3 Understanding of The Entity and Its Environment

Uploaded by Jenny John


3 - Understanding of the entity and its environment

Auditing 300 (University of Johannesburg)



Downloaded by Jenitha John ([email protected])

CHAPTER 3 FINAL
AUDIT OF FINANCIAL STATEMENTS, AUDIT OF PREDETERMINED OBJECTIVES AND
COMPLIANCE AUDIT
UNDERSTANDING OF THE ENTITY AND ITS ENVIRONMENT

A. ACTIVITY CONTEXT
1. This audit activity deals with the requirements and guidance to obtain the necessary
knowledge of the entity at an overall level. Obtaining this understanding will as far as possible
be coordinated and integrated for all three types of audits (audit of financial statements, audit
of predetermined objectives and compliance audit) that are performed simultaneously as a
single overall engagement for a particular auditee during a particular audit cycle.
2. The compliance audit (and in certain instances as described in chapters 1 and 2, the audit of
predetermined objectives) is a limited assurance engagement and, as such, its scope is
substantially less than a reasonable assurance engagement in relation to the nature and depth
of understanding of the entity and its environment, and the nature and extent of procedures
performed to respond to risks of material non-compliance (or risks of material misstatement
(RMM) in the case of the audit of predetermined objectives).
3. The nature and characteristics of the subject matter and subject matter information and what
could cause it to be misstated are the same irrespective of whether the engagement is a
reasonable or a limited assurance engagement. The difference lies in the level of assurance
that is achievable, since the procedures performed in a limited assurance engagement vary in
nature and timing from, and are less in extent than for, a reasonable assurance engagement.
The auditor obtains an understanding of the same aspects and matters as relevant for a
reasonable assurance engagement, but in the context of the objectives and scope of a limited
assurance engagement.
4. The objective of the auditor in terms of this chapter is to obtain an understanding of the entity
at an overall level to:
• Determine the terms of engagement.
• Form an audit strategy.
• Provide the auditor with input to determine materiality.
• Provide the basis for identifying risk factors and RMM (in the audit of financial statements
and the audit of predetermined objectives performed as reasonable assurance
engagements).
• Identify areas where material misstatement or material non-compliance is likely to arise (as
applicable to the audit of predetermined objectives and the compliance audit, respectively,
performed as limited assurance engagements).
5. Obtaining an understanding of the entity’s internal control relevant to the audit, which includes
internal control at entity and business process levels, is addressed in chapters 7.1, 7.2, 7.3
and 7.4.
6. A more detailed understanding of the entity and its environment is obtained by way of
performing risk assessment procedures as described in chapters 11, 12, 13, 14.1 and 14.2,
which relate to a number of specific consideration circumstances / items (addressed in
individual International Standards on Auditing (ISAs) and in International Standard on
Assurance Engagement (ISAE) 3000) that affect the identification of risk factors.
7. Identifying risk factors through an understanding of the entity and its environment provides the
basis for the identification and assessment of RMM as discussed in chapters 8.1 and 8.2 for
reasonable assurance engagements. (For limited assurance engagements, chapters 8.3 and
8.4 address identifying areas where material misstatement or material non-compliance is
likely to arise.)


B. REQUIREMENTS
• Requirements of ISAs and ISAEs, as applicable to the type of the engagement, are MANDATORY – the
requirements that the auditor shall comply with to achieve the overall objectives of the particular assurance
engagement. These requirements are indicated in bold in the Source column of the tables.
• There is no specific ISAE for assurance engagements on reported information about performance against
predetermined objectives or compliance assurance engagements. Therefore, only ISAE 3000 is applicable. All
‘3000’ references in the tables are to ISAE 3000 issued in December 2013 and applicable for all audits with
year-ends beginning after 15 December 2015.
• Requirements from other engagement standards selected for use and/or requirements ‘deduced’ from identified
standards and/or the auditing principles in the International Standards of Supreme Audit Institutions (ISSAIs) are
SUPPLEMENTARY and have been included to contribute to an adequate evidence-gathering process. The
supplementary requirements are indicated in { } brackets in the Source column of the tables.

a. Audit of financial statements

8. Table of requirements
Source The auditor shall …
500.6 Design and perform audit procedures (which include risk assessment procedures and further
audit procedures) that are appropriate in the circumstances for the purpose of obtaining
sufficient appropriate audit evidence.
300.9(a) Develop an audit plan that shall include a description of the nature, timing and extent of
planned risk assessment procedures, as determined under ISA 315 (Revised).
315.5 / 315.6 Perform risk assessment procedures to provide a basis for the identification and assessment of
RMM at the financial statement and assertion levels. Risk assessment procedures by
themselves, however, do not provide sufficient appropriate audit evidence on which to base the
audit opinion. Risk assessment procedures shall include:
• Inquiries of management, of appropriate individuals within the internal audit function (if the
function exists), and of others within the entity who in the auditor’s judgement may have
information that is likely to assist in identifying RMM due to fraud or error.
• Analytical procedures.
• Observation and inspection.
315.7 Consider whether information obtained from the auditor’s client acceptance or continuance
process is relevant to identifying RMM.
315.8 If applicable, consider whether information obtained from other engagements performed for the
entity is relevant to identifying RMM.
315.9 Where the auditor intends to use information obtained from the auditor’s previous experience
with the entity and from audit procedures performed in previous audits, determine whether
changes have occurred since the previous audit that may affect its relevance to the current
audit.
315.11 Obtain an understanding of the following:
• Relevant industry, regulatory, and other external factors including the applicable financial
reporting framework.
• The nature of the entity to enable an understanding of the classes of transactions,
account balances and disclosures to be expected in the financial statements. Relevant
matters include the entity’s operations, its ownership and governance structures, types of
investments (including investments in special-purpose entities), how it is structured and
how it is financed.
• The entity’s selection and application of accounting policies, including the reasons for
changes thereto (including an evaluation of its appropriateness in the context of the
entity’s business, relevant industry and the applicable financial reporting framework).
• The entity’s objectives and strategies, and those related business risks that may result in
RMM.
• The measurement and review of the entity’s financial performance.
315.23 If the entity has an internal audit function, obtain an understanding of the nature of the internal
audit function’s responsibilities, its organisational status, and the activities performed, or to be
performed.
250.12 / 250.13 / 250.14 As part of obtaining an understanding of the entity and its environment in accordance with
ISA 315 (Revised), obtain a general understanding of the legal and regulatory framework
applicable to the entity and the industry or sector in which the entity operates and how the
entity is complying with that framework.

Par. A7 suggests that to obtain a general understanding, the auditor may, for example:
• Use the auditor’s existing understanding of the entity’s industry, regulatory and other
external factors.
• Update the understanding of those laws and regulations that directly determine the
reported amounts and disclosures in the financial statements.
• Inquire of management as to other laws or regulations that may be expected to have a
fundamental effect on the operations of the entity.
• Inquire of management concerning the entity’s policies and procedures regarding
compliance with laws and regulations.
• Inquire of management regarding the policies or procedures adopted for identifying,
evaluating and accounting for litigation claims.

[For further context:

ISA 250.13 and 250.14 require the auditor to perform certain procedures in relation to the two
different categories of laws and regulations that are relevant to consider in an audit of
financial statements:
• Obtain sufficient appropriate audit evidence regarding compliance with the provisions of
those laws and regulations generally recognised to have a direct effect on the
determination of material amounts and disclosures in the financial statements.
• To help identify instances of non-compliance with other laws and regulations that may have
a material effect on the financial statements:
- Inquire of management and, where appropriate, those charged with governance
(TCwG), as to whether the entity is in compliance with such laws and regulations.
- Inspect correspondence, if any, with the relevant licensing or regulatory authorities.]
240.16 Perform the risk assessment procedures specified in ISA 240.17-24 (see hereunder) to obtain
information for use in identifying RMM due to fraud.
240.17 Make inquiries of management regarding their:
• Assessment of the risk that the financial statements may be materially misstated due to
fraud, including the nature, extent and frequency of such assessments.
• Process for identifying and responding to the risks of fraud, including any specific risks of
fraud that management has identified or that have been brought to its attention, or classes
of transactions, account balances, or disclosures for which a risk of fraud is likely to exist.
• Communication, if any, to TCwG regarding its processes for identifying and responding to
the risks of fraud in the entity.
• Communication, if any, to employees regarding its views on business practices and
ethical behaviour.
240.18 Make inquiries of management, and others within the entity as appropriate, to determine
whether they have knowledge of any actual, suspected or alleged fraud affecting the entity.
240.19 If the entity has an internal audit function, make inquiries of internal audit to determine whether
it has knowledge of any actual, suspected or alleged fraud affecting the entity, and obtain its
views about the risks of fraud.
240.20 Obtain an understanding of how TCwG exercise oversight of management’s processes for
identifying and responding to the risks of fraud and the internal control that management has
established to mitigate these risks (unless all of TCwG are involved in managing the entity).
240.21 Make inquiries of TCwG to determine whether they have knowledge of any actual, suspected
or alleged fraud affecting the entity (unless all of TCwG are involved in managing the entity).
240.22 Evaluate whether unusual or unexpected relationships that have been identified in performing
analytical procedures, including those related to revenue accounts, may indicate RMM due to
fraud.
240.23 Consider whether other information obtained by the auditor indicates RMM due to fraud.
240.24 Evaluate whether information obtained from risk assessment procedures and related activities
indicates that one or more fraud risk factors are present (while fraud risk factors may not
necessarily indicate the existence of fraud, they have often been present in circumstances
where fraud has occurred and therefore may indicate RMM due to fraud).
[Refer to specific consideration circumstances / items in the ISAs] When performing risk assessment
procedures and related activities to obtain an understanding of the entity and its environment
(including the entity’s internal control), identify which of the following circumstances / items may
be relevant in the circumstances of the auditee, and/or which financial statement items may be
affected:
• Initial engagements – opening balances
• Comparatives and related prior period experience
• Accounting estimates
• Related parties
• Subsequent events
• Going concern
• Internal auditors
• Expertise in a field other than accounting or auditing is involved in preparing the financial
statements
• The audit client using the services of a service organisation
• Litigation and claims involving the entity
• Selected item – inventory
• Selected item – segment information


b. Audit of predetermined objectives

9. Table of requirements
Source The auditor shall …
ISAE 3000 and other
{ISSAI 100.45} [Should] obtain an understanding of the nature of the entity / programme to be audited.

[This includes understanding the relevant objectives, operations, regulatory environment, internal
controls, financial and other systems and business processes, and researching the potential
sources of audit evidence. Knowledge can be obtained from regular interaction with
management, TCwG and other relevant stakeholders. This may mean consulting experts and
examining documents (including earlier studies and other sources) to gain a broad
understanding of the subject matter to be audited and its context.]
{ISSAI 100.46} [Should] conduct a risk assessment or problem analysis and revise this as necessary in
response to the audit findings.

[This can be achieved through procedures that serve to obtain an understanding of the entity or
programme and its environment, including the relevant internal controls. Such understanding
provides the basis for the identification and assessment of RMM.]
3000.46R For a reasonable assurance engagement
Obtain an understanding of the underlying subject matter and other engagement circumstances
sufficient to enable the [auditor] to identify and assess RMM in the subject matter information,
and, thereby, provide a basis for designing and performing procedures to respond to the
assessed risks and to obtain reasonable assurance to support the [auditor’s] conclusion.

3000.46L For a limited assurance engagement
Obtain an understanding of the underlying subject matter and other engagement circumstances
sufficient to enable the [auditor] to identify areas where a material misstatement of the subject
matter information is likely to arise, and, thereby, provide a basis for designing and performing
procedures to address the areas identified and to obtain limited assurance to support the
[auditor’s] conclusion.
3000.45(a) Make inquiries of the appropriate party(ies) whether they have knowledge of any actual,
suspected or alleged intentional misstatement or non-compliance with laws and regulations
affecting the subject matter information.
{ISSAI 100.47} [Should] identify and assess the risks of fraud relevant to the audit objectives, including making
inquiries and performing procedures to identify and respond to the risks of fraud relevant to the
audit objectives.
3000.45(b) Make inquiries of the appropriate party(ies) whether the responsible party has an internal audit
function and, if so, make further inquiries to obtain an understanding of the activities and main
findings of the internal audit function with respect to the subject matter information.
3000.45(c) Make inquiries of the appropriate party(ies) whether the responsible party has used any experts
in the preparation of the subject matter information.
{Deduced from NZS.19-20} Be conversant with the statute(s) governing the entity – in particular, with the laws and
regulations that specify the form, content, preparation, publication, and audit of the non-financial
performance report, and gain an understanding of the nature and purpose of the entity to assist
the auditor to evaluate the entity’s approach to performance management.
{Deduced from NZS.22-23} When planning the audit of the service performance report, consider the current state of the
entity and its environment and any changes affecting the entity’s internal control since their most
recent assessment and consider the implications of those changes for planning the audit
approach and the nature and extent of audit procedures. Specifically, the auditor shall consider:
• How the entity views the relationships between the various elements of performance.
• The entity’s performance priorities.

[Understanding the way the entity manages and reports its performance.]
{NZS.24} Consider the entity’s audit history, including recent audit reports and reports to management or
TCwG in relation to matters affecting the entity’s non-financial performance report.
Identified requirements from the ISAs (supplementary to the requirements above). Any reference to ‘financial
statements’ or ‘financial reporting’ or the context of ‘financial’ or ‘accounting’ considerations was adapted and
interpreted to suit the context of an audit of predetermined objectives. Updated terminology is indicated in
italics.
{315.5} / {315.6} Perform risk assessment procedures to provide a basis for the identification and assessment of
RMM at the annual performance report and selected programme / objectives / development
priority levels. Risk assessment procedures by themselves, however, do not provide sufficient
appropriate audit evidence on which to base the audit opinion. Risk assessment procedures
shall include:
• Inquiries of management, of appropriate individuals within the internal audit function (if the
function exists), and of others within the entity who in the auditor’s judgement may have
information that is likely to assist in identifying RMM due to fraud or error.
• Analytical procedures.
• Observation and inspection.
{315.7} Consider whether information obtained from the auditor’s client acceptance or continuance
process is relevant to identifying RMM.
{315.8} If applicable, consider whether information obtained from other engagements performed for the
entity is relevant to identifying RMM.
{315.9} Where the auditor intends to use information obtained from the auditor’s previous experience
with the entity and from audit procedures performed in previous audits, determine whether
changes have occurred since the previous audit that may affect its relevance to the current audit.
{315.11} Obtain an understanding of the following:
• Relevant industry, regulatory, and other external factors including the applicable
performance management and reporting framework (PMRF).
• The nature of the entity to enable an understanding of the performance objectives,
indicators and targets to be expected in the annual performance report. Relevant matters
include the entity’s operations, its ownership and governance structures, how it is structured
and how it is financed.
• The entity’s objectives and strategies, and those related business risks that may result in
RMM.
• The measurement and review of the entity’s non-financial performance.
{250.12} As part of obtaining an understanding of the entity and its environment in accordance with
ISA 315 (Revised), obtain a general understanding of the legal and regulatory framework
applicable to the entity and the industry or sector in which the entity operates and how the entity
is complying with that framework.
{240.17} Make inquiries of management regarding their:
• Assessment of the risk that the annual performance report may be materially misstated due
to fraud, including the nature, extent and frequency of such assessments.
• Process for identifying and responding to the risks of fraud, including any specific risks of
fraud that management has identified or that have been brought to its attention.
• Communication, if any, to TCwG regarding its processes for identifying and responding to
the risks of fraud in the entity.
• Communication, if any, to employees regarding its views on business practices and ethical
behaviour.
{240.18} Make inquiries of management, and others within the entity as appropriate, to determine whether
they have knowledge of any actual, suspected or alleged fraud affecting the entity.
{240.19} If the entity has an internal audit function, make inquiries of internal audit to determine whether it
has knowledge of any actual, suspected or alleged fraud affecting the entity, and obtain its views
about the risks of fraud.
{240.20} Obtain an understanding of how TCwG exercise oversight of management’s processes for
identifying and responding to the risks of fraud and the internal control that management has
established to mitigate these risks (unless all of TCwG are involved in managing the entity).
{240.21} Make inquiries of TCwG to determine whether they have knowledge of any actual, suspected or
alleged fraud affecting the entity (unless all of TCwG are involved in managing the entity).
{240.24} Evaluate whether information obtained from risk assessment procedures and related activities
indicates that one or more fraud risk factors are present (while fraud risk factors may not
necessarily indicate the existence of fraud, they have often been present in circumstances where
fraud has occurred and therefore may indicate RMM due to fraud).

c. Compliance audit
Audit of compliance with identified provisions of legislation for selected compliance
subject matters / focus areas

10. Table of requirements
In general, for purposes of the compliance assurance engagement concerned, any reference to ‘RMM’ must be
interpreted as ‘risks of material non-compliance’, and ‘areas where a material misstatement is likely to arise’ must be
interpreted as ‘areas where material non-compliance is likely to arise’. Furthermore, the subject matter information
is the outcome of the auditor’s measurement or evaluation of the auditee’s compliance with the identified compliance
requirements / criteria. Therefore, any reference to ‘subject matter information’ must be interpreted in the context of
‘compliance focus areas and the related compliance requirements / criteria for each’.

Source The auditor shall …
{ISSAI 100.45} [Should] obtain an understanding of the nature of the entity / programme to be audited.

[This includes understanding the relevant objectives, operations, regulatory environment, internal
controls, financial and other systems and business processes, and researching the potential
sources of audit evidence. Knowledge can be obtained from regular interaction with
management, TCwG and other relevant stakeholders. This may mean consulting experts and
examining documents (including earlier studies and other sources) to gain a broad
understanding of the subject matter to be audited and its context.]
{ISSAI 100.46} [Should] conduct a risk assessment or problem analysis and revise this as necessary in
response to the audit findings.

[This can be achieved through procedures that serve to obtain an understanding of the entity or
programme and its environment, including the relevant internal controls.]
3000.46L Obtain an understanding of the underlying subject matter and other engagement circumstances
sufficient to:
• Enable the [auditor] to identify areas where a material misstatement of the subject matter
information is likely to arise.
• Thereby, provide a basis for designing and performing procedures to address the areas
identified above, and to obtain limited assurance to support the [auditor’s] conclusion.
{SAE 3100.29} Plan a compliance engagement so that it will be performed effectively.
{SAE 3100.31} Obtain an understanding of the entity and its compliance system, the applicable requirements,
suitable criteria and other relevant engagement circumstances, sufficient to identify and assess
the risks of the entity’s non-compliance with the applicable requirements, and sufficient to design
and perform further evidence-gathering procedures.

[The auditor’s focus is on identifying risk factors that could indicate risks that the entity is, or may
be, materially non-compliant with the applicable requirements.]
{ISSAI 400.52} [Should] understand the audited entity in light of the authorities governing it.

[The authorities that govern the entity (as it applies to each compliance subject matter)
determine the criteria for testing of compliance. The auditor’s understanding of the structure and
operations of the audited entity and its procedures for achieving compliance provides the basis
to determine materiality and identify risks of non-compliance.]
3000.45(a) Make inquiries of the appropriate party(ies) whether they have knowledge of any actual,
suspected or alleged intentional misstatement or non-compliance with laws and regulations
affecting the subject matter information.
{ISSAI 100.47} [Should] identify and assess the risks of fraud relevant to the audit objectives, including making
inquiries and performing procedures to identify and respond to the risks of fraud relevant to the
audit objectives.
3000.45(b) Make inquiries of the appropriate party(ies) whether the responsible party has an internal audit
function and, if so, make further inquiries to obtain an understanding of the activities and main
findings of the internal audit function with respect to the subject matter information.
3000.45(c) Make inquiries of the appropriate party(ies) whether the responsible party has used any experts
in the preparation of the subject matter information.

C. APPLICATION OF REQUIREMENTS – A PRACTICAL APPROACH

11. The application material and guidance in this section are organised as follows in the
subsections below:
a. Introduction – identifying risk factors through an understanding of the entity and its
environment
b. Risk assessment procedures and related activities
c. Key aspects of the entity and its environment
d. Obtaining an understanding with the focus on compliance with legislation
– Consideration of legislation in all three types of audits
– The compliance audit: focus on the compliance requirements / criteria for the subject
matters / focus areas scoped into the audit
e. Obtaining an understanding with the focus on RMM due to fraud
f. Specific risk assessment procedures and related activities directed at the internal audit
function
g. Specific consideration circumstances / items relevant to the audit


a. Introduction – identifying risk factors through an understanding of the entity and its
environment
12. The auditor obtains an understanding of the following through inquiries, analytical procedures,
observation and inspection:
• Key aspects of the entity and its environment (refer to subsection c)
• Specific consideration circumstances / items relevant to the audit (refer to subsection g
as well as chapters 11, 12, 13, 14.1 and 14.2)
• The auditee’s internal control (refer to chapters 7.1, 7.2, 7.3 and 7.4)
13. Information about the auditee is gathered and documented to form part of a permanent audit
file. Certain information that had previously been documented (during the prior period
engagement) may be used in the current year audit and is confirmed with the auditee to
ensure that the information is up to date.
14. The auditor obtains an understanding of the auditee to identify risk factors that provide the
basis for the identification and assessment of RMM.
15. Risks are what can go wrong in terms of:
• The financial statements as a whole and the individual financial statement items (classes of
transactions, account balances and disclosures) at the assertion level.
• The reported information in the annual performance report for each selected programme /
objective / development priority as a whole and the individual performance measures /
indicators and their related targets at the assertion level.
• The auditee’s compliance with respect to each selected compliance subject matter / focus
area as measured or evaluated in terms of the selected compliance requirements / criteria
for each focus area.
16. Risk factors are those conditions and events (or causes) that may indicate:
• The existence of RMM in the financial statements and annual performance report.
• The existence of risks of material non-compliance.
Risk factors are any attribute, characteristic, condition or exposure of the auditee’s
environment and circumstances (auditee facts or issues) that increases the likelihood of
something occurring, i.e. it increases risk. They indicate what and how the subject matter
information (e.g. the financial statements) may be misstated. They are the indicators of risk.
The auditor considers various causes of risk in the circumstances of the auditee. Such causes
represent the aspects of the entity and its environment about which the auditor is required to
obtain an understanding.
17. Obtaining an understanding of the auditee and its environment is not a discrete, one-off step;
rather it is a continuous and dynamic process of gathering, updating and analysing information
throughout the three types of audits. The understanding establishes a frame of reference
within which the auditor plans the audit and exercises professional judgement throughout the
audit.
18. Therefore, the auditor considers whether the results of procedures performed during the audit
of financial statements and the audit of predetermined objectives indicate areas where
material non-compliance is likely to arise, or even specific matters that cause the auditor to
believe that there may be material instances of non-compliance.
19. Similarly, the auditor considers whether the results of procedures performed during the
compliance audit indicate previously unidentified RMM of the financial statements or of the
reported performance information for the selected programmes / objectives / development
priorities.
20. Obtaining an understanding assists the auditor in determining how assertions may be used to
consider RMM in terms of the audit of the financial statements and the audit of predetermined
objectives. (Linking identified risk factors to what can go wrong at the assertion level is
addressed in further detail in chapters 8.1, 8.2 and 8.3.) For the compliance audit, there is one
overall assertion, namely ‘compliance’. Although TCwG do not make an explicit statement
regarding compliance, there is an inherent / implicit assertion that the entity has conducted its
business and operations ‘in compliance with’. This single overall compliance assertion finds
application in the detailed requirements that are used as criteria for the engagement (refer to
chapter 8.4).

Additional notes on the nature of reported performance information

21. The nature of reported performance information per programme / objective / development
priority and the manner in which it is presented in the entity’s annual performance report
require the auditor to obtain an understanding and consider relevant risk factors at two levels
(also refer to similar discussions in chapter 5.2 on materiality considerations):
• At the level of the entity’s planned performance that has as its source the entity’s annual
performance plan and strategic plan (or like documents) as part of the entity’s overall
performance management system. This is referred to as the usefulness aspects of the
entity’s reported performance information.
• At the level of the entity’s actual reported performance / target achievement that has as its
source the information on actual performance as identified, captured, processed,
summarised, collated, compiled and reported as part of the entity’s system for performance
management and reporting. This is referred to as the reliability aspects of the entity’s
reported performance information.

Additional notes on the nature of the compliance audit


22. In terms of a compliance audit, risk factors are identified by being aware of and considering
possible motivations or rationale that could result in instances of non-compliance as well as
reasons for the execution of an action or for inaction that represents a compliance breach.
• Non-compliance could be the actual motive, e.g. to conceal something that would
otherwise have been revealed had the stated requirement been complied with.
• The motivation may be unrelated to non-compliance as such but because the action was
executed in a certain way (either intentionally or unintentionally), the result is
non-compliance (or it also results in non-compliance).
23. The risk factors and risks of material non-compliance identified through an understanding of
the entity and its environment assist the auditor to consider how non-compliance may occur,
and therefore what procedures would be most efficient and effective to measure or evaluate
the auditee’s compliance with the provisions of legislation identified as the compliance
requirements / criteria for the engagement. Refer to chapters 8.4 and 9.4.
24. The focus in a compliance audit is on the authorities that govern the auditee. The compliance
requirements / criteria that the auditee must comply with, and that the auditor will use to
measure or evaluate compliance, are identified from the authorities that govern the auditee.
The auditor must have sufficient knowledge of such authorities, both in terms of the structure
and the content of the authorities. The authorities considered in the compliance audit are
limited to legislation (i.e. applicable acts and related directives, regulations, by-laws, instruction
notes, or codes issued in terms of the acts) applicable to the compliance subject matters /
focus areas scoped into the audit.

Examples of risk factors


25. The following are examples of risk factors that may indicate the existence of RMM. The
examples cover a broad range of conditions and events; however, not all conditions and
events are relevant to every audit engagement and the list of examples is not necessarily
complete.
Nature of the auditee and its operations
• Operations in regions that are economically unstable, e.g. countries with significant
currency devaluation or highly inflationary economies.
• Operations exposed to volatile markets, e.g. futures trading.
• Operations that are subject to a high degree of complex regulation.
• Changes in the industry in which the entity operates.
• Developing or offering new products or services, or moving into new lines of business.
• Expanding into new locations.
• Changes in the entity, such as large acquisitions, reorganisations or other unusual events.
• Entities or business segments likely to be sold or transferred (transfer of functions).
• Privatisations.
• Major changes to existing programmes.
• New legislation and regulations or directives.
• Political decisions, such as the relocation of operations.
• Programmes without sufficient allocated resources and funding.
• Increased public expectations.
• Procurement of goods and services in certain industries, such as defence.
• Outsourcing of government activities.
• Operations subject to special investigations.
• Changes in political leadership.
• Indications of waste or abuse.
• Inquiries into the entity’s operations or financial results by regulatory or government
bodies.
Financing activities
• New financing sources.
• Budget overspending due to weak budgetary controls.
• Constraints on the availability of government funding and credit.
• Higher than normal expectations to meet budget.
Financial reporting
• Existence of complex alliances and joint ventures.
• Use of complex financing arrangements.
• Significant transactions with related parties.
• Lack of personnel with appropriate accounting and financial reporting skills.
• Changes in key personnel, including the departure of key executives.
• Deficiencies in internal control, especially those not addressed by management.
• Incentives for management and employees to engage in fraudulent financial reporting.
• Past misstatements, history of errors or a significant amount of adjustments at period end.
• Significant amount of non-routine or non-systematic transactions, including intercompany
transactions and large revenue transactions at period end.
• Transactions that are recorded based on management’s intent, e.g. debt refinancing,
assets to be sold, and classification of marketable securities.
• Application of new accounting pronouncements.
• Accounting measurements that involve complex processes.
• Events or transactions that involve significant measurement uncertainty, including
accounting estimates, and related disclosures.
• Omitting or obscuring significant information in disclosures.
• Pending litigation and contingent liabilities, e.g. sales warranties, financial guarantees and
environmental remediation.
• Going concern and liquidity issues, including loss of significant customers.
• Public and private partnerships.
Information technology (IT) environment
• Changes in the regulatory or operating environment can result in changes in competitive
pressures and significantly different risks.
• New personnel may have a different focus on, or understanding of, internal control.
• Significant and rapid changes in information systems can change the risk relating to
internal control.
• Significant and rapid expansion of operations can strain controls and increase the risk of a
breakdown in controls.
• Incorporating new technologies into production processes or information systems may
change the risk associated with internal control.
• Entering into new business models, products or activities with which an entity has little
experience may introduce new risks associated with internal control.
• Restructuring may be accompanied by staff reductions and changes in supervision and
segregation of duties, which may change the risk associated with internal control.
• Adopting new accounting principles or changing accounting principles may affect risks in
preparing the financial statements.
26. The following are examples of risk factors that relate specifically to material non-compliance.
Once again, this is not an exhaustive list.
• Uncertainty about the entity's objective, mandate and legal capacity, or further clarity is
required and/or the information is not readily available.
• Recent changes in mandate, objectives or programme areas.
• Recent changes in legislation from which detailed compliance requirements / criteria have
been identified for the subject matters / focus areas scoped into the audit.
• Indications that roles and responsibilities within the organisational structure may not be
clear and well defined, or may not be clearly communicated and understood throughout
the entity.
• Lack of attention to, or focus on, risk assessment and risk management, including risks of
non-compliance in the entity’s operations.
• Recent significant organisational changes, including outsourcing of activities to other
entities (with insufficient focus on monitoring compliance and performance).
• Questions regarding the competence and ethical behaviour of staff with responsibilities
pertaining to compliance as well as the supervision and monitoring of others.
• High vacancy rate that can result in a lack of segregation of duties and that may leave
gaps in the processes and procedures to be followed to ensure compliance.
• Indications of, or evidence that there may be, collusive behaviour in certain key areas.
• Identified areas of political focus, visibility and sensitivity.
• Identified areas of particular public interest.
• Strained working relationship between the political and the administrative management
function.
• Relevant legislation from which compliance requirements / criteria have been identified is
relatively new, or not well established.
• Different interpretations exist (inside or outside the entity) on what compliance means or
entails with respect to certain compliance requirements / criteria, or indications that
legislation is not clearly understood and applied.
• Indications that management or others within the entity rely on disproportionate levels of
rationalisation to explain why or how certain transactions, events or actions actually
comply with relevant legislation (compliance is not always obvious and clearly observable;
rather further explanation is required).
• Execution of a transaction, event or action is subject to significant application of
judgement (questions whether such judgement is applied with the intentions behind the
relevant legislation).
• Previous audit findings – identified instances of non-compliance, fraud, unlawful acts,
unethical behaviour, management bias, etc.
• Lack of adequate response by management to address findings from previous audits, or
to implement recommendations and improvements.
• Inspections or investigations conducted by regulatory authorities or other enforcement or
oversight bodies.

b. Risk assessment procedures and related activities


27. Risk assessment procedures include inquiries, analytical procedures, and observation and
inspection. Although the auditor is required to perform all of these risk assessment procedures
in the course of obtaining the required understanding of the auditee, the auditor is not required
to perform all of them for each aspect of that understanding.
28. In the case of a limited assurance engagement, inquiries may often be sufficient to obtain the
required level of understanding. Inquiries may be supplemented by other procedures, such as
limited analytical procedures, inspection and observation if this proves to be the most efficient
and effective means of gathering the required information. Also, inquiries would normally not
have to be corroborated to the same extent as would be the case for a reasonable
assurance engagement.
29. In addition to risk assessment procedures, the auditor also obtains information from the
following related activities:
• The auditor’s client acceptance or continuance process.
• Initial knowledge and understanding obtained during scoping of the audit and
pre-engagement activities about the applicable financial reporting framework used by the
auditee to prepare financial statements and the elements of those financial statements
(also refer to chapter 2).
• The knowledge gained and results of the work conducted in the scoping of the audit of
predetermined objectives (part of pre-engagement activities and agreeing the terms of
engagement – also refer to chapter 2). This includes an understanding of:
o The individual programmes / objectives / development priorities that were selected
and how they were selected (application of scoping criteria and decision rules in the
circumstances of the auditee).
o The elements of each selected programme / objective / development priority, namely
the performance measures / indicators and their related targets.
o The prescribed PMRF used by management and TCwG for the preparation of the
performance information by programme / objective / development priority as
presented in the annual performance report.
• The knowledge gained and results of the work conducted in the scoping of the compliance
audit (part of pre-engagement activities and agreeing the terms of engagement – also
refer to chapter 2). This includes an understanding of:
o The individual compliance subject matters / focus areas selected for inclusion as part
of the assurance engagement, e.g. procurement and contract management, budgets,
transfer of funds, and revenue management.
o For each compliance subject matter / focus area, the specific provisions of legislation
selected as the compliance requirements / criteria for the assurance engagement and
that will be used to measure or evaluate the auditee’s compliance.
• Other engagements performed for the auditee, if applicable. These may include any
discretionary engagements such as performance audits, investigations, special audits and
audit-related services.
• Previous experience with the auditee and the audit procedures performed in previous
audits. This includes an understanding of:
o Past misstatements (their size and nature, cause and circumstances) in the audit of
financial statements and in the audit of predetermined objectives with a distinction
between misstatements that had been corrected and misstatements that had not
been corrected, as well as material and non-material misstatements.
o With respect to the compliance audit, past instances of non-compliance and how
non-compliance occurred, with a distinction between material and non-material
instances of non-compliance.
o The nature of the entity and its environment and the entity’s internal control, including
deficiencies in internal controls (across all three types of audits).
o Significant changes that the entity or its operations may have undergone since the
prior reporting period.
• Discussions among the engagement team pertaining to (also refer to chapter 6):
o The susceptibility of the financial statements to material misstatement, and the
application of the applicable financial reporting framework to the auditee’s facts and
circumstances.
o The susceptibility to material misstatement of the auditee’s performance information
as presented in the annual performance report for the selected programmes /
objectives / development priorities, and the application of the prescribed PMRF to the
auditee’s performance facts and circumstances.
o The susceptibility of the auditee’s business and operations to material
non-compliance in the context of the individual compliance subject matters / focus
areas scoped into the audit, and the application in the circumstances of the entity of
those specific provisions of legislation selected as the compliance requirements /
criteria for the engagement.
• Meetings held within the Auditor-General of South Africa (AGSA) to identify transversal
risks: within a specific sector (industry) or a specific type of entity (e.g. metro); or generally
for a specific audit cycle.
• Information from portfolio committee meetings or standing committee on public accounts
(SCoPA) resolutions.
30. Inquiry procedures may include, for example, inquiries with the following (which is not an
exhaustive list):
At a minimum
• Management and those responsible for financial reporting, performance management and
reporting as well as the auditee’s compliance with legislation.
• TCwG.
• The internal audit function.
• In-house legal counsel.
As applicable in the circumstances
• Information and communication systems personnel.
• Other employees with different levels of authority.
• Other employees not directly involved in accounting and financial reporting processes,
performance management and reporting processes or the entity’s compliance systems
and processes.
• Organisations or bodies external to the entity (e.g. an oversight body or regulatory body).
• External legal counsel.
• Experts.
31. Analytical procedures performed as risk assessment procedures include the identification of
unusual transactions, events or occurrences; comparing the budget with actual results; and
the calculation of ratios and trends to identify matters that have audit implications.
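The budget-versus-actual comparison and the trend calculation mentioned in paragraph 31 can be screened mechanically before the auditor applies judgement to the exceptions. The following is an added worked example, not AGSA code or part of the original text: the programme names and amounts are constructed sample figures, and the 10% variance and 25% trend thresholds are assumptions chosen for illustration (in practice they would be set with reference to materiality). It also handles the edge case of expenditure incurred against a line with no budget at all.

```python
"""Screening budget-versus-actual figures as a risk assessment analytical procedure.

Added illustration. The line items below are constructed sample data, not figures
from any auditee, and the thresholds are assumptions for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LineItem:
    programme: str
    budget: float        # appropriated / adjusted budget for the period
    actual: float        # actual expenditure reported for the period
    prior_actual: float  # actual expenditure reported in the prior period


# Constructed sample figures (illustrative only).
SAMPLE_ITEMS = [
    LineItem("Administration", 120_000.0, 124_000.0, 118_000.0),
    LineItem("Infrastructure", 500_000.0, 610_000.0, 480_000.0),
    LineItem("Transfers to entities", 300_000.0, 300_000.0, 150_000.0),
    LineItem("Training", 80_000.0, 52_000.0, 79_000.0),
    LineItem("Special projects", 0.0, 15_000.0, 0.0),
]


def pct_change(base: float, value: float) -> Optional[float]:
    """Percentage change of value relative to base; None when base is zero."""
    if base == 0:
        return None
    return (value - base) / base * 100.0


def screen_line_items(items: List[LineItem],
                      variance_threshold: float = 10.0,
                      trend_threshold: float = 25.0) -> List[Tuple[str, List[str]]]:
    """Return (programme, reasons) for every line item that warrants follow-up.

    Two comparisons from the text are implemented: actual against budget, and the
    year-on-year trend of actual expenditure. A line item is flagged when either
    comparison breaches its threshold, or when spending occurred with no budget.
    """
    findings = []
    for item in items:
        reasons = []
        variance = pct_change(item.budget, item.actual)
        if variance is None:
            # Zero budget: any spending at all is an exception worth following up.
            if item.actual != 0:
                reasons.append("expenditure incurred with no budget allocated")
        elif abs(variance) >= variance_threshold:
            direction = "over" if variance > 0 else "under"
            reasons.append(f"{direction}spend of {abs(variance):.1f}% against budget")
        trend = pct_change(item.prior_actual, item.actual)
        if trend is not None and abs(trend) >= trend_threshold:
            reasons.append(f"actual moved {trend:+.1f}% versus prior period")
        if reasons:
            findings.append((item.programme, reasons))
    return findings


if __name__ == "__main__":
    for programme, reasons in screen_line_items(SAMPLE_ITEMS):
        print(programme)
        for reason in reasons:
            print("  -", reason)
```

The exceptions list is a starting point for inquiry, not a conclusion: a flagged overspend may be a risk factor for weak budgetary controls (paragraph 25), while an unflagged item is not evidence that nothing is wrong.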
32. Observation and inspection procedures focus firstly on the subject matter information as
presented by the auditee (i.e. the financial statements and the reported performance
information for selected programmes / objectives / development priorities) and the records,
information, systems and processes that underlie the reported information. For the compliance
audit, similar focus is on the documentation and records maintained by the auditee that
support its compliance, including any significant interpretations made or applied with respect to
the meaning of compliance in the circumstances. In addition, observation and inspection
procedures may relate to any aspect of the auditee’s operations, premises and facilities; any
documents, records, manuals, policies and procedures; minutes of meetings and other records
of proceedings; any internally prepared reports (including in-year management records and
reports); any information or reports from external sources; readily available or accessible
information relating to the auditee’s financial statements, performance information and
compliance, its industry and/or its operations; as well as laws and regulations (this is not an
exhaustive list).
33. The information systems auditor assists with performing risk assessment procedures to obtain
an understanding of the auditee’s IT environment and related controls, and to identify related
risk factors and RMM. The nature and extent of the involvement of the information systems
auditor are determined for each audit based on specific criteria taking cognisance of any
guidance that may have been issued at firm level.
• It is important that there is sufficient contact and interaction with the information systems
auditor from the initial planning of the audit, and through the evidence-gathering process,
to ensure that the audit engagement team has sufficient understanding of how the auditee
has responded to risks arising from IT, and to ensure that the related further procedures
provide sufficient appropriate audit evidence.
• The information systems auditor possesses special skills and knowledge pertaining to
information systems and processing, general IT controls and application controls. The
information systems auditor participates in, and is an integral part of, the planning
activities, including discussions among the engagement team.
• Risk assessment procedures that focus on IT will address the following:
o Information about the entity’s IT environment and application systems – refer to
subsection c.
o General IT controls as part of understanding internal control at entity level – refer to
section C.a of chapters 7.1, 7.2, 7.3 and 7.4.
o Automated application controls as part of understanding internal control at business
process level – refer to section C.b of chapters 7.1, 7.2, 7.3 and 7.4.
34. The auditor may have occasion to involve fraud specialists in performing risk assessment
procedures pertaining to the engagement team’s understanding of certain circumstances,
events, transactions or occurrences with the focus on identifying fraud risk factors and related
RMM due to fraud (or non-compliance, as applicable). Fraud specialists possess special
knowledge and skills relating to investigations involving the identification, follow-up and
interrogation of information about fraud or that may indicate that fraud could have occurred.
Refer to subsection e for further guidance.

c. Key aspects of the entity and its environment


35. As indicated earlier, the auditor obtains an understanding of the key aspects for different
purposes. For example, certain information is already required during pre-engagement for
purposes of scoping the audit and assessing engagement risk prior to issuing the engagement
letter, while other information informs decisions in relation to the audit strategy and later on
performing the risk assessments.

Nature of the auditee


36. The auditor obtains an understanding of the following aspects of the nature of the auditee,
which enables the auditor to understand the classes of transactions, account balances and
disclosures that can be expected in the financial statements, as well as providing context for
understanding the auditee’s reported performance information and matters relating to
compliance with legislation:
• The type of auditee, e.g. national or provincial department, Parliament or provincial
legislature, schedule 2 or 3 public entity, constitutional institution, trading entity,
municipality, municipal entity, or other (e.g. trust or fund).
• The purpose / mandate, applicable sector or cluster, and general information about the
auditee, including the primary and secondary responsibilities (core and supporting
functions) in terms of its legislative and political mandate.
• The group and organisational structures of the auditee. If the auditee has a complex
structure (e.g. if it has subsidiaries or operates in multi-locations), this often introduces
issues that may give rise to RMM. Such issues may include, for example, whether
goodwill, joint ventures, investments or special-purpose entities are accounted for
appropriately and whether such issues have been disclosed adequately in the financial
statements.
• The different revenue streams, e.g. own revenue, grants, donor funding, etc.
• What the revenue is used for e.g. services provided, transfers to another entity,
infrastructure developments, etc.
• The budget / expenditure structure (also linked to appropriations, budgets and actual
expenses).
• Governance structures of the auditee, including internal audit functions, audit committees,
etc.
• For prior year misstatements, whether they were resolved or remained uncorrected, and
whether they were material, including any corrective actions taken in the current year, if
applicable, and whether management is aware of any misstatements, or events or
circumstances that may contribute to misstatements in the current year.
• Significant changes at the auditee from the previous reporting period.

Other engagements with the auditee


37. If applicable, the auditor documents information of the auditee relevant to the identification of
risk factors obtained from performing other engagements at the auditee, e.g. audit-related
services, special audits and investigations. This should also include any specific or related
transversal performance audits that may have been performed.

The auditee’s regulatory environment


38. The auditor obtains an understanding of legislation that significantly affects the entity’s
business and operations and that is relevant to the three types of audits being undertaken (i.e.
financial reporting, performance management and reporting, and the entity conducting its
business and operations in compliance with selected provisions of legislation for those
compliance subject matters / focus areas scoped into the compliance audit).
39. Subsection d addresses obtaining an understanding with the focus on compliance with
legislation in more detail.
40. Certain additional work with respect to specific focus areas / value-adding focus areas may
also be required as part of the additional reporting responsibilities assumed by the auditor as
determined in the AG Directive. The auditor obtains an understanding of legislation relevant to
such specific focus areas to the extent that it is required for purposes of performing specific
procedures. Refer to chapter 2, section J that addresses specific focus areas.

External factors
41. The auditor obtains an understanding of external factors affecting the entity by reviewing, for
example, the following (which is not an exhaustive list):
• Media coverage, investigations, litigation and claims.
• Resolutions of council and SCoPA as well as ministerial directives.
• Publications by government, e.g. state of the nation address.
• General economic conditions, interest rates, availability of financing, inflation and currency
revaluations.

The auditee’s objectives and strategies


42. The auditor obtains an understanding of how the entity’s management or TCwG define
objectives (which are the overall plans for the entity and which include objectives that have
their source in law, regulation or other authority), and how and what strategies have been
established to achieve its objectives. This includes an understanding of how objectives and
strategies are influenced by government priorities and public sector concerns, such as
accountability, effective legislative oversight, public interest and public expectations.
43. Linked to objectives and strategies is a general understanding of the business risks facing the
entity. Although ‘business risk’ is broader than the RMM of the financial statements and of
reported performance information, an understanding of the business risks increases the
likelihood of identifying RMM, since most business risks will eventually have financial and
performance consequences. However, the auditor does not have a responsibility to identify or
assess all business risks.
44. One of the components of internal control is the risk assessment process established by
management, with oversight by TCwG, for purposes of identifying and responding to business
risks. Refer to chapters 7.1, 7.2, 7.3 and 7.4 that address, among others, the components of
internal control.

Information about the entity’s IT environment and application systems


• Number of servers.
• Type of network operating systems in use.
• Number of workstations in place.
• Type of applications used for financial and performance information.
• Number of remote locations where data capturing takes place.
• Responsibility for system maintenance.
• Number of key controls within the applications used for financial and performance
information.
• Use of emerging or advanced information technology.
• Use of e-commerce.
45. The auditor will obtain this information annually. Assistance may be requested from the
information systems auditor for new auditees, after which the maintenance and updating of the
information will become the sole responsibility of the auditor. The information will be obtained
for all entities.
The information will be obtained for all systems used for financial and performance
information, such as general ledger, payroll, human resources, procurement, asset
management and electronic funds transfers, specific disclosures in the financial statements
not contained in the general ledger and subsidiary ledgers, as well as those specific to
performance management and reporting. A level of judgement will have to be applied to
classify the systems and overall environment as a level 1 (low-risk), level 2 (medium-risk) or
level 3 (high-risk) sophistication. The information systems auditor will assist with this
classification.
46. Below is a description of the different levels of entities’ IT sophistication:
Level 1 – low risk
• This is the lower end of the spectrum for IT sophistication and relevance.
• Generally speaking, there would be one server associated with financial reporting and/or
performance information, a limited number of workstations (generally, fewer than 15), no
remote locations (associated with financial reporting and performance information),
commercial off-the-shelf applications and infrastructure, vendors perform updates and
maintenance on the system, little emerging or advanced technology, and few or no online
/ e-commerce transactions.
• Key controls over financial reporting and/or performance information would not be overly
reliant on IT, would be embedded in the commercial off-the-shelf applications, or would be
limited to very few manual processes and controls.
• Many small to medium-sized entities would fit this description. Due to the scope of the
minimum IT procedures for this level – limited in number and nature (inquiry and
observation) – it is possible that these IT procedures would not require the assistance of
an information systems auditor.
Level 2 – medium risk
• This is the middle of the spectrum.
• Generally speaking, these entities would have more than one server associated with
financial reporting and/or performance information, more than one network operating
system or a non-standard one, more workstations than level 1 but fewer than about 30 in
total, possibly some customisation of the application software (or relatively complex
configuration of commercial off-the-shelf applications, e.g. mid-size enterprise resource
planning), medium reliance on IT for key controls over financial and/or performance
information or several manual controls, updates and maintenance on the system are
performed centrally on site or through vendors, a few to moderate number of emerging or
advanced technologies, and few online / e-commerce transactions.
• This level would require an information systems auditor to design and/or perform the
necessary IT procedures that address the risk and the level of control reliance to be
placed on financial and/or performance information systems.
Level 3 – high risk
• This is the high end of the spectrum.
• These entities would have more than two servers associated with financial reporting
and/or performance information, have remote locations, have generally more than
30 workstations associated with financial reporting, use enterprise resource planning or
write custom software, perform centralised updates and maintenance on the system and
distribute these to decentralised sites or through onsite vendors, employ a large number
of emerging or advanced technologies, and possibly have a large number of online /
e-commerce transactions. The entities would also rely heavily on IT for key controls over
financial and/or performance information.
• An entity running transversal systems would also fall into this category. Information
systems for which certain IT processes are managed centrally, but which are used by
various auditees who have limited responsibility regarding the design and enhancement of
the system, will be classified as high risk at a national level.
• Information systems auditors will perform IT audit procedures that address the risk and
the level of control reliance to be placed on the financial and/or performance information
systems.
47. The level of sophistication at an auditee will be the first consideration when deciding on the
need for an information systems auditor. During the second level of assessment, the extent
and nature of procedures to be performed will be determined, as well as the responsibility for
performing the audit procedures, the engagement risk, and the planned approach. These
matters will determine the ultimate classification of the auditee and the extent and nature of
the work to be performed on the IT general controls (refer to chapter 7.1).
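Paragraphs 45 to 47 describe the sophistication classification as a judgement over a set of IT environment attributes. The following is an added illustration of how those attributes can be scored consistently before the information systems auditor applies judgement; it is example code, not an AGSA tool. Each attribute is scored against the thresholds the text gives for levels 1 to 3; where the text is silent (for example, what a single remote location implies), the cut-offs are assumptions and are marked as such in the comments. Taking the overall level as the highest attribute score is also an assumption, chosen because it is the conservative reading, while transversal systems are forced to level 3 as the text requires.

```python
"""Heuristic scoring of an auditee's IT sophistication into level 1 (low risk),
level 2 (medium risk) or level 3 (high risk).

Added illustration, not an AGSA tool. Thresholds follow the text where it gives
them; the remaining cut-offs and the max-score aggregation are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class ITProfile:
    servers: int              # servers associated with financial/performance reporting
    workstations: int         # workstations associated with financial/performance reporting
    remote_locations: int     # remote sites where data capturing takes place
    network_os: str           # "single_standard" | "multiple_or_nonstandard"
    software: str             # "cots" | "customised" | "erp_or_custom"
    maintenance: str          # "vendor" | "central_onsite" | "central_distributed"
    emerging_tech: str        # "little" | "some" | "many"
    ecommerce: str            # "none" | "few" | "many"
    it_reliance: str          # reliance on IT for key controls: "low" | "medium" | "high"
    transversal: bool = False # centrally managed system used by several auditees


# Categorical attributes mapped to the level the text associates them with.
# "few" e-commerce transactions appear at both level 1 and level 2 in the text;
# scoring them as level 1 is an assumption.
_CATEGORY_LEVELS = {
    "network_os": {"single_standard": 1, "multiple_or_nonstandard": 2},
    "software": {"cots": 1, "customised": 2, "erp_or_custom": 3},
    "maintenance": {"vendor": 1, "central_onsite": 2, "central_distributed": 3},
    "emerging_tech": {"little": 1, "some": 2, "many": 3},
    "ecommerce": {"none": 1, "few": 1, "many": 3},
    "it_reliance": {"low": 1, "medium": 2, "high": 3},
}


def score_attributes(p: ITProfile) -> Dict[str, int]:
    """Score every attribute individually so the driver of the result is visible."""
    scores = {
        # Text: one server -> level 1; more than one -> level 2; more than two -> level 3.
        "servers": 1 if p.servers <= 1 else 2 if p.servers == 2 else 3,
        # Text: fewer than 15 -> level 1; fewer than about 30 -> level 2; otherwise level 3.
        "workstations": 1 if p.workstations < 15 else 2 if p.workstations < 30 else 3,
        # Text: none at level 1, present at level 3. Assumption: any remote site -> 3.
        "remote_locations": 1 if p.remote_locations == 0 else 3,
    }
    for attr, table in _CATEGORY_LEVELS.items():
        value = getattr(p, attr)
        if value not in table:
            raise ValueError(f"unknown value {value!r} for attribute {attr}")
        scores[attr] = table[value]
    return scores


def classify(p: ITProfile) -> Tuple[int, Dict[str, int]]:
    """Overall level plus the per-attribute scores that produced it."""
    scores = score_attributes(p)
    # Transversal systems are classified as high risk at a national level (text).
    level = 3 if p.transversal else max(scores.values())
    return level, scores


# Constructed sample profiles (illustrative only, not real auditees).
SAMPLE_PROFILES = {
    "small trading entity": ITProfile(1, 10, 0, "single_standard", "cots",
                                      "vendor", "little", "few", "low"),
    "mid-size municipality": ITProfile(2, 25, 0, "multiple_or_nonstandard", "customised",
                                       "central_onsite", "some", "few", "medium"),
    "national department": ITProfile(4, 120, 6, "multiple_or_nonstandard", "erp_or_custom",
                                     "central_distributed", "many", "many", "high"),
    "transversal system user": ITProfile(1, 10, 0, "single_standard", "cots",
                                         "vendor", "little", "none", "low", transversal=True),
}

if __name__ == "__main__":
    for name, profile in SAMPLE_PROFILES.items():
        level, scores = classify(profile)
        print(f"{name}: level {level}  ({scores})")
```

Returning the per-attribute scores alongside the level matters more than the level itself: a single attribute pulling a small entity to level 3 (for example, one remote capturing site) is exactly the case where the text's "level of judgement" applies, and the breakdown shows the reviewer what to reconsider.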
48. An information systems auditor is someone with the necessary skills and experience to audit
IT general controls. Adequate skills are seen as being qualified in an IT area of expertise, such
as a certified information systems auditor or a certified information systems manager, or
having network and security qualifications, such as a certified information systems security
professional. To be able to obtain these certifications, certain knowledge and experience
needed to have been obtained and are therefore seen as the minimum requirements for an
information systems auditor.
49. Once the entity’s IT sophistication and resulting level of risk have been determined, a deeper
understanding of the IT environment needs to be obtained. For entities that have been
assessed as a level 1 (low-risk) auditee, a lower level of understanding will be required than
for a level 2 (medium-risk) or a level 3 (high-risk) auditee.
50. The following figure indicates the information that needs to be obtained for a level 1 auditee,
the additional information that will be obtained for a level 2 auditee as well as the further
information that will be required for a level 3 auditee:

Figure 1: Information to be obtained at auditees based on their different levels of IT
sophistication

Level 1:
• IT organisational structure
• New system information
• Access paths
• High-level ITGC procedures

Level 2 and 3:
• Application software information
• Systems software on application servers
• Systems software on database servers
• Data input and processing
• Change management
• Maintenance and upgrades on existing systems
• Network infrastructure
• Database management

51. Refer to chapters 7.1, 7.2, 7.3 and 7.4 for further guidance on obtaining an understanding of
IT general controls and the effect of IT at the business process level.

Applicable financial reporting framework and its application by the entity


52. The auditor determines the financial reporting framework that should be applied by the auditee
by referring to technical guidance provided at firm level.
53. The auditor may accept the financial reporting framework as acceptable if the auditee applied
the framework as prescribed for that type of public sector entity.
54. If a departure / exemption was granted to the auditee by the National Treasury or the Minister of
Finance, as applicable, the auditor follows the separate guidance on assessing the
acceptability of the financial reporting framework (also refer to chapter 1, section F).
55. The auditor’s understanding of the financial statements and the financial reporting framework
applied includes:
• The auditee’s selection and application of accounting policies, including matters such as:
o Methods the auditee uses to account for significant transactions, including unusual
transactions.
o Changes in the auditee’s accounting policies.
o How and when the auditee will adopt requirements of financial reporting standards
and legislation that are new.
• Consideration of disclosures to assist the auditor in giving appropriate attention to, and
planning adequate time for, addressing disclosures. This consideration may assist the
auditor to determine the effects on the audit of:
o Significant new or revised disclosures required as a result of changes in the entity’s
environment, financial condition or activities.
o Significant new or revised disclosures arising from changes in the applicable financial
reporting framework.
o The need for the involvement of an auditor’s expert to assist with the audit procedures
related to particular disclosures.
o Matters relating to disclosures that the auditor may wish to discuss with TCwG.
• Identification of the business processes within which events and transactions are initiated
and executed, and information is captured, processed and reported, for financial reporting
purposes. Individual financial statement items are linked to one or more business
processes. Refer to chapter 7.1, which addresses, among other things, the auditor’s understanding of
internal control at the business process level.

Performance management and reporting


56. The auditor ensures that the engagement team has a proper understanding of the
requirements of the PMRF prescribed for use by public sector entities in the preparation of
annual performance reports, as well as the criteria developed from the PMRF that will be used
as the applicable criteria for the assurance engagement (as defined in the AG Directive).
57. With respect to the circumstances of the particular auditee, the auditor obtains an
understanding of the application by the auditee of the requirements and principles of the
PMRF, including its effect on recording, summarising, collating and disclosing performance
information per selected programme / objective / development priority as well as the
performance measures / indicators and their related targets for each. This understanding is
obtained through the documentation of the relevant business processes.
58. The following key performance-related documentation is central to the auditor’s overall
understanding relevant to performance management and reporting:
• Approved strategic plan (or similar document depending on the type of public sector entity
concerned).
• Approved annual performance plan (or similar document depending on the type of public
sector entity concerned).
• Approved budget and adjustments budget per programme / objective / development
priority.
• Quarterly reports (or mid-year performance assessment reports in the case of
municipalities and municipal entities).
• Relevant documentation relating to the audit committee / performance audit committee:
terms of reference, minutes of meetings, and report on the assessment of the
performance management system.
• Internal audit reports relevant to performance management and reporting.
• Annual performance report for inclusion in the entity’s annual report.
59. The auditor proceeds to obtain a deeper understanding of the auditee’s organisational
performance management system, as well as of the detailed information systems, processes
and procedures at the level of individual performance measures / indicators and their related
targets, as discussed in chapters 7.2 and 7.3.

Information relating to multi-locations


60. If the auditee’s operations take place in different locations and the auditor will have to perform
the audit at these locations, the auditor obtains:
• The names of the locations and the nature of their operations.
• Their geographical location.
• The financial statement items and the reported performance information for which audit
evidence has to be obtained at each location.
• The significant changes at the locations from the prior year.
61. The audit plan with respect to visiting multi-locations to perform audit procedures and obtain
audit evidence is addressed in more detail in chapter 11.

Information relating to consolidations


62. If the auditee prepares consolidated financial statements, the auditor obtains an understanding
of:
• The names of each component and the nature of their operations.
• The significant changes at the components, if any.
• Whether the financial year-ends are the same as that of the controlling entity; and if not,
what the year-ends are (and how these are aligned during the consolidation process).
• Whether the financial reporting frameworks and accounting policies are the same as that
of the controlling entity; and if not, what the differences are (and how these are aligned
during the consolidation process).
63. The audit plan for auditing consolidated financial statements is addressed in more detail in
chapter 14.1 (in accordance with the requirements of ISA 600).
64. The different scenarios that apply in the audit of predetermined objectives are included in
chapter 14.2.

The measurement and review of the auditee’s financial performance


65. An understanding of the entity’s performance measures assists the auditor in considering
whether pressures to achieve financial performance targets may result in management actions
that increase RMM, including those due to fraud.
66. Examples of internally generated information used by management for measuring and
reviewing financial performance which the auditor may consider, include:
• Key performance indicators (financial and non-financial) and key ratios, trends and
operating statistics.
• Period-on-period financial performance analyses.
• Budgets, forecasts, variance analyses, segment information and divisional, departmental
or other level performance reports.
• Employee performance measures and incentive compensation policies.

d. Obtaining an understanding with the focus on compliance with legislation

Consideration of legislation in all three types of audits


67. In the audit of financial statements and the audit of predetermined objectives, the auditor is
concerned with RMM of the financial statements and of the reported information in the annual
performance report for selected programmes / objectives / development priorities, recognising
that there may be misstatements due to non-compliance with applicable legislation. However,
the further removed non-compliance is from the events and transactions reflected in the
financial statements and in the annual performance report, the less likely the auditor is to
become aware of it or to be concerned with it, as it would not affect the audit opinion /
assurance conclusion.
68. In the compliance audit, the auditor is the measurer or evaluator of the entity’s compliance with
legislation. However, this is limited in terms of the scope of the compliance audit – the auditor
is concerned with those compliance subject matters / focus areas scoped into the audit and
the specific provisions of legislation selected as the compliance requirements / criteria for the
particular engagement.
69. It is important to realise throughout that the auditor and the engagement team are not legal
experts and cannot make a final determination whether a particular transaction, event or action
is illegal. The auditor does not make a legal determination whether an illegal act has occurred.
The auditor is concerned about whether a particular requirement of legislation has been
adhered to or not.
70. In terms of the auditee’s regulatory environment, the auditor obtains an understanding of:
• Those laws and regulations that have a direct effect on the determination of material
amounts and disclosures in the financial statements and that affect the auditee’s
performance management and reporting.
• Other laws and regulations that may have a fundamental effect on the operations of the
auditee. The consequences to the auditee of non-compliance with such laws and
regulations may have a material effect on the financial statements.
• Relevant laws, regulations, guidance and best practices that describe the requirements of
the auditee’s overall / organisational performance management system (an understanding
of the organisational performance management system and compliance is discussed in
more detail in chapters 7.2 and 7.3).
• The auditee’s policies and procedures regarding compliance with laws and regulations.
• The auditee’s policies and procedures regarding the identification and evaluation of, and
accounting for, litigation and claims.
71. To assist in identifying instances of non-compliance with laws and regulations in the ‘other
laws and regulations’ category that may have a material effect on the financial statements, the
auditor performs the following specific risk assessment procedures:
• Inquire of management and, where appropriate, TCwG, as to whether the entity is in
compliance with such laws and regulations.
• Inspect correspondence, if any, with the relevant licensing or regulatory authorities.
72. The auditor makes inquiries of management, TCwG and others within the entity concerning:
• Their knowledge of the identified compliance requirements / criteria and how the entity
has interpreted and applied ‘compliance’ or ‘non-compliance’. The processes to ensure
compliance with applicable legislation are covered in chapter 7.4.
• Whether they have knowledge of any actual, suspected or alleged non-compliance with
the identified compliance requirements / criteria, as well as their knowledge about related
fraud or illegal acts affecting the entity.
73. Inquiries of ‘others’ within the entity could specifically include entity personnel working directly
within the accounting and financial reporting processes, performance management and
reporting processes or the processes pertaining to the selected compliance focus areas (at
different levels of responsibility), as well as the entity’s compliance and regulation officer (or
other similar position) and the entity’s in-house legal counsel.

The compliance audit: focus on the compliance requirements / criteria for the subject matters /
focus areas scoped into the audit
74. The compliance subject matters / focus areas and the compliance requirements / criteria for
each are predetermined with a distinction between different categories of auditees in terms of
different legislation that may apply to different types of public sector entities (which forms part
of the scoping of the audit as discussed in chapter 2).
75. Standard audit programs have been designed that summarise the predetermined compliance
requirements / criteria for each compliance focus area, and provide additional guidance, as
applicable, in terms of what compliance with each requirement means, or what it entails for the
auditee to comply with that requirement.
76. The auditor ensures that there is sufficient understanding within the engagement team of not
only the compliance focus areas applicable to the auditee, but also of the detailed compliance
requirements / criteria themselves (using the relevant standard audit programs applicable to
the particular auditee and the compliance subject matters / focus areas scoped into the audit).
This facilitates the auditor’s consideration of how non-compliance may occur.
77. Furthermore, the auditor considers how the entity ensures compliance with legislation; that is,
the policies, systems and procedures established to ensure compliance with applicable
legislation as well as compliant conduct by the entity’s officers, employees and, where
appropriate, third parties. This is part of the entity’s internal control to ensure achievement of
its compliance objectives. Refer to chapter 7.4, which addresses the auditor’s understanding of
internal control.
78. Although inquiries and other initial procedures are important to obtain the required level of
understanding, the auditor’s conclusions about the auditee’s compliance must be based on
evidence obtained through tests of compliance. The auditor’s measurement or evaluation of
the auditee’s compliance is dependent on sufficient understanding of the detailed compliance
requirements / criteria for each selected compliance subject matter / focus area.
79. Any non-compliance already identified during the planning stage will be followed up and
corroborated by performing additional procedures to address the specific matters concerned. If
the further evidence confirms an instance of non-compliance, it will be accumulated with all
other instances of non-compliance identified during the evidence-gathering process and
evaluated to determine the effect on the auditor’s conclusion in the assurance report.

e. Obtaining an understanding with the focus on RMM due to fraud


80. There is a general public expectation of the auditor in the public sector to be alert to fraud risk
factors and occurrences of abuse. As such, the auditor must be alert throughout the audit that
RMM could arise due to fraud (as opposed to error). Fraud is generally understood as referring
to an intentional act by one or more individuals among management, TCwG, employees or
third parties involving the use of deception to obtain an unjust or illegal advantage.
[ISA 240.11(a)] In other words, it is an intentional, deliberate or purposeful act to deceive,
conceal or mislead.
81. In the context of the audit of the financial statements, the auditor is concerned with fraud that
causes a material misstatement in the financial statements. In this regard, two types of
intentional misstatements are relevant, namely misstatements resulting from fraudulent
financial reporting and misstatements resulting from the misappropriation of assets.
82. In the context of an audit of predetermined objectives, the auditor is in particular concerned
with the possibility of fraudulent reporting of performance information, such as:
• Intentional misstatements, including omissions or manipulation of reported performance
information or disclosures to deceive the users of the annual performance reports.
• Intentional misstatements in reporting the degree to which the entity has actually
performed / delivered against planned targets.
• The credibility of reported actual results compared to what was expected.
83. The auditor also considers the possibility of risks of material non-compliance due to fraud (i.e.
intentional actions or inaction, as opposed to unintentional actions or inaction, or actions or
inaction in error). Fraud in compliance auditing relates mainly to the abuse of public authority,
but also to fraudulent reporting on compliance issues. [ISSAI 400.55] Instances of
non-compliance with authorities may constitute the deliberate misuse of public authority for
improper benefit, and may relate to decisions, non-decisions, preparatory work, advice,
information handling and other acts in the public service.
84. The consideration of fraud requires a general mindset and alertness throughout the audit
[ISA 240.12-15].
• The auditor maintains professional scepticism throughout the audit, recognising the
possibility that a material misstatement due to fraud could exist, notwithstanding the
auditor’s past experience of the honesty and integrity of the entity’s management and
TCwG.
Note: While the auditor cannot be expected to disregard past experience with
management and TCwG, a belief that they are honest and have integrity does not relieve
the auditor of the need to maintain professional scepticism, including considering that
there may have been changes in circumstances. [ISA 200.A22; ISA 240.A8;
ISAE 3000.A80]
• Unless the auditor has reason to believe the contrary, the auditor may accept records and
documents as genuine. If conditions identified during the audit cause the auditor to believe
that a document may not be authentic or that terms in a document have been modified but
not disclosed to the auditor, the auditor investigates further. [ISA 200.A21; ISA 240.13
& .A9; ISAE 3000.A79]
• Where responses to inquiries of management or TCwG are inconsistent, the auditor
investigates the inconsistencies.
• Discussions among the engagement team place particular emphasis on how and where
the entity’s financial statements or reported performance information may be susceptible
to material misstatement due to fraud, including how fraud might occur.
85. During the process of obtaining an understanding of the entity and its environment, the auditor
is alert to risk factors that may indicate RMM due to fraud. Fraud risk factors are events or
conditions that indicate an incentive or pressure to commit fraud or provide an opportunity to
commit fraud. [ISA 240.11(b)]
86. The auditor’s risk assessment procedures include inquiries of management regarding their:
• Assessment of the risk that the financial statements and reported performance information
may be materially misstated due to fraud, including the nature, extent and frequency of
such assessments.
• Process for identifying and responding to the risks of fraud, including any specific risks of
fraud that management has identified or that have been brought to its attention, or
financial statement items (classes of transactions, account balances or disclosures) or
performance measures / indicators and their related targets for which a risk of fraud is
likely to exist.
• Communication, if any, to TCwG regarding its processes for identifying and responding to
the risks of fraud in the entity.
• Communication, if any, to employees regarding its views on business practices and
ethical behaviour.
87. The auditor further makes inquiries of management, TCwG and others within the entity, as
appropriate, to determine whether they have knowledge of any actual, suspected or alleged
fraud affecting the entity. Examples of others within the entity to whom the auditor may direct
inquiries about fraud include:
• Operating personnel not directly involved in the financial or performance reporting
processes.
• Employees with different levels of authority.
• Employees involved in initiating, processing or recording complex or unusual transactions
or events, and those who supervise or monitor such employees.
• In-house legal counsel.
• Chief ethics officer or equivalent person.
• Persons charged with dealing with allegations of fraud.
88. The auditor obtains an understanding of how TCwG exercise oversight of management’s
processes for identifying and responding to the risks of fraud and the internal control that
management has established to mitigate these risks. This understanding may be obtained in
different ways, including attending meetings where such discussions take place, reading the
minutes from such meetings, or making inquiries of TCwG.
89. If the entity has an internal audit function, the auditor inquires of the internal audit function
whether it has knowledge of any actual, suspected or alleged fraud affecting the entity, and
obtains its views about the risks of fraud.
90. The auditor evaluates whether unusual or unexpected relationships identified in performing
analytical procedures may indicate RMM due to fraud.
91. Other information obtained about the entity and its environment may also assist in identifying
RMM or non-compliance due to fraud. This may include:
• Information obtained from the auditor’s client acceptance and retention processes.
• Experience gained on other engagements performed for the entity.
• Information pertaining to ongoing investigations or investigations that have been finalised,
including liaising with investigative authorities such as the Public Protector and the Special
Investigating Unit (prescribed processes must be followed in these instances).
• Information provided by the fraud specialist where requested to undertake a certain
investigation, or otherwise requested to assist the audit engagement team.
92. The auditor is alert during the planning process (and later throughout the audit when
performing procedures and obtaining and evaluating evidence) to information that may
indicate that it could be appropriate to involve a fraud specialist to assist with the identification
of fraud risk factors and related RMM due to fraud (as well as, if required in the circumstances,
designing and performing procedures in response to such risks).
93. In accordance with the criteria provided below, an engagement manager may decide to
involve a fraud specialist. A fraud specialist refers to an audit professional who:
• Has undergone relevant fraud training as determined by the AGSA.
• Has the necessary experience.
• Has competencies related to fraud identification and investigation.
94. A fraud specialist must be involved in the audit if there is a complex significant risk of fraud. A
complex significant risk of fraud exists if the majority of the following factors are present, or if
only some of the following factors are present but the engagement manager deems those few
factors to be significant enough to necessitate the involvement of a fraud specialist:
• Senior officials have been suspended on allegations of fraud.
• There is a known history of instances of fraud committed by management.
• During the current and/or previous financial years, there have been allegations of fraud
against management from external and/or internal parties.
• Management has failed to investigate alleged fraud and/or take action or remedy
instances of confirmed fraud reported in the prior year.
• The auditee is subject to ongoing fraud-related investigations or litigation, or the auditee
was subject to investigations of fraud by law-enforcement agencies in the current and/or
prior financial years.
• There has been an increase in irregular, unauthorised or fruitless and wasteful
expenditure since the prior year, resulting from weaknesses in procurement and contract
management or the utilisation of conditional grants.
95. Where the minimum criteria for involving a fraud specialist have been met (i.e. the majority of
the above criteria apply), the auditor must involve a fraud specialist when performing risk
assessment procedures during:
• Discussions among the engagement team.
• Inquiries of management, TCwG, the internal audit function and others within the entity.
• Assessment of fraud risk factors.
• Preliminary analytical review procedures.
• Documenting the identified alleged, suspected and known instances of fraud.
96. If the minimum criteria for involving a fraud specialist are not met, but the engagement manager
deems it necessary to engage a fraud specialist, it is up to the engagement manager to
determine in which stages of the audit or audit procedures the fraud specialist would be
involved.
97. The auditor evaluates whether the information obtained about the entity and its environment
(as per subsection c) and the results of the risk assessment procedures that focused on the
consideration of fraud (as discussed in this section) indicate that one or more fraud risk factors
are present.
98. Fraud risk factors may not necessarily indicate the existence of fraud, but they have often
been present in circumstances in which fraud has occurred and, therefore, may indicate
RMM or non-compliance due to fraud.
99. The determination of whether a fraud risk factor is present and whether it is to be considered
in assessing RMM of the financial statements and of the reported performance information
due to fraud requires the exercise of professional judgement. Refer to chapters 8.1, 8.2 and
8.3.
100. Similarly, for a compliance audit, the determination of whether a fraud risk factor is present
and how the auditor proceeds to test for compliance in response to the fraud risk that has
been determined as an area where material non-compliance is likely to arise, requires
professional judgement.
101. Annexure A provides examples of fraud risk factors – risk factors relating to misstatements
arising from fraudulent financial reporting and from the misappropriation of assets (which
may also be adapted and interpreted to suit the context of the audit of predetermined
objectives and the compliance audit, as applicable).

f. Specific risk assessment procedures and related activities directed at the internal audit
function
102. If the auditee has an internal audit function, the auditor interacts with the internal audit
function as part of the process of obtaining an understanding of the auditee and identifying
risk factors and RMM. Furthermore, the auditor’s initial understanding and evaluation of the
internal audit function determine whether the audit engagement team could consider using
the work of the internal audit function, or using internal auditors to provide direct assistance
to the external auditor.
103. The auditor obtains the following information as part of the engagement team’s initial review and
preliminary understanding of the auditee’s internal audit function:
• The function’s reporting structure.
• By whom the head of internal audit is appointed.
• Any restrictions that are placed on the internal audit function.
• The methodology used by the function (manuals, documents, systems, supervision, etc.).
• The members and their qualifications, experience and training interventions.
• The approved charter for the function and the annual audit plan.
104. If, based on the annual audit plan (i.e. the planned audits undertaken or the reports to be
issued), the auditor considers the possibility of using the work performed by the internal audit
function to modify the nature or timing, or reduce the extent, of the audit procedures directly
performed by the external audit engagement team, the relevant requirements of ISA 610
(Revised) must be satisfied. Refer to subsection g and chapter 12.
105. The auditor may further consider the possibility of using internal auditors to provide direct
assistance to the external audit engagement team, under the direction, supervision and
review of the external auditor. The relevant requirements of ISA 610 (Revised) must be
satisfied. Refer to subsection g and chapter 12.

g. Special consideration circumstances / items relevant to the audit


106. ‘Special consideration circumstances / items’ refers to a number of specific topics addressed
in individual ISAs (specific-topic ISAs), since these circumstances / items present or
encapsulate unique characteristics that affect the identification of risk factors and the
assessment of RMM as well as the auditor’s approach and decisions with respect to
obtaining sufficient appropriate audit evidence. ISAE 3000 focuses on certain similar special
consideration circumstances / items for assurance engagements other than audits or reviews
of historical financial information.
107. These special consideration circumstances / items pose unique challenges in terms of the
auditor’s understanding of the entity and its environment, ensuring that the auditor identifies
and considers all factors relevant to the audit and that these are logically integrated in the
auditor’s evidence-gathering process, comprising risk assessment, risk response, evaluating
the results of audit procedures, and drawing conclusions.
108. The timely identification, during audit planning, of which special consideration
circumstances / items are relevant to the audit contributes to the timely requesting of
specific information by the auditor and/or timely decisions regarding specific audit resources
that may be required. Furthermore, it contributes to ensuring that all factors relevant to the
audit are identified and considered as part of the risk assessment process and, therefore,
that the auditor’s response will take such circumstances / items into account.
109. Refer to chapters 11, 12, 13, 14.1 and 14.2, which address the requirements, principles and
practical considerations with respect to the following special consideration circumstances /
items. If relevant to the audit, the auditor ensures that the requirements of the standards
concerned are complied with in so far as they relate to obtaining an understanding and
identifying risk factors and related RMM, or identifying areas where material misstatement or
material non-compliance is likely to arise, as applicable.
Circumstances / items that may be relevant to the audit of financial statements, the audit of
predetermined objectives or the compliance audit
• Accounting estimates in the case of the audit of financial statements, or performance
information estimates in the case of the audit of predetermined objectives.
• Related parties (could be relevant to the audit of financial statements or the compliance
audit).
• Using the work of internal auditors (refer to subsection f).
• Using the work of an auditor’s expert.
• Using the work of ‘others’, i.e. management’s expert or another auditor.
• Audit considerations relating to an entity using a service organisation.
• Audit of group reporting.
Additional circumstances / items that may be relevant to the audit of financial statements (these
are not expected to be relevant to the audit of predetermined objectives or the compliance audit)
• Initial audit engagements – opening balances.
• Comparative information.
• Going concern.
• Specific considerations with respect to litigation and claims.
• Specific considerations with respect to inventory.
• Specific considerations with respect to segment information.

h. Understanding value chain analysis at auditee level


110. The value chain analysis concept, its purpose, application and approach by the AGSA is
discussed in Annexure A of chapter 2.
111. As part of obtaining an understanding of the entity and its environment, the auditor is
required to obtain thorough knowledge and understanding of the auditee’s needs, its
business and value chain of activities to focus on auditing areas that matter with a view to
improve audit reporting on the utilisation of public funds.
112. The information required to understand value chain analysis is not additional audit work, but
rather a consolidation and summary of the information already obtained as part of the pre-
engagement understanding and the understanding of the entity and its environment
(including the business processes) which will deepen the auditor’s understanding and enable
a more focussed audit approach.
113. The auditor obtains an understanding of the auditee’s primary and secondary responsibilities
in terms of its mandate as part of the pre-engagement understanding. This understanding is
used to identify the services / products for which the auditee is primarily responsible, i.e. the core
functions that directly relate to the service delivery objectives and the mandate of the entity.
This information informs AoPO scoping decisions, the identification of the key programmes
for reporting (i.e. AoPO subject matter or a cross cutting government priority or specific
government programme otherwise determined at firm level e.g. water and sanitation) and
ultimately the identification of the key projects supporting the core functions.
114. Once the core function is selected for further value chain analysis, the value chain key
activities are elaborated to deepen the auditor’s understanding of how services / products are
delivered and to direct the auditor’s focus on key projects that affect service delivery. The


understanding of the value chain key activities is obtained from the related business
processes, e.g. procurement and supply chain management, HR management, performance
indicators, etc.
115. Refer to Annexure A of chapter 2 for more detail on the matters to consider and the approach
to documenting the understanding.

D. PRODUCT (including documentation requirements)


116. The audit activities discussed here, together with those relating to understanding the
auditee’s internal control (refer to chapters 7.1, 7.2, 7.3 and 7.4), result in a documented
understanding of the auditee and its environment as well as specific matters relevant to all
three types of audits being performed.
117. The information documented is used to:
• Determine the terms of engagement.
• Determine the overall audit strategy as described in chapter 4.
• Identify risk factors:
o At an overall level and at an assertion level for individual classes of transactions,
account balances and disclosures for purposes of risk assessment as described in
chapter 8.1.
o At an overall level for selected programmes / objectives / development priorities and
at an assertion level for individual performance measures / indicators and their related
targets for purposes of risk assessment as described in chapters 8.2 and 8.3. In the
case of a limited assurance engagement, there is no formal risk assessment at the
assertion level; rather the auditor’s understanding assists with identifying areas where
material misstatement is likely to arise.
o At an overall level for the compliance subject matters / focus areas scoped into the
audit and at the level of the individual compliance requirements / criteria to identify
areas where material non-compliance is likely to arise (refer to chapter 8.4).
118. The ISAs require that the following shall be included in the audit documentation (provided
that the overall documentation requirements in ISA 230 are always met) [ISA 315
(Revised).32(b); ISA 250.29; ISA 240.46]:
• The key elements of the understanding obtained regarding each of the aspects of the
entity and its environment specified above, the sources of information from which the
understanding was obtained, and the risk assessment procedures performed.
• Identified or suspected non-compliance with laws and regulations (that have an impact on
the presentation of the financial statements) and the results of discussions with
management and, where applicable, TCwG and other parties outside the entity.
• The audit documentation of communications about fraud made to management, TCwG,
regulators and others.
119. ISAE 3000.79-83 prescribe overall documentation requirements at a principle level. Provided
that these overall documentation requirements are always met, the methodology expects the
following to be included in the audit documentation for the audit activities concerned:
• The key elements of the understanding obtained regarding the aspects relevant to:
o The reported performance information by programme / objective / development
priority, the sources of information from which the understanding was obtained, and
the risk assessment procedures performed.
o The auditee’s compliance with identified provisions of legislation for the selected
compliance subject matters / focus areas, the sources of information from which the
understanding was obtained, and the initial procedures performed.


• Identified or suspected non-compliance with legislation and the results of discussions with
management and, where applicable, TCwG.
• Any documentation of communications about fraud made to management, TCwG,
regulators and others.

E. SPECIAL CONSIDERATIONS FOR SMALL AUDITEES


120. Smaller entities have a limited range of services and performance indicators and targets, and
operate from a limited number of locations with uncomplicated business processes and
structures. The compliance subject matters / focus areas and related compliance
requirements / criteria are likely to have more limited application in a smaller entity. The
documentation of the auditor’s understanding of such an entity’s operations and the relevant
industry, regulatory and other external factors is likely to be simple in form and relatively
brief. Elements of understanding to be documented include those that the auditor believes
will have an impact on the assessment of RMM of the financial statements and of the
reported performance information (or in the case of limited assurance engagements, those
that are relevant to identifying areas where material misstatement or material
non-compliance is likely to arise). Documentation should be proportionate to the complexity
of the engagement.
121. The auditor may find it helpful and efficient to record various aspects of the understanding of
the auditee and its environment in a single document when preparing audit documentation
on the audit of a small entity. This can be cross-referenced to supporting working papers
included elsewhere in the audit file, as appropriate. Examples of matters that can be
documented together in the audit of a small entity include the pre-engagement understanding
of the entity, the overall understanding of the entity and the internal control relevant to the
audit (including information systems controls), the overall audit strategy and audit plan,
internal control deficiencies identified, key controls identified, special audit considerations,
the fraud risk assessment, materiality, assessed risks, significant matters noted during the
audit, and conclusions reached.

F. SPECIAL CONSIDERATIONS WHERE MANAGEMENT HAS IMPOSED A LIMITATION


122. During the process of gaining an understanding, the auditor may determine that there are
likely to be significant limitations on the scope of the audit, especially if they have occurred
previously. The auditor should also obtain an understanding of the actions management has
taken to resolve prior year limitations on the audit. To improve efficiency, the auditor should
use the completed working papers that relate to the prior year risk assessment and request
management to confirm whether there are any changes to this information, which the auditor
should confirm.
123. Actions taken on prior year limitations could include:
• Provision of the information requested in the prior year. Under these circumstances, the
auditor will follow the normal audit process to test and evaluate the audit evidence and
evaluate whether a limitation still exists and the impact on the current year’s audit opinion
on the financial statements.
• Implementation of internal controls to prevent the same limitation from recurring in the
current year.
124. Management could also have taken no action to resolve the prior year limitations. The
auditor’s responses to different scenarios in which management has imposed a limitation are
discussed for the different types of audits in chapters 9.1, 9.2, 9.3 and 9.4. It is important to
note that these responses will follow after the normal process of risk assessment based on
the auditor’s understanding of the entity and its environment, as discussed in chapters 8.1,
8.2, 8.3 and 8.4.


125. In an audit of financial statements, the above also includes considering the effect of
uncorrected misstatements from the prior period, which is discussed in further detail in
chapters 15.1 and 18.1.


ANNEXURE A
EXAMPLES OF FRAUD RISK FACTORS
(refer to section Ce.)
The sources of these examples are ISA 240 and ISSAI 1240, which address the consideration of
fraud in an audit of financial statements. These risk factors may also be adapted and interpreted to
suit the context of the audit of predetermined objectives and the compliance audit, as applicable.

1. The following are examples of risk factors relating to misstatements arising from fraudulent
financial reporting.
• Financial stability or profitability is threatened by political, economic, budget, industry, or
entity operating conditions, such as (or as indicated by):
o High degree of competition or market saturation, accompanied by declining margins.
o High vulnerability to rapid changes, such as changes in technology, product
obsolescence, or interest rates.
o Significant declines in customer demand and increasing business failures in either the
industry or overall economy.
o Operating losses making the threat of bankruptcy, foreclosure, or hostile takeover
imminent.
o Recurring negative cash flows from operations or an inability to generate cash flows
from operations while reporting earnings and earnings growth.
o New accounting, statutory, or regulatory requirements.
o Weak budgetary controls.
o Privatizations.
o New programs.
o Major changes to existing programs.
o New financing sources.
o New legislation and regulations or directives.
o Political decisions such as relocation of operations.
o Programs without sufficient allocated resources and funding.
o Procurement of goods and services in certain industries such as defence.
o Outsourcing of government activities.
o Operations subject to special investigations.
o Changes in political leadership.
o Public and private partnerships.
• Excessive pressure exists for management to meet the requirements or expectations of
third parties or those charged with governance due to the following:
o Need to obtain additional debt financing to stay competitive – including financing of
major research and development or capital expenditures.
o Marginal ability to meet debt repayment or other debt covenant requirements.
o Perceived or real adverse effects of reporting poor financial results on significant
pending transactions, such as contract awards.
o Increased public expectations.


o Reduction in budgets without corresponding reduction in service delivery
expectations.
• Information available indicates that the personal financial situation of management or
those charged with governance is threatened by the entity’s financial performance arising
from the following:
o Significant portions of their compensation (for example bonuses) being contingent
upon achieving aggressive targets for operating results, financial position, or cash
flow.
• There is excessive pressure on management or operating personnel to meet financial
targets established by those charged with governance, including sales or profitability
incentive goals.
• The nature of the industry or the entity’s operations provides opportunities to engage in
fraudulent financial reporting that can arise from the following:
o Significant related-party transactions not in the ordinary course of business or with
related entities not audited or audited by another firm.
o Assets, liabilities, revenues, or expenses based on significant estimates that involve
subjective judgments or uncertainties that are difficult to corroborate.
o Significant, unusual, or highly complex transactions, especially those close to period
end that pose difficult “substance over form” questions.
o Significant operations located or conducted across international borders in
jurisdictions where differing business environments and cultures exist.
o Closed environment with strong political network and ties.
o Officials in high ranking positions who may take the opportunity to misuse their
authority.
o Potential for private sector directorship after completion of a term of office e.g. as a
result of awarding tenders.
o Tolerance of errors in financial information.
• The monitoring of management is not effective as a result of the following:
o Domination of management by a single person or small group (in a non-owner
managed business) without compensating controls.
o Oversight by those charged with governance over the financial reporting process and
internal control is not effective.
o Strong political motives, ties, and loyalties.
o Unstable political environment.
• There is a complex organisational structure, as evidenced by the following:
o Difficulty in determining the organization that has a controlling interest in the entity.
o Overly complex organizational structure involving unusual legal entities or managerial
lines of authority.
o High turnover of senior management, legal counsel, or those charged with
governance.
o Large number of locations with government activities in remote areas.
• Internal control components are deficient as a result of the following:
o Inadequate monitoring of controls, including automated controls and controls over
interim financial reporting.


o High turnover rates or employment of accounting, internal audit, or information
technology staff that are not effective.
o Accounting and information systems that are not effective, including situations
involving significant deficiencies in internal control.
o Communication, implementation, support, or enforcement of the entity’s values or
ethical standards by management, or the communication of inappropriate values or
ethical standards, that are not effective.
o Nonfinancial management’s excessive participation in or preoccupation with the
selection of accounting policies or the determination of significant estimates.
o Difficult recruitment environment and/or lack of sufficient qualified personnel;
o Lack of sophisticated IT-software and platforms designed for public sector specific
needs;
o Fragmented and non-integrated IT-infrastructure.
• Known history of violations of laws and regulations, or claims against the entity, its senior
management, or those charged with governance alleging fraud or violations of laws and
regulations.
• Management failing to remedy known significant deficiencies in internal control on a timely
basis.
• Low morale among senior management.
• The owner-manager makes no distinction between personal and business transactions.
• Recurring attempts by management to justify marginal or inappropriate accounting on the
basis of materiality.
• The relationship between management and the current or predecessor auditor is strained,
as exhibited by the following:
o Frequent disputes with the auditor on accounting, auditing, or reporting matters.
o Unreasonable demands on the auditor.
o Restrictions on the auditor that inappropriately limit access to people or information or
the ability to communicate effectively with those charged with governance.
o Domineering management behaviour in dealing with the auditor, especially involving
attempts to influence the scope of the auditor’s work or the selection or continuance
of personnel assigned to or consulted on the audit engagement.
• Generally lower salary levels in the public sector as compared to the private sector that
may give employees reason to justify fraudulent financial reporting, especially if incentives
such as bonus payments are involved;
• Disregard for implications of government breaches, which in the private sector might
involve implications such as fines, dismissal or imprisonment.

2. The following are examples of risk factors relating to misstatements arising from
misappropriation of assets.
• Personal financial obligations may create pressure on management or employees with
access to cash or other assets susceptible to theft to misappropriate those assets.
• Adverse relationships between the entity and employees with access to cash or other
assets susceptible to theft may motivate those employees to misappropriate those assets.
• For example, adverse relationships may be created by the following:
o Known or anticipated future employee layoffs.


o Recent or anticipated changes to employee compensation or benefit plans.
o Promotions, compensation, or other rewards inconsistent with expectations.
o Rigid public sector compensation structures that are seen to be inconsistent with
expectations.
o Rewarding seniority instead of performance.
• Unique aspects of the public sector procurement/tender-process, such as:
o Politically sensitive contracts.
o Competition created by high volume / high value contracts might create risks for
payment of bribes and kick-backs.
o Contracts with related parties.
o Risky nature of certain government activities, e.g. weapons, natural resources etc.
• Misuse of power and authority:
o Bribes when making decisions on sensitive areas such as decisions on grants or
applications for work or residence permits, or for citizenship.
• Certain characteristics or circumstances may increase the susceptibility of assets to
misappropriation. For example, opportunities to misappropriate assets increase when
there are the following:
o Large amounts of cash on hand or processed.
o Inventory items that are small in size, of high value, or in high demand.
o Easily convertible assets.
o Fixed assets which are small in size, marketable, or lacking observable identification
of ownership.
o Mismatch between actual value and recorded value of heritage assets;
o Shortcomings of the cash basis of accounting, such as:
Non-recording of certain assets;
Inadequate ownership details for assets such as land and buildings;
Ability to manipulate the period for recording of transactions;
Uncontrolled or unstructured move from cash basis to accrual basis accounting.
• Inadequate internal control over assets may increase the susceptibility of misappropriation
of those assets. For example, misappropriation of assets may occur because there is the
following:
o Inadequate segregation of duties or independent checks.
o Inadequate oversight of senior management expenditures, such as travel and other
reimbursements.
o Inadequate management oversight of employees responsible for assets, for example,
inadequate supervision or monitoring of remote locations.
o Inadequate job applicant screening of employees with access to assets.
o Inadequate record keeping with respect to assets.
o Inadequate system of authorization and approval of transactions (for example, in
purchasing).
o Inadequate physical safeguards over cash, investments, inventory, or fixed assets.
o Lack of complete and timely reconciliations of assets.


o Lack of timely and appropriate documentation of transactions, for example, credits for
merchandise returns.
o Lack of mandatory vacations for employees performing key control functions.
o Inadequate management understanding of information technology, which enables
information technology employees to perpetrate a misappropriation.
o Inadequate access controls over automated records, including controls over and
review of computer systems event logs.
o Disregard for the need for monitoring or reducing risks related to misappropriations of
assets.
o Disregard for internal control over misappropriation of assets by overriding existing
controls or by failing to take appropriate remedial action on known deficiencies in
internal control.
o Behaviour indicating displeasure or dissatisfaction with the entity or its treatment of
the employee.
o Changes in behaviour or lifestyle that may indicate assets have been
misappropriated.
o Tolerance of petty theft.
o Public sector officials make no distinction between personal and government
transactions, e.g. misuse of government credit cards;
o The belief by certain public sector officials that their level of authority justifies a
lifestyle similar to private sector executives, when their agreed terms of compensation
are not sufficient for such a lifestyle;
o Tolerance of unacceptable behaviour in situations where it may be difficult to dismiss
or replace employees.
