it perform regular stress testing and penetration testing of
key vulnerable systems? Does the company have a history of promptly remedying any
issues identified? Does it have an appropriate business continuity plan (covering loss of key
employees, suppliers, customers, IT systems (hardware and software), and unplanned outages
or acts of cyber-attacks, such as denial-of-service (DoS) attacks, phishing, malware
(malicious software), man-in-the-middle (MITM) attacks, SQL injection (inserting a
command into a database query with nefarious intent), and/or zero-day attacks that exploit
previously unknown weaknesses)?


Financial Results

A basic requirement is that the auditor needs to obtain and review available financial
statements to understand the company’s historical financial position, profitability, cash flow,
and other key financial indicators of the company’s health. The auditor will need to consider if
there are any significant matters (e.g. disclosures of commitments, litigation, or post-balance
date events) that are of consequence to a future audit and whether the financial statements
comply with accounting standards and other requirements.

The auditor will need to assess whether the company has any going concern issues that
may call into question their future viability.

As well as looking at past financial statements, the auditor will need to consider if there
have been any significant changes in the company’s financial condition or circumstances in the
current year as compared to prior years (e.g. deterioration of financing loan covenants that
affects its liquidity or future viability/prospects or significant divestments of business units or
changes in strategic direction).

Business Relationships and Related Parties of the Company


The auditor needs to consider who the company’s substantial business relationships are
with, including suppliers, creditors, shareholders, customers, financial institutions, associates,
and/or lawyers. The auditor needs to assess these relationships for any possible conflicts of
interest and to consider the completeness and adequacy of any disclosures in the financial
statements. The auditor should also consider their impact on the company’s ongoing viability
and professional reputation (as might come from significant transactions entered into by the
company with those entities with known poor business reputations).

The auditor also needs to consider the company’s related parties. These are essentially
entities with direct or indirect control or significant influence over the company, as defined in
HKSA 550 Related Parties, paragraph 10(b).

Prior Knowledge and Experience


The auditor will need to consider any issues in the prior year audit engagement that call into
question whether the auditor wants to be the appointed auditor. Some of these issues have
already been covered here and in Section 3.2 ‘Change of Auditor’ as reasons why an existing
auditor may consider resigning from the audit.

For example:

• Were there significant disagreements with management on accounting policy
judgements/choices or other significant matters affecting the financial statements?

• Did management pursue aggressive accounting standard interpretations?

• Were there issues with accessing information or persons when required and on a
timely basis?

• Did the auditor have difficulty obtaining sufficient appropriate evidence to support
material balances?


• Was the company the subject of adverse findings in legal cases or government
inquiries?

• Were there any actions identified that called into question management’s integrity
(e.g. failure to remedy known significant internal control deficiencies or action of a
known fraud)?

• Were there any attempts to limit the scope of audit work in certain sensitive areas?

• Did the company have difficulty paying the prior year’s audit fee or have disagreements
over paying the audit fee?

Legal and Professional Issues


The auditor needs to be sure of being professionally qualified to act and that there are no legal,
regulatory, or technical barriers to the appointment. For example, was the outgoing auditor’s
resignation/termination properly conducted in accordance with the Companies Ordinance
or is the auditor aware that the company has not complied with the Companies Ordinance
requirements? Was the professional clearance process satisfactorily completed? The auditor
should obtain a copy of all notices and documentation from the company in respect of their
appointment and the prior auditor’s resignation/termination to ensure they are valid. Lastly,
the auditor needs to consider whether there are any legal impediments to accepting the
engagement (statute, contract, or common law).

Audit Administration Related Issues

The auditor needs to have appropriate and adequate audit resources to conduct a quality
audit. In making this assessment, the auditor needs to consider the availability of an
appropriate engagement quality reviewer and whether assigned staff have the appropriate
competence, capability (industry knowledge, experience with relevant regulatory or reporting
requirements), time availability, subject matter expertise, and ability to meet the statutory
report deadline of the company.

Also, the auditor needs to consider if the proposed audit fee is reflective of the work effort
required to conduct a quality audit. Quality cannot be sacrificed due to difficulties in having
the fee paid, for example when a company acts aggressively to keep audit fees below what is
reasonable.

3.3.2.3 Assess Whether the Auditor Can Comply with the Ethical Requirements

The auditor is required to assess all the information obtained from the pre-conditions and
the results of the engagement risk assessment to conclude whether the ethical requirements
can be met and the auditor can accept an audit engagement. That is, the auditor must
conclude that there is independence from the company and there are no conflicts of interest,
no issues with management’s integrity, and no concerns about being associated with
the company.

A high-level discussion on auditor independence considerations is already covered in
Chapter 1, Ethical Standards, Legislation, and Professional Guidance, Section 1.1, Auditing and
Assurance, and in this chapter in Section 3.1.2, Auditor Appointment Guidance and Guidelines
(independence) and Section 3.2.2.2, Professional Clearance (assessing the information received
from the outgoing auditor).


Possible threats to independence (in mind and appearance) may arise from the work
the auditor already performs for the company. In this regard, the auditor needs to
consider whether any non-assurance or consulting engagement services provided impact the
financial statements to be audited. Common examples of such services include preparing the
financial statements, preparing the tax effect accounting entries for inclusion in the financial
statements, providing accounting valuation services on property, plant and equipment/specialised
assets, providing internal audit services to the company, and/or providing
accounting advice on the proposed treatment of a material transaction that has occurred or
the interpretation of a new accounting standard for implementation in the current financial
year. Given the nature of these services, and assuming they have been provided in respect of
the current financial results for incorporation into the financial statements to be audited, they
represent threats that are highly unlikely to be mitigated, for the current financial statements,
through appropriate safeguards.

The rule of thumb to remember is that the auditor should not audit anything that
the auditor has prepared or provided advice on (to avoid self-review, self-interest, and
advocacy threats).

The auditor also needs to consider other possible threats to independence, such as those
detailed in Chapter 1. Examples include considering relationships between the auditor and
the company’s management/those charged with governance, over-reliance on the company,
economic dependence on the company due to the audit fee’s size, financial interests, and any
inducements received.

Key Learning Point


The auditor needs to perform and document their engagement risk assessment conclusion
prior to accepting any new auditor appointment and prior to commencing work on a
continuing audit engagement. This is a far-reaching assessment that cannot be treated as
being a matter of process.

3.3.3 Terms of the Engagement Considerations


The auditor needs to set down the terms of the engagement with the company in an
engagement letter, as evidence of the contractual relationship. The company has to accept
that letter.

3.3.3.1 Components of Acceptance of the Engagement


HKSA 210 Agreeing the Terms of Audit Engagements sets out the requirements for the auditor
in formalising the agreed terms of the assurance engagement between the company and
those charged with governance (directors or management as appropriate) as required by the
Companies Ordinance.


3.3.3.2 Agreed Engagement Terms


Under HKSA 210, before the start of any professional work, the auditor and the company should
agree, in writing, the scope and nature of the work to be undertaken. This ensures there can
be no misunderstanding of the audit engagement, confirms the respective responsibilities,
confirms the applicable financial reporting framework used for the preparation of the financial
statements, and explains audit reporting outcomes and fee arrangements.

All first-time engagements require this letter to be prepared by the auditor and agreed with
management.

If management requests a change in the scope or objectives of the audit, then it is up to
the auditor to decide on acceptance of such a change. In such circumstances, the engagement
letter is to be updated and re-issued to evidence the change.

When to Issue an Engagement Letter


For new clients, the engagement letter should be sent before any professional work has been
started. If the audit is of a group, the auditor will send an engagement letter relating to the
group and identify the components for which the auditor is appointed.

For recurring audits, the auditor needs to decide if circumstances require that the letter
be updated and re-sent to management. Generally, whenever there is a significant change in
circumstances, a revised engagement letter should be sent. Significant changes include:
• The company has changed its name or financial year or there is a significant change in
the company’s ownership.

• The audit engagement partner has changed.

• The members of the company’s board or key management personnel have changed.

• Required management responsibilities have changed.

• Agreed fee, billing arrangements, or key deliverables have changed.


• The agreed audit scope or engagement terms have changed (e.g. the audit fees have
changed or the auditor feels it is appropriate to re-issue to the company to remind
them of their responsibilities).

• A significant change in the nature or size of the company’s business.

• Changes in the legal structure or form of the company (e.g. there are new or divested
entities or the company became a listed company).

• A change in the financial reporting framework is adopted in the preparation of the
financial statements or other significant regulatory changes have impacted the audit.

For an audit already in progress, if there has been a change in terms of the audit
engagement needing to be agreed between the auditor and management, these should be set
out in an updated engagement letter.

Key Learning Point


An engagement letter must be current and agreed by both the auditor and those charged
with governance/management (as appropriate) and include certain minimum terms for all
audit engagements.


3.3.3.3 Contents of an Engagement Letter


HKSA 210, paragraph 10, contains the minimum requirements for the content of the
engagement letter:

(a) Objectives of services

• To audit the financial statements of the company.

• To provide reasonable assurance (explaining what that means and the inherent
limitations of the engagement) on those financial statements to conclude whether
as a whole they are free from material misstatement (whether due to fraud or
error) and to issue an auditor’s report that includes an opinion.

(b) Responsibilities of the directors

• To prepare financial statements for the company and its subsidiaries (if applicable)
that are in accordance with the applicable financial reporting framework, including,
where relevant, their fair presentation.

• To keep sufficient accounting records to support the financial statements.

• To prepare financial statements that comply with the disclosure requirements of
the Companies Ordinance (Cap.622 s.383) and associated ‘Disclosure of information
about Benefits of Directors’ regulation (Cap.622G) in respect of directors’
emoluments (all benefits received from the company, e.g. emoluments, retirement
benefits, termination payments, and loans).

• To establish such internal control as is necessary for the preparation of the financial
statements free of material misstatement.

• To provide the auditor with access to all information requested in connection with
the audit, all information relevant to the financial statement preparation, and
unrestricted access to persons within the company to enable the auditor to obtain
audit evidence.

• To provide the auditor with copies of any proposed (on or before circulation) and
passed written resolutions (together with related documents) that are required to
be sent to the members of the company.

• To prepare and approve the directors’ report in accordance with the Companies
Ordinance.

(c) Responsibilities of the auditor

• To prepare the auditor’s report and form an opinion on whether the company’s
financial statements dated XX are in accordance with the requirements of the
applicable financial reporting framework and comply with the Companies Ordinance.

• To also provide an opinion on whether the company has kept adequate accounting
records and whether those records agree with the financial statements.

• To include in the auditor’s report:

° A statement if they have not been able to obtain all information necessary and
material for the audit.


° A statement of the details required to comply with the requirements of the
Companies Ordinance (Cap.622 s.383) and associated ‘Disclosure of information
about Benefits of Directors’ regulation (Cap.622G) in respect of directors’
emoluments in the event that the company does not disclose this.

• To report if the financial statements do not comply with the applicable financial
reporting framework (either the HKICPA’s issued financial reporting standards or
the financial reporting standard for private entities).

• To read the information included in the directors’ report for any inconsistencies
with the financial statements and to report if they exist.

• To read the other information included in the annual report and consider whether
it is materially inconsistent with the financial statements and/or knowledge the
auditor obtained through the audit process.

(d) Scope of audit

The engagement letter is to indicate that the audit is to:

• Be conducted in compliance with HKICPA auditing standards, including ethical
requirements.

If applicable, the engagement letter is to reference a requirement for the auditor to
communicate key audit matters (KAMs) in the auditor’s report (for a listed company)
in compliance with HKSA 701 Communicating Key Audit Matters in the Independent
Auditor’s Report. (Note that it is optional for the auditor to adopt and report KAMs
for a non-listed company, and this is usually done in conjunction with the company
through discussions and agreement.)

• Obtain sufficient appropriate evidence to provide a basis for the audit opinion.

• Obtain an understanding of internal controls relevant to the audit (i.e. the audit of
the financial statements).

• Evaluate the appropriateness of the accounting policies the company has selected
and the reasonableness of the accounting estimates and related disclosures.

• Conclude on the appropriateness of the use of the going concern basis of
preparation of the financial statements and consider related disclosures to assess
the impact, if any, on the form and content of the auditor’s report.

• Evaluate the overall presentation, structure and content of the financial statements
and whether they represent the company’s underlying transactions and events in a
manner that achieves fair presentation.

The engagement letter should also point out that the audit is subject to inherent
limitations, as is the company’s internal control, and that the audit may not detect all
material misstatements. If applicable, for group audits, the engagement letter should
include statements that the auditor:

• Has the right to obtain information/explanations from any related company of the
company under Section 412 of the Companies Ordinance to assist the auditor in the
performance of their duties as auditor of the holding company.


• Will communicate with any auditor of a subsidiary, joint arrangement, or
associate to satisfy themselves that there is accounting policy uniformity (as far
as is practicable); that the consolidated financial statements contain information
as required by the Companies Ordinance, applicable accounting standards, and
any other relevant legislative requirements; and that all material aspects of the
consolidated financial statements have been subject to the audit in order to allow
them to form an opinion on those consolidated financial statements.

• Further, the engagement letter should indicate that the auditor:

° Will request written confirmation of representations obtained during the audit.

° Will request access to specific documents including the chairman’s statement,
operating and financial review, and the directors’ report, which are issued with
the financial statements.

• Finally, the engagement letter should include statements that:

° The company is responsible for safeguarding its assets, prevention and
detection of fraud, error, and non-compliance with law or regulations. The
auditor will, however, plan the audit to give them a reasonable expectation
of detecting material misstatements that may result from fraud or error or
non-compliance with the law or regulations.

° The auditor will not share information gained from the audit with any members
of the auditor’s firm other than those engaged on the audit.

° The auditor’s responsibilities end when the auditor’s report is issued on the
financial statements.

(e) Reporting

The engagement letter should include the expected form and content of the auditor’s
report and include a caveat that the report may need to be amended for the
circumstances.

(f) Other services

If applicable, the engagement letter should outline what other services have been
requested and that these are dealt with in a separate letter. (The auditor needs to
ensure that these other services are permissible by applicable law and do not pose a
conflict of interest/threat to their independence with the audit.)

(g) Fees

The engagement letter should set out the agreed fee for the audit (including
out-of-pocket expenses) and how the fees will be billed progressively throughout the
audit process.

(h) Agreement of terms

The engagement letter should indicate that it is effective from one audit appointment
to another, unless updated.

The company should be requested to sign and return the letter as
acknowledgement and agreement of its terms. If applicable, it should be indicated that
the engagement letter covers all subsidiaries of the company and that the company
should forward a copy of the letter to the board of directors of all subsidiaries so they
can confirm acceptance of the letter as well.

Apply and Analyse 3 – Adapted from Module C June 2016 Paper and
Appendix 1 to HKSA 210 Agreeing the Terms of Audit Engagements

Yay Manufacturing Company Limited is your new audit client and a listed company,
and prepares general purpose financial statements. They are not consolidated. You are
engaged to perform the audit of its financial statements for the year ended 31 December
20X7. Based on a discussion with the Chief Financial Officer of Yay Manufacturing Company
Limited, your audit engagement manager has prepared the following draft engagement
letter for your review:

[On Jin & Co Letterhead]

[Date]

To the Board of Directors of Yay Manufacturing Company Limited,

Objective of Services

You have requested that we audit the financial statements of Yay Manufacturing Company
Limited for the year ended 31 December 20X7. We are pleased to confirm our acceptance
and our understanding of this audit engagement by means of this letter.

The objectives of our audit are to obtain reasonable assurance about whether the
financial statements as a whole are free from material misstatement, whether due to fraud
or error, and to issue an auditor’s report that includes our opinion. Reasonable assurance
is a high level of assurance but is not a guarantee that an audit conducted in accordance
with Hong Kong Standards on Auditing (‘HKSAs’) will always detect a material misstatement
when it exists. Misstatements can arise from fraud or error and are considered material
if, individually or in the aggregate, they could reasonably be expected to influence the
economic decisions of users taken on the basis of these financial statements.

Scope of Audit

Our audit will be conducted in accordance with HKSAs issued by the Hong Kong Institute
of Certified Public Accountants. Those standards require that the auditor complies
with ethical requirements. As part of an audit in accordance with HKSAs, we exercise
professional judgement and maintain professional scepticism throughout. We also:

(a) Identify and assess the risks of material misstatement of the financial statements,
whether due to fraud or error, design and perform audit procedures responsive to
those risks, and obtain audit evidence that is sufficient and appropriate to provide
a basis for our opinion. The risk of not detecting a material misstatement resulting
from fraud is higher than for one resulting from error, as fraud may involve collusion,
forgery, intentional omissions, misrepresentations, or the override of internal control.



(b) Obtain an understanding of internal control relevant to the audit in order to
design audit procedures that are appropriate in the circumstances, but not for the
purpose of expressing an opinion on the effectiveness of the company’s internal
control. However, we will communicate to you in writing concerning any significant
deficiencies in internal control relevant to the audit of the financial statements that
we have identified during the audit. Any such report may not be provided to third
parties without our prior written consent. Such consent will be granted only on the
basis that such reports are not prepared with the interests of anyone other than
the company in mind and that we accept no duty or responsibility to any other
party as concerns the reports.

(c) Evaluate the appropriateness of accounting policies used and the reasonableness
of accounting estimates and related disclosures made by you.

(d) Conclude on the appropriateness of your use of the going concern basis of
accounting and, based on the audit evidence obtained, whether a material
uncertainty exists related to events or conditions that may cast significant doubt
on the company’s ability to continue as a going concern. If we conclude that a
material uncertainty exists, we are required to draw attention in our auditor’s
report to the related disclosures in the financial statements or, if such disclosures
are inadequate, to modify our opinion. Our conclusions are based on the audit
evidence obtained up to the date of our auditor’s report. However, future events
or conditions may cause the Company to cease to continue as a going concern.

(e) Evaluate the overall presentation, structure, and content of the financial
statements, including the disclosures, and whether the financial statements
represent the underlying transactions and events in a manner that achieves fair
presentation.

Because of the inherent limitations of an audit, together with the inherent limitations
of internal control, there is an unavoidable risk that some material misstatements may
not be detected, even though the audit is properly planned and performed in accordance
with HKSAs.

Fees

Our fees are computed on the basis of the time spent on your affairs by the partners and
our staff and on the levels of skill and responsibility involved plus out-of-pocket expenses.
Unless otherwise agreed, our fees will be billed at appropriate intervals during the course
of the audit and will be due on presentation.

We propose an audit fee of HK$250,000.

Agreement of Terms

Once it has been agreed, this letter will remain effective, from one audit appointment
to another, until it is replaced. Please sign and return the enclosed copy of this letter to
indicate your acknowledgement of, and agreement with, the arrangements for our audit of
the financial statements including our respective responsibilities.

Yours faithfully,

Jin & Co.

Certified Public Accountants

Date

We agree to the terms of this letter.

(Signed)

................................. Director, for and on behalf of the Board of Yay Manufacturing
Company Limited

Date

Required

Advise as to whether this draft engagement letter is compliant with HKSA 210 Agreeing the
Terms of Audit Engagements or, if not, what other information it should contain.

Analysis

Under HKSA 210 Agreeing the Terms of Audit Engagements, before the start of any
professional work, the auditor and the audited company should agree, in writing, the
scope and nature of the work to be undertaken. Paragraph 11 of HKSA 210 requires that
the agreed terms of the audit engagement must be in writing and in the form of a written
agreement. It further requires certain terms to be included in the engagement letter
including (but not limited to):

(a) The objective and scope of the audit of the financial statements;

(b) The responsibilities of the auditor;

(c) The responsibilities of management;

(d) Identification of the applicable financial reporting framework for the preparation of
the financial statements;

(e) Reference to the expected form and content of any reports to be issued by the
auditor; and

(f) A statement that there may be circumstances in which a report may differ from its
expected form and content.



Based on these requirements, the draft engagement letter, as prepared by your audit
manager, does not meet the requirements of the standard. The following have not been
included in the draft engagement letter and are required:

• The ‘responsibilities of management’ section – setting out their acknowledgement
and understanding of their key responsibilities related to the audit including
that they are responsible for the preparation of the financial statements in
compliance with the named applicable financial reporting framework (which
on the facts should be the Hong Kong Financial Reporting Standards), for keeping
sufficient accounting records to explain the company’s transactions, for ensuring
compliance with relevant requirements of the Companies Ordinance, for internal
controls relevant to ensuring the financial statements prepared are free from
material misstatement (whether due to fraud or error) and agreeing to allow
the auditor access to all information and persons requested in connection with
the audit.

• The ‘responsibilities of the auditor’ section – setting out the auditor’s own
acceptance of key responsibilities, including that they will issue an auditor’s report
to the company’s members containing their opinion of the truth and fairness of the
financial statements the company has prepared as compared to the requirements
of the applicable financial reporting framework, whether the financial statements
are in compliance with directors’ emoluments disclosures required by the
Companies Ordinance, if they have obtained all required information necessary
to the audit, and if they have identified any inconsistency between the financial
statements and any other information included in the annual report or the
directors’ report.

• Identification of the applicable financial reporting framework for the preparation
of the financial statements (as noted above this would be the Hong Kong Financial
Reporting Standards given the circumstances).

• Include a reference to the expected form and content of any reports to be issued
by the auditor.

• Include a statement that there may be circumstances in which a report may differ
from its expected form and content.

Key Learning Point


The incoming, newly appointed auditor must perform audit work on the opening balances,
regardless of whether those balances have been audited by another auditor, in order to
provide the newly appointed auditor primarily with sufficient appropriate audit evidence
that the opening balances do not contain material misstatements that could affect the
current period balances.


3.3.4 Opening Balances – Initial Engagement


A new auditor of a continuing company will have to perform work on the opening balances in
the financial statements as part of their audit planning procedures as required by HKSA 510
Initial Audit Engagements – Opening Balances (Exhibit 3.2). This is the case when:

• The financial statements for the prior period were not audited.

• The financial statements for the prior period were audited by a predecessor auditor.

PERFORM OPENING BALANCES WORK ON NEW AUDIT ENGAGEMENT

Review
• The most recent financial statements.
• The predecessor auditor’s report.
• Other relevant documents.

Obtain sufficient appropriate audit evidence about whether the opening balances
contain misstatements that materially affect the current period’s financial
statements.

Closing balances from prior year
Have prior period’s closing balances been correctly brought forward to the current
period?

Accounting policies application
• Have opening balances reflected the application of appropriate accounting policies?
• Have accounting policies been consistently applied?
• Have changes in accounting policies been accounted for and disclosed?

If prior year financial statements were audited
• Review the predecessor auditor’s working papers.
• Consider the professional competence and independence of the predecessor auditor.

If prior year financial statements were not audited
• Include a statement in the auditor’s report that the corresponding figures are
unaudited.

Current period
• Evaluate whether audit procedures performed in the current period provide
evidence on opening balances or performing other specific procedures set out in
Section 3.3.4.1, Key Procedures Required on Opening Balances.

EXHIBIT 3.2 Performing opening balances work on a new audit engagement

The work performed is designed to provide the incoming auditor with sufficient appropriate
audit evidence that the opening balances do not contain material misstatements that affect
the current period’s financial statements and the accounting policies adopted in the opening
balances have been consistently applied in the current period’s financial statements or, if there
have been changes, they have been appropriately accounted for and adequately presented and
disclosed in accordance with the applicable financial reporting framework.

Opening balances are defined in HKSA 510, paragraph 4 as ‘those account balances
that exist at the beginning of the period. Opening balances are based upon the closing
balances of the prior period and reflect the effects of transactions and events of prior periods
and accounting policies applied in the prior period. Opening balances include matters
requiring disclosure that existed at the beginning of the period, such as contingencies and
commitments’.

Below are the specific procedures required by HKSA 510:

(a) The auditor is to read the most recent financial statements, if any, and the predecessor
auditor’s report thereon, if any, for information relevant to opening balances, including
disclosures.

(b) The auditor is to obtain sufficient appropriate audit evidence about whether the
opening balances contain misstatements that materially affect the current period’s
financial statements by:

i. Determining whether the prior period’s closing balances have been correctly
brought forward to the current period or, when appropriate, have been restated;

ii. Determining whether the opening balances reflect the application of appropriate
accounting policies; and

iii. Performing one or more of the following:

1. Where the prior year financial statements were audited, reviewing the
predecessor auditor’s working papers to obtain evidence regarding the
opening balances;

2. Evaluating whether audit procedures performed in the current period provide
evidence relevant to the opening balances; or

3. Performing specific audit procedures to obtain evidence regarding the
opening balances.

(c) The auditor is to obtain sufficient appropriate audit evidence about whether the
accounting policies reflected in the opening balances have been consistently applied
in the current period’s financial statements and whether changes in the accounting
policies have been appropriately accounted for and adequately presented and
disclosed in accordance with the applicable financial reporting framework.

3.3.4.1 Procedures Required on Opening Balances


If the prior period’s financial statements were audited by a predecessor auditor and there was
a modification to the opinion, the auditor is required to evaluate (under HKSA 315 (Revised
2019), Identifying and Assessing the Risks of Material Misstatement) the effect of the matter giving
rise to the modification in assessing the risks of material misstatement in the current period’s
financial statements (HKSA 510.9).

For current assets and liabilities some audit evidence may be obtained as part of
performing the current period’s audit procedures. For example, the collection (payment) of
opening accounts receivable (accounts payable) during the current period will provide some
audit evidence of their existence, rights and obligations, completeness, and valuation assertions
at risk at the beginning of the period. In the case of inventories, however, the current period’s
audit procedures on the closing inventory balance provide little audit evidence regarding
inventory on hand at the beginning of the period.


Therefore, additional audit procedures may be necessary and one or more of the following
may provide sufficient appropriate audit evidence:

(a) Observing a current physical inventory count and reconciling it back to the opening
inventory quantities.

(b) Performing audit procedures on the valuation of the opening inventory items.

(c) Performing audit procedures on gross profit and cut-off. (HKSA 510.A6)

For non-current assets and liabilities, some audit evidence may be obtained by examining
the accounting records and other information underlying their opening balances. In certain
cases, the auditor may be able to obtain some audit evidence regarding opening balances
through confirmation with third parties, e.g. for long-term debt and investments. In other cases,
the auditor may need to carry out additional audit procedures (HKSA 510.A7).

Results of Audit Work


If the auditor obtains audit evidence that the opening balances contain misstatements that
could materially affect the current period’s financial statements, the auditor shall perform such
additional audit procedures as are appropriate in the circumstances to determine the effect on
the current period’s financial statements. If after the additional procedures the auditor
concludes that such misstatements exist in the current period’s financial statements, the
auditor shall communicate the misstatements with the appropriate level of management and
those charged with governance in accordance with HKSA 450 Evaluation of Misstatements
Identified During the Audit (HKSA 510.7). Chapter 10 in this module deals with audit reporting in detail.

Effect on Auditor’s Opinion


The auditor reaches one of the following conclusions: that there are no issues with the
opening balances; that they are unable to obtain sufficient appropriate evidence to form an
opinion on a certain area; that there is a material misstatement in respect of one or more
opening balances; or that there is a continuing issue with a balance(s) carried forward from
the prior auditor.

If the auditor is unable to obtain sufficient appropriate audit evidence regarding the
opening balances, the auditor modifies their opinion in accordance with HKSA 705 (Revised)
Modifications to the Opinion in the Independent Auditor’s Report and expresses a qualified opinion
or disclaimer of opinion on the financial statements, as appropriate (HKSA 510.10).

Below are illustrative examples of the inability to obtain evidence.

Illustrative Example 1 – HKSA 510 Illustration 1


If the auditor did not observe the counting of the company’s physical inventory (which is
material) at the beginning of the current period, he or she was therefore unable to obtain
sufficient appropriate audit evidence regarding the opening balances of inventory. The
possible effect is material but not pervasive to the company’s financial performance and
cash flows, and the financial position at the year end is fairly stated.



Extract from Auditor’s Report of the qualification wording to reflect the above situation:

Qualified opinion

In our opinion, except for the possible effects of the matter described in the Basis for
Qualified Opinion paragraph, the financial statements give a true and fair view of the state
of the company’s affairs as at 31 December 20X1, and of its profit and cash flows for the
year then ended in accordance with Hong Kong Financial Reporting Standards and have
been properly prepared in accordance with the disclosure requirements of the Companies
Ordinance.

Basis for qualified opinion

We were appointed as auditor of the Company on 30 June 20X1 and thus did not observe the
counting of the physical inventories at the beginning of the year. We were unable to satisfy
ourselves by alternative means concerning inventory quantities held at 31 December 20X0. Since
opening inventories enter into the determination of the profit and cash flows, we were unable to
determine whether adjustments might have been necessary in respect of the profit for the year
reported in the statement of profit or loss and other comprehensive income and the net cash
flows from operating activities reported in the statement of cash flows.

Illustrative Example 2 – HKSA 510 Illustration 2


If the auditor did not observe the counting of the company’s physical inventory (which
is material) at the beginning of the current period, he or she was therefore unable to
obtain sufficient appropriate audit evidence regarding the opening balances of inventory.
The possible effect is material but not pervasive to the company’s financial performance
and cash flows, and the financial position at year end is fairly stated. An opinion that is
qualified regarding the financial performance and cash flows and unmodified regarding
the financial position is considered appropriate in the circumstances.

Extract from Auditor’s Report of the qualification wording to reflect the above situation:

Qualified opinion on the financial performance and cash flows

In our opinion, except for the possible effects of the matter described in the Basis for
Qualified Opinion section of our report, the statement of profit or loss and other
comprehensive income and statement of cash flows give a true and fair view of the financial
performance and cash flows of the Company for the year ended 31 December 20X1 in
accordance with Hong Kong Financial Reporting Standards issued by the Hong Kong Institute
of Certified Public Accountants and have been properly prepared in compliance with the
Companies Ordinance.



Opinion on the financial position

In our opinion, the statement of financial position gives a true and fair view of the state
of the Company’s affairs as at 31 December 20X1 in accordance with Hong Kong Financial
Reporting Standards and have been properly prepared in accordance with the Companies
Ordinance.

Basis for qualified opinion, including basis for qualified opinion on the financial
performance and cash flows

We were appointed as auditor of the Company on 30 June 20X1 and thus did not observe the
counting of the physical inventories at the beginning of the year. We were unable to satisfy
ourselves by alternative means concerning inventory quantities held at 31 December 20X0. Since
opening inventories enter into the determination of the profit and cash flows, we were unable to
determine whether adjustments might have been necessary in respect of the profit for the year
reported in the statement of profit or loss and other comprehensive income and the net cash
flows from operating activities reported in the statement of cash flows.

If the auditor concludes that the opening balances contain a misstatement that
materially affects the current period’s financial statements, and the effect of the
misstatement is not appropriately accounted for or not adequately presented or disclosed,
the auditor is required to express a qualified opinion or an adverse opinion, as
appropriate (HKSA 510.11).

If the auditor concludes that:

(a) The current period’s accounting policies are not consistently applied in relation
to opening balances in accordance with the applicable financial reporting
framework; or

(b) A change in accounting policies is not appropriately accounted for or not
adequately presented or disclosed in accordance with the applicable financial
reporting framework

the auditor is required to express a qualified opinion or an adverse opinion as appropriate
in accordance with HKSA 705 (Revised) (HKSA 510.12).

If the predecessor auditor’s opinion regarding the prior period’s financial statements
included a modification to the auditor’s opinion that remains relevant and material to the
current period’s financial statements, the auditor is required to modify the auditor’s
opinion on the current period’s financial statements in accordance with HKSA 705 (Revised)
and HKSA 710 Comparative Information – Corresponding Figures and Comparative Financial
Statements (HKSA 510.13).


Apply and Analyse 4 – Adapted from Module C December 2013 Paper


You are Andy Jin, an audit partner of Jin & Co (‘Jin’). Recently you accepted a new audit
engagement of an established listed company, Yay Manufacturing Company Limited (‘Yay’).
The predecessor auditor issued an unmodified opinion for the most recent audited annual
financial statements. Yay manufactures battery components used in consumer mobile
devices and has an annual turnover exceeding US$700 million.

Its organisation structure is simple, with two manufacturing plants in China and a
trading company in Hong Kong. Yay’s business has experienced high growth given the
continued worldwide high demand for mobile devices. Due to more than doubling the
plant’s output in the last two years, revenue has increased more than 40%, with Yay’s
overall financial position improving due to the increased cashflow. Accounts receivables
have remained stable as Yay are very proactive in collecting their debts within their
required 60-day payment period.

Below is an extract of Yay’s significant statement of financial position items from the
prior year’s audited financial statements for the year ended 31 December 20X6. Assume
other items are regarded as insignificant.

US$ m
Property, plant, and equipment 1,500
Accounts receivables 100
Inventory 200
Cash 30
Accounts payable 240

You are now considering the overall audit approach for the opening balances.

Required

(a) Propose your overall opening balance audit strategy, with consideration that the
last appointed auditor might have had performance issues.

(b) Propose, with explanations, the audit procedures for each of the statements of
financial position items listed above.

Analysis

Answer to Part (a)

We should make reference to the Standard, HKSA 510 Initial Audit Engagements – Opening
Balances, which provides guidance on an opening balance audit when conducting an initial
engagement. Procedures to perform include:

• Given the last appointed auditor might have had performance issues, we should
question and carefully consider the competence and independence of the last
appointed auditor.

• We may consider a review of the last appointed auditors’ working papers and plan
to conduct certain re-performance of their work.



• We should assess whether the prior period’s closing balances have been correctly
brought forward to the current period.

• We should evaluate the appropriateness of the accounting policies applied –
including whether the opening balances reflect the application of appropriate
accounting policies, if accounting policies have been consistently applied, and
whether any changes in accounting policies have been accounted for and disclosed.

• We should also consider if we need to plan to perform current period audit
procedures to provide audit evidence on opening balances.

Answer to Part (b)

Given the significance of the following statement of financial position items, suggested
additional procedures to perform include:

• Property, plant, and equipment. Additional procedures to perform include:

° Given that the property, plant, and equipment balance is so materially
significant, we should validate the title of respective significant non-current
assets by examining their legal documents to verify the rights and obligations
assertion. A physical inspection of the property, plant, and equipment may also
provide some audit evidence as to the existence of the non-current assets at
the beginning of the period;

° Recalculating depreciation expense to ensure the depreciation policy is
consistently applied. Reviewing significant disposals during the year and checking
these are included in the opening balance of property, plant, and equipment; and

° Reviewing and assessing evidence in respect of the valuation of property, plant,
and equipment.

• Accounts receivables – The collection of opening accounts receivables tested during
the current period may provide some audit evidence as to their existence and
valuation at the beginning of the period. However, additional procedures may be
required, such as sending receivables confirmations on a sample basis to confirm
the existence and valuation of the larger balances with the larger customers at the
beginning of the period.

• Accounts payable – The payment of opening accounts payables tested during
the current period may provide some audit evidence as to their completeness
and valuation at the beginning of the period. However, additional procedures
may be required, such as sending confirmation on a sample basis to confirm the
completeness and valuation of the larger balances with the major suppliers at the
beginning of the period.

• Inventory – The current period’s audit procedures for the closing inventory balance
provide little audit evidence regarding the inventory on hand at the beginning of
the period. Additional procedures are necessary, for example:

° Observing a current physical inventory count and reconciling it with the
opening inventory quantities;

° Performing audit procedures on the valuation of the opening inventory items; or

° Performing audit procedures on gross profit and cut-off.

• Cash – Consider sending bank confirmations to confirm the existence and accuracy
of the opening bank balance if it is believed that the last auditor’s work does not
provide sufficient audit evidence as to the opening bank balance.

Knowledge Check Questions

Question 5
Explain why it is important to perform an assessment of engagement risk prior to
accepting the auditor’s appointment to the company.

Question 6
Chan & Co have been auditors of Ly Distribution Company for three years and have relied
on the same engagement letter issued when they were first appointed auditors of the
company, rather than re-issuing the letter each financial year. This has been on the basis
that nothing of audit significance has changed to require a new engagement letter being
issued. However, during the current financial year, Ly appointed a new Chief Executive
Officer. Explain whether this appointment warrants Chan & Co needing to issue a new
engagement letter.


SUMMARY

Exhibit 3.3 shows a summary of the client and engagement procedures covered in the chapter.

ACCEPT THE ENGAGEMENT?

Consider any
• Ethical issues
• Legal or regulatory issues
• Entity specific issues

Prospective new client? – Audit procedures
• Obtain details of last appointed auditors and consult with them.
• Consider pre-engagement risk.

Existing client? – Audit procedures
• Consider continuing pre-engagement risk.

Accept (or continue to accept) the engagement? YES / NO

If YES – Audit procedures
• Ensure outgoing auditor’s removal/resignation was properly conducted.
• Obtain and review special notice.
• Perform professional clearance procedures.
• Prepare and submit engagement letter.
• Verify opening balances.

EXHIBIT 3.3 Client and engagement procedures


MIND MAP

CLIENT AND ENGAGEMENT ACCEPTANCE PROCEDURES (central topic)

CLIENT AND ENGAGEMENT ACCEPTANCE PROCEDURES

Auditor appointment requirements
• Who can be appointed as an auditor?
• Who can appoint the auditor?
• Legislative process of appointing an auditor

Auditor appointment guidance and guidelines
• Appointment as joint auditor
• Filling a casual vacancy
• Appointment by a company acquired by a new company
• Previous auditor unpaid fees
• Providing information to the incoming auditor
• Statutory provisions

PROCEDURES FOR ACCEPTING A NEW ENGAGEMENT OVERVIEW

Standards affecting auditor appointments
• HKSQM
• HKSA 220 (Revised)
• COE

Key procedures performed prior to accepting an engagement
• Assess preconditions for the audit
• Perform engagement risk assessment
• Assess if the auditor can comply with the ethical requirements

Terms of the engagement considerations
• Components of acceptance of the engagement
• Agreed engagement terms
• Contents of an engagement letter

Opening balances – initial engagement

CHANGE OF AUDITOR

• Auditor Resignation
• Communication with the Audit Committee and the Board of Directors (Outgoing Auditor)
• The Incoming Auditor’s requirements
• Change of Auditor of a Listed Issuer of the Stock Exchange of Hong Kong
• The Announcement to be made by the Listed Issuer on the Change of Auditor

Answers to Knowledge Check Questions

Question 1
Answer A is incorrect. The company can change at any point.
Answer B is correct. The company is able to change auditor at any point during the
existing auditor’s term of appointment provided they have followed the correct statutory
procedure.
Answer C is incorrect. The company has complete ability to change auditor at any time and
does not need the existing auditor’s permission in order to change auditor.
Answer D is incorrect. The company is not required to give the existing auditor any
formal notice of the reasons for the change. They may give reasons informally, but this is
not required.

Question 2
Yes, the company is able to change their auditor at any time during the existing auditor’s
term, and for any reason, provided they adhere to the process set out in the Companies
Ordinance.

Question 3
You would contact the existing auditor to obtain additional information about the
issues raised in order to understand their impact, if any, on future audits and assess
their response when received. If appropriate, you would discuss with the company to
understand their perspective on the issues raised and to ascertain their position if the
issues have implications for future audits. Based on the information obtained from both
sources you would then decide whether it was still appropriate to accept the auditor
appointment.


Question 4
Answer A is incorrect. The auditor cannot accept the engagement if the outgoing auditor
has not responded to the letter request.
Answer B is incorrect. The incoming auditor is able to contact the outgoing auditor by other
means before deciding to decline the engagement.
Answer C is correct. Try contacting the incoming auditor again by other means.
Answer D is incorrect. The incoming auditor is required to resend the request but by other
means to have the best opportunity of receiving a response.

Question 5
The auditor may become aware of issue(s) they were previously unaware of, that they
consider in their professional judgement represent threats to the auditor’s independence,
which cannot be appropriately safeguarded. This in turn will cause the auditor to have to
decline the auditor appointment of the company.

Question 6
Yes, Chan & Co should issue a new engagement letter as the appointment of a new Chief
Executive Officer represents a significant change in key management personnel of Ly
Distribution Company and it is important that the new Chief Executive Officer understands,
acknowledges, and accepts the terms of the audit engagement on the company’s financial
statements. Consequently Chan & Co should attend to re-issuing the engagement letter to
the Chief Executive Officer.

EXAM PRACTICE

QUESTION 1
(Adapted from Module C June 2013 Paper)

You are the audit partner of Jintian CPA Hong Kong and have just received a request from
Jintian CPA London regarding a fee proposal for the audit of Mark Hong Kong Limited, a
material subsidiary of Peter Limited, which is the potential audit client of Jintian CPA London
for the year ending 30 June 20X7. During your firm’s standard client acceptance procedures,
you have identified that the spouse of a tax partner in your office is the Chief Financial
Officer of Mark Hong Kong Limited.

Required:

Analyse and explain the independence issues for the acceptance of the audit engagement of
Mark Hong Kong Limited and advise as to any relevant safeguards.

QUESTION 2
(Adapted from Module C September 2008 Paper)

YYY Holdings Limited (‘YYY’) is a listed company on the Main Board of the SEHK and was
established ten years ago. YYY manufactures and sells a wide range of electronic products
including portable speakers, sound bars, and TVs. YYY has over 6,000 employees located at
its four factories in mainland China.


Ms. Kim Au is the founder (and the Chief Executive) of YYY and has always placed a great
emphasis on her company producing innovative and quality products. In May 20X8, YYY’s
previous auditor (Yau and Co) retired and therefore declined to stand for re-appointment
after reporting on the financial statements for the year ended 31 December 20X7 at YYY’s
annual general meeting. In August 20X8, Ms. Au invited Ms. Pear Or’s firm (Bright and Co) to
be the new auditor. Ms. Au had previously met Ms. Or (an audit partner of Bright and Co) at
a charity dinner in 20X8, which YYY was sponsoring.

Ms. Or is in the process of assessing whether to accept this prospective audit
engagement. YYY’s Chief Financial Officer, Mr. Lim, has provided Ms. Or with the most recent
audited financial statements (from the year ended 31 December 20X8) and also provided the
current unaudited management accounts for the eight months ended 31 August 20X9.

Required:

(a) Consider what pre-engagement audit procedures (other than the independence
considerations) Bright and Co should carry out as prospective auditors before accepting
YYY’s audit engagement.

(b) Following on from part (a), explain how Ms. Or should assess the integrity of Ms. Au and
the key management of YYY.

(c) Explain the ethical obligations of Bright and Co regarding the change in auditor.

QUESTION 3
Your firm, Zhau and Company CPAs (‘Zhau’), currently provides a range of consulting services
to Industrial Transformers Group Pty Ltd (‘the Group’), a mid-sized private company with its
head office in Hong Kong and with two manufacturing plants in Zhejiang in mainland China.
The Group manufactures high quality electrical transformers (ISO 9001 certified) for use
in large scale industrial factories throughout China and has been growing steadily yearly
since it started over four years ago. These consulting services have included tax advisory,
corporate finance services (for acquisitions), internal audit services (co-sourced with their
internal audit function), and performing the ISO 9001 quality assurance accreditation
review. These services have been provided by Zhau’s advisory services practice and have
not involved any external auditors. You are aware that the group want to list on the SEHK in
the next year or two, due to their continued strong growth. Recently the new Chief Executive
Officer, Mr. Wong, approached you, as the senior audit partner of Zhau, to accept the
engagement to audit the Group for the next financial year, 31 December 20X9. The current
auditors are only a small CPA firm with one audit partner and Mr. Wong considers the group
have got to the size that the current auditors can no longer appropriately service their audit
requirements. The most recent auditor’s report issued on the 31 December 20X8 financial
year was unmodified and the fee appeared reasonable from what you understand of the
Group. Additionally, Mr. Wong is conscious that they intend to list the Group on the SEHK
within a couple of years and would like a firm of your size and reputation as auditors in
anticipation of this.

Required:

Describe the issues, if any, that Zhau and Company CPAs will have in accepting the auditor’s
appointment. Explain how they may mitigate these issues.


QUESTION 4
Your firm, Chiang Partners CPAs, have been the appointed auditors of Chen Manufacturing
Company Limited for the past three years and you have been the audit partner. Chen
manufacture clothes hangers and are the largest manufacturer in Shandong province.
Their financial position is solid and they have experienced modest growth in the last three
years. They have not expanded or acquired any other businesses in the last three years, but
you are aware they are looking to acquire the third largest Shandong manufacturer in the
next year to further improve their economies of scale and increase profitability. You have
just issued the new engagement letter for the upcoming 31 December 20X9 audit, with an
unchanged audit fee, and reflecting the recent appointment of a new Chief Financial Officer,
Ms. Deng. Having now received the letter, Ms. Deng has contacted you seeking a meeting to
discuss the proposed audit fee, with a view to you reducing the fee by 20%. Her reason for
the request is that she does not see the value in the financial statement audit process and is
focused on saving on compliance costs wherever possible.

Required:

Explain your position with respect to accepting Ms. Deng’s proposed 20% audit fee reduction
for the 31 December 20X9.

ANSWERS TO EXAM PRACTICE

QUESTION 1
A family member of a partner of Jintian CPA Hong Kong is an officer of Mark Hong Kong
Limited and this constitutes a serious threat to independence. These are familiarity threat,
self-interest threat, and intimidation threat due to the family and personal relationships. The
significance of the threats is assessed against the following criteria:

• The individual’s responsibilities on the assurance engagement. The tax partner is
a member of the audit engagement team and would provide taxation advice on
the audit.

• The closeness of the relationship. As a ‘spouse’ is an immediate family member as
defined in the COE, there is a close relationship.

• The role of another party at the company. We need to assess the responsibilities of
the Chief Financial Officer in the company. Normally, the Chief Financial Officer is
responsible for the accounting and financial functions of the company who will prepare
the accounting information for the audit.

Based on the above assessment, the threat should be considered to be significant.
Jintian CPA Hong Kong should inform Jintian CPA London of the threat and determine the
appropriate measures to eliminate the threats such as:

• Removing the tax partner from the engagement team, any other engagements with the
company, or within the company’s industry.

• Considering whether removing the tax partner is in itself sufficient to mitigate the
threat of perceived conflict of independence or the perception of bias by Jintian CPA
Hong Kong in respect of the audit of both Mark Hong Kong Limited and Peter Limited.

• Moving the tax partner’s spouse from the Mark Hong Kong Limited Chief Financial
Officer role to another position within the company that does not involve the
accounting and financial functions of the company or making significant decisions that
have consequences for the Mark Hong Kong Limited financial statements (unlikely).

• Declining the engagement.

Jintian CPA Hong Kong should not provide any assurance services to Jintian CPA London
on its services rendered on Mark Hong Kong Limited, including group reporting, as long as
the threat still exists.

QUESTION 2
(a) Bright and Co as a firm should already have established documented policies and
procedures for the acceptance and continuance of client relationships and specific
audit engagements in accordance with HKSQM1 Quality Management for Firms that
Perform Audits or Reviews of Financial Statements or Other Assurance or Related Services
Engagements.

In respect of this individual prospective audit engagement, Bright and Co should
also ensure that appropriate procedures regarding the acceptance of the new client
relationships are performed and that conclusions on those procedures are appropriate
and documented, in accordance with HKSA 220 (Revised) Quality Management for an
Audit of Financial Statements.

With the facts provided, Bright and Co should consider the following matters:

• The integrity of Ms. Au (founder and the Chief Executive).

• The integrity of other principal shareholders, key management personnel, and
those charged with governance. Bright and Co should also consider the extent of
influence by Ms. Au on those parties given she is the founder of YYY and also the
Chief Executive.

• Whether the engagement team has the competence and expertise to perform an
audit of a business operating in the fast-moving consumer electronic products
industry and has the necessary time and resources to perform a quality audit
(noting that Bright and Co is short of manpower).

• Whether Bright and Co and the engagement team can comply with the ethical
requirements. The engagement team should obtain such information as it
considers necessary in the circumstances before accepting an engagement by YYY
as a new client. Where issues have been identified and Bright and Co has decided
to accept the client relationship with YYY (in particular, the audit of its financial
statements for the year ended 31 December 20X8), Bright and Co should document
how the issues were appropriately resolved.

(b) Ms. Pear Or should consider the following when assessing the integrity of Ms. Au:

• The known business reputation of Ms. Au as founder and Chief Executive, other key
members of management, any significant related parties, and those charged with
YYY’s governance.

• The nature of YYY’s operations, e.g. whether or not YYY has engaged in any
speculative activities, accepted any unusually high business risks, has business
dealings with questionable third parties, or engaged in complex transactions
or aggressive deals that make the determination of the effects on the financial
statements unnecessarily highly subjective. These factors could all suggest that the
management is not acting in the best interests of YYY.

• Assess Ms. Au’s knowledge, attitude, and commitment towards matters related to
governance, internal control, and compliance with regulatory requirements and
contractual obligations. For example, does YYY have an aggressive interpretation of
certain accounting standards affecting its business, is there any evidence that YYY’s
internal control environment is poor or non-existent, or that Ms. Au may be able to
exercise her authority to override internal controls unnecessarily? Additionally, Ms.
Pear Or should conduct appropriate enquiries to assess if there is any indication of
money laundering and/or other criminal activities by Ms. Au (or YYY).

• Confirm whether the reason for the non-appointment of Yau and Co related to any
issues to do with the integrity of Ms. Au.

(c) Under the Code of Ethics for Professional Accountants (Revised 2021) (the Code) Chapter
A, Part 3, Section 200, Changes in a Professional Appointment, Bright and Co should
confirm whether the change of auditor has been properly dealt with in accordance with
the Companies Ordinance or other legislation/regulations.

If the change of auditor has not been properly dealt with, Bright and Co should not
accept the invitation to be appointed auditor of YYY. Bright and Co should also request
YYY’s permission to communicate with the outgoing auditor, Yau and Co. Bright and
Co should not accept the invitation without first sending Yau and Co a professional
clearance request as required by Chapter A, Part 3, Section 200 of the Code. This
request is to inquire whether Yau and Co wishes to raise any issue or circumstance with
Bright and Co in respect of the proposed auditor change that Bright and Co should be
aware of when deciding whether or not to accept the auditor appointment nomination.

Since YYY is a listed company, the change in auditor is also governed by Chapter
A, Part 3, Section 300 of the Code, Change of Auditors of a Listed Issuer of the Stock
Exchange of Hong Kong. In accordance with Chapter A, Part 3, Section 300 of the Code,
Bright and Co should request a copy of the letter of resignation and any correspondence
referred to in the letter directly from YYY for consideration in addition to the professional
clearance from Yau and Co before accepting the appointment. If YYY refuses to provide
Bright and Co with a copy of the letter of resignation and any correspondence referred to
in the letter of resignation, Jiang and Co should decline the appointment.

QUESTION 3
First, Zhau needs to consider if any of the consulting services currently provided would
prevent them from accepting the auditor’s appointment due to perceived or actual conflicts
of interest in independence.

You would need further information on the exact nature and scope of each of the
consulting engagements (tax advisory, contractual assistance, internal audit services, and
quality assurance accreditation) that would be performed by members of your advisory
service practice.

You would then need to consider if any of the consulting work already performed by the
advisory services practice would be required to be audited through the financial statement
audit process, due to its material impact on individual financial statement line items.
Any engagements where you or your external team could be auditing your own firm’s work
as part of the financial statement audit work would be inappropriate (conflict of interest).
Zhau can only mitigate this either by not accepting the audit appointment until such
time as it would no longer be auditing such work and has ceased to perform the consulting
work, or by simply not accepting the audit appointment and continuing to provide
consulting services to the Group. This decision would be made by the firm.

QUESTION 4
As the audit partner, you should not automatically accept the proposed fee reduction,
as it is without basis other than that the new Chief Financial Officer, Ms. Deng, does not
see value in your statutory audit process. If you, as an audit partner, consider that the
reduced fee is reasonable and still enables you to perform a quality, compliant audit in
accordance with the HKSAs, then you can consider accepting the proposed fee reduction. If
you do not consider the reduced fee to be reasonable, refuse to accept the reduction and
find that Ms. Deng insists, then you should first discuss the proposal with Chen’s board of
directors to assess if there is any possibility of continuing the audit engagement on the
current fee arrangement basis. If you assess they agree with Ms. Deng, you have the
following options:

• Further discussing with Ms. Deng, subsequent to your discussion with the board of
directors, her approach to the audit process to assess if you are satisfied you will be
able to conduct a compliant, quality audit.

• If you are satisfied by the outcome of your discussions with Ms. Deng, accept the
reduced fee. If this option is chosen, you would need to consider the impact on the
audit of a Chief Financial Officer who does not see the value of the audit process.
You would assess her attitude to the audit process and how committed she is to a
smooth audit process such that you can meet your required deadline for issuing the
auditor’s report. To this end, you would assess any prior knowledge of her from her
prior company(s) (if known or publicly available) and whether she appears to have a
commitment to quality financial statements being prepared by her finance team for
audit. For example, you would potentially increase your professional scepticism in your
dealings with her, including designing additional procedures to perform to corroborate
information she may have prepared or that you obtained directly from her. You may
also consider the impact of her attitude on whether there is an increased risk of her,
in her management role, and with such a cost focus, streamlining processes and
approvals, and potentially overriding key established internal controls to save time and
therefore money. Again, you would consider designing and performing additional audit
procedures to appropriately respond to any risk of this occurring.

• If you are not satisfied by the outcome of your discussions with Ms. Deng, decline to
continue as Chen’s auditor and resign before your end of term, due to the reduced
fee proposed by Chen. This is the most likely option, as clients seeking an arbitrary
reduction in audit fees, without basis, and simply from a cost control perspective may
not be willing to accept their responsibilities as outlined in HKSA 210 Agreeing the Terms
of Audit Engagements. Also, when you consider the additional procedures you may have
to perform (as outlined in the bullet point above), on a reduced fee base, the audit may
simply not be economically feasible to accept and still conduct an HKSA compliant,
quality audit.

4 Quality Management Considerations

CHAPTER TOPIC LIST

4.1 Quality Management
4.1.1 Hong Kong Institute of Certified Public Accountants (HKICPA)
4.1.2 IFAC and the IAASB
4.1.3 Scope

4.2 Quality Management Requirements
4.2.1 HKSQM 1
4.2.2 HKSQM 2
4.2.3 HKSA 220 (Revised)
4.2.4 The Firm’s Risk Assessment Process
4.2.5 Governance and Leadership
4.2.6 Relevant Ethical Requirements
4.2.7 Acceptance and Continuance of Client Relationships and Specific Engagements
4.2.8 Engagement Performance
4.2.9 Resources
4.2.10 Information and Communication
4.2.11 The Monitoring and Remediation Process
4.2.12 Engagement Quality Reviews
4.2.13 Summary of Quality Management Standards

4.3 Documentation of the System of Quality Management

4.4 Conformity and Compliance with International Standards on Quality Management Overview
4.4.1 International Forum of Independent Audit Regulators (IFIAR)
4.4.2 Strengthening Regulation in Hong Kong – the Financial Reporting Council (FRC)

LEARNING OUTCOMES

PRINCIPAL LO1: PERFORM ASSURANCE ENGAGEMENTS

LO1.03: Prepare, plan and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Management,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on:
Quality management considerations
1.03.01 Explain the principles and purposes of quality management of audit and other assurance
engagements
1.03.02 Analyse the features of a system of quality management relevant to a specific firm
1.03.03 Design quality management procedures relevant to a specific audit engagement
1.03.04 Consider whether an engagement has been performed in line with professional standards
and whether reports issued are appropriate

OPENING CASE

CHINA FOODS LTD

China Foods Ltd (CFL) operates in mainland China and is listed in Hong Kong. CFL’s stock
price crashed by 95% after an investment analyst said the company was worth nothing.
CFL’s management had made fraudulent statements in its earnings reports and overstated its
capital spending on farm acquisitions. Its chairman was accused of embezzling RMB 200 million
in company funds.

Before joining CFL, the company’s chief financial officer had worked for CFL’s auditor for
10 years. At CFL, he received an annual salary of RMB eight million. News of CFL’s stock price
collapse came after its auditor, a large CPA firm, had approved the company’s past three annual
reports. According to CFL’s most recent annual report, the audit fee was RMB seven million.
How did the auditor fail to detect the fraud?

An investment analyst could not have convinced CFL to assist in its investigation, and yet
the analyst worked out that CFL’s stock was worthless. In contrast, the auditor had unrestricted
access to CFL’s books and could also ask for external confirmation of the company’s finances
from banks, lawyers, customers and others. Are auditors truly so incompetent that they failed
to notice anything wrong? Or were they complicit in the CFL fraud?

OVERVIEW

To perform audits, auditors, like other professionals, must be licensed by governments and
professional associations. As explained by public interest theory, auditors provide a social good
when they report reliable information to regulators, markets and other stakeholders about
businesses and other organisations. This information is valuable because, as reported in PwC’s
Global Economic Crime and Fraud Survey 2020
(https://www.pwc.com/gx/en/services/forensics/economic-crime-survey.html):

• 47% of companies experienced fraud in the last two years.

• Companies reported an average of six frauds.

• The most common frauds were customer fraud, cybercrime and asset
misappropriation.

• The split between internal and external perpetrators was 50/50.


• 13% of companies experiencing fraud lost $50 million or more.

• The estimated total cost was $42 billion.

In order to provide this important public service, an auditor’s report must possess the
characteristics of any good performance measure. It must be reliable, relevant, timely,
complete and clear. Such a report can only be achieved by a high-quality audit. Audit quality is
critical to the stakeholders – the shareholders, customers, employees, regulators, markets and
others – who rely on the information auditors provide.

Audit risk is a measure of the likelihood of audit failure – the risk that the auditor’s opinion
will state that the financial statements are free of material misstatement when they are not.
High-quality audits reduce audit risk and the frequency of audit failure. They enhance the
reputation of the profession and ensure its economic viability.

In contrast, low-quality audits increase audit risk and the frequency of audit failure; the
reputation of the profession is damaged, audit firms are sued for negligence and audit firm
profitability is threatened. Audit quality is fundamental to the usefulness of the auditor’s report
and the reputation and economic viability of the profession.

Many mechanisms exist that support audit quality. These exist at the individual, firm,
professional, national and international levels. This chapter discusses mechanisms that
operate at all of these levels with a focus on those under the control of the auditor, the audit
firm and the profession. Section 4.1 introduces some quality management mechanisms at
the professional (HKICPA and IAASB) level. Sections 4.2 and 4.3 provide a summary of the
requirements of the quality management standards provided by these same two bodies for
audit firms and audit engagements. Finally, Section 4.4 discusses recent developments in
national (Hong Kong’s Financial Reporting Council, or FRC) and international (International
Forum of Independent Audit Regulators) regulatory mechanisms.

Key Learning Point


The objective of an audit is to provide assurance on information relevant to market
participants. This objective can only be achieved by a high-quality audit. Poor-quality audits
lead to audit failure, damage to the reputation of the profession and lawsuits against
auditors.

4.1 QUALITY MANAGEMENT

Many factors contribute to or influence the quality of audit, and chief among them are the skills
and experience of the people doing the audit. Another is the rigour of the audit methodology.

Quality management (QM) is a broad concept. For a public accounting firm, QM
comprises:

• All of those policies and procedures adopted and carried out by the firm to ensure it
meets its responsibilities to its clients and to the public interest.
• Policies and procedures that ensure the firm meets its responsibilities to national
and international regulators (e.g. the FRC and the Hong Kong Stock Exchange), to the
profession (HKICPA and the International Federation of Accountants, or IFAC) and
under the law (in Hong Kong, the Companies Ordinance and the Professional Accountants
Ordinance).

4.1.1 Hong Kong Institute of Certified Public Accountants (HKICPA)


4.1.1.1 Standards
The Hong Kong Quality Management Standards include:

• Hong Kong Standard on Quality Management 1, Quality Management for Firms that
Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services
Engagements.

• Hong Kong Standard on Quality Management 2, Engagement Quality Review.

• HKSA 220 (Revised), Quality Management for an Audit of Financial Statements.

In general, the standards:

• Strengthen and modernize the audit firm’s approach to quality management.

• Address an evolving and increasingly complex audit ecosystem, including growing
stakeholder expectations and a need for quality management systems that are
proactive and adaptable to new technology, networks and the use of external service
providers.

• Improve the scalability of the standards by promoting adoption of QM systems tailored
to the nature and circumstances of the firm and its engagements.

• Increase firm leadership responsibilities and accountability and improve firm
governance.

• Provide more rigorous monitoring of quality management systems and remediation
of deficiencies.

• Enhance the engagement partner’s responsibility for audit engagement leadership and
audit quality.

• Address the robustness of engagement quality reviews, including engagement
selection, documentation and performance.

Changes to the Quality Standards

The IAASB replaced the International Standard on Quality Control (ISQC 1) with the
International Standards on Quality Management (ISQM 1 and ISQM 2) and revised the auditing
standard ISA 220, effective December 15, 2022. (See Section 4.4, Conformity and Compliance
with International Standards on Quality Management Overview.)

• ISQM 1 focuses and builds on the existing quality management elements introduced in
ISQC 1 and introduces quality risk assessment for all assurance engagements.

• ISQM 2 focuses on the role and responsibilities of the Engagement Quality Reviewer.

• ISA 220 (Revised) is similar to ISQM 1, but applies specifically to audit engagements and
the responsibilities of the engagement partner.

In Hong Kong, the IAASB’s new and revised Quality Management Standards have been
adopted and are also effective from 15 December 2022. While many of the requirements of the
prior standards (HKSQM 1 and HKSA 220) have been retained, significant new requirements
have been added. The requirements of the quality management standards are discussed in
Sections 4.2 and 4.3 below.

The HKICPA is involved in other aspects of quality management; notably, their practice
review programme, their publication programme and their education programme for the
qualification of new CPAs and the professional development of members.

4.1.1.2 Practice Review


Practice review is a quality assurance programme for audit and other assurance services
provided in Hong Kong by audit firms. The Institute first introduced practice review in 1992
under the Professional Accountants Ordinance. Practice review can encourage and assist
practice units to improve adherence to professional standards and raise the quality of auditing.
The results from the practice review programme provide valuable content to the Institute’s
programmes of education. Practice review can be constructive and helpful to members while
still effectively fulfilling an important regulatory role.

The review process has a focus on risk in the selection of audit firms and audit
engagements for review. Attention is paid to firms that are engaged in auditing listed entities
and public interest entities. Practices with listed entity client(s) are visited at least once every
three years. In the most recent year, the Quality Assurance Department carried out over 300
practice reviews.

Some of the common concerns that surface during practice reviews are summarised in the
latest Quality Assurance Department report.

A practice review complaint may result in the cancellation of the practising certificate of the
respondent. Practice units should make quality and compliance a prime concern in their audit
work and cooperate with the practice review process.

In October 2018, a programme of monitoring of compliance with the Guidelines on
Anti-Money Laundering (AML) and Counter-Terrorist Financing for Professional Accountants
was introduced as part of the practice review programme.

4.1.1.3 Publications
A useful public education publication of the HKICPA is Audit Committees and Audit Quality. A key
component of good corporate governance, and of audit quality, is the audit committee. The
guide is designed to foster better communication, interaction and understanding between
audit committees, board members and their external auditor.

The HKICPA maintains a useful Resource Centre
(https://www.hkicpa.org.hk/en/Standards-and-regulation/Standards/Resource-centre).
The Resource Centre contains much information
relevant to auditors regarding the standards and regulations.

Key Learning Point


The main quality management mechanisms established by the accounting profession are
their standard setting activities, their educational programmes for new entrants and for
members, their practice review programme and their publication programme.

4.1.2 IFAC and the IAASB


The International Federation of Accountants (IFAC) is a global organisation for the accountancy
profession dedicated to serving the public interest by strengthening the profession and
contributing to the development of strong international economies. IFAC consists of over
175 members and associates in more than 130 countries and jurisdictions. This represents
almost three million accountants in all areas and industries.

IFAC, through the International Forum of Independent Audit Regulators (IFIAR), collects
information from audit regulators throughout the world about deficient audit engagements
and audit firms. This information is compiled and used to guide the improvement of existing
standards. See Section 4.4.1.

IFAC oversees four independent standard setting bodies:

• The IAESB (education standards),

• The IESBA (ethics standards),

• The IPSASB (public sector standards) and

• The IAASB (audit and assurance standards).

The International Auditing and Assurance Standards Board (IAASB) is an independent
standard-setting body that serves the public interest by setting high-quality international
standards for auditing, quality management, review, other assurance and related services, and
by facilitating the convergence of international and national standards.

A useful publication relating to audit quality is the IAASB’s First Time Implementation
Guide for the International Standard on Quality Management 1, Quality Management for Firms
that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services
Engagements (June 2021). The publication compares the content of ISQC 1 and ISQM 1, and
highlights the new content. It also provides numerous illustrations of how the requirements
of ISQM 1 are to be applied. A First Time Guide is also available for ISQM 2 Engagement
Quality Reviews:
https://www.ifac.org/system/files/publications/files/IAASB-ISQM-1-first-time-implementation-guide-quality-management.pdf.

Many more IAASB print, podcast and video resources regarding quality management are
available at https://www.iaasb.org/focus-areas/quality-management.

Key Learning Point


The IAASB has published ‘First Time Guides’ for both HKSQM 1 and 2. These guides,
while not authoritative, point out differences between the new and old quality standards
and provide guidance on the reasons for the changes and how to implement the new
standards.

4.1.3 Scope
Compliance with the professional standards is an important part of quality management (QM),
but an effective system of QM is far broader and affects many aspects of a public accounting
firm’s activity.

However, QM policies and procedures cannot be universally prescribed. Appropriate
systems of QM are determined by many variables including firm size, number of offices,
network affiliations, regulatory requirements and the nature of the work performed by the firm.

Illustrative Example 1
A multinational CPA firm performing complex audits in multiple jurisdictions controlled
by numerous regulators and legal codes would be expected to have a very extensive
system of QM. In contrast, a much simpler system of QM would be appropriate to a
small CPA firm serving a number of small audit clients in a single jurisdiction. While very
different, when appropriately designed, both firms’ QM systems would comply with the
professional standards and relevant regulations.

Knowledge Check Questions

Question 1
Describe in what ways professional associations ensure the quality of audits.

Question 2
Explain the benefits of high-quality audit work.

4.2 QUALITY MANAGEMENT REQUIREMENTS

As noted above, the main professional standards dealing with quality management include:

• HKSQM 1 Quality Management for Firms that Perform Audits or Reviews of Financial
Statements, or Other Assurance or Related Services Engagements

• HKSQM 2 Engagement Quality Reviews

• HKSA 220 (Revised) Quality Management for an Audit of Financial Statements

Section 4.2 addresses the requirements of the three key quality management (QM)
standards. The objective of the section is to provide a useful and readable introduction
to the standards. It is, however, incomplete. Some of the requirements and supporting
explanations found in the standards are not mentioned. In particular, the application of the
requirements of the standards to network firms, and to other relatively complex situations
is not fully addressed. It is intended that the information provided here will give readers a
familiarity with the standards that will facilitate future reference as required.

Sections 4.2.1 to 4.2.3 below provide an overview of the standards. The following
sections 4.2.4 to 4.2.11 discuss the eight components of a System of Quality Management
(SOQM). These components form the basic structure of both HKSQM 1 and HKSA 220 (Revised).
Section 4.2.12 discusses HKSQM 2 Engagement Quality Reviews (EQR).

4.2.1 HKSQM 1
HKSQM 1 deals with QM at the firm level. It requires the firm to design, implement and operate
a system of QM (the SOQM) to manage the quality of all assurance engagements performed by
the firm (audits and reviews of financial statements and other assurance and related services
engagements). The firm’s SOQM enables and supports engagement teams in performing
quality engagements.

Under HKSQM 1, firms are required to:

• Design, implement and operate an SOQM to manage the quality of engagements
performed by the firm. This shift in focus from quality control (HKSQM 1) to quality
management is achieved by incorporating a risk-based approach, i.e. managing risks to
quality (see Section 4.2.3).

• Increase firm leadership responsibilities and accountability and improve firm
governance.

• Take into consideration the evolving and increasingly complex environment, including
addressing the impact of technology, networks and the use of external service
providers.

• Monitor their QM systems and remediate deficiencies.

• Evaluate the SOQM at least annually.

4.2.2 HKSQM 2
An important aspect of engagement performance is the Engagement Quality Review, which
is, in part, implemented by the firm to address professional judgment and professional
scepticism. HKSQM 2 Engagement Quality Review deals with this matter. See Section 4.2.12.

HKSQM 2 deals specifically with engagement quality reviews, which are a key part of the
firm’s SOQM. HKSQM 2 includes specific requirements for:

• The appointment and eligibility of the engagement quality reviewer.

• The performance of the engagement quality review.

• The documentation of the engagement quality review.

4.2.3 HKSA 220 (Revised)


HKSA 220 (Revised) is an auditing standard (not a quality standard) and so applies to audits
of financial statements and deals with the responsibilities of the auditor regarding QM at the
engagement level and the responsibilities of the engagement partner. It makes clear that the
engagement partner is responsible for:

• Managing and achieving quality at the engagement level, including implementing the
firm’s responses to quality risks.
• Determining that there are sufficient and appropriate resources made available on a
timely basis.

• Determining the nature, timing and extent of direction, supervision and review.

• Determining whether they have done enough to take overall responsibility for
managing and achieving quality on the audit and whether their involvement has been
sufficient and appropriate (a ‘stand-back’ provision).

HKSA 220 (Revised) also clarifies other important quality management related issues:

• The public interest role of audits.

• The appropriate application of professional judgment and the exercise of professional
scepticism.

• Changes in audit delivery models and the use of technology.

Unsurprisingly, a comparison of the content of HKSQM 1 and HKSA 220 (Revised) shows
much similarity. The fundamental requirement of both standards is that the responsible party
(the assurance firm in HKSQM 1 and the audit engagement partner in HKSA 220 (Revised)) shall
establish and maintain a SOQM that addresses each of the eight components of a SOQM as
defined in HKSQM 1.

The following list of components is taken from HKSQM 1.6. Sections 4.2.4 through 4.2.11 of
this chapter discuss each of these components in turn. Components one and seven (The firm’s
risk assessment process and Information and communications) have been introduced in HKSQM 1
and were not part of the prior quality standard HKSQC 1. The change of the title of the standard
from quality control to quality management is based on the inclusion of the risk
management component; simply, QC + risk management = QM.


Components of an SOQM

1. The firm’s risk assessment process

2. Governance and leadership

3. Relevant ethical requirements

4. Acceptance and continuance of client relationships and specific engagements

5. Engagement performance

6. Resources

7. Information and communication

8. The monitoring and remediation process

In HKSA 220 (Revised), the relevant components of an SOQM are the same as those listed
above. Differences between the two standards arise largely as a matter of the level addressed
by the two standards (the firm level in HKSQM 1 vs. the engagement level in HKSA 220
(Revised)).

It should be noted that a firm’s SOQM is not required to be designed around these
8 components. Alternative designs are acceptable as long as all of the components are
effectively included.

Key Learning Point


HKSQM 1 and HKSA 220 (Revised) are both structured around the eight components of an
SOQM. The standards differ mainly because of their focus: on the firm (HKSQM 1) and on
audit engagements (HKSA 220 (Revised)).

4.2.4 The Firm’s Risk Assessment Process


HKSQM 1 23–27, This component identifies the process the firm is required to follow in implementing a
34, A39–A54;
HKSA 220 risk-­based approach to quality management. The process consists of:
(Revised) A12.
• Establishing quality objectives,

• Identifying and assessing quality risks to the achievement of the quality objectives and

• Designing and implementing responses to address the assessed quality risks (see
Exhibit 4.1).

[Flow diagram: Establish quality objectives; Identify and assess quality risks; Design and
implement responses; Identify information indicating need to add/modify quality objectives,
quality risks or responses]

EXHIBIT 4.1 The firm’s risk assessment process


How the firm goes about establishing quality objectives, identifying and assessing quality
risks, and designing and implementing responses will vary from firm to firm. The approach is
influenced by the nature and circumstances of the firm, including how the firm is structured
and organized. Information sources to enable the risk assessment process include:

• The results of the firm’s monitoring and remediation process (SOQM Component 8).

• Information from the firm network about network services.

• Complaints and allegations.

• External inspections.

• Information from regulators about client entities.

• Changes in the SOQM.

HKSQM 1.25 and 1.34 identify a number of potential sources of risks:

• Changes in the SOQM or the firm.

• Complexity.

• The business model of the firm.

• Types of engagements and client entities.


• Management style.

• Human, technical and intellectual resources.

• Leadership responsibilities are not clearly defined.

• Environment – laws, regulations and standards.

• The firm network.

HKSQM 1.34 provides examples of risks that might arise and appropriate responses that
might be adopted. Examples include non-compliance with the Code of Ethics, independence
breaches, complaints, non-compliance with firm policy and significant information about a
client relationship. Responses may operate at the firm or engagement level, or both. Responses
might require changing, or adding to, the quality objectives, or a reassessment of the
quality risks.

Apply and Analyse 1


Review the opening case on China Foods Ltd and identify the quality risks.

Analysis

The analysis below identifies key information from the case (1–5), in each instance followed
by a risk analysis.

1. Management had made fraudulent statements in its earnings reports and
overstated its capital spending on farm acquisitions. Its chairman was accused of
embezzling RMB 200 million in company funds.


• Senior management at CFL were criminals and lacked integrity. The auditor’s
client continuance procedures were clearly deficient.

• The case raises questions about both the competence and the ethics of the
auditor. Either the auditor made a very obvious error or was complicit in
the fraud.

• The law and the litigation environment failed to deter either the criminal
activity of CFL’s senior management or the negligence of the audit firm.

• The corporate governance of CFL was inadequate.

2. The company’s CFO had worked for CFL’s auditor for 10 years.

• A significant independence threat (familiarity) because CFL’s CFO was a 10-year
employee of the audit firm. Auditor rotation procedures were deficient or
inadequate.

3. The CFO received an annual salary of RMB eight million.

• A significant self-interest threat.

4. Its auditor, a large CPA firm, had approved the company’s past three
annual reports.

• Given the repeated audit failures, we can conclude that the evidence gathering
processes and the reporting procedures carried out by the auditor were
deficient.

• Audit regulators in Hong Kong, and the profession, failed to prevent, or to
detect and correct, the auditor’s poor-quality work and the audit failure.

5. The audit fee was RMB seven million.

• If this is a significant portion of the income of the audit firm, it is likely that
commercial considerations influenced the auditor.

Key Learning Point


All firms are required to have a risk-based SOQM in place effective by December 15, 2022
and to evaluate the system by the end of the following 12-month period.

4.2.5 Governance and Leadership


HKSQM 1 20,28, A55–A61; HKSA 220 (Revised) 13–15, A28.

This component deals with matters such as the firm’s culture, leadership responsibility and
accountability, the firm’s organizational structure, assignment of roles and responsibilities, and
resource planning and allocation.


Leadership is dealt with briefly in HKSA 220 (Revised), which states that audit quality is
the responsibility of the engagement partner. In HKSQM 1, paragraph 20 states that the firm’s
system of quality management is the ultimate responsibility of the firm’s CEO or board of
management. Where responsibility is delegated to another person by the responsible party,
appropriate policies must exist to ensure that the person has appropriate authority, experience
and ability to carry out the role effectively.

HKSQM 1 emphasises the importance of a quality culture that recognises and reinforces
the public interest, ethics and the priority of quality in the firm’s strategic decision making. The
firm’s leadership significantly influences the firm’s quality culture. The promotion of a
quality-oriented internal culture depends on recognition and rewards for high-quality work.
Appropriate professional values and attitudes include a professional manner, a commitment to
teamwork and continual improvement, maintaining an open mind, social responsibility and
pursuit of excellence.

HKSQM 1.A55–61

QM policies should show:

• How performance evaluation, compensation and promotion all reflect the firm’s
overriding commitment to quality.

• That commercial considerations do not override the quality of work performed.

• Provision of resources for the development, documentation, and support of quality.

Key Learning Point


The Governance and leadership component of the SOQM requires firms to establish and
promote a quality culture. Clear, consistent and frequent actions and communications at
all levels collectively contribute to a quality culture.

4.2.6 Relevant Ethical Requirements


This component deals with the fulfilment of ethical requirements by the firm and its personnel
and, where required, by others external to the firm.

HKSQM 1.29, A62–A66; HKSA 220 (Revised) 16–21, A38–A48.

Chapter 1 of this Module is titled Ethical Standards, Legislation and Professional Guidance. All
of the important QM issues relating to ethics and independence are dealt with in Section 1.2.2.2
of Chapter 1. The following is a brief summary of material relevant to the SOQM from
Chapter 1.

HKSQM 1 includes several paragraphs relating to ethics and makes reference to the
authority of the Code, and to other laws and regulations (HKSQM 1.A65).

Paragraph 29 requires firms to establish policies and procedures designed to provide
reasonable assurance that:

• The firm and its personnel comply with relevant ethical requirements, i.e. the Code of
Ethics for Professional Accountants (Code).


• The firm and its personnel maintain independence where required by the Code, laws
and regulations.

• Others, including network firms and service providers, understand and fulfill their
responsibilities in relation to ethical requirements.

HKSA 220 (Revised).16–21; A38–A48

HKSA 220 (Revised) paragraphs 16–21 and A38–A48 deal with ethics in the audit
engagement. The content here is very similar to HKSQM 1.

HKSA 220 (Revised) paragraphs 16–21 mirror the requirements of the Code. The audit
engagement partner is required to monitor engagement personnel’s ethical behaviour
and to act when necessary. The engagement partner must identify and evaluate threats to
independence and act to eliminate or reduce any identified threats to an acceptable level, or
withdraw from the audit.

Key Learning Point


Independence is fundamental to audit quality. The Code of Ethics for Professional Accountants
provides an extensive discussion on independence. The Code first identifies threats to
independence and then safeguards that might be used to reduce or eliminate these
threats.

Apply and Analyse 2


Refer to the opening case of China Foods Ltd. In that case, it was noted that:

• Before joining CFL, the company’s chief financial officer had worked for CFL’s audit
firm for 10 years.

• According to CFL’s most recent annual report, the audit fee was RMB seven million.

Describe the safeguards that should have been put in place by the auditor to deal with
these threats to the auditor’s independence.

Analysis

The first point above is a familiarity threat; the second is an intimidation threat and a
self-interest threat.

• Familiarity. Safeguards regarding familiarity suggest the rotation of senior audit
staff including the engagement partner and the EQ Reviewer.

• Intimidation and self-interest. Safeguards regarding audit fees suggest that if a
client’s fees represent a significant proportion of the revenue of one partner, the
firm should have the partner’s work reviewed by another partner. For a client that
is a listed entity (CFL is listed), an EQR is required.


4.2.7 Acceptance and Continuance of Client Relationships and Specific Engagements

HKSQM 1 30, A67–A74; HKSA 220 Revised 22–24, A49–A58.

This component deals with the firm’s judgments about whether to accept or continue a client
relationship or specific engagement. Chapter 3 of this Module is titled Client and Engagement
Acceptance Procedures. All of the important QM issues relating to client engagement and
acceptance are dealt with in Section 3 of that chapter. The following is a brief summary of
relevant material from Chapter 3.

The firm is required to ensure that the assurance provider:

• Is competent to perform the engagement.

• Has the capabilities, including the time and resources, to perform the engagement.

• Can comply with relevant ethical requirements.

• Has considered the integrity of the client and does not have information that would
lead them to conclude that the client lacks integrity.

The firm should consider whether the engagement involves a potential conflict of interest
and if the engagement should be declined. Where a potential conflict of interest exists and
the engagement is accepted, the firm must document how the conflict has been resolved. In
particular, the firm is required to address the financial and operational priorities of the firm in
the context of making decisions about whether to accept or continue a client relationship or
specific engagement (e.g. when the client lacks integrity and ethical values).

If the firm obtains information after accepting a client that may have caused it to decline
the engagement, the firm is to consider the professional and legal responsibilities that apply to
the circumstances and the possibility of withdrawing from the engagement.

HKSA 220 (Revised) paragraphs 22–24 require the engagement partner to be satisfied
that appropriate procedures regarding the acceptance and continuance of a client have
been performed and that conclusions reached from those procedures were appropriate. If
the engagement partner obtains information that would have caused them to decline the
engagement, they are required to advise the firm so that appropriate action can be taken.

Key Learning Point


When accepting or continuing a client engagement, the firm must consider its own capabilities
and the independence of its personnel, but also the integrity of client management.

4.2.8 Engagement Performance


HKSQM 1 31, A75–A85; HKSA 220 (Revised) 29–38, A80–A108.

This component deals with the firm’s actions to promote and support the consistent
performance of quality engagements. Key elements of engagement performance include
assignment of personnel, direction, supervision, review, consultation and resolution of
differences of opinion. Engagement performance also includes the firm’s support for
engagement teams in exercising professional judgment and professional scepticism. See
Section 4.4.1 for a listing of deficiencies in auditor’s performance as reported by the IFIAR.


Direction and supervision means:

• Tracking the progress of the engagement.

• Considering the competence and capabilities of personnel, whether they have sufficient
time to carry out their work, whether they understand their instructions, and whether
the work is being carried out in accordance with the engagement plan.

• Addressing matters arising during the engagement, considering their significance and
modifying the plan appropriately.

• Identifying matters for consultation or consideration by more experienced engagement
team members during the engagement.

HKSQM 1.A76

Review means:

• The work of less experienced team members is reviewed by more
experienced members.

• The work has been performed in accordance with professional standards and
applicable legal and regulatory requirements.

• The work performed supports the conclusions reached and is appropriately
documented.

Consultation means:

• Consultation includes discussion with individuals who have specialised expertise.

Appropriate recognition of consultation in the firm’s policies and procedures helps to
promote a culture in which consultation is recognised as a strength and encourages personnel
to consult on difficult or contentious matters.

Effective consultation on significant technical or ethical matters can be achieved when
those consulted are given all the relevant facts and have appropriate knowledge, seniority and
experience, and when conclusions resulting from consultations are appropriately documented
and implemented.

HKSA 220 (Revised) 29–38

HKSA 220 (Revised) mainly concerns the responsibilities of the engagement partner.
HKSA 220 (Revised) makes it clear that all aspects of engagement performance are the
responsibility of the engagement partner. Some of those listed include:

• The direction and supervision of the members of the engagement team and the review
of their work, and determining that the nature, timing and extent of direction, supervision
and review is planned and performed in accordance with the firm’s policies, with
professional standards and applicable legal and regulatory requirements.

• On or before the date of the auditor’s report, be satisfied that sufficient appropriate
audit evidence has been obtained to support the conclusions reached, and for the
auditor’s report to be issued.

• Undertake consultation on difficult or contentious matters and be satisfied that
members of the engagement team have undertaken appropriate consultation and that
conclusions resulting from such consultations have been implemented.


• For audits of financial statements of listed entities, ensure that an Engagement Quality
Reviewer has been appointed, discuss significant issues and do not date the auditor’s
report until the completion of the EQR.

Key Learning Point


Satisfactory engagement performance is achieved when the engagement partner ensures
that sufficient appropriate evidence has been obtained to support the conclusions reached
and for the assurance report to be issued. Engagement performance includes three key
activities: supervision, review and consultation.

4.2.9 Resources

HKSQM 1 31; A75–85. HKSA 220 (Revised) 29–38; A80–108

This component deals with obtaining, developing, using, maintaining, allocating and assigning
resources in a timely manner to enable the design, implementation and operation of the
SOQM. Resources required by the SOQM include:

• Financial,

• Technological,

• Intellectual,

• Human resources and

• Service providers.

HKSQM 1 32, A86–A108; HKSA220 (Revised) 25–28, A59–A79.

Financial resources are discussed as part of the Leadership component of the SOQM. Each
of the other types of resources listed is discussed in HKSQM A86–108. A similar discussion can
be found in HKSA 220 (Revised) A59–A79.

Human Resources

Human resources include the hiring, developing and retaining of personnel, and of their
competence and capabilities. Procedures that support the development of competence and
capability include training programs, evaluation mechanisms and compensation, promotion,
disciplinary action and other incentives for those associated with the SOQM. Professional
standards and laws mandating professional education, continuing professional development
and licensing are also important.

HKSA 220 (Revised) addresses the responsibility of the engagement partner to ensure
that sufficient and appropriate human and other resources are made available to perform
the engagement and that members of the engagement team, network auditors, component
auditors, any auditor’s external experts and internal auditors who provide direct assistance
have appropriate competence and capability. In assessing the engagement team’s competence
and capability, the engagement partner should consider the members of the engagement team
(HKSA 220 (Revised) A71):

• Training and experience in accounting, auditing and firm policy.

• Understanding of professional standards and regulatory requirements.

• Specialised expertise in accounting and auditing, and in IT.


• Industry knowledge and experience.

• Ability to exercise skepticism and judgment.

If the resources made available are insufficient, the engagement partner should consider
changing the audit plan, extending reporting deadlines, or withdrawing from the audit
engagement.

Technological Resources

Technological resources include the firm’s IT applications, network, operating systems,
databases, hardware and software, and the supporting processes and human resources.
Processes include access management, change management and operations. Technological
resources relevant to the SOQM include those that are used directly in the SOQM, those that
are used directly in the performance of engagements and the resources required to support
the SOQM and engagement performance.

Intellectual Resources

Intellectual resources are information used in the SOQM or engagement performance. They
include policy and procedure documents, audit guides, templates, checklists, industry guides,
accounting guides, standardized documentation, questionnaires and subscriptions.

Service Providers
Service providers are used by firms when the firm lacks the resources required for an
engagement. Individuals may be hired to perform monitoring activities or engagement quality
reviews, to consult on technical matters or to audit components. The firm’s SOQM is required
to identify and assess quality risks associated with the work of service providers. Relevant
information includes, for example, the firm’s prior experience of the service provider and the
provider’s experience, reputation and qualifications.

Apply and Analyse 3


Refer to the opening case of China Foods Ltd. In the case it was noted that ‘CFL
management had made fraudulent statements in its earnings reports and overstated
its capital spending on farm acquisitions. Its chairman was accused of embezzling RMB
200 million in company funds.’

(a) Explain the effect of these three material misstatements on CFL’s financial
statements.

(b) Describe the engagement performance requirements in HKSQM 1 and HKSA 220
(Revised) that the auditor failed to meet.


Analysis

(a) Material misstatements.

1. ‘Fraudulent statements in its earnings reports’. This indicates either an
overstatement of revenue or an understatement of expenses. An overstatement of
revenue is a very common form of fraud.

2. ‘Overstated its capital spending on farm acquisitions’. This indicates an
overstatement of property, plant and equipment (PPE). The company either
recorded the purchase of non-existent farms or recorded a fraudulently high price
for the farms.

3. ‘Its chairman was accused of embezzling RMB 200 million’. It is likely that the
embezzlement occurred in connection with the farm acquisition transactions.
Non-existent farms were purchased or an excessive price was paid for the farms,
and the chairman pocketed the full purchase price or the excessive amount.

(b) Engagement performance failures. The relevant requirements of HKSQM 1 and
HKSA 220 (Revised) are very similar.

From HKSQM 1.

The evidence obtained and conclusions made are sufficient and appropriate to
support the report and the objectives of the engagement have been achieved.

From HKSA 220 (Revised).

On or before the date of the auditor’s report, be satisfied that sufficient
appropriate audit evidence has been obtained to support the conclusions reached
and for the auditor’s report to be issued.

4.2.10 Information and Communication


HKSQM 1 33, A109–A115; HKSA220 (Revised) A31–A32.

This component deals with obtaining, generating or using information regarding the
SOQM, and communicating information within the firm and to external parties on a timely
basis to enable the design, implementation and operation of the SOQM. Information and
communication are pervasive to all components of the SOQM. Firms’ information and
communications systems are diverse and the requirements of HKSQM 1 are ‘scalable’, that is,
flexible with respect to the size and nature of the firm. HKSQM A112–115 suggests that the
firms establish ‘communication channels’ to facilitate communications that might include
information, including complaints and allegations:

• Obtained during the client acceptance and continuance process relevant to the
engagement team and the engagement plan.

• Obtained during the engagement relevant to the client relationship or to the
engagement quality reviewer.


• About non-compliance with laws to the appropriate authority.

• Relevant to network firms or to service providers.

• About failure to perform work in accordance with professional standards.

4.2.11 The Monitoring and Remediation Process

[Flow diagram: Design and perform monitoring activities; Evaluate findings and identify
deficiencies, and evaluate identified deficiencies; Respond to identified deficiencies;
Communicate]

EXHIBIT 4.2 The firm’s monitoring and remediation process

HKSQM 1 35–47, A138–A174; HKSA220 (Revised) 39, A109–A112.

This component deals with providing the firm with relevant, reliable and timely information
about the design, implementation and operation of the SOQM. It addresses the importance of
taking appropriate actions to respond to deficiencies such that deficiencies are remediated on
a timely basis. The monitoring process should be assigned to partners or others with
experience and authority.

Monitoring

Monitoring comprises a process of ongoing consideration and evaluation of the SOQM. The
nature, timing and extent of monitoring activities are affected by the size, structure and
organisation of the firm, the involvement of the firm network and the IT applications used.
Monitoring considers:

• The assignment of responsibilities for the SOQM.

• The design of the firm’s risk assessment process including the establishment of quality
objectives, identification and assessment of quality risks and responses to those risks.

• Incorporation of new developments in professional standards.

• Documentary evidence of compliance of personnel with independence policies.

• The design and effectiveness of training programmes.

• Decisions regarding client acceptance and continuance.

• Corrective actions taken, and improvements made, to the SOQM.

• Communication to appropriate firm personnel of weaknesses identified in the SOQM, in
the level of understanding of the system and compliance with it.

• Follow-up by appropriate firm personnel so that necessary modifications are promptly
made to the quality management policies and procedures.

In designing and performing monitoring activities, the firm should take into account:

• Identified quality risks and firm responses to quality risks.

• Changes to the SOQM.


• Results of previous monitoring activities.

• Complaints and allegations about failure to perform work in accordance with
professional standards or with firm policy.

While the firm may undertake multiple monitoring activities, firm policy regarding the
selection of engagements for inspection, and their frequency, is critical. The selection of
engagements for inspection should be determined by:

• The size and complexity of the firm and the number and geographic locations.

• The results of previous inspections including inspections by independent bodies
(e.g. the HKICPA).

• The types of engagements performed.

• The experience and tenure of the engagement partner, and any complaints or
significant deficiencies known about the engagement partner.

• Engagements for entities in an industry requiring high levels of complexity or judgment.

• The degree of risk associated with specific clients and engagements, for example, listed
entities or entities operating in emerging industries.

Matters considered in an inspection should be determined by the firm’s policies and
procedures in respect of engagement performance. Inspections of engagements provide
information about the firm’s SOQM. For example:

• Whether there are quality risks that have not been identified.

• Whether engagement teams have implemented firm policy and addressed quality risks.

• Whether the SOQM requires modification.

• The quality of engagements and the firm’s quality culture.

• Whether engagement partners have fulfilled their overall responsibility.

Selection of personnel to perform monitoring activities should avoid any self-review threat
that might arise from selecting a member of the engagement team or the engagement quality
reviewer. Where firm personnel do not have the competence or objectivity to perform the
engagement inspection, the firm should use network services or a service provider.

Other types of monitoring activities include:

• Inspecting in-process engagements.

• Interviewing firm personnel.

• Considering the propriety of the values and the quality focus in leadership
communications.

• Inspecting contracts and other documents regarding service providers.

• Checking records of attendance at training events.

• Inspecting time records of engagement partners to assess the sufficiency of their activities.


Deficiencies

Deficiencies noted should be evaluated in terms of the SOQM’s quality objectives and identified
quality risks. In some cases, additional information may be required. Deficiencies related
to leadership actions may be significant due to the pervasive effect this could have on the
SOQM. Similarly, where findings indicate a trend or systematic issue, they are more likely to be
significant. Other factors that should be considered include:

• The nature of the deficiency.

• Whether the deficiency relates to the design, implementation or operation
of the SOQM.

• The root cause of the deficiency, including firm characteristics such as complexity, size,
geographic dispersion and structure.

• Magnitude and frequency.

Remediation

Deficiencies noted during the monitoring process may be one-off or systematic. The latter
especially require prompt remedial action. Actions may involve:

• The retraining or disciplining of an individual employee,

• Changes to the employee training programme or

• Changes to the SOQM, including the firm’s quality objectives and its risk assessment
process.

Where monitoring procedures indicate that an engagement report may be inappropriate or
that procedures were omitted during the performance of an engagement, the firm should act
to comply with professional standards and legal requirements and consider whether to obtain
legal advice.

The firm shall communicate to senior personnel, at least annually, a description of the
monitoring procedures carried out and conclusions drawn so that these individuals can
take prompt and appropriate action on deficiencies. Communications should also describe
actions taken.

Where firms within a network operate under common monitoring policies and procedures,
the same procedures as described earlier in this chapter regarding evaluating, communicating,
and rectifying deficiencies must be carried out on a network-wide basis.

Key Learning Point


QM policies and procedures must be monitored to ensure the SOQM is relevant, adequate
and operating effectively. Relevance refers to adherence to professional standards and
the law.


4.2.12 Engagement Quality Reviews


HKSQM 1 34, A133–AS137; HKSQM 2 (all); HKSA 220 (Revised) 36, A103–A106.

An Engagement Quality Review (EQR) provides an objective evaluation, on or before the date
of the auditor’s report, of the significant judgments made by the engagement team and their
conclusions reached in formulating the report. As such, the EQR is an important part of the
Engagement Performance component of the SOQM and contributes to other components
(e.g. Monitoring and Remediation; Information and Communications).

The reviewer’s evaluation of significant judgments is performed in the context of
professional standards and legal and regulatory requirements. The reviewer is not a member
of the engagement team, does not direct or supervise the team and does not obtain evidence
regarding the engagement report – though the engagement team may collect evidence in
response to queries from the EQ Reviewer.

HKSQM 1 requires the firm to:

• Address the EQR in accordance with HKSQM 2, including matters of reviewer eligibility,
appointment, performance and documentation of the review and

• Establish policy to address which engagements require an EQR.

As noted in HKSQM 1.34, the firm is required to undertake an EQR for audits of financial
statements for listed entities, for engagements where laws or regulations may require an
EQR (e.g. public interest entities, entities in liquidation, financial institutions) and for other
engagements where an EQR is considered an appropriate response to address a quality risk.
For example, audits of entities that:

• Have a high degree of estimation uncertainty (e.g. banks).

• Require specialised skills in measurement (e.g. a resource extraction company).

• Have recurring inspection findings, deficiencies in internal control or material
restatement of information.

• Had a disagreement with the previous auditor.

• Operate in emerging industries.

• Have a high public profile.

• Hold significant assets in a fiduciary capacity (e.g. pension funds).

• Are large public sector entities.

HKSQM 2, Engagement Quality Reviews deals with an individual’s eligibility to perform an
EQR, the appointment of the reviewer and the performance and documentation of the review.

The firm must establish policies and procedures setting out the nature, timing and extent
of an EQR. The extent of an EQR depends on the complexity of the engagement, whether the
entity is a listed entity and the risk of an inappropriate report. The performance of an EQR does
not reduce the responsibilities of the engagement partner.


Eligibility

The EQ Reviewer must

• Have the competence, capability and authority to carry out the EQR.

• Comply with relevant ethical requirements including objectivity and independence.

• Have a cooling-off period of two years before being appointed where they previously
served as an engagement partner.

Firm policy regarding the eligibility of the EQ Reviewer should specify:

• The degree to which an EQ Reviewer can be consulted on the engagement without
compromising the reviewer’s objectivity.

• The replacement of the EQ Reviewer where the reviewer’s objectivity is impaired.

Performance

The EQ Reviewer should obtain an understanding of information obtained from:

• The engagement team regarding the nature of the engagement and significant
judgments made in planning, performing and reporting on the engagement.

• The engagement team’s evaluation of the firm’s independence in relation to the specific
engagement.

• The firm’s view about deficiencies in the SOQM that may affect significant judgments
made by the engagement team.

The EQ reviewer should also review the engagement documentation relating to significant
judgments, the financial statements or other subject matter information and the report
appropriate to the engagement. Based on this information, the EQ reviewer should evaluate:

• The basis for making the judgments, including the exercise of professional skepticism.

• Whether the documentation supports the conclusions reached and the appropriateness
of the conclusions.

• Whether appropriate consultation has taken place regarding differences of opinion.

In addition, for audit engagements, the EQ Reviewer should evaluate the engagement partner’s
determination that:

• Independence requirements have been met.

• The partner’s involvement has been sufficient and appropriate throughout the
engagement.

Where the EQ Reviewer has concerns that judgments made or conclusions reached are not
appropriate, they should notify the engagement partner. If such concerns are not resolved, the
reviewer should notify the appropriate individual in the firm that the EQR cannot be completed.

Alternatively, if the EQ Reviewer determines that the requirements of HKSQM 2 have been
met, they should inform the engagement partner that the EQR is complete. At this point the
engagement partner may sign the engagement report.


Documentation

HKSQM 2.30 requires the EQ Reviewer to document the basis for their determination and
notifications made to the engagement partner and others.

• Where the EQR could not be completed, the reasons therefor and

• If the requirements of the quality standards have been met, the date of completion
of the EQR.

Other matters to be included in EQR documentation include:

• The names of the engagement quality reviewer and individuals who assisted in
the review.

• The engagement documentation reviewed.

• The date of the completion of the EQR.

The auditing standard HKSA 220 (Revised) 36; A103–A106 discusses some of the matters
raised above in the context of the audit and the engagement partner’s responsibilities for
the audit.

Key Learning Point


An EQR provides an objective evaluation of the engagement team’s judgments made
and conclusions reached in formulating their report. The extent of an EQR depends on
engagement complexity and risk. An EQR is required for all audits of financial statements
of listed entities and for significant ‘public interest’ entities.

4.2.13 Summary of Quality Management Standards


[HKSQM 1 and 2 and HKSA 220 (Revised)]

The Hong Kong Quality Management Standards include:

• HKSQM 1, Quality Management for Firms that Perform Audits or Reviews of
Financial Statements, or Other Assurance or Related Services Engagements.

• HKSQM 2, Engagement Quality Review.

• HKSA 220 (Revised), Quality Management for an Audit of Financial Statements.

HKSQM 1 and HKSQM 2 are new quality standards, replacing HKSQC 1, and HKSA 220 has
been revised. The new and revised standards:

• Strengthen and modernize the audit firm’s approach to quality management by
introducing a system of quality risk assessment.

• Build on the six elements of a QC system introduced in HKSQC 1 by introducing the
eight components of an SOQM.

• Address increased stakeholder expectations and a need for QM systems that respond
to new technology, networks and the use of external service providers.


• Improve scalability by promoting QM systems tailored to the nature of the firm.

• Increase firm leadership responsibilities and improve firm governance.

• Provide for rigorous monitoring of SOQMs and on remediation of deficiencies.

• Increase the engagement partner’s responsibility for audit engagement leadership and
audit quality.

• Improve EQRs, including engagement selection, reviewer eligibility, documentation and
performance requirements.

[Figure contents:]

• Audit Quality: Quality auditors; Quality processes; Quality reports
• Audit Firm QM: Leadership; Ethics; Client acceptance; Human resources; Performance (EQR);
Monitoring; Documentation
• Regulator: FRC; Law; Inspection
• Client: Integrity; Governance (Audit committee)
• Environment: Litigation; Culture; Technology; Business practice
• Profession: Education; Inspection; Standards (IAASB, IFIAR)

EXHIBIT 4.3 Framework for quality management

Knowledge Check Questions

Question 3
Explain what a quality management system is and identify its components.

Question 4
After accepting an engagement, an audit firm realises that they are not competent to deal
with some significant aspects of the client’s operation. Explain what the firm should do.

Question 5
Describe the quality management policies that should be established regarding the
assignment of personnel to an audit engagement.

Question 6
Describe an Engagement Quality Review.

Question 7
List the criteria for the eligibility of an Engagement Quality Reviewer.

Question 8
You are the audit engagement partner for Yang Co, a company listed on the Hong Kong
Stock Exchange that operates clothing factories in mainland China. Explain your quality
management responsibilities regarding the performance of the engagement.

Question 9
Define the term monitoring (in relation to quality management). Identify the key
monitoring policies and procedures that should be included in an assurance firm’s system
of quality management.

4.3 DOCUMENTATION OF THE SYSTEM OF QUALITY MANAGEMENT

[HKSQM 1 57–60, A202–A206; HKSQM 2 28–30, A50–A53; HKSA 220 (Revised) 41, A117–A120.]

HKSQM 1 does not prescribe every matter that needs to be documented by the firm because
the nature and extent of documentation will vary with a number of factors including the
size and complexity of the firm and the types of engagements performed by the firm.
Rather, HKSQM 1 requires the firm to prepare documentation to achieve three principles,
understanding, implementation and evaluation:

1. Understanding. Support a consistent understanding of the System of Quality
Management (SOQM) by personnel, including an understanding of their roles and
responsibilities with respect to the SOQM and the performance of engagements.

2. Implementation. Support the consistent implementation and operation of the
responses to quality risks.

3. Evaluation. Provide evidence of the design, implementation and operation of the
responses, to support the evaluation of the SOQM by the individual(s) assigned ultimate
responsibility and accountability for the SOQM.

The firm is required to document evidence about the existence, implementation and
evaluation of each of the components of its SOQM. Firm policies should require retention
of documentation sufficient to permit the completion of monitoring procedures, or longer if
required by regulation.

Appropriate documentation includes, for example:

• Evidence of adherence to professional standards and applicable legal and regulatory
requirements.

• Complaints and allegations, and the firm’s response.

HKSQM 1 requires the firm to prepare specific documentation for components of the
SOQM. For example:

Regarding the firm’s risk assessment process:

• The individuals assigned responsibility for the SOQM.

• The quality objectives.

• The quality risks.

• A description of responses to the quality risks.

• How the responses address the quality risks.

Regarding monitoring and remediation:


• Evidence of monitoring activities performed.

• Evaluation of findings, identified deficiencies and root causes.

• Remedial actions.

• Communications about monitoring and remediation.

HKSQM 2 requires the firm to document:

• The name of the EQ Reviewer and any assistants.

• The engagement documentation reviewed.

• The basis for the EQ Reviewer’s determination that the EQR has been completed and
the date of completion.

• Notifications sent regarding the completion or non-completion of the review.

HKSA 220 (Revised). Audit documentation relevant to the SOQM should include:

• Issues identified with respect to the engagement team’s compliance with relevant
ethical and independence requirements, and how issues were resolved.

• Conclusions reached regarding the acceptance and continuance of client relationships
and audit engagements.

• The nature and scope of, and conclusions resulting from, consultations undertaken
during the course of the audit engagement.


4.4 CONFORMITY AND COMPLIANCE WITH INTERNATIONAL STANDARDS ON QUALITY MANAGEMENT OVERVIEW

In the early 2000s, the Hong Kong Institute of Certified Public Accountants (HKICPA) decided
that Hong Kong standards should fully converge with international standards. HKICPA
developed due process for the successful convergence of Hong Kong Quality Management,
Auditing, Review, Other Assurance, and Related Services Pronouncements with the
international standards. See Section 4.1 for a summary of these new standards, which are
effective from December 15, 2022.

4.4.1 International Forum of Independent Audit Regulators (IFIAR)


The IFIAR is an international leader in audit quality matters.

Every year, the IFIAR convenes a meeting for member representatives to discuss emerging
regulatory issues, challenges facing the audit profession and strategic approaches to sustainable
audit quality. The IAASB’s projects for the improvement of auditing standards are to a large
extent driven by the findings of the IFIAR’s annual survey of member organisations. This survey
summarises the findings of audit inspections carried out by regulators in member countries
throughout the world. Significant deficiencies in audit quality noted in the most recently released
IFIAR survey of inspections of audit firms and audit engagements are summarised in Exhibit 4.4.

Audit Firms

Engagement Performance
• Insufficient engagement quality management review (EQR) and
• Failure to establish and/or implement policies and procedures for sufficient,
timely engagement supervision and review.

Human Resources
• Non-compliance with the firm training and learning plan and
• Failure to evaluate audit quality as part of partner performance evaluation.

Independence and Ethical Requirements
• Failure to maintain independence due to the existence of financial relationships,
• Failure to apply firm or partner rotation rules,
• Failure to monitor firm staff and partner personal independence,
• Failure to consider and evaluate threats created by non-audit (consulting) services
provided to issuer,
• Failure to implement a reliable system for tracking business relationships and
• Failure to communicate to the audit committee relationships that bear on
independence.

Monitoring
• Failure to analyse the root cause of deficiencies and to take remedial actions and
• Failure to identify audit performance issues.

Audit Engagements

• For Accounting Estimates, failure to assess the reasonableness of management
assumptions, including consideration of contrary or inconsistent evidence.
• For Internal Control Testing, failure to obtain sufficient evidence to support
reliance on manual internal controls and controls over data or reports produced
by management.

EXHIBIT 4.4 Deficiencies in audit quality (Source: IFIAR Survey of Inspection Findings 2018.)

Key Learning Point


IFIAR is the International Forum of Independent Audit Regulators. The IAASB’s projects
for the improvement of auditing standards are to a large extent driven by the findings of
IFIAR’s annual survey of national regulators’ inspection programmes.

Apply and Analyse 4


Review the opening case of China Foods Ltd and examine the audit deficiencies listed in
Exhibit 4.4. Identify those deficiencies that might apply to the CFL audit engagement.

(Assume that the audit firm was merely incompetent, and not complicit in the fraud.)

Analysis

Based on the limited information provided in the case, the following deficiencies might be
indicated in the CFL audit engagement.

Engagement Performance

• Insufficient engagement quality management review.

• Failure to establish and/or implement policies and procedures for sufficient, timely
engagement supervision and review.

• For internal control testing, failure to obtain sufficient evidence to support reliance
on controls over data or reports produced by management.

Independence and Ethical Requirements

With respect to CFL’s CFO:

• Failure to monitor audit firm staff and partner personal independence.

• Failure to implement a reliable system for tracking business relationships.

Monitoring

• Failure to identify audit performance issues.


4.4.2 Strengthening Regulation in Hong Kong – the Financial Reporting Council (FRC)

The FRC was established in 2006. Its role is:

• To conduct independent investigations into possible auditing or reporting irregularities
by auditors of listed entities.

• To enquire into possible non-compliance with accounting requirements by
listed entities.

In 2013, consultants of the FRC carried out a study with an aim to identify the key gaps
between Hong Kong and other IFIAR and European Commission (EC) equivalence requirements
and propose possible approaches. Since 2013, some of the regulatory functions previously
carried out by the HKICPA have been taken over by the FRC, but, until recently, the FRC’s
powers have been limited.

In 2019, the Financial Reporting Council (Amendment) Bill 2018 was enacted. The FRC has
new powers to inspect, investigate, discipline and oversee the HKICPA, thereby enhancing audit
quality and investor protection in Hong Kong. Auditors who commit offences such as producing
false working papers now face penalties including jail terms of up to seven years and fines of
up to HK$10 million.

In 2021, the Secretary for Financial Services and the Treasury announced further reform
of the regulatory regime of the accounting profession. The changes proposed by the Reform are
extensive and significant.

Key Learning Point


The Financial Reporting Council is a Hong Kong government body that investigates auditing
or reporting irregularities by auditors of listed entities. The FRC has recently been given
new powers to oversee the HKICPA and to penalise auditors who commit offences.

Knowledge Check Questions

Question 10
List the advantages and disadvantages of regulation of the audit profession.

Question 11
Describe the way in which the 2018 Hong Kong legislation relating to the FRC changes the
responsibilities of the FRC.


SUMMARY

Audit objective. The objective of an audit of financial statements is to form an opinion based
on evidence about the existence of material misstatements.

Quality audits. Users can only be confident that this objective has been achieved if a quality
audit has been performed.

Audit quality is supported by broader cultural factors which include:

• Technology,

• Practices of the business community and

• The litigation environment.

Reporting supply chain. Audit quality is the responsibility of:

• The audit firm,

• The audit engagement partner,

• The Engagement Quality Reviewer,

and other parties in the reporting supply chain including:

• Regulators and lawmakers,

• Professional associations at the national and international levels and

• The management and audit committee of the audit client.

Regulatory framework. Lawmakers, regulators and the profession provide a framework of
laws, regulations, standards and other guidance to govern and facilitate the auditor’s work.

Compliance. In order to ensure compliance with the regulatory framework, and to meet the
objective of an audit, audit firms must establish SOQMs as specified in HKSQM 1, HKSQM 2 and
HKSA 220 (Revised).

Components of the SOQM. Both HKSQM 1 and HKSA 220 (Revised) are structured around the
eight components of an SOQM as identified in HKSQM 1:

1. The firm’s risk assessment process

2. Governance and leadership

3. Relevant ethical requirements


4. Acceptance and continuance of client relationships and specific engagements

5. Engagement performance

6. Resources

7. Information and communication

8. The monitoring and remediation process

Each of the components is discussed in Section 4.2 of the chapter, with additional references to
Chapter 1 (ethics) and Chapter 3 (client acceptance and continuance).


Engagement performance. Sufficient appropriate evidence must be obtained to support the
conclusions reached and for the assurance report to be issued. Engagement performance
includes three key activities:

• Supervision,

• Review and

• Consultation.

EQR. An EQR provides an objective evaluation of the engagement team’s:

• Judgements made and

• Conclusions reached.

The extent of an EQR depends on engagement:

• Complexity and

• Risk.

An EQR is required for all audits of financial statements of:

• Listed entities and

• Significant ‘public interest’ entities.


Monitoring and remediation. QM policies and procedures must be monitored to ensure the
QM system is:

• Relevant,

• Adequate and

• Operating effectively.

Relevance refers to adherence to professional standards and the law.

Improving regulation and oversight. In 2018, Hong Kong amended its regulation of
auditors. The FRC has been given new powers to inspect, investigate, discipline and oversee
the HKICPA, thereby enhancing audit quality and investor protection in Hong Kong. Further
changes to the FRC’s mandate are pending.


MIND MAP

QUALITY MANAGEMENT CONSIDERATIONS

PROFESSIONAL QUALITY MANAGEMENT
• Standards: HKSQM 1; HKSQM 2; HKSA 220 (Revised)
• Practice review
• Publications
• IAASB Framework

FIRM QUALITY SYSTEM
• Leadership responsibilities
• Relevant ethical requirements
• Acceptance and continuance of client relationships and specific engagements
• Human resources
• Engagement performance
• Monitoring

DOCUMENTATION OF THE SYSTEM OF QUALITY MANAGEMENT
• HKSQM 1: Firm’s documentation of system of quality management
• HKSQM 2: EQR Documentation
• HKSA 230: Audit documentation

CONFORMITY AND COMPLIANCE WITH INTERNATIONAL STANDARDS ON QUALITY MANAGEMENT OVERVIEW
• International Forum of Independent Audit Regulators (IFIAR)
• Financial Reporting Council (FRC)

Answers to Knowledge Check Questions

Question 1
Professional associations include both national organisations like the HKICPA and
international organisations like IFAC. The HKICPA ensures audit quality mainly through
their education programme for entry level accountants and members, through their
publication programme and through their inspection programme. IFAC’s main role is the
production of the international standards governing accounting and auditing that form
the basis of most countries’ standards. IFAC also collects information from audit regulators
throughout the world about deficient audit engagements and audit firms. This information
is compiled and used to guide the improvement of existing standards.

Question 2
High-quality audits reduce the audit risk of audit failure – the risk that the auditor’s opinion
will describe the financial statements as fairly stated when they contain material errors.
Higher quality audits will:

1. Reduce the incidence of lawsuits against auditors.

2. Improve the reputation of the audit profession.

3. Reduce the agency problem in organisations by providing relevant, reliable and
timely information to shareholders.

4. Increase the efficiency of markets.


Question 3
A quality management system is a set of policies and procedures designed to improve the
overall quality of a product. In the case of the audit, an SOQM will reduce the incidence of
audit failure and so improve the reliability of the auditor’s opinion and report. The eight
components of an SOQM are identified in HKSQM 1 and include:

1. The firm’s risk assessment process.

2. Governance and leadership.

3. Relevant ethical requirements.

4. Acceptance and continuance of client relationships and specific engagements.

5. Engagement performance.

6. Resources.

7. Information and communication.

8. The monitoring and remediation process.

Question 4
The firm should consider ways in which their level of competence might be improved. Staff
training or the hiring of an auditor’s expert competent in areas where the firm is deficient
are possible options. If the firm believes that they are unable to achieve an acceptable level
of competence, they should consider withdrawing from the engagement.

Question 5
HKSA 220 (Revised) deals with the ‘Assignment of Engagement Teams’. The engagement
partner must ensure the team has the competence and capabilities to perform the audit in
accordance with professional standards and legal and regulatory requirements, and that
an appropriate report can be issued. A competent engagement team should have:
• Practical experience with similar audit engagements and knowledge of the
client’s industry.
• Expertise with relevant IT and specialised areas of accounting or auditing.
• The ability to apply professional judgment.
• Understanding of the firm’s QM policies and procedures.

Question 6
An EQR provides an objective evaluation, on or before the date of the auditor’s report, of
the significant judgments made by the engagement team and their conclusions reached in
formulating the report. It is carried out by a senior auditor who is not otherwise associated
with the audit.


Question 7
To be eligible to carry out an EQR, the reviewer should not be associated with the audit to a
degree to which it might compromise the reviewer’s objectivity, and should have:
• The technical qualifications required to perform the role.
• The necessary experience and authority.
• Where the reviewer has been the engagement partner, a cooling-off period of
two years.

Question 8
As engagement partner for the Yang Co audit, your QM responsibilities include:
• Ensure that the direction, supervision and performance of the audit engagement are in
compliance with professional standards and applicable legal and regulatory
requirements.
• On or before the date of the auditor’s report, be satisfied that sufficient appropriate
audit evidence has been obtained to support the conclusions reached and for the
auditor’s report to be issued.
• Undertake consultation on difficult or contentious matters and be satisfied that
members of the engagement team have undertaken appropriate consultation and
that conclusions resulting from such consultations have been implemented.
• Because Yang Co is a listed entity, ensure that an EQ Reviewer has been
appointed. Discuss significant issues with the EQ Reviewer. Do not date the
auditor’s report until completion of the EQR.

Question 9
Monitoring is an ongoing process for the consideration, evaluation and remediation of the
firm’s system of QM. It should provide the firm with reasonable assurance that its system
of QM is operating effectively. Key monitoring policies include:
• The periodic inspection of engagements.
• Analysis of changes to professional standards and their appropriate application.
• Collecting evidence of compliance of personnel with independence policies.
• Assessment of the effectiveness of training programmes.
• Inspection of documentation of decisions regarding client acceptance and
continuance.
• Review of corrective actions taken, and improvements made, to the QM system.

Question 10
Advantages of regulation:
• Where audit engagements and audit firms are deficient, independent regulation
can ensure that audit quality is upheld through the imposition of sanctions
and penalties.
• Standard setters like the IFIAR and the IAASB collect information from regulators
and use this to guide the development of programmes for the improvement
of standards.


Disadvantages of regulation:
• Regulation is costly.
• In some cases, the regulations being enforced may be deficient or
counterproductive.
• Regulators are subject to pressure from industry groups and the profession to
minimise their activities, and so may be ineffective or promote special interests at
the expense of the public interest.

Question 11
The FRC was given new powers to inspect, investigate, discipline and oversee the HKICPA,
thereby enhancing audit quality and investor protection in Hong Kong. Auditors who
commit offences in breach of the new law, such as failing to produce working papers or
producing false or misleading work, face severe penalties, including jail terms of up to
seven years or penalties of up to HK$10 million.

EXAM PRACTICE

QUESTION 1
FashBiz is a clothing manufacturer based in mainland China and listed in Hong Kong. Audit
Co is the FashBiz auditor. Li has been the audit engagement partner for five years and Ann
the audit manager for 10 years. Yang, another Audit Co partner, has been newly assigned
as the EQ Reviewer. The audit engagement team has a good relationship with the FashBiz
management team.

During the year, the performance of FashBiz deteriorated significantly as FashBiz lost
several major customers. There is a risk of impairment of FashBiz’s fixed assets. However,
management and the audit engagement team agree that no impairment of fixed assets
should be recorded.

Required:

(a) Explain the differences in the roles and responsibilities of Li and Yang regarding the
quality of FashBiz’s audit.

(b) In response to the facts and circumstances above, recommend what Yang should do to
discharge his responsibilities as the EQ Reviewer.

QUESTION 2
New Co is a company that is dually listed on the stock exchanges of both mainland
China and Hong Kong. Every five years, New Co is required to change its auditor. Your
accounting firm has been approached to act as the auditor of New Co for the year ending
31 December 202X.

Required:

Describe the quality management procedures that you should perform before accepting
New Co as an audit client.


QUESTION 3
You have recently been assigned to lead the audit team on the audit of Wing Ltd. It has
become apparent that last year’s audit was deficient. That audit had been carried out by a
single auditor who had left your audit firm following that engagement. It appears that the
auditor recorded work that was not carried out. Non-existent documents were referenced
and audit findings are inconsistent with your understanding of Wing Ltd’s business.

Required:

(a) Describe the quality management deficiencies of this situation.

(b) Explain how the situation described above could have been avoided.

ANSWERS TO EXAM PRACTICE

QUESTION 1
(a) As the audit engagement partner, the full responsibility for the overall quality of the FashBiz
audit engagement falls on Li. Li should communicate the importance of audit quality to the
audit engagement team in the following ways:

• Complying with the quality management policies and procedures of Audit Co.

• Issuing an appropriate auditor’s report for the circumstances.

• Allowing the audit engagement team to raise issues without fear of reprisals.

(b) Li and Yang should discuss significant matters and ensure the audit report is not
issued until the quality management review has been completed and any contentious
matters resolved.

Yang has responsibility for the following:

• Reviewing the proposed auditor’s report and the financial statements.

• Discussing any significant matters with Li.

• Reviewing selected audit documentation relating to the significant judgments the audit
team made and the conclusions reached.

• Evaluating the conclusion reached in compiling the auditor’s report.

Since FashBiz is a listed company, Yang should also consider the following:

1. The audit engagement team’s evaluation of the firm’s independence in relation to
the audit engagement. As Li has only been working on the audit engagement for five
years, he is not subject to the rotation requirement. However, he and Ann maintain
a very good relationship with the management team. Yang should remind the audit
engagement team to thoroughly assess the audit engagement team’s familiarity threat
and if there is a need to reconsider the team mix. The audit engagement team should
document thoroughly their consideration and conclusion regarding independence.

• Yang should review the relevant assessment documented by the audit engagement
team and review its correspondence with those charged with governance on such
matters (e.g. relevant discussion in the Audit Committee report).


2. Whether appropriate consultation has taken place on matters involving differences of
opinion or other difficult or contentious matters and the conclusions arising from those
consultations.

• Discuss with the audit team their review of management’s assessment of fixed asset
impairment and audit evidence obtained that supported the audit engagement
team’s conclusion.

• Review the auditor’s report and financial statements to ensure relevant and
sufficient disclosure relating to the fixed asset impairment has been made.

• Ensure the audit engagement team has sufficient communication with those
charged with governance (e.g. the Audit Committee) about the fixed asset
impairment.

QUESTION 2
The incoming auditor can perform the following quality management procedures before
accepting New Co as its audit client:

• Risk assessment and Client acceptance. Review New Co’s previously published
financial statements and other relevant information regarding managers or directors’
reputations to determine if there have been integrity problems in the past.

• Information and Communication and Client acceptance. Consult the prior auditors
to ensure that there are no reasons behind the vacancy that the new auditors
should know.

• Resources. Evaluate your firm’s competence to perform the engagement and whether
you have the capabilities, time and resources to do the engagement.

• Engagement performance. A different financial reporting framework may be required
since New Co is a dual-listed company in mainland China and Hong Kong. If an overseas
regulatory requirement is relevant, the incoming auditor should assess if they have
the expertise to carry out the audit of New Co. In addition, they should ensure that the
audit can be carried out consistent with laws and regulations, e.g. the requirement for a
professional qualification in mainland China.

• Ethics. The incoming auditor should ensure that there are no independence issues that
are a barrier to accepting this audit client. For example, a business relationship between
the auditor and New Co may create a self-interest threat.

• Termination and any correspondence issued by the last auditors of New Co. If New Co
refuses to send the incoming auditor the letter of resignation/termination, the auditor
should decline the nomination.

QUESTION 3
(a) The audit firm has failed in its ‘engagement performance’ responsibilities. In particular,
the firm has failed to properly supervise and review the auditor’s work. The QM system
is clearly deficient and the senior personnel responsible for the QM system need to
investigate whether this is an isolated incident or systematic. If systematic, the QM system
needs revision and improvement. In either case, the individuals responsible for this lapse
should be disciplined or should undertake additional training as to their engagement
performance responsibilities.

Where monitoring procedures indicate that an engagement report may be
inappropriate or that procedures were omitted during the performance of an engagement,
the firm should act to comply with the requirements of the standards (properly complete
the audit) and obtain legal advice.

(b) A properly functioning system of QM consistent with the quality standards and HKSA 220
(Revised) would have ensured that supervision and review of engagement performance
had been undertaken in an appropriate and timely manner. In particular, timely monitoring
procedures would have identified the deficiencies in the audit work before the completion
of the audit.

In this context, (monitoring) the engagement partner was deficient in their work. The
work of the auditor should have been reviewed by the partner assigned to the engagement
both at the planning stage and before the signing of the audit report at the very least. The
engagement partner is ultimately responsible for engagement quality.

5 Planning and Risk Assessment

CHAPTER TOPIC LIST

5.1 Planning an Audit
5.1.1 Audit Strategy and Audit Plan
5.2 Planning Documentation Development
5.2.1 Preliminary Engagement Activities
5.2.2 Planning Activities
5.3 Gaining Initial Understanding of the Entity and Its Environment, Including the Use of Preliminary Analytical Review Procedures
5.4 The Entity’s Business Model
5.4.1 Organizational and External
5.4.2 Financial Performance
5.4.3 Financial Reporting Framework
5.4.4 System of Internal Control
5.4.5 Audit Strategy
5.4.6 Information Sources for Obtaining an Understanding
5.4.7 Entity Level
5.4.8 Industry Level
5.4.9 Economy Level
5.5 Audit Risk Components
5.5.1 Inherent and Control Risk
5.5.2 Detection Risk
5.6 Risk Assessment Procedures and Related Activities
5.6.1 Understanding the Entity and its Environment
5.6.2 Internal Control and Control Environment
5.6.3 Impact of Fraud and Misstatement on Audit Planning Considerations
5.6.4 Consideration of Laws and Regulations in an Audit of Financial Statements
5.7 Materiality
5.7.1 Setting Materiality Limits
5.7.2 Relationship to Relevance in Financial Reporting
5.8 Audit Methodologies
5.8.1 Risk-Based Auditing
5.8.2 Top-Down Auditing
5.8.3 System-Based Auditing
5.8.4 Systems Audit
5.8.5 Balance Sheet (Statement of Financial Position) Approach
5.8.6 Transaction Cycle Approach
5.8.7 Directional Testing
5.8.8 Performance of Different Audit Methodologies

LEARNING OUTCOMES

PRINCIPAL LO1: PERFORM ASSURANCE ENGAGEMENTS


LO1.04: Prepare, plan and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Management,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on:
Planning and Risk Assessment
1.04.01 Explain the need for planning an audit, the overall audit strategy and the audit plan and their
relationship
1.04.02 Develop the planning documentation including the audit strategy memorandum for a
given scenario
1.04.03 Apply knowledge to demonstrate how auditors obtain an initial understanding of the entity
and its environment, including the use of preliminary analytical review procedures
1.04.04 Explain the components of audit risk
1.04.05 Evaluate the entity’s significant risks of material misstatements at the financial statement
and assertion levels
1.04.06 Identify significant account balances, classes of transactions and presentation and disclosure
1.04.07 Determine the effect of fraud and misstatements on audit planning and work
1.04.08 Explain the effect of laws and regulations, and non-compliance on audit planning and
procedures
LO1.06: Prepare, plan and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Management,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on:
Materiality
1.06.01 Apply materiality in the context of financial reporting and auditing
LO1.08: Prepare, plan and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Management,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on:
Audit Methodologies
1.08.01 Summarise the key features of the following audit methodologies:
• Risk-based auditing
• Top-down auditing
• System-based auditing
• Systems audit
• Balance sheet approach
• Transaction cycle approach
• Directional Testing
1.08.02 Analyse the cost and performance efficiency of different audit methodologies

OPENING CASE

HWA LTD – PLANNING THE AUDIT ENGAGEMENT

HWA is a listed public company that manufactures components for the IT industry. The
company has been operating for three years and has been profitable during that period.

HWA’s customers are all domestic and it has several short-term contracts with significant
manufacturers of IT equipment and mobile phones.

The management is highly regarded in the industry and the company has a reputation of
being well managed. Management is well remunerated, including a generous share bonus plan
based on a specified return on total assets. The company’s share price has been steadily rising
with a consistent dividend stream and a strong demand for the shares.

The company’s technical staff have a strong reputation for being technically competent and
progressive and are supported by good research and development funding.

You have been the audit partner of HWA since its inception and have not had any
significant audit issues during that time. Your assessment of the internal control systems in the
past has allowed you to take an audit approach that places a heavy reliance on those systems
and performs minimal substantive procedures.

To date, the company has not sought any other services from your audit firm.

Your engagement team over the three years has changed. This year’s team will include a
new audit manager and two new junior staff members.

OVERVIEW

A financial report audit has been described in Chapter 1 as a systematic process of objectively
obtaining and evaluating evidence about the assertions in financial statements with the
objective of providing reasonable assurance that enhances the credibility of those statements.

An efficient and effective audit requires adequate planning, the nature and extent of
which varies according to the size and complexity of the audit client and the auditor’s previous
experience with the client.

While planning is a process that continues throughout the audit engagement and must
react to changing circumstances during the audit, the auditing standards outline requirements
that are to be undertaken at the commencement of that process. This chapter explains those
requirements and their objectives.

The audit process under auditing standards is primarily a ‘risk-based’ methodology
requiring the auditor to obtain an understanding of the client and its environment in order to
identify the areas in the financial statements and the underlying financial statement assertions
that are at risk of material misstatement. This methodology is focused on ensuring that the
audit is directed towards the areas of significance in the client’s financial statements.

This chapter focuses on the steps involved in implementing this approach and the matters
to be considered in identifying the risks of material misstatement at the initial planning phase
of the audit.

Planning commences with a decision as to whether the auditor should accept a new client
or continue the ongoing relationship with an existing client.

The process then proceeds to the gaining of an understanding of the client and its activities
so as to develop an overall audit strategy, with a detailed audit plan to implement that
strategy. This involves the engagement partner and key members of the engagement team
using their experience and insights to develop an efficient and effective planning process,
including discussions with other team members. Much of the information about the client and
its business is obtained through discussion with management and other client staff involved in
the financial reporting process.

Developing a strategy requires consideration of the level of acceptable audit risk, being
the risk of issuing an inappropriate opinion. This consideration forms part of the audit process,
as do the judgements about materiality, in determining the nature, timing, and extent of
audit procedures necessary to obtain sufficient appropriate audit evidence on which to base
an opinion.

5.1 PLANNING AN AUDIT

In Chapter 1, financial statement auditing was identified as a systematic process to gather
sufficient appropriate evidence on which to form a conclusion and express an opinion on
whether an entity’s financial statements are prepared and presented in accordance with the
applicable financial reporting framework.

The objective was stated as being to enhance the degree of confidence that users have in
the financial statements to assist their decision-making.

To operationalise this concept, and to conduct an efficient and effective audit, the
process involves planning and the development and implementation of an audit strategy
(the audit judgement about scope and approach to be taken in the audit, based on an
understanding of the client and its environment) and audit plan (the documented plan for
the nature, timing and extent of specific audit procedures to implement the strategy).

HKSA 300 Planning an Audit of Financial Statements identifies the following benefits of
planning to the audit:

• Giving appropriate attention to important areas of the audit.


• Assisting with identifying and resolving potential problems on a timely basis.

• Properly organising and managing the audit.

• Selecting an engagement team that has the appropriate levels of skills and competence
to respond to anticipated risks, and properly assign tasks to them.

• Directing and supervising engagement team members and reviewing their work.

• Coordinating the work of component auditors and experts.


The first phase of the audit planning process is to apply the provisions of HKSA 220
(Revised) Quality Management for an Audit of Financial Statements and to evaluate
whether:

• To accept an entity as a new audit client.

• To continue to provide audit services to an existing client.

This step in the process of client acceptance or continuing an audit relationship also
includes evaluating the auditor’s compliance with the professional ethical standards, including
independence.

In a recurring engagement, the auditor has the benefit of previous knowledge and
experience with that client, which provides an ongoing basis for the audit strategy and plan.

In an initial audit engagement, the auditor does not have the same level of knowledge and
understanding of the client and its business and systems. Planning for an initial engagement
therefore involves additional steps as compared with a recurring engagement. For example,
the auditor should communicate with the previous auditor to identify any relevant issues and
obtain an understanding of the client and audit approach, and, if possible, review that auditor’s
working papers.

The next step in the process is issuing an engagement letter as required by HKSA 210
Agreeing the Terms of Audit Engagements to ensure that the terms and scope of the engagement
are understood.

The planning process involves a discussion involving the engagement partner and key
members of the audit team to take advantage of their experience and expertise and ensure
that the strategy and plan are effective and efficient. For example, the engagement team should
use their knowledge of the client to discuss the areas for potential material misstatement in
the financial statements. The outcome of these discussions is then communicated to other
members of the engagement team.

The auditor should also include discussions with management and the audit committee in
gaining an understanding of potential issues, but it must be remembered that the audit scope
remains the sole responsibility of the auditor. Any discussions with management should not
be at a level that would compromise the effectiveness of the audit; for example, it would not
involve any discussion as to the nature, timing and extent of detailed audit procedures
that would make them predictable to the client.

As the client’s audit committee has oversight of the financial reporting and auditing
activities within an entity, the auditor will generally advise the committee of the broad strategy
to facilitate the coordination of the audit fieldwork and audit process with the client.

In addition to the above, the professional requirements for implementing an audit planning
process are found primarily in the following auditing standards:

• HKSA 315 (Revised 2019) Identifying and Assessing the Risks of Material Misstatement

• HKSA 320 Materiality in Planning and Performing an Audit

• HKSA 330 The Auditor’s Responses to Assessed Risks

From these requirements, the planning process can be summarised as comprising the
following steps:

• Understanding the entity and its environment

• Understanding the applicable financial reporting framework and the entity’s
accounting policies

• Understanding the entity’s system of internal control

• Identifying and assessing the risk of material misstatement

• Developing a response to assessed risks

More details in relation to each of these steps will be considered throughout this chapter.

While the generic planning process for developing an overall audit strategy and plan is
standardised through the requirements of the above-mentioned HKSAs, the strategy and
plan are specific to the individual entity’s circumstances. For example, the size of the entity, its
governance structures, the complexities of its business and operating environments, IT systems,
and accounting and internal control systems will have an impact on the strategy and plan.

The planning process is continuous throughout the audit, and generally commences early
in the financial reporting period. The audit strategy and plan are dynamic in nature. They are
to be reviewed and revised as the audit progresses if conditions change or audit
procedures produce unexpected results.

In summary, audit planning involves developing an audit strategy that establishes the
scope and direction of the audit. The strategy in turn governs the development of the detailed
audit plan, which documents the nature, timing, and extent of the audit procedures to obtain
sufficient appropriate audit evidence on which the audit opinion and report are based.

Apply and Analyse 1


As the audit partner, you are about to start planning for the current year’s audit of
HWA Ltd. Your new junior staff members ask when they can attend the client premises
and start the audit fieldwork testing. Some are keen to have the chance to perform certain
audit procedures to improve their knowledge. Explain what your response would be.

Analysis

You should advise these members of the engagement team that before any fieldwork
occurs you must be satisfied that the pre-conditions for audit exist and that it is
appropriate to continue the relationship with the client, and to then meet with the client
management to develop an audit strategy and plan.

You should explain that you have to be satisfied that nothing has occurred since the
completion of the last audit that would indicate any concerns with the integrity of
management; any issues with ethical requirements, including independence, arising from the
change in the engagement team or other circumstances; any doubt as to whether the staff
resources are adequate and competent to deal with the client in the industry in which it
operates; or any other issues that may indicate that it would be inappropriate to continue
with the engagement.

In addition, you would indicate that you have to decide whether a new engagement
letter is needed to ensure that management understands their responsibilities and
the terms of the engagement. To do this you need to consider whether there has been
any change in management, whether the client is seeking to change the terms of the
engagement, any changes in the nature and size of the business, or new regulatory or
reporting requirements.

You should also indicate that an audit strategy and plan will be needed to begin, and
they will specify how the audit will proceed. You should caution them that learning to be an
auditor is not just about learning how to apply audit procedures.

5.1.1 Audit Strategy and Audit Plan


As indicated, the overall audit strategy sets the scope, timing, and direction of the engagement
and provides the foundation for the development of the more detailed audit plan and specific
audit procedures. (The audit plan is often referred to as the ‘audit programme’. The term ‘audit
plan’ will be used in this chapter.)

HKSA 300 indicates the matters that must be addressed in developing the overall audit
strategy and includes a detailed list of matters that could be considered. You should refer to
HKSA 300 Appendix ‘Considerations in Establishing the Overall Audit Strategy’ for an extensive
listing of specific matters that could affect the audit strategy.

The following are the broad matters that need to be addressed and some selected
examples of the relevant factors to be addressed:

• The characteristics of the audit engagement that define its scope, such as the required
financial reporting framework, industry-specific reporting requirements, and the entity
structure in terms of the existence and location of subsidiary companies, branches, or
divisions.

• The timetable for the various phases of the audit fieldwork, which usually occur in
identifiable steps throughout the financial reporting period, and the proposed reporting
of interim and final results and communications with management.

• The auditor’s judgement in relation to factors governing the focus of the audit team’s
activities; for example, identifying material classes of transactions and account
balances, identifying areas of potential high risk of material misstatement, as well
as the impact of the assessed risk of material misstatement at the overall financial
statement level and how these affect the audit process. Also to be considered is an
initial consideration of factors that influence the extent to which the auditor may place
reliance on the entity’s accounting and internal control systems and the testing thereof
in the audit process, including the internal audit function.

• The results of preliminary engagement activities identified in HKSA 220 (Revised) and,
where applicable, knowledge obtained by the engagement partner in the provision of
other services to the entity.

• The nature, timing, and extent of resources required, for example selecting an
engagement team with the appropriate experience and assigning work in the areas
of higher risk of material misstatement to more senior staff, and considering whether
specialists will be required because of the nature of some transactions and account
balance calculations, such as an actuary for the calculation of employee entitlement
provisions.

As an illustration, following the initial planning phase, the audit strategy could fall at
either end of the strategy spectrum. If the initial audit judgement based on the preliminary
assessments of the entity’s internal control system, materiality, audit risk, and the evidence
required to form the opinion is that the entity’s accounting and control systems are likely to
be effective, then the strategy would be to emphasise a controls-based audit approach. This
would consequently lead to less reliance on extensive substantive testing of transaction details,
accounts, and balances, and a strategy to obtain a detailed understanding of the internal control
system and extensive testing as to the effectiveness of that system.

If, however, the initial assessment is that the accounting and internal control systems are likely
to be ineffective, the strategy would be to adopt a more substantive-based approach relying on
extensive tests of details, accounts, and transactions and analytical procedures to gather sufficient
appropriate audit evidence. An audit must always involve some level of substantive testing. Thus,
even in a controls-based approach, there will be a combination of controls testing and substantive
testing and the strategy should indicate the balance between the two approaches.

There are several differing audit methodologies available to an auditor. The strategy will
also determine whether the audit approach is to be ‘risk-based’, ‘top down’, ‘system-based’,
or a ‘balance sheet’ or ‘transaction cycle’ model. The auditing standards prescribe a
‘risk-based’ methodology, but within that the other methodologies can be integrated to achieve
the strategy. In some cases, the engagement circumstances may warrant the application of a
combination of these approaches. These will be explained further in Section 5.7.

Having established the broad audit strategy, the auditor implements this strategy through
the development of the audit plan, which specifies in detail the nature, timing, and extent of
the audit procedures to be undertaken during the audit in each area of the financial statement
account categories, such as inventory, accounts receivable, fixed assets, accounts payable, loan
liabilities, and shareholders’ equity.

If the strategy was that the audit needed to be heavily reliant on evidence from substantive
testing, the audit plan would detail the nature, timing, and extent of the specific audit
procedures to be applied at the assertion level for each account balance.

If the initial assessment was that the internal control system was strong and able to be
relied upon to produce reliable financial information at the assertion level, the development
of the plan requires that the auditor gain a deeper understanding of the entity’s accounting
system and controls. For example, the extent of IT processing and the extent to which the
system may be automated to initiate, record, and process transactions would be reflected
in the audit plan emphasising the detailed procedures to test that system to ensure that it is
operating as expected and is effective.

The procedures specified in the audit plan are directed at providing audit evidence to draw
reasonable conclusions on which to base the auditor’s opinion. Following on from the audit
strategy, the procedures include:

• Tests of controls (assuming the initial assessment is that reliance can be placed on
internal controls).

• Substantive procedures, including tests of account balance, transactions, and
analytical procedures applied at the assertion level.

HKSA 500 Audit Evidence identifies the following procedures:

• Inspection of records, documents, or physical items.

• Observation of the performance of processes or procedures, including the performance
of control procedures.

• External confirmation in writing from third parties.

• Re-calculation for mathematical accuracy.

• Re-performance by the auditor of controls originally performed as part of the client’s
internal controls.

• Analytical procedures and investigation of any fluctuations or departures from expected
financial statement relationships or values.

• Inquiry of personnel internal and external to the entity.

The audit plan would specify the combination of these procedures and the extent and
timing of these procedures, while recognising that information may only be available at discrete
points in time where client activities occur only at certain times during the financial period (for
example, the auditor’s observation of the client’s physical inventory count).

In effect, the audit plan documents the auditor’s response to the risks identified during the
process of obtaining information about the client and developing the audit strategy. HKSA 330
The Auditor’s Responses to Assessed Risks requires the auditor to design and implement an
overall response to the assessed risk at both the financial statement and assertion levels.
The response is to be in the form of tests of controls, where appropriate, and substantive
procedures to obtain sufficient appropriate audit evidence regarding the assessed risks.

In summary, the audit strategy is the initial audit judgement as to the scope and broad
approach to be taken during the audit process, based on an understanding of the entity and its
business. It involves a preliminary assessment of materiality, the risk of material misstatement
at the financial statement level, an understanding of the accounting and internal control
system, and the requirements for obtaining sufficient appropriate audit evidence. The audit
plan then operationalises the strategy by detailing the nature, timing, and extent of the specific
audit procedures to be applied at the financial statement assertion level.

Exhibit 5.1 shows an overview of the planning through the audit process.

PLANNING
• Audit preconditions
• Understanding the entity and its environment
• Internal controls
• Risk assessment of material misstatement

Audit Strategy
• Overall audit scope, audit approach and methodology to be applied to address risks
of material misstatement at the financial report level

Audit Plan
• Audit programme: setting out nature, timing and extent of specific audit procedures
to implement audit plan and detect material misstatements at the assertion level

INTERIM
• Testing effectiveness of internal controls and business processes
• Initial substantive testing

Ongoing review of Audit Plan

FIELDWORK
• Tests of detail of transactions and balances and substantive analytical procedures
on final financial statement results

Review and completion
• Final review of financial statements and audit working papers

Audit opinion

EXHIBIT 5.1 Audit process – the role of planning

Knowledge Check Questions

Question 1
Identify which of the following is normally used to communicate the responsibilities of the
auditor and client.
A Audit strategy
B Audit plan
C Engagement letter
D Meeting with the client

Question 2
Identify which of the following factors is not relevant to the auditor’s consideration as to
whether to accept a new engagement or continue with an existing client relationship.
A The integrity of management.
B The likelihood that the client may subsequently require other services from the
audit firm.
C The engagement team’s knowledge and skills relevant to undertaking the audit.
D Whether the audit firm can comply with relevant ethical requirements.

Question 3
Identify which of the following is true of adequate planning.
A It leads to a reduction in the audit fee.
B It reduces the level of substantive testing of account details and transactions.
C It ensures that the audit addresses significant areas of the audit and areas of potential
risk of material misstatement.
D It allows management to be involved in all areas of the audit process.

Question 4
Identify which of the following primarily determines the nature, timing and extent of audit
procedures necessary to obtain sufficient appropriate audit evidence on which to base the
audit opinion.
A The audit plan
B The audit strategy
C Auditing standards
D The auditor’s judgement

5.2 PLANNING DOCUMENTATION DEVELOPMENT

The requirement to document the planning and conduct of an audit is a fundamental principle
of auditing. HKSA 230 Documentation states:

The auditor shall prepare audit documentation on a timely basis.

Documentation is defined as the record of audit procedures performed, relevant audit
evidence obtained, and conclusions the auditor reached. It is often referred to as audit
‘working papers’ and can be developed and kept in paper, electronic, or other media form.
This documentation evidences the auditor’s basis for the audit report and that the audit was
planned and performed in accordance with professional auditing standards and any legal or
regulatory requirements.

Documentation also assists the engagement team’s planning and conduct of the audit and
facilitates the supervision and review of work completed during the engagement for quality
management during the audit process. It also provides the material necessary for firms to meet
their responsibilities for engagement quality review and inspections under the firm’s overall
quality management programme or for any external inspections required under legislation.

The documentation is to be of a quality that would enable an experienced auditor not
involved in the audit to:

• Understand the nature, timing, and extent of procedures undertaken in accordance
with auditing standards.

• The results of the audit procedures and the evidence obtained.

• The significant matters dealt with during the audit.


• The matters on which audit judgements were required.

• The conclusions reached during the audit.

The workpapers should be prepared on a timely basis; that is, contemporaneously as the
audit work is undertaken. This allows the review process in relation to the evidence obtained
and conclusions reached at various stages of the audit to be undertaken, and the audit plan
and process to be updated as necessary, during the course of the audit. It is also important
that all relevant matters are documented so that the audit evidence and conclusions can be
reviewed prior to finalising the audit report.

The nature and extent of documentation is a matter for professional judgement in the
specific engagement circumstances. HKSA 230, paragraph A2, identifies the following factors
that determine the form, content and extent of audit documentation:

• Size and complexity of the entity.

• Nature of the audit procedures performed.

• The risk of material misstatement identified.

• The significance of the audit evidence obtained.

• The nature and extent of exceptions identified.

• The audit methodology and tools used during the audit.

For example, the documentation for the audit of a smaller entity will be less extensive than
for a larger entity. The nature and extent of the entity’s IT systems will also affect the nature
and extent of the audit documentation, as will the extent to which audit software is used
during the audit process. Many audit firms have special audit software for preparing audit
documentation.

The following are examples of audit documentation:

• Planning memorandums and checklists.

• Audit programmes.

• Analyses and summaries of significant issues.

• Engagement budgets and staffing requirements and allocations.

• Audit fee calculations.

• Checklists.

• Correspondence.

• Abstracts or copies of client records.


• Reviews of the work of internal audit or experts used during the audit.

The fundamental principle for documentation is specifically reiterated in the auditing
standard on planning. HKSA 300, paragraph 12, requires documentation of:

• The overall audit strategy.

• The audit plan.

• Any significant changes to the strategy or plan made during the audit and the reasons
for those changes.

5.2.1 Preliminary Engagement Activities


As indicated, the initial phases of planning involve acceptance or continuance of audit
engagements and agreeing the terms of the engagement. In both cases the requirement for
documentation is applied.

In relation to client relationships, the documentation must include:

• How any issues relating to compliance with ethical standards were resolved.

• The basis for the conclusion that the independence requirements have been met.

• The conclusions reached regarding acceptance and continuance.

When applied specifically to client acceptance and continuance, this involves
documentation that the pre-conditions for an audit outlined in HKSA 210 have been complied
with. The documentation should include:

• The basis for the auditor’s assessment that the financial reporting framework to be
applied in the preparation of the financial statements is acceptable.

• Evidence that management has acknowledged its responsibility for the preparation
of financial statements that are free from material misstatement, in accordance with
the appropriate financial reporting framework, and for the accounting and internal
control systems supporting the preparation of those financial statements.

• Evidence that the auditor is satisfied that access will be given to all information available to
management in preparing the financial statements, that any additional information requested
by the auditor will be provided, and that access to entity personnel will not be impeded.

This documentation evidences compliance with HKSA 220 (Revised) in ensuring that the
client relationship is appropriate and that there is a sound basis for the audit to be properly
conducted and to comply with professional standards. See Section 4.1.1.1 which describes
recent revisions to the Quality Standards.

Similarly, the audit engagement letter is part of the planning documentation process.
HKSA 210 requires that the auditor agree the terms of the engagement with those charged
with governance/management (the term management will be used throughout this chapter) in an
engagement letter or other form of written agreement.

The letter includes the objective and scope of the audit, the responsibilities of both the
auditor and management, and identifies the applicable financial reporting framework and
details of the reports to be issued.

This document is sent by the auditor to the client, requiring a copy signed by management
to be returned to the auditor. This document is prepared and provided for the client after the
pre-conditions for the audit have been satisfied and confirms the common understanding
of the engagement terms. It effectively documents the outcome of these deliberations and
establishes them in a contractual sense with the client management and becomes part of the
audit workpapers.

5.2.2 Planning Activities


5.2.1.1 Overall Audit Strategy

When applied to the development of the overall strategy, the documentation requirements
reflect the process outlined above, for example, documenting the discussions with engagement
staff, management, the basis for the judgements in relation to materiality, internal control, the
combination of control testing and substantive testing, timing, and assessment of the risk of
misstatement.

The outcome of this process is generally a strategy memorandum that summarises the
strategy and approach to be taken in developing the audit plan.

The strategy memorandum will be developed based on the specific entity circumstances
but will generally include narrative covering the following matters:

• Confirmation of the pre-conditions for the audit. A statement is produced that is based
on a review of the relationship with the client entity and audit firm policies and shows
that the professional independence and other ethical requirements have been met and
that there are no issues with management integrity that may impact the auditor’s ability
to continue the engagement. It would also include confirmation that the client has been
advised and understands the terms of the engagement. Details of any other services
provided to the client would be disclosed.

• The scope of the audit work, defined in terms of the financial reporting framework
that provides the criteria for measuring and evaluating the financial statements and
the nature and objective of the reporting obligations. This would include details of the
financial reporting framework applicable to the financial statements being audited;
for example, the Hong Kong financial reporting standards and any other mandated
statutory, industry, or legal reporting requirements. This would also identify any
significant changes in these reporting requirements during the reporting period or in an
ongoing client relationship, as well as changes since the prior audit.

• The key judgements as to the significant risks identified in terms of potential material
misstatements in the financial statements, whether due to fraud or error, and the audit
approach to mitigating those risks. This would summarise the outcome of the meetings
with management to gain an understanding of their view of the business and financial
reporting risks as compared with the auditor’s preliminary knowledge obtained
during the process of obtaining an understanding of the client and its business (for
example, information in relation to the entity’s operating structure, including the
number and location of components and, where applicable, the relationship between
parent and subsidiary entities and changes in the entity’s business operations and key
management). Details of significant business developments impacting
the entity, including changes in IT, key management, any business acquisitions or
divestments, and changes in the legal and industry environment affecting the entity,
would also be documented.

• The nature of the evidence to be obtained in key areas of the financial statements and
any indications of potential restrictions that may arise. In an ongoing audit situation,
this includes the expected use of audit evidence obtained from the prior audit period;
for example, evidence relating to risk assessment procedures and tests of controls, the
nature of identified deficiencies and evidence of the actions taken to address them.

• The nature of the audit methodology to be applied; for example, the combination
of tests of controls and substantive procedures in the context of risk-based,
systems-based, etc. In the case of a risk-based approach, where the audit focus is on
aspects of the business that have a higher risk of material misstatement (such as those
affected by management judgement and estimation, application of new or amended
reporting requirements, changes in operations or where material errors have been
found in the past) these would be identified and the planned response outlined. For
example, management override of controls may be identified as a significant risk in
relation to fraud and judgement issues. The planned response could be identified as
more extensive procedures to be applied to material accounting estimates and journal
entries and the review of unusual or significant transactions outside the normal course
of business.

• Where a risk-based approach is to be applied, details are needed as to the transactions
and balances based on prior year audit work and/or a preliminary assessment of
controls and the extent to which the controls are to be tested and reliance placed.
There should be identification of areas where controls are not appropriately designed
or where it is determined to be more efficient to take a substantive approach to testing.

• The preliminary identification of significant and material classes of transactions,
account balances and disclosures and an indication of the preliminary overall and
performance materiality levels, the basis of their determination, and the factors that
team members need to monitor continuously for ongoing appropriateness.
Details would be given of any potential significant risk areas where materiality may
need to be set specifically for a financial statement account; for example, senior employee
remuneration may be given a specific materiality level different to the overall level.

• The use of experts. For example, one of the areas of significant risk of material
misstatement may be pension liabilities based on estimates and judgements and
actuaries engaged by the client to assist in their calculation. The memorandum
would outline the nature and extent to which the auditor would engage or use their
own actuarial experts to provide assurance as to the work of the client’s actuary.
Other auditors may be involved where a parent subsidiary structure is involved and
information as to the relationship between the auditors would be included, such as the
basis for assessing the work of the other auditor and the timing of any meetings and
reporting arrangements.

• The relationship with internal audit and the nature and extent of any reliance on the
work of internal audit and the review and testing of that work. This could include
details of the specific areas of the controls and/or financial statements on which
reliance will be placed, the nature and extent of the testing, and the projected timing of
that work by the external auditor.

• The nature, extent, and timing of IT resources required in both the controls testing and
substantive testing processes where applicable.

• The structure and composition of the engagement team in terms of the quantity of
resources and the required competencies and experience, and the assignment of those
resources to areas of the audit commensurate with those attributes. This includes
specifying the assignment of appropriately experienced team members to areas where
there may be higher risks of material misstatement.

• The timetable for the various phases of the audit, including key communication
dates and the parties involved. This would be a schedule of proposed meetings with
management and the audit team concerning such matters as the availability of client
data and personnel necessary for the audit and the expected dates for the nature
and timing of reports. This would also include the timing of the work programme;
for example, the timing of the interim phase of documenting systems and controls,
walk-through procedures, controls testing, including IT, early substantive testing, and
liaison with group auditors. The fieldwork phase involves reviewing draft financial
statements, substantive testing, reassessing the strategy and revising it, if necessary,
communicating on emerging issues, and dealing with those issues. The completion
phase involves final review, communicating with the audit committee, reviewing of post
balance date events, and the signing and issuing of the audit opinion.

• The audit budget and fee and arrangements for any other services would be provided.
The budget should identify the time allocated to various phases and elements of the
audit and be consistent with an allocation that reflects the areas where there may be
higher risk.

In summary, the audit strategy documentation should meet the fundamental test required
under HKSA 230 in that an experienced auditor would be able to understand how the audit is
to be approached, the nature of the major risks to be mitigated, the basis for the judgements
made, and how the strategy will be operationalised into a complementary audit plan.

5.2.1.2 Audit Plan Development


The audit plan is a detailed list of the specific audit procedures applied to obtain the required
evidence for specific account balance assertions or classes of transactions.

HKSA 300, paragraph 9, states:

The auditor shall develop an audit plan that shall include a description of:

(a) The nature, timing and extent of planned risk assessment procedures . . .

(b) The nature, timing and extent of planned further audit procedures at the assertion
level . . .

(c) Other planned audit procedures that are required to be carried out so that the
engagement complies with HKSAs.

In addition, the plan:

• Provides a record of proper planning of the audit work in a form that can be reviewed
and approved prior to the work being performed and then amended as necessary.

• Directs the work of the engagement team, especially junior staff, as to the specific
procedures to be undertaken.

• Evidences the work undertaken by having the engagement team member sign off on
each task completed and indicating the outcome.

• Provides documentation that facilitates the supervision and review processes by senior
staff as the audit progresses so that the plan can be updated as circumstances may
change during the audit.

The documentation of the plan can be in the form of a standard audit firm programme and
audit checklists modified to reflect the client circumstances or a plan developed specifically
for the circumstances of the client and unique to the client. The plan will specify the audit
objectives for the component of the financial information being audited and the procedures
to gather, document, and evaluate the evidence. Where sampling is to be used it should
address the number of transactions to be tested and the population from which the sample is
to be drawn.

For example, a basic audit programme for accounts payable could be as follows.

Audit Objectives
1. The accounts payable are financial obligations of the entity.

2. All accounts payable are recorded and accounted for.

3. Related party balances are identified and properly accounted for.

4. Accounts payable are properly presented and disclosed in the financial report.

Audit Procedures
• Obtain a listing of accounts payable, check the additions, and compare the total to the
general ledger.

• Select a sample of recorded accounts payable and check against the creditor’s
statement.

• Select a sample of creditors' invoices and check that they have been correctly recorded.

• Select a sample of accounts payable and confirm the amount with the creditor.

• Identify any balances outstanding for a lengthy period and obtain an explanation.

• Examine a sample of invoices recorded after the balance date and ensure that they
have been recorded in the correct accounting period.

• Examine a sample of payments after the balance date and check that the accounts
payable were recorded in the correct accounting period.

Depending on the nature and complexity of the client’s computer systems, these
procedures may need to be completed using audit software.

Whether completed through a paper trail or electronically, the member of the engagement
team completing the procedures will record that the procedure has been completed and record
the details of the transactions and balances tested and the results of the testing.

The documentation of the testing and the outcome will be reviewed to determine whether
the audit plan needs to be amended to include more and/or different procedures, or whether
the results are consistent with the auditor’s expectations and the evidence obtained is sufficient
and appropriate to support a conclusion on the specific financial statement assertions reflected
in the audit objectives for that identified financial statement item.

In summary, the audit plan specifies the audit objective(s) and detailed procedures to be
performed to gather and document the evidence, and the basis for the conclusions drawn from
evaluating that evidence in relation to specific financial report assertions.

Knowledge Check Questions

Question 5
Auditing standards require that auditors prepare documentation as evidence to support the
basis for the audit opinion. Explain what an experienced auditor, without any connection
with the audit, should be able to understand by reviewing the audit workpapers.

5.3 GAINING INITIAL UNDERSTANDING OF THE ENTITY AND ITS ENVIRONMENT, INCLUDING THE USE OF PRELIMINARY ANALYTICAL REVIEW PROCEDURES

The first step in developing the overall audit strategy is to obtain an understanding of the
entity and its business and the environment in which it operates, including any regulatory
requirements and the associated business and financial reporting risks.

This understanding is critical to the auditor making sound judgements as to the areas of
audit focus and the risk of material misstatement in the financial statements as a whole. This in
turn determines the nature, timing, and extent of the detailed audit procedures to be included
in the audit plan in relation to individual financial statement assertions, which are determined
to be significant to understanding the financial statements and to obtain sufficient appropriate
audit evidence to support the auditor’s opinion. This will also identify the resourcing
requirements, including any potential reliance on the internal audit or, in the case of a client
with subsidiaries or branches, the work of other auditors.

HKSA 315 (Revised 2019) Identifying and Assessing the Risks of Material Misstatement,
paragraph 11, states:

The objective of the auditor is to identify and assess the risks of material misstatement, whether
due to fraud or error, at the financial report and assertion levels, thereby providing a basis for
designing and implementing responses to the assessed risks of material misstatement.

HKSA 315 (Revised 2019) requires the auditor to obtain an understanding of the
entity and its environment, the applicable financial reporting framework and the entity’s
accounting policies and reasons for changing those policies, the susceptibility of assertions
to misstatement due to inherent risk and the entity’s system of internal control. This provides
the foundation for developing initial expectations about the classes of transactions, account
balances and disclosures relevant to developing an audit strategy and plan. These matters
are regarded as being interdependent and facilitate the identification and assessment of the
preliminary expectation of risk. The audit strategy and plan may be modified as the initial
understanding and risk expectations are enhanced as a result of applying audit evaluations
during the audit process.

Obtaining this required understanding means the auditor needs to determine and assess
the factors that may affect the business risks facing the entity. Business risk is the risk that an
entity may not achieve its business objectives or implement its strategies due to internal and
external conditions, events or circumstances, actions or inactions. Understanding business
risk and the extent to which it has financial consequences is a factor in assisting the auditor to
identify and assess the potential for material misstatements in the financial statements, and
identifying transactions and events that may require specific or more detailed procedures when
developing the audit plan.

Applying HKSA 315 (Revised 2019) to understand business risk includes assessing
information about a range of matters including the state of the industry within which the entity
operates and its position in that industry, the applicable financial reporting framework and
accounting policies applied, regulatory requirements, the entity’s operations, ownership and
governance structure, its business model and the extent to which that model integrates IT,
business strategies and policies, types of investments, and financing structure. Paragraphs
A56–84 of HKSA 315 (Revised 2019) contain an extensive explanation and listing of these
matters, which are summarised in the following sections.

5.4 THE ENTITY’S BUSINESS MODEL

One of the significant features of the entity and its environment that affects business risk is the
entity’s business model. Appendix 1 to HKSA 315 (Revised 2019) identifies the considerations
for understanding the entity and its business model. It notes that the business model includes
strategies by which management plans to achieve its objectives and address the risks and
opportunities facing the entity. The model could include, for example, the scope and scale of
the entity’s operations, the markets or geographical or demographic areas of interest in which
it operates, the resources necessary for success and its use of IT. A business risk can arise from
these characteristics and can impact the risk of material misstatement at the assertion level.
The following characteristics arising from an entity’s business model are matters that may
indicate a business risk, and may need to be considered when obtaining an understanding of
the entity, for example:

• Business operations, nature of products, services, involvement in e-commerce, joint
ventures, geographic dispersion and location of production facilities.

• Investments and investing activities such as planned acquisitions, investments in or
disposal of securities and loans.

• Financing and financing activities such as changes in structure of subsidiaries, debt
structure, leasing arrangements and the use of derivatives.

The entity’s business model and strategies also indicate the ability of the entity to react to
changes in the circumstances facing the entity and the business risks that could increase the
susceptibility to the risk of material misstatement.

5.4.1 Organizational and External


In applying the requirement to obtain an understanding of the entity and its environment, in
addition to understanding the entity’s business model, HKSA 315 (Revised 2019) identifies the
following factors that need to be considered:

• The complexity of the entity’s structure, for example whether the entity is a single entity
or includes subsidiaries or other components in multiple locations. The more complex
the structure the greater the potential for material misstatement;

• The relationship between owners and other entities and individuals (which may, among
other matters, indicate the existence of related parties);

• The distinction between the owners, those charged with governance and management.
For example, in a less complex entity the owners may also be the managers compared
with a listed entity where there is a clear distinction between the management, owners
and directors;

• The organizational structure and governance, for example where those charged with
governance hold positions such as directors, and the existence of sub-groups such as
an audit committee (which may say much about how controls and performance are
regarded and assessed);

• The structure and complexity of the IT environment, for example the level of integration
of IT systems (which may indicate whether a complex IT environment needs to be
addressed);

• Regulatory changes such as tax laws and prudential requirements (which may require
changes in financial systems and reporting); and,

• The entity’s basis and processes for selecting and applying accounting policies and the
reasons for any changes (which may draw attention to significant transactions such as a
business combination).

5.4.2 Financial Performance


Understanding how the entity’s financial performance is measured internally
and externally is also an important factor to consider, as such measurement creates pressure
on entity management to meet financial targets. For example, financial institutions may need to
meet regulatory requirements such as capital adequacy and liquidity ratios. The auditor’s
understanding of these matters would identify the risk of material misstatement arising from
efforts to ensure that such targets are met.

5.4.3 Financial Reporting Framework


The understanding of the applicable financial reporting framework involves considering the
basis for the selection and application of accounting policies and changes thereto and the
reasons why. For example, the auditor would consider industry specific practices, accounting
for unusual transactions and new accounting standards.

Based on the auditor’s understanding of the matters identified in sections 5.4.1–5.4.3, the auditor
gains an understanding about how inherent risk factors could impact compliance with the
applicable financial reporting framework. This is dealt with further in Section 5.6.

5.4.4 System of Internal Control


HKSA 315 (Revised 2019), paragraph 12(m), defines the system of internal control as: ‘The system
designed, implemented and maintained by those charged with governance, management and other
personnel, to provide reasonable assurance about the achievement of the entity’s objectives with
regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance
with applicable laws and regulations.’

The auditor is mainly concerned with those aspects of the internal control system that
concern the reliability of financial reporting, but also compliance with laws and regulations
insofar as this might impact on the financial statements.

5.4.4.1 Planning and Risk Assessment


A key aspect of planning the audit of an entity is identifying and assessing the risks of material
misstatement. Misstatements may arise because of error, theft or fraud. The audit plan is
designed to focus on areas of high inherent risk, that is, risks associated with the entity’s
business model, its personnel and its environment. The entity’s internal control system exists to
ensure that misstatements are prevented, or are detected and corrected.

An effective control system, one that provides a low level of control risk, can greatly
increase the efficiency of an audit because an efficient audit plan will emphasise tests of
controls rather than substantive tests of details. Before such a plan can be adopted, however,
the auditor must assess the level of control risk. Only when the entity’s control system is
operating effectively can a control-based audit be adopted.

It is normal for some of an entity’s accounts, typically those with large volumes of similar
transactions, like the sales account, to be well controlled with automated systems. In contrast,
accounts characterised by small volumes of unique transactions like share capital, will be
controlled more or less informally by the executive function. An audit plan for such an entity
will accordingly rely mainly on tests of controls for the high-volume accounts and substantive
tests of detail for the low-volume accounts.

5.4.4.2 Limitations of Control Systems


While well-designed control systems are effective in reducing audit risk, they have a number of
inherent limitations: their failure to address low-volume accounts is noted above, and errors in
human judgement, lack of understanding and failure of personnel to take appropriate action
are all common. Additionally, controls can be circumvented by collusion of employees, collusion
between employees and outsiders or management override. A third limitation arises when
control systems are inadequate because they are under-resourced. Effective control systems
are expensive to design, implement and operate, and management may not appreciate their
importance until serious problems arise.

5.4.4.3 The Audit of Control Systems


HKSA 315 (Revised 2019) identifies five components of an internal control system, and requires
the auditor to obtain an understanding of and evaluate the effectiveness of each component.

It is important to note that the five components of a system of internal control identified
in HKSA 315 (Revised 2019) are unlikely to reflect an entity’s actual system of internal
control. A huge variety of internal control systems exists. Even where two entities’ businesses
are very similar in size, structure and activity, their control systems are unlikely to be similar.
However, it is important for auditors to determine whether the appropriate characteristics
of a control system as identified in HKSA 315 (Revised 2019) are present and effective.

Also noteworthy is the issue of scalability as addressed in HKSA 315 (Revised 2019)
paragraphs A99–100. Auditors should not expect the internal control systems of small and large
organisations to be similar. While the five components of internal control should be addressed
by all organisations, the way that this is achieved will differ widely, in terms of system structure,
documentation and resourcing. Large organisations would be expected to have sophisticated,
highly automated, well-documented and well-resourced control systems, while small
organisations are likely to rely on a simpler and cheaper system with little or no automation or
documentation. What is important is that all five internal control components are addressed in
every organisation in a way appropriate to its needs, and that the auditor is able to identify any
risks of material misstatement that may exist.

In the remainder of this section, each of the five internal control system components is
described. The key understandings of the component to be sought by the auditor are identified
and the evaluation that must be carried out by the auditor to determine the adequacy of the
component is described. The evaluation enables the auditor to achieve their key audit planning
objective: to identify risks of material misstatement that may exist in the entity’s financial
statements.

Component 1. The Control Environment

[HKSA 315 (Revised 2019) 21, A99–A108, and Appendix 3 para 4–6]

The control environment is fundamental. Other components of the control system may appear
adequate, but without the foundation of an appropriate control environment, the adequacy of
controls cannot be assumed. The control environment incorporates the following elements:

• The entity’s culture and management’s commitment to ethical values.

• The board’s independence from management and their level of oversight of the internal
control system.

• The assignment of authority and responsibility to key personnel.

• Policies for the recruiting, training and the regular appraisal of qualified, experienced
and ethical personnel.

• Establishment of performance measures, incentives and disciplinary procedures for
those responsible for the entity’s system of internal control.

Audit evidence and risk evaluation

The control environment is defined by the attitudes, awareness and actions of the board
and management regarding the entity’s system of internal control. The auditor shall obtain
an understanding of the control environment relevant to the preparation of the financial
statements. Key information includes:

• How management’s oversight responsibilities are carried out, including the entity’s
culture and commitment to integrity and ethical values.

• The board’s oversight of management’s control activities.

• How the entity attracts, develops and retains competent individuals.

• How the entity holds individuals accountable for their control system responsibilities.

The auditor shall evaluate whether:

• Management, with the oversight of the board, has created and maintained a culture of
ethical behaviour.

• Deficiencies identified in the control environment undermine the other components of
the entity’s system of internal control.

Component 2. The Entity’s Risk Assessment Process

[HKSA 315 (Revised 2019) 22–23, A109–A113, and Appendix 3 para 7–9]

Risk assessment is a process carried out by an entity to identify and analyse risks that might
affect the achievement of its objectives. Identification and analysis are the first two steps in the
entity’s risk management process. With respect to financial reporting, risk assessment is
focused on fraud and error in the application of the entity’s financial reporting framework.


Risks may arise due to many factors:

• New personnel, technology, products, activities or competitors;

• New or updated information systems and IT;

• Expansion of the size or location of operations;

• Changes in the operating environment;

• Corporate restructuring; or

• Changes in the financial reporting framework.

Audit evidence and risk evaluation

The auditor shall determine if the entity’s risk assessment process is adequate to the
preparation of the financial statements by:

• Identifying business risks relevant to financial reporting objectives;

• Assessing their significance and the probability of their occurrence; and

• Addressing those risks.

If the auditor identifies risks of material misstatement that management failed to identify,
the auditor shall determine whether any such risks are of a kind that the auditor expects should
have been identified by the entity’s risk assessment process and, if so, obtain an understanding
of why the entity’s risk assessment process failed.

Component 3. The Entity’s Process for Monitoring the System of Internal Control

[HKSA 315 (Revised 2019) 24, A114–A122, and Appendix 3 para 10–14]

Monitoring is a process of systematic and iterative review. An entity must monitor its internal
control system to ensure controls are operating as intended and to take remedial action on a
timely basis where controls are not working. For example, an important internal control carried
out by most entities is the bank reconciliation. Management would monitor this control by
regularly checking that the reconciliation is prepared on a timely basis, and by checking the
accuracy of the reconciliation. Where the reconciliation is not timely or accurate, management
would take action to rectify the situation.

In many instances, monitoring is carried out by automated systems that report on transactions
that exceed established limits or that involve parties unknown to the entity. Monitoring may be
carried out by review of the reports or by testing the system through intentional entry of out of
limit transactions to ensure these are appropriately identified by the system.

Important sources of information for monitoring include complaints and enquiries
submitted by customers, regulators, external auditors and other external parties.

Monitoring activities will vary depending on the risks faced by the entity. In a dynamic
environment, monitoring is most likely to be an ongoing activity and is often carried out by the
entity’s internal audit function.


Audit evidence and risk evaluation

The auditor shall obtain an understanding of the monitoring of the system of internal control
relevant to the preparation of the financial statements by identifying the entity’s:

• Process for review of monitoring activities;

• Information used;

• System for identification and remediation of control deficiencies;

• Internal audit function, including its nature, responsibilities and activities;

• The basis upon which management considers the information to be sufficiently reliable
for the purpose; and

• Evaluating whether the entity’s process for monitoring the system of internal control is
appropriate given the nature and complexity of the entity.

Component 4. The Information System and Communication

[HKSA 315 (Revised 2019) 25, A123–A146, and Appendix 3 para 15–19]

The information system relevant to the preparation of the financial statements consists of
policy documents and of accounting and supporting records such as journals and invoices. The
purpose of the information system is to:

• Initiate, record and process entity transactions:

    ◦ transactions arising with external parties (e.g. sales) and internally through business
      processes (e.g. manufacturing).

• Identify and correct processing errors.

• Accumulate processed transactions in a general ledger.

• Capture, process and disclose information about events other than transactions (e.g.
depreciation).

• Maintain accountability for assets, liabilities and equity.

• Ensure information required by the financial reporting framework is appropriately
reported in the financial statements.

Communication refers to the transmission of documentary (e.g. policy manuals, exception
reports, financial reports) or oral information. Communication in the context of this component
of the internal control system would focus mainly on the communication of information
relevant to individual roles and responsibilities.

Audit evidence and risk evaluation

The auditor shall obtain an understanding of the entity’s information system and communications
relevant to the preparation of the financial statements by identifying the entity’s:

• Information processing activities, including its data and information.

• The resources, including IT resources, to be used in information processing activities.

• The accounting policies for significant classes of transactions that define account
balances and disclosures.

The auditor shall determine how information flows through the entity’s information system,
including:

• How transactions are initiated.


• How information about transactions is recorded, processed, corrected as necessary and
incorporated in the general ledger and in the financial statements.

• How information about events and conditions, other than transactions, is captured,
processed and disclosed in the financial statements.

• The financial reporting process used to prepare the entity’s financial statements,
including disclosures.

• How the entity communicates significant matters relevant to the financial statements
and the system of internal control within the entity, between management and the
board and with external parties.

And finally, the auditor shall evaluate whether the entity’s information system and
communications appropriately support the preparation of the entity’s financial statements.

Component 5. Control Activities

[HKSA 315 (Revised 2019) 26, A147–A181, and Appendix 3 para 20–21]

Control activities relevant to this component of the internal control system include information
processing controls and general IT controls. Information processing controls are designed to
address risks to the completeness, accuracy and validity of transactions and other information
at the assertion level. Where an entity uses automated information processing controls, general
controls over IT applications are also important.

Examples of control activities include:

• Authorisations and approvals verify the validity of a transaction (e.g. a sale).

• Reconciliations compare two or more data elements for agreement (e.g. the bank
balance and the cash account).

• Verifications compare an item with a policy (e.g. a sales price with a price list).

• Automated transactions (e.g. ordering of inventory at the economic order quantity).

• Segregation of duties (e.g. between initiating transactions, recording transactions and
access to assets).

• Physical (e.g. locks).

• Logical (e.g. passwords).

• Counts (e.g. of cash or inventory).

Audit evidence and risk evaluation

The auditor shall obtain an understanding of control activities by identifying controls that
address risks of material misstatement at the assertion level including:

• Controls that address a significant risk.

• Controls over journal entries, including journal entries used to record non-recurring,
unusual transactions or adjustments.

• Controls that will affect the auditor’s determination of the nature, timing and extent of
substantive testing.


Note that where multiple controls address the same risk, it is not necessary to identify all of
those controls. Based on the significant controls identified above, the auditor should:

• Identify the IT applications used, the risks arising from the use of IT and the entity’s
general IT controls that address the risks.

• Evaluate whether the control activity, whether individually or in combination with other
controls, is designed effectively to address the risk of material misstatement at the
assertion level.

• Determine whether the control has been implemented by performing procedures in
addition to inquiry of the entity’s personnel. Such procedures might include observation
or reperformance.
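One way to reperform the journal-entry controls listed above (authorisation and segregation of duties) over an extract of entries, as an added example that is not part of the original text. The extract, its column names, the user names and the approval limits are all constructed assumptions.

```python
import csv
import io
from collections import Counter
from decimal import Decimal

# Constructed journal-entry extract; the column names are assumptions.
JOURNAL_CSV = """\
entry_id,source,prepared_by,approved_by,posted_by,amount,account
JE-1001,system,svc_sales,bchan,svc_gl,1250.00,4000-Sales
JE-1002,manual,alee,alee,alee,98000.00,1200-Receivables
JE-1003,manual,cwong,,cwong,15000.00,5100-Adjustments
JE-1004,manual,cwong,bchan,dlam,250000.00,5100-Adjustments
JE-1005,system,svc_ap,bchan,svc_gl,640.50,2000-Payables
JE-1006,manual,dlam,bchan,dlam,7200.00,6100-Expenses
JE-1007,manual,alee,bchan,dlam,3100.00,6100-Expenses
"""

# Assumed authorisation policy: approver -> largest amount they may approve.
APPROVAL_LIMITS = {"bchan": Decimal("100000"), "alee": Decimal("20000")}


def load_entries(csv_text):
    """Parse the extract and convert amounts to Decimal."""
    entries = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["amount"] = Decimal(row["amount"])
        entries.append(row)
    return entries


def reperform_controls(entries, limits):
    """Return {entry_id: [exception codes]} for manual journal entries.

    System-generated entries are out of scope here: they depend on automated
    information processing controls and general IT controls instead.
    """
    exceptions = {}
    for e in entries:
        if e["source"] != "manual":
            continue
        found = []
        preparer, approver, poster = e["prepared_by"], e["approved_by"], e["posted_by"]
        if not approver:
            found.append("AUTH_MISSING")           # no authorisation evidence
        else:
            if approver == preparer:
                found.append("SOD_SELF_APPROVAL")  # initiator approved own entry
            limit = limits.get(approver)
            if limit is None or e["amount"] > limit:
                found.append("AUTH_OVER_LIMIT")    # approver lacked the authority
        if poster == preparer:
            found.append("SOD_PREPARE_AND_POST")   # initiating and recording combined
        if found:
            exceptions[e["entry_id"]] = found
    return exceptions


def summarise(entries, exceptions):
    """Population tested, entries with deviations, and deviations per control."""
    tested = sum(1 for e in entries if e["source"] == "manual")
    per_control = Counter(code for codes in exceptions.values() for code in codes)
    return {
        "tested": tested,
        "with_exceptions": len(exceptions),
        "per_control": dict(per_control),
    }


if __name__ == "__main__":
    entries = load_entries(JOURNAL_CSV)
    exceptions = reperform_controls(entries, APPROVAL_LIMITS)
    for entry_id, codes in exceptions.items():
        print(entry_id, ", ".join(codes))
    print(summarise(entries, exceptions))
```

The deviations per control feed the auditor's judgement on whether the control is designed effectively and has been implemented; inquiry of personnel alone would not surface them.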

5.4.5 Audit Strategy


Within the framework outlined in Section 5.4.3, the initial understanding of the components
of internal control is to assess whether the design of controls is consistent with the objective
of effectively preventing, detecting, or correcting material misstatements in the accounting
system and related operational systems. It is important to understand the extent to which the
control system comprises manual and automated components, as this affects the auditor’s risk
assessment and the basis for determining further audit procedures; for example, whether the
audit strategy should recognise the need for specialist IT resources in the audit team or the use
of audit software and how this will flow through to the audit plan.

Understanding and subsequently assessing the effectiveness of internal controls allows the
auditor to consider the effect of internal control weaknesses and potential errors that might
occur in the financial reporting process. This is significant to developing the audit strategy as
the auditor needs to make a judgement as to the extent that reliance can be placed on the
system of internal control, which affects the nature, timing and extent of the more detailed
audit procedures to be included in the audit plan, including the extent of testing of the
control system.

For example, if the initial assessment of internal control is that it can be relied upon, the
audit strategy will be to test the system, thereby reducing the nature, timing, and extent of
substantive tests of transactions and balances and analytical procedures. On the other hand,
if the understanding of the system indicates that it is a weak system and reliance cannot be
placed on it, then the audit strategy will be one based on substantive procedures involving
extensive testing of transactions and balances and analytical procedures, and the audit plan is
developed accordingly.

Obtaining an understanding of the entity and the environment in which it operates is
important because it impacts the auditor’s assessment of risk from which the auditor devises
specific audit procedures to be applied to those areas of the financial statements that are
at risk of material misstatement. If the auditor does not gain a sufficient understanding, a
thorough risk assessment is unlikely and hence audit risk (the risk that the auditor expresses an
incorrect opinion on the financial statements) is increased.

HKSA 315 (Revised 2019) recognises that the nature and extent of risk assessment
procedures used by the auditor and the way in which the entity’s system of internal control is
designed, implemented and maintained are scalable (that is, they differ according to the size
and complexity of the entity), and will also vary based on the nature of the entity (for example,
for a financial institution that takes customer deposits compared to a manufacturing entity).


5.4.6 Information Sources for Obtaining an Understanding


Exhibit 5.2 indicates the broad sources of information that provide an understanding of an
entity, its environment, and controls.

EXHIBIT 5.2 Sources of information that provide an understanding of an entity, its
environment, and its controls

Information from the firm: Partner; Manager; Last year’s team; Last year’s audit file.

Information from external sources: Websites; Trade press; Credit agencies; Public filing
records; Industry experts.

Information from the auditor and information from the client: Discussion; Observation;
Prior experience; Website; Brochures.

In particular, the auditor’s understanding of the client and its environment can be obtained
through discussion with entity management and operational personnel, including internal
audit, review of entity documentation, correspondence, manuals, legal correspondence,
industry publications, budgets, board minutes, significant agreements and contracts,
observation of operations and inspection of the plant and facilities, and the application of
preliminary analytical procedures on entity data.

Within the broad framework identified earlier from HKSA 315 (Revised 2019),
the understanding of the matters relating to the entity and its environment
can be addressed at three levels. The following is a brief summary of the levels
at which those matters can be addressed.

1. Entity Level

The auditor is required to gain an understanding as to the nature of the entity,
which includes:

• Its operation.

• Its ownership and governance structures.

• Its business model.

• The types of investments it makes.

• The way it is structured and financed.


In addition, HKSA 315 (Revised 2019) requires the auditor to understand:

• The entity’s selection and application of accounting policies.

• The entity’s objectives, strategies, and related business risks.

• The measurement and review of the entity’s financial performance.

• The internal controls relevant to the audit.

If the entity has an internal audit function, the auditor must also obtain an
understanding of that function; in particular, the role that internal audit plays in
monitoring the entity’s internal control environment over financial reporting.

2. Industry Level

The auditor must obtain an understanding of the entity at the industry level. This
requires a much broader understanding of the business and the impact of external
factors than at the entity level, for example:

• The market and competition, including demand, capacity, and price competition.

• Cyclical or seasonal activity.

• Product technology relating to the entity’s products.

• Energy supply and cost.


Linked to risks at the industry level are regulatory factors that the auditor must
also consider. HKSA 315 (Revised 2019) recognises that the industry in which the entity
operates may give rise to specific risks of material misstatement arising from the
nature of the business or the degree of regulation. For example, long-term contracts
may involve significant estimates or revenues and expenses that give rise to risks of
material misstatement. The auditor may consider the following matters arising from the
regulatory environment:

• Accounting principles and industry-specific practices.

• The regulatory framework for a regulated industry, including disclosure
requirements.

• Legislation and regulation that impact the entity’s operations, including direct
supervisory activities.

• Taxation (corporate and other).

• Government policies currently affecting the entity’s business, such as monetary
policy, foreign exchange, fiscal policy, tariffs or other trade restriction policies.

• Environmental requirements.

3. Economy Level

When gaining an understanding of the client the auditor assesses how economy-level
factors affect the client. This includes an assessment of economic upturns and
downturns (recession), a change in interest rates, and currency fluctuations. Here the
auditor is concerned with the entity’s susceptibility to any changes and its ability to deal
with economic pressures.


When the economy is strong, entities are generally under pressure to perform well
or, at the very least, better than their competitors. Company shareholders, for example,
will expect an improvement in profits, and therefore the focus of the auditor’s attention
will be overstatement of revenue and understatement of expenses because the
inherent risk is that management wish to meet shareholders’ expectations and report
a healthy profit and strong balance sheet position.

When the economy is poor, management may purposefully understate profits
by maximising write-offs as a fall in profits can be easily explained as a downturn in
the economy. Here, the auditor’s focus is on the risk of understated revenues and
overstatement of expenses.

In addition to inquiries of management and other appropriate entity personnel,
and observation and inspection, HKSA 315 (Revised 2019), paragraph 14(b), mandates
analytical procedures as one of the risk assessment procedures to be applied in the
planning process.

Analytical procedures are defined as:

. . . evaluations of financial information through analysis of possible relationships
among both financial and non-financial data. Analytical procedures also encompass
such investigation as is necessary of identified fluctuations or relationships that are
consistent with other relevant information or that differ from expected values by a
significant amount.

Analytical procedures are applied at various phases of the audit process, i.e. in
planning, as a substantive test during the audit fieldwork to obtain evidence about
account balance or class of transactions assertions, and during the final stage of the
audit as part of an overall review of the financial statements.

When applying analytical review as a risk assessment procedure, HKSA 315 (Revised
2019) notes that analytical review may assist in identifying and assessing the risks
of material misstatement by directing attention to matters of which the auditor may
be unaware or understanding how inherent risk factors, such as change, impact the
potential for assertions to be misstated. This assists the auditor to focus on these areas
of potential concern when planning the audit.

Analytical procedures involve comparing recorded amounts or ratios developed
from recorded amounts to plausible expected outcomes established by the auditor
based on the auditor’s knowledge of the entity and its business. For example, the
following information may be used to develop the auditor’s expectations:

• Financial information from corresponding prior accounting periods.

• Predicted results based on budgets, forecasts, or interim financial results projected
for the full accounting period.

• Plausible relationships between components of the financial statements, such as
sales and accounts receivable.


• Industry information, trends, and statistics.

• Economic conditions and statistics.

• Analysts’ reports.

• The correlation between financial and non-financial information.

The advantages of applying preliminary analytical procedures at the planning
stage are:

• The auditor needs to obtain information about the entity and its industry to
implement these procedures, such as identifying the relevant industry data.

• The procedures identify potential risks, unusual transactions, and events or trends
that may indicate the risk of material misstatement in the financial statement and
that require attention during the audit, thereby facilitating the determination of the
nature, timing, and extent of audit procedures on a timely basis.

• Attention may be drawn to matters of which the auditor was unaware, requiring
further enquiries and investigation.

It must be remembered that the effectiveness of analytical procedures is a function
of the reliability of the data on which they are based. For example, data from external
sources are usually more reliable than internal data and internal data are more reliable
if the system of internal control is sound.

Common analytical procedures include:

• Comparisons with prior period data, industry statistics, or expectations.

• Ratio analysis involving calculations of ratios of one element of financial statement
data to another related element.

• Trend analysis involving the comparison of account balances over a period.

• Models based on, for example, time series modelling and regression analysis. These
are more complex techniques that can incorporate client operational data, external
industry, or economic data to predict account balances.

Apply and Analyse 2


As an audit partner, you and the new audit manager have just met with the management
of HWA Ltd and they have provided you with the following information:

• New competitors have entered the market and have managed to secure contracts
with some HWA customers and selling prices and profit margins are under pressure.

• The process of renewing contracts is very competitive and HWA is reacting
accordingly.

• The key member of the technical staff in product development has left to work for
one of the new competitors and has yet to be replaced.

• As a result of the increasing competitiveness in the industry, management is in
the process of expanding the business by diversification into the importation and
wholesaling of electrical appliances, a market and activity in which it has not been
involved before.

• The new product activity has been established as a new division within the
company with separate sales and purchasing staff, but integrated with the central
administrative function. The new division has been put in place and is about to
commence operations.

• Management has indicated that it may need to seek additional services from your
firm in relation to its move into the new industry.

Explain the implications of this information for your planning.

Analysis

The above are matters that the auditor would need to address in applying the
requirements of HKSA 315 (Revised 2019) in updating the understanding of the entity’s
organizational structure, governance, business model and use of IT. The auditor would
need to assess these events in terms of updating the assessment of the risk of material
misstatement.

The change in the entity’s organizational structure and business model indicates
that the client’s business risk has increased from prior years and indicates that the audit
strategy will need to be focused on the risk of material misstatement in the financial
statements in areas that were not as significant as in the past. Management’s inexperience
in the new area of the business and the challenges in managing the business in an
environment that they are not used to dealing with increases the inherent risk. The auditor
would need to review the systems, processes, and controls that management has in place
to manage both the increasingly competitive environment for its existing business and the
transition into the new business and industry, including any regulatory matters associated
with the new division and product.

The auditor will need to undertake a more extensive review of the business strategies
and updated business plan that management has put in place to deal with the change in
circumstances and whether the internal control systems and integration of IT are robust
enough to deal with the changes in circumstances and the potential for fraud and error.

The auditor will also need to assess how the entity has communicated its plans
and changes within the entity to address the risk that controls will be effective and that
the information system and other components of the system of internal control are
understood and implemented.

Attention will need to be given to the controls over the physical purchasing and sale of
the new products and inventory, as well as the accounting systems for those transactions.
Consideration will need to be given to a strategy that involves more extensive substantive
testing of account balance details and classes of transactions.

Areas that may require more audit attention as a result of the increased risk of
material misstatement are:

• Inventory obsolescence and valuation as sales may be declining and inventory
turnover may be declining or may not be meeting new technical requirements if
product development may not be as strong as in the past.

• Inventory valuation for the new products.

• Revenue recognition and recording.

• The recognition and accounting treatment of the costs of establishing the
new division.

• The risks associated with foreign exchange transactions on the products imported
by the new division.

• Cash flow and financing and the recognition and recording of accounts payable.

In addition, consideration will need to be given to what other services HWA may be
requesting and the implications for audit independence.

The change in circumstances indicates that the level of audit work that will need to
be undertaken will increase from previous years and the audit budget and fee will need to
be reassessed.

The composition of the engagement team will need to be addressed as to whether
the team has the knowledge to understand the transactions and events associated
with the new products and market or whether there will be a need for the use of experts
during the audit process. The level of supervision and review of junior staff may need to be
increased during the audit fieldwork as the risk of material misstatement has increased.

5.4.7 Entity Level


Bear in mind that the preliminary analytical review for planning will generally be undertaken at
an early point in the financial period under audit. Common techniques applied at this point are
the more basic comparisons and ratio analysis using data available at that early stage, which
will generally be unaudited, and interim data available at the time of the planning.

The auditor will need to use the results of these procedures in conjunction with other
information gained during the process of gaining an understanding of the entity, and
knowledge from the prior audit in a continuing engagement, as to whether any fluctuations
or variances from expected relationships warrant further investigation and discussion
with management. Maintaining an attitude of professional skepticism is important during
this process.

At this stage, comparing amounts from prior periods to identify significant changes in
account balances or against industry averages and budgets and investigating the reasons
for those changes provides useful information for planning purposes. For example, a simple
comparison of the level of accounts receivable compared with the same time for the prior
period, and indicating a significant increase in that balance while sales are at the same level for
the prior period, may indicate a problem with accounts receivable collection. This may suggest
that the provision for doubtful debts is an area of risk of material misstatement that needs
audit attention.

Similarly, significant variations from calculation of ratios and comparison with prior years,
budgets, and industry averages can highlight potential risks of misstatement and lead to
relevant inquiries about the client’s current activities and business conditions. It should be
understood, however, that ratios are calculated at a point in time, whereas they are most useful
when compared over time and when the relationships between the ratios are assessed for
consistency.
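The period-on-period ratio comparison described above, as an added example that is not part of the original text: it computes five of this section's ratios for two sets of figures and flags movements beyond a threshold, attaching the follow-up area the text associates with each. All figures, field names and the 10% threshold are constructed assumptions.

```python
# Constructed figures for the same point in two periods (not real entity data).
PRIOR = {
    "current_assets": 500_000, "current_liabilities": 250_000,
    "liquid_assets": 150_000,  # assumed: cash and short-term investments only
    "credit_sales": 1_200_000, "accounts_receivable": 150_000,
    "cost_of_goods_sold": 800_000, "inventory": 200_000,
    "gross_profit": 400_000, "net_sales": 1_200_000,
}
CURRENT = {
    "current_assets": 690_000, "current_liabilities": 300_000,
    "liquid_assets": 150_000,
    "credit_sales": 1_200_000, "accounts_receivable": 240_000,
    "cost_of_goods_sold": 810_000, "inventory": 300_000,
    "gross_profit": 390_000, "net_sales": 1_200_000,
}

# Ratio name -> (numerator, denominator), following the formulas in this section.
RATIOS = {
    "current_ratio": ("current_assets", "current_liabilities"),
    "quick_ratio": ("liquid_assets", "current_liabilities"),
    "accounts_receivable_turnover": ("credit_sales", "accounts_receivable"),
    "inventory_turnover": ("cost_of_goods_sold", "inventory"),
    "gross_profit_margin": ("gross_profit", "net_sales"),
}

# Planning follow-up keyed by (ratio, direction); wording paraphrases the text.
FOLLOW_UP = {
    ("current_ratio", "up"): "check whether slow receivables or high inventory explain the rise",
    ("current_ratio", "down"): "ability to meet short-term obligations",
    ("quick_ratio", "down"): "difficulty meeting current obligations, or misstated balances",
    ("quick_ratio", "up"): "possible accounting issues in the component balances",
    ("accounts_receivable_turnover", "down"): "collections and credit control; provision for doubtful debts",
    ("inventory_turnover", "down"): "obsolete or slow-moving inventory; inventory valuation",
    ("gross_profit_margin", "up"): "sales and inventory",
    ("gross_profit_margin", "down"): "sales and inventory",
}
DEFAULT_FOLLOW_UP = "inquire of management about the movement"


def compute_ratios(figures):
    """Compute each ratio in RATIOS from one period's figures."""
    ratios = {}
    for name, (numerator, denominator) in RATIOS.items():
        if figures[denominator] == 0:
            raise ValueError(f"{denominator} is zero; {name} is undefined")
        ratios[name] = figures[numerator] / figures[denominator]
    return ratios


def analytical_review(prior, current, threshold=0.10):
    """Compare ratios across periods and flag relative changes >= threshold."""
    before, after = compute_ratios(prior), compute_ratios(current)
    findings = []
    for name in RATIOS:
        p, c = before[name], after[name]
        change = (c - p) / p if p else float("inf")
        direction = "up" if change > 0 else "down"
        flagged = abs(change) >= threshold
        findings.append({
            "ratio": name,
            "prior": p,
            "current": c,
            "change": change,
            "flagged": flagged,
            "follow_up": FOLLOW_UP.get((name, direction), DEFAULT_FOLLOW_UP) if flagged else None,
        })
    return findings


if __name__ == "__main__":
    for f in analytical_review(PRIOR, CURRENT):
        mark = "FLAG" if f["flagged"] else "ok"
        print(f"{f['ratio']:<30}{f['prior']:>7.2f}{f['current']:>7.2f}"
              f"{f['change']:>+8.1%}  {mark}  {f['follow_up'] or ''}")
```

In the constructed data the current ratio improves only because receivables and inventory have built up while sales stayed flat, which is why the ratios need to be read together rather than one at a time.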

The basic ratios that may be useful at this point focus on entity internal relationships.
For example, the following ratios are often used:

Current ratio = Current assets / Current liabilities

This ratio is often referred to as the working capital ratio and provides an indication of
an entity’s ability to meet short-term obligations. A ratio of less than 1 may indicate that the
entity does not have short-term resources to meet short-term obligations. A ratio of greater
than 1 may indicate that the entity is solvent in the short term. It is important to consider the
components of this ratio in considering what it indicates; for example, a high ratio may be
the result of the fact that the entity does not collect accounts receivable quickly or has high
levels of inventory.

The nature of the business can also mean that the size or sign of the ratio differs. For
example, a business that collects and invests proceeds quickly, but pays creditors slowly,
may even have negative working capital at certain times of the trading cycle. However, the
pattern of inflows of proceeds may be such that there are no difficulties paying creditors in
due course.

It is important then, when assessing ratios, to have a good understanding of the business
and of how the ratios appear over time.

Quick ratio = Liquid assets / Current liabilities

This ratio provides an indication of short-term liquidity and the ability of an entity to meet
its short-term obligations with its most liquid assets that can be quickly realised, such as cash
and short-term investments. Items such as inventory would be excluded. Low ratios or a
declining ratio may indicate that the client is having difficulty in meeting its current obligations
or that there is a risk of material misstatement in the relevant account balances. Equally, a high
ratio or increase may indicate the risk of accounting issues in the component balances.

Accounts receivable turnover = Credit sales / Accounts receivable


This ratio can help in identifying the effectiveness of an entity’s credit sales policy and
in collecting accounts receivable. It measures how many times an entity collects receivables
during the period over which it is measured. A decline in this ratio may indicate problems with
collections or issues with the credit control system and the risk of material misstatement in the
provision for doubtful debts.

Inventory turnover = Cost of goods sold / Inventory balance

Inventory management is important as it can indicate how well the sales process is
generating sales of inventory. This ratio indicates the frequency with which inventory is turned
over in terms of the cost of manufacturing during the period. If the ratio is declining compared
with prior periods, or industry averages, it may indicate obsolete or slow-moving inventory and
raise issues of inventory valuation.

Gross profit ratio = Gross profit / Net sales

Unexpected or changing results in this ratio could occur for several reasons in the areas of
sales and inventory. It is a measure of how good an entity is at creating a product and selling
it. Unless circumstances change, the gross profit margin should remain relatively stable over
time and needs to be adequate to allow for the payment of operating expenses. It is a useful
ratio to compare business models with competitors, for example in terms of the costs of
manufacture.

Net profit ratio = Net profit / Revenue

This ratio is a measure of how much profit each dollar of sales generates. This measures
profitability after all expenses, with variations in the ratio indicating potential issues with the
recognition and recording of expenses.

Return on assets = Net profit / Total assets

This measures how profitable an entity is relative to the total assets. The higher the ratio
the greater is the efficiency with which assets are used to generate revenue. Net profit is
usually calculated before interest and taxes.

Debt to equity = Total liabilities / Shareholders’ equity

This ratio looks at the extent to which an entity is debt funded in financing its assets.
Increases in this ratio or the ratio being high relative to industry standards may indicate risks in
the areas of interest expense, cash flows, and the ability to meet financial commitments.


Any changes noted during the review of comparisons or ratios can highlight risks of
misstatement and should be discussed with management in order to seek an explanation. In
conjunction with other information obtained by the auditor, significant indicators of potential
misstatement should be reflected in the audit strategy and plan.
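
The entity-level ratio review described above, as an added worked example that is not part of the original text: it computes the eight ratios for two periods and flags the movements and cross-ratio inconsistencies that the text links to risks of misstatement. The figures, field names and the 5% movement threshold are assumptions constructed for illustration, and cash and short-term investments are taken as the liquid assets.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Period:
    """One period's figures in HK$'000 (constructed sample data)."""
    cash_and_investments: float   # liquid assets used for the quick ratio
    accounts_receivable: float
    inventory: float
    current_liabilities: float
    total_assets: float
    total_liabilities: float
    credit_sales: float
    net_sales: float              # also used as revenue for the net profit ratio
    cost_of_goods_sold: float
    net_profit: float


def ratios(p: Period) -> dict:
    """The basic entity-level ratios listed in the text."""
    current_assets = p.cash_and_investments + p.accounts_receivable + p.inventory
    equity = p.total_assets - p.total_liabilities
    return {
        "current": current_assets / p.current_liabilities,
        "quick": p.cash_and_investments / p.current_liabilities,
        "ar_turnover": p.credit_sales / p.accounts_receivable,
        "inventory_turnover": p.cost_of_goods_sold / p.inventory,
        "gross_profit": (p.net_sales - p.cost_of_goods_sold) / p.net_sales,
        "net_profit": p.net_profit / p.net_sales,
        "return_on_assets": p.net_profit / p.total_assets,
        "debt_to_equity": p.total_liabilities / equity,
    }


def review(current: Period, prior: Period, threshold: float = 0.05):
    """Return (relative change per ratio, list of (risk area, reason)).

    threshold is an assumed cut-off: a ratio that moves by less than 5% of its
    prior-period value is treated as steady.
    """
    cur, pri = ratios(current), ratios(prior)
    change = {name: (cur[name] - pri[name]) / pri[name] for name in cur}

    def fell(name):
        return change[name] <= -threshold

    def rose(name):
        return change[name] >= threshold

    def steady(name):
        return abs(change[name]) < threshold

    findings = []
    # Ratios are read together: a steady current ratio with a falling quick
    # ratio means the current ratio is being held up by inventory.
    if steady("current") and fell("quick"):
        findings.append(("liquidity", "current ratio held up by non-liquid assets"))
    if fell("inventory_turnover"):
        findings.append(("inventory valuation", "possible obsolete or slow-moving inventory"))
    if fell("ar_turnover"):
        findings.append(("doubtful debts", "collections slowing; review the provision"))
    # A lower gross margin should flow through to the net margin unless
    # expenses have also fallen or have not been fully recorded.
    if fell("gross_profit") and not fell("net_profit"):
        findings.append(("expense recognition", "net margin did not follow gross margin down"))
    if rose("debt_to_equity"):
        findings.append(("borrowings", "interest expense, cash flows and financial commitments"))
    return change, findings


# Constructed sample data for two periods.
PRIOR = Period(cash_and_investments=900, accounts_receivable=500, inventory=400,
               current_liabilities=900, total_assets=12000, total_liabilities=6000,
               credit_sales=6000, net_sales=12000, cost_of_goods_sold=6000,
               net_profit=3600)
CURRENT = Period(cash_and_investments=400, accounts_receivable=500, inventory=700,
                 current_liabilities=800, total_assets=14000, total_liabilities=8400,
                 credit_sales=6000, net_sales=14000, cost_of_goods_sold=7700,
                 net_profit=4200)

if __name__ == "__main__":
    movement, flagged = review(CURRENT, PRIOR)
    for name, value in ratios(CURRENT).items():
        print(f"{name:20s} {value:8.2f}  change {movement[name]:+.0%}")
    for area, reason in flagged:
        print(f"FLAG {area}: {reason}")
```

Each flag is a prompt for discussion with management and for the audit strategy, not a conclusion that a misstatement exists.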

Developments in IT also provide sources of information that could be used
for analytical purposes at the planning stage. The availability of databanks and data analytics
provides accessible information that can identify an array of relationships relevant to a client’s
business and financial reporting issues.

Databanks (data warehousing) provide a repository of aggregated information relating to
specific aspects of a client’s business and transactions. These databanks can be maintained
internally by the client as part of their business management systems or externally produced
and publicly available online, providing data about the industry in which the client operates.

More sophisticated data analytics are also available that use computer systems to identify
relationships that can be used in audit planning. These techniques take large volumes of raw
data and use software to, for example, apply algorithms that identify trends and relationships,
anomalies and comparisons with industry data.

These sources of information provide auditors of large clients who utilise these facilities,
or auditors who have the IT capacity to use this technology, with a broader range of analytical
procedures at the planning stage.

All the information, explanations, and decisions in terms of the impact on the strategy
and plan obtained during this phase of planning the audit should be documented in the audit
workpapers.

5.4.8 Industry Level


Preliminary analytical review at the industry level involves:
• Comparison of client ratios and other information with industry data.

• Direct use of industry publications and statistics to establish trends, expectations, or
understand developments in the industry sector(s) in which the company operates.

Both may identify potential problems or assist the auditor in understanding trends and
issues facing the client that should be reflected in the entity level data. Industry information can
often be more focused on qualitative information about the nature and developments in the
industry. For example, if through industry publications it is evident that technological advances
have recently made the industry riskier unless participants adapt their products quickly, the
audit strategy would need to recognise inventory obsolescence and valuation as areas of
potential risk.

5.4.9 Economy Level


As in the case of industry sources, data and statistics about the level of economic activity, and
general economic factors within the jurisdiction(s) in which the client operates, are relevant
analytical input for the strategy and plan. Depending on the nature of the client’s services and
products, the client’s business risk is impacted by trends in economic activity. Knowledge of this
through government publications or reports by economic analysts provides the auditor with
information that assists in developing informed expectations about relationships in areas of
the client’s business and financial reporting. Government policies may also impact the client’s
business risk. For example, government policy and economic factors may affect currency
exchange rates. A client involved in transactions with overseas entities will face risks due to
currency fluctuations that would affect account balances and the recording of transactions. The
risk of material misstatement and the client’s controls in this area would need to be addressed
in the strategy and plan.

Another example would be information about credit conditions when assessing the
collectability of loans in a financial institution. International Financial Reporting Standard
IFRS 9 Financial Instruments requires that expected losses be measured by evaluating a range
of possible outcomes, time value of money, and information relating to past events, current
conditions, and forecasts of future economic conditions. The standard requires that expected
credit losses be based on the probability of a loss occurring or not occurring. The loss model
therefore requires information about economic conditions.

In summary, preliminary analytical procedures provide a basis for identifying risks and
developing expectations about the client’s financial statement account balances, especially over
time. The development of an effective audit strategy and audit plan based on an understanding
of the entity and its environment is enhanced through the appropriate use of analytical
information.

Apply and Analyse 3


Following the meeting with HWA management, you undertake some preliminary analytical
procedures on the interim financial information to date and obtain the following results:

• The current ratio is 2 to 1, which is comparable to the prior year.

• The quick asset ratio is 0.5 to 1 and has declined from 1 to 1 in the prior year.

• The accounts receivable turnover ratio is steady at 12 compared with the industry
average of 6 in both its existing business and the new division.

• The inventory turnover ratio is 11 compared with 15 in the prior year and an
industry average of 13.

• The gross profit ratio is 45% compared to 50% in the prior period and the industry
average is 45%.

• The net profit ratio is 30% and remains similar to the previous period and a little
higher than the industry average.

• The return on assets ratio is 30% and is similar to prior periods.

• The debt to equity ratio is 1.5 compared to the prior year of 1.10 and the industry
average of 1.2.

In conjunction with the other information already provided by HWA, explain what
impact these results have on your planning considerations.



Analysis

Under HKSA 315 (Revised 2019), analytical procedures are to be applied in the risk assessment to
identify unusual or unexpected relationships, transactions and trends that may have audit
implications and to identify risks of material misstatement.

The level of the current ratio is indicative of a sound short-term liquidity position
and HWA’s ability to meet its current obligations. However, the decline in the quick ratio
suggests that the short-term liquidity position is not as strong as it has been. As the quick
asset ratio excludes inventory it may suggest that the sound current ratio is due to large
inventory holdings. Given the concerns expressed earlier about inventory obsolescence
and slow-moving inventory from the discussions with management, inventory is an area
of the audit that will need to be given increased attention in terms of control testing and
substantive testing.

The accounts receivable turnover ratio converts to receivables being collected within
30 days (365/12) compared with the industry average of 60 days (365/6). This is a high ratio
and indicates that the company is efficient in collecting its accounts receivable and has a
good customer base in terms of quick payment for goods supplied. It may also indicate
that it has a conservative credit policy in terms of offering credit sales. However, given the
increasingly competitive environment and the move into a new market, HWA may need
to change its approach to maintain or attract new customers, as indicated by the industry
average for the current business. The audit strategy will need to give greater attention to
this area and the provision for doubtful debts.

The inventory turnover ratio indicates a decline in the speed of moving inventory.
Converted to days in inventory (i.e. the number of days it takes to sell inventory), the
ratio has increased from 24 days (1/15 × 365) to 36 days (1/10 × 365) and is higher than
the industry average of 28 days (1/13 × 365). This again supports the possibility that
inventory is now becoming more difficult to move, which may point to a risk of obsolete
inventory. It also indicates that HWA may be incurring additional costs in holding inventory.
The audit strategy should also include consideration as to whether the controls and
business processes over production are reflecting the changing market circumstances and
product demand.

The gross profit ratio has declined, which is to be expected due to the pressure on
profitability and higher inventory levels, and is consistent with other firms in the industry.

The net profit ratio seems inconsistent with expectations based on the information
provided and the analytical results. As profitability is under pressure in the existing
business and the new division has yet to commence operations but has been established
and costs incurred, it would be expected that the ratio would be declining. This indicates
that consideration needs to be given to the recognition and accounting for expenses and
the costs of the new division.

The return on assets ratio is inconsistent with expectations given the competitive
pressures and expenses being incurred to establish the new division. This could indicate
a risk of material misstatement and warrants increased audit attention to revenue
and expense recognition and recording. This is especially significant given that the
management’s bonus share scheme is based on the company achieving a specified return
on assets.

The debt to equity ratio is declining, which indicates that HWA has increased its debt
levels in recent times to support its ongoing contracts and to fund the establishment of
the new division. The audit strategy will need to indicate a focus on auditing the terms and
conditions of new financing arrangements and the recording of increased borrowing costs,
which would also be expected to be reflected in a lower net profit ratio. Audit planning
should also indicate the need to consider HWA’s ability to meet its financial commitments
and the ability to generate revenue and cash flows and any loan covenants that may
now exist.

In summary, the preliminary analytical review has identified several issues that indicate
that the risk of material misstatement in the financial statements has increased from the
prior year. The audit strategy will need to address these matters, including the evaluation
of the impact of the establishment of the new division on the internal control systems and
greater reliance on substantive testing in the areas identified above.

The audit will also need to focus on the business model and processes and controls
that management have applied to support its ongoing viability and the ability to generate
future revenue streams to meet its financial commitments.

Knowledge Check Questions

Question 6
Identify why the auditor obtains an understanding of the entity and its environment.
A To understand the transactions and events that could affect the client’s financial
statements.
B To provide the client with recommendations to improve the system of internal control.
C To assess the level of known misstatements to determine whether the financial
statements overall are materially misstated.
D To understand how professional skepticism relates to the financial statement assertions.

Question 7
Identify which of the following is a client’s business risk.
A The risk that an entity may not achieve its business objectives due to internal and
external factors
B The risk that some account balances and transactions are inherently more susceptible to
error due to the nature of the client’s business.
C The risk that the auditor will face litigation arising from the audit.
D The risk that the auditor will give an incorrect audit opinion.



Question 8
Identify which of the following is not a typical analytical procedure.
A Reviewing the correlation between financial and non-financial information.
B Comparing client financial information with relevant industry information.
C Comparing the amount of recorded sales with the entity’s budget.
D Comparing the recorded amount of material cash payments with related invoices.

Question 9
Explain why analytical procedures are applied at the planning stage of the audit.

Question 10
The auditor is required to obtain an understanding of the entity’s organizational structure
and ownership. Identify which of the following is a matter to which this risk assessment
procedure is directed.
A The entity’s information processing activities
B The financial reporting process used to prepare the financial statements
C The distinction between the owners, those charged with governance and management
D The controls in place to determine the significant risks of material misstatement.

Question 11
The auditor designs and performs risk assessment procedures to obtain audit evidence to:
A Identify and assess the risk of material misstatement at the financial statement and
assertion levels
B Develop an audit strategy and plan appropriate to the entity’s circumstances
C Develop further audit procedures relevant to the entity’s circumstances
D Determine the form of the audit opinion to be issued.

5.5 AUDIT RISK COMPONENTS

Audit risk is a concept that is integral to audit planning and the process of developing an audit
strategy and plan. Its assessment requires an understanding of the entity and its environment,
the financial reporting framework and the entity’s system of internal control, including the
client’s business strategy and risks. With an understanding of these, the auditor can focus on
the potential impact on financial report assertions and the impact on audit risk. Audit risk is
assessed by the auditor at the planning stage and that assessment is reviewed as the audit
progresses.


Audit risk is defined in HKSA 200 Overall Objectives of the Independent Audit and the Conduct
of an Audit in Accordance with Hong Kong Auditing Standards, paragraph 13, as:

. . . the risk that the auditor expresses an inappropriate audit opinion when the financial
report is materially misstated. Audit risk is a function of the risks of material misstatement and
detection risk.

Paragraph 17 of HKSA 200 states:

To obtain reasonable assurance, the auditor shall obtain sufficient appropriate audit evidence to
reduce audit risk to an acceptably low level and thereby enable the auditor to draw reasonable
conclusions on which to base the auditor’s opinion.

Audit risk (AR) is a function of the risk of material misstatement and detection risk (DR).
HKSA 200, paragraph 13 states that the risk of material misstatement comprises inherent risk
(IR) and control risk (CR).

The risk of material misstatement exists at both the overall level, which impacts the whole
financial report and many assertions, and the assertion levels for classes of transactions,
balances, or disclosures.

Assessment of the risk of material misstatement at the assertion level forms the basis for
determining the nature, timing, and extent of audit procedures to obtain sufficient appropriate
audit evidence. The auditing standards recognise that there are different acceptable
approaches to assessing the risk of material misstatement. However, the relationship between
elements of the audit risk model is generally summarised as:

AR = IR × CR × DR

and application of the model can be in quantitative (percentages) or non-quantitative terms.
This will be illustrated further at the end of this section.

5.5.1 Inherent and Control Risk


As indicated in Section 5.5, the auditor is required to perform risk assessment procedures
to obtain an understanding of the entity and its environment and the applicable financial
reporting framework, including the entity’s accounting policies and the reasons for changes to
those policies. As a result, the auditor has a basis for understanding how inherent risk factors
may affect the likelihood and magnitude of misstatement of financial statement assertions.

Having identified risks of material misstatement at the financial statement level and
whether such risks affect risks at the assertion level, HKSA 315 (Revised 2019) paragraph
31 states:

'For identified risks of material misstatement at the assertion level, the auditor shall assess
inherent risk by assessing the likelihood and magnitude of misstatement. In doing so, the
auditor shall take into account how, and the degree to which:

(a) Inherent risk factors affect the susceptibility of relevant assertions to misstatement; and


(b) The risks of material misstatement at the financial statement level affect the
assessment of inherent risk of material misstatement at the assertion level.'

Inherent risk (IR) acknowledges that some account balance, transaction, and disclosure
assertions are more susceptible to misstatement, whether due to fraud or error, due to their
inherent nature or the client’s business and environment that creates complexity, subjectivity,
uncertainty or changes in events or conditions affecting the entity and before consideration
of any related controls. For example, complex and technical calculations are more likely to
have errors than simple calculations, and accounts based on estimates are inherently riskier.
The auditor needs to identify these areas and reflect the higher inherent risk in the audit
plan. Inherent risk can also be impacted because of external factors affecting the entity’s
business risk. Changes in economic conditions that create pressure on the entity’s business
and consequent uncertainty in relation to cash flows and working capital could, for example,
increase the risk of misstatement in order to maintain compliance with debt covenant ratios.
Similarly, the nature of the entity’s business itself may have inherent business risks that affect
inherent risk. An entity that operates in an industry that is subject to rapid technological
change, for example, faces a higher level of inherent risk in relation to inventory obsolescence.
Factors within the entity can also impact inherent risk. For example, an entity whose business
operations are highly IT dependent has a higher level of inherent risk than an entity that relies
on IT only for its financial accounting functions.

The greater the level of inherent risk due to complexity, subjectivity, change or uncertainty,
the greater is the susceptibility to misstatement. This is exacerbated by any management bias.
The auditor needs, in such circumstances, to apply professional skepticism. Management bias
may arise, either intentionally or unintentionally, where significant management judgement
is involved, for example in making accounting estimates or forming conclusions about
methodology, data and assumptions.

Depending on the degree to which inherent risk factors affect the susceptibility of
misstatement of an assertion, the level of inherent risk varies on a scale referred to as the
spectrum of inherent risk, and can be measured in quantitative or qualitative terms.

The following inherent risk factors are taken from Appendix 2 to HKSA 315 (Revised 2019)
which contains detailed guidance on understanding inherent risk factors in the following
categories:

• Complexity, for example a business model that includes joint ventures

• Subjectivity, for example where the applicable financial reporting framework allows a
range of possible measurement criteria such as depreciation

• Change, for example operations exposed to volatile markets such as futures trading

• Uncertainty, for example pending litigation and contingent liabilities

• Management bias or other fraud risk factors, for example a significant amount of
non-routine transactions such as intercompany transactions at year end.

Control risk (CR) is defined in the auditing standards as the risk that a misstatement that
could occur in an assertion about a class of transactions, account balance, or disclosure and
that could be material, either individually or when aggregated with other misstatements, will
not be prevented, detected, or corrected on a timely basis by the entity’s internal control.


This is a function of the design, implementation, maintenance, and monitoring of
internal control by management to address risks that threaten the achievement of the
entity’s objectives relevant to preparation of the entity’s financial statements. This recognises
the possibility that errors in recording may occur and not be detected during the normal
accounting process or that some assertions may be subject to a higher risk because of
weaknesses in control. For example, poor credit controls may result in some accounts
receivables not being collectible.

Control risk can vary between classes of transactions. For example, controls over routine
transactions such as the recording of sales may be strong, but controls over non-routine
transactions such as foreign currency transactions may be weaker. There will always be some internal control risk
because of the inherent limitations of internal control systems.

The Canadian Institute of Chartered Accountants’ (CICA) Research Study, ‘Extent of Audit
Testing’, identified four major factors affecting the level of control risk, which are as follows:

1. Evaluation of internal control. In general, the stronger the internal controls, the lower
the risk. After the assessment of control risk, auditors should carry out a test of control
to obtain reasonable assurance that the internal control on which they intend to rely is
operating effectively during the reporting period.

2. Work performed by internal and other auditors. If the audit client has an internal audit
function and the auditors decide to rely on work performed by the internal auditors
after the assessment, the control risk can be adjusted downwards. In addition, if the
auditor can rely on the work performed by another independent auditor in the case of
subsidiaries or branches, the control risk can also be lowered.

3. The nature of the audit trail. As defined by CICA, audit trail refers to the documentary
evidence either of compliance with internal control procedures or of the transfer of
accounting information from its point of origin through intermediate records to its final
inclusion in the general ledger. Lack of an audit trail suggests a high control risk.

4. Computerised accounting system. The existence of such a system and the use of the
computer as an audit tool will affect the assessment of control risk made by the auditor.

The combined risk of IR and CR is that a material misstatement has occurred and remains
undetected in the accounting records prior to the audit. These risks are the client’s risks and
exist independently of the audit of the financial statements, and, as such, cannot be changed
by the auditor. The auditor must make a preliminary assessment of these risks during
the planning stage of the audit based on the auditor’s understanding of those risks. That
assessment will then be reflected in the nature, timing, and extent of the audit procedures
detailed in the audit plan, which is the element of the model that the auditor does control, and
a final assessment will be determined as a result of the tests of control undertaken during the
audit process.

Paragraph A40 of HKSA 200 notes that the auditing standards do not ordinarily refer
to inherent risk and control risk separately, but rather to a combined risk of material
misstatement. However, the elements need to be assessed separately at the assertion level to
provide a basis for designing further audit procedures as part of the
audit plan.


5.5.2 Detection Risk


The third element of the audit risk approach is detection risk. This is defined in HKSA 200,
paragraph 13, as:

. . . the risk that the procedures performed by the auditor to reduce audit risk to an acceptably low
level will not detect a misstatement that exists and that could be material, either individually or
when aggregated with other misstatements.

At the planning stage detection risk is determined for each significant assertion and
would be revised during the audit if evidence indicates that the initial inherent and control
risks change.

Detection risk can arise from either:

• Sampling risk, where the sample may not be representative of the population and
therefore any conclusion would be different had the entire population been subject
to the audit procedure. This risk can be reduced by increasing the sample size or
stratifying the population into sub-populations of items with a particular characteristic.
This should be addressed while developing the audit plan when considering IR and CR.

• Non-sampling risk, where an incorrect conclusion arises from the application of inappropriate
or ineffective audit procedures, not applying the procedures correctly, or drawing
incorrect conclusions.

Detection risk relates to the inability of the auditors to examine all evidence. Audit evidence
is usually persuasive rather than conclusive, so some detection risk is usually present, allowing
the auditors only to seek ‘reasonable assurance’, not absolute assurance.

Detection risk can be controlled by the auditor through adequate planning, the selection
of an appropriate engagement team, and the nature, timing, and extent of audit procedures
selected when developing the audit plan. Throughout the audit process, detection risk is
evaluated on an ongoing basis, through the supervision and review process and the application
of professional skepticism, to ensure that the procedures are effectively applied, and
appropriate conclusions are being drawn.

In summary, the greater the risk of material misstatement (because of a high IR and/or CR),
the lower the level at which detection risk must be set. This will need to be reflected in the nature,
timing, and extent of the audit procedures in the audit plan.

HKSA 315 (Revised 2019), paragraph 13, requires that the risk assessment procedures be
designed and performed in a manner that is not biased towards obtaining audit evidence that
may be corroborative or towards excluding evidence that may be contradictory.

The following are examples of a non-quantitative application of the audit risk model. Let us
assume that:

AR = IR (High) × CR (High) × DR (Low)

There is an inverse relationship between the risk of material misstatement (IR and CR) and
detection risk. In the example, the risk of material misstatement is high:


• The auditor has made a preliminary assessment that the client’s system of internal control
is weak in relation to the transactions and account balance assertion being addressed.

• The nature of the transaction is inherently difficult or there is some motivation to
misstate the account balance.

Accordingly, detection risk needs to be kept low to reduce audit risk. The auditor will have
to plan to apply more substantive procedures to directly test the account balance. Testing the
operation of internal controls where those controls are weak would not provide the auditor
with any reliable evidence.

Assume now that the assessments were as follows:

AR = IR (Low) × CR (Low) × DR (High)

In this case, as the risk of material misstatement is low and as the input into the relevant
account balance is assessed as reliable, a higher detection risk can be accepted while keeping
audit risk at an acceptable level. The audit plan would focus on testing the control system and
only a minimal amount of work directly on the account balance. If, however, subsequent testing
of the internal control system found that it was not working as initially assessed, the CR would
need to be adjusted and the audit plan amended accordingly.

Some other potential relationships could include:

AR = IR (Medium) × CR (High) × DR (Low)

AR = IR (Low) × CR (Medium) × DR (High)

The judgements made at the planning stage are based on the auditor’s understanding of
the client’s business and its environment and need to be documented.
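
A quantitative counterpart to the non-quantitative combinations above, as an added example that is not part of the original text: it solves the audit risk model for detection risk, maps the result back to a level, and re-plans when tests of control show that controls are not working as assessed. The percentages attached to Low, Medium and High, the 5% acceptable audit risk, the detection risk bands and the response wording are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed percentages for the qualitative levels; the text gives no numbers.
LEVEL = {"low": 0.30, "medium": 0.60, "high": 1.00}
ACCEPTABLE_AUDIT_RISK = 0.05  # assumed "acceptably low level" of audit risk


def detection_risk(ir: float, cr: float, ar: float = ACCEPTABLE_AUDIT_RISK) -> float:
    """Solve AR = IR x CR x DR for DR, capped at 1 because a risk cannot exceed 100%."""
    for name, value in (("AR", ar), ("IR", ir), ("CR", cr)):
        if not 0.0 < value <= 1.0:
            raise ValueError(f"{name} must be in (0, 1], got {value}")
    return min(1.0, ar / (ir * cr))


def band(dr: float) -> str:
    """Map a detection risk percentage back to a level (assumed cut-offs)."""
    if dr <= 0.10:
        return "low"
    if dr >= 0.25:
        return "high"
    return "medium"


@dataclass(frozen=True)
class AssertionPlan:
    assertion: str
    ir: str
    cr: str
    dr: str
    response: str


def plan(assertion: str, ir: str, cr: str) -> AssertionPlan:
    """Planned detection risk and audit response for one assertion."""
    dr = band(detection_risk(LEVEL[ir], LEVEL[cr]))
    if cr == "high":
        # Testing controls assessed as weak yields no reliable evidence.
        response = "substantive procedures only; no reliance on controls"
    elif dr == "high":
        response = "test controls; minimal substantive work on the balance"
    else:
        response = "test controls and extend substantive procedures"
    return AssertionPlan(assertion, ir, cr, dr, response)


def revise_after_control_tests(p: AssertionPlan, controls_operating: bool) -> AssertionPlan:
    """Raise CR to high and re-plan if controls are not working as initially assessed."""
    return p if controls_operating else plan(p.assertion, p.ir, "high")


if __name__ == "__main__":
    # Assertion names are hypothetical; the IR/CR pairs are the four in the text.
    for name, ir, cr in [("Inventory valuation", "high", "high"),
                         ("Sales occurrence", "low", "low"),
                         ("Foreign currency payables", "medium", "high"),
                         ("Payroll accuracy", "low", "medium")]:
        p = plan(name, ir, cr)
        print(f"{p.assertion}: IR {p.ir}, CR {p.cr} -> DR {p.dr}; {p.response}")
    failed = revise_after_control_tests(plan("Sales occurrence", "low", "low"), False)
    print(f"After failed tests of control: CR {failed.cr}, DR {failed.dr}; {failed.response}")
```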

Exhibit 5.3 illustrates the elements of audit risk described in this section.

Audit risk
• Risks of material misstatement
  – At financial statement level
  – At assertion level
  – Inherent risks
  – Control risks
  Auditors perform risk assessment procedures to understand the entity and its environment
  and then assess the risks.
• Detection risks
  Auditors perform procedures in response to assessed risks to reduce audit risks to an
  acceptably low level.

EXHIBIT 5.3 Audit risk


The relationship between the components of audit risk is further elaborated in Exhibit 5.4.
It illustrates that the overall level of inherent risk of potential material misstatements is
mitigated through the entity’s internal control to prevent such misstatements, which is assessed
and tested by the auditor as to its effectiveness. The auditor then applies audit procedures to
account balances and classes of transactions to also detect material misstatements. Audit risk
is the residual to the extent that the internal control system and audit procedures fail to detect
material misstatements and that the risk of expressing an inappropriate opinion is to be kept to
an acceptably low level.

Auditor’s assessment of potential risks

• Inherent risk of misstatements due to the nature of client’s business

• Control risk: Control effectiveness – misstatements not detected by internal control

• Detection risk: Audit procedures

• Audit risk: Remaining misstatements not detected by the auditor

EXHIBIT 5.4 Audit risk as a residual

Apply and Analyse 4


Your discussions with management and your engagement team have revealed that the
risk of material misstatement in HWA’s financial statements has increased from prior years
due to a change in industry market conditions. Management has put in place a strategy to
deal with declining profits by creating a new division and expanding into a new market in
which they have no previous experience. To accommodate this there have been changes to
the system of internal control. Your preliminary analytical review also indicates that there
are potential risks of misstatement in the financial statements, particularly in the areas of
inventory, revenue, costs of the new division, foreign exchange fluctuations, and issues
arising from increased debt levels.

Based on the information obtained from management and the results of the
preliminary analytical procedures in relation to HWA Ltd, explain how you would reflect
this in the audit risk model.


Analysis

Due to the changes in the market for its established products and its moving into a new
market in which it has no experience, and some anomalies in the ratios, an assessment
of IR as high on the spectrum would appear warranted. There are several financial report
assertions that have been impacted by the change in circumstances.

Control risk would seem to warrant a medium risk classification. While no issues were
found in prior periods, the introduction of the new division would require changes to the
accounting and internal control systems that will need to be evaluated and, depending on
that evaluation, tested as to their effectiveness. This will need to be reflected in the audit
strategy and subsequently in the detailed procedures in the audit plan.

Based on these variables, DR would need to be classified as low to keep AR to an
acceptably low level.

AR = IR (High) × CR (Medium) × DR (Low)

In terms of the audit strategy, this suggests greater reliance on substantive tests of the
details of account balances, classes of transactions, and analytical procedures to obtain
sufficient appropriate audit evidence on which to base the audit opinion.

HKSA 200 indicates that reducing detection risk requires that the audit be well planned,
appropriate personnel be assigned to the engagement team and be properly supervised
and work reviewed, professional skepticism be applied, the nature, timing, and extent
of audit procedures be appropriate to the circumstances, and that they be effectively
performed and the results evaluated.

In the context of HWA, therefore, this suggests more extensive substantive tests of the
details of account balances and classes of transactions than in prior years, and that the
less experienced staff be closely supervised, and their work regularly reviewed.

Knowledge Check Questions

Question 12
Your client manufactures computer and photocopier printer cartridges and has a growing
problem of theft. Identify which of the following is the key audit risk that should be
addressed at the year-end.
A Recording of inventory purchases and sales
B Inventory existence
C Legal rights in relation to inventory
D Inventory valuation


Question 13
An auditor wishes to maintain audit risk at the level determined during the planning phase.
However, audit testing reveals that the initial level of control risk needs to be increased.
Identify what the auditor would need to do.
A Increase the tests of controls
B Increase inherent risk
C Decrease substantive testing
D Decrease detection risk.

Question 14
Explain what detection risk is and why it cannot be reduced to zero.

Question 15
Identify which of the following will increase inherent risk.
A There is evidence of incorrect reconciliations in the debtor’s statements.
B An entity has a new technological product and entered a volatile market in which it has
not previously operated.
C An entity operates in a stable and developed market.
D The entity’s management is renowned for its integrity.

5.6 RISK ASSESSMENT PROCEDURES AND RELATED ACTIVITIES

As indicated above, the planning process under the auditing standards requires the auditor to
obtain an understanding of the client, its business, and the environment in which it operates.
This provides a basis for the identification and assessment of the risk of material misstatement
at the overall financial statement and assertion levels. This section deals in more depth with
various aspects of the risk assessment process.

5.6.1 Understanding the Entity and its Environment


Discussions with management and other entity personnel involved in the financial statement
preparation process, observation and inspection, and preliminary analytical procedures
provide the basis for the risk assessment. This is supplemented by information obtained
during the acceptance or continuance process and the auditor’s previous experience with the
client from prior audits or the provision of other services. The audit partner also discusses the
susceptibility of the client’s financial statements to material misstatement with the senior
engagement team members.


Furthermore, as indicated in Section 5.3, HKSA 315 (Revised 2019) requires that the
auditor obtain an understanding of the entity and its environment, which was addressed
extensively in that section and can be summarized as:

• Relevant industry, regulatory, other external factors, and the applicable financial
reporting framework, for example supplier and customer relationships, technological
developments, and seasonal activity.

• The entity organization structure, operations, and ownership and governance
structures, types of investments, and financing arrangements.

• The basis for the entity’s selection and application of accounting policies and the
rationale for any changes.

• The entity’s objectives and business model and strategies and plans to achieve those
objectives. Business risks that might result in this regard may ultimately have financial
consequences and create risks of material misstatement; for example, the risks
associated with new products or services.

The auditor then uses this understanding in assessing how inherent risk factors affect the
potential misstatement of financial statement assertions.

This process also involves an initial assessment of the client’s system of internal control
relevant to financial reporting, and whether the entity has a process for identifying, assessing,
and dealing with business risks relevant to financial reporting. In combination with the
procedures identified in Sections 5.1 to 5.4 of this chapter, these are also elements included in
understanding the entity and its environment and the risk assessment process.

HKSA 315 (Revised 2019), paragraph 13, requires the auditor to evaluate the risk of
material misstatement, whether due to fraud or error, at both the financial statement level and
individual account balance assertion level. Risks of material misstatement at the financial
statement level are risks that are pervasive to the financial statements as a whole and could
impact a number of financial statement assertions. For example, circumstances conducive to
management override of internal control or the lack of competent management would increase
the risk of material misstatement at the assertion level generally, but not initially be identifiable
with a specific financial statement assertion. They may be extremely relevant to analysis of
the risks of material misstatement due to fraud.

HKSA 315 (Revised 2019), paragraph 13, requires the auditor to identify the risks of
material misstatement at the assertion level for classes of transactions, account balances, and
disclosures. This provides a more detailed framework for developing specific audit objectives
for material account balances and disclosures. These assertions fall into the following
categories:

1. Assertions about classes of transactions and events, and related disclosures, for the
period under audit:

a. Occurrence – transactions and events that have been recorded or disclosed have
occurred, and such transactions and events pertain to the entity.

b. Completeness – all transactions and events that should have been recorded have
been recorded and all related disclosures that should have been included in the
financial statements have been included.


c. Accuracy – amounts and other data relating to recorded transactions and events
have been recorded appropriately and related disclosures have been appropriately
measured and described.

d. Cutoff – transactions and events have been recorded in the correct
accounting period.

e. Classification – transactions and events have been recorded in the proper accounts.

f. Presentation – transactions and events are appropriately aggregated or
disaggregated and clearly described and related disclosures are relevant and
understandable in the context of the requirements of the applicable financial
reporting framework.

2. Assertions about account balances, and related disclosures, at the period end:

a. Existence – assets, liabilities and equity interests exist.

b. Rights and obligations – the entity holds or controls the right to assets and liabilities
are the obligations of the entity.

c. Completeness – all assets, liabilities and equity interests that should have been
recorded have been recorded and all related disclosures that should have been
included in the financial statements have been included.
d. Accuracy, valuation and allocation – assets, liabilities and equity interests have
been included in the financial statements at appropriate amounts and any resulting
valuation or allocation adjustments have been appropriately recorded and related
disclosures have been appropriately measured and described.

e. Classification – assets, liabilities and equity interests have been recorded in the
proper accounts.

f. Presentation – assets, liabilities and equity interests are appropriately aggregated
or disaggregated and clearly described, and related disclosures are relevant and
understandable in the context of the requirements of the applicable financial
reporting framework.

Consideration of the risks of material misstatement in this way provides information and
a framework for developing the audit strategy and plan specific to the issues relevant to the
entity’s financial statements. HKSA 315 (Revised 2019), in paragraphs 31 and 32, requires
the auditor, when assessing inherent risk in relation to the susceptibility of assertions to
misstatement, to determine whether any of the risks are significant.

In addition to providing input for developing the audit strategy and audit plan, part of the
risk assessment process is for the auditor to make a judgement as to whether any of the risks
identified are significant. This judgement is made without consideration of identified internal
controls related to the risk.

HKSA 315 (Revised 2019), paragraph 12, defines a significant risk as:

. . . an identified and assessed risk of material misstatement that, in the auditor’s judgement,
requires special consideration.


(i) For which the assessment of inherent risk is close to the upper end of the spectrum of
inherent risk due to the degree to which inherent risk factors affect the combination
of the likelihood of a misstatement occurring and the magnitude of the potential
misstatement should that misstatement occur; or

(ii) That is to be treated as a significant risk in accordance with the requirements of
other HKSAs.

Consideration needs to be given as to whether the risk:

• Is a risk of fraud.

• Relates to recent significant economic, accounting, or other external developments.

• Reflects the complexity of transactions.

• Involves significant transactions with related parties.

• Reflects the degree of subjectivity in the measurement of financial information and
measurement uncertainty.

• Relates to significant transactions that are outside the normal course of business or
are unusual.

This category of risks often relates to non-routine transactions or events that occur
periodically rather than recurring transactions; for example, dealing with a lawsuit or the
calculation of depreciation, or matters that require significant judgement, such as accounting
estimates, for example management estimates of doubtful debts.

If risks are identified, the auditor must obtain an understanding of the controls relevant to
that risk.

HKSA 315 (Revised 2019) para.22(a)(ii) requires that the auditor’s understanding of the
entity’s risk assessment process include how the entity assesses the significance of risks and
the likelihood of their occurrence to the preparation of the financial statements.

While it is the case that non-routine and judgemental matters are less likely to be subject
to the routine internal control system, the auditor needs to consider whether management
has implemented controls for these transactions and events, such as the referral of matters to
appropriate experts or the review of assumptions by senior management or experts.

In addition to the documentation requirements identified under the planning process,
HKSA 315 (Revised 2019) requires that the audit workpapers document:

• The discussion with the engagement team and the significant decisions reached.

• The major matters identified from the gaining of an understanding of the client’s
industry, regulatory environment, operations, ownership structure, governance,
business model, financial performance measures, financing, accounting policies, and
business risks, and the sources of that information.

• The understanding of the control environment, the entity’s risk assessment process,
its process for monitoring the system of internal control and its information and
communication processes.

• Risk assessment procedures performed.


• The identified risks of material misstatement at both the financial statement and
assertion levels.

• The significant risks identified and the understanding of relevant controls.

• The risks for which substantive procedures alone will not provide sufficient appropriate
audit evidence.

• The rationale for significant judgements.

Apply and Analyse 5


Based on the changed circumstances faced by HWA Ltd noted in Section 5.3, identify the
risk of material misstatement in relation to the financial report assertions associated with
inventory.

Analysis

In relation to the inventory for existing products, the usual assertions in relation to the
existence of the inventory, rights and obligations, and completeness would not seem to
be affected from prior periods. However, the valuation and allocation assertion would be
subject to a greater risk of material misstatement due to the inventory being slow moving
and at greater risk of obsolescence given the nature of the products. This would require
more extensive audit procedures on the identification of inventory items and the valuation
policies applied by the entity.

In relation to the new inventory that will be introduced during the financial reporting
period under audit, the risk of material misstatement exists at a high level for all the
financial report assertions at the account balance level. As the inventory involves new
items, the existence assertion is subject to greater risk in the sense of the auditor being
satisfied that what is recorded in the financial statements is represented and identified as
physically on hand. As the inventory is to be imported, the completeness assertion is subject
to the risk that there may be items in transit or stored at another location, but which
should be recorded in the inventory. This also incorporates the rights and obligations
assertion, which faces a greater risk of material misstatement on the basis of when the
entity has the legal right to control of inventory in transit. The valuation and allocation
assertion is at a greater risk of material misstatement given that the products are new to
the entity’s business and subject to transit costs, etc., that will need to be addressed as
part of the inventory valuation process, and consideration as to whether the sales of the
new products are at levels to ensure that HWA Ltd is not left with inventory that becomes
obsolete or slow moving and that might warrant valuation adjustments.

5.6.2 Internal Control and Control Environment


HKSA 315 (Revised 2019), in paragraphs 21–26, requires the auditor to obtain an understanding
of the components of the entity’s system of internal control relevant to the preparation of the
financial statements.

A client’s internal control system is a fundamental component of a client’s governance and
risk management function. The quality of internal control affects the reliability of financial data
as well as the ability of the client to manage operational and business risk situations.


The system of internal control has been defined earlier and the following components
identified in Sections 5.4 and 5.5:

• The control environment

• The risk assessment process

• The monitoring process

• The information system including the related business processes relevant to financial
reporting and communication

• The control activities

The following elaborates on each of these components based on the application
paragraphs identified in Section 5.6. They are indicative of matters the auditor would consider
in applying risk assessment procedures to understand the system of internal control at the
planning stage of the audit to support the preparation of the detailed audit plan. The extent
to which the matters raised are relevant in an audit depends on the size and complexity of the
entity being audited.

5.6.2.1 Control Environment


The control environment represents the foundation for other elements of the internal control
system. It includes management oversight processes and the attitude and culture established
by management, as well as their commitment to support a strong control culture. Obtaining
an understanding of the control environment would include, for example, considering
communication and enforcement, commitment to competence relevant to the tasks assigned,
management’s operating style, and human resource policies and practices. These components
are summarised in the following paragraphs and are indicative of the issues that would be of
interest to an auditor in understanding the control environment.

The effectiveness of internal control policies and procedures is strongly linked to the
integrity and ethical values of the personnel who create, administer, and monitor them.
Those values derive from an entity’s ethical and behavioural standards and how they are
communicated and reinforced. They include management’s actions to remove or mitigate
incentives to become involved in dishonest, illegal, or unethical activities.

The control environment is also affected by management’s commitment to ensuring that
individuals have the competence, knowledge, and skills to undertake their individual tasks.

Participation of management in the oversight of policy development and effective operation
of procedures influences control consciousness within the entity, including the process
for reviewing the effectiveness of internal control. This could also include whistleblower
procedures and at the corporate level the establishment of an audit committee.

Management’s philosophy and operating style. This involves management’s approach to
achieving entity objectives and how their activities are perceived within the entity. For example,
management’s attitude and how it deals with financial reporting and the conservative or
aggressive selection of accounting policies and preparation of accounting estimates, as well as
management’s attitude to following up identified problems.

An organizational structure that has appropriate lines of responsibility, authority, and
communication consistent with the entity’s size and the nature of operations is essential
to effective control. This variable is important in controlling risk, for example the degree to
which individuals within the entity can commit the entity to transactions such as approving
expenditure and how the risk of transactions and events that are inconsistent with the entity’s
objectives can be reduced. This element also relates to the assignment of authority and
responsibility and policies relating to appropriate business practices and communicating to
facilitate personnel understanding of the entity’s objectives and matters to which individuals
will be held accountable.

Human resource policies and practices relating to recruiting, training, promotion, and
compensation demonstrate an entity’s commitment to competence and personnel that are
expected to meet their responsibilities and facilitate the control processes within the entity.

An internal control function provides management with a control function to evaluate the
effectiveness of other controls and risk management processes.

Evidence for understanding this component is usually obtained through a combination
of inquiries and other risk assessment procedures such as observation and inspection
of documents. The understanding of the extent to which management demonstrates its
commitment to integrity and ethical issues can be obtained from inquiries of management and
employees, communication processes and inspecting written codes of conduct and observation
of management and employee activities. The extent to which considerations about the control
environment are relevant depends on the complexity of governance, for example in an
owner-manager situation not all considerations would be applicable.

5.6.2.2 Risk Assessment Process


This involves understanding how management identifies the business risks
relevant to financial reporting that are to be managed, evaluates their significance, and decides
how to address the risks. It covers the plans, programmes, or actions that management
has in place or may take to identify, for example, changes in the operating environment,
rapid growth, changes in technology, expanded foreign operations, and new accounting and
regulatory requirements.

This involves the auditor considering for example the precision and clarity with which
management has specified the entity’s objectives to enable the assessment of the risks arising
from those objectives, how management analyses the risks to determine how to manage them
and consider the potential for fraud. This assists the auditor in understanding where the entity
has identified risks that may occur and responded to those risks and therefore whether the
risks are being identified, assessed and addressed appropriately.

The auditor needs to understand the basis upon which management determines the risks to
be managed that arise from both internal and external transactions or circumstances and how
they assess the potential impact for financial reporting purposes. Risks can arise or change for
example due to changes in the regulatory or economic environment that change competitive
pressures and generate different risks.

In the context of financial reporting, the auditor’s understanding is directed at the entity’s
risk assessment process to address risks relevant to the preparation of the financial statements
in accordance with the applicable financial reporting framework and how they are addressed.
For example, how the entity deals with the possibility of unrecorded transactions and identifies
significant estimates to be included in the financial statements.


5.6.2.3 Monitoring of controls


The auditor needs to understand the entity’s process to monitor the system of internal
control. The focus is on how the entity oversees the design and operation of controls and
corrects any deficiencies. Management is responsible for establishing and maintaining
internal control on an ongoing basis. It is their responsibility to establish procedures to
monitor the effectiveness of the control procedures and rectify any deficiencies. This can
be done through reviews of system operations and checking that procedures and policies
are being applied. Monitoring may occur on an ongoing or periodic basis through separate
evaluations with the auditor considering the frequency and timeliness of monitoring and how
identified deficiencies are addressed.

A monitoring activity is different from a control in the information system that is in place to
deal with a specific risk to detect and correct errors. A monitoring activity would assess whether
controls are operating as intended and address why errors occur and the actions to fix the
process to prevent future errors.

The auditor needs to understand the sources and reliability of the information used by
management to monitor the system. Communications from external parties, for example, may
also provide information as to the operation of internal controls. Information from customers
or other parties dealing with an entity can indicate areas where controls are ineffective. For
example, complaints from debtors that their accounts are incorrect may indicate that the
controls over sales and/or accounts receivable are ineffective. Management needs to monitor
their business activities and be aware of any such issues and address the cause.

If the entity has an internal audit function, that function’s role also needs to be addressed.
Appendix 4 to HKSA 315 (Revised 2019) contains guidance on understanding an entity’s
internal audit function. In summary, the role of internal audit varies between entities depending
on the size, complexity and structure of the entity and the requirements of management. If
the responsibilities of internal audit include providing assurance to management about the
design and effectiveness of risk management, the system of internal control and governance
processes, it can play an important role in the monitoring process. Inquiries of appropriate
individuals within the function may provide the auditor with useful information about
aspects of the entity and its environment and system of internal control and the risks of
material misstatement. The work of internal audit may have identified business risks, control
deficiencies and other matters that assist the auditor’s understanding. These inquiries are
made irrespective of whether the auditor expects to use the work of internal audit. If the
auditor’s inquiries indicate internal audit findings that are relevant to the financial reporting
process, the auditor would read the relevant internal audit reports and consider
how management has responded to the findings and recommendations, and whether they
have been implemented and subsequently evaluated by internal audit.

Not only does understanding the role of internal audit assist the auditor in understanding
the control environment, it also provides input into the decision as to whether to use the work
of internal audit to modify the nature, timing and extent of procedures undertaken directly by
the auditor.

The auditor needs to understand and assess the effectiveness of internal controls to
be able to determine the extent to which errors or irregularities may go undetected within
the accounting process and recording system, and ultimately the potential for material
misstatement in the financial statements. To that end understanding the entity’s monitoring
process assists in understanding other components of the system of internal control and the
risks of material misstatement at the financial statement and assertion levels.

The auditor’s understanding of internal control and the assessment of its potential to
prevent and detect the risk of material misstatement is part of the information used to develop
the audit strategy and plan. As indicated earlier in this chapter, the determination of the
nature, timing and extent of audit procedures to test the effectiveness of internal control and
substantive testing of transactions and account balances is based on that understanding.

5.6.2.4 The information processing system including the related business processes relevant to financial reporting and communication

The information system needs to be understood to the extent that it relates to the preparation
of financial statements. It consists of activities, policies and accounting and supporting records
used to initiate, record or support transactions, and controls designed to resolve incorrect
processing and document system overrides.

This understanding includes the use of information technology and the recording of
unusual transactions. A major focus here is on the controls over the maintenance of the
general ledger and preparation of journal entries (in electronic or manual form).

This component also involves the processes by which client personnel are made aware of
and understand their role within the financial reporting process, and how they communicate
within the entity on matters such as exceptions. It includes policy manuals supporting these
activities.

Where extensive use of IT is a feature of the information system, the control environment
extends to ensuring that policy manuals and related documentation establish appropriate
controls to ensure that all transactions are captured on a timely basis and processed
appropriately. This includes controls that maintain the quality of system-generated information
that is used by management to make decisions about the entity’s operations and preparation
of the financial statements.

The auditor is required to understand this component because understanding the policies
relating to the flow of transactions and the entity’s information processing relevant to the
preparation of the financial statements provides input as to whether the auditor’s assessment
of risks at the assertion level is supported. It may also identify risks of material misstatement
at the financial statement level that are inconsistent with expectations about the system
of internal control based on information obtained during the engagement acceptance or
continuance process.

The auditor’s understanding at this level may confirm or further impact the auditor’s
expectations about significant classes of transactions, account balances and disclosures
identified during the process of understanding the entity and its environment. This
understanding also provides information that the auditor uses to identify the controls in the control
activities component that need to be focused upon.

In understanding this component, the auditor should also recognize that the entity’s
application of internal control in relation to the entity’s operations and compliance objectives
may have aspects that impact financial reporting, and these integrated policies and systems
need to be considered. Similarly, the auditor needs to understand the entity’s business
processes because these result in transactions that are recorded, processed and reported by
the information system, for example the sale and distribution of products and compliance with
laws and regulations.

Another important area that the auditor should consider in understanding this component
is the resources available to support the information processing activities such as the
competence of the personnel undertaking the work, whether there are adequate resources and
appropriate segregation of duties.

5.6.2.5 Control Activities


These are the specific control activities that are designed to ensure the proper application
of policies in all other components of the system of internal control and are focused on
information processing controls. Understanding the entity’s policies for its information
processing and identification of related control activities influences the identification of the
risks of material misstatement at the assertion level. These are the control processes that
the auditor judges to be relevant to assess the risk of material misstatement at the assertion
level and require further audit procedures to respond to those risks. They are the policies and
procedures to help ensure that management directives are carried out. Whether within an IT
or manual system, the activities generally include authorisation and approval, reconciliations,
review, processing, verification, physical and logical controls, and segregation of duties.

This component includes controls that are expected to be identified in all audits; that is,
controls over journal entries being the mechanism by which transactions are processed into
the general ledger.

In addition to routine control activities, this component can include management controls
to address material misstatements that may arise relating to disclosures required under the
reporting framework, including information that is obtained outside the general and subsidiary
ledgers. They also include controls that address significant risks, and over journal entries for
non-routine, unusual transactions or adjustments.

These controls are those that the auditor, when planning the audit, identifies for testing for
operating effectiveness and for determining the basis for substantive testing, including controls
where the auditor’s assessment of inherent risk at the assertion level has identified significant
risks. For example, where there are large volumes of homogenous transactions the auditor
may plan to test the operating effectiveness of controls over those transactions as an efficient
and effective way to obtain evidence as to the completeness and accuracy of the information.

Irrespective of whether the auditor intends to test the operating effectiveness of controls
that address significant risks, the understanding obtained by the auditor about management’s
approach assists the auditor in determining how to approach those risks. Non-routine
matters are less likely to be subject to routine controls, but understanding this
may lead to understanding that risks in such matters are addressed by management through
other procedures, for example, documenting processes for accounting estimates and the review
of assumptions by management or experts.

Where systems are IT-based, these controls comprise both general and application
controls. General controls affect the overall information system and the effective operation
of the application controls; for example, data centre controls, software acquisition and
change, programme change, and access security. Application controls cover the processing
of transactions within a specific accounting area to ensure that accounting data are
completely and accurately processed; for example, payroll preparation and sales invoicing.
Controls include edit checks of input data and exception reports. HKSA 315 (Revised 2019), in
paragraphs 26(b) and (c), requires the auditor to understand the risks associated with using IT,
and the general IT controls to address those risks.
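
The application controls described above (edit checks of input data and an exception report), applied to a sales-invoicing batch. This is an added example, not material from the text or from HKSA 315; the customer master file, the batch header totals and the invoices are constructed sample data.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed customer master file: customer id -> credit limit (HK$).
CUSTOMER_MASTER = {"C001": Decimal("50000"), "C002": Decimal("20000")}


@dataclass(frozen=True)
class Invoice:
    number: int
    customer_id: str
    quantity: int
    unit_price: Decimal
    total: Decimal


def edit_checks(inv):
    """Input edit checks for one invoice; returns the reasons it fails (empty if clean)."""
    reasons = []
    limit = CUSTOMER_MASTER.get(inv.customer_id)
    if limit is None:
        reasons.append("validity: customer not in master file")
    if inv.quantity <= 0 or inv.unit_price <= 0:
        reasons.append("range: quantity and unit price must be positive")
    elif inv.quantity * inv.unit_price != inv.total:
        reasons.append("accuracy: total does not equal quantity x unit price")
    if limit is not None and inv.total > limit:
        reasons.append("limit: total exceeds customer credit limit")
    return reasons


def process_batch(invoices, control_count, control_total):
    """Run the edit checks plus batch-level completeness checks; return the exception report."""
    accepted, exceptions, seen = [], {}, set()
    for inv in invoices:
        reasons = edit_checks(inv)
        if inv.number in seen:
            reasons.append("completeness: duplicate invoice number")
        seen.add(inv.number)
        if reasons:
            exceptions.setdefault(inv.number, []).extend(reasons)
        else:
            accepted.append(inv.number)
    # Sequence check: pre-numbered documents should have no gaps.
    missing = sorted(set(range(min(seen), max(seen) + 1)) - seen) if seen else []
    # The count and value keyed in must agree with the batch header control totals.
    keyed_total = sum((i.total for i in invoices), Decimal("0"))
    in_balance = len(invoices) == control_count and keyed_total == control_total
    return {
        "accepted": accepted,
        "exceptions": exceptions,
        "missing_numbers": missing,
        "batch_in_balance": in_balance,
    }


# Constructed batch: the header says 6 invoices totalling HK$30,810.00, but only 5 were keyed in.
HEADER_COUNT = 6
HEADER_TOTAL = Decimal("30810.00")
SAMPLE_BATCH = [
    Invoice(1001, "C001", 10, Decimal("25.00"), Decimal("250.00")),
    Invoice(1002, "C009", 5, Decimal("10.00"), Decimal("50.00")),       # unknown customer
    Invoice(1004, "C002", 3, Decimal("100.00"), Decimal("330.00")),     # extension error
    Invoice(1005, "C002", 300, Decimal("100.00"), Decimal("30000.00")), # over credit limit
    Invoice(1006, "C001", 2, Decimal("40.00"), Decimal("80.00")),
]

if __name__ == "__main__":
    report = process_batch(SAMPLE_BATCH, HEADER_COUNT, HEADER_TOTAL)
    print("Accepted:", report["accepted"])
    for number, reasons in report["exceptions"].items():
        print("Exception", number, "->", "; ".join(reasons))
    print("Missing invoice numbers:", report["missing_numbers"])
    print("Batch agrees to control totals:", report["batch_in_balance"])
```

Only clean invoices are accepted for processing; everything else goes to the exception report for follow-up, which is the evidence trail an auditor would inspect when testing the control.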

HKSA 315 (Revised 2019), in Appendices 5 and 6, provides detailed guidance for
understanding IT and general IT controls, which are addressed in Chapter 13.

In summary, when planning the audit, and based on the auditor’s understanding of
the components of the system of internal control, the auditor plans to test the operating
effectiveness of controls that address the risks of material misstatement at the assertion level
where it is not possible to obtain sufficient appropriate audit evidence through substantive
procedures alone.

5.6.3 Impact of Fraud and Misstatement on Audit Planning Considerations

Integral to the process of understanding the entity and its environment to identify the risks
of material misstatement is the identification of significant risks. The auditor is required to
specifically consider whether there is a risk of fraud when making a judgement as to which risks
are significant. The considerations in Section 5.5.1 above in relation to significant risks also
apply here.

HKSA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements,
paragraph 16, states:

When performing risk assessment procedures and related activities to obtain an understanding
of the entity and its environment, the applicable reporting framework and the entity’s system of
internal control . . . the auditor needs to obtain information for use in understanding the risk of
material misstatement due to fraud.

HKSA 240, paragraph 25, states that, in accordance with HKSA 315 (Revised 2019), the
auditor shall identify and assess the risk of material misstatement due to fraud at the financial
statement and assertion levels. HKSA 240, paragraph 27, requires that assessed risks of
material misstatement due to fraud be treated as significant risks and that the auditor evaluates the
design and implementation of controls that address such risks. While the responsibility for the
prevention and detection of fraud rests with management, HKSAs 240 and 315 (Revised 2019)
require the auditor to be proactive and specifically consider the risk of material misstatement
due to fraud.

Fraud is defined in HKSA 240, paragraph 11, as:

. . . an intentional act by one or more individuals among management, those charged with
governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal
advantage.

Fraud risk factors are conditions that suggest a motivation or pressure to perpetrate fraud or
provide the opportunity to commit it.

While fraud as a legal concept is broad, the auditor’s concern is focused on fraud that
causes a material misstatement in the financial statements arising from either fraudulent
financial reporting or misappropriation of assets.

Fraudulent financial reporting involves deliberate misstatements to mislead financial
statement users. This may arise, for example, where management is under pressure to achieve
an earnings target or financial position or meet targets under a management compensation scheme.
Actions could include:

• Manipulating, falsifying, or altering financial records or documents from which the
financial statements are prepared.

• Omitting transactions from the accounting records.

• Intentionally misapplying accounting policies.

Misappropriation of assets includes:

• Embezzling receipts.

• Stealing physical assets or intellectual property.

• Facilitating the entity to pay for goods and services not received.

• Using entity assets for personal use.

The auditor needs to distinguish between misstatements due to fraud and those due to
error. Error is the result of unintentional mistakes such as the misinterpretation of facts or
unintentional misapplication of accounting policies. Fraud by its nature is inherently more
difficult to detect as it generally involves schemes to conceal it, collusion, or override of the
internal control system. When aware of circumstances that might indicate misstatements due
to fraud or error, the auditor needs to maintain an attitude of professional skepticism when
evaluating the fraud risk factors, circumstances, and explanations provided as to the potential
for misstatement.

Appendix 1 to HKSA 240 contains an extensive listing of fraud risk factors relating to
misstatements arising from fraudulent financial reporting and misappropriation of assets.

The fraud risk assessment process involves:

• A discussion with the engagement partner and team as to the vulnerability of
the entity’s financial report to material misstatement due to fraud and how that
might occur based on their experience and knowledge of the client. For example,
circumstances that might be indicative of earnings management and how that might be
implemented, knowledge of any factors that may create pressure to commit fraud, or
unusual changes in management or employee behaviour.

• Enquiries of management as to their assessment of the controls in place to prevent
and detect fraud and how they respond to any instances of fraud, and whether there is
communication within the entity of appropriate management policies and conduct in
relation to fraud risk. Enquiries of management and internal audit as to whether they
have knowledge of any suspected or actual fraud having occurred within the entity.

• Evaluation of any unusual or unexpected relationships identified from the
preliminary analytical procedures or from other information obtained during the
planning process.

It is recognised that the risk of fraud is greater for some financial statement items than
others. HKSA 240 formalises this in relation to revenue recognition and requires a presumption
of fraud risk in relation to the financial statement assertions in this area. The auditor must
evaluate this risk specifically to determine whether the presumption is applicable in the
circumstances of the engagement. The auditor’s conclusion and reasons must be documented.

When planning the audit, fraud risk is a specific matter that must be considered in
applying the inherent and control risk elements of the audit risk model. If the assessed risk
of material misstatement due to fraud is identified as a significant risk, the auditor needs to
obtain an understanding of the internal controls relevant to address that risk. Effective control
reduces the inherent risk due to fraud; however, the nature of fraud makes it susceptible to
management override of controls and the assessment of control risk should be determined
accordingly.

HKSA 240 identifies examples of management override, including:

• Recording fictitious journal entries, especially close to the end of the reporting period,
in order to manipulate results or achieve other objectives.

• Inappropriately adjusting assumptions and changing judgements used to estimate
account balances.

• Omitting, advancing, or delaying recognition in the financial statements of events and
transactions that have occurred during the reporting period.

• Concealing, or not disclosing, facts that could affect the amounts recorded in the financial
statements.

• Engaging in complex transactions that are structured to misrepresent the entity’s
financial position or performance.

• Altering records and terms related to significant and unusual transactions.

If fraud risk is determined to be significant, the audit plan needs to be modified accordingly
to include proactive substantive procedures to search for fraud.
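
One way to select journal entries for testing against the override indicators above, written as an added example (it is not from the text or from HKSA 240). The five-day period-end window, the list of routine sources, the amount threshold and the journal listing are constructed assumptions; a flag marks an entry for further audit work and is not in itself evidence of fraud.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Optional

PERIOD_END = date(2022, 12, 31)                      # constructed reporting date
WINDOW_DAYS = 5                                      # assumption: "close to" period end
ROUTINE_SOURCES = {"sales", "purchases", "payroll"}  # assumption: normal system postings
LARGE_AMOUNT = Decimal("5000000")                    # assumption: HK$ selection threshold


@dataclass(frozen=True)
class JournalEntry:
    je_id: str
    posted: date
    source: str              # sub-ledger or "manual"
    preparer: str
    approver: Optional[str]  # None when no approval was recorded
    amount: Decimal


def flags_for(entry):
    """Return the override indicators that apply to one journal entry."""
    flags = []
    days_before_end = (PERIOD_END - entry.posted).days
    if 0 <= days_before_end <= WINDOW_DAYS:
        flags.append("period_end")               # posted close to the reporting date
    if entry.source not in ROUTINE_SOURCES:
        flags.append("non_routine")              # outside the normal processing route
    if entry.approver is None or entry.approver == entry.preparer:
        flags.append("no_independent_approval")  # segregation of duties not evidenced
    if entry.amount >= LARGE_AMOUNT:
        flags.append("large_amount")
    return flags


def screen(entries):
    """List flagged entries, most indicators first, then by entry id."""
    hits = [(e.je_id, flags_for(e)) for e in entries]
    hits = [h for h in hits if h[1]]
    return sorted(hits, key=lambda h: (-len(h[1]), h[0]))


# Constructed journal listing.
SAMPLE_ENTRIES = [
    JournalEntry("JE-101", date(2022, 11, 15), "sales", "batch", "k.lee", Decimal("1200000")),
    JournalEntry("JE-102", date(2022, 12, 30), "manual", "cfo", "cfo", Decimal("8500000")),
    JournalEntry("JE-103", date(2022, 12, 29), "payroll", "batch", "k.lee", Decimal("900000")),
    JournalEntry("JE-104", date(2022, 8, 3), "manual", "a.wong", "k.lee", Decimal("40000")),
    JournalEntry("JE-105", date(2022, 12, 31), "manual", "a.wong", None, Decimal("2000000")),
]

if __name__ == "__main__":
    for je_id, flags in screen(SAMPLE_ENTRIES):
        print(je_id, ", ".join(flags))
```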

HKSA 240 also requires the discussion among the engagement team members, in relation
to audit planning, to include specific emphasis on the risk of material misstatement due to
fraud and how fraud might occur. The discussion would address the audit team members’
views about the existence of incentives or pressures and opportunities to commit fraud, and
the attitude or ability to rationalise fraud. The discussion could include, for example, such
matters as:

• An exchange of ideas about how and where they believe the client’s financial
statements could be susceptible to material misstatement due to fraud and how
management could perpetrate and conceal fraudulent financial reporting. For example,
awareness of complex transactions and management discussions as to interpretations
of accounting standards that team members would see as potentially inappropriate
or concern that assumptions and judgements used in accounting estimates are
intentionally biased.

• How assets could be misappropriated due to the volume and nature of cash
transactions and handling or the type of inventory the entity holds that may be
susceptible to theft.

• Circumstances that might be indicative of earnings management, such as management
bonus schemes linked to the entity’s financial performance or individual’s private
wealth tied to the entity’s performance and survival, and the practices that
management might employ to achieve this.

• Known internal and external factors affecting the entity that could create an incentive
or pressure for management or others to commit fraud, provide the opportunity
for fraud to be perpetrated, and indicate a culture or environment that enables
management or others to rationalise committing fraud. For example, the entity may be
struggling to maintain its working capital to comply with debt covenants or the industry
has become more competitive and the entity is struggling to maintain its position within
the industry.

• Unusual or unexplained changes in the behaviour or lifestyle of management or others
that have come to the auditor’s attention.

• The types of circumstances that, if encountered, might indicate the possibility of fraud;
for example, significant related party transactions, high turnover of key accounting
department personnel, frequent changes in legal advisors.

The documentation of the understanding of the entity and its environment at the audit
planning and strategy development stages should include the significant decisions made during
the meeting of the engagement team in relation to fraud risk and the identified risks of material
misstatement due to fraud at both the financial statement and assertion levels. This should
include the identified controls in the control activity component of the system of internal
control. This should also include how that risk has been addressed in the audit plan.

Apply and Analyse 6


Based on the information provided about HWA, and as part of the audit planning process,
you and your audit manager are discussing the risk that the financial statements may be
misstated due to fraud. Explain what factors might be significant in this regard.

Analysis

While management has a sound reputation for integrity and there have been no audit issues
in prior periods, the change in circumstances and the fact that management’s remuneration
includes a generous share bonus scheme mean that there is an incentive for management to
manipulate the financial statement outcome in terms of maintaining the return on assets
ratio at the required level and to try to maintain the share price. This indicates that
management’s override of controls may be a risk factor that should be considered.

HKSA 240 requires several audit procedures to be applied during the audit that,
depending on the outcome, will indicate whether management override is a significant
risk and whether further audit procedures are warranted. The audit strategy and plan
should reflect an approach that ensures that these procedures are emphasised and the
appropriate level of professional skepticism applied. These include, for example, testing
the appropriateness of journal entries and adjustments made in the preparation of the
financial statements, the review of accounting estimates and the judgements and decisions
made by management, and the evaluation of unusual transactions outside the normal
course of the business.

Further, HKSA 240 requires that when identifying and assessing the risks of material
misstatement due to fraud there should be a presumption that there is a risk of fraud
in revenue recognition. Given the information available in relation to HWA Ltd, this
presumption should be reflected in the audit strategy.

5.6.4 Consideration of Laws and Regulations in an Audit of Financial Statements

When gaining an understanding of the entity and its environment for audit planning, specific
attention must also be given to the laws and regulations under which the entity operates. Laws
and regulations can directly affect the financial reporting framework governing the preparation
and presentation of the financial statements. They can also establish the fundamental structure
under which the client conducts its business. In heavily regulated industries such as the
finance and pharmaceutical industries, non-compliance with laws and regulations can result
in significant fines, litigation, and legal penalties that could affect the client’s business and
financial statements. Audit planning involves consideration of illegal acts that have a material
impact on the financial statements.

The auditor’s responsibilities are mandated in HKSA 250 (Revised) Consideration of Laws and
Regulations in an Audit of Financial Statements.

The Standard (paragraph 12) defines non-compliance with laws and regulations as:

Acts of omission or commission, intentional or unintentional, committed by the entity, or by
those charged with governance, by management or by other individuals working for or under the
direction of the entity, which are contrary to the prevailing laws and regulations.

HKSA 250 (Revised), paragraph 13, requires:

As part of obtaining an understanding of the entity and its environment . . . the auditor shall obtain
a general understanding of:

(a) The legal and regulatory framework applicable to the entity and the industry or
sector in which the entity operates; and

(b) How the entity is complying with that framework.

It is recognised, however, that some laws and regulations have a more direct effect on the
client’s financial statements than others, and the auditor’s responsibilities can be differentiated
accordingly.

For laws and regulations that directly affect the amounts or disclosures in the financial
statements, for example tax law, the audit plan should include detailed audit procedures to
obtain sufficient appropriate audit evidence to support the client’s compliance with those laws
and regulations.

For other laws and regulations that the entity must comply with to continue its business
and avoid material penalties that may ultimately affect the financial statements, the
auditor’s responsibility is limited. In this case, procedures would be directed at identifying
any non-compliance that may impact the financial statements and include inquiries of
management as to whether the entity complies with relevant laws and regulations and reviews
of correspondence with regulatory authorities.

HKSA 250 (Revised), paragraph 17, requires the auditor to request a written representation
from management as to whether all relevant matters have been disclosed to the auditor.

The Standard does recognise that while the auditor is responsible for obtaining reasonable
assurance that the financial statements as a whole are free of material misstatement due
to error or fraud, the risk that the auditor may not detect material misstatements due to
non-compliance with laws and regulations is greater because:

• Many of the laws relate to client operating matters and do not affect the financial
statements and are not part of the system and controls relevant to financial reporting.

• Non-compliance often involves conduct to conceal the matter, for example collusion,
override of controls, and misrepresentation.

• The effectiveness of audit procedures is affected by the inherent limitations of internal
control and by the use of testing.

• Much of the audit evidence obtained by the auditor is persuasive rather than conclusive
in nature.

It is important therefore that, in obtaining an understanding of the entity and its
environment for planning the audit, the auditor obtains information about the laws and
regulations under which the entity operates. For those laws and regulations that directly affect
the financial statements, the audit strategy and plan should reflect a proactive assessment
of the risk of material misstatement and obtain sufficient appropriate audit evidence as to
compliance with those provisions.

HKSA 250 (Revised), paragraph A15, identifies the following procedures to bring instances
of non-compliance or suspected non-compliance to the auditor’s attention:

• Reading minutes.

• Inquiring of the entity’s in-house and/or external legal counsel in relation to any
litigation, claims, and assessments.

• Performing substantive tests of details of transactions, account balances, or disclosures.

The following matters may be an indication of non-compliance with laws and regulations:

1. Investigation by regulatory organisations and government departments or payment of
fines or penalties.

2. Payments for unspecified services or loans to consultants, related parties, employees,
or government employees.

3. Sales commissions or agent’s fees that appear excessive in relation to those ordinarily
paid by the entity or in its industry or to the services actually received.

4. Purchasing at prices significantly above or below market price.

5. Unusual payments in cash, purchase in the form of cashier’s checks payable to the
bearer, or transfers to numbered bank accounts.

6. Unusual transactions with companies registered in tax havens.

7. Payments for goods and services made other than to the country from which the goods
or services originated.

8. Payments without proper exchange control documentation.

9. Existence of an information system that fails, whether by design or accident, to provide
an adequate audit trail or sufficient evidence.

10. Unauthorised transactions or improperly recorded transactions.

11. Adverse media comment.

In the absence of identified or suspected non-compliance, the auditor is not required
to perform audit procedures to identify non-compliance, but must remain alert to this
possibility when performing other audit procedures and apply professional skepticism where
circumstances suggest a risk may exist.

If the auditor becomes aware of an instance of non-compliance or suspected
non-compliance, the auditor must pursue the matter and obtain an understanding of the
circumstances that have led to this situation, and evaluate the potential impact on the financial
statements. The matter needs to be discussed with management and, depending on the
appropriateness of the response, consideration given as to whether legal advice, from
either the company’s in-house legal counsel or external counsel, is required. The existence of
non-compliance or suspected non-compliance should also cause the auditor to re-assess prior
risk assessment judgements.

Knowledge Check Questions

Question 16
Identify which of the following describes the auditor’s responsibility in relation to the
risk of fraud.
A Provide reasonable assurance that the financial statement is not materially misstated
due to fraud.
B Be satisfied that no fraud has occurred before issuing a clean audit opinion.
C Develop the audit plan to reflect the expectations of users of the financial statements in
relation to the auditor’s responsibility to detect fraud.
D Develop the audit plan to ensure that all instances of fraud are detected.

Question 17
Identify the sources of client information the auditor would use to assess fraud risk.

Question 18
Identify which of the following is not an indicator of an increased risk of fraud.
A There is evidence of management override of controls.
B There is a need to obtain additional working capital from financial institutions.
C The entity is subject to a new and complex accounting standard.
D The IT system is subject to poor access controls.

Question 19
Explain how each circumstance listed below impacts the auditor’s assessment of risk.
(a) The client has opened an overseas branch.
(b) Management’s remuneration is strongly influenced by financial results.
(c) The client operates in a rapidly changing technology market.
(d) Recent management decisions have adversely affected their reputation for integrity in
the industry.
(e) The quick ratio has declined significantly.
(f) The wages and salaries account was misstated in previous years.
(g) Management is inexperienced.
(h) The client has material related party transactions.
(i) The provision for warranties is material and complex.
(j) The client has several unusual transactions that are not processed through the normal
accounting system process.

Question 20
Identify which of the following is not a responsibility of an auditor in relation to detecting
non-compliance by a client with laws and regulations.
A Obtaining sufficient appropriate audit evidence regarding compliance with laws and
regulations that directly affect the financial statements.
B Performing audit procedures to identify non-compliance with all laws and regulations
relevant to the client’s business.
C Seeking a written representation from management that all known instances of
non-compliance with laws and regulations affecting the financial statements have
been disclosed to the auditor.
D Remaining alert during the audit for non-compliance with laws and regulations that may
be identified as a result of other audit procedures.

5.7 MATERIALITY

Materiality is defined in the HKICPA Conceptual Framework for Financial Reporting (Revised) (June
2018), paragraph 2.11:

Information is material if omitting it or misstating it could influence decisions that the primary
users of general purpose financial reports . . . make on the basis of the reports, which provide
financial information about a specific reporting entity. In other words, materiality is an
entity-specific aspect of relevance based on the nature or magnitude, or both, of the items to which
the information relates in the context of an individual entity’s financial report. Consequently, the HKICPA cannot specify
a uniform quantitative threshold for materiality or predetermine what could be material in a
particular situation.

The overall objective of an audit of a financial statement is to obtain reasonable assurance
that the financial report is free of material misstatement, whether due to fraud or error. A
fundamental component of the planning process therefore is making a preliminary estimate of
materiality to provide reasonable assurance that material misstatements will be detected.

The determination of a materiality level is an audit judgement to be made based on the
auditor’s understanding of the entity and its environment, including the auditor’s perception
of who are, or are likely to be, the main users of the financial statements and their information
needs. In effect it is the auditor’s judgement as to the maximum level of misstatement that
those users would tolerate or cause them to make a different decision if they were aware of the
misstatement.

This judgement is significant in the planning as it provides the foundation for:

• Determining the nature, timing, and extent of risk assessment procedures.

• Identifying and assessing the risks of material misstatement.

• Determining the nature, timing, and extent of further audit procedures.

5.7.1 Setting Materiality Limits


HKSA 320 Materiality in Planning and Performing an Audit, paragraph 10, establishes the primary
role that materiality plays in the audit process.

When establishing the overall audit strategy, the auditor shall determine materiality for the
financial statements as a whole. If, in the specific circumstances of the entity, there is one or more
particular classes of transactions, account balances, or disclosures for which misstatements
of lesser amounts than materiality for the financial statements as a whole could reasonably
be expected to influence the economic decisions of users taken on the basis of the financial
statements, the auditor shall determine the materiality level or levels to be applied to those
particular classes of transactions, account balances or disclosures.

Determining materiality requires consideration of both quantitative and qualitative factors.

HKSA 320 requires the auditor to set a level of performance materiality for assessing
the risks of material misstatement and determining the nature, timing, and extent of audit
procedures.

Performance materiality recognises that planning the audit on the basis of detecting only
individual material misstatements does not recognise that single immaterial misstatements
when aggregated could result in the financial statements being materially misstated. In
addition, the possibility of undetected misstatements needs to be considered. Performance
materiality is therefore set to reduce to an appropriately low level the probability that the
aggregate of uncorrected and undetected misstatements exceeds the materiality level for the
financial statements as a whole.

As indicated, the setting of materiality levels is a matter of professional judgement based
on the circumstances of each audit engagement. The auditing standards do not prescribe any
specific levels or base for materiality.

The method for determining materiality at the planning stage varies between audit firms
and ranges from formulas to rules of thumb or leaving the decision to the judgement of the
individual engagement auditor.

At the basic level, materiality is a relative concept where generally the level is set by
establishing a percentage that is applied to a given base, for example net profit, total revenue,
or total assets. Often cited rules of thumb are:

• 5–10% of net profit

• 0.5–1% of revenue

• 0.5–1% of total assets

Under the above, for example, an account balance would be considered significant if it
represents 1% of total assets, and therefore this item would be reflected in the development of
the audit strategy and plan.

Alternatively, a material misstatement may be determined to be an amount that is 5% of
net profit and this would form part of the decision making that is reflected in the audit plan.

Application of the performance materiality requirement would see the percentage
materiality level lowered to reduce the probability that the aggregate of uncorrected
or undetected misstatements in the financial statements exceeds the overall
materiality level.

The judgement as to the level of performance materiality to be used is affected by a number
of factors, such as the control environment, the history and nature of errors, engagement risk,
and changes in the entity’s business and operations. For example, if internal control is assessed
as effective this would increase the percentage level of performance materiality.

A rule of thumb approach often sees this adjustment set at 60% for high-risk clients and
80% for low risk. For example, if a judgement is made for materiality at the 5% level of net
profit and that figure is HK$10 million, and the client is assessed as high risk, the performance
materiality is HK$6 million (HK$10 million × 60%).

The base chosen should be one that is relatively stable over time to avoid fluctuations
between audits and relevant to the nature of the entity’s activities. For example, net profit
may not be a relevant base for not-for-profit entities (even though a loss may be), but is
usually significant for publicly listed entities as this is a determinant of dividends to be paid
to shareholders and an entity’s share price. However, because net profit can fluctuate from
one period to another, it is not as stable a base as total assets or total revenue: entity size is
less variable than profit, the calculation of which can be affected by a number of variables and
economic fluctuations.

An entity’s financing arrangements can also affect the appropriateness of the base
chosen. For example, the base chosen for an entity that has debt covenants associated
with its financing arrangements that reflect working capital levels will focus on that working
capital base.

It is also important that the auditor considers the entity’s ownership structure when
establishing a materiality base. All stakeholders should be considered as some transactions
may be of greater significance to some groups than others and the base chosen should be
such that the level of materiality would lead to the auditor considering the specific financial
transactions of interest to those stakeholders.

The preliminary materiality judgement for the overall financial statements at the planning
stage identifies elements of the financial statements that warrant specific attention when
developing the audit plan. A lower level of materiality will result in more extensive testing.

It is also important to understand that the relationship between materiality and audit risk
is fundamental to the audit process. At the transaction and account balance level, the greater
the audit risk, the lower will be the materiality level set by the auditor. For significant account
balances the auditor’s tolerance of error is low and therefore the materiality level would be set
at a low level. This means that when developing the audit plan the extent of audit procedures
would be increased or more effective procedures selected.

In addition to the quantitative element of materiality, the auditor needs to consider
the qualitative nature of transactions and account balances. For example, related party
transactions are significant because by nature they are open to manipulation and, because
of the relevance of the information about those transactions, they require specific disclosure
in the financial statements. Materiality would generally be set at a low level and the nature,
timing, and extent of audit procedures applied to this element of the financial report would be
more extensive, irrespective of the recorded amount of those transactions.

The materiality level is used throughout the audit and is adjusted where circumstances
and the results of audit procedures applied indicate that the initial planning determination is
no longer appropriate. This could arise, for example, due to a change in the entity’s operations
during the audit period, new information becoming available, or a change in the auditor’s
understanding of the entity and its business as a result of performing audit procedures.

An appropriate materiality level is important as it is used to evaluate the outcome of audit
procedures and to identify what action is appropriate to deal with detected misstatements.

5.7.2 Relationship to Relevance in Financial Reporting


As indicated above, the concept of materiality is fundamental to the nature and purpose of
auditing. The auditor is to report whether the financial statements are presented in all material
respects in accordance with the applicable reporting framework. Accordingly, the audit should
be planned and performed to reduce the risk of material misstatement to an acceptably
low level.
The Glossary defines a misstatement as:

A difference between the amount, classification, presentation, or disclosure of a reported financial
statement item and the amount, classification, presentation, or disclosure that is required for the
item to be in accordance with the applicable financial reporting framework. Misstatements can be
from fraud or error.

The applicable financial reporting framework prescribes the basis for the preparation and
presentation of the financial statements. The framework is based on the presumption that
the information provided in the resultant financial statements is relevant to the users of the
financial statements for economic decision making. A material misstatement would mean
that the financial information does not faithfully represent the conditions of the business and
the relevance of the information in the financial statements would be adversely impacted.
Accordingly, underlying this concept in auditing is the auditor’s judgement as to what is
important to the users of financial statements.

The auditor applies materiality to evaluate the effect of any identified misstatement and
uncorrected misstatements in forming an opinion on the financial statements. In effect the
auditor is evaluating whether the effect of the misstatement will affect the decisions of the
users of the financial statements.

Integral to the audit process for determining materiality is understanding who the users
or potential users of the financial statements are and how the information in the financial
statements is to be used.

The nature and purpose of financial reporting and the presentation of financial statements
in accordance with the applicable reporting framework is therefore integral to establishing
materiality in auditing. Therefore, as part of gaining an understanding of the client and
its environment, the auditor needs to consider all stakeholders that may use the financial
statements.

This judgement is made on the basis of users as a group and not just individuals.
It assumes that the users have a reasonable knowledge of business, economics, and accounting
standards and will apply reasonable diligence in studying the financial statements. Also, it is
assumed that the users understand that financial statements are prepared and audited to a
level of materiality and involve estimates and judgements relating to future events.

In summary, materiality reflects relevance in financial reporting to the extent that the
audit focus is on misstatements that could reasonably be expected to influence the economic
decisions of users or potential users of the financial statements.

Apply and Analyse 7


Your firm has determined that the base to be used for the determination of materiality
can be chosen from net profit, total revenue, total assets, and equity and is a matter of
judgement by the engagement partner depending on the client’s circumstances. In the
past you have used net profit for the HWA audit because the focus of the users of financial
statements will be on profitability of the entity, which also influences the level of dividends
to be paid and the share price. However, this year you decide to use total assets for setting
planning materiality because of your concern as to the stability of the net profit. The rule of
thumb applied by your firm for this base is 0.75–1% of total assets.

Explain to your engagement team how you would determine performance materiality
for this year’s audit of HWA Ltd.

Analysis

The relationship between materiality and audit risk results in a lower materiality level
where the audit risk is high. In this case, due to the changing circumstances, AR has
increased and could be classified as high. In that case a base materiality level closer to
0.75% of total assets would seem appropriate. Performance materiality is generally set
at a lower level than base materiality to reduce the risk that aggregated uncorrected or
undetected misstatements exceed the base level. A judgement needs to be applied
to such an adjustment to the base materiality level. For example, in the case of HWA it may
be appropriate to adjust the level to 70% of the base. This would result in a performance
materiality level of 0.525% of total assets. This reduces the level of error that can be
tolerated and reflects the nature, timing, and extent of audit procedures.

Knowledge Check Questions

Question 21
Identify which of the following describes the level of performance materiality.
A The level set by management when preparing the financial statements to make
judgements as to whether the financial statements are materially misstated.
B The level established by an audit firm as a rule of thumb to be applied in all audit
engagements.
C The level adjusted to ensure that individual misstatements in aggregate do not exceed
overall materiality.
D The overall level of materiality that considers both quantitative and qualitative factors.

Question 22
By comparing the concepts of audit risk and materiality, justify the statement that under
the risk-based approach to auditing materiality is inextricably linked.

5.8 AUDIT METHODOLOGIES

The approach to auditing has changed over many years from an audit of all transactions
to recognition that accounting and control systems, and the manner in which entities are
organised and operated, can be used to produce reliable financial information. This is reflected
in the current audit objective of obtaining reasonable assurance that the financial statements
are not materially misstated. In conjunction with this, different audit methodologies have
evolved, and this section identifies some of those different audit processes.

5.8.1 Risk-Based Auditing


This approach to auditing is reflected in the current auditing standards. As indicated above, it
involves the auditor gaining an understanding of the client entity, environment, and system of
internal control to identify the risks of material misstatement and the processes and controls
the entity has in place to identify and address those risks in order to develop an audit strategy
and plan that concentrates audit attention on the areas of greatest risk.

Over time it has evolved from a methodology that focused on the risk of material
misstatement through the processing and recording of transactions to also include a broader
business risk focus and how management deals with those risks and to understand the impact
that has on the financial statements.

5.8.1.1 Advantages and Disadvantages


The primary advantage of this approach is that it requires the auditor to have a broad
understanding of the entity and the range of risks that it faces due to the nature of its activities,
the business environment in which it operates, and how the components of its system of
internal control are designed and implemented to identify and address those risks. This
means that the auditor is more likely to become aware of a broader range of potential risks of
misstatement and can evaluate their potential impact on the financial statements.

The nature of the process facilitates an outcome whereby the audit strategy and plan
should result in the selection of the most efficient and effective audit procedures being applied
to the most significant accounts, and minimises the possibility of material misstatement going
undetected. Integral to the audit risk model is that specific attention is given to inherent risk
and control risk and a systematic approach to applying the judgements that need to be made
as to risk and materiality. It also ensures that auditors give due regard to the positive effect that
internal control can have in reducing the risk of material misstatement.

The requirement to apply the risk analysis at two levels, i.e. at the financial statement level
and at the level of account balance assertions, facilitates an integrated approach. By assessing
risk at the financial statement level, risks that could affect many assertions can be identified.
This context enhances the identification of risk and the risk assessments at the individual
assertion level for account balances, classes of transactions, and disclosures. The nature,
timing, and extent of audit procedures are therefore more likely to be directed at the areas
of greatest potential concern. The audit focus is on ‘what could go wrong’ rather than
over-auditing assertions that are at a low risk of material misstatement.

The potential disadvantages of this model are similar to those that apply to all audit
methodologies, but are more significant in a risk-based approach. The approach is reliant on
the quality of several subjective judgements to be made and on the information used to make
those judgements. A risk-based audit requires that the audit resources be sufficiently skilled
and experienced to understand and interpret the relationships inherent in the information
about the client and its environment, and that the audit is properly planned, supervised, and
reviewed. Audit teams must be business aware.

5.8.2 Top-Down Auditing


This approach is essentially a controls-based approach. Its focus is on determining the
individual controls over the preparation of financial statements to be tested.

Under this approach, matters to be considered include:

• The control environment, for example, management’s attitude and commitment to the
control function and the organisational structure supporting the internal functions.

• The entity’s risk assessment process, for example, how business risks relevant to the
financial statements are identified, assessed, and addressed.

• Monitoring of controls, for example, how the entity monitors controls relevant to
financial reporting and initiates remedial actions to address deficiencies, and the
involvement of internal audit in this process.

• The information system and related business processes relevant to financial reporting.

• Controls over the end of year accounting process.

This approach also involves the auditor identifying the material accounts and classes of
transactions and related assertions and the risk of material misstatement. The auditor then
identifies the control objectives relevant to the significant assertions and drills down to the
specific controls relevant to each assertion. Through this process the auditor retains the
relationship between the financial statements and internal control and can readily understand
the effect of a particular control on the related financial statement assertion.

As a result, the auditor then tests the specific controls that address the risk of material
misstatement.

5.8.2.1 Advantages and Disadvantages


The advantage of this approach is that the testing of controls is directed specifically at those
controls relevant to the financial statements and that have been assessed as relevant to
the audit. Rather than obtaining an understanding of all controls, controls over immaterial
accounts and transactions and assertions that are irrelevant are eliminated. The intended
result is an efficient audit approach.

This approach also requires that the auditor focuses on the design of controls. By first
establishing control objectives and then identifying controls to achieve the objectives, the
auditor must consider whether the controls are designed effectively to achieve the objectives. If
the controls are ineffective, the auditor can adjust the nature, timing, and extent of other audit
procedures to achieve the audit objective.

As indicated under the risk-based approach, this model requires skilled and experienced
audit resources, as well as specific expertise where the controls systems are heavily IT based.

5.8.3 System-Based Auditing


This approach is the forerunner to the current risk-based approach. Like the risk-based
approach, it recognises that the accounting records provide the underlying evidence and
data from which the financial statements are prepared. This approach addresses the types of
transactions the entity enters into and how they are processed through the system.

The process focuses on the structure of the information system and the internal controls
supporting the flow of the documents and their recording in the accounting records. The
auditor tests transactions for compliance with the controls. Like the risk-based approach, if
the controls are found to be operating effectively in a particular subsystem in the accounting
process, the auditor places reliance on those controls and reduces the nature, timing, and
extent of substantive procedures.

5.8.3.1 Advantages and Disadvantages


The advantage of this approach is that, like the risk-based method, it recognises that systems
of internal control can be used by auditors to improve the efficiency of the audit process. This
approach, however, is not as directly focused on ‘at risk’ assertions but more on document
flows within an overall system, for example the payroll or accounts receivable system. As such,
the extent of internal control testing may be greater than under a risk-based approach.

5.8.4 Systems Audit


A systems audit is a process to determine whether a particular system is designed and
operating to achieve stated objectives and whether the effectiveness of the system could be
improved. It is most often used as a management tool to obtain objective evidence that the
entity’s policies and objectives are being met. To be constructive, such audits need to include
judgements as to whether the system subject to audit is effective, not just that the elements
within the system have been complied with. Effectiveness requires that the system protects
the entity’s information assets and makes information available only to authorised personnel.
These audits can be used by management to improve an entity’s performance as a result of the
focus on determining whether the systems are both implemented effectively and are suitable
to achieve the stated organisational objectives.

Given that the focus of these audits is on whether the elements of the system are
appropriate and effective, and have been developed and documented in accordance with
specified requirements, particular attention is given to management policy and whether this
is adequately documented and complied with. It is also important that particular attention
be given to evaluating whether these elements are updated as the system changes. The
effectiveness of systems generally relies upon appropriate segregation of duties so that
no individual has incompatible functions, for example, that the authorisation, recording,
and custody functions in relation to transactions are separate. Systems audits would focus on
these matters. Another area of particular focus in these audits is system security in order to
ensure that there are effective policies in place and that they are complied with.
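The checks described above can be run mechanically against an access export. The following Python sketch is an added illustration, not part of the original text: it compares a documented duty matrix with the access actually granted in the system and reports segregation-of-duties conflicts, access that is not documented, and documentation that is out of date. The user names, cycles, the extra "reporting" function and the rule that a conflict means two or more of the three functions held within the same cycle are all assumptions made for the example.

```python
from collections import defaultdict

# The three functions the text says must be separate for a transaction.
INCOMPATIBLE = {"authorisation", "recording", "custody"}

# Constructed sample data: (user, transaction cycle, function).
# DOCUMENTED is the duty matrix in the policy manual; ACTUAL is what the
# system grants after a staff change in purchasing.
DOCUMENTED = [
    ("chan", "purchasing", "authorisation"),
    ("lee", "purchasing", "recording"),
    ("wong", "purchasing", "custody"),
    ("lee", "payroll", "recording"),
    ("ho", "payroll", "authorisation"),
    ("ho", "payroll", "reporting"),
]
ACTUAL = [
    ("chan", "purchasing", "authorisation"),
    ("lee", "purchasing", "recording"),
    ("lee", "purchasing", "custody"),   # taken over from wong, never documented
    ("lee", "payroll", "recording"),
    ("ho", "payroll", "authorisation"),
    ("ho", "payroll", "reporting"),
]


def sod_conflicts(assignments):
    """Return {(user, cycle): [functions]} for every user who holds two or
    more incompatible functions within the same transaction cycle."""
    held = defaultdict(set)
    for user, cycle, function in assignments:
        if function in INCOMPATIBLE:
            held[(user, cycle)].add(function)
    return {key: sorted(funcs) for key, funcs in held.items() if len(funcs) > 1}


def undocumented_access(documented, actual):
    """Access granted in the system that the documented policy does not show
    (policy not complied with, or not updated after a system change)."""
    return sorted(set(actual) - set(documented))


def stale_documentation(documented, actual):
    """Documented duties that no longer exist in the system."""
    return sorted(set(documented) - set(actual))


def review(documented, actual):
    """Collect the three findings a systems audit would report."""
    return {
        "conflicts_in_system": sod_conflicts(actual),
        "conflicts_on_paper": sod_conflicts(documented),
        "undocumented_access": undocumented_access(documented, actual),
        "stale_documentation": stale_documentation(documented, actual),
    }


if __name__ == "__main__":
    for finding, detail in review(DOCUMENTED, ACTUAL).items():
        print(finding, detail)
```

On the sample data the documented matrix shows no conflict, while the system export shows one user holding both recording and custody in purchasing, which is why the review has to be run on actual access rather than on the policy document alone.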

These audits can be undertaken for a range of reasons, for example:

• To evaluate an entity’s system against an industry standard.

• To establish whether the system conforms with defined criteria.

• To satisfy legal or regulatory requirements.

5.8.4.1 Advantages and Disadvantages


From the perspective of an external audit of financial statements, these audits are of limited
value. While they provide evidence as to the reliability of systems and controls, the objectives
that the system is directed to achieving may not relate to financial reporting issues and they
do not provide evidence of a substantive nature in terms of detailed tests of transactions
and balances.

5.8.5 Balance Sheet (Statement of Financial Position) Approach


This approach involves the application of audit procedures to obtain sufficient appropriate
audit evidence to verify the asset, liability, and equity accounts in an entity’s statement of
the financial position at the end of the financial reporting period. The underlying premise is
that if these accounts are not materially misstated, then the corresponding transactions that
produced the year end balances comprising the statement of financial performance are also
likely to be appropriately recorded.

The focus is therefore on assertions relating to completeness, existence, valuation, and rights
and obligations inherent in the statement of financial position items that are the result of the
accounting system, rather than the system and process. Because the audit deals with balances
outstanding at the end of the financial reporting period, the audit procedures are concentrated
at the year end. Any evidence as to the operation of internal controls during the period
inherent in the final balances being correct is therefore limited.

5.8.5.1 Advantages and Disadvantages


This approach has advantages where an entity is just commencing business or has large
accounts and a small number of transactions.

It does not, however, address fraud risk or misclassification or errors where amounts
are netted off and therefore affect the preparation and presentation of financial statements.
It does not give due consideration to the importance of the statement of profit or loss and
other comprehensive income and the fact that entities with many transactions and complex
accounting systems must be capable of processing data over the complete accounting
period and the importance of a sound system of effective internal controls to ensure that all
transactions are appropriately recorded during that period.

5.8.6 Transaction Cycle Approach


This approach recognises that a transaction cycle involves a series of linked transactions that
reflect an operational process and that result in account balances. For example, the following
are generally recognised as the financial statement cycles into which most business transactions
in a business that buys and sells goods can be aggregated:

• Sales collection cycle – sales-accounts receivable-cash receipts. The entity receives an
order, assesses the customer’s credit rating, delivers the goods, issues a sales invoice,
records the receivable, and collects the cash payment.

• Purchasing cycle – purchase-inventory-accounts payable-cash payment. The entity
issues a purchase order, receives the goods, records the inventory, receives an invoice,
records the payable, and pays the invoice.

• Payroll cycle.

• Other purchase cycles, for example assets.

• Finance cycle.

Understanding the flow of transactions and their conversion under accrual accounting,
and the reports generated, is a useful means of understanding the accounting system and
related control procedures. Tests of transactions involve the application of audit procedures
to the accounting record of transactions by examining the evidential support for them with
procedures such as tracing, vouching, and recomputation. The audit process is designed to test
the internal controls over the related transactions within each operating cycle, but can also be
used as a substantive test.

5.8.6.1 Advantages and Disadvantages


This approach is considered more cost effective for large entities than the balance sheet
approach as, through the testing of the processing of transactions, there is a relatively lower
level of testing of the large number of transactions comprising the balance sheet accounts at
year end. As it focuses on testing of controls there is a higher probability of fraud detection.
Because it deals with identifiable and common transaction cycles, it lends itself to the
development of standardised internal control checklists applicable across several audit clients.
This has the disadvantage of giving less emphasis to the individual circumstances and risks
facing individual clients. This approach is therefore seen as less effective than the business risk
approach where the audit strategy is more directly focused on where the risk of misstatements
is greatest.

5.8.7 Directional Testing


This approach has its foundations in the double-entry accrual accounting model, where for
every debit there must be an equal credit in the accounting records, and the relationship
between account balances. It involves testing transactions or balances and confirming, for
example, the debit balances in a trial balance; if they are found to be correct, so also should be
the credits, although the evidence is indirect.

This method is directed at testing for either overstatements or understatements
separately from each other. One side of a transaction is examined at a time, either a debit
or a credit, and, after selecting the direction, the auditor considers whether there is an
overstatement or an understatement in other account balances. Assets are most commonly tested for
overstatement, primarily whether transactions have occurred. For example, if accounts
receivable is overstated revenue may be overstated. These tests use the underlying financial
statement records as the starting point and check back to supporting documents. Liabilities are
commonly tested for understatement, primarily whether all transactions have been recorded.
Unrecorded liabilities may indicate understatement of expenses or assets. These tests start
from reviewing underlying documents and checking to ensure that the transactions and events
have been recorded in the accounting records.
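The two directions can be shown side by side. The following Python sketch is an added illustration, not part of the original text: vouching starts from the recorded entries and checks back to supporting documents (overstatement), while tracing starts from the source documents and checks forward to the records (understatement). The references and HK$ amounts are constructed sample data, and testing every item rather than a sample is an assumption made to keep the result deterministic.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    ref: str      # reference linking a ledger entry to its source document
    amount: int   # HK$


def totals_by_ref(items):
    """Sum amounts per reference so a duplicated entry shows up in the total."""
    totals = {}
    for item in items:
        totals[item.ref] = totals.get(item.ref, 0) + item.amount
    return totals


def directional_test(start_from, check_against):
    """Walk the population we start from and report, per reference, the
    amount that the other population does not support."""
    start, other = totals_by_ref(start_from), totals_by_ref(check_against)
    return {ref: amount - other.get(ref, 0)
            for ref, amount in start.items()
            if amount > other.get(ref, 0)}


def vouch(ledger, documents):
    """Overstatement test: recorded entries back to supporting documents."""
    return directional_test(ledger, documents)


def trace(documents, ledger):
    """Understatement test: source documents forward to the records."""
    return directional_test(documents, ledger)


# Constructed sample data: accounts receivable (an asset).
RECEIVABLES_LEDGER = [
    Item("INV-101", 50_000),
    Item("INV-102", 30_000),   # invoice supports only 20,000
    Item("INV-103", 15_000),   # no invoice exists
    Item("INV-105", 20_000),
    Item("INV-105", 20_000),   # same invoice recorded twice
]
SALES_INVOICES = [
    Item("INV-101", 50_000),
    Item("INV-102", 20_000),
    Item("INV-104", 8_000),    # issued but never recorded
    Item("INV-105", 20_000),
]

# Constructed sample data: accounts payable (a liability).
PAYABLES_LEDGER = [
    Item("SUP-201", 40_000),
    Item("SUP-202", 10_000),   # supplier invoice is for 12,000
]
SUPPLIER_INVOICES = [
    Item("SUP-201", 40_000),
    Item("SUP-202", 12_000),
    Item("SUP-203", 5_000),    # unrecorded liability
]


def run_tests():
    """Apply each direction to each account and total the exceptions."""
    findings = {
        "receivables_overstated": vouch(RECEIVABLES_LEDGER, SALES_INVOICES),
        "receivables_understated": trace(SALES_INVOICES, RECEIVABLES_LEDGER),
        "payables_understated": trace(SUPPLIER_INVOICES, PAYABLES_LEDGER),
        "payables_overstated": vouch(PAYABLES_LEDGER, SUPPLIER_INVOICES),
    }
    totals = {name: sum(found.values()) for name, found in findings.items()}
    return findings, totals


if __name__ == "__main__":
    findings, totals = run_tests()
    for name in findings:
        print(name, findings[name], "total HK$", totals[name])
```

Vouching the payables ledger reports nothing even though HK$7,000 of liabilities is missing from it, which is why liabilities are approached from the documents rather than from the records.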

5.8.7.1 Advantages and Disadvantages


This approach is seen as leading to greater audit efficiency in that it focuses on accounts that
are more likely to be materially misstated in a particular direction because of their nature or
indications of management motivation to misstate the financial statements. The evidence
obtained by an auditor as to whether an account balance is materially misstated comes from a
variety of sources, and directional testing assists the auditor to understand the significance of
different individual pieces of evidence.

Whether the method improves efficiency depends on the nature of the evidence
available as an indicator of over- or understatement and the extent of testing that needs to
be undertaken. The evidence in relation to the other side of the ‘directional’ outcome is only
indirect and requires further audit procedures.

5.8.8 Performance of Different Audit Methodologies


The preceding sections have briefly outlined a number of different methodologies that have
been developed over the years. They can still be utilised if the circumstances warrant.

However, as is evident, in most cases the methodologies would not by themselves provide
sufficient appropriate audit evidence on which an auditor could base an opinion on a set of
financial statements, nor meet the requirements of the auditing standards.

In a sense the different approaches represent alternative means of auditing individual
assertions.

The audit of some entities, because of their nature, requires a particular approach. For
example, the extent of controls and their documentation within smaller entities may be limited
and not provide the auditor with a basis on which to rely on the testing of controls. In these
cases, a substantive approach/balance sheet approach may be the most effective.

In most financial statement audits, the risk-based methodology required by the auditing
standards would result in a combination of review and testing of the system of internal control
combined with substantive tests of transactions and balances and analytical procedures. For
example, the approach to the review and testing of internal control could be undertaken using
a top-down or transaction cycle approach, supported by substantive procedures that reflect
audit procedures that would be used under the balance sheet approach.

What is cost effective is a function of the circumstances of the engagement and the nature
of the client’s business and systems and the strength or weakness of the client’s system of
internal control and use of IT.

Knowledge Check Questions

Question 23
Identify which of the following explains why the risk-based methodology is cost effective:
A It does not require the use of the balance sheet approach, which may lead to
over-auditing.
B It focuses on an entity’s transactions cycles to determine their effectiveness.
C The business risk strategy directs the audit to areas where the real risk of misstatement
may occur.
D Audit fieldwork can be spread more evenly over the financial reporting period.

Question 24
An audit client has advised that they are uncertain as to whether the internal control
system over the property, plant and equipment account was effective due to staff changes for a
three-month period. They are seeking assurance that the account and related depreciation
account is correctly recorded. Explain how the transaction cycle approach could be used to
provide assurance that the controls were effective during that period.

SUMMARY

This chapter addressed the importance of planning the audit of a financial statement to
support the conduct of an efficient and effective audit. It recognises that under auditing
standards the planning process is essentially the application of risk-based audit methodology.
The planning approach is based on the auditor gaining an understanding of the client and its
environment, including the system of internal control to identify the potential risks of material
misstatement at both the overall financial statement level and at the level of account balance
assertions.

The information obtained about the client’s circumstances and the initial audit
judgements based on that information are formalised in the development of an audit
strategy. The strategy document identifies the areas of audit focus in terms of the risk of
material misstatement and the audit approach as to the relative emphasis on the reliance
on internal control testing and substantive procedures to obtain sufficient appropriate audit
evidence on which to base the audit opinion. This is then reflected in a detailed audit plan
to respond to the risk of material misstatement in financial statement assertions and which
documents the detailed audit procedures to be performed during the audit. Both the audit
strategy and plan are dynamic in nature and are reviewed and updated as necessary as the
audit progresses based on the results of the application of the audit procedures undertaken
during the audit.

The chapter has dealt with the following:

• Engagement acceptance and continuance as the first step in establishing the audit
relationship and basis for planning.

• Implementing the risk-based audit methodology as required under auditing standards.

• The importance of planning in identifying the matters that should be given the greatest audit
attention and determining the audit resources needed to perform the audit.

• The process of gaining an understanding of the client and its environment, and the system
of internal control, as the basis for identifying the risks of material misstatement in financial
statements and for developing the audit strategy and audit plan.

• The relationship between the audit strategy and audit plan, outlining that the relationship
starts with the audit strategy documenting the balance between the reliance on a controls-
based approach and substantive approach with the plan implementing that approach by
documenting the detailed tests of control and substantive procedures to obtain sufficient,
appropriate, audit evidence.

• The audit risk model as a means of formalising the components of risk and implementing the
risk-based audit methodology.

• Within the risk-based audit approach the requirement in the auditing standards to specifically
address the risk of fraud and to consider non-compliance with laws and regulations.

• The role of materiality in both qualitative and quantitative terms in planning the audit
and identifying the significance of individual transactions and balances and evaluating the
aggregate of misstatements.

• The role of documentation in the audit planning process.

• Identification of different audit methodologies that are available and that can be used as a
discrete approach or in combination to achieve a particular audit objective, depending on the
circumstances.

MIND MAP

[Mind map: Planning and Risk Assessment. Branches: Planning an Audit; Risk Assessment Procedures and Related Activities; Materiality; Planning Documentation Development; Audit Methodologies; Gaining Initial Understanding of the Entity and Its Environment; Audit Risk Components.]

Answers to Knowledge Check Questions

Question 1
Answer A is incorrect. The audit strategy is developed by the auditor and represents the
basis upon which the auditor expects to conduct the audit and from which the more
detailed audit plan is developed. It is an audit document.
Answer B is incorrect. The audit plan specifies the nature, timing, and extent of the detailed
audit procedures to implement the audit strategy. It provides the audit team with a set of
instructions as to how to vary the audit and is not available to management.
Answer C is correct. The engagement letter is the formal communication between
the auditor and client management that documents the auditor’s acceptance of the
engagement, its scope, and the extent of the auditor’s and management’s responsibilities.
Answer D is incorrect. While the auditor will meet with the client to discuss the audit
arrangements and expectations of both parties, this is formalised through the written
engagement letter.

Question 2
Answer A is incorrect. Lack of integrity may indicate that management is likely to produce
misleading financial statements and an association with a client whose management lacks
integrity may affect the auditor’s reputation and should be avoided.
Answer B is correct. Whether a client may or may not request additional services from
the audit firm is not relevant to whether the auditor can accept or continue an audit
relationship. That is a decision based on the auditor’s ability to conduct an appropriate
audit and having an appropriate client relationship for that purpose. Any subsequent
request by the client for the audit firm to provide other services would be a decision to be
made at the time, albeit that it would be subject to ensuring that ethical standards are not
contravened.
Answer C is incorrect. An audit engagement should not be accepted or continued if the
auditor and engagement team do not have the appropriate skills and knowledge of
the client’s business and industry to understand the financial statement implications.
The auditor would not be competent to conduct an audit in accordance with auditing
standards without the skills and knowledge of the client’s business.
Answer D is incorrect. Compliance with the profession’s ethical standards is mandatory for
members of the HKICPA in order to accept appointment or to continue as an auditor.

Question 3
Answer A is incorrect. The audit fee should reflect the cost of the audit based on the audit
plan, i.e. the plan is the means of determining the fee in the first place.
Answer B is incorrect. The plan determines the level of substantive procedures required to
obtain sufficient appropriate audit evidence in conjunction with other audit procedures.
Answer C is correct. The audit plan is based on the auditor’s understanding of the client
and its business, and from this identifying the areas of potential material misstatement
in the financial statements and developing a strategy and plan to address the risk. The
formal risk-based planning requirements ensure that this process focuses attention on the
significant areas of the audit.
Answer D is incorrect. The audit strategy and plan are the responsibility of the auditor and
are developed to facilitate and direct the audit process. While an auditor will discuss issues
with management during the planning process to obtain information about the client and
its business, and which is relevant to planning the audit, the audit must be planned and
performed independently of management.

Question 4
Answer A is incorrect. While the audit plan (programme) documents the audit procedures
to be applied in performing the audit, it is derived from the audit strategy and based on
judgements made by the auditor in developing that strategy.
Answer B is incorrect. The audit strategy is developed from the auditor’s understanding of
the client and its environment and does not include detailed audit procedures.
Answer C is incorrect. Auditing standards identify the requirements that an auditor
must comply with when undertaking an audit, and the types of procedures available
to an auditor to obtain evidence, but they do not provide a standardised set of audit
procedures to be applied in individual engagements. The standards require that the
audit procedures be tailored to reflect the specific engagement circumstances.
Answer D is correct. The audit strategy and plan are based on the auditor’s judgement as
to the risk of material misstatement in the financial statements and financial statement
assertions based on their knowledge of the client and its environment. The specific
procedures to be applied to address those risks are based on the auditor’s professional
judgement as to what is necessary to obtain sufficient appropriate audit evidence.

Question 5
The auditor should be able to:
• Understand the nature, timing, and extent of procedures undertaken in
accordance with the auditing standards.

• Ascertain the results of audit procedures and the evidence obtained.

• Identify the significant matters dealt with during the audit.

• Identify the matters on which judgement was required.

• The conclusions reached during the audit.

Question 6
Answer A is correct. In order to develop an audit strategy and plan and to direct the audit
to the areas of potential risk of material misstatement, the auditor needs to understand
the transactions and events that affect the financial statements.
Answer B is incorrect. While an auditor might identify weaknesses in a client’s internal controls
during the performance of an audit and report them to management, this is a by-product of
the audit. The understanding is to achieve audit objectives and facilitate the audit process.
Answer C is incorrect. The process of assessing known misstatements occurs after
the auditor has performed the planned audit procedures and obtained evidence that
identifies misstatements. Understanding the client and its environment is the initial
process of identifying the risks and determining the procedures to be applied to detect
misstatements.
Answer D is incorrect. The auditor must apply an attitude of professional skepticism
throughout the audit, but understanding the client and its environment does not develop
that attitude. It is a process to gather information about the client, not how the auditor
should apply skepticism.

Question 7
Answer A is correct. These are risks at the overall business level that the entity
may not achieve its business objectives, and they are factors that could identify areas within the
client’s financial statements that may be subject to the risk of material misstatement due
to these business variables.
Answer B is incorrect. This is the risk that at the more detailed level, and due to the nature
of the business, some specific transactions and events are inherently more at risk of being
materially misstated.
Answer C is incorrect. This is a risk that may arise as a result of the auditor not meeting
their audit obligations.
Answer D is incorrect. This would occur where the auditor has not applied due care and
diligence when performing an audit.

Question 8
Answer A is incorrect. Financial information reflects the outcome of transactions and
events comprising goods and services. There should be a relationship between the
information about the underlying transactions and events and the financial reporting that
enables a comparison to be made that would reveal any unusual differences.
Answer B is incorrect. Any differences between a client’s ratios and those of the industry in
which the client operates indicate areas that may require audit attention.
Answer C is incorrect. Deviations of actual amounts from the budget direct the auditor’s
attention to areas that require audit attention.
Answer D is correct. This is an audit procedure to obtain direct evidence as to the recording
of an amount in the accounting records.

Question 9
Because analytical procedures involve the analysis of plausible relationships between both
financial and non-financial information, identified fluctuations or relationships that are
inconsistent with other relevant information or expectations provide information about
the entity and its operations. This may identify issues of which the auditor may otherwise
not be aware at this stage of the audit, and assists in identifying areas of potential risk
requiring audit attention in developing the audit strategy and plan, including the nature,
timing, and extent of audit procedures.

Question 10
Answer A is incorrect. This is a matter arising from the auditor’s understanding of the
entity’s information system and communication component of the system of internal
control through performing risk assessment procedures.
Answer B is incorrect. This is a matter arising from understanding the entity’s information
and communications component of the system of internal control.
Answer C is correct. This is an element of the entity’s organizational and governance
structure that the auditor is required to obtain an understanding of under HKSA 315
(Revised 2019).
Answer D is incorrect. This is a matter arising from understanding the control activities
component of the entity’s system of internal control.

Question 11
Answer A is correct. This facilitates the audit process being focused on areas which are
susceptible to material misstatement.
Answer B is correct. The initial audit strategy and plan reflects evidence obtained during
the initial risk assessment process which identifies the areas of susceptibility to material
misstatement and the entity’s policies and procedures to deal with those matters.
Answer C is correct. The audit strategy and plan identify the audit process and the
nature, timing and extent of further audit procedures appropriate to obtaining sufficient
appropriate audit evidence on which to base the audit opinion.
Answer D is incorrect. The audit opinion issued at the conclusion of the audit is based
on all of the evidence obtained during the audit process as a result of applying all of the
audit procedures arising from the implementation of the test of control and substantive
procedures developed from the risk assessment process.

Question 12
Answer A is incorrect. The assertion that all purchases and sales relating to inventory have
been recorded is not affected by inventory theft.
Answer B is correct. Theft would result in recorded inventory being no longer physically
available to the client.
Answer C is incorrect. The client has not lost the right to the inventory as an asset, but
no longer has access to that right. This assertion is affected by theft, but flows from the
existence assertion.
Answer D is incorrect. This assertion relates to inventory being recorded at an appropriate
amount at the time of acquisition.

Question 13
Answer A is incorrect. As the system of internal control has not proven to be as strong as
initially planned and therefore less reliance can be placed on it, increasing tests of control
will not be effective in providing reliable audit evidence.
Answer B is incorrect. Inherent risk has not changed as it is the risk of an assertion
about a class of transactions or account balance being misstated due to the nature
of transactions and events without considering internal control. The nature of the
transactions and events has not changed but the control system has proven to be
weaker than anticipated.
Answer C is incorrect. As less reliance can be placed on the system of internal control
to provide evidence as to the reliability of the financial information produced by the
accounting system, substantive testing would need to be increased to provide sufficient,
appropriate audit evidence.
Answer D is correct. As less reliance can be placed on internal control, detection risk would
need to be decreased through applying more substantive procedures.

Question 14
Detection risk is the risk that an auditor’s substantive procedures will not detect a material
misstatement in an account balance or class of transactions. It cannot be reduced to zero
due to sampling risk where there is a risk that a sample may not be representative of
the population and the conclusion drawn from a sample may not be the same as if the
whole population of transactions in an account balance had been tested. There is also the
possibility of non-sampling risk where the auditor may draw an incorrect conclusion by not
applying effective audit procedures or drawing incorrect conclusions from the evidence
obtained. Further, much of the evidence available to the auditor is persuasive and not
conclusive.

Question 15
Answer A is incorrect. This affects control risk as it increases the risk of misstatement in
that account balance.
Answer B is correct. As the entity is operating with products of which it has limited
knowledge at this point and a market that it is unfamiliar with and which is subject to rapid
change, there are risks associated with financial report assertions in relation to inventory
obsolescence and valuation.
Answer C is incorrect. This will decrease inherent risk as the entity’s activities are likely
to be more predictable and stable and their financial statement issues more reliable to
predict and manage.
Answer D is incorrect. This will reduce inherent risk as it indicates that management is less
likely to attempt to produce materially misstated financial statements.

Question 16
Answer A is correct. The nature of fraud means that it is difficult to detect as it generally
involves attempts to conceal it, collusion, or overriding of controls. The auditor must assess
the risk of material misstatement due to fraud and to address those risks in developing the
audit strategy and plan. The overall audit objective is to provide an opinion on the financial
statements that provides reasonable assurance that the financial statements are not
materially misstated and that gives the level of assurance that no material fraud has occurred.
Answer B is incorrect. Refer to Answer A.
Answer C is incorrect. While many financial report users have an expectation that an audit
will detect all fraud, the objective of the audit is to provide an opinion on the financial
statements. In that context the auditor’s responsibility is to apply reasonable skill and care
in planning and conducting the audit.
Answer D is incorrect.

Question 17
The auditor would enquire of management as to the nature, extent, and frequency of their
assessment of material misstatement due to fraud, their process for identifying fraud, and
how they respond to fraud that they become aware of. The auditor should ask whether
management has identified any actual or expected fraud or been made aware of any
such matters. The auditor would also consider management’s communication within the
entity as to its attitude and behavioural expectations in relation to fraud. Where there is
an internal audit function, enquiries would be made as to whether internal audit was
aware of any actual or expected fraud and their views as to the risk of fraud.

Question 18
Answer A is incorrect. This indicates that reliance on the system of internal control
is weakened and that management may have been involved in activities that could
involve fraud.
Answer B is incorrect. This is indicative of pressure within the entity and on management
to meet the expectations of other parties external to the entity.
Answer C is correct. This is an indicator of a higher inherent risk as the implementation of
a new and complex accounting standard increases the risk that a material misstatement
may occur.
Answer D is incorrect. Lack of control over IT provides the opportunity for manipulation of
information.

Question 19
(a) Inherent risk is increased as transactions involving foreign currency are subject to
gains and losses due to foreign exchange fluctuations. If the client enters into foreign
exchange risk transactions, they may be complex. Given the lack of experience with
accounting for these transactions and the accounting requirements associated with
foreign exchange transactions the possibility of errors occurring is increased.
(b) There is an incentive for management to produce good results. Depending on other
factors, the fraud risk is increased as management may seek to manipulate accounting
policies or reporting of transactions.
(c) The inherent risk is increased because of the nature of the business. The nature
of the product indicates an inherent risk of industry obsolescence due to changing
technology.
(d) Lack of management integrity increases the risk that they may be prepared to produce
materially misstated financial statements through, for example, overriding controls.
(e) A decrease in the quick asset ratio suggests cash flow and liquidity problems. This
increases the risk that the client may seek to produce financial results that reflect a
position that appears better than it is.
(f) Accounts that were previously misstated are at a higher risk of again being misstated
unless the causes of the previous misstatement have been addressed by the client. The
auditor may need to look more closely at control risk in these areas.
(g) Inexperienced management increases the risk that the financial statements may be
materially misstated. Poor decision-making may also increase the pressure to engineer
a better financial result.
(h) Related party transactions by their nature have a higher risk as they are not
undertaken at arm’s length and so are open to manipulation. As such, they are subject
to specific accounting standards requirements and disclosures, which adds complexity
and increases the risk of fraud and error.
(i) Accounts that require complex calculations and subjective judgements are more likely
to contain errors and have an increased risk of manipulation.
(j) Transactions processed outside the normal system have an increased risk of error
and fraud.

Question 20
Answer A is incorrect. The auditor needs to be satisfied that the financial statements
comply with the applicable financial reporting framework and undertake audit procedures
to form a conclusion that laws and regulations affecting the preparation and presentation
of the financial statements have been complied with.
Answer B is correct. In the absence of identified or suspected non-compliance, the auditing
standards do not require the auditor to undertake procedures to detect all non-compliance
with laws and regulations.
Answer C is incorrect. Because the effect on the financial report of laws and regulations
can vary considerably, seeking written confirmation from management is necessary given
their responsibility for complying with laws and regulations, albeit that this does provide
sufficient appropriate audit evidence on its own.
Answer D is incorrect. As non-compliance with laws and regulations could impact the
financial statements, the auditor needs to remain alert to any circumstances that may
affect the financial statements, including non-compliance with laws and regulations.

Question 21
Answer A is incorrect. Performance materiality is an audit concept to be applied by
the auditor. Management should prepare the financial statements ensuring that all
transactions and events are appropriately recorded.
Answer B is incorrect. Materiality is a matter of judgement and rules of thumb provided
by audit firms are only guidance to their audit staff to facilitate their decision-making in
relation to materiality in the circumstances of each engagement.
Answer C is correct. This is the amount or amounts set by the auditor at less than the
materiality for the financial statements as a whole to reduce to an acceptably low level the
probability that the aggregate of individually uncorrected or undetected misstatements
exceeds materiality for the financial statements as a whole.
Answer D is incorrect. Materiality overall requires consideration of both quantitative and
qualitative factors, not just performance materiality.

Question 22
The risk-based approach requires the auditor to identify the risk that an account balance
is misstated and then develop and adapt procedures appropriate to minimising the
possibility that misstatement due to fraud or error will not be detected. If the risk
assessment is appropriate this results in an efficient and effective audit that concentrates
the audit process on the most important accounts and minimises the potential that
misstatement will not be detected.
Audit risk is the risk that the auditor expresses an inappropriate audit opinion when
the financial statements are materially misstated. Materiality is the concept that identifies
the significance of financial statement items that, if omitted or misstated, could affect
resource allocation decisions made by financial statement users. The audit is planned to
reduce audit risk to an acceptably low level and to limit the risk of audit procedures not
detecting material misstatements. The audit is therefore planned based on the nature,
timing, and extent of audit procedures reflecting the level of materiality established by the
auditor. The relationship between audit risk and materiality is inverse in that the greater
the audit risk the lower the materiality level is set by the auditor. This has implications,
for example, for the extent of audit procedures and the need to select more effective
procedures or performing procedures closer to the balance date where the materiality
level is low (i.e. even a low level of error in the account balance cannot be tolerated).

The concepts are therefore inextricably linked with materiality, reflecting the precision
of the audit procedures required, audit risk, and the degree of certainty achieved.

Question 23
Answer A is incorrect. The audit risk model under auditing standards requires some level
of substantive testing, even where internal controls are found to be effective. Substantive
procedures applied under the risk-based methodology include some of the audit
procedures that would be used under the balance sheet approach.
Answer B is incorrect. While the approach to the review and testing of internal controls
may reflect an entity’s transaction cycles, this approach does not directly focus on the
areas of greatest risk of material misstatement, and may result in more extensive testing of
internal controls than a risk-based approach.
Answer C is correct. Because the risk-based approach is a business risk model based on
identifying the areas of the financial statements that are most susceptible to material
misstatement, the audit approach is more direct and focused on those risk areas.
Answer D is incorrect. The timing of fieldwork is a matter of audit scheduling once the
audit strategy and plan have been developed. It is the process of implementing the audit
methodology and not developing the methodology.

Question 24
The transactions involved in this cycle would commence with an order document or
contract to purchase an item of property, plant or equipment, an invoice for payment,
payment for the acquisition, and a depreciation calculation once the item is received based
on its useful life. It also involves transactions relating to repairs and maintenance and a
decision as to whether to capitalise or expense such amounts.
The transaction cycle approach would involve selecting the transactions recorded in
the PP&E account during the three month period and comparing them to the underlying
supporting documents being an order/contract and invoice to confirm that the amounts
recorded are correct and the items recorded are appropriate for inclusion in the PP&E
account. Physical inspection of the items purchased would confirm their existence.
Similarly, the amount of repairs and maintenance recorded as capitalised as PP&E would
be traced back to the underlying documents to confirm that they have been appropriately
accounted for. Transactions recorded in the repairs and maintenance account during that
period would also be selected and compared with the underlying documents, such as
orders and invoices to ensure that no PP&E amounts were expensed.
Recalculation of the depreciation expense for that period would confirm the
depreciation expense.
If the results did not identify any misstatements, this would provide assurance that the
controls were effective during that period and that the PP&E and related accounts were
correctly stated during that period.

EXAM PRACTICE

QUESTION 1
Tong Tan Ltd is a company listed on the Hong Kong Stock Exchange and manufactures
cardboard containers and packaging. It has operated successfully in the industry for many
years and its management is experienced and stable, and is regarded within the industry as
having a high level of integrity.

To date the company’s products are sold to local manufacturers. However, during your
discussions with management as part of planning this year’s audit, they advise you that the
industry has become very competitive and profit margins have declined in recent months.

The company has sought to improve its performance by seeking additional markets, and
has secured some short-term contracts with overseas customers to provide a limited range
of packaging designed specifically for each customer. However, as yet, the profit margins
are not high.

The company is also seeking to raise additional finance to support its move into the
international market and has been advised by its bank that such finance is available based
on the bank’s assessment of its future profitability.

The company’s total revenue is $HK10 billion, total assets $HK14 billion, net assets
$HK8 billion, and net profit $HK456 million.
Your firm adopts the following rule of thumb materiality levels:

5–10% of net profit

0.5–1% of revenue

0.5–15% of total assets

You have audited the company for the last three years and have not experienced any
major audit complications and have found their system of internal control to be effective.
Additional controls have been implemented to deal with the move to expand into the
international market.

Required:

(a) Based on the above information, identify and explain the factors that would impact
your assessment of risk and determining materiality when planning this year’s audit.

(b) In the past you have used net profit as the base for setting the materiality level for
the audit. Explain why this base has been used and, using your firm’s rule of thumb
approach, apply your judgement to establish the performance materiality level at the
financial report level.

QUESTION 2
You are the auditor of MU Ltd, a mining company with mines in various countries. During
the planning of the audit for the current financial year, you have become aware that one
of the mines remains shut down after being closed two months ago due to a breach of
environmental regulations. The company has incurred significant fines, and as the company
has not been able to meet its contractual supply obligations from this mine in recent times,
it is also facing litigation claims.

Your preliminary analytical procedures also indicate that despite the mine being closed
for a period, the revenue streams are greater than expected.

This information impacts the areas involving non-compliance with laws and regulations
and fraud.

Required:

Explain your responsibility as auditor in these two areas.

QUESTION 3
(a) Identify the benefits of audit planning and the broad steps involved in that process.

(b) Identify who should be involved in the planning process.

QUESTION 4
(a) Explain what is meant by the audit strategy and outline the information you would
expect to find in an audit strategy memorandum.

(b) As audit partner, you are undertaking the preliminary planning for a continuing audit
client and have had initial discussions with management and the audit committee and
senior members of the audit team. You are preparing the audit strategy memorandum
to be provided to the members of the audit team. During the discussions, a number of
matters were identified including the following two issues:
• The company has contracted to demolish and replace one of its processing plants
to increase its production capacity. Demolition and site work will commence during
the current financial reporting period.

• The company is in the process of implementing a more advanced IT general ledger
and accounts payable and receivable system. The financial statements for the
current financial reporting period will be prepared using the new system.

Using your understanding of the risk-based audit methodology, develop a narrative
that would be included in your audit memorandum to the audit team for these two
matters. While the wording of the narrative will be a matter of personal style, the
content should be developed to reflect the relevant audit issues to be communicated.

ANSWERS TO EXAM PRACTICE

QUESTION 1
(a) For a publicly listed company, materiality should be set at the lower level as the
financial statements will be more broadly distributed to a range of users and subject to
various forms of regulatory requirements affecting its financial reporting. This increases
inherent risk.

The changing domestic market conditions suggest that inventory valuation may be
an issue as well as the decline in profit margins. That, combined with the uncertainty
about the new international market and the specialised nature of the products, also
suggests risks with inventory and profit. This indicates a decrease in materiality and a
higher inherent risk.


Transactions involving foreign currency and exchange rate risks would indicate a
lower materiality level and higher inherent risk.

As the company is seeking to increase its debt levels, this indicates that a lower level
of materiality would be appropriate and increases inherent risk.

Some mitigating factors are the fact there has been a positive experience with
the company over the previous years that supports a higher materiality level and the
absence of any errors reduces inherent risk.

The experienced and respected management indicates that it is likely to be
able to manage the current environment and change and is less likely to make
mistakes, thereby reducing inherent risk. The changes made to the control system for
international transactions also reduce control risk.

The fact that the company has been proactive and been able to expand its market
and to have further finance available to support this suggests that it has a viable
product base with the potential for expansion, which reduces its business and inherent
risks. This supports lower business and inherent risks and higher materiality.

(b) As the company is publicly listed, net profit is likely to be of most interest to financial
statement users as it relates to the compensation to shareholders and is a determinant
of the share price. However, as profit has become less stable due to the increased
competition, the asset base may be more reliable. However, as the company has
considered future profitability as a basis for further lending, that also indicates that a
primary user is interested in that base.

Taking into account both quantitative and qualitative factors, a judgement that
recognises that there are factors that both increase and decrease audit risk would place
the materiality at the middle of the net profit range of 5–10%, i.e. approximately $HK34
million. As audit risk would also be at the middle range, performance materiality could
be set at 70% to give a materiality level of $HK23,800,000.

QUESTION 2
The responsibilities in relation to non-compliance with laws and regulations are dealt with in
HKSA 250 (Revised). In the absence of identified or suspected non-compliance, the auditor
is not required to perform audit procedures in relation to laws and regulations, other than
to obtain an understanding of the relevant laws and regulations affecting the entity and
to obtain evidence as to compliance with those laws and regulations directly affecting the
financial statements.

However, having become aware of the non-compliance, the auditor should evaluate the
implications for other aspects of the audit, including the risk assessment and the reliability
of representations by management in relation to compliance with laws and regulations.
The auditor should obtain an understanding of the circumstances under which the action
occurred and what actions management has taken to address the situation.

The auditor should review the correspondence between the regulator and the
company as to how long the mine will remain closed and what remedial actions need to be
undertaken to re-open the mine.


Depending on the information provided during discussions with management, the
auditor may need to consult with the company’s in-house legal counsel or external counsel
regarding the application of the laws and regulations.

The effects on the financial statements must be assessed and evidence obtained
as to the completeness and accuracy of the recording of the fines and penalties, and
consideration given to any disclosure of the litigation claims.

During the audit, the auditor must remain alert to the possibility of other
non-compliances. The auditor would request a written representation that all known
instances of non-compliance have been disclosed.

The fraud aspect is covered in HKSA 240 and requires the auditor when performing risk
assessment procedures and obtaining an understanding of the client and its environment,
including internal control, to consider the risk of material misstatement due to fraud. The
standard requires a presumption of fraud risk in relation to revenue and that the auditor
evaluates the types of revenue and revenue transactions and assertions to determine
whether that presumption is applicable.

As the preliminary analytical review indicates an unexpected result, the auditor will
need to address this matter with management by seeking an explanation and undertake
procedures to obtain evidence as to whether the revenue assertion for that mine is materially
misstated. For example, it may be that even though the mine is closed, there was a stockpile
of mine output that could be used to meet supply commitments for part of the period
subject to closure. The auditor would need to document the procedures undertaken and the
reason for the conclusion drawn as to the presumption of fraud.

QUESTION 3
(a) Audit planning facilitates the organisation and management of the audit so that it is
conducted efficiently and effectively. Planning judgements, decisions, and conclusions should
be documented to facilitate the control and review of the audit process through an
audit strategy and audit plan.

Planning directs the auditor to significant areas of the audit to which attention should
be given. It enables potential problems to be identified and resolved on a timely basis.

Understanding the issues to be addressed during the audit forms the basis for
determining the audit resources necessary to conduct the engagement. An engagement
team with the appropriate skills and experience can be identified and audit work
allocated to members of the team appropriate to their competencies and experience.
Planning identifies whether there is a need for experts in particular areas to be involved,
or whether other auditors will be involved where the client has operations in other locations.

Planning provides a framework for the direction and supervision of engagement
team members and the review of their work.

Planning ultimately results in developing an overall audit strategy for the expected
scope and conduct of the audit and from that the development of the audit plan that
contains the specific nature, timing, and extent of audit procedures to be undertaken
during the audit, including determination of materiality levels and management of
audit risk.


The planning process involves the following steps:

• Understanding the client and its environment and applicable financial reporting
framework to provide the auditor with information to be able to identify
and evaluate the entity’s business risks that have an effect on the financial
statements and the potential for the risk of material misstatement to the
financial statements.

• Understanding the client’s risk assessment process, internal control and
information systems to assist in identifying the types of potential misstatements
and risk factors, and determining the nature, timing, and extent of further audit
procedures. This includes information relevant to the strategy in terms of the
relative reliance on controls testing and substantive procedures.

• Identifying and assessing the risk of material misstatement whether due to
fraud or error.

• Developing a response to assessed risks through the development of the
audit plan.

(b) Planning involves discussions between the engagement partner and key members of
the engagement team to take advantage of their experience and insights. The outcome
of the planning process is conveyed to any team members not involved in the initial
planning meetings through the audit strategy and plan and communication with the
members involved in the process. The auditor may discuss elements of planning with
management to facilitate the co-ordination of the work of the client and audit staff.

QUESTION 4
(a) The audit strategy defines the scope, timing, and direction of the audit and is the
foundation for the detailed audit plan.

A strategy memorandum would normally cover such matters as:

• Confirmation that the pre-conditions for the audit have been met, including
independence requirements.

• The scope of the audit in terms of the financial reporting requirements
and the financial statement reporting obligations to be met by the client.
This establishes the subject matter and reporting criteria that the auditor is
concerned with and the boundaries of the audit engagement.

• The outcome of meetings with the client’s management and the information
obtained about the client and its environment, including the results of the
preliminary analytical procedures.

• The key judgements made in relation to the significant risks identified that could
result in material misstatements in the financial statements arising from either
fraud or error and how those risks are to be addressed during the audit. The
basis for the initial materiality judgement and management of audit risk.

• The nature of the evidence to be obtained in key areas of the audit.

• The audit methodology to be applied and the decisions made as to the
combination of tests of control and substantive procedures.


• The planned use of experts and other auditors where the client has operations
in other locations or a parent/subsidiary structure.

• The relationship with internal audit and the extent of any reliance on the work
of internal audit and the testing of that work.

• The nature and extent of IT resources required in the testing of internal control
and substantive procedures.

• The structure and composition of the engagement team in terms of the
quantity, competencies, and experience and how the work is to be assigned
commensurate with those attributes.

• The timetable for the various phases of the audit being interim testing of
controls, substantive testing, completion, and review.

• The audit budget and fee arrangements and the nature of any other services to
be provided to the client.

(b) The following concepts should be included in the memorandum.

As the demolition and construction is a potentially large and non-routine event,
there is a high risk of material misstatement. The accounting policy applied to the
treatment of the demolition and construction costs will need to be discussed with
management and assessed as to compliance with the Hong Kong financial reporting
standards. The control system to manage recording of the project and associated costs
will need to be documented and assessed to ensure that all costs are appropriately
recorded and reported in accordance with the accounting policy. The audit programme
should include tests of compliance with the controls implemented. In the absence of
appropriate internal controls over the project, substantive testing will need to be more
substantial at the year end to ensure that the asset recorded for the work undertaken
is appropriate. The audit plan should include substantive testing for any outstanding
liabilities under the contract at the balance sheet date.

The audit plan should include procedures designed to obtain assurance that the
transfer of data from the old system to the new system has been effective and reliable.
The review and testing of internal control on the new system should be as extensive as
would be applied to an initial review of a client’s system. As this system is an advanced
system, our firm’s IT specialist division will need to be involved in the review and testing
phases of the audit and should be contacted to arrange for the appropriate level of
resources and timetable for their involvement. Any issues arising from this review and
assessment should be communicated to management immediately for remedial action.



6 Audit Procedures and Audit Evidence

CHAPTER TOPIC LIST

6.1 Evidence and Assertions
    6.1.1 Risk
    6.1.2 Evidence
    6.1.3 Assertions
6.2 Tests of Controls
    6.2.1 Internal Control Components
    6.2.2 Control Activities
    6.2.3 Control Tests
    6.2.4 Cycle Approach
6.3 Sampling
    6.3.1 Sampling Risk
    6.3.2 Sample Evaluation
    6.3.3 ‘Big Data’
6.4 Substantive Procedures
    6.4.1 Analytical Procedures
    6.4.2 Tests of Details
    6.4.3 Confirmations
6.5 Other Audit Evidence
    6.5.1 Accounting Estimates
    6.5.2 Fair Values
    6.5.3 Initial Engagements and Opening Balances
    6.5.4 Comparative Information
    6.5.5 Related Party Transactions
6.6 Documentation
    6.6.1 The Work Papers
    6.6.2 Preparation of Working Papers
    6.6.3 Completion of Audit Documentation


LEARNING OUTCOMES

PRINCIPAL LO1: PERFORM ASSURANCE ENGAGEMENTS


LO1.05: Prepare, plan, and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Management,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on:
Documentation
1.05.01 Explain the need for, and importance of, audit documentation
1.05.02 Explain the procedures required to pull together audit files
1.05.03 Prepare the contents of audit work papers on the audit permanent and audit
engagement files
LO1.09: Prepare, plan, and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Management,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on:
Audit procedures
1.09.01 Define audit sampling
1.09.02 Explain the need for sampling
1.09.03 Apply the basic principles of sampling and explain how the assessed risk and materiality
affect sampling
1.09.04 Analyse and explain the results of sampling
1.09.05 Explain the importance of internal control to an auditor and the execution of tests of control
1.09.06 Apply knowledge to demonstrate how an auditor identifies weaknesses in internal control
systems and how those weaknesses limit the extent of an auditor’s reliance on those systems
1.09.07 Determine the types of substantive procedures used (including big data analytics) and the
issues in evaluating the results obtained
1.09.08 Explain what is meant by analytical review and apply knowledge to demonstrate how
analytical review procedures are used in an audit
1.09.10 Design, in response to the assessed risk, the appropriate procedures and relevant disclosure
requirements for the audit of:
• Accounting estimates
• Fair values
• Opening balances
• Comparatives
• Related party transactions.
LO1.10: Prepare, plan, and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Management,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on: The
confirmation procedures, follow up, or alternative procedures for non-reply confirmation
1.10.01 Apply the confirmation procedures to prepare the external confirmation requests
1.10.02 Apply the follow up procedures on those replied confirmation with disagreements and apply
the alternative procedures for any exceptions or non-reply confirmation


LO1.11: Prepare, plan, and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Management,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on:
Audit evidence
1.11.01 Explain the procedures by which audit evidence may be obtained
1.11.02 Describe the appropriateness and sufficiency (relevance and reliability) of different sources of
audit evidence
1.11.03 Identify the information produced by the client which is used as audit evidence and describe
our work done
1.11.04 Plan an approach to gathering sufficient, appropriate audit evidence
1.11.05 Explain the assertions contained in the financial statements and their use in
obtaining evidence
1.11.06 Explain the need to modify the audit strategy and audit plan following the results of tests
of control
1.11.09 Evaluate whether sufficient audit evidence has been obtained during the audit


OPENING CASE

G&E MUSIC (GEM)

The GEM case will be used throughout this chapter and Chapter 7 (The Audit Programme) to
illustrate analytical review procedures, and procedures relating to major acquisitions.

GEM is an established electronics retailer. It has two distribution channels: an online store
and 300 retail stores. GEM holds significant market-share in many of its product categories
which include:

• Consumer electronics including televisions, audio equipment, computers, and
telecommunications products;

• Homewares including furniture, kitchen products, small appliances, and heaters and
coolers; and

• Software (CDs, DVDs, and games).


OVERVIEW

The overall objective of an audit of financial statements is to obtain reasonable assurance
about whether the financial statements as a whole are free from material misstatement,
so the auditor can express an opinion on those statements. Financial statements may be
misstated because accounts are under- or over-stated, or because disclosure is inadequate.
Misstatements arise from both error and fraud. Financial statement fraud is typically
distinguished from other forms of fraud associated with theft, though both are motivated by
self-interest, and fraud and theft frequently occur together.

The modern approach to auditing is ‘risk-based’. As was explained in Chapter 5, the auditor
plans the audit by first understanding the entity and its environment, the applicable financial
reporting framework, and system of internal control. This process includes designing and
performing risk assessment procedures to identify inherent risks and control risks which might
contribute to the misstatement of the client’s financial report, and second, by designing an
audit programme to assess these risks.

Section 6.1 of this chapter briefly reviews risk analysis, then introduces the framework
of assertions that comprise the financial statements and the evidence-gathering procedures
used by the auditor to test these assertions. Sections 6.2–6.4 discuss and provide illustrative
examples of the main techniques used by auditors to gather evidence: tests of internal controls,
sampling, and substantive testing.

• The client’s internal control system is tested to confirm the auditor’s assessment of
control risk, and the audit strategy.

• Sampling is used to increase audit efficiency.

• Substantive procedures are audit procedures for detecting material misstatements at
the assertion level. Two main types of substantive procedures are used by auditors:

    ◦ Substantive analytical procedures; and

    ◦ Tests of details.

Section 6.5 of the chapter discusses audit issues where the auditor is required to make
subjective and complex professional judgements. Examples include the audit of fair value
estimates and of related party transactions. Section 6.6 of the chapter discusses the auditor’s
responsibilities regarding documentation of the planning of the audit, the evidence gathered,
and the auditor’s conclusions regarding the financial statements.


6.1 EVIDENCE AND ASSERTIONS

6.1.1 Risk
As discussed in Chapter 5, audit risk is the risk that the auditor expresses an inappropriate
audit opinion when the financial statements are materially misstated.

Illustrative Example 1
Assume an audit firm’s policy regarding audit risk is that a 10% audit risk is acceptable
(zero risk, while desirable, is impossible – some ‘acceptable’ level of risk is unavoidable).
Some audit firms set lower levels of audit risk, say 5%, but lower risk entails more
evidence gathering, and more expensive audits. This is a low risk but low profit business
model. In contrast, other audit firms accept a high level of audit risk, say 20%. This
enables a less extensive and less costly audit. This latter business model is profitable
but risky.

Audit risk is a function of inherent risk, control risk, and detection risk as illustrated in the
audit risk model:

AR = IR × CR × DR

• Inherent risk – The susceptibility of an assertion about a class of transaction, account
balance, or disclosure to a material misstatement either individually, or when
aggregated with other misstatements, before considering any internal controls.

• Control risk – The risk that a misstatement that could occur in an assertion and that
could be material will not be prevented, or detected and corrected on a timely basis by
the entity’s control system.

• Detection risk – The risk that the auditor’s procedures will fail to identify a material
misstatement.

HKSA 315 (Revised 2019) indicates that inherent risk arises from the characteristics of the
entity and its environment such as its organisational structure and governance, the entity’s
business model, the accounting policies, and changes thereto, regulatory and industry factors,
and financial reporting measures to assess performance. These factors result in financial
report calculations that are complex, require subjective judgements, or have a degree of
uncertainty because of the nature of the data available on which to base calculations. This
could, for example, create opportunities for error and theft, and management’s bias towards
overstatement of assets, revenues, and profits, and understatement of liabilities and expenses.
Control risk is determined by the quality of the entity’s control system. Detection risk is
controlled by the auditor through the audit plan.

The audit strategy and the audit plan are risk-based. They reflect assessments of inherent
and control risks. Where the auditor’s risk assessment procedures to understand the entity and
its environment and financial reporting requirements indicate inherent risk factors indicative of
susceptibility of assertions to misstatement, the auditor develops the audit strategy and plan
appropriate to obtaining sufficient appropriate audit evidence on which to base an opinion
on the financial statements. The audit strategy depends on the extent to which the system of
internal control addresses the inherent risk which is reflected in an assessment of control risk.
Where control risk is low, a control-based audit strategy will be adopted, and the audit plan will
include extensive testing of key controls. Where control risk is high, an audit strategy based
mainly on substantive procedures will be adopted.

Where the risk of a material misstatement is high, the audit plan will require the auditor
to collect more audit evidence, and better-quality evidence, about the assertions at risk.
Performing more extensive and higher-quality audit procedures lowers detection risk.

In terms of the audit risk model presented above, this is equivalent to saying:

Where inherent and/or control risk are high, detection risk must be low to achieve
the desired level of audit risk.

Illustrative Example 2
Applying the model at the broad level, an audit firm’s policy with regard to audit risk is
10% indicating that the risk of an incorrect opinion is one in ten. A risk analysis of GEM,
their audit client, reveals medium inherent risk (50%) and medium control risk (50%).
Using the equation above to calculate detection risk, we see DR must be 40%. This means
the auditor must plan the audit to reduce detection risk to 40% – a 40% risk that the
auditor’s procedures will fail to detect a material misstatement.

AR = IR × CR × DR
10% = 50% × 50% × DR

Solving for DR: DR = 0.1 / (0.5 × 0.5) = 0.4, or 40%.

Why 40%? Some audit risk is removed because inherent risk is less than 100%, and
some because control risk is less than 100%. The remaining audit risk is reduced to the
10% target by the auditor’s procedures.

As an alternative example, if inherent risk were 100% because the auditor expected a
material error in the accounts, and control risk were 100% because the control system was
ineffective or non-existent, then detection risk would have to be reduced to 10%.


6.1.2 Evidence
To form an opinion, the auditor must obtain sufficient and appropriate audit evidence by
performing audit procedures that address identified risks. Sufficiency refers to the amount,
quantity, or extent of evidence. Obviously, more evidence is better than less.

The appropriateness or quality of evidence is determined by its relevance and reliability.
HKSA 500 identifies relevance and reliability as the main contributors to the quality of audit
evidence. [HKSA 500.A5]

Relevance – Relevant evidence is that which provides information about the specific
assertion at risk as identified by the auditor. For example, inspection of a building provides
relevant evidence about its existence, but provides no evidence as to its valuation. The key to
understanding relevance is the type, or the nature, of the evidence. [HKSA 500.A27–A30]

| Procedure | Assertion |
|---|---|
| Inspection of physical objects, e.g. buildings, machinery, and inventory | Existence |
| Inspection of documents and records including contracts, invoices, journals, etc. | Various |
| Observation of people and activities, e.g. the carrying out of a control activity or the counting of inventory | Various |
| Inquiry (verbal) or confirmation (documentary) of various internal and external parties about a variety of information | Various |
| Re-performance, e.g. of control procedures | Various |
| Re-calculation, e.g. of a bank reconciliation | Valuation; accuracy |
| Analysis and analytical procedures, e.g. analysis of the trade receivables ageing or review of comparative information from prior years | Various |
| Vouching (back to source documents from the accounting records), e.g. vouch sales journal entries back to invoices and then vouch an invoice back to shipping records and approved price lists | Existence; occurrence; valuation; accuracy |
| Tracing (from source documents forward to the accounting records), e.g. trace shipping records forward to the invoice and the sales journal | Completeness; valuation; accuracy |

EXHIBIT 6.1 Types of evidence

The auditor gathers a range of types of evidence. Many of these are noted in Exhibit 6.1.
[HKSA 500.A14–A25]

Reliability – Reliable evidence is trustworthy, and so is related to its source. For example,
bank statements are provided by a well-informed third party and are considered reliable.
Information provided to the auditor by management is more likely to be biased, and so is less
reliable.

Key sources of evidence include:

• The accounting records of the entity – journals, ledgers, and supporting calculations;
these are termed ‘primary evidence’;


• Other records of the entity – invoices, purchase orders, contracts, etc.; these are termed
secondary sources of evidence.

• Entity employees – who respond to the auditor’s written and oral enquiries.

• Third parties – knowledgeable parties who respond to the auditor’s written and oral
enquiries, and provide documentary evidence such as bank statements and invoices.

• The auditor.

In general:

• Regarding source, evidence obtained by the auditor is more reliable than third party
supplied evidence, which is in turn more reliable than that obtained from management
of the entity; and

• Regarding type, physical evidence is more reliable than documentary evidence, which
is in turn more reliable than oral evidence. Photocopies and digitised records are less
reliable than original documents.

• Both source and type are significantly affected by controls over the preparation and the
storage of the information.

• To achieve reasonable assurance, the auditor should always seek corroborating
evidence, that is seek multiple sources and types of evidence regarding an assertion.

• The greater the detection risk associated with an assertion, the higher the quality of
evidence required. [HKSA 500.A31]

To understand reliability better, see Exhibit 6.2.

[Exhibit 6.2 is a diagram with two axes: type of evidence (oral, documentary, physical) and
source of evidence (management, third parties, auditor). Reliability increases along both.]

EXHIBIT 6.2 Reliability of evidence

Following these guidelines about source and type of evidence, it should be clear that:

• A test count of inventory performed by the auditor is the most reliable type of audit
evidence – it is physical evidence gathered by the most trusted source (the auditor).

• At the other extreme, oral evidence provided by management of the entity, while
certainly important and useful, is the least reliable type of evidence.

• Documentary evidence provided by management (e.g. the inventory sub-ledger) is of
intermediate quality.


Timing – Timing refers to the date of performance of audit procedures. For items
appearing in the statement of financial position, evidence gathering procedures performed
close to the financial year-end date are most relevant and reliable. For items appearing in the
income statement and for tests of controls, evidence gathering procedures are most relevant
when performed throughout the period.

Evaluation – When evaluating audit evidence consideration should be given to the
following:

• The work has been performed in accordance with the relevant professional standards
and the legal and regulatory requirements of Hong Kong;

• The auditor’s understanding of the entity and its internal control system;

• Experience gained in prior audits;

• Inherent and control risks identified during the audit planning process have been
appropriately addressed throughout the audit;

• Having designed and performed audit procedures to verify assertions in the financial
statements, the nature, timing, and extent of the procedures performed provided
relevant and reliable audit evidence capable of supporting the auditor’s opinion;

• Any significant matters identified (e.g. fraud or error) have been addressed
appropriately and the matter and outcomes have been documented;

• The work performed supports the conclusions reached and has been appropriately
documented;

• Where a reviewer decided that further audit work was required, that the nature
and extent of the further work was documented and subjected to a follow up
review; and

• Appropriate consultations have taken place within the audit team and with
management. Appropriate decisions were implemented and are supported by
documentation. [HKSA 330.A62]

See Chapter 9, Section 9.1.1 for further discussion of the adequacy of audit evidence.

6.1.3 Assertions
While the auditor aims to express an opinion on the financial statements as a whole, most
audit procedures are applied at the assertion level. Audit procedures applied at the financial
statement level like the management representation letter and the legal counsel’s letter are
discussed in Chapter 9. These overall procedures are mainly carried out at the concluding stage
of the audit.


Exhibit 6.3 lists the assertions about classes of transactions, account balances, and related
disclosures used by the auditors to consider the different types of potential misstatements that
may occur.

| Assertions about account balances, and related disclosures (assertions about account balances) | Assertions about classes of transactions and events, and related disclosures (assertions about transactions) |
|---|---|
| Existence: assets, liabilities, and equity interests exist | Occurrence: transactions and events that have been recorded or disclosed, have occurred, and such transactions and events pertain to the entity |
| Accuracy, valuation, and allocation: assets, liabilities and equity interests have been included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments have been appropriately recorded, and related disclosures have been appropriately described | Accuracy: amounts and other data relating to recorded transactions and events have been recorded appropriately, and related disclosures have been appropriately measured and described |
| Completeness: all assets, liabilities, and equity interests that should have been recorded have been recorded, and all related disclosures that should have been included in the financial statements have been included | Completeness: all transactions and events that should have been recorded have been recorded, and all related disclosures that should have been included in the financial statements have been included |
| Rights and obligations: the entity holds or controls the rights to assets, and liabilities are the obligations of the entity | Cut-off: transactions and events have been recorded in the correct accounting period |
| Presentation: assets, liabilities, and equity interests are appropriately aggregated or disaggregated and clearly described, and related disclosures are relevant and understandable in the context of the requirements of the applicable financial reporting framework | Presentation: transactions and events are appropriately aggregated or disaggregated and clearly described, and related disclosures are relevant and understandable in the context of the requirements of the applicable financial reporting framework |
Classification: assets, liabilities, and equity Classification: transactions and events have been
interests have been recorded in the proper recorded in the proper accounts
accounts

EXHIBIT 6.3 Assertions

The following illustrative example identifies those assertions that are relevant to the audit
of the inventory account.


Illustrative Example 3
GEM’s inventory is high risk because consumer products are frequently stolen, both by
customers and by employees. Stolen consumer products can be easily sold online. When
auditing the inventory account in the statement of financial position at GEM, the auditor’s
procedures will be designed to provide evidence that:

• Existence: inventory exists (it is not fraudulent, and the number of items is not
overstated);

• Accuracy, valuation, and allocation: inventory is properly valued (it is not obsolete,
and it is valued using the lower of cost or market rule);

• Completeness: inventory is complete (all inventory items have been brought to
account – none is missing, and the account is not understated);

• Rights and obligations: inventory is owned by the entity (rights);

• Presentation: presentation and disclosure are consistent with the applicable
accounting framework (e.g. Hong Kong Accounting Standard 2 – Inventories);

• Classification: inventory is properly classified as raw materials, work in process, and
finished goods.

It should be noted that the two types of assertions in Exhibit 6.3 – assertions about
balances and assertions about transactions – are identical, or are very similar.

• Completeness, classification, and presentation appear in both columns of Exhibit 6.3;
and

• While existence in the first column (assertions about account balances) is different from
occurrence in the second column (assertions about transactions), they are similar in
concept. Illustrative Example 4 shows the similarity between the existence of inventory
assertion and the occurrence of purchases assertion.

Illustrative Example 4
An auditor would need to test assertions regarding both the existence of inventory and
the occurrence of purchase transactions. These assertions are clearly linked because
a purchase increases inventory (Dr Inventory, Cr Accounts payable). Evidence of the
occurrence of a purchase is obtained from warehouse receiving reports. The existence of
inventory is verified by an inventory count. The auditor’s conclusion regarding the tests,
assuming the tests are successful, would be:

• Inventory exists at the period end date; and

• Purchase transactions occurred during the period.

Note that the existence and occurrence assertions provide information only about
quantities, not value.


Knowledge Check Questions

Question 1
You find your client’s inventory turnover has decreased significantly during the year.
Identify which of the following assertions you would be least concerned with.
A Existence of inventory.
B Presentation of inventory.
C Accuracy, valuation, and allocation of cost of goods sold and inventory.
D Completeness of inventory.

Question 2
In auditing trade payables, identify the assertion below for which an auditor would
consider a potential misstatement most likely to occur.
A Existence of accounts payable.
B Rights and obligations regarding accounts payable.
C Completeness of accounts payable.
D Occurrence of accounts payable.

Question 3
Identify which of the following is the least important objective of the auditor in undertaking
substantive audit procedures for current assets.
A Determine the completeness of the current assets.
B Establish the existence of the current assets.
C Determine the adequacy of internal controls.
D Determine that the entity holds or controls the right to the current asset.

Question 4
Identify which of the following assertions an auditor would most likely address by making
enquiries of production and sales personnel concerning possible obsolete or slow-moving
inventory.
A Accuracy, valuation, and allocation of inventory.
B Rights and obligations regarding inventory.
C Existence of inventory.
D Completeness of inventory.

Question 5
Identify which of the following assertions regarding the cash account is being tested
when the auditor traces from a sample of remittance advices to determine whether all
remittances are recorded in the cash receipts journal.
A Completeness of cash.
B Occurrence of cash.
C Rights and obligations of cash.
D Accuracy, valuation, and allocation of cash.

Question 6
Identify which of the following assertions for ending inventory is at risk of material
misstatement if gross profit is higher than last year.
A Existence of ending inventory.
B Completeness of ending inventory.
C Presentation of ending inventory.
D Accuracy of ending inventory.

Question 7
Consider the following three types of evidence collected by an auditor as part of their
examination of trade receivables.
A A schedule prepared by the client showing the ageing of trade receivables.
B Positive confirmations of year-end balances returned by 10% of customers.
C A schedule prepared by the auditor comparing the current allowance for doubtful debts
with the prior year’s audited balance.

For each of the three types of evidence, consider its reliability and relevance in terms of
source, type, timing, and extent.

6.2 TESTS OF CONTROLS

Internal control is a huge topic. Whole textbooks are devoted to the subject. Auditors’ internal
control questionnaires for an audit engagement may be as much as 100 pages long! This
section cannot provide a comprehensive description of an internal control system, nor can it
provide a comprehensive list of internal controls and appropriate tests for those controls.

What this section does provide is:

• An introduction to internal control, control system components, and common control
activities;

• A description of some of the key controls which might be included in an organisation’s
sales transaction cycle; and

• Examples of tests that might be applied to those controls by an auditor.

The aim of this section is to familiarise students with the different types of controls
which might exist in the sales transaction cycle, and provide examples of tests of these
controls, so that students can apply this knowledge of controls and tests to other transaction
cycles and accounts. Chapter 7 includes control tests relevant to other accounts.


6.2.1 Internal Control Components


During the planning stage of the audit, the auditor makes a preliminary investigation of the
entity’s internal control system and documents the understanding of the five components
of the system in the audit working papers. Understanding the entity’s system of internal
control is required under HKSA 315 (Revised 2019) as part of the process of performing
risk assessment procedures to identify and assess the risk of material misstatement at the
financial statement and assertion levels. For identified risks of material misstatement at the
assertion level HKSA 315 (Revised 2019) requires a separate assessment of inherent risk and
control risk.

The five components were introduced in Chapter 5, Section 5.2 when the topic of
control risk was discussed. The five components identified in HKSA 315 (Revised 2019),
paragraph 12(m), are:

1. The control environment, for example how management creates and maintains the
entity’s culture, demonstrates its commitment to integrity and ethical values, and
assigns authority and responsibility;

2. The entity’s risk assessment process, for example how the entity’s risk assessment
process identifies and manages new information systems, new products, rapid growth,
and new accounting requirements;

3. The entity’s process to monitor the system of internal control, for example the activities
of an internal audit function;

4. The information system and communication, for example activities and policies and
records to initiate and record transactions and maintain accountability for related
assets and liabilities, and resolve incorrect processing; and

5. Control activities, for example controls over authorisation and approval of transactions,
reconciliations, and verifications.

These components have been addressed in detail in Chapter 5, Sections 5.3 and 5.5.

The auditor’s preliminary investigation of the control system enables the auditor to make a
preliminary conclusion about control risk – whether it is high, medium, or low.

CR = High. High control risk means that there is a high risk that the control system will fail
to prevent, or fail to detect and correct on a timely basis, an error. Where control risk is high,
an audit strategy based on substantive procedures will be adopted and no control tests are
required. In the case of small organisations, control systems are often inadequate, and the
auditor can assess control risk as ‘high’ with little investigation and an audit strategy based on
substantive procedures will be adopted.

CR = Low. Where control risk is low, the auditor believes that the control system will, to an
extent, prevent, or detect and correct on a timely basis, an error. The audit plan will include
testing of key controls along with substantive procedures. This audit strategy is often called a
‘lower assessed level of control risk approach’, or more simply a combined approach. This latter
term will be used in what follows.


The auditor is required to test any new or changed controls in the current audit period.
Where controls have been tested in prior years’ audits, and no changes to the control system
have taken place in the current year, the auditor is required to test all controls every third year,
with some of the controls being tested in each audit period (HKSA 330.14(b)). If the auditor
plans to rely on controls over a risk the auditor has determined to be a significant risk, the
auditor shall test those controls in the current period.

Most large organisations invest heavily in their control systems, and the auditor is likely to
make a preliminary assessment of control risk as ‘low’. An audit strategy based on both testing
controls and on substantive testing will be adopted.

CR = Medium. In between the extremes of small and large organisations are many
organisations whose control systems are good in some ways, and poor in others, and the
auditor will classify control risk as medium. The auditor is likely to adopt a mixed audit
strategy here. Poorly controlled accounts will be subject solely to substantive testing, and
well-controlled accounts will be subject to a combined approach. Those accounts most likely
to be well controlled are those with a high volume of similar transactions (e.g. Cash, Trade
Receivables, Inventory, Trade Payables, and Payroll). In contrast, accounts with few and
dissimilar transactions (e.g. Property, plant, and equipment) are less likely to be well controlled
and are most efficiently audited with substantive procedures.

Section 2 discusses those aspects of the audit plan unique to a combined approach – the
control tests. The flow of the auditor’s activities should first be to understand the design of
the business process and the relevant controls. Then, the auditor determines whether the
design of the controls is effective by performing a walkthrough test of significant types of
transactions. This walkthrough follows key transactions – like a sale – and associated controls,
from initiation to conclusion. If the controls appear effective in reducing control risk, the
auditor will then perform tests to see whether the controls have been performed effectively
throughout the year.

For efficiency, the auditor will most often carry out control tests of an account or a
transaction cycle at the same time as the planned substantive tests. These are called
‘dual-purpose’ tests. For example, an auditor may examine an invoice for evidence of approval
(a control) and trace the invoice total to the trade receivables sub-ledger (a substantive test)
(HKSA 330.A23). However, for simplicity, this section will address control tests exclusively.

To validate the preliminary control risk assessment and the anticipated audit strategy,
the auditor must ensure that all five components of the control system are appropriately
designed and are operating effectively. Section 6.2.2 focuses on the ‘control activities’
component because this component includes controls that are designed to ensure the proper
application of policies in all other components and have a direct effect on individual assertions
(e.g. existence of inventory). Control activities are fundamental to the design of the auditor’s
procedures.

HKSA 315 (Revised 2019), paragraph 26, requires that the auditor gains an understanding
of the control activities component of the system of internal control through performing risk
assessment procedures and that the auditor then evaluates whether the controls are effectively
designed to address the risk of material misstatement at the assertion level or to support other
controls and determine whether they have been implemented.


6.2.2 Control Activities


As indicated in Chapter 5, the components of the system of internal control are inter-related.
The control activities component includes controls designed to ensure the proper application of
policies in other components and controls that address the risk of material misstatement at the
assertion level.

The information system and communication components are more directly focused
on activities and policies covering the financial reporting process. The information system
component deals with information processing within the entity.

As noted in HKSA 315 (Revised 2019), the audit focus in the control activities component is
therefore on the identification and evaluation of information processing controls directed at
the integrity of information in terms of the completeness, accuracy, and validity of transactions.
In combination these components focus on information processing relevant to preparing the
entity’s financial statements.

Specifically, the auditor’s focus under the control activities component is identified in HKSA
315 (Revised 2019), paragraph 26, as evaluating the design effectiveness and implementation of
controls at the assertion level that:

• Address significant risks.

• Cover journal entries, including non-standard entries and unusual transactions or
adjustments as the primary source of transaction processing into the accounting
records in all audits.

• Represent controls whose operating effectiveness the auditor plans to test in determining
the nature, timing, and extent of substantive procedures.

• Deal with the identification and assessment of the risk of material misstatement.

• Relate to assertions covered by IT applications and the risk of the use of IT and the
general IT controls that deal with those risks.

The auditor first evaluates the design of a control by considering whether the control,
individually or in combination with other controls, is capable of preventing, detecting, and
correcting material misstatements. Evaluating implementation involves establishing whether
the control exists and the entity is applying the control. The risk assessment procedures to
obtain evidence on these matters include performing procedures additional to enquiring of
entity personnel, for example inspection of documents and reports, and observation of the
application of controls.

The following are the types of control activities identified in HKSA 315 (Revised 2019),
Appendix 3, para 20:

• Authorisation and approvals. An authorisation affirms that a transaction is valid (i.e. it
represents an actual economic event or is within an entity’s policy). An authorisation
typically takes the form of an approval by a higher level of management or of
verification and a determination if the transaction is valid. For example, a supervisor
approves an expense report after reviewing whether the expenses seem reasonable
and within policy. An example of an automated approval is when an invoice unit
cost is automatically compared with the related purchase order unit cost within a
pre-established tolerance level. Invoices within the tolerance level are automatically
approved for payment. Those invoices outside the tolerance level are flagged for
additional investigation.

• Reconciliations. Reconciliations compare two or more data elements. If differences are
identified, action is taken to bring the data into agreement. Reconciliations generally
address the completeness or accuracy of processing transactions.

• Verifications. Verifications compare two or more items with each other or compare
an item with a policy, and will likely involve a follow-up action when the two items do
not match or the item is not consistent with policy. Verifications generally address the
completeness, accuracy, or validity of processing transactions.

• Physical or logical controls, including those that address the security of assets against
unauthorised access, acquisition, use or disposal. Controls that encompass:

  ◦ The physical security of assets and records.

  ◦ The authorisation for access to computer programs and data files (i.e.
    logical access).

  ◦ The periodic counting and comparison with amounts shown on control records
    (for example comparing the results of cash, security and inventory counts with
    accounting records).

• Segregation of duties. Assigning different people the responsibilities of:

  ◦ Authorising transactions;

  ◦ Recording transactions; and

  ◦ Maintaining custody of assets.

Segregation of duties is intended to reduce the opportunities to allow any person to
be in a position to both perpetrate and conceal errors or fraud in the normal course of the
person’s duties. For example, a manager authorising credit sales should not be responsible
for maintaining accounts receivable records or handling cash receipts. If one person is able to
perform all these activities the person could, for example, create a fictitious sale that could go
undetected.

Apply and Analyse 1


Jones Pty. Ltd (JPL) is a food wholesaler that imports goods from an overseas
manufacturer. The accounts payable clerk handles all purchases of inventory, buying
in bulk to achieve maximum discounts. She updates the stock records and the
accounts payable sub-ledger when goods are delivered and approves the payment of
supplier’s invoices.

1. Identify the main control system weakness evident in this situation. Explain
your choice.

2. Identify four assertions at significant risk and explain your choice.

Analysis:

1. The control issue is segregation of authorisation, recording, and access to assets.
The AP clerk can initiate transactions, post the AP and inventory sub-ledgers, and
make payments. This would enable her to order goods from a fictitious entity,
record the receipt of those fictitious goods, and record and make payments to that
entity (herself).

2. A number of assertions are at significant risk (existence and valuation of inventory;
existence and obligations of accounts payable; accuracy of cost of goods sold):

   1. Existence of inventory and payables. The clerk could create a fraudulent
   purchase and pay themselves or a related party rather than the named
   supplier. Fraudulent invoices and receiving reports would provide evidence for
   a fraudulent obligation.

   2. Valuation of inventory and payables. The clerk could initiate a legitimate
   purchase transaction and alter the supplier’s invoice to indicate excessive
   prices. The excess amount could be paid to the clerk or a related party.

   3. Accuracy of COGS. The COGS amount would be incorrect if the inventory
   account was overstated by the value of any fraudulent purchases.
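
The weakness in Apply and Analyse 1 can be tested both as a matter of design (what each user is permitted to do) and of operation (what each user actually did on a given purchase). The following Python example is added here and is not from the original text; the event names, their mapping to the three duties, the user IDs, and the log are constructed assumptions.

```python
from collections import defaultdict

# Assumed mapping of system events to the three incompatible duties named in
# Section 6.2.2: authorising, recording, and custody of assets.
EVENT_DUTY = {
    "raise_po": "authorise",
    "approve_invoice": "authorise",
    "post_inventory": "record",
    "post_ap": "record",
    "release_payment": "custody",
}

# Constructed access matrix: events each user ID is permitted to perform.
ENTITLEMENTS = {
    "buyer": {"raise_po"},
    "warehouse": {"post_inventory"},
    "fin_mgr": {"approve_invoice"},
    "treasurer": {"release_payment"},
    "ap_clerk": {"raise_po", "post_inventory", "post_ap",
                 "approve_invoice", "release_payment"},
}

# Constructed activity log: (purchase order, event, user).
LOG = [
    ("PO-2001", "raise_po", "buyer"),
    ("PO-2001", "post_inventory", "warehouse"),
    ("PO-2001", "post_ap", "ap_clerk"),
    ("PO-2001", "approve_invoice", "fin_mgr"),
    ("PO-2001", "release_payment", "treasurer"),
    ("PO-2002", "raise_po", "ap_clerk"),
    ("PO-2002", "post_inventory", "ap_clerk"),
    ("PO-2002", "post_ap", "ap_clerk"),
    ("PO-2002", "approve_invoice", "ap_clerk"),
    ("PO-2002", "release_payment", "ap_clerk"),
    ("PO-2003", "raise_po", "buyer"),
    ("PO-2003", "post_ap", "ap_clerk"),
    ("PO-2003", "release_payment", "ap_clerk"),
]


def duties_for(events):
    """Translate a set of events into the sorted list of duties they cover."""
    unknown = set(events) - set(EVENT_DUTY)
    if unknown:
        # An unmapped event must be classified before the test can conclude.
        raise ValueError(f"unmapped events: {sorted(unknown)}")
    return sorted({EVENT_DUTY[e] for e in events})


def design_conflicts(entitlements):
    """Design test: users whose access rights span more than one duty."""
    conflicts = {}
    for user, events in entitlements.items():
        duties = duties_for(events)
        if len(duties) > 1:
            conflicts[user] = duties
    return conflicts


def operating_conflicts(log):
    """Operating test: users who performed more than one duty on the same PO."""
    performed = defaultdict(set)
    for po, event, user in log:
        performed[(po, user)].add(event)
    hits = []
    for (po, user), events in sorted(performed.items()):
        duties = duties_for(events)
        if len(duties) > 1:
            hits.append((po, user, duties))
    return hits


if __name__ == "__main__":
    print("Design conflicts:", design_conflicts(ENTITLEMENTS))
    for hit in operating_conflicts(LOG):
        print("Operating conflict:", hit)
```

PO-2001 is clean in operation even though the clerk's access rights are excessive by design, which is why the two tests are reported separately.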

6.2.3 Control Tests


Risk assessment involves obtaining evidence from a number of different sources and
procedures. As part of the risk assessment process to gain an understanding of the entity
and its environment and system of internal control, a preliminary examination of the control
system is undertaken as input into the development of the audit strategy and audit plan.
The auditor identifies and documents the key controls that they intend to rely on to reduce
control risk. In order to rely on these controls, the effectiveness of each must be tested. Before
performing these control tests the auditor should perform a walkthrough to confirm their
understanding of the entity’s system and key internal controls. A ‘walkthrough’ is the act of
going slowly through the steps of a process in order to learn it.

The testing of controls will vary with the type of transaction, the recording process, and the
design of the control. Differing approaches to testing controls will be taken depending on:

• Whether controls are automated or manual;


• Whether controls pertain to common transactions like sales or purchases, or less
common transactions like adjusting entries and accounting estimates (e.g. depreciation
expense, goodwill, or fair values); and

• The degree of reliance the auditor intends to place on the controls.

The auditor should make inquiries and obtain other evidence about key controls to
determine how the controls are applied, the consistency of application throughout the period,
and the personnel and systems involved. Testing should be performed at a particular time, or
throughout the period depending on the level of reliance anticipated in the audit plan. Where
evidence is obtained at an interim period, further evidence should be obtained regarding any
changes to the controls and the effectiveness of their application in the subsequent period. If
controls have not changed since evidence was last obtained about their effectiveness, the time
period before further testing is carried out should take into account:

• The effectiveness of other elements of the entity’s control system including the control
environment, monitoring systems, and risk assessments;

• The effectiveness of general IT controls;

• The nature and extent of control deviations noted in previous audits;

• Personnel changes that might have affected the application of the control;

• Whether controls continue to be relevant in light of changing circumstances; and

• The risk of material misstatement and the extent of reliance on the control
(HKSA 330.10–13).

6.2.3.1 Automated Controls


Most accounting systems are computerised to some extent. In accordance with HKSA 315
(Revised 2019), paragraphs 26(a), (b), and (c), the auditor identifies the risks arising from the use
of IT applications and the general IT controls to manage those risks. Understanding the risks
arising from the use of IT is an important input into the auditor’s decision about whether to
test the operating effectiveness of controls to address the risk of material misstatement at the
assertion level.

Even the smallest business is likely to use an accounting package like QuickBooks which
provides controls such as:

• Access controls (e.g. passwords);

• Security controls (e.g. backups);

• Bank reconciliations; and

• Processing controls to ensure that transactions entered into the system are properly
and accurately carried forward to the ledger and the financial report.

Accounting systems designed for larger businesses replace most traditional manual
aspects of accounting and control systems with programmed procedures and controls. While
the control objectives and the auditor’s objectives are the same in manual and computerised
environments, the nature of the control procedures and the audit approach to testing those
controls will differ.

When IT applications relevant to the information system are being used by the entity,
the auditor, in making a decision to rely on automated controls, needs to understand
and evaluate whether the general IT controls (for example controls to prevent or detect
unauthorised program changes or access to IT applications) are effectively designed and
implemented. To the extent that the auditor intends to rely on information produced by IT
applications and system-generated reports, the testing of general and application controls
is a function of the IT risk. Where IT applications include automated controls, those controls
need to be tested.


Audit procedures for automated control activities might include the following:

• Test system processing by submitting test transactions (both normal and with error
conditions) to determine that transactions are processed properly, or, where error
conditions exist, the transactions are rejected and reported (a test data approach).

• Casting (addition) and cross-casting (multiplication) of transactions and sub-ledgers.

• Review exception (error) reports for accuracy and evidence of the follow-up of errors.

• Take a random sample of transactions and examine evidence that key controls are
working as planned (e.g. authorisation controls).

• Search for duplicate entries, whether by transaction number or another identifier.

• Search for accounting entries that were posted at unusual times – like at night or on
weekends, or just before year-end.

• Search for transactions with missing information fields.

• Search for transactions with unusual sources. For example, debits to cash should
normally have a matching credit to trade receivables. Entries to either account without
the expected matching entry should be flagged for examination.

• Search for credit entries in expense accounts.
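
Several of the searches listed above can be run as simple queries over a journal export. The following Python sketch is an added illustration, not part of the original text; the field names, sample ledger lines, normal posting hours, and year-end window are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

REQUIRED = ("je", "posted", "account", "type", "ref", "user")
YEAR_END = date(2023, 12, 31)          # assumed period end
YEAR_END_WINDOW = timedelta(days=2)    # assumed meaning of "just before year-end"
BUSINESS_HOURS = range(7, 20)          # assumed normal posting hours, 07:00-19:59


def line(je, posted, account, type_, dr, cr, ref, user):
    """Build one ledger line; a journal entry (je) has two or more lines."""
    return {"je": je, "posted": posted, "account": account, "type": type_,
            "dr": dr, "cr": cr, "ref": ref, "user": user}


# Constructed sample data, not taken from any real ledger.
LINES = [
    line("JE-1001", "2023-03-14T10:05", "Cash", "asset", 500.0, 0.0, "RCPT-77", "ar01"),
    line("JE-1001", "2023-03-14T10:05", "Trade receivables", "asset", 0.0, 500.0, "RCPT-77", "ar01"),
    # Same receipt keyed again under a new entry number.
    line("JE-1002", "2023-03-14T10:09", "Cash", "asset", 500.0, 0.0, "RCPT-77", "ar01"),
    line("JE-1002", "2023-03-14T10:09", "Trade receivables", "asset", 0.0, 500.0, "RCPT-77", "ar01"),
    # Saturday night posting; cash debited with no receivables credit.
    line("JE-1003", "2023-06-17T23:40", "Cash", "asset", 900.0, 0.0, "RCPT-91", "gl02"),
    line("JE-1003", "2023-06-17T23:40", "Sales revenue", "revenue", 0.0, 900.0, "RCPT-91", "gl02"),
    # Credit posted to an expense account.
    line("JE-1004", "2023-09-06T11:00", "Accrued liabilities", "liability", 300.0, 0.0, "ADJ-12", "gl02"),
    line("JE-1004", "2023-09-06T11:00", "Travel expense", "expense", 0.0, 300.0, "ADJ-12", "gl02"),
    # Reference field left blank on one line.
    line("JE-1005", "2023-10-12T14:30", "Inventory", "asset", 1200.0, 0.0, "", "ap03"),
    line("JE-1005", "2023-10-12T14:30", "Accounts payable", "liability", 0.0, 1200.0, "GRN-40", "ap03"),
    # Sale recorded two days before year-end.
    line("JE-1006", "2023-12-29T16:00", "Trade receivables", "asset", 8000.0, 0.0, "INV-5521", "ar01"),
    line("JE-1006", "2023-12-29T16:00", "Sales revenue", "revenue", 0.0, 8000.0, "INV-5521", "ar01"),
]


def run_tests(lines):
    """Return {test name: sorted journal entry ids flagged for follow-up}."""
    findings = defaultdict(set)
    by_je = defaultdict(list)
    seen = defaultdict(set)
    for ln in lines:
        je = ln.get("je") or "<no id>"
        by_je[je].append(ln)
        # Transactions with missing information fields.
        if any(ln.get(f) in (None, "") for f in REQUIRED):
            findings["missing_fields"].add(je)
        # Duplicates: same reference, account and amounts under different entries.
        if ln.get("ref"):
            seen[(ln["ref"], ln["account"], ln["dr"], ln["cr"])].add(je)
        # Credit entries in expense accounts.
        if ln.get("type") == "expense" and ln.get("cr", 0) > 0:
            findings["expense_credits"].add(je)
        # Entries posted at night, on weekends, or just before year-end.
        if ln.get("posted"):
            ts = datetime.fromisoformat(ln["posted"])
            near_year_end = timedelta(0) <= YEAR_END - ts.date() <= YEAR_END_WINDOW
            if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS or near_year_end:
                findings["unusual_time"].add(je)
    for jes in seen.values():
        if len(jes) > 1:
            findings["duplicates"] |= jes
    # Unusual sources: a debit to cash without a credit to trade receivables.
    for je, grp in by_je.items():
        cash_dr = any(l["account"] == "Cash" and l["dr"] > 0 for l in grp)
        ar_cr = any(l["account"] == "Trade receivables" and l["cr"] > 0 for l in grp)
        if cash_dr and not ar_cr:
            findings["unmatched_cash_debits"].add(je)
    return {name: sorted(ids) for name, ids in findings.items()}


if __name__ == "__main__":
    for name, ids in sorted(run_tests(LINES).items()):
        print(f"{name}: {ids}")
```

Each flagged entry is a candidate for examination, not a conclusion; a cash sale, for example, legitimately debits cash without touching trade receivables.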


Audit procedures for manual control activities might include the following:

• Take a random sample of transactions and examine supporting documentary evidence
(e.g. sales orders, shipping documents, invoices, cash receipts listing) that key controls
are working as planned (e.g. authorisation).

• Observe and make enquiries of client personnel about the performance of accounting
and control activities (e.g. observe segregation of duties).

Audit procedures for controls over adjusting entries and accounting estimates:

• View documentation to ensure the reason for the entry is explained and is valid,
that the calculation of the amount is based on reliable sources, and that the entry is
authorised.

Apply and Analyse 2


You are auditing the mortgage revenue account for a large financial institution where the
regular business transactions are initiated, recorded, and processed in a highly automated
IT system with little manual intervention.

What audit issues would arise from the risk assessment process that would impact the
audit of this account?

Answer

Audit evidence may only be available in electronic form and its sufficiency and
appropriateness is generally a function of controls over the accuracy and completeness of
processing.

There is the potential for material misstatement occurring and for it not to be detected
if controls are not operating effectively.

Substantive procedures alone would not be effective as evidence is not in observable
form.

The audit approach would require extensive testing of controls over the accuracy and
validity of transactions, to ensure that the entity’s information processing system correctly
records the revenue.

6.2.3.2 Degree of Reliance


If the auditor’s planned reliance on a control is low, then a simple test such as inquiry of
personnel or observation of evidence of the performance of the control may be adequate.

If the auditor’s planned reliance is high, a more effective test is required.

Illustrative Example 5
A common key control over the recognition of revenue is the matching of a customer
sales order and shipping document before the revenue is recognised (and a sales invoice
issued). Performance of this control might be indicated by the sales clerk’s initials on the
sales invoice. The auditor might perform a simple test like examining the sales invoices
for the clerk’s initials, or a stronger test like matching the three documents – in effect
re-performing the actions of the clerk. Re-performance is a strong control test.

6.2.4 Cycle Approach


To carry out control tests efficiently, a cycle approach is normally adopted. A transaction cycle
is a chain or sequence of related transactions. For example, a customer order, a shipment,
recording the sale and receivable, and lastly, recording the cash receipt. The transaction cycle
can be extended by including a sales return or allowance, an allowance for bad debts, and a
bad debt write-off.

Accounts within a cycle can be audited together efficiently because the audit evidence
associated with each transaction in the cycle is related and can be accessed through
common identifiers like a sales order number or a purchase order number. Examples of key
cycles include:

• The revenue cycle

°° Accounts affected: sales, trade receivables, cash receipts, sales returns and
allowances, allowance for doubtful debts, and bad debts expense.

364

c06.indd 364 11/17/2022 10:16:48 PM


A u d it P ro c ed u r es and A u d it E v i d ence

• The purchases cycle

°° Accounts affected: inventory, cost of goods sold, manufacturing expenses, prepaid


expenses, selling expenses, administrative expenses, cash payments, accounts
payable, and purchase discounts.

• The payroll and personnel cycle

  ◦ Accounts affected: cash, payroll expenses, payroll withholdings, and
    payroll accruals.

Other cycles exist and audit procedures including both control tests and substantive tests
for these are described in Chapter 7. What follows is a description of the first of these cycles,
the revenue cycle. This description reflects a generic type of business much like GEM, the
music retailer introduced at the beginning of the chapter. While all entities have a revenue
cycle, some variety is to be expected depending on the nature and size of the entity, and
its industry.

6.2.4.1 The Revenue Cycle


The key accounts are:

• Sales;

• Trade receivables; and


• Cash.

Other accounts in the revenue cycle are likely to include:

1. Sales returns and allowances;

2. The allowance for doubtful debts;

3. Bad debts expense;

4. Warranty expense;

5. Warranty liability; and

6. Sales commissions expense.

These other accounts may not be material in terms of their value, but they are high risk
because the accounting entries involve subjectivity and estimation. For example, a common
source of overstatement error in trade receivables is the understatement of the allowance for
doubtful debts.

Risk
Sales revenue and the associated trade receivables and cash accounts are highly susceptible
to fraud and the misappropriation of assets, and fraud is common. The revenue area is
one in which the normal expectation that auditors will be unbiased in their investigations is
abandoned, and auditors are required to presume the existence of revenue fraud in designing
their audit plan. A key aspect of the audit plan for revenue is the assumption of a high level of
risk of revenue fraud, which would include the risk of management override of controls in the
revenue cycle.

Illustrative Example 6
An analyst says a push for structural reforms in the economy appears to have sparked a
backlash in the form of companies inflating their profitability. Some state-owned firms
that were audited have in recent years inflated their revenues by more than RMB 200
billion (US$29 billion) and boosted their profits by RMB 20 billion with faked business and
manipulated books.

Evidence gathering procedures designed to address revenue fraud would include:

• Searching for, and enquiring about, unusual journal entries;

• Reviewing accounting estimates for evidence of bias; and

• Reviewing prior years’ accounting estimates.

While understatement fraud and error may occur in sales, trade receivables, and cash,
fraudulent overstatement is the critical audit risk. There are several common ways that
revenues and trade receivables are misstated. Exhibit 6.4 identifies some of these, explains
the motivation for the fraud or theft, and identifies the assertion at risk of misstatement.

| Risk | Reason for fraud/theft | Assertions at risk |
| --- | --- | --- |
| Recording non-existent (fraudulent) sales | Overstatement of sales/profit/net assets | Existence of Trade receivables; occurrence of Sales |
| Early recognition of sales (e.g. before the shipment of goods) | Overstatement of sales/profit/net assets | Cut-off of sales; Existence of A/R; occurrence of sales |
| Failing to record sales | Theft of sales revenue (cash or cheques) | Completeness of Trade receivables and Sales |
| Recording sales below authorised prices | Theft of revenue, or receiving kickbacks from customers | Valuation and allocation of Trade receivables; accuracy of sales |
| Other inappropriate revenue recognition (e.g. when the customer has the right of return) (see below) | Overstatement of sales/profit/net assets | Rights and obligation of trade receivables; occurrence of sales |
| Manipulation of accounting adjustments/estimates (e.g. understatement of the sales returns and allowances account leads to an overstatement of sales) | Overstatement of sales/profit/net assets | Valuation of Trade receivables; accuracy of sales |

EXHIBIT 6.4 Inherent risk in the revenue cycle

Revenue recognition and risk


The initiating transaction in the revenue cycle is the sale. While many retail businesses have
simple and well-controlled sales systems, other businesses’ sales are complex and not easily
controlled.

Illustrative Example 7
1. Project businesses. Consider a business that builds urban rail systems. Such
large projects might extend over multiple years, and contracts with government
authorities might include thousands of pages of specifications and legal
documentation. Appropriate recognition of revenue in these circumstances will
involve judgement in interpretation of the contract terms, and uncertainty in
estimates of the appropriate timing and the amounts to be recognised.

2. Online sellers. Another common risk in revenue recognition arises with online
sellers. Companies like Amazon provide a marketplace where buyers and sellers
can transact and provide for a secure payment system. The goods are shipped to
the customer directly from the manufacturer. Amazon does not take title to the
products or handle them. For this service, Amazon takes a commission on the sale.
The revenue recognised by the online seller should be the commission amount,
and not the full sales price.

6.2.4.2 Assertions, Controls, and Tests of Controls


As noted above, internal controls depend on the extent of automation of the accounting system
and the control environment. Before describing common control activities and tests of controls
of the sales transaction cycle, a brief description of the transaction cycle is offered.

In what follows, documents referred to may be either paper or electronic. In the past, a
manual accounting system meant the use of paper documents and the absence of computer
processing. This is no longer the case. Paper-based systems are uncommon. A manual or
traditional system today implies a significant level of intervention in the recording process
by personnel and a moderate level of computer processing. An ‘electronic’ system is highly
automated, with little intervention by personnel.

The common steps in the revenue cycle include:

1. The cycle begins with the receipt of a purchase order (PO) from an authorised
customer (paper or electronic), or the completion of a sales order (SO) by a salesperson
(if the transaction is initiated by the customer PO, a sales order is then generated in
response). The sales orders should:

• Be pre-numbered;

• Provide for evidence of authorisation of the sale and credit approval;

• Describe the item, price, and shipping terms; and


• Provide authorised billing and shipping addresses.

2. A shipping document listing the items to be shipped and showing the customer
identification is generated from the authorised sales order and forwarded to
the warehouse. After packing, a completed packing list is forwarded to the billing
department.

3. Invoices are prepared when notification is received that goods are shipped. Invoice
items, quantities, and prices should be agreed to the sales order and shipping
document (manually or electronically).

4. Cash receipts are of four main types: cash, credit card payments, cheques, and
electronic transfers. Each type of receipt has its own control challenges.

I. Cash receipts are deposited daily by stores at a local bank branch. Deposits are
reconciled daily with sales (cash register) listings.

II. Credit card payments are controlled by the card issuer for a fee. Listings of
approved credit card payments are provided to the business daily for reconciliation
with recorded sales.

III. Cheques received are accompanied by a customer remittance advice. Where no
advice is received, one is created. Scanners may read the two documents so that
identified differences can be reconciled and corrected. The cheques and remittance
advices are batched: cheques are deposited, and remittance advices posted to
the trade receivables sub-ledger. Controls include segregation of cheques and
remittance advices for deposit and posting; reconciliation of postings and deposits;
and computer edit tests to identify errors.

IV. Electronic transfers. Detailed remittance advices are forwarded by the bank to the
client daily for posting to trade receivables. Controls include reconciliation of daily
deposits with trade receivables postings, and with sales listings; review by internal
audit or treasury; comparison to the cash budget; and follow-up of discrepancies
reported by customers.

Exhibit 6.5 identifies the key revenue related assertions, controls that may be used to
ensure the accuracy of the assertions, and audit tests of controls that may be carried out to
verify the proper operation of the controls. Exhibits 6.6 and 6.7 provide the same information
for the other key accounts in the revenue cycle – Trade receivables and Cash.

| Assertion | Control | Tests of controls |
| --- | --- | --- |
| Occurrence | Invoices are prepared and recorded after evidence of shipment of goods. | Match sales invoices to shipping documents and customer sales orders. |
| | Goods shipped are agreed to customer sales orders. | Examine sales orders for evidence of approval and note dates to ensure that invoicing followed shipping. |
| | Sales are made to approved customers. | Agree customers to approved customer list. Review approval process. |
| Accuracy | Sales prices are taken from an approved price list. | Observe approved price list. Review approval process. |
| | Reconciliation of sales journal. | Inquire about reconciliation. |
| Completeness | Pre-numbered invoices and shipping documents. | Review sales journal for missing invoice numbers. Trace shipping documents to invoices to ensure all shipments have been invoiced. |
| Cut-off | Revenue recognition policies are properly established and followed. | Review revenue recognition policy and examine revenue transactions and estimates to test compliance. |

EXHIBIT 6.5 Sales – key risk is overstatement (occurrence and accuracy)
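
The sales tests of controls in Exhibit 6.5, re-performed over electronic records, as an added example that is not part of the original text. The record layouts, function names, and every sample record are constructed for illustration, and the sketch assumes one shipment per sales order.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class SalesOrder:
    so_no: int
    customer: str
    qty: int
    unit_price: int   # whole dollars
    approved: bool    # evidence of authorisation and credit approval

@dataclass(frozen=True)
class Shipment:
    ship_no: int
    so_no: int
    qty: int
    shipped_on: date

@dataclass(frozen=True)
class Invoice:
    inv_no: int
    so_no: int
    qty: int
    unit_price: int
    invoiced_on: date

# Constructed sample records (not real data), linked by sales order number.
APPROVED_CUSTOMERS = {"C001", "C002", "C003"}
ORDERS = [
    SalesOrder(5001, "C001", 10, 250, True),
    SalesOrder(5002, "C002", 4, 900, True),
    SalesOrder(5003, "C009", 2, 1500, True),   # customer not on approved list
    SalesOrder(5004, "C003", 6, 400, False),   # no evidence of approval
    SalesOrder(5005, "C001", 5, 250, True),
    SalesOrder(5006, "C002", 8, 120, True),
]
SHIPMENTS = [
    Shipment(7001, 5001, 10, date(2022, 12, 28)),
    Shipment(7002, 5002, 4, date(2023, 1, 3)),
    Shipment(7003, 5003, 2, date(2022, 12, 29)),
    Shipment(7004, 5004, 6, date(2022, 12, 30)),
    Shipment(7005, 5006, 8, date(2022, 12, 30)),   # shipped, never invoiced
]
INVOICES = [
    Invoice(9001, 5001, 10, 250, date(2022, 12, 28)),
    Invoice(9002, 5002, 4, 900, date(2022, 12, 30)),   # dated before shipment
    Invoice(9003, 5003, 2, 1500, date(2022, 12, 29)),
    Invoice(9005, 5004, 6, 360, date(2022, 12, 31)),   # 9004 missing; price cut
    Invoice(9006, 5005, 5, 250, date(2022, 12, 31)),   # no shipping document
]

def reperform_invoice_match(invoices, shipments, orders, approved_customers):
    """Occurrence/accuracy: return {invoice number: [deviations found]}."""
    order_by_so = {o.so_no: o for o in orders}
    ship_by_so = {s.so_no: s for s in shipments}   # assumes one shipment per order
    deviations = {}
    for inv in invoices:
        found = []
        order = order_by_so.get(inv.so_no)
        ship = ship_by_so.get(inv.so_no)
        if order is None:
            found.append("no sales order")
        else:
            if not order.approved:
                found.append("sales order not approved")
            if order.customer not in approved_customers:
                found.append("customer not on approved list")
            if (inv.qty, inv.unit_price) != (order.qty, order.unit_price):
                found.append("quantity or price differs from sales order")
        if ship is None:
            found.append("no shipping document")
        else:
            if inv.qty != ship.qty:
                found.append("quantity differs from shipping document")
            if inv.invoiced_on < ship.shipped_on:
                found.append("invoiced before shipment")
        if found:
            deviations[inv.inv_no] = found
    return deviations

def missing_numbers(doc_numbers):
    """Completeness: gaps in a pre-numbered document sequence."""
    seen = set(doc_numbers)
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]

def uninvoiced_shipments(shipments, invoices):
    """Completeness: shipping documents with no invoice for the same order."""
    invoiced = {inv.so_no for inv in invoices}
    return [s.ship_no for s in shipments if s.so_no not in invoiced]

if __name__ == "__main__":
    found = reperform_invoice_match(INVOICES, SHIPMENTS, ORDERS, APPROVED_CUSTOMERS)
    for inv_no, reasons in found.items():
        print(inv_no, "; ".join(reasons))
    print("deviation rate:", len(found) / len(INVOICES))
    print("missing invoice numbers:", missing_numbers(i.inv_no for i in INVOICES))
    print("uninvoiced shipments:", uninvoiced_shipments(SHIPMENTS, INVOICES))
```

Each flagged invoice is a control deviation to investigate, not proof of a misstatement in the account.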

| Assertion | Control | Tests of controls |
| --- | --- | --- |
| Existence | Sales are made to approved customers. | Review approval process. Send a confirmation letter to customers in the trade receivables sub-ledger. |
| Accuracy, valuation, and allocation | Sales to customers do not exceed their approved credit limit. | Observe customer credit limits. |
| | Sales prices are taken from an approved price list. | Observe the approved price list. |
| | New customer approval. | Inquire about the customer approval process. |
| | Overdue accounts are referred to the credit manager. | Inquire about credit policy and role of credit manager. |
| Completeness | Pre-numbered invoices and shipping documents. | Trace invoices to the sales journal checking that all invoice numbers appear. Send a confirmation letter to customers in the trade receivables sub-ledger. Include significant customers from the prior year who do not appear in the current sub-ledger. |
| Rights and obligations | Pre-numbered sales orders. | Select shipments and review shipping documents to ensure goods were sent to customers who submitted a sales order. |

EXHIBIT 6.6 Trade receivables – key risk is overstatement (existence and valuation)

| Assertion | Control | Tests of control |
| --- | --- | --- |
| Existence | Daily banking of cash receipts. | Observe bank deposit process. |
| | Bank reconciliation. | Observe preparation and review bank reconciliation. |
| Accuracy, Valuation and allocation | Agree cash, cheques, electronic transfers, and credit card receipts with daily sales listing. | Examine evidence of check or observe check. |
| | Bank reconciliation. | Review bank reconciliation for completeness and approval. |
| Completeness | Cash register or point-of-sale terminals display the sale amount to the customer and provide a printed receipt for the customer and a listing of transactions for the business. | Observe that equipment is working and that operators are using it properly. Observe customers being given receipts. Inquire about cash management process. |
| | Bank reconciliation. | Review bank reconciliation. |
| | Cash receipts are deposited daily. | Observe preparation/performance of bank deposits. |
| Rights and obligations | Bank account. | Review bank statement; request bank confirmation. |

EXHIBIT 6.7 Cash – key risk is overstatement (existence and valuation)

6.2.5 Evaluation of Tests of Controls


Where control tests identify control failures or deviations, the auditor compares the actual
deviation rate with the tolerable deviation rate. The tolerable deviation rate for a control is a
similar concept to materiality for an account (see Chapter 5).

To illustrate, where the auditor tests an account for material misstatement and discovers a
total error in excess of performance materiality, the auditor cannot conclude that the account is
free from material misstatement. In a similar way, if the rate of control deviations exceeds the
tolerable deviation rate for that control, the auditor will conclude that the control is ineffective,
and that control risk is higher than originally assessed.

The auditor will determine if alternative controls exist, and if so, test those controls. If no
alternative controls exist:

1. The control risk assessment will be increased to medium or high for the affected
assertions/accounts;

2. The audit strategy will be reassessed; and

3. The audit plan will be revised to include a higher level of substantive testing.

Knowledge Check Questions

Question 8
After assessing control risk of an entity, identify which of the following would most likely
explain why an auditor decided not to perform tests of controls.
A Limited tests of controls with analytical procedures would be more efficient than
detailed substantive testing.
B Control risk should be assessed as low for key financial report assertions.
C The level of detection risk exceeded the level of control risk.
D The evidence that could be obtained through tests of controls would not support an
assessment of control risk as low.

Question 9
Identify which of the following describes what assessing control risk at a level below high
would most likely involve.
A Identifying internal controls relevant to specific assertions.
B Changing the timing of substantive tests by omitting interim testing and performing the
tests at year-end.
C Reducing inherent risk for most of the assertions relevant to significant
account balances.
D Performing more extensive substantive tests with larger sample sizes than
originally planned.

Question 10
Identify which of the following is not a key segregation of duties for the revenue process.
A Different parties should prepare shipping orders and prepare bills of lading.
B Different parties should perform the credit and billing functions.
C Different parties should perform the shipping and billing functions.
D Different parties should receive cash and adjust trade receivables.

Question 11
When undertaking tests of controls for revenues, identify which of the following explains
why auditors are more concerned with controls associated with the occurrence assertion
than they are with the completeness assertion.
A Clients are more likely to understate than overstate revenues.
B Clients are more likely to overstate than understate revenues.
C The allowance for doubtful accounts is often understated.
D It is difficult to determine when services have been performed.

Question 12
An auditor selects a sample from the file of shipping documents to determine whether
invoices were prepared. Identify which assertion for revenue this test is used to assess.
A Accuracy, valuation, and allocation.
B Completeness.
C Cut-off.
D Occurrence.

Question 13
Identify what ‘dual-purpose tests’ involve.
A Tests of controls that address both the design of the control procedures and their
operating effectiveness.
B Tests of transactions that include substantive procedures as well as tests of controls.
C Tests that address both balances and transaction classes.
D Tests performed because of client expectations as well as for gathering audit evidence.

Question 14
A company’s payroll is computerised and is handled by one payroll clerk who is responsible
for entering employees’ weekly time reports into the computer system. The payroll
system is password protected so that only the payroll clerk can change pay rates or add/
delete personnel to/from the payroll file. Employees are paid weekly, and the payroll clerk
schedules bank transfers for each employee.
Identify two control weaknesses in the following description of a company’s payroll
procedure. For each weakness identified, propose appropriate controls.

Question 15
Identify which of the following risk assessment procedures, under HKSA 315 (Revised 2019),
needs to be supported by other procedures to obtain evidence about the design and
implementation of identified controls in the control activities component of an entity’s
system of internal control.
A Inquiry of entity personnel.
B Observation of entity operations.
C Inspection of internal documents and reports.
D Information from external sources.

Question 16
Applying HKSA 315 (Revised 2019), identify which of the following controls an auditor is not
required to identify and evaluate the design and implementation.
A Controls determined to be appropriate to identify and assess the risk of material
misstatement.
B All individual controls that achieve the same risk of material misstatement at the
assertion level.
C Controls that address significant risks and controls over journal entries.
D Controls the auditor plans to test for operational effectiveness.

Question 17
Which controls that address the risks of material misstatement at the assertion level would
be expected to be identified in all audits?

Question 18
HKSA 315 (Revised 2019) requires the auditor to obtain an understanding of the control
activities through performing risk assessment procedures (including identifying risks
arising from the use of IT and the general IT controls implemented to address those risks).
List the audit matters that may be affected as a result of the auditor’s understanding of
these general IT controls.

6.3 SAMPLING

Sampling was mentioned in the preceding section on control testing. Sampling is commonly
used for both control tests and substantive tests. All auditors use sampling because the
alternative is the examination of 100% of all transactions. In the past, 100% examination was
impossible given the cost and time constraints of the audit. Today, though, ‘big data’ analysis
techniques have made 100% examination a possibility, and it is becoming more common
(see Section 6.3.3). Sampling is particularly efficient when the number of items in a population
is large because the number of items in a population has little bearing on the size of the sample
required to make meaningful inferences about that population.

Sampling takes place when an auditor applies audit procedures to a subset of a population
to understand the characteristics of that population (e.g. the extent of monetary misstatement
in the inventory account). To make valid inferences about a population, it is important
that the sample characteristics reflect those of the population – that the auditor selects a
‘representative’ sample.

Of course, the auditor is not interested in ‘populations’ in the biological sense, but in
accounts. Populations of interest to the auditor include cash, trade receivables, inventory,
accounts payable, etc. Items making up a population are called ‘sampling units’. For each
relevant population, the auditor chooses a sampling unit that facilitates the desired test.

For example, if the auditor wanted to test a control over the existence of trade
receivables by:

• Vouching all customers to an approved customer list, then the sampling unit would be
defined as the customers comprising the trade receivables sub-ledger.

• Vouching sales invoices to shipping documents, then the sampling unit would be
defined as those invoices outstanding at year-end date.
• Sending confirmation letters to customers, then the sampling unit might be defined
as the dollars in the trade receivables balance (monetary unit sampling or MUS).
An MUS approach would ensure that letters were sent to the customers with the
largest balances. (More on MUS later in this section.)

What is clear in the example above is that a variety of sampling units – customers, invoices,
or dollar units – may define a population. Regardless of how the sampling unit is defined, the
total of all sampling units in the population, whether customer accounts, invoices, or dollar
units, will equal the population total.

6.3.1 Sampling Risk


Sampling risk is the risk that sample characteristics will not represent the population.
Where an auditor’s conclusions about an account or a control are based on testing an
unrepresentative sample, then the auditor might make conclusions adversely affecting the
audit opinion (the risk of incorrect acceptance) that:

• A control is effective when it is not – meaning actual control risk is higher than assessed
control risk; or

• An account is fairly stated when a material error exists – meaning actual inherent risk
exceeds assessed inherent risk.

Alternatively, the auditor might make conclusions adversely affecting audit efficiency (the
risk of incorrect rejection):

• A control is ineffective when it is effective; or

• An account has material errors when it does not.

Sampling risk can be reduced by using a higher quality approach to sample selection, or by
increasing sample size (where an entire population is tested, sampling risk is zero).

An important source of sampling risk is inadequate sample size. The result of testing an
inadequate sample may lead the auditor to make the wrong conclusion about the population.

Illustrative Example 8
An auditor tested the controls over issuing invoices by randomly selecting 20 invoices
and found that four invoices (20%) were incorrectly issued. They concluded that the
control was ineffective.

The auditor was concerned about the possibility of incorrect rejection, so selected
a second sample of 1,000 invoices. The auditor again found that four invoices were
incorrectly issued. The error rate in the second sample was just 0.4% and in this second
case the auditor correctly concluded that the control was effective.

6.3.1.1 Sample Quality


Two approaches may be taken in sampling: statistical sampling and judgemental or
non-statistical sampling (HKSA 530, App. 4). Statistical sampling offers key benefits. It allows
the auditor to calculate sampling risk when planning the sample, and again when evaluating the sample.
Non-statistical sampling is not scientific in this sense: sample size is selected and evaluated using
‘professional judgement’, which is highly subjective and differs between auditors. It is not
possible to accurately assess the level of sampling risk provided by non-statistical sampling.

Non-statistical samples may be selected in three ways:

1. Haphazard selection has no obvious rule in sample selection.

2. Block selection focusses on a group of sampling units with a common characteristic
(e.g. all sales in January).

3. Directed selection follows some relevant criterion of interest to the auditor (e.g. all
overdue customer accounts in Trade receivables).

Statistical samples may be selected in two ways, both of which ensure that every sampling
unit in a population has an equal chance of selection:

1. Random selection using a random number generator.

2. Systematic selection using a random start and a calculated sampling interval to select
the sample.

For example, if the trade receivables sub-ledger has 500 customer accounts and
a sample of 25 customers is required, the sampling interval can be calculated as
500/25=20. A random start of 3 might be chosen, so customer numbers 3, 3+20=23, 43,
63, . . . 483 will be selected – achieving a sample of 25 customers for examination.

Monetary unit sampling (MUS) and stratification are sampling techniques which can
be combined with either random or systematic selection. The key characteristic of MUS is the
definition of the sampling unit as $1. For example, if the trade receivables balance is $1M, then
1M sampling units exist.

MUS is particularly useful in substantive testing for overstatement errors because it
increases the probability of selecting high value items in a population – like customer accounts
with a high balance. Accounts most likely to be overstated and subject to MUS are revenues
and assets. For this same reason, MUS is ineffective for understatement tests. Accounts most
likely to be understated are expenses and liabilities.
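
Systematic selection and MUS as described above, as an added example that is not part of the original text. The function names and the ten-account ledger are constructed for illustration; the ledger totals $1M, and the sketch assumes positive whole-dollar balances.

```python
import random


def systematic_selection(population_size, sample_size, start=None, rng=random):
    """Select 1-based item positions using a random start and a fixed interval."""
    if not 0 < sample_size <= population_size:
        raise ValueError("sample_size must be between 1 and population_size")
    interval = population_size // sample_size
    if start is None:
        start = rng.randint(1, interval)
    if not 1 <= start <= interval:
        raise ValueError("start must fall within the first interval")
    return [start + i * interval for i in range(sample_size)]


def monetary_unit_selection(ledger, sample_size, start=None, rng=random):
    """Systematic selection where the sampling unit is $1, not the account.

    ledger is a list of (account id, recorded balance). Returns
    (sampling interval in dollars, {account id: number of selected dollars}).
    """
    for account, amount in ledger:
        if not isinstance(amount, int) or amount <= 0:
            raise ValueError(f"{account}: this sketch needs a positive whole-dollar balance")
    total = sum(amount for _, amount in ledger)
    # Pick the individual dollars, then find the account that contains each one.
    dollars = iter(systematic_selection(total, sample_size, start, rng))
    target = next(dollars, None)
    hits = {}
    cumulative = 0
    for account, amount in ledger:
        cumulative += amount
        while target is not None and target <= cumulative:
            hits[account] = hits.get(account, 0) + 1
            target = next(dollars, None)
    return total // sample_size, hits


# Constructed trade receivables sub-ledger (not real data); balances total $1,000,000.
LEDGER = [
    ("A01", 320_000), ("A02", 15_000), ("A03", 5_000), ("A04", 210_000),
    ("A05", 40_000), ("A06", 8_000), ("A07", 150_000), ("A08", 2_000),
    ("A09", 180_000), ("A10", 70_000),
]

if __name__ == "__main__":
    # The worked example in the text: 500 accounts, sample of 25, random start 3.
    print(systematic_selection(500, 25, start=3))

    # Selecting by account position can skip the largest balance entirely.
    by_position = [LEDGER[p - 1][0] for p in systematic_selection(len(LEDGER), 5, start=2)]
    print("by account:", by_position)

    # Selecting by dollar: any account at least as large as the interval is certain
    # to be selected, whatever the random start.
    interval, hits = monetary_unit_selection(LEDGER, 10, start=37_500)
    print("interval:", interval, "accounts selected:", hits)
```

An account hit by more than one selected dollar is still examined once; the hit count only shows how much of the sample falls on it.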

Stratification is used to increase sampling efficiency. Sampling units are grouped, or
‘stratified’, and separate samples are selected from each stratum (e.g. the trade receivables
sub-ledger could be stratified into small, medium, and large accounts, effectively separating it
into three distinct populations before a sample is selected from each). There must be a
characteristic (e.g. size) that differs significantly between the sub-populations for stratification
to be validly used. A smaller overall sample size is achieved because the variance of the items
in each stratum is lower than that of the population, and population variance is one of the main
determinants of sample size. Stratification might reduce overall sample size by 20%, hence
increasing audit efficiency.

An important issue with stratification is in the assessment of sample results. When strata
are sampled and tested, the results of the tests, and the auditor’s conclusions, pertain only
to that stratum. Overall results for the population are obtained by combining the results
of the testing from each stratum. See HKSA 530 Appendix 1 for a discussion of MUS and
stratification.

6.3.1.2 Sample Size


Sampling has a positive effect on audit efficiency because the number of sampling units in
a population has little effect on sample size. Very large populations (e.g. a revenue account
including hundreds of millions of sales transactions might be encountered in the audit of a
supermarket chain) can be effectively tested by examining just a few hundred transactions.
In fact, the effective sample size does not change appreciably for any population with over 5000
sampling units.

Factors that do affect sample size are summarised in Exhibit 6.8. While these factors are
similar for control tests and substantive tests, these two are listed separately following the
approach in HKSA 530 Appendix 2 (Control tests) and Appendix 3 (Substantive tests).

| Tests of Controls | Substantive Tests |
| --- | --- |
| ↑ A high level of reliance by the auditor on controls (a combined audit strategy) | ↑ A high level of reliance by the auditor on the substantive tests |
| ↑ The expected error rate in the population (control risk) | ↑ The expected misstatement in the population (inherent risk and control risk) |
| ↓ The tolerable (acceptable) error rate in the population | ↓ Application of other substantive procedures to that population |
| | ↓ Performance materiality for the account |
| | ↓ Stratification |

(↑ indicates a larger sample, ↓ indicates a smaller sample)

EXHIBIT 6.8 Factors that affect sample size

While HKSA 530 discusses factors affecting sample size, as shown above, the calculation of
sample size is not explained or illustrated in the standard, and so is beyond the scope of this
textbook. Students wishing additional information about statistical calculations should see the
American Institute of CPAs Audit Guide: Audit Sampling, 2017.

6.3.2 Sample Evaluation


Control tests provide evidence of ‘deviations’ – the failure of a control to operate effectively.
Substantive tests, in contrast, provide evidence of errors or misstatements. This fundamental
difference leads to different conclusions about the characteristics of the population from which
the sample was drawn.

6.3.2.1 Control Tests


When carrying out control tests, the auditor collects evidence that the control has been carried
out as designed. If deviations are discovered, it does not mean that an error has occurred in the
account, simply that the control has not been performed as designed. The failure of a control
may or may not lead to an error in the account.

HKSA 530 requires the auditor to investigate the nature and cause of any control deviations
and evaluate their possible effect on their assessment of control risk and the audit plan. Where
the auditor considers a sample deviation to be an anomaly (e.g. the absence of the person who
normally performed the control), the auditor shall obtain evidence that the deviation is not
representative of the population by performing additional audit procedures (HKSA 530.12–13).

After performing control tests on a sample, the auditor calculates the sample deviation rate
for each control:

Sample deviation rate = actual deviations / sample size.

For example: sample size = 100; deviations = 2; sample deviation rate = 2/100 = 2%.

The sample deviation rate is used to estimate the population deviation rate. The estimated
population deviation rate will exceed the sample deviation rate and depends on factors like the
sample size and the quality of the control test employed. In the example above the estimated
population deviation rate chosen might be 3%.

The estimated population deviation rate is then compared with the auditor’s tolerable
deviation rate (a concept similar to account materiality). Where the population deviation
rate is less than the auditor’s tolerable deviation rate, the auditor may conclude the control’s
operation is ‘consistent with their preliminary assessment of control risk for the assertion in
question’ – that is, the control is effective.

Continuing the example above, assume that the control in question is a key control for the
account. In this case, the auditor would set a low tolerable deviation rate, perhaps 1%. As the
estimated population deviation rate is 3%, and this exceeds the tolerable deviation rate, the
auditor would conclude that the control was ineffective, and evaluate the possible effect of this
on their assessment of control risk and the audit plan.

Apply and Analyse 3


The auditor designed tests of the following controls. The auditor expected a low failure
rate as each control is important.

| # | Control | Failures | Notes |
| --- | --- | --- | --- |
| 1 | Credit approval | 1 | All new customers; approved by division sales manager; company profit is down; bonus implications for manager |
| 2 | Sales price from approved price list | 2 | All approved by one salesperson; all discounts 10%; bonus implications |
| 3 | A shipping document for each invoice | 1 | No shipping documents found |

1. Explain how the auditor should follow up on the sample findings.

2. If the follow-up shows a consistent pattern, explain how this will affect the design
of substantive procedures.

3. Describe whether any of the control weaknesses would be considered significant
or material.

Analysis:

1. Deviations from prescribed controls may be caused by such factors as changes in
key personnel, seasonal fluctuations in volume, and human error. The detected
rates of deviation may indicate that the controls cannot be relied on to reduce risk
at the assertion level to that required by the auditor. In such a case the auditor will
reconsider the validity of the tests performed, and whether additional tests of the
controls are necessary.

2. If, in further testing, the deviation rate remains unacceptably high, the auditor will
determine if alternative controls exist, and if so, test those controls. If no suitable
controls exist, substantive testing will be increased.

3. Given the fraud risk factors (see the Notes column in the table – company
profitability down; bonus plans) all deviations are significant, and the auditor’s
assessment of control risk should be reconsidered.

6.3.2.2 Substantive Tests


After performing substantive tests on a sample, the auditor determines the net misstatement
in the sample, that is, the sum of the understatement (negative) and overstatement (positive)
errors. This net error is then projected to the population. The projection procedure differs
between non-statistical and statistical samples.


Illustrative Example 9
If the net error discovered in the sample is $5,000, the recorded value of the sample is
$100,000, and the book value of the account is $500,000, then the projected error is:

(sample error / sample total) × population total = estimated population error

($5,000 / $100,000) × $500,000 = $25,000

For a statistical sample, the error projection process is more complex, and is beyond
the scope of this module. Briefly, it involves the identification of several variables, including
detection risk, the sample reliability factor, the sampling interval, and the tainting factor. A
series of calculations using these variables is then performed on each identified error, and
the sum of these individual errors is the projected population error. Advanced auditing
texts provide examples of this calculation (see American Institute of CPAs Audit Guide: Audit
Sampling, 2017). Most often, specialised audit software will automatically perform the relevant
calculation.

In either case, non-statistical or statistical, the projected error plus an allowance for
sampling risk will be compared with the account performance materiality. If the projected error
is higher than performance materiality, the auditor might decrease detection risk by:

• Increasing the sample size.

• Performing additional tests on areas of identified concern (a directed sample).

Additionally, the auditor should consider the relevance of the identified errors to:

• The internal control system and the control risk assessment; and

• The inherent risk in related accounts in the transaction cycle (e.g. revenue/receivables/cash).

And finally, the auditor should ask management to correct the errors.

6.3.3 ‘Big Data’


‘Big data’ is a phrase used for the study of data sets that are so big and complex that traditional
data processing software is unable to deal with them. Such data sets are common in business,
for example, one prominent retailer has more than 1 million customer transactions every hour
and gathers data from them.

Quantities of data available are increasingly large, but that is not the most relevant
characteristic of this big data paradigm. Big data is accompanied by predictive analytics used
to impact decision-making and even to cause automated actions, rather than simply to tabulate
characteristics.


Predictive models are models of the relationship between a sampling unit and one or more
known attributes of that unit designed to assess the likelihood that a similar unit will exhibit the
same characteristics. In auditing, these models capture relationships among many factors and
can enable the identification of high-risk transactions.

Predictive modelling can be also used to identify high-risk fraud candidates. For example:

• In the franchisee sales reports of an international fast-food chain, each location is
scored using 10 predictors. The 10 scores are then weighted to give an overall risk score
for each location.

• Internal revenue services in various countries use predictive analytics to ‘mine’ tax
returns and identify tax fraud.

6.3.3.1 Issues
Big data analytics results are only as good as the model on which they are predicated. Specific
criticisms of big data applications include:

• Neglecting statistical principles such as choosing a representative sample.

• Big data analysis is often shallow compared to analysis of smaller data sets. In many big
data projects, the main challenge is to extract and transform the data in preparation
for analysis.
• Big data analysis poses the same challenges as those for small data sets; adding more
data does not solve problems of bias.

Regression models are the mainstay of predictive analytics and big data. Regression is a
statistical technique used extensively by auditors. It is discussed further in Section 6.4.1.

Knowledge Check Questions

Question 19
Identify which of the following describes audit sampling.
A Using statistical methods to evaluate the propriety of the account balance.
B Testing less than 100% of the items to evaluate some characteristics of a balance.
C Applied to items selected randomly.
D Done on a test basis.

Question 20
Identify which of the following contributes to sampling risk.
A Choosing a sample size that is too small.
B Choosing an audit procedure inconsistent with the audit objective.
C Failing to detect a deviation on a document that has been inspected by the auditor.
D Failing to undertake an audit procedure in the sampling plan.


Question 21
Identify which of the following best describes statistical sampling.
A It provides a means for measuring the uncertainty that results from examining part of a
population.
B It requires the examination of a smaller number of supporting documents.
C It is evaluated in terms of statistical mean and random selection.
D It reduces the problems associated with the auditor’s judgement of materiality.

Question 22
An auditor tested the valuation of a client’s investments (balance $HK2.5M) using a
non-statistical sampling approach. The sample size was 100 items with a total dollar value
of $HK900,000. Six errors were identified for a total error of $HK93,000. Estimate the error
in the investment account and explain how you would proceed.

6.4 SUBSTANTIVE PROCEDURES

Substantive procedures are audit procedures designed to detect material misstatements at
the assertion level. They differ from control tests because a control deviation indicates that
the control has not been performed correctly. Incorrect performance of a control does not
mean that an error exists in the accounts; it simply indicates the failure of the control and the
possibility of an error. In contrast, substantive procedures identify errors directly.

Substantive procedures are carried out in response to inherent risks identified at the
planning stage of the audit. While inherent risk is strongly related to the business strategy of
the entity, certain inherent risks are always relevant:

• Errors often occur in accounts that are poorly controlled, typically those accounts
with large, infrequent, or unusual transactions. The direction of errors, whether
understatement or overstatement, cannot be predicted.

• Misappropriation of assets. Thieves steal cash, inventory, and other assets. Frauds
designed to conceal theft result in the overstatement of those accounts. Assertions at
risk are existence and valuation.

  ◦ A common theft is the ‘kickback’ which occurs where purchasing managers or other
    senior managers with purchasing responsibilities purchase inventory or fixed assets
    at inflated prices and receive a cash payment (the kickback) from the supplier. The
    asset account is likely to be overvalued due to the inflated prices, and valuation is
    the key assertion at risk.

  ◦ Another common theft is the payment of fictitious employees – resulting in the
    overstatement of wages expense. Occurrence is the assertion at risk.


• Fraudulent financial reporting is intentional misstatement of the financial
statements. Fraudulent reports typically show better financial results than those
achieved in order to facilitate the payment of excessive management bonuses or
conceal breaches of debt covenants. Some entities will understate profits in order to
evade taxation.

Any fraud that will increase net assets or net profit might be encountered. In
general terms, revenues and assets are likely to be overstated, while expenses
and liabilities are likely to be understated. Probably the most common fraud is
overstatement of revenue, and auditors are required to design their audit plan to test
for this possibility. The occurrence of revenue is always considered a high-risk assertion.

Where the risk of misstatement in an account or assertion is high, extensive and
high-quality substantive audit procedures will be necessary. Regardless of the level of
assessed risk, however, some substantive procedures are always required for material
accounts, and those substantive procedures must include tests of details: ‘Irrespective of the
assessed risks of material misstatement, the auditor shall design and perform substantive
procedures for each material class of transactions, account balance, and disclosure.’
(HKSA 330.18)

Two types of substantive procedures exist (HKSA 330.4):

1. Substantive analytical procedures; and

2. Tests of details (of classes of transactions, account balances, and disclosures).

6.4.1 Analytical Procedures


Analytical procedures must be carried out at the planning and completion stages of the audit.
They are not required at the evidence gathering stage but are commonly used. Well-designed
analytical procedures are powerful tests for material misstatement and are relatively efficient.
When auditors use effective analytical procedures, the number and/or quality of substantive
tests of details may be reduced.

Analytical procedures are overall tests rather than tests of details. They compare account
balances, ratios, and other information derived from the financial statements with the auditor’s
expectations. Where analytical procedures indicate a potential misstatement, they must be
followed up by tests of details. Only tests of details can identify and quantify specific errors.

When considering the use of analytical procedures, the auditor should consider:

• Their suitability for the assertion in relation to identified risks;

• The auditor’s substantive tests of details for that same assertion; and

• The reliability of data from which the auditor’s expectations are developed, taking
into account its source, comparability, nature, relevance, and controls over its preparation.

Analytical procedures include:

• Simple comparisons;

• Time series (e.g. monthly) or cross sectional (e.g. stores/outlets/restaurants) comparisons;

• Comparisons of financial ratios; and

• Other comparisons, including non-financial measures.


6.4.1.1 Simple Comparisons


At the most basic level, a simple comparison is a reasonableness test which involves calculating
the expected value of an item and comparing that with its actual value. For example, the
current inventory account balance – the balance being audited – should be compared with
the prior year’s audited balance. The assumption is that if the two balances are nearly
the same then the current balance is unlikely to be materially misstated. In contrast, a
significant difference between the two might indicate a material misstatement. Such simple
comparisons are likely to be valid when relevant aspects of the business have not changed in
the two-year period.

If the business has altered in some significant way during the two years, however, a more
sophisticated approach to developing the auditor’s expectations might be required. For
example, where relevant price levels have changed (that is, the value of the monetary unit
has dropped due to inflation), the auditor might take inflation into account in developing their
expectations.

It should be noted that the inflation rate that is commonly discussed and publicised
pertains to household assets and expenses. Other classes of assets inflate at different rates
and these rates may be found on the Hong Kong Census and Statistics Department website.

Other simple comparisons commonly used include comparing the financial statements with
budgeted financial statements and comparing entity statistics with industry statistics.

6.4.1.2 Multi-period Comparisons


Trend analysis and regression analysis are examples of techniques that facilitate multi-period
comparisons. Trend analysis offers the benefit of smoothing yearly or monthly fluctuations to
establish long-term expectations. Any of the simple comparisons mentioned above could be
extended to multi-period comparisons. Caution is advised because comparisons with older
data may not be relevant if the characteristics of the business have changed significantly over
the years. In general, the older the data, the less relevant they will be.

Linear regression analysis is useful for testing the consistency of the relationship between
key variables like sales and cost of goods sold in a time series analysis. Regression of cost of
sales against sales for the past 24 months will quickly identify months where the relationship is
unusual, and where the likelihood of a misstatement in sales or cost of sales is high.

Regression can also be used for cross-sectional analysis (across stores). A cross-sectional
analysis approach would be appropriate for the opening case G&E Music (GEM). With 300
stores, regression analysis of sales revenue against store area for all stores would identify
stores with unusual relationships for investigation. Other useful regressions across all 300
stores might include sales revenue against cost of goods sold or sales revenue against
wages expense.
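
The time-series regression described above, as an added example that is not part of the original module: cost of sales is regressed against sales for 24 months and months with an unusual relationship are flagged. The data are constructed, and the function names and the 2.5 standardised-residual threshold are assumptions made for illustration.

```python
"""Added example: regress cost of sales on sales and flag unusual months."""
from math import sqrt

# Constructed data (not from the module): 24 months of sales and cost of sales
# in $ millions. Cost of sales normally runs at about 78% of sales; month 17
# (index 16) is deliberately recorded 20 below that relationship.
NOISE = [0.5, -0.4, 0.2, -0.3]
SALES = [300.0 + 5.0 * i for i in range(24)]
COST_OF_SALES = [0.78 * s + NOISE[i % 4] for i, s in enumerate(SALES)]
COST_OF_SALES[16] -= 20.0


def fit_line(x, y):
    """Ordinary least squares fit of y = intercept + slope * x."""
    n = len(x)
    if n != len(y) or n < 3:
        raise ValueError("need at least three paired observations")
    x_bar = sum(x) / n
    y_bar = sum(y) / n
    sxx = sum((xi - x_bar) ** 2 for xi in x)
    if sxx == 0:
        raise ValueError("x has no variation; regression is undefined")
    sxy = sum((xi - x_bar) * (yi - y_bar) for xi, yi in zip(x, y))
    slope = sxy / sxx
    return y_bar - slope * x_bar, slope


def unusual_periods(x, y, threshold=2.5):
    """Return (period, actual, expected, standardised residual) for outliers.

    The expected value is the regression prediction. Each residual is divided
    by its own standard error, which allows for the leverage of the period,
    and periods beyond the threshold (an assumed cut-off) are returned.
    Periods are numbered from 1.
    """
    intercept, slope = fit_line(x, y)
    n = len(x)
    x_bar = sum(x) / n
    sxx = sum((xi - x_bar) ** 2 for xi in x)
    residuals = [yi - (intercept + slope * xi) for xi, yi in zip(x, y)]
    s = sqrt(sum(r * r for r in residuals) / (n - 2))  # residual std error
    if s == 0:
        return []  # perfect fit: nothing stands out
    flagged = []
    for i, (xi, yi, r) in enumerate(zip(x, y, residuals)):
        leverage = 1.0 / n + (xi - x_bar) ** 2 / sxx
        if 1.0 - leverage < 1e-12:
            continue  # the line is forced through this point; no information
        z = r / (s * sqrt(1.0 - leverage))
        if abs(z) > threshold:
            flagged.append((i + 1, yi, yi - r, z))
    return flagged


if __name__ == "__main__":
    intercept, slope = fit_line(SALES, COST_OF_SALES)
    print(f"expected cost of sales = {intercept:.2f} + {slope:.4f} x sales")
    for period, actual, expected, z in unusual_periods(SALES, COST_OF_SALES):
        print(f"month {period}: actual {actual:.1f}, "
              f"expected {expected:.1f}, standardised residual {z:.2f}")
```

The same two functions serve the cross-sectional case by passing store area as `x` and store sales revenue as `y`, with one observation per store.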

6.4.1.3 Comparisons of Financial Ratios


Most accounting students will be familiar with the calculation of financial ratios like the gross
profit ratio or the inventory turnover ratio. Substantive testing is an important application of
ratio analysis.


For example, the auditor might calculate the trade receivables turnover:

A/R turnover = sales / average receivables

for the current and the prior year, with the expectation that the ratio would be stable.
Significant changes in the ratio might indicate misstatement in sales, trade receivables, or the
allowance for doubtful debts. If the A/R turnover had increased from six times last year to
seven times this year, a misstatement is indicated, for example:

• Overstatement of sales; or

• Understatement of trade receivables.

Ratio analysis can be applied to both simple year-on-year comparisons, as shown in the
turnover example above, and to multi-period analysis. Ratio analysis is a frequently used form
of analytical review.

6.4.1.4 Other Comparisons


Many further analytical procedures might be designed by the auditor. For example,
non-financial measures such as number of employees might be usefully compared with wages
expense to help the auditor judge the potential for misstatement in the wages expense account
at individual stores. Where the number of employees was stable, the auditor would expect that
the wages expense would be stable. If the employee number grew by 10%, the auditor might
expect a matching 10% growth in wages. As noted above, adjustments for inflation, for new
employment contracts, and for other changes affecting the wages account should be included
to help develop the auditor’s expectations.

6.4.1.5 Analytical Procedures in the Revenue Cycle


6.4.1.5.1 Simple Comparisons
Simple comparisons that can be done include:

• The balance of all the accounts in the revenue cycle will be compared with prior years’
audited balances, and with the current budget.

• The ageing of the trade receivables sub-ledger should be compared with the
prior period, or multiple prior periods in order to assess the adequacy of the
allowance account.

• Growth in trade receivables can be compared with the growth in sales.

• Revenue growth and gross margin should be compared with industry statistics.

Illustrative Example 10
Recall the Opening Case G&E Music (GEM) presented at the beginning of this chapter.
Exhibit 6.9 is drawn from the GEM case and shows simple comparisons between the
current and past (audited) financial statements. As can be seen, all revenue and profit
accounts other than A/R are similar in their growth.


Trade receivables growth is above expectations. Inquiries of management are
necessary in this case. Perhaps new credit policies have been implemented. On the other
hand, because the increase in the accounts receivable balance is only 0.5% of revenue and
10.7% of net profit, the risk of a material error in A/R is not high. This is a common feature
of retail businesses: few purchases are on store credit and most customers use their own
credit facility (credit cards) to pay at the store or online prior to delivery.

6.4.1.5.2 Comparisons of Financial Ratios


Key financial ratios associated with the revenue cycle should be compared to the prior year.
These include:

• Return on sales.

• Gross profit margin.

• Trade receivables turnover.

• Allowance for doubtful debts, bad debts expense, and sales returns and allowances, all
as a percentage of sales.

Exhibit 6.9 shows simple comparisons of financial ratios for GEM. (Ratio calculations are
assumed knowledge for this module.) The ratio comparisons show a conservative pattern
consistent with the account comparisons as would be expected.

GEM Account Comparisons (000,000)

| Account | 20X2 | 20X1 | Growth (%) |
|---------|------|------|------------|
| Revenue | 3950 | 3650 | 8.2 |
| Cost of Sales | 3090 | 2850 | 8.4 |
| Gross profit | 860 | 800 | 7.5 |
| Sales and Mkt Expense | 405 | 375 | 8 |
| Net Profit | 186 | 174 | 6.9 |
| Receivables | 100 | 80 | 25 |
| Stores | 200 | 190 | 5 |

GEM Ratio Comparisons

| Ratio | 20X2 (%) | 20X1 (%) | Growth (%) |
|-------|----------|----------|------------|
| Gross profit margin | 21.7 | 21.9 | –1 |
| A/R turnover* | 39.5 | 45.6 | –6.1 |
| Return on Sales (ROS) | 4.7 | 4.8 | –2 |
| Revenue/store | $19.75M | $19.2M | 2.8 |
| Gross profit/store | $4.3M | $4.2M | 2.4 |

* Calculated as Sales / A/R due to lack of complete data.


EXHIBIT 6.9 GEM Revenue cycle analytical review


As noted above, the account that stands out is A/R, and this has affected the A/R turnover
ratio. This has decreased by 6.1%. Again, this requires investigation. Factors might include GEM
credit policy or the popularity of sales finance companies like Afterpay.

6.4.1.5.3 Multi-period Comparisons


As GEM has grown substantially over the years both in terms of number of stores and average
sales revenue per store, a multi-year (or monthly) trend analysis might be useful in establishing
expectations. Other independent variables like the strength of the local economy or disposable
incomes might also be used to establish expectations.

6.4.1.5.4 Other Comparisons


Regression analysis of the relationship between sales and store area would identify stores with
unusual sales results for further investigation.

6.4.2 Tests of Details


Recall that substantive procedures are audit procedures to detect material misstatements at
the assertion level. Analytical procedures are one form of substantive procedures and were
discussed in Section 6.4.1. This section deals with the other form of substantive tests, tests of
details. Two main types of tests are identified: tests of details of classes of transactions and
tests of details of account balances. The first type are tests for revenue and expense accounts,
and the second for asset, liability, and equity accounts. These are introduced in Sections 6.4.2.1
and 6.4.2.2.

6.4.2.1 Tests of Details of Classes of Transactions


Transaction-related assertions were introduced in Section 6.1.3 of this chapter. These
assertions include:

• Occurrence;

• Accuracy;
• Completeness;

• Cut-off;

• Presentation; and

• Classification.

Like control tests, tests of details of transactions are performed on transactions throughout
the period, rather than just those transactions that comprise period-end balances.

For efficiency, tests of controls are combined with tests of transactions and tests of
balances (hence the ‘combined’ audit approach). Evidence of controls like authorisation and
segregation (names or initials of the approver) can be found on documents like purchase
orders and sales orders. These same documents also provide monetary evidence regarding
assertions relating to transactions and balances (e.g. existence/occurrence).


Illustrative Example 11
Control test. A credit manager will perform a credit check on a customer before
authorising a sale to that customer (a control over occurrence). The credit approval
will be indicated on the sales order. The auditor can test the control by sighting
(examining) the evidence of approval on the sales order document (whether paper
or electronic).

Substantive tests – accuracy and completeness. The sales order will also identify
the goods ordered, the quantity ordered, and the agreed price. The auditor can trace
these details to the sales invoice, and the invoice total to the sales journal, as tests of the
accuracy of the sales transaction and the completeness of the sales journal (substantive
tests of details regarding accuracy and completeness).

Substantive tests – occurrence and cut-off. The auditor would also select a sample
of transactions from the sales journal and vouch the transactions to the three key
supporting documents – the invoice, the sales order, and the shipping document – to test
the occurrence of the sale and the cut-off (additional substantive tests of details regarding
occurrence and cut-off).

6.4.2.2 Tests of Details of Account Balances


Tests of details of balances are tests of the assertions about balances. These assertions
include:

• Existence;

• Valuation and allocation;

• Completeness;

• Rights and obligations;

• Presentation; and

• Classification.

Tests of balances differ from control tests and tests of transactions because they test the
account balance on a unique day – the end of the accounting period. Common tests of balances
are confirmations with third parties (e.g. cash with the bank or trade receivables with the
customer; see Section 6.4.3), counting (e.g. inventory or cash), and inspection (e.g. Property,
plant, and equipment).

Exhibit 6.10 identifies common tests of details for both assertions about balances and
assertions about transactions relevant to the revenue cycle.


| Assertion | Transaction (T) / Balance (B) | Substantive procedures – test of details |
|-----------|-------------------------------|------------------------------------------|
| Existence/occurrence | T | Vouch sales invoice to sales order and shipping document |
| | B | Confirm trade receivables balances or outstanding invoices with customers¹ |
| | T/B | Examine subsequent (to balance date) cash receipts² |
| | T | Check for duplicate entries in the sales journal |
| Valuation/accuracy | T | Verify arithmetic accuracy of sales invoices |
| | T | Vouch prices to authorised price list |
| | B | Confirm trade receivables balances with customers¹ |
| | T | Trace invoice totals to sales journal |
| | T/B | Cast the sales journal (T) and trade receivables sub-ledger (B), and tie to general ledger accounts |
| | B | Review the schedule of the ageing of trade receivables and the adequacy of the allowance for doubtful debts |
| | T | Check year-end sales cut-off (sales invoiced on or after shipment date) |
| Completeness | T/B | Trace shipping documents to invoice, sales journal, and trade receivables sub-ledger |
| | T | Check for missing invoices in the sales journal |
| Rights/obligations | B | Identify related party transactions and review terms |
| Cut-off | T/B | Review sales terms and contracts for appropriate recognition criteria – normally sales and trade receivables are recognised upon shipment of goods or the provision of a service |
| Classification | T | Review invoice or remittance advice to ensure revenue is properly classified as operating or other (e.g. interest) |
| | B | Review invoice or contract to ensure receivables are properly classified as current or long-term |
| Presentation/disclosure | T | Review revenue recognition criteria |
| | B | Review correct trade receivables classification – current or long-term |

Notes

1. Confirmation, as with many other audit procedures, provides evidence about more than one assertion – in this
case existence and valuation of trade receivables.
2. While this is a test of cash, its purpose is to test the existence of trade receivables at the year-end date, and the
occurrence of revenue.

EXHIBIT 6.10 Audit assertions and tests of details for the Revenue cycle

Apply and Analyse 4


The following is a list of procedures performed in the audit of the revenue cycle. For each
procedure indicate the control or substantive testing objective that is accomplished, and
identify the assertion tested.

1. Select a sample of shipping notices and trace to invoices.

2. Select a sample of entries in the sales journal and trace to sales orders and
shipping notices.


3. Recompute the invoice total for a sample of sales invoices.

4. Review client documentation to determine their policy for credit approval.

Analysis:

The objective is to ensure:

1. All shipments are invoiced; completeness of revenue and trade receivables.

2. All entries in the sales journal are real; occurrence of revenue.

3. The invoices are correctly extended and cast; accuracy of revenue.

4. That controls exist over credit approval; occurrence of revenue, existence of trade
receivables.

6.4.3 Confirmations
Confirmations are commonly used substantive procedures. An external confirmation is a
response to an auditor’s request for information directly from a ‘confirming external party’.
Confirmations provide reliable evidence to the auditor because of their source (a third party)
and type (documentary).

For example, if management is under pressure to meet earnings expectations, there may
be a risk that management is inflating sales by recognising sales revenue before goods are
shipped. In these circumstances, the auditor may design external confirmation procedures
not only to confirm outstanding amounts at year-end but also to confirm the terms of sales
agreements, including due date, any rights of return, and delivery terms.

When considering the use of confirmations, the auditor considers:

• The confirming party’s knowledge of the subject matter.

• Issues which may affect the reliability of the confirmation.

Confirmations can take either a positive or a negative form. A positive form request asks
the third party to respond directly to the auditor (not the audit client) regarding a balance, or
regarding their agreement or disagreement with information provided by the auditor in the
request – for example, the amount owing to the client in a debtor’s confirmation. Where the
responder disagrees, details of the difference are requested. Negative form requests ask the
third party to respond only if the confirming party disagrees with the information provided
in the request. Negative confirmations provide a weaker form of audit evidence than positive
confirmations because it must be assumed that a non-response indicates agreement, and this
is a weak assumption.

In determining whether external confirmation procedures are to be performed as
substantive audit procedures, factors that may assist the auditor include:

• Knowledge of the subject matter by the confirming party – the reliability of the
responses is better when provided by a person at the confirming party with the
requisite knowledge about the information being confirmed.


• The ability or willingness to respond by the intended confirming party – for example,
the confirming party:

  ◦ May have concerns about the potential legal liability resulting from responding;

  ◦ May not accept responsibility for responding to a confirmation request;

  ◦ May consider responding too costly or time consuming;

  ◦ May operate in an environment where responding to confirmation requests is not a
    significant aspect of day-to-day operations; or

  ◦ May account for transactions in different currencies.

In such situations, confirming parties may not respond, may respond in a casual
manner, or may attempt to restrict the reliance placed on the response.

• The objectivity of the intended confirming party – responses to confirmation requests
may be less reliable if the confirming party is a related party of the entity as related
parties are not actually independent third parties.

To assure the reliability of external confirmation procedures, the auditor must maintain
control over external confirmation requests including:

• The information content;


• The selection of the confirming parties;

• Verification of the existence and mailing address of the confirming parties;

• The mailing process; and

• The receipt of the responses.

HKSA 505 Appendices 1 and 2 provide local guidance on bank confirmation requests sent
to members of the Hong Kong Association of Banks and other financial institutions. A sample
‘External Confirmation Request’ for banks is provided in Appendix 2. Bank confirmations
seek information on deposits, loans, and their contractual terms, collateral for loans, and any
contingent liabilities (guarantees).

Commonly confirmed accounts include current assets and liabilities such as cash,
accounts receivable, inventory on consignment, and accounts payable. The accounts, the
confirming external party, and the assertions addressed are shown in Exhibit 6.11.

| Account | Confirming external party | Assertions addressed |
|---------|---------------------------|----------------------|
| Cash and bank borrowings | Bank or other financial institution | Existence, valuation, and rights |
| Trade receivables | Customer (debtor) | Existence and valuation |
| Inventory (at remote locations) | Consignee or custodian | Existence and rights |
| Accounts payable | Supplier/vendor | Occurrence and obligations |

EXHIBIT 6.11 Confirmations


When positive confirmation requests sent to customers and suppliers ask respondents
to provide a balance due, in many instances the response will not match the client’s records.
Reasons for discrepancies might include timing issues because goods are in transit, returned
goods, items in dispute, or errors and irregularities. All exceptions need to be followed up by
the auditor, and their resolution documented in the audit working papers.

Where no reply is received by the auditor, alternative procedures must be undertaken.
A simple and effective alternative procedure for trade receivables is the review of cash receipts
subsequent to balance date to ensure that outstanding amounts have been paid. A less
satisfactory alternative is the vouching of outstanding invoices to shipping documents and
sales orders.

Knowledge Check Questions

Question 23
A positive trade receivables confirmation was returned saying the ‘balance owed as of
30 June was paid on 9 July 20X7’. Identify which of the following describes what the auditor
should do.
A Re-confirm the balance as of 9 July 20X7.
B Determine whether there were any changes in the account between 1 July and 9
July 20X7.
C Check subsequent cash receipts to confirm that the amount was received.
D Determine whether a trade discount was taken by the customer.

Question 24
Identify which of the following is the best argument against the use of negative trade
receivables confirmations.
A The inference drawn from receiving no reply may be incorrect.
B There is no way of knowing if they were received.
C Recipients are likely to feel that the confirmation is a request for payment.
D The cost-per-response is high.

Question 25
Identify which of the following analytical procedures should be used for the statement of
profit or loss and other comprehensive income.
A Obtain from the proper client representatives the beginning and ending inventory
amounts that were used to determine costs of sales.
B Select sales and expense items and trace amounts to related supporting documents.
C Compare the actual revenues and expenses with the corresponding figures of the
previous year and investigate significant differences.
D Ascertain that the net income amount in the statement of cash flow agrees with the net
income amount in the statement of profit or loss and other comprehensive income.



Question 26
In determining the adequacy of the allowance for doubtful debts, identify which of the
following should be relied on the least.
A Ratios calculated showing the past relationship of trade receivables to net credit sales.
B An ageing schedule of past due accounts.
C Collection experience of the client’s collection agency.
D The credit manager’s opinion.

Question 27
Identify what an aged trial balance of trade receivables is usually used by the auditor to do.
A Evaluate the allowance for doubtful debts.
B Ensure that all trade receivables are recorded.
C Evaluate the results of tests of controls for the revenue cycle.
D Verify the existence of recorded receivables.

Question 28
An auditor proposes that sales be audited by comparing the relationship of sales and cost
of sales with the previous two years of audited figures. Explain whether this would be a
good test of the sales account.

6.5 OTHER AUDIT EVIDENCE

Many account balances are based on estimates, appraisals, or management assumptions.


Examples include:

• Warranty liabilities;

• The allowance for doubtful accounts;

• Pension costs;

• Fixed assets; and

• Goodwill.

While these account balances are inherently uncertain, estimates should always be based
on objective and verifiable data. Unfortunately, estimates are often subject to management
bias, earnings management, and fraud, and accounts based on estimates should be considered
to have high inherent risk. Controls over estimates are often deficient or non-existent, and
control risk is likely to be high.


6.5.1 Accounting Estimates


Accounting estimates have always been required in the preparation of accounts. The need
to deal with uncertainty and exercise professional judgement is one of the main ways that
accounting differs from mere bookkeeping. Two main types of accounting estimates are
common. The first concerns a forecast of a future event or the outcome of a transaction. Many
accounts require this type of estimation because they are affected by uncertain future events.
For example:

• The allowance for doubtful debts and trade receivables are affected by future economic
conditions and the actions of customers;

• Depreciation; accumulated depreciation; and property, plant, and equipment accounts
are affected by the useful life and salvage value of the asset; and

• Inventory is subject to obsolescence.

The second type of estimate concerns the fair values of assets or liabilities at the end of an
accounting period. Fair values are discussed in Section 6.5.2.

The auditor’s approach to accounting estimates is well established (see HKSA 540
(Revised) Auditing Accounting Estimates and Related Disclosures). Management is responsible
for the financial statements, and it is their responsibility to prepare relevant estimates and
related disclosures. The nature and reliability of the information available to management to
support their accounting estimates varies widely. The degree of estimation uncertainty may
be significant, and this affects the risk of material misstatement of the financial statements –
including their susceptibility to unintentional or intentional management bias. Account balances
comprising accounting estimates are examples of components of a financial statement that
would be high on the spectrum of inherent risk due to factors such as complexity, subjectivity,
and uncertainty associated with their calculation.

The auditor should obtain management’s working papers that identify management’s:

• Method used in making the estimate, and any change in method from prior periods;

• Controls over estimations;

• Use of a management’s expert;

• Assumptions underlying the estimate;

• Sources of data used; and

• Assessments of risk.

In examining management’s estimate, the auditor should consider:

• If the method used by management was appropriate;

• Whether appropriate controls were in place and operating effectively;

• The work of the management’s expert (Chapter 8, Section 8.3.4);

• The reasonableness of management’s assumptions;

• The relevance and reliability of data; and

• The adequacy of management’s risk assessment.


Indicators of management bias with respect to accounting estimates may include changes
in the method used, assumptions that are inconsistent with the marketplace, assumptions that
yield an estimate favourable to management’s objectives, unreliable data sources, or failure to
provide a balanced risk assessment.

If, in the auditor’s judgement, management has not adequately addressed the effects of
estimation uncertainty on the accounting estimates, the auditor should consider developing a
point estimate or a range to compare with management’s estimate. In this context the auditor
should consider whether it is necessary to use an auditor’s expert (Chapter 8, Section 8.3.1).
The comparison will enable the auditor to evaluate the degree of uncertainty associated with
management’s estimate and to determine whether estimates that are highly uncertain give rise
to significant risks of material misstatement.

6.5.2 Fair Values


While estimates and associated professional judgements have always been an important
aspect of accounting (Section 8.5.1), measurements and disclosures based on fair value are
becoming increasingly prevalent in financial reporting frameworks. Increasing numbers of
accounts in the statement of financial position are required to be assessed at fair value, and
disclosures need to provide information about these fair value estimates.

Auditing fair valued accounts and disclosures requires auditors to adopt the approach
described above for accounting estimates, an approach based on the auditor’s analysis
of management’s working papers. Management’s estimates will incorporate external and
future-oriented data and assumptions about the market, the industry, future cash flows, and
capital costs. Future-oriented estimates are inherently risky because, as with any prediction of the
future, error is both unavoidable and impossible to accurately quantify – except in retrospect.

The main criteria related to the audit of fair values are included in HKSA 540 (Revised)
Auditing Accounting Estimates and Related Disclosures and are summarised below.
1. Fair value is the price that would be received to sell an asset, or paid to transfer a
liability, in an orderly transaction between market participants at the measurement
date. It is an exit price.

2. Fair value is a current market-based measurement, not an entity-specific measurement.

3. An entity uses the assumptions that market participants would use when pricing the
asset or liability.

4. An entity’s intention regarding the asset or liability is not relevant.

5. Fair value measurement requires an entity to determine the following:

• The particular asset or liability;

• For a non-financial asset, the best use of the asset;

• The market in which an orderly transaction would take place; and

• The appropriate valuation technique to use when measuring fair value. The
technique used should maximise relevant observable inputs and minimise
unobservable inputs.

Section 6.5.2.1 discusses the audit procedures to be applied to fair value estimates and
disclosures.


6.5.2.1 Audit Procedures for Fair Values


As discussed in Section 6.5.1 above, the auditor’s objective is to reach a conclusion about
the reasonableness of management’s fair value estimates and related disclosures. Three
circumstances can be identified that will determine the auditor’s valuation approach.

1. An active market with quoted prices exists (e.g. publicly traded shares or bonds). Here,
determination of a current and accurate fair value is simple, and easily verified by the
auditor. Caution is advised because markets are volatile and temporary changes may
not reflect fair value.

2. While an active market may or may not exist, market information about similar items
is available (e.g. similarly situated buildings in a city). Here estimates of fair value are
possible and detection risk is low to medium. The auditor might consider the use of an
expert (e.g. a real estate valuer) in these circumstances.

3. Markets do not currently exist or are illiquid (e.g. asset and liability values during an
economic recession). In this case fair value estimates must be based on discounted
cash flow or other models. Model-based fair value calculations are highly subjective and
detection risk is high.

In order to assess the reasonableness of management’s fair value estimates, the auditor
must ensure each estimate meets the following criteria:
• It provides an exit price;

• Is market-based;

• Identifies the relevant market;

• Is based on the valuation assumptions used by market participants;

• Is based on reasonable assumptions;

• Is not influenced by management’s intentions regarding the asset;


• Is specific to a particular asset (or liability);

• Identifies the best use of the asset; and

• Is based on an appropriate valuation model using, to the greatest extent possible,
observable inputs.

The auditor should also:

• Develop a point estimate or range to assess management’s estimate.

• Obtain written representations from management stating they believe significant
assumptions used in making accounting estimates are reasonable.


Illustrative Example 12
When an asset is unique, then no market can be said to exist. Such circumstances might
arise when an entity owns a large percentage of the publicly traded shares of another
company. In these circumstances, the available market price may not be relevant
as it represents the value of the shares in a retail market characterised by a large
number of small transactions. Significant shareholdings confer significant influence or
control over the company, and these benefits increase the fair value of the asset. The
auditor might consider the use of an ‘auditor’s expert’ in these circumstances (e.g. an
investment banker).

In this example, management’s fair value estimate would likely be based on a
discounted cash flow model. Where fair values are based on modelling, it is important
for the auditor to ensure that models are developed in a rigorous fashion so that the
calculations and assumptions underlying the model can be evaluated by the auditor.

Apply and Analyse 5


Holden announced in 2012 that it was closing its assembly plant in Melbourne. The
one-storey plant covered three hectares of commercially zoned property close to freeways
and rail lines.

1. State the fair value classification that is applicable to the plant.

2. Explain management’s responsibility in determining the fair value of the plant.

3. If management is unable to value the plant, identify if this constitutes an internal
control weakness.

4. If management provides an estimate of the fair value of the plant, explain whether
the auditor should test management’s estimate, hire an external valuer, or both.

Analysis:

1. The plant is a level 2 asset. A market for similar assets (commercial property in
Melbourne) will exist and sales information will be available that will permit an
estimate to be made.

2. Management is responsible for making fair value estimates. An appropriate system
should be in place to ensure this is carried out.

3. If no system is in place to estimate the fair value of items and accounts, this is
a control weakness. If management does not have the expertise to make such
valuations, a ‘management’s expert’ should be employed by Holden.

4. The auditor should test management’s estimate (or the estimate of the
management’s expert) using the criteria listed above. The auditor might consider
hiring an auditor’s expert to perform an appraisal if recent sales of equivalent
properties are not readily available.


6.5.2.2 Goodwill

The valuation of goodwill is a major concern for auditors. Goodwill represented 36% of all the
assets of major US corporations in 2008! For example, AOL-Time Warner took a $54 billion
goodwill write-down, and a further $28 billion in 2008.

Goodwill is subject to an annual impairment test. As goodwill is not a marketable asset,
and each entity’s goodwill is unique, valuation of goodwill is reliant on expert valuations and
discounted cash flow models as explained in Section 6.5.2.1. Discounted cash flow models are
based on a number of assumptions about discount rates, future cash flows, and estimates
of future prospects for the economy, the industry, and the business. These assumptions
and estimates are long-term, and as such are highly subjective and impossible to verify. This
account would also be categorised as high on the spectrum of inherent risk.

The first step in valuing goodwill is to determine if the market value of the entity is
less than the carrying value of its assets. Assuming that the assets are properly valued, a
deficiency indicates goodwill impairment. However, assessing the market value of the entity
is problematic. While the share market provides a market value for small share transactions,
this market value does not reflect the value of an entire company, or a significant interest in a
company. Typically, in company take-overs, a significant premium is paid by the acquirer.

A second confounding issue in market valuation is that the goodwill account in a company’s
statement of financial position represents only purchased goodwill – goodwill that has arisen
due to a take-over. If the acquired company remains intact, then its value can be estimated
by expert valuers, most likely by reference to valuation models created at the time of the
take-over. For example, if revenue growth was originally estimated at 10%, and actual growth
has been 12%, this fact will increase the original valuation.

If, however, the acquired company has been integrated with the parent company – which
is common – then no identifiable business unit exists. Goodwill valuations will be based on a
range of assumptions about competitors, the economy, and product life-cycles, assumptions
which will be difficult to verify.

Audit procedures for goodwill valuation and impairment are similar to those concerning
accounting estimates and fair values. Further discussion can be found in Chapter 7, Section 7.6.2.

6.5.3 Initial Engagements and Opening Balances


An initial audit engagement takes place when the prior period financial statements were
not audited, or were audited by a predecessor auditor. The auditor’s objectives in an initial
engagement are to ensure that the opening balances are not misstated in a way that will
materially affect the current financial statements, and accounting policies reflected in the
opening balances have been consistently applied, or changes have been appropriately applied
and disclosed.

In order to achieve these objectives, the auditor should:

1. Obtain and read the prior period’s financial statements and the auditor’s
report thereon;

2. If the predecessor auditor’s report was modified, consider the effect of the modification
on the current financial statements;

3. Ensure the prior year’s closing balances have been brought forward appropriately; and


4. Do one of the following to obtain evidence about the opening balances:

• Review the predecessor auditor’s working papers; or

• Perform procedures to obtain evidence about the opening balances.

  ◦ For current assets and liabilities audit evidence about opening balances may
    be obtained as part of the current period’s audit procedures. For example,
    the payment of accounts payable or collection of opening trade receivables
    during the current period will provide some audit evidence of their existence,
    completeness, valuation, and rights and obligations at the beginning of
    the period.

  ◦ In the case of inventories, the auditor might observe a physical inventory count
    and reconcile it to the opening inventory quantities, test the valuation of the
    opening inventory items by comparison with subsequent sales, or perform
    analytical procedures on gross profit.

  ◦ For non-current assets and liabilities, such as investments; long-term debt; and
    property, plant, and equipment, audit evidence may be obtained by examining
    the accounting records and other information underlying the opening balances,
    or through confirmation with third parties.

6.5.4 Comparative Information


The terminology relating to comparative information can cause confusion. Make sure
you understand the three key terms which appear in the title of HKSA 710: Comparative
Information – Corresponding Figures and Comparative Financial Statements. It is particularly
important that you follow the definitions in the auditing standards because different
terminology is used in, for example, the Hong Kong Main Board Rules Appendix 16, paragraph
45(1), where ‘comparative figures’ are referred to – a term that does not appear in the auditing
standard. Fortunately, however, this matter is clarified by Lam and Lau (2012), who state that
the requirement for comparative figures in the Main Board Rules is what HKSA 710 refers to
as ‘corresponding figures’. While this distinction may seem trivial, it is important to both the
auditor’s procedures and the content of the audit report.

The following points summarise the key aspects of the definitions found in paragraph 6
of HKSA 710:

• Comparative information refers to amounts and disclosures in respect of prior
periods (normally just one prior period).

There are just two types of comparative information:

1. Corresponding figures;

2. Comparative financial statements.

• Corresponding figures are only relevant as an aid to understanding the current
period’s financial statements. They are not complete financial statements. Typically, but
not always, this means that the prior financial statements are included, but the notes
are excluded – so the prior financial statements are incomplete.


• Comparative financial statements are, or are close to, identical in form to the current
period’s financial statements, and are complete financial statements (including the
notes). If audited, they are referred to in the current auditor’s opinion.

Audit procedures relating to the audit of comparative information require the auditor to
determine whether:

• The financial statements include the appropriate comparative information.

• The comparative information agrees with the amounts and other disclosures presented
in the prior period.

• The accounting policies reflected in the comparative information are consistent with the
current period.

• If the auditor becomes aware of a possible material misstatement in the comparative
information, the auditor shall determine whether a material misstatement exists.

The auditor shall also request written representations from management regarding any
restatement made to correct a material misstatement in prior period financial statements that
affect the comparative information.

See Chapter 10 Section 10.7 for the reporting requirements relating to comparative
information.

6.5.5 Related Party Transactions


Chapter 9, Section 9.4 provides a thorough discussion of related party issues. This section
provides a summary of these matters with an emphasis on audit procedures.

Relevant standards include HKSA 550 Related Parties, and HKAS 24, Related Party Disclosures.
Related parties are frequently involved in fraudulent financial transactions, so both HKSA 315
(Revised 2019), Identifying and Assessing the Risks of Material Misstatement through Understanding
the Entity and Its Environment and HKSA 240, The Auditor’s Responsibilities Relating to Fraud in an
Audit of Financial Statements are also relevant.

A related party is a person or entity that is related to the entity that is preparing its
financial statements (the reporting entity). Related parties include relatives of individuals
who have some control or influence over an entity, entities that are members of a company
group, and a variety of parties to other relationships.

A related party transaction is a transfer of resources, services, or obligations between a
reporting entity and a related party, regardless of whether a price is charged.

The objectives of the auditor are to obtain an understanding of related party relationships
and transactions sufficient to be able to recognise fraud risk factors, and to obtain sufficient
appropriate audit evidence about whether related party relationships and transactions
have been appropriately identified, accounted for, and disclosed in the financial statements
in accordance with the HKAS and the HKFRS. Audit procedures should, first, identify and
examine all transactions with disclosed related parties and, second, search for large or unusual
transactions with undisclosed related parties. The existence of undisclosed related parties
should be considered a fraud risk.


The auditor should make enquiries of management regarding:

• The identity of the entity’s related parties;

• The nature of the relationships between the entity and the related parties;

• Whether the entity entered into any transactions with the related parties during the
period, and the purpose of those transactions; and

• Controls management has established to identify related parties and to authorise
related party transactions.

Where management fails to disclose related parties or related party transactions, the
auditor should increase their assessment of inherent risk relating to fraud.

Related party transactions might include:

• Transactions with family members including transactions with accountants or lawyers,
or the rental of business premises;

• Transactions with trusts;

• Non-arm’s-length purchases or sales;

• Unusually low or high interest rate loans, or unsecured loans;

• Purchase of goods and services not clearly required by the entity;


• Poorly documented or overly complex transactions;

• Excessive travel or entertainment expenses;

• Large discounts given or received; or

• Inter-company transfers of funds.

Auditors should search for unidentified related parties and undisclosed related party
transactions by reviewing:

• Bank documents (loans, guarantees);

• Legal confirmations (the legal letter);

• Minutes of board and management meetings;

• Significant contracts, transactions, and journal entries;

• Prior year’s listing of related parties and related party transactions;

• Regulatory returns (tax, stock exchange); and

• Records of the entity’s investments.

Where auditors identify significant transactions outside the entity’s normal course of
business, they should enquire whether related parties are involved. If so, the transactions
should be treated as significant risks.


Knowledge Check Questions

Question 29
Explain fair value and describe when fair value concepts are applied.

Question 30
Explain how the fair value concept is applicable to the inventory; trade receivables; and
property, plant, and equipment accounts.

Question 31
Three levels of evidence may be used to assess fair value. Briefly describe each of
the three.

Question 32
Explain the process by which an auditor makes judgements about management’s fair value
estimates.

Question 33
Describe the approach the auditor should take to identify and audit related party
transactions.

Question 34
Describe the audit risks associated with related party transactions.

Question 35
An entity’s pension obligations disclosed in the financial statements are based on a
management estimate.
(a) Identify data, assumptions, and risks that would be relevant to calculating the
liability.
(b) Describe audit evidence that should be gathered to assess the accuracy of
the estimate.
(c) If the auditor’s estimate is significantly different from management’s, explain how
the auditor can identify bias in the management’s estimate.

Question 36
The CEO of a large organisation (revenue of HK$36 billion) used corporate funds to
purchase an apartment and make loans to key executives that were subsequently forgiven.
(a) Explain whether the auditor should look for these types of transactions in
every audit.
(b) Describe the audit procedures that might have identified these transactions.


6.6 DOCUMENTATION

The requirement to document the planning and conduct of an audit is a fundamental principle
of auditing. HKSA 230 Documentation and Chapter 5, Section 5.2 provided a comprehensive
discussion of audit documentation, with an emphasis on the documentation of audit planning
procedures. This section provides a brief review of this earlier material and illustrates at
greater length the documentation of the evidence gathering procedures undertaken by
an auditor.

Audit documentation is the written record that forms the basis for the auditor’s
conclusions. Also known as work papers or working papers, audit documentation facilitates
the planning, execution, and supervision of the audit, and enables a review of the audit work by
senior auditors and regulators.

6.6.1 The Work Papers


Work papers are typically separated into an engagement (current) file and a permanent file. The
permanent file contains information with ongoing relevance for future audits. The permanent
file would typically contain:

• Accounting policies

• Articles of incorporation

• By-laws

• Chart of accounts

• Director list

• History of the client organisation

• Internal controls documentation

• Organisation chart

• Prior period’s audit reports

• Loan and lease agreements

• Fixed asset register

• Share register.

Work papers record information relevant to the current audit engagement:

• The entity’s trial balance and adjustments thereto;

• Evidence of planning;


• The audit programme;

• The work done including control tests, analytical procedures and tests of details; the
auditor who completed the work; the reviewer; and the dates of the work and review;

• Evidence obtained including copies of key documents;

• The auditor’s analysis of the evidence; and

• Conclusions formed.

Documentation of the audit planning process was covered in Chapter 5, Section 5.2. Audit
planning documentation would include:

• Discussions with senior management.

• Inherent and control risk analyses.

• Initial analytical procedures.

• Identification of accounts and assertions requiring special attention.

• The auditor’s assessment of materiality, the audit strategy, and staffing needs.

The audit programme is the most important item of documentation in the audit
engagement. The audit programme specifies procedures to be performed in gathering
evidence for each account and provides a record of the completion of each procedure. Each
section of the programme will provide a description of the evidence obtained, the auditor’s
analysis of the evidence, judgements made by the auditor in relation to the evidence, and a
conclusion about the account or assertion that is the subject of the work paper. Other items
retained in the work papers include key documents such as:

• Minutes of board meetings

• Responses to confirmation requests

• The management representation letter.

6.6.2 Preparation of Working Papers


Good audit documentation should have the following characteristics:

• A table of contents or index.

• On each work paper, the name of the client, the balance date, and the account.

• Identification of the auditor and the reviewer, and the dates of their work.

• A description of the tests performed and findings.

• A conclusion regarding the possibility of material misstatement.

• Cross-referencing to related documentation.


Exhibit 6.12 illustrates an appropriate work paper for testing inventory existence.

Work Paper: Inventory extension test        Preparer: BAC
Client: Retail Co.                          Date: 20 July 20XX
Balance date: 30 June 20XX                  Reviewer: ATV
                                            Date: 25 July 20XX

Item #  Item name       Count  Inventory sub-ledger  Difference  $ Cost/unit  Extension  Error
1       stamp machine   3*     3➀                    0           1000         3000➁
11      electric motor  15*    14➀                   1           120          1600➁      120
21      motor housing   14*    15➀                   –1          50           750➁       50
31      rack            20*    20➀                   0           10           200➁
41      repair kit      10*    10➀                   0           25           250➁
Total tested                                                                  6000
Item not tested                                                               50000
Total                                                                         56000➀     170
                                                                              ^          ^

Memo: Five items were tested comprising 6000/56000 = 10.7% of the inventory balance.
A total error of $170 was identified. The population error is projected at $170/10.7% = $1589➂.
This is immaterial and the inventory count is judged accurate.

* test count by auditor
➀ agreed to inventory sub-ledger
➁ tested extension
➂ Note that this error projection is that commonly applied to a judgemental sample.
^ footed

EXHIBIT 6.12 Work paper for inventory existence

6.6.3 Completion of Audit Documentation


The auditor is required to assemble the audit documentation on a timely basis after the date of
the auditor’s report – normally 60 days. The completion does not involve the performance of
any new audit procedures. Changes to documentation may be made if they are of an
administrative nature, for example, sorting, collating, and cross-referencing working papers, or
documenting oral audit evidence obtained before the date of the auditor’s report
(HKSA 230.A21–A24).

After the final audit file has been completed, the auditor must not delete or discard audit
documentation of any nature before the end of its retention period – normally five years.
Where it is necessary to modify or add new audit documentation after the audit file has been
completed, the auditor shall document the reasons for the modifications, the date, and the
names of both preparer and reviewer. For example, new documentation may be added to a file
in response to comments received during monitoring inspections (HKSA 230.14–16).


Knowledge Check Questions

Question 37
List the main contents of an engagement file.

Question 38
Explain the purpose of audit documentation.

Question 39
List the elements that each audit document should contain.


SUMMARY

• Auditing is a process of objectively gathering and evaluating evidence about management’s
assertions which comprise the financial statements. This process provides a basis for the
auditor’s opinion.

• In planning an audit, the auditor must decide what evidence gathering procedures to perform,
when those procedures should be performed, and how much evidence is needed – the
nature, timing, and extent of procedures.

• Understanding the components of the entity’s system of internal control through performing
risk assessment procedures is part of the process of assessing inherent and control risks and
the risk of material misstatement at the financial statements and assertion levels.

• For identified risks of material misstatement at the assertion level a separate assessment of
inherent risk and control risk is required under HKSA 315 (Revised 2019).

• Control risk is an important part of the audit risk model. The auditor needs to understand the
system of internal control and control risk to plan the substantive audit procedures they will
use to test transactions and balances.

• Auditors are not required to test controls unless they plan to rely on them to reduce the
extent of substantive testing, but if a combined audit strategy is adopted, audit procedures
must include tests of controls that address the risk that internal controls are deficient.

• The auditor cannot test every transaction that occurs in an accounting period. This would be
both pointless and inefficient. Tools to improve audit efficiency include sampling to carry out
tests of controls and tests of details, and analytical review to provide evidence of the overall
reasonableness of account balances.

• Sampling is efficient because sample size is only weakly associated with population size.
This means that millions of transactions can be tested effectively with a sample of perhaps
300 items.

• Much audit work involves objective testing of documents and other evidence relating
to historic transactions; but auditors are also required to make complex and subjective
judgements relating to issues like fair values or related party transactions. Audit procedures
relating to estimated or fair valued accounts involve an examination of management’s
estimates of account balances for compliance with a range of criteria. Fundamentally,
management’s estimates must be based on reasonable assumptions.

• Audit documentation provides evidence that the audit is properly planned and executed,
and that the auditor’s opinion is properly supported by sufficient and appropriate evidence.
Proper documentation will ensure that the work of the audit team can be meaningfully
assessed by senior auditors and by regulators.


MIND MAP

Central topic: AUDIT PROCEDURES AND AUDIT EVIDENCE

• EVIDENCE AND ASSERTIONS: Risk; Evidence; Assertions
• SUBSTANTIVE PROCEDURES: Analytical procedures; Tests of detail; Confirmations
• TESTS OF CONTROLS: Internal control components; Control activities; Control tests;
Cycle approach; Evaluation of test results
• OTHER AUDIT EVIDENCE: Accounting estimates; Fair values; Initial engagements and
opening balances; Comparative information; Related party transactions
• SAMPLING: Sampling risk; Sample evaluation; Big data
• DOCUMENTATION: Permanent file; Work papers record; Audit planning documentation

LIST OF FORMULAS
1. Audit risk (AR) is a function of Inherent risk (IR), Control risk (CR), and Detection risk (DR)

AR ~ IR x CR x DR

2. Sampling

a. Population deviation rate = sample deviation rate + sampling risk adjustment

b. Sample deviation rate = actual deviations / sample size

c. Estimated population error = (sample error / sample total) x population total

3. Trade receivables turnover

A/R TO = sales / average receivables

Answers to Knowledge Check Questions

Question 1
Answer A is incorrect because Existence is a concern as inventory is higher than expected.
Answer B is incorrect because Presentation is not associated with inventory turnover.
Answer C is incorrect because Valuation errors would affect both Inventory and COGS in
the ratio and the auditor would be concerned that if turnover were slower the inventory
could be over-valued.
Answer D is the incorrect answer, because if inventory turnover has decreased, then
inventory is higher than expected. Completeness is associated with an understatement of
the account, so it would be the least likely to be misstated.


Question 2
Answer A is incorrect because if the payables are recorded then they likely exist.
Overstatement of liabilities is unlikely.
Answer B is incorrect because the key risk for liabilities is that they are understated.
A recorded payable implies Obligations is fairly stated.
Answer C is the correct answer because Understatement of liabilities is always a risk.
Answer D is incorrect because Occurrence relates to transactions and not
account balances.

Question 3
Answer A is the correct answer because understatement is a minor risk with
asset accounts.
Answer B is incorrect because existence is the main risk with asset accounts.
Answer C is incorrect because substantive tests are not used as control tests.
Answer D is incorrect because rights are an important assertion relating to current assets.

Question 4
Answer A is the correct answer because Valuation is at risk of overstatement if inventory
is obsolete.
Answer B is incorrect because Rights is not associated with obsolescence.
Answer C is incorrect because Existence is not an issue with obsolescence.
Answer D is incorrect because Completeness is not at issue with obsolescence.

Question 5
Answer A is the correct answer because Tracing is a procedure associated with
completeness tests. It verifies that all cash remittances received ended up recorded in the
cash receipts journal.
Answer B is incorrect because Occurrence would be tested by vouching, that is vouching
entries in the cash receipts journal back to the original remittance advices.
Answer C is incorrect because Rights would be tested by sighting the recipient on the
remittance advice.
Answer D is incorrect because Accuracy would be tested by agreeing the amounts on the
remittance advice with the journal.

Question 6
Answer A is the correct answer because if gross profit is overstated then COGS may be
understated and ending inventory may be overstated, hence breaching Existence.
Answer B is incorrect because Understatement of inventory would lead to an
overstatement of COGS and hence a lower gross profit.
Answer C is incorrect because presentation would not affect the gross profit.
Answer D is incorrect because Accuracy is not an assertion about balances.


Question 7

| Criteria / Evidence | A. Ageing | B. Confirmation | C. Comparison |
|---|---|---|---|
| Source | Management | Third Party | Auditor |
| Nature/Type | Document | Document | Document |
| Timing | Year-end | Best if year-end | Year-end |
| Extent | Single | 10% is reasonable; depends on prior misstatements (risk) | Single |
| Relevance | Valuation | Existence, rights, and valuation | Valuation, existence |
| Reliability | Questions arise as to its completeness due to its source | Follow up of unreturned items important | High as the comparison is with an audited balance and it is prepared by the auditor |

Question 8
Answer A is incorrect because this describes a combined audit approach.
Answer B is incorrect because if control risk were low then the auditor would have
proceeded with the control tests.
Answer C is incorrect because the two risk levels are not comparable.
Answer D is the correct answer because the auditor’s preliminary assessment of control
risk must have been high, i.e. controls are not effective, so testing was of no purpose.

Question 9
Answer A is the correct answer because, where control risk is less than high, key controls
are identified for testing.
Answer B is incorrect because year-end substantive tests are performed when the audit
strategy is substantive.
Answer C is incorrect because control risk has no relationship to inherent risk.
Answer D is incorrect because a lower level of control risk would decrease the planned
level of substantive testing.

Question 10
Answer A is the correct answer because these are similar functions.
Answer B is incorrect because credit is approving a transaction and billing is recording a
transaction, and so require segregation.
Answer C is incorrect because shipping is custody of an asset and billing is recording a
transaction, so segregation is required.
Answer D is incorrect because cash is custody of an asset and adjustments are recording a
transaction, so segregation is required.


Question 11
Answer A is incorrect because understatement of revenue is low risk.
Answer B is incorrect because overstatement of revenue is a common misstatement.
Answer C is incorrect because this relates to the assertion of valuation and allocation for
the trade receivables balance.
Answer D is incorrect because it relates to cut-off and not occurrence.

Question 12
Answer A is incorrect because accuracy of the invoices would be tested concurrently.
Answer B is incorrect, because this ensures that for each shipment a sales invoice was
prepared to support the recording of the sale.
Answer C is incorrect because Cut-off relates to timing. Any year-end shipments would also
be tested for correct cut off.
Answer D is incorrect because the occurrence test would select a sample of invoices and
vouch them back to the related shipping documents.

Question 13
Answer A is incorrect because this is a two-control test.
Answer B is the correct answer because a dual-purpose test is one that is simultaneously a
test of control and a substantive test of a transaction.
Answer C is incorrect because this type of test is not called a dual-purpose test.
Answer D is incorrect because no tests are completed on behalf of the client.

Question 14
This is a segregation of duties problem. Duties to be segregated include recording,
authorisation, and access to assets.

Weakness 1
The clerk who processes the payroll (recording) should not be able to enter new
employees or change rates of pay (authorisation).

Control 1
A second person with no recording responsibilities should be in control of pay rates
and employee entry (authorisation). Separate passwords should be maintained.

Weakness 2
The bank transfers should not be completed (access to assets) by the payroll clerk,
because they could make payments to themselves or to fraudulent employees and
cover these up with fraudulent entries.

Control 2
A third person (independent) with no payroll responsibilities should process the bank
transfers to employees.


Question 15
Answer A is the correct answer. HKSA 315 (Revised 2019), paragraph 26(d)(ii), indicates that
determining whether a control has been implemented requires procedures in addition to
inquiry of entity personnel. This does not provide visible or observable evidence.
B, C, and D are incorrect as these are identified in HKSA 315 (Revised 2019) as possible
risk assessment procedures. They provide visible and observable evidence that would
supplement inquiry.

Question 16
Answer A is incorrect because the audit objective is to identify and assess the risk of
material misstatement.
Answer B is the correct answer. When multiple controls achieve the same objective, it is
unnecessary to identify each control.
Answer C is incorrect because these controls provide a basis for the auditor determining
the nature, timing, and extent of substantive procedures to the assessed risk of material
misstatement.
Answer D is incorrect because the result of this determines the approach to substantive
testing, including controls that address risks for which substantive tests do not provide
sufficient appropriate audit evidence.

Question 17
Controls over journal entries, whether standard, non-standard, or automated would be
expected to be identified for all audits because of the manner in which entities incorporate
information from transaction processing into the general ledger.

Question 18
As general IT controls support the continued proper operation of the IT environment
and support the continued effective functioning of information processing controls,
understanding these controls facilitates the auditor’s development of an audit strategy for
testing information that involves IT applications and the assessment of inherent risk at the
assertion level. It also impacts the assessment of control risk and in deciding whether to
test the operational effectiveness of controls to address the risk of material misstatement
at the assertion level.

Question 19
Answer A is incorrect because it only refers to statistical sampling.
Answer B is the correct answer because this is the definition of sampling.
Answer C is incorrect because random selection is one type of sample selection.
Answer D is incorrect because this describes all audit procedures.

Question 20
Answer A is the correct answer because if a sample is too small it might not be
representative of the population.
Answer B is incorrect because this is part of detection risk, not sampling risk.
Answer C is incorrect because this is part of detection risk, not sampling risk.
Answer D is incorrect because this is part of detection risk, not sampling risk.


Question 21
Answer A is the correct answer because this is the main benefit of statistical sampling.
Answer B is incorrect because typically non-statistical samples are smaller than statistical
samples, where the number of sampling units examined can be calculated.
Answer C is incorrect because these are not measures of statistical sampling.
Answer D is incorrect because statistical sampling does not reduce the auditor’s judgement
involved in determining materiality.

Question 22
The total misstatement in the sample was 10.33% of the value of items sampled (93,000 /
900,000 = 10.33%). This means that the potential misstatement in the account is 10.33%
x $2.5M = $258,000. This may be considered material. If so, the auditor might extend the
sample, or request the client to review the account for further errors. The auditor should
also request that management adjust the account.

Question 23
Answer A is incorrect because there is no need to reconfirm as the initial confirmation was
correct and can be clarified. A second confirmation is unnecessary and therefore would be
costly and inefficient.
Answer B is incorrect because this time period is not relevant.
Answer C is the correct answer because examining subsequent cash receipts would clarify
the reply and prove the balance.
Answer D is incorrect because trade discounts are not relevant. The objective of
confirmations is to verify an outstanding receivable balance. That balance would already
reflect any discount.

Question 24
Answer A is the correct answer because the auditor does not know the reason for the
non-response. Non-replies might indicate a correct balance, but they might also indicate
disinterest, or that the confirmation was not received. Negative confirmations are not a
strong form of evidence.
Answer B is incorrect. While the statement itself may be true, it does not offer the best or
most complete argument, which is given in A above.
Answer C is incorrect. Recipients are not likely to feel that the confirmation is a request
for payment.
Answer D is incorrect because negative confirmations are relatively low cost.

Question 25
Answer A is incorrect because this is a substantive test of details.
Answer B is incorrect because this is a substantive test of details.
Answer C is the correct answer. This simple comparison is a fundamental analytical
procedure for the statement of profit or loss and other comprehensive income.
Answer D is incorrect because this is a substantive test of details.


Question 26
Answer A is incorrect because analytical review of the prior year’s collection experience is a
useful test for doubtful debts.
Answer B is incorrect because the ageing is a useful audit test for doubtful debts.
Answer C is incorrect because evidence from a third party is more reliable than
management opinion.
Answer D is the correct answer because the least reliable source of evidence is
management. The auditor is required to make the determination, not to rely on
management’s opinion.

Question 27
Answer A is the correct answer because the ageing is used to evaluate account
collectability, and hence the valuation of the allowance.
Answer B is incorrect because the aged trial balance provides no evidence as to whether all
receivables have been recorded, i.e. this is not a completeness test.
Answer C is incorrect because the aged trial balance has nothing to do with control tests.
Answer D is incorrect because the aged trial balance provides no evidence as to the
existence of receivables.

Question 28
This test, as with other analytical procedures, assumes little change in client business
operations, industry, or economic conditions. These matters should be established
before proceeding with analytical tests. The test is useful in identifying risks for further
examination. If the ratio has not changed, this provides some assurance that the accounts
are properly stated. Further substantive tests of detail for accuracy, completeness, and
occurrence are still required.
If the ratio has, for example, increased compared to prior years, then there is risk
that either sales is overstated, cost of sales is understated, or both. Increased substantive
testing will be required for the occurrence and accuracy of sales, and the completeness
and accuracy of cost of sales.

Question 29
Fair value is current market value. Fair value concepts are applied when assets or liabilities
are impaired.

Question 30
Inventory is adjusted for obsolescence using the lower of cost or market test. Trade
receivables are adjusted for estimated uncollectible debts. Property, plant, and equipment
is adjusted for impairment.

Question 31
Level 1 is where quoted prices are available on identical items. At level 2, information is
available about similar items. An expert valuer will most likely be consulted. At level 3, no
active market exists, and discounted cash flow models are likely to be used for valuations.


Question 32
In order to assess the reasonableness of management’s fair value estimates, the auditor
must ensure each estimate meets the following criteria:
• It provides an exit price;
• Is market-based;
• Identifies the relevant market;
• Is based on the valuation assumptions used by market participants;
• Is based on reasonable assumptions;
• Is not influenced by management’s intentions regarding the asset;
• Is specific to a particular asset (or liability);
• Identifies the best use of the asset; and
• Is based on an appropriate valuation model using to the greatest extent possible
observable inputs.

Question 33
The auditor should:
• Request management to provide a list of related parties, and transactions with those
related parties.
• Search documents like leases, loan agreements, and board minutes for evidence of
related parties or related party transactions.
• Be alert for unusual transactions – those that appear overly complex, poorly
documented, or inconsistent with the objectives of the client business.

Question 34
The main risks are fraud and theft leading to misstatement of the financial reports. A
secondary risk is failure to comply with accounting standards relating to the full disclosure
of related parties and related party transactions.

Question 35
(a) Data: Number of employees; expected and current age at retirement;
expected income at retirement; pension contract terms; pension legislation;
discount factor.
Assumption: Legislation regarding pensions will not change. The pension contract
with employees will not change. Past experience of retirement age will be relevant.
A discounted cash flow model will be appropriate.
Risk: Legislation regarding pensions may change; the pension contract may change;
employees may retire earlier/later than current experience; interest rates may
change.

(b) Consider the relevance and reliability of the data. All data should be agreed to
source documents (payroll; contracts; legislation; etc.).
Inquire into the use of a management’s expert; consider the use of an auditor’s
expert. In the case of pensions, an actuary might be used.


Inquire about controls over estimates.
Consider the reasonableness of management’s assumptions and the adequacy of
management’s risk assessment.
(c) Indicators of management bias with respect to accounting estimates may
include changes in the method used from prior periods, interest rates that are
inconsistent with the entity’s cost of capital, assumptions about retirement age,
and future salaries that yield an estimate favourable to management’s objectives of
maximising profits and bonuses, or failure to provide a balanced risk assessment
addressing the risks identified in part (a) above.

Question 36
(a) Related party transactions are often associated with misappropriation of assets
and financial reporting fraud. A search for, and examination of the substance of,
related party transactions is an important part of the auditor’s fraud detection
procedures. Although the transactions noted above are not material (the
materiality level in this company would likely be 0.5 to 1% of revenue, so in
the hundreds of millions), their existence points to inadequacies in the control
environment and an increase in control risk.
(b) Two approaches are taken to the identification of related party transactions.
i. Where appropriate controls exist, management should be asked for a list of
related parties and associated transactions.
ii. Further procedures include the examination of all large or unusual
transactions, and the examination of contracts, minutes of management
meetings, investments, etc. for evidence of related parties and associated
transactions.

Question 37
Audit documentation provides a record of:
• Evidence of audit planning (risk analysis).
• A plan for evidence gathering procedures to be completed (the audit programme).
• Work done, personnel involved, and timing.
• Evidence gathered.
• Audit judgements made.
• Conclusions about assertions, accounts, and the financial statements.

Question 38
The purpose of this documentation is to:
• Provide evidence to senior auditors or regulators that the audit has been properly
completed.
• Demonstrate that the auditor’s conclusions are based on verifiable evidence.


Question 39
Audit documentation should contain:
• Descriptive title.
• Name of client and balance date.
• Name of preparer and reviewer, and the dates of completion of these activities.
• Evidence obtained.
• Copies of key documents.
• Analysis of evidence.
• Conclusion regarding the assertion or account being tested.

EXAM PRACTICE

QUESTION 1
Micro Limited (Micro) is a subsidiary of Giant, a multinational. Micro provides administrative
and finance support to Giant’s subsidiaries in Asia. Micro has three staff including the
general manager, the financial controller, and a clerk. The accounting software used by
Micro for daily book-keeping is Easydone which is a simple software package. All three staff
have editing and posting access in Easydone and they use the same ID and password. All
cash payment vouchers are kept in paper format. Both the preparers and reviewer are
required to sign the paper vouchers.

Required:

As the auditor of Micro:

(a) Identify and explain two likely causes of material misstatements in the financial
statements caused by control weaknesses in segregation of duties and system access.

(b) Explain whether you would adopt a combined audit strategy including substantive
procedures and tests of controls.

QUESTION 2
After forgetting to retrieve his cash from an automatic teller machine (ATM) at a branch of
his bank during a withdrawal, a man returned to the ATM but was not able to find his cash.
As he was anxious to get his money back, he told the bank that no cash came out from the
ATM’s cash dispenser. After investigating the case and reviewing the branch records, the
police arrested a near-by street sweeper on charges of theft.

Required:

For ATM cash withdrawal activities, identify general and application controls, in a
computer-related environment, to protect the bank and customers from the theft of cash.


QUESTION 3
As at 31 December 20X4, you have a client who has significant outstanding trade receivables
due from its customers. As such, you have determined that external confirmation
procedures should be performed. After the audit confirmation results are provided to you
by the audit engagement senior, explain how you would advise and explain the appropriate
follow-up audit procedures in response to each of the following scenarios.

(a) The audit engagement team noted that there was a new customer from India and that
this new customer contributed 10% of the outstanding trade receivables at year-end.
The finance manager refused the auditor’s request to send a confirmation letter to the
new customer.

(b) One of the confirmation replies was mailed directly to the company. The finance
manager transferred it to the auditor without opening the sealed envelope containing
the confirmation.

(c) One of the confirmation replies identified a minor difference and the audit engagement
senior decided no follow-up procedure was required.

QUESTION 4
You have recently been appointed as the auditor of Messy Limited. During the audit, you
note that the prior period comparatives for the year ended 31 December 20X3 were not
audited and no stock take was performed by management at 31 December 20X3.

Below is a summary extract from the financial statements of Messy Limited:

| Statement of financial position | 31 December 20X4 (HK$) | 31 December 20X3 (HK$, unaudited) |
|---|---|---|
| Fixed assets | 5,000 | – |
| Inventories | 150,000 | 100,000 |
| Cash at bank | 25,000 | 1,000 |
| | 180,000 | 101,000 |
| Trade payables | (300,000) | (100,000) |
| | (120,000) | 1,000 |
| Share capital | 1,000 | 1,000 |
| Retained earnings | (121,000) | – |
| | (120,000) | 1,000 |
| Statement of profit or loss | Year ended | Year ended |
| Revenue | 500,000 | – |
| Cost of goods sold | (508,000) | – |
| Gross loss | (8,000) | – |
| Selling expenses | (55,000) | – |
| Administrative expenses | (47,000) | – |
| Loss before tax | (110,000) | – |
| Tax | (11,000) | – |
| Loss after tax | (121,000) | – |
Required:

Suggest the audit procedures for Messy Limited’s opening balances as at 1 January 20X4.

QUESTION 5
Trade Co. is a privately owned retailer with sales of $12 million and a year-end trade
receivables balance of $2 million. The trade receivables sub-ledger contains 500 customer
accounts. The auditor is planning the confirmation of trade receivables and will use a sample
size of 40 accounts.

Required:

(a) Explain the use of monetary unit sampling to select customers for confirmation.

(b) List the criteria that should be used to select customers for confirmation using
non-statistical sampling.

QUESTION 6
Queensland Co. is a distributor of hardware. The company has excellent internal controls
over sales and uses an automated system for document control. Pre-numbered shipping
documents are used for every sale. Goods are shipped only upon presentation of an
authorised shipping document. After shipment, a copy of the shipping document is sent
to the accounting department, which prepares an invoice for the customer. The shipping
document number is noted on the invoice. In some instances, more than one shipping
document will be used for a single invoice. In the current year, 20,000 invoices and 25,000
shipping documents were issued.

Required:

(a) Identify an effective sampling procedure for testing whether shipments have been
billed. Identify the sampling unit for this audit procedure.

(b) Identify one other revenue control test that could be performed with the same sample.
Describe the test and its objective.

(c) Explain whether the auditor would be able to test the occurrence of sales using the
same sample.


QUESTION 7
An automobile company announced that it was closing its assembly plant. The plant covered
three hectares of commercially zoned property.

Required:

(a) Identify three classes of fair value evidence, and the nature of the audit evidence
gathered for each class.

(b) State which of the fair value classifications is applicable to the plant.

(c) Describe management’s responsibility to determine the fair value of the plant.

(d) If management has an estimate of the fair value of the plant, describe the procedures
the auditor should undertake.

ANSWERS TO EXAM PRACTICE

QUESTION 1
(a) Segregation of duties. Micro has only three staff. Such a lean reporting structure may
hinder the company in setting up a proper segregation of duties. There may be a risk
that the same person prepares the data, feeds it into the computer, supervises the
processing, and acts as end user. This leads to enhanced opportunities for fraud.

Access. ‘Easydone’ is readily available to all three staff of Micro and their access to
the system is not well controlled as they share the same user ID and password. This
may increase the opportunity and the risk of accounting records being fraudulently
altered or amended.

(b) In view of the small scale of operation and lean reporting structure of Micro, it is
unlikely that Micro has sufficient controls to reduce the risks of material errors. It is
more cost effective to use substantive procedures. Auditors may use more extensive
physical examination and confirmation of assets, more tests of transactions, larger
sample sizes, etc.
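
The two weaknesses in part (a), and the payroll weaknesses in the answer to Knowledge Check Question 14, can both be looked for in a system access listing. The Python example below is an added illustration, not part of the original text: it flags people who hold more than one of the incompatible duties (recording, authorisation, access to assets) and logins used by more than one person. The permission names, login IDs, and user names are constructed assumptions.

```python
from collections import defaultdict

# Duty classes the text says must be segregated. The permission names are
# hypothetical; in practice they come from the system's own access report.
DUTY_OF = {
    "process_payroll": "recording",
    "edit_entry": "recording",
    "post_entry": "recording",
    "add_employee": "authorisation",
    "change_pay_rate": "authorisation",
    "bank_transfer": "access to assets",
}

# Constructed sample data: permissions attach to a login, people use logins.
LOGIN_PERMS = {
    # Payroll clerk as described in Knowledge Check Question 14.
    "payclerk": {"process_payroll", "add_employee", "change_pay_rate", "bank_transfer"},
    "hr_admin": {"add_employee", "change_pay_rate"},
    "treasury": {"bank_transfer"},
    # One shared ID with editing and posting access, as at Micro.
    "office": {"edit_entry", "post_entry", "export_report"},
}
LOGIN_USERS = {
    "payclerk": {"Clerk A"},
    "hr_admin": {"Manager B"},
    "treasury": {"Officer C"},
    "office": {"General manager", "Financial controller", "Clerk"},
}


def review_access(login_perms, login_users, duty_of=DUTY_OF):
    """Return segregation-of-duties conflicts, shared logins and unmapped permissions."""
    duties_by_person = defaultdict(set)
    unclassified = set()

    for login, perms in login_perms.items():
        duty_classes = set()
        for perm in perms:
            if perm in duty_of:
                duty_classes.add(duty_of[perm])
            else:
                # Report, rather than silently ignore, a permission nobody has classified.
                unclassified.add(perm)
        # Everyone who uses the login effectively holds all of its duties.
        for person in login_users.get(login, ()):
            duties_by_person[person] |= duty_classes

    conflicts = {
        person: sorted(duties)
        for person, duties in duties_by_person.items()
        if len(duties) > 1  # more than one incompatible duty class
    }
    shared_logins = {
        login: sorted(users)
        for login, users in login_users.items()
        if len(users) > 1  # entries under this ID cannot be traced to one person
    }
    return {
        "conflicts": conflicts,
        "shared_logins": shared_logins,
        "unclassified": sorted(unclassified),
    }


if __name__ == "__main__":
    report = review_access(LOGIN_PERMS, LOGIN_USERS)
    for section, findings in report.items():
        print(section, findings)
```

The shared `office` login raises no duty conflict on its own, yet it is still reported, because entries made under it cannot be attributed to an individual preparer or reviewer.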

QUESTION 2
General computer controls:

• Testing of ATM hardware and software before deployment.

• Updated user manual and training of staff operating ATMs.

• Physical protection of ATMs.

• CCTV designed to capture activity of ATM machines.

• Firewall or hacker protection measures.

• Controlled cash count and replenishment procedures.

• Indemnity agreement signed by ATM customer.

• Customer access by card and password.

• Data transfers between an ATM and the main computer system are encrypted and
processed through secured communication lines.


Application controls:

• Transaction activity log.

• Computer sensor and programming to forfeit cash left idle in the cash dispenser at
expiry of waiting period.

• ATMs are linked so that a person cannot obtain the maximum cash withdrawal from
multiple machines.

QUESTION 3
(a) The auditor should ask the finance manager for the reasons for the refusal and
consider if there are valid reasons for the request and obtain evidence to support this.
The auditor should consider the integrity of the finance manager and possible reasons
for any concealment, including fraud, given the customer was a new customer who had
just started trading with the company recently, but had a significant balance of trade
receivables at year-end.

(b) Since the confirmation reply was not directly received by the audit engagement team,
the audit engagement team should consider the reliability of the confirmation reply. As
the confirmation reply was sealed, a lower risk of the confirmation being amended is
implied. To verify the reliability of the confirmation reply, the audit engagement team
should consider alternative procedures. For example, the team can contact the customer
directly to confirm that the confirmation originated from the customer and that the
amount is as confirmed, or vouch the balance to subsequent receipts.

(c) The auditor should ask management to reconcile the difference between the
customer’s record and the client’s record and obtain evidence to support the reconciling
items identified. This is because an immaterial difference may not necessarily imply
there is no accounting error, or that similar errors do not exist.

QUESTION 4
HKSA 510 states that when the auditor conducts an initial audit engagement the objective
with respect to opening balances is to obtain sufficient appropriate audit evidence
about whether:

(a) Opening balances contain misstatements that materially affect the current period’s
financial statements;

(b) Appropriate accounting policies reflected in the opening balances have been
consistently applied in the current period’s financial statements; and

(c) If changes are made, whether these changes are appropriately accounted for and
adequately presented and disclosed in accordance with the applicable financial
reporting framework.

The suggested audit procedures for Messy Limited’s opening balances are:

Fixed assets

• Vouch the purchases of fixed assets to ensure that fixed assets were recorded in
the proper accounting period (i.e. fixed assets were purchased in the current year
but not in the prior year).


• If evidence indicates that purchase of fixed assets should have been recorded in the
prior year, consider whether the depreciation charge might have been understated
and created a consequential impact on the opening balances.

Inventories

• Observe the current physical inventory count and reconcile it back to the opening
inventory quantities.

• Perform audit procedures on the valuation of the opening inventory items.

• Perform audit procedures on gross profit and inventory cut-off (examination of
inventory transactions near balance date to ensure recording in the proper period).

Trade payables

• Trace opening trade payables balances to payments during the current period.

• Review the suppliers’ invoices and/or circularise confirmation to the key suppliers to
confirm the balances as at 1 January 20X4.

Cash at bank

• Obtain a bank statement and/or confirm the balances as at 1 January 20X4 to agree
the balance with the cash ledger.

Revenue and expenses

• Perform the sales and purchases cut-off tests as of 1 January 20X4.

• Review the collection of receivables and payment of expenses in January 20X4 (the
subsequent period) to ensure a proper cut-off had been done as of 1 January 20X4.

Statutory review

• Review of the statutory records of Messy Limited.


• Review the incorporation certificate of Messy Limited.

• Review the minutes of Messy Limited for the prior year.

• Review any material contracts to see if there was any non-disclosure of
contingencies or commitments at the prior year-end date.

QUESTION 5
(a) Monetary unit sampling is based on a sampling unit of $1. Because Trade Co.’s trade
receivable balance is $2 million, the population has 2 million sampling units. A sample
size of 40 implies a sampling interval of 2,000,000 / 40 = $50,000. A random start
between 1 and 50,000 is chosen and the sample selected by adding through the
trade receivable sub-ledger. Each time the addition reaches a multiple of 50,000, that
customer is selected for confirmation. For example, assume a random start of $24,000.
A customer is selected for confirmation at $24,000, $74,000, . . . $1,974,000.

(b) Non-statistical sampling can be based on haphazard, block, or directed selection.
A directed approach enables the auditor to focus on high risk accounts – those with
significant balances, overdue accounts, accounts with error conditions in prior years,
and overseas accounts.
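The add-through selection described in (a) can be carried out as follows. This is an added example, not part of the original text; the sub-ledger balances, customer codes and function names are constructed for illustration, and the random start is drawn from a source the client cannot predict.

```python
import secrets

# Constructed trade receivable sub-ledger: (customer, balance in whole dollars).
# The balances are illustrative and total $2,000,000 to match the answer above.
SUB_LEDGER = [
    ("C001", 120_000), ("C002", 15_000), ("C003", 260_000), ("C004", 8_000),
    ("C005", 97_000), ("C006", 310_000), ("C007", 42_000), ("C008", 5_000),
    ("C009", 450_000), ("C010", 73_000), ("C011", 220_000), ("C012", 400_000),
]


def sampling_interval(population_value, sample_size):
    """Dollar distance between sampled monetary units (2,000,000 / 40 = 50,000)."""
    if population_value <= 0 or sample_size <= 0:
        raise ValueError("population value and sample size must be positive")
    return population_value // sample_size


def mus_select(ledger, sample_size, random_start=None):
    """Add through the ledger and pick the account holding each sampled dollar.

    Returns (interval, random_start, selections, excluded). `selections` maps a
    customer to the sampled dollar positions that fell inside its balance, so an
    account larger than the interval appears once with several hits. `excluded`
    lists zero and credit balances, which a $1 sampling unit can never hit and
    which therefore need separate procedures.
    """
    excluded = [(cust, bal) for cust, bal in ledger if bal <= 0]
    items = [(cust, bal) for cust, bal in ledger if bal > 0]
    total = sum(bal for _, bal in items)
    interval = sampling_interval(total, sample_size)
    if interval == 0:
        raise ValueError("sample size exceeds the number of sampling units")
    if random_start is None:
        # Unpredictable start between 1 and the interval, inclusive.
        random_start = secrets.randbelow(interval) + 1
    if not 1 <= random_start <= interval:
        raise ValueError("random start must lie between 1 and the interval")

    selections = {}
    point = random_start      # next sampled dollar position
    cumulative = 0            # running total while adding through the ledger
    for customer, balance in items:
        cumulative += balance
        # Every sampled dollar up to the running total belongs to this customer.
        while point <= cumulative:
            selections.setdefault(customer, []).append(point)
            point += interval
    return interval, random_start, selections, excluded


if __name__ == "__main__":
    interval, start, selections, _ = mus_select(SUB_LEDGER, 40, random_start=24_000)
    print(f"interval ${interval:,}, random start ${start:,}")
    for customer, hits in selections.items():
        print(customer, len(hits), "hit(s), first at", f"${hits[0]:,}")
```

With the constructed ledger, the two smallest balances are never selected while the largest accounts are hit several times, which is the bias towards high-value items that monetary unit sampling is designed to have.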


QUESTION 6
(a) This is a test for the completeness of sales. The auditor’s objective is to ensure that all
shipments are invoiced. The sampling unit is the shipping document. The auditor would
check that those items appearing on the selected shipping document appeared on
an invoice.

(b) A follow-up test, also for the completeness of sales, would involve tracing the sales
invoice identified in the test above to the sales journal. The objective would be to
determine that all invoices have been recorded in the revenue account.

(c) No. In order to verify the occurrence of sales, a sample would be taken from the sales
journal and the sample items vouched to the supporting documents – the invoice
and shipping document. The direction of this test is opposite to that of the tests
described in (a) and (b), where we trace from the source documents to the accounts.

QUESTION 7
(a) The three classes of fair value evidence relate to the market:

1. An active market exists, and market transaction data are publicly available;

2. An active market does not exist but information on comparable transactions can be
sourced; and

3. No relevant market exists for the asset, and estimates must be based on cash flow
or other models.

(b) An active market is likely to exist for commercially zoned property.

(c) In estimating the fair value of the plant, management should meet the following criteria:

• Fair value is the price that would be received to sell an asset in an orderly transaction
between market participants at the measurement date. It is an exit price.

• Fair value is a current market-based measurement, not an entity-specific
measurement.

• An entity uses the assumptions that market participants would use when pricing
the asset.

• An entity’s intention regarding the asset is not relevant.

• Fair value measurement requires an entity to determine the following:

a. The best use of the asset; and

b. The market in which an orderly transaction would take place.

(d) The auditor should obtain management’s working papers that identify management’s:

• Method used in making the estimate;

• Controls over estimations;

• Use of a management’s expert;

• Assumptions underlying the estimate;

• Sources of data used; and

• Assessments of risk.


In examining management’s estimate, the auditor should consider:

• If the method used by management was appropriate;

• Whether appropriate controls were in place and operating effectively;

• The work of the management’s expert (Chapter 8, Section 8.3.4);

• The reasonableness of management’s assumptions;

• The relevance and reliability of the data; and

• The adequacy of management’s risk assessment.



7
The Audit Programme

CHAPTER TOPIC LIST

7.1 Revenue Cycle
    7.1.1 Key Accounts
    7.1.2 Risk
    7.1.3 Assertions, Controls and Tests of Controls
    7.1.4 Analytical Procedures
    7.1.5 Audit Assertions and Tests of Details
7.2 Purchases Cycle
    7.2.1 Key Accounts
    7.2.2 Risks
    7.2.3 Assertions, Controls and Tests of Controls
    7.2.4 Analytical Procedures
    7.2.5 Audit Assertions and Tests of Details
7.3 Payroll
    7.3.1 Key Account
    7.3.2 Risks
    7.3.3 Assertions, Controls and Tests of Controls
    7.3.4 Analytical Procedures
    7.3.5 Audit Assertions and Tests of Details
7.4 Bank and Cash
    7.4.1 Key accounts
    7.4.2 Risk
    7.4.3 Assertions, Controls and Tests of Controls
    7.4.4 Analytical Procedures
    7.4.5 Audit Assertions and Tests of Details
7.5 Financial Instruments
    7.5.1 Key accounts
    7.5.2 Risk
    7.5.3 Assertions, Controls and Tests of Controls
    7.5.4 Analytical Procedures for Marketable Financial Instruments
    7.5.5 Audit Assertions and Tests of Details for Marketable Financial Instruments
7.6 Non-current Assets
    7.6.1 Property, Plant and Equipment (PPE)
    7.6.2 Goodwill and Other Intangible Assets
    7.6.3 Interests in Other Entities
7.7 Liabilities and Equity
    7.7.1 Debt Securities
    7.7.2 Share Capital
    7.7.3 Provisions and Contingencies
7.8 Segment Information


LEARNING OUTCOMES

PRINCIPAL LO1: PERFORM ASSURANCE ENGAGEMENTS


LO1.09: Prepare, plan and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Management,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on:
Audit procedures
1.09.09 Design, in response to the assessed risk, the appropriate audit tests for:
• Tangible non-current assets
• Intangible non-current assets
• Inventory
• Receivables
• Bank and cash
• Trade payables and accruals
• Non-current liabilities
• Provisions and contingencies
• Capital and other issues
• Long-term investments
• Segment information
• Revenue
• Purchases
• Wages and salaries
• Financial instruments, e.g. derivative or forward contracts
• Treasury (e.g. bank loan/facility)


OPENING CASE

G&E MUSIC (GEM)

The GEM case introduced in Chapter 6 will be used in Chapter 7 to illustrate audit
procedures.

Recall that GEM has two distribution channels, 300 retail stores and an online store.

GEM holds significant market share in many of its product categories, which include:

• Consumer electronics including televisions, audio equipment, computers and
telecommunications products;

• Housewares including furniture, cooking products, heating and cooling products and
small appliances; and

• Software including CDs, DVDs and games.

Exhibit 7.1 shows GEM’s 20X1 (audited) and 20X2 (current) statement of profit and loss and
statement of financial position. This information will be used to provide illustrative examples of
analytical procedures in the following sections.


GEM Statement of profit and loss

| HK$M | 20X2 | 20X1 |
|---|---|---|
| Revenue | 3950 | 3650 |
| Cost of Goods Sold | 3090 | 2850 |
| Gross Profit | 860 | 800 |
| Sales and Marketing | 405 | 375 |
| Occupancy | 175 | 160 |
| Administration | 25 | 25 |
| Finance | 4 | 6 |
| Profit Before Tax | 251 | 234 |
| Tax | 65 | 60 |
| Net Profit | 186 | 174 |

GEM Statement of financial position

| HK$M | 20X2 | 20X1 |
|---|---|---|
| Current Assets | | |
| Cash | 52 | 50 |
| Trade Receivables | 100 | 80 |
| Inventory | 550 | 480 |
| Non-Current Assets | | |
| Property, Plant and Equipment | 185 | 175 |
| Intangibles | 85 | 85 |
| Total Assets | 972 | 870 |
| Current Liabilities | | |
| A/P | 385 | 325 |
| Provisions | 45 | 40 |
| Non-Current Liabilities | | |
| Borrowings | 110 | 140 |
| Total Liabilities | 540 | 505 |
| Net Assets | 432 | 365 |
| Equity | | |
| Share Capital | 50 | 55 |
| Reserves | 57 | 40 |
| Retained Earnings | 325 | 270 |
| Total Equity | 432 | 365 |

EXHIBIT 7.1 GEM 20X2 Financial statements


OVERVIEW

The audit programme is fundamental to an audit engagement. An audit programme:

• Identifies the audit procedures to be performed to respond to the assessed risks of
material misstatements in the audit plan.

• Organises and distributes audit work to the audit team.

• Monitors the progress of the audit.

• Records audit work performed and audit evidence gathered.

• Reviews the completeness and persuasiveness of audit evidence.

Chapter 7 is focused on the first of these aspects of the audit programme, the audit
procedures. Procedures that might be used to collect evidence for the audit of the financial
statements of an electronics retailer are identified in this chapter.

Audit procedures are designed to suit the client entity – the entity’s nature, its control
system and the auditor’s risk assessment. Entities are extraordinarily diverse, and audit
programmes reflect this diversity.

Controls and tests of controls described in this chapter are commonly used, but great
variety exists in the design and structure of internal control systems, and controls and control
tests noted here will not be encountered in all audits. Similarly, many evidence-gathering
strategies are available to the auditor, and those substantive procedures noted below may not
be included in every audit programme.

As noted in Chapter 5 Section 5.5.2, the auditor’s control risk assessment determines the
audit strategy. Where control risk is high, a mainly substantive approach is adopted, and when
control risk is low or medium, a combined strategy will be adopted. The audit programme
illustrated in this chapter assumes the adoption of a combined strategy. Two types of audit
procedures are required when a combined audit strategy is adopted, tests of controls and
substantive tests. Tests of controls provide the auditor with evidence about the level of
control risk and substantive procedures provide evidence about the inherent risk of material
misstatements in the financial statements.

Audit programmes often reflect the client entity’s transaction cycles. This approach can
enhance audit efficiency because the accounts in a transaction cycle use the same set of
supporting documents and personnel. For example, the revenue transaction cycle incorporates
the following documents: sales orders, shipping documents, invoices, bank deposits and credit
notes; and these personnel: customer, sales manager, credit manager, warehouse manager
and the trade receivables clerk.


In addition, standard audit procedures like customer confirmations (see Section 6.4.3 of
Chapter 6) provide evidence regarding assertions for multiple accounts in the cycle (e.g. the
existence of trade receivables and the occurrence of sales) and for both control tests and
substantive procedures.

While the transaction cycle audit programmes that follow are not uncommon, other
transaction cycles might be relevant depending on the nature of the client entity and the
auditor’s standard approach.

Students should note that Sections 7.2 through 7.7 of this chapter adopt, as far as is
possible, the same structure and approach as that introduced in Section 7.1. The sections differ
mainly in terms of the transaction cycle, or the group of accounts, addressed.

7.1 REVENUE CYCLE

This section is based on information provided in Sections 6.2 and 6.4 of Chapter 6. Section 6.2
discussed tests of controls and Section 6.4 discussed substantive tests. Throughout the two
sections, explanations were illustrated by reference to the revenue cycle. The present section
now draws together the content of the two parts of Chapter 6 to illustrate a coherent and
focussed audit programme for the revenue cycle.

The audit programme illustrated here has five parts:

1. The accounts that comprise the cycle and a brief description of the cycle,

2. Key risks affecting the accounts and assertions,

3. Controls and control tests relevant to the accounts and assertions,

4. Commonly used analytical procedures, and

5. Tests of details relevant to the accounts and assertions.

The first two of the five parts listed above are not normally included in an audit programme
but would be documented in the risk analysis section of the permanent and current
engagement files. The information is included here to provide background about the accounts,
accounting activities and risks relevant to the transaction cycle so that students have some
context for understanding the procedures that follow.

Please note that any reference to documents applies equally to physical or
electronic media.

7.1.1 Key Accounts


Key accounts include:

• Sales,

• Trade receivables (A/R), and

• Cash.


Other accounts include:

• Sales returns and allowances,

• The allowance for doubtful debts,

• Bad debts expense,

• Warranty expense,

• Warranty liability and

• Sales commissions expense.

The revenue cycle has five steps:

1. The cycle begins with the receipt of a purchase order from an authorised customer and
the completion of a sales order by a salesperson. The sales orders should:

• Be pre-numbered,

• Provide for evidence of authorisation of the sale and credit approval,

• Describe the item, price and shipping terms, and

• Provide an authorised billing address.

2. Sales approval verifies that:


a. The customer exists, and is approved,

b. The sale does not exceed the customer’s credit limit, and

c. The selling prices agree with an approved price list.

3. A shipping document listing the items to be shipped and showing the customer
identification is prepared from the approved sales order and forwarded to the
warehouse. After packing, a packing list is forwarded to billing.

4. Invoices are prepared when notification is received that goods are shipped. Invoice
items, quantities and prices are agreed to the sales order and shipping document. An
accounting entry to revenue/trade receivables is completed at this point.

5. Receiving cash is the final step of the revenue cycle. The cash receipt relieves the trade
receivables account. Section 4 of this chapter discusses the audit of cash.

7.1.2 Risk
Sales revenue and the associated trade receivables and cash accounts are susceptible to fraud
and misappropriation of assets. Such frauds are common. While understatement error may
occur in sales, trade receivables and cash, fraudulent overstatement is a critical audit risk.
There are several ways that these accounts may be misstated. Exhibit 7.2 identifies some of
these, explains the motivation for the fraud or misappropriation of assets and identifies the
assertion at risk of misstatement.


| Risk | Reason for fraud/theft | Assertions at risk |
|---|---|---|
| Recording non-existent (fraudulent) sales | Overstatement of sales/profit/net assets | Existence of A/R; occurrence of sales |
| Early recognition of sales (e.g. before the shipment of goods, when goods are on consignment, or when bill and hold arrangements are in place) | Overstatement of sales/profit/net assets | Cut-off of sales, existence of A/R, occurrence of sales |
| Failing to record sales | Theft of sales revenue (cash or cheques) | Completeness of A/R and sales |
| Recording sales below (or above) authorised prices | Theft of revenue or receiving kickbacks from customers | Valuation and allocation of A/R; accuracy of sales |
| Other inappropriate revenue recognition (e.g. when the customer has the right of return) | Overstatement of sales/profit/net assets | Rights and obligation of A/R; occurrence of sales |
| Manipulation of accounting adjustments/estimates (e.g. understatement of the sales returns and allowances account leads to an overstatement of sales) | Overstatement of sales/profit/net assets | Valuation of A/R; accuracy of sales |

EXHIBIT 7.2 Inherent risk in the revenue cycle

7.1.3 Assertions, Controls and Tests of Controls


In Exhibit 7.3, unless otherwise stated, it is assumed that audit tests should be applied to
samples, as discussed in Chapter 6 Section 6.3. Increasingly, however, computerised audit
procedures may enable efficient testing of an entire population.

Sales – key risk is overstatement (occurrence and accuracy)

| Assertion | Control | Test |
|---|---|---|
| Occurrence | Invoices are prepared and recorded after evidence of shipment of goods. | Test IT system check of appropriate sequence of invoice and shipping dates using test data (inappropriate dates). |
| | Goods shipped are agreed to customer sales orders. | Examine sales orders for evidence of approval and note dates to ensure that invoicing followed shipping. |
| | Sales are made to approved customers. | Agree customers to approved customer list. Review approval process. |
| Accuracy | Sales prices are taken from an approved price list. | Obtain approved price list. Review approval process. |
| | Reconciliation of sales journal. | Inquire about reconciliation. |
| Completeness | Pre-numbered invoices and shipping documents. | Review sales journal for missing invoice numbers. Review shipping documents to ensure each shipment has been invoiced. |
| Cut-off | Revenue recognition policies are properly established and followed. | Review policy and examine sales transactions to test compliance. |

EXHIBIT 7.3 Assertions, controls and tests of controls in the revenue cycle


Trade receivables – key risk is overstatement (existence and valuation)

| Assertion | Control | Test |
|---|---|---|
| Existence | Sales are made to approved customers. | Review approval process. Send a confirmation letter to customers in the A/R sub-ledger to verify the existence of the customer. |
| Accuracy, valuation and allocation | Sales to customers do not exceed their approved credit limit. | Observe customer credit limits. |
| | Sales prices are taken from an approved price list. | Observe the approved price list. |
| | New customer approval. | Inquire about the customer approval process. |
| | Overdue accounts are referred to the credit manager. | Inquire about credit policy and role of credit manager. |
| Completeness | Pre-numbered invoices and shipping documents. | Trace invoices to the general ledger checking that all invoice numbers appear. Send a confirmation letter to customers in the A/R sub-ledger. Include significant customers from the prior year who do not appear in the current sub-ledger. |
| Rights and obligations | Pre-numbered sales orders. | Select shipments and review shipping documents to ensure they were sent to customers who submitted a sales order. |

EXHIBIT 7.3 (Continued )

7.1.4 Analytical Procedures


Analytical procedures are not required at the evidence gathering stage of the audit but are
commonly used. Well-designed analytical procedures are powerful indicators of material
misstatement and are relatively efficient. Because analytical procedures are based on
comparisons of account balances, financial ratios and other information derived from the
financial statements with the ‘auditor’s expectations’, these tests are not exact measures,
but indicators. When an auditor finds that an analytical procedure indicates the existence
of error, this must be followed up by tests of detail to quantify the error. When auditors use
effective analytical procedures, the number and/or quality of substantive tests of detail may
be reduced.

Illustrative Example 1
The table below shows simple comparisons between the current and past (audited)
financial statements for GEM’s revenue cycle accounts. As can be seen, all revenue and
profit accounts are very similar in their growth. Only Trade receivables growth is above
expectations. Inquiries of management are necessary. Perhaps new credit policies have
been implemented.


The table below also shows comparisons of financial ratios. The ratios show a
conservative pattern consistent with the account comparisons. As noted above, the decline
in the A/R turnover requires investigation.

GEM Revenue cycle analytical review

GEM Account comparisons

| Account | 20X2 | 20X1 | Growth % |
|---|---|---|---|
| Revenue | 3950 | 3650 | 8.2 |
| Cost of sales | 3090 | 2850 | 8.4 |
| Gross profit | 860 | 800 | 7.5 |
| Sales and market expense | 405 | 375 | 8 |
| Net profit | 186 | 174 | 6.9 |
| Receivables | 100 | 80 | 25 |
| Stores | 200 | 190 | 5 |

GEM Ratio comparisons

| Ratio | 20X2 % | 20X1 % | Growth % |
|---|---|---|---|
| Gross profit margin | 21.7 | 21.9 | –1 |
| A/R TO* | 39.5 | 45.6 | –6.1 |
| Return on sales ROS | 4.7 | 4.8 | –2 |
| Revenue/store | HK$19.75M | HK$19.2M | 2.8 |
| Gross profit/store | HK$4.3M | HK$4.2M | 2.4 |

* Calculated as sales/A/R due to lack of 20X0 data.

Multi-period comparisons: As GEM has grown substantially over the years, both in
terms of number of stores and average sales revenue per store, a multi-year trend analysis
would be useful in establishing expectations. Other independent variables like the strength
of the local economy or disposable incomes might also be used to establish expectations.

Comparisons of accounts: See the table above. All comparisons are simple
comparisons of current data with the prior year’s audited figures. Operating items
including revenue (+8.2%), revenue per store (+2.8%), gross profit (+7.5%), gross profit per
store (+2.4%) and net profit (+6.9%) are all consistent with each other, and with increases
in key drivers of profitability, which include the number of stores (+5%) and sales and
marketing expenses (+8%).

One item of note is receivables. The increase of 25% is inconsistent with the
profit-related measures, though it should be noted that in the retail industry, most
customers do not use GEM’s credit facility and receivables are relatively low compared
to sales. In any case, inquiries should be made of management as to why the receivables
increase is inconsistent with other data. Overstatement is a possibility. The receivables TO
ratio reflects this anomaly.

Other comparisons: Regression analysis (linear regression) of the relationship
between sales and store area would identify stores with unusual sales results for further
investigation. Regressions are often carried out on monthly data. Months that do not
conform to the regression line (outliers) are indicative of error conditions, which can be
followed up through tests of detail.


7.1.5 Audit Assertions and Tests of Details


In Exhibit 7.4, unless otherwise stated, it is assumed that audit tests should be applied to
samples. In some instances, computerised audit procedures may enable efficient testing of an
entire population.

| Assertion | Substantive test of detail |
|---|---|
| Existence of A/R; occurrence of sales | Confirm* trade receivables balances or outstanding invoices with customers by sending confirmations. Examine subsequent cash receipts. Vouch sales invoices to sales orders and shipping documents. Check for duplicate entries in the sales journal. |
| Valuation of A/R; accuracy of sales | Verify arithmetical accuracy of sales invoices. Vouch sales invoices and match the prices to the authorised price list. Confirm trade receivables balances with customers by sending confirmations. Trace sales invoices to the sales journal. Cast the sales journal and the trade receivables sub-ledger; reconcile both to the general ledger accounts. Review the aging of trade receivables and the adequacy of the allowance. |
| Completeness of Sales | Trace shipping documents to sales invoices and sales journal. Check for missing invoices in the sales journal. |
| Rights and obligations regarding trade receivables | Identify related party transactions and review terms. Review sales terms and contracts to ensure revenue recognition criteria are properly applied and are consistent with the accounting standards. |
| Cut-off of sales and trade receivables | Check year-end sales cut-off (sales should be invoiced on or after the shipment date – review shipping documents). |
| Classification and presentation | Review revenue recognition criteria. Review correct classification – current or long-term, for trade receivables. |

*Note. See Chapter 6 Section 6.4.3 for a discussion of confirmations.

EXHIBIT 7.4 Tests of details in the Revenue cycle
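Exhibits 7.3 and 7.4 both note that computerised audit procedures may test an entire population rather than a sample. The sketch below is an added example, not part of the original text: it runs several of the listed tests (missing invoice numbers, duplicate entries, invoicing before shipment, prices against the approved list, unapproved customers, uninvoiced shipments) over a whole sales journal. All records, field layouts and function names are constructed for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample data (not from the page). Journal rows are
# (invoice_no, customer, invoice_date, item, qty, unit_price, shipping_doc).
SALES_JOURNAL = [
    (1001, "CUST-A", date(2022, 12, 28), "TV-55", 2, 4200, "S-501"),
    (1002, "CUST-B", date(2022, 12, 29), "SPK-10", 5, 900, "S-502"),
    (1002, "CUST-B", date(2022, 12, 29), "SPK-10", 5, 900, "S-502"),   # entered twice
    (1004, "CUST-C", date(2022, 12, 30), "TV-55", 1, 3900, "S-503"),   # 1003 missing; off-list price
    (1005, "CUST-X", date(2022, 12, 31), "LAP-14", 3, 7500, "S-504"),  # customer not approved
    (1006, "CUST-A", date(2022, 12, 31), "LAP-14", 4, 7500, "S-506"),  # invoiced before shipment
    (1007, "CUST-B", date(2022, 12, 31), "SPK-10", 2, 900, None),      # no shipping document
]
# Shipping document number -> shipment date (constructed).
SHIPPING_LOG = {
    "S-501": date(2022, 12, 27), "S-502": date(2022, 12, 29),
    "S-503": date(2022, 12, 30), "S-504": date(2022, 12, 31),
    "S-505": date(2022, 12, 31),  # shipped but never invoiced
    "S-506": date(2023, 1, 2),
}
APPROVED_PRICES = {"TV-55": 4200, "SPK-10": 900, "LAP-14": 7500}
APPROVED_CUSTOMERS = {"CUST-A", "CUST-B", "CUST-C"}


def missing_invoice_numbers(journal):
    """Completeness: gaps in the pre-numbered invoice sequence."""
    numbers = {row[0] for row in journal}
    return [n for n in range(min(numbers), max(numbers) + 1) if n not in numbers]


def duplicate_entries(journal):
    """Occurrence: identical journal rows recorded more than once."""
    return sorted({row[0] for row, count in Counter(journal).items() if count > 1})


def invoiced_without_shipment(journal, shipping_log):
    """Occurrence and cut-off: no shipping document, or invoice dated before shipment."""
    exceptions = set()
    for invoice_no, _, invoice_date, _, _, _, ship_doc in journal:
        shipped_on = shipping_log.get(ship_doc)
        if shipped_on is None or invoice_date < shipped_on:
            exceptions.add(invoice_no)
    return sorted(exceptions)


def price_exceptions(journal, approved_prices):
    """Accuracy: invoiced unit price differs from the approved price list."""
    return sorted({row[0] for row in journal if approved_prices.get(row[3]) != row[5]})


def unapproved_customer_sales(journal, approved_customers):
    """Occurrence: sales to customers not on the approved customer list."""
    return sorted({row[0] for row in journal if row[1] not in approved_customers})


def uninvoiced_shipments(journal, shipping_log):
    """Completeness: shipping documents that no invoice refers to."""
    return sorted(set(shipping_log) - {row[6] for row in journal})


def run_revenue_cycle_tests():
    """Run every test over the whole population and collect the exceptions."""
    return {
        "missing_invoice_numbers": missing_invoice_numbers(SALES_JOURNAL),
        "duplicate_entries": duplicate_entries(SALES_JOURNAL),
        "invoiced_without_shipment": invoiced_without_shipment(SALES_JOURNAL, SHIPPING_LOG),
        "price_exceptions": price_exceptions(SALES_JOURNAL, APPROVED_PRICES),
        "unapproved_customer_sales": unapproved_customer_sales(SALES_JOURNAL, APPROVED_CUSTOMERS),
        "uninvoiced_shipments": uninvoiced_shipments(SALES_JOURNAL, SHIPPING_LOG),
    }


if __name__ == "__main__":
    for test_name, exceptions in run_revenue_cycle_tests().items():
        print(f"{test_name}: {exceptions}")
```

Each exception is a lead for follow-up through tests of detail, not a quantified misstatement.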

Apply and Analyse 1


You are the auditor of Think Limited, which is a furniture manufacturer with a factory in
Dongguan, China. The growth of the furniture industry and the market demand for
furniture in China have remained at a minimal and steady level over the past few years.
Most of Think Limited’s sales are on credit, and the company has recognised a certain
level of doubtful debts over the past few years. During the planning of the audit for the
year ended 31 March 2021, you obtained the following financial information:


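| | 2020 HK$M | 2021 HK$M | Change HK$M | Change % |
|---|---|---|---|---|
| Revenue | 285 | 525 | 240 | 84 |
| Cost of goods sold | 242 | 350 | 108 | 45 |
| Gross profit | 43 | 175 | 132 | 307 |
| Accounts receivable | 75 | 232 | 157 | 209 |
| Accounts payable | 105 | 155 | 40 | 38 |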

Required:

a. Evaluate the risk of material misstatement relating to revenue and accounts
receivable for the year ended 31 March 2021.

b. Propose the audit procedures for the occurrence and accuracy assertions of
revenue, and the existence and valuation assertions of accounts receivable.

Analysis:

a. The risk of material misstatement lies in the occurrence and accuracy of revenue
and in the existence and valuation of accounts receivable. The occurrence of
revenue assertion is management’s assertion that the revenue transactions
recorded in the sales journal for the period occurred – they happened and they are
real transactions. Occurrence is not concerned with the value of the transaction.
The auditor must test both the occurrence and accuracy assertions as the
overstatement of revenue is always a high-level risk and overstatement of revenue
is a common fraud. Normally the existence and valuation of accounts receivable
are tested at the same time as the relevant revenue assertions because revenue
and accounts receivable controls are based on the same documents and policies –
e.g. sales orders, shipments, credit limits and invoices.

The question contains no information about controls over the overstatement
of revenue. Common controls that are relevant to both revenue and accounts
receivable include:

• Invoices are prepared and recorded after evidence of shipment of goods.

• Goods shipped are agreed to customer sales orders.

• Sales are made to approved customers.

• Customer credit limits are compared to outstanding balances before approval
of a sale.

• Sales prices are taken from an approved price list.

• Reconciliation of sales journal.



• New customer approval.

• Overdue accounts are referred to the credit manager.

Tests of these controls are noted below in part (b).

In the absence of control information, the analysis must focus on an analytical
review. Referring to the information provided in the question, the following points
stand out:

• Revenue has increased by 84% while the cost of goods sold has increased by
only 45%. Normally, we would expect similar increases, raising questions about
the occurrence of the revenue.

• Revenue has increased significantly while industry growth and market
demand have remained at a minimal and steady level. Normally, we would expect the
increase in revenue to be in line with industry growth and market demand.
Taken together, the points above result in a high risk of material misstatement in the
occurrence of the revenue.

• While revenue has increased by 84%, accounts receivable and its turnover days
have increased by 209% and 65 days respectively. Since the company recognised
doubtful debts in the past few years, the significant increase in accounts
receivable results in a high risk of material misstatement in the valuation of the
accounts receivable.

b. Propose the audit procedures for occurrence and accuracy of revenue and the
existence and valuation of accounts receivable.

Inquiries of management

• Explain the market situation. What has led to the significant increase in sales and
accounts receivable, and why is this same increase not reflected in the cost of goods
sold?

• Ask the credit manager:

1. About the collectability of accounts receivable, given the 209% increase over the
prior year.

2. About their assessment of bad and doubtful debts.

• Ask operational management about changes in the business’ operating procedures,
and how they dealt with the increased demand.

Tests of controls

• Match sales invoices to shipping documents and customer sales orders.

• Examine sales orders for evidence of approval and note dates to ensure that
invoicing followed shipping as required by HKFRS 15 Revenue from Contracts with
Customers.

• Agree customers to approved customer list. Review approval process.



• Compare customer accounts receivable balance with credit limits.

• Obtain approved price list. Review approval process.

• Inquire about the sales journal reconciliation.

• Review approval process of sales transactions.

• Inquire about new customer approval process.

• Inquire about credit policy and the role of the credit manager.

Comparisons

• Perform an industry comparison and analysis to document whether the change in
gross profit margin is in agreement with the current market trends and situation.

Substantive tests of detail

• Select invoices from the sales ledger and vouch transactions to shipping
documents, sales orders and the approved price list.

• Confirm specific sales with customers.

• Confirm accounts receivable balances or individual invoices with customers.

• Examine subsequent cash receipts.

• Check for duplicate entries in the sales journal.

• Verify arithmetical accuracy of sales invoices.

• Trace sales invoices to the sales journal.

• Cast the sales journal and trade receivables sub-ledger; reconcile both to the
general ledger accounts.

• Review the aging of the trade receivables and the adequacy of the allowance.

7.2 PURCHASES CYCLE

7.2.1 Key Accounts


Key accounts include:

• Inventory,

• Cost of goods sold,

• Trade payables, and

• Expenses.

Other accounts include:

• Purchase discounts;

• Purchase returns;

• Purchase allowances;

• Lower of cost and net realisable value provision; and

• Obsolescence provision.

7.2.1.1 Inventory
The diversity of items, volume of activity, risk of obsolescence, frequency of purchase returns
and allowances, and the existence of multiple valuation methods all contribute to the
complexity of accounting for inventory. Additionally, many types of inventory are easily stolen.
For example, GEM is an electronics retailer where inventory theft is a high-level inherent risk.

Inventory may be held at numerous locations including stores, warehouses and increasingly
at retailers’ premises. Difficulties may arise in accounting for inventory in-transit between
locations and in determining ownership rights where inventory is held on consignment or is
subject to repurchase agreements.

Specialised inventories like gems or oil reserves may require the assistance of an expert to
measure quantities or to value the stock.

A perpetual inventory system is an important control as it provides information about
current stock levels, items that require re-ordering, and slow moving and obsolete products.
Control of the perpetual inventory system is achieved through test counts and concurrent
inspection of goods.

Many manufacturers use standard costing systems to value their inventory. The audit of
the raw materials, work-in-process and finished goods inventory accounts of a manufacturing
business is complex. Issues include the accuracy of standard costs, disposition of standard cost
variances and accounting for joint products, by-products, scrap and wastage. Internal inventory
transfer requisitions are an important control.

7.2.1.2 The Purchases Cycle


The purchases cycle is involved in the purchase of inventory and a broad range of expense
items. The traditional approach to purchasing follows these six main steps:

1. A purchase requisition is completed and forwarded to the purchasing department
by user departments. The purchasing department should not be permitted to make
requisitions. Users’ budgetary allocations provide approval for purchases.

2. The purchasing department is responsible for identification and approval of vendors
(suppliers). The purchasing department negotiates the price and other terms, and
completes a pre-numbered purchase order (PO), which is submitted to the vendor,
to the accounting department, to the user/initiating department and to the ordering
department. Procedures should be in place to obtain the best price through competitive
tendering.

In some organisations, purchase orders are automatically generated when stock
levels reach an ‘economic order quantity’ or EOQ.

3. The supplier ships the goods and a (pre-numbered) goods received report is generated
when the goods arrive at the client’s warehouse or store. Warehouse/receiving staff
should agree the shipment with the PO.

4. The goods received report, PO and the vendor’s invoice are forwarded to the
accounting department who record the purchase (inventory or expense) and trade
payables. Many organisations employ a voucher system. A voucher is a (pre-numbered)
file established for each invoice received. The voucher contains the invoice, receiving
report and PO. Only completed vouchers should be posted to A/P.

5. The account is paid by credit card, cheque or electronic transfer according to the
purchase terms.

6. A key document for the auditor in the purchases cycle is the supplier statement, which
provides an independent monthly report on transactions and balances. Reconciliation
of the accounts payable balance with supplier statements is a key control.

7.2.1.3 The modern purchasing system


Used by many large organisations, this is part of an automated ‘supply chain management’
process. It is quite different from the traditional purchasing system. Here, repetitive purchases
of raw materials and components for manufacturing businesses, or of stock for retail
businesses, are governed by long-term supply contracts with preferred vendors.
Such systems permit the negotiation of favourable prices and other terms without risk
of interruption to delivery. Deliveries are based on production schedules or on suppliers
delivering quantities of goods based on turnover statistics provided by the purchaser. Suppliers
are paid on the basis of production, or on the basis of recorded sales at the retailer, rather
than for the quantity of goods actually delivered. This approach to purchases management
eliminates the need to account for deliveries.

In some instances, the supplier may be responsible for shelf stocking at the retailer’s
premises, effectively operating their own store within the retailer’s premises. Title to the
goods on the shelves at the retailer will not pass to the retailer until the goods are purchased
by a customer at the checkout. In effect, the retailer will never have rights to the goods and
ownership will pass from the supplier directly to the customer. In this situation, identification
and verification of inventories on consignment is an important audit issue. Very little of the
stock in a retail store may actually belong to the retailer (rights).

Suppliers will typically have monitoring controls for examination of stock at retailer
locations. In the absence of strong supplier controls, the auditor should confirm inventories
with the retailer or examine subsequent payments from retailers.

It is important that the auditor examines the contract between the supplier and retailer to
determine obligations to take delivery of merchandise or any buy-back obligations. Any unusual
circumstances regarding sales or purchases might require additional disclosure.

7.2.2 Risks
7.2.2.1 Materiality
Inventories are often the largest item in the statement of financial position and the cost of
goods sold the second largest item in the statement of profit or loss.

7.2.2.2 Misappropriation of Assets


Some inventory items are portable and can be sold online. Such items are often stolen by both
customers and employees. Large-scale thefts or thefts of large items by employees or others
are common.

Employees may make purchases from fictitious vendors (with payments flowing to
themselves) or collude with vendors to pay inflated prices and receive kickbacks.

Management and employees may pay for personal expenses (e.g. travel and entertainment)
with company funds.

Payments may be made to senior managers in the form of loans that are subsequently
forfeited.

7.2.2.3 Recognition
A key issue in the purchases cycle is appropriate recognition of the transaction – the point at
which the control of the inventory passes to the purchaser, along with the obligation to pay for
that purchase or the point at which the cost of goods sold is recognised for a sale.

7.2.2.4 Fraud
Inventory overstatement, with a matching cost of goods sold understatement, is a common
management fraud designed to overstate assets and profits. This may be achieved in several
ways:

• Where standard costing systems are employed, inventory valuations may be affected by
inaccurate overhead allocations or inappropriate adjustments for manufacturing cost
and efficiency variances.

• Another common fraud is the misclassification of expense items as inventory.

• Mislabeled or empty boxes (or even shipping containers) may masquerade as
inventory – auditors should look inside the box!

The most common financial statement frauds are overstatement of assets and revenues,
and understatement of liabilities and expenses. Accordingly, the assertions most at risk in the
purchases cycle are the existence of inventory and the completeness of accounts payable,
cost of goods sold and other expenses. (Reminder: vouching tests existence and tracing tests
completeness.)

Fraud indicators include:

• Inventory growing faster than sales.

• Gross margin above the industry average.

• Expenses above or below industry norms.

• Expense accounts with credit entries.

Fraudulent purchases are common, often involving collusion with suppliers.

7.2.2.5 Inventory Valuation Errors


Obsolescence is common, especially with short life-cycle products. The application of the ‘lower
of cost and net realisable value’ rule is subject to error. Indicators that a write-down is required
include a fall in selling prices, slow moving stock or obvious physical deterioration.

Different inventory valuation methods are used and may be misapplied (e.g. FIFO, weighted
average and/or standard costing). Standard costing systems commonly used in manufacturing
organisations are highly complex and subject to error, often because they are not updated in a
timely manner for changes to products or manufacturing processes.

Exhibit 7.5 below summarises the risks identified above, the perpetrator’s motivation and
the financial statement assertion(s) at risk of misstatement.

| Risk | Reason for fraud/theft | Assertions at risk |
| --- | --- | --- |
| Recording non-existent (fraudulent) purchases | Payments to employees masquerading as suppliers | Existence of inventory and trade payables |
| Late recognition of purchases (e.g. after the sale of the goods) | Overstatement of sales/profit/net assets | Occurrence of purchases; Completeness of trade payables and inventory |
| Failing to record purchases | Theft of inventory | Completeness of inventory and trade payables |
| Recording purchases above authorised prices | Receiving kickbacks from suppliers | Valuation of inventory and trade payables |
| Failing to record, or understating, the cost of goods sold; Recording expenses as inventory or other assets | Overstatement of profit/net assets | Existence of inventory; Completeness of cost of goods sold or expense accounts |
| Failing to record obsolete inventory or mark inventory items down to net realisable value | Overstatement of profit/net assets | Valuation of inventory; accuracy of cost of goods sold |
| Inaccurate standard costing systems or inaccurate application of FIFO or weighted average valuations | Misstatement of inventory | Valuation of inventory; accuracy of cost of goods sold |

EXHIBIT 7.5 Risk in the purchases cycle

7.2.3 Assertions, Controls and Tests of Controls


A useful control over purchasing is the supplier’s statement. Most suppliers submit monthly
statements and these can be used by the auditor to verify the existence and completeness of
trade payables. Segregation of the requisition, purchasing, recording and custody functions is
also an important control.

Where manufacturers use standard costing systems, costs of work-in-process and finished
goods inventories are based on engineering specifications. Auditors need to test controls
designed to ensure that the engineering specifications reflect the realities of the manufacturing
environment and that changes to specifications are approved. Where the standard cost system
generates large variances, controls over standard costs may be inadequate.

Exhibit 7.6 below identifies common controls in the purchases cycle and some of the ways
that the auditor might test those controls.

Inventory – key risk is overstatement (existence and valuation)

| Assertion | Control | Test of control |
| --- | --- | --- |
| Existence | Inventory count – cycle count of perpetual records or a full inventory count at year end or other time (see Section 7.2.5.1) | Review count procedures and attend stock count (see Section 7.2.5.1) |
| | Segregation of purchase requisition, approval, ordering, receiving, recording and custody of the inventory | Inquire about appropriate segregation of duties |
| | Authorised supplier database | Test purchase orders to authorised supplier listing |
| | Computer generated purchase orders | Inquire about review by purchasing department |
| | Matching of invoice, purchase order and receiving report before recording inventory (existence of a voucher system) | Test vouchers for completeness to ensure only goods received are recorded |
| Valuation | Procedures for identification of obsolete or slow-moving inventory – at count | Review procedures and observe application of these procedures |
| | An aging of inventory items | Test inventory aging and review procedures for the identification of obsolete items |
| | Voucher system as described above | Compare subsequent period sales price with recorded cost |
| | For manufacturers, the engineering specifications that determine the cost of products should be subject to timely review for relevance and accuracy and be subject to approval | Inquire about regular update of the specifications and the approval process |
| Completeness | Pre-numbered receiving reports, inventory transfer requisitions, purchase orders and vouchers | Sequence check of receiving reports, purchase orders and vouchers |
| | Reconciliation of inventory sub-ledger(s) with general ledger | Review evidence of reconciliation |
| Rights | Standard purchase terms; long-term supply contracts | Review purchasing policy and examine transactions or contracts to test compliance |

Accounts payable – key risk is understatement (completeness)

| Assertion | Control | Test |
| --- | --- | --- |
| Existence | Purchases are made from approved suppliers | Review approval process and test transactions for approved supplier |
| | Segregation of ordering, recording, payment and custody of the asset | Review segregation policy and duties |
| | The use of competitive tenders | Review purchasing policy |
| Valuation | Price is negotiated or based on long-term contracts | Review negotiation or competitive bidding process and test transactions for compliance and approval; Review terms of long-term purchase contracts |

EXHIBIT 7.6 Assertions, controls and tests of controls in the purchases cycle

Accounts payable – key risk is understatement (completeness)

| Assertion | Control | Test |
| --- | --- | --- |
| Completeness | Pre-numbered receiving reports | Sequence check of receiving reports |
| | Reconcile A/P balances to supplier statements | Observe reconciliation of supplier statements to A/P sub-ledger |
| Obligations | Authorisation of purchases | Agree supplier invoices to purchase orders and approved purchase requisitions |

Cost of goods sold – key risk is understatement (completeness)

Controls over purchases were described earlier – segregation, budgetary approval, competitive
tendering, voucher systems, etc. All of these controls are relevant to the cost of goods sold account.

Additionally, where the opening and closing balances of inventory are verified by the auditor, and the
purchase transactions are properly controlled and tested, then the balance of the cost of goods sold
can be directly calculated. Unexpected variations can be assessed through analytical procedures, as
explained in the following section.

In manufacturing organisations, appropriate disposition of material variances should be verified.

Expenses – key risk is understatement (completeness)

Operating expense and other expense items are acquired through the purchases cycle. Controls over
purchases were described earlier – segregation, budgetary approval, competitive tendering, voucher
systems, etc.

Many operating expenses are highly predictable and analytical procedures comparing these expenses
with budgets and with prior periods provide reliable audit evidence. These analytical procedures are
described in the following section.

Some expense categories are less predictable and are high risk. Examples include travel and
entertainment expenses, marketing expenses and research and development expenses. These
expenses may change significantly from year to year depending on the priorities of management and
available resources. The audit approach required here is like that required for management estimates.
Important controls include documentation, approvals and company guidelines on appropriate
expenditure. All of these controls should be tested.

In addition, the auditor should examine all credits to expense accounts. Where material, these entries
should be investigated for theft and fraud.

In manufacturing organisations, many expenses are classified as manufacturing overheads and
allocated to work in process or finished goods inventories per engineering specifications. Where
material, the appropriate classification of overheads and other expenses should be reviewed, and the
reasonableness of the overhead allocation to products should be tested.

EXHIBIT 7.6 (Continued)

7.2.4 Analytical Procedures


Analytical procedures are particularly useful for the cost of goods sold because of the
predictable relationship between the cost of goods sold and sales. The same applies to many
other expense accounts.

Simple comparisons:

• All the accounts in the purchases cycle are compared in dollar and percentage terms
with prior years’ audited balances, with industry norms and with the current budget.

• A common-size statement of profit or loss and other comprehensive income can aid in
identifying the cost of goods sold or other expense accounts that are inconsistent with
the auditor’s expectations.

• Growth in inventory and trade payables can be expected to be consistent. Similarly,
growth in inventory should reflect sales growth.

Multi-period comparisons:

• As GEM has grown substantially over the years, both in terms of number of stores and
sales per store, a multi-year trend analysis might be useful in establishing expectations
for inventory, cost of goods sold, expenses and payables growth. Other independent
variables like the strength of the local economy or household disposable incomes
should be used to establish the auditor’s expectations. Where particular stores fail to fit
the overall trend, further enquiries are necessary to explain deviations.

• Regression analysis over multiple periods is a very useful technique in identification of
errors in these same accounts. Month end inventory and A/P should be regressed on
sales and outliers reviewed for errors.

Comparisons of financial ratios – Key financial ratios associated with the purchases cycle
should be compared to the prior year. These include:

• Gross profit margin,

• Inventory turnover and

• Purchase returns as a percentage of purchases.


Other comparisons: Cross-sectional regression analysis of stores (in contrast to time-series
regression) of the relationship between inventory and cost of goods sold would identify stores
with unusual results (outliers) for further investigation.
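
The cross-sectional regression described above, as an added example that is not part of the original text: each store's closing inventory is compared with the level predicted from its cost of goods sold by a line fitted to the other stores. The store figures, the leave-one-out fit and the cut-off of three standard errors are assumptions made for the illustration.

```python
"""Cross-sectional regression of store inventory on cost of goods sold.

Constructed sample data: store ids, figures and the cut-off of 3 standard
errors are assumptions for illustration, not taken from the GEM case.
"""
from math import sqrt

# (store id, cost of goods sold, closing inventory) in HK$'000 -- constructed
STORES = [
    ("S01", 14200, 2510), ("S02", 15800, 2790), ("S03", 13100, 2330),
    ("S04", 16900, 2960), ("S05", 15100, 2680), ("S06", 14700, 3650),
    ("S07", 16200, 2850), ("S08", 13900, 2470), ("S09", 15500, 2720),
    ("S10", 14900, 2640),
]


def fit_line(points):
    """Ordinary least squares for y = a + b*x over (x, y) pairs."""
    n = len(points)
    mean_x = sum(x for x, _ in points) / n
    mean_y = sum(y for _, y in points) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in points)
    if sxx == 0:
        raise ValueError("all x values are equal; the slope is undefined")
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in points)
    slope = sxy / sxx
    return mean_y - slope * mean_x, slope


def standard_error(points, intercept, slope):
    """Residual standard error of the fitted line (n - 2 degrees of freedom)."""
    sse = sum((y - (intercept + slope * x)) ** 2 for x, y in points)
    return sqrt(sse / (len(points) - 2))


def flag_outliers(stores, threshold=3.0):
    """Return (store, expected, actual, score) for stores off the trend.

    Each store is compared with a line fitted to the *other* stores, so a
    badly misstated balance cannot pull the expectation towards itself.
    """
    if len(stores) < 5:
        raise ValueError("need at least 5 stores for a meaningful fit")
    flagged = []
    for i, (store, cogs, inventory) in enumerate(stores):
        others = [(x, y) for j, (_, x, y) in enumerate(stores) if j != i]
        intercept, slope = fit_line(others)
        expected = intercept + slope * cogs
        spread = standard_error(others, intercept, slope)
        deviation = inventory - expected
        if spread == 0:
            score = 0.0 if deviation == 0 else float("inf")
        else:
            score = abs(deviation) / spread
        if score > threshold:
            flagged.append((store, round(expected), inventory, round(score, 1)))
    return flagged


if __name__ == "__main__":
    for store, expected, actual, score in flag_outliers(STORES):
        print(f"{store}: expected about {expected}, recorded {actual}, "
              f"{score} standard errors from the trend")
```

A flagged store is a prompt for inquiry and further substantive work on existence and valuation, not a finding of misstatement in itself.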

Illustrative Example 2
As shown in the table below, trade payables have increased by 18.5%. This is somewhat
consistent with the inventory increase of 14.6%. Inquiries should be made about the
difference.

While inventory has increased by 14.6%, inventory per store is up by just 8.7% and
inventory turnover has dropped by 5.1%. As noted earlier, where inventory has increased,
a risk of overstatement exists. The reduced turnover is also an indicator of this risk.

Overstatement of inventory is associated with understatement of COGS and a
consequent overstatement of profit. Fraud risk in inventory should be considered, as
should the risk of inventory obsolescence in this short product life-cycle business. If control
risk is medium or high, additional substantive procedures related to inventory existence
and valuation should be undertaken.

The major expense categories in the Statement of Profit and Loss are Sales and
Marketing, Occupancy and Administration. The first two have increased by 8% and 9.4%
respectively. This is consistent with the increase in sales of 8.4% and cost of goods sold of
7.5%. The increase in the number of stores is just 5.3%, however, and inquiries should be
made in this respect. Administration expenses have not changed from the prior year and,
again, inquiries should be made.

GEM Purchases cycle analytical review

GEM Account comparisons

| Accounts | 20X2 (HK$,000) | 20X1 (HK$,000) | Growth % |
| --- | --- | --- | --- |
| Cost of sales | 3090 | 2850 | 8.4 |
| Gross profit | 860 | 800 | 7.5 |
| Net Profit | 186 | 174 | 6.9 |
| Inventory | 550 | 480 | 14.6 |
| Trade payables | 385 | 325 | 18.5 |
| Sales and marketing | 405 | 375 | 8.0 |
| Occupancy | 175 | 160 | 9.4 |
| Admin | 25 | 25 | 0 |
| Stores | 200 | 190 | 5.3 |

GEM Ratio comparisons

| Ratios | 20X2 % | 20X1 % | Growth % |
| --- | --- | --- | --- |
| Gross profit margin | 21.7 | 21.9 | –0.9 |
| Inventory TO* | 5.6 | 5.9 | –5.1 |
| Inventory/store | 2.75 | 2.53 | 8.7 |

* Calculated as (COGS/Ending inventory) due to lack of 20X0 data.

7.2.5 Audit Assertions and Tests of Details


The fifth part of the purchases cycle audit programme identifies common substantive tests of
details for each relevant audit assertion (Exhibit 7.7).

Substantive tests of details for inventory

| Assertion | Substantive test of detail |
| --- | --- |
| Existence | Vouch entries from the inventory sub-ledger to vouchers and supporting documents (invoices, purchase orders and receiving reports) |
| | Examine purchase vouchers to ensure they include all required documentation and check the voucher sequence for duplicates |
| | Review the inventory count procedures (see Section 7.2.5.1); observe the count; test inventory count; trace count to inventory sub-ledger |
| | Where material amounts of inventory are held at multiple locations, or held by others on consignment, consider visiting these locations to perform a test count or sending confirmation letters to the custodians |
| | Where manufacturers use standard cost systems, management’s estimation of the stage of completion of the work-in-process inventory is important in determining existence and completeness. The auditor should make enquiries about this process and observe selected WIP inventory at the year end to confirm management’s estimates |

EXHIBIT 7.7 Substantive tests of details for the purchases cycle

Substantive tests of details for inventory

| Assertion | Substantive test of detail |
| --- | --- |
| Valuation and allocation | Vouch entries in the inventory sub-ledger to vouchers and supporting purchase orders, supplier invoices and supplier statements |
| | Review subsequent year sales to ensure recorded inventory cost is below net realisable value |
| | Review procedures to identify and mark down or write off obsolete inventory. Review write-off and trace to inventory sub-ledger |
| | Inspect inventory for evidence of age (dust, damage or date labels) during the count |
| | Create, or test, the inventory aging |
| | Where manufacturers use standard cost systems, the auditor must ensure that the standard costs as detailed in the engineering specifications are updated to reflect current material, labour and overhead costs, and that overhead allocations are reasonable |
| Completeness | Select inventory from the floor and trace to the inventory listing |
| | Total inventory sub-ledger and trace to the general ledger (‘Total’ is used in this chapter along with the synonyms ‘cast’, ‘foot’ and ‘add’. All are common accounting terms. Warning: Auditors must ensure that client software totals are tested. It should never be assumed that computer generated totals are accurate. They are completely dependent on the software. A client’s inventory ‘total’ could be the total of the sub-ledger plus an extra HK$5M. The same fraud might exist in any account.) |
| | Review voucher sequence for missing items. Trace vouchers to sub-ledger |
| | Review receiving report sequence for missing items. Trace receiving reports to vouchers |
| | Make inquiries about inventories held at other locations and inventory on consignment. Confirm inventories held remotely |
| | Inquire about expected returns and test significant transactions in the purchase returns and allowances account |
| Cut-off | Check year-end purchases and sales cut-off. Review especially shipments received or sent near the year-end |
| | Review purchase and sales terms and contracts |
| Rights | Identify related party transactions and review terms |
| | Review purchase and sales terms and contracts |
| | Inquire about customer’s rights to return merchandise |
| Presentation/disclosure | Review disclosure of the inventory valuation method |
| | Review correct classification – current or long-term |

Substantive tests of detail for accounts payable

| Assertion | Substantive test of detail |
| --- | --- |
| Existence | Vouch entries in the accounts payable sub-ledger to vouchers and supporting documents: supplier invoices, purchase orders and receiving reports |
| | Review the reconciliation, or reconcile, year-end payables balances to supplier statements |
| | Examine purchase vouchers to ensure they include all required documentation and check the voucher sequence for duplicates |
| | Examine subsequent cash payments and reconcile to the accounts payable sub-ledger |

EXHIBIT 7.7 (Continued )

Substantive tests of details for accounts payable

| Assertion | Substantive test of detail |
| --- | --- |
| Valuation | Vouch trade payables entries to vouchers and supporting documents: purchase orders, supplier invoices and supplier statements |
| Completeness | Total trade payables sub-ledgers and trace to the general ledger |
| | Inquire about expected returns and review the purchase returns and allowances account |
| | Review voucher sequence for missing items. Trace vouchers to the sub-ledger |
| | Review receiving report sequence for missing items. Trace receiving reports to vouchers |
| | Reconcile supplier balances to supplier statements |
| | Confirm supplier balances from the accounts payable listing with suppliers. As the main risk of misstatement for accounts payable is an understatement, suppliers should be selected for confirmation randomly from the current period’s sub-ledger and also from the prior period’s records. Any supplier with a material balance in the prior period but a low or zero balance in the current period might be understated and should be included. Previously active but currently low or zero balance suppliers should provide confirmations and also provide evidence of existence, obligations and valuation (see Chapter 6, Section 6.4.3 for a discussion of confirmations) |
| Cut-off | Check year-end purchases cut-off; review especially shipments received prior to the year-end |
| Obligations | Identify related party transactions and review terms |
| | Review purchase terms and contracts with suppliers |
| | Inquire about rights to return merchandise to suppliers |
| Presentation/disclosure | Review correct classification – current or long-term |

EXHIBIT 7.7 (Continued)
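
Several of the tests of details listed in Exhibit 7.7 can be run over a voucher register in one pass: the sequence checks for missing and duplicated numbers, the match of supplier invoice to purchase order and receiving report, and an independent re-cast of the total instead of relying on the figure the client's software prints. The following is an added example, not part of the original text; the register, field names, exception codes and the client-reported total are constructed for the illustration.

```python
"""Document tests for a voucher register: sequence, three-way match, re-cast.

All records are constructed sample data; the field names, exception codes and
the client-reported total are assumptions for illustration.
"""
from collections import Counter
from decimal import Decimal
from typing import NamedTuple, Optional


class Voucher(NamedTuple):
    no: int                 # pre-numbered voucher
    po_qty: int             # quantity on the purchase order
    po_price: Decimal       # approved unit price on the purchase order
    grr_no: Optional[int]   # goods received report number, None if absent
    grr_qty: int            # quantity counted in at receiving
    inv_qty: int            # quantity on the supplier invoice
    inv_price: Decimal      # unit price on the supplier invoice


D = Decimal
VOUCHERS = [  # constructed register as posted to the A/P sub-ledger
    Voucher(1001, 10, D("120.00"), 501, 10, 10, D("120.00")),
    Voucher(1002, 5, D("80.00"), 502, 5, 5, D("80.00")),
    Voucher(1003, 20, D("15.50"), None, 0, 20, D("15.50")),  # no receiving report
    Voucher(1005, 8, D("45.00"), 504, 8, 8, D("49.50")),     # price above the PO
    Voucher(1002, 5, D("80.00"), 502, 5, 5, D("80.00")),     # posted twice
    Voucher(1006, 12, D("30.00"), 505, 10, 12, D("30.00")),  # short delivery
]
CLIENT_REPORTED_TOTAL = D("3566.00")  # total printed by the client's software


def sequence_exceptions(numbers, first=None, last=None):
    """Return (missing, duplicated) numbers in a pre-numbered series.

    Pass first/last from the cut-off records noted at the count; without
    them a gap at either end of the series cannot be seen.
    """
    present = Counter(n for n in numbers if n is not None)
    if not present:
        return [], []
    low = min(present) if first is None else first
    high = max(present) if last is None else last
    missing = [n for n in range(low, high + 1) if n not in present]
    duplicated = sorted(n for n, count in present.items() if count > 1)
    return missing, duplicated


def three_way_match(v):
    """Compare invoice with purchase order and receiving report."""
    issues = []
    if v.grr_no is None:
        issues.append("NO_GRR")              # existence: nothing shows receipt
    elif v.inv_qty > v.grr_qty:
        issues.append("QTY_ABOVE_RECEIVED")  # billed for goods not received
    if v.inv_qty > v.po_qty:
        issues.append("QTY_ABOVE_PO")        # more than was ordered
    if v.inv_price > v.po_price:
        issues.append("PRICE_ABOVE_PO")      # valuation: above authorised price
    return issues


def recast(vouchers):
    """Independently total the register from quantity x invoice price."""
    return sum((v.inv_qty * v.inv_price for v in vouchers), D("0.00"))


def review_register(vouchers, reported_total):
    """Run all three tests and collect the exceptions for follow-up."""
    missing_v, dup_v = sequence_exceptions([v.no for v in vouchers])
    missing_g, dup_g = sequence_exceptions([v.grr_no for v in vouchers])
    matches = [(v.no, three_way_match(v)) for v in vouchers]
    return {
        "missing_vouchers": missing_v,
        "duplicate_vouchers": dup_v,
        "missing_receiving_reports": missing_g,
        "receiving_reports_used_twice": dup_g,
        "match_exceptions": [(no, issues) for no, issues in matches if issues],
        "unexplained_total_difference": reported_total - recast(vouchers),
    }


if __name__ == "__main__":
    for finding, detail in review_register(VOUCHERS, CLIENT_REPORTED_TOTAL).items():
        print(f"{finding}: {detail}")
```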

Apply and Analyse 2


Assume you are an audit senior assigned to the audit of Greenwood Ltd, a clothing retailer.
This is a highly competitive industry sector, but Greenwood’s sales have increased by 20%
in the last 12 months because Greenwood opened several new stores.

You have been asked to audit Greenwood’s inventory. The closing balances of the
inventory account at 30 June were:

| 20X8 | 20X7 | 20X6 |
| --- | --- | --- |
| HK$ 1,256,000 | HK$ 1,456,000 | HK$ 1,500,000 |

(a) Identify four substantive tests of details you would use to verify the balance in the
Inventory account as at 30 June 20X8.

(b) For each test that you have identified in part (a), describe the assertion(s) being
tested.

(c) Identify the type of evidence you will gather for each of the tests you identified in
part (a).

Analysis

| Test (a) | Assertion (b) | Type of Evidence (c) |
| --- | --- | --- |
| Observe stock take | Existence | Physical inventory items and documented count procedures |
| Select some inventory items from the sub-ledger, verify the quantity in the warehouse | Existence | Physical inventory items |
| Compare cost to current sales price | Valuation and allocation | Document – recent sales invoices |
| Check deliveries around year-end and trace to posting in the correct accounting period | Cut-off (existence and completeness) | Document – shipping documents (sales); receiving reports (purchases) |
| Check the reconciliation of the inventory control account to the sub-ledger | Valuation and allocation | Document – ledger and sub-ledger |
| Check the casting of the inventory sub-ledger | Valuation and allocation | Re-calculation |

7.2.5.1 Inventory Count


HKSA 501 Audit Evidence – Specific Considerations for Selected Items states that where inventory
is material, auditors must obtain sufficient appropriate audit evidence regarding its existence
and condition by attending the physical inventory count, unless this is impracticable. Other
audit procedures are also performed by the auditors over the entity’s final inventory records to
determine whether they accurately reflect actual inventory count results.

Depending on the auditor’s risk assessment, audit approach and the other procedures
carried out, procedures performed during the attendance at physical inventory counting can be
tests of control or substantive procedures.

Ensuring that inventory figures in the accounts represent inventory that exists and
inventory that is owned by the entity is always a responsibility of management. Attendance
at an inventory count gives evidence of the existence (though not necessarily ownership) of
inventory and assists in identifying obsolete, damaged or out-of-date stock.

The count may be completed at year-end, at an interim date, or continuously throughout
the year (a perpetual inventory system). Where an interim date is chosen, roll-forward
(or roll-back) procedures are required.

If a perpetual inventory system is used, auditors will verify that management does the
following:

(a) Maintains adequate and up-to-date inventory records.

(b) Counts all inventory items at least once a year and has adequate procedures for
inventory counts and test-counts.

(c) Controls inventory movements during the count.

(d) Investigates and corrects all material differences.

(e) Segregates inventory recording, authorisation of changes and access.

With a perpetual inventory system, the auditor focuses on tests of controls, but will also
attend one or more counts as appropriate.

Planning the Auditor’s Attendance

Before the physical inventory count the auditors should review the permanent file, the prior
year’s audit file and the current file’s inventory risk analysis. Items of interest include:

• The count instructions.

• The nature and volume of the inventory.

• Risks:

  ◦ Inventories at multiple locations,

  ◦ Inventories of small size but high value or that are easily transportable and
    otherwise subject to theft,

  ◦ Items with similar appearance,

  ◦ Inventories requiring special storage,

  ◦ Inventories requiring special knowledge to value.

• Method of accounting for inventory:

  ◦ Manufactured goods that require identification of stage of completion for work in
    process and allocation of overhead costs to finished goods.

• Internal controls and the inventory accounting system.

• Arrangements to obtain confirmation of inventory held by others.

Attendance procedures

During the count, the auditors should:

• Check the count is being carried out according to instructions,

• Carry out test counts,

• Scan for third party inventory and cut-off problems.

In the case of work-in-progress, its stage of completion should be noted to ensure that it is
later valued appropriately.

When carrying out test counts the auditors should select items from the management’s
count records and from the physical inventory and check one to the other. Tracing and
vouching provide evidence for completeness and existence. The auditors should concentrate
on high value inventory.

The auditor should observe:

• Restriction of inventory movements during the count.

• Identification of damaged, obsolete, slow-moving, third party and returnable inventory.

• Serial numbering, control, approval and return of all inventory count sheets.

• Recording of last numbers of goods inwards and outwards records and of internal
transfers to assist in verifying cut-off.

Documentation of count procedures

The auditor should document details of observations and tests including:

• Details of test counts performed.

• Results of cut-off tests.

• Identification of obsolete or consignment stock.

• The manner in which points that are relevant and material to the inventory being
counted or measured have been dealt with by the entity.

• Observations of the client’s count procedures including instances where the entity’s
procedures have not been satisfactorily carried out.

• Items for subsequent testing.

• The auditors’ conclusions regarding the count.

Follow-up

• Trace items that were test counted to final inventory listing.

• Observe whether all count records including consignment inventories have been
included in the final inventory listing.

• Vouch the final inventory listing to the count records.

• Ensure that perpetual inventory records have been adjusted to the amounts physically
counted or measured.

• Confirm the cut-off by checking sales invoices and supplier invoices.

• Review replies from third parties about inventory held by, or for, them.

• Confirm that the final valuation of inventory has been calculated correctly.

7.3 PAYROLL

7.3.1 Key Account


The key account is payroll expense.

Other accounts include:

• Payroll liability;

• Commissions;

• Bonuses;

• Holiday pay, other leave;

• Pension or medical liabilities.

7.3.1.1 The Payroll Process


The payroll system is similar to the purchases system. Payments are made to authorised
suppliers – the employees – for contracted services. However, it is discussed separately from
purchases both because it is material and because the personnel and payroll systems are
normally separated from the purchases system. In many organisations, payroll is outsourced.

The traditional approach to payroll is based on the following documents:

• Personnel record – personal details of employees;

• Deduction authorisations – pension, union, etc.;

• Time record for hourly employees, output for piece-rate employees;

• Remittance advice;

• Payroll journal – records payroll for each pay period;

• Earnings record – records payroll to date for the entity’s financial year;

• Statement of earnings – taxation year return for the employee; and


• Payroll tax return – entity taxation year return for the Inland Revenue.

7.3.2 Risks
7.3.2.1 Materiality
Payroll is a major expense category for many entities. As payroll is paid frequently, associated
liabilities for wages, salaries and payroll deductions like tax, holiday pay and pensions are less
likely to be material. Key risks are existence – overpayment to fraudulent employees or to
management personnel – and completeness – underpayment of employees (wage theft).

7.3.2.2 Misappropriation of Assets


A common fraud is a ‘horse on the payroll’ – meaning that fraudulent employees will appear
on the payroll master file and will be paid a regular salary. This ‘person’ might be a relative of
the payroll manager or accountant, or an alias used by these individuals to make unauthorised
payments to themselves or accomplices.

Managers may approve excessive payments to employees and demand kickbacks from
those employees.

Underpayment of employees (wage theft) occurs when employees are not paid for
overtime or actual hours worked, or are paid an hourly rate less than that in their employment
agreement.

Another form of misappropriation is unauthorised payments to senior managers including
bonuses, loans that are subsequently forgiven, and travel or entertainment expenses.

7.3.2.3 Fraud
Fraud can take these forms:

• Recording payroll expenses as inventory or other assets with the aim of understating
expenses and overstating profits.

• Fraudulent employees on the payroll.

• Failure to record payroll-related liabilities – pension, etc.

Fraud indicators include:

• Inventory growing faster than sales.

• Gross margin above the industry average (due to understatement of payroll expense).

• Payroll expenses above or below industry norms.

• Payroll expense accounts with credit entries.

Exhibit 7.8 below summarises the risks identified above, the perpetrator’s motivation and
the financial statement assertion(s) at risk of misstatement.

| Risk | Reason for fraud/theft | Assertions at risk |
|---|---|---|
| Wage/salary payments to fictitious employees; payment of unauthorised expenses | Misappropriation of assets | Occurrence of payroll expense |
| Late recognition of payroll expense at year end; recording payroll expenses as inventory | Overstatement of sales/profit/net assets | Completeness of payroll; cut-off of payroll expense and liability |
| Underpayment of employees by paying a low rate or failing to pay for all hours worked | Wage theft | Completeness of payroll |

EXHIBIT 7.8 Risk in payroll

7.3.3 Assertions, Controls and Tests of Controls


The main control over payroll transactions is the segregation of duties between the personnel
department (also called Human Resources), the payroll department and accounting. Personnel
is responsible for authorisation of employees and payroll for their payment. Personnel
maintains a ‘personnel master file’. Access to this file should be restricted. Periodic review of
changes to the file should be carried out by a personnel manager with no access privileges. The
segregation between personnel and payroll minimises fraudulent payments to non-existent
employees – though of course collusion is always an issue in fraud and is not easily controlled.

Wages and salaries expenses are normally well controlled. For employees paid hourly
wages, time records are kept through the use of electronic security identification cards and
are approved by supervisors. Approved time records are forwarded to payroll who calculate
wages, appropriate deductions from wages and other payroll-related expenses as specified in
the personnel master file. This calculation process may be automated. For salaried employees,
payments are similarly made by reference to data in the personnel master file.

The payroll is subject to computer edit checks of the employee number and limit checks
on hours and wages. The completed payroll is paid through electronic bank transfers. Bank
transfers should be authorised by a senior finance manager who is not involved in preparing
the payroll. Whether paid by transfer or cheque, a separate bank account should be set up and
all payroll payments made through this to control payments and facilitate reconciliation.

This section does not address control issues that arise when employees are paid in cash.
This procedure introduces many control risks and is seldom used.

7.3.3.1 Outsourcing to a Service Organisation


Many organisations outsource their payroll function to service organisations such as banks.
HKSA 402 Audit Considerations Relating to an Entity Using a Service Organisation expands on
how HKSA 315 (Revised 2019) Identifying and Assessing the Risks of Material Misstatement is
applied in understanding the control risk associated with a service organisation. The auditor
must understand the services provided and how they impact on the client’s internal controls
over transactions and the financial statements. The auditor’s risk assessment activities
are discussed in Chapter 5 Section 5.5 and the use of service organisations in Chapter 8
Section 8.3.4.

Exhibit 7.9 identifies assertions relevant to payroll, relevant controls and tests of controls.

Payroll – key risks are overstatements through misappropriation of assets
(occurrence and accuracy) and fraudulent understatements (completeness)

| Assertion | Control | Test |
|---|---|---|
| Occurrence | Segregation of payroll and personnel functions | Inquire about segregation |
| | Authorisation of entries and changes to the personnel file – particularly for starters and leavers | Select active employees from the personnel file and confirm their existence |
| | Approval of time cards or piecework counts | Examine time cards for evidence of approval |
| | Approval of bank transfers or cheque payments by senior finance manager | Inquire re bank transfer approval |
| | Process to remove ‘leavers’ from personnel file | Review ‘leaver’ process |
| Accuracy | Segregation of payroll preparation | Review payroll preparation to ensure that the preparer is independent and has no access to cash or the ability to change the personnel file |
| | Appropriate authorisations of salaries/wages and withholdings including both supervisory review and independent reconciliation of the payroll record to the bank | Review authorisation and reconciliation procedures and test evidence of their performance |
| | Comparison of budget to actual payroll | Enquire about comparisons. Review variances |
| Completeness | Reconciliation of the HR personnel file to the employee earnings record for the year | Review reconciliation |
| | Process to record ‘starters’ | Review ‘starter’ process. Observe evidence of approval of starters |
| Cut-off | Process for recording starting and leaving employees | Review process; select starters and leavers from personnel records and vouch their payroll entries to their personnel records and salaries or time cards to verify their pay |
| | Allocation of end of year payroll | Inquire about allocation process |

EXHIBIT 7.9 Assertions, controls and tests of controls in payroll

7.3.4 Analytical Procedures


Analytical procedures are particularly useful for payroll because of the predictable relationships
that often exist between payroll, personnel numbers and sales.

Simple comparisons – All payroll accounts are compared in dollar and percentage terms
with prior years’ audited balances, with industry norms and with the current budget.

Multi-period comparisons – As GEM has grown substantially over the years both in
terms of number of stores and sales per store, a multi-year trend analysis might be useful in
establishing expectations for payroll. Other independent variables, like the strength of the local
economy, household disposable incomes or the inflation rate, might also be used to establish
expectations.

As payroll is paid bi-weekly or monthly, regression analysis over multiple periods is useful.
Payroll can be compared with the number of employees, production or sales, whichever is most
appropriate. Outliers are often indicative of errors.

Comparisons of financial and other ratios include:

• Wages per employee;

• Hours worked per employee.
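
The multi-period regression described above can be run as follows. This is an added example, not part of the original text: the monthly figures are constructed, and the 5% investigation threshold and the use of a Theil-Sen (median-of-slopes) fit in place of ordinary least squares, so that the outlier being looked for does not pull the expectation towards itself, are assumptions.

```python
from statistics import median

# Constructed monthly data (not from the text): (period, headcount, recorded payroll in HK$).
# Payroll follows roughly HK$20,000 fixed plus HK$3,000 per employee; 2022-07 is inflated.
MONTHLY_PAYROLL = [
    ("2022-01", 100, 320_300), ("2022-02", 104, 331_800), ("2022-03", 108, 344_100),
    ("2022-04", 112, 355_700), ("2022-05", 116, 368_200), ("2022-06", 120, 379_900),
    ("2022-07", 124, 437_000), ("2022-08", 128, 404_300), ("2022-09", 132, 415_800),
    ("2022-10", 136, 428_100), ("2022-11", 140, 439_700), ("2022-12", 144, 452_200),
]


def theil_sen_fit(xs, ys):
    """Robust line fit: median of all pairwise slopes, then the median intercept."""
    slopes = [(ys[j] - ys[i]) / (xs[j] - xs[i])
              for i in range(len(xs)) for j in range(i + 1, len(xs))
              if xs[j] != xs[i]]
    if not slopes:
        raise ValueError("need at least two periods with different headcounts")
    slope = median(slopes)
    intercept = median(y - slope * x for x, y in zip(xs, ys))
    return slope, intercept


def payroll_exceptions(periods, threshold=0.05):
    """Return the periods whose recorded payroll differs from the expectation
    (fitted on headcount) by more than `threshold`, for follow-up by the auditor."""
    xs = [headcount for _, headcount, _ in periods]
    ys = [recorded for _, _, recorded in periods]
    slope, intercept = theil_sen_fit(xs, ys)
    findings = []
    for period, headcount, recorded in periods:
        expected = intercept + slope * headcount
        deviation = (recorded - expected) / expected
        if abs(deviation) > threshold:
            findings.append({
                "period": period,
                "recorded": recorded,
                "expected": round(expected),
                "deviation": round(deviation, 3),
                # Ratio listed in the text: wages per employee for the period.
                "wages_per_employee": round(recorded / headcount),
            })
    return findings


if __name__ == "__main__":
    for finding in payroll_exceptions(MONTHLY_PAYROLL):
        print(finding)
```

A flagged period is a starting point for tests of details (for example, recalculating that period's payroll), not evidence of misstatement in itself.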

7.3.5 Audit Assertions and Tests of Details


The fifth part of the payroll audit programme identifies common substantive tests of details for
each relevant audit assertion (Exhibit 7.10).

| Assertion | Substantive test of detail |
|---|---|
| Occurrence | To identify leavers who are still being paid, or non-existent employees, vouch wages and salaries expense to the payroll journal and to the personnel master file |
| | Select leavers from the personnel file and verify their termination date and termination payment. Review subsequent periods for further payments |
| | Scrutinise payroll and investigate unusual or large entries |
| | Observe time recording procedures; review approval process |
| Accuracy | Vouch senior management salaries and bonuses to board minutes. |
| | Vouch employee pay rates to the personnel file and to the employment agreement, and hours worked to approved time cards. Recalculate gross pay, withholdings and net pay. Pay particular attention to periods when the normal payroll clerk was absent and when pay periods are of unusual lengths (end of month or year, or public holidays). Analytical review procedures as described above can identify periods of interest. |
| | Agree the payroll records to information on the annual return to the Inland Revenue Department. |
| Completeness | Review payroll accruals for other liabilities such as pension obligations. Recalculate the material (normally apply an analytical review). Reconcile the payments in the payroll journal with the bank statement. Prove the bank reconciliation. |
| | Wage theft is a key issue. Note the ‘recalculation’ procedure listed under accuracy above – which is also a test for completeness. |
| Cut-off | Ensure the first payroll for the subsequent period is appropriately allocated to the current period (normally, a bi-weekly payroll will pertain to days in both periods). |

EXHIBIT 7.10 Substantive tests for the payroll cycle
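
Where the payroll journal and personnel master file are available as data, the occurrence and accuracy tests in Exhibit 7.10 can be re-performed over the whole population rather than a sample. The sketch below is an added example, not part of the original text: the record layouts, the employee data and the flat hourly rate (no overtime premium or withholdings) are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class Employee:                      # one row of the personnel master file
    hourly_rate: Decimal             # rate per the employment agreement
    started: date
    terminated: Optional[date] = None


@dataclass(frozen=True)
class PayEntry:                      # one row of the payroll journal
    emp_id: str
    period_start: date
    period_end: date
    approved_hours: Decimal          # per supervisor-approved time cards
    gross_paid: Decimal


def vouch_payroll(journal, master, tolerance=Decimal("0.01")):
    """Vouch each journal entry to the master file and recalculate gross pay.
    Returns (employee id, finding, amount) for every exception."""
    findings = []
    for entry in journal:
        emp = master.get(entry.emp_id)
        if emp is None:                                   # possible fictitious employee
            findings.append((entry.emp_id, "NOT_ON_MASTER", entry.gross_paid))
            continue
        if emp.terminated is not None and entry.period_start > emp.terminated:
            findings.append((entry.emp_id, "PAID_AFTER_TERMINATION", entry.gross_paid))
            continue
        if entry.period_end < emp.started:
            findings.append((entry.emp_id, "PAID_BEFORE_START", entry.gross_paid))
            continue
        difference = entry.gross_paid - emp.hourly_rate * entry.approved_hours
        if difference > tolerance:
            findings.append((entry.emp_id, "OVERPAID", difference))
        elif difference < -tolerance:                     # possible wage theft
            findings.append((entry.emp_id, "UNDERPAID", difference))
    return findings


# Constructed sample data (not from the text).
MASTER = {
    "E001": Employee(Decimal("80"), date(2020, 3, 1)),
    "E002": Employee(Decimal("75"), date(2021, 6, 14), terminated=date(2022, 9, 30)),
    "E003": Employee(Decimal("90"), date(2019, 1, 7)),
}
P1 = (date(2022, 10, 3), date(2022, 10, 16))
P2 = (date(2022, 10, 17), date(2022, 10, 30))
JOURNAL = [
    PayEntry("E001", *P1, Decimal("80"), Decimal("6400")),   # agrees
    PayEntry("E002", *P1, Decimal("80"), Decimal("6000")),   # leaver still paid
    PayEntry("E003", *P1, Decimal("88"), Decimal("7200")),   # paid for 80 of 88 hours
    PayEntry("E999", *P1, Decimal("80"), Decimal("6400")),   # no personnel record
    PayEntry("E001", *P2, Decimal("80"), Decimal("7200")),   # paid above contract rate
]

if __name__ == "__main__":
    for finding in vouch_payroll(JOURNAL, MASTER):
        print(finding)
```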

7.4 BANK AND CASH

7.4.1 Key accounts


Key accounts include:

• Cash

• Marketable securities

Other accounts include:

• Gain or loss on investments

• Dividend income

• Interest income

This section discusses cash and cash equivalents (highly liquid assets). Both are managed
by the treasury function. The objectives of treasury are to ensure cash is available to:

• Pay liabilities as they come due,

• Arrange finance for operations and asset purchases,

• Invest excess cash holdings,

• Reduce financial risk (e.g. through foreign currency hedges), or

• Speculate.

See Section 7.5 below for a discussion of financial instruments other than highly liquid or
cash equivalent instruments.

7.4.1.1 Cash
The cash balance at year end is highly variable and seldom material. In many instances, a credit
balance will exist. The material aspect of cash is the extremely large number and high total
value of cash receipt and payment transactions. These transactions are typically examined in
the audit program for the revenue cycle (Section 1 Receipts) and the purchases cycle (Section 2
Payments). Cash transactions affect all transaction cycles – sales, purchases, payroll, capital
acquisitions, etc.

There are four main types of receipt and payment transactions. Each type of transaction
presents its own control challenges:

1. Cash is counted and deposited daily by stores at a local bank branch. Deposits are
   reconciled daily with sales (cash register) listings and postings.

   Cash payments are unusual and may be controlled by a ‘petty cash’ system.

2. Credit card receipts are controlled by the card issuer (e.g. Visa) for a fee. Listings of
   approved credit card transactions are provided daily for reconciliation with recorded
   sales and postings.

   Credit card purchases/payments may be made by authorised management employees
   in accordance with budget allocations.

3. Cheque receipts are accompanied by a customer remittance advice. Where no advice
   is received, one is created by the entity. In automated systems, scanners read the
   two documents and differences are reconciled and corrected. The documents are
   batched: cheques are deposited in the bank and remittance advices posted to the trade
   receivables sub-ledger. Controls include segregation of cheques and remittance advices
   for deposit and posting; reconciliation of postings and deposits; and computer edit
   tests to identify errors.

   Cheque payments are normally controlled with voucher systems as described in
   Section 2, the Purchases cycle.

4. Electronic transfers. Listings of remittances and payments are forwarded by the bank
   to the client daily for posting to trade receivables and trade payables. Controls include:
   reconciliation of cash deposits with postings and/or with sales listings as appropriate;
   review by internal audit or treasury; comparison to the cash budget; and the follow-up
   of discrepancies reported by customers. It is expected that electronic transfers will
   replace most other approaches to cash management in the future.

7.4.2 Risk
While understatement errors may occur in cash, fraudulent overstatement of the asset is a
key audit risk. Another major risk is unauthorised payments, as illustrated below. Valuation is
not an issue – cash is itself a measure of value – unless transactions denominated in a foreign
currency are common.

Illustrative Example 3
A private equity fund company that was involved in the largest sale of shopping centres
in Hong Kong became the city’s biggest victim of email fraud in 2017 after being conned
out of HK$39 million. The Link Reit, the largest real estate investment trust in Asia,
announced the sale of properties including 17 shopping centres in Hong Kong to Gaw
Capital for HK$23 billion. A fraudster – posing as a client – sent a deceptive email to the
manager of a Gaw Capital branch in Causeway Bay, requiring the firm to withdraw HK$5
million from its account and transfer the amount to a local bank account. The firm only
realised it was a scam when the genuine client contacted the company.

Exhibit 7.11 identifies some of the motivations for overstatement and the assertions at risk
of misstatement.

| Risk | Reason for fraud/theft | Assertions at risk |
|---|---|---|
| Overstatement of cash | Meeting debt covenants; liquidity | Existence and valuation |
| Payment of false invoices or inflated invoices | Misappropriation of assets; kickbacks | Occurrence of payment transactions; existence of cash |
| Omitting outstanding cheques from, or under-footing, the bank reconciliation to hide misappropriation of assets | Embezzlement | Existence and valuation |
| Double counting of transfers between bank accounts (kiting) | Overstatement of cash to hide misappropriation of assets or conceal a negative cash balance | Existence and valuation |

EXHIBIT 7.11 Inherent risk in cash

7.4.3 Assertions, Controls and Tests of Controls


Most organisations have good controls over cash because it is easily stolen and because
the main cause of business bankruptcy is running out of cash – a liquidity crisis – so that the
business is unable to pay its suppliers and employees. Where controls are good and control
risk is low, the audit of cash will focus on testing controls. The main controls over cash include
the bank reconciliation, segregation of those with access to cash from others who record cash
transactions and from those who authorise deposits, withdrawals and transfers.

Exhibit 7.12 provides descriptions of some key controls over cash payments and receipts,
and tests the auditor might apply to those controls.

Cash receipts – key risk is overstatement (existence and valuation)

| Assertion | Control | Test |
|---|---|---|
| Existence | Daily banking of cash receipts | Observe agreement of bank deposits to daily sales listing |
| | Bank reconciliation | Observe preparation and review of bank reconciliation |
| Valuation | Agree cash, cheques and credit card receipts with daily sales listing | Examine evidence of check or observe check |
| | Bank reconciliation | Observe preparation and review of bank reconciliation |
| | Foreign exchange translation procedures | Review procedures to ensure compliance and consistency with accounting standard HKAS 21 The Effects of Changes in Foreign Exchange Rates |
| Completeness | Cash register or point-of-sale terminals display the sale amount to the customer and provide a printed receipt. They provide a listing of transactions for the business. | Observe that equipment is working and that operators are using them properly. Observe customers being given receipts. Ensure cash is counted and agreed to the daily sales listing. |
| | Bank reconciliation | Observe preparation and review of bank reconciliation |
| | Cash receipts are deposited daily | Observe preparation and performance of bank deposits |
| Rights | Bank account | Bank confirmation |

Cash payments – key risk is overstatement (existence and valuation)

| Assertion | Control | Test |
|---|---|---|
| Existence | Bank reconciliation | Observe preparation and review of bank reconciliation |
| | Approval. Review of supporting documentation and approved supplier list by cheque signers or approver of bank transfers | Observe check of supporting documentation by approvers |
| | Comparisons with cash budgets or with long-term contracts with suppliers | Enquire about cash budgets and the frequency and reporting of variances |
| | Cancellation of documents to prevent duplicate payments | Observe cancellation of invoices |
| | Access controls for approved supplier database | Enquire about access controls |
| | Independent review of supplier queries | Inquire about review |
| | Imprest bank accounts for payroll and dividend payments | Bank confirmation; enquiry |
| Valuation | Foreign exchange translation procedures | Review procedures to ensure compliance and consistency with accounting standard HKAS 21 The Effects of Changes in Foreign Exchange Rates. |
| Completeness | Pre-numbered cheques or bank transfers | Perform (re-perform) a sequence check for missing (or duplicate) payments |
| | Bank reconciliation | Observe preparation and review of bank reconciliation |
| Rights | Bank account | Confirm bank account (also provides evidence for existence and valuation) |
| Presentation | Foreign exchange procedures | Ensure consistency with accounting standard HKAS 21 The Effects of Changes in Foreign Exchange Rates |

EXHIBIT 7.12 Controls and tests for cash receipts and cash payments

7.4.4 Analytical Procedures


Analytical procedures are seldom used in the audit of cash. Cash accounts are highly variable
and the auditor cannot expect consistency from one period to the next. Possible analytical
procedures include:

• Many organisations have high-quality, even daily, cash budgeting procedures.
  Comparisons with budgets may provide reliable evidence and

• Multi-period comparison of items on the bank reconciliation (e.g. deposits in transit or
  unpresented cheques).

7.4.5 Audit Assertions and Tests of Details


Substantive tests for cash include:

• Confirming balances, loans and terms of agreements with the client’s bank,

• Testing the accuracy and completeness of the bank reconciliation,

• Testing the cut-off with reference to the subsequent bank statement and

• Counting cash on hand.

Each of the tests listed above provides evidence about multiple assertions. For example, all
of the above provide evidence about existence.

Bank confirmations are similar to trade receivable confirmations discussed in Chapter 6.
A letter is sent to all client banks asking for the year-end balance of all accounts and loans,
and the terms of contracts. Bank confirmations are reliable evidence as they are provided by
informed third parties.

The cut-off assertion for cash is tested by reviewing payments and deposits occurring in
the period around the balance date. The confirmed bank balance will most often be different
from the entity balance and the entity’s bank reconciliation will list ‘deposits in transit’ and
‘unpresented cheques’. The auditor should at least ensure that deposits and payments
recorded by the entity on the last day of the financial year appear in the bank statement on
the subsequent business day. Unexpected delays may be indicators of ‘income smoothing’ or
the fraudulent overstatement of cash. Where cash balances on hand at the balance date are
potentially material, the auditor may conduct a cash count. For a retailer like GEM, cash may be
held at a large number of locations, both as petty cash and sales receipts. The count requires a
high level of coordination as the count should be carried out at all locations simultaneously.

Count cash balances held and agree balances to the petty cash book and cash register
receipts. During the count, verify that appropriate security is in place (safes or locked cash
registers) and that access is limited to appropriate personnel. The count should be supervised
by responsible parties like the store accountant or manager. Obtain a certificate of cash-in-
hand from the responsible person. As a follow-up, confirm that bank and cash balances are
reconciled and trace these to the financial statements.

Exhibit 7.13 lists some of the common substantive tests of details for cash.

| Assertion | Substantive test of details |
|---|---|
| Existence/occurrence | Send bank confirmation |
| | Test bank reconciliation |
| | Examine bank account transfers at year end to ensure transfers are not included in two accounts (kiting) |
| | Review all large and unusual cash receipts and payments recorded near the year end |
| Valuation/accuracy | Send bank confirmation |
| | Cash count (see below) |
| Completeness | Send bank confirmation |
| | Trace subsequent cash payment to the final and subsequent bank statements as appropriate, to ensure payments were recorded in the correct period |
| Cut-off | Cut-off test on cash receipts and payments. The main source of evidence is the subsequent bank statement |
| Rights/obligations | Send bank confirmation |

EXHIBIT 7.13 Substantive tests of details for cash
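
Two of the tests in Exhibit 7.13 address the concealment methods listed in Exhibit 7.11: the year-end transfer test (kiting) and the test of the bank reconciliation (omitted or under-footed outstanding cheques). The sketch below re-performs both. It is an added example, not part of the original text: the balance date, record layouts and all amounts are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

YEAR_END = date(2022, 12, 31)   # assumed balance date for the constructed data


@dataclass(frozen=True)
class Transfer:                 # one inter-account transfer on the auditor's schedule
    ref: str
    amount: Decimal
    booked_out: date            # payment date in the paying account's cash book
    booked_in: date             # receipt date in the receiving account's cash book


@dataclass(frozen=True)
class Cheque:                   # a cheque paid on the subsequent bank statement
    number: int
    amount: Decimal
    booked: date                # date recorded in the cash book
    cleared: date               # date paid by the bank


def transfer_exceptions(transfers, year_end=YEAR_END):
    """Flag transfers whose two cash book entries fall either side of year end."""
    findings = []
    for t in transfers:
        if t.booked_in <= year_end < t.booked_out:
            findings.append((t.ref, "DOUBLE_COUNTED", t.amount))      # kiting indicator
        elif t.booked_out <= year_end < t.booked_in:
            findings.append((t.ref, "IN_NEITHER_ACCOUNT", t.amount))  # cut-off error
    return findings


def reperform_reconciliation(bank_balance, deposits_in_transit, listed,
                             stated_total, subsequent, year_end=YEAR_END):
    """listed: {cheque number: amount} on the client's outstanding-cheque list.
    stated_total: the total the client shows for that list.
    subsequent: cheques paid on the bank statement after year end."""
    refooted = sum(listed.values(), Decimal(0))
    omitted = [c for c in subsequent
               if c.booked <= year_end < c.cleared and c.number not in listed]
    omitted_total = sum((c.amount for c in omitted), Decimal(0))
    client_balance = bank_balance + deposits_in_transit - stated_total
    audited_balance = bank_balance + deposits_in_transit - refooted - omitted_total
    return {
        "under_footing": refooted - stated_total,
        "omitted_cheques": [c.number for c in omitted],
        "cash_overstatement": client_balance - audited_balance,
    }


# Constructed sample data (not from the text).
TRANSFERS = [
    Transfer("T1", Decimal("300000"), date(2023, 1, 2), date(2022, 12, 31)),
    Transfer("T2", Decimal("150000"), date(2022, 12, 30), date(2022, 12, 30)),
    Transfer("T3", Decimal("80000"), date(2022, 12, 31), date(2023, 1, 3)),
]
LISTED = {1041: Decimal("15000"), 1042: Decimal("25000"), 1044: Decimal("10000")}
SUBSEQUENT = [
    Cheque(1041, Decimal("15000"), date(2022, 12, 28), date(2023, 1, 3)),
    Cheque(1042, Decimal("25000"), date(2022, 12, 30), date(2023, 1, 4)),
    Cheque(1043, Decimal("12000"), date(2022, 12, 29), date(2023, 1, 4)),  # not listed
    Cheque(1045, Decimal("9000"), date(2023, 1, 3), date(2023, 1, 6)),     # next period
]

if __name__ == "__main__":
    print(transfer_exceptions(TRANSFERS))
    print(reperform_reconciliation(Decimal("500000"), Decimal("20000"),
                                   LISTED, Decimal("42000"), SUBSEQUENT))
```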

Apply and Analyse 3


The following are weaknesses in controls over cash. For each weakness, identify the
audit procedure that should be used to determine whether any material misstatements
have occurred.

1. The person who opens the mail prepares the bank deposit.

2. Sometimes the documents supporting cash disbursements are not cancelled.

Analysis

1. As noted in Section 7.4.3, a key control over cash is the segregation of those with
access to cash from others who record cash transactions. In this case, the person
opening the mail should prepare a listing of cheques for forwarding to accounting
and pass the cheques to another individual who then prepares the bank deposit.
The cheque listing should be reconciled with the bank deposit in the accounting
department.

In this case, the person opening the mail AND making the deposit could steal
cheques. The audit procedure that would detect this theft is confirmation of
accounts receivable balances with the customer. The customer balance in the A/R
sub-ledger would be higher than the amount confirmed by the customer.

2. The supplier invoice should be cancelled when paid to ensure that it is not paid
twice. In order to detect this error, the accounts payable balance for the supplier
should be reconciled to the supplier’s statement. If supplier statements are not
available, an alternative procedure is confirmation of the supplier’s accounts
payable balance.

7.5 FINANCIAL INSTRUMENTS

Financial instruments include both financial assets and financial liabilities.

Financial assets are liquid assets because the economic resources or ownership can be
converted into something of value such as cash. The value of the asset is determined by
the demand and supply of such assets in the market. These are classified according to the
features of the cash flow associated with them. Examples include Certificates of Deposit (CD),
bonds, shares, cash, bank deposits, loans, receivables and derivatives. Derivatives are financial
assets whose value is derived from other underlying assets.

Financial liabilities are contractual obligations to deliver cash or equity. Examples of
financial liabilities are accounts payable, loans and derivatives. Normally, what is a financial
asset for one party to a transaction will be a financial liability for the counterparty (e.g. a
receivable for a seller and a payable for the buyer).

Accounting and auditing for most classes of financial instruments is straightforward and
has been discussed in other sections of this chapter and in Chapter 6 (e.g. cash, purchases,
payables, receivables, debt securities and equities). However, accounting for derivatives and the
audit of derivative accounts is a complex matter. HKFRS 9 Financial Instruments is a very long and
detailed standard which has been updated in stages over the last decade. Different definitions
of financial instruments continue to exist among financial reporting frameworks. Much of
HKFRS 9 is concerned with definitions of different categories of financial instruments, specific
inclusions and exceptions within each category, and associated accounting requirements for
each category. These specific accounting procedures and the accounting standard are not
assumed knowledge for this subject.

Relevant auditing standards include:

• HKSA 540 (Revised) Auditing Accounting Estimates and Related Disclosures, which is
discussed in Chapter 6 Sections 6.5.1, Accounting Estimates, and 6.5.2, Fair Values, and

• HKSA 620 Using the Work of an Auditor’s Expert, which is discussed in Chapter 8
Section 8.3.

These two standards are supported by professional guidance found in HKAPG 1000 Special
Considerations in Auditing Financial Instruments. HKAPG 1000 does not deal with simpler financial
instruments like cash, loans, trade receivables and payables or insurance contracts.

The complexity of the area, and its inter-relationship with other standards, is demonstrated
in the introduction to HKSA 540 (Revised) (para 1), which states that the standard ‘includes
requirements and guidance that refer to, or expand on, how HKSA 315 (Revised 2019), HKSA
330, HKSA 450, HKSA 500 and other relevant HKSAs are to be applied in relation to accounting
estimates’. The professional guidance HKAPG 1000 is similarly complex.

The general audit approach to the audit of financial instruments is explained in HKSA 540
(Revised). In brief, valuation is the key risk and the auditor will collect evidence to confirm
management’s estimate or, if that is not possible, will develop their own estimate.

The following is a brief review of the audit of accounting estimates (see also Chapter 6
Section 6.5.1).

The auditor must ensure an estimate:

1. Provides an exit price,

2. Is market-based,

3. Identifies the relevant market,

4. Is based on reasonable assumptions,

5. Is not influenced by management’s intentions,

6. Identifies the best use of the asset (liability) and

7. Is based on an appropriate valuation model using to the greatest extent possible
   observable inputs.

The auditor should also:

8. Develop a point estimate or range to assess management’s estimate.

9. Obtain written representations from management on whether they believe significant
   assumptions used in making accounting estimates are reasonable.

7.5.1 Key accounts


Key accounts include:

• Marketable securities

• Derivatives – including both financial assets and liabilities

Other accounts include:

• Gain or loss on investments,

• Dividend income and

• Interest income.

7.5.2 Risk
Risks relating to most established financial instruments like receivables or equity have been
discussed in other sections of this chapter. This section will focus mainly on derivatives that,
in general, have a high inherent risk, especially when used for speculation. Today, literally
hundreds of types of derivatives exist and each has unique features relating to risk, all of which
need to be considered by the auditor in their analysis of inherent risk (credit risk, market risk,
liquidity risk, basis risk, operational risk and legal risk; see HKAPG 1000 Special Considerations
in Auditing Financial Instruments para 18/19). In many cases high interest rates are offered to
compensate for a lack of collateral. Derivatives are described as marketable securities, but
many markets are thin and market quotations may be unreliable. Market values may fluctuate
on a minute-to-minute basis and markets can become illiquid. While issuers of securities may
guarantee to repurchase the security at some future date, this transaction depends on the
liquidity of the issuer, which cannot be guaranteed.

Management’s fair value estimates of these instruments can be highly subjective and risky
and such assets present the auditor with the highest possible level of detection risk, i.e. the
risk that the auditor’s procedures will fail to detect a misstatement (see Section 7.5.6 below). Valuations
are risky for many reasons. HKAPG 1000 Special Considerations in Auditing Financial Instruments
para 85–105 provides useful guidance. Some key points are noted below:

• Management and those charged with governance may be unfamiliar with derivative
transactions, valuation methods or the requirements of the accounting standards
regarding financial instruments.
• The client’s finance personnel responsible for derivative transactions often
have very significant incentive plans tied to profits on derivative trades and may
overstate profits.

• During difficult financial market conditions, management may engage in fraudulent
financial reporting to hide fraud or error, to hide breaches of regulatory, liquidity or
borrowing limits, or to avoid reporting losses.

• Management may rely on valuations provided by brokers or other dealers
(management’s experts). These brokers may be competent with the valuation of some
classes of derivatives, but not others.

• Brokers may be unable to provide auditors with evidence sufficient to support their
valuations or to identify the assumptions underpinning their models.

• Brokers’ valuations may not be prepared in a timely fashion that reflects current market
conditions (see Chapter 8 Section 8.3.5, Management’s Experts).


It should be noted that the risk of loss of a financial instrument may exceed the value
recognised on the balance sheet. For example, a sudden fall in the price of a commodity may
force an entity to close a position. The losses may create going concern issues or failure of
the business.

Exhibit 7.14 identifies some of the motivations for misstatement of financial instruments
and related accounts, and the assertions at risk of misstatement.

Risk | Motivation for misstatement | Assertion at risk
Tax and accounting requirements (regulatory risk) | Underpayment of tax | Completeness and accuracy of tax expense; presentation and disclosure of financial instruments
Lack of corporate policy and controls regarding the purpose of the instrument, the acceptable risks and limits on investment | Speculation to maximise profits | Valuation of financial instruments
The importance of continual monitoring of market value and risk | Non-disclosure of fair values and losses | Valuation, existence and completeness of financial instruments
Default risk – continual monitoring of the counterparty risk | Non-disclosure of fair values and losses | Valuation, existence and completeness of financial instruments
Collateral risk – procedures for taking possession of any associated collateral | Overvalue financial assets | Existence, valuation and rights regarding collateral assets
Management capacity to understand, manage and value financial instruments | Unwillingness to hire or contract for expensive professional assistance | Valuation of financial instruments
Bonus/incentives schemes for personnel engaged in trading derivatives | Maximising incentives | Valuation, existence and completeness of financial instruments

EXHIBIT 7.14 Inherent risk in financial instruments

7.5.3 Assertions, Controls and Tests of Controls


While some long-term financial instruments are recorded at amortised cost, those considered
most risky are recorded at fair value. The audit of assets recorded at fair value was discussed
in Chapter 6 Section 6.5.2. As noted in that section, the auditor’s objective with fair values is to
make a conclusion about the reasonableness of management’s fair value estimates and related
disclosures. Two circumstances were identified that determine the auditor’s approach.

1. A relevant and active market with quoted prices exists (e.g. publicly traded shares or
bonds, currency hedges and options). Here, inherent risk is low, and determination
of a current and accurate fair value is simple and easily verified by the auditor. The
auditor proceeds by first examining the controls relating to segregation of duties
and the authorisation of purchase and sale transactions and examining transaction
documentation to ensure that controls are both operating and effective.


2. Where active markets do not exist, or are illiquid, fair value estimates must be
based on the market for similar assets, or discounted cash flow or other models.
Determination of what may be considered a ‘similar’ asset is highly subjective, and fair
values based on models are likely to have high inherent and control risk. Estimation risk
is likely to be high.

Where low volumes of financial instrument transactions are undertaken by the client,
adequate controls are unlikely to exist and a substantive approach will be required.

The Appendix to HKAPG 1000 Examples of Controls Relating to Financial Instruments provides
useful guidance on key controls that may exist in an entity that deals with a high volume of
financial instrument transactions (e.g. banks, finance companies or pension funds). Some of
these are listed here and in Exhibit 7.15.

Marketable securities and financial instruments – key risk is overstatement (existence and valuation). In some instances, a going concern risk

Assertion | Control | Test
Existence | Approval; Safekeeping. Share certificates, bonds and contracts should be kept in a safe | Review corporate policy. Acquisitions and disposals should be monitored by the board or a senior official for compliance with policy; Review board minutes for evidence of approval; Inspect share certificates, etc. held by entity
Valuation | Management procedures for determining fair value | Inquire about management procedures for identifying fair values
Completeness | Purchase approval by CFO or board | Enquire about purchase approval process; Review independent market information for stock splits, stock dividends or rights issues and trace to investment register
Rights | Assets held by trustee or service organisation | Confirm title with trustee

EXHIBIT 7.15 Assertions, controls and tests of controls – marketable securities and financial
instruments

• Relevant expertise or competence within the entity;

• Policies regarding risk appetite and risk management activities including the types of
financial instruments to be used and their purpose, whether hedging or speculation;

• Policies for the valuation of financial instruments and disclosure of related
measurement uncertainty;

• Requirements for key employees to take leave, so as to prevent and detect fraud;

• The use of service organisations (e.g. brokers) for purchasing, selling, recording and
valuing financial instruments. See Chapter 8 Section 8.3 for a discussion of the auditor’s
responsibilities when clients use service organisations;


• Policies to monitor outstanding positions and to reduce risk exposure if necessary,
including timely reporting of these matters;

• Design and approval of information systems are critical. When financial instrument
trades are carried out by a small number of personnel, they may use spreadsheets that
are insecure and include complex models of dubious accuracy;

• Authorisations identifying the amount, nature and purpose of the transaction;

• Segregation of duties including execution of the transaction, payment, recording, and
monitoring positions and valuations;

• Reconciliation of transactions to bank and broker records.

7.5.4 Analytical Procedures for Marketable Financial Instruments


For financial instruments with stable and active markets, analytical procedures are useful.
However, it is difficult to establish expectations for other financial instruments.

Simple comparisons – Compare balances of investment accounts by class of investment
with the prior year. Compare interest and dividend income with the prior year. Note significant
changes in the investment/securities register for follow-up tests of details.

Multi-period comparisons – Interest-bearing securities or dividend-paying shares
often provide consistent payments over many years. Multi-year comparisons may provide
useful evidence.

7.5.5 Audit Assertions and Tests of Details for Marketable Financial Instruments

A key consideration in audits involving complex financial instruments is the competence of the
auditor. The audit may require the involvement of one or more auditor experts. Auditor experts
may include:

• Accountants, because differing interpretations of the accounting standards exist, the
accounting approach is currently under development, and the area is complex;

• Legal experts, who may be required to understand the contractual, regulatory and tax
implications of financial instruments and

• A finance expert, who may be required to gather evidence to support management’s
estimates, or to develop a point estimate or a range for comparison with management’s
estimates, especially when fair value is determined using a complex model.

Because financial instruments arise from legal contracts, many of the auditor’s procedures
will address a number of assertions. For example, verifying the accuracy of the recording of the
transaction will also test existence, occurrence, rights and obligations, and cut-off.

Exhibit 7.16 identifies substantive tests of details for each assertion relating to the
marketable financial instruments account. These, and many other relevant procedures, can be
found in HKAPG 1000 Examples of Controls Relating to Financial Instruments para 103-137. A large
number of these paragraphs address the important valuation issue.


Assertion | Substantive test of detail
Existence/occurrence | Investment schedule items are verified by inspection of the securities and contracts or by confirmation with the trustee or broker. Review purchase and sale transactions for compliance with the contract terms and appropriate classification of the instrument. Review unusual end of period journal entries.
Valuation/accuracy | The auditor may test a valuation model by: (i) evaluating the design and operation of the model (1. Is the model used by others, and does it operate as intended? 2. Does the model take into account all relevant forms of risk (e.g. counterparty risk, market risk)?); (ii) testing the assumptions and data used in the model; and (iii) comparing its output to an estimate developed by the auditor. Original cost and fair value are confirmed by reference to contracts, broker statements or independent market quotations. Interest income is re-calculated and dividend income may be confirmed by reference to press or company announcements. Disposals and information relevant to the calculation of gains or losses should appear on broker statements. Recalculate income and gain/loss. Consider the possibility of impairment. Consider the use of an auditor’s expert.
Completeness | All material purchase and sale transactions other than normal sales or inventory purchase transactions should be reviewed to see if they should have been recorded as investments. Performance materiality is likely to be set at a low level.
Rights/obligations | Confirm with a trustee or broker. Review contracts and invoices. Consult board minutes.

EXHIBIT 7.16 Tests of details for marketable financial instruments

Illustrative Example 4
A common financial instrument is an asset-backed security. The familiar ‘home
mortgage’ is an example. These are often valued on the basis of level 1, 2 and 3 inputs
and models as illustrated below. It is necessary for a valuer to understand:

• The nature and value of the security or ‘collateral’ (the value of the home) (level 2);

• The rights of the lender in the event of loan default (level 1);

• The contracted cash flows (the interest rate and the amortisation period, which
together determine the monthly mortgage payment) (level 1);

• Pre-payment risk, which is related to the interest rate risk (home owners are likely
to pre-pay their mortgages if interest rates drop) (level 3) and

• Default risk, which is related to the future value of housing, the future
unemployment rate and the quality of the borrower (level 3).


Apply and Analyse 4


1. Describe the role collateral plays in valuing marketable securities.

2. Explain whether an audit of marketable securities would ever require an audit of
the underlying collateral.

Analysis

1. The role of collateral is to provide security (and reduce risk) for the lender/holder
in the event of the issuer of the security being unable to fulfil the terms of the
instrument – where they are unable to pay the agreed interest or dividends, or
repay the original investment at the termination of the contract.

2. In order for the collateral to be meaningful, the investor must have clearly
established rights to the collateral as determined by the contract with the seller
of the instrument (the borrower). Additionally, it is important that the collateral
offered by the seller of the instrument exists, is properly valued and is owned or
controlled by the seller. The stability and liquidity of the seller are major concerns.

In order to verify these matters, the auditor should review the contract to
test the rights of the purchaser in the event of default, and investigate the seller’s
current ownership rights, and the existence and valuation of the asset. Enquiries
should also be made as to the financial stability of the seller.

7.6 NON-CURRENT ASSETS

The three main classes of non-current assets are PPE, goodwill and other intangible assets,
and investments (interests in other entities):

• Auditing procedures for PPE are straightforward and little inherent risk exists.

• Auditing intangibles is more challenging because valuations involve fair value
estimates and accounting standards are complex.

• Interests in other entities (also ‘long-term investments’ or ‘variable interest entities’)
include investments in subsidiaries, joint ventures, joint operations, associates,
unconsolidated structured entities, etc. These interests are extraordinarily diverse,
disclosure requirements are extensive and inherent risk is high.

7.6.1 Property, Plant and Equipment (PPE)


Other accounts include:

• Depreciation expense,

• Accumulated depreciation,


• Maintenance and repairs expense,

• Gain or loss on disposal.

PPE are assets that have expected lives of more than one year and are used in the business
(e.g. land, buildings, computers, machinery, furniture or vehicles). The key accounting record
is the asset register. Assets should be purchased through the purchases system and these
purchases will be subject to the same controls, control tests and substantive tests as other
purchase transactions. Large non-routine purchases, especially large capex, should be subject
to separate controls, not those routine controls applied to high-volume routine transactions.
Typically, this involves authorisation/approval at the board level.

Because of the long life of PPE assets and the infrequency and the materiality of asset
purchases and sales, the audit programme is focused on additions and disposals during the
period, and the assessment of impairment as required by HKAS 36 Impairment of Assets.

7.6.1.1 Risk
Exhibit 7.17 identifies some of the risks inherent in the PPE account, motivations for fraudulent
activity and the assertions at risk.

Risk | Reason for fraud/theft | Assertions at risk
Purchase of assets for personal use of management. | Misappropriation of assets | Existence of PPE
Understatement of depreciation expense | Overstatement of profit | Valuation of PPE
Failure to record asset impairment, disposal or discontinued operations, or to make an accrual for asset decommissioning costs | Overstatement of profit | Existence; valuation of PPE
Misclassification of maintenance and repairs expense (or other expenses) as property, plant and equipment | Overstatement of profit | Valuation; existence of PPE; completeness of maintenance expense

EXHIBIT 7.17 Inherent risk in PPE

Illustrative Example 5
China Medical was placed into liquidation in 2012 by courts in the Cayman Islands, New
York and Hong Kong following accusations that the NASDAQ-listed firm was a fraud.
Company liquidators presented evidence showing the company’s management had
stolen at least HK$355 million through fraudulent technology acquisitions. KPMG was
China Medical’s auditor between 2005 and 2009 and provided unqualified audit opinions
for the financial statements during that period.


7.6.1.2 Assertions, Controls and Tests of Controls


Key controls over additions and disposals of PPE are approvals and segregation of duties.
Exhibit 7.18 provides descriptions of controls over PPE and tests the auditor might apply to
those controls.

PPE – key risk is overstatement (existence and valuation)

Assertion | Control | Test
Existence | Inspect items in the asset register to confirm existence and identify obsolete equipment for write down; Approval procedures for purchases and disposals; Contracts for purchase and sale of assets | Inquire about procedures to maintain asset register; Review approval process; Review contracts
Valuation | Authorisation of purchases by senior management or board; Competitive tendering; Authorisation and ongoing review of useful life estimate for depreciation calculation; Contracts for purchase and sale of assets; Procedures for estimating asset impairment | Inquire about authorisation procedures; Sight evidence of approval and board minutes; Inquire about competitive tendering policy; Review depreciation schedule and inquire about alterations and additions; Review contracts; Review impairment estimation procedures
Completeness | Policy re purchase approval and update of asset register | Review minutes for reference to PPE purchases. Review maintenance expense account
Rights | Purchase contracts | Review contracts

EXHIBIT 7.18 Controls and control tests for PPE

7.6.1.3 Analytical Procedures


Simple comparisons: PPE, depreciation, accumulated depreciation and maintenance accounts
should be compared with prior years.

Multi-period comparisons: As PPE are long-lived assets, the depreciation expense and
accumulated depreciation should show a consistent pattern over the asset’s life.

Comparisons of financial ratios – Key financial ratios associated with PPE include:

• Depreciation expense as a proportion of PPE

• Accumulated depreciation as a proportion of PPE
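
The three comparisons above can be run mechanically over year-end totals before selecting items for tests of details. The Python sketch below is an added example, not part of the original text; every figure, the 10% and 0.02 tolerances and all names (PpeYear, HISTORY and the functions) are assumptions constructed for illustration.

```python
"""Analytical procedures for PPE over constructed year-end totals (HK$ m)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PpeYear:
    year: int
    gross_ppe: float      # PPE at cost
    depreciation: float   # depreciation expense for the year
    accumulated: float    # accumulated depreciation at year end
    maintenance: float    # maintenance and repairs expense


# Constructed sample data (not from the text). In the final year depreciation
# and maintenance fall while PPE rises, the pattern expected if depreciation is
# understated or maintenance is capitalised as PPE.
HISTORY = [
    PpeYear(2019, 150.0, 15.0, 45.0, 3.0),
    PpeYear(2020, 160.0, 16.0, 58.0, 3.2),
    PpeYear(2021, 170.0, 17.0, 72.0, 3.4),
    PpeYear(2022, 180.0, 18.0, 87.0, 3.6),
    PpeYear(2023, 190.0, 13.3, 98.0, 2.0),
]

ACCOUNTS = ("gross_ppe", "depreciation", "accumulated", "maintenance")


def simple_comparison(prior, current, tolerance=0.10):
    """Simple comparison: accounts whose change on the prior year exceeds tolerance."""
    flagged = {}
    for account in ACCOUNTS:
        before, after = getattr(prior, account), getattr(current, account)
        if before == 0:
            if after != 0:
                flagged[account] = None  # new balance, no percentage available
            continue
        change = (after - before) / before
        if abs(change) > tolerance:
            flagged[account] = round(change, 4)
    return flagged


def ppe_ratios(year):
    """The two ratios named in the text, each as a proportion of PPE."""
    if year.gross_ppe <= 0:
        raise ValueError(f"no PPE balance for {year.year}")
    return {
        "depreciation/PPE": year.depreciation / year.gross_ppe,
        "accumulated/PPE": year.accumulated / year.gross_ppe,
    }


def expected_next(series):
    """Expectation for the next year: last value plus the mean yearly change."""
    changes = [b - a for a, b in zip(series, series[1:])]
    return series[-1] + sum(changes) / len(changes)


def multi_period_exceptions(history, tolerance=0.02):
    """Multi-period comparison: ratios that break the pattern of prior years.

    Returns {ratio name: (expected, actual)} for the latest year where the
    actual ratio differs from the expectation by more than tolerance.
    """
    *prior, current = history
    if len(prior) < 2:
        raise ValueError("need at least two prior years to form an expectation")
    exceptions = {}
    for name, actual in ppe_ratios(current).items():
        expected = expected_next([ppe_ratios(y)[name] for y in prior])
        if abs(actual - expected) > tolerance:
            exceptions[name] = (round(expected, 4), round(actual, 4))
    return exceptions


if __name__ == "__main__":
    print("Simple comparison:", simple_comparison(HISTORY[-2], HISTORY[-1]))
    print("Multi-period exceptions:", multi_period_exceptions(HISTORY))
```

A flagged account or ratio is only a prompt for follow-up; the additions, disposals and maintenance entries behind it still have to be vouched to supporting documents.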


Illustrative Example 6
A simple comparison of GEM’s PPE account with the prior year’s audited figure shows an
increase of 6% (HK$175 m to HK$185 m). This is consistent with the percentage increase
in the number of stores (5%). It is not unreasonable to think that the average price of
establishing a new store would be greater than past costs (due to inflation). Additions
(and deletions) in the asset register should be examined and vouched to supporting
documents and contracts.

7.6.1.4 Audit Assertions and Tests of Details


Exhibit 7.19 identifies some common substantive tests of details relevant to the PPE account.

Assertion | Substantive test of detail
Existence/occurrence | Obtain the asset register. Verify its accuracy and test additions and disposals to contracts, minutes and other approvals. Tour plant noting new equipment, deleted products and equipment, and idle equipment. Trace to asset register. Inspect/observe assets.
Valuation/accuracy | Review contracts and board minutes. Verify estimates of useful life and salvage value. Recalculate the gain or loss on disposal. Review cost records for self-constructed assets. Inquire about asset impairment tests. Review conclusions. Review management’s fair value estimates. Recalculate depreciation expense. Ensure decommissioning costs are accrued over the life of the asset. Consider the use of an auditor’s expert for complex valuation matters.
Completeness | Review repair and maintenance expenditures and lease expenses to identify items that should be capitalised. Trace and reconcile the asset register to the general ledger. Inspect client facilities and trace all significant assets to the asset register.
Rights/obligations | Review contracts and inspect title deeds and land registry certificates. Inquire about assets pledged as collateral. Inspect registration documents for vehicles.
Presentation/disclosure | Ensure presentation is consistent with HKAS 36 Impairment of Assets. Review correct classification – current or long-term.

EXHIBIT 7.19 Substantive tests of details for PPE


Apply and Analyse 5


The auditor of a manufacturing company has reviewed the prior years’ working papers and
found that:

1. Some items of expenditure were capitalised as Property, Plant and Equipment, and
some PPE expenditures were recorded as Maintenance Expense.

2. Management had no procedures for identifying and writing down impaired assets.

Identify audit procedures for PPE that should be included in the current programme to
deal with these issues.

Analysis

1. Overstatement of PPE is a significant risk as management are likely to capitalise
expense items in order to inflate profits. Alternatively, some entities may expense
PPE transactions in order to reduce their income tax liability.

The auditor should obtain a copy of the client’s asset register and select additions
for examination. These should include material additions and some others. These
additions should be verified as to their existence, valuation and rights by reference
to purchase contracts or invoices, purchase requests and purchase orders, and
by observation. Entries to the maintenance and repair expense account should be
searched for items that should be capitalised.

2. Asset impairment is seen negatively by management as it reduces profit. It is often
ignored unless a new management group wishes to maximise current expenses
with the expectation of improved future profits. It is, however, management’s
responsibility to make impairment estimates and management should be asked
to provide their analyses to the auditor. The auditor should also tour the factory in
order to identify idle equipment. Other indicators of impairment should be sought,
including the competitive environment in the industry and the wider economy.

Impairment estimates are highly subjective as the market for old equipment is
inactive. Property markets tend to be more liquid. Where a market does exist,
some impairment estimate is possible. Where no active market exists for used
equipment, replacement equipment values may be sought and adjusted for the
age of the current equipment. The auditor should consider using an auditor’s
expert.

7.6.2 Goodwill and Other Intangible Assets


Other accounts include:

• Amortisation expense

• Accumulated amortisation

• Revaluation surplus

• Gain or loss on disposal


7.6.2.1 Goodwill
Goodwill is the difference between the price paid in a business acquisition and the market
value of the tangible and intangible assets acquired. As such, the initial value may be easily
calculated and audited as long as the auditor can be satisfied as to management’s fair value
estimates of the assets acquired (see Sections 6.5.1 and 6.5.2 of Chapter 6).

Valuation of goodwill may be difficult if the purchase is made via shares rather than cash or
the purchase price is contingent on future outcomes.

Difficulties in goodwill valuation can also arise subsequent to the acquisition because
goodwill must be tested annually for ‘impairment’ or a decline in value (see HKAS 36 Impairment
of Assets). Two main factors affect the impairment test:

1. If the acquired entity continues as a discrete operating unit or, alternatively, is
integrated into the buyer’s operations.

2. If the original purchase was based on a capital budgeting model incorporating
estimates of expected future cash flows.

Where the acquired entity is a discrete unit and the purchase price was based on the
discounted value of future cash flows, then management’s impairment test is relatively
straightforward and can be verified by the auditor. Management simply recalculates the
value of goodwill on the basis of updated estimates. If the value of goodwill is materially
impaired, a write down is indicated. The audit programme for impairment focusses on tests of
management’s estimate – assumptions, data and risk assessment.

Where the conditions noted above do not apply, then management’s impairment estimates
will be highly subjective. This often occurs when the acquired entity is merged with existing
operations and so no longer exists as a discrete operating unit. The difficulties that arise for
the auditor in auditing management’s estimates in these circumstances were discussed in
Chapter 6 Section 6.5.2, Fair Values.

7.6.2.2 Other Intangible Assets


Companies acquire other assets including licenses, intellectual property, market knowledge,
trademarks, brand names and scientific or technical knowledge, and they design and
implement new processes or systems. Some of these acquisitions will qualify as intangible
assets and will be recognised and amortised (or not) in accordance with HKAS 38 Intangible
Assets (Revised January 2017). HKAS 38 is lengthy and deals extensively with issues of
recognition and measurement of different types of intangible assets and expenses, both
purchased and internally created. A number of useful examples are provided in the standard.

As with goodwill, intangible assets must be assessed regularly for impairment (see HKAS
36 Impairment of Assets). In addition, some intangibles will have limited lives and must be
amortised, while others will have unlimited lives and no amortisation is required. Many
subjective judgements must be made by management in dealing with intangibles, and
the auditor’s assessment of management’s valuations will require high-level professional
judgements. The assistance of an auditor’s expert may be required.

The audit programme for other intangible assets first requires the auditor to have a
good understanding of both HKAS 36 and 38, and also HKFRS 13 Fair Value Measurement,
and then to follow the guidelines of HKSA 540 (Revised) Auditing Accounting Estimates
and Related Disclosures. The audit of management’s estimates was discussed in Section 6.5.1
of Chapter 6.

7.6.2.3 Risk
A high level of subjectivity is involved in management’s assessment of fair values and in
the recording of both the original cost and the impairment of intangible assets. Because
of the natural bias of management to the overstatement of assets and revenues, and
the understatement of liabilities and expenses, the inherent risk in intangible asset
accounts is high.

Audit risk is further increased because transactions relating to intangibles are diverse,
complex, material, and infrequent, so controls over management’s estimates are seldom of
good quality. In many cases management will not understand what is required and will employ
an expert valuer, most likely at the acquisition stage. For the auditor, detection risk must be set
at a low level and the use of an auditor’s expert is an important option.

A broad range of risk factors should be considered when assessing impairment. These
might include:

• Increased competition,

• Loss of key personnel,


• An expectation of the sale of the operating unit,

• Decline in operations or revenue and

• Decline in the industry or economy.

7.6.2.4 Assertions, Controls and Tests of Controls


Where a client has a number of similar intangible assets, like trademarks or patents, a register
of these assets will be maintained and appropriate controls are likely to exist for the approval
of acquisitions and disposals, and the assessment of impairment. The auditor should review
these controls and in the unlikely event that the volume of transactions is high, testing of
controls should be considered. It is likely, however, that a substantive audit programme will
be adopted.

7.6.2.5 Analytical Procedures


Due to the unique nature of many intangible assets and infrequent transactions, analytical
procedures other than simple comparisons are of little relevance in the audit of intangibles.

Simple comparisons: Goodwill, other intangible assets, amortisation expense,
accumulated amortisation and revaluation surplus accounts should be compared with
prior years.

Illustrative Example 7 – GEM


According to GEM’s statement of financial position, the intangible assets balance remains
unchanged from the prior year. Inquiries should be made as to additions and disposals,
and as to the fair value of the existing intangibles.


7.6.2.6 Audit Assertions and Tests of Details


Refer to the discussion of accounting estimates and fair values in Sections 6.5.1 and 6.5.2 of
Chapter 6.

Exhibit 7.20 identifies some common substantive tests of details for intangible asset
accounts.

Assertion | Substantive test of detail
Existence/occurrence | Obtain the asset register. Verify its accuracy and test additions and disposals to contracts or purchase records as appropriate. Ensure assets satisfy recognition criteria per HKAS 38.
Valuation/accuracy | Review contracts and board minutes. Verify estimates of useful life. Recalculate the gain or loss on disposal. Review cost records for internally developed assets. Test asset impairment per HKAS 36. (For goodwill this requires testing the fair market value of all relevant tangible and intangible assets in the operating segment.) Recalculate the amortisation expense.
Completeness | Review minutes for acquisitions.
Rights/obligations | Review contract terms.
Presentation/disclosure | Review correct classification – current or long-term. Ensure assets satisfy recognition criteria per HKAS 38. Review disclosure.

EXHIBIT 7.20 Substantive tests of details for intangible assets

Apply and Analyse 6


A start-up pharmaceutical company (SUPC) had a number of drugs in the development
stage. The company was very popular and its share price rose rapidly in its early years.
In 2006, SUPC acquired another pharmaceutical company (PC2) for HK$100 million in order
to acquire its patents. SUPC recorded goodwill on acquisition of HK$28 million. In the global
recession of 2008, SUPC’s share price crashed and the goodwill was written off due to
impairment. Subsequently, SUPC’s share price recovered.

1. Explain how the auditor would have tested for the impairment of goodwill in this
situation.

2. Analyse the method used by the auditor to test goodwill impairment.

Analysis

1. The auditor’s test for goodwill impairment is based on a comparison of the fair
value of the reporting entity with the carrying value of the entity. Because of the
market crash, the fair value (based on the market value) was considered to be
impaired and a write-off was carried out.

2. A problem is indicated with the approach as the market decline was temporary.
While in normal times the share market is an ‘active’ market, during the recession
in 2008, the market was not liquid or sufficiently active to justify using market
values as a basis for fair values in the goodwill impairment test. Of course, the
market decline could have been a long-term event and the impairment test
appropriate.

7.6.3 Interests in Other Entities


Accounting standards relevant to accounting for other entities include:

• HKFRS 10 Consolidated Financial Statements;

• HKFRS 11 Joint Arrangements;

• HKFRS 12 Disclosure of Interests in Other Entities.

7.6.3.1 Other Entities


Other entities, also called ‘variable interest entities’, include subsidiaries, joint ventures, joint
operations, associates and unconsolidated structured entities. Each of these classes of other
entities is carefully defined in the accounting standards, and it is important, but sometimes
difficult, to distinguish between them. Within each class, the variety of different forms is
extreme. The accounting approach required for each type of entity is based on definitions of
control that have changed over the years and are still contentious. See also Chapter 11 on
Group Audits.

7.6.3.2 Risk
Existence, completeness and valuation are significant risks for ‘other entities’. The accounting
standards also point to the importance of disclosure. HKFRS 11 para 20 specifies:

An entity shall disclose information that enables users of its financial statements to
evaluate:

(a) the nature, extent and financial effects of its interests in joint arrangements and
associates, including the nature and effects of its contractual relationship with the other
investors with joint control of, or significant influence over, joint arrangements and
associates; and

(b) the nature of, and changes in, the risks associated with its interests in joint ventures
and associates.

7.6.3.3 Audit Procedures


Given the unique nature of other entities, controls and analytical procedures are seldom
encountered or useful. The auditor should:

• Inquire about the client’s procedures for approving the purchase of an interest in an
‘other entity’. Review worksheets and documentation.

• Inquire about the client’s procedures for identifying other entities and determining the
correct accounting approach and disclosures.

• Obtain the client’s listing of other entities.

• Obtain a listing of all transactions with the other entities, determine the purpose of the
transactions and consider the appropriateness of disclosures.

• See Chapter 6 Section 6.5.5 Related party transactions. Other entities may be, or may
be controlled by, related parties and transactions with other entities may be related
party transactions.

• Test asset impairment per HKAS 36.

• Determine whether transactions, or other entities, were designed to develop fraudulent
financial statements.

Apply and Analyse 7


Companies may have significant relationships with other entities that do not involve
ownership, but may involve control issues.

Explain the nature of these relationships.

Analysis

‘Other entities’ are legal structures designed to provide capital for businesses that lack
equity investors. Financial support, often in the form of loans or loan guarantees, is
provided by other companies. For example, two businesses might form a joint venture to
use technologies of both entities to create new products.

In some instances, other entities may be structured so that they do not have to be
consolidated with the sponsoring business. The sponsoring company is thus able to keep
debt related to the activities of the other entity off its books.

7.7 LIABILITIES AND EQUITY

Key accounts include:

• Debt securities

• Share capital

• Provisions and contingencies

Other accounts include:

• Reserves

• Interest expense

• Interest payable

• Dividends expense

• Dividends payable

Capital comprises loan capital and share capital. Entities have few capital transactions
and most are material. Bonds and shares are the most common types of capital and many
variations exist (e.g. bonds that are convertible to equity or mandatory redeemable preferred
shares). Completeness and classification are the main audit risks.

Illustrative Example 8
During the year, GEM acquired a similar retail chain comprising 100 stores. As part of
the funding of the acquisition, GEM undertook a 1 for 5 pro rata share offer which raised
HK$390 m. Approximately 15,000,000 new shares were issued. GEM also obtained a new
HK$450 million debt facility. GEM’s financial covenants include leverage and fixed charge
cover ratios.

7.7.1 Debt Securities


Debt securities may be called loans, notes, bonds or debentures. The terminology is not clearly
defined and debt agreements can be diverse. Bonds are typically secured, while debentures
have no specific collateral. Debt security transactions are infrequent but material.

Other accounts include interest expense.

7.7.1.1 Risk
Completeness is the main assertion at risk.

Agreements with bondholders are called bond indentures. If the terms of the indenture are
not met (the debt covenants), the bonds are immediately due and payable – in other words,
the bonds no longer exist and the obligation has become current. Covenants might include
restrictions on the payment of dividends, a minimum working capital ratio or a maximum
debt-to-equity ratio. The auditor must ensure the client is in compliance with indenture terms
or that non-compliance is disclosed and debts are correctly classified.

Valuation of a number of other long-term liabilities (e.g. pension obligations or
restructuring reserves) requires significant subjective judgements. Chapter 6 Section 6.5.1
Accounting estimates and Section 6.5.2 Fair values provide a discussion of audit issues relating
to these types of accounts.

Payments of interest and dividends, and repayment of debt, are controlled through the
cash payments system. The use of imprest accounts is common.

Exhibit 7.21 identifies some risks associated with the debt securities account, motivations
for fraud and the assertion at risk.

| Inherent risk | Reason for fraud/theft | Assertions at risk |
|---|---|---|
| Failure to comply with the terms of the bond indenture | Complexity and error. Desire to conceal non-compliance due to the risk of bankruptcy | Valuation and disclosure of liabilities |
| Liabilities requiring subjective judgement | Understatement of liabilities | Valuation; completeness of liabilities |
| Incorrect computation of interest expense | Understatement of expenses | Accuracy of interest expense |
| Accounting for gains and losses on debt refinancing or conversion | Overstatement of profit | Accuracy; completeness of comprehensive income |
| Non-disclosure of the terms of debt agreements, liabilities, reserves | Overstatement of assets and profit | Completeness of liabilities; presentation and disclosure of liabilities |

EXHIBIT 7.21 Inherent risk in debt securities

Illustrative Example 9
Xinjiang Production Construction 6th Shi State-owned Assets Management (Xinjiang)
is a company owned by Xinjiang Production and Construction Corps (XPCC) and is an
example of a local government financing vehicle (LGVF). LGVFs are set up by regional
authorities to raise money for infrastructure projects. LGVF and similar bonds with
high yields are favoured by hedge funds, but not by institutions, as they have been the
focus of worries over the amount of debt in China’s financial system and the risk that
they carry.

In 2018, Xinjiang failed to pay a 500 million RMB (US$73 million), 270-day note that
was due. Besides the defaulted note, it had four notes maturing in the following seven
months totalling 2 billion RMB. A result of the default was a sell-off of Xinjiang and XPCC-
related bonds.

7.7.1.2 Assertions, Controls and Tests of Controls


Authorisation of debt issue and repayment transactions is a key control. Authorisation should
be carried out at the board level. A register of debt securities is maintained and periodically
reconciled to the General Ledger. Debt agreements should be securely retained.

Cash payments including interest and repayments are controlled in the same way as other
cash payments – through the cash cycle.

Exhibit 7.22 identifies common controls over debt securities and relevant audit tests for
those controls.

Debt securities – key risk is understatement (completeness)

| Assertion | Control | Test |
|---|---|---|
| Existence | Securities register, bond indentures, board minutes. | Review board minutes for evidence of approval of new entries in the securities register and the related terms as identified in the indenture agreements. |
| Valuation | Cash payments should be processed through the cash cycle, or by a trustee. | Inquire about control over cash payments. |
| Completeness | Reconcile securities register with general ledger. | Review reconciliation. |
| Completeness | Interest payments are made by a trustee or through an imprest bank account. | Enquire about payment with trustee; review imprest bank account reconciliation. |
| Rights and obligations | Debt agreements should be securely retained. | Sight new debt agreements. Verify covenants. Retain permanent file copies. |

EXHIBIT 7.22 Controls and control tests for debt securities

7.7.1.3 Analytical Procedures


Simple comparisons: Compare the securities register with the prior year. Compare interest
payments with prior years.

Financial ratios: Where indenture agreements specify minimum working capital ratios or
maximum debt/equity ratios, these ratios must be reviewed.

Illustrative Example 10 – GEM


GEM’s statement of profit and loss shows that finance expense is down 50% (HK$6
million to HK$4 million). It should be noted that these costs are not likely to contribute to
a material error in the financial statements as the net profit is HK$186 million. Materiality
is likely to be between HK$9 million and HK$18 million (5% to 10% of net profit).
However, inquiries should be made as to the terms of the loans and the applicable
interest rates.

GEM’s statement of financial position shows that borrowings have declined 21%
(HK$140 million to HK$110 million). To a degree this explains the reduction in the finance
expense. Repayment of these liabilities should be agreed to board minutes, the bank
confirmation and other loan documentation.

A question arises about the accuracy of the finance expense. The interest rate appears
low as the cost is HK$4 million and the average borrowings are (HK$110 million + HK$140
million)/2 = HK$125 million. The indicated interest rate is HK$4 million/HK$125 million =
3.2%. Further inquiries are indicated.

7.7.1.4 Audit Assertions and Tests of Details


Exhibit 7.23 identifies substantive tests of details relevant to assertions associated with the
long-term liability accounts.

| Assertion | Substantive test of detail |
|---|---|
| Existence | Obtain direct confirmation from lenders. Ensure that instruments are not in default by reviewing management’s working papers or re-calculating to ensure compliance with debt covenants. Obtain the securities register and vouch additions to debt agreements to indenture documents and board minutes. |
| Valuation/accuracy | Vouch entries in the securities register to receipts in the bank statement and the debt agreement. Review underwriting agreements. Recalculate interest expense and trace to the cash payments journal or confirm with the trustee. The use of an auditor’s expert may be required (e.g. an actuary for pension obligations). |
| Completeness | Vouch debt repayments to the bank statement. Review transactions near the year end for proper cut-off. Review material cash receipts transactions. Review board minutes and cash book to confirm that all loans have been recorded. Trace new debt agreements to the securities register and the general ledger. Review material cash payment transactions. |
| Obligations | Review debt indentures. |
| Classification | Ensure that instruments are not in default by reviewing management’s working papers or re-calculating to ensure compliance with debt covenants. If breached, the instrument may be a current obligation. |

EXHIBIT 7.23 Tests of details for debt securities and long-term liabilities

7.7.2 Share Capital


Shareholders’ equity includes both share capital and reserves. A variety of different classes of
preference and ordinary shares may be issued and each should be appropriately disclosed. A
share register and a register of members should be maintained. In many cases, these records
will be retained by third parties (brokers).

Other accounts include:

• Dividends declared

• Dividends payable

• Retained earnings and reserves

7.7.2.1 Risk
There are relatively few share transactions, but these are often very material. Auditors will most
likely verify all transactions. Transactions should be detailed in board minutes. In some cases,
shares will be issued to purchase a subsidiary or other asset and risk exists about the value
of the asset obtained. When shares are issued for cash, controls should be exercised over the
allotment monies until all the conditions of the share issue have been met.

Legal relationships between shareholders and the entity make compliance with regulations
an important consideration for the auditor.

Valuation and disclosure assertions are most at risk. Numerous disclosures are required
for each class of shares, including the number of shares issued, share options and convertible
features. These matters affect the proper calculation and presentation of earnings-per-share
disclosures (see HKAS 33 Earnings per Share).

An entity is only permitted to pay dividends from realised profits less realised losses. A
significant risk in equity is the creation of fraudulent or otherwise inappropriate reserves. Such
reserves have been used to manipulate profit. Reserves must be valid and consistent with the
accounting standards.

In some cases, doubt exists about whether an instrument qualifies as debt or share capital.
Proper classification is important.

Exhibit 7.24 identifies common risks associated with the share capital account.

| Inherent risk | Reason for fraud/theft | Assertions at risk |
|---|---|---|
| Payment of share or cash dividends | Dividends can only be paid from appropriate reserves | Occurrence of dividends |
| Purchase and sale of treasury stock | Misappropriation of assets | Existence; completeness of treasury stock |
| Adjustments to retained earnings | Overstatement of profit | Existence; valuation of retained earnings |
| Inappropriate reserves | Overstatement of profit | Existence; valuation of reserves |

EXHIBIT 7.24 Inherent risk in share capital

7.7.2.2 Assertions, Controls and Tests of Controls


Authorisation of share issue and repurchase transactions and agreements, including options,
warrants and rights, and of dividend payments, is a key control. Authorisation should be
carried out at the board level. Segregation of duties including authorisation, record-keeping
and custody of cash and share certificates is important. Cash payments including dividends and
repurchases of shares are controlled in the same way as other cash payments – through the
cash cycle. Imprest accounts are often used for dividend payments.

A company search provides information about share movements during the year.

Exhibit 7.25 identifies common controls over share capital and audit tests that might be
applied to those controls.

Share capital – key risks are valuation and disclosure

| Assertion | Control | Test |
|---|---|---|
| Existence | Approval of new share issues and other share transactions | Sight approval of new entries and other transactions in board minutes and articles; inquire about new issues |
| Valuation | Cash payments should be processed through the cash cycle or a trustee or broker | Inquire about control over cash payments |
| Completeness | Reconcile share register with GL | Review reconciliation |
| Rights and obligations | Articles of incorporation – provisions for capital | Review articles for compliance |

EXHIBIT 7.25 Controls and control tests for share capital

Note: 1. A company search can be obtained from the HK Companies Registry Cyber Search
Centre. Some of the information provided includes:

• Organisation name

• Unique identification number

• Type of company

• Registration date

• Locality of registered office

• Share capital

• Roles and relationships

7.7.2.3 Analytical Procedures


Simple comparisons: Compare share capital, reserves, dividend expense and other relevant
accounts with prior year.

Illustrative Example 11
GEM’s statement of financial position shows that the Share Capital account has declined
by 9% (by HK$5 million). This is unusual and may indicate a share buy-back. Inquiries are
necessary.

The Reserves account shows an increase of 42% (HK$40 million to HK$57 million).
Inquiries are necessary. The increase may be linked to a revaluation of assets.

7.7.2.4 Audit Assertions and Tests of Details


Exhibit 7.26 provides a listing of common substantive tests of details for the share capital
account.

| Assertion | Substantive test of detail |
|---|---|
| Existence | Obtain a schedule of share transactions for the year (including options, treasury stock, etc.) and vouch additions to the company search. Agree new issues to board minutes and articles of incorporation. Review material cash receipts and payment transactions. |
| Valuation/accuracy | Vouch share issues to receipts in the bank statement. Recalculate dividend expense and trace to the cash payments journal, the bank statement and retained earnings. Ensure dividend payment does not exceed distributable reserves. Review all entries to retained earnings for conformity with HKAS. |
| Completeness | Review transactions near the year end for proper cut-off. Review material cash receipts. Review dividend payment obligations relating to cumulative preference shares. |
| Rights and obligations | Review statutory books and records. Review compliance with terms of issue for each class of shares. |

EXHIBIT 7.26 Tests of details for share capital

7.7.3 Provisions and Contingencies


This section of Chapter 7 does not mirror the format of those above because provisions and
contingencies are unusual and available audit procedures are limited.

Provisions are liabilities caused by past events where some uncertainty exists about the exact
timing or amount of the liability. Provisions may be recognised in the accounts (see below).
Contingent liabilities and assets are similar, but the outcome is dependent on a future event,
and so they are not recognised in the financial statements, but they are disclosed in the notes.
HKAS 37 Provisions, Contingent Liabilities and Contingent Assets provides the following definitions:

• Provisions are liabilities of uncertain timing or amounts arising from a past event.
Provisions are recognised when an outflow of resources is probable, and a reliable
estimate can be made.

• Contingent liabilities are possible obligations arising from past events that will be
confirmed by an uncertain future event. Contingent liabilities are not recognised (they
do not qualify as provisions) because either the outflow of resources is not probable or
no reliable estimate is possible. Contingent liabilities should be disclosed.

• Contingent assets are possible assets arising from past events that will be confirmed
by an uncertain future event (e.g. a legal claim). Contingent assets are not recognised
and should only be disclosed where an inflow is probable.

Provisions and contingencies typically arise in litigation. Other sources include debt
guarantees, sales or purchase commitments, possible expropriation of assets, or agreements
to repurchase receivables that have been sold.

7.7.3.1 Audit Programme for Provisions and Contingencies


Inquiries of management are the primary source of information about provisions and
contingencies. When required, further information can be sought from the entity’s legal
counsel. For information about procedures required when communicating with the client’s legal
counsel, see HKSA 501 Audit Evidence – Specific Considerations for Selected Items.

Audit procedures relevant to provisions and contingencies include:

• Inquire about management’s procedures for identifying provisions and contingencies.

• Review corporate minutes, contracts and bank confirmations.

• Obtain management’s schedule of provisions and contingencies, including legal claims.

• Communicate with the client’s legal counsel(s). The legal counsel should be asked to
comment on the completeness and substance of management’s listing of legal issues.
The counsel should also be asked to describe progress to date and estimate the likely
loss (or benefit).

• Consider the appropriateness of recognition and/or disclosures consistent with HKAS
37 Provisions, Contingent Liabilities and Contingent Assets.

• Examine management’s estimates for provisions. See Chapter 6 Sections 6.5.1 and 6.5.2
for audit procedures related to accounting estimates and fair values.

• Compare the amount provided with any post year-end payments and with any amount
paid in the past for similar items.

Illustrative Example 12
GEM’s statement of financial position shows a provision account that has increased by
13% over the prior year (HK$40 million to HK$45 million). Reference should be made to
the permanent audit file in which the details of the prior year’s provision will be found,
and inquiries should be made of management as to their current estimate. It is possible
that the prior year’s estimate has been revised or that new matters have arisen.

Apply and Analyse 8


An audit client is being sued for HK$5 million. Identify the action the auditor should take
following each of the responses to the auditor’s letter of inquiry received from the client’s
legal counsel.

1. The counsel stated that there is only a remote chance that the client would lose the
case. The client did not accrue any loss or make any disclosures.

2. The counsel stated that the client would probably lose the case and the loss would
be between HK$2.5 million and HK$5 million. The client did not accrue any loss but
did disclose the situation.

3. The counsel stated that the client would probably lose the case and the loss would
be between HK$2.5 million and HK$5 million, but most likely HK$4 million. The
client accrued a contingent loss of HK$2.5 million and made disclosures.

Analysis

1. The existence of the legal case means there is a possible obligation that will be
determined by an uncertain future event. It is not a provision because no reliable
estimate can be made and also because an outflow of resources is not probable. It
is therefore a contingency. Contingencies should be disclosed. The auditor should
ask management to provide the disclosure.

2. The existence of the legal case means there is a possible obligation. While an
outflow is probable, it is not a provision because no reliable estimate can be made.
It is therefore a contingency. Contingencies should be disclosed. The auditor
should review management’s disclosure.

3. The existence of the legal case means there is a possible obligation. An outflow
is probable and a reliable (most likely) estimate can be made, so it is a provision
and should be disclosed. As management’s accrual is less than the legal counsel’s
estimate, the auditor should ask management to adjust the accrual. The auditor
should also review management’s disclosure.

7.8 SEGMENT INFORMATION

This section of Chapter 7 does not mirror the format of those above because the auditor is not
required to perform audit procedures that would be necessary to express an opinion on the
segment information and required audit procedures are limited.

HKFRS 8 Operating Segments requires management to report segment financial information
in a manner consistent with the operating segments of the business, and other segment
information as appropriate (e.g. by geographic area or by product line). Segment information
must be reconciled to the financial statements.

HKSA 501 Audit Evidence – Specific Considerations for Selected Items provides brief guidance
for the audit of segment information (para. 13 and A27). The auditor shall obtain evidence
regarding the presentation and disclosure of segment information by understanding the
methods used by management in determining segment information. Where appropriate, the
auditor should test the application of management’s methods.

Audit procedures might include:

• Ensure that segments meet the definition of an operating segment. Generally, financial
information is required to be reported on the same basis as is used internally by the
client for evaluating operating segment performance.

• Ensure appropriate disclosure of the way the operating segments were determined and
the products and services provided by the segments.

• Test reconciliations of amounts disclosed for reportable segments with the entity’s
financial statements. In this context, ensure appropriate elimination of sales, transfers
and charges between segments and elimination of inter-segment amounts.

• Perform analytical procedures appropriate in the circumstances, like comparisons with
budgets or consistency with prior periods.

Knowledge Check Questions

Question 1
To test for unsupported entries in the ledger, identify the starting point for audit testing.
A Select a sample from the journal entries.
B Select a sample from the ledger entries.
C Select a sample from the original source documents.
D Select a sample from externally-generated documents.

Question 2
A bookkeeper recorded the receipt of a long-term bank loan by a debit to cash and a credit
to sales. Identify which of the following is the most effective procedure for detecting this
type of misstatement.
A Analyse bank confirmation information.
B Analyse the notes payable journal.
C Prepare a year-end bank transfer schedule.
D Prepare a year-end bank reconciliation.

Question 3
Identify what an auditor determines by tracing information on inventory count tags to the
physical inventory sheets.
A Inventory sheets do not include untagged inventory items.
B The final inventory is valued at cost.
C The inventory on the inventory sheets is complete.
D All inventory represented by an inventory tag exists.

Question 4
Your client sells a product that is subject to frequent technological improvements. Identify
on which of the following assertions you should concentrate your audit procedures for
inventory.
A Accuracy, valuation and allocation.
B Existence.
C Completeness.
D Rights and obligations.

Question 5
When perpetual inventory records are maintained and control risk for inventory is high,
identify what the auditor would do.
A Insist that the client perform physical counts several times during the year.
B Want the client to schedule the inventory count at the end of the year.
C Increase tests of controls around sales and purchases.
D Increase the extent of tests for unrecorded liabilities at the end of the year.

Question 6
A client’s physical count of inventory was higher than the inventory per the perpetual
records. Identify which of the following, if not recorded, could have caused this situation.
A Sales discounts.
B Sales.
C Purchase returns.
D Purchases.

Question 7
Identify which of the following assertions is addressed by confirming holdings of
marketable securities.
A Recorded securities are properly classified on the statement of financial position.
B Recorded securities are the property of the client.
C Recorded securities are appropriately valued in accordance with accounting standards.
D The internal control system for recorded securities is functioning effectively for the
period of the audit.

Question 8
Identify what is likely if an auditor discovers significant debits to accumulated depreciation.
A The prior year’s depreciation charges were understated.
B There were numerous fixed asset retirements during the year.
C There were numerous fixed asset purchases during the year.
D A reserve for possible loss on retirement has been recorded.

Question 9
In violation of company policy, your client capitalised the cost of painting its warehouse.
Identify when you would most likely detect this.
A Examining maintenance expense accounts.
B Observing during the inventory observation that the warehouse had been painted.
C Examining the construction work orders supporting items capitalised during the year.
D Discussing the capitalisation policies with the client’s financial controller.

Question 10
Identify what is one of the major reasons for preparing a reconciliation between interest-
bearing obligations outstanding during the year and interest expense.
A Ascertain the reasonableness of accrued interest.
B Detect unrecorded liabilities.
C Determine the validity of prepaid interest expense.
D Assess control risk for securities.

Question 11
When a client does not maintain its own share records, identify for which of the following
the auditor should obtain a confirmation.
A Shares subject to agreements to repurchase.
B Guarantees of preferred share liquidation value.
C Restrictions on the payment of dividends.
D The number of shares issued and outstanding.

Question 12
Identify why substantive testing is typically used to audit shareholders’ equity.
A The number of transactions is small.
B Controls over equity transactions are weak.
C A reliance strategy is most efficient.
D The control environment over equity is usually strong.

Question 13
Identify which of the following audit procedures is least likely to detect an unrecorded
liability.
A Re-computation of depreciation expense.
B Re-computation of interest expense.
C Reading of the minutes of meetings of the board of directors.
D A bank confirmation request.

Question 14
Identify which of the following is an audit procedure to test dividend income on
investments in marketable securities.
A Tracing deposits of dividends to the cash receipts book.
B Comparing the amounts received with the preceding year.
C Reconciling amounts received with published dividend records.
D Re-computing dividend schedules and reconciling to the general ledger.

Question 15
A manufacturer of building hardware has engaged you to complete an audit of their
financial report. The company maintains a computerised inventory application that is
updated from receiving reports and sales invoices. The company conducts an annual
inventory count.
You note:
1. Some containers in the warehouse are empty.

2. Some items in the warehouse appear to be very old.

3. It is not clear that the stock is correctly valued at the lower of original cost or
market (net realisable) value.

Required: For each of the issues identified above, state the financial report assertion at risk
and identify one substantive test to reduce the risk to an appropriate level.

Question 16
Jones Pty Ltd (JPL) is a food wholesaler that imports goods from an overseas manufacturer.
The accounts payable clerk handles all purchases of inventory, buying in bulk to achieve
maximum discounts. She updates the stock records and the accounts payable sub-ledger
when goods are delivered and approves the payment of supplier’s invoices.
Identify one assertion that is at significant risk. Explain your choice and identify one
substantive test that would provide evidence about this risk.

Question 17
Identify three audit assertions that would apply to the audit of trade receivables. For
each assertion, list two specific types of audit evidence that would address the auditor’s
objective regarding that assertion.

SUMMARY

• Audit procedures are used by the auditor to gather and evaluate audit evidence. Together, the
audit procedures used in an audit engagement comprise the audit programme.

• The aim of Chapter 7 was to illustrate an audit programme for a typical audit engagement
and familiarise candidates with established audit procedures used for testing management’s
assertions (e.g. existence, occurrence, accuracy, rights, etc.).

• Each audit is unique and standardised audit programmes are adjusted to reflect the nature of
the client’s business and industry, and the identified inherent and control risks presented by
the client.

• As is common in audit engagements, the audit programme presented in Chapter 7 was
organised around transaction cycles and groups of accounts that use the same documents
and informants. For example, the revenue cycle is based around sales, trade receivables, sales
returns and allowances, the allowance for doubtful debts and other related accounts; revenue
cycle informants include customers, the sales manager, the credit manager and others.

• Each section of Chapter 7, as far as possible, used the same structure and format for each
group of accounts.

  ◦ First, relevant accounts were identified and a brief description of the accounting cycle
    was provided.

  ◦ The second part of the section provided a description of common risks that might be
    encountered by the auditor in the audit of those accounts.

  ◦ The remaining three parts of the section provided examples of audit procedures for
    testing the management’s assertions that comprise the financial statements. Part three
    illustrated tests of controls, part four illustrated analytical procedures and part five
    illustrated tests of details.

• Tests of controls are designed to provide evidence about the effectiveness of control activities
and control risk. Substantive tests include analytical procedures and tests of details and are
designed to provide evidence of misstatements in the financial statements and inherent risk.

• In selecting audit procedures, the auditor must balance the potential effectiveness, relevance
and reliability of the procedures in meeting the objectives of the audit against the cost
(efficiency) of the procedures. Common procedures include inspection of documents or
physical evidence, tracing, vouching, observation of procedures, written or oral inquiry,
confirmation, re-calculation, re-performance and analytical procedures.

MIND MAP

THE AUDIT PROGRAMME

• REVENUE CYCLE: Risk; Controls and tests of controls; Analytical procedures; Tests of detail
• PURCHASES CYCLE: Risk; Controls and tests of controls; Analytical procedures; Tests of detail
• PAYROLL: Risk; Controls and tests of controls; Analytical procedures; Tests of detail
• BANK AND CASH: Risk; Controls and tests of controls; Analytical procedures; Tests of detail
• FINANCIAL INSTRUMENTS: Risk; Controls and tests of controls; Analytical procedures; Tests of detail; Illiquid financial instruments
• NON-CURRENT ASSETS: Risk; Controls and tests of controls; Analytical procedures; Tests of detail
• LIABILITIES AND EQUITY: Risk; Controls and tests of controls; Analytical procedures; Tests of detail
• SEGMENT INFORMATION: Key audit procedures

Answers to Knowledge Check Questions

Question 1
Answer A is incorrect. This is because it would only provide evidence about the journal
entries and not the ledger entries, as specified in the question.
Answer B is correct. To test whether entries in the ledger are supported, the auditor selects
ledger entries and vouches them back to the original source documents. This verifies the
assertion of existence (for the ledger entry) and occurrence for the original transaction.
Answer C is incorrect. It describes tracing, where the direction of testing is opposite to that
required to test whether ledger entries are supported. By starting with source documents
and tracing to the ledger entries, the auditor verifies the assertion of completeness.
Answer D is incorrect. This is for the same reason explained in C above.

Question 2
Answer A is correct. The bank confirmation would show new bank loans. The auditor would
then be able to identify that it had not been recorded as a loan liability.
Answer B is incorrect. As the credit entry has been incorrectly recorded as a sale, it is likely
the notes payable journal was also in error.
Answer C is incorrect. A schedule of bank transfers for ‘kiting’ would result in an
overstatement of cash. It would not therefore detect the incorrect credit to sales.
Answer D is incorrect. The bank reconciliation focuses on the cash account. The cash
account was not in error as the debit was correctly recorded, so the bank reconciliation
would not pick up this error in sales.

Question 3
Answer A is incorrect. It is describing testing in the opposite direction to that stated in the
question. This option describes a test for existence, which would vouch backwards from
the sheets to the tags.
Answer B is incorrect. This test focuses on inventory quantity and not on dollar value.
Answer C is correct. This is because tracing forward is a common completeness test.
The procedure verifies that all inventory counted and tagged ends up recorded on the
inventory count sheets.
Answer D is incorrect. Although a tag indicates that the inventory physically exists, the
question focused on why the tags were traced to the inventory listing.

Question 4
Answer A is correct. Frequent technological improvements can result in stock becoming
obsolete and obsolete stock is generally overvalued.
Answer B is incorrect. While obsolete stock may exist, the key assertion at risk is valuation.
Changes in technology will not affect the existence of inventory.
Answer C is incorrect. Completeness (or understatement) is a minor risk with inventory.
Answer D is incorrect. This is because obsolescence will not affect ownership rights of
the stock.

Question 5
Answer A is incorrect. Cycle counts are common, but in this case they do not replace the
need for a year-end count.
Answer B is correct. The quality of substantive tests of accounts in the statement of the
financial position is enhanced when tests are carried out at the balance date. The high
control risk indicates the need for more reliable evidence and evidence at the balance date
is the most reliable for testing the year-end balance.
Answer C is incorrect. Although these are related issues, they do not directly address the
inventory risk.
Answer D is incorrect. Although unrecorded liabilities are possibly related to unrecorded
purchases, these tests do not directly address the key risk to the inventory.

Question 6
Answer A is incorrect. The failure to record sales discounts would lead to inventory
valuation being misstated, but would not affect completeness.
Answer B is incorrect. Not recording sales would lead to lower inventory quantities on hand
than those shown in the sub-ledger.
Answer C is incorrect. Not recording purchase returns would lead to lower inventory
quantities on hand than those shown in the sub-ledger.
Answer D is correct. Unrecorded purchases would lead to stock quantities in excess of the
inventory listing.

Question 7
Answer A is incorrect. The confirmation does not provide evidence about classification.
Classification of marketable securities is normally as current.
Answer B is correct. The third party will identify only those securities owned by the client.
Answer C is incorrect. The valuation of marketable securities at fair value is obtained from
market quotations and not from confirmations.
Answer D is incorrect. External trustees are an external control mechanism and not part of
the internal control system.

Question 8
Answer A is incorrect. While this is possible, it is not the most likely explanation. If assets
were not disposed of (see answer B) then the auditor should follow up to ensure expenses
are not understated.
Answer B is correct. When assets are disposed of, the related accumulated depreciation
account is debited.
Answer C is incorrect. This is because purchases would lead to credits (increases) to
accumulated depreciation and not debits.
Answer D is possible, but a more appropriate approach would be to increase the
depreciation expense. Follow up is required.

Question 9
Answer A is incorrect. The painting cost would not appear in the maintenance account. This
is the error, as it has been incorrectly capitalised.
Answer B is incorrect. This is because observing the new paint job does not provide
evidence on how it was accounted for.
Answer C is correct. Invoices and work orders would identify the nature of the expenditure
and reveal the error.
Answer D is incorrect. While the matter may be revealed through this conversation, it is
possible that the controller may not be aware of the error.

Question 10
Answer A is incorrect. While the reconciliation may raise issues about the interest expense,
the major objective of the procedure is to test the completeness of the liability.
Answer B is correct. Where the interest expense has increased, new liabilities are
anticipated and should be in the liability listing.
Answer C is incorrect. The question does not involve prepaids.
Answer D is incorrect. While the reconciliation is one type of control procedure, a
combined audit is unlikely for long-term liabilities. The more common strategy is a
substantive audit.

Question 11
Answer A is incorrect. Such share agreements are likely to be internal to the client and
unknown to the registrar.
Answer B is incorrect. These matters are found in the details of the incorporation
documents. A confirmation is not needed as evidence.
Answer C is incorrect. These matters are likely to be found in the details of debt
indentures. An external confirmation is not needed as evidence.
Answer D is correct. The trustee or registrar will have information about shares issued and
outstanding.

Question 12
Answer A is incorrect. This is a supporting reason for the correct answer B.
Answer B is the correct answer, because this is the main reason a substantive approach is
taken to any account.
Answer C is incorrect. An audit strategy is either combined or substantive. A reliance
strategy is not defined.
Answer D is incorrect. A strong control environment is unlikely due to the size, complexity
and infrequency of transactions, and a strong control environment would lead to a
combined not a substantive testing audit strategy.

Question 13
Answer A is correct. Depreciation expense may be related to new assets and new debt, but
this is the most indirect means of identifying new (unrecorded) debt.
Answer B is incorrect. Interest expense is likely to fluctuate with total debt, and increases in
the expense indicate new debt.
Answer C is incorrect. Minutes should record intentions/approvals of new debt and hence
could identify unrecorded liabilities.
Answer D is incorrect. Bank confirmations will detail and identify bank-related debts
(liabilities of the client to the bank).

Question 14
Answer A is incorrect. This procedure does not test the completeness of dividend income.
Answer B is incorrect. This analytical review procedure provides some weak evidence but is
not a direct test of existence or completeness in the current year.
Answer C is correct. It is the most reliable procedure, as it relies on third party information.
Answer D is incorrect. Re-computing provides some evidence but does not deal with the
completeness risk.

Question 15
Assertions below are suggestions; other possibilities exist:
• Empty containers: Existence of inventory. Test: Observe inventory count
procedures to ensure the containers are opened and the contents are checked.
• Old items: Valuation of inventory. Test: Inquire about management’s procedures
for identifying obsolete stock.
• Net realisable value: Valuation of inventory. Test: Use sales records to identify stock
items that have a very slow turnover. Test recent sales price against recorded cost.

Question 16
A number of assertions are at risk. Existence of both inventory and accounts payable are
illustrated here. The clerk could create a fraudulent purchase and pay themselves or a
related party on the basis of a fraudulent invoice and receiving report.
• A test for the existence of inventory is to vouch a sample of inventory sub-ledger
entries to the inventory count sheets.
• A test for the existence of accounts payable is to vouch sub-ledger entries to the
supplier’s monthly statements.

Question 17
Three of the following:
• Existence. Select a sample from the inventory records and agree to the physical
inventory. Look for empty containers during the sample count.
• Valuation and allocation. Identify slow-moving stock from the inventory records.
Examine them, and make enquiries, to determine if they are damaged or obsolete.
Alternatively, undertake a general observation of inventory in the warehouse,
looking for obsolete or damaged stock.
• Valuation and allocation. Check subsequent or year-end sales prices and compare
with recorded cost to ascertain whether the correct valuation method (lower of
cost and NRV) has been applied.
• Completeness. Select inventory items from the count sheets, or from receiving
reports, and trace the items to the inventory sub-ledger.
• Rights. Select purchase requisitions or purchase orders and ensure that the
purchaser is the client entity. Trace items to the supplier invoice and ensure that
this is addressed to the client.

EXAM PRACTICE

QUESTION 1
All Best Corporation (ABC) is an online home appliance distributor that offers more than
a million items for sale on its website. You are the auditor of ABC and are now planning
the information technology (IT) audit process. ABC has implemented the following three IT
applications:

1. ‘FIN’ is the accounting system.

2. ‘BUY’ is the sales system that processes the orders placed by the customers.

3. ‘CUS’ is a standalone system that contains all details of ABC’s customers and is used for
marketing.

The following is an excerpt of the documentation prepared by the audit team:

Customer orders: Each customer has a user account in the BUY system. The customer is
required to log on to the BUY system with a passcode before placing an order.

Checking: A customer is required to key in the item code and the requested quantities.
All the goods are stored in ABC’s warehouse. The BUY system checks the inventory list
to ensure there is stock available. If available, the BUY system will confirm the order and
an invoice number with a bar code will be assigned. The customer then pays by credit
card. Once payment is confirmed, the BUY system will arrange delivery of the item to
the customer.

Delivery: Goods are delivered by an external logistics company. For each completed
order, the BUY system sends the logistics company a delivery note with the same bar
code printed on it. When goods are delivered, the logistics company scans the bar code on
the delivery note to evidence the delivery. Every day, the logistics company sends ABC an
electronic file of all the scanned bar codes.

Posting of sales: The BUY system reconciles the bar codes sent from the logistics company
with its own records. Sales are recognised and posted to FIN when the bar codes sent by the
logistics company are matched to invoices recorded in the BUY system.

Required:

(a) Propose audit procedures to test the effectiveness of the general controls of ABC’s IT
applications.

(b) If the general controls of ABC’s IT application(s) that you advised to test in part (a)
are found to be effective, advise what application controls you will test for the sales
process of ABC.

QUESTION 2
You are the auditor of Think Limited, which is a furniture manufacturer with a factory in
Dongguan, China. An analysis of the company’s control system reveals that controls are
generally good and control risk should be low. During the planning of the audit for the year
ended 31 March 20X4, you obtained the following financial information:

| | 20X4 HK$ million | 20X3 HK$ million |
|---|---|---|
| Revenue | 525 | 285 |
| Cost of goods sold | 350 | 242 |
| Gross profit | 175 | 43 |
| Property, plant and equipment | 425 | 495 |
| Trade receivables | 232 | 75 |
| Trade payables | 155 | 105 |

Required:

Provide an audit programme for the occurrence of revenue.

QUESTION 3
House Store Limited (‘House’) is a mini-store selling household accessories. As at
31 December 20X5 and 20X4, House had the following key trade payables:

| Suppliers | Nature of balance | 20X5 Amount HK$ | 20X4 Amount HK$ |
|---|---|---|---|
| A | Accessories supply | 20,000 | 25,000 |
| B | Accessories supply | 30,000 | 35,000 |
| C | Accessories supply | – | 50,000 |
| D | Accessories supply | 35,000 | – |
| E | Construction | 13,000 | 13,000 |
| Other with balance less than HK$1,000 each | | 30,000 | 35,000 |
| Total | | 128,000 | 158,000 |

You are the auditor of House for the year ended 31 December 20X5. The risk of material
misstatement for the completeness of trade payables is high. Your audit strategy will be
based mainly on substantive tests.

Required:

Propose substantive audit procedures to test the completeness of trade payables.

QUESTION 4
Rent Limited (RL) supplies portable restrooms which are widely used at construction sites
and corporate functions. You are the audit engagement senior and have been asked to plan
the year-end audit procedures for the fixed assets of RL.

• Over 70% of RL’s total assets are sanitation equipment.

• RL’s sanitation equipment (i.e. over 300 portable restrooms and pumping systems)
are all rented out most of the time. These items of sanitation equipment are usually
held at the customers’ premises and RL keeps a good record of the locations of
these items of sanitation equipment.

• RL has been very profitable and received very good comments from its customers
on service quality.

• RL’s office and warehouse are located in the New Territories. RL has a team
responsible for equipment cleaning and maintenance.

• During the year, the management of RL purchased 100 more portable restrooms
and spent a significant amount on 100 existing portable restrooms to improve their
facilities and design.

Since most parts of the sanitation equipment are very durable, RL adopts a depreciation
policy that is comparable to other industry players. The sanitation equipment is depreciated
over 10 years.

Required:

(a) Assess the risks of material misstatements of fixed assets in terms of the existence and
valuation assertions and explain your views.

(b) Propose the relevant audit procedures in response to the risks identified in part (a) over
the existence assertion.

QUESTION 5
The following issues were discovered during the audit of the cash account.

1. The company had overstated cash by transferring funds at year end to another account,
but failed to record the withdrawal until after the year end (kiting).

2. The controller took cash for personal purposes. The cover-up was executed by
understating outstanding cheques in the monthly bank reconciliation.

3. A cheque written to a supplier had been recorded twice in the cash payments journal to
cover a cash shortage.

Required:

For each issue,

(a) Identify the audit procedure that most likely would have led to the discovery of the
error.

(b) Identify a control that would have prevented or detected the issue.

QUESTION 6
Lau Co. Ltd issued HK$100 million of 12% convertible debt instruments on 1 January 20X1.
The debt instruments are registered in Hong Kong. The redemption date is 31 December
2015 and conversion can take place in January of any year.

Required:

Design an audit programme for Lau Co.’s securities for the current year ending 31 December
20X1.

ANSWERS TO EXAM PRACTICE

QUESTION 1
(a) General controls are tested to ensure that controls and procedures are adequate
to provide secure and effective design and operation of the computer facilities. The
auditor may perform the following procedures:

• Verify there is segregation of duties (e.g. computer programming and operating) to
reduce the risk of employee fraud.

• The auditor can inspect the entity’s standards over the system design, programming
and documentation.

• Verify by inquiry and inspection that there are comprehensive written procedures
for IT operations and that any changes are appropriately documented. The auditor
could inspect program logs.

• Verify the access to computer terminals is properly authorised and controlled by
passwords or scan cards.

(b) If the general controls are effective, the auditor can identify and test the effectiveness
of the application controls. Application controls are particular to an application and
may have a direct impact on the processing of individual transactions. They include
controls that help to ensure the proper authorisation, completeness and accuracy of
transactions. Applications relevant to the audit include FIN and BUY.

• Check for duplicate customer accounts in BUY.

• Check the existence of the transactions by vouching the sales journal in FIN to the
delivery report from the logistics company and to the credit card receipts.

• Check the password control in BUY to confirm secure log-in of customers.

• Check the authorisation of sales transactions in BUY by vouching each sale to the
inventory records and to the credit card payment.

• Check the reconciliation of the bar codes reported by the external logistics
company. Verify that errors or mismatches are followed up.

  ◦ Inspect reports on unprocessed/uncleared transactions (e.g. unpaid invoices).
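
The bar-code reconciliation and the follow-up of mismatches listed above can be re-performed by the auditor on extracts from BUY, FIN and the logistics company's daily files. The Python below is an added example, not part of the module text; the record layout, function names and sample bar codes are constructed assumptions.

```python
"""Re-performing the BUY bar-code reconciliation on data extracts.

Added illustration: the record layout, names and sample bar codes are
constructed assumptions; the case does not describe BUY, FIN or the
logistics file at this level of detail.
"""
from collections import Counter


def normalise(bar_code):
    """Strip whitespace and upper-case so formatting noise is not a mismatch."""
    return bar_code.strip().upper()


def reconcile(buy_invoices, logistics_scans, fin_postings):
    """Compare the three sources and return findings grouped by audit concern.

    buy_invoices    -- bar codes of paid invoices recorded in BUY
    logistics_scans -- bar codes in the logistics company's daily files
    fin_postings    -- bar codes of sales posted to FIN
    """
    invoices = {normalise(c) for c in buy_invoices}
    scan_counts = Counter(normalise(c) for c in logistics_scans)
    post_counts = Counter(normalise(c) for c in fin_postings)
    scans, posts = set(scan_counts), set(post_counts)

    return {
        # Sale supported by both a BUY invoice and a delivery scan.
        "matched": sorted(posts & scans & invoices),
        # Occurrence: revenue posted with no evidence of delivery.
        "posted_without_delivery": sorted(posts - scans),
        # Occurrence: revenue posted with no underlying BUY invoice.
        "posted_without_invoice": sorted(posts - invoices),
        # Completeness: delivered and invoiced, but never posted to FIN.
        "delivered_not_posted": sorted((scans & invoices) - posts),
        # Mismatch that needs follow-up with the logistics company.
        "scans_without_invoice": sorted(scans - invoices),
        # Same bar code scanned or posted more than once.
        "duplicate_scans": sorted(c for c, n in scan_counts.items() if n > 1),
        "duplicate_postings": sorted(c for c, n in post_counts.items() if n > 1),
    }


def exceptions_only(result):
    """Drop clean matches and empty categories, leaving items to follow up."""
    return {k: v for k, v in result.items() if k != "matched" and v}


# Constructed sample extracts (not taken from the case).
BUY_INVOICES = ["INV-0001", "INV-0002", "INV-0003",
                "INV-0004", "INV-0005", "INV-0006"]
LOGISTICS_SCANS = ["INV-0001", "INV-0002", "inv-0003 ", "INV-0003",
                   "INV-0005", "INV-9999"]
FIN_POSTINGS = ["INV-0001", "INV-0002", "INV-0002", "INV-0003",
                "INV-0004", "INV-7777"]


if __name__ == "__main__":
    findings = reconcile(BUY_INVOICES, LOGISTICS_SCANS, FIN_POSTINGS)
    for category, codes in exceptions_only(findings).items():
        print(f"{category}: {', '.join(codes)}")
```

INV-0006 is invoiced but neither scanned nor posted, so it is correctly absent from the exceptions: under the process described, revenue is recognised only once the delivery scan is matched.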

QUESTION 2
The audit programme for the occurrence of revenue should be based on the auditor’s
assessment of inherent and control risks affecting that assertion. While no information
regarding control risk is available in the question, a combined audit strategy is initially
assumed here.

The large increase in revenue (84%) and gross profit (307%) compared with the prior
year indicates a risk of overstatement. Audit procedures may include:

Analytical review (see table below)

Perform an analytical review of the fluctuation of revenue and the gross profit margin.

• Ask management for the reasons for the increases in revenue and gross profit margin
with reference to the market situation. For example, has management initiated new
credit policies or cost cutting measures? Have new markets been entered?

• Perform an industry comparison and analysis to document whether the change in gross
profit margin is consistent with current market trends.

| Account | 20X4 HK$ million | 20X3 HK$ million | Increase % |
|---|---|---|---|
| Revenue | 525 | 285 | 84 |
| Cost of goods sold | 350 | 242 | 45 |
| Gross Profit | 175 | 43 | 307 |
| PPE | 425 | 495 | 14 |
| Trade receivables | 232 | 75 | 209 |
| Trade payables | 155 | 105 | 48 |

Controls. Perform control tests.

• Test for approvals of sales orders.

• Observe whether appropriate segregation of duties exists for custody of inventory and
cash, recording and approval.

• Test for approval of customers and their credit limits.

Where control tests prove unsatisfactory, it will be necessary to alter the audit
programme in order to emphasise substantive tests of details.

Substantive procedures.

• Select a sample from the sales journal and vouch to shipping documents, invoices and
sales orders to test occurrence and cut-off.

• Send confirmations to high-volume customers to confirm the total sales amount
for the year.

• Check sequence of sales journal for duplicate entries.

Presentation and disclosure.

• Review whether the entity has applied accounting standards for revenue recognition
consistently throughout the period.

QUESTION 3
The substantive audit procedures to test the completeness of trade payables include:

• Test the mathematical accuracy of the listing of trade payables and reconcile the total
of HK$128,000 with the general ledger.

• Vouch supplier accounts to supplier statements. Reconcile differences.

• Consider whether there could be significant unrecorded liabilities by making inquiries
of management.

• Ask management about balances with significant fluctuations, such as the balance with
Supplier C, which had decreased from the previous year from HK$50,000 to zero at the
current year end.

• Ask management about unusual items, such as the balance due to Supplier E, which is
construction in nature and is not related to House’s business.

• Examine files of unmatched purchase orders and supplier invoices for any unrecorded
liabilities.

• Examine post year-end transactions and subsequent payments and compare the actual
dates with the dates they were recorded in the ledger to check whether the cut-off has
been applied correctly.

• Confirm the balances with Suppliers A, B, D and E, and the balance with Supplier C
(zero balance) and a few suppliers with balances less than HK$1,000.

• Perform confirmations of trade payables. Perform follow-up procedures for those
confirmations that disagree with the information in the request and confirmations
without a reply.

• Perform comparisons of the following accounts to check for reasonableness:

  ◦ Current year balances for trade payables and accruals with the previous year.

  ◦ The amounts owed to a sample of individual suppliers in the trade payables listing
    to amounts owed to these suppliers in the previous year.

  ◦ The payables’ turnover and payables’ days with the previous year and with
    industry data.

QUESTION 4
(a) The risk of material misstatement of fixed assets in terms of existence is high because
the carrying value of sanitation equipment represents a significant part of the
company’s total assets and the amount of new additions of fixed assets during the year
is large.

The risk of material misstatement of fixed assets in terms of valuation is low
because the company has been profitable, and its sanitation equipment is rented to
customers most of the time during the year which indicates the fixed asset impairment
risk is low. The company’s depreciation policy is comparable to other industry players.

(b) In response to the risk of material misstatement of fixed assets in terms of existence
assertion identified in part (a), the relevant audit procedures should include:
• Ask the management to confirm whether they have physically inspected all the
sanitation equipment in the fixed asset register each year.

• Review the management’s physical count instructions and attend the
physical count.

• Obtain the fixed asset register from the management and reconcile the opening
and closing balances in terms of number of units and dollar value.

• Perform a physical inspection of a sample of the equipment. Ensure the inspected
items do exist, are in use and good condition and have the correct serial numbers.

• Test the current year’s fixed assets additions by inspecting supporting documents
such as supplier invoices and delivery notes.

• Arrange to obtain from third parties confirmations of the sanitation equipment
they hold.

QUESTION 5

| Issue | a. Audit procedure | b. Control |
|---|---|---|
| 1 | To test the cut-off of the bank accounts, the auditor should examine transfers between accounts around the end of the year. | Independent review (e.g. internal audit) of bank transfers at year end. |
| 2 | A sample of cash payments should be vouched to supplier invoices. | Segregation. The bank reconciliation should be prepared by a person with no access to cash. |
| 3 | Review of cash payments journal for duplicate entries. | Reconciliation of cash payments to supplier accounts in the journal. |

QUESTION 6
Audit programme for debt securities:

• Obtain a continuity schedule listing debt securities’ opening and closing balances and
movements during the period. Cast the listing and trace it to the general ledger. Agree
the opening balance to the prior year’s audited balance.

• Agree details of the securities listing to the bond agreement, minutes of the board and
the registration document. These should be filed in the permanent file. Review the note
disclosure for consistency with documents.

• Vouch the sale of the securities to cash receipts and the bank statement. If a broker
was used, confirm details of the transactions with the broker or agree to the broker’s
statement.

• Re-calculate the interest payable and agree to the cash disbursement.

• Inquire about the conversion of any of the securities and review the registration
document to ensure it reflects the conversion.

8 Using the Work of Others

CHAPTER TOPIC LIST

8.1 Reliance on the Work of Others
8.2 Internal Auditors
    8.2.1 Using the Work of Internal Auditors
    8.2.2 Documentation
    8.2.3 Recommended Improvements to the Internal Audit
8.3 Experts and Service Organisations
    8.3.1 Determining the Need for an Auditor’s Expert
    8.3.2 Audit Procedures Applied to the Work of an Auditor’s Expert
    8.3.3 Evaluating the Adequacy of the Work of the Auditor’s Expert
    8.3.4 Management’s Expert
    8.3.5 Service Organisations

LEARNING OUTCOMES

PRINCIPAL LO1: PERFORM ASSURANCE ENGAGEMENTS

LO1.07: Prepare, plan and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Management,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on:
Internal Audit
1.07.01 Explain the purpose of an internal audit function and the types of work undertaken
1.07.02 Recommend the relevant work that internal audit could undertake in an entity
1.07.03 Recommend improvements to an entity’s internal audit function

LO1.11: Prepare, plan and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Management,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on:
Audit Evidence
1.11.07 Illustrate why an auditor may rely on the work of others, including internal audit, experts
(e.g. experts in cyber security) and service entities
1.11.08 Develop procedures to make use of the work of others, including internal audit, experts
and service entities

OPENING CASE

FLASH LTD

Flash is a jewellery retailer and gemstone wholesaler. The company’s head office is in
Hong Kong and it has a chain of stores in major Asian and European cities from which they
sell jewellery to the public and gemstones to independent jewellers. The company buys their
stock mainly through auction at international trade shows. Their buying group comprises
specialists in diamonds, opals, emeralds, and other precious and semi-precious gems. Given its
inventory and international business, Flash’s functional currency is US dollars. Each of their 50
stores holds a stock of jewellery valued at approximately US$5 million and gemstones valued at
approximately US$3 million. The value of a gemstone is influenced mainly by its weight, shape,
colour, and consistency.

An additional gemstone inventory valued at US$100 million is held by Secure Co, a security
company. Secure Co keeps the inventory in highly secure premises in Zurich and delivers gems
as required to Flash stores throughout Europe and Asia. Secure Co also manages the security at
all of Flash’s stores.

Flash has an internal audit department. The internal audit’s role includes a review of
organisational efficiency, monitoring of the organisation’s control system, and oversight of
the security of the inventory, which comprises 80% of the assets of the company. The internal
audit department employs one gemstone valuation expert and two qualified internal auditors,
together with eight support staff.


OVERVIEW

This chapter deals with four scenarios where the external auditor of an entity relies on the work
of others.

1. The first scenario arises when the external auditor uses the work of the client’s internal
auditor to improve audit efficiency.

2. The second arises when the external auditor uses an auditor’s expert to perform
audit procedures that the auditor is unable to perform for themselves; for example, the
valuation of gemstones.

3. The third scenario arises when management employ or acquire the services of a
management’s expert to provide information that affects their financial statements
(e.g. financial instrument valuers, property valuers, or actuaries).

4. The fourth scenario arises when the client outsources some activities that affect their
financial statements to a service organisation because the service organisation is
able to provide the service at a lower cost than could be obtained by providing the
service in-house.

8.1 RELIANCE ON THE WORK OF OTHERS

Three main auditing standards directly address the auditor’s reliance on the work of others:

1. HKSA 610 (Revised 2013) Using the Work of Internal Auditors.

2. HKSA 620 Using the Work of an Auditor’s Expert.

3. HKSA 402 Audit Considerations Relating to an Entity Using a Service Organisation.

Other auditing standards that have an indirect bearing on using the work of others include:

1. HKSA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in
Accordance with Hong Kong Standards on Auditing.

2. HKSA 220 (Revised) Quality Management for an Audit of Financial Statements.

3. HKSA 315 (Revised 2019) Identifying and Assessing the Risks of Material Misstatement.

4. HKSA 500 Audit Evidence.

The following sections discuss matters specific to each type of ‘other’ party. Using the work
of each of the three types presents the auditor with similar concerns. The main things that
must be kept in mind are that the ‘others’ may lack the objectivity and independence required
of an auditor, and that the auditor remains solely responsible for the audit opinion.


8.2 INTERNAL AUDITORS

An internal audit helps a company ensure that it has the proper controls, governance, and
risk management processes in place. By nature, it is an independent activity carried out by a
person or team that can present objective findings and make recommendations for corrective
measures. Basic internal audit functions include:

• Assess risks and determine how effectively they are managed;

• Evaluate the efficiency and effectiveness of controls;

• Assess the effectiveness and efficiency of operations in achieving organisational
objectives; and

• Promote ethics.

Normally internal auditors have a role in monitoring the quality of an organisation’s internal
control system. HKSA 315 (Revised 2019), paragraph 24, requires that an auditor understand the
nature, responsibilities and activities of an entity’s internal audit function when performing the
assessment of the risk of material misstatements. Internal control systems can be very broad in
their scope, but the internal controls of interest to external auditors are the controls over financial
reporting.

While external auditors have a clearly defined role in providing assurance to third parties,
internal auditors may provide a wide range of services. Where those services overlap with those
of the external auditors, that is where internal auditors monitor internal controls and provide
assurance on financial reporting, then the internal auditor’s work will be relevant to the external
audit. Other internal audit work of interest might include risk analysis and fraud investigation.

Many larger companies have a significant internal audit department. Other companies
outsource their internal audit function wholly or partially to accounting firms. This approach
may create a self-review threat if companies outsource their internal audit function to their
external audit firm (COE S605.1). Small companies may not have an internal audit function.

8.2.1 Using the Work of Internal Auditors


The internal audit function can make two main contributions to the external audit.

1. Internal auditors may provide direct assistance to external auditors in carrying out
audit procedures. Internal auditors are well placed to provide this service because of
their knowledge of the organisation and their familiarity with accounting and auditing.
On the other hand, potential conflicts of interest arise because they lack independence
from the client company that is their employer, and because they may be asked to
review work already performed by the internal audit department (self-review).

2. HKSA 315 (Revised 2019) regards internal audit as a component of the entity’s process for
monitoring the system of internal control to be understood as part of the auditor’s risk
assessment process. Where the internal auditor is judged to provide a reliable service,
then the external auditor’s assessment of control risk can be reduced and audit efficiency
increased. However, tests of controls must still be performed to obtain assurance that the
internal audit function is performing as expected. HKSA 315 (Revised 2019) Appendix 4
identifies considerations for understanding the entity’s internal audit function.


According to Appendix 4, an internal audit function varies depending on the entity’s
size, structure, management, and governance requirements. An internal audit charter
or terms of reference can clarify the objectives and scope of the internal audit function.
Responsibilities may include providing assurance to management by performing
procedures and evaluating results, evaluating the design and effectiveness of risk
management and evaluating internal control and governance processes. Internal auditors
may also monitor the entity’s internal controls. Finally, they may evaluate the economy,
efficiency, and effectiveness of an entity’s operations. The internal auditor may also
consider management’s response to the audit function’s findings and recommendations.

An internal auditor’s inquiries provide deep insight into an entity’s operations and
risks. Regardless of whether or how the internal auditor expects to use the work of the
internal audit function, such inquiries should be made. An internal auditor may also
read related reports, strategy and planning documents and other reports prepared for
managing and governing bodies that describe the internal audit function’s findings. This
includes regular meetings with other internal audit personnel.

Regardless of the involvement of an internal audit in the external audit engagement, the
auditor’s opinion and report remain the sole responsibility of the external auditor.

8.2.1.1 Determining Whether Internal Auditors Can Be Used


Internal auditors are employees of the entity and so may be subject to management influence
that may impair the objectivity of their reports. Additionally, while the Institute of Internal Auditors
is a respected international professional association, some internal auditors may not have
professional qualifications. Factors that determine whether internal auditors can be used include:

• The internal auditor’s organisational status and policies and procedures that support
the objectivity of the internal auditors;

• The level of competence of the internal audit function; and

• Whether the internal audit function applies a systematic and disciplined approach,
including quality management.

Regarding objectivity, the internal audit function should ideally report to the audit committee,
and not to the CFO or other management personnel. Similarly, the employment or performance
review of internal audit staff should not be subject to management discretion. Where the auditor’s
assessment of the internal audit function reveals shortcomings in objectivity, competence, or
approach, the auditor should consider their ability to rely on the internal auditor’s work.

8.2.1.2 Using the Work of the Internal Audit Function


The external auditor should only use work performed by the internal auditor that is relevant to
the external auditor’s audit strategy and audit plan. The internal auditor’s work should not be
used in high-risk areas, or in areas where significant professional judgement is required.

Normally, the internal audit work of most interest to the external auditor concerns control
risk assessment and the testing of controls. An effective internal audit function in the control
domain can lead the auditor to reduce their control risk assessment and adopt a more efficient
control-based audit strategy. Where the internal auditor’s work also includes substantive
testing of accounts, this work can be relied upon to further increase audit efficiency.


The external auditor should read the internal audit reports to obtain an understanding
of the nature and extent of audit procedures performed and their findings, then perform
sufficient audit procedures to determine their adequacy. Considerations include whether:

• The work had been properly planned, performed, supervised, reviewed, and documented;

• Sufficient evidence has been obtained;

• Conclusions reached are appropriate; and

• Reports prepared are consistent with the work performed.

In addition, the external auditor should take a sample of items examined by the internal
auditor and reperform their procedures in order to corroborate their findings and conclusions
(HKSA 610.24).

8.2.1.3 Determining Whether Internal Auditors Can Be Used for Direct Assistance
Direct assistance is the use of internal auditors to perform audit procedures under the
direction, supervision, and review of the external auditor. In order for the external auditor
to use the work of the internal auditor for direct assistance, the external auditor must carry
out a review of the internal audit function. The relevant procedures are detailed in HKSA 610
(Revised 2013) Using the Work of Internal Auditors.

Key matters that the external auditor must investigate include:


• The reporting level or organisational status:

  ◦ Ideally, to ensure independence from management and freedom from bias, the
    internal auditor should report to the audit committee.

  ◦ Employment decisions regarding the head of internal audit should be made at the
    board level.

  ◦ The internal auditor should not report to the CFO.

• The scope of the internal audit function:

  ◦ Must include the monitoring of controls over financial reporting.

  ◦ Other useful functions might include:

    • Testing for fraud;

    • Testing for compliance with the law and regulations, and with company policy; and

    • Performing IT and security audits.

• Technical competence and professional attitude, by considering:

  ◦ Training and qualifications;

  ◦ Periodic evaluations of the internal audit department; and

  ◦ Policies to promote ethical behaviour and prevent conflicts of interest.

• The internal auditor’s working papers, to ensure that:

  ◦ Procedures are carried out appropriately;

  ◦ Conclusions are consistent with the results of the procedures; and

  ◦ Documentation is complete.

• Reperforming some of the internal auditor’s tests to confirm conclusions.


Apply and Analyse 1


An external auditor is considering relying on the work of an internal auditor. A review of
the internal audit function reveals:

• The internal auditor undergoes periodic external quality reviews and has received
favourable assessments.

• The internal audit function hires high-quality and technologically competent staff.

Based on this information, explain whether the external auditor should rely on the
internal audit function and whether additional information should be sought.

Analysis

The review of the internal audit function is not sufficient to determine the auditor’s
reliance. While the two items mentioned are important in the evaluation of the internal
audit function, a number of other factors must be considered. These include:

• The reporting level.

• The scope of the internal audit function.

• Qualifications.
• Professional attitude (ethics).

• The supervision, review, and documentation of the function.

8.2.1.4 Determining the Nature and Extent of Work of the Internal Audit Function That Can Be Used
Before using internal auditors for direct assistance, the external auditor should obtain written
assurances from management that the internal auditors are assigned to follow the instructions
of the external auditor without intervention of the company, and that internal auditors will
keep matters confidential as directed by the external auditor.

When the external auditor uses internal auditors to carry out tests of controls or
substantive testing, the internal auditor’s assignment should emphasise areas where testing
is objective (e.g. existence of inventory). The internal auditor’s work should be planned,
supervised, and reviewed by the external auditor, and the review of the internal auditor’s work
should be of a different nature and more extensive than if members of the engagement team
had performed the work.
For accounts where detection risk must be low (i.e. where inherent risk and/or control
risk are high), and where estimates are required, testing should be performed mainly by
the external auditor (e.g. allowance for doubtful accounts). Decisions requiring professional
judgement should be performed solely by the external auditor. Such decisions would include
assessment of the:

• Integrity of management;

• Inherent and control risk;

• Materiality;

• Accounting estimates and fair values;


• Sufficiency and appropriateness of evidence;

• Adequacy of disclosures;

• Related party transactions;

• Contingencies; and

• Subsequent events.

Apply and Analyse 2


Flash Ltd Part 1 – Internal Audit
As noted in the opening case:

• Each of Flash’s 50 stores holds a stock of jewellery valued at approximately
US$5 million, and gemstones valued at approximately US$3 million. The value of a
gemstone is influenced mainly by its weight, shape, colour, and consistency.

• An additional gemstone inventory valued at approximately US$100 million
is held for Flash by Secure Co. Secure Co also manages the security at all of
Flash’s stores.

• Flash has an internal audit department. The internal audit’s role includes review
of organisational efficiency, monitoring of the organisation’s control system, and,
in particular, controls over the existence, valuation, and rights to the inventory,
which comprises 80% of the assets of the company. The internal audit department
employs one gemstone valuation expert and two qualified internal auditors.

As Flash’s external auditor, you are considering using the internal audit function to
provide direct assistance for the inventory audit. Explain (i) whether it would be appropriate
to use internal audit for this purpose and (ii) your own responsibilities should this occur.

Analysis

(i) The key assertions at risk for inventory are existence, rights, and valuation. The first
two are easily audited by a count, and by reference to purchase documentation,
respectively. These procedures require little judgement. The valuation assertion
requires a high level of professional judgement and the inventory account is very
material (80% of assets). It may not be appropriate to use internal audit for
valuation. If the auditor decides to use internal audit for valuation, they might
consider using an auditor’s expert to check some of the internal auditor’s work
(see Section 8.3).

(ii) • If the internal auditor is used for valuation, their expertise in valuation should
be confirmed by inquiries about their experience and qualifications.

• The auditor must also review a number of additional issues relating to the
internal auditor’s competence, objectivity, and approach.

• The auditor should seek assurances from management about the internal
auditor’s responsibilities and confidentiality.

• The auditor should consider reperforming the internal auditor’s tests
or performing alternative tests of valuation, to confirm the conclusions
documented by the internal auditor.


8.2.2 Documentation
The external auditor must document their findings as to the internal auditor’s:

• Objectivity

• Competence

• Approach and quality of work.

Other matters to be documented in the engagement file include:

• The nature and extent of work assigned to the internal auditor;

• Procedures performed by the external auditor to evaluate the internal auditor’s work;

• Work papers prepared by the internal auditors; and

• Agreements regarding confidentiality and the reporting of the responsibilities of the
internal auditor.

8.2.3 Recommended Improvements to the Internal Audit


HKSA 265 Communicating Deficiencies in Internal Control to Those Charged with Governance and
Management makes no specific reference to internal audit. However, where an internal audit
function exists, it is likely to be an important part of the internal control system and it may be a
significant contributor to the entity’s control over financial reporting.

A review of the internal audit function should be undertaken by an auditor as part of
their control risk assessment during the planning stage of the audit (see Chapter 5). Where
deficiencies are noted in the internal audit function during the control risk assessment, when
the auditor considers using the internal auditor to reduce their control risk assessment, or to
provide direct assistance in accordance with HKSA 610 (Revised 2013), then the guidance in
HKSA 265 regarding communicating these deficiencies should be followed.

The auditor should communicate deficiencies promptly, and also provide a written
communication to those charged with governance, which would include:

• A description of the deficiency and its potential effects;

• The purpose of the communication – to assist those charged with governance;

• The context in which the deficiency was discovered – an external audit to provide an
opinion on the financial statements; and

• That the deficiency was identified as part of the auditor’s planning activities and not for
the purpose of expressing an opinion on internal control.

Knowledge Check Questions

Question 1
List the factors an external auditor considers when assessing the objectivity of a client’s
internal audit function.



Question 2
Describe for what types of assertions and accounts it is likely that an external auditor will
rely on the work of an internal auditor. Describe the types of accounts where reliance
is unlikely.

Question 3
Explain whether the internal auditor can achieve the same level of objectivity as an
external auditor.

8.3 EXPERTS AND SERVICE ORGANISATIONS

This section deals with two forms of outsourcing relevant to the audit. The first occurs when
an auditor outsources some audit procedure to an auditor’s expert (Sections 8.3.1 to 8.3.3).
The second occurs when the client outsources some accounting information system services
relevant to the audit to a management’s expert (Section 8.3.4) or to a service organisation
(Section 8.3.5).

8.3.1 Determining the Need for an Auditor’s Expert


The auditor does not generally have expertise specific to other professions. In many audits, it
is necessary to employ the services of an auditor’s expert who can provide audit evidence in a
specialised area. Experts may be hired externally (an external expert) or they may be employed
by an audit firm.

Accountants and auditors who provide specialised services on audits, for example experts
in consolidation of financial reports, are not considered auditor’s experts and their use is not
governed by HKSA 620 Using the Work of an Auditor’s Expert. Similarly, the standard does not
apply to an expert hired by management (a management’s expert) to assist in preparing the
entity’s financial report.

Experts commonly used by auditors include:

• IT or tax experts;

• Valuers and appraisers to provide evidence about valuation or impairment of
assets, property, plant and equipment, artworks, complex financial instruments, or
precious stones;

• Geologists and engineers to provide information about mineral deposits, oil reserves,
or environmental liabilities (clean-up costs);

• Quantity surveyors to provide information on stockpiles (inventory);

• Actuaries to provide estimates of life insurance or superannuation liabilities; and

• Lawyers to provide estimates of the outcome of litigation or advice on contract terms.


An auditor’s expert may be needed to assist the auditor at the:

• Planning (obtaining an understanding of the entity and its environment, the applicable
financial reporting framework and the entity’s system of internal control);

• Performance (testing of controls or substantive tests); or

• Reporting stages of the audit.

Services provided by an auditor’s expert are generally of two types.

1. To assess the assumptions, methods and data used by management or a
management’s expert in preparing an estimate for the financial report.

2. To develop a point estimate or a range for comparison with a management estimate.

8.3.2 Audit Procedures Applied to the Work of an Auditor’s Expert


The engagement partner must be satisfied that the engagement team and any auditor’s
experts have the competence and capability to perform the audit engagement. When engaging
an expert, the auditor should consider:

• Competence: the expert’s professional qualifications, degree of experience regarding
the matter at hand, and professional reputation:

  ◦ Also important is the competence of the auditor’s expert with respect to relevant
    accounting and auditing requirements;

• Capability: location, time, and resources;

• Objectivity: any business, personal, or financial relationship with the client that might
cause a conflict of interest;

• Whether the nature, scope, and objectives of the work to be performed are consistent
with the audit strategy and plan; and

• The auditor’s ability to evaluate the adequacy of the expert’s work, which includes:

  ◦ Knowledge of assumptions and models used; and

  ◦ Knowledge of the nature and adequacy of data used.

Information may be obtained from:

• Prior experience of the expert.

• Discussions with the expert or with other auditors.

• Discussions with management about financial interests or personal relationships with
the auditor’s expert:

  ◦ It may be appropriate to obtain a written representation from an auditor’s external
    expert about relationships with the entity.

• The expert’s qualifications, areas of specialisation, professional associations, and
publications.


During the course of the audit, it may be necessary to reconsider the initial evaluation of
the competence, capabilities, and objectivity of the auditor’s expert.

Where threats to the objectivity of the auditor’s expert exist and the expert’s work is
significant to the audit, safeguards may be found in external structures (for example, in the
expert’s profession or in regulation), or in quality management policies and procedures.
However, there may be some circumstances in which safeguards cannot reduce threats to an
acceptable level; for example, if the auditor’s expert is also a management’s expert.

The auditor’s understanding of the expert’s work will be less than that of the expert, but the
auditor may obtain knowledge of the required scope of the work, and the ability to evaluate
it, through:

• Relevant experience in other audits;

• Discussion with other auditors who have relevant experience; or

• Undertaking training related to the expert’s field of work.

The extent of audit procedures performed by the auditor on the work of the auditor’s
expert depends on:

• The degree of risk of material misstatement;

• The auditor’s prior experience of the expert’s work; and


• The degree of subjectivity and judgement required.

Since the auditor has sole responsibility for the audit opinion, the auditor needs to be
satisfied about:

• Reduction of the risks of material misstatement to an acceptable level;

• Sufficiency of the tests performed;

• Significant accounting estimates; and

• Adequacy of disclosures in the financial statements.

The Appendix of HKSA 620 Using the Work of an Auditor’s Expert suggests matters that might
be included in an agreement with an auditor’s expert. These include:

• The nature, scope, and objectives of the expert’s work, including the requirements of
relevant accounting standards (e.g. HKFRS 13 Fair Value Measurement);

• The respective roles and responsibilities of the auditor and expert;

• Communication and reporting: the nature, timing, and extent of communication
between the auditor and that expert, including the form of any report to be provided by
that expert; and

• Confidentiality.


Apply and Analyse 3


Flash Ltd Part 2 – Auditor’s Expert
As noted in the opening case:

• Flash is a jewellery retailer and gemstone wholesaler. The company has a chain
of stores in major Asian and European cities from which they sell jewellery to the
public, and gemstones to independent jewellers. The company buys their stock
mainly through auction at international trade shows. Their buying group comprises
specialists in diamonds, opals, emeralds, and other precious and semi-precious
gems. Each of their 50 stores holds a stock of jewellery valued at approximately
US$5 million, and gemstones valued at approximately US$3 million.

• A gemstone inventory valued at approximately US$100 million is held for Flash by
Secure Co.

(i) Explain whether Flash’s external auditor should hire an auditor’s expert to assist
with the valuation of Flash’s inventory.

(ii) If an auditor’s expert is hired, describe the responsibilities of the external auditor.

Analysis
(i) The external auditor is unlikely to be an expert in the valuation of gemstones. Due to
the materiality of the gemstone inventory, an expert valuer should be hired to either:

• Assess the assumptions, methods, and data used by management in valuing
inventory; or

• Provide an estimate of the inventory value for comparison with the inventory
account balance.

(ii) The external auditor must be satisfied that the expert has the relevant competence
and objectivity to carry out the work. The auditor must also ensure that the scope
of the expert’s work is appropriate, and that they have the expertise to understand
the expert’s report and conclusions. In order to fulfil this last requirement, the
auditor must have some experience in similar gemstone audits, be guided by
another auditor with such experience, or seek training in these matters.

When an auditor’s expert is engaged, the auditor’s responsibilities regarding their
conclusions and the audit report do not change. The auditor should carry out procedures
to corroborate the expert’s valuation. These might include:

• Analytical procedures on the sales account and the gross profit ratio (see Chapter 6,
Section 6.4.1, Analytical Procedures);

• Comparisons with external market information on changes in the price of precious
metals; or

• Comparing the selling price of recently sold items that bear a similarity (e.g. weight
and quality of stone) to those in the inventory to test the ‘lower of cost or market’ rule.

It is important for the auditor to ensure that the expert understands that the auditor’s
objective is to determine the fair value of the gemstones and is familiar with the requirements
of HKFRS 13 Fair Value Measurement (see Chapter 6, Section 6.5.1, Accounting Estimates and
Section 6.5.2, Fair Values).


8.3.3 Evaluating the Adequacy of the Work of the Auditor’s Expert


In evaluating the adequacy of the expert’s work, the auditor undertakes procedures to
understand the:

• Reasonableness of the expert’s conclusions in the light of any errors discovered;

• Consistency of the expert’s findings with other audit evidence;

• Reasonableness of the expert’s assumptions and methods; and

• Relevance, completeness, and accuracy of the expert’s source data.

Where the expert’s work is considered inadequate, the auditor should agree with the
expert on the nature and extent of further work to be performed by the expert, or the
auditor should perform additional audit procedures appropriate to the circumstances.

Where the auditor issues an unmodified opinion, no reference to the expert’s work should
be made. Where reference is made to the expert’s work because of legal requirements, or to
aid in the understanding of a modification to the auditor’s report, the auditor shall indicate that
such reference does not reduce the auditor’s responsibility for that opinion (HKSA 620.12–15).

8.3.4 Management’s Expert


If management does not possess the necessary expertise to prepare the financial statements, a
management’s expert may be used to provide information relevant to the financial statements.
As a management’s expert is employed or hired by the entity, a threat to objectivity exists.
Where the auditor lacks the expertise to audit the work of the management’s expert, it may
be necessary for the auditor to hire an auditor’s expert to provide this service. In any case, in
reviewing the work of the management’s expert, inherent risk should be evaluated as high and
appropriate high-quality audit procedures applied.

The auditor’s responsibilities regarding the financial statement assertions are not altered
by the fact that some information in the financial statements has been prepared by a
management’s expert. As noted in HKSA 500 Audit Evidence, paragraph 8, if information to be
used as audit evidence has been prepared by a management’s expert, the auditor should:

• Evaluate the competence, capabilities, and objectivity of the management’s expert;

• Obtain an understanding of the work of the management’s expert; and

• Evaluate the appropriateness of that expert’s work as audit evidence for the relevant
assertion.

The auditor’s decision on whether to use an auditor’s expert in this case may be
influenced by:

• The nature, complexity, scope, and objectives of the management expert’s work.

• The risk of material misstatement.

• Management’s control over the work of the management’s expert.

• The objectivity and competence of the management’s expert.

• Whether the management’s expert is subject to safeguards provided by professional or
industry requirements.


8.3.5 Service Organisations


Many entities outsource activities to other organisations possessing expertise that is not
available to the entity or that could only be provided internally at a high cost. For example:

• Many organisations outsource their payroll to banks;

• Many small businesses outsource their entire accounting function;

• The assets of some entities are held by others (e.g. assets held for security); and

• The assets of some entities are managed by others (e.g. investments or rental
properties).

Where outsourced activities like those above are a source of risk of misstatement in the
financial report, the auditor must be satisfied that the risk is reduced to an acceptable level by
performing appropriate audit procedures. Whether the use of a service organisation increases
or decreases the risk of material misstatement depends on the nature of the services provided
and the controls over those services.

HKSA 402 Audit Considerations Relating to an Entity Using a Service Organisation identifies a
user entity as an entity that uses a service organisation, a user auditor as the external auditor
of a user entity, and a service auditor as the auditor of the service organisation. A service
organisation is considered part of the user entity’s information system if its work affects any of
the following:

• Transactions and other events significant to the financial statements.

• Procedures for the initiation, recording, and processing of transactions.

• Accounting records.

• Significant accounting estimates and disclosures.

• Controls over journal entries.

As part of the audit planning process (see Chapter 5), the user auditor must understand
and document the relationship between the service organisation’s work and the user entity’s
information system in order to identify risks of misstatement.

The auditor would first examine the internal controls at the user entity. This examination
would be a part of the auditor’s assessment of control risk for the entity. If the user entity’s
controls over the information provided by the service organisation are deficient, the auditor
should acquire additional audit evidence about controls from the service organisation by:

• Obtaining a Type 1 report (on the service organisation’s controls);

• Obtaining a Type 2 report (on the service organisation’s controls and their effectiveness);

• Using another auditor to perform procedures at the service organisation; or

• Visiting the service organisation to perform procedures.

Type 1 and Type 2 reports should include information about:

• The flow of significant transactions through the service organisation to determine
the points in the transaction flow where material misstatements in the user entity’s
financial statements could occur.


• The controls at the service organisation that may affect the processing of the user
entity’s transactions and that are relevant to the user entity’s financial statement
assertions.

• The design and implementation of controls at the service organisation that act to
prevent or detect errors that could result in material misstatements in the user entity’s
financial statements.

Additionally, both reports should include an assurance report prepared by the service
auditor on the service organisation’s control system.

The two types of reports differ because a Type 1 report does not provide any evidence
of the operating effectiveness of the relevant controls, while a Type 2 report does address
effectiveness.

Key Learning Point


Only a Type 2 report includes information on the service organisation’s control system’s
effectiveness. If a Type 1 report is obtained, then further work to test the effectiveness of
controls is required if the user auditor intends to rely on those controls.

Where the user auditor relies on a Type 1 or 2 report, they should ensure that the report
covers the appropriate time period, and that the report provides sufficient and appropriate
evidence about the service organisation’s controls relevant to the user entity’s identified risks.

Illustrative Example 1
Banks often use a service organisation to respond to confirmation requests. In this
circumstance, the auditor will need to rely on the service organisation’s internal control
process. It is important that the auditor is satisfied with the controls over the information
sent to the service organisation and the controls applied during data processing and
sending the confirmation response to the auditor. A service auditor’s report on the
internal controls at the service organisation would assist the auditor in evaluating the
controls with respect to that process.

After the user auditor has carried out their control risk assessment and tested key
controls as appropriate, further substantive procedures must be performed to address
identified risks. Service organisations provide a diverse range of services, and while specific
procedures cannot be detailed, general procedures might include:

• Inspection of records and documents.

• Obtaining confirmations from the service organisation.

• Performing analytical procedures on reports obtained from the service organisation.

• Performing, or using another auditor to perform, further procedures at the service
organisation.


8.3.5.1 Responding to the Assessed Risk of Material Misstatement


When evaluating a service auditor’s report, questions might arise as to:

1. The time period covered by the tests and the time elapsed since their performance;

2. The scope of the service auditor’s work including:

• The services and processes covered;

• The controls tested, or the tests that were performed; and

• The way in which tested controls relate to the user entity’s controls; and

3. The service auditor’s opinion on the operating effectiveness of the controls.

To address Item 1 above regarding the timing of the service auditor’s report, the user
auditor might respond by carrying out further tests covering the period relevant to the audit of
the user entity, or by requesting others to carry out further testing, as well as making enquiries
about changes to controls outside the period covered by the service auditor’s report. Where
the service entity’s audit period is entirely outside that of the user organisation, that service
auditor’s report cannot be relied upon.

To address Item 2, possible deficiencies in the scope of the service auditor’s work, the
user auditor may supplement their understanding of the service auditor’s procedures and
conclusions by contacting the service organisation, through the user entity, to request a
discussion with the service auditor about the scope and results of the service auditor’s
work. Alternatively, the user auditor might request that the service auditor perform further
procedures at the service organisation.

Finally, where the service auditor’s report is modified or notes significant exceptions, the
user auditor should seek further information from the service auditor regarding the impact of
these matters on the user entity.

The user auditor’s responsibilities regarding the assurance report on an entity using a service
organisation do not differ from those described in Chapter 10, except that the user auditor shall
not refer to the work of the service auditor when providing an unmodified opinion. However,
when the user auditor expresses a modified opinion because of a modified opinion in a service
auditor’s report, the user auditor may refer to the service auditor’s report if this assists in
explaining their modified opinion. The user auditor may need the consent of the service auditor.

Apply and Analyse 4


Flash Ltd Part 3 – Secure Co
As noted in the opening case, a gemstone inventory valued at US$100 million is held for
Flash by Secure Co, a security company. Secure Co keeps the inventory in highly secured
premises in Zurich and transports gems as required by Flash throughout the supply chain.
Secure Co also manages the security of inventory at all of Flash’s stores. Security controls
include vetting of employees, set-up and monitoring of surveillance systems, provision of
safes and other secure facilities, and security patrols.



(i) Explain whether Secure Co’s activities have an impact on Flash’s information
system and financial statements.

(ii) Describe the audit procedures that should be carried out by Flash’s external
auditor with regard to Secure Co.

Analysis

(i) Secure Co holds a material portion of Flash’s inventory. In addition, they provide
security over the transport and holding of inventory at all of Flash’s 50 stores and
throughout the supply chain. Any deficiencies in Secure Co’s performance of these
activities are a risk to the existence, rights, and valuation of Flash’s inventory.

(ii) Flash’s external auditor should seek a Type 2 report regarding Secure Co’s controls
over the inventory held in Zurich, the transportation of inventory throughout the
supply chain, and their contribution to the control of inventory at Flash’s stores.
This report would detail the existence, adequacy, and effectiveness of Secure Co’s
controls and provide assurance to that effect. If no Type 2 report is available, the
auditor would consider carrying out, or hiring another auditor to carry out, a review
and test of Secure Co’s control system.

Substantive tests would also be carried out. These might include confirmation
with Secure Co of their holdings of Flash’s inventory or hiring an auditor’s expert to
carry out substantive procedures addressing the risks to existence and valuation of
that inventory.

Knowledge Check Questions

Question 4
Explain when an auditor would use an auditor’s expert.

Question 5
Describe the procedures an auditor should carry out in assessing the objectivity,
competence, and approach of an auditor’s expert.

Question 6
When an entity uses the work of a service organisation the user auditor may obtain a
Type 1 or Type 2 report from the service organisation. Describe the content of a Type 1
report and explain how this differs from a Type 2 report.


SUMMARY

Internal Audit (IA)

• An IA may be used to reduce the auditor’s control risk assessment or for direct assistance.

• Threats in using IA include self-review and self-interest.

• The auditor must evaluate the IA’s objectivity, reporting level, competence, qualifications, and
the scope and quality of their work.

  ◦ The scope of the IA’s work should include the monitoring of internal controls and financial
    reporting.

  ◦ The auditor should reperform some of the IA’s procedures in the relevant area.

• When used for direct assistance:

  ◦ The IA should be used for objective procedures and not for procedures involving
    professional judgement.

  ◦ A written agreement should be obtained from management about the IA’s assignment to
    assist the external auditor and confidentiality.

Auditor’s Expert (AE)

• An AE is a lawyer, geologist, or other specialist employed by the external auditor to
assess a management’s estimate or to provide an estimate for comparison with the
management’s estimate.

• The auditor must evaluate the expert’s competence and objectivity, and the scope of the work
to be performed.

• An agreement with an AE should address the scope and objectives of the work, the roles of
the AE and the auditor, the use of the AE’s work, and confidentiality.

• The external auditor must have or obtain sufficient knowledge of the area to be able to review
the AE’s work.

• Considerations for the review of the AE’s work include the consistency of the AE’s report with
other audit evidence, and its reasonableness, relevance, and completeness.

Service Organisation (SO)


• An SO is used by an entity (the user) to provide accounting or other services that impact on its
financial statements. The SO is part of the user’s information system.

• The user auditor must assess the inherent and control risks associated with the use of the SO,
and obtain audit evidence to reduce these risks to an acceptable level.


• Procedures include:

  ◦ First, assess user controls. These may be adequate; otherwise

  ◦ Assess SO controls by:

    – Obtaining a Type 1 report (adequacy) or a Type 2 report (adequacy and
      effectiveness);

    – Auditing relevant SO controls; and

    – Performing substantive tests of the SO including inquiries, confirmations, analytical
      reviews, and tests of detail.

Exhibit 8.1 shows the key concepts of the chapter summary.

| | Internal audit | Auditor’s expert | Service organisation |
|---|---|---|---|
| Purpose | Reduce control risk; Direct assistance | Assess management’s estimate | Provide info for financial statements |
| Threats | Self-review; Self-interest | | |
| Evaluate | Competence; Objectivity; Scope; Quality of work | Competence; Objectivity; Scope; Quality of work | Scope; Quality of work |
| Agreement | Assignment to external auditor; Confidentiality | Scope, data and objectives; Roles; Use of report; Confidentiality | |
| Auditor | Plan; Supervise; Review | Knowledge to review AE’s work; Consistency with other evidence; Reasonableness; Relevance; Completeness | Assess risks; Assess user controls; Assess SO controls (Type 1 or 2 report, Audit controls, Substantive tests) |

EXHIBIT 8.1 Using the work of others


MIND MAP

USING THE WORK OF OTHERS

RELIANCE ON THE WORK OF OTHERS
• Main Standards: HKSA 610 (Revised 2013); HKSA 620; HKSA 402
• Other Standards: HKSA 200; HKSA 220 (Revised); HKSA 315 (Revised 2019); HKSA 500

EXPERTS AND SERVICE ORGANISATIONS
• Determining the Need for an Auditor’s Expert
• Audit Procedures Applied to the Work of an Auditor’s Expert
• Evaluating the Adequacy of the Auditor’s Expert’s Work
• Management’s Expert
• Service Organisations

INTERNAL AUDITORS
• Using the work of Internal Auditors
  ◦ Determining whether internal auditors can be used
  ◦ Using the work of the internal audit function
  ◦ Determining whether internal auditors can be used for direct assistance
  ◦ Determining the nature and extent of work of the internal audit function that can be used
• Documentation
• Recommend improvements to internal audit

Answers to Knowledge Check Questions

Question 1
Key considerations in assessing objectivity include:
• The professional qualifications of the internal auditor.
• The reporting level – ideally the audit committee.
• The entity policy regarding the independence of the internal audit function.

Question 2
The auditor is likely to rely on the work of the internal auditor for accounts involving
routine transactions and well-documented controls. These will most likely include Cash,
Trade Receivables, Inventory, and Accounts Payable. Reliance is unlikely for accounts and
assertions that require estimates involving subjectivity and judgement.

Question 3
While the internal auditor is likely to be a member of a professional association and
guided by the ethical and other rules of that association, the internal auditor’s objectivity is
compromised by their relationship to their employer – a self-interest threat.

Question 4
An auditor’s expert would be used when the subject matter of the audit is outside the
auditor’s expertise; that is, when knowledge particular to other professions is required
(e.g. lawyers, investment bankers, geologists, actuaries). Such instances mainly arise in
relation to the valuation of inventories or other assets, or of liabilities, contingencies, and
other matters requiring a high level of judgement.


Question 5
The auditor should make inquiries of the expert, and of others who are familiar with the
expert’s work. The auditor should review the expert’s qualifications and professional
associations. The auditor should review the ethical policies of the expert’s professional
association and make inquiries about any conflict of interest, whether business, personal,
or financial, that might affect the expert’s work.

Question 6
A Type 1 report provides a description of the service organisation’s controls and includes
an assurance report prepared by the service auditor on the service organisation’s control
system. A Type 2 report is more extensive. In addition to those matters contained in a
Type 1 report, a Type 2 report provides an assessment of the effectiveness of the control
system, and the service auditor’s report provides assurance on effectiveness.

EXAM PRACTICE

QUESTION 1
You are the auditor of Space Limited. As at 31 December 20X4, Space Limited recorded
identifiable intangibles and goodwill of HK$400 million. The intangibles and goodwill arose
this year when Space Limited acquired Star Limited. The management of Space Limited
engaged an external valuer to test for impairment of goodwill and the identifiable intangibles
arising from the acquisition. The external valuer used a discounted cash flow model.

In planning the audit, you plan to use your firm’s valuation expert to assist the audit
team with the valuation of the identifiable intangibles.

Required:

(a) Explain your considerations relating to determining the use of the firm’s valuation
expert in the valuation of identifiable intangibles.

(b) You decided to use the firm’s valuation expert after the assessment in part (a). Explain
your responsibilities relating to the use of the valuation expert.

QUESTION 2
Inter Co’s main activity is selling home improvement products to the public. Products include
building materials, fasteners, paint, tools, garden supplies, and furniture. Products are
purchased from over 300 suppliers and are sold at 100 stores in three countries.

Inter Co has a professional internal audit department that reports regularly to the audit
committee. Internal auditors:

• Attend the year-end inventory count;

• Review internal controls over purchasing; and

• Review the marketing department’s operations.


Required:

(a) Describe the ways the external auditor can use the work of the internal auditor.

(b) If the external auditor were to use the internal auditor’s work to reduce control risk,
describe the procedures that should be carried out.

(c) If the external auditor were to use the internal audit department to provide direct
assistance, describe the procedures that should be carried out.

ANSWERS TO EXAM PRACTICE

QUESTION 1
(a) Issues to be considered:

• The key issue to be considered is the task of assessing the carrying amounts of
identifiable intangibles and goodwill acquired. If this task is an accounting matter,
and the expert is an accounting expert, then they are not an auditor’s expert as
defined in HKSA 620. If, on the other hand, the expert’s area of specialisation
is business valuation, then they may be considered an auditor’s expert and
HKSA 620 applies.

• The competency of the auditor’s expert should be considered including the expert’s
professional certification and experience in the field.

• The capability of the auditor’s expert. Capability is the auditor’s expert’s ability to
exercise competence in the engagement, including their availability.

• The objectivity of the auditor’s expert. The auditor should inquire as to the interests
and relationship that may create a threat to that expert’s objectivity. As the expert is
an employee of the accounting firm, this threat is unlikely.

• The risk of material misstatement in the matter. This is based on the nature and
complexity of the matter.

• The significance and impact of the expert’s work in the audit.

(b) In accordance with HKSA 620 the auditor should obtain sufficient appropriate audit
evidence to conclude whether the accounting estimate of impairment assessment
made by the management is reasonable in the circumstances. In order to do this, the
auditor should:

• Consider their ability to evaluate the adequacy of the expert’s work, which includes
knowledge of assumptions and models used, and knowledge of the nature of
data used.

• In evaluating the expert’s work, the auditor undertakes procedures to
understand the:

  ◦ Reasonableness of the expert’s conclusions in light of any errors discovered;

  ◦ Consistency of the findings with other audit evidence;

  ◦ Reasonableness of the expert’s assumptions and methods; and

  ◦ Relevance, completeness, and accuracy of the source data.

• Where the auditor issues an unmodified opinion, no reference to the expert’s work
should be made.

QUESTION 2
(a) Work of the internal auditor.

The external auditor could use the internal auditor’s work in two ways:

(i) To reduce their control risk assessment regarding inventory and purchasing; and

(ii) To provide direct assistance in the audit of inventory and purchases.

(b) Procedures associated with control risk reduction.

The external auditor must assess the competence, objectivity, and the quality of the
work of the internal audit function; and reperform some of the internal auditor’s work
in order to confirm its reliability. Key issues include:

• The reporting level or organisational status;

• The scope of the internal audit function;


• Technical competence and professional attitude; and

• Adequacy of the internal auditor’s working papers.

(c) Procedures associated with direct assistance.

The external auditor must assess the competence, objectivity, and the quality of
the work of the internal audit function (see b above), make an agreement with
management about the internal auditor’s responsibilities regarding confidentiality and
reporting, and plan, supervise, and review the internal auditor’s work.

9 Major Actions During the Audit Completion

CHAPTER TOPIC LIST

9.1 Audit Completion
    9.1.1 Sufficient Appropriate Audit Evidence
9.2 Plan the Procedures to Be Conducted at the Completion of the Audit
9.3 Explain the Purpose of and Procedures to be Used During Audit Completion
    9.3.1 A Going Concern Review
    9.3.2 A Subsequent Events Review
    9.3.3 Obtaining Written Representations from Management
    9.3.4 Overall Audit of Financial Statements
    9.3.5 Review of Other Published Information
    9.3.6 Evaluation of Misstatements Identified During the Audit
    9.3.7 Communicating with Those Charged with Governance
9.4 Related Parties
    9.4.1 Auditor’s Objectives
    9.4.2 Definition of a Related Party
    9.4.3 Risk Assessment Procedures and Related Activities
    9.4.4 Responses to the Risks of Material Misstatement Associated with Related Party Relationships and Transactions
    9.4.5 Evaluation of the Accounting for and Disclosure of Identified Related Party Relationships and Transactions
    9.4.6 Written Representations and Documentation
    9.4.7 Communication with Those Charged with Governance
9.5 Discovery of Illegal Acts or Fraud Discovered During the Audit
    9.5.1 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements
    9.5.2 Consideration of Laws and Regulations in an Audit of Financial Statements


LEARNING OUTCOMES

PRINCIPAL LO1: PERFORM ASSURANCE ENGAGEMENTS


LO1.12: Prepare, plan and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Management,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on:
Completion Procedures
1.12.01 Evaluate whether sufficient appropriate audit evidence has been obtained during the audit
1.12.02 Explain the purpose of and procedures to be used during audit completion:
• A subsequent events review
• A going concern review
• Obtaining written representations from management
• Review of report by component auditors to the group auditor
• Overall review of the financial statements
• Review of other published information
1.12.03 Explain the procedures required to identify and audit related party transactions
1.12.04 Evaluate misstatements identified during the audit
1.12.05 Explain the follow up on illegal act or fraud found while performing an audit especially in the
case of money laundering or corruption
1.12.06 Plan the procedures to be conducted at the completion of the audit
1.12.07 Communicate with those charged with governance
LO1.13: Prepare, plan and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Management,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on:
Reporting
1.13.01 Prepare a management letter to report on internal control weaknesses and to make
recommendations to overcome those weaknesses
1.13.02 Communicate with management or those charged with governance


OPENING CASE

AUDIT OF HUNG FU BANK INTERNATIONAL

Quality auditor (‘Quality’) is a firm of certified public accountants (practicing) registered
with the Hong Kong Institute of Certified Practicing Accountants (‘HKICPA’). Quality has
been undertaking the audit of Hung Fu Bank International (‘Hung Fu’), a publicly listed financial
institution on the Hong Kong Stock Exchange (‘HKEx’), for some years.

Hung Fu engages in retail banking, wealth management, commercial banking, and global
banking and is seeking to also move into the insurance sector, as many other banks have done,
in order to obtain lucrative returns on their investments. Hung Fu has invested heavily in its
digital banking platforms to ensure the bank is seen as a market leader in its offerings to its
customers.

In the last couple of years, Hung Fu has incurred collectively assessed impairment charges
against its credit card and personal loan portfolios. Hung Fu’s focus of recent times has been
directed towards the small- to medium-sized enterprises (‘SMEs’) and growing their share
in that market. Hung Fu would have guarantees and irrevocable letters of credit pledged as
collateral security.

Quality recognises the complex environment in which financial institutions operate and has
specialist banking and finance professionals assigned to the audit of Hung Fu to ensure that the
audit risks are identified and that the skills needed to mitigate those risks to an acceptable level
of Quality are applied.

The current year’s audit, for the year ended 31 December 20X1, is coming to its conclusion
and the audit partner Chin Ling has asked her team for a meeting to discuss the audit progress
and how the audit team intends to bring the audit to its completion. (Note that this audit
process does not cover any of the compliance audits required of the banking and insurance
industries in Hong Kong.)

The Agenda for this meeting is set out in Exhibit 9.1.


AGENDA
Audit Completion Meeting: Hung Fu Bank International
Date: 20 March 20X2 at 10.00 a.m., Hong Kong Office, Queens Road, Central
Present at Meeting: Chin Ling – audit partner; Lau Lam – audit manager;
Lee Liang – audit manager; Manchu Kang – audit supervisor

| Agenda item | Issues identified | Actions required |
|---|---|---|
| Outcomes from the Going Concern Assessment | There have been some significant compliance issues within Hung Fu’s lending departments. | Full assessment needed, as part of the completion stages, by Lau Lam in conjunction with Chin Ling. |
| Evaluation of adjusted and non-adjusted errors identified throughout the audit process | Hung Fu has been very resistant to discussing the errors identified by the audit team this year. | Lee Liang to discuss further with Chin Ling with the aim of having a further discussion with those charged with governance about the likely implications of the errors for the auditor’s opinion if not adjusted in the financial statements. |
| Draft financial statements | The first draft of the financial statements has been received (230 pages in length). Historically, there have been substantial omissions and errors in the drafts presented to Quality. | Manchu Kang to do the first review of the financial statements and then Lau Lam will complete the second review. The team needs to determine when the firm’s technical department should become involved in the completion process. That department has assisted on a number of possible reporting issues during the period. |
| Contingent liabilities assessment | It has been noted in the current year that the guarantees pledged by Hung Fu had increased considerably and that there are a number of legal matters that at year end are unresolved. | Lee Liang needs to investigate the areas identified and determine that all contingent liabilities have been identified and the disclosures in the financial statements are appropriate. |
| Other commitments | From the review of the minutes of Board meetings, Quality has identified that Hung Fu has committed to constructing a second building at North Point. | Manchu Kang is to collect audit evidence for other commitments and ensure that the appropriate disclosures have been made. |
| Subsequent events | Outstanding. Chin Ling is aware of a significant development post year end that she will discuss further with the audit team when she finds out the details from board members of Hung Fu. | Chin Ling to follow up with the audit team. |
| Related parties | Hung Fu management had represented to Lau Lam that the only related party was a broking business. Lau Lam has determined that several loans to director-related entities had been made during the period. | Chin Ling to determine with the engagement managers what the next steps are, inclusive of re-assessing the level of audit risks previously identified. |
| Fraud and illegal acts | No frauds or illegal acts were noted to date in the audit process. | Chin Ling emphasised to team members that they should stay alert during completion to the possibility of fraud. |

EXHIBIT 9.1 Agenda for audit completion meeting


OVERVIEW

The completion stage of an audit is of crucial importance. It is during this stage that the auditor
stands back and reflects on the status of the audit and aligns the conclusions obtained to date
with thinking about the auditor’s opinion that may be issued. It is also a further opportunity
to ensure that there are no further changes needed to the risk assessment conducted under
HKSA 315 (Revised 2019), Identifying and Assessing the Risks of Material Misstatement, and that the
audit response under HKSA 330, The Auditor’s Responses to Assessed Risks, has been appropriate.

Before continuing with this chapter, you are encouraged to reflect on the earlier phases of
the audit process already outlined in Chapters 1 to 8 of this module. The completion phase of
the audit brings together all the learning you have achieved in the previous chapters.

This chapter will introduce you to several HKICPA auditing standards and will return you to
some of the standards you have already covered during this module.

The audit procedures commonly undertaken at the completion stage of the audit include
the following, which will be explored in depth in this chapter:

• Going concern assessment completion.

• Subsequent events.

• The written representations that auditors need to obtain.

• Final overall audit of the financial statements.

• Evaluation of misstatements and the likely impact where the misstatements are
material and management do not want to make the changes.

• Required communications with those charged with governance.

• Identification of related parties.

• Discovery of illegal acts or fraud discovered during the audit.

9.1 AUDIT COMPLETION

The auditor is responsible for drawing conclusions based on the audit work completed up to
the completion phase of the audit.

9.1.1 Sufficient Appropriate Audit Evidence


Regulators and other reviewers of auditors’ work look for documentation of the auditor having
gained ‘sufficient appropriate audit evidence’ to form opinions. A common stance of these
parties is that if such evidence was not documented, then it was not obtained. This stance can
lead to severe conclusions about the quality of the audit. We are going to explore the nature of
such evidence here.

In HKSA 500, Audit Evidence, audit evidence is defined as ‘information used by the auditor
in arriving at the conclusions on which the auditor’s opinion is based. Audit evidence includes
both information contained in the accounting records underlying the financial statements and
information from other sources’ (HKSA 500.5(c)). Sufficiency is defined as ‘the measure of the
quantity of audit evidence. The quantity of the audit evidence needed is affected by the auditor’s
assessment of the risks of material misstatement and also by the quality of such audit evidence’
(HKSA 500.5(e)). Appropriateness is defined as ‘The measure of the quality of audit evidence;
that is, its relevance and its reliability in providing support for the conclusions on which the
auditor’s opinion is based’ (HKSA 500.5(b)).

What does this mean in practice though?

If you consider a bucket as a repository for audit evidence and water represents audit evidence,
how much clean water does an auditor need in the bucket to be happy that for a certain area
and for the appropriate audit assertions (see Chapter 3) there is sufficient appropriate audit
evidence to reduce detection risk (see Chapter 4) to an acceptable level? This is a complex
question and in practice the answer will vary considerably. The overall objective of the auditor
is to be very efficient in obtaining water by obtaining only the audit evidence necessary to be
satisfied that detection risk is at an acceptable level. This process is cumulative in nature over
the entire audit process.

Some of the key elements that will contribute to the sufficiency and quality of audit
evidence are:

• Source of evidence – external. Externally and independently derived audit evidence, in
most cases, has a greater level of credibility and effectiveness than internally generated
evidence. This evidence usually takes the form of confirmations, expert reports,
analyst’s reports, and benchmarking data. These sources will either act as primary
evidence or serve to corroborate management’s assertions. This source of evidence in
most cases would result in a ‘smaller amount of water’ needing to be collected.

• Source of evidence – internal. This is audit evidence derived from the entity’s accounting
records and its controls. Inter-relationships between internally sourced data can
provide a degree of corroboration.

• How the audit evidence was obtained and evaluated. Inspection, observation,
recalculation, re-performance, analytical procedures, and inquiry can be applied, as
appropriate, to the circumstances.

• Relevance to the risks and assertions being audited. Logical connection needs to
be achieved between the evidence gathered and the risks and assertions being
considered.

Therefore, as the image above portrays, the auditors at the completion stage of the audit
are determining whether or not they are satisfied that each bucket (aspect of the audit) has the
right quality and level of clean water (sufficient and appropriate audit evidence) in it.


Apply and Analyse 1


When Lau Lam, an audit manager of the Hung Fu audit, was discussing with Manchu Kang
the audit evidence he had obtained in relation to the creditor’s balance of HK$40 million at
31 December 20X1 (a material balance, with some significant balances making up the total,
with a medium inherent risk rating over the relevant assertions), Manchu explained the
following:

1. He had completed the lead sheet summarising the balances and had obtained
an explanation from the accountant as to the reasons for the movements in
balances between the years and documented what the accountant had said on the
lead sheet.

2. A copy of the creditor’s reconciliation was obtained and agreed to the subsidiary
ledger and Manchu confirmed it had been reviewed by a more senior accountant.

3. Manchu then conducted audit sampling by randomly choosing ten creditors from
the creditors’ subsidiary ledger totalling HK$ million. He agreed the creditor’s
balances to the original invoices and found no exceptions.

Analysis

Lau Lam would have concluded fairly quickly that Manchu had not obtained sufficient
appropriate audit evidence to reduce the risk of material misstatement. (To simplify the
analysis, the fact that controls in the context of a Bank are critical to achieve audit comfort
has been excluded.) The level of testing is far too low to support a conclusion about the
population from which the sample was drawn. Manchu should have considered non-
statistical sampling of the largest creditor balances with external confirmations as his
first step and then used audit sampling for the rest of the creditor population to a level
appropriate to the level of audit risk remaining. There is no evidence from what Manchu
has said in relation to whether he tested for completeness and whether he had considered
how the cut-off for creditors had been applied.

All audit work should be subject to at least one level of review by a suitably qualified
audit team member. This is the basic quality management requirement of HKSA 220
(Revised) Quality Management for an Audit of Financial Statements, and serves to ensure that
sufficient appropriate audit evidence has been obtained in respect of transactions and
events, balances, and disclosures included in the financial statements.

When evaluating audit evidence, consideration should be given to ensure the following:

• The work has been performed in accordance with the relevant professional
standards and the legal and regulatory requirements of Hong Kong;

• The risks identified during the planning process have been appropriately
addressed throughout the audit;

• Having designed and performed audit procedures to verify assertions in the
financial statements, the outcome of the procedures constituted relevant and
reliable audit evidence that is capable of supporting the auditor’s opinion;

• Any significant matters identified have been addressed appropriately and the
matter and outcomes have been documented appropriately;



• The work performed supports the conclusions reached and has been appropriately
documented;

• Where a reviewer evaluated that further audit work needed to be completed,
that the nature and extent of further work was documented and subjected to a
follow-up review; and

• Appropriate consultations have taken place and the outcomes were implemented
and supported by documentation.

During the completion phase of the audit, it is critical that an engagement partner is
satisfied that the accumulation of audit evidence through the audit process supports the
proposed opinion of the auditor.

Ethics in Practice 1
The auditor must always exercise professional competence, due care, and professional
behaviour (Sections 113 and 115 of The Code of Ethics for Professional Accountants
(Revised)). This can be challenging as the audit process comes to completion and
the audit report deadline looms. To ensure that the ethical principles of professional
competence, due care, and professional behaviour are met the auditor must not be
tempted to take ‘short cuts’ in completing the audit in line with the relevant professional
standards and the legal and regulatory requirements of Hong Kong.

Knowledge Check Questions

Question 1
Describe what you believe to be the key factors an auditor should think about when
gathering audit evidence.

9.2 PLAN THE PROCEDURES TO BE CONDUCTED AT THE COMPLETION OF THE AUDIT

When developing the overall audit strategy and audit plan, the auditor should consider what
needs to be done in the completion phase of the audit. As HKSA 300, Planning an Audit of
Financial Statements, outlines, planning should not be seen as a discrete and separate part
of the overall audit, and as the audit progresses could be subject to change dependent on
unforeseen circumstances that may occur.

As has been noted earlier in this module, an initial risk assessment will be completed in
the early phases of the audit, which may highlight matters that are more likely to be subject to
detailed audit procedures towards the completion of the audit. Typically, these risks could be
going concern, subsequent events, and prior period misstatements (errors).

Factors that can also be planned earlier on in the audit process are the timing of the
auditor’s opinion and timing of communications with those charged with governance, including
the closing report and management letter distribution.

While written representations from management or those charged with governance are
obtained by the auditor as close as possible to the date of the auditor’s report, as the audit
progresses the auditor should be ensuring that any matters that need specific coverage in the
representation letter are identified and kept current.

9.3 EXPLAIN THE PURPOSE OF AND PROCEDURES TO BE USED DURING AUDIT COMPLETION

9.3.1 A Going Concern Review


Note that the overarching responsibility for the assessment of an entity’s ability to continue as
a going concern is that of management. Specifically, Hong Kong Accounting Standard (HKAS) 1,
Presentation of Financial Statements, requires management to make an assessment of an entity’s
ability to continue as a going concern (HKAS 1.25–26). Directors in certain circumstances are
required under the Companies Ordinance (Cap.622) to make a solvency statement (confirming
that debts can be met as and when they fall due).

It should be noted that the going concern assessment undertaken for financial reporting
purposes is not intended to provide a guarantee that the entity will remain a going concern for
12 months from the date of the current financial statements. The assessment is a judgement
based on what is known at the date of the financial statements.

9.3.1.1 Auditor’s Objectives


HKSA 570 (Revised), Going Concern, sets out that under a going concern basis of accounting,
the financial statements are prepared on the assumption that the entity is a going concern
and will be able to pay its debts as and when they fall due. Alternatively, but relatively rarely,
management may state in the financial statements their intention to liquidate the entity or
cease operations. More problematical are the circumstances in which management are hoping
and planning to continue but the risks of this not being so are becoming quite material.

To this end the objectives of the auditor are to:

• Obtain sufficient appropriate audit evidence regarding the appropriateness of the use
of the going concern basis of accounting in management’s preparation of the financial
statements;

• Conclude on whether a material uncertainty exists based on audit evidence obtained
related to events or conditions that may cast significant doubt on the entity’s ability to
continue as a going concern; and

• Draw conclusions and form an opinion on whether the entity is a going concern, based
on the requirements of HKSA 570 (Revised).


9.3.1.2 Requirements
HKSA 570 (Revised) notes that the going concern assessment is made at the date of the
financial statements and takes into account the relevant facts and circumstances known at that
date. Judgements need to be made by both management and the auditor.

HKSA 570 (Revised) sets out four key aspects for the auditor to consider when undertaking
a going concern assessment (HKSA 570.9-16). These relate to:

1. Risk assessment procedures and related activities.

2. Evaluating management’s assessment.

3. Considering the period beyond management’s assessment.

4. Designing and implementing additional audit procedures.

9.3.1.3 Risk Assessment Procedures and Related Activities


The auditor needs to consider going concern at the early stages of the audit, in particular when
performing the risk assessment procedures required under HKSA 315 (Revised 2019), Identifying
and Assessing the Risks of Material Misstatement. This assessment should extend to considering
whether there are events or conditions that are in existence that may cast significant doubt on
the going concern basis of accounting. This assessment will normally be based on the auditor’s
knowledge of the industry, the history of the entity itself, a review of draft financial statements
or trial balance, and known events from the current period and the post balance date period.

It is the auditor’s responsibility to discuss concerns with management and determine the
level of risk such that the response to the risk can be planned and performed in line with HKSA
330, The Auditor’s Responses to Assessed Risks.

The auditor will look for relationships between amounts that indicate risk. The auditor will
consider not only the absolute amounts involved but also the trend in those amounts. Some
warning signs that are commonly taken into account by the auditor in the risk assessment of
the going concern assumption include the following.

Financial
• Current liabilities exceed current assets.

• Total liabilities exceed total assets.

• Net cash outflows from operating activities.

• Current and historical operating losses.

• Cash on delivery terms required by creditors.

• Unusual financing arrangements (e.g. unusual amounts sourced from off-shore entities
of questionable repute).

• Significant legal costs and pending cases.

• Bank or other covenant breaches.

• Significant increases in ‘own credit’ risk implied in the value of financial liabilities.


Operational
• Long lead times on sales of both current and non-current assets.

• Significant amounts of debt due and payable.

• The number of days’ credit implied in creditor balances is extending or contracting
materially.

• Supply chain issues.

• Increases in competition.

• Loss of major customers.


Other
• Recent economic or environmental trends, events, and disasters.

• Changes in laws and regulation.

• Non-insurable events occurring.

9.3.1.4 Evaluating Management’s Assessment


The focus of the auditor’s work should be to obtain sufficient appropriate audit evidence to
evaluate management’s assessment of the entity’s ability to continue as a going concern.
Management should be able to present to the auditor any or all of the following when
the auditor is seeking support for management’s assessment that a going concern basis of
accounting is appropriate (this list is not exhaustive but acts as a guide only):

• Obtain the budgets and forecasts prepared by management and analyse the underlying
assumptions and appropriateness of their use.

• Obtain and inquire of management’s plans and minutes supporting changes to
operating strategies and plans, and evaluate whether the management’s assumptions
are reasonable.

• Consider obtaining written agreement from creditors or financiers stating that they will
not call back what is owed to them for at least 12 months from the date of the financial
statements.

• Obtain proof of support from related parties that they can underwrite any payments
of debts as and when they fall due for 12 months from the date of the financial
statements.

• Determine if management can obtain further funding from creditable financiers.

Management’s assessment should cover at least 12 months from the date of the financial
statements and the auditor’s assessment should cover the same period. The auditor must
ensure that they do not take management’s assessment at face value and that sufficient
appropriate audit evidence is obtained including, where necessary, evidence that support
offered is reasonable given the financial position of the support giver.

9.3.1.5 Period Beyond Management’s Assessment


The auditor shall inquire of management as to its knowledge of events and conditions beyond
the period of management’s assessment, which may cast significant doubt on the entity’s ability
to continue as a going concern.


9.3.1.6 Additional Audit Procedures When Events or Conditions Are Identified


If, after completing the risk assessment at the planning stage and after the evaluation of
management’s assessment, events or conditions have been identified
that may cast significant doubt on the entity’s ability to continue as a going concern, the auditor
shall obtain sufficient appropriate audit evidence to determine whether or not a material
uncertainty exists related to events or conditions that may cast significant doubt on the entity’s
ability to continue as a going concern (hereinafter referred to as ‘material uncertainty’) through
performing additional audit procedures, including consideration of mitigating factors. These
procedures shall include:

a. Where management has not yet performed an assessment of the entity’s ability to
continue as a going concern, requesting management to make its assessment.

b. Evaluating management’s plans for future actions in relation to its going concern
assessment, whether the outcome of these plans is likely to improve the situation and
whether management’s plans are feasible in the circumstances.

c. Where the entity has prepared a cash flow forecast, and analysis of the forecast is
a significant factor in considering the future outcome of events or conditions in the
evaluation of management’s plans for future actions:

(i) Evaluating the reliability of the underlying data generated to prepare the
forecast and

(ii) Determining whether there is adequate support for the assumptions underlying
the forecast.

d. Considering whether any additional facts or information have become available since
the date on which management made its assessment.

e. Requesting written representations from management and, where appropriate, those
charged with governance, regarding their plans for future actions and the feasibility of
these plans.

9.3.1.7 Audit Conclusion


Based on the audit evidence obtained, the auditor will conclude whether in the auditor’s
judgement a material uncertainty exists in relation to events or conditions that individually or
collectively may cast significant doubt on the entity’s ability to continue as a going concern.

If a material uncertainty does exist and the auditor determines that management’s use
of the going concern basis of accounting is appropriate, the auditor will determine whether
adequate disclosure has been made by management in the financial statements outlining how
management plans to deal with the events or conditions.

9.3.1.8 Implications for the Auditor’s Report


The auditor has several distinct conclusions that can be reached on a going concern. Those
conclusions determine the type of auditor’s report that could be issued. A detailed assessment
of the auditor’s report options is provided in Chapter 10.


The following outlines the general conclusions as outlined in HKSA 570 (Revised):

1. If the auditor concludes that management’s use of the going concern basis of
accounting is appropriate in the circumstances, but that a material uncertainty exists,
the auditor shall determine whether the financial statements:

a. Adequately disclose the principal events or conditions that may cast significant
doubt on the entity’s ability to continue as a going concern and management’s plans
to deal with these events or conditions and

b. Disclose clearly that there is a material uncertainty related to events or conditions
that may cast significant doubt on the entity’s ability to continue as a going concern
and, therefore, that it may be unable to realise its assets and discharge its liabilities
in the normal course of business.

2. If events or conditions have been identified that may cast significant doubt on the
entity’s ability to continue as a going concern but, based on the audit evidence
obtained the auditor concludes that no material uncertainty exists, the auditor shall
evaluate whether, in view of the requirements of the applicable financial reporting
framework, the financial statements provide adequate disclosures about these events
or conditions.

3. If the financial statements have been prepared using the going concern basis of
accounting but, in the auditor’s judgement, management’s use of the going concern
basis of accounting in the preparation of the financial statements is inappropriate, the
auditor shall express an adverse opinion.

4. If adequate disclosure about the material uncertainty is made in the financial
statements, the auditor shall express an unmodified opinion and the auditor’s report
shall include a separate section under the heading ‘Material Uncertainty Related to
Going Concern’ to:

a. Draw attention to the note in the financial statements that discloses the matters set
out in 1 above and

b. State that these events or conditions indicate that a material uncertainty exists that
may cast significant doubt on the entity’s ability to continue as a going concern and
that the auditor’s opinion is not modified in respect of the matter.

5. If adequate disclosure about the material uncertainty is not made in the financial
statements, the auditor shall:

a. Express a qualified opinion or adverse opinion, as appropriate, in accordance with
HKSA 705 (Revised) and

b. In the Basis for Qualified (Adverse) Opinion section of the auditor’s report, state that
a material uncertainty exists that may cast significant doubt on the entity’s ability
to continue as a going concern and that the financial statements do not adequately
disclose this matter.

6. If management is unwilling to make or extend its assessment when requested to do so
by the auditor, the auditor shall consider the implications for the auditor’s report.


Illustrative Example 1
Three examples are included below with the wording of the relevant paragraphs in the
auditor’s report from the Appendix to HKSA 570 (Revised). There are many different
examples depending on the particular circumstances surrounding a significant
uncertainty and how it has been treated and/or disclosed by those charged with
governance.

Unmodified auditor’s opinion with a material uncertainty paragraph:

Basis for Opinion

We conducted our audit in accordance with Hong Kong Standards on Auditing (HKSAs)
issued by the HKICPA. Our responsibilities under those standards are further described
in the Auditor’s Responsibilities for the Audit of the Financial Statements section of our
report. We are independent of the Company in accordance with the HKICPA’s Code of
Ethics for Professional Accountants (‘the Code’) and we have fulfilled our other ethical
responsibilities in accordance with the Code. We believe that the audit evidence we have
obtained is sufficient and appropriate to provide a basis for our opinion.

Material Uncertainty Related to Going Concern

We draw attention to Note XXX in the financial statements, which indicates that the
Company incurred a net loss of ZZZ during the year ended 31 December 20X1 and, as
of that date, the Company’s current liabilities exceeded its total assets by YYY. As stated
in Note ZZ, these events or conditions, along with other matters as set forth in Note
ZZ, indicate that a material uncertainty exists that may cast significant doubt on the
Company’s ability to continue as a going concern. Our opinion is not modified in respect
of this matter.

Qualified Opinion When a Material Uncertainty Exists and the Financial Statements Are
Materially Misstated Due to Inadequate Disclosure

Qualified Opinion

We have audited the financial statements of ABC Company (‘the Company’) set out on
pages . . . to . . ., which comprise the statement of financial position as at 31 December
20X1, and the statement of profit or loss and other comprehensive income, statement of
changes in equity, and statement of cash flows for the year then ended, and notes to the
financial statements, including a summary of significant accounting policies.

In our opinion, except for the incomplete disclosure of the information referred to in
the Basis for Qualified Opinion section of our report, the financial statements give a true
and fair view of the financial position of the Company as at 31 December 20X1, and of
its financial performance and its cash flows for the year then ended in accordance with
Hong Kong Financial Reporting Standards (HKFRSs) issued by the Hong Kong Institute of
Certified Public Accountants (HKICPA) and have been properly prepared in compliance with
the Companies Ordinance.

Basis for Qualified Opinion

As discussed in Note YY, the Company’s financing arrangements expire and amounts
outstanding are payable on 19 March 20X2. The Company has been unable to conclude
re-negotiations or obtain replacement financing. This situation indicates that a material
uncertainty exists that may cast significant doubt on the Company’s ability to continue as
a going concern. The financial statements do not adequately disclose this matter.

We conducted our audit in accordance with Hong Kong Standards on Auditing (HKSAs)
issued by the HKICPA. Our responsibilities under those standards are further described
in the Auditor’s Responsibilities for the Audit of the Financial Statements section of our
report. We are independent of the Company in accordance with the HKICPA’s Code of
Ethics for Professional Accountants (‘the Code’) and we have fulfilled our other ethical
responsibilities in accordance with the Code. We believe that the audit evidence we have
obtained is sufficient and appropriate to provide a basis for our qualified opinion.

Adverse Opinion When a Material Uncertainty Exists and Is Not Disclosed in the
Financial Statements

Adverse Opinion

We have audited the financial statements of ABC Company (‘the Company’) set out on
pages . . . to . . ., which comprise the statement of the financial position as at 31 December
20X1 and the statement of profit or loss and other comprehensive income, the statement
of changes in equity and statement of cash flows for the year then ended, and notes to the
financial statements, including a summary of significant accounting policies.

In our opinion, because of the omission of the information mentioned in the Basis for
Adverse Opinion section of our report, the financial statements do not give a true and fair
view of the financial position of the Company as at 31 December 20X1, and of its financial
performance and its cash flows for the year then ended in accordance with Hong Kong
Financial Reporting Standards (HKFRSs) issued by the Hong Kong Institute of Certified
Public Accountants (HKICPA). In all other respects, in our opinion the financial statements
have been properly prepared in compliance with the Companies Ordinance.

Basis for Adverse Opinion

The Company’s financing arrangements expired and the amount outstanding
was payable on 31 December 20X1. The Company has been unable to conclude
re-negotiations or obtain replacement financing and is considering filing for bankruptcy.
This situation indicates that a material uncertainty exists that may cast significant doubt
on the Company’s ability to continue as a going concern. The financial statements do not
adequately disclose this fact.

We conducted our audit in accordance with Hong Kong Standards on Auditing (HKSAs)
issued by the HKICPA. Our responsibilities under those standards are further described
in the Auditor’s Responsibilities for the Audit of the Financial Statements section of our
report. We are independent of the Company in accordance with the HKICPA’s Code of Ethics
for Professional Accountants (‘the Code’) and we have fulfilled our ethical responsibilities
in accordance with the Code. We believe that the audit evidence we have obtained is
sufficient and appropriate to provide a basis for our adverse opinion.


9.3.1.9 Communication with Those Charged with Governance


It is important for the auditor to communicate with those charged with governance on a timely
basis in circumstances when the auditor determines that there is a significant uncertainty
pertaining to the going concern. This communication is important as the auditor may want to
issue an unmodified auditor’s opinion with a material uncertainty related to going
concern paragraph or a modified opinion. (The different auditor’s opinions are outlined in
detail in Chapter 10.) When a material uncertainty relating to the going concern is identified, it
is likely to be the subject of multiple communications between the auditor and those charged
with governance. These need to be documented. Specifically, HKSA 570 (Revised) requires the
following communications (HKSA 570.25).

Unless all those charged with governance are involved in managing the entity, the auditor
shall communicate with those charged with governance events or conditions identified
that may cast significant doubt on the entity’s ability to continue as a going concern. Such
communication with those charged with governance shall include the following:

a. Whether the events or conditions constitute a material uncertainty;

b. Whether management’s use of the going concern basis of accounting is appropriate in
the preparation of the financial statements;

c. The adequacy of related disclosures in the financial statements; and


d. Where applicable, the implications for the auditor’s report.

Apply and Analyse 2


During the planning phase of the audit of Hung Fu it was discovered by Chin Ling that
the Bank had received a number of warnings from the Hong Kong Monetary Authority
(HKMA) in relation to its compliance with its lending policies and procedures. Lending
constitutes a significant portion of the Bank’s profitability and its receivable balances.
Chin Ling has requested that the board of directors provide information in relation to the
Bank’s responses to the warnings and an assessment of the potential impact if lending
was significantly curtailed for the Bank, and what impact this would have on the Bank’s
ability to continue as a going concern. Chin Ling is most concerned about this situation,
particularly as the lessons from the Global Financial Crisis and the Barings Bank collapse
are at the front of her mind.

Analysis

Chin Ling has conducted all assessments that she should have performed under HKSA 570
(Revised) to this point. Chin Ling will need to receive sufficient appropriate audit evidence
from the HKMA, either addressed to management or directly to the auditor, in relation
to their proposed actions against Hung Fu, if any, and how those actions may impact the
ongoing viability of the Bank. Management should be supplying Chin Ling with budgets
and forecasts based on current levels of Bank business and projected operational changes,
as well as budgets and forecasts should the lending sector of the Bank be limited or
discontinued. Chin Ling and her team would need to be more alert to any other potential
issues with banking compliance throughout the audit process.


9.3.2 A Subsequent Events Review


The subsequent events review stage of the audit process is vital to ensuring that all items with a
material consequence have been appropriately reflected up to the date of the auditor’s opinion.

9.3.2.1 Objectives of the Auditor


HKSA 560 Subsequent Events requires the auditor to perform audit procedures to obtain
sufficient appropriate audit evidence that all events occurring between the date of the financial
statements and the date of the auditor’s report that require adjustment of, or disclosure in, the
financial statements have been identified and appropriately accounted for and/or disclosed in
the financial statements.

Exhibit 9.2 illustrates when the subsequent events period occurs during the timeline of the
auditor’s report.

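[Exhibit 9.2: timeline running from the start of the financial period to the date of the
financial statements (aka balance date, the cut-off), which is the reporting period, and then
from the date of the financial statements to the date of the auditor’s report, which is the
subsequent-events period.]

EXHIBIT 9.2 Timeline of the auditor’s report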

The auditor must also respond to facts that become known after the date of the auditor’s
report and that, had they been known to the auditor at the time of the auditor’s opinion, would
have caused the opinion to be amended, and consider reissuing the audit opinion.

9.3.2.2 Types of Subsequent Events


There are two types of subsequent events:

1. Those that provide further evidence of conditions that existed at the end of the financial
period, known as adjusting subsequent events.

2. Those that provide evidence of conditions that arose after the end of the financial
period, known as non-adjusting subsequent events. Though not adjusted, they are the
subject of disclosure requirements.

The most common disclosure of non-adjusting subsequent events in Hong Kong listed
entity financial statements is of a dividend, or special dividends, declared post period end.


Illustrative Example 2
The Board of directors of Ming Wa Company have participated in a number of highly
confidential board meetings during the current accounting period that ended on 31
December 20X0. The basis of discussion was associated with the potential closure of a
major manufacturing plant and terminating the employment of all 500 people employed
at the plant. These discussions followed a review by external consultants late in the
fourth quarter that seriously questioned the viability of the plant and recommended
impairment charges. The discussions of the Board have been minuted.

Scenario 1. The Board makes a final decision on 1 January 20X1 that the manufacturing
plant will be closed and that the contracts of all 500 employees will be terminated, having
already completed a management assessment of the impairments required to assets and
the provisions required for termination payments before 31 December 20X0. In this case,
the circumstances being considered were the result of conditions that existed prior to the
period end, despite the final decision being made on 1 January. In this case the financial
impact of the subsequent (adjusting) event would need to be adjusted in the financial
statements for the period ending 31 December 20X0.

Scenario 2. The Board continues its discussions into 20X1. One week prior to the
signing of the financial statements for 31 December 20X0, a potential purchaser has signed
a deed of intent to conduct due diligence procedures to potentially purchase the plant
and continue to employ the 500 people currently working at the plant. There is no deed
of confidentiality and given the rumours surrounding the plant and its employees, the
Board decided to release what they knew of the potential purchase to the market via an
announcement through the HKEx. Given the potential purchase arose after the year-end,
but the potential outcomes would be material, appropriate disclosures should be made
in the notes to the financial statements explaining to users the facts as they are known at
the date of the financial statements (non-adjusting event). Further consideration would
need to have been made by the auditor during the audit process as to the carrying value of
assets of the plant and whether or not the uncertainty as to the future of the plant creates
a going concern issue.

9.3.2.3 Requirements
The auditor shall perform audit procedures designed to obtain sufficient appropriate audit
evidence that all events occurring between the date of the financial statements and the date
of the auditor’s report that require adjustment of, or disclosure in, the financial statements
have been identified. The auditor is not, however, expected to perform additional audit
procedures on matters to which previously applied audit procedures have provided satisfactory
conclusions.

9.3.2.4 Audit Procedures


When looking at the audit procedures that should be conducted to meet the requirements of
HKSA 560, the auditor can divide this work into three key time periods:

1. Events occurring between the date of the financial statements and the date of the
auditor’s report;


2. Facts that become known to the auditor after the date of the auditor’s report but prior
to the date of issue of the financial statements; and

3. Facts that become known to the auditor after the financial statements have
been issued.

Events Occurring Between the Date of the Financial Statements and the Date of the
Auditor’s Report
If the auditor determines that there have been events occurring between the date of the
financial statements and the date of the auditor’s report, the auditor needs to refer to their
initial risk assessment undertaken under the requirements of HKSA 315 (Revised 2019), and
updated as appropriate throughout the audit process, to determine the appropriate extent
of additional audit procedures that need to be undertaken. It is important to note that audit
procedures undertaken should be completed as close to the date of the auditor’s report as
possible. The procedures may include:

• Gaining an understanding of how management has identified and assessed the
subsequent events and the reasonableness of the assumptions used by management
in drawing their conclusions;

• Enquiring of management and potentially the Board to establish if any events or
circumstances have occurred that may have a financial impact on the entity;

• Reading minutes from Board meetings and management meetings to identify any
events that have occurred which may have an impact on the entity’s financial statements;

• Reviewing trial balances produced after the period end; and

• Contacting legal counsel to determine whether anything has come to their attention
since sending their written confirmation. (Note that often regulators expect, although
not written in law or the auditing standards, that such a follow-up should be made a
maximum of seven days before the date of the auditor’s opinion.)

If, after having completed the procedures noted above, the auditor becomes aware of a
material subsequent event, the auditor will need to determine whether it is an adjusting event
or non-adjusting event and ensure the financial statements appropriately include and/or
disclose the event.

Facts That Become Known to the Auditor after the Date of the Auditor’s Report but Prior to
the Date of Issue of the Financial Statements
The auditor has no obligation to perform any audit procedures in relation to the financial
statements after the auditor’s report has been signed. However, if the auditor becomes aware
of an event that, if known at the date of the auditor’s report, would have caused the auditor
to amend the opinion, the auditor should determine whether the financial statements should
be amended.

If the financial statements should be amended and management makes the necessary
amendments, then the auditor should perform the appropriate audit procedures over the
amendments and issue a new auditor’s report. The auditor should include an emphasis
of matter paragraph or other matter paragraph (the basis for these types of paragraphs is
outlined in Chapter 10) to draw users’ attention to the change in subsequent events after the
first signing of the auditor’s report.


If management refuses to amend the financial statements and the auditor believes the
financial statements should be amended, the auditor should modify the auditor’s opinion in line
with HKSA 705 (Revised). (More detail is provided on the types of auditor’s reports issued under
HKSA 705 (Revised) in Chapter 10.) The auditor should ensure that those charged with governance
include the revised auditor’s opinion with the financial statements. If the financial statements
are issued with the original auditor’s opinion, the auditor will need to take appropriate action to
prevent reliance on the original auditor’s report, which depends upon the auditor’s legal rights and
obligations. Consequently, the auditor may consider it appropriate to seek legal advice.

Facts that Become Known to the Auditor after the Financial Statements Have
Been Issued
The same procedures for time period 2 would apply. Depending on the timing of the discovery
of the situation, the auditor may determine that the issue would be rightly corrected in the
following year’s financial statements or, for listed entities, in the following interim financial
statements.

Apply and Analyse 3


Chin Ling has called together all those present at the audit completion meeting on 20
March 20X2 to explain what she has discovered subsequent to the period end on which
Quality is reporting, being 31 December 20X1. A material fraud has been discovered in
the loans department, while completing the planned audit procedures, where several
employees have been approving loans to themselves for millions of Hong Kong dollars
over the course of the last financial year and up until the point of discovery, being 28
February 20X2.

Analysis

Chin Ling would instruct one of her managers to undertake audit procedures to determine
the financial impact caused by the fraud. The material nature of the fraud would heighten
the entire risk assessment process for Hung Fu. The risk assessment would need to
be formally reviewed in line with the requirements of HKSA 315 (Revised 2019) and a
determination made as to whether further audit procedures would need to be undertaken,
which would likely be additional tests of detail in the loans department.

For the purposes of determining the appropriate treatment of the subsequent event,
given that the effects of the fraud took place in the current period being audited, it is an
adjusting subsequent event that would require amendments to the financial statements as
well as further note disclosures about the actions taken by the bank.

9.3.3 Obtaining Written Representations from Management


For the purpose of this section HKSA 580, Written Representations, is the relevant audit standard.
Please note that despite the HKSA reference to written representations, other common
terminology used for the same letter is a management representation letter (or ‘rep’) or a letter
of representation.


9.3.3.1 Objectives of the Auditor


HKSA 580 requires the auditor to obtain written representations from management and,
where appropriate, those charged with governance. Audit evidence is all the information used
by the auditor to arrive at the conclusion on which the auditor’s report will be based. Written
representations are necessary information required by the auditor in connection with the audit
of the financial statements. Therefore, similar to responses by management to enquiries made
by the auditor, written representations are audit evidence. Although written representations
provide necessary audit evidence, on their own they do not provide sufficient appropriate audit
evidence on the matters covered in the letter. Furthermore, the fact that management has
provided written representations must not affect the nature of other audit evidence the auditor
obtained in relation to management’s obligations.

The objectives of the auditor are:

a. To obtain written representations from management and, where appropriate, those
charged with governance, that they believe that they have fulfilled their responsibility
for the preparation of the financial statements and for the completeness of the
information provided to the auditor;

b. To support other audit evidence relevant to the financial statements or specific
assertions in the financial statements by means of written representations, if
determined by the auditor or required by other HKSA; and

c. To respond appropriately to written representations provided by management and,
where appropriate, those charged with governance, or if management or, where
appropriate, those charged with governance do not provide the written representations
requested by the auditor.

Illustrative Example 3
Quality obtained written representations from those charged with governance of Hung
Fu in relation to the impairment losses against its credit card loan portfolio. This written
representation is not a substitute for other audit evidence that Quality could expect to
be reasonably available. Quality would need to plan for and conduct appropriate audit
procedures to conclude whether the impairment loss recorded in the current period is
sufficient. If Quality is unable to obtain sufficient appropriate audit evidence regarding
the recognition of the impairment loss and believes that the differences identified could
have a material effect on the financial statements, this could result in a modification to
the auditor’s opinion expressed by Quality notwithstanding the written representations
obtained on the matter from those charged with governance of Hung Fu.

9.3.3.2 Written Representations about Management’s Responsibilities


Though the items included in the written representation letter will vary depending on the audit
engagement and the nature and basis of the financial statements, some commonly addressed
items are:

• Management’s acknowledgement of its responsibility for the proper preparation of the
financial statements in accordance with the Hong Kong Financial Reporting Standards.


• The availability of books and records.

• The completeness and availability of all minutes of meetings of directors and associated
board committees.

• Management’s assurance that it has made available all letters from regulatory agencies
concerning non-compliance with, or deficiencies in, financial reporting practices.

• Management’s assurance that there are no unrecorded transactions.

• Management’s acknowledgement of its responsibility for the design and
implementation of controls and for the system of financial controls.

• Management’s assurance that it has disclosed all liens and other encumbrances on
its assets.

• Management’s assurance that all material transactions have been
appropriately recorded.

• That significant assumptions used by us in making accounting estimates, including
those measured at fair value, are reasonable (HKSA 540 (Revised)).

• Related party relationships and transactions have been appropriately accounted for
and disclosed in accordance with the requirements of Hong Kong Financial Reporting
Standards (HKSA 550).

• All events subsequent to the date of the financial statements and for which Hong Kong
Financial Reporting Standards require adjustment or disclosure have been adjusted or
disclosed (HKSA 560).

• The effects of uncorrected misstatements are immaterial, both individually and
in the aggregate, to the financial statements as a whole. A list of the uncorrected
misstatements is attached to the representation letter (HKSA 450).

• Any other matters that the auditor may consider appropriate.

The following additional management representations are applicable to audits of
companies incorporated under the Companies Ordinance (‘We’ being management):

1. We acknowledge that Section 380 of the Companies Ordinance requires us to prepare
financial statements that give a true and fair view of the financial position of the
company as at the end of the financial year and of the financial performance of the
company for the financial year.

2. We are responsible for taking all reasonable steps to ensure the company keeps proper
accounting records that are sufficient to show and explain the company’s transactions,
disclose with reasonable accuracy at any time the company’s financial position and
financial performance, and to ensure that the financial statements comply with the
Companies Ordinance.

3. The financial statements comply with Section 383 (Notes to Financial Statements to
Contain Information on Directors’ Emoluments, etc.) of the Companies Ordinance, which
requires the notes to the financial statements to contain the information prescribed by
the Companies (Disclosure of Information about Benefits of Directors) Regulation
(Cap. 622G).


4. We are responsible for the preparation of the directors’ report that:

a. Complies with Sections 390 (Contents of Directors’ Report: General) and 543(2)
(Disclosure of Management Contract) and Schedule 5 (Contents of Directors’ Report:
Business Review) of the Companies Ordinance;

b. Contains the information prescribed by the regulations made under Section 452(3)
(Financial Secretary May Make Other Regulations) of the Companies Ordinance; and

c. Complies with other requirements prescribed by the regulations made under
Section 452(3) of the Companies Ordinance.

The date of the written representation letter should be as close as possible to, but not after,
the date of the auditor’s report on the financial statements. In practice, the auditor normally
requests that the directors sign the directors’ report and issue the written representation letter
on the same date as the auditor’s report. The written representation letter should be for all
financial statements and period(s) referred to in the auditor’s report.

The auditor should not agree to any changes management may wish to make to the written
representation letter, if the written representation letter is to be accepted as contributing
to audit evidence. Any such changes would undermine the representations made by
management.

9.3.3.3 Written Representations Required by Other HKSAs


HKSA 580 Appendix 1 contains a list of HKSAs containing requirements for written
representations, showing their respective additional requirements. That list is outlined below.
However, there may be matters over and above those listed below that are relevant
to the circumstances of the audit and that the auditor should consider including in the written
representation letter.

HKSA 240.39
HKSA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements
The auditor shall obtain written representations from management and, where appropriate,
those charged with governance that:

a. They acknowledge their responsibility for the design, implementation, and maintenance
of internal control to prevent and detect fraud;

b. They have disclosed to the auditor the results of management’s assessment of the risk
that the financial statements may be materially misstated as a result of fraud;

c. They have disclosed to the auditor their knowledge of fraud, or suspected fraud,
affecting the entity involving:

– Management;

– Employees who have significant roles in internal control; or

– Others where the fraud could have a material effect on the financial
statements; and

d. They have disclosed to the auditor their knowledge of any allegations of fraud,
or suspected fraud, affecting the entity’s financial statements communicated by
employees, former employees, analysts, regulators, or others.


HKSA 250.17
HKSA 250 (Revised) Consideration of Laws and Regulations in an Audit of Financial Statements
‘The auditor shall request management and, where appropriate, those charged with
governance, to provide written representations that all known instances of non-
compliance or suspected non-compliance with laws and regulations whose effects should
be considered when preparing financial statements have been disclosed to the auditor’.

HKSA 450.14
HKSA 450 Evaluation of Misstatements Identified During the Audit
‘The auditor shall request a written representation from management and, where
appropriate, those charged with governance whether they believe the effects of
uncorrected misstatements are immaterial, individually and in aggregate, to the financial
statements as a whole. A summary of such items shall be included in or attached to the
written representation’.

HKSA 501.12
HKSA 501 Audit Evidence – Specific Considerations for Selected Items
‘The auditor shall request management and, where appropriate, those charged with
governance to provide written representations that all known actual or possible litigation
and claims whose effects should be considered when preparing the financial statements
have been disclosed to the auditor and accounted for and disclosed in accordance with
the applicable financial reporting framework’.

HKSA 540.22
HKSA 540 (Revised) Auditing Accounting Estimates and Related Disclosures
‘The auditor shall obtain written representations from management and, where
appropriate, those charged with governance whether they believe significant
assumptions used in making accounting estimates are reasonable’.

HKSA 550.26
HKSA 550 Related Parties
‘Where the applicable financial reporting framework establishes related party
requirements, the auditor shall obtain written representations from management and,
where appropriate, those charged with governance that:

(a) They have disclosed to the auditor the identity of the entity’s related parties and all the
related party relationships and transactions of which they are aware; and

(b) They have appropriately accounted for and disclosed such relationships and
transactions in accordance with the requirements of the framework’.

HKSA 560.9
HKSA 560 Subsequent Events
‘The auditor shall request management and, where appropriate, those charged with
governance, to provide a written representation in accordance with HKSA 580 that all
events occurring subsequent to the date of the financial statements and for which the
applicable financial reporting framework requires adjustment or disclosure have been
adjusted or disclosed’.


HKSA 570.16(e)
HKSA 570 (Revised) Going Concern
‘Requesting written representations from management and, where appropriate, those
charged with governance, regarding their plans for future actions and the feasibility of
these plans’.

HKSA 710.9
HKSA 710 Comparative Information – Corresponding Figures and Comparative Financial Statements
‘As required by HKSA 580, the auditor shall request written representations for all periods
referred to in the auditor’s opinion. The auditor shall also obtain a specific written
representation regarding any restatement made to correct a material misstatement in
prior period financial statements that affect the comparative information’.

HKSA 720.13(c)
HKSA 720 (Revised) The Auditor’s Responsibilities Relating to Other Information
‘When some or all of the document(s) determined in (a) will not be available until
after the date of the auditor’s report, request management to provide a written
representation that the final version of the document(s) will be provided to the auditor
when available, and prior to its issuance by the entity, such that the auditor can
complete the procedures required by this HKSA’.

9.3.3.4 Written Representations Required by New Companies Ordinance (Cap.622)


Section 436 of the Companies Ordinance (Cap.622), Requirement in connection with publication
of ‘specified financial statements’ and ‘non-statutory accounts’, introduces new requirements
dealing with the publication of a company’s ‘non-statutory accounts’.

Section 436 requires that:

(a) When Hong Kong incorporated companies make their ‘specified financial statements’
available to others, they must always ensure that they are accompanied by the auditor’s
report on those financial statements and

(b) When Hong Kong incorporated companies make any ‘non-statutory accounts’ available
to others they must be accompanied by a statement that includes the information
required by Section 436(3) and must not be accompanied by the auditor’s report on its
‘specified financial statements’ for the same financial year.

When an auditor is undertaking an audit of ‘specified financial statements’ in line with
Section 436, the auditor will need to ensure that the written representations letter from
management includes the requirements of management under Section 436.

9.3.3.5 Form of Written Representations


Written representations are required to be included in a representation letter addressed to
the auditor.

A formal statement of compliance with a law or regulation, or of approval of the financial
statements, would not contain sufficient information for the auditor to be satisfied that all
necessary representations have been consciously made. The expression of management’s
responsibilities in law or regulation is also not a substitute for the requested written
representations.


Illustrative Example 4 – Adapted from HKSA 580 Appendix 2


Below is an example of a form of written representation for the auditor of ABC Company.

(Entity Letterhead)

(To Auditor) (Date)

This representation letter is provided in connection with your audit of the financial
statements of ABC Company for the year ended 31 December 20X2 for the purpose of
expressing an opinion as to whether the financial statements are presented fairly, in all
material respects (or give a true and fair view), in accordance with Hong Kong Financial
Reporting Standards.

We confirm the following (to the best of our knowledge and belief, having made such
inquiries as we considered necessary for appropriately informing ourselves).

Financial Statements

We have fulfilled our responsibilities, as set out in the terms of the audit engagement
dated [insert date], for the preparation of the financial statements in accordance with
Hong Kong Financial Reporting Standards; in particular, the financial statements are fairly
presented (or give a true and fair view) in accordance therewith.

• Significant assumptions used by us in making accounting estimates, including
those measured at fair value, are reasonable (HKSA 540 (Revised)).

• Related party relationships and transactions have been appropriately accounted
for and disclosed in accordance with the requirements of Hong Kong Financial
Reporting Standards (HKSA 550).

• All events subsequent to the date of the financial statements and for which Hong
Kong Financial Reporting Standards require adjustment or disclosure have been
adjusted or disclosed (HKSA 560).

• The effects of uncorrected misstatements are immaterial, both individually and
in the aggregate, to the financial statements as a whole. A list of the uncorrected
misstatements is attached to the representation letter (HKSA 450).

• We have provided you with:

◦ Access to all information of which we are aware that is relevant to the
preparation of the financial statements, such as records, documentation, and
other matters;

◦ Additional information that you have requested from us for the purpose of the
audit; and

◦ Unrestricted access to persons within the entity from whom you determined it
necessary to obtain audit evidence.

• All transactions have been recorded in the accounting records and are reflected in
the financial statements.

• We have disclosed to you the results of our assessment of the risk that the financial
statements may be materially misstated as a result of fraud (HKSA 240).



• We have disclosed to you all information in relation to fraud or suspected fraud
that we are aware of and that affects the entity and involves:

◦ Management;

◦ Employees who have significant roles in internal control; or

◦ Others where the fraud could have a material effect on the financial statements
(HKSA 240).

• We have disclosed to you all information in relation to allegations of fraud, or
suspected fraud, affecting the entity’s financial statements communicated by
employees, former employees, analysts, regulators, or others (HKSA 240).

• We have disclosed to you all known instances of non-compliance or suspected
non-compliance with laws and regulations whose effects should be considered
when preparing financial statements (HKSA 250 (Revised)).

• We have disclosed to you the identity of the entity’s related parties and all the
related party relationships and transactions of which we are aware (HKSA 550).

• (Insert any other matters that the auditor may consider necessary.)

................................................................ ......................................................................

Management Management

9.3.3.6 Doubt About the Reliability of Written Representations or When not Provided
In the case of identified inconsistencies between one or more written representations and
audit evidence obtained from other sources, the auditor should consider whether the risk
assessment remains appropriate and, if not, revise the risk assessment and determine the
nature, timing, and extent of further audit procedures that might be required to respond to the
assessed risks.

Concerns about the competence, integrity, ethical values or diligence of management, or
about its commitment to or enforcement of these, may cause the auditor to conclude that
the risk of management misrepresentation in the financial statements is such that an audit
cannot be properly conducted. In such a case, the auditor may consider withdrawing from
the engagement, if possible, under an applicable law or regulation, unless those charged with
governance put in place appropriate corrective measures. Such measures, however, may not
be sufficient to enable the auditor to issue an unmodified audit opinion.

HKSA 230, Audit Documentation, requires the auditor to document significant matters arising
during the audit, the conclusions reached thereon, and significant professional judgements
made in reaching those conclusions. The auditor may have identified significant issues
relating to the competence, integrity, ethical values, or diligence of management, or about
its commitment to or enforcement of these, but concluded that the written representations
are nevertheless reliable. In such a case, this significant matter is documented in accordance
with HKSA 230.


9.3.4 Overall Audit of Financial Statements


9.3.4.1 Audit of Financial Statement Disclosures
Auditors are required to express an opinion on the financial statements as a whole. This
includes the notes to the financial statements which, as they provide additional information
on balances and transactions and other relevant information, are an integral part of those
statements.

When the first draft of the financial statements is given to the auditor, it normally includes
the statement of financial position, the statement of profit and loss, and, when appropriate,
other comprehensive income and the statement of changes in equity and the basic note
disclosures, such as details of cash at bank, receivables, and property, plant and equipment.
It may also include a draft Statement of Cash Flows. The more complex disclosures are
often left until late in the audit cycle. On this basis, the first step should be to ensure the
financial statements replicate the numbers that have been audited and documented on the
audit file. This will normally be, in the first instance, the aggregated quantitative totals and then
the disaggregated quantitative totals. As a base requirement, this involves cross-referencing the
financial statements to the audit file.

Generally speaking, the level of audit procedures that have been applied over financial
statement presentation and disclosures has been the subject of much focus by regulators and
the International Auditing and Assurance Standards Board (IAASB). Both have been concerned
that the level of audit has been inconsistent in relation to whether financial statements always
satisfy accounting standard disclosure requirements. The auditor must carefully review the
financial statement disclosures for completeness and accuracy and ensure compliance with
HKFRS issued by the HKICPA and that they are in compliance with the Companies Ordinance,
where applicable.

The auditor should consider the following key points when auditing financial statement
disclosures:

Disclosures of amounts (quantitative disclosures):

• Disaggregated information that has been subject to management judgement, for
example, operating leases, financial instruments, and financial assets designated at
fair value.

• Segment reporting of revenues, profit, and certain other items.

• The amounts of related party transactions.

• Summarised financial information in relation to associates and joint ventures.

Disclosures of related information, including qualitative disclosures:

• Descriptions of significant accounting policies and critical accounting estimates,
including note disclosure when there has been any change in accounting policies or
critical accounting estimates.

• Information about the identity of related parties.

• Description of the basis for impairment losses recognised in the financial statements.

• Information about application of the going concern assumption when appropriate.

• Information about the circumstances leading to contingent liability disclosures.

Judgement is needed to help determine whether qualitative disclosures are material or not.

Auditors should also be focused on instances in which management has proposed
providing excessive disclosure, sometimes of immaterial matters and sometimes covering
matters more appropriately dealt with in the annual report outside of the financial
statements or elsewhere. Undisciplined disclosures can make it difficult for the readers of the
financial statements to focus on the important matters. They can also include matters not
subject to audit.

Auditors should, as part of the planning phase of the audit process, remind management
of their responsibility to make available information related to financial statement disclosures,
as early as possible so that audit procedures can be applied in the same way for classes of
transaction, events, and account balances. Early consideration should also be given to matters
such as significant new or revised disclosures.

9.3.4.2 Compliance with Accounting Regulations


All section references below are to the Companies Ordinance (Cap.622), specifically in Part 9,
Accounts and Audit.

Section 379: A company’s directors must prepare, for each financial year, statements
that comply with Sections 380 and 383.

Section 380: General Requirements for Financial Statements


1. The annual financial statements for a financial year:

a. Must give a true and fair view of the financial position of the company as at the end
of the financial year and

b. Must give a true and fair view of the financial performance of the company for the
financial year.

2. The annual consolidated financial statements for a financial year:

a. Must give a true and fair view of the financial position of the company, and all the
subsidiary undertakings, as a whole as at the end of the financial year and

b. Must give a true and fair view of the financial performance of the company, and all
the subsidiary undertakings, as a whole for the financial year.

3. The financial statements for a financial year must comply with:

a. If the company falls within the reporting exemption for the financial year, Part 1 of
Schedule 4 or

b. If the company does not fall within the reporting exemption for the financial year,
Parts 1 and 2 of Schedule 4.

4. The financial statements for a financial year must also comply with:

a. Any other requirements of this Ordinance in relation to the financial statements and

b. The accounting standards applicable to the financial statements.

5. If, in relation to any financial statements, compliance with Subsections 3 and 4 would be
insufficient to give a true and fair view under Subsection 1 or 2, the financial statements
must contain all additional information necessary for that purpose.

6. If, in relation to any financial statements, compliance with Subsection 3 or 4 would be
inconsistent with a requirement to give a true and fair view under Subsection 1 or 2, the
financial statements:

a. Must depart from Subsection 3 or 4 (as the case may be) to the extent necessary for
it to give a true and fair view and

b. Must contain the reasons for, and the particulars and effect of, the departure.

7. Subsections 1, 2, 5, and 6 do not apply if the company falls within the reporting
exemption for the financial year.

8. In this section:

a. Accounting standards means statements of standard accounting practice issued or
specified by a body prescribed by the Regulation and

b. A reference to accounting standards applicable to any financial statements is a
reference to accounting standards as are, in accordance with their terms, relevant
to the company’s circumstances and to the financial statements.

Section 405: Auditor’s Duty to Report
A company’s auditor must prepare a report for the members on any financial statements
prepared by the directors, a copy of which is laid before the company in a general meeting
under Section 429 or is sent to a member under Section 430 or otherwise circulated, published,
or issued by the company, during the auditor’s term of office.

Section 406: Auditor’s Opinion on Financial Statements, Directors’ Report, etc.


1. An auditor’s report must state, in the auditor’s opinion:

a. Whether the financial statements have been properly prepared in compliance with
this Ordinance and

b. In particular, whether the financial statements:

(i) In the case of annual financial statements of a company that does not fall within
the reporting exemption for the financial year, give a true and fair view of the
financial position and financial performance of the company as required by
Section 380 or

(ii) In the case of annual consolidated financial statements of a company that does
not fall within the reporting exemption for the financial year, give a true and fair
view of the financial position and financial performance of the company and all
the subsidiary undertakings as required by Section 380.

2. If a company’s auditor is of the opinion that the information in a directors’ report for
a financial year is not consistent with the financial statements for the financial year,
the auditor

a. Must state that opinion in the auditor’s report and

b. May bring that opinion to the members’ attention at a general meeting.

As explained in the Preface to Hong Kong Financial Reporting Standards, the term ‘Hong Kong
Financial Reporting Standards’ includes all HKFRS, Hong Kong Accounting Standards (HKAS), and
Interpretations issued by the HKICPA.

HKFRS set out recognition, measurement, presentation, and disclosure requirements
dealing with transactions and events that are important in general purpose financial
statements. HKFRS are based on The Framework for the Preparation and Presentation of Financial
Statements, which addresses the concepts underlying the information presented in general
purpose financial statements.

The appropriate application of HKFRS, with additional disclosure when necessary, results, in
virtually all circumstances, in financial statements that give a true and fair view.

9.3.4.3 Review for Consistency and Reasonableness


During the completion stage of the audit, final analytical procedures on the financial statements
should be conducted in line with HKSA 520, Analytical Procedures. One of the objectives of
the auditor in complying with HKSA 520 is to design and perform analytical procedures near
the end of the audit that assist in forming an overall conclusion as to whether the financial
statements as a whole are consistent with the auditor’s understanding derived from conducting
the audit during the current period.

The analytical procedures carried out at this stage of the audit are no different to those
performed at the planning stage (see Chapter 5). The auditor should perform a ratio analysis,
comparisons with the prior period financial statements and look for the trends that are
expected based on the knowledge obtained throughout the audit process and the expectations
built as a result of the economic and business environment the business operates in. These
procedures should be designed to highlight unusual transactions and balances that may
indicate a risk of material misstatement. Taken together, if the auditor is unable to explain any
of the issues that have been highlighted by the analytical procedures, the reasonableness of
the financial statements as a whole should be questioned.

When the analytical procedures performed near the completion of the audit uncover
previously unrecognised risks of material misstatement, the auditor is required to
revise the previously assessed risk of material misstatement and modify the planned audit
response appropriately. This could result in the auditor having to perform further audit
procedures in relation to matters that have been identified as having a higher risk.

9.3.4.4 Treatment of Errors


The treatment of errors is dependent on the accounting period to which the error relates.
An error is a misstatement in financial statements that should not have occurred based on
information available at the time the misstatement occurred. A change in an accounting
estimate, where more information becomes available, is not an error (HKAS 8, Accounting
Policies, Changes in Accounting Estimates and Errors).

If the error is discovered in the current accounting period subject to audit and is material,
it should be adjusted by management so that the financial statements are free from material
misstatement. If management are unwilling to adjust for the error, the auditor would need to
consider the impact this would have on the auditor’s opinion.

If the error discovered relates to prior accounting periods and is material, the comparative
figures for prior periods, or opening balances for the current period, should be restated as
specified in accounting standards. If management are unwilling to adjust for the error, the
auditor would need to consider the impact this would have on the auditor’s opinion, in line
with HKAS 8.

Refer to Section 9.3.6 for further details on Evaluation of Misstatements Identified During
the Audit.

Apply and Analyse 4


Manchu Kang has been assigned the first level of review of the financial statements of
Hung Fu for the year ended 31 December 20X1. Manchu is aware of the complexities of
the financial statements of a bank and the first draft presented to him is lengthy (230
pages). Manchu is also alert to the fact that Quality has a consultation policy that requires
mandatory consultation with the firm’s technical department for financial statements of all
banks and financial institutions.

Analysis

Manchu would need to start the review process as early as possible. It is still likely that his
role would include referencing what he could from the financial statements back into the
audit file. It would also be likely that he would make sure that the balances add up and
cross reference to the note disclosures. Manchu should involve Lau Lam in line with what
was agreed in the audit completion meeting as early as possible, as the disaggregated
quantitative and qualitative disclosures will be significant. The technical department (the
internal experts that Quality have in the areas of financial reporting and audit methodology
that sit outside the audit division) of Quality will also need to be placed on notice in order
that their review and clearance is given at the appropriate time.

9.3.5 Review of Other Published Information


9.3.5.1 Contingent Liabilities and Commitments
HKSA 540 (Revised), Auditing Accounting Estimates and Related Disclosures, is the reference
standard when assessing contingent liabilities as, by their nature, contingent liabilities involve
an accounting estimate in most instances. Commitments may be more straightforward for the
auditor to finalise as they are normally based on contractual obligations.

From a definitional perspective, the following helps the understanding of the difference
between a contingent liability and a commitment.

A contingent liability is an existing liability (actual or asserted) for which the general
recognition criteria for liabilities cannot as yet be met. Confirmation of the liability depends
on the outcome of another uncertain future event (e.g. a ruling in a coming court case).
A contingent liability is disclosed in the notes to the financial statements until the recognition
criteria are met; that is, an outflow of assets becomes probable and the amount of the liability
can be reasonably estimated.

A commitment is an agreement that is equally and proportionately unperformed by the
parties to the agreement. It relates to a future transaction such as the acquisition of property,
plant and equipment, and future outlays for infrastructure for a joint venture. Until one of the
parties performs, the commitments do not meet the definition of a liability.

Information about contingent liabilities and commitments informs users about future cash
flows of the entity.

9.3.5.2 Auditor’s Objectives


Contingent Liabilities
The objective of the auditor is to obtain sufficient appropriate audit evidence about whether
accounting estimates associated with contingent liabilities and related disclosures in the
financial statements are reasonable and in line with HKFRS (value). The other principal objective
is to ensure that all material contingent liabilities have been appropriately identified, measured,
and disclosed in the financial statements (completeness).

Commitments
Similarly, the key objective of the auditor for commitments is to ensure that they are supported
by sufficient appropriate audit evidence about their value and completeness, and that they
have been appropriately identified, measured, and disclosed in the financial statements.

9.3.5.3 Requirements and Procedures


The auditor, as part of understanding the entity and its environment as required by HKSA 315
(Revised 2019), should consider knowledge of the industry and historical and current activities
of the entity to determine the likely contingent liabilities and commitments. The auditor should
also obtain an understanding of how the entity applies HKAS 37, Provisions, Contingent Liabilities
and Contingent Assets, in developing its contingent liability and commitment notes.

The following are examples of audit procedures to determine the completeness and
accuracy of contingent liabilities:

• An external confirmation issued in line with HKSA 505, External Confirmations, to legal
counsel and banks. The types of information the auditor might ask for include:

  ◦ A list and progress report of any pending or imminent litigation to which legal
  counsel has given substantial attention.

  ◦ A list of other claims such as warranties and guarantees, including comment from
  legal counsel on their opinion of probability and HKD outcome.

  ◦ Bank guarantees.

• Examination of the minutes of the board of directors to determine if, for example, any
guarantees have been approved against loans.

• Examination of any environmental reviews and their likely outcomes for the entity.

• Consider industry practices. For example, for mining companies, it is common that
contracts will include ‘make good’ (restoration) clauses, which, as events occur (e.g. as
damage occurs to the relevant environment), the recognition criteria for liabilities could be
met (as the need to restore an asset could become probable and be reliably estimated).

• Product warranty arrangements to determine whether commitments and contingencies
are appropriately recognised.

The following are examples of audit procedures to determine the completeness and
accuracy of commitments:

• Determine the amounts and time allocations for payments under operating leases.
(HKAS 16, Leases, became effective in 2019, which means that operating leases will
be recognised in the balance sheet and cease to be a commitment requiring note
disclosures. Refer to the financial reporting module for further information.)

• Determine whether there are any commitments for capital expenditure contracted for
future periods through discussion with management and review of minutes.

• Determine whether there are any licensing costs subject to commitment.

Illustrative Example 5
The example below illustrates contingent liabilities disclosed in a set of financial
statements.

32 Contingent liabilities

                                        2018      2017
                                        US$m      US$m
Associates and joint ventures (1)      1,588     1,784
Subsidiaries and joint operations (1)  1,915     1,825
Total                                  3,503     3,609

(1) There are a number of matters, for which it is not possible at this time to provide a range of possible
outcomes or a reliable estimate of potential future exposures, and for which no amounts have been included
in the table above.

A contingent liability is a possible obligation arising from past events and whose
existence will be confirmed only by occurrence or non-occurrence of one or more
uncertain future events not wholly within the control of the Group. A contingent liability
may also be a present obligation arising from past events but is not recognised on the
basis that an outflow of economic resources to settle the obligation is not viewed as
probable, or the amount of the obligation cannot be reliably measured.

When the Group has a present obligation, an outflow of economic resources is
assessed as probable and the Group can reliably measure the obligation, a provision is
recognised.

The Group has entered into various counter-indemnities of bank and performance
guarantees related to its own future performance, which are in the normal course of
business. The likelihood of these guarantees being called upon is considered remote.

The Group presently has tax matters, litigation and other claims, for which the timing of
resolution and potential economic outflow are uncertain. Obligations assessed as having
probable future economic outflows capable of reliable measurement are provided
at reporting date and matters assessed as having possible future economic outflows
capable of reliable measurement are included in the total amount of contingent liabilities
above. Individually significant matters, including narrative on potential future exposures
incapable of reliable measurement, are disclosed below, to the extent that disclosure
does not prejudice the Group.

Uncertain tax and royalty matters: The Group is subject to a range of taxes and royalties
across many jurisdictions, the application of which is uncertain in some regards.
Changes in tax law, changes in interpretation of tax law, periodic
challenges and disagreements with tax authorities, and legal
proceedings result in uncertainty of the outcome of the application of
taxes and royalties to our business. Areas of uncertainty at reporting
date include the application of taxes and royalties (including transfer
pricing) to the Group’s cross-border operations and transactions.
Details of uncertain tax and royalty matters have been disclosed in
note 5 ‘Income tax expense’. To the extent uncertain tax and royalty
matters give rise to a contingent liability, an estimate of the potential
liability is included within the table above, where it is capable of reliable
measurement.

Samarco contingent liabilities: The table above includes contingent liabilities related to the
Group’s equity accounting investment in Samarco to the extent they are
capable of reliable measurement. Details of contingent liabilities
related to Samarco are disclosed in note 3 ‘Significant events – Samarco
dam failure’.

Demerger of South32: As part of the demerger of South32 Limited (South32) in May 2015,
certain indemnities were agreed under the Separation Deed. Subject
to certain exceptions, BHP Billiton Limited indemnifies South32 against
claims and liabilities relating to the Group Businesses and former Group
Businesses prior to the demerger and South32 indemnifies the Group
against all claims and liabilities relating to the South32 Businesses
and former South32 Businesses. No material claims have been made
pursuant to the Separation Deed as at 30 June 2018.

Source: BHP Annual Report 2018.

Apply and Analyse 5


It was noted through discussions during the audit completion meeting for the audit of
Hung Fu that the engagement team had identified, through the audit process, a number of
areas that in their belief should result in disclosures of both contingent liabilities and other
commitments.

Analysis

The engagement team, having industry expertise in the financial institutions sector,
anticipated that the Bank would have guarantees and irrevocable letters of credit pledged
as collateral security. The engagement team would need to audit management’s calculations
of these balances in line with HKSA 330, to ensure that the risks associated with this
contingency have been mitigated.

The engagement team, knowing that there are a number of legal matters outstanding,
would need to ensure that the confirmations and dialogue with external legal counsel
satisfied them and that they could conclude that the level of disclosure and the estimation
of the likely monetary outcome was reliable.

9.3.6 Evaluation of Misstatements Identified During the Audit


HKSA 450, Evaluation of Misstatements Identified During the Audit, is the reference standard for
this section. The auditor would normally be assessing misstatements throughout the entire
audit process; however, a final evaluation is critical in completing the audit to determine
whether identified misstatements might have an impact on the auditor’s report.

9.3.6.1 Auditor’s Objectives


The auditor should evaluate:

1. The effect of misstatements, individually or in aggregate, identified during the
audit process, on the financial statements as a whole and

2. The effect of uncorrected misstatements identified on the financial statements
(i.e. misstatements that will not be corrected by management).

By way of definition, HKSA 450 states that a misstatement is ‘A difference between the
reported amounts, classification, presentation, or disclosure of a financial statement item
and the amount, classification, presentation, or disclosure that is required for the item to be in
accordance with the applicable financial reporting framework. Misstatements can arise from
error or fraud.

When the auditor expresses an opinion on whether the financial statements are presented
fairly, in all material respects, or give a true and fair view, misstatements also include those
adjustments of amounts, classifications, presentation, or disclosures that, in the auditor’s
judgement, are necessary for the financial statements to be presented fairly, in all material
respects, or to give a true and fair view.’ (HKSA 450.4(a))

9.3.6.2 Accumulation of Identified Misstatements


Materiality assessed in line with HKSA 320 is key in the consideration of current-year
misstatements. Before concluding on the potential effects of identified misstatements, the
auditor should ensure that the assessment is being completed against the most appropriate
materiality level. The auditor should also be clear on what the clearly trivial level is.

HKSA 450 requires the auditor to accumulate individual misstatements identified during
the audit process, except for amounts that are clearly trivial. The auditor should confirm that all
misstatements have been documented in the ‘one repository’ to ensure completeness for the
evaluation of the misstatements that have been identified.

Illustrative Example 6

Summary of Unadjusted Differences

Performance materiality HK$ XX

Clearly trivial misstatements under HK$ XX will not be recorded.

Description | Assets DR/(CR) | Liabilities (DR)/CR | Equity (DR)/CR | Profit & Loss (DR)/CR | Corrected? | W/P ref.
Total corrected adjusting journal entries | | | | | |
Unrecorded misstatements – factual | | | | | |
Unrecorded misstatements – projected | | | | | |
Unrecorded misstatements – judgemental | | | | | |
Total uncorrected misstatements | | | | | |
Effect of uncorrected misstatements from prior periods | | | | | |
Uncorrected misstatements to be carried forward | | | | | |

The summary here alludes to potentially three types of unrecorded misstatements that
the auditor may need to communicate to management throughout the audit process:

Factual misstatements are those about which there is no doubt. The amount or
disclosure is materially incorrect.

Projected misstatements are the auditor’s best estimate of misstatements in
populations, involving the projection of misstatements identified in audit samples to the
entire population from which the samples were drawn.

Judgemental misstatements are those arising from the judgements taken by
management concerning accounting estimates and/or accounting policies that the auditor
disagrees with. These misstatements can in many cases cause some debate between
management and the auditor.

9.3.6.3 Prior-Year Misstatements


Management may have, with the agreement of the auditor, determined not to correct
misstatements that occurred in one or more prior periods because, in the judgement of the
auditor at the time, the financial statements were not materially misstated.

As noted in the above illustration, the auditor needs to ensure that unadjusted prior-year
misstatements are carried forward and documented in the current period. Should the
auditor determine that the cumulative effect of prior period unadjusted misstatements,
taken with the audited results of the current period, would, if left unadjusted, result in a
material misstatement to the current period financial statements, the auditor would need to
seek to have the relevant adjustment made.

9.3.6.4 Qualitative and Quantitative Considerations for Misstatements


As noted earlier in this section, the level of assessed materiality is central to the quantitative
consideration for misstatements. The auditor is required to determine whether uncorrected
misstatements are material, individually or in the aggregate.

Some misstatements may be evaluated as material, individually or when considered
together with other misstatements accumulated during the audit, even if they are lower than
materiality because of their qualitative nature. For example:

• Misstatements which might affect compliance with regulatory requirements.

• Misstatements that impact on debt covenants.

• Misstatements that hide a change in earnings or other trends.

• Previous communications about forecast earnings to users of the financial statements.

• Misstatements that affect ratios used to evaluate the entity’s financial position, results,
or cash flows, or

• Classification errors.

9.3.6.5 Evaluating the Effect of Uncorrected Misstatements


If the auditor concludes that uncorrected misstatements either individually or in the aggregate
are material, this should be brought to the attention of management and/or those charged
with governance as soon as possible. The auditor shall request that the material uncorrected
misstatements be corrected. If the financial statements are adjusted for the material
misstatements, then the auditor will normally conclude that the auditor’s opinion will not
need to be modified. If, however, the financial statements are not adjusted for the material
misstatements assessed by the auditor, this may affect the auditor’s opinion. This scenario
will generally result in a form of modified auditor’s opinion. (Refer to Chapter 10 for Auditor’s
Reporting.)

Ethics in Practice 2
Before an auditor concludes that there are uncorrected misstatements that are material
to the financial statements and that a modified auditor’s opinion should be issued, the
auditor will normally enter into significant discussion with management and/or those
charged with governance. It is important that the respective views of management and
the auditor are clearly understood.

This discussion can at times result in pressure being placed on the auditor not to issue
a modified auditor’s opinion (this can be applied to all forms of modified auditor’s opinions).
The auditor must stand their ground in order to meet the requirements of the HKSAs,
the HKFRSs, and the Companies Ordinance, where applicable. It is recognised that this can
sometimes be difficult when a client threatens to engage another firm for a second opinion
or threatens to change the auditor after the current audit is complete.

To also meet the ethical principles of integrity, objectivity, professional competence
and due care, and professional behaviour (Sections 111, 112, 113, and 115 of the Code
of Ethics for Professional Accountants (Revised)), the auditor must not be tempted to issue
an unmodified auditor’s opinion in circumstances where a reasonable third party would
conclude that a modified auditor’s opinion should be issued.

9.3.7 Communicating with Those Charged with Governance


HKSA 260 (Revised), Communication with Those Charged with Governance, requires the auditor
to engage in communications with management and/or those charged with governance, as
appropriate, throughout the audit process.

9.3.7.1 Auditor’s Responsibilities


The first consideration is to whom the communication should be directed. HKSA 260 (Revised)
does not specify this exactly, but states that ‘governance is the term used to describe the role
of persons entrusted with the supervision, control and direction of an entity’. This implies that
the communication should be with the highest level of management, including the executive
and non-executive directors, and the audit committee, where relevant. The identity of the
relevant person(s) to whom the communication will be addressed may be clarified in the
engagement letter.

The auditor should aim for an effective two-way communication with those charged with
governance to enable:

• The auditor to communicate clearly with those charged with governance the
responsibilities of the auditor in relation to the audit of the financial statements and
an overview of the planned scope of the audit and the timing of the relevant aspects
of the audit (for example if interim procedures will be undertaken and then when final
procedures will take place).

• The auditor to be assured of obtaining from those charged with governance all the
information relevant to the audit of the financial statements.

• The auditor to provide those charged with governance with timely observations
obtained in relation to the financial statement audit that are significant, including when
a fraud has been uncovered by the auditor.

9.3.7.2 Matters to be Communicated

The auditor should consider the type of issues that should be communicated. HKSA 260
(Revised) provides some guidance as to the matters that ordinarily could be incorporated in the
communication, including:

• The overall approach and scope of the audit, including any limitations on the scope of
the audit.


• The accounting policies, and any changes to them, that could materially affect the
financial statements.

• For listed companies, Key Audit Matters. (Refer to Chapter 10 for further details on Key
Audit Matters.)

• Adjustments arising as a result of audit procedures that could materially impact the
financial statements.

• Material events or uncertainties that could jeopardise the going concern status and that
require disclosure within the financial statements.

• Disagreements with management over accounting treatments or disclosures.

• Any expected modifications to the auditor’s report.

• Material weaknesses discovered in the internal systems and controls.

The communication to those charged with governance should not just contain findings
from the audit but should cover the range of issues related to the audit that the auditor may
want to raise with management. Such matters may include:

• Details of any threats to independence and objectivity, and of any safeguards adopted.

• Explanations of the audit approach used (for example the concept of materiality and its
application to the audit process).

• A summary of business risks identified, including an assessment of the likelihood of the
risks materialising.

• A review of the contents of written representations.

• Recommendations, where relevant, to help improve the entity’s internal systems
and controls.

Apply and Analyse 6


Jiang Ling has noted from the interim audit procedures that Lau Lam documented a
number of issues with one of the digital Banking platforms of Hung Fu. The issues seem to
be a result of the Bank’s strategy to adopt an ‘inside out’ approach, which is not supported
by the internal skills of personnel to support such a strategy. The lack of expertise has
resulted in periods of digital disruption, with customers not being able to access their
financial data.

Analysis

Jiang Ling has determined that the issues noted by Quality in relation to the digital Banking
platforms should be communicated to those charged with governance. Jiang Ling provided
a written report to those charged with governance after the completion of the interim
procedures. Her recommendation was that Hung Fu should consider adopting an ‘outside
in’ approach to digital transformation as digital platforms are constantly changing and the
Bank may be better served with the knowledge and skills of external digital providers to
ensure a reduction in digital disruptions.


9.3.7.3 The Communication Process


The auditor should communicate matters to those charged with governance on a timely basis,
in order for management to react to the matters raised as soon as possible. Findings from the
audit relevant to the accounting and financial reporting function should be communicated
before the approval of the financial statements by management. This means that material
errors can be corrected by management prior to the audit report being issued, thus avoiding a
possible modification to the auditor’s report. HKSA 260 (Revised) discusses the various forms
that the communication should take. In most cases, the communication will be in writing.
HKSA 260 (Revised) requires a communication to be issued even if there are no matters that the
auditor wishes to bring to the attention of those charged with governance. The communication
would state that there are no significant findings from the audit to be communicated. The
communication could be made orally. In this situation, it is important that the auditor has a
written record within the audit working papers of the discussion of significant matters with
management. Whichever method is used to formally communicate the matters, oral or written,
the process should be seen as a two-way dialogue. Management should have the opportunity
to respond to the auditor regarding the matters raised.

The communication with those charged with governance should be viewed as a crucial
reporting ‘output’ of the audit. It allows management to be informed of significant matters
arising from the audit process, and allows management the chance to respond to the
auditor regarding these matters. In understanding this, learning outcome 1.01.09 will have
been achieved.

Knowledge Check Questions

Question 2
List some aspects of an entity’s financial situation that may alert an auditor that there may
be a significant uncertainty in relation to the use of the going concern basis of accounting.

Question 3
Identify which of the following describes when subsequent event audit procedures should
be carried out by the auditor.
A From the year end date until the date the directors sign the financial statements.
B From the auditor’s report date until the directors sign the financial statements.
C From the year end date until the signing of the auditor’s report.
D From the year end date and for the following months until the end of the following
accounting period.

Question 4
Explain the key difference between adjusting and non-adjusting subsequent events.

Question 5
Identify the three key objectives of the auditor in obtaining the written representation
letter from those charged with governance.



Question 6
Identify the minimum that management should include in their written
representation letter.

Question 7
Outline what the auditor should do if concerned about the reliability and completeness of
written representations from management.

Question 8
Summarise what financial statement disclosures would normally be deemed to be
qualitative in nature.

Question 9
Summarise what audit procedures an auditor may undertake to determine completeness
and accuracy of contingent liabilities.

Question 10
List the audit procedures an auditor should consider to determine the completeness and
accuracy of commitments.

Question 11
Explain how the auditor should accumulate misstatements throughout the current year’s
audit process.

Question 12
Describe the three types of unrecorded misstatements that the auditor may need to
communicate to management throughout the audit process.

Question 13
Summarise at least five types of issues that an auditor should communicate to those
charged with governance.

9.4 RELATED PARTIES

For the purpose of this section, HKSA 550, Related Parties, is the relevant audit standard. The
identification and audit of related party transactions has been an area of focus by standard
setters and regulators for some time, as auditors have been inconsistent when applying the
requirements of HKSA 550. Auditors often leave the consideration of related party relationships
and transactions required by HKAS 24, Related Party Disclosures, until the end and consider
them more a disclosure consideration than responding to the risk of material misstatement as
a result of fraud or error.


Related parties can be used to hide transactions that are not at arm’s length, resulting
in fraudulent financial reporting, as highlighted in several major corporate scandals and
collapses, such as Enron. Transactions with related parties can hide the economic substance
of transactions or fraud in companies and the recoverability of related party receivables
or payables.

In any case, the accounting standards require disclosures of related party transactions so
that users can assess whether the entity would be in a comparable and sustainable position
but for their existence.

The audit of related party relationships and transactions can be particularly difficult for
auditors because:

• Related party relationships are not always easy to identify and the auditor has to rely on
management in the identification process.

• Transactions may be hard to find even when the audit testing is targeted.

• The internal controls around related party transactions are often weak, so the auditor is
unlikely to obtain any audit comfort through a test of controls.

Auditors of smaller companies may find it difficult to identify related party relationships
and transactions because management may not understand the significance of related
party transactions to an auditor. This is particularly the case in family run businesses where
transacting with related parties is the norm. It is therefore important for auditors to be
clear about the extent of disclosures required so that they can advise management on their
responsibility to prepare financial statements that comply with HKFRS.

While larger companies and listed companies might have a better understanding of the
importance of disclosing related party relationships and transactions and may have some
relevant controls in place, they may also transact in more complex areas that can be more
difficult for auditors to understand and follow. The structure of, and transactions between, the
related entities of Enron are an excellent example of a group structuring itself in such a way
that the auditors could not understand or trace transactions.

9.4.1 Auditor’s Objectives


The objectives of the auditor are:

1. To obtain an understanding of related party relationships and transactions sufficient
to be able:

a. To recognise fraud risk factors, if any, arising from related party relationships and
transactions that are relevant to the identification and assessment of the risks of
material misstatement due to fraud and

b. To conclude, based on the audit evidence obtained, whether the financial
statements, insofar as they are affected by those relationships and transactions:

(i) Achieve fair presentation (for fair presentation frameworks) or

(ii) Are not misleading (for compliance frameworks).

2. To obtain sufficient appropriate audit evidence about whether related party
relationships and transactions have been appropriately identified, accounted for and
disclosed in the financial statements in accordance with HKFRS.


9.4.2 Definition of a Related Party


A related party is a person or entity that is related to the entity that is preparing its financial
statements (referred to here as the ‘reporting entity’).

1. A person or a close member of that person’s family is related to a reporting entity if
that person:

a. Has control or joint control of the reporting entity;

b. Has significant influence over the reporting entity; or

c. Is a member of the key management personnel of the reporting entity or of a
parent of the reporting entity.

2. An entity is related to a reporting entity if any of the following conditions applies:

a. The entity and the reporting entity are members of the same group (which means
that each parent, subsidiary, and fellow subsidiary is related to the others).

b. One entity is an associate or joint venture of the other entity (or an associate or
joint venture of a member of a group of which the other entity is a member).

c. Both entities are joint ventures of the same third party.

d. One entity is a joint venture of a third entity and the other entity is an associate of
the third entity.

e. The entity is a post-employment benefit plan for the benefit of employees of either
the reporting entity or an entity related to the reporting entity. If the reporting
entity is itself such a plan, the sponsoring employers are also related to the
reporting entity.

f. The entity is controlled or jointly controlled by a person identified in 1.

g. A person identified in 1a has significant influence over the entity or is a member of
the key management personnel of the entity (or of a parent of the entity).

h. The entity, or any member of a group of which it is a part, provides key
management personnel services to the reporting entity or to the parent of the
reporting entity.

A related party transaction is a transfer of resources, services, or obligations between a
reporting entity and a related party, regardless of whether a price is charged.

Close members of the family of a person are those family members who may be expected
to influence, or be influenced by, that person in their dealings with the entity and include:

1. That person’s children and spouse or domestic partner;

2. Children of that person’s spouse or domestic partner; and

3. Dependants of that person or that person’s spouse or domestic partner. (HKAS 24.9)

9.4.3 Risk Assessment Procedures and Related Activities


HKSA 315 (Revised 2019) and HKSA 240, The Auditor’s Responsibilities Relating to Fraud in an Audit
of Financial Statements, set out the framework that the auditor should adopt when obtaining
information relevant to identifying the risk of material misstatements associated with related
party relationships and transactions.

The audit team discussion that HKSA 315 (Revised 2019) and HKSA 240 require shall include
specific consideration of the susceptibility of the financial statements to material misstatement
due to fraud or error that could result from the entity’s related party transactions. All members
of the audit team must be made aware of the identity of related parties.

The auditor should make enquiries with management regarding:

• The identity of the entity’s related parties. Note that related parties can change from
period to period so no assumptions should be made in relation to the identity of related
parties from prior periods;

• The nature of the relationships between the entity and the related parties; and

• Whether the entity entered into any transactions with the related parties during the
period and, if so, the type and purpose of the transactions.

The auditor should also enquire of management and others within the entity to obtain
an understanding of the controls, if any, that management has established to manage the risks
associated with the identity and transactions of related parties.

The auditor shall remain alert during the audit process when inspecting books, records, and
documents that may indicate the existence of related party relationships or transactions that
management had not previously disclosed to the auditor. If management had not previously
disclosed to the auditor the existence of a related party, the auditor will need to consider what
impact, if any, such an identification may have on the overall risk assessment undertaken in line
with HKSA 315 (Revised 2019) and HKSA 240 and the planned responses to the risks identified.

Exhibits 9.3 and 9.4 provide some examples of indicators of the existence of related parties
and difficulties in identifying them.

Characteristics of entities:

• Owner dominance

• Involvement of family members in the business

• Trading with other family businesses

• Use of family contacts in accounting, legal, or other advisors

• Owners with other business interests

• Owner can override controls

Indicators of the existence of related parties and transactions:

• Involvement of family members – identification can be difficult if family names are not the same.

• Under Trust arrangements, Trustees or beneficiaries may not be identified and transactions with
them may not be identified.

• There is usually sensitivity around disclosure of the identity of other businesses that are trading
with the company when they are related, or disclosure of loans by or to the company.

• Purchase or sale of assets or goods that are not at arm’s length.

• Services rendered by family members such as consultancy, design, office lease.

• Purchase of assets or goods surplus to the needs of the entity.

• Loans at nil or significantly reduced rates of interest.

• Provision of unsecured loans.

EXHIBIT 9.3 Characteristics and indicators for smaller and/or owner-managed entities


Characteristics of entities:

• Owner dominance

• Involvement of family members in the business

• Trading with other family businesses

• Use of family contacts in accounting, legal, or other advisors

• Owners with other business interests

• Owner can override controls

Indicators of the existence of related parties and transactions:

• Continuous roll-over of loans with no repayment.

• Lack of documentation supporting loans.

• Significant cash outflows that have been expensed in an unusual manner.

• Overly complex joint venture arrangements, where terms do not make commercial sense.

• Unexplained movement of funds around a group.

• Fictitious employees.

• Management charges between companies that do not make sense.

• Credit card bills used to support purchases without description.

• High levels of entertainment expenses.

• Change of major suppliers with no tender sought and informal documentation.

• Large unexplained discounts being given or received.

• Limited documentation supporting major transactions such as purchase or sale of assets, lease
agreements, plant, and equipment.

• The existence of suspense accounts and contra accounts.

• Difficulty in reconciling intercompany balances.

EXHIBIT 9.4 Characteristics and indicators for larger or more complex entities

HKSA 550 requires auditors to obtain an understanding of related party relationships and
transactions sufficient to be able to recognise and assess the risks of material misstatement
due to fraud.

HKSA 550 also requires that all members of the engagement team understand who the
related parties are at any one client. This knowledge should then be linked to the fraud risks
identified at the client.

Auditors are more exposed by fraud risks relating to undisclosed related party transactions
than by minor disclosure errors in known transactions. All audit engagement staff should
remain alert throughout the audit to the possibility that there are related party transactions
that have not been disclosed by management. If undisclosed related parties are identified on
further investigation, auditors should reconsider their overall risk assessment, update their
audit strategy, and amend their audit procedures accordingly.

9.4.4 Responses to the Risks of Material Misstatement Associated with Related Party Relationships and Transactions

It is important for auditors to understand and evaluate the procedures management has
in place for identifying, properly accounting for, and disclosing related party transactions. If
the auditor has audited the company for a number of years it is likely that understanding in
this area would have accumulated. The risks in a first-year audit would be higher, which may
require a greater level of audit procedures to reduce the risk of material misstatement to an
acceptable level.


HKSA 550 requires that auditors ask management and others in the entity, and perform
other risk assessment procedures as appropriate, to obtain an understanding of the controls, if
any, in place to:

• Identify, account for, and disclose related party relationships and transactions;

• Authorise and approve significant related party transactions and arrangements; and

• Authorise and approve significant transactions and arrangements outside the normal
course of business.

Testing for completeness and existence of related party relationships and transactions
can be difficult, especially when it is discovered that management has not identified such
transactions. HKSA 550 requires that auditors search for unidentified and undisclosed related
party relationships and transactions by, for example:

• Inspecting bank documents;

• Obtaining legal confirmations;

• Reviewing minutes of shareholder and management meetings;

• Reviewing regulatory returns; or

• Reviewing records of the company’s investments, particularly ones that are overseas.

If auditors identify issues suggesting the existence of related party relationships or
transactions that management has not previously identified or disclosed, they need to
investigate these. HKSA 550 specifically requires the auditors to:

• Promptly communicate the information to team members;

• Request that management identify all transactions with the newly identified
related parties;

• Enquire as to why the entity’s controls over related party relationships and transactions
failed to enable the identification or disclosure of the related party relationships or
transactions;

• Perform appropriate substantive audit procedures relating to such newly identified
related parties or significant related party transactions;

• Reconsider the risk that other related parties or significant related party transactions
may exist that management has not previously identified or disclosed to the auditor,
and perform additional audit procedures as necessary; and

• If the non-disclosure by management appears intentional (and therefore indicative of a
risk of material misstatement due to fraud), evaluate the implications for the audit.

These procedures should be performed at both the planning stage and during the
course of the audit and reassessed at the conclusion of the audit. It is important to ask
the right questions, of the right people, and be professionally skeptical at all times. The
term ‘related parties’ is an accounting technical term and may need to be explained to less
experienced clients.

An arm’s-length transaction is an agreement made by two parties freely and independently
of each other, and without some special relationship, such as being a relative, having another
deal on the side, or one party having complete control of the other. It becomes important to
determine if an agreement was freely entered into to show that the price, requirements, and
other conditions were fair and real. It can often be difficult to determine whether transactions
are conducted at arm’s length. Auditors need to consider the bargaining power of each party
and use their judgement, by considering similar transactions or the market price of similar
goods or services. Professional skepticism is a key behavioural trait that is required throughout
the audit process by the entire audit team, but arguably should be heightened in the area of
auditing related parties and related party transactions.

Where auditors identify significant transactions outside the entity’s normal course of
business, they should establish by inquiry whether related parties could be involved. Some
examples might be geologists working to find deposits for the company, external payroll
services owned by persons related to senior people in the company, foreign investment
vehicles, or investment in property not aligned with the core business.

If such significant related party transactions outside the normal course of business
are identified, they should be treated as significant risks. For such transactions, auditors
should inspect the underlying contracts or agreements and evaluate whether there is a true
commercial basis for the transactions (which may otherwise suggest fraud or misappropriation
of assets), understand and document the controls surrounding these transactions, and validate
the accounting treatment of the transactions.

Factors affecting an auditor’s independent assessment of the commercial basis of a
transaction include the complexity of the transaction, whether it has unusual terms, whether
its processing involved a limited number of senior personnel, or whether it involves previously
unidentified related parties. At all times the auditor should be cognisant of the risk of fraud.

Apply and Analyse 7


Hung Fu management had represented to Lau Lam of Quality that the only related party
was a broking business, which had been disclosed in prior period financial statements. Lau
Lam has determined that Hung Fu had made a number of loans to director related entities
during the period subject to audit. Explain what Lau Lam should do.

Analysis

Lau Lam would need to revisit the overall risk assessment process to determine whether
this discovery of information heightens the risk of material misstatement in the financial
statements as a whole. Lau Lam asked management why the related parties and related
party transactions had not been identified to Quality.

• Management represented that they had not considered the effect of the loans as
they had not previously made such loans.

• No further loans have been made other than the ones identified by Quality.

Lau Lam should ask to see the loan agreements to make a determination on whether
the transactions were made at arm’s length.

Lau Lam should further determine whether Quality is satisfied that no further related
parties have been identified and that there are no further transactions.

Financial statement disclosures should also be considered by the Quality audit team to
ensure completeness and accuracy.


9.4.5 Evaluation of the Accounting for and Disclosure of Identified Related Party Relationships and Transactions

The auditor shall conclude on the appropriateness of the accounting for related party
transactions. The identity and transactions should be disclosed in line with HKAS 24 (Revised),
Related Party Disclosures. If the auditor is not satisfied that all related parties have been
identified or that all related party transactions have been identified, then the auditor will
need to assess the likely impact this may have on the auditor’s report.

9.4.6 Written Representations and Documentation


In the auditor’s letter of representation, the auditor shall obtain specific representation that:

1. Management has disclosed to the auditor the identity of the entity’s related parties and
all the related party relationships and transactions of which they are aware and

2. Management has appropriately accounted for and disclosed such relationships and
transactions in accordance with the requirements of the framework.

Auditors are required to document the names of identified related parties and the nature
of the related party relationships in their working papers. This documentation, while required,
is a helpful platform for subsequent audits.

9.4.7 Communication with Those Charged with Governance


It is important for auditors to communicate to management and, where different, those
charged with governance, significant matters relating to related parties that they have identified
during the course of an audit. This might include undisclosed related parties or related party
transactions or disagreements with management over the disclosure of significant related party
transactions.

Unless all of those charged with governance are involved in managing the entity, auditors
should communicate significant matters arising during the audit with those charged with
governance.

Knowledge Check Questions

Question 14
Describe at least six indicators of the existence of related parties and transactions for a
larger entity or group.

Question 15
Identify and explain what substantive audit procedures are to be performed over the
identity of related parties and related party transactions.


9.5 DISCOVERY OF ILLEGAL ACTS OR FRAUD DISCOVERED DURING THE AUDIT

9.5.1 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements

As described in earlier chapters of this module, the auditor has a number of responsibilities
that pertain to the audit in relation to fraud. The reference standard relating to fraud is
HKSA 240, The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements.

If the auditor identifies a misstatement, the auditor shall evaluate whether such a
misstatement is indicative of fraud. If there is such an indication, the auditor shall evaluate
the implications of the misstatement in relation to other aspects of the audit, particularly the
reliability of management representations, recognising that an instance of fraud is unlikely to
be an isolated occurrence.

If the auditor identifies a misstatement, whether material or not, and the auditor has
reason to believe that it is or may be the result of fraud and that management (in particular,
senior management) is involved, the auditor shall re-evaluate the assessment of the risks of
material misstatement due to fraud and its resulting impact on the nature, timing, and extent
of audit procedures to respond to the assessed risks. The auditor shall also consider whether
circumstances or conditions indicate possible collusion involving employees, management, or
third parties when reconsidering the reliability of evidence previously obtained.

If the auditor has identified a fraud or has obtained information that indicates that a fraud
may exist, the auditor shall communicate these matters on a timely basis to the appropriate
level of management in order to inform those with primary responsibility for the prevention
and detection of fraud of matters relevant to their responsibilities.

Unless all of those charged with governance are involved in managing the entity, if the
auditor has identified or suspects fraud involving:

a. Management,

b. Employees who have significant roles in internal control, or

c. Others where the fraud results in a material misstatement in the financial statements,

the auditor shall communicate these matters to those charged with governance on a timely
basis. If the auditor suspects fraud involving management, the auditor shall communicate these
suspicions to those charged with governance and discuss with them the nature, timing, and
extent of audit procedures necessary to complete the audit.

The auditor shall communicate with those charged with governance any other matters
related to fraud or illegal acts that are, in the auditor’s judgement, relevant to their
responsibilities.

If the auditor confirms that, or is unable to conclude whether, the financial statements are
materially misstated as a result of fraud, the auditor shall evaluate the implications for the
audit and the potential auditor’s report that should be issued.


9.5.2 Consideration of Laws and Regulations in an Audit of Financial Statements

With the changes to the Code of Ethics for Professional Accountants (COE) issued by HKICPA, the
auditor’s responsibilities in relation to the identification and reporting against non-compliance
with laws and regulations (NOCLAR) have changed. Previously the overarching responsibility
in relation to confidentiality made it very difficult for auditors to determine whether or not to
report NOCLAR to a relevant authority.

Section 260 of COE sets out the following responsibilities of auditors:

• If an auditor of financial statements becomes aware of information concerning NOCLAR
or suspected NOCLAR, the auditor shall obtain an understanding of the matter. This
understanding shall include the nature of the NOCLAR or suspected NOCLAR and the
circumstances in which it has occurred or might occur.

• In discussing a NOCLAR or suspected NOCLAR with management and, where
appropriate, those charged with governance, the auditor shall advise them to take
appropriate and timely actions, if they have not already done so, to:

a. Rectify, remediate, or mitigate the consequences of the NOCLAR;

b. Deter the commission of the NOCLAR where it has not yet occurred; or

c. Disclose the matter to an appropriate authority where required by law or regulation
or where considered necessary in the public interest.

• The auditor shall consider whether management and those charged with governance
understand their legal or regulatory responsibilities with respect to the NOCLAR or
suspected NOCLAR.

• The auditor shall comply with applicable:

a. Laws and regulations, including legal or regulatory provisions governing the
reporting of NOCLAR or suspected NOCLAR to an appropriate authority and

b. Requirements under Auditing and Assurance Standards, including those relating to:

(i) Identifying and responding to NOCLAR, including fraud.

(ii) Communicating with those charged with governance.

(iii) Considering the implications of the NOCLAR or suspected NOCLAR for the
auditor’s report.

• The auditor shall assess the appropriateness of the response of management and,
where applicable, those charged with governance.

• The auditor shall exercise professional judgement in determining the need for, and
nature and extent of, further action. In making this determination, the auditor shall take
into account whether a reasonable and informed third party would be likely to conclude
that the auditor has acted appropriately in the public interest.

• If the auditor determines that disclosure of the NOCLAR or suspected NOCLAR to an
appropriate authority is an appropriate course of action in the circumstances, that
disclosure is permitted. When making such a disclosure, the auditor shall act in good
faith and exercise caution when making statements and assertions. The auditor shall
also consider whether it is appropriate to inform the client of their intentions before
disclosing the matter.

Having met all of the responsibilities outlined above, the auditor will need to determine
what impact a NOCLAR or suspected NOCLAR might have on the auditor’s opinion, and
whether they should continue as the auditor of the company or group.

It should be noted that the obvious NOCLAR or suspected NOCLAR is likely to relate
to laws and regulations that are more observable to an auditor when undertaking a financial
statement audit. An auditor is not expected to search for NOCLAR outside the work of
undertaking the financial statement audit.

Knowledge Check Questions

Question 16
Explain what you would recommend the auditor to do when conducting the audit of the
financial statements of a major retailer and discovering that a service assistant had stolen
HK$1,000 from the cash takings, which is immaterial for the financial statements.


SUMMARY

This chapter has set out various requirements of auditors during the completion phase of the
audit. The completion phase should be viewed as bringing all previous activities of the auditors
to a conclusion with the ultimate output being the auditor’s report.

Taking a step back and taking a final overall look at what has been collected in terms of
sufficient appropriate audit evidence to support an auditor’s opinion is critical. In this chapter
the following headlines have been explored in detail.

• Audit Completion

• Going Concern

• Subsequent Events

• Written Representations

• Overall Audit of the Financial Statements

• Evaluation of Misstatements Identified During the Audit

• Communicating with Those Charged with Governance

• Related Parties

The auditor must be satisfied that the risk that a material misstatement exists after audit
completion has been minimised to an acceptable level.

As has been demonstrated in this chapter, what happens with an auditee can extend
past the period and date and even after an auditor’s opinion has been signed. Professional
scepticism on the part of the auditor never really ceases.


MIND MAP
MAJOR ACTIONS DURING THE AUDIT COMPLETION (central topic)

AUDIT COMPLETION
Sufficient Appropriate Audit Evidence
• How much is enough
• Quality of evidence obtained

PLAN THE PROCEDURES TO BE CONDUCTED AT THE COMPLETION OF THE AUDIT
Not a discrete and separate part of the overall audit
Subject to change dependent on unforeseen circumstances

EXPLAIN THE PURPOSE OF AND PROCEDURES TO BE USED DURING AUDIT COMPLETION
A Going Concern review
• Factors that may indicate going concern issue
• How management assessed going concern
• Implication for auditor’s report
A Subsequent Events Review
• Two types
• Three key phases
Obtaining Written Representations for Management
• Requirements of representation letter
Overall Audit of Financial Statements
• Completeness of disclosures
• Accuracy of disclosures
• Final analytical procedures
Review of other published information
• Contingent Liabilities and Commitments
- Identification of factors
- Values attributable
- Adequate disclosures
Evaluation of Misstatement Identified during the Audit
• Current year misstatements
• Summary of misstatements
• Impact of uncorrected misstatements
Communicating with Those Charged with Governance
• Audit matters of governance interest
• Communication mechanisms

RELATED PARTIES
Auditor’s objectives
Definition of a Related Party
Risk Assessment procedures and Related Activities
Responses to the Risks of Material Misstatement Associated with Related Party
Relationships and Transactions
Evaluation of the Accounting for and Disclosure of identified Related Party
Relationships and Transactions
Written Representations and Documentation
Communication with Those Charged with Governance

DISCOVERY OF ILLEGAL ACTS OR FRAUD DISCOVERED DURING THE AUDIT
The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements
Consideration of Laws and Regulations in an Audit of Financial Statements


Answers to Knowledge Check Questions

Question 1
The answer should cover:
Source of evidence – external. Externally and independently derived audit evidence, in
most cases, has a greater level of credibility and effectiveness than internally generated
evidence. This evidence usually takes the form of confirmations, expert reports, analysts’
reports, and benchmarking data. These sources will either act as primary evidence or serve
to corroborate management’s assertions.
Source of evidence – internal. Audit evidence derived from the entity’s accounting
records and its controls. Inter-relationships between internally sourced data can provide a
degree of corroboration.
How the audit evidence was obtained and evaluated – inspection, observation,
recalculation, re-performance, analytical procedures, and inquiry can be applied, as
appropriate, to the circumstances.
Relevance to the risks and assertions being audited – logical connection needs to be
achieved between the evidence gathered and the risks and assertions being considered.


Question 2
Factors include:
Financial:
• Current liabilities exceed current assets.
• Total liabilities exceeding total assets.
• Total cash-outflows from operating activities.
• Current and historical operating losses.
• Cash on delivery terms commenced by creditors.
• Unusual financing arrangements (usually sourced from offshore countries that have
questionable tax regimes).
• Significant legal costs and pending cases.
• Bank covenant breaches.
Operational:
• Long lead times on sales of both current and non-current assets.
• Significant amount of debt due and payable.
• Creditor days extending dramatically.
• Supply chain issues.
• Increase in competition.
• Loss of major customers.
Other:
• Recent economic or environmental disasters.
• Changes in laws and regulation.
• Non-insurable events occur.

Question 3
Answer A is incorrect. The auditor’s responsibility in terms of audit procedures only
extends to the date of the auditor’s report for the current accounting period.
Answer B is incorrect. The auditor’s responsibility in terms of audit procedures only
extends to the date of the auditor’s report for the current accounting period.
Answer C is correct. The auditor’s responsibility in terms of audit procedures only extends
to the date of the auditor’s report for the current accounting period.
Answer D is incorrect. The auditor’s responsibility in terms of audit procedures only
extends to the date of the auditor’s report for the current accounting period.

Question 4
Adjusting events are those that provide further evidence of conditions that existed at the end
of the financial period and require the financial statements to be adjusted.
Non-adjusting events are those that provide evidence of conditions that arose after the end
of the financial period and, while not adjusted, are acknowledged by way of note disclosure.


Question 5
The three key objectives are:
• To obtain written representations from management and, where appropriate, those
charged with governance that they believe that they have fulfilled their responsibility
for the preparation of the financial statements and for the completeness of the
information provided to the auditor.
• To support other audit evidence relevant to the financial statements or specific
assertions in the financial statements by means of written representations, if
determined by the auditor or required by other HKSAs.
• To respond appropriately to written representations provided by management
and, where appropriate, those charged with governance, or if management or,
where appropriate, those charged with governance do not provide the written
representations requested by the auditor.

Question 6
At a minimum the following should be included in the written representation letter:
• Management’s acknowledgment of its responsibility for the proper preparation
of the financial statements in accordance with the Hong Kong Financial Reporting
Standards.
• The availability of books and records.
• The completeness and availability of all minutes of meetings of directors and
associated board committees.
• Management assurance that it has made available all letters from regulatory
agencies concerning non-compliance with, or deficiencies in, financial reporting
practices.
• Management’s assurance that there are no unrecorded transactions.
• Management’s acknowledgement of its responsibility for the design and
implementation of controls and for the system of financial controls.
• Management assurance that it has disclosed all liens and other encumbrances on
its assets.
• Management’s assurance that all material transactions have been
appropriately recorded.
• Significant assumptions used by us in making accounting estimates, including those
measured at fair value, are reasonable (HKSA 540 (Revised)).
• Related party relationships and transactions have been appropriately accounted for
and disclosed in accordance with the requirements of Hong Kong Financial Reporting
Standards (HKSA 550).
• All events subsequent to the date of the financial statements and for which Hong
Kong Financial Reporting Standards require adjustment or disclosure have been
adjusted or disclosed (HKSA 560).
• The effects of uncorrected misstatements are immaterial, both individually and
in the aggregate, to the financial statements as a whole. A list of the uncorrected
misstatements is attached to the representation letter (HKSA 450).
• Any other matters that the auditor may consider appropriate.


Question 7
Answer should include discussion on:
In the case of identified inconsistencies between one or more written representations and
audit evidence obtained from other sources, the auditor should consider whether the risk
assessment remains appropriate and, if not, revise the risk assessment and determine the
nature, timing, and extent of further audit procedures that might be required to respond
to the assessed risks.
Concerns about the competence, integrity, ethical values, or diligence of management,
or about its commitment to or enforcement of these, may cause the auditor to conclude
that the risk of management misrepresentation in the financial statements is such that an
audit cannot be conducted. In such a case, the auditor may consider withdrawing from the
engagement, where withdrawal is possible under applicable law or regulation, unless those
charged with governance put in place appropriate corrective measures. Such measures,
however, may not be sufficient to enable the auditor to issue an unmodified audit opinion.

Question 8
Disclosures of information that would be deemed qualitative in nature are:
• Descriptions of significant accounting policies and critical accounting estimates,
including note disclosure when there has been any change in accounting policies or
critical accounting estimates.
• Information about the identity of related parties.
• Description of the basis for impairment losses recognised in the financial statements.
• Information about application of the going concern assumption when appropriate.
• Information about the circumstances leading to contingent liability disclosures.
Judgement is needed to help determine whether qualitative disclosures are material
or not.

Question 9
The audit procedures to determine completeness and accuracy of contingent liabilities
should include the following:
• An external confirmation issued in line with HKSA 505, External Confirmations, to legal
counsel and banks. The types of information the auditor might ask for include:
◦ A list and progress report of any pending or imminent litigation to which legal
counsel has given substantial attention.
◦ A list of other claims such as warranties and guarantees, including comment
from legal counsel on their opinion of probability and HK$ outcome.
◦ Bank guarantees.

• Examination of the minutes of the board of directors to determine if, for example,
any guarantees have been approved against loans.
• Examination of any environmental reviews and their likely outcomes for the entity.
• Consider industry practices. For example, for mining companies, it is common that
contracts will include ‘make good’ (restoration) clauses, which, as events occur
(e.g. as damage occurs to the relevant environment), the recognition criteria for
liabilities could be met (as the need to restore an asset could become probable and
be reliably estimated).
• Product warranty arrangements to determine whether commitments and
contingencies are appropriately recognised.

Question 10
The following are examples of audit procedures to determine the completeness and
accuracy of commitments:
Determine the amounts and time allocations for payments under operating leases. (HKAS
16, Leases, becomes effective in 2019, which means that operating leases will be recognised
in the balance sheet and cease to be a commitment requiring note disclosures. Refer to
the financial reporting module for further information.)
Determine whether there are any commitments for capital expenditure contracted for
future periods through discussion with management and review of minutes.
Determine whether there are any licensing costs subject to commitment.

Question 11
The auditor should do the following:
• Reference materiality levels.
• Misstatements should be accumulated by each member of the audit team that
identifies a misstatement to a central repository, unless clearly trivial.
• Reviewers of working papers should ensure that, if a misstatement has been
identified, it has been cleared to a central repository.
• Any such misstatements should be accumulated up until the date of the
auditor’s report.

Question 12
The three types of unrecorded misstatements that the auditor may need to communicate
to management throughout the audit process are:
Factual misstatements are those about which there is no doubt. The amount or
disclosure is materially incorrect.
Projected misstatements are the auditor’s best estimate of misstatements in
populations, involving the projection of misstatements identified in audit samples to
the entire population from which the samples were drawn.
Judgemental misstatements are those arising from the judgements taken by
management concerning accounting estimates and/or accounting policies that the
auditor disagrees with. These misstatements can in many cases cause some debate
between management and the auditor.

Question 13
Any five of the following would be an appropriate answer:
• The overall approach and scope of the audit, including any limitations on the scope
of the audit.
• The accounting policies, and any changes to them, that could materially affect the
financial statements.


• For listed companies, Key Audit Matters. (Refer to Chapter 10 for further details on
Key Audit Matters.)
• Adjustments arising as a result of audit procedures that could materially impact the
financial statements.
• Material events or uncertainties that could jeopardise the going concern status and
that require disclosure within the financial statements.
• Disagreements with management over accounting treatments or disclosures.
• Any expected modifications to the auditor’s report.
• Material weaknesses discovered in the internal systems and controls.

Question 14
The answer should include any six of the following:
• Continuous roll-over of loans with no repayment.
• Lack of documentation supporting loans.
• Significant cash outflows that have been expensed in an unusual manner.
• Overly complex joint venture arrangements, where terms do not make
commercial sense.
• Unexplained movement of funds around a group.
• Fictitious employees.
• Management charges between companies that do not make sense.
• Credit card bills used to support purchases without description.
• High levels of entertainment expenses.
• Change of major suppliers with no tender sought and informal documentation.
• Large unexplained discounts being given or received.
• Limited documentation supporting major transactions such as the purchase or sale
of assets, lease agreements, plant, and equipment.
• The existence of suspense accounts, contra accounts.
• Difficulty in reconciling inter-company balances.

Question 15
Perform appropriate substantive audit procedures, such as:
• Ask about the entity’s relationships with identified related parties, including, where
appropriate, inquiring of parties outside the entity, such as solicitors, agents and
representatives, guarantors, or other close business partners;
• Analyse accounting records for transactions with identified related parties;
• Verify the terms and conditions of the identified transactions and evaluate
whether they have been appropriately accounted for and disclosed; and
• Reconsider the risk that further unidentified or undisclosed relationships or
transactions exist and, if the non-disclosure appears intentional, evaluate the
implications for the audit.


Question 16
The auditor should:
• Discuss the matter with an appropriate level of management of the entity.
• Determine why the controls of the entity failed.
• Consider the implications of the defalcation for other aspects of the audit or be
satisfied that, in view of the perpetrator of the fraud, there are no implications for
other areas of the audit.
• Ensure that the matter is reported to those charged with governance.

EXAM PRACTICE

QUESTION 1
Market Limited is a non-listed company that runs a daytime market every day of the week,
except during the Lunar New Year, on Hong Kong Island. During the current year’s audit you
have become aware that store holders have not been declaring sales at the appropriate level
for the purpose of paying rent and you have also discovered that Market Limited has been
illegally dumping huge amounts of waste into the harbour.
(a) Identify what the audit engagement team needs to focus their audit effort on in respect
of the potential under-receipt of rent.

(b) Explain what responsibilities the audit team have in relation to the illegal activities of
the audit client.

QUESTION 2
Events Company has for many years been the pre-eminent events management company
in Hong Kong, Macau, and Singapore. Its name has been behind all of the top events and
it has also been the company used by all of the wealthy families. The Company has a large
distribution centre where all its events furniture and equipment and trucks are housed.
Next to the distribution centre is the catering facility. The Company also has its own jet to
ensure clients’ demands are met on a timely basis. With its rapid growth over the last three
years and heavy investment into infrastructure, the Events Company has a large outstanding
debt with a major bank. During the planning phase of the current period’s audit, the audit
team becomes aware of a scandal where the Events Company has disclosed confidential
client information, which has resulted in future clients cancelling major events. As the audit
proceeds the auditor becomes aware of the increasing number of cancellations. Explain
what steps the auditor should take in determining whether there is a going concern issue.

QUESTION 3
Describe at least eight matters that may be of interest to those charged with governance
and therefore should be communicated during the audit process.

QUESTION 4
Aussie Limited is a 100% owned significant subsidiary of Hong Kong Fruits. Hong Kong Fruits
has a year end of 31 December. Hong Kong Fruits sources all of its tomatoes and bananas
from Aussie Limited and has invested heavily in infrastructure. On 15 January after the
current year end, Aussie Limited’s stock and infrastructure were completely destroyed by
terrible bushfires. Given this event, what should the auditor of Hong Kong Fruits consider?

QUESTION 5
The following procedures have been carried out by an engagement senior with regard
to the audit of the obsolescence provision of an electronics retailer, which sources all its
inventory from external suppliers and has 8,000 different stock keeping units (SKUs). The
amount of obsolescence provision is material to the Statement of Financial Position.

Evaluate whether the senior has obtained sufficient appropriate audit evidence in line
with the requirements of HKSA to form a conclusion and, if you do not believe that sufficient
appropriate audit evidence has been obtained, recommend what other further procedures
should be conducted before the completion of the audit.

                                         2020             2019
                                          HK$              HK$
Inventory – Finished goods        222,000,000      170,000,000
Inventory – Goods in transit       15,000,000        5,000,000
Provision for obsolescence          5,200,000        6,500,000
Carrying value of inventory       231,800,000      168,500,000

Overall materiality is set at HK$5,400,000 and performance materiality at HK$3,500,000.


The audit senior has:

(a) Assessed that the risk in relation to valuation of inventory is high.

(b) Determined that a fully substantive audit approach would be adopted.

(c) Conducted a high-level analysis on the movement in inventory levels and the level
of provision and concluded that the movements look to be in line with the general
understanding of the business and the fact that the buyers purchased more inventory
this year because of a likely decline in the HK$ and the need to service expected sales
campaigns.

(d) On the basis of the analysis performed, it was determined that the senior would
conduct tests of detail by doing the following procedures as the inherent risk in his view
had dropped to medium:

(i) Picking a limited random sample of 30 items from the inventory listing and testing
the cost back to the purchase invoice and testing the cost against the sales price
at year end.

(ii) Determining, using the same sample, whether the ageing of the inventory
was correct.
(iii) Conducting a reasonableness analysis by applying the client’s provision percentages
against the age categories to determine if there were any differences.

On the basis of the audit work performed, it was concluded that ‘there were no exceptions
noted’.

(e) This can be interpreted to mean that the obsolescence provision was correctly stated.

(f) The view was formed that no further audit procedure is required to deal with inventory
obsolescence.


ANSWERS TO EXAM PRACTICE

QUESTION 1
(a) The auditor shall evaluate whether such a misstatement is indicative of fraud. If there
is such an indication, the auditor shall evaluate the implications of the misstatement
in relation to other aspects of the audit, particularly the reliability of management
representations, recognising that an instance of fraud is unlikely to be an isolated
occurrence.

If the auditor identifies a misstatement, whether material or not, and the auditor
has reason to believe that it is or may be the result of fraud and that management
(in particular, senior management) is involved, the auditor shall re-evaluate the
assessment of the risks of material misstatement due to fraud and its resulting impact
on the nature, timing, and extent of audit procedures to respond to the assessed risks.
The auditor shall also consider whether circumstances or conditions indicate possible
collusion involving employees, management, or third parties when reconsidering the
reliability of evidence previously obtained. This is unlikely in this case, given that
the fraud is being perpetrated by the stall holders.

If the auditor has identified a fraud or has obtained information that indicates that
a fraud may exist, the auditor shall communicate these matters on a timely basis to the
appropriate level of management in order to inform those with primary responsibility
for the prevention and detection of fraud of matters relevant to their responsibilities.

Unless all of those charged with governance are involved in managing the
entity, if the auditor has identified or suspects fraud involving:

(i) Management,

(ii) Employees who have significant roles in internal control, or

(iii) Others where the fraud results in a material misstatement in the financial
statements,

the auditor shall communicate these matters to those charged with governance
on a timely basis. If the auditor suspects fraud involving management, the auditor shall
communicate these suspicions to those charged with governance and discuss with them
the nature, timing, and extent of audit procedures necessary to complete the audit.

The auditor shall communicate with those charged with governance any other
matters related to fraud or illegal acts that are, in the auditor’s judgement, relevant to
their responsibilities.

If the auditor confirms that, or is unable to conclude whether, the financial
statements are materially misstated as a result of fraud, the auditor shall evaluate the
implications for the audit and the potential auditor’s report that should be issued.

(b) Section 260 of the Code of Ethics sets out the following responsibilities of auditors:

• If an auditor of financial statements becomes aware of information concerning
non-compliance with laws and regulations (NOCLAR) or suspected NOCLAR, the auditor
shall obtain an understanding of the matter. This understanding shall include the
nature of the NOCLAR or suspected NOCLAR and the circumstances in which it has
occurred or might occur.


• In discussing a NOCLAR or suspected NOCLAR with management and, where
appropriate, those charged with governance, the auditor shall advise them to take
appropriate and timely actions, if they have not already done so, to:

(i) Rectify, remediate or mitigate the consequences of the NOCLAR;

(ii) Deter the commission of the NOCLAR where it has not yet occurred; or

(iii) Disclose the matter to an appropriate authority where required by law or
regulation or where considered necessary in the public interest.

• The auditor shall consider whether management and those charged with
governance understand their legal or regulatory responsibilities with respect to the
NOCLAR or suspected NOCLAR.

• The auditor shall comply with applicable:

(i) Laws and regulations, including legal or regulatory provisions governing the
reporting of NOCLAR or suspected NOCLAR to an appropriate authority and

(ii) Requirements under Auditing and Assurance Standards, including those
relating to:

◦ Identifying and responding to NOCLAR, including fraud.

◦ Communicating with those charged with governance.

◦ Considering the implications of the NOCLAR or suspected NOCLAR for the
auditor’s report.

• The auditor shall assess the appropriateness of the response of management and,
where applicable, those charged with governance.

• The auditor shall exercise professional judgement in determining the need for, and
nature and extent of, further action. In making this determination, the auditor shall
take into account whether a reasonable and informed third party would be likely to
conclude that the auditor has acted appropriately in the public interest.

• If the auditor determines that disclosure of the NOCLAR or suspected NOCLAR to an
appropriate authority is an appropriate course of action in the circumstances, that
disclosure is permitted. When making such disclosure, the auditor shall act in good
faith and exercise caution when making statements and assertions. The auditor
shall also consider whether it is appropriate to inform the client of their intentions
before disclosing the matter.

Having met all of the responsibilities outlined above, the auditor will need to determine
what impact a NOCLAR or suspected NOCLAR might have on the auditor’s opinion and
whether they should continue as the auditor of the company or group.

QUESTION 2
The answer should include the following:

• Audit of budgets and forecasts for sales revenue, expenses, with a detailed analysis of
the underlying assumptions and appropriateness of their use. This should obviously
be a recast of the original budgets and forecasts given the cancellation of many events
by clients.


• Understand the plans to minimise the costs until revenue growth can be obtained.

• Management plans and minutes supporting changes to operating strategies and plans
to mitigate the loss of clients.

• Where creditors or financiers give written agreement that they will not call back
what is owed to them for at least 12 months from the date of the financial statements,
confirm that this is financially viable.

• Obtain proof of support from related parties that they can underwrite any payments
of debts as and when they fall due for 12 months from the date of the financial
statements.

• Understand what further funding from creditable financiers could be obtained.

• Determine whether there are any implications for the auditor’s report.

QUESTION 3
The eight matters should include the following:

• The overall approach and scope of the audit, including any limitations on the scope of
the audit.

• The accounting policies, and any changes to them, that could materially affect the
financial statements.

• For listed companies, Key Audit Matters.

• Adjustments arising as a result of audit procedures that could materially impact the
financial statements.

• Material events or uncertainties that could jeopardise the going concern status and that
require disclosure within the financial statements.

• Disagreements with management over accounting treatments or disclosures.

• Any expected modifications to the auditor’s report.

• Material weaknesses discovered in the internal systems and controls.

• Details of any threats to independence and objectivity, and of any safeguards adopted.

• Explanations of the audit approach used (for example, the concept of materiality and its
application to the audit process).

• A summary of business risks identified, including an assessment of the likelihood of the
risks materialising.

• A review of the contents of written representations.

• Recommendations, where relevant, to help improve the entity’s internal systems
and controls.

QUESTION 4
This is a subsequent event occurring between the date of the financial statements and the
date of the auditor’s report:

The auditor needs to refer to their initial risk assessment undertaken under the
requirements of HKSA 315 (Revised 2019), and updated as appropriate throughout the audit
process, to determine the appropriate extent of additional audit procedures that need to be
undertaken. It is important to note that audit procedures undertaken should be completed
as close to the date of the auditor’s report as possible. The procedures may include:

• Gaining an understanding of how management has identified and assessed the
significance of the subsequent events and the reasonableness of the assumptions used
by management in drawing their conclusions;

• Enquiring of management and potentially the Board to establish the extent of the
financial impact on the entity;

• Determining the impact on the entity’s financial statements;

• Reviewing trial balances produced after the period end;

• Contacting legal counsel to determine whether anything has come to their attention
since sending their written confirmation. (Note that often regulators expect, although
this is not written in law or the auditing standards, that such a follow-up should be
made a maximum of seven days before the date of the auditor’s opinion.)

This is definitely a non-adjusting event so extensive note disclosures would be required.
If such a note disclosure in the view of the auditor is not sufficient then the auditor would
need to consider the potential impact that fact may have on the auditor’s opinion.

QUESTION 5
Sufficient appropriate audit evidence has not been obtained, nor have the requirements
of auditing standards been followed.

Recommendations should include all of the following:

1. Given that the risk around the obsolescence provision was assessed as high, there are
requirements in HKSA 315 (Revised 2019) and HKSA 330 that the auditor should at the
very least understand the controls management have in place over its obsolescence
provisioning and document those controls. If the controls are to be tested then they
should be tested annually.

2. A high-level fluctuation analysis would not provide any audit comfort, as it is not
analytical by nature and does not meet the requirements of HKSA 520.

3. The limited level of audit sampling and the method for selecting items would appear
to be questionable as there are over 8,000 SKUs and this sample is the sole basis on
which the conclusion is being drawn on whether the inventory obsolescence provision
is materially correct.

4. The auditor should check that, subsequent to year end, the selling prices on
the items that were subject to audit sampling have not decreased (as decreases would
indicate an issue with NRV and thus the level of provision).

The auditor has not looked at the months’ cover of inventory (how many months of
sales could be met by the current levels of inventory by SKU), which is an essential basis
for determining the reasonability of the provision in the retail sector in particular. If, on
average, inventory has in the past been turned over x times per year, the senior should
have checked whether the turnover slowed down in the current period. If so, this might
suggest that the inventory is not realisable at an amount in excess of the carrying
amount and that a write-down might be required. This should then be compared
to management’s assessment of the levels to determine whether a material
difference exists.

5. The auditor has not made any assessment of the reasonability of the management’s
percentages applied as the basis for provision. HKSA 540 (Revised) requires an auditor,
when auditing an accounting estimate, which is what an obsolescence provision
is, to test the underlying assumptions and point estimates by management and to
stand back and conduct sensitivities on those assumptions and estimates to form an
independent view.

6. The auditor has not conducted an actual loss assessment on sales for the current year.
This would involve taking particular items of stock and comparing sales prices achieved
with the carrying amounts at the year end. To undertake this audit procedure would
assist the auditor in determining whether the percentages applied by management as
the basis for provision are appropriate.

7. After having conducted all of the above additional procedures the auditor will need to
consider the results of the testing against the level of performance materiality, whether
an adjustment is needed to the summary of unadjusted differences, any post balance
date events, and any perceived impacts to the auditor’s opinion.

8. Inventory obsolescence would need to be addressed in the management
representation letter.

9. The auditor needs to consider whether any issues should be communicated to those
charged with governance.



10
Auditor’s Reporting

CHAPTER TOPIC LIST

10.1 Auditor’s Objectives
  10.1.1 Importance of the Auditor’s Report
  10.1.2 Implications of Materiality for the Auditor’s Opinion
10.2 Components of an Auditor’s Report
  10.2.1 Title of Auditor’s Report
  10.2.2 Addressee
  10.2.3 Auditor’s Opinion
  10.2.4 Basis for Opinion
  10.2.5 Key Audit Matters
  10.2.6 Other Information
  10.2.7 Responsibilities of Directors and Those Charged with Governance
  10.2.8 Auditor’s Responsibilities for the Audit of the Financial Statements
  10.2.9 Report on Other Legal and Regulatory Requirements
10.3 Auditor’s Report Requirements
10.4 Form of Opinion
  10.4.1 Unmodified Opinion
  10.4.2 Modified Opinion
10.5 Modified Opinions
  10.5.1 Qualified Opinion
  10.5.2 Adverse Opinion
  10.5.3 Disclaimer of Opinion
10.6 Additional Communications in the Auditor’s Report
  10.6.1 Key Audit Matters (‘KAMs’)
  10.6.2 Other Information
  10.6.3 Material Uncertainty Related to a Going Concern
  10.6.4 Emphasis of Matter Paragraph
  10.6.5 Other Matter Paragraph
10.7 Auditor Reporting on Opening Balances
  10.7.1 First Year Audit for the Existing Auditor
  10.7.2 Prior Period Auditor’s Report Modifications to Be Assessed by Existing Auditor
10.8 Review Opinions for Interim Financial Statements
  10.8.1 Reporting the Nature, Extent, and Results of the Review of Interim Financial Information
  10.8.2 Differences between an Auditor’s Opinion and an Auditor’s Conclusion
10.9 Auditor Reporting on Special Purpose Frameworks
  10.9.1 Auditor’s Report Format in Line with HKSA 800 (Revised)
  10.9.2 Auditor’s Report Format on Other Than Complete Financial Statements
10.10 Auditor’s Reporting on Small- and Medium-sized Entities
  10.10.1 Auditor’s Report


LEARNING OUTCOMES

PRINCIPAL LO1: PERFORM ASSURANCE ENGAGEMENTS

LO1.13: Prepare, plan, and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Management,
Auditing, Assurance and Related Services, guidance, and legislation with emphasis on:
Reporting
1.13.03 Analyse the format and content of modified and unmodified auditor’s report
1.13.04 Recommend an appropriate audit opinion based on the audit evidence collected
1.13.05 Prepare final reports for the audit


OPENING CASE

CWAVES FERRY HOLDING COMPANY LIMITED

This case study is the basis for illustration in the rest of this chapter.

CWaves Ferry Holding Company Limited (CWaves) is a publicly listed company on the
Hong Kong Stock Exchange (HKEx) and operates ferry services in Hong Kong Harbour, Sok
Kwu Wan, Shenzhen, and Macau. CWaves has a 31 December year end and has 10 wholly
owned subsidiaries, which it must consolidate for the purpose of reporting under Cap.622,
Section 379(2) of the Companies Ordinance and HKFRS 10, Consolidated Financial Statements.
The CWaves group has significant investments in buildings, godowns, port infrastructure, travel
agencies, and hotels.

Chloe Cheng is a newly appointed independent non-executive director of CWaves. She is
concerned about the possible audit reporting outcomes for the coming year end audit cycle.
CWaves must lodge its financial report under its annual filing obligations; however, on top of
this, CWaves must also provide on an annual basis audited financial statements prepared under
the Hong Kong Financial Reporting Standards (HKFRSs) for its eight material subsidiaries for its
off-shore banks by way of the banking agreements. The banking arrangements entered require
audited financial statements to be forwarded to the banks five months after each year end.

Chloe Cheng is concerned about the level of key audit matters that might be disclosed
in the auditor’s report of CWaves’ consolidated financial statements, given the complexity
surrounding the accounting for some of the group’s non-current assets and its share-based
payments to directors. She is also concerned about what effect this might have on the share price
of CWaves. She is also concerned about the carry-over effects of prior period qualifications
relating to impairments against goodwill.

The auditor’s reports for some of the material subsidiaries are also concerning Chloe Cheng
for the following key reasons:

1. CWaves Hotels has suffered losses for the last three years and the level of external
debt has increased substantially over the last two years. Also, there have been net
cash outflows from operating activities in those years. There are no cross guarantees
between this company and other companies in the CWaves group.

2. Wonder Travel Company’s revenue recognition policy and accounting have been the
topic of discussion and concerns expressed by the company’s previous external auditor
(Diligent Audit Firm (‘Diligent’)) for a number of years. Quality Audit Firm (‘Quality’),
the new audit firm for the current reporting period, has noted during the planning
phase for the upcoming 31 December 20X2 year end audit that, if there is a material issue
emerging in the current year under the requirements of the new HKFRS 15, Revenue
from Contracts with Customers, a modification to the auditor’s opinion might be required.

Quality was appointed at the previous year’s annual general meeting in line with
Section 396 of the Companies Ordinance.

Chloe Cheng has requested a meeting with the board’s audit committee and Quality to
discuss the transition of Quality as the new group auditor and to determine what view Quality
will have in relation to opening balances. Chloe Cheng would also like to understand the
approach Quality will have to the group’s interim financial statements. Quality’s audit partner
Jianji Ling will lead this audit engagement.

The group structure is as in Exhibit 10.1.

CORPORATE STRUCTURE

[Exhibit 10.1 diagram: CWaves Ferry Holding Company Limited sits above ten subsidiaries, numbered 1 to 10, each held 100%; the diagram carries the label ‘Material to the Group’.]

1 CWaves Hotels Company
2 CWaves Ferry’s Company
3 HKCW Development Holding Company
4 HKCW Investment Limited
5 Hai Cruising Company
6 CWaves Maintenance Company
7 CWaves Godown Company
8 Donghai Company
9 CWaves Management Company
10 Wonder Travel Company

EXHIBIT 10.1 Corporate structure of CWaves Ferry Holding Company


OVERVIEW

Understanding an auditor’s report and what goes behind it can be a complex task for
stakeholders (i.e. company management and/or those charged with governance), not
to mention auditors themselves. Stakeholders are hereafter referred to simply as Management.
If ‘those charged with governance’ is the name given instead of a Board of Directors, then use
the terms ‘those charged with governance’ and ‘management’ separately.

The final decision as to what the auditor’s report will look like is that of the auditor alone,
but is fundamentally shaped by the requirements of auditing standards, laws, and regulations.
It reflects the independent nature of auditors and their reporting.

This chapter looks at the various steps the auditor must take in determining the
appropriate form of an auditor’s opinion. It also explores the different types of auditor’s
reports from unmodified, to modified, to interim financial statements and special purpose
frameworks and takes into consideration the Companies Ordinance requirements.

It is important for an accountant in public practice or an accountant in business to
understand the auditor’s work as set out in the auditor’s reporting standards suite –
HKSA 700–799. Practice Note 600.1 (Revised), Reports by the Auditor under the Companies
Ordinance (Cap.622) issued by HKICPA, is very helpful in terms of general application for
auditor’s reporting.

10.1 AUDITOR’S OBJECTIVES

Management is responsible for designing and maintaining an accounting system that
appropriately draws data together from other internal management reporting systems to
capture all business transactions, events, and circumstances needed to compile a set of
financial statements. Those outside the company, such as stakeholders, the Hong Kong Stock
Exchange (HKEx), the Inland Revenue Department (IRD), and the Companies Registry, may be
concerned about whether management has prepared the financial statements in accordance
with HKFRSs, the Companies Ordinance, and other regulations that may be applicable to
the auditee.


The auditor, exercising professional judgement and scepticism, will review the (implicit
and explicit) assertions of management and consider whether management could have
unintentionally or intentionally presented some of the financial information and/or events
more optimistically or pessimistically than required under HKFRSs. Alternatively, could
management have intentionally included fictitious revenues, or omitted expenses, hidden bank
loans, or bolstered inventory numbers so that the financial statements would appear other
than in accordance with the company’s actual financial position?

The objectives of the auditor in forming an auditor’s opinion therefore are:

1. To form an opinion on the financial statements based on an evaluation of the
conclusions drawn from the audit evidence obtained; and

2. To express clearly that opinion through a written report.

10.1.1 Importance of the Auditor’s Report


An independent auditor’s report is designed to significantly reduce the concerns that
unintentional and intentional misstatements may have occurred and to provide assurance that
the financial statements, as a whole, are prepared in accordance with HKFRSs and can be relied
on by all users of the financial statements.

The importance of the independence of the auditor cannot be overestimated as it is
fundamental to the level of confidence that the auditor’s report is appropriate and that
the message of the auditor’s report will be heard in whatever form it takes, unmodified or
modified, reports for special purpose frameworks (the different types of auditor’s reports and
auditor’s review reports will be explored in detail later in this chapter).

Independence is covered in more detail in Chapter 1. However, as a result of a number
of corporate scandals and failures in the USA and elsewhere in the 1990s, and those of
the Global Financial Crisis in 2007–2008, significant focus was placed on the degree of
auditors’ independence. Regulator intervention, new accounting and auditing standards, and
considerable media focus and investor criticisms ensued from those scandals and failures.
These developments, in turn, led to a greater focus by the International Ethical Standards
Board for Accountants (IESBA), and in Hong Kong by the HKICPA, on auditors’ independence
and maintaining confidence in the auditor’s reports.

The importance of the auditor’s reports has been described here to assist understanding of
the fundamental premise of the need for auditor’s reporting.

10.1.2 Implications of Materiality for the Auditor’s Opinion


The overall objectives of the auditor are to obtain and communicate in the auditor’s report
reasonable assurance that the financial statements are free from material misstatement.
Materiality therefore is a crucial concept at all stages of the audit process, from planning
continually through to the point of signing the financial statements. The concept of materiality
was addressed in detail in Chapter 5, so, should you need to, refer back to that chapter or to
HKSA 320, Materiality in Planning and Performing an Audit.

As the auditor moves through the conduct of the auditor’s procedures, in whatever form
the auditor determines is appropriate, to reduce detection risk (see Chapter 6) to an acceptable
level, the auditor must consider the likely implications of any misstatements that are discovered
for the financial statements.

At the end of the audit, when drawing a conclusion on any uncorrected misstatements and
making a final determination on the impact the uncorrected misstatements may have on the
financial statements and ultimately the auditor’s opinion, the auditor should re-evaluate the
level of materiality that has been used during the course of the audit. The auditor must then
determine whether the level of materiality remains appropriate at the time of the preparation
of the financial statements and at the time of the issuance of the auditor’s report.

It is very important in practice to take the time to stand back from the detail of all the
working papers that have been collated throughout the entire audit process, in order to
reflect on the overall materiality levels being applied to the final decisions on the form of the
auditor’s opinion.

Financial statements are prepared by management on the basis that they are in accordance
with HKFRSs, the Companies Ordinance, and other relevant legal and regulatory requirements
so that they are not materially misstated. Management themselves will have made their
own determination as to the level of materiality during the preparation of the financial
statements. The auditor, in determining the levels of materiality throughout the audit process,
should come to an independent conclusion on management’s assumptions about materiality.

As materiality is concerned with the level of importance of information provided to users
for making economic decisions, the auditor is required to be mindful of both the quantitative
and qualitative characteristics of the information being considered. For example, provision
for legal costs against the auditee for environmental indiscretions may be quantitatively
immaterial, but the disclosures surrounding the environmental indiscretions may influence
the auditor’s assessment of what users may consider material. Another example might be
a non-arm’s-length transaction initiated by a director of the auditee that is small in terms of
HK$ value but is important to the users’ understanding of the governance of the auditee. Each
individual misstatement should be considered to determine its effects on the relevant classes
of transactions, account balances, or disclosures and whether the materiality level for the
specific class of transactions, account balance, or disclosure has been surpassed. Note that any
misstatements that have arisen due to fraud are always considered to be qualitatively material,
even if they are not quantitatively material.

If a misstatement is determined to be material, care should be taken not to confuse that
assessment by combining it inappropriately with other material misstatements. For example, if
revenue has been materially overstated, the financial statements as a whole will be materially
misstated, even if a cost of sales misstatement offsets the ultimate effect on profit and loss and
other comprehensive income.

The auditor may need to re-evaluate the risks of material misstatement for a specific
account balance or class of transactions upon detection of a number of individually immaterial
misstatements within the particular account balance or class of transactions that, taken
together, might be material.

In determining the final form of the auditor’s opinion, the auditor must be mindful that to
express an unmodified opinion the auditor needs to conclude that the financial statements as
a whole are prepared, ‘in all material respects, in accordance with the applicable reporting
framework’ (HKSA 700.16).


If the auditor concludes that the financial statements as a whole are not free from material
misstatement, the auditor’s opinion would need to be modified and reference would need to
be made to HKSA 705 (Revised), Modifications to the Opinion in the Independent Auditor’s Report,
as to the appropriate level of modification.

The concept and application of the independent auditor’s determination of materiality is
one of the central elements in determining the appropriate auditor’s opinion.

Knowledge Check Questions

Question 1
Identify which of the following options best describes the main reason for an independent
auditor’s report on the financial statements.
A To give users of the financial statements assurance that any fraudulent activities will
be detected.
B To identify a poorly designed internal control structure that may produce unreliable
financial statements.
C To provide expertise to the auditee, who may not be totally knowledgeable of
the HKFRSs.
D To provide independent assurance of the relevance and reliability of the auditee’s
financial statements.

Question 2
Identify which of the following best describes the overall objectives of an auditor in relation
to the financial statements.
A Reduce detection risk.
B Unrecorded misstatements should be kept to a minimum.
C Issue an unmodified auditor’s opinion.
D Communicate in the auditor’s report whether the financial statements are free from
material misstatement.

Question 3
Advise why the concept of materiality is so important to the auditor when concluding on
the appropriate auditor’s opinion.

10.2 COMPONENTS OF AN AUDITOR’S REPORT

An auditor’s report must be in writing in all cases, no matter the basis for opinion. The
components to the auditor’s report will vary depending on the type of report. In Hong Kong,
HKSA 700 (Revised) provides eight illustrations of Independent Auditor’s Reports on Financial
Statements, HKSA 705 (Revised) provides another five illustrations, HKSA 706 (Revised) provides
two illustrations, and HKSA 800 (Revised), Special Considerations – Audits of Financial Statements
Prepared in Accordance with Special Purpose Frameworks, provides three illustrations. Although
the illustrations are appendices to each of the auditing standards, they are relevant guidance
when constructing an appropriate auditor’s report.

10.2.1 Title of Auditor’s Report


The auditor’s report must state clearly that it is an Independent Auditor’s Report. This reaffirms
to financial statement users that the auditor is independent of management and provides
assurance to those that are seeking to place reliance on the opinion.

10.2.2 Addressee
The nature of the audit will determine to whom the auditor’s report should be addressed.
The most common addressee is the party for whom the auditor’s report has been prepared,
normally the shareholders; for non-listed companies, it is common for the auditor’s
report to be addressed to those charged with governance.

In Hong Kong it is very common to state in the auditor’s report where the company was
incorporated.

10.2.3 Auditor’s Opinion


As noted earlier in the chapter, one of the most significant changes made to the HKSA 700
(Revised) was that the auditor’s opinion moved from being the last paragraph of the auditor’s
report to being the first. This now provides more prominence to the auditor’s opinion.

As a precursor to the actual opinion, it is common that a sub-title be presented that
sets out which financial statements are being addressed. This will normally be ‘Report on
the Audit of the Financial Statements’ or ‘Report on the Audit of the Consolidated Financial
Statements’.

The first paragraph of the opinion section in all cases:

• States that the financial statements have been audited;

• Identifies the auditee, whether a single company, e.g. CWaves Hotels Company (‘the
company’), for single company financial statements or a group audit, e.g. CWaves Ferry
Holding Company Limited and its subsidiaries (‘the Group’), for a consolidated set of
financial statements;

• Defines the pages of the financial statements that the auditor’s opinion covers;

• States the specific components of the financial statements upon which an auditor’s
opinion is given:

  ◦ Statement of financial position as at a defined point of time, e.g. 31 December 20X1;

  ◦ Statement of profit or loss and other comprehensive income; statement of changes
    in equity and statement of cash flows for the year (or, when relevant, the period) then
    ended (HKAS 1 (Revised), Presentation of Financial Statements, allows entities to present
    comprehensive income using either a one-statement approach or a two-statement
    approach, the importance of which is consistency with the titles of the corresponding
    statements); and

  ◦ The notes to the financial statements, including the summary of significant
    accounting policies.

The second paragraph indicates whether the auditor’s opinion on the financial
statements is:

• Unmodified; or

• Modified:

  ◦ Qualified opinion

  ◦ Adverse opinion

  ◦ Disclaimer of opinion.

The different types of opinion will be explored in detail later in this chapter.

10.2.4 Basis for Opinion


This paragraph follows directly after the opinion paragraph and gives the users of the
financial statements an understanding of the basis used in coming to the auditor’s opinion.
This is relevant to all opinions except when a Disclaimer of Opinion is issued. (The basis for a
Disclaimer of Opinion will be addressed in detail later in this chapter.)

HKSA 700 (Revised) requires that the basis for opinion paragraph states that the
audit was conducted in accordance with HKSAs and that reference is made to the Auditor’s
Responsibilities for the Audit of the Financial Statements section of the auditor’s report, where
the auditor’s responsibilities are set out in more detail.

This paragraph must also state the independence and ethical basis on which the opinion
has been formed. In Hong Kong this is the HKICPA’s Code of Ethics for Professional Accountants
(‘the Code’). The Code referenced here is the Revised Code that took effect from June 2019 in
Hong Kong.

Finally, the auditor states whether the auditor believes that the audit evidence obtained
was sufficient and appropriate to provide the basis for the auditor’s opinion.

10.2.5 Key Audit Matters


The Key Audit Matters (‘KAMs’) section is included only in the financial statements of a publicly
listed auditee or when the auditee has voluntarily adopted HKSA 701, Communicating Key Audit
Matters in the Independent Auditor’s Report. KAMs are those matters that, in the professional
judgement of the auditor, were of most significance in the audit of the current period’s financial
statements. A note is made of how the matters were addressed through the audit process and
a clear statement is made that a separate auditor’s opinion is not provided on the matters.


10.2.6 Other Information


The auditor must make reference to their responsibilities relating to other information if
relevant. These responsibilities are set out in HKSA 720 (Revised), The Auditor’s Responsibilities
Relating to Other Information, and also extend to the requirements of the Companies Ordinance.
The auditor is required to read ‘other information’ that exists within the financial report, but
outside the financial statements covered by the auditor’s opinion. Some examples are the
chairman’s statement, a summary of highlights, management discussion and analysis, and
the corporate governance report. Further examples can be seen in Appendix 1 in HKSA 720
(Revised). Note that, as with the financial statements themselves, the directors are responsible
for the preparation and presentation of other information.

The auditor must state that no opinion is given on the ‘other information’ and that the
auditor’s responsibility extends only to reading the other information to ensure that it is
materially consistent with the information disclosed as part of the financial statements.

If the auditor concludes that there is a material inconsistency in the ‘other information’, the
auditor is required to report that fact. If no material inconsistencies exist, the auditor simply
states that, based on the audit work completed, nothing has come to their attention that
requires reporting. The auditor cannot provide any assurance on ‘other information’.

10.2.7 Responsibilities of Directors and Those Charged with Governance


The auditor’s report must state that the directors are wholly responsible for the preparation of
the financial statements and that they are responsible for such internal controls that they deem
necessary to enable the preparation of the financial statements that are free from material
misstatement, whether due to fraud or error.

The directors must be satisfied that in their view the financial statements have been
prepared to give a true and fair view in accordance with HKFRSs and the Companies Ordinance.

There is now in the revised auditor’s reporting standards a statement referring to the
directors’ specific statement in relation to the ability of the company or the group to continue
as a going concern and, where applicable, appropriate disclosures have been made
(HKSA 700.34(b)). This is replicated by the directors themselves in the body of the financial
statements and financial report.

Finally, a statement is included that the directors are responsible for the oversight of the
financial reporting process.

10.2.8 Auditor’s Responsibilities for the Audit of the Financial Statements

Under the revised auditor’s reporting suite of HKSAs, the auditor’s responsibilities paragraphs
can be displayed in a number of ways, and various approaches have been employed in practice
(as will be shown later).

The first paragraph describing the auditor’s responsibilities, as set out in HKSA 700
(Revised), must be disclosed in all types of auditor’s reports except where a Disclaimer of
Opinion is issued. (Illustrations 4 and 5 of HKSA 705 (Revised) give the required statements
for Disclaimer of Opinion conclusions). The key point that is made is that the objective of the
auditor is to provide reasonable assurance (not a guarantee) about whether the financial
statements as a whole are free from material misstatement whether due to fraud or error. The
auditor states that misstatements are considered material if individually or in aggregate they
could influence the economic decisions of users of the financial statements.

The requirements of HKSA 700 (Revised) contain a shaded section. The shaded section sets
out matters that can be addressed at the auditor’s discretion:

• Within the body of the auditor’s report;

• As an appendix to the auditor’s report; or

• By reference to the relevant authority or the auditor’s firm website where the exact
description of the auditor’s responsibilities as described in HKSA 700 (Revised) are
documented.

The shaded area of HKSA 700 (Revised) also outlines the following required disclosures.
The auditor states that, as part of an audit conducted in accordance with HKSA, the auditor
maintains professional judgement and scepticism throughout the audit, and specifically:

• Identifies and assesses the risk of material misstatement in the financial statements,
whether due to fraud or error;
• Obtains an understanding of the control environment relevant to the design and
execution of audit procedures;

• Assesses the adequacy of the accounting policies adopted by the directors;

• Concludes on the directors’ declaration associated with the going concern assumption;

• Concludes on whether the financial statements including disclosures appropriately
reflect the underlying transactions and events in the period covered by the
auditor’s report;

• Remains solely responsible for the auditor’s opinion; and

• Communicates with the directors and management throughout the audit process in
line with the requirements of HKSA 260 (Revised), Communication with Those Charged
with Governance.

10.2.9 Report on Other Legal and Regulatory Requirements


The matters addressed in this section are those required outside the requirements of the HKSA,
which would not otherwise be covered in the auditor’s report. The most common requirements
in Hong Kong are those of the Companies Ordinance. For example, Section 407 requires the
auditor to opine on other matters. Section 407(2)(a) requires a statement where adequate
accounting records have not been kept by the company. While the form of the auditor’s opinion
would reflect this in broad terms, the Companies Ordinance requires an explicit comment from
the auditor under the heading ‘Report on Other Legal and Regulatory Requirements’. Further
examples can be found in PN 600.1 (Revised).


The auditor’s report must also include:

• For audits of listed companies, the engagement partner’s name;

• Auditor’s name; and

• Whether the auditor is a Certified Public Accountants (Practising) or a Certified Public
Accountants.

• The auditor’s address; and

• The date of the auditor’s report.

Knowledge Check Questions

Question 4
Identify which of the following is not an acceptable place for the shaded section of the
auditor’s responsibilities for an audit of the financial statements to be disclosed.
A As an appendix to the auditor’s report.
B HKICPA website.
C Within the body of the auditor’s report.
D Exact reference to the auditor’s firm website.

Question 5
Describe what should be included in the first and second paragraphs of the auditor’s
opinion section of the auditor’s report.

10.3 AUDITOR’S REPORT REQUIREMENTS

As indicated previously, once the audit procedures have been appropriately carried out, the
auditor must stand back from what has been collected and determine whether detection risk
has been sufficiently minimised across each audit assertion relating to material balances and
disclosures, to form an appropriate view of the form of the auditor’s opinion.

The auditor must also review the unadjusted misstatements that have accumulated during
the course of the audit and evaluate their impact on the auditor’s opinion.


The auditor’s opinion is the direct communication between the auditor and the users of the
financial statements. It provides the auditor with the opportunity to explain how the opinion
has been formed and the basis for the conclusions drawn.

The following are the possible types of auditor’s opinions and the key messages they
communicate to users:

• Unmodified opinion

The financial statements give a true and fair view in accordance with HKFRSs. This is the
best opinion an auditor can deliver.

• Modified opinion – qualified

In the auditor’s opinion, except for the effects of the matter described in the Basis for
Qualified Opinion section of the auditor’s report, the financial statements give a true and
fair view in accordance with HKFRSs. This opinion demonstrates some reservation on the
part of the auditor about the financial statements as a whole.

• Modified opinion – adverse

The financial statements as a whole do not give a true and fair view in accordance with
HKFRSs, for the reasons disclosed in the Basis for Adverse Opinion paragraph. This
is a very serious opinion for the auditor to deliver as it is indicating to users that the
financial statements cannot be relied upon.

• Modified opinion – disclaimer of opinion

An opinion is not expressed on the financial statements, with the basis being described
in the Basis for Disclaimer of Opinion paragraph. An auditor makes this conclusion
when the auditor has been unable to obtain sufficient appropriate audit evidence to
conclude. Given the responsibilities upon management to prepare financial statements
in accordance with the applicable financial reporting framework, this too is an
unfortunate form of opinion. The rest of this chapter explains the judgement required
on the part of the auditor to determine what form the final auditor’s opinion will take.

Review opinions issued by an auditor as a result of reviews of interim financial statements
can also take any of the above forms.

10.4 FORM OF OPINION

The form of the auditor’s opinion can have a serious impact on the decisions made by the users
of the financial statements. There is a continuum in terms of opinions, which will be explored in
more detail in this chapter (Exhibit 10.2).


EXHIBIT 10.2 Forms of opinions (figure: a continuum running from Unmodified Opinion to
the Modified Opinions, namely Qualified (Except for), Adverse, and Disclaimer of Opinion
(No opinion given))

10.4.1 Unmodified Opinion


In an unmodified opinion, the auditor concludes that the financial statements give a true and
fair view in accordance with the applicable financial reporting framework. Globally and in Hong
Kong an unmodified opinion is the most common opinion outcome. This is to be expected, as a
successful audit is one that has detected and corrected any material misstatements identified
by the auditor to a high level of assurance. The resulting audited financial statements merit an
unmodified auditor’s opinion.

Illustrative Example 1 – Unmodified Opinion


INDEPENDENT AUDITOR’S REPORT

To the members of CWaves Ferry Holding Company Limited

(incorporated in Hong Kong with limited liability)

Report on the Audit of the Consolidated Financial Statements

Opinion

We have audited the consolidated financial statements of CWaves Ferry Holding Company
Limited and its subsidiaries (‘the Group’) set out on pages x to xx, which comprise the
consolidated statement of financial position as at 31 December 20X2, and the consolidated
statement of profit or loss and other comprehensive income, consolidated statement of
changes in equity, and consolidated statement of cash flows for the year then ended,
and notes to the consolidated financial statements, including a summary of significant
accounting policies.

In our opinion, the consolidated financial statements give a true and fair view of
the consolidated financial position of the Group as at 31 December 20X2, and of its
consolidated financial performance and its consolidated cash flows for the year then
ended in accordance with Hong Kong Financial Reporting Standards (‘HKFRSs’) issued by
the Hong Kong Institute of Certified Public Accountants (‘HKICPA’) and have been properly
prepared in compliance with the Companies Ordinance.



Basis for Opinion

We conducted our audit in accordance with Hong Kong Standards on Auditing
(‘HKSAs’) issued by the HKICPA. Our responsibilities under those standards are further
described in the Auditor’s Responsibilities for the Audit of the Consolidated Financial
Statements section of our report. We are independent of the Group in accordance with
the HKICPA’s Code of Ethics for Professional Accountants (‘the Code’), and we have
fulfilled our other ethical responsibilities in accordance with the Code. We believe that
the audit evidence we have obtained is sufficient and appropriate to provide a basis for
our opinion.

Apply and Analyse 1


CWaves Godown Company (‘Godown’) is a material subsidiary of CWaves Ferry Holding
Company Limited and has made a profit for the year ended 31 December 20X2. The
operations for the year have been consistent with prior years and Godown is at near
capacity. It is likely that expansion of this subsidiary will occur over the next couple of years
with investment in the construction of a further Godown to meet the demand for space.
This expansion is planned to be funded by significant external debt. Quality, the company’s
auditor, is completing the current year’s audit and is considering what should be the
appropriate type of auditor’s opinion to issue.

Analysis

Quality would need to reference HKSA 700 (Revised) in the first instance to determine
the likely auditor’s opinion to be issued. From the information given it appears that
Quality would be looking to issue an unmodified opinion. In determining the type of
unmodified opinion to issue, Quality should consider whether there is anything to which
they may need to draw the user’s attention. In this instance, the management’s use of
the going concern basis of accounting in the preparation of the financial statements
is appropriate, so material uncertainty related to the going concern paragraph would
not be needed. The discussion concerning future developments and the funding model
would not normally have an impact on the auditor’s opinion in the current year, not even
as an other matter, as no formal commitments have been made and it could be viewed
as a potential strategic development. Therefore, with these considerations, Quality
should conclude that an unmodified auditor’s opinion should be issued with no further
references.


10.4.2 Modified Opinion

EXHIBIT 10.3 Modified opinion (figure: the three modified opinions, namely Qualified
(Except for), Adverse, and Disclaimer of Opinion (No opinion given))

HKSA 705 (Revised) requires the auditor to modify the opinion in the auditor’s report when the
requirements of HKSA 700 (Revised) cannot be achieved and:

• The auditor concludes that, based on the audit evidence obtained, the financial
statements as a whole are not free from material misstatement; or

• The auditor is unable to obtain sufficient appropriate audit evidence to make a
definitive conclusion on the potential cumulative effects on the financial statements of
uncertainties.

HKSA 705 (Revised), paragraph A.1, describes the types of modified opinions and
circumstances when they are given (Exhibit 10.4). Further detail is given later in this chapter.

Nature of matter giving rise to the modification | Auditor’s judgement about the pervasiveness of the effects or possible effects on the financial statements
 | Material but not pervasive | Material and pervasive
Financial statements are materially misstated | Qualified Opinion | Adverse Opinion
Inability to obtain sufficient appropriate audit evidence | Qualified Opinion | Disclaimer of Opinion

EXHIBIT 10.4 Types of modified opinions

Knowledge Check Questions

Question 6
This question requires you to use the information in the CWaves case. When issuing a
qualified auditor’s opinion in relation to revenue recognition for Wonder Travel Company,
identify which of the following would be the conclusion of the case.
A The financial statements as a whole are materially misstated and that revenue
recognition is pervasive.
B Sufficient appropriate audit evidence on revenue recognition could not be obtained that
was both material and pervasive.
C Revenue recognition was the only audit issue, but because it has been an issue in the
past there should be a qualification.
D There was a material problem with management’s determination for revenue recognition
and for the amount of difference to the HKSA requirements that could be quantified.


10.5 MODIFIED OPINIONS

10.5.1 Qualified Opinion


A qualified auditor’s opinion is given by the auditor in either of the following two circumstances:

1. When the auditor has evidence that the financial statements are materially misstated
due to misstatement in one particular account balance, class of transactions, or
disclosures that does not have a pervasive effect on the financial statements as
a whole; or

2. When the auditor is unable to obtain sufficient appropriate audit evidence regarding
a particular account balance, class of transactions, or disclosures (often referred to as
a limitation of scope). The auditor concludes that the possible effects on the financial
statements of undetected misstatements, if any, could be material but not pervasive to
the financial statements as a whole.

The wording of the Opinion paragraph of a qualified auditor’s opinion is very similar to that
of an unmodified auditor’s opinion. The Basis for Opinion paragraph that immediately follows
the Opinion paragraph explains the reasons for the qualification and must provide, to the
extent possible, a quantification of the effects of the matter subject to qualification.

Illustrative Example 2
An auditor’s report containing a qualified opinion due to a material misstatement of
the financial statements (only the Opinion paragraph and Basis for Opinion will be
illustrated). For the purpose of this illustration the auditor concluded that creditors
were materially misstated as the company was trying to minimise the level of liabilities
recorded and reduce expenses for the year to maximise reported profit.

INDEPENDENT AUDITOR’S REPORT

To the members of ABC Company

(incorporated in Hong Kong with limited liability)

Report on the Audit of the Financial Statements

Qualified Opinion
We have audited the financial statements of ABC Company (‘the Company’) set out on
pages . . . to . . ., which comprise the statement of financial position as at 31 December 20X1,
and the statement of profit or loss and other comprehensive income, statement of changes
in equity, and statement of cash flows for the year then ended, and notes to the financial
statements, including a summary of significant accounting policies.

In our opinion, except for the effects of the matter described in the Basis for Qualified
Opinion section of our report, the financial statements give a true and fair view of the financial
position of the Company as at 31 December 20X1, and of its financial performance and its cash
flows for the year then ended in accordance with Hong Kong Financial Reporting Standards
(‘HKFRSs’), issued by the Hong Kong Institute of Certified Public Accountants (‘HKICPA’), and have
been properly prepared in compliance with the Companies Ordinance.

Basis for Qualified Opinion

The Company’s creditors are carried in the statement of the financial position at xxx. The
directors have not included all creditors that should have been recognised, which constitutes
a departure from HKFRSs. The Company’s records indicate that, had the directors stated the
creditors appropriately, an amount of xxx would have been required to increase the value
of creditors. Accordingly, a number of expense accounts would have been increased by xxx,
and income tax, net income, and shareholders’ equity would have been reduced by xxx, xxx,
and xxx, respectively.

We conducted our audit in accordance with Hong Kong Standards on Auditing (‘HKSAs’)
issued by the HKICPA. Our responsibilities under those standards are further described in
the Auditor’s Responsibilities for the Audit of the Financial Statements section of our report.
We are independent of the Company in accordance with the HKICPA’s Code of Ethics for
Professional Accountants (‘the Code’), and we have fulfilled our other ethical responsibilities
in accordance with the Code. We believe that the audit evidence we have obtained is
sufficient and appropriate to provide a basis for our qualified opinion.

Illustrative Example 3
An auditor’s report contains a qualified opinion due to a material omission in a disclosure
in the financial statements (only the Opinion paragraph and Basis for Opinion will be
illustrated). For the purpose of this illustration the auditor concluded that material related
party transactions had not been disclosed.

You will note that the only difference between Example 1 and this example is how the
basis for qualified opinion is described. It is also important to note that the words used are
generally not generic but should reflect the specific circumstances of the auditor’s decision.

INDEPENDENT AUDITOR’S REPORT

To the members of ABC Company

(incorporated in Hong Kong with limited liability)

Report on the Audit of the Financial Statements

Qualified Opinion

We have audited the financial statements of ABC Company (‘the Company’) set out on
pages . . . to . . ., which comprise the statement of financial position as at 31 December 20X1,
and the statement of profit or loss and other comprehensive income, statement of changes
in equity and statement of cash flows for the year then ended, and notes to the financial
statements, including a summary of significant accounting policies.



In our opinion, except for the effects of the matter described in the Basis for Qualified
Opinion section of our report, the financial statements give a true and fair view of
the financial position of the Company as at 31 December 20X1, and of its financial
performance and its cash flows for the year then ended in accordance with Hong Kong
Financial Reporting Standards (‘HKFRSs’) issued by the Hong Kong Institute of Certified
Public Accountants (‘HKICPA’) and have been properly prepared in compliance with the
Companies Ordinance.

Basis for Qualified Opinion

The Company has entered into a number of material related party transactions during the
current year. The directors have not disclosed the relationships or transaction values that
are required by HKAS 24 (Revised), Related Party Disclosures. An engineering contract with
Engineers Company, an entity owned by VV Director, was awarded a consulting contract by
the Company for HKD xx. A further consulting contract was awarded to ZZ Director’s payroll
services company for HKD xx.

We conducted our audit in accordance with Hong Kong Standards on Auditing (‘HKSAs’)
issued by the HKICPA. Our responsibilities under those standards are further described in
the Auditor’s Responsibilities for the Audit of the Financial Statements section of our report.
We are independent of the Company in accordance with the HKICPA’s Code of Ethics for
Professional Accountants (‘the Code’), and we have fulfilled our other ethical responsibilities
in accordance with the Code. We believe that the audit evidence we have obtained is
sufficient and appropriate to provide a basis for our qualified opinion.

Illustrative Example 4
An auditor’s report containing a qualified opinion due to the auditor’s inability to obtain
sufficient appropriate audit evidence (only the Opinion paragraph and Basis for Opinion
will be illustrated). For the purpose of this illustration the auditor was not able to obtain
audit evidence pertaining to the completeness and occurrence of revenue from a contract
with an African Company.

INDEPENDENT AUDITOR’S REPORT

To the members of ABC Company

(incorporated in Zambia with limited liability)

Report on the Audit of the Consolidated Financial Statements

Qualified Opinion

We have audited the consolidated financial statements of ABC Company and its subsidiaries
(‘the Group’) set out on pages . . . to . . ., which comprise the consolidated statement of
financial position as at 31 December 20X1, and the consolidated statement of profit or
loss and other comprehensive income, consolidated statement of changes in equity and
consolidated statement of cash flows for the year then ended, and notes to the consolidated
financial statements, including a summary of significant accounting policies.



In our opinion, except for the possible effects of the matter described in the Basis for
Qualified Opinion section of our report, the consolidated financial statements give a true
and fair view of the financial position of the Group as at 31 December 20X1 and of its
consolidated financial performance and its consolidated cash flows for the year then ended
in accordance with Hong Kong Financial Reporting Standards (‘HKFRSs’) issued by the Hong
Kong Institute of Certified Public Accountants (‘HKICPA’) and have been properly prepared
in compliance with the Companies Ordinance. (Note that this is not included where the
company was not incorporated in Hong Kong.)

Basis for Qualified Opinion

The Group has a major contract with an African company to supply and install mining
infrastructure in Zambia over a period of two years. Revenue associated with the first year
of the contract is recognised at xxx in the consolidated statement of profit or loss and other
comprehensive income as at 31 December 20X1. This same amount is also reflected in trade
receivables. We were unable to obtain sufficient appropriate audit evidence about the value
of revenue recognised or the recoverability of the trade receivable for the year ended 31
December 20X1 because the underlying contract could not be found and management could
not provide evidence that payments would be received. Consequently, we were unable to
determine whether any adjustments to revenue or trade receivables were necessary.

We conducted our audit in accordance with Hong Kong Standards on Auditing (‘HKSAs’)
issued by the HKICPA. Our responsibilities under those standards are further described in
the Auditor’s Responsibilities for the Audit of the Consolidated Financial Statements section
of our report. We are independent of the Group in accordance with the HKICPA’s Code
of Ethics for Professional Accountants (‘the Code’), and we have fulfilled our other ethical
responsibilities in accordance with the Code. We believe that the audit evidence we have
obtained is sufficient and appropriate to provide a basis for our qualified opinion.

Apply and Analyse 2


Wonder Travel Company (‘Wonder’) is a material subsidiary of CWaves Ferry Holding Company
Limited and from the case study background the external auditor Quality has expressed
concerns in relation to Wonder’s revenue recognition policy. In the current year, Wonder
has to apply the new HKFRS 15, Revenue from Contracts with Customers, accounting standard.
Quality has concluded that the new accounting standard has not been appropriately applied
by a material amount and will therefore need to issue a modified auditor’s opinion.

Analysis

Quality would need to reference HKSA 705 (Revised) to determine the form of modification.
From the information given, Quality has determined the amount as material, and as it is
quantifiable and contained to specific account balances a qualified auditor’s opinion would
be appropriate. There is no evidence that the issue is pervasive and Quality has been able
to obtain sufficient appropriate audit evidence to draw their conclusion. In this case an
opinion similar to the one illustrated in Illustrative Example 1 would be issued.


Ethics in Practice
For an auditor to conclude that a qualified auditor’s opinion should be issued can
sometimes entail significant discussion with management and/or those charged with
governance.

This discussion can at times result in pressure being placed on the auditor not to
issue a qualified auditor’s opinion (this can be applied to all forms of modified auditor’s
opinions). The auditor must stand their ground in order to meet the requirements of the
HKSAs, the HKFRSs, and the Companies Ordinance. It is recognised that this can sometimes
be difficult when a client threatens to engage another firm for a second opinion or
threatens to change auditor after the current audit is complete.

To also meet the ethical principles of integrity, objectivity, professional competence
and due care, and professional behaviour (as defined in Sections 111, 112, 113, and 115 of
the Code of Ethics for Professional Accountants (Revised)), the auditor must not be tempted
to issue an unmodified auditor’s opinion in circumstances where a reasonable third party
would conclude that a qualified opinion should be issued.

10.5.2 Adverse Opinion


An auditor should express an adverse opinion when the auditor, having obtained sufficient
appropriate audit evidence, concludes that misstatements, individually or in the aggregate, are
both material and pervasive to the financial statements.

This type of opinion is the signal to stakeholders that the financial statements of the
company may not be reliable enough to make economic decisions. This may also alert
stakeholders to the fact that management and those charged with governance may not be
operating the company appropriately or ethically.

As you will note from the discussion above, the main difference between a qualified
auditor’s opinion and an adverse auditor’s opinion is that an adverse auditor’s opinion is
pervasive to the financial statements as a whole.

Illustrative Example 5 – Adapted from HKSA 705 (Revised), Appendix Illustration 2
It is one of the most common reasons for an adverse auditor’s opinion. (Only the Opinion
paragraph and Basis for Opinion will be illustrated.)

For the purpose of this illustration the auditor determined that the consolidated
financial statements were materially misstated due to the non-consolidation of a
subsidiary.

Independent Auditor’s Report

To the members of ABC Company

(incorporated in Hong Kong with limited liability)


Report on the Audit of the Consolidated Financial Statements

Adverse Opinion

We have audited the consolidated financial statements of ABC Company and its subsidiaries
(‘the Group’) set out on pages . . . to . . ., which comprise the consolidated statement of
financial position as at 31 December 20X1, and the consolidated statement of profit or
loss and other comprehensive income, consolidated statement of changes in equity and
consolidated statement of cash flows for the year then ended, and notes to the consolidated
financial statements, including a summary of significant accounting policies.

In our opinion, because of the significance of the matter discussed in the Basis for
Adverse Opinion section of our report, the consolidated financial statements do not give a
true and fair view of the consolidated financial position of the Group as at 31 December
20X1, and of its consolidated financial performance and its consolidated cash flows for the
year then ended in accordance with Hong Kong Financial Reporting Standards (‘HKFRSs’)
issued by the Hong Kong Institute of Certified Public Accountants (‘HKICPA’). In all other
respects, in our opinion the consolidated financial statements have been properly prepared
in compliance with the Companies Ordinance.

Basis for Adverse Opinion

As explained in Note X, the Group has not consolidated subsidiary XYZ Company that the
Group acquired during 20X1 because it has not yet been able to determine the fair values
of certain of the subsidiary’s material assets and liabilities at the acquisition date. This
investment is therefore accounted for on a cost basis. Under HKFRSs, the Company should
have consolidated this subsidiary and accounted for the acquisition based on provisional
amounts. Had XYZ Company been consolidated, many elements in the consolidated
financial statements would have been materially affected. The effects on the consolidated
financial statements of the failure to consolidate have not been determined.

We conducted our audit in accordance with Hong Kong Standards on Auditing (‘HKSAs’)
issued by the HKICPA. Our responsibilities under those standards are further described in
the Auditor’s Responsibilities for the Audit of the Consolidated Financial Statements section
of our report. We are independent of the Group in accordance with the HKICPA’s Code
of Ethics for Professional Accountants (‘the Code’) and we have fulfilled our other ethical
responsibilities in accordance with the Code. We believe that the audit evidence we have
obtained is sufficient and appropriate to provide a basis for our adverse opinion.

Apply and Analyse 3


CWaves Hotels is a material subsidiary of CWaves Ferry Holding Company Limited. From
the case study background, they have suffered losses for the last three years and the level
of external debt has increased substantially over the last two years. Let us assume that
CWaves Hotels has to pay back a material portion of the debt two months after the date of
the auditor’s report, but has no foreseeable way of funding it. Quality, the external auditor
for the current period, needs to determine what impact this may have on the current year’s
auditor’s opinion.

Analysis

The financial statements have been prepared by the directors on a going concern basis as
the directors believe they will somehow be able to raise the funds to pay back the expiring
debt. Quality has concluded that this is not likely, on the basis that there was no audit
evidence in relation to negotiations for re-financing or new funding to repay the debt.

Because of the nature of the situation, Quality has concluded that it does not believe
that CWaves Hotels is a going concern and as such the values of assets and liabilities at the
year end may be materially misstated. Given that this situation is pervasive to the financial
statements as a whole, Quality should issue an adverse auditor’s opinion on CWaves
Hotels. (Note that the adverse auditor’s opinion would be replicated in the consolidated
financial statements of CWaves Ferry Holding Company Limited.)

10.5.3 Disclaimer of Opinion


The auditor will issue a disclaimer of opinion in circumstances where the auditor is unable to
obtain sufficient appropriate audit evidence on which to base an opinion. The auditor would
also conclude that the possible effects are likely to be material and pervasive to the financial
statements.

Note that essentially this is not an opinion. Instead, it means that the auditor chooses not to
render one.

Auditors may issue a disclaimer of opinion when:

• The auditor’s scope was limited. This occurs, for instance, when the auditor cannot
access particular financial data.

• The auditor has other doubts about the reports. For example:

  ◦ The financial statements may seem to violate accounting principles such as the
    matching concept or the conservatism principle.

  ◦ The auditor may question the classification of certain revenue and expense items.

  ◦ Some assets should not have been capitalised.

  ◦ The auditor may question the way the entity applies rules such as the lower of cost
    or net realisable value for inventory.

The auditor issues an auditor’s opinion only when they are confident the opinion is supported
by sufficient appropriate audit evidence. Otherwise, a Disclaimer of Opinion should be expressed.


Illustrative Example 6
This example is of a Disclaimer of Opinion (only the Opinion paragraph and Basis for
Opinion will be illustrated). For the purpose of this illustration the auditor has not been
able to conclude on revenue and associated balances.

INDEPENDENT AUDITOR’S REPORT

To the members of ABC Company

(incorporated in Hong Kong with limited liability)

Report on the Audit of the Consolidated Financial Statements

Disclaimer of Opinion

We were engaged to audit the consolidated financial statements of Hong Kong Company
and its subsidiaries (‘the Group’) set out on pages . . . to . . ., which comprise the consolidated
statement of financial position as at 31 December 20X1, and the consolidated statement
of profit or loss and other comprehensive income, consolidated statement of changes in
equity and consolidated statement of cash flows for the year then ended, and notes to the
consolidated financial statements, including a summary of significant accounting policies.

We do not express an opinion on the consolidated financial statements of the Group.


Because of the significance of the matter described in the Basis for Disclaimer of Opinion
section of our report, we have not been able to obtain sufficient appropriate audit evidence
to provide a basis for an audit opinion on these consolidated financial statements. In all
other respects, in our opinion the consolidated financial statements have been properly
prepared in compliance with the Companies Ordinance.

Basis for Disclaimer of Opinion

Cash receipts are a significant source of revenue for the Group. The Group has determined
that it is impracticable to establish controls over the collection of cash receipts prior to
their entry into the financial records of the Group. Accordingly, as the evidence available
to us regarding revenue was not sufficient, our audit procedures with respect to cash
receipts had to be restricted to the amounts recorded in the financial statements. We were
therefore unable to determine whether any adjustments might have been necessary in
respect of amounts disclosed in the consolidated statement of profit or loss and other
comprehensive income, the consolidated statement of financial position, consolidated
statement of changes in equity, and consolidated statement of cash flows.

Note that for all modified auditor’s reports the auditor is required to report on other
matters under Sections 407(2) and 407(3) of the Companies Ordinance.

Section 407 of the CO requires the auditor to opine on other matters:

1. In preparing an auditor’s report, the auditor must carry out an investigation that
will enable the auditor to form an opinion as to:

a. Whether adequate accounting records have been kept by the company; and

b. Whether the financial statements are in agreement with the accounting records.



2. A company’s auditor must state the auditor’s opinion in the auditor’s report if the
auditor is of the opinion that:

a. Adequate accounting records have not been kept by the company; or

b. The financial statements are not in agreement with the accounting records in
any material respect.

3. If a company’s auditor fails to obtain all the information or explanations that, to
the best of the auditor’s knowledge and belief, are necessary and material for the
purpose of the audit, the auditor must state that fact in the auditor’s report.

4. If the financial statements do not comply with Section 383(1), the auditor must
include in the auditor’s report, so far as the auditor is reasonably able to do so,
a statement giving the particulars that are required to be, but have not been,
contained in the financial statements.

Where the opinion on the financial statements has been modified, the auditor needs
to evaluate what the consequences of this modification are on the reporting requirement
under the CO and, if necessary, further modify the report. For the requirements under the
Companies Ordinance, reference may be made to PN 600.1 (Revised), Reports by the Auditor
under the Companies Ordinance (Cap.622).

Knowledge Check Questions

Question 7
The auditor of Tony’s Toy Kingdom has had difficulty in determining whether
management’s assessment of stock obsolescence is adequate and thinks there could
be a material overstatement of inventory but does not have sufficient appropriate audit
evidence to make this conclusion. Assuming all other aspects of the financial statements
are materially stated, describe and explain the auditor’s opinion that should be issued by
the auditor.

Question 8
The auditor of Qualitas Consulting Limited noted an issue with the value and basis of the
work in progress balance in Qualitas’s balance sheet. The auditor’s view is that the amount
involved is material but not pervasive and can quantify the difference. Identify which of the
following is the most likely opinion issued by the auditor.
A Unmodified opinion.
B Qualified opinion.
C Adverse opinion.
D Disclaimer of opinion.



Question 9
Queen Furniture (the parent entity) is a high-end furniture retailer in Hong Kong which
has a material subsidiary in China that manufactures all of the furniture that Queen sells.
Queen Furniture will not consolidate the Chinese subsidiary in their financial statements.
Identify which of the following audit opinions would be the most appropriate.
A Qualified opinion.
B Unqualified opinion with an Other Matter paragraph.
C Disclaimer of opinion.
D Adverse opinion.

Question 10
Advise what an adverse auditor’s opinion signals to stakeholders.

Question 11
Justify when a Disclaimer of Opinion would be considered by the auditor.

Question 12
For all modified auditor’s reports, state what the auditor is required to report on other
matters under Sections 407(2) and 407(3) of the Companies Ordinance.

10.6 ADDITIONAL COMMUNICATIONS IN THE AUDITOR’S REPORT

10.6.1 Key Audit Matters (‘KAMs’)


The introduction of KAMs was the most significant change in the new suite of auditors’
reporting standards, HKSA 701, Communicating Key Audit Matters in the Independent Auditor’s
Report, and was effective from 15 December 2016. The objective for the inclusion of KAMs in
the auditor’s opinion is to provide users of the financial statements an insight as to what, in the
auditor’s view, were the most important focus areas for them in the current audit.

Note that KAMs are only required to be included in auditors’ reports for listed entities, with
voluntary application to other entities.

HKSA 701 defines KAMs as those matters that, in the auditor’s professional judgement,
were of most significance in the audit of the financial statements of the current period.

10.6.1.1 Determining KAMs


Determining what should be disclosed in the current period’s KAMs is a matter of an auditor’s
judgement but would normally take into consideration the factors shown in Exhibit 10.5.

In most instances, KAMs relate to areas of significant management judgements, or
significant events or transactions during the current period. The auditor must then determine
which were the most significant to them during the current audit and communicate them as
KAMs in the auditor’s report.


[Figure: diagram with the labels ‘Matters identified through the audit process’, ‘Matters
communicated to those charged with governance’, ‘Significant risks or high inherent risk
factors determined in line with HKSA 315 (Revised 2019)’, and ‘The most significant
matters = KAMs for the current period’.]

EXHIBIT 10.5 Key audit matters

10.6.1.2 Communicating KAMs


KAMs are described in a separate section of the auditor’s report, under the heading ‘Key Audit
Matters’, using appropriate sub-headings for each KAM.

The introductory language must state that:

• KAMs are those matters that, in the auditor’s professional judgement, were of most
significance in the audit of the financial statements of the current period; and

• The matter(s) identified were addressed in the context of the audit of the financial
statements as a whole and in forming the auditor’s opinion thereon, and the auditor
does not provide a separate opinion on the matter(s).

The description of each KAM must include the following:

• The factors supporting why the matter was considered to be one of the most significant
in the audit and therefore a KAM;

• A reference to any disclosures in the financial statements, which would be by way of
referencing to specific notes where users can read management’s disclosures; and

• How the matter was addressed by the auditor; for example, the approach, an overview
of the audit procedures undertaken, and any relevant observations should be described.

Illustrative Example 7 – Adapted from HKSA 700 (Revised)


Below is an illustration of only the Key Audit Matters component of an auditor’s report.

Key Audit Matters

Key audit matters are those matters that, in our professional judgement, were of
most significance in our audit of the financial statements of the current period. These
matters were addressed in the context of our audit of the financial statements as a
whole and in forming our opinion thereon, and we do not provide a separate opinion on
these matters.



Key Audit Matter – Assessment of Carrying Value of Goodwill

Area of Focus

Refer also to Notes 1(m), 2(b), and 10 (illustration only)

In the prior years, the company/(group) expanded its activities through acquisition of
businesses. As a result, the company’s/(group’s) net assets include a significant amount of
goodwill. Certain of the new and established businesses are (i) early in their life and/or
trading cycles, (ii) trading cycles inconsistent, (iii) value of businesses questionable.
(These three areas are where the engagement team would include the relevant data, so for
the purpose of this illustration various options have been noted for students.) As such,
there is a risk that they may not trade in line with initial expectations and forecasts,
resulting in the carrying amount of goodwill exceeding the recoverable amount and
therefore requiring impairment.

The recoverable amount of each cash generating unit (CGU) has been calculated based on
value-in-use. These recoverable amounts use discounted cash flow forecasts in which the
directors make judgements over certain key inputs, for example, but not limited to,
revenue growth, discount rates applied, long-term growth rates, and inflation rates.
Overall, due to the high level of judgement involved and the significant carrying amounts
involved, we have determined that this is a key judgemental area that our audit
concentrated on.

How our audit addressed it

Our audit procedures included:

• A detailed evaluation of the company’s/(group’s) budgeting procedures (upon which the
forecasts are based) and testing of the principles and integrity of the discounted future
cash flow models.

• Testing the accuracy of the calculation derived from each forecast model and assessing
key inputs into the calculations such as revenue growth, discount rates, and working
capital assumptions, by reference to the board approved forecasts, data external to the
company/(group), and our own views.

• Engaging our own valuation specialists when considering the appropriateness of the
discount rates and the long-term growth rates.

• Reviewing the historical accuracy by comparing actual results with the original forecasts.

We also considered the adequacy of the company’s/(group’s) disclosures in relation to the
impairment testing.

Key Audit Matter – Business Combination

Area of Focus

Refer also to Notes 1(Z) and 20 (illustration only)

The company/(group) acquired ABC Pty Ltd for HK$xxx, which was considered a significant
purchase for the company/(group).

Accounting for this transaction is complex and required significant judgements and
estimates by management:

• To determine the date of acquisition;

• To determine the fair value of assets and liabilities acquired;

• To determine the tax basis for deferred tax assets and liabilities;

• To determine the fair value of deferred consideration;

• To determine the non-controlling interest; and

• To allocate the purchase consideration to goodwill and separately identifiable
intangible assets.

How our audit addressed it

Our audit procedures included:

• Reading the sale and purchase agreement to understand the key terms and conditions of
the acquisition.

• Assessing the intangible assets identified by management for their separability/
contractual basis to allow recognition and assessing whether the measurement basis and
assumptions underlying the estimate of fair values were appropriate.

• Testing the group’s determination of fair values with reference to audited financial
statements/due diligence reports/work performed by our Corporate Finance division/work
performed by a valuer.

• Testing the appropriateness of the deferred consideration.

We assessed the adequacy of the Group’s disclosures in respect of the acquisition.


Apply and Analyse 4


From the opening case, Chloe Cheng, the independent non-executive director, noted her
concerns about the matters that may be disclosed as Key Audit Matters (‘KAMs’), being
the basis for accounting for some of the group’s non-current assets and its share-based
payments to directors. Chloe Cheng has called for a meeting with Quality, the external
auditors, to discuss what they believe are the KAMs for the current period.

Analysis

The determination of what should be disclosed as KAMs is that of the auditor alone.
Quality may need to discuss this with Chloe Cheng. The auditor would normally give
management an early insight into the topics that are likely to be included as KAMs.
Evidence from long form auditor’s reports issued by listed companies that include KAMs
demonstrates that KAMs have been well received by users of the financial statements and
have had a positive impact on the way the auditor’s report has been read.

What if there are no KAMs? If the auditor determines, based on the facts and circumstances
of the entity during the audit, that there are no KAMs (this will be rare), then a statement that
there are no Key Audit Matters to communicate should be included under the heading of Key
Audit Matters.

What happens when a modified auditor’s opinion is issued? Any matter that gives rise to a
modified auditor’s opinion or a material uncertainty related to a going concern is disclosed in the
auditor’s report, and is by its very nature a KAM. However, in these circumstances these matters
should not be described separately as KAMs but rather reference should be made to the Opinion
paragraph in the opening paragraph of the KAMs section.

Illustrative Example 8
In this example, the auditor issued a qualified auditor’s opinion in relation to the carrying
value of an investment in a subsidiary and reported a material uncertainty related to a
going concern.

Key Audit Matters

Key audit matters are those matters that, in our professional judgement, were of most
significance in our audit of the financial report of the current period. This matter was
addressed in the context of our audit of the financial statements as a whole, and in
forming our opinion thereon, and we do not provide a separate opinion on this matter.
In addition to the matter described in the Basis for Qualified Opinion and in the Material
Uncertainty related to Going Concern sections, we have determined that the matter
described below to be the key audit matter to be communicated in our report.

Key Audit Matter – Assessment of Carrying Value of Goodwill


Area of Focus How our audit addressed it
Note: Refer also to notes 1(m), 2(b), and
10 (illustration only)


Ethics in Practice
For an auditor to conclude that a KAM should be disclosed can sometimes entail significant
discussion with management and/or those charged with governance.

This discussion can at times result in pressure being placed on the auditor not to
include a KAM. Auditors must stand their ground in order to meet the requirements of the
HKSA. It is recognised this can sometimes be difficult when a client threatens, for example,
to change auditor after the current audit is complete.

To also meet the ethical principles of integrity, objectivity, professional competence
and due care, and professional behaviour (as defined by Sections 111, 112, 113, and 115 of
the Code of Ethics for Professional Accountants (Revised)), the auditor must not be tempted
to exclude KAMs that would otherwise be included.

Key Learning Point


KAMs are only required to be included in the auditor’s reports for listed entities, with
voluntary application to other entities.

10.6.2 Other Information


HKSA 720 (Revised), The Auditor’s Responsibilities Relating to Other Information, became effective
for audits of financial statements for periods ending on or after 15 December 2016. The revised
standard sees an increase in the expectations of auditors to look at other information. Other
information is the financial or non-financial information (other than the financial statements)
in the annual report. The standard setters needed to address the increasing significance of this
other information.

Annual Reports now include more narrative and qualitative information. Examples are
shown in Exhibit 10.6.

10.6.2.1 Scope of the Standard


HKSA 720 (Revised) is written in the context of an audit of financial statements by an
independent auditor. The auditor’s opinion on the financial statements does not cover the
‘other information’ in the annual report and this auditing standard does not require the auditor
to obtain audit evidence beyond that required to form an opinion on the financial statements.

The standard does, however, require the auditor to obtain in a timely manner the other
information and read and consider it for material inconsistencies with the financial statements
or with the auditor’s knowledge obtained during the course of the audit process. It is important
to note that the auditor does not provide any assurance over other information.

The auditor is expected, for consistency, to consider selected amounts or other items in the
other information where they replicate such amounts or items disclosed in the financial statements.

The auditor must document the procedures they performed and retain on the audit file the
final version of the other information on which the auditor has performed the work.


EXHIBIT 10.6 Examples of information found in annual reports. (Sources: HKEx 2017 Annual Reports, Bank
of China, PetroChina Company Limited and Lenovo Hong Kong Limited.)

10.6.2.2 Response If There Is a Material Misstatement of the Other Information


If the auditor concludes after discussing with management that there is a material
misstatement of other information, the other information should be requested to be changed.
If management are unwilling to make the necessary changes as required by the auditor, the
auditor must consider the possible impact that it might have on the auditor’s opinion.

10.6.2.3 Communication in the Auditor’s Report about Other Information


Note that earlier in the chapter there were a number of specific disclosures required in other
information pertaining to the Companies Ordinance that must be considered for disclosure.


Under the heading Other Information, the following must also be disclosed:

• A statement that management is responsible for the other information;

• Identification of the other information obtained prior to the date of the auditor’s
report (for listed entities the auditor is also required to identify any other information
expected to be obtained after the date of the auditor’s report);

• A statement that the auditor’s opinion does not cover the other information and,
accordingly, the auditor does not express an auditor’s opinion or any other form of
assurance thereon;

• A description of the auditor’s responsibilities relating to reading, considering, and
reporting on other information; and

• When other information has been obtained prior to the date of the auditor’s report,
either a statement should be made that the auditor has nothing to report or a
statement should be made that describes the uncorrected material misstatement of
other information.

10.6.3 Material Uncertainty Related to a Going Concern


As described in Chapter 9 of this module, HKSA 570 (Revised), Going Concern, states that the
auditor’s responsibilities are to obtain sufficient appropriate audit evidence regarding, and
conclude on, the appropriateness of management’s use of the going concern basis of accounting
in the preparation of the financial statements, and to conclude, based on the audit evidence
obtained, whether a material uncertainty exists about the entity’s ability to continue as a
going concern.

In relation to the issue of a going concern, several auditor’s opinion outcomes are
possible. The best way to understand these outcomes is through the questions an auditor
should ask themselves (Exhibit 10.7).

Apply and Analyse 5


Let us look at CWaves Hotels again, but a little differently this time.

CWaves Hotels is a material subsidiary of CWaves Ferry Holding Company Limited.
From the case study background, they have suffered losses for the last three years and
the level of external debt has increased substantially over the last two years. Quality, the
external auditor, needs to determine what impact this may have on the current year’s
auditor’s opinion.

Analysis

The financial statements have been prepared by the directors on a going concern basis
as the directors believe they will be able to pay their debts as and when they fall due,
through expansion and repricing of their accommodation rates. This has been adequately
disclosed in the financial statements. Quality has concluded that the going concern basis of
accounting is appropriate.

On this basis, Quality should issue an unmodified opinion with a Material Uncertainty
related to Going Concern paragraph.


[Figure: flowchart. The boxes, branch labels and outcomes shown in the original figure
are listed below, row by row.]

Row 1
• Did the risk assessment procedures undertaken to meet the requirements of HKSA 315
(Revised 2019) identify any events or conditions that may cast significant doubt on the
entity’s ability to continue as a going concern?
• Is there anything else that comes up during the audit?
• Branches labelled NO and NO lead to: Likely Unmodified Opinion.
• The YES branch leads to Row 2.

Row 2
• Can the auditor obtain through additional audit procedures sufficient appropriate audit
evidence to conclude whether a material uncertainty exists?
• Can management provide sufficient appropriate audit evidence to support their going
concern assessments?
• Branches labelled NO and NO lead to: Likely Disclaimer of Opinion.
• The YES branch leads to Row 3.

Row 3
• Has management prepared the financial statements using the going concern basis of
accounting?
• Is the use of the going concern basis of accounting appropriate?
• Branches labelled NO and YES lead to: Likely Adverse Opinion.
• The YES branch leads to Row 4.

Row 4
• Are appropriate disclosures made in the financial statements relating to a material
uncertainty?
• The NO branch leads to: Likely Qualified Opinion.
• The YES branch leads to: Likely Unmodified Opinion with a Material Uncertainty related
to Going Concern paragraph.

EXHIBIT 10.7 Questions auditors should ask themselves regarding the issue of a going concern

10.6.4 Emphasis of Matter Paragraph


An Emphasis of Matter paragraph, as the name suggests, is a paragraph that is included in the
auditor’s report to direct users of the financial statements to a matter that has been discussed
appropriately in the financial statements. The reasoning for an auditor to draw users’ attention
is that in the auditor’s judgement the matter is of such importance that users should be aware
of it in order to completely understand the financial statements.

HKSA 706 (Revised), Emphasis of Matter Paragraphs and Other Matter Paragraphs in the
Independent Auditor’s Report, defines an Emphasis of Matter paragraph as:

A paragraph included in the auditor’s report that refers to a matter appropriately presented
or disclosed in the financial statements that, in the auditor’s judgement, is of such significance
that it is fundamental to users’ understanding of the financial statements.


What does this mean to the auditor?

• That an Emphasis of Matter paragraph is basically a reference to a matter or a
disclosure in the financial statements;

• By including an additional paragraph, the auditor has highlighted the matter or
disclosure so that it can be applied in the users’ decisions about the financial
statements and the company as a whole; and

• The auditor has decided that to not include the additional paragraph may lead users of
the financial statements to draw incorrect conclusions about the financial statements
and the company as a whole.

The most common reasons for an Emphasis of Matter paragraph to be included in the
auditor’s report are:

• A significant uncertainty surrounding accounting estimates;

• Where a special purpose framework has been used to prepare the financial statements;

• Early application of accounting standards that have a pervasive effect on the financial
statements; or

• Where the prior period’s financial statements have a material error that has been
restated in the current year but did not require a modified opinion to be issued.

Illustrative Example 9
For the purpose of this illustration, reference is made to the opening case study. Hai
Cruising Company has determined that they want to adopt HKFRS 16, Leases, early, given
the number of operating leases they have to finance their cruise ships. The financial
statements clearly disclose the changes, and Quality, the external auditor, has concluded
that an unmodified auditor’s opinion will be issued with the following additional
paragraph.

Emphasis of Matter

We draw attention to Notes X, X, and X (in this case there is likely to be a number of
note disclosures, including the accounting policies note) of the financial statements,
which describe the effects of the early adoption of HKFRS 16, Leases. Our opinion is not
modified in respect of this matter.

10.6.5 Other Matter Paragraph


HKSA 706 (Revised) defines an Other Matter paragraph as:

A paragraph included in the auditor’s report that refers to a matter OTHER than those
presented or disclosed in the financial statements that, in the auditor’s judgement, is relevant
to the users’ understanding of the audit, the auditor’s responsibilities or the auditor’s report.

What does this mean to the auditor?

• The paragraph highlights a matter that has not already been presented in the financial
statements.


• If an Other Matter paragraph is added in an auditor’s report, it will be added after the
opinion paragraph and, if relevant, after an Emphasis of Matter paragraph and Key
Audit Matters. The auditor needs to be wary of the wording when a KAM covers similar
topics. This can usually be achieved by giving more detail in the heading of the Other
Matter paragraph.

The most common reasons for an Other Matter paragraph to be included in the auditor’s
report are:

• A case of non-compliance with laws and regulations identified through the audit
process. These matters, if not resolved, can now be reported under the revised
requirements on non-compliance with laws and regulations in the revised Code of
Ethics for Professional Accountants;

• When the comparative information was audited by another auditor, also highlighting
the opinion given; and

• When a new or amended auditor’s report has been issued after the discovery of
material subsequent events, and also if in these cases management has not amended
the financial statements, a statement to that effect should be included.

Knowledge Check Questions

Question 13
Identify which of the following describes when KAMs are required to be included in an
auditor’s report.
A All auditor’s reports required to be issued by the Companies Ordinance.
B All public interest entities.
C All auditor’s reports where the auditor’s opinion has been modified.
D All listed companies.

Question 14
When an adverse auditor’s report is issued for a listed company, advise what effect this has
on the introductory paragraph to Key Audit Matters.

Question 15
Under the heading Other Information, determine what needs to be disclosed in the
auditor’s report.

Question 16
If the auditor deems an Other Matter paragraph is required for a Listed Company, advise
where in the auditor’s report the Other Matter paragraph should be placed.
A After the opinion but before the Key Audit Matters.
B After the auditor’s responsibility paragraphs.
C As part of the other information paragraph.
D After the auditor’s opinion and after the Key Audit Matters.



Question 17
Advise when auditors generally use Emphasis of Matter paragraphs.

Question 18
Describe the key differences between an Other Matter paragraph and an Emphasis of
Matter paragraph.

10.7 AUDITOR REPORTING ON OPENING BALANCES

10.7.1 First Year Audit for the Existing Auditor


HKSA 710, Comparative Information – Corresponding Figures and Comparative Financial
Statements, deals with the auditor’s responsibilities relating to comparative information in an
audit of financial statements when the financial statements of the prior year have been audited
by a predecessor auditor or were not audited. Reference will also be made to HKSA 510, Initial
Audit Engagements – Opening Balances.

The nature of the comparative information that is presented in the company’s financial
statements can vary depending on the requirements of the applicable financial reporting
framework. In Hong Kong, however, financial statements of companies incorporated under
the provisions of the Companies Ordinance are required to disclose comparative amounts as
required under the applicable accounting standards.

Appendix 16 to the Main Board Rules and Chapter 18.07(5) of the GEM Listing Rules,
Governing the Main Board Listing Rules, require financial statements of listed issuers to
include comparative figures for the balance sheet, income statement, cash flow statement, and
statement of changes in equity for the corresponding previous period. ‘Comparative figures’
referred to by the Main Board Listing Rules and GEM Listing Rules give the corresponding
figures as described in HKSA 710.

Corresponding figures are defined as comparative information where amounts and other
disclosures for the prior period are included as an integral part of the current period’s financial
statements and are intended to be read only in relation to the amounts and other disclosures
relating to the current period (referred to as ‘current period figures’). The level of detail
presented in the corresponding amounts and disclosures is dictated primarily by its relevance
to the current period figures.

10.7.1.1 Corresponding Figures Not Audited


The auditor shall obtain sufficient appropriate audit evidence about whether the corresponding
figures contain misstatements that materially affect the current period’s financial statements.
In the case where the corresponding figures were not audited, the auditor will need to perform
one or more of the following:

• Evaluate whether audit procedures in the current period provide sufficient appropriate
audit evidence regarding the corresponding figures; or

• Perform specific audit procedures to obtain sufficient appropriate audit evidence
regarding the corresponding figures.

The nature and extent of audit procedures necessary to obtain sufficient and appropriate
audit evidence regarding corresponding figures will vary depending on:

• The nature of the account balances, classes of transactions and disclosures, and where
the risk lies with material misstatements in the current period’s financial statements.

• The significance or materiality of the corresponding figures to the current period’s
financial statements.

• The accounting policies of the auditee.

Exhibit 10.8 shows what should be provided based on the amount of appropriate audit
evidence obtained.

Sufficient appropriate audit evidence obtained that corresponding figures are not materially misstated.
→ Unmodified Opinion with an Other Matter paragraph advising that the corresponding figures were unaudited.

Sufficient appropriate audit evidence was not obtained and corresponding figures are materially misstated but not pervasive to the financial statements as a whole.
→ Qualified Opinion with an Other Matter paragraph advising that the corresponding figures were unaudited.

Sufficient appropriate audit evidence was not obtained, and corresponding figures are materially misstated and pervasive to the financial statements as a whole.
→ Disclaimer of Opinion with an Other Matter paragraph advising that the corresponding figures were unaudited.

EXHIBIT 10.8 Current period reporting

Illustrative Example 10
Winner Company is a company that has grown significantly due to a new contract
providing support services to the Sha Tin Racing Course. The company must now,
under the provisions of the Companies Ordinance, have its financial statements audited.
The corresponding figures have not previously been subject to audit.

The existing auditor has undertaken audit procedures endeavouring to obtain
sufficient appropriate audit evidence to determine whether the corresponding figures
contain material misstatements. The auditor’s endeavours were unsuccessful and
the auditor is therefore unable to obtain sufficient appropriate audit evidence on the
corresponding figures for either financial performance or the financial position.

The inability to obtain sufficient appropriate audit evidence regarding corresponding
figures is considered by the auditor to be both material and pervasive to the financial
statements. The opinion would therefore look like this.

INDEPENDENT AUDITOR’S REPORT (only illustrating the auditor’s opinion and basis
for opinion)

To the members of Winner Company

(incorporated in Hong Kong with limited liability)

Report on the Audit of the Consolidated Financial Statements

Disclaimer of Opinion

We were engaged to audit the consolidated financial statements of Winner Company and
its subsidiaries (‘the Group’) set out on pages . . . to . . ., which comprise the consolidated
statement of financial position as at 31 December 20X1, and the consolidated statement
of profit or loss and other comprehensive income, consolidated statement of changes in
equity and consolidated statement of cash flows for the year then ended, and notes to the
consolidated financial statements, including a summary of significant accounting policies.

We do not express an opinion on the consolidated financial statements of the Group.
Because of the significance of the matter described in the Basis for Disclaimer of Opinion
section of our report, we have not been able to obtain sufficient appropriate audit evidence
to provide a basis for an audit opinion on these consolidated financial statements. In all
other respects, in our opinion the consolidated financial statements have been properly
prepared in compliance with the Companies Ordinance.

Basis for Disclaimer of Opinion

The previous financial report was not audited. We were unable to satisfy ourselves
by alternative means concerning a number of corresponding figures disclosed in the
consolidated statement of the financial position, the consolidated statement of profit
or loss and other comprehensive income, consolidated statement of changes in equity,
and consolidated statement of cash flows as corresponding figures. Whilst we were
satisfied with the material accuracy of amounts recorded in the consolidated statement
of financial position at 31 December 20X1, the impact of the corresponding figures on the
current period consolidated statement of profit or loss and other comprehensive income,
consolidated statement of changes in equity, and consolidated statement of cash flows
prevents us from forming an opinion on the financial statements as a whole.

10.7.1.2 Corresponding Figures Were Audited by a Predecessor Auditor


In the case where the corresponding figures were audited by a predecessor auditor, the
existing auditor will need to perform one or more of the following:

• Review the predecessor auditor’s working papers to obtain sufficient appropriate audit
evidence regarding the corresponding figures;

• Evaluate whether audit procedures in the current period provide sufficient appropriate
audit evidence regarding the corresponding figures; or

• Perform specific audit procedures to obtain sufficient appropriate audit evidence
regarding the corresponding figures.

Reviewing the predecessor auditor’s audit file can be an effective and efficient way of
obtaining sufficient appropriate audit evidence on opening balances. However, the existing
auditor must make a formal assessment of the professional competence and independence
of the predecessor auditor in determining the level of reliance that can be placed on the work
previously performed.

For current period reporting, we will assume that the predecessor auditor issued an
unmodified auditor’s opinion and that was the appropriate opinion in the existing auditor’s
view. Exhibit 10.9 shows what should be provided based on the amount of appropriate audit
evidence obtained.

Sufficient appropriate audit evidence was obtained that found corresponding figures are not materially
misstated.
→ Unmodified Opinion with an Other Matter paragraph advising that the corresponding figures
were audited by a predecessor auditor and an unmodified opinion was issued and on what date.

EXHIBIT 10.9 Current period reporting

10.7.2 Prior Period Auditor’s Report Modifications to Be Assessed by Existing Auditor

In the case where the corresponding figures were audited by a predecessor auditor and the
predecessor auditor modified their auditor’s opinion, the existing auditor will need to evaluate
the effect of the matter giving rise to the modification in assessing the risks of a material
misstatement in the current period’s financial statements.

• Example 1: Predecessor auditor issued a Qualified auditor’s opinion.

If the matter causing the predecessor auditor to qualify is not resolved and the auditor
determines that the matter affects the current period’s financial performance or
position, the existing auditor will need to determine whether to repeat the qualification
or issue a further basis for qualification depending on the results of the review of the
predecessor’s audit file and audit procedures undertaken by the existing auditor of the
corresponding figures.

If the matter causing the predecessor auditor to qualify is resolved, assuming
no other circumstances have arisen as a result of audit procedures undertaken on
the corresponding figures by the existing auditor, the existing auditor could issue an
unmodified auditor’s opinion. The existing auditor may consider including an Emphasis
of Matter paragraph referencing the note disclosure containing details of how the
matter resulting in the qualified auditor’s opinion has been resolved.

• Example 2: Predecessor auditor issued an Adverse auditor’s opinion.

• Example 3: Predecessor auditor issued a Disclaimer of opinion.

The thought process for the auditor is the same as applied in Example 1.

Apply and Analyse 6


During a meeting with the chief executive officer (CEO) of CWaves, Quality wanted to probe
management’s views on the qualification by the predecessor auditor relating to the level of
impairment against goodwill, in order to determine the potential impact this may have on
the current period’s financial statements.

Analysis

Quality undertook a review of the predecessor auditor’s audit files. The predecessor
auditor was assessed by Quality to be a well-known firm and a member of HKICPA. Quality
assessed the independence of the predecessor auditor and concluded that there were no
impairments to independence. Quality also concluded that they could place reliance on the
predecessor’s audit procedures and conclusions, and documented this assessment and
conclusion in the audit file.

Quality did not identify any further potential areas for misstatement with the
corresponding figures.

During the current period, the basis for the qualification has been resolved in that
a number of uncertainties in the discounted cash flow model adopted by management
to determine whether an impairment existed were appropriate and would remain
appropriate in the current period.

Quality now believes it has sufficient appropriate audit evidence to issue an
unmodified auditor’s opinion. Quality will include an Emphasis of Matter paragraph as the
CEO wishes to disclose the reasons why the issue has been resolved in the notes to the
financial statements. Quality will, in an Other Matter paragraph, state that the financial
statements for the prior period were audited by the predecessor auditor and that the
opinion was qualified and for what reason and state the date of the report.

Knowledge Check Questions

Question 19
Identify which of the following prior period disclosures are classified as in Hong Kong.
A Prior period comparatives.
B Corresponding figures.
C Corresponding numbers.
D Prior period figures.

Question 20
Compare the difference in obtaining sufficient appropriate audit evidence when
corresponding figures have and when they have not been audited.

10.8 REVIEW OPINIONS FOR INTERIM FINANCIAL STATEMENTS

HKSRE 2410, Review of Interim Financial Information Performed by the Independent Auditor of the
Entity, is directed towards a review of interim financial information.

The Main Board Listing Rules and GEM Listing Rules require that a listed issuer prepares
a report on interim financial information in respect of the first six months of its financial year
in line with the requirements of HKAS 34, Interim Financial Reporting. The interim financial
information shall include, at a minimum, the following components:

• A balance sheet;

• An income statement;

• A cash flow statement;

• A statement of changes in equity;

• Comparative figures for the statements referred to above; and

• Accounting policies and explanatory notes.

The Listing Rules do not require a report on interim financial information to be reviewed by
the auditor. If an auditor is engaged to conduct a review of the interim financial information,
they should follow the requirements of HKSRE 2410, Review of Interim Financial Information
Performed by the Independent Auditor of the Entity.

Chapter 12, Other Assurance Engagement Requirements, outlines the auditors’
responsibilities when conducting review engagements in line with HKSRE 2410.

10.8.1 Reporting the Nature, Extent, and Results of the Review of Interim Financial Information

The auditor will issue a written report that contains the following:

1. An appropriate title, for example Report on Review of Interim Financial Information,
Independent Auditor’s Review Report.

2. An addressee as required by the circumstances of the engagement.

3. Identification of the interim financial information reviewed, including identification
of the title of each of the statements contained in the complete or condensed set
of financial statements and the date and period covered by the interim financial
information.

4. If the interim financial information comprises a complete set of general-purpose
financial statements prepared in accordance with a financial reporting framework
designed to achieve fair presentation, a statement that management is responsible for
the preparation and fair presentation of the interim financial information in accordance
with HKFRSs.

5. In other circumstances, a statement that management is responsible for the
preparation and presentation of the interim financial information in accordance
with HKFRSs.

6. A statement that the auditor is responsible for expressing a conclusion on the interim
financial information based on the review.

7. A statement that the review of the interim financial information was conducted in
accordance with HKSRE 2410, Review of Interim Financial Information Performed by the
Independent Auditor of the Entity, and a statement that such a review consists of making
inquiries, primarily of persons responsible for financial and accounting matters, and
applying analytical and other review procedures.

8. A statement that a review is substantially less in scope than an audit conducted in
accordance with HKSAs and consequently does not enable the auditor to obtain
assurance that the auditor would become aware of all significant matters that might be
identified in an audit and that accordingly no auditor’s opinion is expressed.

9. If the interim financial information comprises a complete set of general-purpose
financial statements prepared in accordance with HKFRSs designed to achieve fair
presentation, a conclusion as to whether anything has come to the auditor’s attention
that causes the auditor to believe that the interim financial information does not give a
true and fair view, or does not present fairly, in all material respects, in accordance with
HKFRSs (including a reference to the jurisdiction or country of origin of the financial
reporting framework when the financial reporting framework used is not based on
HKFRSs); or

10. In other circumstances, a conclusion as to whether anything has come to the auditor’s
attention that causes the auditor to believe that the interim financial information is not
prepared, in all material respects, in accordance with HKFRSs (including a reference
to the jurisdiction or country of origin of the financial reporting framework when the
financial reporting framework used is not HKFRSs).

11. The date of the report.

12. The location in the country or jurisdiction where the auditor practises.

13. The auditor’s signature.

It should be noted that the form of the conclusion can be any one of those explored in
Section 10.4, Form of Opinion.

10.8.2 Differences between an Auditor’s Opinion and an Auditor’s Conclusion

The resulting report from the auditor and level of assurance is driven by the difference
between an audit and a review.

An audit is a detailed process that provides a high level of assurance to the users of
financial reports. The objective of an audit of financial statements is to enable the auditor to
express an opinion whether the financial statements are prepared, in all material respects, in
accordance with HKFRSs. When forming an opinion on the financial statements the auditor
needs to evaluate whether, based on the audit evidence obtained, there is reasonable
assurance about whether the financial statements taken as a whole are free from material
misstatement.

A review, in contrast to an audit, is not designed to obtain reasonable assurance that the
interim financial statements are free from material misstatement.

A review consists of making inquiries, primarily of persons responsible for financial and
accounting matters, and applying analytical and other review procedures. A review may bring
significant matters affecting the interim financial statements to the auditor’s attention, but it
does not provide all of the evidence that would be required in an audit.

The objective of a review of interim financial statements differs significantly from that
of an audit conducted in accordance with Auditing Standards. A review of interim financial
statements does not provide a basis for expressing an opinion whether the financial
statements give a true and fair view, in all material respects, in accordance with HKFRSs.

The objective of an engagement to review interim financial statements is to enable the
auditor to express a conclusion whether, on the basis of the review, anything has come to the
auditor’s attention that causes the auditor to believe that the interim financial statements are
not prepared, in all material respects, in accordance with HKFRSs (Exhibit 10.10).

Level of assurance
Audit: A reasonable or high level of assurance is about whether the financial statements as a whole are free from material errors or fraud. Reasonable or high assurance is not absolute assurance.
Review: Limited assurance is about whether the financial statements as a whole are free from material errors or fraud. Limited assurance is less than reasonable assurance.

Report provided
Audit: Independent Auditor’s Report. Opinion is expressed in a positive form, e.g. ‘The financial statements are free from material misstatement.’
Review: Independent Review Report. Conclusion is expressed in a negative form, e.g. ‘Nothing has come to our attention that causes us to believe that the financial statements are not free from material misstatement.’

Nature of procedures
Audit: Procedures normally involve detailed tests of accounting records using techniques such as inspection, observation, confirmation, recalculation and re-performance, as well as inquiry and analytical review.
Review: Procedures are primarily based on inquiry and analytical review.

EXHIBIT 10.10 Differences between an audit and a review

Knowledge Check Questions

Question 21
Identify which of the following interim financial information the auditor does not have
to opine on.
A Accounting policy note regarding revenue recognition.
B Statement of financial position.
C A statement of changes in equity.
D Compliance with HKFRSs.

Question 22
Determine what the auditor must state in relation to the scope of work conducted for
interim financial statements.

Question 23
List the key differences between an auditor’s opinion and an auditor’s review report
conclusion.

10.9 AUDITOR REPORTING ON SPECIAL PURPOSE FRAMEWORKS

10.9.1 Auditor’s Report Format in Line with HKSA 800 (Revised)


The reference standard is HKSA 800 (Revised), Special Considerations – Audits of Financial
Statements Prepared in Accordance with Special Purpose Frameworks. This HKSA is written in the
context of a complete set of financial statements prepared with a special purpose framework.

When forming an opinion and reporting on special purpose financial statements, the
auditor shall apply the requirements of HKSA 700 (Revised); the main difference comes in the
description of the applicable financial reporting framework.

HKSA 700 (Revised) requires an auditor to refer to or describe the applicable financial
reporting framework. Typically, in Hong Kong examples of special purpose frameworks for the
purpose of application of HKSA 800 (Revised) would include, but not be limited to, financial
reporting provisions of a contract, provisions established by a regulator such as the Hong Kong
Monetary Authority, or other governance requirements, such as school audits conducted under
the requirements of the Education Ordinance.

HKSA 700 (Revised), as has been described throughout this chapter, deals with the form and
content of the auditor’s report, including the specific ordering for certain elements. In the case
of an auditor’s report on special purpose financial statements:

• The auditor’s report shall also describe the purpose for which the financial statements
are prepared and, when deemed appropriate, the intended users. Alternatively, if
a note in the special purpose financial statements describes this, reference to the
applicable note; and

• If management makes a determination as to the appropriate financial reporting
framework, then the Responsibilities of Management and Those Charged with
Governance section of the auditor’s report shall make reference to management’s
responsibility for determining the financial reporting framework and its acceptability in
the circumstances.

The auditor’s report shall also include an Emphasis of Matter paragraph alerting the user
of the auditor’s report that the financial statements have been prepared in accordance with a
special purpose framework, and as a result the financial statements may not be suitable for any
other purpose. In the Emphasis of Matter paragraph, the auditor may determine it appropriate
to indicate that the auditor’s report is intended solely for the specific users.

Illustrative Example 11

INDEPENDENT AUDITOR’S REPORT (only Illustrating the Auditor’s Opinion and Basis
for Opinion)

To XX Authority

(incorporated in Hong Kong with limited liability)

Opinion

We have audited the financial statements of ABC Company (‘the Company’) set out on
pages . . . to . . ., which comprise the statement of financial position as at 31 December
20X1, and the profit and other comprehensive income, statement of changes in equity and
statement of cash flows for the year then ended, and notes to the financial statements,
including a summary of significant accounting policies.

In our opinion, the financial statements give a true and fair view of the financial position
of the Company as at 31 December 20X1 and of its financial performance and its cash flows
for the year then ended in accordance with the financial reporting provisions of Section A of
XX Authority Regulation C.

Basis for Opinion

We conducted our audit in accordance with Hong Kong Standards on Auditing
(‘HKSAs’) issued by the Hong Kong Institute of Certified Public Accountants (‘HKICPA’).
Our responsibilities under those standards are further described in the Auditor’s
Responsibilities for the Audit of the Financial Statements section of our report. We
are independent of the Company in accordance with the HKICPA’s Code of Ethics
for Professional Accountants (‘the Code’) and we have fulfilled our other ethical
responsibilities in accordance with the Code. We believe that the audit evidence we have
obtained is sufficient and appropriate to provide a basis for our opinion.

Emphasis of Matter – Basis of Accounting

We draw attention to Note X of the financial statements, which describes the basis of
accounting. The financial statements are prepared to assist the Company to meet the
requirements of XX Authority. As a result, the financial statements may not be suitable for
another purpose. Our opinion is not modified in respect of this matter.

10.9.2 Auditor’s Report Format on Other Than Complete Financial Statements

HKSA 805 (Revised), Special Considerations – Audits of Single Financial Statements and Specific
Elements, Accounts or Items of a Financial Statement, and HKSA 810 (Revised), Engagements to
Report on Summary Financial Statements, are the reference standards.

10.9.2.1 Audits of Single Financial Statements and Specific Elements, Accounts, or Items of a Financial Statement

HKSA 210, Agreeing the Terms of Audit Engagements, requires that the agreed terms of the audit
engagement include the expected format of any reports to be issued by the auditor. This
extends to the auditor considering whether the expected form of opinion is appropriate in the
circumstances.

When forming an opinion, HKSA 700 (Revised) and, when applicable, HKSA 800 (Revised)
should be adapted and used.

If the auditor undertakes an engagement to report on a single financial statement or on a
specific element of a financial statement in conjunction with an engagement to audit the entire
set of financial statements, the auditor will need to express separate opinions.

The auditor will need to consider the implications, for the audit of the single financial
statement or the specific element of a financial statement, if any of the following matters
are included in an auditor’s report on the entire set of financial statements:

• A modified auditor’s opinion issued in accordance with HKSA 705 (Revised);

• An emphasis of matter paragraph or an other matter paragraph issued in accordance
with HKSA 706 (Revised);

• A material uncertainty related to a going concern section in accordance with HKSA 570
(Revised);

• Communication of KAMs in accordance with HKSA 701; or

• A statement that describes an uncorrected material misstatement of the other
information in accordance with HKSA 720 (Revised).

It should be noted that the auditor shall not express an unmodified opinion on a single
financial statement or on a specific element of a financial statement of an entire set of financial
statements if the auditor has expressed an adverse opinion or disclaimed an opinion. This is the
case even when the auditor’s report on the single financial statement is not published together.

Illustrative Example 12

INDEPENDENT AUDITOR’S REPORT (Only Illustrating the Auditor’s Opinion and Basis
for Opinion)

To the Shareholders of DEF Company

Opinion

We have audited the accounts receivable schedule of DEF Company (‘the Company’) as at
31 December 20X1 (‘the schedule’).

In our opinion, the financial information in the schedule of the Company as at 31
December 20X1 is prepared, in all material respects, in accordance with the operating
agreement with the Customer Company.

Basis for Opinion

We conducted our audit in accordance with Hong Kong Standards on Auditing
(‘HKSAs’) issued by the Hong Kong Institute of Certified Public Accountants (‘HKICPA’).
Our responsibilities under those standards are further described in the Auditor’s
Responsibilities for the Audit of the Schedule section of our report. We are independent of
the Company in accordance with the HKICPA’s Code of Ethics for Professional Accountants
(‘the Code’) and we have fulfilled our other ethical responsibilities in accordance with the
Code. We believe that the audit evidence we have obtained is sufficient and appropriate to
provide a basis for our opinion.

Emphasis of Matter – Basis of Accounting and Restriction on Distribution

We draw attention to Note X to the schedule, which describes the basis of accounting. The
schedule is prepared to assist the Company to meet the requirements of the operating
agreement with the Customer Company. As a result, the schedule may not be suitable for
another purpose. Our report is intended solely for the Company and Customer Company
and should not be distributed to parties other than the Company or Customer Company.
Our opinion is not modified in respect of this matter.

10.9.2.2 Engagements to Report on Summary Financial Statements


HKSA 810 (Revised) deals with auditor’s responsibilities relating to an engagement to report on
summary financial statements derived from financial statements audited in accordance with
HKSAs by the same auditor.

Companies Ordinance, Section 439, allows the directors of a company to prepare for a
financial year, a financial report, in summary form, derived from the reporting documents for
the financial year. Under Section 441, the summary financial report may be sent to a member
instead of the full set of reporting documents otherwise required under Section 430 and within
the same timeframe.

The HKEx main board listing rule 13.46 states that an issuer may send a copy of its
summary financial report to a member and a holder of its listed securities in place of a copy
of its annual report and accounts, provided that it complies with the relevant provisions set
out in Sections 437 to 446 of the Companies Ordinance. The GEM Listing Rules have the same
requirements.

Cap.622E Companies (Summary Financial Reports) Regulation needs to be read in light of
the Companies Ordinance for summary financial statements as this regulation sets out both the
requirements of directors in terms of form and contents of a summary financial report and
auditor’s report and opinion.

Paragraph 4 requires the following to be included in the auditor’s report:

1. A summary financial report for a financial year of a company must:

a. Contain a statement from the company’s auditor as to whether the auditor’s report
for that financial year is qualified or otherwise modified, or includes a reference
to any matter to which the auditor drew attention by way of emphasis without
qualifying the report; and

b. If the auditor’s report is qualified or otherwise modified, set out the full auditor’s
report and any further material necessary for the understanding of the qualification
or other modification.

2. If the auditor’s report of a company contains a statement that, in the auditor’s opinion,
the financial statements for a financial year of the company have not been properly
prepared in compliance with the Ordinance and, in particular:

a. A true and fair view of the financial position and financial performance of the
company in accordance with the reporting framework has not been given; or

b. For a company that is required to prepare annual consolidated financial statements,
a true and fair view of the financial position and financial performance of the
company, and all the subsidiary undertakings, as a whole, in accordance with the
reporting framework, has not been given, a summary financial report for that
financial year must contain that statement.

3. If the auditor’s report of a company contains a statement that, in the auditor’s opinion,
the information in a directors’ report for a financial year is not consistent with the
financial statements for the financial year, a summary financial report for that financial
year must contain that statement.

4. If the auditor’s report for a financial year of a company contains:

a. A statement that, in the auditor’s opinion:

(i) Adequate accounting records have not been kept by the company; or

(ii) The company’s financial statements are not in agreement with its accounting
records in any material respect;

b. A statement that the auditor has failed to obtain all the information or explanations
that, to the best of the auditor’s knowledge and belief, are necessary and material
for the purpose of the audit; and

c. A statement giving the particulars that are required to be, but have not been,
contained in the financial statements, as required by Section 407(4) of the
Ordinance, a summary financial report for that financial year must contain those
statements.

4. A summary financial report of a company must contain an opinion from the company’s
auditor as to whether:

a. The report is consistent with the reporting documents from which the report is
derived; and

b. The report complies with the requirements of this Part.

In addition to these requirements for the auditor’s report, HKSA 810 (Revised) requires a
number of further elements to be disclosed:

• A title clearly indicating that it is the report of an independent auditor.

• An addressee.

• Identification of the summary financial statements on which the auditor is reporting,
including the title of each statement included in the summary financial statements.

• Identification of the audited financial statements.

• A clear expression of an opinion (except where an adverse or disclaimer of opinion
has been issued; in these circumstances the auditor would need to state that it is
inappropriate to express an opinion on the summary financial statements).

• A clear statement that the summary financial statements do not contain all the
disclosures required by HKFRSs applied in the preparation of the audited financial
statements and that reading the summary financial statements and the auditor’s
report thereon is not a substitute for reading the audited financial statements and the
auditor’s report thereon.

• Where applicable, if the auditor’s opinion on the summary financial statements is issued
after the date of the auditor’s report on the financial statements, the auditor’s report
on the summary financial statements shall state that the summary financial statements
and the financial statements do not reflect the effects of events that occurred
subsequent to the date of the auditor’s report on the audited financial statements.

Apply and Analyse 7


Chloe Cheng, an independent non-executive director of CWaves, has decided that she
wants to provide members of CWaves with summary financial statements in line with
Section 439 of the Companies Ordinance and HKEx listing rule 13.46. Chloe wants the
auditor’s report on the summary financial statements to be signed on the same date as the
auditor’s report on the financial statements. Quality must present a draft of their proposed
report on the summary financial statements.

Analysis

The audit partner provided the following draft to Chloe Cheng based on the illustrations
that he found at the back of HKSA 810 (Revised).

REPORT OF THE INDEPENDENT AUDITOR ON THE SUMMARY FINANCIAL REPORT


To the Members of CWaves Ferry Holding Company Limited

(incorporated in Hong Kong with limited liability)

Opinion

The summary consolidated financial report of CWaves Ferry Holding Company Limited
(‘the Group’), set out on pages . . . to . . ., includes the summary consolidated financial
statements of the Group for the year ended 31 December 20X1. The summary consolidated
financial statements of the Group, set out on pages . . . to . . ., which comprise the summary
consolidated statement of financial position as at 31 December 20X1, the summary
consolidated statement of comprehensive income and summary consolidated income
statement, consolidated summary statement of changes in equity and consolidated
summary statement of cash flows for the year then ended, and related notes are derived
from the audited consolidated financial statements of the Group for the year ended 31
December 20X1. In our opinion, the summary financial report:

(a) Is consistent with the annual financial statements and the auditor’s report thereon
and the directors’ report of the Company for the year ended 31 December 20X1
from which it is derived; and

(b) Complies with the requirements of Part 2 of the Companies (Summary Financial
Reports) Regulation.

Summary Financial Statements

The summary consolidated financial statements included in the summary consolidated
financial report do not contain all the disclosures required by Hong Kong Financial
Reporting Standards issued by the Hong Kong Institute of Certified Public Accountants.
Reading the summary consolidated financial statements and the auditor’s report on the
summary consolidated financial report, therefore, is not a substitute for reading the audited
consolidated financial statements and the auditor’s report thereon.

The Audited Consolidated Financial Statements and Our Report Thereon

We expressed an unmodified opinion on the audited consolidated financial statements in our
report dated 15 February 20X2. That report also includes the communication of key audit
matters. Key audit matters are those matters that, in our professional judgement, were of
most significance in our audit of the consolidated financial statements of the current period.

Directors’ Responsibility for the Summary Consolidated Financial Report

Under the Companies Ordinance, the directors are responsible for the preparation
of the summary consolidated financial report in accordance with Section 439 of the
Companies Ordinance and the Companies (Summary Financial Reports) Regulation.
In preparing the summary consolidated financial report, Sections 3(1) and (2) of
the Companies (Summary Financial Reports) Regulation require that the summary
consolidated financial report must contain the information derived from the annual
consolidated financial statements and the auditor’s report thereon and the directors’ report
for the year ended 31 December 20X1 and contain such information and particulars set out
in Sections 3(3), 5, and 6 of the Companies (Summary Financial Reports) Regulation and be
approved by the board of directors.

Auditor’s Responsibility

Our responsibility is to express an opinion on whether the summary consolidated financial
report is consistent with the annual consolidated financial statements and the auditor’s
report thereon and the directors’ report, and complies with the requirements of Part 2 of the
Companies (Summary Financial Reports) Regulation, based on our procedures, which were
conducted in accordance with Hong Kong Standard on Auditing 810 (Revised), Engagements
to Report on Summary Financial Statements, issued by the Hong Kong Institute of Certified
Public Accountants. We are also required to state whether the auditor’s report on the annual
consolidated financial statements for the year ended 31 December 20X1 is qualified or
otherwise modified.

The engagement partner on the audit resulting in this independent auditor’s report is
Jianji Ling.

Signature

Quality Auditors

Certified Public Accountants (Practising)

Hong Kong Building, Queens Road, Central

15 February 20X2

Knowledge Check Questions

Question 24
Identify which of the following statements would not be made in the independent auditor’s
report on a special purpose framework for a full set of financial statements.
A The financial statements can be relied upon by all users.
B The audit was conducted in accordance with HKSA.
C The auditor is independent.
D True and fair view.

Question 25
Identify which of the following the auditor must further state if the auditor’s opinion on the
summary financial statements is not signed on the same date as the auditor’s report on
the financial statements:
A No subsequent events are reflected in the summary financial statements that occurred
after the date of the summary financial statements.
B The identity of the summary financial statements.
C No subsequent events are reflected in the summary financial statements that occurred
after the date of the financial statements.
D The date of the auditor’s opinion on the summary financial statements.

10.10 AUDITOR’S REPORTING ON SMALL- AND MEDIUM-SIZED ENTITIES

The Small and Medium-Sized Entity Financial Reporting Framework (‘revised SME-FRF’) and Financial
Reporting Standard (‘revised SME-FRS’) form the accounting standard that is the reference point
for the audit of small- and medium-sized entities. PN 900 (Revised), Audit of Financial Statements
Prepared in Accordance with the Small and Medium-sized Entity Financial Reporting Standard, is the
auditor’s reference point.

In accordance with the revised SME-FRF:

(a) A company incorporated under the new Companies Ordinance or predecessor
Companies Ordinance (Cap.32) qualifies for reporting under the revised SME-FRF if it
satisfies the criteria set out in Section 359 of the new Companies Ordinance and the
sections and Schedules to which that section refers.

Specifically:

(i) Section 359(1)(b) brings forward the qualifying criteria that were previously found
in Section 141D of the predecessor, the Companies Ordinance, relating to private
companies that do not have subsidiaries and are not a subsidiary of another
company. These companies (unless they fall within the types of companies listed
in Section 359(4)) are eligible for the reporting exemption, provided that each year
they obtain 100% approval in writing from their members.

(ii) The remainder of Section 359 introduces three additional categories of entities
(or groups) that fall within the reporting exemption if they meet certain criteria
relating to the type of entity, the size of the entity, and in certain cases the need for
member approval (15 February 20X2).

(b) An entity that is not a company incorporated under either the new Companies Ordinance
or the predecessor, the Companies Ordinance, subject to any specific requirements
imposed by the law of the entity’s place of incorporation and subject to its constitution,
qualifies for reporting under the revised SME-FRF when the entity meets the same
requirements that a Hong Kong incorporated entity is required to meet under
Section 359 of the new Companies Ordinance.

The new Companies Ordinance permits private companies and companies limited by
guarantee to take advantage of a ‘reporting exemption’ if they meet certain qualifying criteria
set out in Section 359. The reporting exemption takes the form of an exemption from certain of
the requirements for the contents of the directors’ report and financial statements that would
apply if the entities did not qualify for the exemption.

Of these exemptions, the most significant one for the purposes of the revised SME-FRF
and SME-FRS is the exemption from the requirement for the financial statements to give a true
and fair view as set out in Section 380(7) of the new Companies Ordinance. Instead of preparing
financial statements under the fair presentation framework, financial statements prepared
by entities taking advantage of the reporting exemption are required to be properly prepared
in accordance with the revised SME-FRF and SME-FRS as these are the applicable accounting
standards for such companies for the purposes of complying with Section 380(4)(b). With
reference to paragraph 13(a) of HKSA 200 Overall Objectives of the Independent Auditor and the
Conduct of an Audit in Accordance with Hong Kong Standards on Auditing, the revised SME-FRF is
considered to be a compliance framework.

Regardless of whether a company falls or does not fall within the reporting exemption, the
auditor of the company is required under Section 406 of the new Companies Ordinance to opine
in the auditor’s report on whether the financial statements have been properly prepared in
compliance with the new Companies Ordinance. In accordance with the Hong Kong Framework
for Assurance Engagements, this is a form of ‘reasonable assurance’ as the auditor is required to
express a positive form of conclusion.

10.10.1 Auditor’s Report


HKSA 700 (Revised) applies to the audit of the financial statements prepared in accordance
with the revised SME-FRS. An auditor should also refer to HKSA 705 (Revised) and HKSA 706
(Revised) in the independent auditor’s report if necessary.

In an auditor’s report on the financial statements prepared in accordance with the
revised SME-FRS, the auditor expresses an opinion as to whether the financial statements are
prepared, in all material respects, in accordance with the revised SME-FRS.

In addition, regardless of whether a company falls or does not fall within the reporting
exemption, the auditor of the company is required under Sections 406 and 407 to opine in the
auditor’s report:

(i) If, in the opinion of the auditor, the information in a directors’ report is not consistent
with the financial statements; and

(ii) On certain other matters, as and when necessary. As noted earlier in this chapter,
guidance on these reporting requirements is provided in PN 600.1 (Revised).

Illustrative Example 13

INDEPENDENT AUDITOR’S REPORT (Only Illustrating the Auditor’s Opinion and Basis
for Opinion)

To the Members of SME Limited

(incorporated in Hong Kong with limited liability)

Report on the Audit of the Financial Statements


Opinion

We have audited the financial statements of SME Limited (‘the Company’) set out on
pages . . . to . . ., which comprise the statement of the financial position as at 31 December
20X1, the income statement and cash flow statement for the year then ended, and notes
to the financial statements, including a summary of significant accounting policies.

In our opinion, the financial statements of the Company are prepared, in all material
respects, in accordance with the Hong Kong Small and Medium-Sized Entity Financial Reporting
Standard (‘SME-FRS’) issued by the Hong Kong Institute of Certified Public Accountants (‘HKICPA’)
and have been properly prepared in compliance with the Companies Ordinance.

Basis for Opinion

We conducted our audit in accordance with the Hong Kong Standards on Auditing
(‘HKSAs’) and with reference to PN 900 (Revised), Audit of Financial Statements Prepared
in Accordance with the Small- and Medium-Sized Entity Financial Reporting Standard
issued by the HKICPA. Our responsibilities under those standards are further described
in the Auditor’s Responsibilities for the Audit of the Financial Statements section of our
report. We are independent of the Company in accordance with the HKICPA’s Code of
Ethics for Professional Accountants (‘the Code’) and we have fulfilled our other ethical
responsibilities in accordance with the Code. We believe that the audit evidence we have
obtained is sufficient and appropriate to provide a basis for our opinion.

Knowledge Check Questions

Question 26
Identify which of the following is the type of assurance given in an auditor’s report of a
small or medium-sized entity.
A Reasonable assurance.
B Moderate assurance.
C Limited assurance.
D Positive assurance.

SUMMARY

This chapter has set out the various auditor reporting requirements, which are detailed and
sometimes complex, depending on the situations faced during the audit process.

The format and key elements of the auditor’s reports do not change given differing
opinions, but understanding the different elements for listed companies’ reports and where
other paragraphs are added is essential.

The auditor must carefully consider the circumstances that may lead to a modified
auditor’s opinion.

Decisions pertaining to an auditor’s opinion in relation to the going concern assumption are
important and should be mapped to the particular circumstances of the company.

Key Audit Matters are the newest component added to listed company auditors’ reports
and serve to inform users of the financial statements of the matters that were most important to
the auditor during the audit process.

The auditor must also be aware of reporting on entities other than listed and large non-listed
companies and of circumstances that require interim review reporting on listed entities.

MIND MAP

AUDITOR’S REPORTING

AUDITOR’S OBJECTIVES
Importance of the Auditor’s Report
Implications of Materiality to the Auditor’s Opinion

COMPONENTS OF AN AUDITOR’S REPORT
Title of Auditor’s Report
Addressee
Auditor’s Opinion
Basis for Opinion
Key Audit Matters
Other Information
Responsibilities of Directors and Those Charged with Governance
Auditor’s Responsibilities for the Audit of the Financial Statements
Report on Other Legal and Regulatory Requirements

AUDITOR’S REPORT REQUIREMENTS
What the auditor has accumulated to reduce detection risk
Forming an auditor’s opinion requires considerable judgement

FORM OF OPINION
Unmodified Opinion
Modified Opinion
• Qualified
• Adverse
• Disclaimer of Opinion

ADDITIONAL COMMUNICATIONS IN THE AUDITOR’S REPORT
Key Audit Matters (‘KAMs’)
• Determining KAMs
• Communicating KAMs
Other Information
• Scope of the Standard
• Response if there is a material misstatement of the other information
• Communication in the auditor’s report about other information
Material Uncertainty Related to Going Concern
Emphasis of Matter Paragraph
Other Matter Paragraph

AUDITOR REPORTING ON OPENING BALANCES
First Year Audit for the Existing Auditor
Prior Period Auditor’s Report Modifications to Be Assessed by Existing Auditor

REVIEW OPINIONS FOR INTERIM FINANCIAL STATEMENTS
Reporting the Nature, Extent, and Results of the Review of Interim Financial Information
Differences between an Auditor’s Opinion and an Auditor’s Conclusion

AUDITOR REPORTING ON SPECIAL PURPOSE FRAMEWORKS
Auditor’s Report Format in Line with HKSA 800 (Revised)
Auditor’s Report Format on Other Than Complete Financial Statements

AUDITOR REPORTING ON SMALL AND MEDIUM-SIZED ENTITIES
Revised SME-FRF
Revised SME-FRS
PN 900 (Revised)

Answers to Knowledge Check Questions

Question 1
Answer A is incorrect. It is not the role of the auditor to detect any or all fraudulent
activities.
Answer B is incorrect. The auditor does certainly have a responsibility to understand those
internal controls that may be relevant to the audit, but it is not the primary responsibility of
the auditor to identify control weaknesses; the primary responsibility for that comes with
those charged with governance and/or management.
Answer C is incorrect. This situation in most cases would cause a conflict that may result in
an independence issue for the auditor. The auditors can review a company’s conclusion on
an HKFRS issue but not form the audit conclusion.
Answer D is correct. The basic premise of the independent auditor’s report is that it helps
to reduce the concerns users of the financial statements have that there may be company
bias, which could unintentionally or intentionally present financial information more
optimistically than could be argued.

Question 2
Answer A is incorrect. Objective throughout the audit process.
Answer B is incorrect. This is not an objective of an auditor.
Answer C is incorrect. This is not a direct objective, as this decision is driven by the
circumstances of the particular audit.
Answer D is correct. This is the overall objective for the auditor.

Question 3
In determining the final form of the auditor’s opinion, the auditor must be mindful that to
express an unmodified opinion the auditor needs to conclude that the financial statements
as a whole are prepared ‘in all material respects, in accordance with the applicable
reporting framework’ (HKSA 700.16).
If the auditor concludes that the financial statements as a whole are not free from
material misstatement the auditor’s opinion would need to be modified and reference
would need to be made to HKSA 705 (Revised), Modifications to the Opinion in the
Independent Auditor’s Report, as to the appropriate level of modification.
The concept and application of the independent auditor’s determination of materiality
is one of the central elements in determining the appropriate auditor’s opinion.

Question 4
Answer A is incorrect. This is an option in HKSA 700 (Revised).
Answer B is correct. This is not an option in HKSA 700 (Revised).
Answer C is incorrect. This is an option in HKSA 700 (Revised).
Answer D is incorrect. This is an option in HKSA 700 (Revised).

Question 5
The first paragraph of the opinion section in all cases:

• States that the financial statements have been audited;

• Identifies the auditee, whether a single company, e.g. CWaves Hotels Company
(‘the company’) for single company financial statements or a group audit, e.g.
CWaves Ferry Holding Company Limited and its subsidiaries (‘the Group’) for a
consolidated set of financial statements;

• Defines the pages of the financial statements that the auditor’s opinion covers;

• States the specific components of the financial statements upon which an auditor’s
opinion is given:

°° Statement of the financial position as at a defined point of time,
e.g. 31 December 20X1;

°° Statement of profit or loss and other comprehensive income, statement of
changes in equity, and statement of cash flows for the year (or when relevant –
the period) then ended (HKAS 1 (Revised), Presentation of Financial Statements,
allows entities to present comprehensive income using either a one-statement
approach or a two-statement approach. The importance is consistency with the
titles of the corresponding statements.); and

°° The notes to the financial statements, including the summary of significant
accounting policies.

The second paragraph indicates whether the auditor’s opinion on the financial
statements is:
• Unmodified; or

• Modified:

°° Qualified Opinion;

°° Adverse Opinion; or

°° Disclaimer of Opinion.

Question 6
Answer A is incorrect. The issue is not pervasive to the financial statements as a whole.
Answer B is incorrect. The inability to obtain sufficient appropriate audit evidence on an
issue that is both material and pervasive is a disclaimer of opinion.
Answer C is incorrect. A qualified auditor’s opinion is not simply issued because the
relevant issue has been around for some time. Materiality to the relevant financial
statements is a key determinant.
Answer D is correct. It is considered a material issue that can be quantified and has a
limited effect on revenue.

Question 7
The auditor’s opinion should be qualified on the basis that the auditor believes that
stock could be overvalued by a material amount. Even though the auditor does not have
sufficient appropriate audit evidence to be able to quantify the amount of underprovision,
the impact is on the stock balance only, and it would be reasonable to conclude that the
issue is not pervasive, and so would not end in the disclaimer of opinion category.

Question 8
Answer A is incorrect. The issue would require a modification to the auditor’s opinion.
Answer B is correct. The material misstatement is suspected to be material but not pervasive.
Answer C is incorrect. The financial statements are true and fair except for an item the
auditor has identified which is not pervasive.
Answer D is incorrect. An opinion can be issued and the suspected material amount is not
pervasive.

Question 9
Answer A is incorrect. The issue is material and pervasive.
Answer B is incorrect. An unmodified auditor’s report is inappropriate.
Answer C is incorrect. They know what the issue is and have been able to obtain sufficient
appropriate audit evidence to draw the conclusion that the issue is material and pervasive.
Answer D is correct. Such departure from HKFRS with a material and pervasive effect on
the financial statements leads to an adverse opinion.

Question 10
This type of opinion is the signal to stakeholders that the financial statements of the
company may not be reliable to make economic decisions. This may also alert stakeholders
to the fact that management and those charged with governance may not be operating the
company appropriately or ethically.

Question 11
Auditors may issue a Disclaimer of Opinion when:
• The auditor’s scope was limited. The auditor was limited in this way, for instance,
when the auditor cannot access particular financial data.

• The auditor has other doubts about the reports. For example:

°° The financial statements may seem to violate accounting principles such as the
matching concept or the conservatism principle.

°° The auditor may question the classification of certain revenue and
expense items.

°° Some assets should not have been capitalised.

°° The auditor may question the way the entity applies rules, such as the lower
cost or net realisable value for the inventory.

The auditor issues an auditor’s opinion only when they are confident the opinion is
supported by sufficient appropriate audit evidence. Otherwise, a Disclaimer of Opinion
should be expressed.

Question 12
Section 407 of the Companies Ordinance requires the auditor to opine on other matters:
1. In preparing an auditor’s report, the auditor must carry out an investigation that
will enable the auditor to form an opinion as to:

a. Whether adequate accounting records have been kept by the company; and

b. Whether the financial statements are in agreement with the accounting records.

2. A company’s auditor must state the auditor’s opinion in the auditor’s report if the
auditor is of the opinion that:

a. Adequate accounting records have not been kept by the company; or

b. The financial statements are not in agreement with the accounting records in
any material respect.

Question 13
Answer A is incorrect. ASA 700 specifically states for Listed Companies only.
Answer B is incorrect. ASA 700 specifically states for Listed Companies only.
Answer C is incorrect. ASA 700 specifically states for Listed Companies only.
Answer D is correct. This must be disclosed for listed entities.

Question 14
Reference to the adverse auditor’s opinion must be made as well as the basis for the
adverse opinion as this matter would have otherwise been a KAM. The reason for the
adverse opinion should not be repeated as a separate KAM.

Question 15
Under the heading Other Information, the following must also be disclosed:
• A statement that management is responsible for the other information;
• Identification of the other information obtained prior to the date of the auditor’s
report (for listed entities the auditor is also required to identify any other
information expected to be obtained after the date of the auditor’s report);
• A statement that the auditor’s opinion does not cover the other information and,
accordingly, the auditor does not express an auditor’s opinion or any other form of
assurance thereon;
• A description of the auditor’s responsibilities relating to reading, considering, and
reporting on other information; and
• When other information has been obtained prior to the date of the auditor’s report
either a statement that the auditor has nothing to report or a statement that
describes the uncorrected material misstatement of other information.

Question 16
Answer A is incorrect. This is not the prescribed order under HKSA 706 (Revised).
Answer B is incorrect. This is not the prescribed order under HKSA 706 (Revised).
Answer C is incorrect. This is not the prescribed order under HKSA 706 (Revised).
Answer D is correct. This is the prescribed order under HKSA 706 (Revised).

Question 17
The most common reasons for an Emphasis of Matter paragraph to be included in the
auditor’s report are:
• A significant uncertainty surrounding accounting estimates;
• Where a special purpose framework has been used to prepare the financial
statements;
• Early application of accounting standards that have a pervasive effect on the financial
statements; or
• Where the prior period’s financial statements have a material error that has been
restated in the current year but did not require a modified opinion to be issued.

Question 18
The major differences between the two paragraphs are:
(a) An Emphasis of Matter paragraph draws users’ attention to matters already
disclosed in the financial statements; and

(b) An Other Matter paragraph draws users’ attention to matters that the auditor
believes the users should be aware of in relation to the financial statements but is
not disclosed in the financial statements.

Question 19
Answer A is incorrect. This is not the terminology used in Hong Kong.
Answer B is correct. This is the terminology used in Hong Kong 710.
Answer C is incorrect. This is not the terminology used in Hong Kong 710.
Answer D is incorrect. This is not the terminology used in Hong Kong 710.

Question 20
The major difference in obtaining sufficient appropriate audit evidence between when
corresponding figures have and have not been audited is the review of the predecessor’s
audit documentation from the prior period and determining to what extent if any the
existing auditor can place reliance on the work completed. The existing auditor also must
assess the capability and independence of the predecessor auditor in determining the
extent of reliance that can be placed on the work completed.

Question 21
Answer A is incorrect. Required by HKSRE 2410.
Answer B is incorrect. Required by HKSRE 2410.
Answer C is incorrect. Required by HKSRE 2410.
Answer D is correct. The auditor only opines when a full set of general-purpose financial
statements has been prepared in accordance with HKFRSs.

Question 22
In line with the requirements of HKSRE 2410, the auditor must state that review of interim
financial statements consists of making inquiries, primarily with persons responsible for
financial and accounting matters, and that such work is based on analytical and other
review procedures. The auditor shall also state that a review is substantially less in scope
than an audit conducted in accordance with HKSA. Consequently, the auditor is not
enabled to obtain assurance that all relevant significant matters have been identified and
that accordingly no auditor’s opinion is expressed.

Question 23
The key differences between an auditor’s opinion and an auditor’s review report are:
Auditor’s opinion: A reasonable or high level of assurance is obtained about whether
the financial statements as a whole are free from material errors or fraud. The auditor’s
opinion is expressed in a positive form.
Auditor’s review report: Limited assurance about whether the financial statements as a
whole are free from material errors and fraud. Limited assurance is less than reasonable
assurance. A conclusion not an opinion is expressed in a negative form.

Question 24
Answer A is correct. The financial statements cannot be relied upon by all users as they
have been prepared for certain users.
Answer B is incorrect. Required by HKSA 800 (Revised).
Answer C is incorrect. Required by HKSA 800 (Revised).
Answer D is incorrect. Required by HKSA 800 (Revised).

Question 25
Answer A is incorrect. The requirements of HKSA 810 (Revised) only extend to the date of
the auditor’s opinion on the summary financial statements.
Answer B is incorrect. Required by HKSA 800 (Revised) in all circumstances.
Answer C is correct. This is required by HKSA 810 (Revised) in circumstances where the
dates of the reports are different.
Answer D is incorrect. Required by HKSA 800 (Revised) in all circumstances.

Question 26
Answer A is correct. The level of assurance is reasonable in line with PN 900 (Revised).
Answer B is incorrect. This is not language used in HKSA.
Answer C is incorrect. This is not language used in HKSA.
Answer D is incorrect. This is not language used in HKSA.

EXAM PRACTICE

QUESTION 1
John Chang is a brand new graduate of an Audit Firm. He has been on his first audit job and
has been told by his supervisor that there is a material error in the inventory balance and he
has come to you, the audit manager, with the following requests for help and clarification:

(a) Categorise the different types of possible auditor’s opinions that John should consider
in determining the appropriate auditor’s opinion for this client.

(b) Advise John on the key messages that the different types of auditor’s opinions are likely
to mean to the users of the financial statements.

(c) Advise John what type of auditor’s opinion will likely be issued on this, his first audit.

QUESTION 2
The auditor’s inability to obtain sufficient appropriate audit evidence may arise in three
different areas. Determine what each of the areas is and give examples.

QUESTION 3
Khan Company Limited was incorporated in Hong Kong and is listed on the HKEx and has
several subsidiaries in Hong Kong and Mainland China. Over the last three years Khan
has expanded its operations into Malaysia with the purchase of two very large companies
with significant property, plant, and equipment. The auditor of Khan intends to issue an
unmodified auditor’s opinion. The auditor has also assumed that this matter should be
described as a Key Audit Matter. Recommend what you think to be the key elements of this
Key Audit Matter including the type of audit procedures that should be carried out.

QUESTION 4
Great Leap audit firm, having recently been appointed auditor of the Hong Kong Hotel
Group (an unlisted entity), has been advised that the predecessor auditor issued a disclaimer
of opinion on the corresponding figures on the basis that accounting records were lost as
a result of a large typhoon. Great Leap has become aware that Hong Kong Hotel Group has
been able to retrieve back-up data for the period covered by the disclaimer.

(a) Recommend the steps that Great Leap should take in obtaining sufficient appropriate
audit evidence for the corresponding figures.

(b) Evaluate the impact that the retrieval of back-up data might have on the current
period’s auditor’s opinion.

QUESTION 5
Shareholders of River Park Limited, the largest games and water park in Asia and a listed
entity on the HKEx, have requested that they receive summary financial statements in line
with listing rule 13.46 for the current period and moving forward. It is acknowledged that
the full financial report can be accessed on the company’s website and the HKEx. Advise
what the requirements for disclosure are in the auditor’s report under HKSA 810 (Revised),
including disclosure of the fact that the summary financial statements auditor’s report
is issued after the auditor’s report on the financial statements. An unmodified opinion is
expressed on the audited financial statements of River Park Limited.

ANSWERS TO EXAM PRACTICE

QUESTION 1
(a) and (b) The following are the possible types of auditor’s opinions and the key messages that they are likely to mean to the users:

Unmodified Opinion: The financial statements give a true and fair view in accordance
with HKFRSs. This is the best opinion an auditor can deliver.
Modified Opinion – Qualified: In the auditor’s opinion, except for the effects of the
matter described in the Basis for Qualified Opinion section of the auditor’s report,
the financial statements give a true and fair view in accordance with HKFRSs. This opinion
demonstrates some reservation on the part of the auditor about the financial
statements as a whole.
Modified Opinion – Adverse: The financial statements as a whole do not give a true and
fair view in accordance with HKFRSs, for the reasons disclosed in the Basis for Adverse
Opinion paragraph. This is a very serious opinion for the auditor to deliver as it is
indicating to users that the financial statements cannot be relied upon.
Modified Opinion – Disclaimer of Opinion: An opinion is not expressed on the financial
statements, with the basis being described in the Basis for Disclaimer of Opinion
paragraph. An auditor makes this conclusion when the auditor has been unable to
obtain sufficient appropriate audit evidence to conclude. Given the responsibilities
upon management to prepare financial statements in accordance with the applicable
financial reporting framework, this too is an unfortunate form of opinion. The rest of
this chapter explains the judgement required on the part of the auditor to determine
what form the final auditor’s opinion will take.

Review opinions issued by an auditor as a result of reviews of interim financial
statements can also take any of the above forms.

(c) The effect of misstatement is material, but, given that it relates to inventory only, it is
unlikely to be pervasive. If management does not adjust based on the issues the auditor
has raised, then a qualified auditor’s opinion will be necessary.

QUESTION 2
(a) Examples of circumstances beyond the control of the entity are:

• The company’s accounting records have been destroyed.

• The accounting records have been seized by a government authority.

(b) Examples of circumstances relating to the nature or timing of the auditor’s work are:

• The auditor cannot obtain sufficient audit evidence from substantive
procedures alone.

• The auditor could not attend the annual inventory count.

• The entity has not been able to obtain information from an equity accounted
investment.

(c) Examples of limitation on the scope of the audit imposed by management include:
• Management prevents the auditor from attending the annual inventory count.

• Management prevents the auditor from conducting third party confirmations.

• Management refuses to provide details supporting material balances.

QUESTION 3
Key Audit Matters

Key audit matters are those matters that, in our professional judgement, were of most
significance in our audit of the financial report of the current period. These matters were
addressed in the context of our audit of the financial statements as a whole, and in forming
our opinion thereon, and we do not provide a separate opinion on this matter.

Heading – Key Audit Matter: Assessment of Carrying value of property, plant, and
equipment.

Area of focus:

• Reference notes where issue addressed in the financial statements.

Why the assessment of the carrying value of goodwill is a key audit matter:

• The company/(group) has property, plant, and equipment of $XX for XX end date.

• The company/(group) appointed an external independent valuer to value land and
buildings at XX end date.

• The company/(group) reviews the carrying value of plant and equipment at each
reporting period.

There are a number of judgements required in determining the carrying value of plant and
equipment due to the current economic conditions. These judgements include assessing
the remaining useful life of plant and equipment and where appropriate the current
market value.

How the audit addressed the matter:

Our audit procedures included:

• Evaluating the external independent valuations obtained by the company/(group)
regarding the fair value of land and buildings and assessing the key valuation
assumptions for reasonableness.

• Evaluating the qualifications of the valuer.

• Consulting with our own external expert/Corporate Finance division to assess the
underlying assumptions of management’s experts.

• In relation to the company’s valuation of plant and equipment we discussed with
management the estimated useful life of plant and equipment, reviewed utilisation
rates to identify any idle plant and equipment and reviewed management’s
forecasts.

We also assessed the adequacy of the company’s/(group’s) disclosures in respect of
Property, Plant, and Equipment and the basis for a Fair value.

QUESTION 4
(a) The auditor should first review the working papers of the predecessor auditor and
determine the level of reliance that could be placed on the work completed and document
conclusions. The auditor must also assess the capability of the predecessor auditor and
whether they were appropriately independent. The auditor should determine whether,
together with reliance on procedures of the predecessor auditor and the performance of
audit procedures over the retrieval of back-up data, sufficient appropriate audit evidence
has been obtained on corresponding figures. The auditor would need to undertake
a risk assessment under HKSA 315 (Revised 2019) and pay particular attention to the
completeness of the financial information provided by management and that there is
a seamless connection with the data prior to the data loss. Sufficient appropriate audit
evidence is likely to have been obtained through substantive audit procedures.

(b) Assuming that the auditor obtains sufficient appropriate audit evidence on opening
balances and the auditor is satisfied that the prior period’s financial books and records
are complete and accurate, the auditor would issue an unmodified auditor’s opinion
in line with the requirements of HKSA 700 (Revised), with an Emphasis of Matter
paragraph in line with HKSA 706 (Revised) to draw attention to the note to the financial
statements where management have described how the matter resulting in the
disclaimer of opinion was resolved.

QUESTION 5
The required components of the auditor’s report on summary financial statements are
as follows:

• Report title indicating independence of the auditor;

• The appropriate addressee;

• Identification of the composition of the summary financial statements;

• Identification of the financial statements from which the summary has been taken;

• The summary financial statements do not contain all the disclosures required by HKFRS;

• A clear expression of opinion, which in this instance would be an unmodified auditor’s
opinion consistent with the financial statements;

• Reading the summarised financial statements and the report thereon is not a substitute
for reading the audited financial statements and the auditor’s report thereon;

• The summary financial statements and the financial statements do not reflect the
effects of events that occurred subsequent to the date of the report on the audited
financial statements;

• A paragraph setting out the audited financial statements and the report thereon,
stating the type of report issued and the date on which the report was issued, and that
key audit matters were communicated;

• Management’s responsibilities;

• Auditor’s responsibilities;

• The name of the auditor;

• The name of the audit firm;

• The auditor’s address; and

• Date of auditor’s report on the summary financial statements.

11
Group Audits

CHAPTER TOPIC LIST

11.1 Audit of Groups
  11.1.1 Scope and Terminology
  11.1.2 Companies Ordinance (Cap.622)
  11.1.3 Understanding the Group, Its Components, and Their Environments
  11.1.4 Group-wide Controls
  11.1.5 Auditor’s Objectives
11.2 Components Auditors
  11.2.1 Characteristics of Components Auditors
  11.2.2 Responsibilities of Components Auditors
  11.2.3 Overview of How Components Auditors Work Within the Group Audit
  11.2.4 Materiality for Components
  11.2.5 Communication with Components Auditors
11.3 Group Engagement Team
  11.3.1 Group Engagement Partners’ and Staff Members’ Responsibilities
  11.3.2 Component Team Members’ Responsibilities
11.4 Audit Planning and Risk Assessment
  11.4.1 Engagement Letter
  11.4.2 Control Procedures Review
  11.4.3 Risk Assessment: Group Audit versus Single Company Audit Risks
  11.4.4 Plan of Procedures to Develop Understanding (Group, Client, Components Auditors)
  11.4.5 Consider Risks of Material Misstatement
  11.4.6 Plan Methods, Timing, and Content of Communication with Those Charged with Governance
  11.4.7 Develop Audit Plan for Work to be Completed (Group, Client, Components Auditors) for Significant and Non-significant Components
  11.4.8 Group Audit Strategy Memorandum for Communication to a Components Auditors
11.5 Audit Procedures and Reporting
  11.5.1 Complete Procedures to Substantively Test the Group’s Consolidation
  11.5.2 Review of Reports from Components Auditors to the Group Auditor
  11.5.3 Review of Components Auditors Work
  11.5.4 Group Audit Completion Documents Preparation
  11.5.5 Options for Audit Opinion for the Group, Parent Company, and Component Financial Statements

LEARNING OUTCOMES

PRINCIPAL LO1: PERFORM ASSURANCE ENGAGEMENTS


LO1.12: Prepare, plan, and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Management,
Auditing, Assurance and Related Services, guidance, and legislation with emphasis on:
Completion Procedures
1.12.02 Explain the purpose of and procedures to be used during audit completion:
• A subsequent events review
• A going concern review
• Obtaining written representations from management
• Review of report by components auditors to the group auditor
• Overall review of the financial statements
• Review of other published information
LO1.14: Prepare, plan, and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Management,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on:
Audits of Group Financial Statements (including the work of components auditors)
1.14.01 Explain how consolidated financial statements are produced
1.14.02 Evaluate whether a group’s control environment and control systems are effective
1.14.03 Recommend control procedures that a group should implement over its operations and
the preparation of consolidated financial statements
1.14.04 Evaluate a potential group audit engagement for the acceptance risks it presents to the
audit firm
1.14.05 Consider risk of group audit in addition to a single company audit (e.g. different
accounting policies)
1.14.06 Prepare an audit engagement letter for a group
1.14.07 Plan procedures to develop a sufficient understanding of the group, as a client, and a
components auditors for audit purposes
1.14.08 Recommend an appropriate planning materiality to be applied to components
1.14.09 Consider the significant components and evaluate to determine the type of work to be
performed on the financial information of significant components and components that are
not significant
1.14.10 Plan an approach to gathering sufficient appropriate audit evidence from the
components auditors
1.14.11 Evaluate the information collected about a group to identify the significant risks of material
misstatement in the group financial statements

1.14.12 Develop the group audit strategy memorandum for communication to a
components auditors
1.14.13 Plan the methods, timing, and content of communication with those charged with
governance and with components auditors during the audit
1.14.14 Design procedures to substantively test the group’s consolidation
1.14.15 Prepare the group audit completion documents
1.14.16 Recommend an appropriate audit opinion for the group, parent company, and component
financial statements based on the audit evidence collected

OPENING CASE

CWAVES FERRY HOLDING COMPANY LIMITED

This case study is the basis for illustration in the rest of this chapter.

CWaves Ferry Holding Company Limited (‘CWaves’) is a publicly listed company on the
Hong Kong Stock Exchange (‘HKEx’) and operates ferry services in Victoria Harbour, Sok Kwu
Wan, Shenzhen, and Macau. CWaves has a 31 December year end and has 10 wholly owned
subsidiaries, which it must consolidate for the purpose of reporting under Section 379(2) of the
Companies Ordinance (Cap.622) and HKFRS 10, Consolidated Financial Statements. The CWaves
group has significant investments in buildings, godowns, port infrastructure, travel agencies,
and hotels.

Choxiang Cheng is a newly appointed independent non-executive director of CWaves and
he wants to understand how the group external auditor (Quality Audit Firm (‘Quality’)) manages
the components auditors and how the components auditors were chosen given that Quality is
not part of a global accounting firm.

The group structure is shown in Exhibit 11.1.

CWaves Ferry Holding Company Limited – Audited by Quality

Subsidiaries (each 100% owned):

1 CWaves Hotels Company (incorporated and based in Malaysia)
2 CWaves Ferries Company
3 HKCW Development Holding Company
4 HKCW Investment Limited
5 Hai Cruising Company
6 CWaves Maintenance Company
7 CWaves Godown Company
8 Donghai Company
9 CWaves Management Company
10 Wonder Travel Company (incorporated and based in Singapore)

Legend categories: Material to the Group; Audited by: Quality; Audited by: Component auditor 1; Audited by: Component auditor 2; Audited by: Component auditor 3; Not subject to audit for group purposes

EXHIBIT 11.1 CWaves’ corporate structure

OVERVIEW

The audit of consolidated financial statements can be more complex when components auditors
(i.e. other audit firms, or even affiliates or parts of the same firm) are involved. The work of
these components auditors can influence the group engagement team’s (or the group auditor’s)
processes and the overall audit conclusion at the consolidated financial statements level.

This chapter will explore the concept of group audits, the role of the group auditor, and
the role of the components auditors in drawing conclusions on the consolidated financial
statements. The roles of each of these are critical in ensuring that the consolidated auditor’s
report is reflective of the conclusions reached at each component and group level.

Determining group materiality and auditing the consolidation process can be complex. This
chapter will aim to set out the steps involved in both these processes in some detail.

This chapter is simply an extension, for a group, of all of the fundamental aspects to the
audit process that have been introduced to you in Chapters 1 to 10.

11.1 AUDIT OF GROUPS

The reference standard for group audits is HKSA 600 (Revised), Special Considerations – Audits
of Group Financial Statements (Including the Work of Components Auditors). This standard will be
referred to during this chapter.

11.1.1 Scope and Terminology


The HKSAs apply to group audits. HKSA 600 (Revised), deals with the special considerations that
apply to group audits, in particular those that involve components auditors.

It should be noted that the terminology used under HKSAs for groups does differ from
the terminology used for accounting. Where the auditor is making decisions pertaining
to a business combination or control for consolidation purposes, direct reference should
be made to HKFRS 3 (Revised), Business Combinations, and HKFRS 10 (Revised),
Consolidated Financial Statements, respectively.

This chapter reflects the terminology used for Audit of Groups under the HKSAs.

HKSA 220 (Revised) Quality Management for an Audit of Financial Statements, paragraphs 26
and 29, requires the group audit partner to be satisfied that those performing the group audit
engagement, including components auditors, collectively have the appropriate competence and
capabilities. The group engagement partner is also responsible for the direction, supervision,
and performance of the group audit engagement. See Section 4.1.1.1 which describes recent
revisions to the Quality Standards.

The group engagement partner should apply the requirements of HKSA 200 regardless
of whether the group engagement team or the components auditors performs the audit
procedures on the financial information of the component.

It is important that consistent terminology is applied when looking at group audits, where
the following terms have the meanings attributed below (HKSA 600.9):

Component: An entity or business activity for which group or component management
prepares financial information that should be included in the group financial statements.

Components auditors: An auditor who, at the request of the group engagement team,
performs work on financial information related to a component for the group audit.

Component management: Management responsible for the preparation of the financial
information of a component.

Component materiality: The materiality for a component determined by the group
engagement team.

Group: All the components whose financial information is included in the group financial
statements. A group always has more than one component.

Group audit: The audit of group financial statements.

Group audit opinion: The audit opinion on the group financial statements.

Group engagement partner: The partner or other person in the firm who is responsible
for the group audit engagement and its performance and for the auditor’s report on
the group financial statements that is issued on behalf of the firm. Where joint auditors
conduct the group audit, the joint engagement partners and their engagement teams
collectively constitute the group engagement partner and the group engagement team.
This HKSA does not, however, deal with the relationship between joint auditors or the work
that one joint auditor performs in relation to the work of the other joint auditor.

Group engagement team: Partners, including the group engagement partner, and staff
who establish the overall group audit strategy, communicate with components auditors,
perform work on the consolidation process, and evaluate the conclusions drawn from the
audit evidence as the basis for forming an opinion on the group financial statements.

Group financial statements: Financial statements that include the financial information of
more than one component. The term ‘group financial statements’ also refers to combined
financial statements aggregating the financial information prepared by components that
have no parent but are under common control.

Group management: Management responsible for the preparation of the group financial
statements.

Group-wide controls: Controls designed, implemented, and maintained by group
management over group financial reporting.

Significant component: A component identified by the group engagement team (i) that
is of individual financial significance to the group or (ii) that, due to its specific nature or
circumstances, is likely to include significant risks of material misstatement of the group
financial statements.

11.1.2 Companies Ordinance (Cap.622)


On top of the general requirements for financial statements outlined in Section 380 of
the Companies Ordinance (Cap.622), Section 381 outlines the requirements in relation to
consolidated financial statements as follows.

Subsidiary undertakings to be included in annual consolidated financial statements are:

1. Subject to subsections 2 and 3, the annual consolidated financial statements for a
financial year must include all the subsidiary undertakings of the company.

2. Where the company falls within the reporting exemption for the financial year, one or
more subsidiary undertakings may be excluded from the annual consolidated financial
statements in compliance with the accounting standards applicable to the statements.

3. Where the company does not fall within the reporting exemption for the financial year:

(a) One subsidiary undertaking may be excluded from the annual consolidated
financial statements if the inclusion of the subsidiary undertaking is not material
for the purpose of giving a true and fair view of the financial position, and of the
financial performance, mentioned in Section 380(2)(a) and (b); and

(b) More than one subsidiary undertaking may be excluded from the annual
consolidated financial statements if the inclusion of those subsidiary undertakings
taken together is not material for the purpose of giving a true and fair view of the
financial position, and of the financial performance, mentioned in Section 380(2)(a)
and (b).

11.1.3 Understanding the Group, Its Components, and Their Environments


HKSA 315 (Revised 2019), Identifying and Assessing the Risks of Material Misstatement, contains
guidance on matters on which the auditor performs risk assessment procedures to obtain an
understanding of:

(a) the industry, regulatory, and other external factors that affect the group and/or
individual components (including the organizational structure, ownership and
governance, and applicable financial reporting framework),

(b) the nature of the entity,

(c) its business model and strategies and related business risks,

(d) use of IT, and

(e) internal and external measurement and review of the entity’s financial
performance.

The auditor is also required to obtain an understanding of the components of the entity’s
system of internal control through performing risk assessment procedures.

The group auditor should also have a detailed understanding of the group instructions
issued by group management to component management. These instructions will often make
clear to the group auditor the accounting policies expected to be applied at the group and
component level, the financial reporting framework to be adopted, segment identification and
reporting, how related party and intra-group transactions are to be treated, and the reporting
timetable.

The group auditor should assess the quality of the instructions issued by group
management to component management and determine whether, in the case of a lack of
clarity, the risks of material misstatements at the component level are heightened and address
this with the components auditors.

The group auditor should obtain an understanding of the activities for the financial period
being subject to audit and of the internal audit. (Refer back to Chapter 8: Using the Work of
Others for considerations in relation to using the work of internal auditors). This understanding
should extend to the areas of the business that have been the subject of audit and whether the
work conducted by the internal audit can be relied upon at the group and/or component level.

The responsibility for the determination of the significant components of a group is that of
the group auditor. For the purposes of HKSA 600 (Revised), components fall into one of two
categories: significant and non-significant components (Exhibit 11.2).

Significant components:
• Significant in financial terms
• Significant for the degree of risk they present

Non-significant components:
• Immaterial to the group as a whole
• Low-risk profile

Auditor’s approach to significant components:
• Driver is size: full audit.
• Driver is risk: full audit; audit of risk areas; or specific procedures.

Auditor’s approach to non-significant components:
• Analytical procedures;
• Further procedures determined if a conclusion cannot be reached on ‘non-significant’.

EXHIBIT 11.2 Significant and non-significant components

11.1.3.1 Indicators of ‘Significance’


There is not a singular approach to determine which components should be audited because
they are financially significant. The group auditor needs to be satisfied that sufficient amounts of
work will be performed. Determination of ‘sufficient’ will vary from engagement to engagement,
depending on circumstances and will be determined by professional judgement. What is critical
is that the audit documentation reflects the judgement and explains how it was reached.

A significant component is a component identified by the group auditor (i) that is of individual
financial significance to the group or (ii) that, due to its specific nature or circumstances, is likely
to include significant risks of material misstatement of the group financial statements
(HKSA 600.9(m)). As the individual financial significance of a component increases, the risks of
material misstatement of the group financial statements ordinarily increase (HKSA 600 (A5)).
Indicators of financial significance (i.e. size) might include the overall size of
the component’s statement of financial position or profit or the relative size of a component’s
contribution to a particular item (e.g. revenue) in the group financial statements. HKSA 600
(Revised) indicates that 15% of a chosen benchmark (such as the group assets or profit) might
be chosen by the group auditor as indicative of financial significance, but professional
judgement is still required and higher or lower percentages may be appropriate, depending on
the composition and/or the nature and circumstances of the group. If the group auditor does
apply the 15% as the benchmark, documentation as to its appropriateness is strongly
recommended.

The group auditor may also identify a component as likely to include significant risks of
material misstatements of the group financial statements due to its specific nature or
circumstances, even though the component is not otherwise of individual financial significance
to the group (HKSA 600 (A6)). Indicators of non-financial significance (i.e. risk) might include the
presence in a component of particular risks of material misstatement, such as those relating to
estimates associated with impairments, inventory impairments, and taxation provisions. Risks
relating to complex areas such as financial instruments, and other highly subjective areas such as
contingencies and subsequent events, may also determine non-financial significance.

11.1.3.2 Type of Audit Work to be Performed on Components


Determining the coverage of components is resolved in part by the nature of the group,
the quality of its system of internal control, and the quality and sources of the information
and evidence available, such as the effectiveness of group-level analytical procedures. More
coverage will be required where controls are poor and/or the evidence available at a group
level is weak. Group-wide controls will be explored later in this chapter.

The group auditor is required under HKSA 600 (Revised) to perform, or have components
auditors perform, full audits of all financially significant components.

For a component that is significant because it is likely to include significant risks of material
misstatement of the group financial statements due to its specific nature or circumstances, the
group engagement team, or a components auditors on its behalf, shall perform one or more of
the following:

(a) An audit of the financial information of the component using component materiality
(i.e. at a materiality level lower than the group level).

(b) An audit of one or more account balances, classes of transactions, or disclosures
relating to the likely significant risks of material misstatement of the group financial
statements.

(c) Specified audit procedures relating to the likely significant risks of material
misstatement of the group financial statements.

11.1.3.3 Procedures for Non-significant Components


The group auditor is required to perform analytical procedures at the group level covering
non-significant components to corroborate conclusions that there are no significant risks in
those components. The degree of disaggregation of data used for these procedures may vary
and is impacted by the nature and level of management information available.

When no additional risks are identified as a result of analytical procedures, the group auditor
should document the belief that there is nothing to indicate a need for the performance of
additional procedures on these components. However, if the results of the analytical procedures
indicate that there may be a risk of a material misstatement in one or more components, the
group auditor needs to document the nature, timing, and extent of the procedures that will be
performed to address the identified risks.


Apply and Analyse 1


Quality determined that both CWaves Maintenance Company and CWaves Management
Company were likely to be immaterial to the CWaves consolidated financial statements
based on the financial results of the two companies in the last three years.

Analysis

During the current year’s audit planning process, Quality needs to determine whether
CWaves Maintenance Company and CWaves Management Company continue to be
immaterial to the group for consolidation purposes. Quality obtains the management
accounts from group management for the two components and undertakes analytical
procedures to confirm whether or not there are significant risks in the components, and
also reviews board minutes. Quality also discusses with group management the activities
and proposed activities of the components. On the basis of the work that has been
completed by Quality, they have concluded that it is unlikely that the financial activities
and results of CWaves Maintenance Company and CWaves Management Company would
create a risk of a material misstatement to the consolidated financial statements and
therefore will not be subject to further audit procedures in the current period. Quality has
documented their assessments and conclusions in the audit file.

11.1.4 Group-wide Controls


It is the responsibility of the group auditors to obtain an understanding of group-wide controls
as part of the group's system of internal control, including:

• The control environment established by those charged with governance that relates to
group-wide controls.

• The level of involvement of those charged with governance at the group level in terms
of how the components develop their business strategies, how they operate, and how
they perform.

• How often interactions occur between the group and component and the degree of
detail obtained.

• How the component management identify and assess risk and the significance of those
risks, specifically including the identification and management of business risks that
might result in a misstatement in the group financial statements.

• How the component management assess the risk of fraud and management of
circumstances when fraud has been identified.

• Controls over intra-group transactions, balances, and profits including taxation
consequences.

• Group-wide monitoring controls.

• The degree of use of shared service centres and component management’s oversight of
shared service centres.

• The extent to which controls operate in the same way across components in the group.

Internal audit may be regarded as part of the group-wide monitoring component of the system
of internal control when the role is centralised. HKSA 610 (Revised 2013), Using the Work of
Internal Auditors, deals with the group auditor’s evaluation of the internal audit function and its
potential use by the group auditor.

In thinking about group-wide controls the group auditors should:

• Consider the extent to which there are group-wide controls and determine the
appropriate split of work between the group auditors and components auditors for
these controls.

• Request details of internal control weaknesses identified by components auditors, as
HKSA 600 (Revised) requires the group auditors to make group management aware as
soon as practicable of material weaknesses in the design and operation of group-wide
controls.

The components auditors should:

• Consider the impact of any group-wide controls that the group auditor has told them
about, on the planning of the component audit, including assessing any impact on the
local statutory audit when relevant.

• Consider the appropriate clearances, when the component auditor is being asked to
rely on the testing completed by the group auditor on group-wide controls for group
purposes. Specific reference may need to be made to the fact that no work has been
conducted at the request of the group auditor.

• Consider the level of documentation required in the component auditor's audit file
when seeking to place reliance on the group auditor’s testing of group-wide controls for
the purpose of a local statutory opinion.

• Communicate to local management any weaknesses identified as well as
communicating them to the group auditor.

11.1.5 Auditor’s Objectives


The objectives of the auditor in relation to the audit of a group are:

(a) To determine whether they can act as the auditor of the group financial statements.

(b) If acting as the auditor of the group financial statements:

(i) To communicate clearly with components auditors about the scope and timing
of their work on financial information related to the components and their
findings; and
(ii) To obtain sufficient appropriate audit evidence regarding the financial information
of the components and the consolidation process to express an opinion on whether
the group financial statements are prepared, in all material respects, in accordance
with HKFRS.

Knowledge Check Questions

Question 1
For a component that is deemed significant because it is likely to include significant risks
of material misstatement in the group financial statements due to its specific nature or
circumstances, determine the types of audit procedures the group engagement team, or a
component auditor on its behalf, should consider performing.

Question 2
Identify the responsibilities the group auditor has for assessing group-wide controls.

11.2 COMPONENTS AUDITORS

11.2.1 Characteristics of Components Auditors


HKSA 600 (Revised) requires the group auditor, if the intention is to use the work of a
component auditor or component auditors, to obtain an understanding of:

• Whether the components auditors will comply with the ethical and independence
standards set out in the HKICPA Code of Ethics for Professional Accountants. The group
auditor should ensure that, where the component auditor is not based in Hong
Kong, Hong Kong ethical requirements, including being independent, are, nevertheless,
understood. The components auditors should be made aware of the group auditor's
expectations regarding the HKICPA ethical requirements for group purposes;

• The professional competence of the components auditors;


• Whether the group auditor will be able to be involved in the work of the components
auditors as necessary to obtain sufficient appropriate audit evidence; and

• Whether components auditors operate in a regulatory environment that actively oversees
auditor quality, which in practice may be difficult to assess if in other jurisdictions.

In assessing the professional competence of a component auditor, the group auditor
needs to be confident that the component auditor can properly fulfil the group audit
responsibilities. If the group auditor fails to make a formal documented assessment of this,
it will be difficult to demonstrate that they have sufficient involvement in, or control over, the
group audit. The quantum of documentation required will depend on the complexity of finding
the required information to conduct the assessment. The group auditor should be satisfied that
components auditors:

• Understand the auditing quality management standards under which they should
operate for group audit purposes, and will comply with those standards. If the
component auditor is in a jurisdiction outside of Hong Kong, but follows international
auditing and quality management standards, the assessment will be aided. If
international auditing and quality management standards are not followed, the
group auditor will need to determine whether the proposed component auditor
can be used.

• Have the requisite skills and specialist skills where required, such as industry-specific
knowledge, valuation, or taxation specialists, to assist the component audit team for
complex audit issues where there is a risk of a material misstatement.

• Have an understanding of HKFRSs that is sufficient to fulfil group reporting
responsibilities. Again, this will be easier to determine where the component auditor's
jurisdiction follows International Financial Reporting Standards (‘IFRS’).

Apply and Analyse 2


Quality had issues in the prior period with the auditors of CWaves Hotels Company, which
is based in Malaysia. The previous component auditor did not meet the deadlines
that Quality established, and it was very difficult to obtain the required information as
instructed in the group audit questionnaire. The situation reached the stage that the
component auditor resigned. CWaves Hotels Company sought Quality’s views on finding
a new auditor. Quality itself did not have a Malaysian presence or a Malaysian affiliate.

Analysis

Quality indicated to CWaves Hotels Company that any new component auditor would
need to be assessed in detail by Quality. Quality indicated that they would expect the new
auditor to be an accredited member firm of the Malaysian Institute of Accountants (which,
like HKICPA, subscribes to the international ethical, auditing, and accounting standards).
Quality also indicated that it would be required to make a detailed assessment of the new
auditor’s independence, competence, willingness to communicate, and ability to meet
group deadlines and provide the requisite information to Quality. As the hotel
business requires industry knowledge to audit it appropriately, Quality indicated it would
need to assess whether the component auditor had the necessary skills to undertake the
audit. CWaves Hotels Company reviewed how Quality would assess an incoming auditor
and used that assessment to select a particular audit firm. They chose to make the final
appointment subject to Quality’s detailed assessment.

11.2.2 Responsibilities of Components Auditors


Components auditors report to the group auditors on their work in the form agreed in the
group audit instructions, whether it is an audit report on financial information or certain
account balances or a report on specified procedures.

The components auditors should consider the following when issuing an audit report:

• Whether the introductory paragraph clearly identifies the financial information that is
being reported on.

• Referencing the level of materiality used as instructed by the group auditor.

• Modifications to the auditor’s opinion. This is particularly important, and it is the
responsibility of the components auditors to raise the issue of a potential modification
as soon as possible with the group auditor. A determination will need to be made by
the group auditor whether the modification will also be reflected at the consolidated
financial statement level.

The components auditors should consider the following when issuing a report on specified
procedures:

• The report provides sufficient clarity on the work performed, which should make clear
what was not performed.

• Generally, the report does not provide assurance on conclusions reached but restates
what was requested by the group auditor and what was completed.

The group auditors generally request that the component auditor either prepares a
summary memorandum of work performed or completes a group audit questionnaire. Either
reporting format usually contains similar information from the component auditor. The
component auditor needs to provide this information to the group auditor in order that the
group auditor has sufficient information to enable them to draw the appropriate conclusions.

Matters that are usually included in the component auditor's memorandum or
questionnaire are as follows:

• Reconfirmation that the components auditors have complied with the ethical
requirements of the HKICPA Code of Ethics for Professional Accountants;

• Confirmation that the components auditors have complied with the group auditor’s
requirements;

• The scope of work performed, including explanations for significant changes to the
audit strategy and any variations from group instructions (note that this should be
communicated by the components auditors to the group auditor prior to variation and
the documentation at this stage of the component audit confirms what should already
have been agreed);

• Instances of fraud or non-compliance with laws and regulations, and indicators of
management bias (again, any fraud identified should be communicated immediately to
the group auditor);

• Significant matters arising from the work performed by the components auditors
including details of significant risks that may affect the consolidated financial
statements, including those communicated by the group auditor at the planning stage,
and a summary of responses to those risks;

• In the instance that the parent entity is listed, Key Audit Matters (‘KAMs’) should
either be included in the main body of the audit report or in the memorandum
or questionnaire (for further information on KAMs refer back to Chapter 10 of
this module);

• Details of corrected and uncorrected misstatements, including explanations from
component management why misstatements have remained uncorrected;

• Significant deficiencies in the system of internal control that were identified (again this
should be reported to the group auditor at the point of discovery);

• Details of any related party transactions;

• Subsequent events procedures performed and whether there were any material
matters identified and details of the potential effects of such matters;

• Specific inclusions identified by the components auditors for inclusion in the group
letter of representation;

• Matters that should be communicated to those charged with governance at the
group level;

• Other information, such as contingencies and commitments; and

• The components auditors' overall findings, conclusions, or opinion.

In some instances, the group auditor may require that further information be supplied by
the components auditors as follows:

• An analytical review of the component’s financial statements, with explanations for
the trends and movements year on year and reference to actual results in the current
financial period as compared to budget;

• A summary of key estimates and judgements and how management approached their
assessment; and

• Financial reporting issues and how they were addressed.

Ultimately, what needs to be reported by the components auditors will be determined by
the group auditor. If the component auditor does not believe they can carry out what has
been requested of them, then they need to advise the group auditor. The group auditor may
need to consider replacing a component auditor if they cannot meet their responsibilities,
or send members from the group audit team as a short-term measure to ensure that the
component’s financial information has been appropriately audited.

11.2.3 Overview of How Components Auditors Work Within the Group Audit

How components auditors work within the group audit is dependent on the audit firms involved
in the various aspects of the group audit. There are several combinations that could exist.

(a) The group auditors audit the whole group. The group and all components auditors are part
of the same firm or network of firms.

In these circumstances the group auditor should have a good understanding of the
components auditors and they will in most cases be following the same audit methodology.

Communications should be easier for firms with common audit approaches, quality
management procedures and audit software, and partners and staff who undertake
common training programmes. Notwithstanding this, HKSA 600 (Revised) still requires
group auditors to document their understanding of components auditors and for
components auditors to acknowledge their compliance with group auditor requests.
HKSA 600 (Revised) also requires that the group auditors determine the extent of
involvement at the component level. This is made easier in the situation where the
group auditors audit the whole group.

There will be distinctions between approaches depending on whether there is a
single office group audit, multiple office group audit (same firm), or multiple firm (same
network) group audit.

(b) The group auditors are not auditing the whole group. The group includes multi-network
group audits and group or components auditors that are not members of any network.

While the basic considerations are the same as those where group and components
auditors all belong to the same network, the level of knowledge about the audit
methodology of firms outside the group auditor’s firm is likely to be limited.

The group auditor cannot simply rely on the component auditor's opinion on the
financial statements of the component. If the component auditor has concluded
that the financial statements of the component are free from material misstatement,
the group auditor should not just rely on this opinion and assume that the financial
statements are materially correct. An appropriate level of understanding is required
between the components auditors and the group auditor on the work undertaken
by the components auditors. (Review requirements of the work conducted by the
components auditors will be addressed in Section 11.5.3 later in this chapter.)

Communication between the components auditors and the group auditor is critical
to ensure that definitive conclusions can be drawn at the end of the group audit
process. Successful group audit scenarios are ones where all of the auditors involved in
the group audit consider themselves part of the one audit engagement, which is akin to
a single audit of a company where all members of the audit engagement team are clear
on their responsibilities and communicate freely with others on the audit engagement.

11.2.4 Materiality for Components


There is much to consider when evaluating the allocation of materiality to components auditors
by the group auditor. One of the main complexities lies with the concept of aggregation risk,
which heightens with decentralisation of operations into components. Aggregation risk is
defined as the risk that the aggregate of uncorrected and undetected misstatements in the
financial statements exceeds materiality for the financial statements as a whole.

[HKSA 600.A43–A46] As a starting point, HKSA 600 (Revised) requires the group engagement
team to determine materiality for the group financial statements as a whole, as part of the
development of the group audit strategy.

To reduce to an appropriately low level the probability that the aggregate of uncorrected
and undetected misstatements in the group financial statements exceeds materiality for the
group financial statements as a whole, component materiality is set lower than materiality for
the group financial statements as a whole. Different component materiality may be established
for different components. Component materiality need not be an arithmetical portion of the
materiality for the group financial statements as a whole and, consequently, the aggregate of
component materiality for the different components may exceed the materiality for the group
financial statements as a whole. Component materiality is used when establishing the overall
audit strategy for a component.

Component materiality is determined for those components whose financial information
will be audited or reviewed as part of the group audit. Component materiality is used by the
components auditors to evaluate whether uncorrected detected misstatements are material,
individually or in the aggregate.

In the case of an audit of the financial information of a component, the component auditor
(or group engagement team) determines performance materiality at the component level. This is
necessary to reduce to an appropriately low level the probability that the aggregate of uncorrected
and undetected misstatements in the financial information of the component exceeds component
materiality. In practice, the group engagement team may set component materiality at this
lower level. Where this is the case, the component auditor uses component materiality for
the purposes of assessing the risks of material misstatement of the financial information of the
component and to design further audit procedures in response to assessed risks as well as for
evaluating whether detected misstatements are material, individually or in the aggregate.

Determination of component materiality as noted above requires the exercise of
professional judgement. Exhibit 11.3 sets out some factors that the group auditor may take into
consideration when determining materiality levels for components.

| Consideration | Group auditor notes that | Aggregation risk | Component materiality relative to group materiality |
|---|---|---|---|
| Risk of material misstatement | Less known | Increases | Decreases |
| Complexity | Increases | Increases | Decreases |
| Product lines | Number and diversity increases | Increases | Decreases |
| Group-wide controls | Fewer | Increases | Decreases |
| IT systems and software | Decentralised | Increases | Decreases |
| Jurisdictions that components operate in | Differing and growing | Increases | Decreases |

EXHIBIT 11.3 Factors determining materiality levels

11.2.5 Communication with Components Auditors


If there is not effective two-way communication between the group auditor and the
components auditors, there is a heightened risk that the group auditor may not obtain
sufficient appropriate audit evidence on which to base their opinion.

The table below illustrates at a high level the nature and timing of effective two-way
communication, but please note this is illustrative and differing circumstances may require
different communications.

Illustrative Example 1

Communications between the group auditor and the component auditor, by stage:

| Stage | Communication |
|---|---|
| Before work on the financial information commences | The group auditor sends group instructions. |
| Before work on the financial information commences | The component auditor confirms receipt of the instructions and agrees with time lines. |
| Planning the work on the component | Group auditor reviews component auditor’s risk assessment and their proposed responses to significant risks and also advises the component auditor of any significant risks identified at the group level. |
| Planning the work on the component | The component auditor responds to queries of the group auditor. |
| Executing the work on the component financial information | Significant matters relevant to the group communicated by the component auditor. |
| Executing the work on the component financial information | Significant matters to the component communicated by the group auditor. |
| Reporting of the work performed | Component auditor’s final report to the group auditor documenting all the requests made by the group auditor. |
| Reporting of the work performed | The group auditor reviews the component auditor’s communication, discusses matters significant to the group audit, and reviews relevant audit documentation. |

The types of detailed communication with the components auditors may include the following:

(a) Work to be performed.

(b) Form and contents of components auditors' communication with the group
engagement team.

(c) Confirmation that the components auditors will cooperate with the group
engagement team.

(d) Ethical requirements, particularly independence requirements, regarding both the
group and the component.

(e) The level of component materiality.

(f) Identified significant risks of material misstatement of the group financial statements,
whether due to fraud or error.

(g) Related parties.

(h) Non-compliance with laws and regulations.

(i) Material weaknesses in internal controls that could affect the components auditors.

(j) Relevant accounting, auditing and reporting requirements.

(k) Communications with those charged with governance at the group level and where
necessary at the component level.

Key Learning Point


Get the right components auditors and ensure there is open, two-way communication.

Knowledge Check Questions

Question 3
Advise on the types of detailed communication from the group auditor to the
components auditors.

Question 4
Explain at least five items that a component auditor would normally be expected to
report to the group auditor.

Question 5
Identify which of the following matters described would usually not be included in the
component auditor's memorandum or questionnaire.
A Reconfirmation that the components auditors have complied with the ethical
requirements of the HKICPA Code of Ethics for Professional Accountants.
B Results of procedures undertaken by the group auditor.

C Significant deficiencies in internal controls that were identified.
D Details of corrected and uncorrected misstatements, including explanations from
component management why misstatements have remained uncorrected.

Question 6
Advise on what aggregation risk is in the context of setting materiality for a group audit.

Question 7
If you were a group auditor, list five types of communication you would receive from a
component auditor.

11.3 GROUP ENGAGEMENT TEAM

11.3.1 Group Engagement Partners’ and Staff Members’ Responsibilities


The overall responsibility for a group audit rests with the group engagement partner. As
stipulated in HKSA 220 (Revised) Quality Management for an Audit of Financial Statements, the
group engagement partner is responsible for the direction, supervision, performance, and
review of the work, the adequacy of the audit documentation, and whether, and how, the group
engagement partner has become satisfied that sufficient appropriate audit evidence has been
obtained to allow the group engagement partner to take responsibility for the consolidated
financial statements and the auditor’s report thereon.

The responsibilities of the group engagement partner and those of the group audit team
are the same as for all audits conducted under HKSAs, and this does not change in the audit
of a group.

In general, the following are the key responsibilities of the group engagement partner and
group engagement team:

• Carry out the client acceptance or continuance procedures.

• Issue a group engagement letter.

• Establish the overall audit strategy and audit plan.

• Obtain an understanding of the group components and their environment.

(a) Obtain an understanding of the group, its components, and their environment.

(b) Obtain an understanding of the consolidation process.

(c) Review instructions issued by management to components.

(d) Verify that all components have been included in group financial statements.

(e) Evaluate completeness and accuracy of consolidation adjustments.

(f) If the component’s accounting policies are different from the group’s policies, verify
that appropriate adjustments have been made for the purposes of group financial
statements.

(g) If the component’s accounting period is different from the group’s accounting
period, verify that appropriate adjustments have been made for the purposes of
group financial statements.

• Obtain an understanding of the components auditors:

(a) Compliance with ethical requirements, particularly independence.

(b) Professional competence.

(c) Regulatory environment (if in another jurisdiction).

(d) In the case where the group engagement partner has concern over (a) to (c) above,
the group engagement team should perform the audit of the components.

• Determine materiality levels:

(a) Materiality to be applied at the component level.

(b) Materiality to be applied at the group level.

• Consolidation process.

• Responding to assessed risks:

(a) For components that are financially significant, arrange full scope audits (for
example, financially significant components are, prima facie, those components
that comprise more than 15% of sales, net income, assets, liabilities, or cash flows of
the group).

(b) For components that are significant, not because of financial benchmarks but
because of excessive risks, either arrange full scope audits or audits of specific
accounts or carry out specified procedures.

(c) For insignificant components carry out analytical procedures.

(d) Involve the group engagement team in the work performed by the components
auditors, in the following areas:

(i) Discussing business activities that are significant to the group.
(ii) Identifying aspects of the financial statements of the component that may be
misstated due to frauds and errors.
(iii) Reviewing the components auditors' documentation of identified significant
risks of material misstatements.
(iv) Evaluating, when significant risks of material misstatements of the group
financial statements have been identified in a component, what further
audit procedures are required and whether direct involvement of the group
engagement team is necessary.

• Arrange subsequent events reviews. Ensure that subsequent events reviews of
components have been completed up to the date of the auditor’s report on the group
financial statements.

• Consider any significant findings of the components auditors.

11.3.2 Component Team Members’ Responsibilities


A critical responsibility of the components auditors is to follow the instructions set out by the
group auditor.

The components auditors should ensure there is an open line of communication with the
group auditor such that any issues identified at the component level that may have a material
impact on the group financial statements can be addressed on a timely basis.

The component audit team should view themselves as an extension of the group
audit team.

The component audit team should conduct the audit to meet all of the regulatory and legal
requirements as outlined in the group audit instructions and adhere to the deadlines during
the audit process and up to completion.

The component audit team may also have responsibilities for local jurisdiction financial
reporting for which they have sole responsibility.

Apply and Analyse 3


The components auditors of Wonder Travel Company have advised Quality that they are
required to lodge financial statements in Singapore and will be applying a materiality level
at the component level that is lower than group materiality.

Analysis

It is very common for components auditors to conduct an audit for jurisdictional purposes
at the same time as the audit for group reporting purposes. The components auditors of
Wonder Travel Company, however, must still comply with the instructions and reporting
requirements of the CWaves Group. It is likely that group materiality will be greater than
component materiality, so the fact that the components auditors are auditing to a lower
materiality level should not create an issue for Quality. The components auditors are
responsible for reporting to Quality against the group materiality level.

Knowledge Check Questions

Question 8
Advise on the seven areas that the group engagement partner and group audit team are
responsible for, in relation to obtaining an understanding of the group component and its
environment.

11.4 AUDIT PLANNING AND RISK ASSESSMENT

11.4.1 Engagement Letter


The same requirements of HKSA 210, Agreeing the Terms of Audit Engagements, apply in a group
audit situation. These requirements were looked at in detail in Chapter 3 of this module. There
are, however, some additional considerations that need to be given in a group audit situation.

The terms of engagement should identify the applicable financial reporting framework.
Additional matters should be included in the terms of a group audit engagement letter, such as
(HKSA 600.A20):

• The communication between the group engagement team and the components
auditors should be unrestricted to the extent possible under law or regulation;

• Important communications between the components auditors, those charged
with governance of the component, and component management, including
communications on significant deficiencies in internal control, should be communicated
as well to the group engagement team;

• Important communications between regulatory authorities and components
related to financial reporting matters should be communicated to the group
engagement team; and

• To the extent the group engagement team considers necessary, it should be permitted:

°° Access to component information, those charged with governance of components,
component management, and the components auditors (including relevant audit
documentation sought by the group engagement team); and

°° To perform work or request the components auditors to perform work on the
financial information of the components.

Components auditors will need to consider whether there is a requirement to issue an
engagement letter to those charged with governance at the component level. It is better
practice to issue an engagement letter to ensure the audit scope is understood and agreed with
component management. An engagement letter will be required when there are local statutory
requirements.

11.4.2 Control Procedures Review


One of the key responsibilities of the group auditor is to identify the group-wide system of internal
control and also understand the control environments of components through the components
auditors. The understanding and assessment of controls have a direct impact on the overall risk
assessment at the group and component levels.

Group-wide control procedures may range from something as simple as consistent accounting
policies, to common IT systems that cannot be modified at the component level, to the use of
shared service centres.


The group auditor, through the planning process, needs to establish the responsibilities for
the review of the components of the system of internal control. It is likely in the situation of a
shared service centre that the group auditor would conduct the audit and share the results with
components auditors. This is also likely to be the case where common IT systems exist, but in
this case it is common for the group auditor to request that the components auditors confirm
that the controls are working effectively at the component level.

11.4.3 Risk Assessment: Group Audit versus Single Company Audit Risks
The requirements of HKSA 315 (Revised 2019) become more difficult to apply in a group audit
situation as opposed to the audit of a single company. The more components a group has,
the greater the risk of a material misstatement is likely to be.

The group engagement team’s assessment at group level of the risks of material
misstatement of the group financial statements is based on information such as (HKSA 600.A31):

• Information obtained from the understanding of the group, its components, and their
environments, and of the consolidation process, including audit evidence obtained in
evaluating the design and implementation of group-wide controls and controls that are
relevant to the consolidation.

• Information obtained from components auditors.


The auditor is required to identify and assess the risks of material misstatement of the
financial statements due to fraud or error, and to design and implement appropriate responses
to the assessed risks. Information used to identify the risks of material misstatement of the
group financial statements due to fraud or error may include (HKSA 600.A27):

• Group management’s assessment of the risks that the group financial statements may
be materially misstated as a result of fraud or error.

• Group management’s process for identifying and responding to the risks of fraud in the
group, including any specific fraud risks identified by group management, or account
balances, classes of transactions, or disclosures for which a risk of fraud is higher.

• Whether there are particular components for which a risk of fraud is higher.

• How those charged with governance of the group monitor group management’s
processes for identifying and responding to the risks of fraud or error in the group, and
the controls group management has established to mitigate these risks.

• Responses of those charged with governance of the group, group management, internal
audit (and, if considered appropriate, component management, the components
auditors, and others) to the group engagement team’s inquiry whether they have
knowledge of any actual, suspected, or alleged fraud affecting a component or the group.

The key members of the engagement team are required to discuss the susceptibility of an
entity to material misstatement of the financial statements due to fraud or error, specifically
emphasising the risks due to fraud (HKSA 600.A28).

In a group audit, these discussions may also include components auditors. The group
engagement partner’s determination of whom to include in the discussions, how and when
they occur, and their extent is affected by factors such as prior experience with the group. The
discussions provide an opportunity to (HKSA 600.A29):

• Share knowledge of the components and their environments, including group-wide
controls.

• Exchange information about the business risks of the components or the group.

• Exchange ideas about how and where the group financial statements may be
susceptible to material misstatement due to fraud or error, how group management
and component management could perpetrate and conceal fraudulent financial
reporting, and how assets of the components could be misappropriated.

• Identify practices followed by group or component management that may be biased
or designed to manage earnings that could lead to fraudulent financial reporting, for
example, revenue recognition practices that do not comply with HKFRSs.

• Consider known external and internal factors affecting the group that may create an
incentive or pressure for group management, component management, or others to
commit fraud, provide the opportunity for fraud to be perpetrated, or indicate a culture
or environment that enables group management, component management, or others
to rationalise committing fraud.

• Consider the risk that group or component management may override controls.

• Consider whether uniform accounting policies are used to prepare the financial
information of the components for the group financial statements and, where not, how
differences in accounting policies are identified and adjusted.

• Discuss fraud that has been identified in components or information that indicates
existence of a fraud in a component.

• Share information that may indicate non-compliance with national laws or regulations,
for example, payments of bribes and improper transfer pricing practices.

The challenge in a group audit situation is to ensure that the assessment of risk and how
the risks will be mitigated is appropriately updated through the audit process at the group and
at the component level and that this assessment is adequately documented and communicated
between the group auditor and the components auditors on a timely basis.

11.4.4 Plan of Procedures to Develop Understanding (Group, Client, Components Auditors)
The group auditor needs to dedicate enough time and resources to ensure an adequate depth
of knowledge about the group and the components auditors.

The group engagement team obtains an understanding of the components auditors only
when it plans to request the components auditors to perform work on the financial information
of a component for the group audit. For example, it will not be necessary to obtain an
understanding of the auditors of those components for which the group engagement team
plans to perform analytical procedures at the group level only (HKSA 600.A32).

HKSA 315 (Revised 2019) contains guidance on matters the auditor may consider when
obtaining an understanding of the industry, regulatory, and other external factors that affect
the entity, including the applicable financial reporting framework, the nature of the entity,
objectives and strategies and related business risks, and measurement and review of the
entity’s financial performance (HKSA 600.A23).

Examples of Matters about Which the Group Engagement Team Obtains an Understanding
(HKSA 600.App 2):

• Group-wide controls: group-wide controls may include a combination of the following:

°° Regular meetings between group and component management to discuss business
developments and to review performance.

°° Monitoring of components’ operations and their financial results, including regular
reporting routines, which enables group management to monitor components’
performance against budgets and to take appropriate action.

°° Group management’s risk assessment process, that is, the process for identifying,
analysing, and managing business risks, including the risk of fraud, that may result
in material misstatement of the group financial statements.

°° Monitoring, controlling, reconciling, and eliminating intra-group transactions and
unrealised profits, and intra-group account balances at the group level.

°° A process for monitoring the timeliness and assessing the accuracy and
completeness of financial information received from components.

°° A central IT system controlled by the same general IT controls for all or part of
the group.

°° Control activities within an IT system that are common for all or some components.

°° Monitoring of controls, including activities of internal audit and self-assessment
programmes.

°° Consistent policies and procedures, including a group financial reporting
procedures manual.

°° Group-wide programmes, such as codes of conduct and fraud prevention
programmes.

°° Arrangements for assigning authority and responsibility to component management.

• Internal audit may be regarded as part of group-wide controls; for example, when the
internal audit function is centralised. ISA 610, Using the Work of Internal Auditors, deals
with the group engagement team’s evaluation of the competence and objectivity of the
internal auditors where it plans to use their work.

• Consolidation process: the group engagement team’s understanding of the consolidation
process may need to include matters such as the following:

°° The extent to which component management understands the applicable financial
reporting framework.

°° The process for identifying and accounting for components in accordance with the
applicable financial reporting framework.

°° The process for identifying reportable segments for segment reporting in
accordance with the applicable financial reporting framework.


°° The process for identifying related party relationships and related party
transactions for reporting in accordance with the applicable financial reporting
framework.

°° The accounting policies applied to the group financial statements, changes from
those of the previous financial year, and changes resulting from new or revised
standards under the applicable financial reporting framework.

°° The procedures for dealing with components with financial year ends different from
the group’s year end.

11.4.5 Consider Risks of Material Misstatement


The following are examples of conditions or events that may indicate risks of material
misstatement of the group financial statements (HKSA 600.App 3). The examples outlined below
cover a broad range of conditions or events; however, not all conditions or events will be
relevant to every group audit engagement and the list of examples is not necessarily complete:

• A complex group structure, especially where there are frequent acquisitions, disposals,
or reorganisations.

• Poor corporate governance structures, including decision-making processes that are
not transparent.

• Non-existent or ineffective group-wide controls, including inadequate group
management information on monitoring of components’ operations and their results.

• Components operating in foreign jurisdictions that may be exposed to factors such as
unusual government intervention in areas such as trade and fiscal policy, restrictions on
currency and dividend movements, and fluctuations in exchange rates.

• Business activities of components that involve high risk, such as long-term contracts or
trading in innovative or complex financial instruments.

• Uncertainties regarding which components’ financial information requires incorporation
in the group financial statements in accordance with the applicable financial reporting
framework, for example, whether any special-purpose entities or non-trading entities
exist and require incorporation.

• Unusual related party relationships and transactions.

• Prior occurrences of intra-group account balances that did not balance or reconcile on
consolidation.

• The existence of complex transactions that are accounted for in more than one
component.

• Components’ application of accounting policies that differ from those applied to the
group financial statements.

• Differences in financial reporting frameworks across the group.

• Components with different financial year ends, which may be utilised to manipulate the
timing of transactions.


• Prior occurrences of unauthorised or incomplete consolidation adjustments.

• Aggressive tax planning within the group or large cash transactions with entities in
tax havens.

• Frequent changes of auditors engaged to audit the financial statements of components.

• Tendency to obtain second opinions from firms other than the audit firm.

11.4.6 Plan Methods, Timing, and Content of Communication with Those Charged with Governance
Communication with those charged with governance takes on an increased level of complexity
in a group audit situation. It is important that the group auditor determines and communicates
at least the formal reporting points. This is commonly done in the engagement letter.

The group engagement team shall communicate the following matters with those
charged with governance of the group, in addition to those required by HKSA 260 (Revised),
Communication with Those Charged with Governance, and other HKSAs:

(a) An overview of the type of work to be performed on the financial information of the
components.

(b) An overview of the nature of the group engagement team’s planned involvement in
the work to be performed by the components auditors on the financial information of
significant components.

(c) Instances where the group engagement team’s evaluation of the work of the components
auditors gave rise to a concern about the quality of those auditors’ work.

(d) Any limitations on the group audit, for example, where the group engagement team’s
access to information may have been restricted.

(e) Fraud or suspected fraud involving the system of group management, component
management, employees who have significant roles in group-wide controls, or others
where the fraud resulted in a material misstatement of the group financial statements.

(f) Outcomes from testing of internal control, where significant deficiencies were noted.

(g) Changes to the audit approach as a result of significant issues being identified through
the audit process.

The matters the group engagement team communicates to those charged with governance
of the group may include those brought to the attention of the group engagement team
by components auditors that the group engagement team judges to be significant to the
responsibilities of those charged with governance of the group.

Communication with those charged with governance of the group takes place at various
times during the group audit. For example, the matters referred to in (a) and (b) above may be
communicated after the group engagement team has determined the work to be performed
on the financial information of the components. On the other hand, the matter referred to in
(c) above may be communicated at the end of the audit and the matters referred to in (d) and (e)
above may be communicated when they occur. Some communications could happen multiple
times during the audit process, like the matters described in (f) and (g) above. There are no
specific requirements in terms of when communication should occur, but the group auditor does
have the responsibility for timely communication, which is a matter of professional judgement.


11.4.7 Develop Audit Plan for Work to be Completed (Group, Client, Components Auditors) for
Significant and Non-significant Components
The audit plan developed by the group audit engagement team will be multidimensional and
will differ considerably depending on whether components have been assessed as significant
or non-significant. As noted in Section 11.1.3, work on non-significant components would in
most cases be planned to be limited to analytical procedures. For significant components, the
audit plan is normally delivered to components auditors by way of what is commonly referred
to as group audit instructions.

The following represents the topics generally found in the group audit instructions (noting
that audit plans will vary from group audit to group audit):

• An introduction that sets out that the instructions are designed to inform the
components auditors of the scope of the work required for the purpose of the
group audit.

• Group background, including group structures, business overview, significant events
that occurred during the year, and the names of company directors and management
personnel.

• Client expectations.

• Engagement risk, including the identification of significant risks at the group and
component levels.

• Communication timetable, including reporting timetable and communications
protocols.

• Client engagement team.

• Audit and accounting standards, including independence requirements, notice on
the group engagement letter and the requirement for a component level letter, and
significant risks to be specifically addressed.

• Scope of work and materiality, including the procedures to be performed by the
components auditors and the procedures that will be performed by the group
engagement team.

• Reporting requirements, which will include acknowledgement of instructions,
independence declaration, interim reporting of significant matters, clearance reports, a
final summary of significant matters, including a summary of audit differences.

• Specific information required for consolidation purposes and for financial statement
disclosure requirements.

• Key Audit Matters to be reported if the parent entity is listed.

• Structure of management letter to be issued at the component level.

• Management representation letter requirements.

• Outline of the required subsequent events review report.


11.4.8 Group Audit Strategy Memorandum for Communication to Components Auditors
The group engagement partner’s review of the overall group audit strategy is an important part
of fulfilling the group engagement partner’s responsibility for the direction of the group audit
engagement. The requirements to be included in the overall audit strategy are often in practice
sent to components auditors in the group audit instructions, as outlined in Section 11.4.7.

Key Learning Point


Planning and open communication are key to helping ensure that the group auditor
is aware of all issues that may have a material effect on the consolidated financial
statements.

Knowledge Check Questions

Question 9
Demonstrate why group audit risk identification is more complex than a single
company audit.

Question 10
Describe five areas group auditors should communicate to those charged with governance.

Question 11
Describe seven key aspects of group audit instructions that should be included by the
group auditor.

11.5 AUDIT PROCEDURES AND REPORTING

11.5.1 Complete Procedures to Substantively Test the Group’s Consolidation
The audit of a group’s consolidation process is a key function of the group auditor and can vary
significantly in complexity. In a less complex group, for example where all of the components
are audited by the group auditor in the same country and all of the components have been
wholly owned subsidiaries since incorporation, the consolidation entries are easier to identify.
In such cases, the audit of the consolidation is generally fairly uncomplicated and carries a
lower audit risk. In more complex multinational groups, for example, the group may have both
acquired and sold components in the year and may have impairment issues.

HKSA 600 (Revised) requires group auditors to obtain an understanding of group-wide
controls and the consolidation process. It also makes specific reference to the consolidation
instructions that have been issued by group management to components (as illustrated in
Section 11.4.7). The requirements for group-wide controls are the same as for any other type
of control – auditors need to identify the key controls and test them if the group auditors
are seeking to place reliance on them. It is at this point that the group auditor can determine
the extent of other substantive procedures that are required in the audit of the group.

The group is required to present consolidated financial statements incorporating all
components that are material to the group. The group auditor should obtain a listing of all entities
within the group from group management as part of the planning process for the group audit. The
group auditor should verify that all components have been included in the consolidated financial
statements. In respect of ensuring completeness of this information the group auditor should:

• Review work papers from prior years;

• Review the procedures adopted by the parent entity to identify components;

• Review any changes in the level of investment held by the parent during the current
period; and

• Review statutory registers required to be maintained by the Companies Ordinance
(Cap. 622).

All of the above should be reviewed in the context of applying HKFRS 3 and HKFRS 10.
There will be some permanent consolidation entries that are normally determined at the
date of a business combination under the requirements of HKFRS 3 and/or when assessing
control as follows:

• Determination and valuation of identifiable assets acquired.

• Determination of the amount of goodwill or gain from a bargain purchase, at the date
of acquisition.

• The determination of the level of non-controlling interests (previously known as
minority interests) at the date of the business combination.

The current period consolidation entries usually include elimination of the following:

• Intra-group interest paid and received and management fees;

• Unrealised profits or losses on assets transferred between components;

• Intra-group debts;

• Adjustments for differing accounting policies or accounting standards;

• Adjustments where reporting dates are different from the parent;

• Determination of movement in equity attributable to non-controlling interests since the
date of acquisition; and

• Impairment losses for goodwill arising on consolidation.

The group auditor needs to ensure that all intra-group transactions and balances have
been eliminated. The group auditor should gain an understanding of the procedures adopted
by group management to make the above-noted adjustments.


At the same time as checking consolidation adjustments, group auditors need to ensure
that the information to be consolidated is complete and reconciles with the information
provided by components auditors in their clearance to the head office auditor.

Group auditors also need to consider how the consolidation process is actually performed.
Most consolidations are undertaken in Excel spreadsheets, which often heightens the risk that
the consolidated figures are incomplete or inaccurate. When auditing a consolidation, auditors
cannot simply audit the
data that are displayed in the workbook but must ensure that the figures have been derived
from component financial statements and the consolidation adjustments. Auditors also
need to audit the workings of the consolidation spreadsheets themselves to ensure that the
consolidated numbers reflect the complete and accurate picture of the group.
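
The re-performance described in this section can be illustrated with a short script. This is an added example, not part of the original text: it rebuilds the consolidated totals from component figures and posted eliminations instead of trusting the workbook's displayed cells, and checks completeness and intra-group agreement. All entity names, account names, and amounts are constructed for illustration.

```python
from decimal import Decimal

ZERO = Decimal("0")

# Constructed sample data (illustrative entities, accounts and amounts).
GROUP_LISTING = {"Parent", "SubA", "SubB", "SubC"}  # listing from group management

# Figures agreed to the components auditors' clearance reports.
COMPONENT_FIGURES = {
    "Parent": {"receivables": Decimal("500"), "payables": Decimal("200"),
               "revenue": Decimal("1000")},
    "SubA": {"receivables": Decimal("120"), "payables": Decimal("310"),
             "revenue": Decimal("400")},
    "SubB": {"receivables": Decimal("80"), "payables": Decimal("60"),
             "revenue": Decimal("250")},
}

# Each component's own record: (reporting component, counterparty, side, amount).
INTRAGROUP_RECORDS = [
    ("Parent", "SubA", "receivable", Decimal("300")),
    ("SubA", "Parent", "payable", Decimal("300")),
    ("SubA", "SubB", "receivable", Decimal("40")),
    ("SubB", "SubA", "payable", Decimal("35")),
]

# Elimination entries as posted in the workbook: (account, adjustment).
ELIMINATIONS = [("receivables", Decimal("-340")), ("payables", Decimal("-335"))]

# Consolidated totals as displayed in the workbook.
WORKBOOK_TOTALS = {"receivables": Decimal("360"), "payables": Decimal("235"),
                   "revenue": Decimal("1700")}


def missing_components(group_listing, component_figures):
    """Entities on the group listing that never reached the consolidation."""
    return set(group_listing) - set(component_figures)


def intragroup_mismatches(records, tolerance=ZERO):
    """Compare each creditor's receivable with the debtor's matching payable."""
    receivables, payables = {}, {}
    for reporter, counterparty, side, amount in records:
        if side == "receivable":
            key = (reporter, counterparty)          # (creditor, debtor)
            receivables[key] = receivables.get(key, ZERO) + amount
        elif side == "payable":
            key = (counterparty, reporter)          # (creditor, debtor)
            payables[key] = payables.get(key, ZERO) + amount
        else:
            raise ValueError(f"unknown side: {side!r}")
    mismatches = {}
    for key in sorted(set(receivables) | set(payables)):
        diff = receivables.get(key, ZERO) - payables.get(key, ZERO)
        if abs(diff) > tolerance:
            mismatches[key] = diff
    return mismatches


def reperform_consolidation(component_figures, eliminations):
    """Sum component figures per account, then apply the posted eliminations."""
    totals = {}
    for figures in component_figures.values():
        for account, amount in figures.items():
            totals[account] = totals.get(account, ZERO) + amount
    for account, adjustment in eliminations:
        totals[account] = totals.get(account, ZERO) + adjustment
    return totals


def workbook_differences(recomputed, reported):
    """Accounts where the workbook total differs from the recomputed total."""
    diffs = {}
    for account in sorted(set(recomputed) | set(reported)):
        diff = reported.get(account, ZERO) - recomputed.get(account, ZERO)
        if diff != ZERO:
            diffs[account] = diff
    return diffs


def review_consolidation():
    """Run all three checks over the constructed sample data."""
    recomputed = reperform_consolidation(COMPONENT_FIGURES, ELIMINATIONS)
    return {
        "missing": missing_components(GROUP_LISTING, COMPONENT_FIGURES),
        "intragroup": intragroup_mismatches(INTRAGROUP_RECORDS),
        "workbook": workbook_differences(recomputed, WORKBOOK_TOTALS),
    }


if __name__ == "__main__":
    for check, result in review_consolidation().items():
        print(check, result)
```

On the sample data the script flags one entity absent from the consolidation, one intra-group balance that does not agree between counterparties, and one workbook total that cannot be derived from the underlying figures.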

11.5.2 Review of Reports from Components Auditors to the Group Auditor


For the group auditor to be satisfied that their responsibility for the group auditor’s opinion
is achieved, a detailed review needs to be completed for all reports issued by components
auditors. The focus of such reviews would include the following:

• Whether any unadjusted material misstatements have been identified.

• Whether any fraudulent activity has been identified.

• Whether a going concern issue has been identified.

• Material departures from relevant accounting standards.

• Issues identified with independence of the components auditors.

• Subsequent events identified.

It is important that the group auditor understands in detail any likely impact on the group
financial statements from what has been reported from components auditors.

11.5.3 Review of Components Auditors’ Work


It has already been noted earlier in this chapter that, if group auditors wish to use the work
performed by components auditors, group auditors must be satisfied that components
auditors are sufficiently competent and independent, and that this assessment should be
documented. They must also obtain written confirmation from the components auditors that they agree to:

• Conduct their audit as set out in the group instructions; and

• Provide all the information they consider necessary from themselves and component
management to the group auditor.

If the group auditor is not satisfied that the components auditors have conducted the work
in line with the group instructions or provided all information, the group auditor will need to
perform the work necessary for group audit purposes themselves.

Where access to components auditors’ working papers is agreed to, the group audit
instructions should include a request for confirmation, again in writing, from the components
auditors that they will:

• Provide group auditors with unlimited access to their audit working papers; or

• Provide the group auditor with copies of their working papers, either electronically or in
paper form.


If the components auditors are unable to provide group auditors with unrestricted access to
their working papers or copies thereof because of legal or regulatory reasons, these reasons
should be detailed by the components auditors early in the process (this can be the case where
components auditors are auditing within the USA, for example).

In addition to arranging access to components auditors’ work papers, for significant
components the group auditor needs to consider whether they need to visit the
components auditors.

11.5.3.1 Visits to Components Auditors


If the group auditor decides it is appropriate to visit the components auditors, this is usually on
the basis of:

• Where, as noted above, components auditors’ working papers cannot be moved out of a
jurisdiction for regulatory or legal reasons;

• Because of the size or specific risks associated with the component;

• Because the group auditor believes it appropriate to discuss matters face to face (this
may be the case when there is some doubt about the understanding or performance of
the components auditors);

• Where there is a change of either group or components auditors;

• Where the component has been recently purchased or there is an expected disposal;

• On the basis of work and conclusions reached by internal auditors;

• On the basis of prior period issues at the component;

• On the basis of the audit adjustments that have been noted by the components
auditors; or

• Where there have been changes to local management or the size and scope of the
component.

When visiting components auditors, it is suggested as better practice for:

• An experienced member of the group audit team to conduct the visit. In practice this is
often the partner and/or the engagement manager.

• The group auditor to be clear about the purpose of the visit, including the files to
be reviewed, particular areas of focus, the component audit staff that need to be
interviewed, component management that are to be met, and what documents may be
required to be copied for the group audit file.

• The visit to take place prior to the components auditors’ close-out meeting with
component management, so that any issues raised by the group auditor can be
factored into the close-out meeting.

11.5.3.2 Reviewing Components Auditors’ Working Papers


The most common form of audit procedure carried out by the group auditor, over the
work of the components auditors, is the review of working papers prepared by the
components auditors. The basis for selection and the amount of review to be conducted
will vary considerably and will be dependent upon the size of the component, the risks that
the component poses to the group, and the experiences the group auditor has had with
components auditors in the past or with component management.


Set out below are some of the working papers that the group auditor may review in
ensuring that the group auditor has sufficient appropriate audit evidence to support the
auditor’s opinion on the group financial statements. The group auditor will ensure that the
audit evidence obtained confirms their understanding of the activities of the component and
what the components auditors have concluded.

• Component audit planning memorandum

The group auditor will need to see the components auditors’ audit planning
memorandum as per the group audit instructions, and confirm that it covers:

°° The fact that the system of internal control has been evaluated to identify and
assess any risk of material misstatement at the component level;

°° The risk assessment at the assertion level for all material accounts; and

°° The components auditors’ documentation of their understanding of:

▪ The component, its control environment, including IT controls, and its
accounting and information systems.

▪ The way in which transactions are processed by the component.

▪ The component’s closing process and the controls applicable to accounting
entries including journal entries.

• Significant risks

The group auditor will review working papers identifying significant risks, confirm that
there are appropriate planned audit responses, and that the audit evidence is sufficient
and appropriate, and assess the implications of those risks for the group financial
statements. For identified fraud risks, confirm that appropriate planned procedures
have been documented and completed.

• Detailed work programmes

The group auditor will review the detailed work programmes and confirm they have
been prepared for all material accounts and disclosures. The group auditor will
also confirm that the nature, timing, and extent of tests of controls and substantive
procedures are appropriate to the component’s characteristics and the risks identified,
as well as confirming that the work programmes have been appropriately reviewed and
approved by the component auditors.

• Specialists

The group auditor will confirm that specialists or experts (such as legal, tax, corporate
advisory, valuation, actuarial, or IT specialists) that have been involved in the audit of
the component, as deemed necessary, have had their competence and capabilities
assessed by the component auditors.

• Materiality thresholds

The group auditor will confirm that audit work has been performed on the basis of the
materiality thresholds allocated by, or approved by, group auditors in advance.

• Supervision and review

The group auditor will determine that audit work has been carried out as planned and
appropriately supervised and reviewed.

• Tests of controls

The group auditor will confirm that component auditors have tested controls as follows:

◦ The controls identified during audit planning and on which a component auditor
wishes to place reliance; and

◦ The group-wide controls identified for testing by group auditors and included in the
group audit instructions.

Where component auditors have identified significant control deficiencies, the group
auditor will confirm that there is evidence that:

◦ The implications for the changes to the level of substantive procedures have
been assessed;

◦ Deficiencies have been discussed with component management; and

◦ Deficiencies have been communicated to group auditors and, where appropriate,
group management.

• Substantive procedures

The group auditor will confirm that conclusions in respect of substantive procedures
are appropriate and have been properly documented.

• Significant accounting judgements and estimates

The group auditor will confirm that procedures have been performed to ensure that
significant accounting judgements and estimates, and transactions outside the normal
course of business, do not constitute evidence of a risk of management bias on the part
of component management.

• Related parties

The group auditor will confirm that adequate audit procedures have been performed
in respect of the identification of related parties and transactions. The group auditor
will also check that appropriate audit procedures have been undertaken for any related
party transactions undertaken at arm’s length.

• Material contracts

The group auditor will confirm that component auditors obtained appropriate
information in respect of material contracts taking effect during the period.

• Non-compliance with laws and regulations

The group auditor will confirm that component auditors have addressed the risk of
non-compliance with applicable laws and regulations.

• Minutes of meetings

The group auditor will confirm that component auditors have reviewed the minutes
of meetings of component management and component governance bodies, and the
minutes of any other important meetings, and that they have assessed the impact of
decisions taken.

• Litigation

The group auditor will confirm that component auditors have performed adequate
audit procedures to identify litigation likely to be material at group level.

• Contingent assets and liabilities

The group auditor will confirm that procedures have been performed to ensure proper
disclosure of material component contingent assets and liabilities.

• Going concern

The group auditor will confirm that appropriate procedures have been performed to
assess the validity of the going concern basis for the component.

• Consolidation package

The group auditor will confirm that component auditors have checked that the
consolidation package has been prepared in accordance with the group’s accounting
policies and that the numbers agree with those audited and documented in the audit
working papers.

• Roll-forward procedures

When audit work has been performed before the year end, the group auditor will confirm
that component auditors have performed appropriate roll-forward procedures.

• Management representation letter

When a component audit has been completed, the group auditor will confirm
that component auditors have obtained an appropriate signed management
representation letter from component management.

• Significant points outstanding

The group auditor will confirm that all significant points outstanding that are relevant to
the component auditors’ report to the group auditor have been cleared by the time of
the issue of the report.

• Communications with component management

The group auditor will confirm that all significant matters described in the working
papers have been communicated to component management and that this was
communicated before the financial statements were approved by the component.

• Adequacy of audit work performed

Assess whether, for the elements of the file reviewed, the audit work performed is
adequate and complies with the group audit instructions and the applicable auditing
and accounting standards.

• Final analytical procedures

The group auditor will confirm that component auditors have performed final
analytical procedures on any information provided in completed consolidation
packages, corroborating conclusions, and that they have obtained satisfactory
explanations for material or unusual variances.

• Auditor’s opinion

The group auditor will confirm that any report issued, and auditor’s opinion expressed,
is consistent with the audit conclusions reached and documented, including those on
the list of adjusted and unadjusted misstatements.

• Communications with component management

The group auditor will check that component auditors’ communications with
component management do not contain any significant information not already
brought to the group auditor’s attention.

The group auditor’s evaluation of the work of the component auditors must be
documented. In assessing the level of documentation required, the group auditor
needs to consider the extent to which they should include certain of the component auditors’
working papers in the group audit file. This decision will be made on the basis of what is
needed in the group auditor’s file to provide sufficient appropriate audit evidence to support
the auditor’s opinion on the consolidated financial statements.

11.5.4 Group Audit Completion Documents Preparation


The completion stage of the audit must be carefully planned to ensure that the requirements of
the many relevant HKSAs are adhered to. If the completion stage is not adequately performed,
there is a risk that an inappropriate opinion is given on the financial statements. In a group
audit situation, there are effectively documents for each component that the group auditor
must consider and address, which significantly increases the complexity for the group auditor.
Chapter 9 of this module presents in detail the processes and documents required in the
completion of the audit. The group audit instructions would normally include reference to each
document and the required timing for them to be sent to the group auditor.

11.5.5 Options for Audit Opinion for the Group, Parent Company, and Component Financial Statements

The first step for the group auditor is to assess the reports that are received from component
auditors. This may seem obvious, but a thorough review is necessary to ensure that, if there
are any modifications, these can be discussed and a determination made as to the likely impact
such a modification may have on the consolidated financial statements. If the parent company
is listed, then the group auditor would need to consider any key audit matters that have been
raised by component auditors. Refer back to Chapter 10 for details of the types of auditor
opinions and the circumstances that lead to a modification to an auditor’s opinion.

Key Learning Point


A thorough review is required of the work undertaken by the component auditors to
ensure that all factors are known to the group auditor when finalising the consolidated
financial statements and determining the appropriate auditor’s opinion.

Knowledge Check Questions

Question 12
Where the component auditors consent to access to their working papers, the group
audit instructions should include a request for confirmation from the component
auditors. List what content should be included in the confirmation.

Question 13
For the group auditor to be satisfied that their responsibility for the group auditor’s
opinion is achieved, a detailed review needs to be completed for clearance reports issued
by component auditors. Explain what the focus of such a review would be.

SUMMARY

• There are many assessments that need to be made by group auditors. In their role as group
auditors, the key considerations are:

◦ Evaluation of the competence of the component auditors;

◦ Evaluation of the significance of components within the group;

◦ The level of understanding necessary to issue informed instructions to component
auditors; and

◦ Evaluation of the work performed by the component auditors.


• At all times, the ultimate responsibility for the audit of the consolidated financial statements
rests with the group auditor, who must be satisfied that sufficient appropriate audit evidence
exists to support the auditor’s opinion on the group financial statements.

MIND MAP

GROUP AUDITS

AUDIT OF GROUPS
• Scope and Terminology
• Companies Ordinance (Cap.622)
• Understanding the Group, Its Components and Their Environments
◦ Indicators of ‘significance’
◦ Type of audit work to be performed on components
◦ Procedures for non-significant components
• Group Wide Controls
• Auditor’s Objectives

COMPONENT AUDITORS
• Characteristics of Component Auditors
• Responsibilities of Component Auditors
• How Component Auditors Work within the Group Audit
• Materiality for Components
• Communication with Component Auditor

GROUP ENGAGEMENT TEAM
• Group Engagement Partners’ and Staff Members’ Responsibilities
• Component Team Member’s Responsibilities

AUDIT PLANNING AND RISK ASSESSMENT
• Engagement Letter
• Control Procedures Review
• Risk Assessment
• Plan of Procedures to Develop Understanding (Group, Client, Component Auditor)
• Consider Risks of Material Misstatement
• Plan Methods, Timing, and Content of Communication with Those Charged with Governance
• Develop Audit Plan for Work to be Completed (Group, Client, Component Auditor) for significant and Non-significant Components
• Group Audit Strategy Memorandum for Communication to a Component Auditor

AUDIT PROCEDURES AND REPORTING
• Complete Procedures to Substantively Test the Group’s Consolidation
• Review of Reports from Component Auditors to the Group Auditor
• Review of Component Auditors’ Work
◦ Visits to component auditors
◦ Reviewing component auditor working papers
• Group Audit Completion Document Preparation
• Options for Audit Opinion for the Group, Parent Company, and Component Financial Statements

Answers to Knowledge Check Questions

Question 1
The following should be considered:
(a) An audit of the financial information of the component using component
materiality (i.e. at a materiality level lower than the group level).

(b) An audit of one or more account balances, classes of transactions, or disclosures
relating to the likely significant risks of material misstatement of the group financial
statements.

(c) Specified audit procedures relating to the likely significant risks of material
misstatement of the group financial statements.

Question 2
Consider the extent to which there are group-wide controls and determine the appropriate
split of work between the group auditors and component auditors for these controls.
Request details of internal control weaknesses identified by component auditors, as
HKSA 600 (Revised) requires group auditors to make group management aware as soon as
practicable of material weaknesses in the design and operation of group-wide controls.

Question 3
(a) Work to be performed.

(b) Form and contents of the component auditors’ communication with the group
engagement team.

(c) Confirmation that the component auditors will cooperate with the group
engagement team.

(d) Ethical requirements, particularly independence requirements, regarding both the
group and the component.

(e) The level of component materiality.

(f) Identified significant risks of material misstatement of the group financial
statements, whether due to fraud or error.

(g) Related parties.

(h) Non-compliance with laws and regulations.

(i) Material weaknesses in internal controls that could affect the component auditors.

(j) Relevant accounting, auditing, and reporting requirements.

(k) Communications with those charged with governance at the group level and where
necessary at the component level.

Question 4
Any five of the following would be correct:
• Reconfirmation that the component auditors have complied with the ethical
requirements of the HKICPA Code of Ethics for Professional Accountants;
• Confirmation that the component auditors have complied with the group auditor’s
requirements;
• The scope of work performed, including explanations for significant changes to the
audit strategy and any variations from group instructions (note that this should be
communicated by the component auditors to the group auditor prior to variation;
the documentation at this stage of the component audit is confirming what should
already have been agreed);
• Instances of fraud or non-compliance with laws and regulations, and indicators of
management bias (again, any fraud identified should be communicated immediately
to the group auditor);
• Significant matters arising from the work performed by the component auditors,
including details of significant risks that may affect the consolidated financial
statements including those communicated by the group auditor at the planning
stage, and a summary of responses to those risks;
• In the instance that the parent entity is listed, Key Audit Matters (‘KAMs’) should
either be included in the main body of the audit report or in the memorandum
or questionnaire (for further information on KAMs refer back to Chapter 10 of
this module);

• Details of corrected and uncorrected misstatements, including explanations from
component management as to why misstatements have remained uncorrected;
• Significant deficiencies in internal controls that were identified (again, this should be
reported to the group auditor at the point of discovery);
• Details of any related party transactions;
• Subsequent events procedures performed and whether there were any material
matters identified and details of the potential effects of such matters;
• Specific items identified by the component auditors for inclusion in the group
letter of representation;
• Matters that should be communicated to those charged with governance at the
group level;
• Other information, such as contingencies and commitments; and
• The component auditors’ overall findings, conclusions, or opinion.

Question 5
Answer A is incorrect. This would be something that would be expected to be
communicated.
Answer B is correct. The group auditor is responsible for their own working papers and not
those of the component auditors.
Answer C is incorrect. This would be something that would be expected to be
communicated.
Answer D is incorrect. This would be something that would be expected to be
communicated.

Question 6
There is much to consider when evaluating the allocation of materiality to component
auditors by the group auditor. One of the main complexities lies with the concept of
aggregation risk, which heightens with the decentralisation of operations into components.
Aggregation risk is defined as the risk that the aggregate of uncorrected and undetected
misstatements in the financial statements exceeds materiality for the financial statements
as a whole.

Question 7
The answer could include any of the following:

(a) Work to be performed.

(b) Form and contents of the component auditors’ communication with the group
engagement team.

(c) Confirmation that the component auditors will cooperate with the group
engagement team.

(d) Ethical requirements, particularly independence requirements, regarding both the
group and the component.

(e) The level of component materiality.

(f) Identified significant risks of material misstatement of the group financial
statements, whether due to fraud or error.

(g) Related parties.

(h) Non-compliance with laws and regulations.

(i) Material weaknesses in internal controls that could affect the component auditors.

(j) Relevant accounting, auditing, and reporting requirements.

(k) Communications with those charged with governance at the group level and where
necessary at the component level.

Question 8
The seven areas that the group engagement partner and group audit team are
responsible for:

(a) Obtain an understanding of the group, its components, and their environment.

(b) Obtain an understanding of the consolidation process.

(c) Review instructions issued by management to components.

(d) Verify that all components have been included in group financial statements.

(e) Evaluate the completeness and accuracy of consolidation adjustments.

(f) If the component’s accounting policies are different from the group’s policies, verify
that appropriate adjustments have been made for the purposes of group financial
statements.

(g) If the component’s accounting period is different from the group’s accounting
period, verify that appropriate adjustments have been made for the purposes of
group financial statements.

Question 9
The requirements of HKSA 315 (Revised 2019) become more difficult to apply in a group
audit situation as opposed to the audit of a single company. The more components a
group has, the more likely it is that the risk of a material misstatement increases.
The group engagement team’s assessment at group level of the risks of material
misstatement of the group financial statements is based on information such as:
• Information obtained from the understanding of the group, its components, and
their environments, and of the consolidation process, including audit evidence
obtained in evaluating the design and implementation of group-wide controls and
controls that are relevant to the consolidation.
• Information obtained from component auditors.
• The spread of information and the increased number of places it is coming from
mean it is more complex to undertake a risk assessment.

Question 10
Any five of the areas addressed below:

(a) An overview of the type of work to be performed on the financial information of
the components.

(b) An overview of the nature of the group engagement team’s planned involvement in
the work to be performed by the component auditors on the financial information
of significant components.

(c) Instances where the group engagement team’s evaluation of the work of a
component auditor gave rise to a concern about the quality of that auditor’s work.

(d) Any limitations on the group audit, for example, where the group engagement
team’s access to information may have been restricted.

(e) Fraud or suspected fraud involving group management, component management,
employees who have significant roles in group-wide controls, or others where the
fraud resulted in a material misstatement of the group financial statements.

(f) Outcomes from testing of internal controls, where significant deficiencies
were noted.

(g) Changes to the audit approach as a result of significant issues being identified
through the audit process.

Question 11
Any seven of the following would be correct:
• An introduction that sets out that the instructions are designed to inform the
component auditors of the scope of the work required for the purpose of the
group audit.
• Group background, including group structures, business overview, significant
events that occurred during the year, and the names of company directors and
management personnel.
• Client expectations.
• Engagement risk, including the identification of significant risks at the group and
component levels.
• Communication timetable, including reporting timetable and communications
protocols.
• Client engagement team.
• Audit and accounting standards, including independence requirements, notice on
the group engagement letter, and the requirement for a component level letter and
significant risks to be specifically addressed.
• Scope of work and materiality, including the procedures to be performed by the
component auditors and the procedures that will be performed by the group
engagement team.
• Reporting requirements, which will include acknowledgement of instructions,
independence declaration, interim reporting of significant matters, clearance reports,
and final summary of significant matters, including a summary of audit differences.

• Specific information required for consolidation purposes and for financial statement
disclosure requirements.
• Key audit matters to be reported if the parent entity is listed.
• Structure of management letter to be issued at the component level.
• Management representation letter requirements.
• Outline of the required subsequent events review report.

Question 12
Answer: a request for confirmation from the component auditors that they will:
• Provide group auditors with unrestricted access to their working papers;
• Provide the group auditor with copies of their working papers; or
• Be unable to provide group auditors with unrestricted access to their working papers
or copies thereof because of legal or regulatory reasons, which should be detailed
(this can be the case where component auditors are auditing within the USA,
for example).
In addition to arranging access to component auditors’ working papers, for significant
components the group auditor needs to consider whether they need to visit the
component auditors.

Question 13
The focus of such reviews would include the following:
• Whether any unadjusted material misstatements have been identified.
• Whether any fraudulent activity has been identified.
• Whether any going concern issue has been identified.
• Material departures from relevant accounting standards.
• Issues identified with independence of the component auditors.
• Subsequent events identified.
It is important that the group auditor understands in detail any likely impact on the
group financial statements from what has been reported by component auditors.

EXAM PRACTICE

QUESTION 1
Explain the objectives of the auditor in relation to the audit of a group.

QUESTION 2
May Tong is the group audit partner for Sticky Lollies Hong Kong Group. The audit process
for the group is well advanced with component clearance reports due within the next week.
May Tong has just received an email from a significant component auditor, KCUB & Co, in
Australia, explaining that they have discovered that they have a conflict of interest for which
no safeguards could be put in place to reduce the threat to an acceptable level. Advise the
appropriate procedures May Tong should consider to ensure that the Australian significant
component audit is completed by the required date.

QUESTION 3
You have recently joined the audit team for the group audit of Johnson Company and
its six subsidiary companies. The group’s business is development of urban housing in
SE Asia’s major cities. Two of the subsidiaries are audited by unrelated audit firms. You
are familiar with HKSA 315 (Revised 2019), Identifying and Assessing the Risks of Material
Misstatement, but this is your first group audit and you are trying to familiarise yourself with
HKSA 600 (Revised) Special Considerations – Audits of Group Financial Statements (including
the Work of Component Auditors). Your audit manager has asked you to prepare a list of
information items that should be collected by the group audit team to assist in the audit
planning process.

QUESTION 4
Gong Fa Company has a number of components in Hong Kong, Mainland China, Malaysia,
the United Kingdom, and the UAE. Recommend the key considerations that need to be made
by the group auditor in determining component materiality.

ANSWERS TO EXAM PRACTICE

QUESTION 1
The objectives of the auditor in relation to the audit of a group are:
(a) To determine whether they can act as the auditor of the group financial statements;

(b) If acting as the auditor of the group financial statements:

(i) To communicate clearly with component auditors about the scope and timing
of their work on financial information related to the components and their
findings; and

(ii) To obtain sufficient appropriate audit evidence regarding the financial information
of the components and the consolidation process to express an opinion on whether
the group financial statements are prepared, in all material respects, in accordance
with HKFRS.

QUESTION 2
May Tong will need to take immediate action if the looming deadline is to be met. As a first
step, he could appraise the working papers prepared by KCUB & Co and determine whether
sufficient appropriate audit evidence has been obtained for the component, to enable
effective clearance of the component’s balances. Given the conflict of interest issue, it is
unlikely that such a conclusion could be reached. If the situation had been identified earlier,
May Tong could have considered an alternative component auditor to complete the audit
work at the component level. It is likely, however, in the circumstances described that May
Tong would be better positioned to send group audit team members to complete the audit
of the significant Australian component this year and consider an alternative component
auditor for future periods.

QUESTION 3
The list of information items that should be collected by the group audit team is as follows:

• The group structure and activities;

• The business environment(s);

• Business risk and fraud risk at group and component levels;

• Group-wide controls;

• Group components and those components that are significant;

• The component auditors – integrity, competence, experience and professional status;

• The group financial reporting framework(s);

• Intra-group assets and liabilities, equity holdings, transactions and unrealised
profits; and

• The consolidation process.

QUESTION 4
As a starting point, HKSA 600 (Revised) requires the group engagement team to determine
materiality for the group financial statements as a whole, as part of the development of the
group audit strategy, so this would be done on the Hong Kong entity.

To reduce to an appropriately low level the probability that the aggregate of uncorrected
and undetected misstatements in the group financial statements exceeds materiality for the
group financial statements as a whole, component materiality is set lower than materiality
for the group financial statements as a whole. Different component materiality may be
established for different components. Component materiality need not be an arithmetical
portion of the materiality for the group financial statements as a whole, and, consequently,
the aggregate of component materiality for the different components may exceed the
materiality for the group financial statements as a whole. Component materiality is used
when establishing the overall audit strategy for a component.

Component materiality is determined for those components whose financial information
will be audited or reviewed as part of the group audit. Component materiality is used by the
component auditors to evaluate whether uncorrected detected misstatements are material,
individually or in the aggregate.

In the case of an audit of the financial information of a component, the component
auditors (or group engagement team) determine performance materiality at the
component level. This is necessary to reduce to an appropriately low level the probability
that the aggregate of uncorrected and undetected misstatements in the financial
information of the component exceeds component materiality. In practice, the group
engagement team may set component materiality at this lower level. Where this is the case,
the component auditors use component materiality for the purposes of assessing the
risks of material misstatement of the financial information of the component and to design
further audit procedures in response to assessed risks as well as for evaluating whether
detected misstatements are material, individually or in the aggregate.

12 Other Assurance Engagement Requirements

CHAPTER TOPIC LIST

12.1 Other Assurance Engagements Requirements Overview
12.1.1 Scope and Terminology
12.1.2 Critical Distinctions Between Assurance and Non-assurance Engagements

12.2 Other Assurance Engagements and Non-Assurance Engagements Overview
12.2.1 Reviews Overview
12.2.2 Assurance Engagements Other than Reviews or Audits Overview
12.2.3 Assurance Reports on Controls at a Service Organisation Overview
12.2.4 Assurance Engagements on Greenhouse Gas Statements Overview
12.2.5 Pro Forma Financial Information Overview
12.2.6 Summary of Financial Statements Overview
12.2.7 Investment Circular Reporting Engagements Overview
12.2.8 Agreed-Upon Procedures Overview
12.2.9 Preliminary Announcements of Annual Results Overview
12.2.10 Continuing Connected Transactions Overview
12.2.11 Comfort Letters Overview
12.2.12 Due Diligence Work Overview
12.2.13 Compilation Engagements Overview

12.3 Engagement Risks for Other Assurance and Non-assurance Engagements
12.3.1 Ethical Requirements of the Engagement
12.3.2 Engagement Acceptance and Continuing the Engagement
12.3.3 Agreeing on the Terms of the Engagement
12.3.4 Planning and Performing the Engagement
12.3.5 Materiality and Assurance Engagement Risk
12.3.6 Engagement Quality Management

12.4 Obtaining Sufficient Evidence – Overview
12.4.1 Obtaining an Understanding of the Subject and Engagement
12.4.2 Reasonable Assurance Testing
12.4.3 Sampling

12.5 Communication with Those Charged with Governance
12.5.1 Methods of Communication
12.5.2 Timing of Communication
12.5.3 Content of the Communication with Those Charged with Governance

12.6 Evidence Analysis Overview
12.6.1 Subsequent Events Review
12.6.2 Documentation

12.7 Preparing the Engagement Report
12.7.1 Other Assurance Report Contents
12.7.2 Non-assurance Report Contents


LEARNING OUTCOMES

PRINCIPAL LO1: PERFORM ASSURANCE ENGAGEMENTS


LO1.01: P
 repare, plan and develop assurance engagements including the audits of financial
statements in accordance with relevant Hong Kong Standards of Quality Management,
Auditing, Assurance and Related Services, guidance and legislation with emphasis on:
Other assurance engagement requirements
1.01.01 Explain why users need assurance reports
1.01.02 D
 escribe the level of assurance and the issues relating to other assurance and non-assurance
engagements, including:
• Agreed-upon procedures
• Pro-forma financial information
• Investment circular reporting engagements
• Preliminary announcements of annual results
• Continuing connected transaction
• Comfort letters
• Due diligence work
1.01.03 Analyse the potential engagement for the risks it presents to the auditor
1.01.04 Prepare an engagement letter
1.01.05 Determine an approach to gathering sufficient appropriate evidence
1.01.06 Determine the methods, timing and content of communication with those charged with
governance
1.01.07 Analyse the results of evidence collected
1.01.08 Prepare the engagement report


OPENING CASE

BRIEFING TO AUDIT COMMITTEE OF YAU MANUFACTURING COMPANY LIMITED, A LISTED
HONG KONG COMPANY ON UNDERSTANDING OTHER ASSURANCE ENGAGEMENTS

Your firm (Jay & Co) has been asked to advise the Chief Executive Officer about the
assurance services available to their recently re-organised company, Yau Manufacturing
Company Ltd (Yau). Yau manufacture high-quality chipsets for inclusion in laptops. Yau have
also had a change in senior management with the Chief Financial Officer, Chief Operating
Officer, and the chair of the Audit Committee being recently appointed. Specifically, Yau want to
understand the different types of assurance engagements or any other engagements your firm
has the expertise to perform, given your firm, Jay & Co, is not the auditor of Yau.

On further discussion with the Chief Executive Officer, to better understand their specific
assurance requirements, you find that Yau is contemplating acquiring another Hong Kong
listed entity in the next few years. Also, Yau’s financiers (Dan & Co) have requested further
information on Yau in relation to the recent increase in their secured loan borrowing limits.
That increase was arranged to fund an expansion of Yau’s manufacturing plant located
in Chengdu.

Yau has also heard about non-assurance services such as agreed-upon procedures and
would like to understand the benefits compared to traditional assurance services, particularly
in respect of reporting on the efficiency and effectiveness of internal controls designed to
ensure quality assurance on the various chipsets manufactured. Yau recently put into place
improved internal controls at their manufacturing plant after a spate of quality-related issues
with their chipsets.


OVERVIEW

This chapter focuses on explaining the different types of assurance engagements that can be
performed for an entity by an HKICPA practitioner, why they are needed, key considerations
in performing these engagements, the procedures required to conduct the common types of
assurance engagements, and the reporting outputs. Non-assurance engagements are also
explained.

The intended users of the engagement report determine what type of engagement they
require for their particular information needs and circumstances (assurance or non-assurance)
and in cases where law or regulation does not specify, the type of assurance provided (limited or
reasonable assurance). The intended users may be the entity, regulators, current or potential
investors/shareholders, banks, other financiers, suppliers, and/or customers.

If independent assurance by an HKICPA practitioner is required on particular entity financial
and/or non-financial information (called subject matter information in this chapter), then an
assurance engagement is appropriate. If independent assurance is not required, but the entity
wishes to have an HKICPA practitioner (who may or may not be independent) perform certain
procedures on the entity’s subject matter information to report factual findings or the results of
compiling information, then a non-assurance engagement is appropriate. For all engagements,
practitioners must possess adequate knowledge in the subject matter information (financial
and non-financial information), act with due care, keep an objective state of mind, and obtain
suitable evidence for their reporting on the entity’s subject matter information.

Assurance and non-assurance engagements are performed at the request of the entity
for a wide variety of reasons and covering a wide variety of subject matters (financial and/or
non-financial information), including:

• Compliance with the requirements of law or regulation, e.g. an entity undertaking debt
or equity securities fundraising.

• Compliance with the terms of bank or financing covenant agreements.

• Compliance with other contractual obligations (e.g. supplier agreement).

• To facilitate prospective mergers and acquisitions.

• To provide management of the entity with independent comfort that a process, control,
or system is working as designed.

Assurance engagements (including review engagements) can provide either limited
or reasonable assurance to intended users. They are designed to enhance the degree of
confidence of intended users of the assurance report about the outcome of the practitioner’s
evaluation or measurement of the subject matter information against applicable criteria.
The type of assurance required again depends on the engagement circumstances and, in
some cases, the requirements of HKICPA standards. The procedures performed are planned,
designed, and performed by the practitioner based on their risk assessment of the subject
matter information and the engagement. The entity, as the responsible party, prepares and
accepts responsibility for the accuracy and completeness of the subject matter information on
which the practitioner provides assurance.

Non-assurance engagements provide no assurance on the specified subject matter
information; instead, the practitioner reports factual findings based on performing procedures
agreed with the entity. Again, the entity, as the responsible party, prepares and accepts
responsibility for the accuracy and completeness of the subject matter information on which
the practitioner provides no assurance.

This chapter uses the terminology of ‘entity’ throughout to describe an organisation that
has requested the practitioner to perform an assurance or non-assurance engagement, and
who is the responsible party. An entity can be a company (private or public), a sole proprietor,
a partnership, or a foreign company office. The focus in this chapter is on a company structure.
Further, it is assumed that the entity is the responsible party for all engagements discussed in
this chapter.

This chapter also uses the terminology ‘HKICPA standards’ to describe the suite of auditing,
assurance, and non-assurance standards issued by the HKICPA with which the practitioner, as
a professional accountant – as per the HKICPA's Code of Ethics for Professional Accountants (also
known as Code of Ethics) – must comply.

12.1 OTHER ASSURANCE ENGAGEMENTS REQUIREMENTS OVERVIEW

12.1.1 Scope and Terminology


12.1.1.1 Scope
This chapter explains both assurance and non-assurance engagements. It will detail the key
differences between these engagement types, when and how they are used, and provide the
common examples of each type.

The HKICPA Preface to the Hong Kong Quality Management, Auditing, Review, Other Assurance,
and Related Services Pronouncements (the Preface) specifies that the Hong Kong Standards apply
to particular types of assurance and non-assurance engagements.

Engagements Providing Assurance


As noted in Chapter 1, assurance engagements can be undertaken on a broad range of
financial and non-financial information, with an audit being just one form of an assurance
engagement. Other than audits, reviews and other assurance engagements are also examples
of assurance engagements.


In assurance engagements, the practitioner is engaged by the entity (responsible party) to
independently provide assurance about the entity’s prepared subject matter information, which
will have been prepared for intended users.

A reasonable assurance engagement requires the practitioner to reduce the assurance
engagement risk to an acceptably low level as the basis for a positive conclusion. This type
of engagement consists of the practitioner making inquiries, applying analytical procedures,
and inspecting relevant documentation. The engagement is planned and conducted to obtain
sufficient appropriate evidence on the subject matter information on which to base the
conclusion, with much of that evidence being persuasive rather than conclusive. There are
inherent limitations to a reasonable assurance engagement (it can achieve a high but not
absolute level of assurance). A common example of a reasonable assurance engagement is an
audit. The conclusion is couched in wording such as ‘the practitioner believes that the subject
matter information is presented in accordance with (applicable framework) . . .’

A limited assurance engagement requires the practitioner to reduce the assurance
engagement risk to an acceptably low level as the basis for a negative conclusion. This type of
engagement consists of the practitioner making inquiries and applying analytical procedures
(applying fewer audit type procedures with less emphasis, if any, on tests of controls and
obtaining evidence from external sources than for a reasonable assurance engagement) and
utilises practitioner knowledge gained from any previous engagements with the client entity.
A common example of a limited assurance engagement is a review. The conclusion is couched
in wording such as ‘nothing came to my attention that causes the practitioner to believe that
the subject matter information is not presented in accordance with (applicable framework) . . .’

There are a number of categories of standards that deal with other assurance engagements
and with non-assurance engagements (‘other’ refers to engagements other than audits and
reviews of historical financial information):

• Other assurance engagements (Hong Kong Standards on Assurance Engagements – HKSAE)

1. An overarching assurance standard applicable for all HKSAE assurance engagements
other than audits and reviews.

(HKSAE 3000 (Revised) Assurance Engagements Other Than Audits or Reviews of
Historical Financial Information) (Note that HKSAE 3000 (Revised) does not apply to
the HKSRE review standards or HKSIR investment circular reporting standards.)

2. Reasonable or limited assurance on specific internal controls at a service organisation.

(HKSAE 3402 Assurance Reports on Controls at a Service Organisation)

3. Reasonable or limited assurance on the entity’s reported greenhouse gas emissions
statement.

(HKSAE 3410 Assurance Engagements on Greenhouse Gas Statements)


4. Reasonable assurance on the entity’s compilation of pro forma financial information
included in a prospectus.

(HKSAE 3420 Assurance Engagements to Report on the Compilation of Pro Forma
Financial Information Included in a Prospectus)

• Investment circular reporting (Hong Kong Standards on Investment Circulars – HKSIR)

1. Reasonable assurance on the entity’s historical financial information included in
investment circulars (e.g. prospectuses).

(HKSIR 200 Accountants’ Reports on Historical Financial Information in Investment
Circulars)

2. Specific agreed-upon procedures (no assurance) by the appointed auditor of the
entity contained in an auditor’s comfort letter requirements related to the entity’s
due diligence transactions.

(HKSIR 400 (Revised) Comfort Letters and Due Diligence Meetings)

3. Reasonable assurance on the entity’s profit forecast or the statement of sufficiency
of the entity’s working capital or agreed-upon procedures (no assurance) on the
statements of the level of indebtedness.

(HKSIR 500 Reporting on Profit Forecasts, Statements of Sufficiency of Working Capital
and Statements of Indebtedness)

• Applicable Practice Notes (PN)

1. Specific agreed-upon procedures (no assurance) by the appointed auditor of the
entity of the preliminary results of the entity for the financial year.

(PN 730 (Revised) Guidance for Auditors Regarding Preliminary Announcements
of Annual Results read in conjunction with HKSRS 4400 (Revised) Agreed-Upon
Procedures Engagements)

2. Limited assurance by the appointed auditor of the entity in respect of reporting on
continuing connected transactions.

(PN 740 (Revised) Auditor’s Letter on Continuing Connected Transactions Under the
Main Board Listing Rules read in conjunction with HKSAE 3000 (Revised) Assurance
Engagements Other Than Audits or Reviews of Historical Financial Information)

PN 810.1 (Revised) Licensed Insurance Broker Companies – Compliance with the
Insurance (Financial and Other Requirements for Licensed Insurance Broker Companies)
Rules. The engagement may be performed by an external auditor, internal auditor,
or government auditor.

• Other types of assurance engagements (not HKICPA Standard specific)

◦ Compliance audits. The objectives of the practitioner are to obtain limited or
reasonable assurance on the extent to which the specified requirements have been
complied with. Examples of requirements are compliance with specified policies,
procedures, contracts, laws, or regulations. The practitioner compares/measures
the requirements to suitable criteria, which will vary depending on the nature of the
requirements. These types of audits are often performed by the internal auditor of
the entity.

◦ Operational audits. Their scope is more extensive than compliance audits,
for example it may involve the practitioner assessing the effectiveness of the
procedures that are being audited. While an element of assurance is given
(particularly with regard to the compliance elements of the assignment), the audit
is designed with the intention of the internal auditor drawing their own conclusions
about the systems from the work performed. These types of audits are often
performed by the internal auditor of the entity.

◦ Performance audit (value for money (VFM) audits). These audits are conducted in
all sectors by external auditors and internal auditors and cover a broad range of
activities. In a VFM audit, the objectives of a specified activity need to be understood
to properly assess whether value for money has been achieved by that activity.
Objectives may be financial (e.g. maximising profit, minimising cost) or non-financial
(e.g. achieving delivery of certain services to a target population). Practitioners
generally conduct VFM audits by assessing the activity in terms of how it achieved
its economy, efficiency, and/or effectiveness measures. These are explained
as follows:

– Efficiency examines how well the entity’s activity is able to minimise inputs
used to deliver required outputs (being quality, quantity, and timing). These
audit types are investigative, i.e. did the entity make the most of its allocated
resources to deliver what was required for that activity?

– Effectiveness examines the extent to which the entity’s activity achieved its stated
objective(s). These audit types are compliance focused, i.e. did the entity do
what it said it would or it was required to for that activity?

– Economy examines the entity’s ability to minimise the cost of the activity’s
resources, while still meeting its timeliness and availability of required quantity/
quality outputs. These audit types are investigative, i.e. did the entity minimise
costs to achieve the greatest activity benefit? (benefit versus cost).

Examples of VFM audits include:

• In a for-profit entity (non-government or government), internal auditors assessing an
individual profit centre for how efficiently they achieved their profit target for a given
time period.

• In a not-for-profit, non-government entity, external auditors assessing the
effectiveness of an activity, for a given time period, designed to provide vision impaired
children with access to education support resources to help them learn to read.

• In a not-for-profit, government entity external auditors assessing how effectively a
provincial child immunisation health programme was able to deliver immunisation
services to the target of X% of the population for a time period.

Non-Assurance Engagements
Non-assurance engagements (also called non-assurance services) provide the intended users
with additional, objective information on certain targeted subject matter information to allow
them to form their own opinion regarding the subject matter information. There are some
engagements that a practitioner conducts that are not assurance engagements as they provide
no assurance (i.e. include no opinion or conclusion) to the intended users of the practitioner’s
report. An example is when a practitioner is requested to perform procedures determined by
management in order to report on whether an entity’s implemented internal controls over the
monthly financial reporting close process are operating as designed.

In non-assurance engagements, the HKICPA independence requirements are not met
as the practitioner has not independently determined the nature, timing, and extent of
procedures to perform, instead agreeing to perform the entity’s specified procedures. While
independence is not a requirement, HKICPA practitioners always apply objectivity as one of
the fundamental principles in the Code of Ethics. The procedures performed by the practitioner
will vary depending on requirements and needs. They may include procedures such as enquiry
and analysis, re-computation/re-performance, comparison and other clerical accuracy checks,
observation, inspection, and confirmations. If, for example, the practitioner’s report is going
to be used by a party other than the entity, such as their bank, it is up to the entity and the
bank to ensure that the procedures the practitioner will perform are suitable to give them the
additional information they require.

The type of subject matter information (financial or non-financial) and the procedures
performed will vary depending on the individual engagement requirements and needs. The
entity, having received the practitioner’s report, interprets the findings in the context of their
business, draws their own conclusions, and takes any appropriate action(s). Non-assurance
engagements do not require the practitioner to verify the accuracy or completeness of the
information provided by the entity on which the practitioner performs the procedures.

Engagements not providing assurance are performed under HKICPA Standards on Related
Services (HKSRS). There are two HKSRS applicable:

(a) Engagements to provide factual findings on certain financial information.

(HKSRS 4400 (Revised) Agreed-Upon Procedures Engagements)

(b) Engagements to provide factual findings on compiled information.

(HKSRS 4410 (Revised) Compilation Engagements)

12.1.1.2 Terminology
The following are key terms used in this chapter relevant to a range of ‘other assurance
engagements’:

• Agreed-upon procedures engagement: ‘An engagement in which an auditor is
engaged to carry out those procedures of an audit nature to which the auditor and the
entity and any appropriate third parties have agreed and to report on factual findings.
The recipients of the report form their own conclusions from the report by the auditor.
The report is restricted to those parties that have agreed to the procedures to be
performed since others, unaware of the reasons for the procedures may misinterpret
the results.’ It is a non-assurance engagement.

• Compilation engagement: ‘An engagement in which a practitioner applies accounting
and financial reporting expertise to assist management in the preparation and
presentation of financial information of an entity in accordance with an applicable
financial reporting framework, and reports as required by this HKSRS’ (HKSRS 4410
(Revised)). It is a non-assurance engagement.


• Connected persons: Related parties of the entity and include, for example, a director,
chief executive, or substantial shareholder of the listed issuer or any of its subsidiaries,
or their associates and any persons deemed by the Stock Exchange to be connected.

• Connected transactions: Transactions with connected persons, and specified
categories of transactions with third parties that may confer benefits on connected
persons through their interests in the entities involved in the transactions.

• GHG statement: A statement setting out constituent elements and quantifying an
entity’s greenhouse gas (GHG) emissions for a period and, where applicable, includes
comparative information and explanatory notes including a summary of significant
quantification and reporting policies. It may also include a categorized listing of
removals or emissions deductions. GHGs are defined as carbon dioxide and any other
gases required under the applicable criteria to be included in the GHG statement.

• Investment circular: A document issued by an entity relating to securities and for the
information or investment decision of the holders of the entity’s securities or other
parties, including without limitation a listing document, a prospectus, a circular to
shareholders or similar document.

• Pro forma financial information: Financial information shown together with
adjustments to illustrate the impact of an event or transaction on unadjusted financial
information as if the event had occurred or the transaction had been undertaken at an
earlier date selected for purposes of the illustration. It is presented in columnar format
showing unadjusted financial information (usually historical), pro forma adjustments
(reflecting the proposed transaction/event), and the resulting pro forma results column.

• Prospective financial information: Financial information based on assumptions
about events that may occur in the future and possible actions by an entity.
Prospective financial information can be in the form of a forecast, a projection or a
combination of both.

• Service organisation: An independent third-party organisation that provides particular
services to user entities that are of likely relevance to user entities’ internal control as it
relates to financial reporting. That is, they provide a service to the entity that the entity
relies on as part of its financial reporting process.

• Summary financial statements: Historical financial information extracted from the
audited financial statements. They are prepared by the entity’s management based on
applied criteria set by the entity that the practitioner audits.

12.1.2 Critical Distinctions Between Assurance and Non-assurance Engagements
As already explained in Chapter 1, Section 1.1.1, there are five elements that must be present
for the engagement to be an assurance engagement. By way of brief reminder, these
elements include:

• A three-party relationship (the practitioner, the responsible party – within the entity –
and intended users);

• Appropriate subject matter (identifiable and capable of consistent evaluation/
measurement against the identified criteria);


• Suitable criteria (depends on engagement circumstances – may need to be specified
by law/regulation or designed to meet the needs of specified intended users. Criteria
provide the definitive reference for evaluating/measuring the subject matter against);

• Sufficient, appropriate evidence to support the assurance conclusion; and

• A conclusion contained within a written report.

As noted in the assurance engagement definition, the practitioner in an assurance
engagement obtains sufficient appropriate evidence on the financial/non-financial information
about the outcome of the measurement or evaluation of the underlying subject matter against
criteria to enable them to express a conclusion, having planned, designed, and performed their
audit procedures to achieve this outcome.

If any of the above assurance elements are missing, then the engagement is not an
assurance engagement. In a non-assurance engagement, the practitioner ordinarily does not
specify the criteria (the entity does), and the level of evidence obtained on the subject matter
information is less than required for an assurance engagement. The factual findings report
issued by the practitioner on the results of the agreed procedures therefore provides the entity
with no independent assurance on the underlying subject matter information and the entity
has to form their own opinion about the outcome of the reported findings. The practitioner
does not verify or express any opinion on the accuracy or completeness of the entity’s
information being reported on.

Key Learning Point


Practitioners can perform a wide variety of assurance engagements (other than audits) on
different subject matter information and also conduct engagements that do not provide
any assurance on the specified subject matter.

Knowledge Check Questions

Question 1
Identify which of the following is not an assurance engagement.
A An engagement to report on whether certain financial internal controls are operating as
designed by the company.
B An engagement to report on the effectiveness of the company’s financial internal
controls related to inventory.
C An engagement to report on the effectiveness of certain company financial internal
controls related to inventory, by performing procedures specified by the entity.
D An engagement to report on whether the company’s financial internal control
environment is operating effectively.

Question 2
Explain whether an HKICPA practitioner is able to perform all types of assurance and
non-assurance engagements.


12.2 OTHER ASSURANCE ENGAGEMENTS AND NON-ASSURANCE ENGAGEMENTS OVERVIEW

Assurance engagements are reviews and any other assurance engagements, other than audits.

12.2.1 Reviews Overview


A review engagement is a particular type of assurance engagement that is designed to provide
a limited assurance conclusion that the financial information subject to review is free from
material misstatement.

The practitioner designs procedures (consisting of making enquiries, performing analytical
procedures and other review procedures – observing, reading, and evaluating) to reduce, to
a moderate level of risk, the possibility of expressing an inappropriate conclusion. A review
may bring significant matters affecting the financial information to the practitioner’s attention,
but it does not provide all of the evidence that would otherwise be required in an audit. It
does not provide the practitioner with a basis for expressing an opinion as to whether the
financial information gives a true and fair view or is presented fairly, in all material respects,
in accordance with an applicable financial reporting framework. Review engagements are by
nature more cost effective than an audit as they are less time consuming and require fewer
procedures to be performed.

The two HKSREs that apply to review engagements are:

• HKSRE 2400 (Revised) Engagements to Review Historical Financial Information (performed
by a practitioner who is not the auditor of the entity).
The objective of this review is to enable a practitioner to state whether, on the
basis of procedures that do not provide all the evidence that would be required in a
review, anything has come to the practitioner’s attention that causes them to believe
that the historical financial information is not prepared, in all material respects, in
accordance with an applicable financial reporting framework (being the applicable
criteria). As the practitioner is not the entity’s auditor, they will not ordinarily have
the same understanding of the entity and its environment, including its internal
controls relevant to financial reporting, and therefore have to perform additional
procedures from that of HKSRE 2410 to gain an understanding sufficient for the
engagement.

• HKSRE 2410 Review of Interim Financial Information Performed by the Independent
Auditor of the Entity (performed by a practitioner who is the auditor of the
reporting entity).

The objective of this review is to enable a practitioner to state whether, on the
basis of procedures that do not provide all the evidence that would be required in a
review, anything has come to the practitioner’s attention that causes the practitioner to
believe that the interim financial information is not prepared, in all material respects,
in accordance with an applicable financial reporting framework (being the applicable
criteria). This engagement is required for listed issuers by the Main Board Listing Rules

725

c12.indd 725 16-11-2022 18:49:24


BUSINESS ASSURANCE

and GEM Listing Rules. It can also be applied in circumstances when the practitioner
reviews historical financial information (other than interim financial information).
The practitioner, as the appointed auditor, brings audit-based knowledge to such an
engagement, including having an understanding of the entity and its environment,
including its internal controls relevant to financial reporting.

12.2.2 Assurance Engagements Other than Reviews or Audits Overview


HKSAE 3000 (Revised) Assurance Engagements Other Than Audits or Reviews of Historical Financial
Information (HKSAE 3000 (Revised)) applies to engagements where the practitioner provides
either limited or reasonable assurance as to whether the particular subject matter is free from
material misstatement based on the outcome of the measurement or evaluation (applicable
criteria) of that underlying subject matter information. It is the overarching standard for all
assurance standards and sets out the minimum requirements for all assurance engagements
in terms of their general acceptance and continuance, planning, performing, evaluating, and
minimum reporting requirements and is designed to cover diverse types of subject matter
information (financial or non-financial information) and different levels of assurance. It
also contains relevant ethical and quality management requirements. The subject matter
information specific standards in the HKSAE suite are to be read in conjunction with this
standard such that the assurance practitioner must comply with the requirements of both
standards.
It is important to note that the practitioner does not have to be the entity’s auditor to
perform most of these assurance engagements. Where the practitioner must also be the
auditor, this will be noted and explained as to the reasons why this is the case.

The practitioner plans and performs assurance engagements with:

• An attitude of professional scepticism, recognising that circumstances may exist that
cause the subject matter information to be materially misstated;
• Using professional judgement, including in planning, determining the nature, timing
and extent of the procedures, and evaluating the evidence collected; and

• Using assurance skills and techniques as part of an iterative, systematic
engagement process.

12.2.3 Assurance Reports on Controls at a Service Organisation Overview


HKSAE 3402 Assurance Reports on Controls at a Service Organisation applies to assertion-based
engagements where the practitioner (known as a service auditor) is engaged by an entity
(called a service organisation) to provide reasonable assurance on the organisation’s suitable
design of a particular system’s internal controls related to financial reporting, as compared
to the described and designed control objectives. The standard applies only when the service
organisation is responsible for, or otherwise able to make a statement about, the suitable
design of controls.

The assurance report is used by the entity and its external auditors. The practitioner’s
report is described as either a type 1 or type 2 report. A type 1 report is a report on the
description and design of controls at the service organisation. A type 2 report is a report on
the description, design, and operating effectiveness of controls at the service organisation.
The practitioner does not have to be the entity’s auditor to perform this engagement.
HKSAE 3402 is read in conjunction with HKSAE 3000 (Revised).

Examples of service organisations are superannuation administrators (processing member
benefit payments and contributions received), outsourced payroll providers (processing and
paying employee wages, salaries, and entitlements), outsourced expenditure processors
(processing and paying direct invoices), and IT administrators (maintaining the general controls
of a particular computer system or the entire network).

12.2.4 Assurance Engagements on Greenhouse Gas Statements Overview


HKSAE 3410 Assurance Engagements on Greenhouse Gas Statements applies to practitioners
providing limited or reasonable assurance on an entity’s greenhouse gas (GHG) statement.
Where the engagement does not cover the entity’s entire GHG statement, the term ‘GHG
statement’ is to be read as that portion that is covered by the engagement. The practitioner
does not have to be the entity’s auditor to perform this engagement. HKSAE 3410 is read in
conjunction with HKSAE 3000 (Revised).

HKSAE 3410 sets out practitioners’ responsibilities in identifying, assessing, and responding
to risks of material misstatement when reporting on GHG statements. The statement can be
prepared as part of a regulatory disclosure regime, as part of an emissions trading scheme
(ETS), or to inform investors and others on a voluntary basis. HKSAE 3410 applies to a broad
range of situations, from emissions from electricity used at a single office to emissions
from complex physical or chemical processes at several facilities across a supply chain. The
practitioner’s assurance conclusion is expressed in terms of whether the GHG statement is
prepared in all material respects in accordance with the applicable criteria. Applicable criteria
in the context of HKSAE 3410 are the criteria used by the entity to quantify and report its
emissions in the GHG statement.

HKEX Listing Rules, Appendix 27 Environmental, Social and Governance Reporting Guide
(31 December 2015 onwards) contains environmental, social, and governance reporting
obligations for Hong Kong listed entities (these are couched in terms of those that are ‘comply
or explain’ and disclosures that are simply recommended) that include GHG reporting.

12.2.5 Pro Forma Financial Information Overview


HKSAE 3420 Assurance Engagements to Report on the Compilation of Pro Forma Financial
Information Included in a Prospectus deals with reasonable assurance assertion-based
engagements undertaken by a practitioner to report on a responsible party’s compilation of pro
forma financial information included in a prospectus. HKSAE 3420 is read in conjunction with
HKSAE 3000 (Revised).

Pro forma financial information reflects a significant event or transaction of the entity and
is ordinarily prepared for inclusion in a fundraising prospectus, pursuant to the Main Board
Listing Rules, the Hong Kong Takeover Code, or the Companies (Winding Up and Miscellaneous
Provisions) Ordinance. There are Hong Kong Listing Rules that apply to issuer prospectuses and
where an issuer includes pro forma financial information in any document.

Under HKSAE 3420, the practitioner performs procedures to obtain sufficient appropriate
evidence to enable them to assess whether the applicable criteria used by the entity in the
compilation of the pro forma information provide a reasonable basis for presenting the
effects of the event or transaction (for example an acquisition, disposal, or merger), whether
the adjustments made reflect the proper application of those adjustments to the underlying
financial information and finally that the pro forma financial information has been properly
compiled and has been appropriately presented and disclosed. It also involves evaluating
the overall presentation of the pro forma financial information. Applicable criteria in this
engagement are the criteria used by the entity to compile the pro forma financial information
and may be set by law or regulation or developed by the entity.

12.2.6 Summary of Financial Statements Overview


HKSA 810 (Revised) Engagements to Report on Summary Financial Statements deals with
reasonable assurance assertion-based engagements undertaken by a practitioner to report on
the entity’s summary financial statements, which have been directly extracted from the annual
financial statements audited by that same practitioner. It is to be read in conjunction with the
requirements of the suite of Hong Kong Standards on Auditing. This is because the engagement
relies on the underlying financial statements, from which the summary financial statements are
extracted, having been audited, and only the auditor can have the appropriate knowledge
of those audited financial statements. HKSA 810 (Revised) is read in conjunction with
applicable HKSA standards. The engagement is treated as separate to the audit of the financial
statements and has separate terms and conditions that may be separately included in the audit
engagement letter or issued as a separate engagement letter.

The practitioner’s objective, as the entity’s auditor, is to ensure that the summary financial
statements are appropriately extracted from the audited financial statements, the applied
criteria used for the extraction are acceptable, and the criteria have been used appropriately
in preparing the summary financial statements, and that the summary financial statement
disclosures contain the information necessary and are not misleading.

Apply and Analyse 1


The Chief Financial Officer of Yau Manufacturing Company Ltd, Ms. Chan, has requested
your firm, Jay & Co, to perform an assurance engagement to provide reasonable assurance
on Yau’s compliance with the borrowing facility covenants of its financiers, Dan & Co. They
explain that the required covenant calculations are directly derived from their historical
financial information results for the most recent financial year, 31 December 20X8.
The covenants are a mixture of amounts, percentages, and ratios. Dan & Co put these
covenants in place in the current financial year as a result of Yau’s secured loan being
increased to fund their expansion of their manufacturing plant located in Chengdu. Dan &
Co requires a copy of the assurance report. Jay & Co are not the appointed auditor of Yau.

Explain what HKICPA standard this engagement would be conducted under, and why.

Analysis

This reasonable assurance engagement would be conducted under HKSAE 3000 (Revised)
Assurance Engagements Other Than Audits or Reviews of Historical Financial Information. This
is due to the borrowing covenants being directly derived from Yau’s historical financial
information.

12.2.7 Investment Circular Reporting Engagements Overview


Investment circulars are used for issuing a new listing of debt or equity securities (or for
acquisitions/mergers). The Main Board Listing Rules and the GEM Listing Rules (the Rules
Governing the Listing of Securities on the Growth Enterprise Market) set out the reporting
requirements for entities.

An investment circular may contain a profit forecast, must contain statements of sufficiency
of working capital and statements of indebtedness and may include historical financial
information. This historical financial information may have been previously included in audited
financial statements, prepared solely in connection with the investment circular (‘underlying
financial statements’) and/or be other historical financial information that may or may not have
been audited.

12.2.7.1 Historical Financial Information


HKSIR 200 Accountants’ Reports on Historical Financial Information in Investment Circulars applies
to engagements where the practitioner, as the reporting accountant, is requested to prepare
a reasonable assurance accountants’ report on the entity’s historical financial information for
inclusion in an investment circular, such as a prospectus in accordance with the Companies
Ordinance (Sections 31–33 of Part II of the Third Schedule). The practitioner’s engagement
objective is to conclude on whether the reported historical financial information gives a true
and fair view for the purposes of the accountant’s report.

12.2.7.2 Profit Forecasts, Statements of Sufficiency of Working Capital and Statements of Indebtedness

HKSIR 500 Reporting on Profit Forecasts, Statements of Sufficiency of Working Capital and Statements
of Indebtedness provides guidance for when the practitioner, as the reporting accountant, is requested
to report on these specific types of information included in an investment circular document and
is written in the context of new listings of equity securities.

Profit Forecasts
Entities are not required to include a profit forecast in their investment circular document.
A profit forecast is the entity’s best estimate, using judgement and making certain assumptions,
of its future results at a point in time, assuming planned/expected future events and certain
transaction volumes, using historical financial information as the base to adjust. The time
period covered by the entity’s profit forecast ordinarily correlates with the financial year end
or sometimes half year end (provided the interim report for that half year is audited). Profit
forecasts must be clear, unambiguous, and presented in an explicit manner. The principal
assumptions on which it is based must be stated and it must be prepared on a basis that is
consistent with the entity’s normal accounting policies.

Where the entities choose to include a profit forecast, they are required to obtain a
reasonable assurance report from a practitioner on the profit forecast being properly compiled
by the entity on the basis of the assumptions made (and disclosed). The engagement is
conducted with reference to HKSAE 3000 (Revised) Assurance Engagements Other Than Audits
or Reviews of Historical Financial Information. The practitioner’s objective for this engagement
is to provide a reasonable assurance report on the profit forecast, being prospective financial
information, so far as the accounting policies and calculations are concerned, as to whether it
has been properly compiled by the entity on the basis of the assumptions made.

Profit forecasts by nature are highly subjective, contain inherent uncertainties, and depend
on the nature of the entity’s business (stable or highly volatile results), key assumptions, and
judgements the entity has made about future events and transactions. This is particularly
evident if the forecast reporting period extends beyond a year. Due to these factors, the
practitioner ordinarily restricts reporting on profit forecasts to those that are for periods one
year or less from the date of the last audited financial statements.

Statements of Sufficiency of Working Capital


Main Board Listing Rules (Appendix 1A) and GEM Listing Rules (Appendix 1A) require the entity’s
investment circular document for a new listing of equity securities to include a statement of
sufficiency of working capital by the issuer entity’s directors that in their opinion the working
capital available to the entity’s group is sufficient for the group’s present requirements (that
is for at least the next 12 months from the date of publication of the investment circular)
or, if not, how the directors propose to provide that additional working capital required.
The entity is required to obtain an independent assurance report from a practitioner on the
statement’s accuracy.

The practitioner’s objective for this engagement is to provide a reasonable assurance
report on the directors’ statement of sufficiency of working capital, primarily through making
inquiries of the entity’s management, considering the analyses and assumptions on which the
working capital forecast is based and applying analytical procedures to financial data in the
working capital forecast. The engagement is conducted with reference to HKSAE 3000 (Revised)
Assurance Engagements Other Than Audits or Reviews of Historical Financial Information.

Statement of Indebtedness
The Main Board Listing Rules and GEM Listing Rules require a listed issuer’s investment circular
document relating to a new listing of equity securities to include a directors’ statement of
indebtedness as at the most recent practicable date (normally no more than two months
before the issue of the investment circular) of the total amount of all loan capital, borrowings,
indebtedness, mortgages, charges, contingent liabilities, and guarantees. The entity is required
to obtain an independent report from a practitioner on the statement’s accuracy.

The practitioner’s objective for this engagement is to perform agreed-upon procedures
on the directors’ statement of the entity’s indebtedness and contingent liabilities and report
factual findings based on the results of those procedures. These procedures include confirming
with external financiers the entity’s financing facilities in place and reviewing the profit forecast.
The engagement is conducted with reference to HKSRS 4400 (Revised) Agreed-upon Procedures
Engagements.

12.2.8 Agreed-Upon Procedures Overview


In an agreed-upon procedures (AUP) engagement on particular financial information the
practitioner is engaged to carry out specified procedures on particular financial information
prepared by the entity and to report factual findings (no assurance is expressed). Financial
information can be an individual item of financial data (e.g. an account balance), a financial
statement, or a complete set of financial statements. Agreed-upon procedures engagements
are performed in accordance with HKSRS 4400 (Revised) Agreed-upon Procedures Engagements.

The standard can also be applied to non-financial information provided the practitioner has
adequate knowledge of the subject matter information and reasonable criteria exist on which
to base findings. The report is restricted for use to those parties who specified or agreed to the
procedures performed by the practitioner, as any other parties may misinterpret the results
reported. Users of the practitioner’s report must form their own conclusions on the results of
the procedures performed.

This type of engagement is useful as it can be targeted to particular financial information;
for example, it can cover accounts payable, accounts receivable, related party transactions, and
purchases/sales.

12.2.9 Preliminary Announcements of Annual Results Overview


The entity’s auditors must approve the publishing of the entity’s preliminary announcement
of annual results for the financial year under the requirements of the Main Board or GEM
Listing Rules (Appendix 4 Trust Deeds or Other Documents Securing or Constituting Debt Securities).
Preliminary announcements are the first public communication of the entity’s (as listed issuer)
financial year end results, and are relied on by investors and other interested parties to provide
timely, sufficient, and accurate information on the entity’s results and financial position, and
either confirm or update market expectations on the entity’s results. The engagement is a
non-assurance engagement.

The engagement is conducted in accordance with HKSRS 4400 (Revised) Agreed-Upon
Procedures Engagements (refer to Section 12.2.8 for more details) and PN 730 (Revised) Guidance
for Auditors Regarding Preliminary Announcements of Annual Results. The practice note provides
additional guidance for auditors on their specific responsibilities when reporting on the
preliminary announcements of results. The objective of this engagement is for the practitioner,
as auditor, to report factual findings on the preliminary announcement results to be reported,
including that they are consistent with the audited financial statements. Preliminary results may
be based on either audited financial statements or draft financial statements, depending on
the status of the audit process. If they are based on draft financial statements, the preliminary
announcement may need to be revised if such changes are identified through finalising the
audit process.

12.2.10 Continuing Connected Transactions Overview


PN 740 (Revised) Auditor’s Letter on Continuing Connected Transactions under the Main
Board Listing Rules provides guidance to a practitioner when performing limited assurance
engagements on the annual reporting of continuing connected transactions by a listed
issuer in the annual report. This annual reporting is required by Chapter 14A of the Main
Board Listing Rules or Chapter 20 of the GEM Listing Rules issued by the Stock Exchange of
Hong Kong Limited (the ‘Stock Exchange’). The engagement is conducted in conjunction with
HKSAE 3000 (Revised).

The listed issuer is required annually to request its auditor to issue a letter in respect of
continuing connected transactions and is required to state in the annual report whether its
auditor has confirmed the specific matters stated in the Listing Rules (see Section 1.2.1). The
practitioner is expected to be the entity’s auditor to perform this assurance engagement.

The types of transactions to be reported on include transactions of a capital or revenue
nature, and whether they are conducted in the ordinary and usual course of business of the
listed issuer’s group. Examples are (non-exhaustive list) acquisitions or disposals of assets,
entering into or terminating finance leases or operating leases or sub-leases, issuing new
securities of the listed issuer or its subsidiaries, and providing, receiving, or sharing services.

Related party transactions and other aspects of the annual audit may be relevant to a
listed issuer’s continuing connected transactions. The extent to which the auditor will be able
to consider procedures performed and the findings from the audit will vary. It might not be
possible to perform a direct comparison between the actual transaction amounts for the
continuing connected transactions and the amounts as reported in the financial statements.
An example is transactions with connected subsidiaries that were fully eliminated on
consolidation.

If the auditor has expressed or is intending to express a modified opinion on the financial
statements and the modification casts doubt on the matters to be reported on for continuing
connected transactions (e.g., an inability to obtain sufficient appropriate audit evidence in
respect of related party transactions), the auditor shall consider the implications for the
contents of his letter.

It is important to note that this engagement does not provide the practitioner with a basis
for expressing an opinion on whether the continuing connected transactions disclosed in the
listed issuer’s annual report give a true and fair view, or are presented fairly, in all material
respects, in accordance with an applicable financial reporting framework or whether the
listed issuer has complied with all the applicable requirements of the Listing Rules in respect of
continuing connected transactions.

12.2.11 Comfort Letters Overview


HKSIR 400 (Revised) Comfort Letters and Due Diligence Meetings deals with engagements where
the practitioner, as the entity’s auditor, is requested to issue a comfort letter in connection
with the entity’s due diligence responsibilities under Main Board Listing Rules/GEM Listing
Rules. The standard also applies when the practitioner participates in a due diligence meeting
for an offering of securities in Hong Kong. This is discussed in more detail in Section 12.2.12.
A comfort letter is issued to agreed addressees, usually the issuer entity and the sponsors,
being the signatories to the practitioner’s engagement letter and reports on particular
financial information included by the entity in a securities offering document for issuance to
third parties.

The procedures performed in this engagement are conducted in accordance with HKSIR
400 (Revised) and the relevant HKICPA standard for the engagement circumstances. The
engagement can be a combined assurance and non-assurance engagement. Limited assurance
is ordinarily provided on reporting on subsequent changes in historical financial information
included in the investment circular (in accordance with the principles in HKSAE 3000 (Revised)
Assurance Engagements Other Than Audits or Reviews of Historical Financial Information) with
factual findings reporting on the agreed-upon procedures (in accordance with the principles
in HKSRS 4400 (Revised) Agreed-Upon Procedures Engagements) performed on specific financial
and non-financial information included in the comfort letter. The practitioner is required
to have been the entity’s auditor for the time covered by the comfort letter. This is due to
the engagement report (letter) being dependent on in-depth knowledge of the audited
financial statements, which are related to the historical financial information included in the
comfort letter.

The comfort letter is issued to requesting parties in relation to particular financial
information related to, and/or included by, the entity in a securities offering document that will
be issued to third parties. The comfort letter is issued to the agreed addressees, usually the
issuer entity and the sponsors, being the signatories to the practitioner’s engagement letter.
It is prepared based on the practitioner:

• Having performed the requesting parties’ due diligence specified procedures as
measured against applicable criteria with no assurance expressed. The practitioner does
not determine whether the extent of such procedures is sufficient for the purposes
of the requesting parties. Practitioners only comment on matters to which their
professional competence is relevant. Additionally, the practitioner should comment
in the comfort letter on information other than financial information only
when it has been sourced from accounting records that are subject to internal controls,
policies, and procedures of which reporting accountants have knowledge or it has been
the subject of a separate assurance engagement conducted in accordance with the
relevant HKICPA standard.

• If applicable, having provided limited assurance (or if this is inappropriate in the
engagement circumstances, no assurance – factual findings) on the amount of
subsequent changes (increases/decreases) made in particular items in the audited
historical financial information (e.g. net current assets, share capital, long-term debt,
and receivables) that occurred subsequent to the date and period of the historical
financial information, and ending at the cut-off date. The practitioner avoids reporting
on the reasons for such changes. This subsequent changed information should be
prepared on the same basis as the underlying historical financial information.

12.2.12 Due Diligence Work Overview


The entity has particular due diligence responsibilities in respect of issuing securities (debt or
equity) as set out by the Hong Kong Stock Exchange, which a sponsor assists in performing.
A sponsor can be any corporation or authorised financial institution, licensed or registered
under applicable laws to advise on corporate finance matters, approved by the Stock Exchange
and appointed by a new entity applicant under the Listing Rules to assist the new entity with
its initial application for listing. The sponsor will conduct reasonable due diligence inquiries,
aimed broadly at ensuring that the issuer is suitable to be listed, that the directors understand
their obligations both on initial listing and subsequently, and that the investment circular
complies with the Listing Rules and is accurate and complete in all material respects and is not
misleading.

HKSIR 400 (Revised) also deals with engagements where the practitioner, as the entity’s
auditor, is requested by the sponsor to attend one or more meetings (due diligence meeting)
with the issuer entity representatives, sponsors, and legal counsel, at which meeting the
respective parties are requested to respond to the sponsor’s specific questions. These
questions, which assist the sponsor to fulfil their responsibilities, ordinarily relate to the business
of the issuer entity, information contained in the investment circular, the nature of the
engagement undertaken by the practitioner, financial reporting, corporate governance, and
other matters of interest to the sponsors.

A high-level summary of all the engagements discussed is included in Exhibit 12.1.

| Comparison | Assurance engagement | Review engagement | No assurance engagement |
|---|---|---|---|
| When do you choose this engagement type? | When an independent, reasonable, or limited conclusion is required over particular subject matter information other than audits or reviews. | When an independent conclusion on historical or interim financial information (particular subject matter information) is required, but the entity does not need the cost and extent of an audit. A review is a particular type of assurance engagement. | When there is no need for assurance on the subject matter information but requires the practitioner to perform agreed-upon procedures to: • Provide additional reliable information that specific matters have been done; or • Compile the entity’s financial information. |
| Is the practitioner required to be independent? | Yes, the practitioner’s independence is required for all types of assurance engagements. | Yes, the practitioner’s independence is required for all review engagements. | Independence is required where the non-assurance service is provided by the auditor of a Public Interest Entity, and the provision of that service creates a self-review or other threat. This means that services that have an effect on the financial statements, the accounting controls or the accounting system are prohibited. |
| What does the practitioner do in this type of engagement? | The practitioner assesses how the entity has prepared its subject matter information and provides an independent practitioner report giving a positive or negative opinion (as appropriate) on the subject matter information. | The practitioner assesses how the entity has prepared its historical or interim financial information and provides a report giving a negative independent practitioner opinion. Limited assurance provides a lower level of assurance than reasonable assurance. | The practitioner is required to perform procedures specified by the entity: • These procedures are not designed to support an opinion but are designed to provide a factual report to the user; or • The practitioner provides accounting expertise to the entity to compile and present their financial information. |

EXHIBIT 12.1 Overview of engagements


Key Learning Point


Assurance engagements can be diverse and cover a wide variety of financial and/or
non-financial information. The practitioner needs to have the appropriate expertise in the
subject matter information to perform these types of engagements. A review is a particular
type of assurance engagement, providing limited assurance on financial information that
may be performed by the entity’s auditor or an independent practitioner. Non-assurance
engagements can be diverse and cover a wide variety of financial and/or non-financial
information and are useful in targeting procedures on specific information and their
characteristics. The practitioner needs to have the appropriate expertise in the subject
matter information to perform these types of engagement.

Apply and Analyse 2


The Chief Financial Officer of Yau Manufacturing Company Ltd, Ms. Chan, has asked your
firm Jay & Co to perform an agreed-upon procedures engagement on the effectiveness
of recently implemented internal controls related to maintaining the quality assurance
process for their latest chipset production line at their manufacturing plant located in
Chengdu. Yau have provided you with a complete list of the procedures that they would
like you to perform in order to assess the effectiveness of the relevant internal controls,
and this list looks reasonable. They have asked that you visit the manufacturing plant as
part of the engagement and to perform some of the required procedures in observing the
controls in operation.

Explain what key considerations you should make prior to accepting this engagement if
Jay & Co are not Yau’s appointed auditor.

Analysis

HKSRS 4400 (Revised) Agreed-Upon Procedures Engagements is the relevant HKICPA
standard. It also applies to non-financial information.

Key considerations would include:

• Whether the practitioner can comply with the relevant ethical requirements in
the Code of Ethics and the requirements of HKSQM1 Quality Management for Firms
that Perform Audits or Reviews of Financial Statements or Other Assurance or Related
Services Engagements.

° In assessing the ethics, you should first consider if you have the appropriate
expertise and experience in internal controls related to quality assurance to
accept the engagement.

° There is no requirement to be independent in this type of engagement, but this
is not a problem as you are not Yau’s auditor.

• Assess if you can meet any engagement pre-conditions.

There are no specific pre-conditions in HKSRS 4400 (Revised).


The one pre-condition that Yau have asked for is that you visit the manufacturing plant
at Chengdu. You would need to assess the logistics of attending the plant, but this request
appears reasonable as it would be appropriate to observe the relevant internal controls.

• Considering any engagement risks of accepting this engagement.

You would need to consider Yau’s reputation (e.g. from any prior experience obtained
in performing different types of engagements for Yau), if you had, or anticipate for
this engagement, any difficulties in accessing or obtaining the required information, or
performing the procedures. Consider if Yau’s procedures are reasonable and complete, or
if there are any significant deficiencies in them that may make the engagement impractical
or an engagement you and your firm do not want to be professionally associated with.

12.2.13 Compilation Engagements Overview


In a compilation engagement, the practitioner is engaged to carry out specified compilation
procedures on particular financial information prepared by the entity and to report factual
findings (no assurance is expressed). Compilation engagements on historical financial information
are conducted in accordance with HKSRS 4410 (Revised) Compilation Engagements. The standard
can also be applied to financial information other than historical financial information, and to
non-financial information. The ‘financial information’ may be an individual item of financial data
(e.g. an account balance), a financial statement, or a complete set of financial statements.

Practitioners are requested to perform such engagements as they have professional
expertise in accounting and financial reporting in compliance with required standards and
can therefore assist management in the preparation and presentation of the entity’s financial
information in accordance with an applicable financial reporting framework (applicable criteria).
Users of the information derive benefit because of the professional competence and due care
with which the work is carried out and because of the ethical and professional standards that
apply to the work HKICPA practitioners perform.

A summary of the key engagement differences between assurance (including limited and
reasonable assurance) and non-assurance engagements is included in Exhibit 12.2.

| Engagement type | Applicable HKICPA standard | Assurance provided? | Type of assurance |
|---|---|---|---|
| Review of historical financial information | HKSRE 2400 (Revised) | Yes | Limited |
| Review of interim financial information performed by the independent auditor | HKSRE 2410 | Yes | Limited |
| Reporting on summary financial statements | HKSA 810 (Revised) | Yes | Reasonable |
| Assurance engagements other than reviews or audits | HKSAE 3000 (Revised) | Yes | Reasonable or limited |
| Reporting on controls at a service organisation | HKSAE 3402 | Yes | Reasonable |
| Reporting on greenhouse gas statement | HKSAE 3410 | Yes | Reasonable or limited |
| Reporting on pro forma financial information | HKSAE 3420 | Yes | Reasonable |
| Reporting on historical financial information in investment circulars | HKSIR 200 | Yes | Reasonable |
| Providing comfort letters and due diligence meetings | HKSIR 400 (Revised) | No | N/A |
| Reporting on profit forecasts | HKSIR 500 | Yes | Reasonable |
| Reporting on the statements of sufficiency of working capital | HKSIR 500 | Yes | Reasonable |
| Reporting on the statements of indebtedness | HKSIR 500 | No | N/A |
| Reporting on the preliminary announcement of results | PN 730 (Revised)/HKSRS 4440 | No | N/A |
| Reporting on continuing connected transactions | PN 740 (Revised)/HKSAE 3000 (Revised) | Yes | Limited |
| Agreed-upon procedures on financial information (or non-financial information) | HKSRS 4400 (Revised) | No | N/A |
| Compilation engagements of financial information | HKSRS 4410 (Revised) | No | N/A |

EXHIBIT 12.2 Summary of key engagement differences

Knowledge Check Questions

Question 3
Explain the primary way in which a review of interim financial statements differs from
an audit of financial statements.

Question 4
Identify which of the following best explains whether you can accept an engagement by an
entity to compile their financial statements when you are their appointed auditor.
A Yes, there is no problem with compiling financial statements that you then audit.
B No, performing both engagements is a clear conflict of independence for the practitioner
as the practitioner cannot audit financial statements they have compiled.
C No, performing both engagements is a clear conflict of the practitioner’s confidentiality
as the practitioner would obtain information on the financial statements that they could
use in planning the audit engagement.
D Yes, HKSRS 4400 (Revised) specifically allows this.


12.3 ENGAGEMENT RISKS FOR OTHER ASSURANCE AND NON-ASSURANCE ENGAGEMENTS

A practitioner prior to accepting a new engagement considers the risk of accepting the
engagement with that entity (client). Note that this risk is different from the engagement risk
assessment, which is used by the practitioner, post acceptance, to design procedures based on
the entity risks to enable the practitioner to conclude on the subject matter information criteria
and achieve the desired level of assurance (if applicable).

Engagement risk for non-assurance engagements is the risk that the practitioner reports
incorrect factual findings on the financial information.

Engagement risk for assurance engagements is the risk that the practitioner
expresses an inappropriate conclusion when the subject matter information is materially
misstated.

In assessing the specific engagement risk, the risks are very similar to those explained
in Chapter 3. The practitioner’s assessment is made based on the knowledge and
understanding they have obtained of the entity primarily through review of subject matter
information (sourced from a wide range of different reputable sources) and discussions
with relevant persons (for example, the current auditor, if the practitioner is not also the
appointed auditor, entity’s management, and those charged with governance, internal
audit, and key service providers of the entity related to the subject matter information).

For engagements requiring the practitioner’s independence, the outcomes of these
considerations may cause the practitioner to question their ability to accept the engagement on
the basis of threats to independence that they consider cannot be appropriately safeguarded,
or the other fundamental ethical principles contained in the Code of Ethics.

Engagement risks depend on the particular engagement circumstances and the type of
subject matter information and therefore vary from engagement to engagement.

Here are some examples of engagement risks to consider (non-exhaustive) based on the
practitioner’s preliminary understanding of the engagement:

• The nature of the subject matter information.

° Is the information complex or simple and how was it prepared?

–– Is it prepared on a historical basis? (Was this previously audited/reviewed?)

–– Is it prepared on a prospective basis? (This is ordinarily more risky than
historical, given the degree of subjectivity involved in preparation.)

–– Is it adjusted? (Is there an appropriate basis for the adjustments, based on
‘normal’ entity accounting or other policies?)

–– Is it unadjusted? (Is that reasonable in the engagement circumstances?)


° Is there a relevant HKICPA standard that applies to the subject matter? (This may
reduce risk.)

° Has any part of the subject matter information been previously audited/reviewed/
assured/reported on? If so, what were the report findings? (Previously audited/
reviewed/assured/reported on information may reduce risk, depending on their
findings.)

° What is the degree of subjectivity, estimation, or assumption inherent in the
information? (The more the information is subjective, subject to significant
management estimation, or based on management assumptions, the greater
the risk.)

• The type of assurance (if any) to be provided.

° Is the type of assurance requested reasonable, given the type of subject matter
information, engagement type and purpose, and the needs of the intended
users? (Limited assurance engagements are ordinarily less risky than reasonable
engagements given that they require a lower level of evidence.)

° Is the fact that the entity has requested a non-assurance engagement reasonable
given the subject matter information and engagement circumstances (e.g. consider
the purpose of the information and the needs of intended users)?
• The nature of the business.

° Are there any risks inherent in the entity’s industry, business, or regulatory
environment that may impact the engagement?

° Is the entity financially sound? (Do the entity’s most recent financial results indicate
any problems with their profitability, cash flow position, or going concern issues?)

• The organisational and management structure.

° Is the entity’s legal structure suitable for the type of entity or is it overly complex or
simple? (Does it make sense relative to the business type?)

° Is the entity’s organisational structure simple or complex? (Are there clear lines of
accountability?)

° Is the entity within a group? (Are there clear lines of accountability or segregation of
appropriate duties, and are there any related party transactions?)

• Management group’s key characteristics and integrity.

° Who are the key management personnel that may impact the engagement
(consider their cultural, governance, and internal control attitudes and the
perceived ‘tone at the top’)?

° Are they capable and competent to perform their roles?

° Are there any management incentives that may affect the engagement?

° Could management try and impose any restrictions on the engagement scope?


• Business relationships and related parties of the entity.

° Who are the entity’s key relationship stakeholders that may affect the
engagement (for example, suppliers, customers, consultants, experts, and other
interested parties)?

° Are there any known significant transactions or events that may impact the
engagement?

° Who are the entity’s related parties? Will they impact the engagement?

• The IT environment (including cyber security) as it relates to the engagement.

° What is the status of applicable key legacy systems? Have these been maintained,
regularly backed-up, upgraded, and secured? Can the entity consistently produce
reliable, accurate, and complete information?

° Are there any known security vulnerabilities in key systems (e.g. lack of internal
control – particularly IT general controls and application controls, or a lack of timely
patch management to deploy required updates)? Consider how these issues may
affect the integrity, accuracy, or completeness of the subject matter information.

° What is management’s attitude to maintaining appropriate security over key data
and putting systems into place to appropriately safeguard that data?

° Is there appropriate backup and continuity planning, and regular testing of systems
to ensure required controls are operating effectively (e.g. penetration testing)?

• Any prior knowledge and experience for engagements conducted for the entity.

° Have there been any prior disagreements, adverse findings, questionable actions, or
fee difficulties that may impact the engagement?

• Any legal, regulatory, and professional issues.

° Are there any potential impediments to perform the engagement (e.g. independence)?
Refer to Section 12.3.1 for a discussion on relevant ethical requirements that apply
to the engagement.

• The availability of appropriate engagement resources.

° Will the practitioner have access to appropriate and adequate professional
resources?

° Is the proposed fee for the work appropriate, and does it ensure that a quality
engagement can be conducted?

° Is the proposed timeframe for the engagement acceptable?

• The availability of required information and persons and quality of evidence to support
the subject matter information and any assurance to be provided.

° Is the practitioner aware of any matter that may call into question their ability to
obtain sufficient evidence to appropriately report on?


Apply and Analyse 3


The Chief Financial Officer of Yau Manufacturing Company Ltd, Ms. Chan, has requested
your firm, Jay & Co, to perform an assurance engagement to provide reasonable assurance
on their compliance with borrowing facility covenants set by their main financiers,
Dan & Co. Ms. Chan explains that the required covenant calculations are directly derived
from their historical financial information results for the most recent financial year,
31 December 20X8. The covenants are a mixture of amounts, percentages, and ratios.
Dan & Co put these covenants in place in the current financial year as a result of Yau’s
secured loan being increased to fund their expansion of their manufacturing plant.
Dan & Co also required that the covenant calculations be independently assured and wish
to receive a copy of the independent assurance report. The 31 December 20X8 financial
statements have been audited by Jin & Co, the external auditor of Yau, and Ms. Chan
indicated the audit opinion was unmodified.
Explain whether or not there are any potential engagement risk(s) in Jay & Co agreeing
to perform this assurance engagement. If there are, explain how the risk(s) can be
appropriately mitigated.

Analysis

Yes, there is an engagement risk as Jay & Co are not the appointed auditor of Yau and
therefore did not audit Yau’s 31 December 20X8 financial statements from which the
covenants are calculated. Consequently, there is the risk that the covenants may be
calculated correctly but based on incorrect information in the financial statements. This
risk can be appropriately mitigated by Jay & Co obtaining a copy of Yau’s 31 December
20X8 audited financial statements, reviewing Jin & Co’s independent auditor’s report for
any disclosed matters that affect the covenants, and ensuring all covenant calculations
are based on, or derived from, the appropriate audited financial statements amounts.

12.3.1 Ethical Requirements of the Engagement


Compliance with relevant ethical requirements is a fundamental part of an HKICPA
engagement. All engagements, regardless of whether they are assurance engagements or
non-assurance engagements, require the HKICPA practitioner to comply with the relevant
ethical requirements. Relevant ethical requirements are those contained
in the Code of Ethics for Professional Accountants (COE) and HKSQM 1 Quality Management for
Firms that Perform Audits or Reviews of Financial Statements or Other Assurance or Related Services
Engagements, or professional requirements or requirements contained in law or regulation that
are at least as demanding as the COE and HKSQM 1. This section assumes that the practitioner
is required to comply with the COE and HKSQM 1 for all engagements discussed. See Sections
1.2.2.2 and 4.1.1.1 which describe recent revisions to the Code of Ethics and the Quality
Standards.
The practitioner is taken to be the engagement partner, with overall responsibility for
the engagement and compliance with required standards, including quality management. They
must ensure that they have sufficient competence to accept this responsibility and that the
engagement team is sufficiently competent and capable. Where law or regulation requires,
engagement quality reviews must be conducted. The practitioner is required to remain
alert throughout the engagement to any evidence of non-compliance by engagement team
members with relevant ethical requirements and to take appropriate action if such evidence is found.

Relevant ethical requirements are contained in the HKICPA COE. The following parts of the
COE apply to other assurance engagements.

• Part 1 describes the fundamental principles of professional ethics that practitioners
must comply with, being: integrity, objectivity, professional competence and due care,
confidentiality, and professional behaviour. See Sections 1.2.2.3–1.2.2.5.

• Part 3 illustrates how the conceptual framework is to be applied in specific engagement
situations for professional accountants in public practice. See Section 1.2.2.7.

• Part 4 includes independence related requirements for:

° Audits and reviews (Part 4A). See Section 1.2.2.8.

° Assurance engagements other than audits and reviews (Part 4B). See Section 1.2.2.8.

HKSQM 1 deals with ‘a firm’s responsibilities to design, implement and operate a system of
quality management for audits or reviews of financial statements, or other assurance or related
services engagements’.

HKSQM 1 requires the practitioner who is performing an engagement to be a member of
a firm that is subject to HKSQM 1. It sets out detailed requirements for the firm to establish,
monitor, and maintain in respect of independence (for assurance engagements only) and client
engagement and acceptance procedures. These requirements are mainly consistent with those
of audit engagements.

The practitioner is required to implement quality management systems that are applicable
to the individual engagement. The elements of quality management systems that are relevant
include governance and leadership, the firm’s risk assessment process, relevant ethical
requirements, acceptance and continuance of client relationships and specific engagements,
engagement performance, resources, information and communication, and monitoring and
remediation processes.

12.3.1.1 Assurance Engagements


As noted above, practitioners performing assurance engagements in the HKSRE, HKSAE, and
HKSIR suites must comply with relevant ethical requirements. The practitioner is required to
be independent of the entity in all assurance engagements, as independence is critical to the
practitioner performing an unbiased assurance engagement (independence of mind and in
appearance). It also enhances the practitioner’s ability to act with integrity, to be objective,
and to maintain an attitude of professional scepticism. The practitioner must therefore
not accept any assurance engagement where the practitioner cannot be independent. It is
therefore critical for the practitioner to identify any threats to independence prior to accepting
the assurance engagement, evaluate any threats, and apply appropriate safeguards when
necessary to eliminate those threats or at least reduce them to an acceptable level. Threats
can be direct or indirect and be financially based or non-financially based and be actual or
perceived. They include threats that relate to self-interest, self-review, familiarity, advocacy,
or intimidation. In some cases, there may be no safeguards that can be put in place to
ensure independence, in which case the practitioner should decline to accept the appointment,
or, if already appointed, resign/withdraw. For more detail on ‘Independence’, refer to
Chapter 1, Section 1.2.2.2.


HKSQM 1 sets out, for assurance engagements, detailed requirements for the firm
to establish, monitor, and maintain in respect of independence, and client engagement
and acceptance procedures. It requires the practitioner to comply with relevant ethical
requirements in conducting their assurance engagement, including independence.

All Other Assurance Engagements


In addition to the application of Part 1 for all other assurance engagements, the following
sections in Parts 3 and 4B also apply:

• Part 3 ‘Professional Accountants in Public Practice’, Section 320 ‘Professional
Appointment’ (incorporating any changes in appointment); and

• All Part 4B ‘Independence for Assurance Engagements Other Than Audit and Review
Engagements’.

Refer to Chapter 1, Section 1.2.2.2, for more details on Section 320 ‘Professional
Appointment’. Part 4B, like Part 4A, requires for all other assurance engagements that the
practitioner be independent of their client and that the firm shall not charge a contingent fee (R905.6).

HKSAE 3400 specifically acknowledges that the practitioner conducting this type of
engagement may not be a professional accountant and bound to follow the Code of Ethics
and HKSQM 1 (HKSAE 3410.10). Therefore, it reminds practitioners to comply with either the
Code of Ethics and HKSQM 1 or professional requirements, or requirements imposed by law or
regulation, that are at least as demanding as Parts 1, 3 and 4B of the Code of Ethics related to
assurance engagements and HKSQM 1. However, a firm shall not charge a contingent fee for
a non-assurance service provided to an assurance client if the outcome of the non-assurance
service, and therefore the amount of the fee, is dependent on a future judgement (R905.7).

12.3.1.2 Non-Assurance Engagements


As noted above, practitioners performing non-assurance engagements must comply with
relevant ethical requirements, being the COE and HKSQM 1. Unlike assurance engagements,
the practitioner is not required to be independent of the entity unless the firm or the network
of which the firm is a member is also the auditor of the entity or a related entity. Independence
requirements are stricter if the client or a related entity is a PIE, and where fee dependency
exists. See further discussion of independence in Sections 1.2.2.7 Ethics for Professional
Accountants in Public Practice and 1.2.2.8 Ethics and Independence.

HKSRS 4400 (Revised) requires, where the practitioner is not the auditor of the entity
and is not independent, that the practitioner’s factual findings report includes a statement to
this effect.

HKSRS 4410 (Revised) contains additional guidance on the practitioner’s association with
the compiled financial information that is the subject of the engagement. It reminds the
practitioner not to be knowingly associated with reports, returns, communications, or other
information where the practitioner believes that the information contains a materially false
or misleading statement, contains statements or information furnished recklessly, or omits or
obscures information required to be included where such omission or obscurity would be
misleading. In circumstances where they become aware of such an association, they are
required to take steps to dissociate themselves from the information.


Key Learning Point


All assurance engagements are required to be conducted by independent practitioners.
Non-assurance engagements are not required to be conducted by independent
practitioners.

12.3.2 Engagement Acceptance and Continuing the Engagement


12.3.2.1 Assurance Engagements
The practitioner is required for all potential engagements to consider whether they should
accept or, for continuing engagements, continue to accept the engagement. Refer to Chapter 3
for more detail. See Sections 1.2.2.2 and 4.1.1.1 which describe recent revisions to the Code of
Ethics and the Quality Standards.

The practitioner must consider engagement risk before accepting or continuing any
engagement. Engagement risk is the risk that the practitioner accepts an engagement that
they should not in the circumstances. The practitioner reduces the risk of this occurring by
performing appropriate pre-engagement acceptance and continuance procedures to ascertain
whether the engagement is the type of engagement the practitioner should accept. The
practitioner remains alert to any changes in the circumstances during the engagement that
may cause them to re-evaluate if they continue the engagement.

The general principles for engagement acceptance and continuance are that the
engagement should only be accepted/continued when:

• The practitioner has no reason to believe that relevant ethical requirements, including
independence (for assurance engagements only), will not be satisfied (refer to
Section 12.3.1).

• The practitioner is satisfied that those persons who are to perform the engagement
collectively have the appropriate competence and capabilities.

• The basis upon which the engagement is to be performed has been agreed, through:

° Establishing that the preconditions for the engagement are present; and

° Confirming that there is a common understanding between the practitioner and
the engaging party of the terms of the engagement, including the practitioner’s
reporting responsibilities.

Preconditions to the Engagement


Preconditions for each engagement are set out in each applicable HKICPA standard, where
applicable, and generally outline factors, agreements, and discussions the practitioner needs
to have prior to accepting or continuing the engagement. The practitioner’s assessment is
based on their preliminary knowledge of the engagement. If any pre-condition is not met,
the practitioner is not able to accept or continue with the engagement unless required by
law or regulation to do so. Any such engagement does not comply with HKICPA standards
and the practitioner is not allowed to include any references to any of the applicable
standards that would have applied in the engagement circumstances in the practitioner’s
report. The practitioner monitors ongoing compliance with the required pre-conditions
throughout the engagement.

If, after accepting the engagement, the practitioner finds the pre-conditions have not
been met (e.g. some of the applicable criteria are unsuitable or some or all of the underlying
subject matter information is not appropriate), they should first discuss this with the
entity’s management/those charged with governance to determine whether the matter can
be resolved, whether it is appropriate to continue with the engagement, and whether to
communicate the matter in the practitioner’s report. Otherwise, the practitioner withdraws
from the engagement (if this is allowed by law or regulation).

Examples of common pre-conditions the practitioner takes a preliminary view on are
(non-exhaustive list):

• The practitioner has the appropriate capabilities and competence to perform the
engagement.

• Understand who the intended users of the practitioner’s report are.

• Assess whether the roles and responsibilities of the appropriate parties to the
engagement are suitable in the circumstances.

• Check whether a rational purpose for the engagement exists, the engagement scope
is adequate, and that the level of assurance to be provided (if any) is expected to be
meaningful to the intended users.

• The engagement exhibits the following characteristics:

° The underlying subject matter information is appropriate.

° The criteria that the practitioner expects to be applied in the preparation of
the subject matter information are acceptable and suitable for the engagement
(e.g. in light of its stated purpose, intended users), including that they exhibit
the characteristics of relevance, completeness, reliability, neutrality, and
understandability (assurance engagements). Also, check that it is unlikely that the
resultant subject matter information will be misleading for the purpose for which it
is intended.

° The applied criteria will be available for the intended users.

° The subject matter information will be adequately described and disclosed by
the entity.

• Where the source of some or all of the subject matter information has been
previously reviewed or audited and a modified audit opinion or review conclusion
and/or an emphasis of matter paragraph has been included in the assurance
practitioner’s report, consider whether an applicable law or regulation allows the
practitioner to include a reference to that modified audit opinion or review
conclusion, or emphasis of matter paragraph, in the practitioner’s report in respect of
such sources.

• If the entity’s subject matter information (particularly historical financial information)
has not been previously audited or reviewed, consider whether the practitioner can
obtain a sufficient understanding of the entity and its processes for preparing and
presenting the subject matter information to perform the engagement.


• Obtain agreement from management as to their key responsibilities:

° For preparation and presentation of the subject matter information in
accordance with the applicable criteria (e.g. the applicable financial reporting
framework);

° If applicable to the engagement circumstances, for such internal control as
management determines is necessary to enable the preparation of subject
matter information that is free from material misstatement, whether due to
fraud or error;

° To provide the practitioner with:

–– Access to all information of which management/those charged with governance
is aware that is relevant to the preparation of the subject matter information,
such as records, documentation, and other matters;

–– Additional information that the practitioner may request from management/
those charged with governance for the purposes of the engagement; and

–– Unrestricted access to persons within the entity (or relevant external entity)
from whom the practitioner determines it is necessary to obtain evidence.

• The practitioner expects to be able to obtain the evidence needed to support the
practitioner’s conclusion (assurance engagements) or factual findings (non-assurance
engagements).

• The practitioner’s findings or assurance conclusion, as appropriate, is to be contained in
a written report.

• If applicable to the engagement circumstances and/or required by law or regulation,
to include the practitioner’s report on the subject matter information in any public
document that contains the subject matter information and that indicates that the
practitioner has reported on them (particularly applicable for historical financial
information prepared in summary financial statements).

• If the proposed wording of the practitioner’s report is prescribed by law or
regulation, to determine that the practitioner would be likely to express the opinion
so prescribed based on performing the procedures specified in the applicable
HKICPA standard.

As each subject matter information is different in terms of the nature, purpose for which
it is prepared, type, and source of the information (financial/non-financial) and time periods
covered, the applicable HKICPA standard contains specific pre-conditions that are relevant
to the particular subject matter information, the applicable criteria to be applied, and the
practitioner’s reporting responsibilities (assurance or factual findings).

Engagement Risks
Engagement risks are assessed by the practitioner prior to acceptance or continuance to
ensure that they are fully informed of, and understand the nature of, the entity and the subject
matter information they are being asked to report on. This allows the practitioner to make a
professional judgement as to whether they wish to be professionally appointed by the entity to
conduct the work (and be associated with the engagement).


The practitioner should ensure for the engagement that intended users of the report have
a good understanding and agreement of the practitioner’s scope of work agreed, procedures to
be performed, and type of report (and level of assurance, if applicable) to be provided.

HKSQM 1.30 and A67–A74 set out the requirements for Acceptance and Continuance of
Client Relationships and Specific Engagements. The firm’s quality objectives should establish
that judgements by the firm about whether to accept or continue a client relationship or
specific engagement are based on:

• Information obtained about the nature and circumstances of the engagement and the
integrity and ethical values of client management and those charged with governance.

• The firm’s ability to perform the engagement in accordance with professional standards
and applicable legal and regulatory requirements.

• The financial and operational priorities of the firm do not lead to inappropriate
judgments about whether to accept or continue a client relationship or specific
engagement (HKSQM 1.30).

The firm is required to ensure that:

• It is competent to perform the engagement.

• It has the capabilities, including time and resources.


• It can comply with relevant ethical requirements (COE).

The firm is also required:

• To obtain such information as it considers necessary before accepting an engagement
with a new client.

• To consider whether there is a potential conflict of interest.

• To document any issues identified when the firm was deciding to accept or continue the
client relationship or a specific engagement.

Key Learning Point


All potential assurance engagements must be assessed for any engagement risks prior
to acceptance and continuance processes being finalised to ensure that the practitioner
is not precluded by reason of law or regulation or the requirements of applicable HKICPA
standards or other pronouncements (e.g. COE).

12.3.2.2 Non-Assurance Engagements


There are no specific pre-conditions for a non-assurance engagement, as the practitioner
and the specified parties to the engagement agree on the procedures to be performed
on the subject matter information to enable the practitioner to report factual findings
(HKSRS 4400 (Revised)) or the compiled financial information (HKSRS 4410 (Revised)), and
neither engagement is required to be conducted by law or regulation. In practice, however,
the practitioner considers whether the entity, the type of engagement, and the subject
matter information are acceptable, taking into account the stated purpose of the engagement,
the intended users and their requirements (if any), whether the practitioner possesses the
relevant expertise and experience to conduct the engagement, and any conditions imposed by
the entity.

12.3.3 Agreeing on the Terms of the Engagement


The practitioner agrees the terms of the engagement with the entity (ordinarily this is
management/those charged with governance at the entity) and evidences those agreed terms
in writing. For continuing engagements, the practitioner has to decide if the circumstances of
the engagement for the current period warrant the issuance of a new letter or whether the
existing letter continues to be appropriate. For all new engagements, an engagement letter
must be issued and agreed prior to the practitioner commencing work.

An engagement letter helps avoid any misunderstandings regarding the nature of the
engagement and, in particular, the objective and scope of the engagement, management’s
responsibilities, the extent of the practitioner’s responsibilities, the level of assurance (if any) to
be provided, and the nature and form of the practitioner’s report. If the engaging party wants
to change the engagement terms, the practitioner should not agree to the change unless there
is a reasonable justification to do so. If the practitioner agrees to the change, they should not
disregard any evidence obtained prior to the change. All relevant parties to the engagement
(at a minimum the entity) should sign the engagement letter as acknowledgement of their
acceptance of the engagement terms.

Typical engagement letter terms are:

• Identification of the subject matter information, the purpose for which it has been
prepared, and the time period it relates to.
• Identification of the applicable financial reporting framework (if any) the subject matter
information is being prepared in accordance with.

• The name, nature, and details of the applicable criteria against which the subject matter
information will be assessed.

• Explanation of the intended use and distribution of the subject matter information and
any restrictions on the use or distribution of the practitioner’s report where applicable.

• The objective and scope of the engagement, including the level of assurance (if any) to
be provided.

• The responsibilities of the practitioner, including the HKICPA standard in accordance
with which the engagement is conducted, and that they will comply with the named
relevant ethical requirements.

• The responsibilities of the entity’s responsible party:

° For preparing the subject matter information (in accordance with a suitable
criterion that is acceptable in view of the intended use of the subject matter
information by the intended users).

° For establishing and maintaining effective internal control relevant to the
preparation of the subject matter information (where appropriate).

° For making all requested and relevant information available to the practitioner.

° Management’s agreement to provide written representations to the practitioner to
confirm representations made orally during the review, as well as representations
that the practitioner requests.

• That there are no restrictions on the scope of the practitioner’s work.

• The nature, type, and scope of procedures to be conducted (either specified by the
practitioner or the entity, as appropriate).

• Reference to (or inclusion of) the expected form and content of the report/letter to be
issued by the practitioner and a statement that there may be circumstances in which
the report may differ from its expected form and content.

• Management’s agreement that where any document containing subject matter
information indicates that the subject matter information has been assured or reported
on by factual findings by the practitioner, that the practitioner’s report will also be
included in the document.

• The fees to be charged for the engagement and how they will be billed to the entity’s
responsible party.

• Note that a firm shall not charge a contingent fee for a non-assurance service provided
to an assurance client if the fee is related to a matter that is material to the subject
matter information of the assurance engagement (R410.10).

For non-assurance engagements, it is important that the engagement letter includes
the entity management’s acceptance of its responsibility for the underlying accuracy and
completeness of the records, documents, explanations, and other information provided to the
practitioner for the engagement and judgements needed in the preparation and presentation
of the subject matter information, including those for which the practitioner may provide
assistance in the course of the engagement.

12.3.4 Planning and Performing the Engagement


12.3.4.1 Planning the Engagement

The practitioner’s engagement planning depends on the type of engagement (assurance
or non-assurance), type of subject matter information, type of assurance, if applicable
(reasonable or limited), and their understanding of the engagement circumstances.
Engagements should be planned so that they will be performed in an effective manner and
will achieve the practitioner’s overall engagement objectives. This includes the practitioner
being able to exercise professional scepticism and professional judgement throughout the
engagement.


Additionally, the level of planning required will depend on whether the practitioner is
already the entity’s auditor – and understands the entity and its environment, including
internal control. For practitioners who are the appointed auditor, they will need to update
their understanding relevant to the engagement circumstances. For those practitioners who
are not the appointed auditor, they will need to plan the engagement to obtain the necessary
understanding for the engagement.

There are two key aspects to planning the engagement:

• First, the practitioner needs to obtain (or update) an understanding of the entity
and its environment (including any relevant internal controls, if applicable)
sufficient for the engagement circumstances; and

• Second, the practitioner needs to understand the subject matter information to
perform the engagement.

Refer to Section 12.4.1 for a detailed explanation of the steps required to obtain an
understanding of the entity and its environment and the subject matter information.

12.3.4.2 Performing the Engagement


The practitioner uses their understanding of the entity and the subject matter information, as well
as professional judgement and expertise to plan the nature, timing, and extent of procedures
appropriate to the engagement. The practitioner chooses a combination of procedures to
obtain sufficient and appropriate evidence on which to form the type of assurance conclusion
or report factual findings, as applicable. Examples of procedures include: inspection,
observation, confirmation, recalculation, re-performance, analytical procedures, and inquiry.

Fewer procedures are required for a limited assurance engagement because lower levels of
evidence are required for assessed risk areas and the engagement risk is lower. Inquiry and
analytical procedures are planned rather than more detailed substantive testing (such as
testing accounting records through physical inspection, observation, and third party
confirmation), and there is little or no testing of internal control. Practitioners will test
populations using smaller sample sizes and
adopt smaller test coverages. At a minimum there should be testing on all material financial
statement items, including disclosures, and focus on addressing the key risk areas within the
subject matter information where, in their professional judgement, material misstatements are
likely to arise. If the subject matter information contains forecast/prospective information, the
degree of work required will in part depend on the reliability of forecasts made in the past and
their materiality to the subject matter information.

For a reasonable assurance engagement more procedures are required to obtain sufficient
and appropriate evidence necessary to provide a reasonable level of assurance – ordinarily
they are a combination of inquiry, inspection, observation, confirmation, re-calculation,
re-performance, and analytical procedures to be performed; the specific combination of
procedures depends on engagement circumstances.

For non-assurance engagements, the procedures may include inquiry and analysis,
re-computation, comparison, and other clerical accuracy checks, observation, inspection, and
obtaining confirmations.

The procedures performed are covered in Section 12.4.2.


Key Learning Point


The practitioner plans the engagement to design and perform procedures efficiently,
taking into account the engagement objectives, circumstances, and the level of assurance
required (if applicable).

12.3.5 Materiality and Assurance Engagement Risk


12.3.5.1 Materiality

Information is considered material if it can reasonably be expected to have the capacity
to influence the decisions of the information’s intended users. Materiality is only relevant
for assurance engagements. It has no relevance for non-assurance engagements as the
practitioner is merely reporting factual findings based on specific agreed-upon procedures
determined by the entity and expresses no assurance on the financial information. The
practitioner does have to consider misstatements in the financial information as all
exceptions or errors are reported in their factual findings report. Misstatements in the
subject matter information may arise from the information being omitted, incorrectly
recorded (amount), classified, presented, or disclosed (e.g. obscured) as compared to the
applicable criteria used (e.g. an applicable reporting framework). Misstatements can also
arise from error or fraud.

Materiality is used to plan and perform procedures on significant items within the subject
matter information and in assessing whether the subject matter information is free from
any material misstatements compared to the applicable criteria. It is not affected by the level
of assurance provided by the engagement because materiality is based on the information
needs of the intended users and uses the same risk assessment basis, meaning that
materiality for a reasonable assurance engagement is the same as for a limited assurance
engagement.

Establishing what is material for an assurance engagement is a matter of the practitioner’s
professional judgement, taking into account the engagement circumstances, understanding
and assessing what factors might influence the decisions of the intended users in using the
subject matter information, and the nature of the subject matter information. Examples
of factors may be the degree of precision and accuracy required in the subject matter
information. If the practitioner is also the auditor of the entity, the materiality used for the
audit should not be used for the assurance engagement, as the engagement circumstances
are different.

Materiality is assessed in terms of qualitative (nature) and quantitative (amount)
measures. While materiality is set at the beginning of the engagement (before the
practitioner performs any procedures), it should be re-assessed throughout the engagement
if more information comes to the practitioner’s attention that causes a reassessment or
change to the initial materiality level. HKSA 320 Materiality in Planning and Performing an Audit
can provide helpful guidance on establishing materiality for assurance engagements.


Key Learning Point


Materiality levels are not prescribed for any other assurance engagement in applicable
HKICPA standards. This is due to the setting of materiality requiring the practitioner’s
professional judgement, taking into account the particular engagement circumstances and
the nature of the subject matter information being reported on.

12.3.5.2 Assurance Engagement Risk


Assurance engagement risk is the risk that the practitioner expresses an inappropriate
(assurance) conclusion when the subject matter information is materially misstated.
As this risk cannot be reduced to nil, assurance is never absolute. The practitioner
reduces this risk by setting materiality at a level appropriate to the nature of the
subject matter information and the individual engagement circumstances such that the
risk is reduced to an acceptably low level to facilitate the level of assurance required.
The practitioner then designs procedures to achieve the level of assurance required
for the engagement. Assurance engagement risk is not relevant for non-assurance
engagements, as no assurance is expressed. See Sections 1.2.2.2 and 4.1.1.1 which describe
recent revisions to the Code of Ethics and the Quality Standards.

The risk of the subject matter information not being prepared and presented in all material
respects on the basis of the applicable criteria may arise when there is evidence of, for
example, the subject matter information:

• Being sourced inappropriately or incorrectly extracted from underlying records;

• Reflecting the misapplication of accounting or other policies or being inconsistent
with the entity’s relevant policies;

• Being prospective information that has not been based on adjusted historical financial
information;

• Containing a mathematical mistake; or

• Containing inadequate or incorrect disclosures.

12.3.6 Engagement Quality Management


As noted in Section 12.3.1, all practitioners must comply with the HKSQMs, regardless of the
engagement type. The practitioner, as an engagement partner, is leader of the engagement
team and is responsible for ensuring compliance with the Code of Ethics and the HKSQMs on
individual engagements and takes responsibility for the overall quality on the engagement.
See Sections 1.2.2.11 and 4.1.1.1 which describe recent revisions to the Code of Ethics and the
Quality Standards. This means:

• Performing appropriate procedures regarding the acceptance and continuance of client
relationships and engagement.

• Implementing quality management procedures that are applicable to the individual
engagement – including leadership responsibilities for quality on the engagement,
ethical requirements, acceptance and continuance of client relationships and specific
engagements, assignment of engagement teams, engagement performance, and
monitoring.


• Conducting the engagement in accordance with the firm’s quality management policies.
This includes:

° Being satisfied that appropriate procedures for the acceptance and continuance
of client relationships and engagements have been performed and that the
conclusions reached are appropriate. The engagement partner should be
satisfied that such procedures included considering whether there is information
available that would lead them to conclude that the entity’s management lacks
integrity.

° Being satisfied that the engagement team has the appropriate competence and
capabilities (for example, assurance skills and techniques, if required, and expertise
in the subject matter information, including its measurement/evaluation) to:

–– Be able to perform the engagement in compliance with all required professional
standards and applicable laws and regulations; and

–– Accept responsibility for the report issued, including the assurance conclusion
or factual findings (as appropriate) and for it being appropriate to the
engagement circumstances.

° Taking responsibility for all engagement documentation (i.e. documentation that
provides evidence of achievement of the practitioner’s objectives and that the
engagement was performed in accordance with the relevant HKICPA standard and any
relevant legal and regulatory requirements).

• The direction, supervision, planning, and performance of the engagement in
compliance with professional standards and applicable legal and regulatory requirements.

• Be satisfied that the practitioner will be able to be involved in the work of:

° A practitioner’s expert, where the work of that expert is to be used; and

° Another practitioner, not part of the engagement team, where the work of that
practitioner is to be used to an extent that is sufficient to accept responsibility for
the assurance conclusion, or factual findings, as appropriate, on the subject matter
information.

• Appropriate consultation being undertaken by the engagement team on difficult or
contentious matters.

• Taking into account the results of the firm’s monitoring process and to determine
whether those results affect the engagement.

• File reviews being performed in accordance with the firm’s engagement policies and
procedures, and reviewing the engagement documentation on or before the date of the
assurance report or factual findings report as appropriate.

• Throughout the engagement the practitioner remains alert through observation and
making inquiries as necessary for any evidence of non-compliance with relevant ethical
requirements by members of their engagement team. If any evidence presents, the
engagement partner is required to determine the appropriate action.

• Stating their compliance with the HKSQMs and the relevant Code of Ethics
requirements within Parts 1, 3, and 4A (audits and reviews) or 4B (all other assurance
engagements) as applicable (or equivalent) in their practitioner report.

• The practitioner’s report is appropriate in the circumstances.


Additionally, for those engagements for which an Engagement Quality Review (EQR)
is required by an applicable HKICPA standard, law or regulation, or for which the firm has
determined that an EQR is required, the EQ reviewer performs an objective evaluation of all
significant judgements reached and conclusions made by the engagement team. In carrying out
this evaluation, the EQ Reviewer will:

• Discuss significant matters with the engagement partner.

• Review documentation relating to significant judgments made by the engagement team
and the conclusions reached.

• Review the subject matter information.

• Evaluate the conclusions reached in formulating the assurance report.

The engagement partner may not finalise and date their assurance report until the EQR has
been completed. (See also Chapter 4, Section 4.2.12, Engagement Quality Reviews.)

Key Learning Point


The practitioner must comply with applicable quality management requirements contained
in the Code of Ethics and the HKSQMs when conducting any type of other assurance or
non-assurance engagements. This ensures the continuing quality of engagements performed
by HKICPA practitioners.

Apply and Analyse 4


The Chief Operating Officer of Yau Manufacturing Company Ltd, Mr. Wong, has requested
you as a partner in your firm, Jay & Co, to perform a reasonable assurance engagement on
their Greenhouse Gas Statement in respect of their manufacturing plant. You previously
met Mr. Wong at a trade show. The relevant regulatory body has requested Yau to prepare
their yearly statement assured as part of the Government’s ongoing push to quantify the
levels of CO2 in key manufacturing hubs. Jay & Co are not the appointed auditor of Yau.
You are keen to accept the engagement as your firm does not have much experience in
performing this type of engagement and is eager to gain the necessary experience as the
firm sees this is a future work growth area. Explain whether there are any potential issues
with you or your firm accepting the engagement.

Analysis

Yes, there is an issue with you accepting the engagement as you and your firm do not
have the necessary competence and capability to oversee, lead, and provide quality
management of this engagement in compliance with the requirements of HKSQM 1
Quality Management for Firms that Perform Audits or Reviews of Financial Statements, and
Other Assurance or Related Services Engagements or HKSAE 3410 Assurance Engagements on
Greenhouse Gas Statements. You should decline the engagement on this basis. Specifically,
HKSAE 3410, paragraph 16 requires the engagement partner to:



(a) Have sufficient assurance skills, knowledge, and experience, and sufficient
competence in the quantification and reporting of emissions, to accept
responsibility for the assurance conclusion; and

(b) Be satisfied that the engagement team and any practitioner’s external experts
collectively possess the necessary professional competencies, including in the
quantification and reporting of emissions and in assurance, to perform the
assurance engagement in accordance with this HKSAE (HKSAE 3410).

Knowledge Check Questions

Question 5
Explain why it is important to perform an assessment of engagement risk prior to
accepting the engagement.

Question 6
Explain why it is important to establish pre-conditions for the engagement prior to
engagement acceptance.

Question 7
You have previously performed an engagement providing reasonable assurance on Yau
Manufacturing Company Ltd’s compliance with its banking covenants for the financial
year, as required under the terms of their loan agreement. The new Chief Financial Officer
of Yau has now requested you to again perform the compliance engagement. Explain
whether you need to re-issue the engagement letter.

12.4 OBTAINING SUFFICIENT EVIDENCE – OVERVIEW

12.4.1 Obtaining an Understanding of the Subject and Engagement


12.4.1.1 Understanding the Entity and Its Environment

All engagements require the practitioner to obtain an understanding of the subject matter of
the engagement in order to provide assurance or report factual findings in the practitioner’s
report, as appropriate. In addition to understanding the engagement and the engagement
circumstances, the practitioner obtains an understanding of the entity and its environment,
including its relevant internal controls, sufficient to:

• For assurance engagements – identify and assess the risks of material misstatement of
the subject matter information whether due to fraud or error, and sufficient to design,
and perform further procedures.

• For non-assurance engagements – conduct the entity’s agreed-upon procedures on the
subject matter information.

Such an understanding is ordinarily obtained by:

• Meeting the directors and management of the entity to understand matters related to
the engagement, including, for example, obtaining their understanding of the principal
transaction flows, internal controls and reporting arrangements of the business that
relate to the engagement, as well as relevant information and recent reporting results
with management;

• Attending the entity’s premises; and

• Applying analytical procedures to available information.

The practitioner, who is not the appointed auditor of the entity (or only recently appointed
as auditor or who has not previously performed the same type of engagement), performs
planning procedures through inquiry and review to obtain an understanding of the entity and
its environment, including its internal control, as it relates to the preparation of the subject
matter information.

The following planning procedures to obtain an understanding of the engagement are
non-exhaustive and may/may not apply, depending on the engagement circumstances and the
subject matter information:

• Understand the purpose of the engagement.

• Understand the characteristics of the engagement that define its scope – understand
who the interested parties/intended users of the practitioner’s report are, what is the
expected timeline for reporting and any other relevant considerations.

• Identify the intended users of the practitioner’s report, an understanding of their
information needs, and materiality assessment (sensitivity to accuracy of the results),
including their assessed risks that the subject matter information may be materially
misstated.

• If applicable, make inquiries of the predecessor auditor and, where practicable, review
the predecessor auditor’s documentation. The practitioner considers the nature of
any corrected misstatements and any uncorrected misstatements aggregated by the
predecessor auditor, any significant risks, including the risk of management override
of controls, and significant reporting matters that may be of continuing significance
(for example, a material weakness in a relevant internal control).

• Understanding the nature of the entity, its business, key strategies and objectives,
activities, ownership structure, types of investments, how it is financed, and key
related parties. This can be done by reviewing key governance and compliance policies,
reviewing press and public announcements, and in discussions with management/
those charged with governance.

• Understand the relevant time period covered by the engagement and, if applicable to
the engagement, if events occurring after that time period should be considered.

• Understand the relevant industry, regulatory, and other external factors including the
applicable criteria (e.g. the financial reporting framework).


• Understand the entity’s appropriate IT systems and underlying records relevant to the
subject matter information and assess their adequacy for producing information that is
accurate, complete, and valid.

• Review last year’s engagement file, if applicable, to refresh key aspects of the
understanding – including significant risks (such as the risk of management override of
controls), uncorrected misstatements, material misstatements identified and corrected,
and any risks that the subject matter information may be materially misstated.

• Understand if there are any initial going concern issues – e.g. factors that the
practitioner needs to remain alert to, or make/update inquiries regarding those factors.

• Understand any internal controls relevant to the engagement, including if there is an
internal audit function.

• Read the minutes of meetings of management, shareholders, those charged with
governance, and other appropriate committees (e.g. the audit committee) for an
understanding of key issues affecting the entity, and its governance and financial
reporting.

• The expected timing and nature of the practitioner’s communications required by
the entity.

• The extent to which fraud may be relevant to the engagement.


• The nature, timing, and extent of resources required by the practitioner to perform the
engagement, such as personnel and expertise requirements, including the nature and
extent of any expert’s involvement.

For practitioners who are the appointed auditor of the entity (or who have previously
performed the same type of engagement) they ordinarily update their understanding of the
entity by performing the inquiry and review. This would include reviewing prior reporting,
engagement file, and reflecting on any engagement circumstances that are relevant to the
current engagement. These may include considering:

• The prior degree of difficulty in obtaining information.

• The need to engage entity employees or experts.

12.4.1.2 Understand the Subject Matter Information


The practitioner is required to obtain an understanding of the underlying subject matter
information (i.e. understanding its key characteristics) and other engagement circumstances
(e.g. type of assurance, if any is required) sufficient to provide the practitioner with the ability to
report on the subject matter information.

The level of understanding of the subject matter information must be sufficient to:

• Identify and assess any areas of possible material misstatement in the subject matter
information (risk considerations) and how the practitioner plans to respond to those
risks through designing the nature, timing, and extent of certain procedures.

• The relevance and reliability of information to be used as evidence.

• Whether the work of an expert, another practitioner, an entity’s, measurer’s, or
evaluator’s expert, or an internal auditor is expected to be used.


The practitioner, who is the appointed auditor of the entity (or who has previously
performed the same type of engagement) performs planning procedures through inquiry
and review to obtain an understanding of the entity and its environment. The following
planning procedures to obtain an understanding of the engagement are non-exhaustive and
may/may not apply, depending on the engagement circumstances and the subject matter
information:

• Understand the source of the subject matter information:

° If it is new information or extracted from existing historical financial information.

° Understand the basis of preparation, presentation, and the reliability of the
underlying records used to prepare it:

–– If any part of the source has been audited/reviewed.

–– If the subject matter information is prospective (e.g. a forecast) or contains
forecast data, then understand the basis of preparation, reconcile any historical
financial information components to audited/reviewed historical financial
information (if applicable), understand any key underlying adjustments made
(based on assumptions and judgements), what, if any, are the uncertainties in
the information, if the forecast has been compiled based on the adjustments,
and compare for consistency to applicable policies within historical financial
information.

–– If the subject matter information is historical, then understand the basis of
preparation, reconcile any historical financial information components to
audited/reviewed historical financial information (if applicable), and compare
for consistency to applicable policies within historical financial information. If
there is no audit or review report, the practitioner is required to design and
perform procedures to be satisfied that the source is appropriate.

–– The entity’s selection and application of relevant policies and their
appropriateness.

–– Who reviewed and approved the subject matter information.

Factors that affect the appropriateness of the source include whether there is
an audit or a review report on the source and whether the source is permitted or
specifically prescribed by the relevant law or regulation, is clearly identifiable, and
represents a reasonable starting point, including whether it is consistent with the
entity’s published policies.

° Inquire of management how the subject matter information has been prepared
and the reliability of the entity’s IT systems and accuracy of underlying records from
which the subject matter information has been prepared.

° Identify any internal control relevant to achieving properly prepared subject matter
information and understand how it has been designed and implemented, and whether it is
operating effectively throughout the relevant period (e.g. through performing a
transactional walk-through from start to finish).

• Design appropriate analytical procedures that will identify relationships and unusual
items that may indicate a material misstatement in the subject matter information.

• If applicable, consider the nature of any adjustments to the subject matter information
that the entity represents as necessary (for example, as a result of correction of errors,
achieving consistent entity or group policies, or changing the applicable reporting
framework) and the sources of evidence to support the adjustments.

• Read the minutes of meetings of shareholders, those charged with governance,
and other appropriate committees for any matters that impact the subject matter
information.

• Read the subject matter information and identify anything that suggests that it has not
been prepared in accordance with the applicable criteria.

• Review the applicable criteria and assess whether they are acceptable and suitable for
the engagement, by assessing if those criteria have characteristics of being relevant,
complete, reliable, neutral, and understandable.

• Whether there are significant, unusual, complex, or non-monetary transactions, events,
or matters that have affected or may affect the subject matter information, including as
a result of:

° Significant changes in the entity’s business activities or operations (e.g. acquisitions
and disposals).

° Significant changes to the terms of contracts (e.g. terms of finance and debt
contracts or covenants).

° Significant journal entries posted or other adjustments made to historical financial
information.

° Significant movements in account balances between comparable time periods.

° Significant transactions occurring or recognised near the end of the reporting period.

° Effects or possible implications for the entity of transactions or relationships with its
related parties.

° Significant changes in internal control and the potential effect of any such changes
on the preparation of subject matter information.

• Any material commitments, contractual obligations, or contingencies (assets/
liabilities) including litigation claims that have affected or may affect the subject matter
information, including disclosures.

• If applicable, obtain previous reports regarding the subject matter information and:

° Consider the impact of any corrected or uncorrected misstatements affecting the
subject matter information identified in a prior engagement; and

° Consider the impact of any modifications included in previous reports.

• If applicable, inquire of management as to their assessment of the risk that it might be
affected by actual, suspected, or alleged fraud, or non-compliance with provisions of
applicable laws and regulations.

• Consider the work of the internal audit function, if any, and understand if they have
issued any reports relevant to the subject matter information. Review any such reports
and consider any recommendations and implemented remediation actions taken in
areas relevant to the review.

The practitioner uses an understanding of the entity and its environment to set materiality.
Refer to Section 12.3.5 for a further discussion.

Practitioners who are the auditor of the entity ordinarily update their understanding of the
entity and use the prior understanding to help them plan and conduct the engagement, so
that they can identify the types of potential material misstatement, consider the likelihood
of their occurrence, and select the procedures that will provide them with a basis for
their required reporting.

Key Learning Point


Planning the engagement to obtain a sufficient understanding of the engagement and
the particular subject matter the practitioner has been requested to report on is critical to
ensure that an efficient, targeted engagement is conducted.

12.4.2 Reasonable Assurance Testing


All assurance engagements require the practitioner to obtain an understanding of the subject
matter information of the engagement in order to provide assurance on that subject matter
information.

The practitioner, who is not the appointed auditor of the entity (or who has not previously
performed the same type of engagement), performs procedures appropriate to the
engagement. Refer to Chapters 6 and 7 for more details on procedures that can be performed
in an assurance engagement.

As explained in Section 12.3.4, for a reasonable assurance engagement more procedures
than for a limited assurance engagement are required to obtain the necessary sufficient and
appropriate evidence. Ordinarily procedures are a combination of inquiry, inspection,
observation, confirmation, re-calculation and re-performance. However, analytical procedures
need to be performed, and the type and combination selected by the practitioner depend on
the engagement circumstances. When designing and performing procedures, the practitioner
is required to consider the relevance and reliability of any information they intend to use
as evidence.

The testing approach for limited assurance engagements, based on identifying the areas
where a material misstatement in the subject matter information is likely to arise, is to:

• Design and perform procedures to address the areas of likely material misstatement,
sufficient to obtain limited assurance. No testing on internal control relevant to the
subject matter information is required.

• If the practitioner becomes aware of matters that cause them to believe the subject
matter information may be materially misstated, they need to design and perform
additional procedures to obtain further evidence to enable the practitioner to conclude
if this is the case or not.

In contrast, the testing approach for reasonable assurance engagements, based
on identifying and assessing the risks of material misstatement in the subject matter
information, is to:

• Design and perform procedures to respond to the assessed risks in the engagement
circumstances, sufficient to obtain reasonable assurance. The procedures are required
to include testing on relevant controls over the subject matter information (which
are assumed to be operating effectively) such that the practitioner obtains sufficient
appropriate information over their operating effectiveness. Note that procedures other
than testing of controls cannot alone provide sufficient appropriate evidence.

• Reassess their risk assessment if additional evidence comes to the practitioner’s
attention and modify the procedures to be performed.

The following examples of reasonable assurance procedures are non-exhaustive and may/
may not apply, depending on engagement circumstances and the subject matter information:

• Perform and document risk assessment procedures to support the engagement.

• Ensure the engagement pre-conditions remain present throughout the engagement.
Refer to Section 12.3.2 for a reminder of the types of pre-conditions to consider.

• If applicable, review prior practitioner reports and consider any implications of these
reports on the current engagement (e.g. modifications, emphasis of matter, other matters).

• If applicable, re-calculate and challenge any significant estimates, judgements, and/or
assumptions used in preparing the subject matter information, ensure they are directly
related to that information, are factually supportable, and assess the extent to which
they are consistent with the entity’s historical financial information or other relevant
entity policies, including assessing the suitability of their recording and/or classification.

• Evaluate whether the subject matter information:

° Is sourced from appropriate information. If the source information is not
appropriate the practitioner must discuss the situation with the entity and consider
what further action to take. This may include withholding the report, withdrawing
from the engagement, and seeking legal advice.

° Is consistent with the practitioner’s understanding of the entity and with the
information provided by the entity.

° Reconciles to underlying records/supporting documentation (e.g. contracts/
agreements, independent reports, published documents such as audited financial
statements) and, if applicable, is consistent with the basis of accounting or other
basis on which the subject matter information has been prepared by the entity.

° Obtain corroborating information and documentation from independent sources.

° If any calculations underlying the subject matter information are mathematically
correct.

° Review any significant transactions and agree to supporting evidence. Assess their
classification and presentation.

° Is prepared in accordance with the applied criteria and adequately refers to, or
describes, the applicable criteria (against which it has been assessed).


° Is appropriately presented and disclosed:

–– Any historical and other financial information is clearly distinguished. Check
that the amounts in the subject matter information have been accurately
extracted from audited, reviewed, or draft financial statements, and reflect the
presentation to be adopted in those financial statements.

–– If applicable, it illustrates the impact of any significant event or transaction in a
manner that is not misleading.

–– Discloses the information necessary, such that intended users understand
the information conveyed, which is presented at an appropriate level of
aggregation, so as not to be misleading in the circumstances (in view of the
purpose of the subject matter information).

• If applicable, review management’s going concern assessment and assess if there are
any events or conditions that appear to cast doubt on the entity’s ability to continue as
a going concern.

• If applicable, review the reports and work of the internal audit function by assessing
and re-performing elements of their work relevant to the engagement. HKSA 610
(Revised 2013) Using the Work of Internal Auditors may provide helpful guidance on how
to place such reliance.

• If applicable, assess placing reliance on the audit work of the entity’s internal auditor, by
considering:

° The professional qualification, experience, integrity, independence, and
professional competence of the auditor and the quality management systems
applied by the audit firm to that engagement;

° If the auditor was required to apply HKSAs or equivalent standards; and

° Whether there is any evidence that the auditor has not complied with applicable
independence requirements.

• If applicable, assess placing reliance on the work of an independent expert engaged by
the practitioner by performing similar procedures to placing reliance on the work of
the internal auditor (above). HKSA 620 Using the Work of an Auditor’s Expert may provide
helpful guidance on how to place such reliance.

• If the information contains prospective financial information (e.g. a forecast):

° Compare the forecast with the group’s existing financing facilities and cash
resources, or those that are to become available to the group;

° Independently obtain direct confirmation from the appropriate third party of the
extent of financing facilities and resources available to the group;

° Consider adjustments for items such as capital expenditure and pre-payments that
exert no impact on the profit forecast but may significantly impact the working
capital forecast; and

° Consider management’s sensitivity analysis and the extent of any margin
or headroom.


• Test those internal controls relevant to achieving properly prepared subject matter
information to ensure they have been appropriately designed and implemented and
are operating effectively throughout the relevant period. When determining the extent
of tests of controls, consider the characteristics of the population to be tested, which
include the nature of the controls, the frequency of their application (for example,
monthly, daily, several times per day), and the expected rate of deviation.

When designing and performing tests of controls, the practitioner:

° Performs other procedures (e.g. observation, inspection) in conjunction with
observation and inquiry, in order to obtain evidence about how the control was
applied, the consistency with which the control was applied, and by whom or by
what means the control was applied.

° Determines whether controls to be tested depend on other controls (indirect
controls) and, if so, whether it is necessary to obtain evidence supporting the
operating effectiveness of those particular indirect controls.

° Determines means of selecting items for testing that are effective in meeting the
objectives of the procedure.

• Design and perform analytical procedures, based on the practitioner’s understanding to
identify any relationships and unusual items that may indicate a material misstatement
by comparing the subject matter information. Any significant variations, unusual
fluctuations, or inconsistencies should be discussed with the entity. Types of analytical
procedures include:

° Comparing results, percentages, and ratios with those of prior periods and those
expected for the current periods, as well as other sources (e.g. external).

° Comparing the recorded amounts or ratios the practitioner has calculated
from recorded amounts to expectations they developed identifying (e.g. from
comparable entities) and applying relationships between information based on
their understanding of the entity. When significant fluctuations or unexpected
relationships are identified that are inconsistent with other relevant information,
the practitioner investigates and obtains explanations.

• If the subject matter information and the practitioner’s report are contained with
other information, read that other information to ensure that it is not inconsistent
with them.

• Identify any uncorrected misstatements identified during the engagement (other than
those that are clearly trivial) that need to be accumulated for evaluation.

• Obtain engagement appropriate written representations from management of the
entity. Examples may include:

° That it has provided the practitioner with all the information of which the
appropriate party (parties) is (are) aware that is relevant to the engagement.

° Confirming the measurement or evaluation of the underlying subject matter against
the applicable criteria, including that all relevant matters are reflected in the subject
matter information.


° For the preparation and presentation of the subject matter information, in all
material respects, in accordance with the applicable criteria.

° Where relevant, for the design and implementation of internal control.

° Confirmation that the effect of uncorrected misstatements is immaterial
(a summary of these should be attached to the representations).

° All significant facts relating to fraud or non-compliance with the law and regulations
have been disclosed to the practitioner.

° All significant subsequent events have been disclosed to the practitioner. Refer
to Section 12.6.1 for a discussion on subsequent event procedures that may be
applicable to the engagement.

Apply and Analyse 5


The Chief Financial Officer of Yau Manufacturing Company Ltd, Ms. Chan, has requested
you as a partner in your firm, Jay & Co, to perform a reasonable assurance engagement
on pro forma financial information they have prepared for inclusion in their upcoming
prospectus. This is to raise additional funds to finance Yau’s acquisition of another
Chengdu-based chipset manufacturer, Liu Manufacturing Co. You understand that the
pro forma financial information is based on audited financial statements that have been
adjusted to reflect the proposed acquisition. You understand that the acquisition talks are
advanced and Yau and Liu have both agreed on a purchase price and their Chief Executive
Officers have signed a Heads of Agreement. Further, they are waiting on the completion of
all required documentation to finalise the acquisition.

(a) Describe the key type of procedures you would initially plan to perform on Yau’s
pro forma financial information.

(b) Explain what procedure you would always perform on the audited financial statements
used as the underlying basis for making adjustments to reflect the Liu acquisition.

(c) Describe the procedures you plan and design to allow you to assess the pro forma
financial information.

Analysis

(a) Given the engagement is a reasonable assurance engagement, you should plan
on performing a combination of inquiry, inspection, observation, confirmation,
recalculation, re-performance, and analytical procedures. You would need
to undertake detailed planning procedures (considering any pre-conditions,
engagement risks and materiality, understanding the entity, and further
understanding the pro forma financial information) before finalising the exact type
and combination of procedures to design and perform to enable you to obtain
sufficient appropriate evidence to issue a reasonable assurance report.

(b) Given you have been told that Yau’s pro forma financial information is based
on previously audited financial statements, you would always plan to obtain the
audited financial statements and confirm the unadjusted financial information Yau
have used in their pro forma financial information to these statements.



(c) Those procedures should enable you to assess:

° Whether the applicable criteria used by the responsible party in the
compilation of the pro forma financial information provide a reasonable basis
for presenting the significant effects directly attributable to the transaction
reflecting the intended purchase of Liu Manufacturing Co, and to obtain
sufficient appropriate evidence about whether:

–– The related pro forma adjustments made by Yau give appropriate effect to
those criteria; and

–– The resulting pro forma financial information reflects the proper
application of those adjustments to the underlying audited historical
financial information.

° Be able to evaluate the overall presentation of the pro forma financial information.

12.4.3 Sampling

It is not practical or efficient (time and cost) for the practitioner to test all items within a
population that are part of the subject matter information. Practitioners use sampling mainly
because they are not seeking absolute certainty (they are looking for reasonable assurance),
examining all data may still not provide absolute certainty (completeness assertion), and for
cost–benefit reasons. A population can be an account balance (containing transactions) or a
group of items with homogeneous characteristics.

Sampling can be defined as the process of testing/examining only a part of a data
population, for a particular characteristic (e.g. that all invoices were appropriately approved in
line with delegation authorities), sufficient to extrapolate to the entire population, and to gain
reasonable assurance regarding that population. The extent of testing and the selection of
items for testing is determined by the practitioner using professional judgement.

A key risk with sampling (called sampling risk) is that if the sample chosen is not
representative of the population from which it was drawn the practitioner could reach an
incorrect conclusion. This risk can be reduced by giving every item in the population an equal
chance of selection and/or by increasing the sample size.

Appropriately designed sampling tests (where all sampling units have a chance of selection
and are representative of the population) allow the practitioner to draw conclusions, with
a reasonable basis, about an entire population based on testing a sample drawn from it.
Typically, the practitioner is testing for a particular characteristic in the population that is
relevant to the subject matter information.

The practitioner can sample (test check) by:

• Selecting all items (100% examination);

• Selecting specific items; and

• Audit sampling.


Any one or a combination of these sampling techniques may be appropriate depending
on the engagement, for example the risks of material misstatement related to the
assertion being tested and the practicality and efficiency of the different sampling
techniques.

The practitioner can use statistical or non-statistical sampling (often called judgemental
or random sampling) types. Statistical sampling uses computer-based technology to
mathematically derive the sample size numbers and then to randomly select items from the
population for the practitioner to test. Non-statistical sampling is based on the practitioner’s
judgement and experience to derive the sample size. The practitioner will select which type of
sampling to apply based on the engagement circumstances and the nature and characteristics
of the population to be tested.

Once the sampling type is selected, the practitioner decides the type of methodology to
employ on the sample. As for audit engagements, this depends on the nature of the population
to test – if the practitioner wants to substantively test a population, variable sampling is often
used. This looks for the sample to predict the value of a specific variable within a population,
where each individual item in the population is treated as a sampling unit. For testing of
controls, attributes sampling is usually used, which looks for whether the sample will or will
not possess certain qualities (attributes) by selecting a certain number of records to estimate
how many times a certain feature will show up in a population – each individual item in the
population is treated as a sampling unit.

The practitioner considers:

• When designing the sample, the purpose of the procedure and any particular
population characteristics to take into account.

• What sample size is necessary to reduce sampling risk to an appropriately low level.

• Ensuring all sample units in the population have an equal chance of selection.

• If the designed procedure is not applicable to the selected item, ensuring that a
replacement item is selected and tested using that procedure.

• If the practitioner is unable to apply the designed procedures or suitable alternative
procedures to a selected item, the practitioner treats that item as a deviation from the
prescribed control in the case of tests of controls or a misstatement in the case of tests
of details.

For any deviations identified during sampling on the test of controls, the practitioner must
consider the nature and cause of any deviations identified and whether:

• Identified deviations are within the expected rate of deviation and are acceptable,
thus enabling the practitioner to conclude that the control is operating effectively
throughout the specified testing period;

• Additional testing of the control or of other controls is required, to enable the
practitioner to conclude whether the controls over a particular control objective are
operating effectively throughout the specified testing period; or

• The testing performed enables the practitioner to appropriately conclude whether the
control operates effectively or not throughout the specified testing period.
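
The sampling considerations above can be traced through a small attributes-sampling run for a test of controls. This is an added illustration, not part of the module text: the invoice records, field names, function names, and the 5% expected rate of deviation are constructed assumptions.

```python
import random
from dataclasses import dataclass

# Possible outcomes when the designed procedure is applied to one selected item.
PASS = "pass"
DEVIATION = "deviation"
NOT_APPLICABLE = "not_applicable"    # e.g. a voided invoice: select a replacement
UNABLE_TO_TEST = "unable_to_test"    # evidence missing: treated as a deviation


@dataclass(frozen=True)
class Invoice:                       # constructed record layout (assumption)
    number: str
    amount: float
    approver_limit: float            # delegation authority of the approver
    approved: bool
    voided: bool = False
    record_available: bool = True


def check_approval(inv):
    """Designed procedure: was the invoice approved within delegation authority?"""
    if inv.voided:
        return NOT_APPLICABLE
    if not inv.record_available:
        return UNABLE_TO_TEST
    if inv.approved and inv.amount <= inv.approver_limit:
        return PASS
    return DEVIATION


def run_attributes_sample(population, sample_size, procedure, seed):
    """Select and test `sample_size` items, replacing items the procedure cannot apply to."""
    rng = random.Random(seed)        # recorded seed lets the selection be re-performed
    order = list(population)
    rng.shuffle(order)               # every sampling unit has an equal chance of selection
    tested, replaced = [], []
    for item in order:
        if len(tested) == sample_size:
            break
        outcome = procedure(item)
        if outcome == NOT_APPLICABLE:
            replaced.append(item)    # the next item in the random order is the replacement
            continue
        if outcome == UNABLE_TO_TEST:
            outcome = DEVIATION      # cannot apply the procedure: count as a deviation
        tested.append((item, outcome))
    if len(tested) < sample_size:
        raise ValueError("population too small for the requested sample size")
    return tested, replaced


def evaluate(tested, expected_rate):
    """Compare the sample deviation rate with the expected rate of deviation."""
    deviations = [item for item, outcome in tested if outcome == DEVIATION]
    rate = len(deviations) / len(tested)
    return {
        "sample_size": len(tested),
        "deviations": len(deviations),
        "deviation_rate": rate,
        "within_expected_rate": rate <= expected_rate,
        # Nature and cause of each deviation still has to be considered.
        "items_to_investigate": [inv.number for inv in deviations],
    }


def constructed_population():
    """Ten constructed invoices: six clean, two deviations, two voided."""
    items = [Invoice(f"INV-{n:03d}", 1000.0 + n, 5000.0, True) for n in range(1, 7)]
    items.append(Invoice("INV-007", 9000.0, 5000.0, True))   # above approver's authority
    items.append(Invoice("INV-008", 1200.0, 5000.0, True, record_available=False))
    items.append(Invoice("INV-009", 800.0, 5000.0, True, voided=True))
    items.append(Invoice("INV-010", 700.0, 5000.0, False, voided=True))
    return items


if __name__ == "__main__":
    tested, replaced = run_attributes_sample(constructed_population(), 8, check_approval, seed=1)
    print(evaluate(tested, expected_rate=0.05))
    print("replaced:", [inv.number for inv in replaced])
```

Whether a deviation rate above the expected rate leads to additional testing or to a conclusion that the control is not operating effectively remains a matter of professional judgement; the code only reports the comparison.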


For any misstatements identified during sampling on the test of details, the practitioner
must consider the nature and cause of any misstatements identified and whether:

• Identified misstatements are within the tolerable misstatement amount (the amount
determined by the practitioner to indicate that the population may be materially
misstated, based on performance materiality) and are acceptable. Therefore, the
testing that has been performed provides an appropriate basis for concluding that the
sampled population is unlikely to be materially misstated;

• Identified misstatements come close to, or exceed, the tolerable misstatement
amount. If the misstatements exceed the tolerable misstatement amount, then the
sampled population’s actual level of material misstatement may be higher. In such
circumstances, the practitioner should perform additional substantive test of details
procedures to gain sufficient appropriate evidence on which to conclude the sampling.

HKSA 530 Audit Sampling may provide additional helpful guidance in sampling. Additionally,
refer to Chapter 6 for more details on procedures related to sampling.

Key Learning Point


The practitioner determines the appropriate sampling strategy for particular items within
the subject matter information based on their professional judgement, taking into account
what particular population characteristics they want to test for and that are relevant to
their assessed risks and set materiality.

12.4.3.1 Evaluating the Results of Procedures Performed


Assurance Engagements
The practitioner shall evaluate the sufficiency and appropriateness of all evidence obtained
during the engagement. If the practitioner considers that additional information is required
for evaluation of the underlying subject matter, an attempt should be made to obtain
further evidence. The practitioner should consider all relevant evidence obtained during the
engagement, regardless of whether it appears to corroborate or to contradict information
already obtained (e.g. the subject matter information measurement or evaluation as compared
to the applicable criteria). If the practitioner is unable to obtain the required further evidence,
the implications for a conclusion are then considered. The practitioner also evaluates whether
uncorrected misstatements are material, individually or in the aggregate.

The practitioner is then required to form a conclusion about whether the subject matter
information is free from material misstatement. If the practitioner is unable to obtain sufficient
appropriate evidence, a scope limitation exists and the practitioner should express a qualified
opinion, disclaimer, or withdraw from the engagement, where withdrawal is possible under
applicable law or regulation, as appropriate.

The practitioner expresses an unmodified opinion when the practitioner concludes:

(a) For a reasonable assurance engagement, that the subject matter information is
prepared, in all material respects, in accordance with the applicable criteria; or


(b) For a limited assurance engagement, that, based on the procedures performed and
evidence obtained, no matter(s) has come to the attention of the practitioner that
causes the practitioner to believe that the subject matter information is not prepared,
in all material respects, in accordance with the applicable criteria.

The practitioner includes an ‘emphasis of matter’ paragraph in the assurance report when it
is concluded that a matter has been identified that is of such importance that it is fundamental
to intended users’ understanding of the subject matter information. Such a matter must be
presented or disclosed in the subject matter information.

The practitioner includes an ‘other matter’ paragraph in the assurance report when the
practitioner concludes they wish to communicate a matter other than those that are presented
or disclosed in the subject matter information that, in the practitioner’s judgement, is relevant
to intended users’ understanding of the engagement, the practitioner’s responsibilities, or the
assurance report and this is not prohibited by law or regulation.

The practitioner expresses a modified opinion when the practitioner concludes that the
subject matter information is misstated. The type of modified opinion expressed depends
on whether the misstatement is material but not pervasive, material and pervasive, or if
the practitioner is unable to conclude on whether the misstatement(s) is material and/or
pervasive.

• If the misstatement in the subject matter information is material but not pervasive,
then the type of conclusion is a qualified opinion.

• If the misstatement in the subject matter information is material and pervasive, then
the type of conclusion is an adverse opinion.

• If the practitioner is unable to obtain sufficient evidence to conclude that the identified
misstatement in the subject matter information is material and pervasive, but believes
its possible effect on the subject matter information may be both material and
pervasive, then the type of conclusion is a disclaimer of opinion.

For more details, refer to Chapter 10.

Non-assurance Engagements
The practitioner has to consider if, based on the testing performed, any errors or
exceptions that were identified needed to be included in the factual findings report
(non-assurance engagement). In some engagement circumstances, not all such errors may
be included in the report if the entity has requested only errors above a certain dollar value
to be advised.

Key Learning Point


The practitioner considers all information obtained during the assurance engagement that
is intended to be used as evidence and evaluates that information in forming a conclusion
on the procedures performed on the subject matter information.


Knowledge Check Questions

Question 8
Identify which of the following best explains why it is important to spend time to obtain an
understanding of the subject matter information in an assurance engagement.
A It is required by the HKICPA standards.
B Obtaining an understanding of the subject matter information is required so that the
practitioner can identify and assess the risks of material misstatement of the subject
matter information, whether due to fraud or error, and be able to design and perform
further procedures.
C It is not particularly important to the engagement.
D Obtaining an understanding of the subject matter information is required so that the
practitioner can minimise their procedures to only those areas of interest to the subject
matter information.

Question 9
Explain whether a practitioner is required to use sampling for testing components of
subject matter information.

12.5 COMMUNICATION WITH THOSE CHARGED WITH GOVERNANCE

12.5.1 Methods of Communication


All HKICPA standards require the practitioner to communicate any significant matter(s)
that comes to the practitioner’s attention during the engagement that in their professional
judgement are of sufficient importance and relevance to merit the attention of management/
those charged with governance. Additionally, the engagement requirements may contain
specific communication requirements including how to communicate, to whom to
communicate, when to communicate, and what to communicate. Communication may be
orally or in writing (preferable). The practitioner’s decision whether to communicate orally or in
writing is affected by factors such as the nature, sensitivity, and significance of the matter to be
communicated and the timing of such communications. Any oral communications will need to
be documented by the practitioner. HKSA 260 (Revised) Communication with Those Charged with
Governance may provide helpful guidance on the types of issues that may be communicated.

12.5.2 Timing of Communication


The practitioner communicates all significant matters on a timely basis or as soon as practical.
This enables management, those charged with governance, or any other relevant parties
(e.g. audit committees) to clarify facts and issues, and allows them to consider the matters
raised, address them, and advise the practitioner, such that the practitioner can consider their
actions and the impact, if any, on the engagement and ultimately the practitioner’s report.

If management agrees to communicate a matter of governance interest with those charged
with governance, the practitioner may not need to repeat the communications, provided
that the practitioner is satisfied that such communications have effectively and appropriately
been made.

12.5.3 Content of the Communication with Those Charged with Governance

For each matter identified as being of sufficient importance, the practitioner must use
professional judgement to assess who is the most appropriate entity representative to advise.
If the matter relates to management, those charged with governance will be more appropriate.
If the matter relates to those charged with governance, it may be that the audit committee or
board are more appropriate.

Examples of matters that may be of sufficient importance for the practitioner to report to
the appropriate entity level, on a timely basis are:

• Any attempted limitations of scope on the practitioner’s work, or difficulties in obtaining
requested information or accessing the appropriate persons.
• Any uncorrected material misstatements required to the subject matter information for
it to be prepared, in all material respects, in accordance with the applicable criteria to
the appropriate level of management on a timely basis, with a request to the entity to
correct those misstatements. Also consider the need to report them to those charged
with governance.

• All corrected misstatements made during the engagement with the appropriate level
within the entity.
• Any misstatements aggregated by the practitioner during the engagement that were
determined by management to be immaterial, both individually and in the aggregate,
and that were determined by management not to constitute non-compliance with
the applicable requirements of the Listing Rules regarding continuing connected
transactions.

• Any identified non-compliance with applicable requirements of the Listing Rules
regarding connected transactions of which the practitioner has become aware.

• Actual, identified, or suspected fraud or non-compliance by the entity with required
laws and regulations (other than when the matters are clearly trivial) and other relevant
matters of governance interest.

• Deficiencies in internal control that, in the practitioner’s professional judgement,
are of sufficient importance to merit attention, together with recommendations for
improvement (where appropriate).

• Matters of governance interest with management, except where those matters relate to
questions of management competence or integrity.

Key Learning Point


It is important that, for every engagement type, the practitioner communicates to the entity,
as soon as possible, all matters that are considered of sufficient importance to advise those
charged with governance.

Knowledge Check Questions

Question 10
Explain why it is important to communicate, on a timely basis, any significant matters
identified during the course of the engagement with those charged with governance.

Question 11
Identify which of the following you would ordinarily advise those charged with governance.
A If you have encountered considerable difficulty in obtaining information regarding a
material component of the subject matter information.
B If you had to perform alternate procedures on those you originally planned to conduct
on particular information.
C If you confirmed there had been no non-compliance with applicable laws and regulations
relevant to the engagement.
D Trivial misstatements.

12.6 EVIDENCE ANALYSIS OVERVIEW

12.6.1 Subsequent Events Review


There are varying requirements in the HKICPA standards for the practitioner to consider events
occurring between the date of the subject matter information and the date of the practitioner’s
report or events after the issuance of the practitioner’s report.

Generally, the key consideration is whether a subsequent event would require adjustment
of, or disclosure in, the subject matter information. In some engagements, subsequent events
may not be relevant because of the nature of the underlying subject matter information. For
example, if the practitioner is concluding on the subject matter information at a point in time
(i.e. up to the practitioner’s report) then subsequent events may be of little consequence unless
they cause the practitioner to re-consider information either used as evidence in forming their
conclusion or included in the report.

Most HKICPA standards do not require the practitioner to perform any procedures to
identify events after the date of the subject matter information that require adjustment of,
or disclosure in, such subject matter information after the date of the practitioner’s report.
Additionally, the engagement terms may determine what obligations the practitioner has to
consider subsequent events. The practitioner may, depending on engagement circumstances,
consider requesting the entity to inform the practitioner of any event occurring subsequent to
the date of the practitioner’s letter that may impact on the subject matter information.

When subsequent events are relevant to the assurance engagement (e.g. the subject
matter information is related to another document that was issued after the subject matter
information), for events the practitioner becomes aware of after completion of the work and
before the issuance of the assurance report, the practitioner is required to consider their effect
on the subject matter information and on the assurance report and is required to respond
appropriately to facts, including considering the impact on the assurance report. Additionally,
if the practitioner becomes aware of a fact after issuing the practitioner’s report that, if it
had been known to the practitioner at the date of the practitioner’s report, may have caused
the practitioner to amend the report, the practitioner needs to discuss the matter with the
entity (management or those charged with governance, as appropriate), determine whether
the subject matter information needs amendment, and inquire how management intends to
address the matter.

If management fails to amend the subject matter information in circumstances where
the practitioner believes it needs to be amended, and the practitioner’s report has already
been provided to the entity, the practitioner notifies management and those charged with
governance not to issue the subject matter information to third parties before the necessary
amendments have been made. If the subject matter information is nevertheless subsequently
issued without the necessary amendments, the practitioner is required to take appropriate
action to seek to prevent reliance on the practitioner’s report.

12.6.2 Documentation

The practitioner prepares documentation to provide a sufficient and appropriate basis for
the practitioner’s conclusion, evidence that the engagement was performed in accordance
with the applicable HKICPA standard and, where relevant, legal and regulatory requirements,
and a sufficient and appropriate record of the basis for the practitioner’s report.

The practitioner is generally required to assemble the engagement documentation in
an engagement file and complete the administrative process of assembling the final engagement
file on a timely basis after the date of the practitioner’s report. After the final engagement file has
been assembled and is considered complete, the practitioner is required to retain all engagement
documentation for the duration of its required retention period. If after the assembly of the final
engagement file has been completed the practitioner considers it necessary to amend or add to
the existing file, the practitioner is required to document:

• The specific reasons for making the amendments or including the additions; and

• When, and by whom, the amendments and/or additions were made and reviewed.

The practitioner documents the following aspects of the engagement in a timely manner,
sufficient to enable an experienced practitioner, having no previous connection with the
engagement, to understand:

• Any issues identified with respect to compliance with relevant ethical requirements
(including independence) and how they were resolved, and any relevant discussions
with the firm that support these conclusions.

• All conclusions reached regarding the acceptance and continuance of client
relationships and the engagement.

• The nature, timing, and extent of the procedures performed to comply with the
required HKICPA standard and applicable legal and regulatory requirements.

• Results obtained from the procedures, and the practitioner’s conclusions formed on the
basis of those results.

• If the practitioner used the specific work of the internal auditors, the conclusions
reached regarding the evaluation of the adequacy of the work of the internal auditors
and the procedures performed by the practitioner on that work.

• Significant matters arising during the engagement, including discussions with
management and/or those charged with governance/relevant others, including
the nature of those matters, the disposition of such matters (e.g. inconsistencies
in information), the practitioner’s conclusions reached thereon, and any significant
professional judgements made in reaching those conclusions.

• The record of how the subject matter information reconciles with the underlying
records, documents, explanations, and other information provided by management.

• A copy of the final version of the subject matter information for which management or
those charged with governance, as appropriate, has acknowledged their responsibility
and the practitioner’s report.

• Evidence of who:

° Performed the engagement work and the date such work was completed; and

° Reviewed the work performed for the purposes of quality management for the
engagement and the date and extent of the review.

• The nature and scope of, and conclusions resulting from, any significant consultations
undertaken during the course of the engagement.

Key Learning Point


The engagement file documentation must support the practitioner’s report and stand
alone in terms of another practitioner being able to understand how the engagement was
planned, conducted, and reported, particularly how significant matters to the engagement
were addressed and resolved.

Knowledge Check Questions

Question 12
You recently completed an assurance engagement on Yau’s greenhouse gas (GHG)
statement, dated 31 December 20X9, that was published on their website, in respect of
reported carbon dioxide (CO2) emissions at their manufacturing plant at Chengdu. Based
on the procedures performed, you issued an unmodified assurance conclusion on their
statement. The Chief Operating Officer of Yau Manufacturing Company Ltd, Mr. Wong,
has just made you aware of a subsequent event that may affect the completeness of the
quantification of the reported CO2 emissions in the GHG statement. Explain what the most
appropriate course of action for yourself is.

Question 13
You are assembling the engagement file for a non-assurance engagement involving
compiling historical financial information. The file is going to be reviewed by another
advisory partner in your firm as required under your firm’s quality management policy.
In reviewing the documentation on the file, you realise some supporting documentation
you received from the client on a material balance is not in the file and is still contained in
an email file you saved in your email system. Explain whether you need to download and
attach the email file to the file or can instead cross-reference to the email.

12.7 PREPARING THE ENGAGEMENT REPORT

12.7.1 Other Assurance Report Contents


In preparing the assurance report, the practitioner evaluates the results of their procedures
in order to form the conclusions in the report. For example, the practitioner should consider
whether any matters would preclude the practitioner from issuing their assurance report
or whether they may need to modify or qualify the conclusion.

The report form can be a formal report or a letter, depending on engagement
circumstances and the requirements of the applicable assurance standard. All assurance
engagements must have a written assurance report issued by the practitioner. Their form
and content elements will be determined, at a minimum, by the requirements of the relevant
HKICPA standard.

In terms of dating the assurance report, the practitioner is required to date the report no
earlier than the date on which the practitioner has obtained sufficient appropriate evidence
as the basis for the practitioner’s conclusion on the financial statements, including being
satisfied that:

• All the statements that comprise the subject matter information have been prepared
under the applicable criteria, including the related notes where applicable; and

• Those with the recognised authority have asserted that they have taken responsibility
for the subject matter information.

Each applicable HKICPA standard contains minimum requirements for each other
assurance engagement discussed in Section 12.2. The practitioner is able to add additional
content over and above these minimum requirements. Refer to the reporting sections within each
standard to understand the minimum requirements applicable to the particular engagement.

12.7.2 Non-assurance Report Content


In preparing the report, the practitioner evaluates the results of the agreed-upon procedures
performed on the financial information or in compiling the financial information. They consider
if all the procedures have been performed and the results of those procedures, including if any
exceptions or errors were identified. They consider, using professional judgement, and taking
into account the engagement circumstances and requested reporting by the entity, whether
to include any or all of these exceptions and errors in the report. Ordinarily all exceptions and
errors are reported.

Each applicable HKICPA standard contains minimum requirements for each non-assurance
engagement discussed in Section 12.2. The practitioner is able to add additional content over
and above these minimum requirements. Refer to the reporting sections within each standard to
understand the minimum requirements applicable to the particular engagement.

Key Learning Point


All engagements require the practitioner to produce a written report, and provide it to the
appropriate person, as evidence of the work performed and the results of that work.

Knowledge Check Questions

Question 14
You have recently completed fieldwork on an engagement to assure a company’s pro
forma financial information in connection with the company seeking increased funding
from their financiers. You need to prepare the assurance report and were unsure
whether you needed to include all the requirements contained in HKSAE 3420 Assurance
Engagements to Report on the Compilation of Pro Forma Financial Information Included in a
Prospectus as the requirements do not all seem to apply to your engagement. Evaluate
what the practitioner’s reporting obligations are under the standard.

Question 15
Explain, in reporting on assurance engagements, whether you need to consider HKSAE
3000 (Revised) Assurance Engagements Other Than Audits or Reviews of Historical Financial
Information reporting requirements in preparing the assurance report.

SUMMARY

This chapter explained the different types of assurance engagements and non-assurance
engagements an HKICPA practitioner can perform on different subject matter information.
It also explained the key differences of, and key aspects for, both engagement types when
planning, performing, and reporting, including relevant ethical considerations. It covered:

• Assurance engagements:

° All review engagements (Hong Kong Standards on Review Engagements).

° Other assurance engagements (Hong Kong Standards on Assurance Engagements).

° Investment circular reporting (Hong Kong Standards on Investment Circulars).

° Applicable Practice Notes (related to another assurance engagement or non-assurance
engagement).

° Hong Kong Auditing Standard HKSA 810 (Revised) Engagements to Report on Summary
Financial Statements.

° Other types of assurance engagements (not HKICPA Standard specific), including
compliance audits, operational audits, and value for money audits.

• Non-assurance engagements

MIND MAP

[Mind map of the chapter, centred on "Other Assurance Engagement Requirements". Branches:
Other Assurance Engagements Requirements; Other Assurance Engagements and Non-assurance
Engagements; Engagements Risk for Other Assurance and Non-assurance Engagements; Obtaining
Sufficient Evidence; Communication with Those Charged with Governance; Evidence Analysis;
Preparing the Engagement Report.]

Answers to Knowledge Check Questions

Question 1
Answers A, B, and D are incorrect. They are all assurance engagements as the practitioner
independently designs and specifies the procedures to perform on the internal controls
(not the entity).
Answer C is correct. The entity specifies the procedures to be performed by the
practitioner; therefore, the practitioner does not independently plan, design, and perform
their own procedures to obtain any type of assurance on the internal control.

Question 2
Yes, provided the practitioner has the necessary competencies and skills and is able to
meet the relevant ethical requirements to conduct the particular engagement.

Question 3
The level of assurance provided is different. An engagement to review interim financial
statements is limited assurance (negative conclusion), in contrast to an engagement to
audit financial statements, which is reasonable assurance (positive conclusion).

Question 4
Answer A is incorrect. This is not permitted by the Code of Ethics or HKSQM 1.
Answer B is correct. The practitioner cannot prepare and compile information that is then
subject to audit as this is a clear threat to their independence and is not allowed by the
HKICPA Code of Ethics for Professional Accountants or HKSQM 1 Quality Management for Firms
that Perform Audits or Reviews of Financial Statements, and Other Assurance or Related Services
Engagements.
Answer C is incorrect. The conflict is of the practitioner’s independence not the
confidentiality fundamental principle.
Answer D is incorrect. HKSRS 4400 (Revised) does not specifically allow this situation. It
does, however, contemplate this situation arising. In fact, in the Application and Other
Explanatory Material, paragraph A37 of HKSRS 4400 (Revised), it notes that in setting the
engagement terms the practitioner should include a specific term outlining the ‘extent of
the practitioner’s responsibilities, including that the practitioner will not express an audit
opinion or a review conclusion on the financial information’.

Question 5
The practitioner performs an assessment of engagement risks prior to acceptance or
continuance to ensure that they are fully informed of, and understand the nature of,
the entity and the subject matter information they are being asked to report on. This
allows the practitioner to make a professional judgement as to whether they wish to be
professionally appointed by the entity to conduct the work (and be associated with the
engagement). The practitioner should ensure for the engagement that intended users
of the report have a good understanding and agreement of the practitioner’s scope of
work agreed, procedures to be performed, and type of report (and level of assurance, if
applicable) to be provided.

Question 6
Each engagement conducted by HKICPA standards sets out pre-conditions that must
exist/be met prior to accepting or continuing an engagement. Additionally, there may be
applicable laws, regulations, or proposed engagement terms (specified by the practitioner
and/or the entity) that specify pre-conditions. Pre-conditions are established essentially
to ensure that similar engagements are performed consistently in accordance with
requirements, in particular agreements between the practitioner and the entity, for how
the engagement will be conducted and the requirements are all met. Generally, if any
such pre-conditions are not met, the practitioner does not accept or continue with the
engagement unless required by law or regulation to do so.

Question 7
Yes, Yau have a new management team and it is appropriate to issue a new
engagement letter so that you receive their acknowledgement and acceptance of the
engagement terms.
As noted in the opening case, Yau have a new Chief Financial Officer, Chief Operating
Officer, and Chair of the Audit Committee, and therefore it is appropriate to issue an
engagement letter for them to give them the opportunity to review the engagement
terms contained in the engagement letter and to sign the letter as evidence of their
acknowledgement and acceptance of its engagement terms.

Question 8
Answer A is correct but is not the best answer. It does not explain why obtaining an
understanding is important.
Answer B is correct. The practitioner obtains an understanding of the subject matter
information so that they can design an efficient audit that targets their procedures and
work effort to those areas within the subject matter information that are material or they
understand may have risks of material misstatement.
Answer C is incorrect. Obtaining an understanding of the subject matter information is
critical to planning and performing a risk-based assurance engagement.
Answer D is incorrect. This is not the purpose of obtaining an understanding of the
subject matter.

Question 9
No, a practitioner is not required to use sampling if it is not efficient to do so, taking into
consideration the characteristics of the population within the subject matter information,
e.g. the number of transactions included in the population and its materiality.

Question 10
Communicating with those charged with governance on a timely basis allows them the
opportunity of investigating the matter raised and to respond appropriately (e.g. provide
additional information).

Question 11
Answer A is correct. The practitioner should always advise significant difficulties they
experienced during the engagement in obtaining sufficient appropriate evidence on which
to form a conclusion on individual material components of the subject matter information.
Answer B is incorrect. This is part of the engagement and the fact that the practitioner
had to design and perform alternate procedures from those planned does not ordinarily
warrant the attention of those charged with governance.
Answer C is incorrect. The practitioner does not ordinarily need to inform those charged
with governance of this. An exception to this is if under the terms of engagement those
charged with governance had specifically requested the practitioner to advise on their
entity’s compliance with applicable laws and regulations related to the engagement.
Answer D is incorrect. The practitioner is not required to report clearly trivial misstatements.
An exception to this is if under the terms of engagement those charged with governance
had specifically requested the practitioner to advise these types of misstatements.

Question 12
You should meet with the Chief Operating Officer of Yau (Mr. Wong) as soon as practical to
understand the details of the subsequent event they have made you aware of and review
any relevant documents connected to the subsequent event. Based on this additional
information, you should assess its impact, if any, on the issued assurance report on the
greenhouse gas statement. Its impact will depend on the nature of the event and whether
it has the potential to change the assessment of evidence obtained during the engagement
and ultimately if it could impact your conclusion on the GHG statement.

If based on further procedures you designed and performed, and additional evidence
obtained, you assess the subsequent event to change your issued assurance report,
then you would update the engagement file for the information, work performed, and
conclusion formed and then update and re-issue the assurance report to explain the
impact of the subsequent event. If the subsequent event is not disclosed in the GHG
statement or accompanying notes, the practitioner could consider that a different
assurance conclusion (e.g. modified opinion) is appropriate or could include an emphasis
of matter paragraph or another matter paragraph.
If based on further procedures you designed and performed, and additional evidence
obtained, you assess the subsequent event does not change your issued assurance report,
then you would file the additional information, together with your conclusion on that
information, and finalise the engagement file.

Question 13
The most appropriate course of action is to download the file and attach it to the
engagement file so that the file is a standalone and the engagement quality reviewer can
review the complete engagement file. Cross-referencing is not appropriate as that reviewer
must be able to review all documentation used as evidence in the engagement within the
engagement file.

Question 14
The minimum reporting requirements within HKSAE 3420 Assurance Engagements to
Report on the Compilation of Pro Forma Financial Information Included in a Prospectus
must be complied with. The practitioner is not able to exclude any information required
to be included in the assurance report. If they do, the report is not in compliance
with HKSAE 3420 and they would be unable to assert in the assurance report that the
engagement had been conducted in accordance with HKSAE 3420.

Question 15
Yes, the practitioner is required to consider, and comply with, the minimum requirements
in HKSAE 3000 (Revised) in addition to the particular HKICPA standard relevant to the
engagement.

EXAM PRACTICE

QUESTION 1
The Chief Financial Officer, Ms. Chan, of Yau Manufacturing Company Ltd would like to
understand the key differences between an assurance engagement and a non-assurance
engagement. Yau are contemplating requesting a number of engagements covering their
diverse manufacturing business and would like to understand the benefits and costs of
each option.

Required:

Explain to Ms. Chan what the key differences are between an assurance engagement and
a non-assurance engagement. Be sure to include in your explanation their relative benefits
and costs in conducting the respective engagement.

QUESTION 2
You are the assurance partner of Chow & Co CPAs and have just received a request from the
Very Best Lighting Company (Very Best) based in Hong Kong to review their 31 December
20X8 financial statements. You understand that they have never had an audit or review
conducted before (they commenced trading in March 20X6) and have recently obtained
financing from Standard Chartered Bank (Hong Kong) to fund their expansion into wholesale
selling of small electrical appliances. As part of the new financing arrangement, the bank
has required Very Best to have their most recent 31 December 20X8 financial statements
reviewed by an independent HKICPA practitioner.

Required:

(a) Explain your key considerations in accepting this engagement.


(b) Describe what type of assurance procedures you would plan to perform.

ANSWERS TO EXAM PRACTICE

QUESTION 1
Assurance Engagements

An assurance engagement is conducted when the entity requires independent assurance on
financial or non-financial information. It is designed to enhance the degree of confidence of
intended users (of the assurance report) about the outcome of the practitioner’s evaluation/
measurement of that financial or non-financial information against acceptable applicable
criteria (e.g. the requirements of the applicable financial or other reporting framework). This
outcome is expressed in terms of a positive (reasonable) or negative (limited) assurance
conclusion included in the practitioner’s report. The practitioner obtains sufficient
appropriate evidence on the financial or non-financial information, as measured against
applicable criteria, to enable them to express a conclusion, having planned, designed,
and performed their audit procedures to achieve this outcome. In some cases, the type of
assurance possible depends on the requirements of applicable HKICPA standards.

The practitioner is required to be independent of the entity for all assurance
engagements and performs procedures that are planned, designed, and performed by them,
based on their own risk assessment of the subject matter information and the engagement.
The entity, as the responsible party, prepares and accepts responsibility for the accuracy and
completeness of the subject matter information to which the practitioner assures.

An assurance engagement is more time consuming and costly than a non-assurance
engagement due to the increased work performed by the practitioner and the fact that the
practitioner expresses a conclusion on the work performed. If the intended users of the
practitioner’s report are external to the entity, they will often see more value in assurance
engagements than non-assurance engagements as the HKICPA practitioner expresses an
opinion on the work performed.

Non-assurance Engagements

In contrast, a non-assurance engagement is conducted when the entity does not require
independent assurance on specified financial or non-financial information (specified
information), but instead requests the practitioner (who may or may not be independent
of the entity) to perform certain procedures, nominated by the entity, on that specified
information. Often these procedures are designed to meet the needs of intended users
(who may be internal or external to the entity). Given the practitioner has not independently
determined the nature, timing, and extent of procedures to perform, instead agreeing to
perform the entity’s specified procedures, they are not able to provide independent assurance.

The practitioner then reports results of performing those procedures in a factual
findings report to the engagement’s nominated intended users (i.e. the practitioner does
not express any opinion or draw any conclusion from the procedures performed on the
specified information). The entity, having received the practitioner’s report, interprets the
findings in the context of their business, draws their own conclusions about the outcome of
the procedures performed as contained in the report, and takes any appropriate action(s).
Again, the entity, as the responsible party, prepares and accepts responsibility for the
accuracy and completeness of the subject matter information, on which the practitioner does
not provide assurance (i.e. the practitioner does not verify or express any opinion on the accuracy or
completeness of the entity’s information being reported on).

A non-assurance engagement is less time consuming and costly than an assurance
engagement due to the reduced, more targeted, work performed by the practitioner and
the fact that the practitioner does not express any conclusion on the work performed. If
the intended users of the practitioner’s report are internal to the entity, and the nature
of the information being reported on is focused/targeted, and the entity only needs a
HKICPA practitioner to perform certain agreed procedures on the specified information,
then a non-assurance engagement may offer more value than an assurance engagement.

QUESTION 2
(a) HKSRE 2400 (Revised) Engagements to Review Historical Financial Information is the applicable
HKICPA standard as it applies to a review engagement performed by a practitioner who
is not the auditor of the entity. The objective of this type of review is to enable Chow &
Co CPAs, on the basis of procedures performed (primarily inquiry and analytical
procedures) addressing whether the financial statements as a whole are free from material
misstatement, to conclude as to whether anything has come to their attention
that causes them to believe that the 31 December 20X8 financial statements are not
prepared, in all material respects, in accordance with the applicable financial reporting
framework (being the applicable criteria). The review conclusion provides limited assurance.

Key considerations to achieve the engagement objectives are:

• Are there any engagement risks to accepting this new engagement (these
depend on the particular engagement circumstances and the type of subject
matter information and therefore vary from engagement to engagement)?

• Ensure you have the ability to comply with relevant ethical requirements
contained in the Code of Ethics (Parts 1, 3, and Part 4A) and HKSQM1 Quality
Management for Firms that Perform Audits or Reviews of Financial Statements or
Other Assurance or Related Services Engagements.

° You need to be independent of Very Best and possess competence in
assurance skills and techniques and competence in financial reporting
appropriate to the engagement circumstances.

° You should be able to plan and perform the review with professional
scepticism and exercising professional judgement.


• Be alert to any information obtained to assess if anything has come to your
attention that causes you not to accept the engagement.

• Consider if any of the engagement pre-conditions required by HKSRE 2400
(Revised) cannot be met. If so, the engagement should be declined.

• Set materiality for the financial statements as a whole. This materiality can
be used in designing the procedures and in evaluating the results of those
procedures.

• Understand the entity and its environment, through inquiry and inspection
of relevant documents, sufficient to identify and assess the risks of material
misstatement of the subject matter information, whether due to fraud or error,
and also sufficient to design and perform further procedures to respond to
those assessed risks. As you are not the entity’s auditor, you will not ordinarily
have the same understanding of the entity and its environment, unless you have
performed this type of engagement for Very Best before (we are not told in the
question). You therefore have to plan to perform additional procedures to gain
an understanding sufficient for the engagement.

• Understand the subject matter information (in this case, the 31 December 20X8
financial statements) through inquiry and inspection of relevant documents,
sufficient to provide you with the ability to report on the subject matter
information. The level of understanding of the subject matter information must
be sufficient to:

° Identify and assess any areas of possible material misstatement in the
subject matter information (risk considerations) and how you plan to
respond to those risks through designing the nature, timing, and extent of
certain procedures.

° Check the relevance and reliability of information to be used as evidence.

° Check whether the work of an expert, another practitioner, an entity’s or
measurer’s or evaluator’s expert, or an internal auditor is expected to be used.

(b) The types of assurance procedures, sufficient to obtain limited assurance, are designing
and performing inquiry and analytical procedures, based on having previously
identified the areas where a material misstatement in the subject matter information
is likely to arise and to address all material items in the financial statements (including
disclosures). You should remain alert to any related parties, fraud and non-compliance
with laws and regulations, and going concern related issues, and any subsequent events
that occur after the practitioner’s report is issued, as they may impact the review.

• Inquiries are usually of management and other relevant persons within the entity.

• Analytical procedures are performed on historical financial information, once
you have assessed that the data obtained from the entity’s IT systems (including
accounting) are adequate.

If you become aware of matters that cause you to believe the subject matter information
may be materially misstated, you would have to design and perform additional procedures
to obtain further evidence to enable you to conclude if this is the case or not.

13 Computerised Business Systems and Controls

CHAPTER TOPIC LIST

13.1 Overview of Computerised Business Systems
13.1.1 IT Department Structure
13.1.2 IT Department Functions

13.2 IT Environment
13.2.1 Implementation of New IT Systems
13.2.2 Financial Reporting Systems
13.2.3 E-commerce Overview and Importance to Business
13.2.4 Networked Systems
13.2.5 PC Systems

13.3 IT Strategy
13.3.1 The Role of IT Strategy
13.3.2 How Information Technology Improves Internal Control
13.3.3 Assessing Risks of IT

13.4 Internal Controls Specific to IT
13.4.1 General and Application IT Controls Relationship
13.4.2 General Controls
13.4.3 Application IT Controls
13.4.4 Auditing Computerised Business Systems and Controls

13.5 Computer-assisted Auditing Techniques
13.5.1 Audit Software
13.5.2 Test Data and Testing Procedures
13.5.3 Documentation
13.5.4 Effectiveness of Cyber-security Safeguard
13.5.5 Weakness Identification and Recommendations

13.6 E-commerce Control Issues
13.6.1 Detailed Characteristics of E-commerce Systems
13.6.2 Internal Controls in E-commerce
13.6.3 Auditing E-commerce


LEARNING OUTCOMES

PRINCIPAL LO4: EVALUATE AND ADVISE ON COMPUTERISED BUSINESS SYSTEMS AND CONTROLS
LO4.01: Evaluate and advise on computerised business systems and controls of an entity
4.01.01 Explain how an effective IT department should be structured
4.01.02 Describe the functions that should be carried out by the IT department
4.01.03 Describe the contents of an IT strategy
4.01.04 Explain the importance of e-commerce to a business
4.01.05 Explain the characteristics of an entity operating a networked computer system
4.01.06 Explain the characteristics of an entity operating with standalone PCs
4.01.07 Describe examples of general and application controls
4.01.08 Prepare documentation of key systems
4.01.09 Analyse an entity’s controls within selected processes
4.01.10 Design appropriate procedures to test the operation of an entity’s control system, including
the IT environment, and the effectiveness of its cyber-security safeguard
4.01.11 Evaluate the outcome of the testing of the control system to address identified weaknesses
4.01.12 Recommend IT controls that are appropriate to the entity
4.01.13 Identify and explain the effect of e-commerce on the auditor’s risk assessment and
audit approach
4.01.14 Identify the knowledge and skills required to audit an entity’s e-commerce activities
4.01.15 Design effective business processes including key controls activities
4.01.16 Advise on the risks relating to particular business processes


OPENING CASE

CWAVES FERRY HOLDING COMPANY LIMITED

CWaves Ferry Holding Company Limited (CWaves) is a publicly listed company on the Hong
Kong Stock Exchange (HKEx). It operates ferry services in Hong Kong Harbour, Sok Kwu
Wan, Shenzhen, and Macau. CWaves has 10 wholly owned subsidiaries and is a conglomerate
with quite varied interests and investments. The CWaves Group has significant investments in
buildings, godowns, port infrastructure, travel agencies, and hotels.

The Chief Information Officer (CIO) for the CWaves Group is Ka Yut Kwan. Ka Yut was
previously the IT manager at CWaves Hotels Company and was promoted to replace Liao Jing,
who retired at the end of last year. Jing had been CIO for more than 10 years.

As CIO, Ka Yut is responsible for the IT services delivered to this large organisation with
many different parts (Exhibit 13.1). Although Ka Yut likes his job and thinks that CWaves has
many good opportunities, he is at times daunted by the complexity of the organisation.

CORPORATE STRUCTURE

[Organisation chart: CWaves Ferry Holding Company Limited holds 100% of each of the 10 subsidiaries listed below; the chart legend reads 'Material to the Group'.]

1 CWaves Hotels Company
2 CWaves Ferries Company
3 HKCW Development Holding Company
4 HKCW Investment Limited
5 Hai Cruising Company
6 CWaves Maintenance Company
7 CWaves Godown Company
8 Donghai Company
9 CWaves Management Company
10 Wonder Travel Company

EXHIBIT 13.1 Corporate structure of CWaves Ferry Holding Company

Currently, each member of the CWaves Group has its own IT department and its own IT
infrastructure, except for Hai Cruising Company and Wonder Travel Company. Hai Cruising and
Wonder Travel share their IT department with a cloud-based infrastructure. It is CWaves Group
policy that all IT departments throughout the group have a job rotation programme to give
IT staff experience in each member of the group. To date, however, members of the CWaves
Godown IT team have not taken part in the job rotation programme.

Each IT department delivers services to the company in which it is located. There are
nine different data centres (including the Group Data Centre, which hosts all of the group’s
electronic commerce solutions) and the Hai Cruising/Wonder Travel cloud-based service
provider. There are 1,000 workstations and laptops used by the CWaves workforce.

The Group Data Centre provides electronic commerce hosting services, principally
for CWaves Hotels, Wonder Travel, and CWaves Godown. This Data Centre uses the latest
technologies and is run by an external service provider. This is HKBuTS – Hong Kong Business
Technology Solutions – and this company manages the Group Data Centre and its IT security
using CWaves’ own infrastructure. The electronic commerce solution for CWaves Hotels and
Wonder Travel is a standard commercial system, but the electronic commerce software for
CWaves Godown is developed by the CWaves Godown software development team using agile
software methods (SCRUM and eXtreme Programming (XP)).

Ka Yut thinks that, although managing the technology is a big task on its own, managing the
people is of great concern to him. For example, the CWaves Godown software development
team is secretive about the software that they have developed for CWaves Godown’s electronic
commerce solution. They are concerned that if they share the source code for the solution that
they have developed, Ka Yut will fire them. The software development team deliberately writes
the software with little documentation and insists on managing the installation of the software
on the CWaves Group Data Centre rather than letting the HKBuTS team have access to the
software. The source code is kept on CWaves Godown’s own IT infrastructure.

Ka Yut has a meeting of the CWaves IT Committee on Monday morning and just reviewed
the agenda. Although the agenda deals with the normal, regular updates on various IT projects,
Ka Yut is curious. Tak Wai Yu, the team leader of the financial audit team, wants to meet with
the IT Committee. Why, exactly, do the financial auditors want to meet with the members of
the CWaves IT Committee? There must be some mistake and they really want to meet with the
CWaves Audit Committee – Ka Yut is responsible for CWaves’ technology infrastructure and
keeping it operational, not the financial accounts.

On the agenda there was a phone number listed for Tak Wai. Ka Yut called her and asked
the question, ‘Why do you need to meet with myself and the IT Committee? Why do you even
care about what we do with IT? You’re about the numbers!’ There was an exasperated sigh at
the other end of the line before Tak Wai Yu spoke. ‘Well, let me tell you – there’s a whole bunch
of reasons I need to talk to you and your team. But mostly, it’s because the auditing standards
require me to do so!’


OVERVIEW

The auditor is required to develop a professional opinion as to the risk of material
misstatement in the financial reports whereby a financial report is so inaccurate, incomplete,
or invalid that it could affect the decisions of a user of a financial report.

The information in financial reports is derived from one or more information systems (IS)
in the audited entity. The effectiveness of these systems is therefore a key consideration for the
auditor in developing a professional opinion.

This chapter provides a foundational guide to the auditor in assessing the risk of material
misstatement in the financial reports relating to the audited entity’s IS. The most relevant Hong
Kong Standards on Auditing (HKSA) for this assessment are HKSA 315 (Revised 2019), Identifying
and Assessing the Risks of Material Misstatement, and HKSA 320, Materiality in Planning and Performing
an Audit (HKSA 320.10, HKSA 320.14). The HKSA set out three IS audit-related duties that the financial auditor must fulfil when
auditing the financial reports of an entity. This chapter directly addresses these three duties.

The auditor’s first duty is, in the context of the use of IT in the entity’s business model,
to understand the IT environment and the entity’s system of internal control. Appendix 1
to HKSA 315 (Revised 2019) identifies the considerations for understanding the entity and
its business model. The auditor must understand the structure and operations of the IT
department (Section 13.1: Overview of Computerised Business Systems) and the building of
new systems and how the systems in place affect financial reporting information (Section 13.2:
IT Environment).

The auditor’s second duty is to assess the risks that arise from the use of information
technology (IT). The auditor needs to understand how the strategic use of IT affects internal
control at the entity and the assessment of IT risk (Section 13.3: IT Strategy).

The auditor’s third duty is to develop the audit strategy and approach required to evaluate
the effectiveness of the audit entity’s IT internal controls. The auditor must select audit
procedures that allow the auditor to evaluate the effectiveness of the system of internal control
specific to IT (Section 13.4: Internal Controls Specific to IT).

This chapter concludes by addressing two final issues. The first is the use of
computer-assisted auditing techniques (Section 13.5: Computer-assisted Auditing Techniques).
The second is the selection of audit procedures that address the internal controls of electronic
commerce (e-commerce) IS (Section 13.6: E-commerce Control Issues).

The chapter recognises that the nature and complexity of the entity and its business model
may result in entities using a range of IT systems and infrastructure whose characteristics
impact the matters to be considered by an auditor in addressing their responsibilities. This
chapter covers a range of such IT models and frameworks with differing characteristics
affecting IT matters in an IT environment and the system of internal control.


13.1 OVERVIEW OF COMPUTERISED BUSINESS SYSTEMS

At the broad level, the auditor obtains an understanding of the entity and its environment,
the application of the applicable financial reporting framework and how inherent risk may
impact assertions to formulate expectations about classes of transactions, account balances
and disclosures. These expectations need to be based on an understanding of the entity’s
information system.

HKSA 200 (Revised 2022), Overall Objectives of the Independent Auditor and the Conduct of an
Audit in accordance with Hong Kong Auditing Standards, requires the auditor to obtain sufficient
appropriate audit evidence to reduce audit risk to an acceptably low level. Audit risk, being
the risk of the auditor issuing an unqualified opinion due to the failure to detect material
misstatements, is therefore a function of the risk of material misstatement and detection
risk. The risk of material misstatement exists at the overall financial statement level and the
assertion level. HKSA 200 indicates that the risks of material misstatement are assessed at the assertion
level to determine the nature, timing and extent of further audit procedures to obtain sufficient
appropriate audit evidence on which to form an opinion.

HKSA 300, Planning the Audit of Financial Statements, requires that the auditor develop an audit plan and
strategy that implements the risk identification and assessment process.
In applying HKSA 200 and HKSA 300, HKSA 315 (Revised 2019) requires a separate assessment of inherent and control risks for
identified risks of material misstatement. This requires an understanding of the entity and
its environment, the applicable financial reporting framework and the entity’s system of
internal control.

HKSA 315 (Revised 2019) paragraph 19 identifies a number of aspects of the entity and its environment of which the
auditor needs to obtain an understanding when performing risk assessment procedures.
One aspect of this requirement is gaining an understanding of the business model, as this
provides information about the business risks facing the entity, which risks may have financial
consequences. One implication of this requirement is that the auditor needs to understand the
extent to which the business model integrates the use of IT.

As part of the process of gaining that understanding, HKSA 315 (Revised 2019) requires the auditor, when performing
the risk assessment, to consider the components of the entity’s system of internal control.
Computerised systems operate within an entity’s overall system of internal control.

The system of internal control is defined in HKSA 315 (Revised 2019) paragraph 12(m) as:

‘The system designed, implemented and maintained by those charged with governance,
management and other personnel, to provide reasonable assurance about the achievement of an
entity’s objectives with regard to the reliability of financial reporting, effectiveness and efficiency of
operations, and compliance with applicable laws and regulations.’

HKSA 315 (Revised 2019) identifies the following inter-related components of the system of internal control to which
the auditor needs to apply risk assessment procedures. The discussion that follows addresses
the components discussed in paragraphs 21-26.


Control Environment
This component covers the culture and values applied to governance and oversight
responsibilities by management, or where separate from management, those charged with
governance, and in determining whether the appropriate culture has been created and
maintained. The auditor also considers:

(a) the assignment of authority and responsibilities;

(b) the ability of the entity to attract, develop and obtain competent individuals;

(c) how individuals are held accountable for their responsibilities;

(e) the evaluation of whether the control environment provides an appropriate base for
other control components given the complexity of the entity; and,

(f) how dealing with deficiencies may impact other control components.

In doing so, the auditor evaluates how the entity demonstrates behaviour consistent with
management’s commitment to integrity and ethical values. This evaluation allows the auditor
to determine whether the control environment provides an appropriate foundation for other
components of the system of internal control, and assists in identifying potential issues in other
components and in understanding risks that can impact the assessment of risks of material
misstatement (HKSA 315.21, A99-108).

Risk Assessment Process
This component involves identifying business risks relevant to financial reporting and assessing
the significance of, and the process for addressing, those risks. Again, the auditor is to evaluate
whether the process is appropriate given the nature and complexity of the entity.

As part of this evaluation the auditor needs to understand the business model as this
provides information about the business risks facing the entity and the role of IT at the
entity. Such risks may have financial consequences, and for this reason the auditor needs to
understand the extent to which the business model integrates the use of IT.

Appendix 1 to HKSA 315 (Revised 2019) identifies the considerations for understanding the entity and its business
model. It notes that the business model includes strategies by which management plans to
achieve its objectives and address the risks and opportunities facing the entity. For example,
the business model could have implications for how IT is used at the entity and its associated
risk. The business operations, nature of products, services, involvement in e-commerce, joint
ventures, geographic dispersion and location of production facilities might all have an impact
on the risk of material misstatement at the assertion level.

Understanding the entity’s risk assessment process to identify business risks and their significance
assists the auditor’s evaluation of how the entity identifies its business risks and how it
addresses those risks and whether they are appropriate to the nature and complexity of the
entity (HKSA 315.22, A109-113).

Monitoring the System

This component involves the auditor understanding how the entity monitors effectiveness of
controls and remediates deficiencies. This involves understanding the sources of information
used to monitor the system of internal control and how management determines that
information is reliable for the purpose. The auditor has to evaluate whether the monitoring
process itself is appropriate given the nature and complexity of the entity (HKSA 315.24 (Revised 2019)). The auditor may find
it relevant to consider the design, performance, and frequency of the monitoring activities. The
evaluation of the results of such activities to determine control effectiveness, and the remedial
actions taken to address identified deficiencies, may also be relevant.

For less complex entities, this understanding might focus on how management is directly
involved in IT operations as there may not be other monitoring activities. For example, the
auditor may explore these issues with management at interview, or observe them through
a walkthrough test. For more complex entities, monitoring of the system may include an
understanding of controls to monitor complex IT environments, monitor the permissions
enforcing the segregation of duties through automated information processing controls,
and controls that monitor automated financial reporting processes for errors or control
deficiencies.

Information System and Communication Activities Relevant to the Preparation of the Financial Statements
This component focuses on policies that define, for significant account balances and disclosures,
how information flows through the information system, including how transactions are initiated,
recorded and processed, corrected and included in the general ledger. It also covers the entity’s
policies as to how information relevant to the preparation of the financial statements is captured
and processed, and how information is communicated both internally within the entity and
externally. In this context, the auditor needs to evaluate whether the financial statements have
been prepared in accordance with the applicable financial reporting framework.

This aspect focuses on the flow of transactions and other information processing related
to the preparation of the financial statements and whether this component supports the
preparation of the financial statements and auditor’s identification and assessment of the risks
of material misstatement at the assertion level.

If the results of the auditor’s procedures are inconsistent with expectations about the
system of internal control, this may also indicate risks of material misstatement at the financial
statement level. This includes the use of IT applications and other aspects of the IT environment
that may result in IT risks. In addition to understanding the systems and controls as it relates to
information from the entity’s internal processing, it covers information obtained from outside
the general and subsidiary ledgers, for example fair value calculations, estimates and modelling
assumptions for financial statement figures and disclosures (HKSA 315.25, A123-146).

Control Activities
This component involves the auditor gaining an understanding of the controls that address
the risk of material misstatement at the assertion level. It covers understanding controls over
journal entries and controls that the auditor plans to test, for operating effectiveness, when
determining the nature, timing and extent of substantive procedures. Within this component,
the auditor needs to identify the IT applications, and other aspects of the IT environment,
subject to the risks associated with the use of IT. In this regard, the auditor needs to evaluate
the effectiveness of the design of the controls identified as addressing the risk of material
misstatement, and whether the controls have been implemented, by performing procedures
other than simply by inquiry of entity personnel.

As indicated, the control activities component includes understanding the IT applications
associated with financial statement assertions subject to the risk of material misstatement and
the risks from using IT, including the general IT controls implemented to address those IT risks.


Control activities are controls to ensure the proper application of policies, with the auditor’s
evaluation focused on the processing of information that directly affects risks to the integrity
of information, and particularly so for significant classes of transactions, account balances and
disclosures. Relevant controls here might relate to authorization, approvals, reconciliations,
verification, edit and validation checks, automated transactions, segregation of duties and
physical or logical controls. Understanding management’s approach in this area facilitates the
auditor’s decisions as to the approach to the performance of substantive procedures and
controls testing where substantive procedures do not provide sufficient appropriate audit
evidence (HKSA 315.26, A147-174).

Risks arising from the use of IT are defined in HKSA 315 (Revised 2019) paragraph 12(i) as:

‘Susceptibility of information processing controls to ineffective design or operation, or risks to
the integrity of information (i.e. completeness, accuracy and validity of transactions and other
information) in the entity’s information system, due to ineffective design or operation of controls in
the entity’s IT processes.’

The IT environment includes:

(a) IT applications/programs used to initiate, process, record and report transactions and
information,

(b) IT infrastructure, comprising the network, operating systems, databases and
associated hardware and software, and,

(c) Management of access to the IT environment, program changes, and IT operations.

The controls in the control environment, risk assessment and monitoring components set
out above are regarded as indirect controls that provide the foundation for the operation of the
other components of the system of internal control.

When an entity’s business systems involve IT systems, meeting the requirements of HKSA 315 (Revised 2019) will
depend on the characteristics of the IT environment, the nature and complexity of the IT
systems and applications, and the framework within which IT, as well as the system of
internal control, is designed, implemented and maintained within an entity.

Key Learning Point


In summary, the above requirements to identify and assess the risks of material
misstatement mean that the auditor needs to obtain an understanding of the IT
environment, identified in HKSA 315 (Revised 2019) as the IT infrastructure, applications, processes and personnel,
in the context of financial reporting, to the extent that the IT environment is relevant to
the audit.

The Principles – For Auditing of IT Environments


There are two aspects to be addressed as principles in auditing IT environments.

The first aspect requires the auditor to understand the IT function capabilities of
the audited entity. This is facilitated by the auditor understanding and documenting the
organizational structure of the entity. Typically, that structure will include an IT department,
albeit that it varies in sophistication depending on the nature and size of the entity. In some
entities, the IT function may be less formalised and more loosely structured.

The auditor needs to understand the structure of the IT department and how the IT
department ensures that its work addresses the audited entity’s needs. Specifically, and
integral to this, is the need to understand and document the IT applications and controls
relevant to the information system that the entity relies upon to process, and maintain the
integrity of, information used in the financial reporting function. Understanding the flows of
transactions and the information processing system assists the auditor in understanding the nature
and characteristics of the IT applications used and the IT infrastructure supported by the IT
department.

The second aspect requires the auditor to understand and document the technical IT
environment of the audited entity. This second aspect is addressed below in Section 13.2. In
addressing the first aspect, the auditor documents a high-level understanding of the structure
and functions of the IT Department within the overall IT environment. That understanding is
needed to set the audit strategy for the entity.

Maintaining an understanding of the entity and its IT environment and system of internal
control involves obtaining information, updating and assessing that information, throughout
the audit. The auditor’s expectations may change as new information is obtained and systems
are modified, and therefore the audit strategy in relation to IT risks also needs to be kept
current and relevant.

13.1.1 IT Department Structure


The IT department is the area responsible for providing the IT services upon which the entity
depends. An understanding of the structure of the IT department is important in understanding
the entity’s IT and controls environment. The IT department structure determines how decisions
are made regarding the planning, building, running, and management of the entity’s IT.
All entities are different and so the structure used will differ between entities. There is no
single ‘right’ way to structure the IT department. HKSA 265, Communicating Deficiencies in Internal
Control to Those Charged with Governance and Management, requires the auditor to advise the client
of control deficiencies and if the structure of the IT department presents a control weakness, the
auditor may communicate this deficiency to the entity’s senior management. It is not, though, the
financial auditor’s role to advise the entity on how best to structure the IT department. However,
for the auditor to understand the IT environment, the auditor needs to assess the fit between the
structure used in the IT department and the nature of the entity.

There are three common ways of organising the IT function, although most entities will
likely reflect aspects of each model. These are the centralised, decentralised, and federated/
hybrid operating models.

The centralised model has a single central IT services structure that provides all IT services
to the entity’s business units. Decisions are made centrally and resources are allocated to each
business unit of the entity according to those decisions to address their needs. An advantage
of the centralised model is that costs can be more readily controlled and activities directed
according to centrally determined standards. In a centralised operating model, data are often
cohesive and meaningful across the entity. These advantages can be at the cost of flexibility
and agility in responding to the needs of each area of the entity.


In contrast, the decentralised model has an IT service department for each business unit of
the entity to meet its own needs. Resourcing decisions are made according to the needs of the
business unit rather than the needs of the entity as a whole. An advantage of the decentralised
model is that the business unit has access to its own resources and does not need to negotiate
with a central authority for those resources – the business unit makes its own investment
decisions based on its own resources. The work of the IT department is focused on the needs
of the business unit.

However, such an arrangement cannot realise the benefits that arise from economies of
scale and by necessity duplicates many IT services that are common across business units. Data
may also be redundant, inaccurate, or inconsistent. Some specialised services such as those
provided by cyber-security professionals are expensive to provide in each IT department under
the decentralised model. As the business units lack these specialised services, the entity also
lacks such capabilities. Further, a lack of centrally determined standards often means that data
sharing between areas of the entity is difficult, and hardware and software standards will likely
be incompatible.

Between the two extremes of centralised and decentralised operating models, the
federated/hybrid model places fully functioning IT service departments within the different
business units to provide flexibility, but with a strong central department providing common
IT services and direction. This arrangement provides a depth of capabilities centrally, allows
corporate-wide standards to be set that allow economies of scale to be realised, and still allows
some flexibility and agility as needed. The value of this arrangement is that the entity can
realise the benefits of both centralised and decentralised structures.

Key Learning Point


The auditor needs to understand and document the IT environment and related
department structures in place to the extent that they are relevant to the audit.

Illustrative Example 1

Department Structure

At CWaves, Tak Wai wanted to meet with members of the IT Committee to understand
the general IT environment at CWaves. As part of this discussion, Tak Wai spoke at length
with Ka Yut about the way in which the IT department at CWaves was structured. Each
member of the CWaves Group has its own IT department and its own IT infrastructure.
On its own, this would indicate a federated model. However, there is job rotation to
ensure that IT staff have experience with the IT infrastructure in each company. Since
Ka Yut was appointed from the CWaves Hotels Company, it seems that staff are a
shared resource.

Ka Yut, as CIO, is ‘responsible’ for the IT services delivered but he does not have
authority over the CWaves Godown software development team as they do not cooperate
by documenting their software.



The existence of the Group Data Centre that is shared amongst the members of the
group does indicate some central shared resources.

As it displays features of both a federated and a centralised operating model, Tak Wai
concludes that the structure of the CWaves Group is an example of a federated/hybrid
operating model.

13.1.2 IT Department Functions


To obtain an understanding of the IT environment and system of internal control, an
understanding of how the IT department functions helps the auditor to evaluate how the entity
makes IT-related decisions that ensure the validity of the information reported in the financial reports.
The IT department has many activities that it undertakes, but at the highest level these activities
all relate to the planning, building, running, and management of the IT infrastructure under
their control. The auditor is most concerned with how the IT function develops and operates the
entity’s IS and the provenance – or source – of the information that is reported in the financial
reports. There are several areas that the work of the auditor addresses.

Under HKSA 315 (Revised 2019), the auditor obtains information about the nature and
characteristics of the IT applications used and the IT infrastructure and its complexity.

HKSA 315 (Revised 2019) Appendix 5 ‘Considerations for Understanding Information
Technology (IT)’ identifies, among others, the following typical matters that the auditor may
consider in understanding the IT environment:

• The extent of automation and use of data (for example the extent of automated
procedures and reliance on system-generated reports).

• The IT applications and infrastructure (for example whether applications are
commercially available or are bespoke in-house).

• The IT processes (for example, how skills and numbers of personnel are involved, access
rights and program changes).

To understand the IT environment within the entity’s departmental structure, the auditor
is concerned with how the entity selects, develops, and implements new IT infrastructure
that affects the financial reports. New IT and IS applications bring change and, presumably,
operational improvements, but in such changes there also arise risks for the validity of the
data processed by these systems. The auditor must understand the processes for the selection
and development of new systems and applications and their implications for data validity.
For example, the auditor would be interested in understanding how software was selected or
developed if that software is considered material.

The auditor is interested in how the entity keeps the network accessible to authorised users
and how the network is secured against attempts to gain unauthorised access. The network
administrator role is responsible for ensuring only authenticated users access the network and
the security of all devices on the network.

Another key role is the IT operations team, which is responsible for IS that are part of the
network. The auditor needs to understand the responsibilities and accountabilities of the
members of the operations team for the individual IS and applications. The auditor needs to
understand how the network is kept secure and operational, including the reliance of the entity
on the work of third-party service providers.

The auditor also seeks to understand the integrity of the entity’s operational data. The
database administrator (DBA) role is responsible for ensuring the integrity and security of
the entity’s data stored in databases. As a specialist function, the role of the DBA is usually
undertaken as a shared service in centralised and federated/hybrid operating models. In the
decentralised operating model, the DBA is usually a service dedicated to the relevant business
unit. Another function to consider is the day-to-day processing of the data, which requires the
auditor to know how the data are controlled or entered into systems and whose responsibility
this task is. Further, the entity likely has a general computer operations function that maintains IT
infrastructure and possibly a data library function responsible for maintaining and archiving data.

The auditor must understand the entity’s approach to the development, implementation, and
operation of IS and specific IT applications that provide data that affect the financial reports. The
auditor must understand the role of the network administrator and the IT operations team, as
well as how responsibilities and accountabilities for keeping the network secure and operational
are assigned and segregated. Finally, the auditor needs to understand how the IT function
administers the database and processes the entity’s data that affect the financial reports.

Understanding the activities within an IT department and the complexity of its operations
facilitates the auditor’s identification of how the entity uses IT for processing, storing and
communicating financial reporting information and therefore the manner in which the entity’s
system of internal control is designed and implemented.

In the context of determining which IT applications the entity is relying upon to accurately
process financial information for the preparation of the financial statements, understanding
the IT departmental model and environment facilitates the auditor’s decision as to which IT
applications to test where automated controls address identified risks of material misstatements.

General controls support the continued effective functioning of information processing
and controls and proper operation of the IT environment. At this level, the auditor obtains an
understanding of the general IT controls for IT applications that the auditor has determined
address the risks of using IT. These risks arise when there is ineffective design of, or operation
of controls over, the entity’s IT processes.

HKSA 315 (Revised 2019) requires that the auditor understands the general IT controls.
Appendix 6 to HKSA 315 (Revised 2019) ‘Considerations for Understanding General IT Controls’
identifies general IT controls typically implemented for each aspect of the IT environment:

• Applications and the nature and extent of controls commensurate with the functions of
applications and their complexity

• Database, addressing risks relating to unauthorised changes to information and
database access

• Operating system dealing with administrative access and override of controls

• Network dealing with network segregation, remote access and authentication.

Appendix 6 of HKSA 315 (Revised 2019) provides several detailed examples of general
controls. These examples illustrate general controls that deal with the processes of access
management, management of programs or other IT environmental changes, and the managing
of IT operations.


General controls that support access management processes are necessary. Authentication
controls ensure that the user uses their own log-in credentials to access IT applications or other
aspects of the IT environment, and not the credentials of others. For example, user access may
be authenticated through unique user IDs and passwords to validate the user’s access.

Authorisation controls allow users to access the information they need to undertake
their role and no more, which facilitates the appropriate segregation of duties. For example,
such an authorisation control is the management approval of the nature and extent of user
access privileges. For such controls to be effective, provisioning controls that authorise new
users or change the access rights of existing users are required in addition to ‘deprovisioning’
controls that remove user access when employees change role or leave the organisation. For
example, in addition to controls that approve user access for new users, controls that remove
or modify terminated or transferred users are required. Security over the privileged access
of administrator users ensures that the need for appropriate authorisation and restriction of
privileged access is attended to. Lastly, once granted, user access privileges should be regularly
reviewed in case unauthorised changes are implemented.

Key security configuration controls are needed that help restrict access to the environment.
Controls over physical access to the information technology infrastructure, such as secured and
reinforced doors and locks, are also required, as physical access can be used to override other controls.

General controls that manage changes to programs or other aspects of the IT environment
are also essential. Change management controls are controls that cover the process to design,
program, test and migrate changes to a production (i.e., end user) environment. Segregation of
duties should also be enforced over change migration; these controls segregate the user access
needed to make and migrate changes to a production environment. For example, users with
responsibility for processing financial transactions should not also have responsibility for migrating
program and data changes from the development environment to the production environment as
such users have access to financial application data outside of the application environment.
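
The deprovisioning, privileged access and segregation of duties controls described above can be tested as a user access review that compares an HR extract with an application access listing. The Python sketch below is an added illustration, not part of the original text or of HKSA 315; the role names, field names and all sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Hypothetical role groupings (assumptions): map these to the entity's own roles.
TRANSACTION_ROLES = {"AP_PROCESSOR", "GL_POSTING"}  # process financial transactions
MIGRATION_ROLES = {"PROD_MIGRATION"}                # migrate changes into production
PRIVILEGED_ROLES = {"DB_ADMIN", "OS_ADMIN"}         # administrator-level access

# Constructed HR extract: user id -> last day of employment (None = still employed).
HR_ROSTER = {
    "u001": None,
    "u002": date(2022, 9, 30),
    "u003": None,
    "u004": None,
    "u005": date(2022, 6, 30),
}

# Constructed access listing, one row per user/role assignment.
ACCESS_LISTING = [
    {"user_id": "u001", "role": "AP_PROCESSOR", "enabled": True, "approved_by": "mgr01"},
    {"user_id": "u002", "role": "AP_PROCESSOR", "enabled": True, "approved_by": "mgr01"},
    {"user_id": "u003", "role": "AP_PROCESSOR", "enabled": True, "approved_by": "mgr02"},
    {"user_id": "u003", "role": "PROD_MIGRATION", "enabled": True, "approved_by": "mgr02"},
    {"user_id": "u004", "role": "DB_ADMIN", "enabled": True, "approved_by": None},
    {"user_id": "u005", "role": "GL_POSTING", "enabled": False, "approved_by": "mgr01"},
    {"user_id": "u999", "role": "GL_POSTING", "enabled": True, "approved_by": "mgr01"},
]


def review_access(roster, listing, as_of):
    """Return sorted (finding, user_id, detail) tuples for follow-up by the auditor."""
    findings = []
    roles_by_user = defaultdict(set)

    for row in listing:
        if not row["enabled"]:
            continue  # a disabled account has been deprovisioned and cannot be used
        uid, role = row["user_id"], row["role"]
        roles_by_user[uid].add(role)

        if uid not in roster:
            # No matching employee: may be a service account or an unauthorised user.
            findings.append(("NO_HR_RECORD", uid, role))
        elif roster[uid] is not None and roster[uid] < as_of:
            # Deprovisioning failure: the employee has left but access remains.
            findings.append(("LEAVER_STILL_ENABLED", uid, role))

        if role in PRIVILEGED_ROLES and not row["approved_by"]:
            # Privileged access without recorded management approval.
            findings.append(("PRIVILEGED_UNAPPROVED", uid, role))

    for uid, roles in roles_by_user.items():
        # Segregation of duties: one user must not both process transactions
        # and migrate program or data changes into production.
        if roles & TRANSACTION_ROLES and roles & MIGRATION_ROLES:
            findings.append(("SOD_CONFLICT", uid, "+".join(sorted(roles))))

    return sorted(findings)


if __name__ == "__main__":
    for finding in review_access(HR_ROSTER, ACCESS_LISTING, date(2022, 12, 31)):
        print(finding)
```

Each finding is a lead for inquiry rather than a conclusion: an account with no HR record, for example, may be an approved service account.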

Likewise, controls over initial IT application development or their implementation are
needed. For example, application changes must be appropriately tested and approved in the
test environment before migration to the production environment. Data conversion controls
during development, implementation, or upgrades to the IT environment are also required. By
way of example, and similar to application changes, database changes should be appropriately
tested and approved before implementation in the production environment.

Finally, general controls over the management of IT operations are vital. Job scheduling
controls over the execution of programs affecting financial reporting should be in place. For
example, the job scheduling software should ensure only authorised users are able to update
batch jobs. The successful execution of these programs should also be overseen through job
monitoring to allow the correction of processing errors to ensure successful completion.

The backup and recovery of financial reporting data also needs to follow a plan, and
this data needs to be recoverable in a timely fashion in the event of an outage or attack.
For example, financial data must be backed up regularly in accordance with an established
schedule. The final general controls in the management of IT operations discussed in Appendix
6 are intrusion detection controls that monitor intrusions in the IT environment. An example
of this control is the regular vulnerability scanning of the network perimeter by the network
management team (and, by extension, the follow-up investigation of potential vulnerabilities
discovered through this scanning).

Understanding the IT department’s role and the role of individuals in that department as
indicated above provides the information relevant to the HKSA 315 (Revised 2019) requirement.

The auditor needs to document the understanding of the functions of the IT department as
it relates to understanding the control activities component of the system of internal control.
This documentation should include the risk assessment procedures that identify controls that
address the risk of material misstatement at the relevant financial statement assertion level
and the IT applications and any associated IT risks from using IT, and the general controls that
address such risks.

IT controls are discussed further in Section 13.2.

Key Learning Point


The auditor is most concerned with:

• How the IT function develops and operates the entity’s IT applications and the
source of the information that is reported in the financial reports.

• How the network is made accessible to authorised users and how it is secured
against attempts to gain unauthorised access.

• The responsibilities and accountabilities of the members of the operations team
for the individual IS and applications as well as key third-party service providers.

• The entity’s approach to the development, implementation, and operation of IS and
specific IT applications that provide data affecting the financial reports.

Illustrative Example 2

IT Functions

Tak Wai needs to document how CWaves plans, builds, runs, and manages its IT. She
is very interested in understanding how the IT department functions, but not all IT is
relevant to the financial audit.

Tak Wai knows she will want to understand how the IT strategic plan is developed and
implemented, and how CWaves goes about building new systems. This means both the
selection of software packages from established vendors, but also the building of new
information systems.

At a high level, Tak Wai is also keen to understand the responsibilities of HKBuTS in
operating the CWaves Group Data Centre. She is also looking to understand how CWaves
keeps the network accessible to authorised users and how the network is secured against
attempts to gain unauthorised access. The network administrator will likely be part of the
operations team and so Tak Wai documents the responsibilities and accountabilities of the
key team members. She also documents who fulfils the database administrator role and
how that role is structured in relation to the IT team.

Tak Wai first wants to discuss these issues with Ka Yut so that she understands the
foundation of how the IT function is carried out at CWaves before planning the audit.


Knowledge Check Questions

Question 1
Identify which of the following describes the requirement that an auditor will need to
obtain an understanding of the IT environment.
A The understanding of the financial reporting systems in place at the audited entity to the
extent that these systems are relevant to the audit.
B Only an understanding of the IT function capabilities of the entity.
C The understanding of IT function capabilities, as well as an understanding of the
structure of the IT department and the technical IT environment for the audited entity.
D The understanding of the IT function capabilities, understanding of the structure of the
IT department and the technical IT environment for the audited entity to the extent that
the IT environment is relevant to the audit and the risk of material misstatement.

Question 2
Identify which of the following lists the three common ways of organising the IT function.
A Star, hierarchical, or network configurations.
B Centralised, decentralised, or federated/hybrid operating models.
C Vertical, flat, or diagonal configurations.
D Consolidated, disaggregated, or hybrid operating models.

Question 3
Identify which of the following describes the overall activities of the IT department.
A Completing, validating, and correcting business data.
B Selecting, developing, and implementing new IT investments.
C Administering the network.
D Planning, building, running, and managing the IT infrastructure under their control.

Question 4
In the context of understanding how the IT department fulfils its functions at a high
level, identify which of the following is not an area that the work of the auditor is most
concerned with.
A How the entity keeps the network accessible to authorised users.
B How the entity secures the network against attempts to gain unauthorised access.
C How the entity maintains compatibility between IT devices with different operating
systems, such as macOS and Windows.
D How the entity selects, develops, and implements new IT infrastructure that affects the
financial reports.

Question 5
Identify which of the following is an advantage of using the decentralised model for
delivering IT services.
A Difficulty in achieving benefits arising from economies of scale.
B Each business unit does not need to negotiate with a central authority for decisions
made relating to the business unit’s IT resources.
C Incompatible hardware and software standards between business units.
D Easier data sharing between different business units.

Question 6
Explain whether it is the role of the auditor to provide advice to their client on the ‘best’
way to structure the IT function.

Question 7
Describe the key differences between the centralised, decentralised, and federated/hybrid
operating models for the IT function in organisations and explain which of these is the
most commonly used.

Question 8
Describe and contrast the role of the network administrator and the role of the database
administrator.

Question 9
Explain why the auditor needs to understand the IT department structure and functions.

13.2 IT ENVIRONMENT

The auditor’s responsibility is to obtain an understanding of the IT environment in the context of
the financial reports to be audited and to identify the risk of material misstatement arising from
the use of IT. There are two aspects of this duty and the first aspect (to understand the IT function
capabilities of the audited entity) was discussed in the previous section. The second aspect requires
the auditor to understand the technical IT environment. Here, the auditor needs to develop a more
detailed understanding of the processes and systems that are relevant to the audit.

An approach that is often used as an initial step of the audit involves the auditor identifying
the controls in place through a walkthrough test. A walkthrough test is part of the financial audit
and identifies source documents that commence a transaction cycle (e.g. a purchase order).
The auditor then follows the source documents and subsequent transactions through the
process until the process is completed. During the course of this discussion, the auditor makes
inquiries, inspects documents and records, and documents their own observations. In this way
the auditor identifies the internal controls in place and develops their initial understanding
of the IT environment. This information provides the auditor with a foundation for obtaining
an understanding of the components of the system of internal control and designing specific
tests of the internal control system relevant to assertions subject to the risk of material
misstatement.


The walkthrough provides context for the auditor in understanding and documenting the
IT environment. The auditor specifically looks to understand and document how the entity
acquires and implements new IS and how the entity’s IS relates to the audited financial reports.
The auditor must also understand and document the entity’s use of e-commerce, if any, as
relevant to the audit. E-commerce activities are an important consideration in assessing IT
risks. The auditor may also need to understand and document whether the Financial Reporting
Systems (FRS) are arranged as networked systems, personal computers (PCs), or some
combination of both.

The auditor documents this detailed understanding of how the entity acquires and
implements new IS, the use of electronic commerce, and how the relevant systems are
arranged. The auditor uses this documentation to inform their decisions in determining the
appropriate audit strategy.

13.2.1 Implementation of New IT Systems


Entities introduce a new IS with the aim of creating value for the organisation. A new IS might
provide the following:

• Benefits, like being able to support a new business model or new markets.

• Reduction of costs, like fewer processing steps.


• Reduction of uncertainty, like better management information for decision making.

For example, a truck transport company might reduce its costs by implementing a stock
management system, or it might develop an artificial intelligence agent that allows it to
compete in small package delivery or invest in a data lake to improve the information the
company needs for decision making.

New IS implement new technologies and change business processes. This implementation
is not without its risks. The validity of the system’s data needs to be maintained during and
after the change. The auditor must understand the approach used by the entity in selecting,
developing and implementing new systems. General controls over system introduction or
change should include those over designing, programming, testing and migrating changes to
the production environment. Those controls of most interest to the auditor are segregation
of programming and user functions to reduce the risk of fraud or theft and data conversion
controls. Data conversion controls applied during system development and implementation
ensure data is not lost or corrupted. Database changes must be tested and approved prior to
system implementation.
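
The data conversion controls described above (here and in Section 13.1.2) are commonly evidenced by reconciling the legacy extract to the migrated data. The Python sketch below is an added illustration, not part of the original text; the field names and all sample records are constructed assumptions. It goes slightly beyond the text by comparing record counts, control totals and individual records, because matching counts alone do not show that data was neither lost nor corrupted.

```python
from decimal import Decimal

# Constructed sample extracts (assumptions): customer balances before and after conversion.
LEGACY_ROWS = [
    {"customer_id": "C001", "name": "Lee Trading", "balance": "1200.50"},
    {"customer_id": "C002", "name": "Harbour Foods", "balance": "300.00"},
    {"customer_id": "C003", "name": "Wong & Co", "balance": "75.25"},
    {"customer_id": "C004", "name": "Peak Logistics", "balance": "0.00"},
]
MIGRATED_ROWS = [
    {"customer_id": "C001", "name": "Lee Trading ", "balance": "1200.5"},  # cosmetic change only
    {"customer_id": "C002", "name": "Harbour Foods", "balance": "30.00"},  # corrupted amount
    {"customer_id": "C004", "name": "Peak Logistics", "balance": "0.00"},
    {"customer_id": "C005", "name": "Test Customer", "balance": "10.00"},  # not in legacy data
]


def normalise(row, amount_field):
    """Strip text and fix amounts to 2 decimal places so cosmetic differences are ignored."""
    clean = {}
    for field, value in row.items():
        if field == amount_field:
            clean[field] = Decimal(value).quantize(Decimal("0.01"))
        else:
            clean[field] = str(value).strip()
    return clean


def index_by_key(rows, key_field, amount_field):
    """Index normalised rows by key and report any key that appears more than once."""
    indexed, duplicates = {}, []
    for row in rows:
        clean = normalise(row, amount_field)
        key = clean[key_field]
        if key in indexed:
            duplicates.append(key)
        indexed[key] = clean
    return indexed, duplicates


def reconcile(legacy_rows, migrated_rows, key_field="customer_id", amount_field="balance"):
    """Compare record counts, control totals and record content between two extracts."""
    legacy, legacy_dupes = index_by_key(legacy_rows, key_field, amount_field)
    migrated, migrated_dupes = index_by_key(migrated_rows, key_field, amount_field)

    def control_total(rows):
        return sum((Decimal(r[amount_field]) for r in rows), Decimal("0"))

    shared = legacy.keys() & migrated.keys()
    return {
        "count_legacy": len(legacy_rows),
        "count_migrated": len(migrated_rows),
        "total_legacy": control_total(legacy_rows),
        "total_migrated": control_total(migrated_rows),
        "missing": sorted(legacy.keys() - migrated.keys()),      # lost in conversion
        "unexpected": sorted(migrated.keys() - legacy.keys()),   # created by conversion
        "changed": sorted(k for k in shared if legacy[k] != migrated[k]),
        "duplicates": sorted(legacy_dupes + migrated_dupes),
    }


def conversion_is_clean(result):
    """True only when counts, totals and every record agree."""
    return (
        result["count_legacy"] == result["count_migrated"]
        and result["total_legacy"] == result["total_migrated"]
        and not (result["missing"] or result["unexpected"]
                 or result["changed"] or result["duplicates"])
    )


if __name__ == "__main__":
    outcome = reconcile(LEGACY_ROWS, MIGRATED_ROWS)
    for name, value in outcome.items():
        print(f"{name}: {value}")
    print("clean:", conversion_is_clean(outcome))
```

In the constructed data both extracts hold four records, so a count-only check would pass even though one record is missing, one is unexpected and one balance has changed.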

New systems can be purchased as Commercial Off-The-Shelf (COTS) solutions from
a vendor. This solution might be implemented in its standard form or customised to meet
the entity’s needs. Alternatively, the entity may custom-develop a solution according to its
own specifications. Here, a third-party developer might be engaged or the system might be
developed in-house.


In developing or implementing a new information system, there are many different
approaches that might be adopted by the business. These approaches can be very formal
and highly documented. For example, the traditional (but increasingly uncommon) software
development life cycle (SDLC) approach is a systematic path to developing quality software. It has
the following seven stages, each of which should be completed in sequence:

1. Problem Definition

2. Design

3. Coding

4. Debugging

5. Testing

6. Documentation

7. Maintenance

1. Problem Definition

• The first stage is the thorough understanding and formal identification of the problem
for which the program is to be developed. The user’s input is critical.
• Factors such as inputs and outputs, processing requirements, memory requirements,
error handling and interfacing with other programs should be taken into consideration
in this stage.

2. Design

• The software developer makes use of tools like algorithms and flowcharts to develop
the design of the program.

3. Coding

• Once the design process is complete, the actual computer program (the source code) is
written in a computer language.

• For effective coding some of the guidelines that should be applied are:

  ◦ Use of meaningful names and labels of variables,

  ◦ Simple and clear expressions,

  ◦ Modularity with emphasis on making modules generalised,

  ◦ Making use of comments and indenting the code properly, and

  ◦ Avoiding jumps in the program to transfer control.

4. Debugging (also program validation)

• Compliance with coding guidelines noted above should be verified.

• Coding errors in the programs are detected and corrected.


5. Testing

• The program is tested to ensure it addresses the problem definition (1) and complies
with the specifications of the design document (2).

• To ensure completeness, a testing plan should be developed, carried out and the
results documented.

• Test data should include both normal and unusual cases, and the maximum and
minimum values of all variables.

• Testing can be carried out in a single part of an organisation (pilot testing) or in parallel
to the old system being updated or replaced.

6. Documentation

• Documentation of all program development stages is essential.

• Documentation assists user understanding, program maintenance and future
modifications.

7. Maintenance

• Maintenance includes corrections and updates to the program.

• Maintenance becomes essential in the following situations:

  ◦ Change in specification arising from changes in the environment or unanticipated
    requirements,

  ◦ Change in equipment, or

  ◦ Errors that are found during program execution.

Alternatively, some systems development approaches can be more flexible. These ‘agile’
approaches do not require substantial system documentation. For example, SCRUM and
eXtreme Programming are agile approaches that focus on system outcomes rather than
documentation. Organisations can select many different approaches.

The auditor’s role in systems development mirrors that of other aspects of the audit. The
auditor should:

• Identify the risks to the financial report inherent in the entity’s system development
process and current system development activities.

• Understand the entity’s ITGC over system development and implementation and data
conversion.

• Test the operation of those controls that address the identified risks.

• Form a conclusion about the inherent and control risks to inform the audit plan.

Key Learning Point


The auditor needs to understand and document how new systems are selected,
developed, and implemented.


Illustrative Example 3

Implementation of New IT Systems

As CWaves has a fairly large e-commerce implementation, Tak Wai wants to know how
these systems are implemented. The CWaves Hotel and Wonder Travel e-commerce
solution is a standard system and so Tak Wai documents how that system works and
how it was selected. However, the CWaves Godown solution is the system of most
concern. It is developed in-house by the software development team and CWaves
Godown is an important part of the CWaves Group.

Tak Wai is interested in understanding the software development methodologies
used at CWaves Godown to develop their e-commerce software, particularly given how
important e-commerce is in terms of commercial activity as well as the potential
cyber-security risks such systems present.

13.2.2 Financial Reporting Systems


The auditor must develop an understanding of the relevant aspects of the IT environment to
inform the assessment of the risk of material misstatement in the financial reports. As part of
developing this understanding, the auditor identifies the IS that provide information to the FRS
that could affect the financial reports. Material misstatements in these systems will flow into
the financial reports.

The relevant IS is part of the entity’s expenditure cycle, conversion cycle, or revenue
cycle. The auditor looks to understand how these systems relate to the financial reports and
IT applications relevant to specific financial report assertions subject to the risk of material
misstatement. Common systems in the expenditure cycle include purchases/accounts payable,
cash disbursements systems, payroll, and fixed assets systems. In the conversion cycle,
common systems are focused on production planning and cost control systems such as cost
management or budgeting systems. In the revenue cycle, the common systems include cash
receipts and sales order systems.

Systems that do not provide information to the FRS are of less interest to the auditor than
those that do. For example, an information system that monitors the temperature of cold
storage rooms or a system that centrally controls the air conditioning of hotel rooms can be
important operational systems. The auditor is, however, less concerned with developing an
understanding of the operation of these IS unless the information in those systems flows to the
financial reports.

The auditor documents the relevant relationships between the entity’s IS and the FRS
that produces the financial reports. This documentation may take various forms, including a
narrative description and systems flowchart.

Key Learning Point


The auditor documents how the IS relate to the FRS and the financial reports.


13.2.3 E-commerce Overview and Importance to Business


The auditor must understand how transactions that take place through e-commerce IS affect
the financial reports and how the IS that support these transactions ensure that complete,
valid, and accurate information flows to the financial reports. E-commerce is the buying
or selling of goods over the Internet with IS. E-commerce takes place in a purely digital
environment. The auditor seeks to understand e-commerce as a potential source of uncertainty
and risk in the financial reports. These concerns also extend to IS that are not e-commerce,
but have a very high volume of transactions and thus – as with e-commerce IS – have a high
reliance on system controls.

E-commerce is common in many businesses. In those businesses it is operationally
important, with more transactions undertaken in the online environment than in the offline
environment. In other businesses, electronic business (e-business) – business conducted
over the Internet – might be very important, but the business might have no Internet-based IS
that record actual financial transactions. Instead, transactions that do occur are recorded using
the same IS as the transactions recorded in the physical store. For example, a company might
advertise its goods to prospective customers over the Internet, but if consequent financial
transactions do take place, they might take place in the store.

There are several key features of e-commerce that are relevant to the auditor’s
understanding of the IT environment. However, other IS that are not e-commerce IS can
demonstrate the same features. For example, an IS that has a high volume of transactions or is
multinational but does not support the online sale of goods or services is not an e-commerce
IS. Nevertheless, in such an instance the same concerns will apply to the auditor’s development
of an understanding of such systems.

E-commerce IS face higher risks and uncertainty than offline and unconnected systems. For
example, the Alibaba Group has over 10 million active sellers on its platform, each with varying
degrees of integration with Alibaba’s systems.

E-commerce IS may also need to address the requirements of the many business
jurisdictions in which they might be used. For example, US entities may have to deal with the
tax regulations of approximately 10,000 different sales tax jurisdictions in the US alone. Entities
regularly dealing with Australia have to collect and forward the Australian Goods and Services
Tax when the customer is not a GST-registered business. With 195 countries in the world,
e-commerce IS can be very complex.

E-commerce systems record transactions in a wholly digital environment and are entirely
reliant on IT controls. E-commerce systems also operate in real time. The transactions occur
at such a pace and volume that manual intervention is impractical and so the controls must
be entirely based in the technology. E-commerce IS face higher risks and uncertainty as these
systems maintain solely electronic audit trails without physical source documentation of
any kind. Further, these systems need to integrate with the many different IS of the entity’s
business partners with consequently higher system complexity. These systems also have a
need for a greater focus on security.

As with the FRSs, the auditor documents the nature of e-commerce at the entity and the
relationship of those systems and the financial reports. In this chapter, Section 13.6 addresses
specific e-commerce control issues and their implications for the financial audit in more detail.


Key Learning Point


The auditor documents the e-commerce IS and how those systems relate to the financial
reports.

Illustrative Example 4

E-commerce Overview and Importance to Business

CWaves Hotels provides a hotel room booking system that is available for use 24 hours
a day to prospective users anywhere in the world. All customers book using this system;
some bookings are via third-party websites such as Expedia and Lastminute.com.

Tak Wai is interested in this system as the system records transactions that are
presented in the financial reports, and the system is important as all revenue for a
significant subsidiary occurs in this system. As it is online and available 24 hours a day,
7 days a week, this system is highly reliant on its automated IT controls. As this system is a
commercial off-the-shelf system, it is likely that its development is complete and mature,
but Tak Wai still wants to review the security in place as poor security means the system’s
data may lack integrity.

13.2.4 Networked Systems


The auditor needs to understand how the entity’s IT environment is configured as relevant
to the audit. Technologies can be configured to work together as a network or configured to
work in isolation without dependencies on other technologies. The technologies in place at
most entities for which a financial audit is undertaken will work together rather than work
in isolation. There will likely be some combination of networked systems and PC-based
systems, however.

In understanding networked systems, the auditor has three key aspects to consider.
The auditor must understand the configuration of the hardware and IT infrastructure, the
networked resources that support the financial reports, and the manner in which cloud-based
services, if any, are used at the audited entity.

First, the auditor considers the network configuration of the technology infrastructure.
Most entities have a local area network (LAN) that allows desktop computers, laptop
computers, servers, and printers (among other resources) to share data and work together.
A LAN is usually confined to a single building or area.

At a higher level, a wide area network (WAN) links together the technology in multiple
locations, usually over substantial distances. More simply, a LAN links the IT hardware in
one location together and a WAN links the IT hardware in multiple locations together. Under
this configuration, the networked environment supports the entity’s applications and data
resources. Servers process the financial transactions and the networked environment manages
user access to these networked resources. Networked resources can be linked together on a
WAN using a storage area network (SAN) that pools different storage devices to present as a
single resource.


Second, the configuration of IS that support the financial reports as networked resources
is a consideration. The system may be PC-based, but stores its data on a networked server.
The networked environment determines access to the data and resources of the accounting
information system in addition to the PC-based system’s own security.

Third, the entity’s outsourcing of IS over the Internet is a consideration. Systems commonly
available, and increasingly used, include:

1. Cloud Hosting: Cloud computing reduces the need for investing in IT infrastructure.
Cloud hosting is based in data centres – large groups of networked computer servers that
are used by organisations for remote storage and backup, processing, or distribution of
large amounts of data.

2. Backups: Regular offsite backups of data are important for mitigating the impact on
a business in the event of a disaster – whether due to a cybersecurity breach, human
error, technology failure or mother nature.

3. Cyber security: Keeping data safe, secure and protected from viruses and ransomware
attacks is vital. Companies can be damaged or shut down by the sudden loss of
key files, confidential customer information, or other crucial data, documents and
applications.

4. Outsourcing IT Support.

5. Scalability: Managed IT services give businesses the flexibility to scale up or down.

6. Support: Constantly trying to deal with IT issues is a frustrating experience for
employees. Using IT support services enables employees to focus on their core jobs.
Business IT support increases productivity and reduces stress in the work environment.

7. Payroll: Payroll management providers pay staff, calculate employee entitlements and
submit taxes with automated reporting.

8. Healthcare IT: Support for pathology and imaging providers, telehealth, online
claiming, e-prescriptions, online bookings and appointments, and compliance with
accreditation and other regulatory requirements.

Where outsourced activities like those above are a potential source of risk of misstatement
in the financial report, the auditor must be satisfied that the risk is reduced to an acceptable
level by performing appropriate audit procedures. Whether the use of a service
organisation increases or decreases the risk of material misstatement depends on the nature
of the services provided and on the entity’s and the service provider’s controls over those
services.

The use of cloud-based services creates special issues for the auditor, as set out in
HKSA 402, Audit Considerations Relating to an Entity Using a Service Organisation. A service
organisation is considered part of the user entity’s IS if its work affects any of the following:

• Transactions and other events significant to the financial statements.

• Procedures for the initiation, recording and processing of transactions.

• Accounting records.

• Significant accounting estimates and disclosures.

• Controls over journal entries.


As part of the audit planning process (see Chapter 5), the user entity’s auditor must
understand and document the relationship between the service organisation’s work and the
user entity’s IS in order to identify risks of misstatement.

The auditor would first examine the entity’s ITGC and controls over assertions. If these
controls are found to be adequately designed, then they may be tested, and if found to be
operating effectively, nothing more is required. If the user entity’s controls over the information
are deficient, the auditor should acquire additional evidence about controls from the service
organisation. Often, the external service provider has many clients and it is impractical for the
service provider to allow an auditor to audit the cloud service directly. Instead, the cloud service
provider normally engages an auditor to provide an assurance report on the nature of the
cloud service’s internal controls. The user entity’s auditor should consider:

• Obtaining a Type 1 report (on the service organisation’s controls).

• Obtaining a Type 2 report (on the service organisation’s controls and their effectiveness).

Both Type 1 and Type 2 reports should include information about:

• The flow of significant transactions through the service organisation to determine
the points in the transaction flow where material misstatements in the user entity’s
financial statements could occur.

• The controls at the service organisation that may affect the processing of the user
entity’s transactions and that are relevant to the user entity’s financial statement
assertions.

• The design and implementation of controls at the service organisation that act to
prevent or detect errors that could result in material misstatements in the user entity’s
financial statements.

Additionally, both types of reports should include an assurance report prepared by the
service auditor on the service organisation’s control system. The two types of reports differ
because a Type 1 report does not provide any evidence of the operating effectiveness of
the relevant controls, while a Type 2 report does address effectiveness. Where the service
auditor’s report is modified or notes significant exceptions, the user auditor should seek further
information from the service auditor regarding the impact of these matters on the user entity’s
financial statements.

Key Learning Point


The auditor documents the networked systems and their relationship to the FRS.

13.2.5 PC Systems

The auditor must understand how individual PC systems interact with the networked
environment – if they exist – and how the maintenance programme for keeping these PC
systems secure is carried out.

PC systems often work in isolation from other technologies in the environment or with
limited integration. The PC system might be an isolated system that works within a networked
environment but interacts with other IS in a limited way. Alternatively, an entity might have no
networked systems at all and instead use only PC-based systems. Most PC systems are based
on microcomputer systems intended for use by a single individual within the entity. Their focus
is usually on recording transactions or analysing data.

Often PC systems are used in smaller organisations or for specialised software that
is difficult or expensive to use on the network. Often, but not always, the use of such PC
systems is an indicator that the IT environment is not complex or sophisticated. Although a
PC system can have a sophisticated approach to security, the end user often has full access to
the computer and can install their own software or modify data. The end user in such cases
might install unauthorised software or make unauthorised changes to data if the PC is not
appropriately secured. However, an advantage of a PC-based system is that compensating
controls such as physical security can be adopted or close supervision exercised.

Isolated PC-based systems are often more difficult to manage, update, and keep secure
as part of a regular centralised maintenance programme. There is a risk that the PC system is
potentially exposed to viruses, Trojan horse programs, and ransomware attacks. This exposure
can result in loss of data, programs, or breaches of security. PC-based systems need special
consideration in the maintenance programme, including regular data backup, anti-virus
software updates, and regularly updated access control lists.

Key Learning Point


The auditor documents the PC systems that exist and their relationship to the FRS.

Illustrative Example 5

PC Systems

Tak Wai documents several PC systems within the CWaves Group. HKCW Investment
Limited has a PC-based system that operates solely on a PC to do financial modelling of
the Hong Kong Stock Exchange to assist stock analysts with determining their market
position. The system provides a single output file to be imported into separate data
visualisation software. This system is a specialist PC system, but does not directly affect
the financial reports.

At Hai Cruising there is a PC system that supports a point of sale (POS) cash register
at the ticket kiosk, whereas CWaves Management has payroll software that is installed
on a single PC used by the paymaster in his office. These two systems both produce
transactions in a single-user environment that affect the financial reports. As such systems
are difficult to secure, Tak Wai assesses the compensating controls for both systems.
The payroll system is well supervised and in a physically secure environment, but the
POS system is in an open environment and is at greater risk of security breaches and
loss of data.


Knowledge Check Questions

Question 10
Identify how a new IS can create value for an organisation.
A By providing benefits.
B By reducing costs.
C By reducing uncertainty.
D All of the above.

Question 11
Identify which of the following statements regarding agile software development
methodologies is true.
A They always have inadequate controls for the purposes of the auditor.
B They have formal staged approaches that are very structured.
C They are used in implementing COTS solutions that require no customisation.
D They are often nimbler than software development methodologies based on the SDLC.

Question 12
Identify which of the following IS the auditor would be most concerned with.
A An inventory management system that reports the value of stock for the
financial reports.
B An email management system that allows end users to store and retrieve emails.
C A system that controls the humidity of a storage room that keeps priceless works
of art safe.
D A staff work roster that schedules employee shifts.

Question 13
Identify which of the following statements is true.
A E-commerce IS need less attention on security than offline IS.
B E-commerce IS need more attention on security than offline IS.
C E-commerce IS are usually not complex systems.
D E-commerce IS do not record financial transactions.

Question 14
Identify what the acronym WAN means.
A Wide Area Nodes.
B Wholly Articulated Networking.
C Wide Area Network.
D None of the above.

Question 15
Identify the high level aspects that the auditor considers in developing an understanding of
networked systems.
A The configuration of the access control list, user names, and passwords.
B Configuration of the LAN, WAN, and SAN.
C Configuration of hardware and IT infrastructure, networked resources supporting the
financial reports, and the manner of use of cloud-based services.
D Configuration of hardware and IT infrastructure and networked resources supporting
the financial reports.

Question 16
Identify which of the following best describes PC-based systems.
A Never operate within a networked environment.
B Are tightly integrated with e-commerce IS.
C Have a relatively complex approach to security.
D Work within a networked environment, but interact with other IS in a limited way.

Question 17
Identify five aspects of the IT environment that the auditor must understand and
document. Explain, in your view, whether any aspect of this understanding is more
relevant to the financial audit than the others.

Question 18
Explain why auditors traditionally consider the systems development lifecycle the best
method to address the risks of a new system implementation.

Question 19
Identify the three different cycles that include the systems that relate to the financial
reports. Provide an example of systems that relate to each cycle.

Question 20
Explain why e-commerce IS have a greater need for strong IT controls in comparison with
offline systems.

Question 21
Explain why you agree or disagree with the following statement: ‘It is never appropriate
for a large company to use PC-based systems.’

13.3 IT STRATEGY

The auditor needs to assess the risk of material misstatement in the financial reports at the
assertion level that is due to incomplete, invalid, and/or inaccurate information provided
from the IS. This assessment is informed by the auditor’s documented understanding of the
IT environment and internal control system in the context of financial reporting. The auditor
considers the role of IT strategy and how IT improves internal controls and assesses the IT
risks from the business processes that affect the financial reports.


The auditor documents their assessment of risk at the entity to inform and develop the
overall audit approach, including the audit procedures used to audit computerised business
systems and controls.

13.3.1 The Role of IT Strategy


Most audited entities use IT to support many, if not all, of their activities and business
processes. These business processes produce the information that flows to the financial
reports. The IT that supports these activities incorporates the entity’s policies, practices, and
procedures to ensure that the information produced by these business processes is complete,
valid, and accurate. IT is therefore an important part of the entity’s internal control environment
and is critical to ensuring the completeness, validity, and accuracy of information in the
financial reports.

Implementing the audited entity’s policies, practices, and procedures through its IS requires
strategic and directed action. These strong internal controls require design and planning, and
so the capability of the entity in developing and implementing this design and planning through
the IT strategy is important for the auditor assessing the risk of material misstatement in the
financial reports.

The auditor’s understanding of the computerised business systems and IT environment
provides the foundation for identifying the entity’s approach to developing the IT strategy. IT
strategy is fairly broad by nature, but at a high level it addresses three areas. First, it sets out
how IS are used to support business strategy. Second, it provides an overall master plan of the
IT function. Third, it documents the shared view of the IT function’s role within the organisation.

Although the process for developing the IT strategy varies between entities, the IT strategic
plan as a general rule defines the IT strategy and the objectives that the investment in IT is
expected to achieve. The business strategy is used as a basis for determining the entity’s
requirements of the IT function. The strategy identifies the gap between those needs and the
current organisational capabilities. It includes a strategic road map that identifies the steps
required to achieve the goals and objectives of the IT strategy, including the requirements for
training, new technologies, and change management approaches if the gap is to be addressed.

The plan groups these actions into programmes and projects that have goals and
deliverables. The plan also identifies – at a high level – the resources the entity needs to embark
on the IT strategy. Finally, the IT strategy recognises the dependencies between programmes
and projects, schedules and prioritises projects, and defines strategic and risk assessment
initiatives.

Taken together, the IT strategy therefore sets out proposed changes to the IS investment
at the entity and how the changes to IT are to be executed. These changes affect the internal
control environment, and the IT strategy should recognise the broad requirements of an
effective internal control environment.

The auditor documents the IT strategy and considers the extent to which the IT strategy
recognises and supports the integration of internal controls into the development and
maintenance of IS.


Key Learning Point


The auditor should consider the extent to which the IT strategy recognises and supports
the integration of internal controls in developing and maintaining the IS.

Illustrative Example 6

The Role of IT Strategy

Tak Wai discusses the CWaves IT strategy with Ka Yut. The CWaves Group has a strategic
goal of providing consistent and centralised information for decision making, and the
strategic plan identifies several programmes and projects required to achieve that
strategic goal.

Each project identifies the technologies, processes, and structures needed to close
the gap between CWaves’ needs and current capabilities. Under the strategy, CWaves
establishes a liaison committee between each entity in the group and sets out how the
different but complementary IT departments in each group will be integrated, and the
steps needed to achieve that strategic goal.

Tak Wai documents the changes to be made in the strategy, and in particular
documents the technologies, processes, and structures identified in the IT strategy that
support the CWaves internal control system.

13.3.2 How Information Technology Improves Internal Control


The entity’s internal controls are embedded in the entity’s policies, practices, and procedures
that ensure the reliability of the information contained in the financial reports.

Controls are defined as: ‘Policies or procedures that an entity establishes to achieve the
control objectives of management or those charged with governance….

1. Policies are statements of what should, or should not, be done within the entity
to effect control. Such statements may be documented, explicitly stated in
communications, or implied through actions and decisions.

2. Procedures are actions to implement policies.’ (HKSA Revised 2019) 12(c)

Internal controls can relate to the entire organisation or they might address specific
capabilities and functions. Not all internal controls are reliant on IT. For example, placing
physical controls such as a lock on the door to the business premises is a general internal
control that does not rely on IT. A combination lock on a cabinet that safeguards inventory is a
more specific internal control affecting the inventory function that does not rely on IT.

Internal controls that incorporate IT can be categorised as either IT general controls or
application controls. IT general controls (ITGC) ensure that the IT environment maintains
data integrity, security, and confidentiality. ITGC affect all financial reporting transactions.
Application controls relate to specific applications inside the entity’s ITGC environment.


HKSA 315 (Revised 2019) Appendix 5 identifies the benefits that IT can bring to an entity’s
system of internal control, by enabling the entity to:

• Achieve consistency in the application of business rules and performing complex
calculations in processing large volumes of transactions or data

• Enhance the timeliness, availability and accuracy of information

• Facilitate additional data analysis

• Enhance the monitoring of policies and procedures

• Reduce the risk of control circumvention

• Enhance the ability to achieve effective segregation of duties by implementing security
controls in IT applications, databases and operating systems.

The adoption of IT can also compromise internal controls. For example, IT is useful in
achieving efficiencies in operations as it can be used to automate tasks and combine many
activities in a single role, but doing so can compromise internal controls that rely on the
segregation of incompatible duties. Such unintended consequences can apply at either the
ITGC or application level of controls.

IT nevertheless can improve internal controls at the IT general control level as well as
application level controls by embedding the policies, practices, and procedures into the IS.
Three different types of controls may be relied upon. These are automated, semi-automated, or
manual controls.

Automated controls are embedded in the computer system and operate without operator
intervention or possibility of override. Automated controls relate to a process and enforce
the rules of the process in the system. For example, the system might automatically enforce a
credit limit on a customer according to an algorithm specified in the system. Such a credit limit
could not be overridden by the operator.

A semi-automated control might include manual and automated elements. The manual
component might rely heavily on operator skill or judgement. For example, the system might
make a recommendation for a credit limit that can be accepted or modified by the operator.

In contrast, manual controls are enforced by the computer operator as they undertake
process tasks. Such controls do not have IT elements, but are nonetheless potentially effective
controls. For example, a manual control might rely on the computer operator making an
assessment of a credit limit appropriate for the customer without input from the system.

Adding automated and semi-automated controls to IT systems can be more effective and
sustainable than manual controls. Manual controls, although flexible, are reliant upon human
nature. However, automated controls require careful development and implementation.

Automated, semi-automated, or manual internal controls can take one of three forms:
preventive, detective, and corrective (PDC) controls. This arrangement is known as the PDC
model of internal control. IT supports these controls.

Preventive controls are passive techniques designed to reduce – but not eliminate – the
occurrence of undesirable events. Preventive controls prevent most undesirable events from
occurring.

Detective controls are more active steps taken to recognise undesirable events not stopped
by preventive controls. Detective controls flag invalid data after the error has occurred,
whereas preventive controls aim to prevent errors before they occur.


Corrective controls are actions taken to remedy undesirable events identified by detective
controls. Corrective controls are needed as detective controls by design do not correct the
problem – detective controls detect the problem but do not fix it. As a general rule, detected
problems require tailored and unique responses, which corrective controls provide.
Corrective controls usually cannot be completely automated as the problems
found are usually unforeseen.

These controls can be complex and sophisticated. They can operate to reduce the
likelihood of an error occurring (preventive), to detect an error if it does occur (detective),
and to correct the initial error and to take steps to reduce the likelihood of a recurrence of the
error (corrective).

A detective control embedded in an IT system might be a routine management report that
identifies invoices with past or future dates. This control ensures that instances of wrongly
dated invoices in the information system are manually reviewed. Having detected the error, the
corrective control seeks to correct the error and implement preventive controls that reduce the
likelihood of the problem recurring. The corrective control can become quite complicated and
is usually unique to the individual problem. For example, the system might have allowed invalid
data to be entered. The correction of the individual error is one corrective control, and the
correction of the system to prevent invalid data from being entered in the future is another.

In this way, IT improves internal controls by embedding and automating the entity’s
practices, policies, and procedures into its IS.

An entity’s IS may include the use of manual and automated elements and how information
is dealt with in specific IT applications. The attributes of automated and manual controls are
relevant to the auditor in relation to the identification and assessment of the risks of material
misstatement at the financial statement and assertion levels, and the nature and extent of
further audit procedures based on internal controls.

Problems and Incidents

An increasingly common issue of concern caused by the rapid growth of the Internet and
e-commerce is cyber-security – making sure business data are safe from attack via the Internet.
Examples of cyber-attack include ransomware, malware and hacking of customer credit card
data or other privacy breaches. A cyber-attack could lead to either a ‘problem’ or an ‘incident’.

The terms ‘problem’ and ‘incident’ differ mainly in impact. From a management
viewpoint, problems are breaches of organisational policies and procedures that might lead
to misstatement of the financial statements or to operational failures, but that do not seriously
interfere with the continuance of the entity. In contrast, incidents are serious breaches,
even disasters, that destroy or limit access to the entity’s IT system, and are likely to result in
interruption to the entity’s operations. Incidents might arise through physical disruptions like
fire or flood, or through cyber-attacks on the IT system. From the auditor’s viewpoint, both
problems and incidents may lead to misstatement of the financial statements and incidents
may create going concern issues.

The fundamental strategy for the management and reporting of problems and incidents
is the entity’s internal control system. IT-related problems and incidents are addressed mainly
through the entity’s IT General Controls (ITGC) designed to ensure that the IT environment
maintains data integrity, security and confidentiality. All ITGC should be properly documented
and regularly tested and updated to reflect the frequent changes to the IT environment, and
the entity’s human resources. ITGC may include:

• Anti-virus software.

• Prompt updating of applications and operating systems.

• Whitelisting permitted software – rather than blacklisting known problem software.

• Passwords, fingerprints, PINs or tokens for authorised users.

• Daily data backups.

• Substitute data centres.

• Contingency plans that identify the roles responsible for incident response actions and
communications required in the event of a disaster.

Most of the above controls are primarily preventive. To the extent that control breaches
cannot be prevented, but are reported, controls are also detective in their operation. An
important component of the internal control system is the monitoring of controls to ensure
that detected problems are actioned through corrective controls that both correct the detected
errors and repair control system deficiencies so as to prevent future occurrences. Contingency
plans are primarily corrective.

Backup and contingency planning is discussed further in Sections 13.4.2.5 and 13.4.4.2.
Section 13.5.4, Effectiveness of Cyber-security Safeguard, discusses cyber-security and
Section 13.5.5, Weakness Identification and Recommendations, discusses the impact of controls
on the audit and relevant audit procedures.

Key Learning Point


IT improves internal controls by embedding and automating the entity’s practices, policies,
and procedures into the entity’s IS. Internal controls are preventive controls, detective
controls, and corrective controls.

Illustrative Example 7

How IT Improves Internal Control

In her discussions about the role of IT, Tak Wai asks general questions about the internal
controls in place at CWaves. Tak Wai considers the internal control systems as a whole;
that is, whether controls are manual or reliant on IT, the auditor’s concern is the level
of control afforded over the end-to-end process. Although one control might be weak,
another control in the same process might sufficiently address the auditor’s concern;
that is, the auditor assesses whether the internal controls as a whole provide comfort
that the process demonstrates sufficient control.

Tak Wai discovers that HKCW Investment Limited uses an automated spreadsheet
that allows an end user to request a purchase order and approve it in a single step. The
unintended consequence of this increase in efficiency is that the end user has incompatible
duties – they are requesting and approving the same transaction. As a result, the internal
control system is weakened and HKCW Investment Limited faces a higher risk of fraud due
to violation of the segregation of duties control.

Tak Wai discusses with Ka Yut the implementation of preventive controls that stop
errors from entering the system. Ka Yut provides the example of the CWaves Management
accounting information system. This system has a control that prevents a sales invoice
from being assigned a date that is more than two months old without authorisation. This
control ensures that the information system only records valid dates as invoice dates.

Ka Yut notes that a problem was found in this process and the IT team worked with the
developer to correct this problem. Previously, the system allowed an incorrect date to be
entered if the sales invoice was a cash invoice. This error meant that the invoice could be
allocated to the wrong accounting period. The problem was detected when reconciling the
sales ledger and Tak Wai documented this activity as the preventive control.

The error was corrected by a clerk, but an IT team member liaised with the software
developer to change the system. Tak Wai documents both activities as a corrective control.
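
The invoice-date controls in Illustrative Example 7, sketched in Python as an added example (it is not code from CWaves or from this text): the preventive check before and after the cash-invoice fix, and a detective report run over what reached the ledger. The record layout, the sample batch and the choice to have the report flag future-dated invoices as well are assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Callable, List, Optional, Tuple

MAX_AGE_MONTHS = 2  # the example's rule: dates more than two months old need authorisation


@dataclass(frozen=True)
class Invoice:
    number: str
    kind: str                             # "cash" or "credit"
    invoice_date: date
    posted_on: date                       # date the invoice is keyed into the system
    authorised_by: Optional[str] = None   # approver of a back-dated entry, if any


def months_back(d: date, months: int) -> date:
    """Same day of the month `months` earlier, clamped to the month's last day."""
    index = d.year * 12 + (d.month - 1) - months
    year, month0 = divmod(index, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))


def is_stale(inv: Invoice) -> bool:
    return inv.invoice_date < months_back(inv.posted_on, MAX_AGE_MONTHS)


def preventive_after_fix(inv: Invoice) -> bool:
    """Corrected control: every invoice type is tested."""
    return not is_stale(inv) or inv.authorised_by is not None


def preventive_before_fix(inv: Invoice) -> bool:
    """Control as it behaved before the correction: cash invoices skipped the date test."""
    if inv.kind == "cash":
        return True
    return preventive_after_fix(inv)


def post(batch: List[Invoice],
         control: Callable[[Invoice], bool]) -> Tuple[List[Invoice], List[Invoice]]:
    """Apply a preventive control at entry; return (ledger, rejected)."""
    ledger, rejected = [], []
    for inv in batch:
        (ledger if control(inv) else rejected).append(inv)
    return ledger, rejected


def detective_report(ledger: List[Invoice]) -> List[Tuple[str, str]]:
    """Routine report over posted invoices: lists items for manual review."""
    findings = []
    for inv in ledger:
        if inv.invoice_date > inv.posted_on:
            findings.append((inv.number, "future-dated"))
        elif is_stale(inv) and inv.authorised_by is None:
            findings.append((inv.number, "older than two months, no authorisation"))
    return findings


POSTED = date(2022, 11, 16)
SAMPLE_BATCH = [  # constructed records, not taken from the text
    Invoice("INV-001", "credit", date(2022, 11, 10), POSTED),
    Invoice("INV-002", "credit", date(2022, 8, 30), POSTED),
    Invoice("INV-003", "cash", date(2022, 7, 1), POSTED),
    Invoice("INV-004", "credit", date(2022, 6, 15), POSTED, authorised_by="controller"),
    Invoice("INV-005", "cash", date(2022, 12, 5), POSTED),
]

if __name__ == "__main__":
    for label, control in (("before fix", preventive_before_fix),
                           ("after fix", preventive_after_fix)):
        ledger, rejected = post(SAMPLE_BATCH, control)
        print(label, "rejected:", [i.number for i in rejected],
              "report:", detective_report(ledger))
```

With the corrected control the stale cash invoice is stopped at entry, while the future-dated invoice still reaches the ledger and is picked up only by the report, which is why the detective layer remains necessary.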

Apply and Analyse 1


Happy Islands provides children’s playground equipment to schools and families for
children to enjoy outside exercise.

You are undertaking your audit as part of the financial audit team. It is your job to review
and assess the IT controls in place. You are charged with identifying the IT in place that
strengthens the system of internal control at Happy Islands.

You have documented the existing computer information systems. The following describes
some of the systems in place and what they do:

• James’ EasyAccount Pro: This is an accounting information system that is
used to record and manage invoices, sales orders, payroll and other accounting
information necessary to run the Happy Islands business. Consequently, the
system is used to record the billable time of Happy Islands consultants, and
from this information the amount that clients are to be invoiced is determined.
This system captures all financial information relating to the business and its
operations.

• UserVerify Protect: This application provides multi-factor authentication for users
when they give their credentials to access Happy Islands corporate information
systems. UserVerify Protect provides an application on users’ phones, and users
use this application to verify that they are authorised users of the network when
they provide their passwords to access all corporate information systems.

• Data Supremacy V2: This data analysis tool is used by Happy Islands to analyse
its corporate data. Data Supremacy V2 integrates data from different information
systems to a data warehouse on a daily basis, and then makes that information
available to management for operational as well as strategic decision-making.
For example, as Data Supremacy V2 accesses many systems, it is used to develop
reports of performance and benchmarks across Happy Islands in line with Happy
Islands business expectations.

• Audit Log Scrutineer: This tool sends email alerts when system access rules
are violated (for example, when systems are accessed outside standard hours of operation
or in violation of access rights). In addition to the email alerts, there is an interactive
dashboard that can be used to answer ad hoc questions regarding system access
and user activity.

• Landscape Ninja 2: This tool is used individually by Happy Islands consultants to
draft and plan playgrounds and landscaping for clients. Happy Islands consultants
use the tool as required in their planning development work. Some consultants
prefer to use the competing product, Yumisoft’s Terrain and Country (Premier
Edition), and such use is not mandated by Happy Islands so long as the consultants
meet client expectations.

Required:

(a) Review this case information and identify the benefits provided by each computer
information system to the Happy Islands system of internal control in accordance with
the benefits identified in Appendix 5 of HKSA 315 (Revised 2019).

Keep in mind that a single computer information system might provide multiple
such benefits, or might provide no such benefits at all.

Analysis:

(a) HKSA 315 (Revised 2019) Appendix 5 identifies several benefits that IT can bring to an
entity’s system of internal control. The table below matches, where possible, the IT
Components identified in the case to each benefit identified in Appendix 5.

| Benefit to System of Internal Control | IT Component |
| --- | --- |
| Achieve consistency in the application of business rules and performing complex calculations in processing large volumes of transactions or data | James’ EasyAccount Pro (provides a centralised transaction processing system that makes it easier to control operational information). |
| Enhance the timeliness, availability and accuracy of information | James’ EasyAccount Pro (provides a central repository of all financial information); Data Supremacy V2 (provides a data warehouse and distributes accurate information in a timely manner to different areas of the business); Audit Log Scrutineer* (email alerts provide a timely notification of information relating to system access). |
| Facilitate additional data analysis | Data Supremacy V2 (provides data analysis that is in addition to that available at a transactional level by integrating different information systems); Audit Log Scrutineer* (allows analysis and review of user login information). |
| Enhance the monitoring of policies and procedures | James’ EasyAccount Pro* (provides information that allows performance to be compared to established benchmarks); Audit Log Scrutineer (ensures that user access and authentication is within Happy Islands policies and procedures). |
| Reduce the risk of control circumvention | UserVerify Protect (ensures a second level of secure authorisation and access to the computer information systems); Audit Log Scrutineer (used to alert suspicious or unauthorised access to the computer information systems). |
| Enhance the ability to achieve effective segregation of duties by implementing security controls in IT applications, databases and operating systems. | UserVerify Protect (enforces implementation of system access rights). |

* IT Components marked with an ‘*’ indicate that this is not a primary benefit arising from the use of this component.

Note that the Landscape Ninja 2 system is an application used by individuals to deliver Happy Islands services, and on
the basis of the information is not part of the internal controls system.

13.3.3 Assessing Risks of IT


In order to plan their approach to the audit, the auditor must assess the risks that IT does
not prevent, detect or correct errors that may lead to material misstatements in the financial
reports. The auditor’s assessment is based on the ITGC, the extent of integration of IT across
applications and the level of involvement of IS in financial reporting.

Information Systems support business processes in three cycles: expenditure, conversion
and revenue (see Section 13.3.3.1). Information flows into the financial reports from these
business processes and the auditor must understand the key business processes and the IS
that support them in order to assess the risk of material misstatement.

The extent of integration of IT across applications is determined by the nature of the
entity’s system. Smaller entities with simple PC-based systems will likely run a standalone
accounting and payroll system on a single machine, with the payroll system being an add-on
to the accounting application provided by the vendor. Larger entities will have a Local Area
Network (LAN) or Wide Area Network (WAN) and the financial reporting system will interface
with numerous applications. A business running a full ERP system in a WAN will have a fully
integrated system.

Illustrative Example 8

IT Risk: Retail Sales Systems and the Revenue Cycle

In revenue systems, fraudulent transactions are common. These might include the
early recognition of sales, or the recording of non-existent sales so as to overstate
revenues, or sales might be made below authorised prices in exchange for kickbacks
from customers. The latter transaction would lead to an understatement of revenue.
Sales represent an inherent risk for fraud and error and revenue is the only area where
the auditor is required to plan the audit with an expectation of misstatement. The key
assertions affected are the occurrence, completeness, cut-off and accuracy of sales.

Consider JayCo, which operates thirty supermarkets in Hong Kong. Over the past
five years JayCo has developed an on-line store and 20% of its sales are now on-line.
Sales transactions are processed in real time – transactions are validated and used to
update computer files immediately. Users can access the retail system and initiate sales
transactions directly through a variety of devices including phones, cash registers, optical
scanners and voice response systems.

Many risks exist in such IT environments, for example, unauthorised access,
viruses and the destruction or lack of audit trails. The auditor should always develop an
understanding of the entity’s security infrastructure before going on to consider the IT
general and application controls, some of which are noted below.

General controls

• Access controls: passwords, fingerprints, two-level security, controls over access
rights and password assignment.

• Transaction logs.

• Programming controls – e.g. segregation of programming from operations.

• Firewalls.

The following application controls are important for on-line processing:

• Pre-processing authorisation (e.g. credit cards).

• Limit, range and reasonableness tests (e.g. sales amount).

• Input error identification, reporting and correction (e.g. incorrect bar code).

• Cut-off procedures to manage the continuous flow of transactions – where the
operator must stop processing long enough to copy a data file or produce a report.

Common audit procedures to test controls are as follows:

• CAATs, for example, the use of test data for on-line sales.

• Tests of access controls.

• Reprocessing of transactions.
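
The test-data technique named above, as an added Python example (not JayCo's system and not code from this text): the auditor prepares on-line sales with known expected outcomes, runs them through the application controls, and reports every case where the control's response differs. The stand-in edit checks, their thresholds, the bar codes and the omitted lower bound on quantity are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed master data and thresholds (assumptions, not from the text).
CATALOGUE: Dict[str, float] = {"4890001": 12.50, "4890002": 88.00}  # bar code -> authorised price
MAX_QTY = 50              # range test: upper bound on units per line
MAX_SALE_VALUE = 2000.00  # limit test: ceiling per transaction
PRICE_TOLERANCE = 0.10    # reasonableness test: within 10% of authorised price


@dataclass(frozen=True)
class Sale:
    ref: str
    barcode: str
    qty: int
    unit_price: float
    card_authorised: bool


def sales_edit_checks(sale: Sale) -> List[str]:
    """Stand-in for the client's on-line sales controls; returns rejection codes.

    The range test below checks only the upper bound. That gap is a
    constructed deficiency, left in so the test data has something to find.
    """
    errors: List[str] = []
    if not sale.card_authorised:                    # pre-processing authorisation
        errors.append("NO_AUTH")
    authorised_price = CATALOGUE.get(sale.barcode)
    if authorised_price is None:                    # input error identification
        errors.append("BAD_BARCODE")
    if sale.qty > MAX_QTY:                          # range test (upper bound only)
        errors.append("QTY_RANGE")
    if sale.qty * sale.unit_price > MAX_SALE_VALUE:  # limit test
        errors.append("OVER_LIMIT")
    if (authorised_price is not None
            and abs(sale.unit_price - authorised_price) > PRICE_TOLERANCE * authorised_price):
        errors.append("PRICE_UNREASONABLE")          # reasonableness test
    return errors


# Auditor's test data: each sale is paired with the rejection codes a
# properly working set of controls should return for it.
TEST_DATA: List[Tuple[Sale, List[str]]] = [
    (Sale("TD-01", "4890001", 2, 12.50, True), []),
    (Sale("TD-02", "4890001", 1, 12.50, False), ["NO_AUTH"]),
    (Sale("TD-03", "0000000", 1, 10.00, True), ["BAD_BARCODE"]),
    (Sale("TD-04", "4890001", 51, 12.50, True), ["QTY_RANGE"]),
    (Sale("TD-05", "4890002", 30, 88.00, True), ["OVER_LIMIT"]),
    (Sale("TD-06", "4890002", 1, 44.00, True), ["PRICE_UNREASONABLE"]),  # sale below authorised price
    (Sale("TD-07", "4890001", -3, 12.50, True), ["QTY_RANGE"]),          # negative quantity
]


def run_test_data(system: Callable[[Sale], List[str]],
                  test_data: List[Tuple[Sale, List[str]]]
                  ) -> List[Tuple[str, List[str], List[str]]]:
    """Return (ref, expected, actual) for every case where the control deviated."""
    exceptions = []
    for sale, expected in test_data:
        actual = system(sale)
        if sorted(actual) != sorted(expected):
            exceptions.append((sale.ref, expected, actual))
    return exceptions


if __name__ == "__main__":
    for ref, expected, actual in run_test_data(sales_edit_checks, TEST_DATA):
        print(f"{ref}: expected {expected}, system returned {actual}")
```

The single exception, TD-07, is the kind of result the auditor would document as a control deviation and follow up with the entity.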

13.3.3.1 Assessing and Advising on the Risks of Business Processes


Having developed an understanding of the computerised business systems and IT
environment, the auditor is well equipped to identify many IT weaknesses or risks at an audited
entity. Not all such weaknesses or risks are the concern of the financial auditor, however. Many
systems will not contribute to an overall risk of material misstatement in the financial reports,
even if they have weaknesses or are risky. IS that are not material, or do not affect the financial
statements, likely do not require documentation or evaluation. Such IS are out of scope. IS
that are in scope are those that contribute to the overall risk of material misstatement in the
financial reports.

HKSA 320.10

The financial auditor makes an assessment of materiality by considering the maximum
extent to which financial statements can be misstated and still not affect the decisions of
reasonable users of the financial statements. Materiality is assessed according to the specific
circumstances of the entity and will be set as part of the audit strategy. If the preliminary
assessment of materiality is 5% of revenue, an IS that records transactions to a total value of
less than 5% of revenue would likely be out of scope.

For example, consider a public transport company that has a weakly controlled information
system that manages the cleaning of its buses. This system does not affect the financial reports
and so the weakly controlled system does not contribute to a risk of material misstatement in
the financial reports despite the operational problem that exists.

HKSA 320.10

The auditor therefore determines the materiality of the overall audit according to the
individual entity’s circumstances. The auditor then assesses whether they will rely on IT controls
in undertaking the audit. The auditor then identifies those systems that are in scope – if any
– for the audit according to their contribution to the overall risk of material misstatement in the
financial report.

The entity’s IS all support different business processes. The IS are often grouped together
by a business process according to their role in the expenditure cycle, conversion cycle, or
revenue cycle. Each business process might be supported by several IS. Some of those IS might
be in scope for the audit, whilst some may not be.

Expenditure Cycle
The expenditure cycle focuses upon processes that determine the goods and services to
acquire, the subsequent acquiring and receiving of those goods and services, the approval of
payment, and, finally, the actual payment for the goods and services. These business processes
are important to the auditor as they involve the transfer of resources – usually cash – to
external third parties. Consequently, these business processes are prime targets for fraud and
can be an important source of material misstatement in the financial reports.

The expenditure cycle has several central business processes, such as purchasing and
procurement, salary and wages, and cost planning and monitoring. These business processes
affect accounts in the financial reports, such as the cost of goods sold, inventory, factory
operating overheads, accounts payable, cash, and general expense accounts.

Expenditure cycle IS record transactions relating to the entity’s acquisition of goods and
services that the entity uses. A payroll information system, a purchasing information system,
a cost management system, and a fixed asset management system are all examples of
expenditure cycle IS.

Conversion Cycle
The conversion cycle records transactions relating to the entity’s conversion of goods and
services that the entity uses. Such transactions generally represent the entity’s work-in-progress
in getting products or services ready for sale. In the conversion cycle, common systems are
focused on production planning and cost control systems, such as cost management or
budgeting systems. The conversion cycle records how the entity converts the inputs that it
acquired in the expenditure cycle prior to the final sale of the goods or services (that is, the
revenue cycle).

Revenue Cycle
Finally, the revenue cycle focuses upon those processes relating to the sale of goods and
services to the entity’s customers. These business processes are important to the auditor
as incorrect records may overstate or understate revenue and thus misrepresent the
sustainability of the business to prospective investors. As well, sales commissions and bonuses
are often determined by the revenue reported by the entity’s IS, and so again these business
processes and their associated IS are prime candidates for fraudulent activity.

Although other business processes are likely to exist, the central business process in the
revenue cycle is the sales ordering business process. This business process affects accounts
on the financial reports such as accounts receivable, bad debt expense, inventory, sales
commissions, sales revenue, and cash. At a high level, this process commences with the receipt
of a customer’s purchase order, the provision of credit terms if warranted, providing and/or
shipping the goods, invoicing the customer, and, finally, collecting cash from the customer.
In particular, this process should verify that the provision of goods on credit terms does not
exceed the customer’s pre-determined credit limit.

Revenue cycle IS record transactions relating to the entity’s sale of goods and services to
its customers. A sales order processing information system is an example of a revenue cycle
information system. This process is triggered by a sales order received from a customer. Other
systems may be involved, however, such as systems for inventory management, shipping
systems, or accounts receivable systems.

Assessment of Audit Risk


Using their understanding of the computerised business systems in place and the IT
environment, the auditor identifies the business processes and supporting IS from which
information flows to the financial reports. The resulting assessment informs the auditor’s
assessment of audit risk and, ultimately, audit engagement planning in the context of IS.

Key Learning Point


The auditor’s concern is the assessment of IT weaknesses and risks of material
misstatement in the financial reports. The auditor identifies the business processes and
supporting IS from which information flows to the financial reports.

Apply and Analyse 2


Golden OneTwoEight Infrastructure Services (G128) provides equipment maintenance and
engineering consulting services for large public infrastructures throughout Hong Kong.
They service some of the large mechanical equipment at Hong Kong’s ports, railways, and
airports. There is a large workforce of professional engineers and support staff, and a large
inventory of expensive spare parts that is maintained in the G128 warehouse facility in
Kwai Chung.

Golden OneTwoEight Infrastructure Services has revenue of approximately HK$630
million each year and overall expenses are approximately HK$580 million per annum. Most
of the revenue generated by G128 comes from the maintenance of equipment at G128’s
clients, with about HK$58 million coming from engineering consulting services. G128 has
approximately HK$100 million of fixed assets. The audit team has determined that the
concern of material misstatement of the financial statements for G128 is 5% of revenue.

You are a member of the audit team for G128 this year. After the initial walkthrough
test in the audit, and review of the ITGC in place, the audit team’s conclusion is that the
ITGC are reliable. For this reason, your audit team is now considering whether to rely on
the controls in the IS that support the business.

From the walkthrough tests, the audit team identifies three prominent systems. These
are InStock, MaintainYourPlant, and PeoplePay. InStock manages the large amount of
inventory in the Kwai Chung warehouse. MaintainYourPlant schedules the work orders
for maintaining the equipment at each of G128’s clients. PeoplePay manages the payroll
information for all of G128’s workforce.

InStock manages the inventory of consumables, spare parts, and small equipment that
G128 keeps on hand to service the infrastructure of its clients. G128 purchases and stores
the more valuable spare parts and consumables, and invoices clients for these items as they
are used. Thus, InStock manages a relatively large inventory of approximately HK$35 million
in value and G128 purchases about HK$15 million of replacement inventory each year.

InStock is a commercial off-the-shelf system that is used commonly in the industry. It is in
common use by G128’s competitors in Hong Kong and similar companies in North America,
Europe, and China. G128 is certified according to ISO9001 Inventory Control by a reputable
quality assurance agency. InStock does not have an integration into the financial reporting
system at G128. Instead, an inventory report is printed each month from InStock and an
adjusting journal is prepared to reflect the value of inventory in G128’s financial records.

MaintainYourPlant is software developed in-house by G128. Its purpose is to produce
work schedules that the workforce follows in maintaining the equipment across Hong Kong.
MaintainYourPlant was developed by Ka Wing Siu, the nephew of the G128 CFO, using
Microsoft Access and SQL Server.

MaintainYourPlant contains the records of all G128’s clients and their equipment,
and the maintenance log and the upcoming work schedule for all equipment.
MaintainYourPlant imports customer records from the G128 customer relationship
management. MaintainYourPlant records notes about the work done to customer
equipment. These notes are exported from MaintainYourPlant to the G128 customer
relationship management (CRM) for reference by G128 in dealing with customers.

Engineers manually complete paper-based customer work completion (CWC) forms
when they have maintained client equipment. CWC forms are also completed by engineers
after providing engineering consulting services. These CWC forms are then processed by the
accounts department into the G128 financial reporting system and are used to create client
invoices. The CWC form is not produced or recorded by MaintainYourPlant.

PeoplePay manages the payroll records of all of the G128 workforce. In total, salary
and wages at G128 are approximately HK$475 million each year and PeoplePay records all
of this expenditure.

PeoplePay is commercial off-the-shelf payroll software that is popular in engineering
consulting firms. The software developer is listed as an HR software provider by the
Global Payroll Association. Software is implemented by a local payroll software provider
and the software is maintained by that software provider. Changes to the software
and its configuration are requested by Yu Hin So, G128’s CFO, and implemented by the
software provider.

PeoplePay is used to pay G128’s employees fortnightly. The payroll team in the
accounts department prepares each fortnightly payroll according to the payroll records.
One of the six senior members of the accounts team reviews each fortnightly payroll
according to a fortnightly rotating schedule. Yu Hin So, the CFO, authorises the final
prepared payroll and the payment advice is distributed to G128’s bank for processing.
PeoplePay directly integrates its information to the financial reporting system.

Required

(a) Three systems are identified in this case: InStock, MaintainYourPlant, and
PeoplePay. Considering the facts of the case, evaluate whether each system is in
scope for the financial audit. Provide reasons for your evaluation.

(b) For the three systems identified in the case (InStock, MaintainYourPlant, and
PeoplePay), consider which of the three cycles the system most relates to. Provide
reasons for your consideration.

(c) For the systems you identified as in scope for the financial audit, what is your
initial assessment – based on the available facts – as to whether you will rely on
the IT controls of these systems in undertaking the audit. Provide reasons for your
assessment.

Analysis

(a) To be in scope for the audit, each system would need to be a potential contributor
to the overall risk of material misstatement in the financial statements at G128.

The information maintained by InStock does affect the financial statements, but
not through direct integration to the financial reporting system as its information
is manually integrated. InStock would likely be in scope for the financial audit,
however, as the total managed value of inventory (HK$35 million) exceeds 5% of
total revenues (HK$31.5 million), which has been determined by the audit team as
the relevant level of materiality.

The information maintained by MaintainYourPlant does not affect the financial
statements. MaintainYourPlant schedules work orders but does not maintain financial
records. The value of the information managed by MaintainYourPlant is HK$630
million, which exceeds the assessment of materiality made by the audit team. The
argument can be made that MaintainYourPlant is in scope as it supports all of the
G128 revenue. On the facts provided, however, MaintainYourPlant would likely not be
in scope for the audit as it does not directly affect the financial statements.

The information maintained by PeoplePay does affect the financial statements
directly as the information is integrated directly into the financial reporting system.
PeoplePay is a material IS, as the value managed (HK$475 million) exceeds 5% of
total revenue (HK$31.5 million). On the facts provided, it is likely that PeoplePay
would be in scope for the audit.

(b) InStock is part of the expenditure cycle as purchases are a G128 expense. Although
MaintainYourPlant does not affect the financial statements, MaintainYourPlant is
part of the conversion cycle as it converts labour input (professional engineering
time) into finalised work orders (value to the client). PeoplePay is part of the
expenditure cycle as salary and wages are a G128 expense.

(c) The initial assessment would likely be that the IT controls of InStock are reliable.
The software is certified to best practice standards. Further, as a commercial
off-the-shelf solution the development and maintenance of the software is
undertaken by a third-party software provider with many different clients.

MaintainYourPlant was not evaluated as in scope for the financial audit. However,
if MaintainYourPlant were judged to be in scope, the initial assessment would likely
be that the IT controls of MaintainYourPlant are not reliable. MaintainYourPlant is
developed in-house using consumer-grade desktop software development tools that
are likely to lack robust security. The developer is also personally related to the G128
CFO, which would likely cause concerns over conflicts of interest and the difficulty of
ensuring a segregation of duties between the CFO and the system developer.

PeoplePay is an in-scope IS for the purpose of the audit. The initial assessment
of PeoplePay would likely be that the IT controls are reliable as the software is
from a reputable provider and is developed and maintained by a separate service
provider. The payroll records also appear to support an audit trail from the final
prepared payroll to the underlying payroll records, and the review by a different
senior member of the accounts team is a strong supervisory control. A possible
concern regarding segregation of duties is that Yu Hin So requests the changes to the
software that are made by the local service provider as well as authorising the final
payment made. It is likely, though, that the initial assessment would consider that the
review by a different senior member of the accounts team is a compensating control
that addresses the weakness in segregation of duties in this instance.

In each case, the initial assessment requires the gathering of further
information regarding the application controls if the application controls are to be
relied upon in the audit. If the application controls are not relied on, then the audit
will need to rely upon substantive testing instead of controls testing.


13.3.3.2 Assessing Audit Risk


Audit risk is a function of the risks of material misstatement at the financial statement or
assertion levels, and detection risk. Risks of material misstatement at the assertion level
comprise inherent and control risks. Assessing the audit risk in the business processes from
which information flows to the financial report therefore requires the auditor to consider three
components. These three components are inherent risk, control risk, and detection risk.

Audit risk can be calculated by assigning a value to the assessment made of inherent risk,
control risk, and detection risk in the following formula:

Audit Risk = Inherent Risk × Control Risk × Detection Risk

Inherent risk is the first component of audit risk. Inherent risk relates directly to the
nature of the industry in which the entity operates. Inherent risk is the risk that the error
might occur in the first place, irrespective of whether a control protects against it. Inherent
risk acknowledges that some account balance, transaction and disclosure assertions are more
susceptible to misstatement, whether due to fraud or error. This is due to the inherent nature
of the account balances or the client’s business and environment that creates complexity,
subjectivity, uncertainty or changes in events or conditions affecting the entity and before
consideration of any related controls.

Inherent risk can also be impacted because of external factors affecting the entity’s
business risk. Changes in economic conditions that create pressure on the entity’s business
and consequent uncertainty in relation to cash flows and working capital could, for example,
increase the risk of misstatement in order to maintain compliance with debt covenant ratios.
Similarly, the nature of the entity’s business itself may have inherent business risks that affect
inherent risk.

Factors within the entity can impact inherent risk. For example, an entity whose business
operations are highly IT dependent has a higher level of inherent risk than an entity that relies
on IT only for its financial accounting functions.

The greater the level of inherent risk due to complexity, subjectivity, change or uncertainty,
the greater is the susceptibility of the financial statements to misstatement. Depending on the
degree to which inherent risk factors affect the susceptibility of misstatement of an assertion,
the level of inherent risk varies on a scale referred to as the spectrum of inherent risk and can
be measured in quantitative or qualitative terms.

Appendix 2 to HKSA 315 (Revised 2019) contains detailed guidance on understanding
inherent risk factors. Inherent risk factors relating to IT include changes in the IT environment
and the installation of significant new IT systems related to financial reporting.

The actions taken by the auditor do not affect the level of inherent risk, as the risk exists
whether the audit is undertaken or not. However, the auditor’s assessment of inherent
risk does affect the overall assessment of audit risk as part of the formula for audit risk set
out above.

Control risk is the second component of audit risk. Control risk is the risk that a
misstatement that could occur in an assertion about a class of transactions, account balance or
disclosure, and that could be material, either individually or when aggregated with other
misstatements, will not be prevented, detected or corrected on a timely basis by the entity’s
internal controls. That is, control risk is the risk that an error that does occur might not be
prevented, detected or corrected by the internal controls system. Control risk reflects the
adequacy of the controls in place.

Control risk is a function of the design, implementation, maintenance and monitoring of
internal control by management to address risks that threaten the achievement of the entity’s
objectives relevant to preparation of the entity’s financial statements. In assessing control risk,
the auditor determines whether the controls in place are effective at preventing, detecting, and
correcting errors. There are two aspects to consider.

First, the auditor considers whether the design of the internal control is effective in
reducing the risk of material misstatement. If the design of the control is not effective at finding
the error, then the control is ineffective. The auditor cannot rely on an ineffectively designed
internal control to identify a misstatement.

Second, the auditor considers whether the internal control is actually effective in reducing
the risk of material misstatement. The auditor tests the controls to determine whether the
internal control operates as designed. The auditor can test controls by generating a new
transaction to identify the controls actually used and whether those controls are effective,
observing the business process in action to see controls in practice and examining the entity’s
records for evidence indicating that the controls were in fact performed.

The auditor evaluates the internal controls system as a whole. That is, a single ineffective
control – whether by design or operation – does not indicate that the internal control system
is ineffective. The control may have a relatively small impact or its impact may be offset by a
compensating control. One common compensating control is supervision. Here, a supervisor
works closely with all team members. In such a circumstance, the opportunities for collusion
are less even if the team members’ duties are incompatible.

As with inherent risk, the controls are in place irrespective of whether the audit is
undertaken or not. The auditor’s tests of controls do not change control risk, but they do
increase the reliability of the auditor’s assessment of it. That is, the auditor can reduce the
likelihood that their assessment of control risks is flawed by increasing controls testing. These
tests are therefore incorporated into the auditor’s overall approach to the audit.

Detection risk is the third and final component of audit risk. Detection risk is the risk
that the auditor does not detect errors that the entity’s internal controls also do not detect
and correct.

Detection risk is inversely related to substantive testing. The auditor can reduce detection
risk by increasing the substantive testing performed; conversely, detection risk is increased
by reducing the substantive testing performed. Substantive tests are designed to determine
whether the entity’s electronic records fairly reflect the organisation’s transactions. Substantive
tests often confirm the balances reported in the financial reports with independent third
parties. However, substantive testing also establishes whether the documents contain errors –
that is, that the financial information is complete, valid, and accurate.

The auditor’s assessment can be quite precise (for example, 40% inherent risk) or within
a band (for example, low inherent risk). The auditor determines an acceptable level of audit
risk and designs the audit approach to adjust the reliability of the control risk estimate and
the detection risk with controls testing and substantive testing. The auditor then designs the
audit approach according to their assessment of audit risk. Increasing controls testing reduces
control risk and increasing substantive testing reduces detection risk. In this way, the auditor’s
assessment of audit risk directly informs the audit approach.
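
The same formula rearranged to plan detection risk, as an added worked example that is not part of the original text. The 5% acceptable audit risk and the 50% control risk are constructed figures; the 40% inherent risk is the illustration used above.

Detection Risk = Audit Risk / (Inherent Risk × Control Risk)

Controls relied upon (Control Risk = 50%): Detection Risk = 0.05 / (0.40 × 0.50) = 0.25
Controls not relied upon (Control Risk = 100%): Detection Risk = 0.05 / (0.40 × 1.00) = 0.125

When controls cannot be relied upon, the tolerable detection risk halves from 25% to 12.5%, so the auditor must plan more extensive substantive testing to hold audit risk at the same acceptable level.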

Key Learning Point


Audit risk can be calculated by assigning a value to the assessment made of inherent risk,
control risk, and detection risk:

Audit Risk = Inherent Risk × Control Risk × Detection Risk

Inherent risk relates directly to the nature of the entity’s industry. Audit activities do
not affect inherent risk.

Control risk is the risk that the controls in place are inadequate in preventing,
detecting, or correcting errors that materially affect the financial reports. Tests of controls
do not change control risk, but they do increase the reliability of the auditor’s assessment
of control risk.

Detection risk is the risk that the auditor does not detect errors that the entity’s
internal controls also do not detect and correct. Increasing substantive testing reduces
detection risk.

The auditor designs the audit approach according to the assessment of audit risk.

Illustrative Example 9

Assessing Audit Risk

Tak Wai knows that the industry in which CWaves Ferry’s Company operates typically has
a large number of small cash transactions. For this reason, entities within the industry
are more susceptible to fraud or errors, and CWaves Ferry’s Company also faces that
risk. Tak Wai assesses inherent risk as medium for this reason.

Tak Wai also has to assess control risk. This is the risk that the controls in place do not
prevent, detect, or correct errors that occur. For example, the information system controls
at CWaves Godown may not prevent, detect, or correct a data entry error that mistakenly
represents a HK$100,000 sale as a HK$1,000,000 sale. This risk arises from the inadequate
controls in place. Tak Wai needs to understand the adequacy of the controls in place as
part of her risk assessment and to document those controls.

Finally, Tak Wai needs to consider her own audit efforts. The more substantive testing
undertaken, the more likely any errors not corrected by the internal controls system will
be detected. This is detection risk. For example, if CWaves Godown’s internal controls did
not correct the misrepresentation of a HK$100,000 sale as a HK$1,000,000 sale above, the
detection risk is the risk that the auditor also does not detect this error.

Tak Wai determines the level of substantive testing (and thus the detection risk) by
considering inherent and control risk. She uses this assessment of audit risk to plan
the audit.


Knowledge Check Questions

Question 22
Identify which of the following are the three areas that IT strategy addresses at a high level.
A How the business strategy supports the IT strategy, provides an overall master plan of
the IT function, and documents the shared view of the IT function’s role.
B How IS are used to support business strategy, provide an overall master plan of the
IT function, and document the shared view of the IT function’s role.
C The detailed IT budget provides a detailed schedule of training requirements and
documents the specifications required of a new IS.
D The documented understanding of the IT environment, the role of IT in improving
internal controls, and the assessment of the IT risks.

Question 23
Identify which of the following is an IT internal control.
A A member of the finance team verifies employee timesheets.
B A knowledgeable expert reviews expenditure reports.
C A supervisor observes data entry tasks.
D An application checks whether the data entered are a valid date.

Question 24
Identify which of the following describes the controls that comprise the PDC model of
internal control.
A Passive, directed, and compensating controls.
B Primary, direct, and co-directed controls.
C Preventive, detective, and corrective controls.
D Pooled, distinct, and combined controls.

Question 25
Identify which of the following describes the active steps taken to recognise undesirable
events that were not stopped from occurring in the system.
A Compensating controls.
B Directed controls.
C Detective controls.
D Preventive controls.

Question 26
Identify which of the following is considered to be a compensating control.
A Segregation of duties.
B Physical security.
C Supervision.
D Reasonableness tests.



Question 27
Identify the source document that triggers a transaction in the revenue cycle.
A The sales order from a customer.
B The purchase order from the audited entity.
C The sales invoice from the audited entity.
D The journal voucher of the audited entity.

Question 28
Discuss whether it is important for the IT strategy to support an effective internal control
environment from the perspective of the auditor.

Question 29
Define preventive controls, detective controls, and corrective controls. For each type of
control, provide an example.

Question 30
For each of the following five information systems, identify whether the system is part of
the expenditure, conversion, or revenue cycles. Identify when a system is not part of any
cycle and explain why.
(a) Sales ordering system.

(b) Closed-circuit security system.

(c) Work-in-progress management system.

(d) Group decision support system.

(e) Procurement system.

13.4 INTERNAL CONTROLS SPECIFIC TO IT

The auditor uses their documented understanding of the IT environment in the context of
financial reporting and their documented assessment of the risk of material misstatement to
formulate an audit strategy appropriate to the audit engagement.

HKSA 300, Planning an Audit of Financial Statements, requires the auditor to plan the audit
work, and the audit strategy sets out the scope, timing, and direction of the audit. HKSA 315
(Revised 2019) requires that the auditor apply risk assessment procedures to obtain audit
evidence as a basis for identifying and assessing the risk of material misstatement at the
financial statement and assertion levels and to design further audit procedures. Included in this
process is a requirement to ‘obtain an understanding of the control activities component of the
system of internal control’ (HKSA 315.26 (Revised 2019)).


Accordingly, the auditor must obtain an understanding of the ITGC in place. That is, the
auditor seeks an understanding of the ITGC to the extent that the understanding is relevant to
the audit, which is a matter of professional judgement.

The ITGC affect all of the entity’s IS and are pervasive. Effective ITGCs are necessary to
address risks relating to the use of IT applications. As a result, if ITGC are ineffective in design
or operation, application controls cannot be relied upon. If, however, the ITGC are effective in
design and operation, the auditor seeks to understand the application controls of the systems
that affect the financial reports as relevant to the audit. However, the auditor does not seek an
understanding of application controls if the control is not relevant to the audit, the information
maintained by the IS does not materially affect the financial statements, or the ITGC are
ineffective in design and operation.

This understanding and documentation is additional to, and more specific than, the
auditor’s understanding of the IT environment (Section 13.1, Overview of Computerised
Business Systems, and Section 13.2, IT Environment) and their assessment of IT risk
(Section 13.3, IT Strategy), discussed previously.

The audit strategy developed by the auditor is strongly dependent on their assessment
of the internal controls system in place at the audited entity. This system includes internal
controls that are specific to IT. These internal controls specific to IT are either ITGC or
application controls, and these controls have a close relationship. ITGC affect all IT functions,
whereas application controls relate to specific applications inside the entity’s ITGC environment.

The auditor then identifies audit procedures that set out a mix of controls testing and/or
substantive testing to evaluate the risk of material misstatement in the financial reports.

Overall, the audit strategy is a matter of professional judgement informed by
evidence-gathering activities regarding general and application controls as relevant to the audit.
The auditor documents these audit procedures as the audit plan. The audit plan is unique to
each audited entity.

13.4.1 General and Application IT Controls Relationship


The internal controls system consists of ITGC and application controls. ITGC affect all IT
functions. In contrast, application controls affect a single application that operates within the
ITGC environment. The purpose of ITGC is to ensure that the IT environment maintains data
integrity, security, and confidentiality. In contrast, the purpose of application controls is to
maintain the completeness, validity, and accuracy of data in a single application or system.

A key consideration in developing the audit plan is the extent to which the general and
application controls can be relied upon to reduce the risk of material misstatement. To be
effective, controls must be both designed effectively and operate effectively. A control that is
not effectively designed is ineffective and tests of its operation are not required to show that
the control is ineffective.

As application controls operate within the ITGC environment, the effectiveness of
application controls and ITGC are inter-related. If the ITGC environment is ineffective (whether
through ineffective design or operation), the application controls are similarly ineffective, as any
application controls can be circumvented. As a rule, effective application controls cannot
substitute for ineffective ITGC.


Key Learning Point


ITGC ensure that the IT environment maintains data integrity, security, and confidentiality.
ITGC affect all financial reporting transactions. The auditor documents and assesses each
general control as relevant to the audit.

The application controls of each system maintain the completeness, validity, and
accuracy of data in a single system. These application controls may affect data processing,
and so input controls, processing controls, and output controls may be considered by the
auditor.

If the ITGC environment is ineffective (whether through ineffective design or operation),
the application controls are similarly ineffective as any application controls can be
circumvented.

Illustrative Example 10

General and Application IT Controls Relationship

For example, Tak Wai is assessing the CWaves Godown ITGC environment. She knows
that if, in her assessment, CWaves Godown has an IT environment with ineffective ITGC,
this means that the controls are not in place to prevent unauthorised installations of or
changes to application software or the application’s underlying data.

In such a case, she knows that CWaves Godown users can then update the database
or process transactions without authorisation – or install modified versions of the software
or delete or modify transactions directly. If her assessment is that the ITGC environment is
ineffective, it does not matter how effective the information system’s application controls
are. The ineffective ITGC compromise the application controls and so the CWaves Godown
application controls are also ineffective and unreliable.

13.4.2 General Controls


ITGC ensure that the IT environment maintains data integrity, security, and confidentiality.
ITGC affect all financial reporting transactions. The most important, or key, ITGC relate to the
administration of the IT function, the segregation of duties, the development of new systems,
physical and online security, backup planning, and controls over hardware infrastructure.

The internal controls system incorporates the entity’s ITGC. The ITGC environment uses IT
to embed the entity’s policies, practices, and procedures into the entity’s IS to create a system
of internal controls specific to that entity.

The auditor initially makes inquiries of management and supervisory personnel or reviews
high-level documentation to obtain an understanding of the ITGC in place. The walkthrough
test is one means of obtaining this understanding. The auditor documents their findings and
documents the key ITGC as part of the financial audit.


The auditor does not uncritically document and evaluate all the ITGC at the entity.
Instead, the auditor assesses whether the control is relevant to the audit, which is a matter of
professional judgement.

13.4.2.1 Administration of the IT Function


The first general control to be understood and documented is the administration of the IT
function. The more reliant the entity is upon IT in its business, the more important it is that the
IT function be administered effectively. A central concern in evaluating the design effectiveness
of this general control is the attitude and involvement of senior management and the board of
directors at the entity in IT decisions. The auditor’s evaluation of the design effectiveness
of the administration of the IT function is in part dependent upon the complexity of the
entity’s IT needs.

Complexity is usually related to the number of end users, the use of emerging or advanced
technologies, online transactions, customised software, the reliance of internal controls on IT,
and/or the mix of operating systems and software. Commonly, complexity is assessed on a
scale of low, medium, or high depending on the broad characteristics of the IT environment.

In medium or high complexity IT environments, the entity needs to coordinate and align
the activities of its IT function with the entity’s needs. For administration of the IT function to be
effective in complex IT environments, the entity should have structural, process, and relational
IT governance mechanisms in place.

Structural mechanisms provide formal organisational structures (for example, IT Steering
Committees, IT Project Steering Committees, or a Chief Information Officer role) to support
the IT department in connecting and liaising with the rest of the business and the effectiveness
of that mechanism in fulfilling that role (for example, reporting to the appropriate level in the
organisation or ability to supervise the team).

Process mechanisms provide procedures that support IT decision making and monitoring
(for example, portfolio management, project governance, and management methodologies or
IT budget control and reporting, including charge back arrangements).

Relational IT governance mechanisms support the development of professional
relationships among the entity’s executives, IT management, IT service providers, and business
management (for example, training, job rotation, or IT leadership).

In complex environments, the auditor could make relevant inquiries or seek relevant
documents indicating the existence and design of these or similar mechanisms. For example,
structural mechanisms will likely have a charter document, whereas process mechanisms
should be supported by policy or procedure documentation. Relational mechanisms such as
IT leadership require a shared vision or role of IT at the entity, which is usually supported by
documentation, such as an IT strategic plan or vision statement.

In less-complex environments, these mechanisms may not be formally set out, but informal
equivalents may be apparent.


Illustrative Example 11

CWaves Godown Administration of the IT Function

For example, Tak Wai is looking to understand and document the CWaves Godown
administration of the IT function. She first assesses the complexity of Godown’s IT as low,
medium, or high. She notes that Godown has developed its own electronic commerce
software using its own software development team and this information makes her
assess Godown’s IT environment as highly complex.

She documents any structural mechanisms (e.g. IT Committee at the senior
management level, CIO roles, etc.), process mechanisms (e.g. project governance or project
management methodologies in place), and relational mechanisms (e.g. training and job
rotation with other members of the CWaves Group). In documenting her findings, she
would look for documented evidence indicating the existence of these mechanisms.

In this instance a concern is that Ka Yut is the CIO for the CWaves Group but there is a
poor relationship between the CWaves Godown Group and HKBuTS, who are the external
service provider, and the Godown IT team does not participate in the job rotation programme.

13.4.2.2 Segregation of IT Duties


The general control of the segregation of duties requires that the duties of authorising and
recording transactions are kept separate from each other, as well as from the custody of those
assets, and that incompatible functions are kept separate. For example, it is incompatible for a
purchase to be requested and approved by the same person. As a general principle, no transaction
should be performed in its entirety by a single role, and this principle extends to IT duties.

Achieving the full segregation of duties is difficult or impractical in smaller or less complex
entities, but ideally the roles of IT management, systems development, IT operations, and
maintenance and database management are kept separate from each other.

There are several IT duties of concern. For each, the auditor should understand and document
the role with responsibility for the duty as well as its reporting responsibilities:

• Access to live operational data.

• Change authorisation.

• Data management/database administration.

• Implementation of new software.

• Implementation of updates to existing software.

• Investigations of suspected security breaches.

• Monitoring of access to IT resources.

• Oversight and strategic direction of the IT function.

• Recording and scheduling of IT operational and maintenance tasks through IT helpdesk
and support software.

• Software development.

• Software requirements analysis.

• Software review.

• Systems implementation.

The key concern is that physical and logical access to programmes and data addresses the
requirement for segregation of duties. The auditor reviews these IT duties and considers the
possibility of incompatible duties in the structure of the entity.

Illustrative Example 12

CWaves Godown Segregation of IT Duties

For example, Tak Wai is looking to understand and document the segregation of IT duties
at CWaves Godown. She looks for documentation (e.g. position descriptions, organisation
charts, etc.) and evaluates whether the assignment of the IT duties of concern violates
segregation of duties. For example, the same role should not both develop software and
authorise changes to be made.

In this case, Tak Wai is concerned that the software development team installs the
software that they have written and does not let the HKBuTS team have access to the software.

13.4.2.3 Systems Development


ITGC relating to system development require that the software acquired and implemented at
the entity is properly authorised so that no unauthorised changes to software are made and
that the software developed meets the entity’s requirements.

One of the auditor’s key concerns is that changes to software are properly documented,
approved, and authorised. This requires that the segregation of duties between those that
develop the software (the systems development team) and those that implement the
developed software (the database administrator, the operations team, and/or the software
librarian) is maintained, as discussed in Section 13.4.2.2.

The auditor seeks to understand how the entity maintains its existing IS. The segregation
of duties needs to be maintained when a program change is requested, when software is configured
(or re-configured), and when program changes are applied. The general rule of the segregation
of duties applies in this case: the role responsible for requesting program changes is kept
separate from the roles that develop, authorise, and implement program changes. Similarly, a
defined and formalised (and documented) process for changes to the IT infrastructure should
be evident. During emergency changes to the IT environment, it will likely be appropriate to
suspend normal segregation of duties, but this should not be normal practice. These change
management considerations are particularly important in ensuring the integrity of the IS.
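
One way to test this rule against an entity's change log, as an added example that is not part of the original text. The record fields, status labels, names and change ids are constructed assumptions; counting an independent later review as a compensating control follows the supervision point made in Section 13.3.3.2.

```python
from dataclasses import dataclass

# The four duties in one program change that the text keeps with separate roles.
DUTIES = ("requested_by", "developed_by", "authorised_by", "implemented_by")


@dataclass(frozen=True)
class ChangeRecord:
    change_id: str
    requested_by: str
    developed_by: str
    authorised_by: str
    implemented_by: str
    emergency: bool = False  # emergency change: normal segregation may be suspended
    reviewed_by: str = ""    # later independent review (compensating control)


def _who(rec, duty):
    """Normalise a name so 'Bob ' and 'bob' count as the same person."""
    return getattr(rec, duty).strip().lower()


def conflicts(rec):
    """List (duty_a, duty_b, person) for every pair of duties held by one person."""
    found = []
    for i, a in enumerate(DUTIES):
        for b in DUTIES[i + 1:]:
            if _who(rec, a) and _who(rec, a) == _who(rec, b):
                found.append((a, b, _who(rec, a)))
    return found


def classify(rec):
    """Return the audit status of one change record.

    incomplete          - a duty has no named person, so authorisation is unevidenced
    ok                  - four duties, four different people
    compensated         - conflict, but reviewed by someone who held none of the duties
    emergency_exception - conflict on an emergency change with no independent review
    violation           - conflict with neither explanation
    """
    if any(not _who(rec, d) for d in DUTIES):
        return "incomplete"
    if not conflicts(rec):
        return "ok"
    holders = {_who(rec, d) for d in DUTIES}
    reviewer = rec.reviewed_by.strip().lower()
    if reviewer and reviewer not in holders:
        return "compensated"
    if rec.emergency:
        return "emergency_exception"
    return "violation"


def summarise(records):
    """Map each status to its change ids; everything except 'ok' needs follow-up."""
    out = {}
    for rec in records:
        out.setdefault(classify(rec), []).append(rec.change_id)
    return out


# Constructed change log (hypothetical people and ids).
SAMPLE_CHANGES = [
    ChangeRecord("CHG-001", "alice", "bob", "carol", "dave"),
    ChangeRecord("CHG-002", "alice", "bob", "carol", "Bob"),  # developer installs own code
    ChangeRecord("CHG-003", "erin", "bob", "erin", "dave", reviewed_by="frank"),
    ChangeRecord("CHG-004", "bob", "bob", "carol", "bob", emergency=True),
    ChangeRecord("CHG-005", "alice", "bob", "", "dave"),      # no authoriser recorded
    ChangeRecord("CHG-006", "erin", "bob", "erin", "dave", reviewed_by="erin"),
]

if __name__ == "__main__":
    for status, ids in summarise(SAMPLE_CHANGES).items():
        print(f"{status}: {', '.join(ids)}")
```

A high share of `emergency_exception` records is itself a finding, since the text treats suspended segregation as acceptable only when it is not normal practice.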

Further, however, the auditor must develop an understanding of the entity’s approach to
selecting, developing, and implementing new IS and the extent to which this approach ensures
that the entity’s requirements are met. The entity’s approach may be traditional, agile, or
somewhere in between.


The traditional systems development approaches (for example, the phased approaches
of the SDLC) are quite structured and formal. For example, pilot testing (testing and
implementing the new system in a single part of the organisation) or parallel testing (testing
and implementing the new system whilst continuing to use the old system) are system
implementation strategies that emphasise formal phased stages that are documented.

Agile systems development approaches such as eXtreme Programming or SCRUM
are, however, increasing in popularity in many organisations. Agile approaches emphasise
collaboration between systems developers and end users and multiple rapid releases of
software over structured phases and milestones. eXtreme Programming emphasises taking
best practice programming to the extreme, such as rewriting (refactoring) program code, and
SCRUM adopts best practices for the management of a systems development team. Agile
approaches usually emphasise frequent, rapid, and complete test cycles, and such approaches
can be considered equivalent to formal pilot testing and parallel testing. In contrast with
traditional approaches, agile systems development does not emphasise comprehensive
documentation of the project.

Often, entities use a hybrid approach to developing software. In such cases the auditor
looks for evidence indicating that changes to the software are properly authorised and
documented.

No matter the approach to developing software that is adopted, the auditor looks
for documentation that acts as a source of evidence for developing and adding to their
understanding of the systems development general control.

Illustrative Example 13

CWaves Godown Systems Development

For example, Tak Wai is looking to understand and document the CWaves Godown
approach to systems development. CWaves Godown uses an agile methodology based
on SCRUM and eXtreme Programming. She gathers the documentation relating to the
systems development process.

A key concern she notes is that the system development methodology for the key
electronic commerce system does not seem to require extensive documentation of the
system. This is a concern partly because any change authorisation as part of the system
development lacks the necessary information. It is also a concern because of implications
for Godown’s resilience in the face of disaster.

13.4.2.4 Physical and Online Security


The ITGC regarding physical and online security should ensure the availability of the hardware,
software, and data as well as ensuring that only authorised changes to software programs and
data occur. There are physical real-world ITGC as well as online virtual ITGC.

Physical access controls restrict access to hardware, software, and data – including data
backup storage. Such access controls include doors with keypad entry controls, but may include
more advanced biometric (fingerprint, voiceprint, retina scanning) controls or monitoring
approaches with closed circuit television and security monitoring.


Physical controls can also keep hardware, software, and data safe by reducing the
likelihood of disasters such as fire or flood, or by reducing
their impact. Such physical controls include fire extinguisher equipment and automated fire
prevention systems as well as air conditioning units that control temperature and humidity
in the data centre. The design and location of the data centre should also consider the risk of
flooding and fire.

Other physical controls include independent verification of completed transactions to check
for errors and misrepresentations by an independent third party and accounting records that
support an audit trail.

Online security controls are the virtual counterpart to these physical controls. User
authorisation measures including the need for usernames and passwords to access software
and data files reduce the risk of unauthorised changes to programs and data. These usernames
should have access restrictions that ensure users have access to the software programs and
data required by their role and no more.

A particular concern is the risk of cyber attack. Any network connected to the Internet
has a risk of cyber attack and it is difficult to harden a network against a sophisticated cyber
attack without compromising usability and accessibility. There are essential, and relatively
inexpensive, controls that are commonly recommended as a foundation for any approach
intended to mitigate the impact of a cyber attack.
These controls that mitigate the risk of a cyber attack include application whitelisting,
patching of applications, patching operating systems, restricting administrative privileges,
disabling untrusted Microsoft Office macros, user application hardening (i.e. preventing the use
of tools such as Flash and Java and disabling unneeded features in ubiquitous software such as
Microsoft Office), multi-factor authentication (for example, security tokens for privileged actions
by users), and the daily offline backup of important data. Additionally, regularly updated
anti-virus software serves to limit the impact of virus and ransomware attacks.

Illustrative Example 14

CWaves Godown Physical and Online Security

For example, Tak Wai is looking to understand and document the CWaves Godown
physical and online security. CWaves Godown has its own IT infrastructure for server
software, but the electronic commerce solution is managed on the group data centre.

Tak Wai seeks documentation on the group data centre’s approach to physical security
as well as the Godown IT centre. She does not note any concerns in this regard.

13.4.2.5 Backup and Contingency Planning


The general control of backup and contingency planning is required to mitigate the risk and
impact of disasters occurring that destroy or limit access to the entity’s IT, despite the physical
and online controls in place. Many entities find it difficult to operate if their key IS are not
available.


The auditor should understand how incidents are managed at the entity. Incident
management is how the organisation understands the state of its IT environment. The IT
function identifies potential hazards, analyses the hazards, and takes actions to stop hazards
from occurring in that incident and for future incidents. In this way, incident management can
reduce the risk of disasters occurring.

The auditor must understand the entity’s backup and contingency plans as relevant to the
audit. The plans must outline the actions to take in the event of disaster to restore a normal
state of operations.

Disasters may affect an entity’s IT equipment directly, such as water damage, power failure,
fire, or disruptive cyber attacks that affect the data centre. However, some events can be more
indirect. For example, a gas leak or public safety concerns may result in police incidents. If that
occurs, it can make IT equipment unavailable and the business unable to deliver its services to
customers.

The entity should have backup and contingency plans appropriate to its circumstances. It is
generally accepted that entities require regular (at least daily) backup copies of data in secure
off-site storage facilities. The backup may be offline, continuous, or use a cloud service. The
volume of data held by the business, along with the business’s dependence upon that data, is a
factor in the selection of the backup approach used.

Another concern is contingency planning – how the business keeps key systems operational
in the event of a disaster. Contingency planning aims to ensure that the IT infrastructure
needed to run the entity’s IT – or at least the parts of IT essential for the entity to operate – can
be quickly substituted with operationally equivalent IT infrastructure elsewhere.

The contingency plan sets out the steps needed to keep the entity operational. Temporary
solutions might be specified that allow key transactions to be recorded for later processing
in the restored systems. These temporary solutions might be manual workarounds when the
disaster is relatively short term, but for longer term disasters temporary IT solutions might be
used until the entity’s IT services are restored.

The contingency plan might identify key hardware and the steps required to restore
the backups to new hardware. Alternatively, the entity may contract with third-party service
providers to have a substitute data centre available if required. A hot site is a continuously
available replica of the entity’s own data centre. A business struck by a disaster that makes its
operational site unavailable can quickly use a hot site, but this is an expensive arrangement.
Alternatively, a cold site is cheaper, but this arrangement cannot be made available as quickly
as a hot site.

The final phase of backup and contingency planning is the restoration of IT services to the
entity. A disaster recovery team should be in place with clearly defined and assigned roles.
The plan should outline how the entity is to recover its information and return to normal
operations. The backup plan should allow system records to be restored to the same state as
at the most recent backup before the disaster. The contingency plan then documents how the
entity would restore its records from the most recent backup until the time of the disaster.
The contingency plan also sets out how the transactions that took place using temporary
manual or IT solutions during the intervening period would be processed to allow the system to
continue on without data loss.


In batch-oriented systems where records are grouped in ‘batches’ of transactions, the
batched transactions data can be re-processed from the time of the most recent backup. For
online real-time systems, batches would likely not exist but the transactions might be able to be
rebuilt using other records (e.g. electronic banking records). In all re-processing, the systems’
normal interface controls – system controls that ensure accurate, complete, and secure
processing of data – should be in place, or reproduced as part of the data restoration process.

Illustrative Example 15

CWaves Godown Backup and Contingency Planning

For example, Tak Wai is looking to understand and document the CWaves Godown
backup and contingency plan. She requests copies of the backup plan and contingency
plan, and looks to see when the plans were last updated.

She also requests evidence of any testing of the backup and contingency plans. A key
concern that she notes is that the software code for the electronic commerce solution is
only stored on Godown’s IT Centre and the software is poorly documented.

One concern she notes is that the software for the electronic commerce solution
might be lost in a disaster and the electronic commerce system might become inoperable.
A further concern is that the software development team might resign or be unable to
undertake their duties in a disaster. If this were to occur, new software developers would
find it difficult to maintain or review the undocumented software.

13.4.2.6 Hardware Controls


The hardware controls embedded in the technologies that support the IT environment are
an important general control. Much IT hardware has controls embedded in it when it is
manufactured.

These controls may monitor and report on hardware failures that occur or they may
be controls that enable the device to operate. For example, a network router may use
cryptographic techniques to support network communications with encryption or decryption
and user authentication, or hard drives may report errors in the server log.

Illustrative Example 16

CWaves Godown Hardware Controls

For example, Tak Wai is looking to understand and document the CWaves Godown
hardware controls embedded into the IT hardware. She notes that none of the IT
hardware is built by Godown. That is, they do not build their own routers or servers –
instead, they are standard IT solutions.

Tak Wai examines the IT procedures manual and IT work schedule to see if the
technologies in place are monitored for error messages and failures. She does not note
any concerns in this regard.


13.4.3 Application IT Controls


Not all applications require documentation of their application controls and evaluation of their
effectiveness in every audit. It is a matter of the auditor’s judgement as to whether a control,
individually or in combination with others, is relevant to the audit because it relates to
significant risks of material misstatement. Aspects of the internal control system not relevant
to the audit in the auditor’s judgement are not documented or evaluated. In particular, if the
ITGC are not effective in their design or operation, then the risks arising from the use of IT
applications have not been controlled by the ITGCs. This would mean that the auditor would
not plan to test the operating effectiveness of the IT application controls as those controls
would not be effective in addressing the risk of identified material misstatement at the financial
statement or assertion levels.

Application IT controls are first considered as part of the initial walkthrough tests of
transactions at the entity. A walkthrough test identifies source documents that commence a
transaction cycle (e.g. a purchase order) and the auditor then follows the document through
the process until the process is completed. During the test, the auditor makes inquiries,
inspects documents, and documents their own observations. In this way the auditor identifies
the internal controls in place and develops their understanding of the IT environment. This
information provides the auditor with a foundation for designing specific tests of the internal
control system, including the application IT controls.

However, the auditor only considers the specific review of application IT controls for those
IS that are in scope. In-scope IS are those IS that are prospective sources of material
misstatement in the financial statements. Applications that are not material, or do not affect
the financial statements, are likely not to require documentation or evaluation; such IS are out
of scope. The financial auditor makes an assessment of materiality by considering the
maximum extent to which financial statements can be misstated and still not affect the
decisions of reasonable users of the financial statements (HKSA 320.10). Materiality is assessed according to
the specific circumstances of the entity and will be set as part of the audit strategy. For
example, if the preliminary assessment of materiality is 5% of revenue, an IS that records
transactions to a total value of less than 5% of revenue would likely be out of scope.

Application controls maintain the completeness, validity, and accuracy of data in a
single system. These application controls may affect data processing, and so input controls,
processing controls, and output controls may be considered by the auditor. Other application
controls maintain the security, integrity, accountability, and recoverability of the master file
and database.

Application controls are also part of the internal controls system. Application controls
are unique to each system operated by the entity. Whereas ITGC are environmental and
affect all systems and all transactions in the financial reports, application controls relate to a
single system. Application controls therefore affect a smaller subset of the transactions in the
financial reports, and an individual IT application can relate to a specific financial statement
assertion or a number of related assertions.

The auditor makes inquiries of management and supervisory personnel, observing the
system in action or reviewing appropriate documentation to obtain an understanding of
the application controls in place for material systems as relevant to the audit. The auditor
documents their understanding of these application controls as relevant to the audit.


The auditor does not uncritically document and evaluate all the application controls of
material systems. Instead, the auditor assesses whether the control is relevant to the audit,
which is a matter of professional judgement in the context of the auditor’s assessment of the
identified risk of material misstatement at the financial statement and assertion levels, and
the IT applications that process information relating to the significant classes of transactions,
account balances and disclosures.

13.4.3.1 Input Controls


Input controls ensure the completeness, accuracy, and authorisation of data input into the
system at the time of data entry. The primary goal of input controls is to minimise the number
of errors occurring during the creation of data. Such errors affect the system’s processing as
well as its output. Input errors are common sources of errors in IS and principally these errors
occur during manual input.

In the IS audit context, input controls primarily relate to computerised systems, although
input controls also exist in manual systems. Nonetheless, IS have unique input controls
integrated into the system that can test data as they are entered for errors. These controls
take effect at the field or record level and the auditor documents their understanding of
these controls.

Field level input controls check the validity of a single data field in a data record. These
controls include checks that test data entry for transcription or transposition errors
using check digits, that require data to be in the correct form (for example, alphabetical or
numerical data), that require data to meet a pre-determined limit (for example, a control that
rejects new employees younger than 13 years old), or that require data to be within an
acceptable range (for example, a control that rejects month data not in the range of 1 to 12).
Similar to a range check, a validity check is an input control
that requires data inputs to be selected from a pick-list of possible values.

Record level input controls check the validity of the data record taken as a whole. One
check at the record level is a reasonableness check that compares different fields in the same
record to assess the record’s validity as a whole. The individual fields might hold valid values,
but in combination the record is invalid.

Another record level input check is the sign check that matches a transaction code with the
correct sign. For example, a sign check would ensure that a negative number is associated with
the transaction code for a credit note.
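
The field level and record level input controls described above can be shown working together on a single sales transaction record. The following Python code is an added example, not taken from the original text or from any system it describes; the record layout, the quantity limit, and the use of the Luhn algorithm as the check digit scheme are assumptions made for the illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed reference data for the example.
TXN_SIGN = {"INV": 1, "CRN": -1}   # pick-list of transaction codes and the sign each requires
MAX_QUANTITY = 1000                # pre-determined limit for a single line


def luhn_valid(number):
    """Check digit test (Luhn): catches a single mistyped digit and most adjacent transpositions."""
    if not (number.isascii() and number.isdigit()):
        return False
    total = 0
    for position, char in enumerate(reversed(number)):
        digit = int(char)
        if position % 2 == 1:          # double every second digit, counting from the right
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


def is_whole_number(text):
    return text.isascii() and text.isdigit()


def is_money(text):
    try:
        return Decimal(text).is_finite()
    except InvalidOperation:
        return False


def field_errors(rec):
    """Field level controls: each test looks at one field in isolation (all fields arrive as text)."""
    errors = []
    if not luhn_valid(rec.get("customer_no", "")):
        errors.append("customer_no: check digit")
    quantity = rec.get("quantity", "")
    if not is_whole_number(quantity):
        errors.append("quantity: format")
    elif not 1 <= int(quantity) <= MAX_QUANTITY:
        errors.append("quantity: limit")
    month = rec.get("month", "")
    if not is_whole_number(month) or not 1 <= int(month) <= 12:
        errors.append("month: range")
    if rec.get("txn_code") not in TXN_SIGN:
        errors.append("txn_code: validity")
    for name in ("unit_price", "amount"):
        if not is_money(rec.get(name, "")):
            errors.append(f"{name}: format")
    return errors


def record_errors(rec):
    """Record level controls: fields that are valid alone are tested in combination."""
    errors = []
    amount = Decimal(rec["amount"])
    # Sign check: a credit note must carry a negative amount, an invoice a positive one.
    if amount * TXN_SIGN[rec["txn_code"]] <= 0:
        errors.append("amount: sign check")
    # Reasonableness check: the amount must agree with quantity x unit price.
    if abs(amount) != int(rec["quantity"]) * Decimal(rec["unit_price"]):
        errors.append("record: reasonableness check")
    return errors


def validate(rec):
    """Reject at field level first; only a record with clean fields reaches the record level tests."""
    errors = field_errors(rec)
    return errors or record_errors(rec)


# Constructed sample record: three units at HK$250.00 invoiced in November.
GOOD = {"customer_no": "79927398713", "txn_code": "INV", "month": "11",
        "quantity": "3", "unit_price": "250.00", "amount": "750.00"}

if __name__ == "__main__":
    print(validate(GOOD))
    print(validate(dict(GOOD, customer_no="79927398731")))   # last two digits transposed
    print(validate(dict(GOOD, txn_code="CRN")))              # credit note with a positive amount
```

Each field in the transposed and mis-signed records is individually plausible; the first is caught only by the check digit and the second only by the record level sign check.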

13.4.3.2 Processing Controls


Processing controls prevent, detect, and correct errors during the processing of transactional
input data. The primary goal of processing controls is to verify that the program is working
correctly and as intended. Processing controls can check that the correct data are processed in
the correct order or validate the results of processing.

Checking that the correct data are processed in the correct order is most important in batch
input systems. A batch input system processes data in groups, whereas a real-time system
processes data as the transaction occurs.

An application can include tests that ensure the correct transaction file is processed in the
correct order, such as verifying that the correct transaction file is being processed. Sequence
tests also check that the file is in the correct format and order for processing.


Validation of processing results is important to batch input systems as well as real-time
systems. A control might double-check the results of processing. Such controls are similar
to input controls in that field level or record level data are checked, except that processing
controls check the results of processing input data.

Data reasonableness tests check whether the processed data are reasonable and meet a
set of pre-determined criteria, such as allowable working hours. Similarly, arithmetic accuracy
tests check whether the processed data are accurate by reprocessing the calculations or by
reconciling different calculated amounts. For example, the application might include a test that
checks whether the total payable for a payment run in the accounts payable process equals the
net sum of invoices received less discounts and applicable credit notes.

Completeness tests check whether the records for processing have had all the fields
necessary for processing completed. For example, the application might include a test that
checks whether the record for a new purchase order has a vendor number, the type of items,
and the number of items necessary for processing.

In all cases, the application should halt processing if any tests are not satisfied. Processing
can continue if the data are corrected, or those records that fail the test are flagged for later
manual review and correction. If processing is halted, the control may need to reverse any
already processed transactions.
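
The processing controls in this section can be combined in a single accounts payable payment run. The following Python code is an added example, not taken from the original text or from any system it describes; the batch layout, file identifier, and vendor numbers are constructed, and the choice to halt on a file or sequence failure while flagging record failures for manual review is an assumption about how the two responses would be divided.

```python
class ProcessingHalted(Exception):
    """Raised when the run cannot safely continue."""


REQUIRED = ("vendor_no", "invoices", "discounts", "credit_notes", "payable")


def process_payment_run(batch, expected_file_id, ledger):
    """Post a payment batch to `ledger` (vendor_no -> total paid, in whole HK$).

    Returns (posted, flagged). Raises ProcessingHalted, after reversing any
    postings already made in this run, when the file or its record order is wrong.
    """
    # Correct file test: refuse to start on the wrong transaction file.
    if batch["file_id"] != expected_file_id:
        raise ProcessingHalted("wrong transaction file: " + batch["file_id"])
    posted, flagged = [], []
    for position, rec in enumerate(batch["records"], start=1):
        # Sequence test: a gap or reordering makes the whole file suspect, so halt.
        if rec.get("seq") != position:
            for done in reversed(posted):            # reverse already processed transactions
                ledger[done["vendor_no"]] -= done["payable"]
            raise ProcessingHalted(f"sequence break at record {position}")
        # Completeness test: every field needed for processing must be present.
        missing = [name for name in REQUIRED if rec.get(name) is None]
        if missing:
            flagged.append((position, "incomplete: " + ", ".join(missing)))
            continue
        # Arithmetic accuracy test: recompute the payable and reconcile it to the stated figure.
        recomputed = rec["invoices"] - rec["discounts"] - rec["credit_notes"]
        if recomputed != rec["payable"]:
            flagged.append((position, f"arithmetic: stated {rec['payable']}, recomputed {recomputed}"))
            continue
        ledger[rec["vendor_no"]] = ledger.get(rec["vendor_no"], 0) + rec["payable"]
        posted.append(rec)
    return posted, flagged


# Constructed sample batch: record 2 misstates the payable, record 3 has no vendor number.
JULY_RUN = {"file_id": "AP-2024-07", "records": [
    {"seq": 1, "vendor_no": "V001", "invoices": 12000, "discounts": 240, "credit_notes": 500, "payable": 11260},
    {"seq": 2, "vendor_no": "V002", "invoices": 8000, "discounts": 0, "credit_notes": 1000, "payable": 8000},
    {"seq": 3, "vendor_no": None, "invoices": 3000, "discounts": 0, "credit_notes": 0, "payable": 3000},
    {"seq": 4, "vendor_no": "V001", "invoices": 2000, "discounts": 40, "credit_notes": 0, "payable": 1960},
]}
# Constructed sample batch with records 2 and 3 missing from the file.
OUT_OF_ORDER = {"file_id": "AP-2024-07",
                "records": [JULY_RUN["records"][0], JULY_RUN["records"][3]]}

if __name__ == "__main__":
    ledger = {}
    posted, flagged = process_payment_run(JULY_RUN, "AP-2024-07", ledger)
    print(ledger, flagged)
    try:
        process_payment_run(OUT_OF_ORDER, "AP-2024-07", ledger)
    except ProcessingHalted as halt:
        print("halted:", halt, "ledger unchanged:", ledger)
```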

13.4.3.3 Output Controls


Output controls detect errors and correct them after the completion of transaction
processing and also ensure that the results of processing are not intercepted and corrupted.
The primary goal of output controls is to verify the application’s output and to prevent
unauthorised changes.

The principal output control for the detection and correction of errors is the review of the
final output by a knowledgeable expert for reasonableness. This review might be based on the
expert’s own estimations of acceptable results from the input data or the formal reconciliation
and review of the output data.

The safe keeping of results requires controls that keep the output data secure from
interception and/or corruption. Controls here can focus on hard-copy distribution of output
such as the supervised printing of reports, the secure disposal by shredding of waste printouts,
or the controlled distribution of output reports. Other controls might focus on electronic
distribution of output reports and results through authorised and authenticated users, as well
as the encryption of output data that are distributed.

13.4.3.4 Master File/Database Controls


Application data are stored in a master file or database. Strictly, the master file refers to the
main subjects of interest in the system rather than all the system data, and so the master file
is a subset of the database. The terms are often used interchangeably, however. Database
controls ensure the security, integrity, accountability, and recoverability of the database.

Security requires that an access control list be used in the viewing, updating, or deleting of
data. The access control list is a structured document that sets out those with management’s
authorisation to access the data and is implemented by the DBA. The database management
system (DBMS) itself also must have security features that reflect and support the access
control list, and administration of this access control list is, again, the province of the DBA. The
DBMS is a central software system that allows data records to be managed (created, replaced,
updated, and deleted) and provides applications with access to data.

The general principle of maintaining access control lists should be the rule of least access, which
is that users of a system should be granted access privileges on a need-to-know basis. This
principle is often breached, though, as over time users change roles and have new access
privileges granted without having previous privileges revoked. These breaches arise as the
managers with the authority to grant access privileges are frequently busy and often do not
exercise adequate care in revoking permissions or in initially assigning them. Users similarly
will likely not disclose that their system access is broader than required as it does not prevent
them from doing their new tasks. In contrast, users will likely request more access when they
are prevented from fulfilling their roles. Strong policies are required to avoid violations of the
rule of least access: policies that require managers to apply due diligence in assigning
permissions to roles, and that encourage users to report access that is no longer required.

Integrity requires that the database design be structured to store data without data loss.
Data loss might occur if a data design is unable to properly model the data required by the
system. For new databases, this means that the system development team should consult
the DBA about the data design and implementation of new systems to ensure data integrity.
For an established database, this means that the DBA should require proper authorisation,
documentation, testing, and review of database modifications before they are implemented.

Accountability requires that the DBMS record user access to the database and, in some
cases, the creation, reading, updating, or deletion of data in an audit log. The audit log records these
events by date, time, and named user. This approach ensures that an audit trail is available for
data changes and promotes personal accountability by end users. Reviews of this audit log and
consequent updates by the DBA are undertaken and documented. Such a review of the audit
log acts as a detective control for unauthorised changes.
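
The rule of least access and the review of the audit log can be tested together: first compare each user's granted privileges with what their current role needs, then check logged events against the access control list. The following Python code is an added example, not taken from the original text or from any DBMS; the role baselines, user names, table names, and log entries are all constructed for the illustration.

```python
# Constructed role baselines: the (table, action) privileges each role needs.
ROLE_BASELINE = {
    "accounts_payable": {("vendor_invoice", "read"), ("vendor_invoice", "update")},
    "procurement": {("purchase_order", "read"), ("purchase_order", "update"),
                    ("vendor_master", "read")},
    "payroll": {("payroll_master", "read"), ("payroll_master", "update")},
}

# Constructed access control list as implemented in the DBMS.
ACCESS_LIST = {
    # chan moved from payroll to accounts payable; the payroll grants were never revoked
    "chan": {"role": "accounts_payable", "previous_roles": ["payroll"],
             "grants": ROLE_BASELINE["accounts_payable"] | ROLE_BASELINE["payroll"]},
    "lee": {"role": "procurement", "previous_roles": [],
            "grants": set(ROLE_BASELINE["procurement"])},
    # wong holds one grant that no role held, past or present, accounts for
    "wong": {"role": "payroll", "previous_roles": [],
             "grants": ROLE_BASELINE["payroll"] | {("vendor_master", "update")}},
}

# Constructed audit log: date and time, named user, action, table.
AUDIT_LOG = [
    ("2024-07-01T09:12:03", "lee", "update", "purchase_order"),
    ("2024-07-01T09:40:11", "chan", "update", "payroll_master"),
    ("2024-07-01T10:02:45", "chan", "read", "vendor_invoice"),
    ("2024-07-01T23:58:30", "ho", "delete", "vendor_master"),
]


def excess_privileges(user):
    """Return {privilege: explanation} for every grant outside the user's current role."""
    account = ACCESS_LIST[user]
    findings = {}
    for privilege in sorted(account["grants"] - ROLE_BASELINE[account["role"]]):
        origin = next((role for role in account["previous_roles"]
                       if privilege in ROLE_BASELINE[role]), None)
        findings[privilege] = (f"left over from previous role {origin}" if origin
                               else "not explained by any role held")
    return findings


def review_audit_log(log):
    """Detective control: list logged events that the access control list does not support."""
    exceptions = []
    for timestamp, user, action, table in log:
        privilege = (table, action)
        account = ACCESS_LIST.get(user)
        if account is None or privilege not in account["grants"]:
            # The DBMS allowed something the list never authorised.
            exceptions.append((timestamp, user, "not on access control list"))
        elif privilege not in ROLE_BASELINE[account["role"]]:
            # Authorised on paper, but only because an old grant was not revoked.
            exceptions.append((timestamp, user, "granted but outside current role"))
    return exceptions


if __name__ == "__main__":
    for name in ACCESS_LIST:
        print(name, excess_privileges(name))
    for finding in review_audit_log(AUDIT_LOG):
        print(finding)
```

The second kind of exception is the one a review limited to "was the user authorised?" would miss, because the leftover grant makes the event look legitimate.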

Finally, recoverability requires that the DBA ensure the ongoing availability of the database.
The database should be regularly backed up and these backups should be securely stored
off-site. Key databases should be explicitly addressed in the backup plan.

Key Learning Point


Master file/database controls maintain the security, integrity, accountability, and
recoverability of the master file and database.

13.4.3.5 Documentation of Key Systems


Documentation is a written description of how the system works. There are different
approaches to documenting systems, but the key purpose is to communicate the systems’ key
features. The organisation’s existing documentation may be used as a basis, but the auditor
needs to document the internal controls of the system for the purpose of the audit.


Two approaches are usually adopted in documenting key systems. One is to describe the
system in narrative form and the other is to use a system flowchart.

A narrative description of the system simply documents the internal controls in writing,
although the narrative may also be presented as a table. The description identifies the
documents processed by the system, their source, how they are processed, and the final
location of the source documents when processing is finished. The narrative then sets out
the relevant internal controls in place that affect control risk. Exhibit 13.2 provides a possible
template to use in presenting a narrative description of an information system.

Information System: [Name of System]


| Ref. | Source document | Prep. by | Processing step | Source/destination | Risk | Internal controls |
|---|---|---|---|---|---|---|
| P1 | [Source Document] | Clerk | [Description] | Created | [Risk] | [Control] |
| | | AP | [Description] | | [Risk] | [Control] |
| | | PR | [Description] | L1 | [Risk] | [Control] |
| P2 | [Source Document] | Clerk | [Description] | L1 | [Risk] | [Control] |
| | | AP | [Description] | | [Risk] | [Control] |
| | | PR | [Description] | L2 | [Risk] | [Control] |

| Location | | Roles | |
|---|---|---|---|
| L1 | [File Location] | Clerk | Data Entry Clerk (All Departments) |
| L2 | [File Location] | AP | Accounts Payable |
| | | PR | Procurement |

EXHIBIT 13.2 A template for the narrative description of an information system and its internal
controls in a table format (note the cross-reference between Location and Roles)

The advantage of the narrative approach is its simplicity and flexibility. However, for
complex systems the narrative approach quickly becomes unwieldy and difficult for later
readers to understand.

The system flowchart is a more visual and condensed representation of the same
information. The flowchart is a graphical diagram that represents the system. As with the
narrative description, a system flowchart identifies the documents processed by the system,
their source, how they are processed, and the final location of the source documents after
processing. Again, the relevant internal controls are identified in the system flowchart.

In contrast with the narrative approach, the system flowchart represents the system
graphically using symbols to represent documents, controls, and the sequential steps that
occur in the flow. Several flowcharts may be constructed, with each flowchart representing the
steps of different processes or transactions through the system. Colour coding is often used to
indicate the controls in place on the system flowchart and the flowchart can be presented as a
process flowchart with swim lanes that indicate role responsibilities. A swimlane diagram divides
the flowchart into different lanes that are similar to the lanes of a swimming pool. Each lane
represents a different role or department and the indicated role or department is responsible for
addressing the activities located in its lane. The swim lane allows the reader to quickly identify the
responsibilities for each task and when information is handed over to other roles and/or systems.

In addition to documentation of the system, the documentation should provide information
as to the discussion among the engagement team and the significant decisions reached in
relation to the system of internal control. This includes documentation of the key elements of
the auditor’s understanding of the IT environment and the sources of information used to
obtain that understanding, the risk assessment procedures used, as well as the basis for the
evaluation of identified controls and whether they have been implemented (HKSA 315.38
(Revised 2019)).

Apply and Analyse 3


Kowloon City Technology Trader (KCTT) uses the commercial off-the-shelf software
PurchasePro to manage store inventory. PurchasePro is an inventory management system.
PurchasePro manages information relating to stock items, vendors, and purchase orders.

You have interviewed key staff and made the following observations about
PurchasePro in relation to its management of inventory for KCTT:

• For new vendors, PurchasePro requires vendor name, address, and banking details
to be entered into the system.
• For new items, PurchasePro requires the item name, its standard price, and stock
reorder points to be entered into the system. The Store Manager reviews all added
items each week and deletes items that have not been linked to an approved
vendor that can supply the item.

• The Stock Clerk, Store Manager, and General Manager can add vendors, but only
the General Manager can approve vendors. All three roles can create items and link
them to pre-approved vendors.

• PurchasePro manages all stock purchases for the store. For this process, when
stock reaches a previously assigned reorder point, the Stock Clerk raises a
purchase order in the system.

• PurchasePro requires that a purchase order can only order items already
registered in the system and only from approved suppliers of that item.

• A purchase order must identify a stock item, order a positive quantity of items
(it is not possible to order a negative quantity or order zero items), and an
approved supplier.

• Optionally, special instructions may be provided with the purchase order; these
instructions cannot exceed 255 characters. An expected delivery date must be
nominated.

• PurchasePro does not allow purchase orders to be back-dated or forward-dated;
they must be dated at the current date. Similarly, the delivery dates of purchase
orders must be no more than 30 days from the date of the purchase order.

• The Stock Clerk, Store Manager, and General Manager are able to create purchase
orders. The Stock Clerk can both create and approve orders up to HK$5,000,
but the Store Manager or the General Manager are required to approve orders
over HK$5,000. Only the General Manager can approve orders over HK$30,000.
The Store Manager and the General Manager can only approve orders that they
created when the order is under HK$5,000.

• Purchase orders without approval are deleted.

Required

(a) Prepare a short narrative description of the processes supported by PurchasePro.
In describing each process, identify the key application controls.

(b) Note that you are not required to evaluate the internal controls system.

Analysis

Although descriptions will vary, the focus of the description is on the processes and
application controls for the purpose of the audit.

PurchasePro supports inventory management. There are three key processes
supported by this system, including New Vendor Data Entry, New Item Data Entry, and
Purchase Order Data Entry.

New Vendor Data Entry has input controls (data completeness checks).

New Item Data Entry has input controls (data completeness checks). New items have
up to one week to be linked to a vendor before being deleted by the Store Manager
(processing control).

New purchase orders require that the stock levels be at or below the reorder point
before being able to be placed (input control) and items can only be ordered from pre-
approved vendors (input control). The purchase order identifies the stock item, must order
a positive number of items, and identifies delivery instructions (input control).

Orders require approval once entered or they will be rejected after 24 hours according
to the following rules.

• The Stock Clerk (SC), Store Manager (SM), and General Manager (GM) can create
orders of any value.

• The SC, SM, and GM can approve orders up to HK$5,000.

• The SM and GM can approve orders between HK$5,000 and HK$30,000.

• The GM can approve orders over HK$5,000 (application processing controls).

• Orders below HK$5,000 can be approved by their creator.

• Unapproved purchase orders are deleted.

Delivery dates must be within 30 days of the purchase order date.
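
An approval control of this kind can be written out as a rule set and tested at its boundaries. The following Python code is an added example, not part of the original case or of PurchasePro; it encodes the approval limits as listed in the interview observations, and it assumes one person per role (the user ids are constructed), that exactly HK$5,000 counts as "up to HK$5,000", and that the Stock Clerk's ability to "both create and approve" means self-approval.

```python
# Constructed staff list: (user id, role). One holder per role is an assumption.
STAFF = [("sc01", "SC"), ("sm01", "SM"), ("gm01", "GM")]

# Amounts (whole HK$) on each side of the HK$5,000 and HK$30,000 limits.
BOUNDARY_AMOUNTS = (4_999, 5_000, 5_001, 30_000, 30_001)


def role_limit_ok(amount, role):
    """Does the role's approval authority cover an order of this value?"""
    if amount > 30_000:
        return role == "GM"                 # only the General Manager above HK$30,000
    if amount > 5_000:
        return role in ("SM", "GM")         # Store Manager or General Manager above HK$5,000
    return role in ("SC", "SM", "GM")       # up to HK$5,000


def may_approve(amount, creator, approver):
    """creator and approver are (user id, role) tuples."""
    user, role = approver
    if not role_limit_ok(amount, role):
        return False
    if user != creator[0]:
        return True
    # Self-approval: the Stock Clerk up to HK$5,000; the managers only under HK$5,000.
    return amount <= 5_000 if role == "SC" else amount < 5_000


def eligible_approvers(amount, creator, staff=STAFF):
    return [user for user, role in staff if may_approve(amount, creator, (user, role))]


def orders_nobody_can_approve(staff=STAFF):
    """Boundary test of the rule set: which (creator, amount) pairs have no eligible approver?"""
    return [(creator[0], amount)
            for creator in staff
            for amount in BOUNDARY_AMOUNTS
            if not eligible_approvers(amount, creator, staff)]


if __name__ == "__main__":
    for creator in STAFF:
        for amount in BOUNDARY_AMOUNTS:
            print(creator[1], amount, eligible_approvers(amount, creator))
    print("no eligible approver:", orders_nobody_can_approve())
```

Under these assumptions an order over HK$30,000 created by the General Manager has no eligible approver and, since purchase orders without approval are deleted, could never be placed.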


13.4.4 Auditing Computerised Business Systems and Controls


HKSA 315 (Revised 2019) (paragraphs 25–26) requires the auditor to perform risk assessment
procedures to understand and evaluate the design and effectiveness of the entity’s:

• Information processing activities, including the IT environment.

• IT applications.

• IT general controls (ITGC).

• Control activities. Relevant control activities include those:

◦ That address the risk of material misstatement,

◦ Over journal entries, or

◦ That the auditor plans to test for effectiveness.

Control activities are considered relevant to the audit if omitting or misstating the
information provided by the IS to the Financial Reporting System (FRS) could influence decisions
of the users of the financial statements, i.e. if there is a risk of material misstatement in the
financial statements or in specific assertions. Some IT applications are not relevant to the
FRS and can be ignored by the auditor (e.g. operational applications like work scheduling or
quality management). The relevance of an IT application to the FRS is a matter of the auditor’s
professional judgment.

Illustrative Example 17

Relevant IT systems

Many IT applications are relevant to the financial statements. Some are obvious – the
Sales system, which records all sales and is critical to the Revenue in the Statement of
Profit or Loss, and the Inventory system, which is critical to the balance sheet and to the
Cost of Goods Sold. Other IT applications may not have a direct impact on the financial
statements, but nevertheless are important to the financial reporting system due to their
impact on other more obvious systems.

For example, the payroll processing system is focussed on the payroll journal where
details of payroll payments are recorded, but the personnel cycle involves numerous
other systems that may affect the auditor’s risk assessment. These include the personnel
records, pay rates, time records, labour distribution, earnings records and payroll tax
returns. The auditor should understand the structure of the payroll system and determine
those components that may lead to a misstatement. Due to the immense variety of
systems in operation, this is a matter of professional judgment.

ITGC should be evaluated if any IT application is considered relevant to the FRS.
Because almost all entities use one or more IT applications in their FRS (usually an
accounting application), ITGC are likely to be relevant to the audit. Again, relevance is a
matter of professional judgment. Where ITGC are not effective, the IT environment as
a whole is probably unreliable, and the controls of all applications embedded in the IT
environment cannot be considered effective.

Where an auditor develops an understanding of the entity’s internal control system
and judges it to be ineffective, the auditor would develop an audit plan based primarily on
substantive testing.


13.4.4.1 Audit Procedures for Testing Computerised Business Systems and Associated Controls of the Business Processes of an Entity

The auditor gathers the information and evidence needed to inform and support their
professional opinion regarding the risk of material misstatement in the financial reports. This
evidence-gathering is done according to an audit strategy and plan that sets out the nature and
timing of audit procedures (HKSA 300.9).

The auditor develops these audit procedures by first developing an understanding of the IT
environment and then planning the controls testing and substantive testing in accordance with
the auditor’s assessment of the audit risk. The IT audit procedures are then designed in the
light of that assessment.

Initially, the auditor seeks to understand the IT environment by reviewing the organisation’s
controls. These controls include the technologies, processes, and structures in place. This
review is undertaken by the auditor making inquiries of the client regarding IT department
structure, function, and environment. The auditor also reviews the design of the ITGC and
application controls as relevant to the audit. Together, these two reviews address the auditor’s
first duty to obtain an understanding of the IT environment in the context of the financial
reports to be audited.

The extent to which the auditor evaluates the internal controls is a matter of professional
judgement. Such judgement is applied during the auditor’s risk assessment procedures to identify
the risks of material misstatement and their significance, and its exercise requires that the auditor
identify those controls that mitigate the risk (including, where IT is used, controls that address
any risks of material misstatement arising from that use). It is apparent that the audit of entities of
any relative size, riskiness, or complexity usually requires the auditor to obtain an understanding
of the system of internal control and the IT environment. Accordingly, the expectation is that the
auditor will obtain an understanding of the IT control environment (general and IT application
controls) in most audits, at least to a level that is sufficient to plan the audit.

In practice, the auditor obtains an understanding of the ITGC in place unless there are
factors that indicate some ITGC are not relevant to the audit. It is likely, though, that an auditor
will not obtain an understanding of all application controls. Many systems are not material, or
there are compensating controls in place that mean the application controls are not relevant
to the audit. For example, an output control where the output is reviewed by a knowledgeable
expert for reasonableness might compensate or address weak input controls or processing
controls. The controls are assessed holistically.

In that context, the auditor plans their tests of controls and substantive testing according
to their judgement. This planning is informed by the auditor’s assessment of audit risk, which is
made by the auditor addressing the requirement to assess the risks that arise from the use of
IT. Audit risk affects the nature of audit procedures and thus the extent and type of audit work
the auditor performs.

As discussed previously, audit risk is a function of the inherent risk of the client, control risk,
and detection risk. The auditor’s assessment of audit risk informs the audit approach adopted.
The work of the auditor cannot affect the client’s inherent risk or control risk, but the auditor can
undertake work to better understand the control risk. The auditor can also undertake substantive
testing to detect errors, and so the auditor’s own work directly affects the detection risk.


The auditor can use audit procedures to better understand the control risk and evaluate
whether the control risk is low. This work is controls testing. If the control risk is low (that is,
internal controls are effective in preventing, detecting, and correcting errors), the auditor can
place more reliance upon the entity’s internal controls. If the auditor’s reliance on internal
controls is high, the auditor can reduce their own work to detect errors through substantive
testing, as fewer errors exist to be detected.

Controls testing assesses the effectiveness of the design and operation of the entity’s ITGC
and, for areas of significant risk of material misstatement, IT application controls. Substantive
testing is where the auditor seeks to objectively determine whether the entity’s financial
statements are materially misstated. Such tests do not rely on the effectiveness of controls.
Substantive tests represent the auditor’s work in detecting errors not prevented, detected, or
corrected by the controls.

Controls testing is generally less labour-intensive, less time-consuming, and less expensive
to perform than substantive testing, and detection risk depends on the effectiveness of the
controls that exist. For this reason, the auditor usually conducts controls testing to establish
the extent of reliance on internal controls before undertaking substantive testing. However, in
practice some substantive testing may be undertaken at the same time as controls testing in
some instances.

The planned mix of controls testing and substantive testing is a matter of professional
judgement. Generally, substantive testing will be preferred where controls testing is more
expensive than substantive testing (such as with small or simple audit entities) or where the
controls in place are ineffective in design and/or operation (that is, where the control risk is
high). It is very likely that the audit procedures will consist of a mix of both controls testing and
substantive testing. In large, diverse, and complex audit entities with many material systems,
controls testing will likely be more prominent in the audit procedures.

Controls testing is undertaken through inquiry of entity personnel, examination of
documents and reports, manuals, observation, or re-performing the procedures that are part
of a control (such as a process walkthrough with real or test data). HKSA 315 (Revised 2019)
A177 states that inquiry alone is not sufficient for obtaining evidence about the design and
implementation of identified controls.

Having documented the ITGC in planning the audit, the auditor then evaluates the design
effectiveness of the ITGC. If the design of a general control is ineffective, then the control cannot
be operationally effective and no further evaluation is required. If, however, the general control
is effectively designed, then the operational effectiveness of the general control is evaluated.

If the ITGC, taken as a whole, are effectively designed and operate properly, the auditor
may then evaluate the design and operational effectiveness of the IT application controls in
systems where the risk of material misstatement at the assertion level is significant. Here, the
auditor evaluates input, processing, output, and master file/database controls.

If the design of the application controls as a whole is effective and they operate properly,
then the audit approach may have a high reliance on the internal controls system. In such a
circumstance the substantive testing needed is lessened according to the auditor’s judgement.

The substantive tests to be undertaken include substantive tests of transactions, analytical
procedures, and tests of details of balances. Substantive tests can include physical examination,
confirmation, inspection, client inquiries, re-performance, analytical procedures, or recalculation.


In an audit with a high reliance on controls, substantive testing will be less than if the
reliance on controls was low.

HKSA 315 (Revised 2019) notes that in some circumstances the nature of the risk of material
misstatement is such that the only way to obtain sufficient appropriate audit evidence is to test
the operating effectiveness of internal control. This is the case, for example, in entities where
routine business transactions are subject to highly automated processing and much of the financial
information is initiated, recorded, processed and reported only in electronic form. Such entities,
for example banks, airlines and telecommunications entities, have a high level of integration
across IT applications.

Applying HKSA 315 (Revised 2019) in combination with HKSA 330 The Auditor’s Response
to Assessed Risks, the auditor is required to identify such risks. In these cases, audit evidence
is generally only available in electronic form and its sufficiency and appropriateness depend
on the effectiveness of internal controls to ensure its accuracy and completeness. The auditor
assesses such risks in designing and performing audit procedures. Where substantive procedures
alone cannot provide sufficient appropriate audit evidence in relation to the risk of material
misstatement at the assertion level, the auditor is required to design and perform tests of controls.

Overall, the auditor evaluates the results of controls testing and substantive testing
to assess the risk of material misstatement in the financial reports arising from the IT
environment. This assessment is reflected in evaluating the evidence to form the conclusion
expressed in the final audit report.

13.4.4.2 Evaluating the Effectiveness of Computerised Business Systems and Controls


The audit’s control risk is evaluated by controls testing. The auditor’s evaluation of control risk
determines the audit’s reliance on the system of internal controls, which in turn determines the
level and nature of substantive testing needed in the audit. The level of substantive testing in
turn directly affects the detection risk. Together, controls testing and substantive testing affect
the auditor’s assessment of the audit risk.

Controls testing includes client inquiry, examination of documents, observation of the work
being undertaken, or re-performing the procedures that are part of a control (such as a process
walkthrough with real or test data). These tests are increasingly rigorous, and so re-performing a
control is more rigorous than client inquiry, and a process walkthrough is more rigorous again.

In the initial stages of the audit, the auditor reviews the general and application controls
in place that are relevant to the audit. This review seeks to identify the controls that exist
and is often made on the basis of a client inquiry. The auditor then evaluates the design and
operation of the general and then the application controls according to the audit strategy. This
evaluation informs the auditor’s assessment of control risk and this assessment determines
the degree of reliance on internal controls in the audit. The supporting evidence for the
assessment, and the assessment itself, is documented as part of the audit.

The auditor’s assessment of the effectiveness of the internal controls system considers the
system as a whole. Consequently, although some internal controls may be ineffective, other
controls may compensate for this deficiency. The auditor considers the effectiveness of the
internal controls system in total in assessing the overall control risk.

Substantive testing is an important part of evaluating the effectiveness of computerised
business systems and controls. Substantive testing will be high where the degree of reliance on
internal controls in the audit is low and low where the reliance is high.


The nature and extent of the testing undertaken in an audit will vary between
engagements. The discussion that follows considers the testing of ITGC, application controls,
and substantive testing. Audit procedures that the auditor can adopt in evaluating the
effectiveness of computerised business systems and controls are suggested. It is likely that few
audits would use every audit procedure that follows. All tests that are performed should be
documented and assessed by the auditor.

IT General Controls (ITGC)


ITGC ensure that the IT environment maintains data integrity, security and confidentiality.
There are six key ITGC that the auditor may test. The extent of such testing depends on the
auditor’s evaluation of the control risk of the internal controls system as a whole.

Administration of Function

Overall, in both complex and less-complex environments, the level of importance assigned to
the administration of the IT function at the audited entity is critical. If the administration of the
IT function is delegated to low-level employees or external consultants, the implication is that IT
may not have a high priority.

If the organisation does not give a high priority to the IT function, the IT area will likely be
understaffed and underfunded, with the result that it is poorly controlled. The administration of
the function, and hence the general control, will likely also be poor and ineffective.

Audit procedures: The auditor should

• Examine work records and organisation charts to evaluate the quality of the
administrative function.

Segregation of Duties

Segregation of duties requires that the duties of authorising and recording transactions are
kept separate from each other, as well as from the custody of those assets. Incompatible
functions are kept separate. Segregation of duties is a relevant consideration in any business
process supported by IT as relevant to the control.

Segregation of duties also applies to the IT function. If segregation of IT duties is not
maintained, the IT assets are more easily stolen and/or errors may arise in record keeping.
Segregation of duties can be a very effective control as it requires collusion between two or
more people for assets to be stolen and such collusion is riskier and likely to be discovered.
However, IS tend to automate and combine many activities into a single role.

Two indicators of ineffective segregation of IT duties are that the IT function is often shared
and the records of system changes are inadequate or non-existent. Ineffective segregation
provides opportunities for the theft of the entity’s assets. It is also likely that data can be
changed and consequently the reliability of the general control environment may be poor. In
such cases the auditor must assess whether compensating controls exist to allow the audit to
rely on this aspect of the ITGC environment.

The IT management, systems development, operations, maintenance and DBA roles are
especially important.

Senior IT managers should provide oversight and strategic direction to the IT function.
Security administrators should monitor access to IT resources and undertake investigations in
cases of suspected security breaches.


In the systems development team, the auditor is concerned that the duties of requirements
analysis, change authorisation, software development, software review and systems
implementation are kept separate from each other, and particularly from the IT operations
and maintenance team. Formal authorisation should be provided for changes made to the
programs. Systems developers should not work with operational data.

The IT operations and maintenance team should operate at the direction of the IT
management, but according to a recorded and scheduled programme of work, such as that
provided by the IT helpdesk and support software. The implementation of new software and
updates to existing software should be undertaken by the role of the librarian. The librarian
should be located within the IT operations and maintenance team rather than the systems
development team to reduce opportunities for collusion.

The DBA role requires full administrative access to all the entity’s data. To discourage
collusion with other areas of the IT function, such as operations and maintenance and systems
development, the DBA role should have independent personnel who ensure the data quality of
the entity’s data.

The organisation chart, position descriptions and departmental structures should
document how incompatible IT duties are kept separate at the audited entity. Policy and
procedure documents are another prospective source of evidence.

Audit Procedures: The auditor should

• Review records of system changes to ensure their existence and adequacy.

• Make enquiries and view documents, including the organisation chart, position
descriptions and program development policies, to understand how incompatible
duties are kept separate.

◦ Key roles for segregation include:

■ IT Management,

■ Systems development,

■ Operations,

■ Maintenance,

■ Database administrator, and

■ Users with responsibility for processing financial transactions.

◦ Software developers should not work with operational data.

• New software or updates should be implemented by the operations team.

System Development

The decision to purchase COTS solutions or to develop software in-house should be made in
consultation with IT and non-IT staff and considering the strengths and weaknesses of these
approaches in meeting the entity’s needs.

Overall, if the general control over systems development is poor in ensuring that changes
to systems are adequately documented and authorised, then the ITGC in place can be
compromised. The auditor must evaluate whether the controls are effective in ensuring that
only authorised changes to software are implemented.


Traditional systems development approaches emphasise formal stages and documentation
of the project. This documentation provides considerable evidence to the auditor in evaluating
the control over systems development.

In contrast, it can be difficult for agile system development approaches to meet the needs
of the ITGC environment. Unlike the formal approaches, a key challenge for agile system
development approaches is ensuring that the documentation of the changes made to the software
is to a sufficient standard, that system changes are properly authorised and that the
implementation of the operational system is by a team that is separate to the development team.

One way to address this concern is for the agile development project to include an IT
auditor (usually, as part of the internal audit team) in the project. This approach can meet the
auditor’s needs for the documentation of system changes, testing results, authorisation of
changes and independence without unduly restricting the efficiency and effectiveness of the
overall project.

Relevant documents that the auditor may review are policy and procedure documents that
set out the development methodology for a new IS. These procedure documents should set out
the manner of consultation with system stakeholders in such projects and the responsibilities
and accountabilities in the project team. Documentation that records the system change, the
results of testing, the authorisation of changes and, particularly, that the implementation of the
change in live software is by the librarian rather than the system development team is also an
important source of evidence for this general control.

Audit Procedures: The auditor should

• Enquire about the segregation of duties within the system development team:

◦ Requirements analysis (including users, feedback from Helpdesks and user queries,
and error log),

◦ Change authorisation,

◦ Software development,

◦ Software review,

◦ Data conversion,

◦ IT (internal) audit,

◦ Systems implementation (by operations),

◦ Documentation (by IT audit or operations function).

• Review evidence of formal authorisation for changes.

• Review documentation of the system development process for accuracy and
completeness.

Physical and Online Security

Physical controls include locks, fire prevention systems and air conditioning systems. Online
security controls include usernames, passwords and access restrictions.

A growing online threat is the cyber-attack, including ransomware viruses. Ransomware
encrypts the data of infected networks and the victim must pay a ‘ransom’ for the
encryption key.


Controls that mitigate the risk of a cyber-attack include:

• Updates and patching of application and operating systems.

• Multi-factor authentication.

• Daily off-line backups.

• Prevention of the use of tools like Java.

• Disabling of unneeded features of software.

If the physical and online security policies are inadequate then the ITGC environment is
compromised. These security policies must be documented to be effective. Further, the entity
should have processes to verify that these policies are followed and the auditor should assess
these physical controls. Over time, it is common for the entity to grow lax in following the
policies and many cyber-attacks succeed through complacency.

Audit procedures: The auditor should

• Review documentation of physical security.

• Test physical controls.

• Review documentation of cyber-security policies including those regarding updates, access,
backups, contingency plans.

◦ Review documentation to ensure that program updates are current.

◦ Observe the daily backup procedures.

◦ Enquire about contingency plan roles.

Backup and Contingency Planning

Backup and contingency plans should be regularly tested and updated. The backups should be
tested regularly according to the backup plan. These plans require regular updates as the IT
environment continually changes.

The auditor is concerned that backup and contingency planning is documented in the
entity’s policy and procedures. As with physical and online security controls, the backup
and contingency plans need to be documented by the entity as policies. The policy should
document how, when and where the backups are executed and stored and contingency plans
should identify the roles responsible for the incident response actions and communication to
be made in the event of disaster.

Backup and contingency plans should be documented and available for review. The auditor
can observe the backup process or review an audit trail to confirm that backups are carried out.
Tests of the contingency plan should also be documented and available for review. Contingency
plans can also be evaluated through process walkthroughs.

Audit procedures: The auditor should

• Review backup and contingency plans and enquire about their currency.

◦ Backup plans should record how and when backups are executed and where they
are stored.

• Observe backup procedures.


• Review contingency plans.

◦ Plans should identify those responsible for incident response and relevant
communications.

◦ Make enquiries to ensure personnel understand their role in contingency plans.

Hardware Controls

Hardware controls are often embedded in the technologies that support the IT environment
when the hardware is manufactured. These controls may monitor and report
on hardware failures that occur or they may be controls that enable the device to operate.

In most cases, the financial auditor is less concerned with the nature of hardware controls
than with the entity’s response to incidents and problems identified by hardware controls.
Documented policies and procedures that identify how the entity responds to critical hardware
controls should be available for examination by the auditor, along with logs or documentation
relating to any such incidents that have occurred.

Application Controls

Application controls relate to the processing of information and controls that address the integrity
of information; that is, the completeness, validity, and accuracy of data in a single system. There are
four key types of application controls that the auditor may test. The extent of such testing depends
on the auditor’s understanding of the components of the entity’s system of internal control
identified in Sections 13.1 and 13.4.2.

Review controls are controls whereby management reviews and uses their judgment to
detect and correct controls that are not working as intended. Application controls are not
commonly considered as forms of review controls, as there is no judgment by management
required. Furthermore, the term does not appear in the ISACA IT assurance guide.

Input Controls
Input controls ensure that the data entered into the system are complete, accurate, and
authorised. In addition to observing non-IS controls, such as using only qualified staff to enter
data, the auditor may test field-level input controls and record-level controls.

In testing input controls, the auditor might observe the data entry process and document
the process in detail or perhaps re-perform the data entry procedures (and thus test the
control), using test data to ensure that the field level and record level controls are effective.
For example, the auditor might process a test invoice with deliberate errors introduced at data
entry to evaluate whether the control is effective at capturing these errors.

These tests can also be applied to transactions that occurred during the period under
review. For example, the auditor may use computer-assisted audit techniques (CAATs) to
inspect the records of existing transactions for compliance with the identified input controls.
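A CAAT of the kind described above can be sketched in Python. The following is an added example, not part of the module text: it inspects purchase order records against the PurchasePro input and approval rules set out in the earlier analysis. The record layout, the exception codes, the inclusive reading of "up to" and the rejection of delivery dates earlier than the order date are assumptions of this example, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Approval ceilings in HK$ by role, as read from the PurchasePro rules (None = no ceiling).
# Treating "up to" as inclusive is an assumption of this example.
APPROVAL_LIMIT = {"SC": 5_000, "SM": 30_000, "GM": None}
SELF_APPROVAL_BELOW = 5_000   # a creator may approve only orders below this value
MAX_DELIVERY_DAYS = 30        # delivery date must be within 30 days of the order date


@dataclass(frozen=True)
class PurchaseOrder:               # hypothetical extract layout
    po_id: str
    vendor_id: str
    quantity: int
    value_hkd: float
    stock_on_hand: int             # stock level when the order was placed
    reorder_point: int
    delivery_instructions: str
    order_date: date
    delivery_date: date
    created_by: str
    approved_by: Optional[str]     # None = no approval recorded
    approver_role: Optional[str]   # "SC", "SM" or "GM"


def exceptions_for(po, approved_vendors):
    """Return the control exceptions found on one purchase order record."""
    found = []
    if po.vendor_id not in approved_vendors:
        found.append("VENDOR_NOT_PREAPPROVED")
    if po.quantity <= 0:
        found.append("NON_POSITIVE_QUANTITY")
    if po.stock_on_hand > po.reorder_point:
        found.append("STOCK_ABOVE_REORDER_POINT")
    if not po.delivery_instructions.strip():
        found.append("NO_DELIVERY_INSTRUCTIONS")
    lead_days = (po.delivery_date - po.order_date).days
    if not 0 <= lead_days <= MAX_DELIVERY_DAYS:
        found.append("DELIVERY_DATE_OUT_OF_RANGE")
    if po.approved_by is None:
        # Unapproved orders should have been deleted, so one left on file is an exception.
        found.append("UNAPPROVED_ORDER_ON_FILE")
        return found
    if po.approver_role not in APPROVAL_LIMIT:
        found.append("UNKNOWN_APPROVER_ROLE")
    else:
        limit = APPROVAL_LIMIT[po.approver_role]
        if limit is not None and po.value_hkd > limit:
            found.append("APPROVER_OVER_LIMIT")
    if po.approved_by == po.created_by and po.value_hkd >= SELF_APPROVAL_BELOW:
        found.append("SELF_APPROVAL_AT_OR_ABOVE_THRESHOLD")
    return found


def run_caat(orders, approved_vendors):
    """Map po_id -> exceptions for every order that breaches at least one rule."""
    report = {}
    for po in orders:
        found = exceptions_for(po, approved_vendors)
        if found:
            report[po.po_id] = found
    return report


# Constructed sample data, not taken from the module.
APPROVED_VENDORS = {"V001", "V002"}
D = date(2022, 3, 1)
SAMPLE_ORDERS = [
    PurchaseOrder("PO-1001", "V001", 40, 4_200, 5, 10, "Dock 2", D, date(2022, 3, 10), "clerk1", "mgr1", "SM"),
    PurchaseOrder("PO-1002", "V002", 100, 12_000, 3, 8, "Rear gate", D, date(2022, 3, 20), "gm1", "gm1", "GM"),
    PurchaseOrder("PO-1003", "V001", 60, 8_000, 2, 10, "Dock 1", D, date(2022, 3, 15), "clerk1", "clerk2", "SC"),
    PurchaseOrder("PO-1004", "V999", 0, 1_500, 4, 6, "Dock 2", D, date(2022, 4, 15), "clerk1", "mgr1", "SM"),
    PurchaseOrder("PO-1005", "V002", 10, 4_999, 1, 5, "Dock 1", D, date(2022, 3, 31), "mgr1", "mgr1", "SM"),
    PurchaseOrder("PO-1006", "V001", 20, 2_500, 12, 10, "  ", D, date(2022, 3, 5), "clerk2", None, None),
]

if __name__ == "__main__":
    for po_id, found in run_caat(SAMPLE_ORDERS, APPROVED_VENDORS).items():
        print(po_id, ", ".join(found))
```

Each exception is a record that the application should have rejected, so it is evidence about the operation of the control and a candidate for follow-up with the client.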

Processing Controls
Processing controls prevent, detect, and correct errors during the processing of transactional
input data. The auditor may test that the correct data are processed in the correct order or
validate the results of processing.


In testing processing controls, the auditor may observe the processing of data to test whether
label checks or sequence tests are effective. The auditor can re-perform the process with test data
to confirm that label checks and sequence tests occur. Any re-performance of data entry of course
requires the ability to roll back any data entered before processing into the operational database.

The auditor may also observe the processing of data to check the operation of reasonableness
tests, arithmetic accuracy, or completeness. Re-performance of data entry processing can be
performed with test data that violates the rules of reasonableness and completeness to confirm
that these rules are followed. The auditor also uses the re-performance of data entry to confirm the
arithmetic accuracy of the system’s processing with data intentionally selected to test the accuracy
of the system (for example, using large numbers outside of the normal range). The system should
halt processing for data that is unreasonable, incomplete, or produces inaccurate results.

These tests can also be applied to transactions that occurred during the period under
review. For example, the auditor might use CAATs to query the records of existing transactions
to confirm that label checks and sequence controls ensured that data were processed in the
correct order, or apply the reasonableness checks, arithmetic accuracy checks, or completeness
checks to existing transactions. Such tests are inspections of the controls.

Output Controls
Output controls detect errors and correct them after the completion of transaction processing
and also ensure that the results of processing are not intercepted and corrupted. The auditor
may test the effectiveness of reviewing the final output by an expert and the secure distribution
of the application’s output.

In testing output controls, the auditor would observe the review of the output by an
expert and/or re-perform the data entry process and evaluate the effectiveness of this review.
In evaluating this control, the auditor would ascertain the qualifications of the expert.

The observation or re-performance of the process can extend to tracing the distribution,
storage, and destruction (for example, by secure shredding) of the output from the system
and evaluating the control’s effectiveness in keeping the output secure. Controls might include
supervised printing, secure shredding, or controlled distribution of hard copy output reports.
Electronically, the auditor could consider access by authorised and authenticated users, and the
effectiveness of encryption when output reports are distributed electronically.

These tests can also be applied to transactions that occurred during the period under
review. For example, the auditor might use CAATs to inspect the audit log for transactions
to confirm that label checks and sequence controls ensured that data were processed in the
correct order or apply the reasonableness checks, arithmetic accuracy checks, or completeness
checks to existing transactions. Such tests are inspections of the controls.

Master File/Database Controls


Database controls ensure the security, integrity, accountability, and recoverability of the
database. The auditor may test the effectiveness of database controls by evaluating access
control and security, database creation and modification processes as part of systems
development, audit log creation and review, and database backups.

In testing database controls, the auditor can review the policy or management documents
that authorise users’ access to the database, and observe the different levels of access available
to end users. The auditor examines and compares the authorisation of access set out in
documents with that provided by the access control lists.

The auditor can observe the process of requests for database modification for new systems
or existing systems. In particular, the auditor is looking for evidence that the DBA authorises,
documents, tests, and reviews database modifications as part of the process.

Similarly, the auditor can observe the control in action by observing the creation of the
audit log and the DBA’s review.

Finally, the auditor can review the backup and contingency plans and observe the backup
process to confirm that the documented process is followed. The backup process can consider
the location and security of the backup data. As part of this controls test, the auditor may test
the DBA’s ability to restore data as needed.

These tests can also be applied to transactions that occurred during the period under review.
For example, the auditor might use CAATs to inspect the audit log for completeness or the access
control list for variations from the authorisations set out in policy or management documents.
This approach can be extended to the other database controls that record transactions. For
example, an electronic log (such as a helpdesk system) might be kept that records the steps in
implementing database modifications. Such tests are inspections of the controls.
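
The three CAAT inspections described above (access control list against authorisations, audit log completeness, and database modifications against the helpdesk record) can be sketched as follows. This is an added example, not taken from the learning pack; the user names, access levels, ticket identifiers and log rows are constructed sample data and assumptions.

```python
"""CAAT-style inspection of database controls (constructed sample data)."""

# Access levels ordered from least to most privileged (assumed scheme).
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Constructed sample: access authorised in policy/management documents.
AUTHORISED = {"sales_clerk": "read", "store_mgr": "write", "dba": "admin"}

# Constructed sample: access actually configured in the access control list.
ACL = {"sales_clerk": "write", "store_mgr": "write", "dba": "admin", "temp01": "read"}

# Constructed sample: audit log rows (sequence no., user, action, change ticket).
AUDIT_LOG = [
    (1001, "dba", "ALTER TABLE", "CHG-1"),
    (1002, "store_mgr", "UPDATE", None),
    (1004, "dba", "ALTER TABLE", "CHG-2"),
    (1005, "dba", "DROP INDEX", None),
    (1005, "sales_clerk", "SELECT", None),
]

# Constructed sample: helpdesk record of the steps completed for each change.
CHANGE_TICKETS = {
    "CHG-1": {"authorised", "documented", "tested", "reviewed"},
    "CHG-2": {"authorised", "documented"},
}
REQUIRED_STEPS = {"authorised", "documented", "tested", "reviewed"}
SCHEMA_ACTIONS = ("ALTER", "DROP", "CREATE")


def acl_variances(authorised, acl):
    """Users whose configured access exceeds what the documents authorise."""
    findings = []
    for user, granted in sorted(acl.items()):
        allowed = authorised.get(user, "none")  # no document means no access
        if LEVELS[granted] > LEVELS[allowed]:
            findings.append((user, allowed, granted))
    return findings


def log_completeness(log):
    """Return (missing, duplicated) sequence numbers in the audit log."""
    seqs = [row[0] for row in log]
    expected = set(range(min(seqs), max(seqs) + 1))
    missing = sorted(expected - set(seqs))
    duplicated = sorted({s for s in seqs if seqs.count(s) > 1})
    return missing, duplicated


def unsupported_modifications(log, tickets):
    """Database modifications with no ticket, or a ticket lacking a required step."""
    findings = []
    for seq, _user, action, ticket in log:
        if not action.startswith(SCHEMA_ACTIONS):
            continue  # only structural changes need the DBA change process
        missing_steps = sorted(REQUIRED_STEPS - tickets.get(ticket, set()))
        if missing_steps:
            findings.append((seq, action, ticket, missing_steps))
    return findings


if __name__ == "__main__":
    print("ACL variances:", acl_variances(AUTHORISED, ACL))
    print("Log gaps/duplicates:", log_completeness(AUDIT_LOG))
    print("Unsupported changes:", unsupported_modifications(AUDIT_LOG, CHANGE_TICKETS))
```

Each finding is an exception for the auditor to follow up with the DBA, not a conclusion in itself.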

Illustrative Example 18

Application IT Controls

Tak Wai is reviewing application controls within the CWaves Maintenance Company.
Although she is concerned about the ITGC of some entities within the group, the CWaves
Maintenance Company has generally good controls in place. Tak Wai is reviewing the
CWaves Maintenance systems for their application controls.

Tak Wai documents a control at CWaves Maintenance that ensures only qualified staff
enter data about customer bookings. This control is an input control. Another input control
is the preparation of clear supporting source documents for authorisation by management.

Tak Wai also notes a reasonableness check in the payroll system. This check rejects an
employee record indicating an age of 25 with 30 years of work experience or a janitorial
role that has the salary of a CEO. As this control compares one data field (for example,
salary) with another data field (for example, position), this is a record level check.

However, some checks cannot be made until processing commences. These are processing
controls. For example, Tak Wai notes a processing control in CWaves Maintenance’s payroll
system that checks if a storeman working in multiple departments exceeds the allowable
working hours in a week when the employee submits multiple timesheets for processing.
Each timesheet seems valid on its own, but taken together they are unreasonable. At CWaves
Maintenance, this control alerts the data entry operator that the entry is unreasonable, but the
data entry operator can proceed if they confirm the data as correct.

Tak Wai notes another processing control in which the file label is verified to confirm
that the file is indeed the file required by the program for uploading a maintenance
schedule provided by a property manager. This check would prevent the loading of a
duplicate maintenance schedule. Similarly, another processing control checks that the
maintenance schedule is ordered by the date the maintenance was requested before
processing the file. This allows the system to ensure that maintenance work is carried out
for those properties that have been waiting longest in the queue.

Finally, Tak Wai notes that a supervisor reviews the system reports of work orders
under way each as a check that the system’s records are accurate. This output control
captures errors and data corruption upon processing.

Overall, Tak Wai is reasonably satisfied that the application controls in place at CWaves
Maintenance are adequate. She documents these controls in the audit working papers.
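
The record level check and the three processing controls in Illustrative Example 18 can be expressed as the following checks. This is an added example, not CWaves Maintenance's or the learning pack's own code; the field names, salary bands, minimum working age, weekly hours limit and sample records are constructed assumptions.

```python
"""Application controls from Illustrative Example 18 (constructed data)."""
from collections import defaultdict
from datetime import date

MIN_WORKING_AGE = 15      # assumption for the age/experience comparison
MAX_WEEKLY_HOURS = 48     # assumption for the allowable weekly hours
SALARY_BANDS = {"janitor": (10_000, 25_000), "ceo": (150_000, 400_000)}  # constructed

# Constructed sample inputs.
PAYROLL = [
    {"id": "E1", "age": 25, "experience_years": 30, "position": "janitor", "salary": 18_000},
    {"id": "E2", "age": 41, "experience_years": 12, "position": "janitor", "salary": 300_000},
    {"id": "E3", "age": 52, "experience_years": 25, "position": "ceo", "salary": 300_000},
]
TIMESHEETS = [("S7", "stores", 30), ("S7", "workshop", 25), ("S8", "stores", 40)]
SCHEDULE = [
    {"property": "P1", "requested": date(2022, 3, 1)},
    {"property": "P2", "requested": date(2022, 3, 4)},
    {"property": "P3", "requested": date(2022, 3, 2)},
]


def record_level_check(rec):
    """Input control: compare one field of a record with another field."""
    errors = []
    if rec["experience_years"] > rec["age"] - MIN_WORKING_AGE:
        errors.append("experience inconsistent with age")
    low, high = SALARY_BANDS[rec["position"]]
    if not low <= rec["salary"] <= high:
        errors.append("salary outside band for position")
    return errors


def weekly_hours_check(timesheets, confirmed=frozenset()):
    """Processing control: total hours per employee across all departments.

    Returns (blocked, overridden). The operator may confirm an alert, as in
    the example; confirmed totals are returned separately so the overrides
    can be reviewed afterwards (that review is an assumption of this sketch).
    """
    totals = defaultdict(float)
    for emp, _dept, hours in timesheets:
        totals[emp] += hours
    over = {e: h for e, h in totals.items() if h > MAX_WEEKLY_HOURS}
    blocked = {e: h for e, h in over.items() if e not in confirmed}
    overridden = {e: h for e, h in over.items() if e in confirmed}
    return blocked, overridden


def file_label_check(label, expected_type, loaded_labels):
    """Processing control: correct file for the program, and not loaded before."""
    if label["type"] != expected_type:
        return "wrong file type"
    key = (label["property_manager"], label["period"])
    if key in loaded_labels:
        return "duplicate schedule"
    loaded_labels.add(key)
    return "ok"


def sequence_check(schedule):
    """Processing control: positions where the requested-date order is broken."""
    return [i for i in range(1, len(schedule))
            if schedule[i]["requested"] < schedule[i - 1]["requested"]]


if __name__ == "__main__":
    for rec in PAYROLL:
        print(rec["id"], record_level_check(rec))
    print(weekly_hours_check(TIMESHEETS))
    print(sequence_check(SCHEDULE))
```

Each timesheet for employee S7 passes on its own; only the aggregated total triggers the alert, which is why the check has to run at processing time.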

Substantive Testing
Substantive tests include substantive tests of transactions, analytical procedures, and tests
of details of balances. Substantive tests can also include physical examination, confirmation,
inspection, client inquiries, re-performance, analytical procedures, or recalculation.

[HKSA 315.A129 (Revised 2019)]
Substantive tests of transactions test for monetary misstatements – that is, they test for
errors in the financial reports directly. These tests directly examine the assertions made by
management in the financial statement in the context of the entity’s transactions. These
assertions are considered by the auditor and tested before the auditor can conclude that the
transactions in the financial reports are fairly stated. These transaction-related assertions include:

• Occurrence: the equities in the statement of financial position exist and the transactions
in the statement of profit or loss and other comprehensive income actually occurred
and relate to the audited entity.

• Completeness: material assets, equities, or transactions that should have been recorded
have been recorded.

• Accuracy: amounts and other data for recorded transactions are recorded
appropriately.

• Classification: transactions are classified into their appropriate accounts.

• Cut-off: transactions are recorded in the correct accounting period.

• Presentation: transactions are appropriately aggregated or disaggregated and
understandable.

A sample of transaction records is made based on the auditor’s preferred approach. A
purposive sample (i.e. a sample of records not chosen at random, but to test the specific
objective) or a random sample may be used. Statistically, a random sample allows the auditor
to calculate a confidence interval; most CAAT tools provide calculators that give guidance on
determining an appropriate sample. These substantive tests are performed by relying upon
inspection, client inquiry, re-performance of the process, or recalculations.

Analytical procedures compare the recorded amounts against auditor expectations and
may be performed to audit account balances. The auditor develops expectations derived from
their knowledge of the entity and other factors, and if the final account balances are within
expectations, the substantive test is met. The extent of reliance placed on such analytical
procedures by the auditor is a matter of professional judgement.

Tests of details of balances primarily examine the accounts on the statement of financial
position. Here, audit procedures test the balances with external third parties or other
independent sources.

Key Learning Point


The auditor’s evaluation of the effectiveness of the system of internal control involves
consideration of the components of the system as a whole. Ineffective internal controls may be
compensated for by other controls. The auditor considers the effectiveness of the internal
controls system in totality in assessing the overall control risk.
The auditor plans controls testing and substantive testing in accordance with the
auditor’s assessment of audit risk.
The audit’s control risk is a function of evaluating the system of internal control and
controls testing. Controls testing includes client inquiry, examination of documents and
reports, observation of the work being undertaken, or re-performing the procedures that
are part of a control (such as a process walkthrough with real or test data).
Substantive tests affect detection risk and thus audit risk. Substantive tests of
transactions test for monetary misstatements – that is, they test for errors in the financial
reports directly. These tests directly address issues of: (1) Occurrence; (2) Completeness;
(3) Accuracy; (4) Classification; (5) Timing (Cut-off); and (6) Presentation.

Illustrative Example 19

Substantive Testing

Tak Wai is considering her options for testing systems within the CWaves Group. Her
review of the ITGC indicates that, mostly, she cannot rely on the internal controls system.

For this reason, Tak Wai plans to use a substantive testing approach to validate
the information contained within the CWaves Hotels’ inventory management system.
This system is particularly unreliable and furthermore manages all of the stock held by
CWaves Hotels.

Tak Wai is considering confirming the balances reported in the financial reports with
independent third parties (external confirmation) or physically counting the inventory
(physical examination). Either way, Tak Wai knows she will need to use substantive testing
in this issue – she just cannot rely on the controls in place.

Apply and Analyse 4


Drawing on the facts set out in the previous Apply and Analyse case for Kowloon City
Technology Traders, address the following requirements. Identify three improvements to
KCTT’s controls.

Analysis

There are several areas where improvements can be made, including:

• One possibility is to automate several of the manual steps (e.g. the review of items
without preapproved vendors).

• Deletion of purchase orders should not occur – these purchase orders should
instead be archived only. Otherwise, the audit trail of purchase order numbers
is affected.

• Forcing purchase from approved suppliers may result in sub-optimal purchasing
decisions – improving the process for approving suppliers (so that it can be done
on-demand) or allowing ad hoc suppliers to be used might allow KCTT to obtain
better quality goods or better pricing.

• Requiring an expected delivery date is likely to result in unintended consequences
– for example, an expected delivery date might not be accurate but is simply
entered to allow the order to be processed. If the purpose of this control is to
ensure that stock is only ordered as it is required, then undertaking a regular
review of an expected delivery date as a processing control compared to an actual
delivery date might highlight regular ordering of goods before they are required.

• On the current rules, the General Manager and the GM are the same person.

Apply and Analyse 5


Kowloon City Technology Traders has another information system, SalesPro. This system
controls the retail point of sales. From discussions with the client, your file notes reveal the
following points in relation to SalesPro’s sales process.

• Sales can be either for cash or credit. This choice is made at the beginning of the
transaction.

• Cash sales do not need to be recorded against a pre-existing customer, but credit
sales must be recorded against a pre-existing customer, and the total sale
amount for the invoice cannot exceed the credit limit.

• Credit sales are recorded only against items already recorded in inventory and
can only be sold to customers with an assessed credit limit authorised by the
Finance Manager.

• A credit sale is entered by the sales clerk but requires authorisation by the Store
Manager for approval. The Store Manager approves credit sales once in the
morning and once in the afternoon. An additional credit check is made at the
time of approval (in case the customer has had more items purchased during the
intervening period).

• Large items that are not in stock at the main showroom are kept at the Kowloon
City warehouse and delivered the next day. A daily shipping manifest is sent to
the inventory clerk at the warehouse to schedule these deliveries. This manifest is
automatically sent as an encrypted report via email.

• The database has an audit trail log maintained, which is reviewed monthly by the
internal audit team for unauthorised access.

Required

(a) Identify the apparent application controls of the SalesPro information system.

(b) Based on the information provided, explain whether you will be able to provide an
assessment on the design of the SalesPro information system’s controls.

Analysis

(a) At a high level there are four different types of application controls. The table
below identifies the input, processing, and output controls implied by the
discussion. A further application control to consider is the access to the Master File/
database and controls regarding such access.

Input controls ensure that the data entered into the system is complete, accurate,
and authorised. In addition to observing non-IS controls such as using only
qualified staff to enter data, the auditor may test field-level input controls and
record-level controls.

Processing controls prevent, detect, and correct errors during the processing of
transactional input data. The auditor may test that the correct data are processed
in the correct order or validate the results of processing.

Output controls detect errors and correct them after the completion of
transaction processing, and also ensure that the results of processing are not
intercepted and corrupted. The auditor may test the effectiveness of reviewing the
final output by an expert and the secure distribution of the application’s output.

Database controls ensure the security, integrity, accountability, and
recoverability of the database. The auditor may test the effectiveness of database
controls by evaluating access control and security, database creation and
modification processes as part of systems development, audit log creation and
review, and database backups.

Control: Sales can be either on cash or on credit. This choice is made at the beginning of
the transaction.
Type of Control: Input Control

Control: Cash sales do not need to be recorded against a pre-existing customer, but credit
sales must be recorded against a pre-existing customer, and the total sale amount for the
invoice cannot exceed the credit limit.
Type of Control: Input Control

Control: Credit sales are recorded only against items already recorded in the inventory and
can only be sold to customers with an assessed credit limit authorised by the Finance Manager.
Type of Control: Input Control

Control: A credit sale is entered by the sales clerk but requires authorisation by the store
manager for approval. The store manager approves credit sales once in the morning and once in
the afternoon. An additional credit check is made at the time of approval (in case the
customer has had more items purchased during the intervening period).
Type of Control: Processing Control

Control: Large items that are not in stock at the main showroom are kept at the Kowloon City
warehouse and delivered the next day. A daily shipping manifest is sent to the inventory clerk
at the warehouse to schedule these deliveries. This manifest is automatically sent as an
encrypted report via email.
Type of Control: Output Control

Control: The database has an audit trail log maintained, which is reviewed monthly by the
internal audit team for unauthorised access.
Type of Control: Master File/Database Control (Access)

(b) It is not possible to make this assessment as there is insufficient information
regarding the IT environment. SalesPro may or may not be well-controlled, but it is
not possible to determine this without an understanding of the ITGC in place.

Apply and Analyse 6


Ai Ma Ke Import/Export (AMKIE) is an importer/exporter company that exports
manufactured goods around the world. Ai Ma Ke Import/Export is privately owned and the
board of directors has retained your firm to conduct the annual audit.

You are undertaking your audit as part of the financial audit team and are charged
with reviewing the internal controls of the IS in place to determine whether the financial
auditors can rely on AMKIE’s IS and controls. Your work is part of the initial audit phase of
the audit at the commencement of the financial year.

The discussion that follows describes key points about the client’s approach to
managing the IS function.

There are several key IS that are brought together as a best of breed approach. That is,
there is no single enterprise-wide information system, but rather several IS are used and a
single system (SYBIL) integrates the different systems.

Man Hei Yip is the IS Manager for AMKIE. Man Hei was hired in 1994 as the IT Projects
Manager to build this platform of applications. He has continued to develop it on his
promotion to manager, where he is responsible for day-to-day operations as well as the
small development team that keeps their IS operational.

There are 21 people currently employed in the IS department, which consists of a
single team of database administrator, network administrators, technical support, and web
administrator roles. In this team, all team members are agile and flexible and ensure that
the work is done as required. Each role in the IS team reports directly to Man Hei.

This team develops the programming interfaces that make up the integration system
SYBIL. The team develops the interfaces between IS, implements software patches, and
maintains the data as a single team.

Man Hei Yip and Tsz Man Lam first developed the interfaces together back when
Tsz Man was an external developer working on contract. Tsz Man joined AMKIE as an
employee in 2009 and is now the database administrator. Tsz Man and Man Hei are the
people in the IT team who know SYBIL the best.

The computer centre uses traditional blade servers in a data room located in the office
headquarters in Central District. A dedicated server room is maintained in a separate
room on the fourth level of AMKIE’s headquarters. There are UPS (Uninterruptible Power
Supply) units sufficient to power the data centre for three hours in the event of unexpected
power outages.

The room is locked with a keypad entry; all members of the IS team have access to the
server room code. There is a single air conditioning unit that supplements the building’s
main air conditioning out of hours.

An exact replica of the data centre is maintained in the basement of the subsidiary
office in Wan Chai. This replica data centre even uses the same keycode as the main data
centre. It is a hot site data centre with fail-over capability. That is, all data and transactions
from the Central District data centre are immediately replicated in the Wan Chai data
centre. In the event that the Central District data centre is unavailable, all IT infrastructure
switches immediately to the Wan Chai data centre. The end result is that end users do
not notice the interruption (unless it is localised) so long as both data centres remain
operational.

No other backups are made. AMKIE does not use any form of cloud infrastructure.

The disaster recovery plan is maintained by Tsz Man. It was updated last year when the
Wan Chai data centre was implemented.

Required

(a) Identify the ITGC and the physical controls presented in the case. Assess whether
these key controls are effective.

(b) Explain how you would improve the ITGC you identified.

Analysis

(a) There are several aspects to consider here. The table below assesses each aspect
including administration of the IT function (effective), the segregation of IT duties
(ineffective), system development (ineffective), physical and online security
(ineffective), backup and contingency planning (effective), and hardware controls
(not assessable).

Given the overall assessment of each aspect of general control in the table
below, the overall assessment is that the internal control system is not effective.

Administration of the IT Function

ITGC: Man Hei Yip is the IS Manager for AMKIE.
Issues: This is a structural governance mechanism in the appointment of a management role
with responsibility for IS.

ITGC: Man Hei has worked on SYBIL since 1994; he has continued to develop it on his promotion
to manager.
Issues: Man Hei has a long association with the firm and has a deep understanding of the
systems.

ITGC: There are 21 people currently employed in the IS department. There is a ‘One IS’ team
approach. Each role reports directly to Man Hei.
Issues: The IT team is a single team and, with 21 people employed, there are a large number
of people to supervise, probably more than is appropriate. This is particularly so given the
wide range of tasks undertaken by the team.

Overall Assessment: Administration of the IT function is generally effective. However,
compensating controls such as supervision are likely to be ineffective.

Segregation of Duties

ITGC: There is a ‘One IS’ team of database administrator, network administrators, technical
support, and web administrator roles. There are no separate teams – all team members ensure
that the work is done as required.
Issues: There is only one team and so there is no separation between an operations team and
the development team.

ITGC: Each role in the IS team reports directly to Man Hei.
Issues: Segregation of duties is not well enforced within the IT team. The chance of
collusion is somewhat higher. It is likely that compensating controls of supervision are
ineffective given the span of control of staff.

ITGC: Tsz Man joined AMKIE as an employee in 2009 and is now the database administrator.
Issues: As Tsz Man reports to Man Hei, the possibility for collusion – particularly given
their knowledge of the in-house SYBIL system that integrates all systems – is increased.

Overall Assessment: Segregation of duties within the IT team is ineffective.

System Development

ITGC: That is, there is no single enterprise-wide information system but rather several IS
are used and a single system (SYBIL) integrates the different systems.
Issues: SYBIL maintains information consistency in the different systems. Data quality
problems with SYBIL will affect all decision making across the enterprise.

ITGC: Man Hei Yip first developed SYBIL with Tsz Man Lam. Man Hei is now the manager.
Issues: Man Hei has continued to develop SYBIL even as manager. This is inappropriate as the
duties are incompatible.

ITGC: This team develops the programming interfaces that make up the integration system
SYBIL. The team develops the interfaces between IS, implements software patches, and
maintains the data as a single team.
Issues: It does not seem that documentation, approval, and authorisation of software
development occurs – particularly given that Man Hei is developing the system and the team
implements the software patches.

ITGC: Tsz Man joined AMKIE as an employee in 2009 and is now the database administrator.
Issues: Database administrator role should be kept separate from the development team.

Overall Assessment: System development is not kept separate from operations, management, and
database administration, and the opportunity for collusion is high. Particularly as SYBIL is
a central system, this control is ineffective.

Physical and Online Security

ITGC: A dedicated server room is maintained in a separate room on the fourth level of AMKIE’s
headquarters.
Issues: Central District occasionally suffers from flooding, but this should not affect the
data room on the fourth floor greatly.

ITGC: The room is locked with a keypad entry; all members of the IS team have access to the
server room code. This replica data centre even uses the same keycode as the main data centre.
Issues: The physical lock is good. Too many people have access to the room. No access log
seems to be kept. Having the replica centre use the same keycode is a problem as a breach in
one facility could be a breach in another.

Overall Assessment: Overall, the physical and online security is somewhat effective, but
given the common keycode and the number of people with access (and the lack of a log),
physical and online security are ineffective.

Backup and Contingency Planning

ITGC: There are UPS (Uninterruptible Power Supply) units able to keep the equipment running
for three hours.
Issues: It is positive to see these UPS units in place. There should be evidence of regular
testing of these units.

ITGC: There is a single air conditioning unit that supplements the building’s main air
conditioning out of hours.
Issues: If the single unit fails, there is no air conditioning available out of hours. A
second unit should be in place.

ITGC: An exact replica of the data centre is maintained in the basement of the subsidiary
office in Wan Chai. The end result is that end users do not notice the interruption (unless
it is localised) so long as both data centres remain operational.
Issues: A basement is not a good location for a data centre. An inspection for possible
flooding should be considered. Also Wan Chai and Central District are not far from each
other. If Central District is unavailable due to flooding, it is likely the data centre in
Wan Chai will also be affected.

ITGC: This replica data centre even uses the same keycode as the main data centre.
Issues: Having the replica centre use the same keycode means a breach in one facility could
be a breach in another.

ITGC: No other backups are made.
Issues: This is bad, particularly as the two data centres are close to each other. The loss
of both facilities would be catastrophic.

ITGC: The disaster recovery plan is maintained by Tsz Man. It was updated last year when the
Wan Chai data centre was implemented.
Issues: It is good that the DR plan was updated. Evidence of regular updates would be better.
It seems in this case that the implementation of the new data centre triggered the update.

Overall Assessment: Overall, the disaster recovery plan appears effective; however, there are
several key weaknesses that should be considered and addressed.

Hardware Controls

ITGC: No hardware controls identified.
Issues: No assessment made.

Overall Assessment: No overall assessment made.

(b) Several opportunities exist within the case. Some specific recommendations include:

• Assess replica data centre for risk of water ingress and seek to mitigate this risk
by relocating or rebuilding the data centre.

• Implement a second air conditioning unit in both the main data centre and the
replica data centre.

• Implement unique keycodes for all staff and limit access to those that need access
to the data rooms. Implement a different keycode at the replica data centre.

• Implement a policy of an annual review and update of the disaster recovery
plan, and document evidence of this review.

• Separate the systems development staff from operations and database
administration. Implement a team leader for each of these teams.

• As a manager, Man Hei should not undertake system development work.

Knowledge Check Questions

Question 31
Identify the purpose of ITGC.
A Ensure that substantive testing is kept to a minimum in the audit.
B Ensure that the application controls maintain completeness, validity, and
accuracy of data.
C Ensure that the IT environment maintains data integrity, security, and confidentiality.
D Ensure that the IT environment maintains data completeness, validity, and accuracy.

Question 32
Identify the purpose of application controls.
A Maintain the completeness, validity, and accuracy of data in a single application
or system.
B Maintain data validity, integrity, and usefulness.
C Ensure that only authorised changes are made to the application software.
D Maintain data integrity, security, and confidentiality.

Question 33
Identify which best describes a project steering committee.
A A process mechanism.
B A relational mechanism.
C A procedural mechanism.
D A structural mechanism.

Question 34
Identify which of the following is the general control that relates to the principle that no
transaction should be performed in its entirety by a single role.
A Input Controls.
B Segregation of IT Duties.
C Hardware Controls.
D Backup and Contingency Planning.

Question 35
Identify which of the following are included under substantive tests.
A Physical examination, confirmation, inspection, client inquiries, re-performance,
analytical procedures, and refactoring.
B Physical examination, collaboration, inspection, client inquiries, re-performance,
analytical procedures, and recalculation.
C Physical examination, confirmation, inspection, client inquiries, re-performance,
analytical procedures, and recalculation.
D None of the above.

Question 36
Identify which of the following is a systems development approach that cannot support the
development of effective internal controls.
A The Systems Development Life Cycle approach.
B The SCRUM systems development methodology.
C Any agile systems development methodology.
D None of the above.

Question 37
Identify which of the following describes the observation of the backup process.
A A test of output controls.
B A test of general controls.
C A test of application controls.
D A substantive test.

Question 38
Identify which of the following is not an output control.
A A data entry range check control.
B Supervisor review of the Accounts Receivable Report.
C Encrypted transmission of system reports.
D Secure disposal of waste printouts.

Question 39
An employee entered ‘40’ in the ‘hours worked per day’ field, which is of course impossible
as there are only 24 hours in each day. Identify the type of application control that would
detect this unintentional data entry error.
A A record level input control.
B A field level input control.
C A processing control.
D An output control.

Question 40
Identify a disadvantage of integrated test facilities (ITFs).
A The potential for corrupting the data files of the organisation with test data.
B They reduce the efficiency of the audit and decrease the reliability of the audit
evidence gathered.
C They provide a static picture of application integrity at a single point in time.
D All of the above.

Question 41
Identify which of the following is a general principle of the segregation of duties control.
A The segregation of duties should be such that the authorisation for a transaction is
separate from the processing of the transaction.
B To ensure the validity, completeness, and accuracy of financial transactions.
C To ensure high employee satisfaction in carrying out their duties.
D None of the above is a principle of the segregation of duties control.

Question 42
Identify which of the following situations indicates a violation of the need for the
segregation of duties.
A The Accounts Receivable (AR) clerk issues invoices and authorises the write-off of
bad debts.
B The Record-keeping Clerk maintains both Accounts Receivable and Accounts Payable
subsidiary ledgers.
C The Inventory Control Clerk authorises inventory purchase.
D The Accounts Receivable clerk prepares customer statements.

Question 43
Identify the purpose of output controls.
A Prevent and detect unauthorised and to the firm’s assets.
B Ensure that no single individual or department processes a transaction in its entirety.
C Identify keystroke errors in key fields by testing their internal validity at the time of input.
D Ensure that information is not lost, misdirected, or corrupted and that system processes
function as intended.

Question 44
Identify which of the following is an example of segregation of duties in a computer-based
information system.
A Separating the role of system developer from computer operator.
B Preventing management override.
C Separating the inventory process from the billing process.
D Performing independent verifications by the computer operator.

Question 45
Identify which of the following circumstances is most likely to violate the segregation of
IT duties.
A The software developer implementing software updates.
B Access to live operational data and database administration.
C The request and approval of a purchase order by the same person.
D Software development and software requirements analysis.

Question 46
Identify which best describes the IT Steering Committee.
A Structural governance mechanism.
B Compensating governance mechanism.
C Process governance mechanism.
D Relational governance mechanism.


Question 47
Outline how controls testing and substantive testing are related.

Question 48
Define a field level input control with an example. Contrast a field level input control with a
record level input control.

Question 49
Outline the rule of least access.

Question 50
Consider an organisation where the DBA and the Data Library are both part of the systems
development team. Explain whether this structural arrangement of the IT team increases,
decreases, or has no effect upon the effectiveness of the internal controls system at that
organisation.

Question 51
Identify an effective physical control that reduces the impact of a fire in the data centre.

13.5 COMPUTER-ASSISTED AUDITING TECHNIQUES

The auditor exercises professional judgement in addressing the duties set out in the auditing
standards. However, the auditor’s judgement must be exercised diligently and professionally,
and an assessment is required to be driven by the evidence gathered and evaluated by the
auditor (HKSA 320.14). The auditor often uses computer-based tools and techniques that give
support in developing and exercising the auditor’s judgement.

The use of computer-based tools and techniques generally provides greater assurance for
the audit. Testing can usually be undertaken against all transactions rather than selecting a
subset of the transactions as a sample for testing. These tools and techniques allow auditors
to focus on important exceptions across all of the entity’s records. These records relate to all
transactions recorded in the IS, including the revenue, payroll, fixed asset, accounts receivable,
accounts payable, general journal, and general ledger systems in place.

Depending on the auditor’s skills and the sophistication of the testing and evidence needed
to inform the audit opinion, auditors may execute these testing procedures themselves or
engage a specialist auditor to undertake the tests.

The auditor uses several different types of software and computer-assisted auditing
techniques (CAATs). Generalised audit software (GAS) is used by the auditor to undertake a
wide range of audit-focused analytical activities. The auditor may also test the application by
auditing around the computer (the black-box approach) or auditing through the computer (the
white-box approach). Although the black-box approach does not rely upon specialised IT tools
or techniques, the white-box approach relies upon several specialised testing techniques that
test the internal logic and controls of the application. The auditor needs to be involved with
both white-box approaches and black-box approaches – at least in terms of specifying the
requirements and scope of the testing.

In addition to the tools that support their analytical work, auditors usually manage the
audit project and document their findings in software specifically designed to act as a form
of automated working papers. Such systems support the audit team with working papers
specifically designed to support the audit process. Finally, an auditor can and should evaluate
the entity’s approach to addressing its cyber-security needs without specialist skills and tools.

In doing all of this work, the auditor is in a unique place to assist the entity in recognising
and addressing the weaknesses of its internal control system. HKSA 260 (Revised),
Communication with Those Charged with Governance, and HKSA 265, Communicating Deficiencies
in Internal Control to Those Charged with Governance and Management, require the auditor to
communicate significant deficiencies in internal control to the entity and its management.

Overall, the auditor has many tools available in undertaking the audit. The auditor has
available a portfolio of tools that can be used to support the auditor in developing and
exercising professional judgement. These tools and techniques all provide a means of
supporting the auditor in controls testing – such as client inquiry, examination of documents,
observation, or re-performing the procedures that are part of a control – or substantive testing.
The auditor does not use all these tools and techniques in every engagement, or even in any
engagement, but auditors should be aware of the options available to them.

13.5.1 Audit Software


The auditor is expected to undertake audits of a wide variety of organisations across many
different industry contexts and the auditor is expected to support his or her judgement
with evidence and analysis in each case. It is not feasible for there to be analytical tools that
support all these contexts and, even where tools specific to an industry do exist, it is likely to
be impractical for the auditor to be an expert in the use of the tool unless that industry is his or
her professional focus. The cost of such tools (including training) is a factor in whether to use
such specialised software.

GAS consists of generic analytical tools that the auditor can apply across very different
circumstances. Such software is flexible and adaptable as it allows the auditor to develop and
use tailored computer command scripts or routines that extract, transform, and analyse data.
The advantage of these more generic tools is that the auditor can develop skills knowing that
these skills transfer to many different future audits. However, unlike more specialised audit
software, it is likely that the auditor will need to tailor or configure the GAS to support the
immediate audit need.

These tools allow the auditor to analyse the data sets extracted from the audit entity’s IS.
Usually, the auditor uses these tools to review and summarise the extracted data sets and
to analyse the data statistically. Two popular GAS tools are ACL (Audit Command Language)
and IDEA (Interactive Data Extraction and Analysis). Such tools are designed with the audit
task in mind. However, the auditor often relies on tools that were not designed to support the
audit function but that are useful nonetheless. The auditor often uses spreadsheet and data
visualisation software to provide support in the audit task. These tools are powerful, adaptable,
and, usually, already familiar to the auditor.

Both ACL and IDEA have extensive development histories. ACL is a general-purpose
software designed to access and import data through many different file formats or even
connections to active operational databases. ACL is a widely used data extraction tool and its
history extends back to 1972, when the original Audit Command Language was developed – as
a scripting language. Strictly, ACL is a portfolio of many different products, but the ACL Analytics
application is the member of the portfolio that is the successor to the original product. ACL
Analytics connects to many different sources and supports analysis by the auditor to identify
anomalous patterns and to inform and guide the auditor’s examination. Recently, ACL has
moved to broaden its appeal by incorporating cloud-based automated working papers.

The IDEA (Interactive Data Extraction and Analysis) software is a competitor to ACL as an
analysis tool. IDEA software was developed by the Canadian Institute of Chartered Accountants
and is now owned by and developed by CaseWare International. CaseWare International is a
leading provider of automated working paper software designed to document and guide the
audit process. As with ACL, IDEA is designed to connect to many different sources and provide
support to the auditor in identifying anomalous patterns in the entity’s data as part of their
investigation. As with ACL, IDEA is now part of a portfolio of software that is complementary to
and integrated with an automated working papers package.

Frequently, the audit-focused GAS tools, such as ACL and IDEA, work with standard
software to complement its capabilities. For example, spreadsheet software such as Microsoft’s
Excel is used to load data and transform the data into a form that is ready for analysis in ACL
or IDEA. Although the GAS tools have strong capabilities and the auditor is likely to have a good
understanding of these tools, audited entities rarely have access to such software or people
with the skills to use these tools. Spreadsheet tools such as Microsoft Excel, the open source
Libre Office, and Google Sheets, among others, are common and ubiquitous. Accordingly,
audited entities frequently provide data in the form of a spreadsheet, and the auditor might
manipulate clients’ data using spreadsheeting tools before analysis in the audit-focused GAS
analytical tools.

A newer category of general software that the auditor may find useful is data visualisation
software. There are several tools of note here, including Tableau, Power BI, and QlikView. These
tools allow the auditor to extract and analyse data and then visualise it to better communicate
the findings to less technical audiences. Visualising the data under analysis in this way can also
help the auditor to understand the data and find anomalies.

Key Learning Point


GAS consists of generic analytical tools that the auditor can use in different contexts.

CAATs allow the auditor to review and summarise the extracted data sets and to analyse
the data statistically. Two popular tools are ACL Analytics and IDEA.


13.5.2 Test Data and Testing Procedures


In auditing an information system, the auditor can use the black-box (‘auditing around the
computer’) or the white-box (‘auditing through the computer’) approaches. The black-box
approach is where the auditor develops an understanding of the functional characteristics of
the application and then uses that understanding to reconcile actual inputs with actual outputs.
Auditing around the computer is less disruptive than auditing through the computer.

In contrast, the white-box approach is where the auditor places test data into the
application to systematically test the application’s logic and controls. The white-box approach
is more detailed, disruptive to the audited entity, and costlier, but is a stronger test of the
application and better able to address the complexity of an application than the black-box
approach. The black-box approach does not allow the auditor to use test data and test the
range of potential input data, whereas the white-box approach does allow the auditor to test a
more varied range of input data.

In applying the white-box approach the auditor has several testing techniques to choose
from. In general, the auditor can use the entity’s technology platform with test data to confirm
that applications work as expected and are understood. These testing techniques include
parallel simulation, the test data method, the base case system evaluation, and integrated test
facilities.

The Parallel Simulation technique requires the auditor to write a simulated version of the
application under review according to the deep understanding acquired by auditing through
the computer, and to then re-process transactions to compare the output of the simulation
with the original application. The simulation mimics the functional steps of the original
application and so does not require a complete re-development of the program. However,
the development of the simulation remains a potentially arduous task. Transactions already
processed by the original application are re-processed in the simulation, and the output of
the original application is compared with the simulation. This approach can be expensive and
difficult, although automated software development tools and rules-based expert systems can
make this task easier.

A further complication is that any differences found between the original application and
the simulation might be due to errors in the simulation rather than the original application.
Nevertheless, parallel simulations remain a technique used by a significant proportion of audit
firms, and this technique provides opportunities for developing and documenting a deep
understanding of the original application.
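
A parallel simulation in miniature, as an added example that is not part of the original text: the auditor's independent re-implementation of a pay calculation re-processes transactions the client application has already processed and lists every record where the two outputs disagree. The pay rule (overtime at 1.5 times the rate beyond 8 hours), the field names and the sample records are constructed assumptions.

```python
"""Parallel simulation: re-process the client's transactions with an
independent re-implementation and list every difference for follow-up."""
from decimal import Decimal, ROUND_HALF_UP
from typing import NamedTuple, Optional

# Assumed payroll rule for this illustration (not from the text): hours up to
# 8 per day are paid at the base rate, hours beyond 8 at 1.5 times the rate.
STANDARD_HOURS = Decimal("8")
OVERTIME_MULTIPLIER = Decimal("1.5")
MAX_HOURS_PER_DAY = Decimal("24")  # field-level limit: a day has 24 hours
CENT = Decimal("0.01")


class Finding(NamedTuple):
    txn_id: str
    code: str
    simulated: Optional[Decimal]
    client: Optional[Decimal]


def simulate_gross_pay(hours: Decimal, rate: Decimal) -> Optional[Decimal]:
    """Auditor's simulation of the pay calculation.

    Returns None when the input should have been rejected by the
    application's input controls and so should produce no output at all.
    """
    if hours < 0 or hours > MAX_HOURS_PER_DAY or rate <= 0:
        return None
    regular = min(hours, STANDARD_HOURS)
    overtime = hours - regular
    gross = regular * rate + overtime * rate * OVERTIME_MULTIPLIER
    return gross.quantize(CENT, rounding=ROUND_HALF_UP)


def parallel_simulation(transactions, client_output, tolerance=Decimal("0")):
    """Compare client output with the simulation for every transaction.

    A finding is a difference to investigate, not proof of an error in the
    client application: the simulation itself may be the side that is wrong.
    """
    findings = []
    for txn in transactions:
        txn_id = txn["txn_id"]
        simulated = simulate_gross_pay(Decimal(txn["hours"]), Decimal(txn["rate"]))
        raw = client_output.get(txn_id)
        client = Decimal(raw) if raw is not None else None
        if simulated is None and client is not None:
            findings.append(Finding(txn_id, "INVALID_INPUT_PROCESSED", None, client))
        elif simulated is not None and client is None:
            findings.append(Finding(txn_id, "MISSING_FROM_OUTPUT", simulated, None))
        elif simulated is not None and abs(simulated - client) > tolerance:
            findings.append(Finding(txn_id, "AMOUNT_DIFFERS", simulated, client))
    # Output records that have no source transaction are also exceptions.
    known = {txn["txn_id"] for txn in transactions}
    for txn_id in sorted(set(client_output) - known):
        findings.append(Finding(txn_id, "NO_SOURCE_TRANSACTION", None,
                                Decimal(client_output[txn_id])))
    return findings


# Constructed sample data: transactions already processed by the client
# application, and the gross pay that application reported for each.
TRANSACTIONS = [
    {"txn_id": "T001", "hours": "8", "rate": "100.00"},
    {"txn_id": "T002", "hours": "10", "rate": "100.00"},
    {"txn_id": "T003", "hours": "40", "rate": "100.00"},  # impossible hours
    {"txn_id": "T004", "hours": "7.5", "rate": "85.50"},
    {"txn_id": "T005", "hours": "9", "rate": "120.00"},
]
CLIENT_OUTPUT = {
    "T001": "800.00",
    "T002": "1000.00",  # overtime paid at the base rate
    "T003": "5600.00",  # invalid input was processed instead of rejected
    "T004": "641.25",
    "T999": "500.00",   # payment with no source transaction; T005 is absent
}

if __name__ == "__main__":
    for f in parallel_simulation(TRANSACTIONS, CLIENT_OUTPUT):
        print(f"{f.txn_id}: {f.code} simulated={f.simulated} client={f.client}")
```

Each finding goes into the working papers with its resolution, including the cases where the simulation rather than the application turns out to be wrong.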

A different approach is to create a series of test cases designed to test different pathways
through the internal logic of the application. Some test cases are valid, some are invalid, and
some test cases deliberately examine obscure combinations of input data. The test cases are
processed through the operational system using fictional entities and transactions, and the
final results are reviewed and evaluated for consistency with the auditor’s understanding of
the application. This Test Data approach tests the logical pathway of the operational system as
implemented. However, this approach has the disadvantage of creating fictional transactions
that need to be removed from the system or risk corruption of the entity’s data.

An extension of the test data approach is to create a series of test cases that are processed
in the system at the beginning of the period under review. The same test cases (the base
cases) are then re-processed at the end of the period under review. Any differences in the
application’s output highlight changes in the application during the intervening period.
Unexpected changes require further investigation by the auditor. This is the Base Case
Evaluation technique.

Both the Test Data and Base Case Evaluation techniques require considerable reliance on
the IT personnel at the audited entity. These techniques are also resource-intensive, and so it is
not likely that they will be appropriate in all audits and for all systems.
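
The Test Data and Base Case Evaluation techniques described above, as an added example that is not part of the original text: valid, invalid and boundary test cases are run under a fictional vendor at the start and end of the period, the two result sets are compared, and the fictional transactions are then removed from the ledger. The purchase-order application, its approval limit, the vendor codes and the case names are constructed stand-ins.

```python
"""Test data method and base case system evaluation, in miniature."""
import hashlib
import json

TEST_VENDOR = "ZZ-AUDIT-TEST"  # fictional entity used only for audit test cases

# Base cases: valid, invalid and boundary inputs, each with the result the
# auditor expects from the documented control (assumed for this example:
# a second approval is required for any order above 10,000).
BASE_CASES = [
    {"case": "valid-small", "amount": 500, "approvals": 1, "expect": "ACCEPT"},
    {"case": "boundary-at-limit", "amount": 10_000, "approvals": 1, "expect": "ACCEPT"},
    {"case": "over-limit-1-appr", "amount": 10_001, "approvals": 1, "expect": "REJECT"},
    {"case": "over-limit-2-appr", "amount": 10_001, "approvals": 2, "expect": "ACCEPT"},
    {"case": "negative-amount", "amount": -50, "approvals": 1, "expect": "REJECT"},
    {"case": "no-approval", "amount": 500, "approvals": 0, "expect": "REJECT"},
]


def make_application(second_approval_limit):
    """Constructed stand-in for the client's purchase-order application."""
    ledger = []

    def process(order):
        ok = (order["amount"] > 0 and order["approvals"] >= 1 and
              (order["amount"] <= second_approval_limit or order["approvals"] >= 2))
        if ok:
            ledger.append(order)  # accepted orders are written to the ledger
        return "ACCEPT" if ok else "REJECT"

    return process, ledger


def run_base_cases(process):
    """Submit every base case under the fictional vendor; return {case: result}."""
    return {c["case"]: process({"vendor": TEST_VENDOR, "amount": c["amount"],
                                "approvals": c["approvals"]})
            for c in BASE_CASES}


def deviations_from_expected(results):
    """Test data method: cases where the application did not behave as expected."""
    return sorted(c["case"] for c in BASE_CASES if results[c["case"]] != c["expect"])


def changed_cases(start, end):
    """Base case evaluation: cases whose result changed during the period."""
    return sorted(case for case in start if start[case] != end.get(case))


def fingerprint(results):
    """Stable hash of a result set, suitable for recording in working papers."""
    return hashlib.sha256(json.dumps(results, sort_keys=True).encode()).hexdigest()


def remove_test_transactions(ledger):
    """Delete the fictional transactions in place; return how many were removed."""
    before = len(ledger)
    ledger[:] = [order for order in ledger if order["vendor"] != TEST_VENDOR]
    return before - len(ledger)


def demo():
    # Start of period: application as documented. End of period: the limit
    # has been raised to 50,000 without authorisation (constructed scenario).
    start_app, start_ledger = make_application(10_000)
    end_app, end_ledger = make_application(50_000)
    end_ledger.append({"vendor": "V-1001", "amount": 900, "approvals": 1})  # genuine order
    start, end = run_base_cases(start_app), run_base_cases(end_app)
    return {
        "start_deviations": deviations_from_expected(start),
        "changed": changed_cases(start, end),
        "fingerprints_match": fingerprint(start) == fingerprint(end),
        "removed_start": remove_test_transactions(start_ledger),
        "removed_end": remove_test_transactions(end_ledger),
        "ledger_left": len(end_ledger),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```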

A further complication is that the parallel simulation, test data, and base case evaluation
techniques all examine the application at the time of testing. Potentially, the application may
be altered without authorisation after the tests were run and then returned to the authorised
version upon the auditor’s return. This is a weakness of these techniques as they test the
application at a single point in time. The Integrated Test Facility technique avoids this problem
by embedding a secured audit module in the operational system that can only be modified
by the audit team. The audit module tests transactions in the operational system during its
operation throughout the period.

As long as the audit module and its data remain secure, the auditor can use the integrated
test facility to indicate whether the application is changed without authorisation during the test
period and whether the application operates as expected. However, such a facility necessarily
imposes a processing overhead on the application, and – as with the Test Data technique – the
test data in the application may corrupt the entity’s data if not properly managed.

Key Learning Point


In auditing an information system, the auditor can use the black-box (‘auditing around
the computer’) or the white-box (‘auditing through the computer’) approach. The black-box
approach is less disruptive than the white-box approach, but the white-box approach
allows more fine-grained and controlled testing.

13.5.3 Documentation
A key obligation placed on the auditor by HKSA 230, Audit Documentation, is the need for
adequate documentation to provide evidence of the inquiries undertaken and the auditor’s
findings. It is important that the auditor document the audit procedures performed, the
relevant audit evidence obtained, and the conclusions reached (HKSA 230.7).

HKSA 230, Audit Documentation, requires the auditor to:

Prepare the audit documentation so as to enable an experienced auditor, having no previous
connection with the audit, to understand:

(a) The nature, timing and extent of the audit procedures performed to comply with
HKSAs and applicable legal and regulatory requirements;

(b) The results of the audit procedures and the audit evidence obtained; and

(c) Significant matters arising during the audit and the conclusions reached thereon.

(HKSA 230.9)

The auditor is required to document to a standard such that an experienced auditor, with
no prior connection with the audit, can understand the nature, timing, and extent of the audit
procedures, the results of the audit procedures performed (including the audit evidence
obtained), and conclusions and professional judgements made (HKSA 230.8). These records are
usually referred to as work papers or working papers.

This standard of documentation is required as the audit may be challenged legally or
professionally many years after completion of the audit. After the passage of such time it is
likely that the original auditor will not recall the audit with the necessary detail or is no longer
available to provide the context to working papers that are inadequately documented. An
inadequately documented audit has possible legal ramifications for the auditor – the rule of
thumb observed in the profession is that ‘if it’s not documented, it’s not done’.

Given the importance of documenting the audit, the auditor usually manages the audit
project and documents the findings using software specifically designed to act as a form
of automated working papers. In a sense, such software is a form of specialised document
management system designed to support the audit team. This software is known as
engagement management software. Engagement management software is increasingly
integrated with popular GAS tools, as is the case with both CaseWare (integrated with IDEA)
and ACL GRC (integrated with ACL Analytics). More recently, this software has been based in
the cloud by software vendors and it is much easier for the auditor to use such software when
operating in the field.

The software platform allows the auditor to organise their documentation and their
audit working papers, and to analyse the data and prepare different schedules. As multi-user
software is based on a local area network, groupware such as SharePoint, or in the cloud, the
audit team can track the progress of the engagement no matter the physical location of the
team. All members of the audit team will use engagement management software to document
their assigned tasks.

13.5.4 Effectiveness of Cyber-security Safeguard


An organisation needs to organise and implement the technologies, processes, and structures
needed to keep its IS protected when the system interacts with the Internet. These resources,
processes, and structures are the Cyber-security Safeguard. The emphasis is on the
technologies, processes, and structures used to protect systems that are connected to cyber-
space. More simply, cyber-security is making sure that business data are safe from attack via
the Internet.

As IS become increasingly interconnected, the importance of cyber-security increases.
Although the auditor needs specialist skills and tools to address many of the
challenges presented by the need for cyber-security, the auditor can evaluate the entity’s
overall approach to cyber-security. In doing so, the auditor considers whether the approach
has weaknesses that affect the risk of material misstatement in the financial statements
(for example, the information may be changed by unauthorised parties) and controls that
can be implemented to improve the effectiveness of the entity’s cyber-security safeguard.

The auditor has several key concerns. A hacker might obtain sensitive information from the
entity’s systems such as credit card data or personal, private information relating to customers.
As a consequence, the business may find that the damage from the loss of data is exceeded by
the damage to its reputation. The damage to business reputation and goodwill might be more
crippling than the actual data loss itself.


A different type of problem is presented by ransomware. Ransomware encrypts the
data of infected computers and networks. The user is required to pay a ransom for the
encryption key or else the key will be deleted and the data lost. A prominent example is the
WannaCry ransomware that affected the United Kingdom’s National Health Service (NHS) in
2017. This attack closed at least 16 hospitals in the NHS and cost the NHS at least US$100
million in IT costs to restore NHS systems. WannaCry demanded payment of the ransom
in Bitcoin cryptocurrency to ensure anonymity of the perpetrators. There are many other
examples of ransomware and new variants are created each year. In many ways, ransomware
commercialised computer viruses to allow criminals to hold business data to ransom.

A more indirect risk is that a cyber-security breach may result in legal action. The breach
might affect a third party who then commences legal action for their own losses. There are
several bases for such an action. The Personal Data (Privacy) Ordinance (PDPO) in Hong Kong
restricts the use of personal data by online intermediaries. Common law remedies such as
defamation or copyright actions might also arise as a consequence of a data breach. Further,
cyber risk is a risk that – as with all business risks – needs to be governed by the entity and the
entity has legal obligations if those cyber risks could have a financial impact. Even if a court
action ultimately fails, defending the action is costly and distracting.

Through client inquiry, examination of documents, observation, or re-performing
the control procedures, the auditor can observe the base controls in place to safeguard
against cyber-security attacks. The auditor needs to understand the overall approach to the
governance of cyber risk at the entity. The discussion that follows identifies some of these
controls that, taken together, are effective in safeguarding against cyber-security attacks.

The auditor needs to be aware that the cyber-security landscape is constantly changing and
evolving. The auditor needs to monitor that landscape and understand its implications for client
audits. The auditor should engage specialists in cyber-security when they lack the competency
to adequately understand and address cyber-security risks in the entity.

Key Learning Point


An organisation needs to organise and implement the technologies, processes, and
structures needed to protect IS that are exposed to the Internet. Many of the tasks
required in undertaking a cyber-security audit require specialist skills and tools. However,
a generalist auditor can examine the base controls around cyber-security without using
specialist skills and tools to assess whether a risk arises of material misstatements in the
financial reports.

13.5.4.1 Using Anti-virus Software and Keeping Software Current


The auditor is concerned that the entity implements anti-virus software and only installs
authorised and trustworthy software. Software should be current so that the latest version of
the software is managing business data. Many cyber breaches occur because older software
is being used. In such cases the process for updating software applications is not followed.
Application software (for example, Microsoft Word or Google Chrome) should be kept current
with the latest software as well as the operating system.


For example, ‘Trojan’ malware is software that appears legitimate but actually contains
malicious software (‘malware’). It takes control of the computer using vulnerabilities in the
computer’s operating system and seeks to damage the host’s network or data. The WannaCry
Trojan malware that affected many companies in 2017 exploited a vulnerability in Microsoft
Windows that Microsoft had addressed two months earlier. However, Microsoft only addressed
the problem in supported versions of Windows. Entities using Windows XP were vulnerable
as Windows XP was no longer supported and updated by Microsoft. Windows XP did not
receive the update to address the vulnerability. This is an explicit risk that arises when out-of-
support and/or out-of-date software continues to be used.

13.5.4.2 Authorised Software


Cyber-security attacks often occur through the installation of unauthorised software. The entity
should ensure that only authorised software is installed. Many popular operating systems allow
the user to install and run almost any application by default. This approach is very convenient
for the end user, who is able to install software virtually unchallenged. However, most users
regularly use only a small set of applications to complete their tasks.

Anti-virus software does prevent some applications from being installed, but many argue
that anti-virus software is insufficient, as it only blacklists applications that are demonstrably
dangerous. In contrast with blacklisting applications, application whitelisting allows only
authorised software applications to run on a computer. No other software is allowed to run.
This approach is restrictive for some intensive users, but for most users a wider selection is
often simply not needed.

This whitelisting approach aims to ensure that only authorised software is on the computer.
In identifying needed software, the entity should adopt the control of application hardening.
Here, popular tools such as Flash or Java are blocked or uninstalled if they are not needed. Such
software often has weaknesses that become an avenue for cyber-security attacks. Increasingly,
these tools are not required or have more secure alternatives.

13.5.4.3 Authorised Users


A second control is to ensure that only authorised users use the computer. A strong password
is an assumed requirement, but as an additional control multi-factor authentication is a
powerful control that requires another factor in addition to the password for users to access
their account. These factors might include, for example, a separate PIN, a physical token, or a
fingerprint scan. Requiring multi-factor authentication for privileged activities (such as installing
software) is a control that ensures that actions are only undertaken as required.

13.5.4.4 Assigning User Privileges on an ‘As Needed’ Basis


By default, users often have full access to the computer with administrative privileges. Unless
full access is definitely required, users should have only the privileges required to fulfil their roles.
Providing administrative privileges to the level needed greatly reduces the opportunity for
cyber-security attacks that compromise these user accounts to create widespread disruption
and damage.

Similarly, Visual Basic applications in Microsoft Office are prone to abuse through cyber-
attacks. At the least, Visual Basic macros should require approval to run on the computer. Often
end users allow these macros to run without user approval for convenience; this approach can
have dangerous consequences.


13.5.4.5 Daily Backup of Important Data


The control of last resort in the event of a cyber attack is the ability to return the systems to
a working state. Frequently, cyber attacks encrypt and corrupt data – particularly so in the
case of ransomware attacks. Having offline, incorruptible, and disconnected backups – that
cannot be encrypted by malware attacks – is a key corrective control that stops the malware
from encrypting the entity’s backed-up data, although the online operational data may still be
encrypted.

Apply and Analyse 7


The auditor has five aspects of the internal control system to consider in evaluating
the effectiveness of cyber-security safeguards. These aspects are the use of anti-virus,
authorised software, user authorisation, user privileges, and daily backups.

Similarly, there are several different means by which these controls can be tested
without using specialised audit software. In increasing order of rigour, these different
tests include client inquiry, examination of documents, observation, or re-performing the
control procedures.

Required
(a) In each cell of the matrix below, identify a specific approach that the auditor might
choose for testing the cyber-security safeguard.

| Test control | Client inquiry | Examination of documents | Observation | Re-performing control procedures |
|---|---|---|---|---|
| Use of anti-virus | | | | |
| Authorised software | | | | |
| User authorisation | | | | |
| User privileges | | | | |
| Daily backups | | | | |

(b) For each control, identify which of the approaches is, in your view, the most efficient
and effective. Explain your answer.

Analysis

(a) In every instance, the approach and its results require documentation in a file note.

| Test control | Client inquiry | Examination of documents | Observation | Re-performing control procedures |
|---|---|---|---|---|
| Use of anti-virus | Interview client IT team and document responses. | Review software licences; review software installation logs and records. | Observe the release of new anti-virus software; review a sample of workstations to confirm operation. | Follow instructions for the setup of a new computer workstation; confirm that the new workstation includes anti-virus software. |
| Authorised software | Interview client IT team and document responses. | Review authorised software list; identify process for software authorisation; review software licence register; compare with a list of installed software; identify implemented software that is unauthorised. | Observe the implementation of new software on workstations and servers; identify licence checks that occur. | Attempt to install unauthorised software on a workstation or server. |
| User authorisation | Interview client IT team and document responses. | Review user authorisation list and user authorisation process; compare authorisation list to actual current users. | Observe the creation of a new user on the system; identify checks for authorisation. | Attempt to create an unauthorised user on the system. |
| User privileges | Interview client IT team and document responses. | Review process for assigning privileges to users; compare actual privileges to the process. | Observe the assignment of user privileges to a user on the system. | Attempt to assign unauthorised privileges to a user on the system. |
| Daily backups | Interview client IT team and document responses. | Review backup logs; examine documentation indicating that tests of the backups have occurred. | Observe the daily backup process; observe an attempt to restore data. | Carry out the daily backup process; attempt to restore data from the backups. |

(b) There are five controls to consider. Client inquiry on its own is insufficient; the auditor
needs to consider the control through at least one additional approach. These
approaches are increasingly rigorous and so increase in effectiveness. However, they
are also increasingly costly, and so generally decrease in efficiency.
With this in mind, consider the following response:

• Use of anti-virus: Observation

• Authorised software: Examination of Documents

• User authorisation: Examination of Documents

• User privileges: Examination of Documents

• Daily backups: Examination of Documents
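
The document examinations chosen above come down to comparing an approved list with what the system actually holds. The Python example below is added here and is not part of the original module; it reconciles constructed extracts for user authorisation, user privileges, authorised software and daily backups, and every file layout, user name, software title and log field in it is an assumption.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample evidence, not client data. AUTHORISED_* stand for the
# approved lists; the other items stand for extracts taken from the live system.
AUTHORISED_USERS = """user,privileges
a.chan,read;post_journal
b.lee,read
c.wong,read;approve_payment
"""
ACTUAL_USERS = """user,privileges
A.Chan,read;post_journal
b.lee,read;approve_payment
d.temp,read
"""
AUTHORISED_SOFTWARE = {"firefox", "libreoffice", "exampleav"}
INSTALLED_SOFTWARE = {
    "ws-01": ["Firefox", "ExampleAV"],
    "ws-02": ["Firefox", "ExampleAV", "FileShareX"],
    "srv-01": ["LibreOffice"],
}
BACKUP_LOG = """date,job,status
2024-03-01,backup,OK
2024-03-02,backup,OK
2024-03-03,backup,FAILED
2024-03-05,backup,OK
2024-03-05,restore_test,OK
"""


def load_users(text):
    """Parse a user extract into {lower-cased user: set of privileges}."""
    users = {}
    for row in csv.DictReader(io.StringIO(text)):
        privileges = {p.strip() for p in row["privileges"].split(";") if p.strip()}
        users[row["user"].strip().lower()] = privileges
    return users


def reconcile_users(authorised, actual):
    """Compare the authorisation list with the accounts that actually exist."""
    excess = {}
    for user in sorted(actual.keys() & authorised.keys()):
        extra = actual[user] - authorised[user]
        if extra:
            excess[user] = sorted(extra)
    return {
        "unauthorised_users": sorted(actual.keys() - authorised.keys()),
        "authorised_without_account": sorted(authorised.keys() - actual.keys()),
        "excess_privileges": excess,
    }


def unauthorised_software(authorised, installed):
    """Return {host: [titles]} for installed titles missing from the approved list."""
    exceptions = {}
    for host, titles in installed.items():
        bad = sorted(t for t in titles if t.strip().lower() not in authorised)
        if bad:
            exceptions[host] = bad
    return exceptions


def backup_exceptions(log_text, start, end):
    """List days in [start, end] with no successful backup and count restore tests."""
    ok_days, restore_tests = set(), 0
    for row in csv.DictReader(io.StringIO(log_text)):
        day = date.fromisoformat(row["date"])
        if not (start <= day <= end) or row["status"].strip().upper() != "OK":
            continue
        if row["job"] == "backup":
            ok_days.add(day)
        elif row["job"] == "restore_test":
            restore_tests += 1
    period = [start + timedelta(n) for n in range((end - start).days + 1)]
    missing = [day for day in period if day not in ok_days]
    return {"days_without_backup": missing, "restore_tests": restore_tests}


if __name__ == "__main__":
    print(reconcile_users(load_users(AUTHORISED_USERS), load_users(ACTUAL_USERS)))
    print(unauthorised_software(AUTHORISED_SOFTWARE, INSTALLED_SOFTWARE))
    print(backup_exceptions(BACKUP_LOG, date(2024, 3, 1), date(2024, 3, 5)))
```

Each exception returned is a lead for follow-up inquiry rather than a conclusion: an account missing from the authorisation list may simply reflect a list that was not updated.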


13.5.5 Weakness Identification and Recommendations


Under HKSA 315 (Revised 2019) paragraph 27, based on the evaluation of the components of
the system of internal control, the auditor is required to establish whether control deficiencies
have been identified. In terms of the audit process, this requires the auditor to consider the
effect on the design of further audit procedures [HKSA 260 (Revised); HKSA 265].

In addition, the auditor has a duty to inform the entity’s management of significant
deficiencies found in the internal control system. The auditor is required to identify deficiencies
in internal control and assess whether those deficiencies (individually or in combination) are
significant deficiencies. The auditor communicates those deficiencies to those charged with
governance as well as to management [HKSA 265.7; HKSA 265.9; HKSA 265.8].

The auditor should communicate these significant deficiencies in internal control in writing,
and in doing so describe the deficiencies, explain their potential effects, and provide sufficient
information for those charged with governance and management to understand the context of
the matter [HKSA 265.10]. Specifically, in their written communication the auditor should
explain that [HKSA 265.11]:

(i) The purpose of the audit was for the auditor to express an opinion on the financial
statements;

(ii) The audit included consideration of internal control relevant to the preparation of the
financial statements in order to design audit procedures that are appropriate in the
circumstances, but not for the purpose of expressing an opinion on the effectiveness of
internal control; and

(iii) The matters being reported are limited to those deficiencies that the auditor has
identified during the audit and that the auditor has concluded are of sufficient
importance to merit being reported to those charged with governance [HKSA 265.11].

The auditor’s role is as a watchdog, but not as a bloodhound. That is, the auditor’s purpose is
not the evaluation of the effectiveness of internal control. The auditor’s purpose is to understand
the risk of material misstatement of the financial statements. However, in addressing the audit
the auditor will potentially identify sufficiently important deficiencies in the internal control
system to warrant reporting of the problem to management. In such a circumstance, it would be
remiss of the auditor not to communicate issues identified in the internal control system.

Importantly, the auditor is not required by HKSA 265 to provide recommendations that
address the deficiencies identified. Rather, the auditor is required to report the problem where it
is sufficiently important. Despite this, the auditor will often inform the client management of their
recommendations for improving the client’s business through a management letter. Frequently,
this management letter is a letter of recommendations that focuses on suggestions for more
efficient operations, and in this letter the auditor often identifies any significant deficiencies in the
internal control system as required by HKSA 265.

However, if the auditor provides recommendations to management, the auditor must be
careful that their recommendations do not affect their professional independence by appearing
to influence the operations of the entity or participate in its business or professional activities
[HKSA 200.14].

Key Learning Point


If the auditor finds sufficiently important deficiencies in the internal control system
during the audit, the auditor should communicate these deficiencies to those in charge of
governance and management at the audited entity.


Apply and Analyse 8


Star Sea and Sky Limited is a medium-sized company whose headquarters operate out of
the company’s own premises (‘Star Tower’) in Central and Western District. It is a financial
services firm that facilitates mergers and acquisitions, the raising of capital, and organising
project finance in Hong Kong and, more recently, across the region.

There are approximately 532 staff working for Star Sea and Sky. About 75% of staff
work as consultants whose role it is to build relationships with local firms that are looking
for investment and with venture capital firms and hedge funds looking to invest. The
remaining 25% of staff work in support roles that undertake the day-to-day operations
of the firm.

The consulting staff all travel regularly and often, and so they are frequently out of
the office. Generally, these consulting staff are issued with mobile laptops and tablets. All
support staff use desktop computers. All staff connect to the Star Sea and Sky’s data centre
in Hong Kong via Wi-Fi and mobile hot spots on their mobile phones. The corporate data
centre is located in Star Tower in Hong Kong.

The head office in Hong Kong accommodates most (326) of Star Sea and Sky’s staff.
There are, however, many staff in the subsidiary offices located in Singapore (79 staff),
Hanoi (34 staff), and New Delhi (93 staff).
The Chief Technology Officer at Star Sea and Sky is Po Yi Siu. She is responsible for the
IT facilities and infrastructure at Star Sea and Sky. As part of this role, Po Yi sits on and acts
as the chairperson for the SkyIT Forum. Star Sea and Sky makes all of its decisions about IT
investments through this forum and there are representatives from each office (Singapore,
Hanoi, New Delhi, and Hong Kong) and each of the 12 business lines. On the SkyIT Forum,
the senior management team is represented by both the Chief Technology Officer (Po Yi
Siu) and the Chief Financial Officer. The forum meets monthly, but most meetings are held
using Skype video conferencing. Three face-to-face meetings are held each year.

There is an operations team that keeps the IT infrastructure up to date and working
as well as updating the software – including the in-house developed software Apteryx. The
team is relatively small, and Po Yi likes to keep it that way so that she only has one team to
deal with. She uses her One Team philosophy, which means that all members of the team
report directly to her, and all members of the team can address the needs of end users
when they are asked to do so.

However, Po Yi’s executive assistant is kept busy maintaining these relationships. In
Hong Kong, the IT team consists of three network administrators, four software architects,
four IT engineers, and five help-desk officers. The offices in Singapore, Hanoi, and New
Delhi each have one network administrator, two engineers, and five help-desk officers. At
least once a year at least one Hong Kong-based network administrator and IT engineer visit
each of the subsidiary offices to maintain a good relationship with each office.

The team also includes a database administrator, but this role is based in Hanoi.

Po Yi has an IT manual that documents most of the core tasks that the IT team
performs, but the software architects are generally left to their own devices to create the
Apteryx software as they see fit.



The software architects together design, build, and implement the Star Sea and Sky
Apteryx system. The Apteryx system is the internally developed customer relationship
management database that tracks the firm’s venture capital and hedge fund investors and
prospective investments. Apteryx guides consultants in their investment decision making
and investor matching services. All investment decisions and relationships rely on Apteryx.
This software is critical to the firm’s success with internally developed algorithms and
expert systems that provide advice to Star Sea and Sky’s consultants and financial analysts.
These algorithms are the starting point of all the investment assessments Star Sea and Sky
make, which is several billion dollars’ worth of investments annually.

The current corporate data centre in Hong Kong is four years old and is due for an
upgrade. Currently, the data centre is in the basement of Star Tower. The servers in the
data centre provide data/file services to all employees, including the use of a self-hosted
NextCloud service. Backups are done on a daily basis using the Internet to copy data to a
local data centre approximately one kilometre away.

Star Sea and Sky is profitable and expanding. It is proposed that a new office be
opened in Jakarta with approximately 400 staff. This will require that the IT facilities
provide support to nearly twice as many staff as currently exist. Po Yi Siu is looking for your
advice in building the facilities and infrastructure to ensure it is well controlled.

Required

(a) Evaluate the ITGC in place at Star Sea and Sky and make recommendations to
improve the internal controls systems.

(b) Consider whether, on the basis of your evaluation, a financial auditor can rely on
the internal controls system in place at Star Sea and Sky.

Analysis

(a) Again, there are several aspects to consider here, including administration of the
IT function, the segregation of IT duties, system development, physical and online
security, backup and contingency planning, and hardware controls.

Administration of the IT Function

ITGC: The Chief Technology Officer at Star Sea and Sky is Po Yi Siu. She is responsible for the IT facilities and infrastructure at Star Sea and Sky.
Issues: There is a CTO in place. This indicates a strong presumption that the role of IT is valued in this organisation.

ITGC: As part of this role, Po Yi sits on and acts as the chairperson for the SkyIT Forum. Star Sea and Sky makes all of its decisions about IT investments through this forum, and there are representatives from each office (Singapore, Hanoi, New Delhi, and Hong Kong) and each of the 12 business lines. The forum meets monthly, but most meetings are held using Skype video conferencing. Three face-to-face meetings are held each year.
Issues: The SkyIT forum acts as the forum for deciding on investment decisions. It may be a little unwieldy; as a forum it is large. We would want to review minutes to see exactly what role is being fulfilled – is it making decisions?

ITGC: On the SkyIT Forum, the senior management team is represented by both the Chief Technology Officer (Po Yi Siu) and the Chief Financial Officer.
Issues: Indicates a strong interest in the IT investment in the organisation.

ITGC: At least once a year at least one Hong Kong-based network administrator and IT engineer visit each of the subsidiary offices to maintain a good relationship with each office.
Issues: This is a relational governance mechanism. This is a positive way of ensuring that end user concerns are addressed.

Overall Assessment: Overall, the administration of the function is effective. There are links to the rest of the organisation (job rotation, the SkyIT forum) and the function receives prominence within the organisation.
Recommendations: Review the SkyIT forum for effectiveness and efficiency.

Segregation of Duties

ITGC: There is an operations team that keeps the IT infrastructure up to date and working as well as updating the software – including the in-house developed software Apteryx. The team is relatively small, and Po Yi likes to keep it that way so that she only has one team to deal with. She uses her One Team philosophy, which means that all members of the team report directly to her, and all members of the team can address the needs of end users when they are asked to do so.
Issues: It appears that only one team exists – that operations and system development (and database administration) all take place in the one team. This is a weakness in segregation of duties – a possibility of collusion exists.

ITGC: The team also includes a database administrator, but this role is based in Hanoi.
Issues: This is good, as the database administrator role is physically remote from the development team. However, they are still part of one team.

Overall Assessment: Segregation of duties between operations, development, and database administration is inadequate.
Recommendations: Separate into operations, database administration, and systems development teams. Ensure that software implementation is separate from systems development. Appoint different team leaders for each team to ensure appropriate supervision as a prevention of collusion.

System Development

ITGC: There is an operations team that keeps the IT infrastructure up to date and working as well as updating the software – including the in-house developed software Apteryx.
Issues: System development activities are not kept separate from operational or database administration tasks.

ITGC: Po Yi has an IT manual that documents most of the core tasks that the IT team performs, but the software architects are generally left to their own devices to create the Apteryx software as they see fit. The software architects together design, build, and implement the Star Sea and Sky Apteryx system.
Issues: Systems development is not done according to a mature methodology. It is done as an overall group task, but it is likely that new developers brought into the team take time to train and become effective. Lacking documentation is also a problem for the effectiveness of the systems development function. There is no doubt that, given the importance of the Apteryx software, documentation needs to be given a higher priority.

ITGC: This software is critical to the firm’s success with internally developed algorithms and expert systems that provide advice to Star Sea and Sky’s consultants and financial analysts. These algorithms are the starting point of all the investment assessments Star Sea and Sky make, which is several billion dollars’ worth of investments annually.
Issues: This is an important information system that manages high-value investments. The developments of these algorithms – particularly given their role in decision making – are potentially attractive targets for fraud and should be understood well. They need to be documented and developed according to a mature, managed methodology.

Overall Assessment: Overall, this control is ineffective with opportunities for collusion in a high-value information system.
Recommendations: Identify the systems development methodology used (or implement a recognised methodology if it is not a recognised methodology) and monitor its use. Ensure documentation as appropriate to the methodology exists. Ensure that the algorithms in particular are reviewed and developed in transparent collaboration to reduce the risk that a developer can modify the algorithm to their advantage.

Physical and Online Security

ITGC: The consulting staff all travel regularly and often, and so they are frequently out of the office. Generally, these consulting staff are issued with mobile laptops and tablets. All support staff use desktop computers. All staff connect to the Star Sea and Sky’s data centre in Hong Kong via Wi-Fi and mobile hot spots on their mobile phones. The servers in the data centre provide data/file services to all employees, including the use of a self-hosted NextCloud service.
Issues: Wi-Fi and Internet connectivity needs to be secure – there is insufficient information to be sure that this is the case. More information is required to make this assessment. It seems likely that the NextCloud data service is used to sync files from remote users back to the data centre.

ITGC: The corporate data centre is located in Star Tower in Hong Kong. The current corporate data centre in Hong Kong is four years old and it is due for an upgrade. Currently, the data centre is in the basement of Star Tower.
Issues: Unless the Star Tower is in an area that is generally insecure, it is likely that this location is appropriate. There is no information regarding air conditioning or physical access to the data centre.

ITGC: Backups are done on a daily basis by copying data over the Internet to a local data centre approximately one kilometre away.
Issues: Physical security of the second data centre needs to be reviewed – along with the security of the data transportation mechanism in place. More information is required.

Overall Assessment: Overall, this control cannot be assessed without more information.
Recommendations: Review the connective security of mobile devices and data transportation from the field to the corporate data centre. Review the physical controls in place in the data centre. Review the connective security of the connection between the corporate data centre and the local data centre hosting backup information.

Backup and Contingency Planning

ITGC: The current corporate data centre in Hong Kong is four years old and it is due for an upgrade.
Issues: Plans for this upgrade should be identified, as it takes time to update a data centre and by the time the upgrade is done the data centre might be using dangerously old infrastructure. Ageing systems might become unreliable as well as become obsolete.

ITGC: Currently, the data centre is in the basement of Star Tower.
Issues: Being located in the basement of the Star Tower is problematic – although unlikely, the basement may flood during a rain event. A review of possible flooding should be undertaken here.

ITGC: Backups are done on a daily basis by copying data over the Internet to a local data centre approximately one kilometre away.
Issues: Much information is lacking on data recovery possibilities; however, with a backup done on a daily basis (rather than, say, hourly) it is likely to be insufficient. Further, the local data centre is too local – it is only one kilometre away. Currently, any disaster that affects the Star Tower will likely also affect the data centre that is one kilometre away. Usually, 50–100 kilometres are required.

Overall Assessment: Overall, backup and contingency planning is inadequate.
Recommendations: Commence planning for the data centre upgrade. Include in this plan a review of the location of the data centre and its risk of flooding – consider moving the data centre to a higher ground location with more security. Move the local data centre hosting backup information further away from the Hong Kong location.

Hardware Controls

ITGC: No hardware controls identified.
Issues: No assessment made.

Overall Assessment: No overall assessment made.
Recommendations: None.

(b) Overall, the assessment is that the internal controls system is unreliable.

In particular, the violation of segregation of duties for the development team – and
problems with the systems development process, such as a lack of documentation
and an unspecified methodology – means that a high-value information system is
not governed well and may cause loss.

Similarly, the security of data transport between the large number of staff in
the field and the corporate data centre, and between the corporate data centre
and the replicated local data centre, is not certain as more information is required
to make this assessment.

These two issues in particular make it difficult to rely on the internal controls
system to ensure the authenticity, validity, accuracy, completeness, integrity,
reasonableness, security, and confidentiality of Star Sea and Sky’s information.
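
The segregation-of-duties and system-development weaknesses identified in the analysis above can be tested directly against change records once the recommended team split is in place. The following Python example is added here and is not part of the original module; the change-log layout, the people, the component names and the team assignments are all constructed assumptions.

```python
from collections import defaultdict

# Constructed change records for an in-house system such as Apteryx.
# Field names, people and components are hypothetical, not taken from the case.
CHANGES = [
    {"id": "CHG-101", "component": "algorithm", "developer": "arch1",
     "reviewer": "arch2", "deployer": "ops1"},
    {"id": "CHG-102", "component": "algorithm", "developer": "arch3",
     "reviewer": "arch3", "deployer": "ops1"},
    {"id": "CHG-103", "component": "reports", "developer": "arch2",
     "reviewer": "arch1", "deployer": "arch2"},
    {"id": "CHG-104", "component": "algorithm", "developer": "arch4",
     "reviewer": "", "deployer": "dba1"},
    {"id": "CHG-105", "component": "reports", "developer": "arch1",
     "reviewer": "arch2", "deployer": "arch3"},
]
# Team membership after the recommended split into three teams (assumed).
TEAMS = {"arch1": "development", "arch2": "development", "arch3": "development",
         "arch4": "development", "ops1": "operations", "dba1": "database"}


def change_findings(changes, teams):
    """Return (change id, finding) pairs for each segregation-of-duties breach."""
    findings = []
    for change in changes:
        dev, rev, dep = change["developer"], change["reviewer"], change["deployer"]
        if not rev:
            findings.append((change["id"], "no review recorded"))
        elif rev == dev:
            findings.append((change["id"], "developer reviewed own change"))
        if dep == dev:
            findings.append((change["id"], "developer deployed own change"))
        elif teams.get(dep) != "operations":
            findings.append((change["id"], "deployed from outside operations"))
    return findings


def people_with_conflicting_duties(changes):
    """People who both develop and deploy somewhere in the log, even on different changes."""
    duties = defaultdict(set)
    for change in changes:
        duties[change["developer"]].add("develop")
        duties[change["deployer"]].add("deploy")
    return sorted(p for p, held in duties.items() if {"develop", "deploy"} <= held)


def unreviewed_high_risk(changes, component="algorithm"):
    """Changes to the high-value component that lack an independent reviewer."""
    return [c["id"] for c in changes
            if c["component"] == component
            and (not c["reviewer"] or c["reviewer"] == c["developer"])]


if __name__ == "__main__":
    for change_id, finding in change_findings(CHANGES, TEAMS):
        print(change_id, finding)
    print(people_with_conflicting_duties(CHANGES))
    print(unreviewed_high_risk(CHANGES))
```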

Apply and Analyse 9


BA Financial Services Limited (BAFS) provides investor master classes for high-wealth and
institutional investors on how to develop and create their wealth through investment in the
share market. BAFS refers to such clients as BA Winners.

As part of this process, BA Winners are encouraged to apply to undertake the courses
on credit – that is, take the course now and pay for the course out of later profits.



Some BA Winners are also extended credit in the form of margin loans that they can
invest in the share market through BAFS.

The assessment of each application is managed by an individual assessor from start to
finish using the BAFS InvestorWin information system. InvestorWin is an expert system that
the individual assessor uses to evaluate both credit worthiness and investor worthiness.
BAFS considers credit worthiness to reflect how much of a ‘winner’ the applicant has been
in the past and investor worthiness to reflect how much of a ‘winner’ the applicant will be
in the future.

The whole assessment commences with the BA Winner completing an application
form. The individual assessor is paid HK$1,000 for each application approved by the
area manager.

This application includes the current wealth, statements of profit or loss, and other
comprehensive income from the applicant’s current financial advisors. With the investor’s
permission, further information is obtained through a detailed credit report from CreditGo.
This information is entered into the InvestorWin expert system and used to determine the
BA Winner’s credit worthiness score.

Applicants then take an online personality test (‘investor trait assessment’) and are
interviewed by the assessor using a pre-determined interview protocol. The results of the
personality test and the interview are then entered into InvestorWin. This information is
used to determine the BA Winner’s investor worthiness score.

InvestorWin then uses its own algorithm to automatically develop a report that
assesses whether to extend credit to the applicant. The algorithm for assessing credit
worthiness and investor worthiness is proprietary and commercially sensitive, and is kept
secret by the system developer. The final report is reviewed by the assessor and a final
assessor recommendation is developed. The recommendation is submitted to an area
manager, who then approves or rejects the application based on the assessment.

Required

(a) Outline several risks that exist with this business process for extending credit to
BAFS investor clients.

(b) Identify the risk you consider to be the most important in this context. Explain
your answer.

Analysis

(a) The focus in this case is to identify risks in the credit extension process. There are
several risks that may be considered here.

First, some inherent risk arises due to the very nature of the business. BA Winners
are already high-wealth individuals and will be likely to defend their legal rights
vigorously, and have the ability to do so. This means that BA Winners that
undertake the course on credit on the proviso that they pay for the course out of
later profits are unlikely to pay if the profits do not arise. Inherent risk also arises
due to margin loans using shares as collateral – a volatile share market can result
in considerable losses, which means that BAFS loans might not be repaid.

Second, the process itself has dangers due to the use of an expert system that
provides an initial assessment. Although the assessor reviews the application, it
is likely that the assessor will anchor on the expert system’s assessment and not
vary too far from the algorithm. This is the anchoring and adjustment effect – in
the absence of information that shows that the initial assessment is materially
incorrect, the assessor will use the assessment made by the algorithm rather than
try to second-guess the expert system. The assessment is likely biased towards
that made by the initial algorithm.

Third, there are risks that arise from the development process. The algorithm
is proprietary and secret. One risk is that the developer will make changes to the
algorithm to their own advantage – for example, to obtain a loan on favourable
terms. The development of the algorithm needs to have integrity and be
trustworthy.

Fourth, a risk arises with the compensation scheme for the assessor. It is in
the interest of the assessor to approve applications for credit as they receive a
payment for each approved application. An assessor that denies credit receives
no payment.

Fifth, there are data privacy risks with the applicant’s personal information with
a detailed credit report and statements of profit or loss and other comprehensive
income. BAFS needs to be confident in its ability to securely manage this
information.
There are other risks, but these are several key risks that are readily apparent
from the material provided.

(b) Of the five risks identified, one of the highest risks to BAFS arises from the
development process. There are three relevant reasons here.

First, the development process is one that has no transparency, and BAFS does not
know how the overall credit worthiness score is calculated.

Second, and by extension, BAFS has no control over the algorithm despite its
importance in the extension of credit.

Third, errors in the algorithm will likely result in large losses due to the likely
size of the investments made by BAFS clients. BAFS will likely be liable for losses
arising from negligence in the algorithm despite BAFS’s ignorance of its workings.

Other risks can be identified, but this discussion provides some examples
to consider.


Knowledge Check Questions

Question 52
Identify which of the following the IDEA software package is BEST characterised as an
example of.
A Technique that supports the black-box audit approach.
B Data visualisation tool.
C Automated Working Papers.
D Generalised Audit Software.

Question 53
Identify which of the following techniques are used in auditing through the computer.
A Input controls testing, processing controls testing, and output controls testing.
B Parallel simulation, a base case evaluation, and an integrated test facility.
C Reconciliation, a base case evaluation, and an integrated test facility.
D None of the above techniques is used in auditing through the computer.

Question 54
Identify which of the following explains why offline, incorruptible, and disconnected backups
are a key corrective control.
A It prevents malware from encrypting backed-up data and allows data to be restored.
B It prevents cyber attacks from occurring.
C It prevents malware from encrypting online operational data.
D It prevents unauthorised software from being installed.

Question 55
Identify which of the following is not a base control that is effective in safeguarding against
cyber-security attacks.
A Using anti-virus software.
B Application whitelisting.
C Daily backup of important data.
D Integrated test facility.

Question 56
Identify which of the following describes the cyber-security safeguard of application
whitelisting.
A It allows only authorised software to run on the computer.
B It prevents demonstrably dangerous applications from running on the computer.
C It automatically implements application software updates as they become available.
D It assigns user privileges on the basis of need.



Question 57
Identify which of the following describe how auditors test computer application controls.
A By assisting in black-box testing but not white-box testing.
B By assisting in white-box testing but not black-box testing.
C By assisting with both white-box and black-box testing.
D By executing all black-box testing procedures.

Question 58
Outline why daily offline backups are an important safeguard against cyber attacks.

Question 59
Explain whether an auditor should communicate any weaknesses in the internal control
system to management.

Question 60
In your view, explain whether an auditor should use a white-box or black-box approach
when auditing a COTS software solution.

Question 61
Outline reasons why specialised auditing software might be inappropriate for a
particular audit.

Question 62
Identify a weakness of testing through the computer at the time of the audit, and illustrate
how this weakness might be addressed.

13.6 E-COMMERCE CONTROL ISSUES

Increasingly, commercial activities take place in an online environment. In addition to the risks
that accompany transactions in the real world, there are specific risks for transactions that arise
when operating in an online environment. E-commerce activities present control issues that the
auditor must address in the audit plan.

E-commerce has several key characteristics. However, other IS that are not e-commerce
IS can demonstrate the same or similar features (e.g. a high volume of transactions or cross-
border transactions) even though they do not support online transactions. In such cases the
control issues that relate to e-commerce IS may also apply to other IS. These key characteristics
require internal controls that address concerns specific to such IS. Several auditing procedures
exist that solely address the internal controls issues that arise from e-commerce.

Overall, the auditor must consider the impact of e-commerce on the financial audit. The
audit plan should include audit procedures relevant to e-commerce activity.


13.6.1 Detailed Characteristics of E-commerce Systems


E-commerce refers to digitally enabled commercial transactions between a seller and a
purchaser. In the majority of instances, e-commerce transactions are supported by IS that
operate over the Internet, including smartphone applications. E-commerce has become a
common way of doing business. An e-commerce system supports an online marketplace that
enables the sale of a good or service – real or virtual.

E-commerce systems have several characteristics that are unique. Most of these
characteristics derive from the Internet and the low cost of creating, copying, tailoring,
updating, and delivering digital information anywhere in the world at any time. There are eight
unique characteristics of e-commerce.

First, unlike traditional marketplaces constrained by their physical location, e-commerce
systems are supported by IS that allow e-commerce to be ubiquitous. Particularly with the
growth of mobile computing and the use of smartphones, e-commerce can be accessed from
almost all places. For example, a hotel can provide a smartphone application that allows
customers to make bookings whether the customer is at their desk, in a taxi, or travelling
abroad. As long as there is access to the Internet, there is also access to the e-commerce IS.
A successful transaction does not require the consumer to travel to the seller or vice versa.

Second, e-commerce systems have a global reach: that is, such systems operate across
national borders at no, or at least low, cost. Traditionally, a marketplace was restricted to
buyers and sellers inside a defined regulatory zone such as a province or a country. For
example, a store with a physical storefront located in Causeway Bay can attract passing traffic.
With an e-commerce system, however, that store can attract passing traffic throughout the
world. This means that e-commerce systems enable access to a larger market, meaning that a
seller of niche goods or services can access a more sizeable market.

Third, e-commerce IS are built with technologies that use universal standards no matter
the country. Other technologies – for example, radio, television, and the mobile phone – use
national standards that mean a device used in one country may not work in another. This is
not the case with e-commerce IS. These common and universal standards are important in
supporting the global reach and ubiquitous nature of e-commerce.

Fourth, e-commerce IS support a richness of information that is scalable. In a traditional
market, providing such rich information is costly and time-consuming and so the richness of
information is a trade-off against customer reach. However, the information provided by an
e-commerce system can be complex and rich without affecting the reach of the information.
Information about the item can be tailored for the customer or more information can be easily
provided on demand.

Fifth, the sheer density of information supported by e-commerce systems is also unique.
Information density refers to the total amount of, and quality of, information available to sellers
and purchasers in the marketplace. The cost of producing, storing, updating, and accessing
this information is very much lower than in the physical environment, and this increases the
timeliness and accuracy of the information available. The seller and the buyer both benefit
from this characteristic. For example, if a transport company wishes to add a new bus route
or change the price of a bus tour to Repulse Bay and Stanley, this change can be achieved on
a web page for little to no cost. In contrast, changing printed marketing material or catalogues
is expensive and difficult. The purchaser can compare accurate information in the market and
the seller can more quickly adjust their offerings in the market to be competitive. This feature is
what economists refer to as menu cost – the cost to a firm of changing the prices it charges for
the goods and services offered. E-commerce systems reduce menu cost to near-zero.

Sixth, e-commerce IS are also interactive. The buyer and the seller in the marketplace can
interact, ask questions, provide information, or execute the transaction no matter where they
are in the world. In contrast, transactions in the physical world require a face-to-face interaction
or, at the very least, a telephone conversation. An e-commerce IS can dynamically format and
present information depending on the device used to access the system, and it can change
or update information (for example, by magnifying images or adding optional features to the
product or service) as the user interacts with the system. There is also the option of providing
messenger systems so that any user can interact directly with the firm no matter the time or
their location.

Seventh, e-commerce IS also allow personalisation and customisation of the information
provided. An e-commerce IS can tailor its output depending on what information is accessible
regarding the potential customer. The system might provide quite different interfaces,
information, and advertisements depending on the user’s location, browser history, and social
media profile such that no user has exactly the same user experience on the website. Language
need not be a barrier either, with features such as Google Translate in Chrome allowing users
to access websites in languages in which they are not fluent.

Finally, e-commerce systems can leverage social technologies to encourage and support
the global creation and sharing of content relating to their products. Users – in some cases,
fans – of the product can share their stories and create content using social technologies.
For example, the richness of information allows the e-commerce system to link to a YouTube
or Youku Tudou review of a product that the user can then share through their online
social networks.

In summary, e-commerce is ubiquitous, has global reach, is built on
universal standards, and supports a richness of information as well as high information density.
E-commerce is also interactive, allows high personalisation/customisation, and can leverage social
technologies. Taken together, these eight characteristics are unique to e-commerce systems.
Some aspects are shared with other types of IS, but only e-commerce systems exhibit all of
these unique features. This mix of unique features means that e-commerce systems require
several internal controls that are unique to those systems and thus require specific and
focused auditing procedures.

Key Learning Point


E-commerce refers to digitally enabled commercial transactions between a seller and a
purchaser. E-commerce has become a common way of doing business.
There are eight unique characteristics of e-commerce: that is, e-commerce is
ubiquitous, has global reach, uses universal standards, and supports a richness of
information as well as high information density. E-commerce is also interactive, allows high
personalisation/customisation, and can leverage social technologies.

13.6.2 Internal Controls in E-commerce


Principally, the fact that e-commerce IS are constantly exposed to the Internet determines
the nature of their internal controls. E-commerce IS are required to ensure integrity,
non-repudiation, authenticity, confidentiality, privacy, and availability.

Integrity requires that data stored or transmitted are unaltered. Non-repudiation means
that the participants in the market cannot challenge (i.e. repudiate) an online transaction, and
authenticity requires that e-commerce IS confirm that market participants are who they claim to
be. Confidentiality is about ensuring data are seen only by those authorised to see it, whereas
privacy provides tools that allow participants to control the use of the information they provide.
Finally, availability requires that the e-commerce IS are available for use. These requirements
have implications for internal controls around security, and especially user authentication.

The security arrangements must consider all of the cyber-security safeguards discussed in
Section 13.5.4: that is, e-commerce systems also require the controls of anti-virus, authorised
software, authorised users, assigned user privileges, and daily backups. However, in addition a
more detailed plan that is focused on the needs of e-commerce IS is required.

The audited entity’s e-commerce security plan starts with an initial risk assessment. This
risk assessment considers the system’s risks and the points of vulnerability. The information
assets are identified and ranked according to the value or impact if that information were to be
compromised, lost, or stolen, and for each information asset the probability that that
loss might be realised is estimated.

This list of information assets should then inform the development of a security policy
that identifies the firm’s risk appetite and mechanisms for reducing the risk to this goal. This
requires an understanding of the information asset and the likely cost of protecting that asset
to an acceptable level of risk.

The security plan should next identify the technologies, processes, and the structures and
teams needed to implement the security policy.

The security plan then identifies controls that document the technologies, processes, and
structures and teams relied upon to ensure the security of e-commerce IS. As the system is
almost entirely reliant on its IT controls in a virtual environment, there are few opportunities
for manual controls in an online e-commerce IS. There are no second chances to control for
errant transactions. For that reason, the controls that operate in an offline IS also apply to
e-commerce systems, but even more so as the compensating manual controls do not exist.

The cyber-security safeguards discussed above provide an effective foundation of
mitigation strategies that protect against cyber attacks. Such controls need to be automatic,
dynamic, multi-compensating, and preventive. It is likely that the e-commerce security plan
refers to these controls for offline IS, but it would usually not document them. Additional
controls that more specifically protect online environments are required.

Firewalls and proxy servers should be standard. A firewall is networking hardware that
protects the information assets from unauthorised external access. In addition to standard
firewalls and proxy servers, other relevant internal controls include intrusion detection systems
that use algorithms to indicate patterns of activity that are suspicious or intrusion prevention
systems that not only detect the intrusion but also can terminate suspicious connections.
Neither of these controls adequately defends on its own against common DoS (‘Denial
of Service’) or DDoS (‘Distributed Denial of Service’) attacks that overwhelm the network’s
defences. In these attacks, the e-commerce site is flooded with network data requests so much
that the network infrastructure fails – the website and system become no longer available.

One option for reducing the impact of these attacks is the use of cloud service providers
(‘DDoS Mitigation Services’). Other enhanced internal controls for e-commerce systems include
the patching of operating systems and software against zero-day exploits and the encryption of
both web traffic and data stored in the cloud.

The e-commerce security plan would identify the access controls to the network (including
biometric controls and/or multi-factor user authentication) and the authorisation management
systems implemented. For example, in an online environment multi-factor authentication
using tokens or biometric devices may be required in addition to the username and strong
passwords expected in an offline environment. Encryption and digital signatures can also be
used to ensure the identity of users of the e-commerce IS.

The e-commerce security plan is not static and needs to be monitored.
Security audits that regularly review access logs and monitor the implemented security
plan provide this feedback. This feedback results in adjustment to the e-commerce security
arrangements through ongoing maintenance by those responsible for the e-commerce security
plan. In larger organisations, it is very likely that an organisational team or business unit will be
needed that has carriage of the security function. In smaller organisations operating online, such
roles might be fulfilled by external service providers.
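
One way the access-log review described above could be re-performed, as an added example that is not part of the original text: the log format, field names, thresholds and sample lines are all constructed assumptions. It flags successful logins that lacked a second factor and successes that follow a burst of failures, and it reports unparseable lines rather than dropping them.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. The key=value layout and every value are hypothetical.
SAMPLE_LOG = """\
2022-11-16T09:00:01Z user=alice src=198.51.100.10 result=success mfa=totp
2022-11-16T09:05:10Z user=bob src=203.0.113.7 result=fail mfa=none
2022-11-16T09:05:20Z user=bob src=203.0.113.7 result=fail mfa=none
2022-11-16T09:05:31Z user=bob src=203.0.113.7 result=fail mfa=none
2022-11-16T09:05:45Z user=bob src=203.0.113.7 result=success mfa=none
2022-11-16T10:15:00Z user=carol src=198.51.100.22 result=fail mfa=none
2022-11-16T10:15:30Z user=carol src=198.51.100.22 result=success mfa=token
this line is malformed and must be reported, not silently dropped
"""

FAIL_THRESHOLD = 3             # assumed policy: failures that count as a burst
WINDOW = timedelta(minutes=5)  # assumed policy: look-back window for failures
REQUIRED = {"user", "src", "result", "mfa"}


def parse_line(line):
    """Return a dict for one log line, or None if the line is malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not REQUIRED <= fields.keys():
        return None
    if fields["result"] not in ("success", "fail"):
        return None
    fields["ts"] = ts
    return fields


def review_log(text):
    """Return (line number, finding, detail) tuples.

    Assumes the log is in chronological order, as an append-only log would be.
    """
    findings = []
    recent_fails = defaultdict(deque)  # user -> timestamps of recent failures
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            # A gap in the evidence is itself an exception to follow up.
            findings.append((lineno, "UNPARSEABLE", line.strip()[:40]))
            continue
        fails = recent_fails[ev["user"]]
        # Forget failures that are older than the look-back window.
        while fails and ev["ts"] - fails[0] > WINDOW:
            fails.popleft()
        if ev["result"] == "fail":
            fails.append(ev["ts"])
            continue
        # From here on the event is a successful login.
        if ev["mfa"] == "none":
            findings.append((lineno, "NO_SECOND_FACTOR", ev["user"]))
        if len(fails) >= FAIL_THRESHOLD:
            findings.append((lineno, "SUCCESS_AFTER_FAILURE_BURST", ev["user"]))
        fails.clear()  # a success resets the failure count for that user
    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```

Each finding is an exception for follow-up with the team responsible for the security function, not a conclusion in itself.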

In entities with e-commerce IS, the major internal control is an e-commerce security plan
that documents the technologies, processes, and the structures and teams responsible for
implementing cyber-security controls focused on the e-commerce IS.

Key Learning Point


E-commerce IS are required to ensure integrity, non-repudiation, authenticity, confidentiality,
privacy, and availability. As e-commerce operates in a virtual environment, e-commerce
is almost entirely reliant on IT controls – few controls can be implemented to support
e-commerce that are not virtual.

13.6.3 Auditing E-commerce


Audit procedures for online e-commerce IS use the same framework as the audit procedures
for offline IS. The audit planning approach is the same as that discussed in Section 13.4.4.1, but
with some changes in emphasis. The auditor still gathers the information and evidence needed
to inform and support their professional opinion regarding the risk of material misstatement
in the financial reports, and this evidence-gathering is done according to an audit strategy and
plan that sets out the nature and timing of audit procedures.

Integrating the audit of e-commerce IS into this plan requires the auditor to obtain
additional understanding during the planning phase, and then to perform additional tests of
controls and substantive tests according to the auditor’s judgement. The auditor’s evaluation of
the results considers the system of controls as a whole.

The audit of e-commerce IS follows the same steps as the audit of other IS. The audit
planning phase requires the auditor to understand the IT environment by reviewing the
organisation’s policies, practices, and structure. This review is undertaken by the auditor
making inquiries of the client regarding IT department structure, function, and environment. As
part of considering the IT environment, the auditor determines whether the organisation relies
upon an e-commerce IS.

As with non-e-commerce IS, there is the likelihood that some IS are provided by third-party
service organisations, although this is more likely in the case of e-commerce IS. Often, because
the business arrangement prevents the auditor from testing the third-party provider’s
environment, the auditor will rely upon the service organisation’s auditors’ Type 1 or Type 2
assurance reports (as described in Section 13.2.4, Networked Systems).

The extent to which the auditor evaluates the internal controls is a matter of professional
judgement, and so the auditor only reviews the ITGC and application controls relating to
the e-commerce IS that in the auditor’s judgement are relevant to the audit based on the
risk assessment procedures applied in understanding the components of the system of
internal control and the risk of material misstatement at the financial statement and relevant
assertion levels.

The relevance of these controls to the audit depends upon the materiality of the
e-commerce IS to the organisation’s financial reports. For an organisation with an e-commerce
IS that is not material to the financial report, the auditor’s judgement may be that the
e-commerce IS are not relevant to the audit and thus the audit plan would make no special
accommodation for e-commerce IS controls. On the other hand, if the e-commerce IS are
material to the organisation’s financial reporting then the audit plan would be likely to consider
the ITGC and application controls relating to that e-commerce IS as relevant to the audit and
plan accordingly. As e-commerce IS rely almost exclusively on the controls embedded in the IT
without manual intervention, the ITGC in place is very important for e-commerce IS.

As part of their review, the auditor documents the general ITGC and application controls
relating to e-commerce IS that are relevant to the audit. These controls include, but are not limited
to, those identified in the e-commerce security plan, and so the e-commerce security plan is a
starting point for this review. The auditor documents the controls identified in the e-commerce
security plan, should it exist. The auditor also documents other relevant controls. Taken together,
the auditor reviews controls including the risk assessment of the e-commerce IS’s information
assets, the e-commerce security policy, and the technologies, processes, and structures and teams
needed to implement the security policy and keep the e-commerce IS secure.

Technology controls to consider include firewalls and proxy servers. Other technology
controls include intrusion detection systems, intrusion prevention systems, and any
technologies to reduce the impact of Denial of Service attacks (including DDoS Mitigation Cloud
Service Providers). The encryption of both web traffic and data stored in the cloud is another
technology control to consider, as is the use of digital signatures. The auditor should make
inquiries to determine whether other technology controls are in place.

Process controls to consider include the regular patching of operating systems and
software against zero-day exploits, the use of access controls to the network (for example, the
enforcement of strong online passwords and usernames, biometric controls, and/or multi-
factor user authentication), and the use of authorisation management systems. The auditor
should make inquiries to determine whether other process controls are in place.

Structural controls relate to the skilled staff required to implement these technology and
process controls. The auditor should make inquiries to identify the business unit (or service
provider) with responsibility for the e-commerce security function. This unit should monitor
and maintain the technology and process controls, and document their activity appropriately.
The auditor should make inquiries to determine whether other structures and teams that are
part of the e-commerce IS controls are in place.

Having documented the controls in place as they relate to e-commerce, the auditor
then plans the tests of controls and substantive testing procedures. Substantive tests use
records outside of the IS to determine whether the entity’s electronic records fairly reflect the
organisation’s transactions. The confirmation of the balances reported in the financial reports
with independent third parties or observation of the physical inventory count is a common
substantive test. In auditing e-commerce IS, however, such substantive testing may not be
possible where there are many transactions with anonymous parties. Accordingly, the audit
plan for an e-commerce IS emphasises the role of controls testing.

First, the auditor evaluates the design effectiveness of the ITGC as a whole, including the
ITGC of offline IS. Compensating controls are considered in this evaluation. If the design of a
general control is ineffective then the control cannot be operationally effective, and so planning
for further evaluation of that control is not required.

If, however, the general control is effectively designed, then the operational effectiveness
of the general control is evaluated if it is material and relevant to the audit in the auditor’s
judgement.

Some internal controls of e-commerce IS are more general in nature and should be
considered as part of the ITGC system. The e-commerce security plan, with its information
asset risk assessment and security policy, is general in nature, together with the technology and
process controls that are not specific to individual systems and the structures and teams that
support these controls.

Second, the auditor evaluates the design effectiveness of technology and process controls
specific to individual e-commerce IS. These controls will include the technology and process
controls that are specific to individual e-commerce IS. The auditor plans to test the technology
and process controls that are potentially effective, where those controls are material and
relevant to the audit in the auditor’s judgement.

As with the audit of offline IS, the planned mix of controls testing and substantive testing
is a matter of professional judgement informed by factors. It is very likely that the audit
procedures will consist of a mix of both controls testing and substantive testing. In audited
entities with material e-commerce IS, and particularly where the parties to these transactions
cannot be identified or cannot be relied upon as independent third parties, controls testing will
likely be more prominent in the audit procedures.

As with the audit of offline IS, controls testing is undertaken through client inquiry,
examination of documents and reports, observation, or re-performing the procedures that
are part of a control (such as a process walkthrough with real or test data). HKSA 315 (Revised
2019) requires that the auditor uses procedures in addition to client inquiry if the control is
relevant to the audit.

The controls to be tested include the technology and process controls that are specific to
individual e-commerce IS. These controls are broad in range and some are technical. Testing
the controls through examination of documents and records, observation, or
re-performance may be sufficient to establish the effective operation of material controls.

As some technology controls are quite technical, it is likely that the auditor will require the
support of specialist auditors in evaluating the effectiveness of these controls. For example, the
auditor can engage a security specialist to review the configuration of the firewalls, routers, and
network infrastructure, or a database specialist might be required to review the access controls
for a particular database management system.

If the design of the application controls as a whole is effective and the controls operate
effectively, then the audit approach may have a high reliance on the internal controls system,
and substantive testing can be lessened. Overall, e-commerce IS have a high dependency on IT
controls and considerable design effort should be invested in such systems to ensure
the completeness, validity, and accuracy of the information they contain.

Substantive tests use records outside the IS to determine whether the entity’s electronic
records fairly reflect the organisation’s transactions. Substantive tests can include physical
examination, confirmation, inspection, client inquiries, re-performance, analytical procedures,
or recalculation. Substantive tests can also include tests of transactions, analytical procedures,
and tests of details of balances.

Certain substantive tests may be difficult to perform for e-commerce IS. For example,
the goods shipped may be virtual, or the clients may be anonymous, unreliable, or difficult
and expensive to contact. As a result, it is likely that tests requiring physical examination,
confirmation with clients, or inspection cannot be made or are impractical.

The auditor may nevertheless need to undertake substantive testing of e-commerce IS
where the reliance on controls is low or the controls are ineffective. In such cases the auditor
would be likely to rely upon recalculation or analytical procedures to substantiate the entity’s
electronic records. This assessment is incorporated into the final audit report. In the final
analysis, the auditor’s assessment of whether the financial statements are materially misstated
relies upon their informed judgement.
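
A sketch of the recalculation and analytical procedures mentioned above, added here as an illustration and not taken from the original text: the order extract, field names and zero tolerance are constructed assumptions. It recalculates each order total from its line items and checks the order-number sequence for gaps and duplicates.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed extract of an e-commerce order table. Field names and values are
# hypothetical; amounts are held as strings so no binary float rounding occurs.
ORDERS = [
    {"order_no": 1001, "lines": [("2", "49.90"), ("1", "10.00")],
     "discount_pct": "0", "recorded_total": "109.80"},
    {"order_no": 1002, "lines": [("3", "19.99")],
     "discount_pct": "10", "recorded_total": "53.97"},
    {"order_no": 1003, "lines": [("1", "250.00")],
     "discount_pct": "0", "recorded_total": "205.00"},
    {"order_no": 1005, "lines": [("4", "12.50")],
     "discount_pct": "0", "recorded_total": "50.00"},
    {"order_no": 1005, "lines": [("4", "12.50")],
     "discount_pct": "0", "recorded_total": "50.00"},
]

CENT = Decimal("0.01")
TOLERANCE = Decimal("0.00")  # assumption: any difference is an exception


def recalculate(order):
    """Rebuild the order total from quantity x unit price, less the discount."""
    gross = sum((Decimal(q) * Decimal(p) for q, p in order["lines"]), Decimal("0"))
    net = gross * (Decimal("100") - Decimal(order["discount_pct"])) / Decimal("100")
    return net.quantize(CENT, rounding=ROUND_HALF_UP)


def accuracy_exceptions(orders):
    """Accuracy: orders whose recorded total differs from the recalculation.

    Returns (order_no, recalculated total, recorded minus recalculated).
    """
    exceptions = []
    for order in orders:
        expected = recalculate(order)
        diff = Decimal(order["recorded_total"]) - expected
        if abs(diff) > TOLERANCE:
            exceptions.append((order["order_no"], expected, diff))
    return exceptions


def sequence_exceptions(orders):
    """Completeness: missing and duplicated numbers in the order sequence.

    Assumes order numbers are issued consecutively by the system.
    """
    seen, duplicates = set(), set()
    for order in orders:
        number = order["order_no"]
        if number in seen:
            duplicates.add(number)
        seen.add(number)
    if not seen:
        return [], []
    missing = sorted(set(range(min(seen), max(seen) + 1)) - seen)
    return missing, sorted(duplicates)


def net_difference(orders):
    """Sum of recorded-minus-recalculated differences across all exceptions."""
    return sum((diff for _, _, diff in accuracy_exceptions(orders)), Decimal("0"))


if __name__ == "__main__":
    print("accuracy exceptions:", accuracy_exceptions(ORDERS))
    print("missing / duplicated order numbers:", sequence_exceptions(ORDERS))
    print("net difference:", net_difference(ORDERS))
```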

Key Learning Point


Certain substantive tests may be difficult to perform for e-commerce IS (for example,
where goods are virtual or clients are anonymous).

Audit procedures for online e-commerce IS use the same framework as the audit
procedures for offline IS. Additional tests of controls and substantive tests are required if
the auditor’s risk assessment procedures identify that there is an e-commerce system that
presents a risk of material misstatement in the financial statements.

The auditor documents the controls identified in the e-commerce security plan, should
it exist. The auditor also documents other relevant controls.

Knowledge Check Questions

Question 63
Identify what the characteristic of information density refers to.
A The ability to tailor the output of an e-commerce website to the personal interests of the
prospective customer.
B The complexity and richness of the information.
C The total amount of, and quality of, information available to sellers and purchasers in the
marketplace.
D The ability to access information anywhere in the world.

Question 64
Yunfei is able to access the Hong Kong Harbour Cruises (HKHC) e-commerce website from
Singapore to book and pay for a cruise using the same smartphone she uses in Hong Kong,
where HKHC is based. Identify which of the following characteristics of e-commerce IS this
capability most closely reflects.
A Personalisation and customisation.
B Ubiquity.
C Interactivity.
D Global reach.

Question 65
Besides being required to ensure integrity, authenticity, and privacy, identify which of the
following the e-commerce IS are supposed to accomplish.
A Non-repudiation, confidentiality, and availability.
B Ubiquity, sensitivity, and availability.
C Timeliness, dependability, and security.
D Faithfulness, secrecy, and reliability.

Question 66
Identify which of the following is the most accurate description of e-commerce security
plan documents.
A They are the foundational cyber-security safeguards used in all of the entity’s IS.
B They consist of the technologies, processes, and the structures and teams responsible
for implementing cyber-security controls focused on the e-commerce IS.
C They contain the configuration settings of firewalls and proxy servers.
D They identify the measures to be taken to ensure the ability of the entity to continue to
operate in the event of a cyber attack.

Question 67
Identify which of the following statements is most correct in relation to the substantive
testing of e-commerce IS.
A It is more difficult to perform than substantive testing of an offline IS.
B It is not possible.
C It is easier to perform than substantive testing of an offline IS.
D It is about the same level of difficulty as the substantive testing of an offline IS.

Question 68
Identify which of the following statements is false regarding an e-commerce audit.
A All substantive tests are considerably easier to perform for e-commerce IS than for
offline IS.
B The auditor reviews the technologies, processes, and the structures and teams needed
to keep the e-commerce IS secure.
C Process controls in e-commerce IS include the regular patching of operating systems and
software against zero-day exploits.
D The e-commerce security plan requires regular refreshment and renewal to remain
relevant in the face of changing security threats.

Question 69
Consider the following statement: ‘E-commerce IS are entirely reliant on their IT controls.’
Explain whether you agree with this view.

Question 70
Describe the high-level steps that should be taken in developing an e-commerce security
plan. If these steps are not taken, explain whether this means that the ITGC around
e-commerce IS are ineffective.

Question 71
Explain whether an auditor without specialist skills in cyber-security is able to assess the
risk of material misstatement in the financial reports without the support of a specialist IT
auditor who has cyber-security skills.

SUMMARY

Summary of Overview of Computerised Business Systems

IT Department Structure

• The IT department is the area responsible for providing the IT services upon which the
entity depends. An understanding of the structure of the IT department is important in
understanding the entity’s IT environment and system of internal control.

• There are three common ways of organising the IT function, although most entities are likely
to reflect aspects of each model. These are the centralised, decentralised, and federated/
hybrid operating models.

• The auditor needs to understand and document the IT department structures in place to the
extent that it addresses the components of the entity’s system of internal control and deals
with the use of IT to support its business model.

IT Department Functions

• IT department functions relate to IT planning, building, running, and management.

• The auditor is most concerned with how the IT function develops and operates the entity’s IS
and the source of the information that is reported in the financial reports.

• The auditor is also concerned with how the network is made accessible to authorised users
and how it is secured against attempts to gain unauthorised access.

• The auditor needs to understand and document the entity’s approach to developing,
implementing, and operating the IS that support the financial reports.

• The auditor needs to understand and document the functions of the IT department to the
extent that they are relevant to the audit.

Summary of IT Environment

The auditor’s understanding of the IT environment often commences with an initial
walkthrough test as part of the financial audit.

• A walkthrough test identifies source documents that commence a transaction cycle (e.g. a
purchase order). The document is followed through the process until the process is
completed. During the test, the auditor makes inquiries, inspects documents and records, and
documents their own observations.

• The auditor obtains an understanding of the components of the system of internal control
and the control activities in developing their understanding of the IT environment.

Implementation of New IT Systems

• The auditor needs to understand and document how new systems are selected, developed,
and implemented.

• New systems can be Commercial Off-the-Shelf (COTS) solutions or custom-developed.
A custom solution needs more auditor attention than a COTS solution.

Financial Reporting Systems

• The auditor identifies the IS that provide information to the FRS. Material misstatements in
these systems will flow into the financial reports.

• The systems are part of the entity’s expenditure, conversion, or revenue cycles.

• Systems that do not provide information to the FRS are of less interest to the auditor.

• The auditor documents how the IS relate to the FRS and the financial reports.

E-commerce Overview and Importance to Business

• The auditor must understand how e-commerce transactions affect the reports.

• E-commerce systems face higher risks and uncertainty than offline systems.

• E-commerce IS can be very complex.

• E-commerce systems record transactions in a wholly digital environment and are entirely
reliant on IT controls that operate in real-time.

• The auditor documents the e-commerce IS and their relationship to the financial reports.

Networked Systems

• The auditor needs to understand the configuration of the hardware and IT infrastructure, the
networked resources that support the financial reports, and the manner in which cloud-based
services, if any, are used at the audited entity.

• The auditor documents the networked systems and their relationship to the FRS.

PC Systems

• The auditor must understand how PC systems are used and how they are kept secure.

• PC systems are often used in smaller organisations or for specialised software.

• PC-based systems are often more difficult to manage, update, and keep secure as part of a
regular centralised maintenance program. They are often riskier.

• The auditor documents the PC systems that exist and their relationship to the FRS.

Summary of IT Strategy

The Role of IT Strategy

• An audited entity needs to undertake strategic and directed action if it wishes to implement its
policies, practices, and procedures through its IS.

• At a high level, IT strategy addresses three areas:

(i) It sets out how IS are used to support business strategy.

(ii) It provides an overall master plan of the IT function.

(iii) It documents the shared view of the IT function’s role within the organisation.

• The IT strategic plan defines the IT strategy and the objectives that the investment in IT is
expected to achieve. It includes a strategic road map that identifies the steps required to
deliver the IT strategy.

• The IT strategy recognises dependencies between programs and projects, schedules and
prioritises projects, and defines strategic and risk assessment initiatives.

• The IT strategy should recognise the importance of the change management approach to
ensuring system integrity before, during, and after changes are made.

• The auditor should consider the extent to which the IT strategy recognises and supports the
integration of internal controls in developing and maintaining the IS.

How Information Technology Improves Internal Controls

• IT improves internal controls by embedding and automating the entity’s practices, policies,
and procedures into the entity’s IS.

• Such internal controls take three forms (the Prevention–Detection–Correction model):

(i) Preventive controls are passive techniques designed to reduce – but not eliminate –
undesirable events occurring.

(ii) Detective controls are more active steps taken to recognise undesirable events that are
not stopped by preventive controls.

(iii) Corrective controls are actions taken to remedy undesirable events identified by
detective controls.

Assessing and Advising on the Risks of Business Processes

• Business processes are often supported by many different IS. In-scope IS are those IS that
are prospective sources of material misstatement in the financial statements. Materiality is
assessed according to the specific circumstances of the entity and will be set as part of the
audit strategy.

• The auditor’s focus is on systems that affect the financial processes and systems in the
expenditure cycle, conversion cycle, or the revenue cycle.

• Expenditure cycle IS record transactions relating to business processes for the entity’s
acquisition of goods and services that the entity uses.

• Conversion cycle IS record how the entity converts the inputs that it acquired in the
expenditure cycle prior to the final sale of the goods or services.

• Revenue cycle IS record transactions relating to the entity’s sale of goods and services to its
customers.

• The auditor identifies the business processes and supporting IS from which information flows
to the financial reports.

Assessing Audit Risk

• The auditor must consider three components when assessing the audit risk in the business
processes from which information flows to the financial report. These three components are
inherent risk, control risk, and detection risk.

• Audit risk can be calculated by assigning a value to the assessment made of inherent risk,
control risk, and detection risk:

Audit Risk = Inherent risk × Control risk × Detection risk

• Inherent risk relates directly to the nature of the industry in which the entity operates and is
the risk that the error might occur in the first place, irrespective of whether a control protects
against it. Audit activities do not affect inherent risk.

• Control risk is the risk that the controls in place are inadequate in preventing, detecting, or
correcting errors that materially affect the financial reports.

• For control risk, the auditor assesses whether the design of the internal control is effective in
reducing the risk of material misstatement. If not, the control is not effective and the auditor
cannot rely on that internal control.

• For control risk, the auditor also assesses whether the internal control is operationally
effective in reducing the risk of material misstatement. To make this assessment, the auditor
undertakes controls testing to determine whether the internal controls operate as designed.

• Tests of controls do not change control risk, but they do increase the reliability of the auditor’s
assessment of control risk.

• Detection risk is the risk that the auditor does not detect errors that the entity’s internal
controls also do not detect and correct. Increasing substantive testing reduces detection risk.

• The auditor designs the audit approach according to their assessment of audit risk.

Summary of Internal Controls Specific to IT

General and Application IT Controls Relationship

• If the ITGC environment is ineffective (whether through ineffective design or operation), the
application controls are similarly ineffective as any application controls can be circumvented.

IT General Controls

• ITGC ensure that the IT environment maintains data integrity, security, and confidentiality.
ITGC affect all financial reporting IT applications. The most important, or key, ITGC relate
to the administration of the IT function, the segregation of duties, the development of
new systems, physical and online security, backup planning, and controls over hardware
infrastructure.

• An important aspect of ITGC during systems development is change management. The
segregation of duties needs to be maintained when a program change is requested, when
software is configured (or re-configured), and when program changes are applied. IT changes
should follow a defined and formalised (and documented) process.

• The auditor initially makes inquiries of management and supervisory personnel or reviews
high-level documentation to obtain an understanding of the ITGC in place, and documents
their findings. The auditor documents the key ITGC as part of the financial audit.

• The auditor documents and assesses each general control as relevant to the audit.
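
One way to re-perform the segregation-of-duties check over an exported change log, added here as an illustration and not taken from the module text. The column names, the incompatible-duty pairs and the sample tickets are constructed assumptions.

```python
"""Segregation-of-duties re-performance over a change log (added illustration)."""
import csv
import io

# Constructed sample export from a hypothetical change-ticket system.
# The column names are assumptions, not fields defined in the module text.
SAMPLE_CHANGE_LOG = """ticket,system,requested_by,developed_by,approved_by,deployed_by
CHG-001,general-ledger,alice,bob,carol,dave
CHG-002,general-ledger,alice,bob,Bob,dave
CHG-003,payroll,erin,erin,carol,erin
CHG-004,sales-orders,frank,bob,,dave
CHG-005,inventory,grace,heidi,carol,dave
"""

ROLE_FIELDS = ("requested_by", "developed_by", "approved_by", "deployed_by")

# Pairs of duties that one person should not hold on the same change
# (an assumed policy for this example; the entity's own policy governs).
INCOMPATIBLE_PAIRS = (
    ("requested_by", "approved_by"),
    ("developed_by", "approved_by"),
    ("developed_by", "deployed_by"),
)


def load_changes(text):
    """Parse the export and normalise user ids so 'Bob' and 'bob' compare equal."""
    changes = []
    for row in csv.DictReader(io.StringIO(text)):
        for field in ROLE_FIELDS:
            row[field] = (row[field] or "").strip().lower()
        changes.append(row)
    return changes


def check_change(change):
    """Return the exceptions for one change (empty list = control operated)."""
    exceptions = []
    for field in ROLE_FIELDS:
        if not change[field]:
            exceptions.append(f"{field} not recorded")
    for first, second in INCOMPATIBLE_PAIRS:
        if change[first] and change[first] == change[second]:
            exceptions.append(
                f"{first} and {second} are the same user: {change[first]}")
    return exceptions


def run_sod_test(text, in_scope=None):
    """Test every change, or only changes to in-scope systems if a set is given."""
    findings = {}
    for change in load_changes(text):
        if in_scope is not None and change["system"] not in in_scope:
            continue
        exceptions = check_change(change)
        if exceptions:
            findings[change["ticket"]] = exceptions
    return findings


def deviation_rate(text, in_scope=None):
    """Share of tested changes with at least one exception."""
    tested = [c for c in load_changes(text)
              if in_scope is None or c["system"] in in_scope]
    if not tested:
        return 0.0
    return len(run_sod_test(text, in_scope)) / len(tested)


if __name__ == "__main__":
    for ticket, exceptions in run_sod_test(SAMPLE_CHANGE_LOG).items():
        print(ticket, "->", "; ".join(exceptions))
    print("deviation rate:", deviation_rate(SAMPLE_CHANGE_LOG))
```

An exception listed here is a deviation to follow up against supporting documentation, since a compensating control may still cover it.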

Application IT Controls

• The application controls of each system maintain the completeness, validity, and accuracy of
data in a single system. These application controls may affect data processing, and so input
controls, processing controls, and output controls may be considered by the auditor.

• The controls to be tested should be determined through the initial walkthrough test when first
considering the IT environment as part of the financial audit.

• Application IT controls are specifically reviewed for those IS that are in scope. In-scope IS are
those IS that are prospective sources of material misstatement at the financial statement and
assertion levels. Materiality is assessed according to the specific circumstances of the entity
and will be set as part of the audit strategy.

• Master file/database controls maintain the security, integrity, accountability, and recoverability
of the master file and database.

• The auditor is most concerned by those material applications that are prospective sources of
material misstatement in the financial reports.

• The auditor makes inquiries of management and supervisory personnel, observes the
system in action, or reviews appropriate documentation to obtain an understanding of the
application controls in place for material systems.

• The auditor documents and assesses each application control as relevant to the audit. Key
systems are documented as a narrative description or a system flowchart.

Auditing in Computerised Business Systems and Controls

• HKSA 300 requires the auditor to develop an audit strategy and plan, and the auditor develops
a set of audit procedures that inform their professional opinion regarding the risk of material
misstatement in the financial reports.

• If controls testing is used, then the auditor evaluates the effectiveness of the design of these
controls and, if the design is effective, whether the controls operate according to the design.

Audit Procedures for Testing Computerised Business Systems and Associated Controls of the Business
Processes of an Entity

• The auditor develops audit procedures by understanding the IT environment and then
planning the controls testing and substantive testing in accordance with the auditor’s
assessment of audit risk.

• If control risk is low, the auditor can place more reliance on the internal controls.

• Controls testing assesses the effectiveness of the design and operation of the entity’s ITGC
and, for key systems, application controls. Substantive testing is where the auditor seeks to
objectively determine whether the entity’s financial statements are materially misstated.

Evaluating the Effectiveness of Computerised Business Systems and Controls

• The audit’s control risk is evaluated by controls testing.

• Controls testing includes client inquiry, examination of documents, observation of the work
being undertaken, or re-performing the procedures that are part of a control (such as a
process walkthrough with real or test data).

• HKSA 315 (Revised 2019) paragraph 26 (d)(ii) requires that the auditor uses procedures in
addition to client inquiry in determining whether a control has been implemented.

• The auditor’s assessment of the effectiveness of the internal controls system considers the
system as a whole. Ineffective internal controls may be compensated for by other controls.
The auditor considers the effectiveness of the internal controls system in totality in assessing
overall control risk.

Substantive Testing

• Substantive tests affect detection risk and thus audit risk.

• Substantive tests include substantive tests of transactions, analytical procedures, and tests
of details of balances. They also include physical examination, confirmation, inspection, client
inquiries, re-performance, analytical procedures, or recalculation.

• Substantive tests of transactions test for monetary misstatements – that is, they test for
errors in the financial reports directly. These tests directly address the following issues: (1)
Occurrence; (2) Completeness; (3) Accuracy; (4) Classification; (5) Timing (Cut-off); and (6)
Presentation.

Summary of Computer-assisted Auditing Techniques

Audit Software

• GAS consists of generic analytical tools that the auditor can use in different contexts.

• CAATs allow the auditor to review and summarise the extracted data sets and to analyse the
data statistically. Two popular tools are ACL Analytics and IDEA.

• The auditor may use general tools such as spreadsheets or data visualisation software even
though these tools do not specifically support financial audits.

Test Data and Testing Procedures

• In auditing an information system, the auditor can use the black-box (‘auditing around the
computer’) or the white-box (‘auditing through the computer’) approaches.

• With a black-box approach the auditor determines what the application is supposed to do and
uses that understanding to reconcile actual inputs with actual outputs.

• Under the white-box approach the auditor places test data into the application to
systematically test the application’s logic and controls.

• The black-box approach is less disruptive than the white-box approach, but the black-box
approach allows more fine-grained and controlled testing.

• Auditing through the computer uses techniques such as parallel simulation, the test data
method, the base case system evaluation, and integrated test facilities.
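
The test data method described above, shown as an added example that is not part of the module text: a deck of test transactions with predetermined results is run through a stand-in order-entry routine and every mismatch is reported. The routine, its seeded date-control weakness, the master file and the test cases are all constructed assumptions.

```python
"""Test data method ('auditing through the computer'), added illustration."""
import re
from datetime import date

# Constructed customer master file: customer id -> credit limit.
CUSTOMER_MASTER = {"C100": 5000.00, "C200": 1200.00}

DATE_PATTERN = re.compile(r"\d{4}-\d{2}-\d{2}")


def pattern_only_date(text):
    """Date control as found: checks the YYYY-MM-DD shape only (seeded weakness)."""
    return bool(DATE_PATTERN.fullmatch(text))


def calendar_date(text):
    """Date control after remediation: the value must also be a real calendar date."""
    if not DATE_PATTERN.fullmatch(text):
        return False
    try:
        date.fromisoformat(text)
    except ValueError:
        return False
    return True


def make_order_entry(date_control):
    """Build a stand-in for the client's order-entry routine (hypothetical)."""
    def enter_sales_order(order):
        if not date_control(order["order_date"]):
            return (False, "invalid date")
        if order["customer"] not in CUSTOMER_MASTER:
            return (False, "unknown customer")
        quantity = order["quantity"]
        if not isinstance(quantity, int) or quantity <= 0:
            return (False, "invalid quantity")
        if quantity * order["unit_price"] > CUSTOMER_MASTER[order["customer"]]:
            return (False, "credit limit exceeded")
        return (True, "accepted")
    return enter_sales_order


APPLICATION_AS_FOUND = make_order_entry(pattern_only_date)
APPLICATION_REMEDIATED = make_order_entry(calendar_date)


def order(**overrides):
    """A valid base transaction; each test case changes one attribute."""
    base = {"order_date": "2023-03-15", "customer": "C100",
            "quantity": 10, "unit_price": 20.0}
    base.update(overrides)
    return base


# The auditor's test deck: (case, input, predetermined expected result).
TEST_DECK = [
    ("TD-01 valid order", order(), (True, "accepted")),
    ("TD-02 text in date field", order(order_date="next week"),
     (False, "invalid date")),
    ("TD-03 impossible calendar date", order(order_date="2023-02-30"),
     (False, "invalid date")),
    ("TD-04 customer not on master file", order(customer="C999"),
     (False, "unknown customer")),
    ("TD-05 negative quantity", order(quantity=-5),
     (False, "invalid quantity")),
    ("TD-06 text in quantity field", order(quantity="ten"),
     (False, "invalid quantity")),
    ("TD-07 order over credit limit", order(customer="C200", quantity=100),
     (False, "credit limit exceeded")),
    ("TD-08 order exactly at credit limit", order(customer="C200", quantity=60),
     (True, "accepted")),
]


def run_test_deck(application, deck):
    """Process the deck and return every case where actual differs from expected."""
    deviations = []
    for case, transaction, expected in deck:
        actual = application(transaction)
        if actual != expected:
            deviations.append(
                {"case": case, "expected": expected, "actual": actual})
    return deviations


if __name__ == "__main__":
    for label, app in (("as found", APPLICATION_AS_FOUND),
                       ("remediated", APPLICATION_REMEDIATED)):
        print(label, run_test_deck(app, TEST_DECK))
```

Only TD-03 deviates on the routine as found, which shows why the deck needs boundary and invalid cases as well as valid transactions.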

Documentation

• The auditor documents the audit activities undertaken and their findings so that an
experienced auditor, with no prior connection with the audit, can understand the audit
procedures, their results, and the conclusions and professional judgements made.

• The auditor manages and documents the audit using automated working papers.

Effectiveness of Cyber-security Safeguard

• An organisation needs to organise and implement the technologies, processes, and structures
needed to protect IS that are exposed to the Internet.

• Many of the tasks required in undertaking a cyber-security audit require specialist skills
and tools. However, a generalist auditor can examine the base controls around cyber-
security without using specialist skills and tools to assess whether a risk arises of material
misstatements in the financial reports.

• The base controls that a generalist auditor examines include the use of anti-virus software,
keeping software current, and ensuring that only authorised software is installed by authorised
users with enough user privileges to fulfil their roles.

• It is important that the auditor examine the entity’s approach to offline backups.

Weakness Identification and Recommendations

• The auditor understands and identifies deficiencies in internal control and assesses whether
they are sufficiently important.

• If the auditor finds sufficiently important deficiencies in the internal control system during the
audit, the auditor should communicate these deficiencies to those in charge of governance
and management at the audited entity.

Summary of e-commerce Control Issues

Detailed Characteristics of E-commerce Systems

• E-commerce refers to digitally enabled commercial transactions between a seller and a
purchaser. E-commerce has become a common way of doing business.

• E-commerce has characteristics that are unique. Most of these characteristics derive from
the Internet and the low cost of creating, copying, tailoring, updating, and delivering digital
information anywhere in the world at any time.

• There are eight unique characteristics of e-commerce – that is, e-commerce is ubiquitous, has
global reach, uses universal standards, and supports a richness of information as well as high
information density, and is also interactive, allows high personalisation/customisation, and
can leverage social technologies.

Internal Controls in E-Commerce

• E-commerce IS are required to ensure integrity, non-repudiation, authenticity, confidentiality,
privacy, and availability.

• E-commerce systems also require the controls of anti-virus, authorised software, authorised
users, assigned user privileges, and daily backups.

• As e-commerce operates in a virtual environment, e-commerce is almost entirely reliant on
IT controls.

• In entities with e-commerce IS, the major internal control is an e-commerce security plan
that documents the technologies, processes, and the structures and teams responsible for
implementing controls focused on the e-commerce IS.

• Firewalls and proxy servers should be standard. Other relevant internal controls include
intrusion detection systems and intrusion prevention systems. DDoS Mitigation Services
provided by a cloud service provider may be required.

• The e-commerce security plan requires regular refreshment and renewal to remain relevant in
the face of changing security threats.

Auditing E-commerce

• Audit procedures for online e-commerce IS use the same framework as the audit procedures
for offline IS. Additional tests of controls and substantive tests are required if the e-commerce
system is material in the auditor’s judgement.

• The auditor documents the controls identified in the e-commerce security plan, should it exist.
The auditor also documents other relevant controls.

• Relevant controls include technology controls (for example, firewalls and proxy servers),
process controls (for example, patching of software, access controls), and structural controls
(for example, a committee responsible for e-commerce security).

• The auditor evaluates the design effectiveness of the ITGC as a whole, including the ITGC
of offline IS. The auditor considers any compensating controls that exist in undertaking this
evaluation.

• The auditor evaluates the design effectiveness of technology and process controls specific to
individual e-commerce IS if the design of the ITGC is effective.

• The audit plan will consist of a mix of controls testing and substantive testing. For e-commerce
IS, controls testing is likely to be more prominent in the audit procedures.

• Controls testing is undertaken through client inquiry, examination of documents, observation,
or re-performing the procedures that are part of a control (such as a process walkthrough
with real or test data). HKSA 315 (Revised 2019) requires the auditor to use procedures in
addition to client inquiry if the control is relevant to the audit.

• The auditor may find that testing the controls through document examination, observation,
or re-performance may be sufficient to establish the effective operation of material controls.
Specialist auditors may be needed to evaluate technical controls.

• If the design of the application controls as a whole is effective and the controls operate
effectively, then the audit approach may have a high reliance on the internal controls system,
and substantive testing can be lessened.

• Certain substantive tests may be difficult to perform for e-commerce IS. Recalculation or
analytical procedures may be needed.

MIND MAP

Computerised Business Systems and Controls

• Overview of Computerised Business Systems: IT Department Structure; IT Department
Functions

• IT Environment: Implementation of New IT Systems; Financial Reporting Systems;
E-commerce Overview and Importance to Business; Networked Systems; PC Systems

• IT Strategy: The Role of IT Strategy; How Information Technology Improves Internal
Control; Assessing Risks of IT

• Internal Controls Specific to IT: General and Application IT Controls Relationship;
General Controls; Application IT Controls; Auditing in Computerised Business Systems
and Controls

• Computer-assisted Auditing Techniques: Audit Software; Test Data and Testing
Procedures; Documentation; Effectiveness of Cyber-security Safeguard; Weakness
Identification and Recommendations

• E-commerce Control Issues: Detailed Characteristics of E-commerce Systems; Internal
Controls in E-commerce; Auditing E-commerce

Answers to Knowledge Check Questions

Question 1
Answer A is incorrect. It is limited only to financial reporting systems in place, but the
auditor needs to understand the wider IT environment.
Answer B is incorrect. It is not sufficiently broad and does not consider relevance to
the audit.
Answer C is incorrect. It is too broad as it does not consider relevance to the audit.
Answer D is correct. It has the correct scope of understanding required by HKSA 315 (Revised
2019) but requires the scope to be understood only to the extent of relevance to the audit (S1).

Question 2
Answer A is incorrect. It is a combination of the configuration options for the network
model and the database model.
Answer B is correct. This is explicitly discussed in Section 13.1.1.
Answer C is incorrect. Although it is common terminology for describing the organisational
structure of organisations, these terms are not IS audit specific.
Answer D is incorrect. It replaces the specific terms given in Section 13.1.1 with synonyms,
and is partially correct but not complete.

Question 3
Answer A is incorrect. It is not complete, as it focuses on operational tasks only.
Answer B is incorrect. It focuses only on implementing new software and does not consider
operational tasks.
Answer C is incorrect. It focuses on a single operational task of administering the network.
Answer D is correct. This statement is explicitly provided in Section 13.1.2 and covers the
full range of the IT department’s activities.

Question 4
Answer A is incorrect. It is explicitly referenced in Section 13.1.2 as an aspect of the IT
department’s functions that the auditor is concerned with.
Answer B is incorrect. It is explicitly referenced in Section 13.1.2 as an aspect of the IT
department’s functions that the auditor is concerned with.
Answer C is correct. This is because maintaining compatibility between IT devices is a low
level and technical activity rather than a high level one.
Answer D is incorrect. It is explicitly referenced in Section 13.1.2 as an aspect of the IT
department’s functions that the auditor is concerned with.

Question 5
Answer A is incorrect. It is identified as a disadvantage of the decentralised
model in the discussion provided in Section 13.1.1.
Answer B is correct. It is explicitly identified as an advantage of the decentralised model in
the discussion provided in Section 13.1.1.
Answer C is incorrect. It is identified as a disadvantage of the decentralised
model in the discussion provided in Section 13.1.1.
Answer D is incorrect. It is identified as a disadvantage of the decentralised
model in the discussion provided in Section 13.1.1.

Question 6
No, it is not the role of the auditor to provide advice to their client regarding the best way
to structure the IT function. However, if the auditor finds a control deficiency, then the
control weakness should be communicated to the entity’s management.

Question 7
The centralised operating model provides all IT services from a central IT department to
all of the business units of the entity. The decentralised operating model locates an IT
department in each business unit of the entity. The federated/hybrid operating model
locates some components of the IT department in a central IT department, but locates
some IT departments in each business unit of the entity. Most commonly, organisations
use the federated/hybrid operating model.

Question 8
The network administrator ensures that the devices on the entity’s network are secure and
that the network provides access only to authenticated users. The network administrator
maintains and secures the organisational network used to access common IT resources
across the organisation. In contrast, the DBA’s focus is upon the integrity and security of
the data stored in the entity’s databases. These databases are usually focused on meeting
the requirements of individual business units rather than the entity as a whole, and so the
DBA has a more narrow – but deeper – scope of work than the network administrator.

Question 9
HKSA 315 (Revised 2019) requires the auditor to obtain an understanding of the internal
controls relevant to the financial audit and an understanding of the information system.
The structure and function of the IT department are critical controls as the IT department
makes many of the decisions in the general control environment and the effectiveness
of the IT department informs the auditor’s assessment of the effectiveness of the ITGC
environment of the entity.

Question 10
Answer A is incorrect. It is a component of value.
Answer B is incorrect. It is a component of value.
Answer C is incorrect. It is a component of value.
Answer D is correct. The value is stated in Section 13.2.1 as consisting of providing benefits,
reducing costs, or reducing uncertainty, which are options A, B, and C.

Question 11
Answer A is incorrect. Equivalent controls to that of the SDLC methodologies can exist
under agile methodologies and can be adequate according to Section 13.2.1.
Answer B is incorrect. Formal staged approaches are a feature of SDLC methodologies, not
agile methodologies, according to Section 13.2.1.
Answer C is incorrect. It describes a circumstance where software development is not required.
Answer D is correct. This aspect is attributed to agile methodologies in Section 13.2.1.

Question 12
Answer A is correct. It is the only system that affects the financial reports.
Answers B, C, and D are incorrect. Each is an operational system that does not directly affect
the financial report. Although some of its systems may require review from a business
continuity perspective, the system of most apparent concern in assessing material
misstatement in the financial reports is the inventory management system.

Question 13
Answer A is incorrect. It is the opposite of the discussion in Section 13.2.3.
Answer B is correct. This flows directly from the discussion in Section 13.2.3, where it is
stated that online systems face more security issues and are entirely reliant on IT controls.
Answer C is incorrect. It directly contradicts the discussion given in Section 13.2.3.
Answer D is incorrect. It directly contradicts the discussion given in Section 13.2.3.

Question 14
Answer A is incorrect. It is plausible but incorrect.
Answer B is incorrect. It is plausible but incorrect.
Answer C is correct. This is given in Section 13.2.4.
Answer D is incorrect. It cannot be correct as Answer C is correct.

Question 15
Answer A is incorrect. It is too narrowly focused on access to the networked systems.
Answer B is incorrect. It is too narrowly focused on hardware configurations.
Answer C is correct. It addresses the breadth of the aspects of networked systems that the
auditor must understand, as set out in Section 13.2.4.
Answer D is incorrect. It is partially correct as it excludes cloud-based services.

Question 16
Answer A is incorrect. PC-based systems do work in a networked environment but operate
independently.
Answer B is incorrect. It is partially correct as PC-based systems might be integrated with
an e-commerce IS but would rarely, if ever, be tightly integrated with an e-commerce IS.
Answer C is incorrect. PC-based systems often have simple security that can be bypassed,
as discussed in Section 13.2.5.
Answer D is correct. This is discussed in Section 13.2.5.

Question 17
The five aspects of the IT environment that the auditor must understand are (1) how the
entity implements new systems, (2) the FRSs in place, (3) the e-commerce systems that
exist, (4) the networked systems in place, and (5) the PC-based systems in place. All aspects
of the IT environment are critical, as it is mandatory that the auditor understand the IT
environment as relevant to the financial audit. However, the auditor’s understanding of the
FRSs in place is likely to be the most relevant to the audit as these systems directly affect
the financial report.

Question 18
The SDLC provides formal documentation and formal approval processes that provide
an audit trail that auditors can easily review and assess. For this reason, auditors tend to
prefer the SDLC approach as it allows the auditor to easily assess the risks faced by the
system development project.

Question 19
Expenditure cycle, conversion cycle, and revenue cycle. The payroll system, the cost
management system, and the sales system are, respectively, examples of each cycle.

Question 20
E-commerce IS are entirely reliant on IT controls as the transactions occur at such a pace
and volume that manual intervention is impractical. Accordingly, the IT controls need to be
stronger to ensure that transactions are complete, valid, and accurate.

Question 21
The statement should be disagreed with for two reasons. First, some important software
is only available on stand-alone PC systems as they require a dongle or similar hardware
device to operate or the software is considerably more expensive to operate in a
networked environment. Second, a PC system can rely on compensating physical controls
(such as a locked office) that mitigate concerns around access controls.

Question 22
Answer A is incorrect. The business strategy is supported by the IT strategy, not vice versa.
Answer B is correct. This is set out in Section 13.3.1.
Answer C is incorrect. All three areas are operational in focus and are not strategic.
Answer D is incorrect. It directly addresses the auditor’s duty in undertaking the audit.

Question 23
Answer A is incorrect. It is a physical control outside of the information system and thus is
not an IT internal control.
Answer B is incorrect. It is a physical control outside of the information system and thus is
not an IT internal control.
Answer C is incorrect. It is a physical control outside of the information system and thus is
not an IT internal control.
Answer D is correct. It is the only control that is embedded in an information system.

Question 24
Answer A is incorrect. This is a plausible alternative for the PDC acronyms, but is incorrect.
Answer B is incorrect. This is a plausible alternative for the PDC acronyms, but is incorrect.
Answer C is correct. This is defined in Section 13.3.2.
Answer D is incorrect. This is a plausible alternative for the PDC acronyms, but is incorrect.

Question 25
Answer A is incorrect. It is partially correct, as compensating controls compensate for
deficiencies in other controls including preventive controls, but is not a complete response
as compensating controls can themselves be preventive controls and thus do not actively
focus on identifying events not stopped by preventive controls.
Answer B is incorrect. Directed controls are not a notion addressed in Section 13.3.
Answer C is correct. Detective controls are active steps taken to recognise undesirable
events that are not stopped by preventive controls, as discussed in Section 13.3.2.
Answer D is incorrect. Preventive controls are designed to stop undesirable events from
occurring rather than recognising undesirable events.

Question 26
Answer A is incorrect. It is ITGC, not compensating controls, as described in Section 13.4.2.2.
Answer B is incorrect. It is ITGC, not compensating controls, as described in Section 13.4.2.4.
Answer C is correct. It is identified in Section 13.3.2 as a compensating control.
Answer D is incorrect. It is an application input control, discussed in Section 13.4.3.1.

Question 27
Answer A is correct. The sales order is discussed in Sections 13.2.2 and 13.3.3.1 as a
primary document for revenue cycle transactions.
Answer B is incorrect. The purchase order relates to the expenditure cycle.
Answer C is incorrect. The sales invoice is created after the sales order.
Answer D is incorrect. The journal voucher records the transaction after it happens and is
not the revenue cycle trigger.

Question 28
The discussion will vary, but the IT strategy is the source of changes to the IT environment.
The IT strategy should support an effective internal control environment by ensuring that new
information systems are designed with strong internal controls from the outset. It is critical
that this occurs if the IT systems are to support the organisation and its internal controls.

Question 29
Preventive controls are passive techniques designed to reduce – but not eliminate –
undesirable events occurring. An example of a preventive control is a control that prevents
text being entered into a system instead of a date or the entry of a postal code that does
not exist. Detective controls are more active steps taken to recognise undesirable events
that are not stopped by preventive controls. Detective controls flag data that departs from
the standard after the error has occurred, whereas preventive controls aim to prevent
errors before they occur. An example of a detective control is the monitoring of returned
mail due to wrongly addressed items or the review of system reports for correct date
order. Corrective controls remedy undesirable events identified by detective controls.
Detective controls detect a problem but do not fix it. An example of a corrective control
is where a clerk is directed to correct the problem of an invalid date at data entry and the
systems development/application programmer team is directed to implement a data entry
rule that prevents the problem from recurring.

Question 30
Your answer should reflect the following points:

(a) A sales ordering system is part of the revenue cycle as its transactions affect the
income/sales figures on the financial report.

(b) A closed-circuit security system is not part of any cycle as it does not produce any
transactions.

(c) A work-in-progress management system is part of the conversion cycle as it
records work-in-progress manufacturing items prior to their sale.

(d) A group decision support system is not part of any cycle as it assists with decision
making and does not directly record any transactions.

(e) A procurement system is part of the expenditure cycle as it is used to manage
expenditure on purchase goods and services.

Question 31
Answer A is incorrect. It is partially correct, but indirectly so – well-designed and effective
ITGC minimise substantive testing, but that is a by-product of their purpose.
Answer B is incorrect. ITGC and application controls are separate concepts with different
purposes, as discussed in Section 13.4.1.
Answer C is correct. It is explicitly referred to in Section 13.4.1.
Answer D is incorrect. It ascribes the goals of application controls to ITGC, as discussed in
Section 13.4.1.

Question 32
Answer A is correct. It is explicitly referred to in Section 13.4.1.
Answer B is incorrect. It is a mix of the purpose of ITGC together with a notion of
‘usefulness’ that is not otherwise discussed.
Answer C is incorrect. It is referring to an ITGC activity rather than a purpose.
Answer D is incorrect. It ascribes the purpose of ITGC to application controls.

Question 33
Answer A is incorrect. A process mechanism is a procedure and a steering committee is not
a procedure (although it will be referenced in a procedure).
Answer B is incorrect. It is partially correct as the steering committee allows executives to
develop relationships, but the development of relationships is not its primary purpose and
so this is not a complete answer.
Answer C is incorrect. This response is not discussed in Section 13.4.
Answer D is correct. Section 13.4.2.1 uses a project steering committee as an example of a
structural mechanism.

Question 34
Answer A is incorrect. Input controls are not ITGC.
Answer B is correct. This is the general principle stated in Section 13.4.2.2 in relation to the
control of segregation of duties.
Answer C is incorrect. This is a different aspect of ITGC that is not based on this principle
identified in Section 13.4.2.2.
Answer D is incorrect. This is a different aspect of ITGC that is not based on this principle
identified in Section 13.4.2.2.

Question 35
Answer A is incorrect. Re-factoring is not a substantive test.
Answer B is incorrect. Collaboration is not a substantive test.
Answer C is incorrect. This is a different aspect of ITGC that is not based on this principle
identified in Section 13.4.2.2.
Answer D is incorrect. This is a different aspect of ITGC that is not based on this principle
identified in Section 13.4.2.2.

Question 36
A, B, and C can all support the development of effective internal controls as discussed in
S4.2.3, and so the correct response is D.
Answer D is correct as all of A, B, and C can support the development of effective
internal controls.

Question 37
Answer A is incorrect. It relates to application controls, not ITGC, and the backup process is
a general control.
Answer B is correct. Observation of the general control in action is a test of ITGC, as
discussed in Section 13.4.4.2.
Answer C is incorrect. It relates to application controls, not ITGC, and the backup process is
a general control.
Answer D is incorrect. Observation of a backup process is not a substantive test, as
discussed in Section 13.4.4.2.

Question 38
Answer A is correct. Data entry and specifically a range check control occur at input, as
discussed in Section 13.4.3.1.
Answer B is incorrect. It is an output control, as discussed in Section 13.4.3.3.
Answer C is incorrect. It is an output control, as discussed in Section 13.4.3.3.
Answer D is incorrect. It is an output control, as discussed in Section 13.4.3.3.

Question 39
Answer A is incorrect. A record level input control compares entered data to other values
entered at the same time, as discussed in Section 13.4.3.1.
Answer B is correct. A data entry relates to an input control, and these data are checked
against a possible range of values, and is thus a field control (Section 13.4.3.1).
Answer C is incorrect. Controls consider data after their entry into the system (Sections
13.4.3.2 and 13.4.3.3).
Answer D is incorrect. Controls consider data after their entry into the system (Sections
13.4.3.2 and 13.4.3.3).

Question 40
Answer A is correct. This is discussed as a disadvantage of the ITF in Section 13.5.2.
Answer B is incorrect. ITFs reduce operating efficiency of the entity, not the audit (see
Section 13.5.2).
Answer C is incorrect. Section 13.5.2 identifies ITFs as addressing this weakness of static
testing techniques.
Answer D is incorrect. It is not correct as Answer B is correct.

Question 41
Answer A is correct. This principle is stated in Section 13.4.2.2.
Answer B is incorrect. This is a re-statement of the purpose of application controls given in
Section 13.4.3, not the general control of segregation of duties.
Answer C is incorrect. Employee satisfaction is not a consideration of ITGC.
Answer D is incorrect. It is not correct as Answer A is correct.

Question 42
Answer A is correct. It is a direct violation of the principle given in Section 13.4.2.2 as the
same role creates debt as well as writes it off.
Answer B is incorrect. It is not a violation as these ledgers are separate reporting tools and
are not transactions.
Answer C is incorrect. It is not a violation unless the clerk is also requesting the
inventory purchase.
Answer D is incorrect. It is not a violation as preparing statements is not a transaction.

Question 43
Answer A is incorrect. This is a concern of physical security and is a general control
discussed in Section 13.4.2.4.
Answer B is incorrect. This is a reference to segregation of duties, which is also a general
control and is discussed in Section 13.4.2.2.
Answer C is incorrect. An input control is described in Section 13.4.3.1.
Answer D is correct. This design purpose is explicitly addressed in Section 13.4.3.3.

Question 44
Answer A is correct. This is an explicit example discussed in Sections 13.4.2.2 and 13.4.2.3.
Answer B is incorrect. No control of management override is discussed in the context of
segregation of duties in Section 13.4.2.2.
Answer C is incorrect. It is partially correct as inventory processes and billing processes
may be incompatible duties that require segregation, but is incomplete as this is not a
computer-based duty.
Answer D is incorrect. It is a review of tasks performed, not segregation of the duties as
discussed in Section 13.4.2.4.

Question 45
Answer A is correct. These IT duties and their likely incompatibility are discussed in
Sections 13.4.2.2 and 13.4.2.3.
Answer B is incorrect. These IT duties are discussed in Section 13.4.2.2 but no
incompatibility between these duties is apparent – they are complementary.
Answer C is incorrect. It is partially correct as this is cited in Section 13.4.2.2 as an example
of the general control of segregation of duties, but is not complete as this example does
not relate to IT duties.
Answer D is incorrect. These IT duties are discussed in Section 13.4.2.2 but no incompatibility
between these duties is apparent – rather, these duties are complementary.

Question 46
Answer A is correct. Section 13.4.2.1 cites the IT steering committee as an example of a
structural governance mechanism.
Answer B is incorrect. Compensating governance mechanisms are not discussed in
Section 13.4.2.1.
Answer C is incorrect. It is not correct according to the discussion provided in Section 13.4.2.1.
Answer D is incorrect. It is not correct according to the discussion provided in Section 13.4.2.1.

Question 47
As explained in HKSA 315 (Revised 2019), controls testing increases the auditor’s
understanding of control risk. More controls testing means less substantive testing, all
else equal, as audit risk is reduced. However, if controls testing indicates that controls are
unreliable then more substantive testing is needed.

Question 48
A field-level input control checks the validity of a single data field in a data record. For
example, a control that only allows valid postcodes to be entered is a field level input
control. A field level input control considers the information solely within an individual field
of a record, whereas a record level input control compares between fields in the record to
determine whether to reject or accept the record. A record level input control considers
the combination of different fields in the record.
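
The distinction between field-level and record-level input controls can be shown in code. The following is an added example, not part of the original text; the invoice record layout, the numbering format, and the acceptable ranges are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass, replace
from datetime import date
from decimal import Decimal

# Assumed validation rules (hypothetical, for illustration only).
INVOICE_NO = re.compile(r"INV-\d{6}")
QTY_RANGE = (1, 10_000)
PRICE_RANGE = (Decimal("0.01"), Decimal("50000.00"))


@dataclass(frozen=True)
class InvoiceEntry:
    """One record keyed at data entry (constructed layout)."""
    invoice_no: str
    quantity: int
    unit_price: Decimal
    line_total: Decimal
    invoice_date: date
    due_date: date


def field_level_errors(rec):
    """Field-level controls: each check looks at one field in isolation."""
    errors = []
    if not INVOICE_NO.fullmatch(rec.invoice_no):
        errors.append("invoice_no: bad format")
    if not QTY_RANGE[0] <= rec.quantity <= QTY_RANGE[1]:
        errors.append("quantity: outside acceptable range")
    if not PRICE_RANGE[0] <= rec.unit_price <= PRICE_RANGE[1]:
        errors.append("unit_price: outside acceptable range")
    if rec.line_total <= 0:
        errors.append("line_total: must be positive")
    return errors


def record_level_errors(rec):
    """Record-level controls: each check compares fields within the record."""
    errors = []
    if rec.line_total != rec.quantity * rec.unit_price:
        errors.append("line_total does not equal quantity x unit_price")
    if rec.due_date < rec.invoice_date:
        errors.append("due_date is earlier than invoice_date")
    return errors


def validate(rec):
    """Accept the record only if both levels of control pass."""
    field = field_level_errors(rec)
    # Cross-field comparison is only meaningful once every field is valid.
    record = record_level_errors(rec) if not field else []
    return {"accepted": not field and not record,
            "field": field, "record": record}


# Constructed sample records.
GOOD = InvoiceEntry("INV-000123", 3, Decimal("19.90"), Decimal("59.70"),
                    date(2022, 11, 1), date(2022, 12, 1))
BAD_FIELD = replace(GOOD, quantity=0, line_total=Decimal("19.90"))
# Every field is individually valid, but the total has transposed digits.
BAD_RECORD = replace(GOOD, line_total=Decimal("95.70"))

if __name__ == "__main__":
    for name, rec in [("GOOD", GOOD), ("BAD_FIELD", BAD_FIELD),
                      ("BAD_RECORD", BAD_RECORD)]:
        print(name, validate(rec))
```

The third sample passes every field-level check and is rejected only by the record-level comparison, which is the case a range check alone cannot catch.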

Question 49
The rule of least access is that users of a system should be granted access privileges
on a need-to-know basis. This principle is often breached though as over time users
change roles and have new access privileges granted without having the old access
privileges revoked. These breaches arise as the managers with the authority to grant
access privileges are frequently busy and often do not exercise adequate care in revoking
permissions or in initially assigning them.

Question 50
This arrangement decreases the effectiveness of the internal controls system as the
arrangement weakens ITGC. The DBA and Data Librarian roles should be kept separate
from the systems development team to reduce the chance of collusion whereby the
systems developer introduces unauthorised code or data structures and colludes with
the DBA and Data Librarian to commit fraud. The three structures (systems development
team, DBA, and Data Librarian) should be kept separate to reduce the chance of
collusion.

Question 51
There are several options, but such a physical control would include fire suppression
systems, building the data centre out of non-flammable materials, or locating the data
centre away from likely fire hazards.

Question 52
Answer A is incorrect as IDEA software is not a technique.
Answer B is incorrect. It is partially correct but not complete as IDEA software can be used
to visualise data.
Answer C is incorrect. It is partially correct as IDEA can be integrated with an automated
working papers package, but this does not make IDEA an automated working paper
support tool.
Answer D is correct. IDEA is identified as generalised audit software in Section 13.5.1.

Question 53
Answer A is incorrect. None of the items listed is a testing technique.
Answer B is correct. Each technique listed is described in Section 13.5.2 as a testing
technique that can be used in applying the white-box approach.
Answer C is incorrect. Reconciliation is a technique used in support of the black-box approach.
Answer D is incorrect. It is not correct as Answer B is correct.

Question 54
Answer A is correct. It is a corrective control (data are restored to their former state), as
described in Section 13.5.4.5.
Answer B is incorrect. Offline backups do not prevent the cyber attack from occurring; they
only correct the problem when it occurs.
Answer C is incorrect. Online operational data can still be encrypted.
Answer D is incorrect. Backups generally have no impact on the implementation of
unauthorised software.

Question 55
Answer A is incorrect. It is explicitly identified in Section 13.5.4 as a base control in
safeguarding against cyber-security attacks.
Answer B is incorrect. It is explicitly identified in Section 13.5.4 as a base control in
safeguarding against cyber-security attacks.
Answer C is incorrect. It is explicitly identified in Section 13.5.4 as a base control in
safeguarding against cyber-security attacks.
Answer D is correct. An integrated test facility is described in Section 13.5.2 as a testing
technique for testing data, not safeguarding cyber-security.

Question 56
Answer A is correct. This explicit definition is provided in Section 13.5.4.2.
Answer B is incorrect. It describes an anti-virus program that blacklists known problem
applications and prevents them from executing.
Answer C is incorrect. This approach ensures software is kept up to date.
Answer D is incorrect. Assigning user privileges on the basis of need is not application
whitelisting, as discussed in Sections 13.5.4.2 and 13.5.4.4.

Question 57
Answer A is incorrect. Section 13.5 discusses auditor involvement in both black-box and
white-box testing.
Answer B is incorrect. Section 13.5 discusses auditor involvement in both black-box and
white-box testing.
Answer C is correct. This is discussed in Sections 13.5 and 13.5.2.
Answer D is incorrect. The auditor does not need to execute all testing (Section 13.5).

Question 58
Offline backups cannot be encrypted by a cyber attack. They are independent of the
networking environment and so a cyber attack that encrypts, deletes, or corrupts business
data cannot affect an offline backup. This means that the network can be cleaned of any
malware and unaffected data can be restored from the backup.

Question 59
HKSA 265 requires the auditor to communicate significant deficiencies to those charged
with governance. The deficiencies do need to be sufficiently important to warrant
reporting the problem to management. The auditor does not need to suggest a solution,
but often does. In doing so, the auditor should be careful not to affect their professional
independence.

Question 60
It is likely that a COTS software solution would not be audited unless it is material and/
or significant customisation has occurred. A COTS solution has already been tested
elsewhere. The opportunity for implementing unauthorised changes in the software is less
than for a custom-built software solution. If the COTS solution were to be audited, the least
disruptive approach would be a black-box approach.

Question 61
First, specialised software might not be relevant to the entity’s industry. Second, the
auditor may not have skills in using the software. Third, the software might be expensive to
buy and training in that software might also be expensive.

Question 62
The tests through the computer are only performed at a particular time. An unauthorised
change to the software might have occurred after the last audit, and the change then
reversed prior to the auditor’s return. An integrated test facility – with access only available
to the audit team – is one way to combat this problem.

Question 63
Answer A is incorrect. It describes personalisation and customisation (Section 13.6.1).
Answer B is incorrect. It describes richness of information (Section 13.6.1).
Answer C is correct. This is the definition of information density provided in Section 13.6.1.
Answer D is incorrect. It describes global reach (Section 13.6.1).

Question 64
Answer A is incorrect. The capability described does not address Yunfei’s ability to
customise the experience.
Answer B is incorrect. It is partially correct, but the response is not complete as the focus of
the description is on the ability to access websites across international borders.
Answer C is incorrect. It is partially correct, but the response is not complete as the focus of
the description is on the ability to access websites across international borders.
Answer D is correct. The capability described focuses on Yunfei’s capability to access
websites across international borders – the key aspect of global reach (Section 6.1).

Question 65
Answer A is correct. This is explicitly defined in Section 13.6.2.
Answer B is incorrect. The response includes terms not discussed in Section 13.6.
Answer C is incorrect. The response includes terms not discussed in Section 13.6.
Answer D is incorrect. The response includes terms not discussed in Section 13.6.

Question 66
Answer A is incorrect. The scope of the e-commerce security plan is limited to IS that
support e-commerce, not all of the entity’s IS.
Answer B is correct. This is explicitly identified in Section 13.6.3.
Answer C is incorrect. It is partially correct as an e-commerce security plan might
document these configuration settings, but processes, structures, and teams need to be
documented as well (Section 13.6.3).
Answer D is incorrect. This option outlines a business continuity plan, not an e-commerce
security plan.

Question 67
Answer A is correct. This is noted in Section 13.6.3.
Answer B is incorrect. Substantive testing of an e-commerce system is identified in
Section 13.6.3 as an option for auditing e-commerce.
Answer C is incorrect. Section 13.6.3 notes several substantive tests that are more difficult
in the online environment.
Answer D is incorrect. Section 13.6.3 notes several substantive tests that are more difficult
in the online environment.

Question 68
Answer A is correct. It contradicts the statement made in Section 13.6.2 and is thus false.
Answer B is incorrect. The statement is made in Section 13.6.2 and is thus true.
Answer C is incorrect. The statement is made in Section 13.6.2 and is thus true.
Answer D is incorrect. The statement is made in Section 13.6.2 and is thus true.

Question 69
An e-commerce IS operates in a virtual environment and is dependent on IT controls.
However, it is not entirely reliant on its IT controls, as some physical controls remain
relevant and some corrective controls are likely to be needed to manually correct problems
that do arise.

Question 70
The steps are: (1) undertake an initial risk assessment; (2) develop a security policy;
(3) identify the technologies, processes, and the structures and teams needed to
implement the security policy. If these steps are not taken, it means that an explicit
e-commerce security plan does not exist. Although it is a key internal control, it is possible
that other relevant controls are implemented that address the same concerns. This
assessment is a matter of judgement for the auditor.

Question 71
Detailed testing will require extended technical skills. It is possible, however, for the
generalist auditor to establish that the process used in developing these controls
was effective. The generalist auditor can make their assessment in the light of the
risk assessment made and the level of materiality assigned to the e-commerce IS. As the
complexity and materiality of the e-commerce IS increase, it becomes more likely that the
auditor will require the support of a specialist IT auditor.

EXAM PRACTICE

QUESTION 1
(a) Outline the relationship between Audit Risk, Controls Testing, and Substantive Testing.

(b) During an audit, an auditor compares the prices on supplier invoices to the original
purchase order price. Identify whether this is a substantive test or a controls test and
explain the reason for your answer.

QUESTION 2
(a) Consider the following three application controls implemented in an information
system:

(i) A control that checks whether an entered value in a record is within an acceptable
range.

(ii) A transaction log of all transactions that are entered into the system.

(iii) A control that distributes the sales report to a limited range of recipients in an
encrypted format.

Describe the purpose of each of these controls/tests. For each control/test, identify
its type of application IT control.

Identify whether any of these controls/tests performed a record level input control
and explain the reason for your answer.

(b) Consider the following two ITGC:

(i) A defined software development methodology is used to develop new software.

(ii) The IT operations team installs and implements the software developed by the
system development team.

Identify the type of general control to which each control MOST relates.

QUESTION 3
(a) Describe the ‘rule of least access’ and explain why it is often breached. In your view,
identify whether such violations of the ‘rule of least access’ can be reduced and, if so,
explain how.

(b) Define database security, integrity, accountability, and recoverability as aspects
of database control. In your view, determine whether any one of these aspects of
database control is more important than the others and explain the reason for
your answer.

QUESTION 4
(a) Describe the three transaction cycles that exist in all businesses. In describing each
cycle, provide an example of a related subsystem.

(b) Consider the following statement:

Given the prevalent use of computer-based accounting information systems, all
financial auditors need to have strong skills in IS audit.

Explain whether you agree with this statement and justify your answer.

QUESTION 5
Read the following case material:

Amber Tree Professional Association (ATPA) is a not-for-profit membership organisation for
arborists and landscape gardeners across Hong Kong. ATPA has its offices in Tsuen Wan and
shares the building with many organisations. The building is close to a stormwater drain
known for becoming blocked and flooding the surrounding buildings.

The IT manager reports to the Chief Financial Officer. There are 45 IT staff in two
teams. The IT services team keeps the network running and the hardware working. The IT
development team develops in-house software and implements all application software
including their own. The IT development team also updates and maintains the Council’s
databases. The IT development team has 20 members. A team leader in each team is
responsible for supervising team members. There are no other supervisors.

ATPA runs its own 15-computer server data centre in the basement of the office building
in Tsuen Wan, as do all other businesses in the building. Accessing the data centre requires
a physical key and a common entry keycode. Each member of the IT team, the security, the
cleaning staff, and the members elected to the Board have a copy of the key. These people
also know the keycode for access to the building and the data centre.

No tape backup solution is in place. All data processing is done at ATPA headquarters.
There is a shared cold site data centre at Disaster Recovery Iz Us, a commercial operator
located in Hanoi. Data are transferred weekly. Disaster Recovery Iz Us has been particularly
successful in having all the businesses in ATPA’s building use their services due to an
agreement with the building’s owner.

Key IS used by the Council includes the Human Resources and Payroll System (including
staff rosters and direct integration with the electronic timesheet system for employee
timesheets), the Events System (used to manage and schedule member events and
functions), the Finance and Accounting Information System (used to manage financial data
and reporting), and the Membership Fees System (MFS; this system is used to generate fee
notices to all ATPA members).

The Membership Fees System was developed by the IT Development team, and this
project was overseen by Rudy McGrath, an IT contractor with a strong interest in systems
integration, gambling statistics theory, and the Facebook API. Rudy used an agile software
development methodology of his own design.

During the project, the emphasis was upon quick, cheap development and access and
availability to users using Microsoft Access. However, Rudy has since left ATPA to move
to Las Vegas, Nevada, in the USA, where he is using his analysis skills to gamble in the
casinos. Rudy was the only person who knew how to find the documentation and now that
documentation (and indeed Rudy) cannot be found.

The largest system is the MFS, which stores members’ credit card numbers and
generates a transaction file that is uploaded to AMEX and CardLink websites by Jodie Smith,
the Membership Systems Developer. Jodie has a special arrangement with her boss so that
she can work from Stanley every day – she wants to support her son and husband who are
in the Tung Tau Correctional Institution pending their release from jail later this year for
white collar crimes. Approximately HK$18 million in membership fees are processed by the
system each year. These fees represent 85% of ATPA’s annual revenue.

The MFS also integrates with Facebook and Google Maps using Facebook’s API
(Application Programming Interface) to keep members informed of their Association
obligations. This capability was developed by Jodie Smith. The MFS automatically posts
on members’ Facebook Wall the due dates of their latest membership invoices along with
any reminder notices and the outcomes of any disciplinary hearings for poor professional
landscaping work. These posts are made publicly to ensure transparency.

In this context, Wing Nam Siu, the independent Chair of the ATPA Audit and Risk
Committee, has asked your IS audit team to evaluate this approach to managing operations
and to present recommendations to ATPA to improve current practice.

Required

(a) Explain why ITGCs are relevant to the auditor and identify SIX (6) ITGC outlined in the
preceding case. For each control, evaluate whether, on the basis of the evidence, the
control is effective or ineffective.

You may wish to present your evaluation in a table. Use a short label that adequately
identifies the controls in the case.

(b) Outline two key improvements to the ITGC that you consider should be implemented. In
your discussion, explain why you consider each improvement to be a key improvement
in the context of the financial audit.

(c) In your professional judgement, determine whether the financial audit can rely on the
ITGC in planning the audit and justify your answer.

ANSWERS TO EXAM PRACTICE

QUESTION 1
(a) In planning this answer, note that there are three relationships to consider as there are
three aspects identified. That is, the answer should address the relationship between
audit risk and controls testing, audit risk and substantive testing, and controls testing
and substantive testing. This question draws from Sections 13.1 and 13.3.3.2.

The solution provided should address the following:

• Audit risk is the risk that the auditor will provide an assurance that the financial
reports are not materially misstated when in fact they are, and HKSA 200
explains that the risk of material misstatement exists at the financial statement
and assertion levels.

• Audit risk has three component parts and is equal to: Inherent Risk × Controls
Risk × Detection Risk. The component parts of the formula are:

  ◦ Inherent risk is risk that arises directly due to the entity’s industry.

  ◦ Controls risk is that the controls in place are inadequate in preventing,
  detecting, or correcting errors that materially affect the financial reports.

  ◦ Detection risk is the risk that the auditor does not detect errors that the
  entity’s internal controls also do not detect and correct.

• Audit activities do not affect inherent risk – it is independent of the entity and the
audit. Inherent risk is independent of controls testing and substantive testing.

• Controls testing does not reduce controls risk – the entity’s controls are as
effective or ineffective as designed and implemented by the entity. However,
increased controls testing does increase the reliability of the auditor’s
assessment of control risk. Increased controls testing allows the auditor to have a
more reliable estimate of audit risk but does not reduce controls risk.

• Substantive testing reduces detection risk by reducing the risk the auditor does
not find errors that are also not detected and corrected by the entity’s internal
controls. More substantive testing reduces audit risk.

• The auditor, in planning the audit, has regard to the reliability of their assessment
of audit risk. The auditor plans to ensure that their audit activities reduce audit
risk to an acceptable level.

• Under HKSA 200 the risk of material misstatement is assessed at the assertion
level so as to determine the nature, timing and extent of further audit
procedures. For identified risks of material misstatement at the assertion level
HKSA 315 (Revised 2019) requires a separate assessment of IR and CR. These
assessments impact the audit risk assessment.

• In the case of an unreliable estimate of audit risk, the auditor plans for the higher
estimate of audit risk. For this reason, increased controls testing may result in
reduced substantive testing.

(b) In planning this answer, the test needs to be identified as substantive or controls
testing. The reason for the choice made is then required. This question draws from
Section 13.3.3.2.

The solution provided should address the following:

• Comparing prices on supplier invoices to the original purchase order price
may be argued as either a controls test or a substantive test. It is discussed
in Section 13.3.3.2 as an example of a substantive test, but it can be either,
depending on the context.

• The explanation should consider the nature of controls testing and compare it to
substantive testing. There are two aspects to consider.

• First, a control prevents, detects, or corrects errors that affect the financial
reports. A test of controls therefore considers whether the design of the internal
control is effective or whether the internal control operates as designed.

• Second, substantive tests are designed to determine whether the entity’s
electronic records fairly reflect the organisation’s transactions. Such tests can
confirm transactions with independent third parties or assess whether the
financial records are complete, valid, and accurate.

• Several reasons would be appropriate here, but they must support the
assessment made. It can be argued that the test is substantive, as it aims to
assess validity (for example, was the invoice received actually based on an
authorised purchase order?), accuracy (for example, does the supplier invoice
match that which was ordered?), and completeness (for example, have all
purchases made been recorded?). However, the test may be a test of controls;
for example, the test may be aimed at detecting whether the system’s controls
ensure that the purchase order is accurate, that the purchase order is properly
authorised, or that the vendor is authorised. In the latter case, the test would
be a test of the effectiveness of the control as implemented – and thus a
controls test.

QUESTION 2
(a) In planning this answer, note that the purpose and type of application control is
required for each control identified, and the answer needs to identify and explain why
the controls/tests are, or are not, a record level input control. This question draws from
Section 13.4.3.

The solution provided should address the following:

• There are four broad types of application controls: Input Controls, Processing
Controls, Output Controls, and Master File/Database Controls.

  ◦ Input controls ensure the completeness, accuracy, and authorisation of data
  input into the system at the time of data entry.

  ◦ Processing controls prevent, detect, and correct errors during the processing
  of transactional input data.

  ◦ Output controls detect errors and correct them after the completion of
  transaction processing and also ensure that the results of processing are not
  intercepted and corrupted.

  ◦ Database controls ensure the security, integrity, accountability, and
  recoverability of the database.

• A record level input control tests the validity of the entire record.

• Range check tests are input controls as they test whether the data entered into a
field are within an acceptable range of values. This tests an individual field and so
is not a record level input control.

• Transaction logs are processing controls that record all transactions for later
review and correction of any processing errors. This test is not an input control
and so is not a record level input control.

• Encrypted report distribution is an output control that tightly controls report
distribution. This test is not an input control and so is not a record level
input control.

(b) In planning this answer, consider the different types of ITGC and classify each control
accordingly. This question draws from Section 13.4.2.

The solution provided should address the following:

• ITGC ensure that the IT environment maintains data integrity, security, and
confidentiality. ITGC affect all financial reporting transactions. The most
important, or key, ITGC relate to the administration of the IT function, the
segregation of duties, the development of new systems, physical and online
security, backup planning, and controls over hardware infrastructure.

• Development methodologies are ITGC for the systems development function.
The methodology for implementing new software needs to be an effective
manner of addressing the entity’s requirements.

• The requirement for the installation and implementation of software developed
by the systems development team to be performed by another team is a
segregation of IT duties general control. Ideally the roles of IT management,
systems development, IT operations and maintenance, and database
management are kept separate from each other. In this case, the control outlined
MOST relates to the segregation of IT duties control as it ensures incompatible IT
duties are kept separate.


QUESTION 3
(a) In planning this answer, note that the description of the rule of least access is required
along with an explanation of why it is breached. An explanation as to how such
violations can be reduced is needed if they can indeed be reduced. This question draws
from Section 13.4.3.4.

The solution provided should address the following:

• The rule of least access is that users of a system should be granted access
privileges on a need-to-know basis.

• The rule is often breached as users change roles and have new access privileges
granted whilst the old access privileges are not revoked. This arises as users will
disclose when they are prevented from doing their assigned tasks, but are likely
not to report the problem if their access is more than they need. A further issue
is that managers are frequently busy and so they often do not exercise adequate
care in revoking permissions or in initially assigning them.

• Violations can be reduced. Strong policies that are monitored are required.
For example, managers must be required to apply due diligence in assigning
permissions to roles to avoid granting excessive access to the system. Similarly,
policies that encourage users to report access that is no longer required
are needed.
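
One way to monitor the policy described in 3(a), as an added Python example that is not part of the original text: a periodic access review that compares the privileges each user holds with what the current role needs, and also flags incompatible privileges left over from an old role. The role names, privilege names, and incompatible pairs are hypothetical.

```python
from dataclasses import dataclass

# Constructed baseline: the privileges each role needs (hypothetical names).
ROLE_BASELINE = {
    "ap_clerk": frozenset({"invoice:create", "invoice:read"}),
    "ap_supervisor": frozenset(
        {"invoice:read", "invoice:approve", "payment:release"}),
    "payroll_officer": frozenset({"payroll:read", "payroll:update"}),
}

# Constructed pairs of privileges that one person should not hold together.
INCOMPATIBLE = [
    ("invoice:create", "invoice:approve"),
    ("invoice:create", "payment:release"),
]


@dataclass(frozen=True)
class Account:
    user: str
    role: str            # the user's current role
    granted: frozenset   # privileges actually held in the system


def review_access(accounts, baseline=ROLE_BASELINE, incompatible=INCOMPATIBLE):
    """Return one finding per account that deviates from its role baseline.

    excess    - held but not needed by the current role; users rarely report it
    missing   - needed but not held; users normally report this themselves
    conflicts - incompatible pairs held at once, typically kept from an old role
    """
    findings = []
    for acct in accounts:
        needed = baseline.get(acct.role)
        if needed is None:
            # No baseline exists for the role, so nothing held is justified.
            needed = frozenset()
        excess = acct.granted - needed
        missing = needed - acct.granted
        conflicts = [pair for pair in incompatible if set(pair) <= acct.granted]
        if excess or missing or conflicts:
            findings.append({
                "user": acct.user,
                "role": acct.role,
                "excess": sorted(excess),
                "missing": sorted(missing),
                "conflicts": conflicts,
            })
    return findings


# Constructed sample data: chan moved from clerk to supervisor and the old
# clerk privileges were never revoked.
SAMPLE_ACCOUNTS = [
    Account("chan", "ap_supervisor", frozenset({
        "invoice:create", "invoice:read",
        "invoice:approve", "payment:release"})),
    Account("lee", "ap_clerk", frozenset({"invoice:create", "invoice:read"})),
    Account("wong", "payroll_officer", frozenset({"payroll:read"})),
]

if __name__ == "__main__":
    for finding in review_access(SAMPLE_ACCOUNTS):
        print(finding)
```

Only the shortfall for wong is the kind of problem a user would raise unprompted; the excess and the conflicts for chan surface only because the review looks for them.
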
(b) In planning this answer, note the need to define the four aspects of database control
and then assess if any of these are more important than the others. An explanation for
this assessment is required. This question draws from Section 13.4.3.4.

The solution provided should address the following:

• Security requires that an access control list is used in the viewing, updating, or
deleting of data. The access control list is a structured document that sets out
those with management’s authorisation to access the data.

• Integrity requires the database design to store data without data loss.

• Accountability requires that the DBMS record user access to the database and, in
some cases, the creation, reading, updating, and deletion of data in an audit log.
The audit log records these events by date, time, and named user.

• Recoverability requires the database’s ongoing availability to be ensured.

• Views will differ. One view is that no one aspect of database control is more
important than the others as all four aspects are essential to database control.
However, a well-argued reason that supports one aspect over another is
also reasonable. For example, it can be argued that the importance of the
database control is that, as an application control, it needs to ensure that data
are complete, valid, and accurate to enable decision making. On that basis,
integrity can be considered as the most important as a secure, accountable,
and recoverable database that does not have integrity is still unable to support
decision making.


QUESTION 4
(a) In planning this answer, note the need to describe the three transaction cycles and
provide an example of a related subsystem for each. This question draws from
Section 13.3.3.1.

The solution provided should address the following:

• The expenditure cycle focuses upon processes that determine the goods and
services to acquire, the subsequent acquiring and receiving of those goods and
services, the approval of payment, and, finally, the actual payment for the goods
and services.

• The conversion cycle records transactions relating to the entity’s conversion of
goods and services that the entity uses. Such transactions generally represent
the entity’s work in progress in getting products or services ready for sale.

• The revenue cycle focuses upon those processes relating to the sale of goods and
services to the entity’s customers.

• Common systems in the expenditure cycle include purchases/accounts payable,
cash disbursements systems, payroll, and fixed assets systems.

• In the conversion cycle, common systems are focused on production planning
and cost control systems such as cost management or budgeting systems.

• Common revenue cycle systems include cash receipts and sales systems.

(b) In planning this answer, note that the question requires the development of a
considered opinion. This question draws from the whole chapter, but primarily is
informed by Section 13.1.

The solution provided should address the following:

• A statement as to whether the statement is agreed with or disagreed with is
required. This statement is then supported by the discussion that follows.

• There are several reasons why this statement is inaccurate.

• For example, there are good reasons for some financial auditors to have good
skills in IS audit, but all financial auditors do not need strong skills in IS audit. For
example, the audit opinion is informed by the team’s audit work and as long as
the auditor can assess that work, strong skills are not required.

• An auditor who invests in strong skills in IS audit is likely to make such an
investment at the expense of other skills that the financial audit team needs. For
example, the presumption of this statement results in a team with strong skills in
the area of IS audit but not in others (e.g. financial statement analysis).

• Requiring all auditors to have strong IS audit skills is likely to result in a less
effective and capable financial audit team.

QUESTION 5
(a) The question requires six ITGC to be identified and the effectiveness of the
design of each to be assessed, together with a short reason for the assessment.
This question draws from Sections 13.1.2 and 13.4.2.


The solution provided should address the following:

• S1.2 explains that ITGCs support the operation of the IT environment and the
effective operation of information processing controls. HKSA 315 (Revised 2019)
requires the auditor to obtain an understanding of the general controls that
address the risk associated with using IT in specific IT applications associated
with controls that address the risk of material misstatement.

• Section 13.4.2 identifies six types of ITGC. These controls relate to administration
of the IT function, the segregation of duties, the development of new systems,
physical and online security, backup planning, and controls over hardware
infrastructure.

• It is possible to identify more than one control for each type of general control.
Several ineffective controls are considered in the points that follow.

• Physical controls are potentially ineffective as the key and keycode for the
computer centre are shared with far too many different people. Having a
common keycode means that access logs cannot record who accesses the centre.

• Administration is ineffective as there are too many people to supervise in
each team.

• Systems Development is potentially ineffective as Jodie Smith may be of poor
character due to her potential criminal associations. She has access to a system
with credit card numbers. Potentially, Jodie’s special arrangement to work near
the Tung Tau Correctional Institution should cause concern given her criminal
associations and that the compensating control of supervision is non-existent.

• Segregation of IT Duties is ineffective as database administration should not be
located with the development team; similarly, systems developers also undertake
network and operational support tasks.

• Systems development is ineffective as documentation for the MFS does not exist.

• Systems development is potentially ineffective as the software development
methodology is of Rudy’s own design rather than using an accepted standard.

• Systems development is potentially ineffective due to Rudy’s gambling. Rudy
might use his knowledge of the system to support his gambling habit.

• Systems development is potentially ineffective as Microsoft Access is not a secure
and recognised development platform.

• Backup and contingency planning is ineffective as the computer centre is in the
basement of a flood-prone area. In particular, as many businesses in the same
building have their computers located in the same basement, and their cold
site is in a shared space in Hanoi, it is likely that during a disaster ATPA will not
be able to access the cold site as its co-tenants will also wish to use the same
cold site.

• Backup and contingency planning is ineffective as backup is not daily.


(b) In planning this answer, note that the question requires that improvements to two
ITGC be identified, with an explanation as to why each is key. This question draws from
Section 13.4.2.

The solution provided should address the following:

• Any of the ineffective controls set out above can be considered key.

• Two improvements are provided by way of example.

• First, consider as a priority changing the disaster recovery and cold site
arrangement to a different provider (and implementing daily backups), as it is
very likely that a flood will make the systems unavailable and ATPA will be unable
to continue operating (thus, the risk has a high consequence if it occurs). This is a
relatively simple improvement to implement.

• Second, consider the redevelopment of the MFS to a more secure and robust
system. Microsoft Access is an inherently insecure desktop system, but
furthermore the lack of documentation for the key system is a considerable risk
from a security perspective as well as the sustainability of the system in the long
term. As a major system storing credit card numbers it is likely that any data
breach or hack would have a high impact on ATPA due to reputation loss.

(c) In planning this answer, note that the question requires the expression of professional
judgement and a justification for this judgement. This section draws from Section 13.4.2.

The solution provided should address the following:

• The financial audit cannot rely on the design of the ITGC.

• Justification includes the impact and nature of the problems with the ITGC noted
in the discussion above. Several key concerns can be noted as follows, although
any of the examples cited above are also key concerns.

• The software that manages 85% of revenue is developed by a single team with no
separate database administration role.

• The same software has no system documentation.

• The developer of the system, Rudy, may have a gambling problem.

• The data centre is not secure.


GLOSSARY OF TERMS

Acceptable level A level at which a professional accountant, using the reasonable and informed third party test would likely conclude that a professional accountant complies with the fundamental ethical principles.

Accountability relationship A relationship where one party in an entity is responsible for its actions in relation to a matter and reports to another party, internal or external to the entity, as to its performance in relation to that matter.

Accounts preparation A responsibility of management involving an accounting system to identify, record, and classify all the transactions and events relating to an entity that occur during a reporting period. To maintain accountability for assets, liabilities, revenue and expenditure and to convert that data into information in the form of financial statements.

Accounts preparation process A process through which the company’s accountant, management and directors prepare the financial statements from accounting data contained in the underlying financial records, including judgements and estimates where necessary.

Accuracy The extent to which the information managed in an information system is within a range of tolerance that is sufficiently fit for purpose for the user’s requirements. The information represents the real-world concept in a way that meets the user’s needs.

Adverse opinion An opinion in which the auditor concludes that misstatements are both material and pervasive to the financial statements.

Agile Systems Development Agile systems development is a category of different approaches to software development that emphasise collaborative work practices, early delivery and evolutionary development of minimum viable products. These approaches encourage a flexible response to change, and discourage the use of stable long-term plans and predictions. SCRUM and eXtreme Programming are specific approaches to agile systems development. Agile systems development is frequently contrasted with the software development lifecycle (SDLC) or waterfall approaches to systems development.

Agreed-upon procedures engagement A non-assurance engagement where the auditor agrees with the client party to undertake audit procedures agreed by both parties. The auditor reports the factual findings arising from applying those procedures, but no conclusion is expressed, and no assurance provided. The user draws own conclusions and derives assurance from the information provided.

Appropriate In the context of audit evidence, means its quality (relevance and reliability).

Appropriateness The measure of the quality of audit evidence; that is, its relevance and its reliability in providing support for the conclusions on which the auditor’s opinion is based.

Assertions Representations, explicit or otherwise, with respect to the recognition, measurement, presentation and disclosure of information in the financial statements which are inherent in management representing that the financial statements are prepared in accordance with the applicable financial reporting framework. Assertions are used by the auditor to consider the different types of potential misstatements that may occur when identifying, assessing and responding to the risks of material misstatement.

Assurance An independent professional opinion, the objective of which is to reduce information risk (risk from incorrect information) to users of financial and other information to improve the reliability and credibility of information so that users can make more informed decisions.

Assurance client The responsible party and also, in an attestation engagement, the party taking responsibility for the subject matter information (who might be the same as the responsible party).

Assurance engagement An engagement in which a professional accountant in public practice aims to obtain sufficient appropriate evidence in order to express a conclusion designed to enhance the degree of confidence of the intended users other than the responsible party about the subject matter information (that is, the outcome of the measurement or evaluation of an underlying subject matter against criteria).


Assurance engagement risk The risk that the assurance practitioner expresses an inappropriate conclusion when the subject matter is materially misstated.

Attest Engagement A party other than the assurance provider measures or evaluates the subject matter against the criteria and then presents the information in a written report. The assurance practitioner provides users with an opinion that enhances the credibility of the assertion.

Attestation engagement An assurance engagement in which a party other than the professional accountant in public practice measures or evaluates the underlying subject matter against the criteria. A party other than the accountant also often presents the resulting subject matter information in a report or statement. In some cases, however, the subject matter information may be presented by the accountant in the assurance report. In an attestation engagement, the accountant’s conclusion addresses whether the subject matter information is free from material misstatement.

Audit Objective The objective of an audit of financial statements is to enable the auditor to express an opinion whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework.

Audit committee A sub-committee of the Board of Directors, composed of a majority of independent directors, that oversees the financial reporting and external and internal audit functions within an entity.

Audit documentation is the written record that forms the basis for the auditor’s conclusions. Also known as work papers or working papers.

Audit evidence Information used by the auditor in arriving at the conclusions on which the auditor’s opinion is based. Audit evidence includes both information contained in the accounting records underlying the financial statements and information from other sources.

Audit Plan The document that sets out the planned nature, timing and extent of specific audit procedures to implement the audit strategy and obtain the required evidence relating to specific account balance assertions or classes of transactions.

Audit procedures Procedures that might be used to collect evidence for the audit of the financial statements. Audit procedures are designed to suit the client entity’s nature, its control system and the auditor’s risk assessment.

Audit programme is developed in the audit planning process and lists the audit objectives and procedures to be followed in gathering evidence to test the accuracy of account balances.

Audit Risk The risk that an auditor will express an inappropriate opinion when the financial statement is materially misstated. It is a function of material misstatement and detection risk.

Audit Strategy The initial audit judgement that defines the scope and broad approach to be taken during the audit process based on the auditor’s understanding of the client and its environment.

Auditing A systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users.

Auditor’s expert A professional other than an accountant (e.g. a lawyer, a valuer or a geologist) who has specialist knowledge that enables them to collect appropriate audit evidence for the auditor.

Business Risk The risk that due to significant conditions, events, circumstances, actions or inactions the entity may not be able to achieve its objectives or execute its strategies. A risk that may impact and be reflected in financial statement components.

Chief Information Officer (CIO) Most senior executive of an organisation with responsibility for devising and delivering the IT strategy that supports business goals.

Close members of the family Family members who may be expected to influence, or be influenced by, that person in their dealings with the entity.

Cloud A network of remote servers that can store, manage and process data on IS with virtual hardware (for example, hard drive space), virtual servers (for example, applications) or virtual machines (for example, hosted Windows or Linux operating system environments). The data that is stored, managed and processed may be anywhere in the world.

Code of ethics Professional standards that set out fundamental principles of ethics for professional accountants, reflecting the profession’s recognition of its public responsibility. The principles establish the standards of behaviour
expected of a professional accountant in business, in public practice and for independence in audit and other assurance engagements.

Commercial off The Shelf (CoTS) Software Software that can be purchased and close to immediate installation with minimal opportunity for customisation and software development.

Comparative financial statements are identical in form to the current period financial statements and are complete financial statements. If audited, they are referred to in the current auditor’s opinion.

Comparative information Amounts and disclosures in respect of prior periods. Includes both comparative financial statements and corresponding figures.

Compensating Control A control that compensates for deficiencies in other controls implemented in the system. For example, close supervision is a control that compensates for a lack of segregation of duties in small teams where such controls are impractical.

Completeness The extent to which the information managed in an information system is a full and whole representation of the real-world concepts represented by the system.

Compliance audit An engagement where an audit is undertaken to determine whether an entity has complied with specified policies, procedures, laws and regulations. These engagements can be undertaken by internal or external auditors.

Compliance framework Is used to refer to a financial reporting framework that requires compliance with the requirements of the framework, but does not:
(i) acknowledge explicitly or implicitly that, to achieve fair presentation of the financial statements, it may be necessary for management to provide disclosures beyond those specifically required by the framework; or
(ii) acknowledge explicitly that it may be necessary for management to depart from a requirement of the framework to achieve fair presentation of the financial statements.

Component An entity or business activity for which group or component management prepares financial information that should be included in the group financial statements.

Component auditor An auditor who, at the request of the group engagement team, performs work on financial information related to a component for the group audit.

Component management Management responsible for the preparation of the financial information of a component.

Component materiality The materiality for a component determined by the group engagement team.

Conceptual framework The approach that professional accountants are to apply to identify, evaluate and address threats to compliance with the fundamental ethical principles. It involves the professional accountant identifying any threats to the fundamental principles, evaluating their significance, and either applying safeguards to reduce it to an acceptable level based on a reasonable and informed third party test or if no safeguards are available, eliminating the circumstances or declining or discontinuing an engagement.

Confirmations A response to an auditor’s request for information from a confirming external party.

Consultation includes discussion within the engagement team and with individuals who have specialized expertise.

Control environment The governance and management functions and the attitudes, awareness, and actions of those charged with governance and management concerning the entity’s system of internal control, and its importance in the entity. The control environment sets the tone of an organization, influencing the control consciousness of its people, and provides the overall foundation for the operation of the other components of the entity’s system of internal control.

Control Risk A component of the risk of material misstatement. The risk that a misstatement could occur in an assertion about a class of transactions, account balance or disclosure and that could be material either individually or when aggregated with other misstatements, will not be prevented, detected and corrected on a timely basis by the entity’s internal control.

Conversion cycle The conversion cycle represents those activities in the organisation that convert the inputs received (expenditure cycle) into the outputs supplied by the organisation (revenue cycle). Usually, inputs are acquired in the expenditure cycle, converted as required in the conversion cycle and delivered to customers in the revenue cycle.

Corporate Governance The system used by an entity to direct and control its activities to achieve its strategic objectives, to be accountable to its stakeholders, to ensure the rights of those
stakeholders are honoured by those responsible and to ensure compliance with applicable legal and social requirements.

Corresponding figures are only relevant as an aid to understanding the current period financial statements. They are not complete financial statements.

Criteria In an assurance engagement, the benchmarks used to measure or evaluate the underlying subject matter. The ‘applicable criteria’ are the criteria used for the particular engagement.

Cyber-Attack An attempt by online criminals to damage, destroy or disable an organisational network, IT infrastructure or information system through the internet.

Cyber-Security The activities needed to protect an organisational network, IT infrastructure or information system from cyber-attack.

Database Management System (DBMS) A central software system that allows data records to be managed (created, replaced, updated and deleted) and provides applications with access to data.

Data Centre A facility that groups together IT hardware in a single location, usually for the storage, management and processing of data.

Data Lake The storage of a large repository of untransformed enterprise data from many different structured and unstructured data sources as a single virtual data resource. The data stored in a data lake is consequently unrelated and, possibly, inconsistent. The data lake can be supported by a data centre or hosted in the cloud.

Database A repository of enterprise data, usually in support of an enterprise activity. Amongst other design choices, a database can be a navigational (networked, hierarchical or networked-hierarchical), relational, object-oriented or NoSQL database.

Database Administrator (DBA) An organisational role in the IT Team with responsibility for database planning, design, implementation, operation, maintenance and future requirements planning.

Detection Risk The risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements.

Direct assistance The use of internal auditors to perform audit procedures under the direction, supervision and review of the external auditor.

Direct engagement In an assurance engagement, the benchmarks used to measure or evaluate the underlying subject matter. The ‘applicable criteria’ are the criteria used for the particular engagement.

Disclaimer of opinion It is expressed when the auditor is unable to obtain sufficient audit evidence on which to base an opinion and the auditor concludes that the possible effects of undetected misstatements could be material and pervasive to the financial statements.

Electronic Business (e-business) Business activities that are done using or with the support of the internet but not involving the purchase or sale of goods and services.

Electronic Commerce (e-commerce) E-commerce is the buying or selling of goods over the internet with IS.

Emphasis of Matter Matter included in the auditor’s report to direct users of the financial statements to a matter that has been discussed appropriately in the financial statements.

Engagement circumstances The context in which the engagement is being conducted.

Engagement quality review An objective evaluation of the significant judgments made by the engagement team and the conclusions reached thereon, performed by the engagement quality reviewer and completed on or before the date of the engagement report.

Engagement quality reviewer A partner, other individual in the firm, or an external individual, appointed by the firm to perform the engagement quality review.

Existing auditor is used to describe the last appointed auditor (incumbent auditor). Where the ‘existing auditor’ is being replaced with another auditor, they become the ‘outgoing auditor’.

Expenditure cycle The expenditure cycle represents those activities in the organisation that acquire the goods and services needed to deliver goods and services to customers. Usually, inputs are acquired in the expenditure cycle, converted as required in the conversion cycle, and delivered to customers in the revenue cycle.

External Service Provider A third-party provider of services used by the organisation; usually these services are specialised IT services or IT services that can be provided more effectively and/or efficiently than if the organisation provided these services on its own.

eXtreme Programming (XP) An agile system development methodology that focusses on frequent releases of software code and aims to
use extreme best practices in programming. Often used in conjunction with SCRUM.

Fair value is the price that would be received to sell an asset, or paid to transfer a liability, in an orderly transaction between market participants at the measurement date. It is an exit price.

Financial Report Formal records of the financial activities and position of an entity. The records are prepared according to a set of rules as to how to account for business activities (International Financial Reporting Standards) and audited according to a set of rules as to how to determine the risk of material misstatement (International Standards on Auditing).

Financial statement audit An audit undertaken to provide reasonable assurance that financial statements prepared by management are in accordance with the applicable financial reporting framework, to enhance the degree of confidence of intended users in the financial statements.

Financial statement statutory auditor An external auditor appointed by a company’s shareholders under the Companies Ordinance to undertake an audit of the company’s financial statements and report to shareholders.

General information technology (IT) controls Controls over the entity’s IT processes that support the continued proper operation of the IT environment, including the continued effective functioning of information processing controls and the integrity of information in the entity’s information system.

Governance Describes the role of person(s) in organisations with responsibility for the direction of the entity and obligations relating to the accountability of the entity.

Group All the components whose financial information is included in the group financial statements. A group always has more than one component.

Group audit The audit of group financial statements.

Group audit opinion The audit opinion on the group financial statements.

Group engagement partner The partner or other person in the firm who is responsible for the group audit engagement and its performance, and for the auditor’s report on the group financial statements that is issued on behalf of the firm. Where joint auditors conduct the group audit, the joint engagement partners and their engagement teams collectively constitute the group engagement partner and the group engagement team. This HKSA does not, however, deal with the relationship between joint auditors or the work that one joint auditor performs in relation to the work of the other joint auditor.

Group engagement team Partners, including the group engagement partner, and staff who establish the overall group audit strategy, communicate with component auditors, perform work on the consolidation process, and evaluate the conclusions drawn from the audit evidence as the basis for forming an opinion on the group financial statements.

Group financial statements Financial statements that include the financial information of more than one component. The term ‘group financial statements’ also refers to combined financial statements aggregating the financial information prepared by components that have no parent but are under common control.

Group management Management responsible for the preparation of the group financial statements.

Group-wide controls Controls designed, implemented and maintained by group management over group financial reporting.

Historical financial information Information expressed in financial terms in relation to a particular entity derived primarily from the entity’s accounting system, about economic events occurring in past time periods, or about economic conditions at points in time in the past.

Hong Kong Standards on Auditing (HKSA) The Hong Kong version of the International Standards on Auditing (ISAs) published by the International Federation of Accountants.

Hosting A third-party service provider of IT services such as data storage, processing or management, or virtual services (application services, website hosting or virtual machines). Hosting may be provided through the cloud or through the host’s own data centre.

Incompatible duties Duties that are incompatible should not be performed by the same role according to the general control of segregation of duties.

Incoming auditor is the newly appointed auditor (i.e. the auditor nominated for the current period who did not audit the preceding period’s financial statements). If the person has not been appointed as auditor yet, but has been invited to become the new auditor, they are referred to as the ‘prospective incoming auditor’ until formally appointed.

Independence A state of mind or avoidance of circumstances that permits an opinion without being, or being seen to be, affected by influences


that compromise professional judgement, allowing an individual to act with integrity, objectivity and professional scepticism.

Information processing controls Controls relating to the processing of information in IT applications or manual information processes in the entity’s information system that directly address risks to the integrity of information (i.e. the completeness, accuracy and validity of transactions and other information).

Information risk The risk of making incorrect decisions because of incorrect or unreliable information.

Information Systems (IS) An information system is made up of the technology (hardware and software), the process (a policy or procedure that mandates the way in which the system is used) and the people that use the technology according to the processes set out.

Information Technology (IT) Technology (including computing hardware and software) that stores, retrieves and sends information electronically.

Infrastructure The basic physical and organisational structures that provide the foundation for the operation of an organisation’s hardware and software platform.

Inherent Risk A component of the risk of material misstatement. The susceptibility of an assertion about a class of transactions, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.

Inherent risk factors Characteristics of events or conditions that affect susceptibility to misstatement, whether due to fraud or error, of an assertion about a class of transactions, account balance or disclosure, before considering controls. Such factors may be qualitative or quantitative, and include complexity, subjectivity, change, uncertainty or susceptibility to misstatement due to management bias or other fraud risk factors insofar as they affect inherent risk.

Inspection procedures designed to provide evidence of compliance by engagement teams with the firm’s quality management policies and procedures.

Intended users The person, persons or class of persons for whom the assurance practitioner prepares the assurance report. The responsible party can be one of the intended users, but not the only one.

Internal audit function A function within an entity that performs assurance and consulting activities designed to add value to the entity by evaluating and improving the effectiveness of the entity’s governance, risk management and internal control processes.

Internal Control System The system of physical, general and application controls that provide assurance that the organisation’s objectives are addressed efficiently and effectively, reported reliably and comply with relevant laws, regulations and policies.

IT Committee An organisational structure that provides a forum for the IT department provider of services to meet with business unit recipients of services and set priorities for the planning, building, running and managing of the organisation’s IT infrastructure and IS.

IT environment The IT applications and supporting IT infrastructure, as well as the IT processes and personnel involved in those processes, that the entity uses to support business operations and achieve business strategies. An IT application is the program(s) used to initiate, process, record and report transactions or information and include data warehouses and report writers. IT infrastructure comprises the network, operating systems and databases and their related hardware and software. IT processes to manage access to the IT environment, manage change and IT operations.

IT Strategy The IT strategy sets out proposed changes to the IS investment at the entity, and how the changes to IT are to be executed in line with the business strategy.

Key audit matters Those matters that, in the auditor’s professional judgment, were of most significance in the audit of the financial statements and are selected from those communicated with those charged with governance.

Limited assurance engagement An engagement where assurance engagement risk is reduced to an acceptable level in the circumstances of the engagement, but where the risk is greater than for a reasonable assurance engagement. Provides the basis for a negative expression of opinion generally identified with a review engagement.

Listed issuer means a company listed on the Main Board or Growth Enterprise Market (GEM) of the SEHK.

Management Those with executive responsibility for the conduct of the entity’s operations. For some entities, management includes some or all of those charged with governance.

Management’s expert A professional hired or employed by management to prepare estimates,


valuations and disclosures to be used in the financial reports.

Material Misstatement In the context of a financial audit, a material misstatement of the information in a financial report is so inaccurate, incomplete or invalid that it could affect the decisions of a user of a financial report.

Modified opinion a qualified opinion, an adverse opinion or a disclaimer of opinion on the financial statements.

Monitoring an ongoing consideration and evaluation of the firm’s system of quality management, including a periodic inspection of a selection of completed engagements, designed to provide the firm with reasonable assurance that its system of quality management is designed, implemented and operating effectively.

Monetary unit sampling the key characteristic of MUS is the definition of the sampling unit as $1.

Non-assurance engagements engagements that provide no assurance on a particular subject matter based on the entity’s requested audit procedures.

Non-statistical samples samples selected by haphazard, block or directed selection.

Non-statistical sampling samples that are selected and evaluated using ‘professional judgement’, which is highly subjective and differs between auditors.

Other information Financial or non-financial information (other than the financial statements and the auditor’s report thereon) included in an entity’s annual report.

Overall audit strategy Sets the scope, timing and direction of the audit and guides the development of the more detailed audit plan.

Performance audit An audit of an entity’s activities and operations to assess economy, efficiency or effectiveness.

Performance Materiality The amount or amounts set by the auditor at less than materiality for the financial report as a whole to reduce to an acceptably low level the probability that the aggregate of unrecorded and undetected misstatements exceeds materiality for the overall financial statements.

Pervasive A term used, in the context of misstatements, to describe the effects on the financial statements of misstatements or the possible effects on the financial statements of misstatements, if any, that are undetected due to an inability to obtain sufficient appropriate audit evidence. Pervasive effects on the financial statements are those that, in the auditor’s judgment:
1. Are not confined to specific elements, accounts or items of the financial statements;
2. If so confined, represent or could represent a substantial proportion of the financial statements; or
3. In relation to disclosures, are fundamental to users’ understanding of the financial statements.

Practice review is a quality assurance programme that covers the provision of audit and other related assurance services in Hong Kong by firms, corporate practices and individual practising certificate holders (practice units).

Practice unit The term to describe the person or entities that can be appointed as financial statement auditors under the Companies Ordinance. They can be individual CPAs, a partnership of CPAs or CPAs structured as a corporate practice.

Practitioner an HKICPA ‘professional accountant’ in public practice.

Preconditions Factors, agreements and discussions the practitioner needs to have prior to accepting or continuing the engagement. The practitioner’s assessment is based on their preliminary knowledge of the engagement.

Predecessor auditor The auditor from a different audit firm, who audited the financial statements of an entity in the prior period and who has been replaced by the current auditor.

Predictive analytics Analytic models of the relation between a sampling unit and one or more known attributes of that unit designed to assess the likelihood that a similar unit will exhibit the same characteristics.

Professional judgment Professional judgment involves the application of relevant training, professional knowledge, skill and experience commensurate with the facts and circumstances, taking into account the nature and scope of the particular professional activities, and the interests and relationships involved.

Professional scepticism An attitude that includes a questioning mind, being alert to conditions which may indicate possible misstatements due to error or fraud, and a critical assessment of evidence.

Professional standards Hong Kong Standards on Auditing (HKSAs) and relevant ethical requirements.

Public Interest Entities PIEs have a large number, and a wide range, of stakeholders. PIEs would


include those businesses holding assets for numerous customers like banks, insurance companies and pension funds, as well as large organisations, organisations with many employees and publicly traded entities.

Qualified opinion An opinion in which the auditor concludes that misstatements are material, but not pervasive, to the financial statements.

Quality culture includes clear, consistent, and frequent actions like training seminars, meetings, dialogue, mission statements and newsletters that emphasize the firm’s quality control policies and procedures, and a culture that recognizes and rewards high-quality work.

Quality management A system of quality management addresses the following eight components:
(a) The firm’s risk assessment process;
(b) Governance and leadership responsibilities for quality within the firm;
(c) Relevant ethical requirements;
(d) Acceptance and continuance of client relationships and specific engagements;
(e) Engagement performance;
(f) Human resources;
(g) Information and communication; and
(h) The monitoring and remediation process.

Reasonable assurance engagement An engagement where assurance engagement risk is reduced to an acceptably low level in the circumstances of the engagement as the basis for a positive expression of opinion of the practitioner’s conclusion. Generally identified as a high level of assurance and associated with audit engagements.

Related party A person or entity that is related to the entity that is preparing its financial statements (referred to here as the ‘reporting entity’).

Related party transaction A transfer of resources, services or obligations between a reporting entity and a related party, regardless of whether a price is charged.

Relevant ethical requirements are those to which the engagement team and engagement quality reviewer are subject, and which comprise Chapters A, C, D, E and F of the HKICPA’s Code of Ethics for Professional Accountants (the Code).

Revenue cycle The revenue cycle represents those activities in the organisation that provide the goods and services paid for by customers. Usually, inputs are acquired in the expenditure cycle, converted as required in the conversion cycle and delivered to customers in the revenue cycle.

Review is oversight of the work of less experienced team members by experienced members to ensure it has been performed in accordance with professional standards and applicable legal and regulatory requirements.

Review engagement See limited assurance engagement.

Risk assessment procedures The audit procedures designed and performed to identify and assess the risk of material misstatement, whether due to fraud or error, at the financial statement and assertion levels.

Risk of Material Misstatement Risk of material misstatement exists when there is a reasonable possibility of a misstatement occurring (i.e., its likelihood); and being material if it were to occur (i.e., its magnitude). Risks at the financial statement level relate pervasively to the financial statements as a whole and potentially affect many assertions. Risks of material misstatement at the assertion level consist of two components, inherent and control risk.

Safeguards Actions, individually or in combination, that the professional accountant undertakes that effectively reduce threats to compliance with the fundamental ethical principles to an acceptable level.

Sampling risk is the risk that sample characteristics will not represent the population.

SCRUM An agile system development methodology that sets out best practices for the management of a systems development team. The methodology relies upon a Scrum Master, and uses short sprints to focus on the delivery of minimal viable products. SCRUM is often used with eXtreme Programming.

Segregation of duties Segregation of duties is a general control, and is intended to reduce the opportunity for fraudulent collusion or errors by ensuring that incompatible duties are not performed by the same individual. That is, authorising a transaction is performed by a different role than the one that processes the transaction, custody of an asset is by a different role to the one that keeps records about the asset, and generally keeping roles separate so that collusion is required to perpetrate a fraud. Segregation of duties is relevant in considering both non-IT controls and controls that rely on IT (ITGC or application controls).


Self-regulation Activities undertaken by the HKICPA as a professional organisation to regulate those who can become Certified Public Accountants, and to impose requirements that govern the behaviour of CPAs and impose sanctions for non-compliance with those requirements.

Service auditor is the auditor of a service organisation.

Service organisation is an organisation that provides services to an entity that have an impact on the entity’s information system and financial statements.

Shared Service A shared service supports several business units within an organisation. In the context of IT, a shared service usually relates to the services required to support an information system or resource used and paid for by several business units.

Significant component A component identified by the group engagement team (i) that is of individual financial significance to the group, or (ii) that, due to its specific nature or circumstances, is likely to include significant risks of material misstatement of the group financial statements.

Significant risk An identified risk of material misstatement for which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the degree to which the inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur.

Software Development Life Cycle (SDLC) Sometimes referred to as the system development life cycle, the SDLC is an approach to the development of software that emphasises documentation, formal stages and the early specification of systems requirements. The SDLC is often contrasted with agile development methodologies.

Statistical samples samples that are selected either by random selection or systematic selection.

Statistical sampling applying statistical methods to sampling. Allows the auditor to calculate sampling risk when planning the sample and again when evaluating the sample.

Statutory audit An audit undertaken in compliance with the requirements of the Companies Ordinance.

Subject matter information The outcome of the measurement or evaluation of the underlying subject matter against the criteria, i.e., the information that results from applying the criteria to the underlying subject matter.

Special Purpose Framework A financial reporting framework designed to meet the financial information needs of specific users. The financial reporting framework may be a fair presentation framework or a compliance framework.

Stratification is used to increase sampling efficiency. Sampling units are grouped, or ‘stratified’, and separate samples are selected from each stratum.

Substantive Procedures Audit procedures designed to detect material misstatements at the assertion level. They comprise tests of detail of classes of transactions, account balances, and disclosures and analytical procedures.

Sufficiency The measure of the quantity of audit evidence. The quantity of the audit evidence needed is affected by the auditor’s assessment of the risks of material misstatement and also by the quality of such audit evidence.

Sufficient appropriate audit evidence Audit evidence that in quality and quantity is adequate to support the auditor’s conclusions and opinion.

Summary financial statements Historical financial information that is derived from financial statements but that contains less detail than the financial statements, while still providing a structured representation consistent with that provided by the financial statements of the entity’s economic resources or obligations at a point in time or the changes therein for a period of time.

Supervision includes tracking the progress of the engagement, considering the competence and capabilities of personnel, addressing matters arising during the engagement and identifying matters for consideration by more experienced engagement team members.

Test of Controls An audit procedure designed to evaluate the operating effectiveness of controls in preventing or detecting and correcting, material misstatements at the assertion level.

Tolerable deviation rate a rate of deviation from prescribed internal control procedures (control failure) set as acceptable by the auditor. The auditor seeks evidence by testing controls that the tolerable rate of deviation is not exceeded by the actual rate of deviation in the population.


Unmodified opinion an opinion expressed by an auditor when the auditor concludes that the financial statements are prepared, in all material respects, in accordance with the applicable financial reporting framework.

User auditor is the external auditor of a user entity.

User entity is an organisation that uses a service organisation to provide information services relevant to its financial statements.

Using the work of an internal auditor Using work performed by internal audit during the course of their work within the entity to reduce the extent or nature of audit procedures undertaken by the external auditor. The work is to be assessed by the external auditor.

Validity The extent to which the information managed in an information system is a meaningful representation of the real-world concept it represents.

Walkthrough The act of going slowly through the steps of a process in order to learn it.

Work papers or working papers The written record that forms the basis for the auditor’s conclusions. Also known as audit documentation.


INDEX

NOTE: Key Terms and their page references are given in bold

A

Acceptable level, 36
Accountability, 15
Accountability relationship, 8, 20
Account balances, 391
Accounting, 461
Accounting estimates, 392–393
Accounts preparation process, 16–17
Accounts receivable turnover ratio, 283, 284
Accuracy of information, 813
Adverse opinion, 619–620
Advocacy, 38
Agile systems development, 810
Agreed-upon procedures (AUP), 730–731
Agreed-upon-procedures engagement, 13
AML/CFT policies, procedures, and controls, 60–61
Analytical procedures
  bank and cash, 459
  debt securities, 480
  defined, 279
  effectiveness of, 280
  for marketable financial instruments, 466
  goodwill and intangible assets, 474
  payroll, 454
  property, plant and equipment, 470–471
  purchases cycle, 443–445
  revenue cycle, 432–433
  share capital, 483
Analytical procedures, substantive, 381
  comparisons of financial ratios, 382–383
  multi-period comparisons, 382
  simple comparisons, 382
Application controls, 828–830
Appropriate audit evidence, 350
Appropriateness, 536
Approvals, 359–360
Assertions, 12, 352–354
Assertions about balances, 353, 354
Assertions about classes of transactions and events, 298–299
Assertions about transactions, 353, 354
Assertions, controls and tests of controls
  bank and cash, 457–459
  debt securities, 479–480
  financial instruments, 464–466
  goodwill and intangible assets, 474
  payroll, 452–453
    service organisation outsourcing, 453–454
  property, plant and equipment, 470
  purchases cycle, 441–443
  revenue cycle, 431–432
  share capital, 482–483
Assurance, 6
  Hong Kong Standards and Guidelines for, 29–65
  levels of, 11–15
Assurance engagement risk, 11
Assurance engagements, 6, 7, 717
  acceptance and continuance, 744–747
  contents, 774
  critical distinctions, 723–724
  definition, 8
  ethical requirements of, 741–742
  framework for, 8–9
  greenhouse gas (GHG) statement, 727
  Hong Kong framework for, 30
  other than reviews or audits overview, 726
  performing, 750
  planning, 749–750
  reasonable, 760–764
  risk, 752
  sampling, 765–768
  scope, 718–722
  terminology, 722–723
Assurance report, 726–727
Assurance services
  demands for, 20–22
  objectives of, 7–19
Attendance procedures, 449–450
Attestation function, 17
Attest engagement, 10
Audit, 7
  attest and direct reporting audits, 10–11
  limitations, 11
Audit assertions and tests of details
  bank and cash, 459–461
  debt securities, 481
  for marketable financial instruments, 466–468
  goodwill and intangible assets, 475–476
  payroll, 454–455
  property, plant and equipment, 471–472
  purchases cycle, 445–448
    inventory count, 448–450
  revenue cycle, 434
  share capital, 484


Audit assurance engagement, 9–10
Audit committee, 5, 32–33, 106, 128–129
Audit completion, purpose and procedures
  auditor’s objectives, 539
  auditor’s report, 542–545
  communication with, governance, 546
  evaluating management’s assessment, 541
  identifying events, 542
  period beyond management’s assessment, 541
  requirements, 540
  risk assessment procedures, 540–541
Audit documentation, 401
  completion of, 403
  overview, 401–402
  preparation of, 402–403
Audit engagement, 428
Audit evidence, 14, 536
  appropriateness/quality, 350
  sufficiency, 350
Auditing, 70, 461
  demands for, 20–22
  Hong Kong Standards and Guidelines for, 29–65
  objectives of, 7–19
Auditing and Assurance Standards Committee (AASC), 29
Auditing IT environments, 793–794
Audit Log Scrutineer, 819, 820
Audit methodologies, performance of, 324–325
Audit objective, 11, 239
Audit of financial statements
  accounting regulations, compliance, 559–561
  consistency and reasonableness, 561
  disclosures, 558–559
  treatment, of errors, 561–562
Auditor appointment requirements
  appointed by court, 154
  appointment, as joint auditor, 155
  auditor unpaid fees, 156
  casual vacancy, 156
  company acquired, by new company, 156
  by the company’s members, 154
  by directors of company, 153–154
  incoming auditor, 156–157
  legislative process of, 154–155
  statutory provisions, 157–161
Auditor, change of
  announcement, by listed issuer, 168–169
  auditor resignation, 163–164
  listed issuer, 167–168
Auditor’s attendance planning, 449
Auditor’s experts, 508
  evaluating the adequacy of, 519
  need for, 515–516
  work of, 516–517
Auditor’s reliance on the work of others, 508
Auditor’s report
  addressee, 606
  auditor’s opinion, 606–607
  auditor’s responsibilities, 608–609
  audits of single financial statements, 644–645
  basis for opinion, 607
  communication, 629–630
  directors’ responsibilities, 608
  format in line, HKSA 800, 642–643
  implications, of materiality, 603–605
  importance of, 603
  KAMs, 607
  legal and regulatory requirements, 609–610
  material misstatement, 629
  material uncertainty, 630
  matter paragraph, 631–633
  modified opinion, 614
  opening balances, 634–638
  other information, 608
  requirements, 610–611
  scope of the standard, 628–629
  small- and medium-sized, 650–652
  summary financial statements, 645–647
  title of, 606
  unmodified opinion, 612–613
Audit plan, 253, 254, 256–259
  development, 266–267
Audit procedures, 428
  other entities, 476–477
Audit procedures for fair values, 394
Audit programme, 356, 428
  for accounts payable, 266–267
Auditor’s responsibilities, 132–133
Audit risk (AR), 253, 290, 348, 827
  components, 289–295
  defined, 290
Audit risk model, 348
Audit software, 872–873
Audit strategy, 254, 256–259
  entity’s business model, 276
  overall strategy, 263–267
AUP. See Agreed-upon procedures (AUP)
Authorization, 359
Automated controls, 362–363, 815

B

Balance sheet approach, 322–323
Bank and cash
  analytical procedures, 459
  assertions, controls and tests of controls, 457–459
  audit assertions and tests of details, 459–461
  key accounts, 455–456
  risk, 457


Big data, 378–379
Block selection of non-statistical samples, 374
Bond indentures, 478
Business risks, 268

C

Capital, 478
Cash, 369, 456
  cut-off assertion for, 459
  receipts, 368
  transactions, 456
Casual vacancy, 156
Certified Public Accountants (CPAs), 25
Cheque receipts, 456
Cheques, 368
Chief Information Officer (CIO), 787
China Foods Ltd (CFL), 209
Chloe Cheng, 600–601
Client and engagement acceptance procedures, 198
  acceptance, of engagement, 181
  agreed engagement terms, 182
  assess preconditions, 175
  auditor appointment requirements, 152–155
  Code of Ethics, 173–174
  engagement letter, 183–186
  engagement risk assessment, 175–180
  ethical requirements, 180–181
  HKSA 220, 172
  HKSQM 1, 172
Cloud, 787
Code of ethics, 7, 33, 64–65
Code of Ethics for Professional Accountants (COE), 31–32, 34, 581
Combined approach, 357
Comfort letters, 720
Commercial Off-the-shelf (COTS), 802
Commitment, 563
Communication
  with Audit Committee
    incoming auditor’s requirements, 167
    professional clearance, 165–167
    sharing, resignation letter, 165
  charged with governance
    auditor’s responsibilities, 569
    issues, to communicate, 569–570
    process, 571
  with component auditor, 682–683, 694
  with those charged with governance
    content, 770
    group engagement team, 692
    methods of, 769
    timing of, 769–770
Comparative financial statements, 398
Comparative information, 397
Compensating controls, 810
Compilation engagements, 736–737
Completeness of information, 813
Compliance, 239
Compliance audits, 76, 720–721
Compliance Officer (CO), 60
Component, 671, 685
Component auditors, 671
  characteristics of, 677–678
  materiality for, 681–682
  report review of, 696
  responsibilities of, 678–680
  visits to, 697
  working papers, 697–701
  work within the group audit, 680–681
Component management, 671
Component materiality, 671
Components of SOQM, 239
Comprehensive audits, 78
Computer-assisted auditing techniques, 871–872
  audit software, 872–873
  cyber-security safeguard, 876–880
  documentation, 875–876
  test data and testing procedures, 874–875
  weakness identification and recommendations, 881
Computerised business systems
  auditing IT environments, 793–794
  control activities, 792–793
  control environment, 791
  financial statements, 792
  IT department functions, 796–799
  IT department structure, 794–795
  monitoring process, 791–792
  risk assessment process, 791
  system of internal control, 790
Conceptual framework, 34
Confirmations, 388–390
Consolidation process, 690–691
Consultation, 223
Contingencies, 484
  audit programme for, 485–486
Contingent assets, 484
Contingent fees, 44
Contingent liabilities, 484, 562
Continuing connected transactions, 720
Control activities, 359–360
Control risk (CR), 290, 348, 349, 827–828
  defined, 291
  factors affecting the level of, 292
Control tests, 361–364, 376
Conversion cycle, 781


Corporate governance, 105 daily backups, 879


accountability, 111 user privileges, 878
arrangement’s analysis, 135 using anti-­virus software, 877–878
audit committee, 106, 128–129 Cycle approach, 364–369
auditor’s responsibilities in, 132–133
capital markets and preventing corporate
D
failure, 108
external auditors in, 106–107 Database, 797
fairness, 109 Database administrator (DBA), 797
in Hong Kong Database management system (DBMS),
Corporate Governance Code, 117–119 843–844
Corporate Governance Report (CGR), Data centres, 787
119–124 Data lake, 802
independence, 109–110 Data Supremecy V2, 819, 820
integrity, 113 Debt securities, 478
internal control (ISO), 130 analytical procedures, 480
judgement, 112 assertions, controls and tests of
managing strategically, 107 controls, 479–480
Nomination Committee, 127–128 audit assertions and tests of details, 481
openness and transparency, 109 risk, 478–479
probity and honesty, 110 Debt to equity ratio, 284
recommendations, 136 Detection risk (DR), 290, 293–295, 348, 349
Remuneration Committee, 129–130 auditor, 828
reputation, 112 Detective controls, IT system, 815, 816
responsibility, 110–111 Direct assistance, 19, 509, 511
Sarbanes–Oxley Act, 133–135 Directed selection of non-statistical
serving stakeholders, 105–106 samples, 374
Corporate Governance Report (CGR), 119–124 Direct engagement, 10
Corporate social responsibility audits, 78 Directional testing, 324
Corporate structure, 787 Documentation, 401–403
Corrective controls, 816 of count procedures, 450
Corresponding figures, 397 defined, 261
Credibility, 20 examples of, 262
Credit card payments, 368 planning activities, 263–267
Credit card receipts, 456 preliminary engagement activities,
Criteria, 8 262–263
Cross-sectional regression analysis, 444 Due diligence, 733–734
Current period reporting, 635
Current ratio, 283 E
Customer Due Diligence (CDD), 61–63
Customer relationship management (CRM), 824 E-commerce, 806–807
Customer work completion (CWC) forms, 825 E-commerce control issues
CWaves Ferry Holding Company Limited (CWaves), audit procedures, 894–897
600–601, 669, 787–788 characteristics of, 891–892
CWaves Godown Administration, IT function, 835 internal controls in, 893–894
CWaves Godown Company, 613, 788 Economy level, 278–279, 285–286
CWaves Godown ITGC environment, 833 Electronic business (e-business), 806
CWaves Godown segregation of IT duties, 836 Electronic commerce (e-commerce), 789
CWaves Godown software development team, 788 Electronic commerce (e-­commerce), 789
CWaves Hotels, 620, 788 Electronic transfers, 368, 456
Cyber attack, 838 Emphasis of matter, 632
Cyber-security, 877 Engagement. See Assurance engagements;
Cyber-security safeguard, 876–877 Non-assurance engagements
authorised software, 878 ethical requirements of, 741–742
authorised users, 878 letter, 687


quality management of, 752–754 Financial reporting systems (FRS), 802, 805
terms of, 748–749 Financial reports, 789
Engagement performance, 240 Financial sanctions, 64
Engagement Quality Review (EQR), 230–232, 240 Financial statement audit, 7, 10, 14, 70–74
Engagements not providing assurance, 722 Financial statement fraud, 347, 440
Engagements providing assurance, 718–722 Financial statements, 728
Enhanced CDD (EDD), 61 preparation of, 15
Entity level, 277–278, 282–285 users, 22–23
Entity’s business model Flash Ltd, 507
audit strategy, 276 Follow-up, 450
financial performance, 270 Fraud
financial reporting framework, 270 defined, 307
information sources, 277–280 payroll, 452
organizational and external, 269–270 purchases cycle, 440
system of internal control, 270–276 Fraud risk, 309–310
Errors, 380 assessment process, 308
Ethics factors, 307
and independence, 46–57 Fraudulent financial reporting, 381
for professional accountant Fundamental ethical principles, 35–36
in business, 39–42 threats to, 36–38
in public practice, 42–46
Evaluation of audit evidence, 352
G
Evidence
sources of, 350–351 G&E MUSIC (GEM), 346, 426–427
types of, 350 Goodwill, 396, 472–474
Evidence analysis analytical procedures, 474
documentation, 772–773 assertions, controls and tests of controls, 474
subsequent events, 771–772 audit assertions and tests of details, 475–476
Existing auditor, 153 risk, 474
Expenditure cycle, 805 Governance, 5
External auditor, 7, 18–19 Gross profit ratio, 284
External audits, 70–74 Group, 671
External service provider, 788 Group audit opinion, 671
eXtreme Programming (XP), 788 Group audits, 671
auditor’s objectives, 676
audit procedures and reporting, 694–701
F
Companies Ordinance, 672
Fair values, 393–394 component auditors, 677–683
Familiarity, 38 group engagement team, 684–686
Financial assets, 461 group-­wide controls, 675–676
Financial instruments, 461–462 scope and terminology, 670–671
analytical procedures for marketable, 466 versus single company audit risks, 688–689
assertions, controls and tests of understanding of, 672–674
controls, 464–466 Group Data Centre, 766
audit assertions and tests of details for Group engagement partner, 671, 694
marketable, 466–468 group-wide controls, 675–676
key accounts, 462–463 component team member’s responsibilities, 686
risk, 463–464 partner’s and staff member’s
Financial liabilities, 461 responsibilities, 684–685
Financial ratios, comparisons of Group financial statements, 671
debt securities, 480 Group management, 671
payroll, 454 Group’s consolidation process, 694–696
property, plant and equipment, 470 Group-wide controls, 671, 675–676, 687, 690
purchases cycle, 444 Guidelines for Anti-Money Laundering and
Financial Reporting Council (FRC), 238 Counter-Terrorist Financing, 58–64


H Information technology (IT), 789, 793


application IT controls, 814–815
Hai Cruising Company, 787, 788 auditing, computerised business systems
Haphazard selection of non-statistical and controls, 821–832
samples, 374 documentation of, 817–819
High control risk, 357 input controls, 814
Historical financial information, 30 master file/database controls, 816–817
HKFRS 8, 486 output controls, 816
HKICPA Standards on Related Services (HKSRS), 722 processing controls, 815–816
HKSA 240, 553 definition, 793
HKSA 250 (Revised), 554 department functions, 796–799
HKSA 450, 554 department structure, 794–795
HKSA 501, 554 environment
HKSA 540 (Revised), 554 E-commerce, 806
HKSA 550, 554 financial reporting systems, 805
HKSA 560, 554 internal control system, 801
HKSA 570, 555 networked systems, 807–809
HKSA 710, 555 new systems implementation, 802–805
HKSA 560 subsequent events, 547 PC systems, 809–810
Hong Kong Auditing Practice Guidance (HKAPG), 31 internal controls specific to
Hong Kong Business Technology Solutions administration of IT function, 834–835
(HKBuTS), 788 backup and contingency planning,
Companies Ordinance (Cap.622), 672 838–840
Hong Kong Financial Reporting Standards general and application, 832–833
(HKFRS), 26, 545 hardware controls, 840
Hong Kong Institute of Certified Public Accountants physical and online security, 837–838
(HKICPA), 211–213 segregation of IT duties, 835–836
Hong Kong Monetary Authority (HKMA), 546 systems development, 836–837
Hong Kong Standards on Assurance Engagements Infrastructure, 787
(HKSAE), 719–720 Inherent risk, 290–291, 348, 827, 828
Hong Kong Standards on Auditing Initial audit engagements, 396
(HKSA), 544, 789 Inland Revenue Department (IRD), 602
Hong Kong Standards on Investment Circulars Input controls, 841
(HKSIR), 720 Insolvency practitioners, 57
Hong Kong Stock Exchange (HKEx), 533, 600, 787 Intangible assets, 472–474
Hosting, 788 analytical procedures, 474
Human resources, 224–225 assertions, controls and tests of controls, 474
Hung Fu Bank International (Hung Fu), 533, 534 audit assertions and tests of details, 475–476
HWA LTD, 252 risk, 474
Intended users, 8
Internal Audit Charter, 74
I Internal audit function, 7, 18
IAASB, 68 Internal auditors, 7, 18–19
Illegal acts, audit completion documentation, 514
auditor’s responsibilities, to fraud, 580 functions, 509
laws and regulations, in audit, 581–582 recommended improvements to, 514
Incoming auditor, 155 work of, 509–513
Incoming auditor responsibility, 165–167 Internal audits, 17–18, 74–79, 690
Incompatible duties, 815 Internal control (ISO), 130
Independence, 7 Internal control components, 357–358
Independence and ethics, 46–57 Internal control system, 801
Independent external auditor, 15, 17 International Ethics Standards Board for
Industry level, 278, 285 Accountants (IESBA), 32
Information risk, 6, 7 International Federation of Accountants
Information systems (IS), 789 (IFAC), 29, 68–69


International Forum of Independent Audit Manchu Kang, 562


Regulators (IFIAR), 236–237 Manual control activities, audit procedures
International Organisation of Securities for, 363
Commissions (IOSCO), 70 Master file/database controls, 843–844
International Standards on Quality Management Materiality
(ISQM 1 and ISQM 2), 212 assurance engagements, 751
Intimidation, 38 for component auditors, 681–682
Inventory count, purchases cycle, 448–450 defined, 314
Inventory purchases cycle, 438 financial reporting framework, 317–318
Inventory turnover ratio, 284 payroll, 451
Inventory valuation errors, 440–441 purchases cycle, 439
Investment circular reporting engagements, setting limits, 315–317
720, 729–730 Material misstatement, 522, 691–692, 789
IT. See Information technology (IT) Medium control risk, 358
IT Committee, 788 Ming Wa Company, 548
IT general controls (ITGC), 814, 832, 852 Misappropriation of assets, 308, 380
IT strategy, 812 payroll, 451
assessing and advising on the risks of purchases cycle, 440
audit risk assessment, 823 Misstatements
conversion cycle, 823 accumulation, 566–567
expenditure cycle, 822 auditor’s objectives, 566
revenue cycle, 823 defined, 317
assessing audit risk, 827–829 prior-­year misstatements, 567–568
internal control, 814–818 prior-year misstatements, 567–568
uncorrected misstatements, 568
Modern purchasing system, 439
J
Modified opinion
James’ EasyAccount Pro, 818, 819 adverse opinion, 619–620
Judgmental sampling, 374 disclaimer of opinion, 621–623
qualified opinion, 615–618
Monetary unit sampling (MUS), 374–375
K
Money Laundering Reporting Officer
Keeson Inc, 5 (MLRO), 60
Key Audit Matters (KAMs), 600, 607, 624 Monitoring, 213, 227–228, 240
communicating, 625–628 Multi-period comparisons
determining, 624–625 financial instruments, 466
payroll, 454
property, plant and equipment, 470
L
purchases cycle, 444
Landscape Ninja 2, 819
Levels of assurance, 11–15
N
Liabilities and equity, 477–478
debt securities, 478–481 Net profit ratio, 284
provisions and contingencies, 484–486 Nomination Committee, 127–128
share capital, 481–484 Non-assurance engagements, 717
Limited assurance engagement, 9, 11–12, 719 acceptance and continuance,
Liquidation, 57–58 747–748
Logical controls, 360 contents, 774–775
Long-­term liabilities, 478 critical distinctions, 723–724
Low control risk, 357 ethical requirements of, 743
performing, 750
planning, 749–750
M
sampling, 767
Management, 5 Non-compliance with laws and regulations,
Management’s expert, 508, 519 311–313


Non-current assets, 468 Preventive controls, 815


goodwill and other intangible assets, Preventive, detective, and corrective (PDC)
472–476 controls, 815
interests in other entities, 476–477 Procedures planning, 538–539
property, plant and equipment, 468–472 Processing controls, 842–843
Non-significant components, 673, 674, 693 Professional accountant
Non-statistical samples, 374 AML/CFT, Guidelines for, 58–64
Non-statistical sampling, 374 ethics for
in business, 39–42
in public practice, 42–46
O
fundamental ethical principles, 35–36
Obsolescence, 440 Professional Accountants Ordinance (PAO), 25
Ongoing Monitoring Implementation, 63 Professional scepticism, 8
Opening balances, 397 Professional standards, 29–31
Opening balances, initial engagement Profit forecasts, 729–730
procedures, 191–194 Pro forma financial information, 727–728
Operational audits, 76, 721 Property, plant and equipment (PPE), 468–469
Organization for Economic Cooperation and analytical procedures, 470–471
Development (OECD), 114–116 assertions, controls and tests of controls, 470
Other entities. See Variable interest entities audit assertions and tests of details, 471–472
Outgoing auditor, 156 risk, 469
Output controls, 843 Prospective incoming auditor, 165
Overall audit strategy, 71 Provisions, 484
audit programme for, 485–486
PurchasePro, 846
P
Purchases cycle
Parallel Simulation technique, 874 analytical procedures, 443–445
Payroll assertions, controls and tests of
analytical procedures, 454 controls, 441–443
assertions, controls and tests of audit assertions and tests of details, 445–448
controls, 452–453 inventory count, 448–450
service organisation outsourcing, 453–454 key accounts, 437–438
audit assertions and tests of details, 454–455 inventory, 438
key account, 450–451 modern purchasing system, 439
risks steps in, 438–439
fraud, 452 risks
materiality, 451 fraud, 440
misappropriation of assets, 451 inventory valuation errors, 440–441
Performance audits, 76–78, 721 materiality, 439
Perpetual inventory system, 438, 448, 449 misappropriation of assets, 440
Personal computers (PCs), 802, 809–810 recognition, 440
Physical controls, 360
Politically Exposed Person (PEP), 63
Q
Post-implementation reviews (PIR), 32
PPE. See Property, plant and equipment (PPE) Qualified opinion, 615–618
Practice Notes (PNs), 31, 720 Quality auditor, 533
Practice review, 212–213 Quality audits, 239
Practice unit, 27 Quality management (QM), 211
Practitioner, 8 and The Code, 33
Predecessor auditor, 634 documentation of, 234–235
Predictive analytics, 378 FRC, 238
Predictive models, 379 HKICPA, 211–213
Preliminary analytical procedures, 286 IFAC and IAASB, 213–214
Preliminary announcement of annual results, 731 IFIAR, 236–237
Presentation assertions, 299 ISQM 1 and ISQM 2, 212


requirements accounts in, 365


engagement quality reviews, 230–232 analytical procedures in, 383–385, 432–433
engagement performance, 222–224 assertions, controls and tests of
engagements acceptance and controls, 431–432
continuance, 222 audit assertions and tests of details,
firm’s risk assessment process, 217–218 386, 387, 434
governance and leadership, 219–220 inherent risk in, 366
HKSA 220 (Revised), 216–217 key accounts, 429–430
HKSQM 1, 215 risk, 430–431
HKSQM 2, 216 Review, 223
human resources, 224–225 Review engagements, 12, 14, 725–726
information and communication, 226–227 Review of published information
intellectual resources, 225 contingent liabilities and commitments,
monitoring and remediation 562–563
process, 227–229 requirements and procedures, 563–565
relevant ethical requirements, 220–221 Review opinions, interim financial statements
service providers, 225 auditor’s opinion vs. conclusion, 640–641
technological resources, 225 reporting nature, 639–640
scope, 214 Risk-based auditing, 319–320
Quality culture, 220 Risk-based audit strategy and plan, 349
Quick ratio, 283 Risk of material misstatement, 253, 290, 307
identifying and assessing, 268
Risks
R
bank and cash, 457
Random selection of statistical samples, 374 debt securities, 478–479
Reasonable assurance engagement, 9, 11, 719 financial instruments, 463–464
Reasonable assurance engagements, 760–764 goodwill and intangible assets, 474
Recognition, purchases cycle, 440 other entities, 476
Reconciliations, 360 payroll
Record keeping, 64 fraud, 452
Referral fees, 44 materiality, 451
Regression models, 379 misappropriation of assets, 451
Regulation, 24–28 property, plant and equipment, 469
Regulation and oversight, 240 purchases cycle
Regulators, role of, 24–28 fraud, 440
Regulatory bodies, 25 inventory valuation errors, 440–441
Regulatory framework, 239 materiality, 439
Related party, 398 misappropriation of assets, 440
auditor’s objectives, 573 recognition, 440
communication, 579 revenue cycle, 430–431
definition, 574 share capital, 482
evaluation of, accounting, 579
relationships and transactions, 552
S
responses to risks, 576–578
risk assessment procedures, 574–576 Safeguards, 34
written representations and documentation, 579 to threats, 38–39
Related party transaction, 398–399 Sales, 368
Relevance of evidence, 350 Sales revenue, 430
Relevant ethical requirements, 220–221 Sample deviation rate, 376
Reliability of evidence, 350–351 Sample evaluation
Remuneration Committee, 129–130 Big data, 378–379
Reporting supply chain, 239 control tests, 376
Responsible party, 8 substantive tests, 377–378
Return on assets ratio, 284 Sample quality, 374–375
Revenue cycle, 364, 429, 805 Sample size, 375–376


Sampling, 765–768 auditor objectives, 547


overview, 372–373 audit procedures, 548–550
units, 373 requirements, 548
Sampling risk, 373–376 types of, 547–548
Sarbanes–Oxley Act (SOX), 133–135 Substantive procedures, 258, 380
SCRUM, 788, 804 analytical procedures, 381–385
Securities and Futures Commission (SFC), 25, 169 confirmations, 388–390
Securities and Futures Ordinance (SFO), 25 description, 380
Segment information, 486–487 tests of details, 385–387
Segregation of duties, 360, 818 Substantive tests, 377–378, 859–860
Self-interest, 38 Sufficiency, 536
Self-regulation, 24 Sufficient appropriate audit evidence,
Self-review, 38 535–538
Semi-automated controls, IT systems, 815 Sufficient appropriate audit evidence, 10
Service auditor, 520 Sufficient audit evidence, 350
Service organisation, 508, 520–522, 726–727 Summary financial statements, 645
Serving stakeholders, 105–106 Supervision, 223
Share capital, 481 Suspicious Transaction Report (STR), 63–64
analytical procedures, 483 Systematic selection of statistical samples, 374
assertions, controls and tests of System-based auditing, 321
controls, 482–483 System of internal control, 270–276, 790
audit assertions and tests of details, 484 control activities, 306–307
risk, 482 control environment, 301–303
Shared service, 797 information processing system, 305–306
Shareholder’s equity, 481 monitoring of controls, 304–305
Significant component, 671, 673 risk assessment process, 303
Significant risks, 264, 307 Systems audit, 322
defined, 299
Simplified SDD (SDD), 61
T
Small- to medium-sized enterprises (SMEs), 533
Software development life cycle (SDLC), 803 88 Tandi Company, 104
Special purpose frameworks, 602 Terrorist financing, 64
Staff hiring and training, 64 Tests of controls, 258
Standards on Assurance Engagements (HKSAEs), 30 control activities, 359–360
Standards on Auditing (HKSAs), 30 control tests, 361–364
Standards on Investment Circular Reporting cycle approach, 364–369
Engagements (HKSIRs), 31 evaluation of, 370
Standards on Quality Management (HKSQMs), 30 internal control components, 357–358
Standards on Related Services (HKSRSs), 31 Tests of details
Standards on Review Engagements (HKSREs), 30 of account balances, 386, 387
Statement of financial position approach, 322–323 of classes of transactions, 385
Statement of indebtedness, 729, 730 Threats, to the fundamental principles, 36–38
Statistical samples, 374 Timing, 352
Statistical sampling, 374 Tolerable deviation rate, 370
Statutory auditor, 28 Top-­down auditing, 320–321
Statutory audits, 21 Top-down auditing, 320–321
Statutory provisions Transaction cycle approach, 323–324
auditor cease, 159 ‘Trojan’ malware, 878
auditor resignation, 157–158
termination, 159–161
U
Stock Exchange of Hong Kong (SEHK), 25, 151
Stratification, 374, 375 Unmodified opinion, 604
Subject matter information, 8, 757–760 User auditor, 520
Subsequent events, 771–772 User entity, 520
Subsequent events review UserVerify Protect, 818


V Wonder Travel Company, 618, 787, 788


Work papers, 401–403
Validity of information, 813 Written representations, from management
Value for money audits, 76 auditor objectives, 551
Variable interest entities form of, 555–557
audit procedures, 476–477 new companies ordinance, 555
risk, 476 by other HKSAs, 553–555
Verifications, 360 reliability of, 557
VFM audits, 721 responsibilities, 551–553

W Y
Winner Company, 635 Yay Manufacturing Company Limited (Yay), 151

QUALIFICATION PROGRAMME

HKICPA Qualification:
A Pathway to Success
The Qualification Programme (QP) of the Hong Kong Institute of CPAs (HKICPA) provides
a pathway for the development of world-class practicing accountants. The HKICPA is
the statutory body established by the Professional Accountants Ordinance responsible
for the professional training, development and regulation of certified public accountants
in Hong Kong. Members of the Institute are entitled to the description “certified public
accountant” and to the designation CPA.

Since 1973, the HKICPA (previously known as the Hong Kong Society of Accountants)
has worked to further the public interest by promoting efficient accounting practices in
Hong Kong. Through its efforts in promulgating financial reporting, auditing and ethical
standards, the Institute has helped safeguard Hong Kong’s leadership as an international
financial centre.

Our QP assures the quality of entry into the profession by providing accountants with
the knowledge base they need to meet future market needs. Successful participants
develop skills by completing training courses, passing examinations and acquiring
practical experience.

The QP consists of three levels. At the Associate Level, participants develop a solid
technical foundation. The aim of the Professional Level is to deepen technical capabilities.
The Capstone integrates knowledge, skills and experiences and applies them to business
problems.

The QP provides accountants with relevant and portable skills that enhance their
employability and opens the door to opportunities in Hong Kong and around the world.

The Hong Kong Institute of Certified Public Accountants


37th Floor, Wu Chung House, 213 Queen’s Road East, Wanchai, Hong Kong
Tel: (852) 2287 7228
Fax: (852) 2137 3293

www.hkicpa.org.hk

