Tải bản đầy đủ
1 Audit procedures to obtain audit evidence Dec 08, June 10, June 11, June 13

1 Audit procedures to obtain audit evidence Dec 08, June 10, June 11, June 13

Tải bản đầy đủ

Key terms

Tests of controls are an audit procedure designed to evaluate the operating effectiveness of controls in
preventing, or detecting and correcting, material misstatements at the assertion level.
Substantive procedures are audit procedures designed to detect material misstatements at the assertion
level. Substantive procedures comprise:

Exam focus

Tests of details (of classes of transactions, account balances, and disclosures); and
Substantive analytical procedures

It is essential that you know the difference between a test of control and a substantive procedure. In recent
examiner reports, the examining team noted a number of candidates lost marks because they did not
understand the difference between these two fundamental types of procedure.
Auditors obtain evidence by one or more of the following procedures.
Inspection of
tangible assets

Inspection of tangible assets that are recorded in the accounting records confirms
existence, but does not necessarily confirm rights and obligations or valuation.
Confirmation that assets seen are recorded in accounting records gives evidence of

Inspection of
documentation or

This is the examination of documents and records, both internal and external, in paper,
electronic or other forms. This procedure provides evidence of varying reliability,
depending on the nature, source and effectiveness of controls over production (if
internal). Inspection can provide evidence of existence (eg a document constituting a
financial instrument), but not necessarily about ownership or value.


This involves watching a procedure or process being performed (for example, post
opening). It is of limited use, as it only confirms the procedure took place when the
auditor was watching, and because the act of being observed could affect how the
procedure or process was performed.


This involves seeking information from client staff or external sources.
Strength of evidence depends on the knowledge and integrity of source of information.
Enquiry alone does not provide sufficient audit evidence to detect a material
misstatement at assertion level, nor is it sufficient to test the operating effectiveness of

Exam focus



This is the process of obtaining a representation of information or of an existing
condition directly from a third party eg confirmation from bank of bank balances.


This consists of checking the mathematical accuracy of documents or records and can
be performed through the use of IT.


This is the auditor's independent execution of procedures or controls that were
originally performed as part of the entity's internal control.


Evaluating and comparing financial and/or non-financial data for plausible relationships.
Also include the investigation of identified fluctuations and relationships that are
inconsistent with other relevant information or deviate significantly from predicted

Read the article 'Audit procedures' which was published in Student Accountant. This helpful article
provides tips on how to approach questions which require you to identify audit procedures. The article can
be found via the Technical Articles link on the ACCA's website: www.accaglobal.com/gb/en/student/accaqual-student-journey/qual-resource/acca-qualification/f8/technical-articles.html

8: Introduction to audit evidence ⏐ Part B Planning and risk assessment


Discuss the quality of the following types of audit evidence, giving two examples of each form of


Audit evidence

Evidence originated by the auditors
Evidence created by third parties
Evidence created by the management of the client

Describe the general considerations which auditors must bear in mind when evaluating audit


Quality of audit evidence

Evidence originated by the auditors
This is in general the most reliable type of audit evidence because there is little risk that it
can be manipulated by management.



Analytical procedures, such as the calculation of ratios and trends in order to
examine unusual variations


Physical inspection or observation, such as attendance at inventory counts


Reperformance of calculations making up figures in the accounts, such as the
computation of total inventory values

Evidence created by third parties
Third-party evidence is more reliable than client-produced evidence to the extent that it is
obtained from independent sources. Its reliability will be reduced if it is obtained from
sources which are not independent, or if there is a risk that client personnel may be able to
and have reason to suppress or manipulate it.



Circularisation of trade receivables or payables, confirmation of bank balances


Reports produced by experts, such as property valuations, actuarial valuations, legal
opinions; in evaluating such evidence, the auditors need to take into account the
expert's qualifications, independence and the terms of reference for the work


Documents held by the client which were issued by third parties, such as invoices,
price lists and statements; these may sometimes be manipulated by the client and so
are less reliable than confirmations received directly

Evidence created by management
The auditors cannot place the same degree of reliance on evidence produced by client
management as on that produced outside the company. However, it will often be necessary
to place some reliance on such evidence. The auditors will need to obtain audit evidence
that the information supplied is complete and accurate, and apply judgement in doing so,
taking into account previous experience of the client's reliability and the extent to which the
client's representations appear compatible with other audit findings, as well as the
materiality of the item under discussion.

The company's accounting records and supporting schedules. Although these are
prepared by management, the auditors have a statutory right to examine such
records in full: this right enhances the quality of this information.

Part B Planning and risk assessment ⏐ 8: Introduction to audit evidence




The client's explanations of, for instance, apparently unusual fluctuations in results.
Such evidence requires interpretation by the auditors and, being oral evidence, only
limited reliance can be placed on it.


Information provided to the auditors about the internal control system. The auditors
need to confirm that this information is accurate and up-to-date, and that it does not
simply describe an idealised system which is not adhered to in practice.

General considerations in evaluating audit evidence
Audit evidence will often not be wholly conclusive. The auditors must obtain evidence which is
sufficient and appropriate to form the basis for their audit conclusions. The evidence gathered
should also be relevant to those conclusions, and sufficiently reliable to form the basis for the
audit opinion. The auditors must exercise skill and judgement to ensure that evidence is correctly
interpreted and that only valid inferences are drawn from it.
Certain general principles can be stated. Written evidence is preferable to oral evidence;
independent evidence obtained from outside the organisation is more reliable than that obtained
internally; and evidence generated by the auditors is more reliable than that obtained from others.


8: Introduction to audit evidence ⏐ Part B Planning and risk assessment

Chapter Roundup

Auditors must design and perform audit procedures to obtain sufficient appropriate audit evidence.

Audit tests are designed to obtain evidence about the financial statement assertions. Assertions relate to
classes of transactions and events and related disclosures and account balances at the period end and
related disclosures.

Audit evidence can be obtained by inspection, observation, enquiry and confirmation, recalculation,
reperformance and analytical procedures.

Quick Quiz

Define sufficiency and appropriateness as they relate to audit evidence.


State the financial statement assertions.


Fill in the blanks.
Audit evidence from external sources is …………………… ………………….. than that obtained from
the entity's records.


State five procedures which auditors can use to obtain audit evidence.


Explain what 'reperformance' is.

Part B Planning and risk assessment ⏐ 8: Introduction to audit evidence


Answers to Quick Quiz

Sufficiency is the measure of the quantity of audit evidence.
Appropriateness is the measure of the quality/reliability of audit evidence.


Existence, rights and obligations, occurrence, completeness, valuation, accuracy, classification and
understandability, cut-off, allocation.


More reliable


Any five from:
Analytical procedures


'Reperformance' is the auditor's independent execution of procedures or controls that were originally
performed as part of the entity's internal control.
Now try the question below from the Practice Question Bank









20 mins

8: Introduction to audit evidence ⏐ Part B Planning and risk assessment


Internal control



Internal control

Topic list

Syllabus reference

1 Internal control systems

C1, D2

2 The use of internal control systems by auditors

C1, C2

3 The evaluation of internal control components

C2, C4

4 Internal controls in a computerised environment


The auditor generally seeks to rely on the internal controls within the entity in
order to reduce the amount of substantive testing.
The initial evaluation of a client's system is essential as the auditor gains an
understanding of the entity, as we outlined in Chapter 6. In this chapter, we
shall look at some of the detailed requirements of ISA 315 with regard to
internal controls, and shall also set out control issues the auditor may come
The auditor will assess the risks of material misstatement arising and, as we
discussed in Chapter 6, may respond to those risks by carrying out tests of
controls. If they conclude that they can rely on the controls in place, the level of
substantive audit testing required can be reduced.
In this chapter we also look at the ways in which auditors can document the
internal control systems using narrative notes, flowcharts, questionnaires and
checklists, focusing particularly on the use of questionnaires.
We shall examine the detailed controls that businesses operate in Chapter 10
and the tests that the auditors may carry out in specific areas. You should bear
in mind the principles discussed in this chapter when considering the controls
needed over specific accounting areas.


Study guide
Intellectual level

Internal control systems


Explain why an auditor needs to obtain an understanding of internal control
relevant to the audit.



Describe and explain the five components of an internal control system: the
control environment; the entity's risk assessment process; the information
system, including related business processes relevant to financial reporting and
communication; control activities relevant to the audit; and monitoring of



The use and evaluation of internal control systems by auditors


Explain how auditors record internal control systems including the use of
narrative notes, flowcharts, internal control questionnaires and internal control
evaluation questionnaires.



Evaluate internal control components, including deficiencies and significant
deficiencies in internal control.



Discuss the limitations of internal control components.



Tests of control


Describe computer system controls, including general IT controls and
application controls.


Communication on internal control


Discuss the requirements and methods of how reporting significant
deficiencies in internal control are provided to management and those charged
with governance.



Explain, in a format suitable for inclusion in a report to management,
significant deficiencies within an internal control system and provide
recommendations for overcoming these deficiencies to management.



Audit procedures


Describe why smaller entities may have different control environments and
describe the types of evidence likely to be available in smaller entities.



Discuss the difference between tests of control and substantive procedures.



Exam guide
Questions on internal control are highly likely to come up in a scenario-based setting focusing on control
procedures in a given system or asking you to describe deficiencies in the system of internal control,
together with recommendations of internal controls to mitigate those deficiencies.
Other topics likely to be examined include:

Explaining the components of an entity's system of internal control


Describing the methods for documenting and evaluating systems of internal control and discussing
the advantages and disadvantages of each


Explaining the controls expected to be in place in a wages system / in respect of cash / in respect
of purchases / in respect of non-current assets


Describing matters to consider in evaluating the control environment in different types of
organisations (including charitable organisations)

The above can also be examined in the form of mini-case OTQs in Section A of the exam.
This Chapter also forms the foundation for tests of controls, which we will look at in Chapter 10 and which
features in nearly every F8 exam.

9: Internal control ⏐ Part C Internal control

1 Internal control systems

Key term

Dec 08, Dec 09, Dec 11

The auditors must understand the accounting system and control environment in order to determine
their audit approach.
Internal control is the process designed, implemented and maintained by those charged with governance,
management, and other personnel to provide reasonable assurance about the achievement of the entity's
objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and
compliance with applicable laws and regulations.
An understanding of internal control assists the auditor in identifying types of potential misstatements and
factors that affect the risks of material misstatement, and in designing the nature, timing and extent of
further audit procedures.
Initially, gaining an understanding of internal control helps auditors to determine which are relevant to the
audit. ISA 315 (Revised) Identifying and assessing the risks of material misstatement through
understanding the entity and its environment points out that there is a direct relationship between an
entity's objectives and the controls it implements to provide reasonable assurance about their
achievement. Many of these controls will relate to financial reporting, operations and compliance, but not
all of the entity's objectives and controls will be relevant to the auditor's risk assessment.
Having determined which controls are relevant, and are adequately designed to aid in the prevention of
material misstatements in the financial statements, the auditor can then decide whether it is more efficient
to seek reliance on those controls and perform tests of controls in that area, or more efficient to perform
substantive testing over that area.
If the controls are not adequately designed, the auditor needs to perform sufficient substantive testing
over that financial statement area in light of the apparent lack of control and increased risk. Any
deficiencies are noted and, where appropriate, these will be communicated to management (see Section
ISA 315 (Revised) Identifying and assessing the risks of material misstatement through understanding the
entity and its environment deals with the whole area of controls.
Internal control has five components:

Exam focus

The control environment
The entity's risk assessment process
The information system relevant to financial reporting
Control activities
Monitoring of controls

Student Accountant published an article focusing on the components of internal control under ISA 315
(Revised). This article can be found via the Technical Articles link on the ACCA's website:
In obtaining an understanding of internal control, the auditor must understand the design of the internal
control and the implementation of that control. In the following sub-sections, we look at each of the
elements of internal control in turn.

1.1 Control environment
The control environment is the framework within which controls operate. The control environment is very
much determined by the management of a business.

Part C Internal control ⏐ 9: Internal control


Key term

Control environment includes the governance and management functions and the attitudes, awareness
and actions of those charged with governance and management concerning the entity's internal control
and its importance in the entity.
A strong control environment does not, by itself, ensure the effectiveness of the overall internal control
system, but can be a positive factor when assessing the risks of material misstatement. A weak control
environment can undermine the effectiveness of controls.
Aspects of the control environment (such as management attitudes towards control) will nevertheless be a
significant factor in determining how controls operate. Controls are more likely to operate well in an
environment where they are treated as being important. In addition, consideration of the control
environment will mean determining whether certain controls (internal auditors, budgets) actually exist.
ISA 315 states that auditors shall have an understanding of the control environment. As part of this
understanding, the auditor shall evaluate whether:

Management has created and maintained a culture of honesty and ethical behaviour.


The strengths in the control environment provide an appropriate foundation for the other
components of internal control and whether those components are not undermined by deficiencies
in the control environment.

The following table illustrates the elements of the control environment that may be relevant when
obtaining an understanding of the control environment.
Communication and
enforcement of integrity and
ethical values

Essential elements which influence the effectiveness of the design,
administration and monitoring of controls

Commitment to competence

Management's consideration of the competence levels for particular jobs
and how those levels translate into requisite skills and knowledge

Participation by those
charged with governance

Management's philosophy
and operating style

• Approach to taking and managing business risks
• Attitudes and actions towards financial reporting
• Attitudes towards information processing and accounting functions
and personnel

Organisational structure

The framework within which an entity's activities for achieving its
objectives are planned, executed, controlled and reviewed

Assignment of authority and

How authority and responsibility for operating activities are assigned and
how reporting relationships and authorisation hierarchies are established

Human resource policies and

Recruitment, orientation, training, evaluating, counselling, promoting,
compensation and remedial actions

Independence from management
Experience and stature
Extent of involvement and scrutiny of activities
Appropriateness of actions and interaction with internal and external

The auditor shall assess whether these elements of the control environment have been implemented using
a combination of enquiries of management and observation and inspection.

Exam focus


The audit examining team has written an article entitled 'The Control Environment of a Company' in
Student Accountant, focusing on the matters which auditors should consider when assessing the
effectiveness of the control environment of a large limited liability company (UK – limited company). This
article can be accessed via the Technical Articles link on the ACCA's website:

9: Internal control ⏐ Part C Internal control