
Dynamic Auditing - A Student Edition

The document is a handbook on dynamic auditing, specifically designed for students preparing for the Initial Test of Competence Examination by the South African Institute of Chartered Accountants. It covers various topics related to auditing, assurance, and governance, structured in a concise format to aid understanding. The handbook includes updates on relevant legislation and professional standards as of June 2021.

Uploaded by

mongberna

DYNAMIC AUDITING

A STUDENT EDITION

Fourteenth Edition

Author and Editor


B MARX
BCompt, BCompt (Hons), MCompt, DCom (Auditing), CA(SA), FCCA(UK)
Professor and Head of Auditing
Department of Accountancy, University of Johannesburg

Co-authors
A VAN DER WATT
BCom, BCom (Hons), MCom, CA(SA)
Professor of Practise in Auditing, University of Johannesburg
Independent Educational Consultant

P BOURNE
Associate Professor Emeritus
University of Cape Town

T MOLOI
BCom, BCom (Hons) (Accounting), MSc (Financial Management), MCom (Accounting),
MA (International Relations), PhD (Finance), FCMA, CGMA
Professor of Accounting, University of Johannesburg
Members of the LexisNexis Group worldwide
South Africa LexisNexis (Pty) Ltd
www.lexisnexis.co.za
JOHANNESBURG Building 8, Country Club Estate Office Park, 21 Woodlands Drive, Woodmead, 2191
CAPE TOWN First Floor, Great Westerford, 240 Main Road, Rondebosch, 7700
DURBAN 215 Peter Mokaba Road (North Ridge Road), Morningside, Durban, 4001
Australia LexisNexis, CHATSWOOD, New South Wales
Austria LexisNexis Verlag ARD Orac, VIENNA
Benelux LexisNexis Benelux, AMSTERDAM
Canada LexisNexis Canada, MARKHAM, Ontario
China LexisNexis, BEIJING
France LexisNexis, PARIS
Germany LexisNexis Germany, MÜNSTER
Hong Kong LexisNexis, HONG KONG
India LexisNexis, NEW DELHI
Italy Giuffrè Editore, MILAN
Japan LexisNexis, TOKYO
Korea LexisNexis, SEOUL
Malaysia LexisNexis, KUALA LUMPUR
New Zealand LexisNexis, WELLINGTON
Poland LexisNexis Poland, WARSAW
Singapore LexisNexis, SINGAPORE
United Kingdom LexisNexis, LONDON
United States LexisNexis, DAYTON, Ohio

© 2021

Fourth Edition 2001, Reprinted 2002
Fifth Edition 2002
Sixth Edition 2003
Seventh Edition 2004, Reprinted 2005
Eighth Edition 2006, Reprinted 2007
Ninth Edition 2009
Tenth Edition 2011
Eleventh Edition 2014
Twelfth Edition 2017
Thirteenth Edition 2018

ISBN 978-0-6390-0968-1
E-Book ISBN 978-0-6390-0969-8

Copyright subsists in this work. No part of this work may be reproduced in any form or by any means without
the publisher’s written permission. Any unauthorised reproduction of this work will constitute a copyright
infringement and render the doer liable under both civil and criminal law.
Whilst every effort has been made to ensure that the information published in this work is accurate, the
editors, publishers and printers take no responsibility for any loss or damage suffered by any person as a
result of the reliance upon the information contained therein.

Editor: Mandy Jonck


Technical Editor: Maggie Talanda/Tiger Chetty
PREFACE

This handbook is based on the educational requirements of the South African Institute
of Chartered Accountants for entry into the Initial Test of Competence Examination of
SAICA. It contains changes to statements and legislation up to June 2021.
The handbook is not intended to be an all-inclusive text on auditing, assurance and
governance, but is written to present the competency area to the student in a simple
and easily understandable format. For this purpose, the contents are structured in a
concise and descriptive format.
We trust that this handbook will make a real contribution towards the students’
understanding of auditing, assurance and governance, and that they will be successful
in the examination venue, practice, and commerce and industry.
Comments and recommendations to improve the handbook will be welcomed,
especially from students using it.

B MARX
A VAN DER WATT
P BOURNE
T MOLOI
September 2021
Johannesburg

CONTENTS

CHAPTER
1 The auditing profession in South Africa

Governance and ethics

2 Corporate governance – Background; King IV Report and internal control
3 Professional and ethical responsibilities
4 Companies Act

Auditing and assurance

5 The audit and assurance process
6 Responsibility in respect of fraud and errors, communication, auditor’s liability and the consideration of laws and regulations
7 Audit evidence
8 Engagement and planning activities
9 Auditing in an information technology environment (computerised information systems)
10 New technologies
11 Audit sampling and other relevant testing methods
12 The auditor and internal control
13 Substantive procedures
14 Completion of the audit
15 Management consulting services, special audit investigations, assurance engagements other than audits or reviews of historical financial information, integrated sustainability reporting and internal audit
16 Reporting
17 Auditing accounting issues with supplement concerning derivative financial instruments

1
THE AUDITING PROFESSION IN SOUTH AFRICA

1. Introduction
2. Registered auditors
   2.1 Introduction
   2.2 Auditing Profession Act 26 of 2005
3. Auditing in the public sector
   3.1 Background to the public sector
   3.2 Auditing in the public sector
   3.3 International organisation of supreme audit institutions
   3.4 Audits performed by the AGSA
   3.5 Auditing standards applicable in the public sector
   3.6 Important dates
   3.7 The audit report
   3.8 Audit of predetermined objectives

CHAPTER 1: The auditing profession in South Africa

1. INTRODUCTION
The auditing profession in South Africa consists of a variety of auditors, including
auditors registered with the Independent Regulatory Board for Auditors
(IRBA), the Auditor-General South Africa who is responsible for the audit of the
public sector, internal auditors and forensic auditors.
The objective of this chapter is to deal with the Auditing Profession Act, which
regulates the audits performed by registered auditors, as well as with auditing in
the public sector.

2. REGISTERED AUDITORS

2.1 INTRODUCTION
In South Africa, registration with the IRBA is required in order to sign off on the
audit reports of financial statement audits. The IRBA is established in terms of
the Auditing Profession Act.

2.2 AUDITING PROFESSION ACT 26 of 2005


SOURCE REFERENCE: Auditing Profession Act 26 of 2005
Auditing Profession Amendment Act 5 of 2021

2.2.1 Objects of the Act


● To protect the public by regulating audits performed by registered auditors;
● To provide for the establishment of an Independent Regulatory Board for Auditors;
● To approve the development and maintenance of internationally comparable ethical standards and auditing standards for auditors;
● To set out measures to advance the implementation of appropriate standards of competence and good ethics in the profession; and
● To provide for procedures for disciplinary action in respect of improper conduct.

2.2.2 Definitions (section 1)


● Audit: The examination of, in accordance with prescribed or applicable auditing standards –
  • financial statements with the objective of expressing an opinion as to their fairness or compliance with an identified financial reporting framework and any applicable statutory requirements; or
  • financial and other information, prepared in accordance with suitable criteria, with the objective of expressing an opinion on the financial and other information.
● Client: The person for whom a registered accountant is performing or has performed an audit.
● Firm: A partnership, company or sole proprietor referred to in section 40.
● Management Board: Board of directors (company), or the body or individual responsible for the management of the business of the entity (any other entity).
● Public accountant: Any person who is engaged in public practice.
● Public practice: The practice of a registered auditor who places professional services at the disposal of the public for reward, and “practice” has a similar meaning.

2.2.3 Governance – Appointment of members of the Regulatory Board (section 11)

The Minister of Finance must appoint a Regulatory Board consisting of
between six and ten non-executive members.
Members should be competent persons who are independent from the auditing
profession.
The Minister should consider the need for transparency and representativity
within the demographics of the South African population when making
appointments.

2.2.4 Governance – Term of office of members of the Regulatory Board (section 12)

The term of office of members of the Regulatory Board is determined by the
Minister but may not exceed three years.

2.2.5 Committees of the Regulatory Board (section 20)


The Regulatory Board must establish at least the following permanent committees:
● a committee for auditor ethics;
● a committee for auditing standards;
● an education, training, and professional development committee;
● an inspections committee;
● an investigating committee;
● a disciplinary committee; and
● an enforcement committee.

2.2.6 Registration of individuals as registered auditors (section 37)


● For successful registration with the Board, the applicant must:
  • be a member of an accredited professional body;
  • have complied with the prescribed education, training and competency requirements for a registered auditor;
  • be resident in the Republic; and
  • be a fit and proper person to practise the profession.
● The Board may refuse registration of an individual if:
  • he/she has been removed from an office of trust on account of misconduct;
  • he/she has been convicted of theft, forgery, fraud, corruption, etc., and sentenced to imprisonment or a fine exceeding such amounts as prescribed by the Minister;
  • he/she is of unsound mind/incapable;
  • he/she is disqualified from registration under a sanction imposed under this Act; or
  • he/she is an unrehabilitated insolvent.

2.2.7 Registration of firms as registered auditors (section 38)


The only firms that may become registered auditors are:
● partnerships of which all the partners are individuals who are themselves registered auditors;
● sole proprietors where the proprietor is a registered auditor; and
● companies, provided:
  • that its memorandum of association provides that its directors and past directors shall be liable jointly and severally for the company’s debts contracted during their periods of office;
  • that all shareholders of the company have to be:
    – individuals who are registered auditors; and
    – directors.
  • with regard to a company, the following apply:
    – if a shareholder dies/ceases to be registered with the Board, he/she may continue to hold the shares for a period of six months, but the shares hold no voting rights. The shareholder may also not act as a director or receive, directly or indirectly, any remuneration or profit share;
    – the company may, if its articles of association so provide and without confirmation by a court, purchase any shares held in it;
    – the members are not entitled to appoint other persons than members to act as proxies.

2.2.8 Practice (section 41)


Only a registered auditor may engage in public practice or hold out as a registered
auditor in public practice or use the registered auditor description “public
accountant”, “certified public accountant”, “registered accountant and auditor”,
or any description likely to create the impression of being a registered auditor
in public practice.
A person who is not registered in terms of this Act may not:
● perform any audits;
● give himself/herself out as accountant or auditor or use the designation to create such an impression; and
● use the name of a registered auditor or any title referred to above.
The above does not apply to:
● an accountant or internal auditor in service of an organisation;
● a member of a club, institution or association which is not carried on with a view to profit, provided he/she receives no remuneration (fee or other consideration) for his/her services (acts as honorary auditor); or
● the Auditor-General, who can appoint any person who is not a registered auditor to carry out on his/her behalf any audit in terms of the Public Audit Act, 2004.
A registered auditor may not, without consent of the Board, knowingly employ
a person in practice:
● who is not registered as a registered auditor as a result of the termination or cancellation of his or her registration; and
● whom the Board declined to register.
A registered auditor may not:
● practise under a firm name or title unless on every letterhead bearing the firm name or title there appears:
  • first names/initials and surname of the registered auditor;
  • in the case of a partnership, at least the first names/initials and surnames of managing partners; and
  • in the case of a company, the names of the directors;
● sign a statement, report, document, etc., unless the work was performed by the auditor or under his/her personal supervision/direction or that of his/her partners;
● perform audits unless adequate risk management practices and procedures are in place;
● engage in public practice during any period in respect of which the registered auditor has been suspended from public practice;
● make over to or share a portion of professional fees (derived from an audit) with a person that is not a registered auditor; or
● share profits or practise in partnership in respect of audit work with a person not registered with IRBA.

2.2.9 Duties in relation to the audit (section 44)


Where a registered auditor that is a firm is appointed by an entity to perform an
audit, the firm must immediately take a decision as to the individual registered
auditor or auditors who will be responsible and accountable for that audit.
The first name and surname of the individuals referred to above must be supplied
to the entity on taking the decision and to the Board on request.
The registered auditor may not, without such qualification as may be appropriate
in the circumstances, express an opinion unless:
● the audit was carried out free of restrictions;
● proper accounting records were kept in one of the official languages of the Republic;
● all information, vouchers and documents necessary for the proper performance of the auditor’s duties were obtained;
● where an undertaking is regulated by a law, the registered auditor complied with all the requirements of that law relating to the audit (e.g. sections 90 to 93 of the Companies Act);
● he/she had satisfied him-/herself of the existence of all assets and liabilities;
● he/she had satisfied him-/herself of the fairness/truth/correctness of the financial statements; and
● any reportable irregularity that existed at the date of the report had been properly disclosed and reported.
If the registered auditor, or any member of the firm, where the registered auditor
is a firm, was responsible for keeping the books of the entity, the registered
auditor must, in reporting, indicate the fact.
NOTE: The above does not include making journal entries, assisting with any
adjusting entries or framing any financial statements or other documents
from existing records.
The registered auditor may not have or have had a conflict of interest in
respect of a client, as prescribed by the Board.

2.2.10 Duty to report irregularities (section 1 definition, and section 45)


● If an individual registered auditor is satisfied or has reason to believe that an unlawful act or omission was committed by any person responsible for the management of the entity, which
  • has caused or is likely to cause material financial loss to the entity or to any partner, member, shareholder, creditor or investor of the entity in respect of his, her or its dealing with that entity; or
  • is fraudulent or amounts to theft; or
  • represents a material breach of any fiduciary duty owed by such person to the entity or any partner, member, shareholder, creditor or investor of the entity under any law applying to the entity or the conduct or management thereof,
  he/she must, without delay, send a written report to the Regulatory Board.
  The report must provide full particulars of the reportable irregularity and must include such other information and particulars as the registered auditor considers appropriate.
  Within three days of sending the report to the Regulatory Board, the registered auditor must notify the members of the management board of the entity in writing of the sending of the report and the provisions of this section. A copy of the report to the Regulatory Board must accompany this notice.
  The registered auditor must, as soon as it is reasonably possible but no later than 30 days from the date on which the report was sent to the Regulatory Board:
  • discuss the report with the management board of the entity;
  • afford the members of the management board an opportunity to make representations in respect of the report; and
  • send another report to the Regulatory Board which must include a statement that the registered auditor is of the opinion that:
    – no reportable irregularity has taken place or is taking place;
    – the suspected reportable irregularity is no longer taking place and that adequate steps have been taken for the prevention or recovery of any loss as a result thereof; or
    – the reportable irregularity is continuing.
● The Board may disclose information to the Attorney-General, the Registrar of Banks, any officer in public service, the JSE, members/creditors, etc., as may be deemed fit.
● To determine whether a reportable irregularity is taking place, the auditor may carry out any such investigation as he/she may deem fit.
● Section 45 sets the auditor’s duty of confidentiality aside regarding reportable irregularities. The auditor is thus empowered to consider any information from whichever source to determine whether a reportable irregularity exists at a client.
  An auditor who reported an irregularity to the Regulatory Board may not be removed until he or she has discussed the report with the management board of the entity, afforded the entity the opportunity to respond to the report and the second report, as discussed above, was submitted to the Regulatory Board.

2.2.11 Limitation of liability (section 46)


● An auditor will incur no liability to a client or a third party in respect of an opinion expressed or statement/report given in the ordinary course of his/her duties, unless he/she acted:
  • negligently; or
  • maliciously.
● With regard to negligent performance of duties, an auditor incurs liability for financial loss to a third party who has relied on a statement/report/opinion/certificate, etc., of the auditor, only if it is proved that the auditor:
  • knew or could, in the particular circumstances, have been expected to know that when the negligence occurred:
    – the client would use such an opinion/statement, etc., to induce the third party to act or refrain from acting in some way;
    – a third party would rely on such an opinion/statement, etc., to act in some way; or
  • represented to a third party that the statement/opinion, etc., was correct.
  NOTE: The liability in respect of malicious action is a legal matter.
● For the purpose of reliance by a third party, the fact that a registered auditor performed the functions of a registered auditor is not in itself proof that the registered auditor could reasonably have been expected to know that the client or third party would act as described above.
● The above does not affect any additional or other liability of a registered auditor arising from:
  • a contract between a third party and a registered auditor; or
  • any statutory provisions or the common law.
● A registered auditor may incur liability to any partner, member, shareholder, creditor or investor of an entity if the registered auditor fails to report a reportable irregularity in accordance with section 45.
● A registered auditor may not through an agreement or in any way limit or reduce the liability that such auditor may incur in terms of this section.

2.2.12 Inspections (section 47)


The Regulatory Board, or any person authorised by it, may at any time inspect
or review the practice of a registered auditor.

2.2.13 Investigation of charge of improper conduct (section 48)


The Regulatory Board must refer a matter brought against a registered auditor
to the investigating committee of the Board.

2.2.14 Charge of improper conduct (section 49)


The Regulatory Board must charge a registered auditor with improper conduct
if the investigating committee recommends that sufficient grounds exist for a
charge.

2.2.15 Reportable irregularities and false statements in connection with audits (section 52)

A registered auditor who:
● fails to report a reportable irregularity in accordance with section 45; or
● for the purposes of, or in connection with, the audit of any financial statements knowingly or recklessly expresses an opinion or makes a report or any other statement which is false in a material respect,
shall be guilty of an offence.
Non-compliance with this section may lead to a fine or imprisonment for a term
not exceeding ten years, or both.

2.2.16 Offences relating to public practice (section 54)


A person who contravenes section 41, 44 or 47 is guilty of an offence and is
liable to a fine or in default of payment to imprisonment not exceeding five
years, or both.


3. AUDITING IN THE PUBLIC SECTOR


SOURCE REFERENCE: Guide for Registered Auditors – Auditing in the Public Sector
(Revised August 2019)

3.1 BACKGROUND TO THE PUBLIC SECTOR


The public sector can be defined as the part of the economy concerned with
providing government services. Government services are delivered on three
levels, namely national, provincial and municipal level.
The levels or spheres of government are autonomous but at the same time,
they all operate according to the Constitution and laws and policies made by
Parliament.
The government machinery is made up of three parts:
● The elected members (legislature) – who represent the public, approve policies and laws, and monitor the work of the executive and departments.
● The cabinet or executive committee (executive) – who coordinate the making of policies and laws and oversee implementation by government departments.
● The departments and public servants – who are responsible for doing the work of government and account to the executive.

SPHERE      LEGISLATURE   EXECUTIVE                      ADMINISTRATION
NATIONAL    Parliament    President and cabinet          Director-general
PROVINCIAL  Legislature   Premier and executive council  Head of department
LOCAL       Council       Mayor and mayoral committee    Municipal manager

The Judiciary is often referred to as the third arm of the state, with Parliament
and the Executive the other two arms. The Judiciary is however independent
and this independence from Parliament and the Executive is a cornerstone of
any constitutional democracy.
The role, powers and functions of national government
Laws and policies are approved by Parliament, which consists of the National
Assembly and the National Council of Provinces (NCOP). Members of Parliament
are elected every five years as part of national elections.
The NCOP consists of representatives of provincial legislatures and local
government, and its mandate is to ensure that provincial government and local
government are directly represented in Parliament. Any laws or policies that
affect provincial or local government are debated and voted on by the NCOP.

Key committees of Parliament include the:
● Portfolio committees (PG’s) – The PG’s consider bills, deal with departmental budget votes, oversee the work of the department they are responsible for, and enquire and make recommendations about any aspect of the department, including its structure, functioning and policy.
● Standing Committee on Public Accounts (SCOPA) – SCOPA exercises oversight over the expenditure of public money allocated to national departments and other organs of state.
● Standing Committee on the Auditor-General (SCOAG) – The SCOAG exercises oversight over the AG. The AG also consults with the committee on auditing standards and submits its budget, business plan and annual financial statements to the committee.
Parliament elects the President of the Republic who then appoints a cabinet of
ministers. The cabinet acts as the executive committee of government and
ministers are the political heads of government departments. Operationally,
government departments are headed by a director-general and employ directors
(managers) and public servants (staff) to do the work of government,
including the implementation of laws and policies as legislated by Parliament.
Two important national departments as they relate to the work of government are
the Department of Public Service and Administration (DPSA) and the Department
of Cooperative Governance and Traditional Affairs. DPSA is responsible
for setting the policies and frameworks for the public service at national and
provincial level while the Department of Cooperative Governance and Traditional
Affairs is responsible for national coordination of, and support to, provinces
and municipalities.
The role, powers and functions of provincial governments
Each of the nine provinces in South Africa has a legislature. The legislative
authority of a province is vested in its provincial legislature. The provincial
legislature has the power to pass a constitution and legislation for the province in
terms of the Constitution and to assign any of its legislative powers to a municipal
council in that province. Members of the provincial legislature (MPLs) are
elected every five years in provincial elections that are held with national
elections.
The executive authority of a province is vested in the premier of a province.
The premier exercises the executive authority together with the executive
council by, inter alia, implementing provincial legislation in a province,
developing and implementing provincial policy, and coordinating the functions of the
provincial administration and its departments.
Premiers are elected by the legislature and appoint members of the Executive
Committee (MEC’s) to be the political heads of provincial departments. The
MEC’s and the premier form the provincial executive council (cabinet).

Provincial government is headed by a director-general, while provincial departments
are headed by a deputy director-general or a head of department.
Directors (managers) and public servants are employed by national government
departments to perform the work of government.
The role, powers and functions of local government
Municipalities fulfill the role of local government. Municipalities are governed
by councils which consist of members who are elected during local government
elections. A municipal council elects a mayor who is assisted by councillors
in an executive committee (elected by the council) or a mayoral committee
(appointed by the mayor). The mayor together with the executive or
mayoral committee also oversee the work of the municipal manager and
department heads. The municipal manager oversees the administration of the
municipality.
Different categories of municipalities
There are three different types of municipalities in South Africa:
● Metropolitan municipalities (category A)
  Nine metropolitan municipalities exist in the six biggest cities in South Africa, namely Buffalo City (East London), City of Cape Town, Ekurhuleni Metropolitan Municipality (East Rand), City of eThekwini (Durban), City of Johannesburg, Mangaung Municipality (Bloemfontein), Msunduzi Municipality (Pietermaritzburg), Nelson Mandela Metropolitan (Port Elizabeth) and City of Tshwane (Pretoria).
● Local municipalities (category B)
  Areas that fall outside of the six metropolitan areas are divided into local municipalities, which are further categorized as high- or low-capacity municipalities by the National Treasury.
● District municipalities (category C)
  District municipalities consist of a number of local municipalities that fall into one district. Usually, between three and six local municipalities form a district council.
While metropolitan municipalities are responsible for all local services and
development and delivery in the metropolitan area, local municipalities share
these responsibilities with district municipalities.
Functions of municipalities
Municipalities are responsible for the following functions:
● electricity delivery;
● sewage and sanitation;
● refuse removal;
● municipal health services;
● municipal roads;
● street trading;
● parks and recreational areas;
● local tourism;
● water for household use;
● storm water systems;
● firefighting services;
● decisions around land use;
● municipal public transport;
● abattoirs and fresh food markets;
● libraries and other facilities.
Other important stakeholders in the public sector
National Treasury – The National Treasury is responsible for managing South
Africa’s national government finances through efficient and sustainable public
financial management. The Constitution mandates the National Treasury to
ensure transparency, accountability and sound financial controls in the man-
agement of public finances.
The National Treasury’s legislative mandate is also described in the PFMA.
This includes the promotion of government’s fiscal policy framework, the coor-
dination of macroeconomic policy and intergovernmental financial relations
and the management of the budget preparation process.
Office of the Accountant-General (OAG) – The responsibility of the OAG is to promote and enforce transparency and effective management in respect of revenue, expenditure, assets and liabilities of institutions in all three spheres of government. The OAG is also responsible for developing policies and frameworks on accounting, internal audit and risk management.
Provincial treasuries – Each province has a treasury.
Accounting Standards Board (ASB) – The ASB is a juristic person and sets
standards of generally accepted accounting practice, as required by the Con-
stitution, for the annual financial statements of departments, public entities,
constitutional institutions, municipalities and boards, commissions, companies,
corporations, funds or other entities under the ownership control of a munici-
pality, Parliament and the provincial legislatures.


Important laws and regulations applicable to the public sector


The key laws and regulations applicable to the public sector include the follow-
ing:
Constitution of the Republic of South Africa, 1996 (Act No. 108 of 1996)
The Constitution establishes, inter alia, the three spheres of government.
Public Finance Management Act, 1999 (Act No. 1 of 1999) and regulations and instructions issued in terms of the Act
The Act promotes sound financial management in order to maximize service
delivery through the efficient and effective use of limited resources. The Act
forms the basis for a more effective corporate governance framework and
covers, inter alia, the following:
• the establishment of the National Treasury and provincial treasuries as well as the ASB and their functions and powers;
• the national and provincial budgets and the appropriation of money by Parliament and provincial legislature for each financial year for the requirements of the state and the provinces, respectively;
• the requirements for departments and constitutional institutions regarding the responsibilities and powers of accounting officers;
• the fiduciary duties, general responsibilities, annual budgets, information to be submitted and annual reports and financial statements to be prepared by accounting authorities of public entities;
• the financial responsibilities of executive authorities;
• the submission of financial statements by departments, trading entities and constitutional institutions within two months after the end of the financial year to the AG and relevant treasury;
• the submission of an auditor’s report by the AGSA on the above financial statements within two months of receipt of the financial statements;
• the submission of an annual report, financial statements and the AGSA’s auditor’s report by departments, trading entities and constitutional institutions within five months after the end of the financial year, to the relevant treasury, and in the case of a department and trading entity, also to the executive authority;
• the submission of the annual report, financial statements and auditor’s report by a constitutional institution to Parliament within one month of receipt of the AG’s auditor’s report;
• the submission of financial statements by public entities within two months after the financial year-end to their auditors;
• the submission of an annual report, financial statements and the auditor’s report by public entities within five months after financial year-end, to the relevant treasury, executive authority and the AG if the AG is not the auditor of the entity.


Division of Revenue Act


The Act provides for the equitable division of revenue between the three
spheres of government.
Appropriation Act
The Act provides for the appropriation of money from the National Revenue
Fund to meet the requirements of the state.
Municipal Finance Management Act, 2003 (Act No. 56 of 2003) and regulations
issued in terms of the Act
The Act aims to improve budget and financial management practices of local
government. The MFMA covers, inter alia, the following:
• the requirements for the opening and control of, and withdrawals from, municipal bank accounts;
• the appropriation of funds for expenditure and annual budgets of municipalities;
• the responsibilities of mayors and municipal officers;
• the establishment, financial governance and accounting officers of municipal entities;
• the submission of the financial statements by the accounting officer of a municipality within two months after the financial year end to the AG (three months for consolidated financial statements);
• the submission of the financial statements by the accounting officer of a municipal entity within two months after the financial year-end to the AG and the parent municipality;
• the submission of the auditor’s report by the AG within three months after receipt of the financial statements of a municipality or municipal entity;
• the submission of the annual report by the accounting officer of a municipal entity within six months after the financial year-end to the municipal manager of the parent municipality;
• the tabling of the annual report by the mayor of a municipality and any municipal entity under the municipality’s control within seven months after the financial year-end in the municipal council.
Municipal Systems Act, 2000 (Act No. 32 of 2000)
The Act provides for the following:
• the core principles, mechanisms and processes to be followed by municipalities;
• the legal nature of a municipality;
• the manner in which municipal powers and functions are exercised and performed to provide for community participation;
• a simple and enabling framework for the core processes of planning, performance management, resource mobilization and organisational change;
• a framework for local public administration and human resource development;
• empowerment of the poor and ensuring that municipalities put in place service tariffs and credit control policies that take their needs into account by providing a framework for the provision of services, service delivery agreements and municipal service districts;
• credit control and debt collection;
• a framework for support, monitoring and standard setting by other spheres of government.
Municipal Structures Act, 1998 (Act No. 117 of 1998)
The Act provides for the establishment of municipalities in accordance with the
requirements relating to categories and all types of municipality. It further
establishes criteria for determining the category of municipality to be estab-
lished in an area and defines the types of municipality that may be established
within each category. It also provides for an appropriate division of functions
and powers between categories of municipality. It regulates the internal sys-
tems, structures and office-bearers of municipalities and provides for appro-
priate electoral systems.
Municipal Property Rates Act, 2004 (Act No. 6 of 2004)
The Act regulates the power of a municipality to impose rates on properties
and to exclude certain properties from rates in the national interest.

3.2 AUDITING IN THE PUBLIC SECTOR


In terms of section 188 of the Constitution, the Auditor-General of South Africa
(AGSA) is responsible for auditing and reporting on the accounts, financial
statements and financial management of the public sector.
Auditing in the public sector is described as follows in the Lima declaration of
guidelines of auditing precepts of the International Organisation of Supreme
Audit Institutions (INTOSAI):
The concept and establishment of an audit is inherent in public financial
administration, as the management of public funds represents a trust. An
audit is not an end in itself but rather an indispensable part of a regulatory
system whose aim is to reveal deviations from accepted standards and vio-
lations of the principles of legality, efficiency, effectiveness and economy of
financial management early enough to make it possible to take corrective
action in individual cases, to make those accountable accept responsibility,
to obtain compensation, or to take steps to prevent, or at least render more
difficult – such breaches.


In addition to the Constitution, the Public Audit Act (PAA) prescribes the func-
tions of the AGSA and requires the AG to audit and report on the accounts,
financial statements and financial management of:
• all national and provincial state departments and administrations;
• all constitutional institutions;
• the administration of Parliament and each provincial legislature;
• all municipal entities; and
• any other institution or accounting entity required by other national or provincial legislation to be audited by the AG.
The PAA further requires the AG to audit and report on the consolidated finan-
cial statements of:
• the national government;
• all provincial governments; and
• a parent municipality and all municipal entities under its sole or effective control.

3.3 INTERNATIONAL ORGANISATION OF SUPREME AUDIT INSTITUTIONS


The International Organisation of Supreme Audit Institutions (INTOSAI) oper-
ates as an international umbrella organisation for the external government audit
community. The Supreme Audit Institution of South Africa is the AGSA and the
AGSA is therefore a member of the INTOSAI.

3.4 AUDITS PERFORMED BY THE AGSA


The AG can perform annual audits, performance audits, other audit related
services, or can in terms of section 12 of the PAA elect not to perform an audit.
These are explained below.

3.4.1 Annual audits


The full scope of public sector auditing is broader than in the private sector
and as such a financial audit consists of an audit of financial statements, plus
some or all of the following:
• audit of financial accountability of accountable entities, involving examination and evaluation of financial records and expression of opinions on financial statements;
• audit of financial accountability of the government administration as a whole;
• audit of financial systems and transactions, including an evaluation of compliance with applicable statutes and regulations;
• audit of internal control and internal audit functions;
• audit of probity and propriety of administrative decisions taken within the audited entity;
• audit of performance against predetermined objectives; and
• reporting of any other matters arising from or relating to the audit that the AG considers should be disclosed.

3.4.2 Performance audits


A performance audit can be described as an independent auditing process to
evaluate the measures instituted by management to ensure that resources
have been procured economically and are used efficiently and effectively.

3.4.3 Other audit-related services


These may include investigations to be conducted on request or special audits
and audit-related services in accordance with the International Standards on
Related Services.

3.4.4 Audits not performed by the AGSA


The AG may opt not to perform the audit and report on the accounts, financial
statements and financial management of any of the following:
• any public entity listed in the Public Finance Management Act (PFMA);
• a provincial revenue fund; or
• a municipality.
In cases where the AG opts not to perform the audit, a private practitioner will
be contracted to perform the audit on behalf of the AGSA. The AGSA is man-
dated by the PAA to impose a wide spectrum of duties on the private practi-
tioners appointed as auditors of these entities.

3.5 AUDITING STANDARDS APPLICABLE IN THE PUBLIC SECTOR


Assurance engagements in the public sector are performed in accordance
with the International Quality Control, Auditing, Review, Other Assurance and
Related Services Pronouncements. In addition, INTOSAI issues ISSAIs which are also taken into account when performing engagements.
The ISSAIs consist of the following levels:
• founding principles;
• prerequisites for the functioning of Supreme Audit Institutions;
• fundamental auditing principles;
• auditing guidelines; and
• INTOSAI GOV which provides guidance to public authorities on the proper administration of public funds.


3.6 IMPORTANT DATES


The PFMA and the MFMA require that the financial statements and the audit
thereof be finalized within certain deadlines. For this reason, audits in the pub-
lic sector are concluded in two cycles, namely the PFMA and the MFMA.
The following table illustrates the legislated dates for the PFMA and the MFMA:
PFMA
Date of financial year-end: 31 March
Date of submission of the financial statements for auditing: 31 May
Date of the auditor’s report: 31 July
Submission to the executive authority/council: 31 August by the accounting officer/authority to the executive authority
Tabling of the annual report: 30 September by the executive authority in Parliament/provincial legislature

MFMA
Date of financial year-end: 30 June
Date of submission of the financial statements for auditing: 31 August / 30 September (consolidated)
Date of the auditor’s report: 30 November / 31 December (consolidated)
Submission to the executive authority/council: 31 January by the mayor to the council
Tabling of the annual report: Within seven days after the council has adopted the relevant oversight reports in the provincial legislature

3.7 THE AUDIT REPORT


Public sector audit reports include references to compliance with laws, finan-
cial management and the audit of pre-determined objectives. The three areas
that the office of the Auditor-General audits and reports on annually are –
• the fair presentation and the absence of material misstatements in the financial statements;
• useful and credible performance information for purposes of reporting on predetermined performance objectives; and
• compliance with key legislation governing financial matters.
Different types of audit opinions can be issued by the Auditor-General, includ-
ing the following:
• Unqualified opinion with no findings (clean audit): The auditee achieves a financially unqualified opinion with no findings, commonly known as a clean audit opinion, when its financial statements are unqualified, with no reported audit findings in respect of either reporting on predetermined objectives or compliance with key legislation.
• Financially unqualified opinion with findings: The auditee receives a financially unqualified audit opinion with findings on its performance information or compliance with key legislation, or both these aspects.
• Qualified opinion: The auditee receives a qualified audit opinion, which means it was unable to account adequately and accurately for all the financial effects of the transactions and activities it had conducted. This means the financial statements it presented were unreliable in certain areas. Related to performance information it means the AGSA was provided with performance information that either was not useful or was unreliable, which compromised the ability to drive effective accountability.
• Adverse opinion: Conditions regarding unreliable financial statements are common in most areas of the financial statements. This is unlike a qualified opinion where it is limited to certain areas.
• Disclaimed opinion: These auditees were unable to provide the required evidence to enable the auditors to perform tests to satisfy themselves regarding the fair presentation of the financial statements. The auditors were therefore unable to conclude or express an opinion on the credibility of the financial statements. Also, auditees with adverse and disclaimed opinions are typically not complying with key legislation.

3.8 AUDIT OF PREDETERMINED OBJECTIVES


Purpose of performance information
Performance information indicates how well an entity is performing against
strategic objectives. Strategic objectives indicate what an entity intends doing
(or producing) to achieve its legislative mandate. Performance indicators and
targets are used to track and measure performance in relation to the strategic
objectives. The indicators also reflect equity concerns and value for money in
the use of resources.
Importance of performance information
Performance information is essential to focus the attention of the public and
oversight bodies on whether public institutions are delivering public services,
by comparing their performance against their budgets and strategic plans and
to alert those charged with governance to areas where corrective action is
required. Performance information also facilitates effective accountability
enabling legislators, members of the public and other interested parties to
track progress, identify the scope for improvement in service delivery, and
better understand issues and context.
The audit of predetermined objectives of public institutions is an annual
engagement to provide assurance to Parliament, legislators, members of the
public and other relevant parties that the actual performance reported is useful
and reliable.

The concepts of performance management and reporting were formally introduced to the public sector in South Africa with the implementation of the Public Finance Management Act, 1999 (Act No. 1 of 1999) (PFMA) and the Municipal Finance Management Act, 2003 (Act No. 56 of 2003) (MFMA).

Differences between the audit of predetermined objectives and performance auditing

Audit of predetermined objectives
• Mandatory audit (sections 20(2)(c) and 28(1)(c) of the PAA)
• Reflects an opinion or conclusion on the reporting of performance against predetermined objectives
• Reporting takes place annually as part of the regularity audit process
• The audit is conducted by regularity auditors
• Focuses on the planning, implementation, monitoring and reporting on performance information
• Audit criteria: Existence, timeliness, presentation, consistency, relevance, measurability, validity, accuracy and completeness
• Provides assurance on whether the annual reported performance against predetermined objectives is useful and reliable

Performance auditing
• Discretionary audit (section 20(3) of the PAA)
• Reporting is based on factual findings and does not include an audit opinion
• Reporting is not limited to annual information and can cover more than one financial year
• The audit is conducted by performance auditors and may include subject matter experts
• Focuses on a specific government programme, project or management process
• Audit criteria: Economy, efficiency and effectiveness
• Factual report on whether goods and services have been acquired economically, applied efficiently and managed effectively towards achieving the desired goals

The audit of predetermined objectives can be defined as an annual audit of reported actual performance against predetermined objectives. The audit of pre-determined objectives is part of the annual audit, confirming whether the entity complies with applicable laws and regulations as well as performing procedures that will enable the auditor to express an opinion on the usefulness and reliability of the reported performance information as published in the annual reports of government institutions.

A performance audit is different in that it aims to determine whether the auditee’s resources were procured economically and utilised efficiently and effectively. The performance of a performance audit is discretionary in that the AG can decide whether it wishes to perform the audit or not.
Performance auditing is defined as an independent audit of the management
measures instituted by a government entity to ensure the economical procure-
ment and efficient and effective utilisation of resources. The key concepts to be
audited can further be defined as follows:
Economy: To procure resources of the right quality in the right quantities at the right time and place at the lowest possible cost.
Efficiency: To achieve the optimal relationship between the output of goods, services or results and the resources used to produce them.
Effectiveness: To achieve policy objectives, operational goals and other intended effects.

2
CORPORATE GOVERNANCE – BACKGROUND;
KING IV REPORT AND INTERNAL CONTROL

1. The background and definition of corporate governance
2. The governance compliance framework
3. The characteristics of good corporate governance
4. The development of corporate governance guidelines
5. The King IV Report on Corporate Governance
5.1 Introduction
5.2 Fundamental concepts
5.3 King IV application and disclosure
5.4 The King IV Code on Corporate Governance
5.5 Sector supplements
6. Internal control
6.1 The definition of internal control
6.2 The components of internal control
6.3 Inherent limitations of the internal control system
6.4 Objectives of internal controls
6.5 Internal controls in a computerised environment
6.6 Documentation and the flow of information
6.7 Internal controls within the business cycles

CHAPTER 2: Corporate governance – Background; King IV Report and internal control

1. THE BACKGROUND AND DEFINITION OF CORPORATE GOVERNANCE


The concept of corporate governance was born in the late 1980s as a result of
the separation of the ownership of companies from the control thereof. A situation
developed, especially in the United Kingdom, where owners of companies no
longer were part of the management of companies. The responsibility for control
therefore shifted to the directors of the company.
Corporate governance was consequently introduced to ensure that the agents of
the owners of companies (management and directors) manage companies in
ways that will serve the interests of the shareholders of the company.
The concept of corporate governance further developed in the last decade of the
nineteenth century because of the following:
• The role of institutional investors shifted from that of trading in shares to that of a major, more permanent shareholder in companies.
• The interest of not only the shareholders of the company, but all the other stakeholders became relevant for corporate decision-makers.
• A series of corporate failures and scandals that took place because of fraud pointed to a lack of effective accountability within companies.
2008 saw a series of corporate collapses in the banking and financial services
sector. This has led to a renewed focus on the strengthening of corporate govern-
ance, specifically regarding performance-related remuneration, transparency, risk
management, accountability and ethical behaviour.
New global realities emerged in the last few years and include social tensions,
climate change, radical transparency, and technological and scientific advance-
ment.
Technological advancements, such as the Internet of Things, artificial intelli-
gence, 3D printing and blockchain, are also disrupting traditional business mod-
els. 2019 has seen the emergence of a global pandemic which swept across the
world. All of these realities are testing governance structures and arrangements.
Corporate governance can be defined as the system whereby entities are man-
aged and controlled.
A good system of corporate governance is essential for the proper functioning of
the entity.
The key challenge for companies is to find an appropriate balance between
performance and conformance with governance principles.


2. THE GOVERNANCE COMPLIANCE FRAMEWORK


Corporations can either follow a principle-based approach or a rule-based
approach to governance.
The principle-based approach to governance normally manifests itself in codes of
corporate governance with recommendations on how to best apply corporate
governance principles and which could be applied on a voluntary basis.
The rule-based approach to governance normally manifests itself in the codification of governance in legislation and a situation whereby legal sanctions could exist for non-compliance with the legislation.
It has become practice for countries to adopt a combination of the rule- and the
principle-based approaches. In South Africa, several pieces of legislation con-
taining sections which directly deal with the governance of corporations devel-
oped since the publication of the second King Report (King II). There will always
be a link between corporate governance and compliance with the law.
Internationally, the principle-based approach to governance has evolved into
different approaches of which the “comply or explain”, “adopt or explain” and the
“apply or explain” approaches are some examples. The King IV Report has intro-
duced an “apply and explain” regime.
In following, for instance, the “apply or explain” approach, the board of directors could conclude that an interpretation of the governance principle which is different from the recommendation contained in the code will be in the best interest of the company. The Board may therefore apply the principle differently and still achieve the overarching governance principles of transparency, accountability, responsibility and fairness. Explaining how the principles and recommendations were applied, or if not applied, the reasons, results in compliance with the code.
The principle-based approach to governance could therefore also allow for a dif-
ferent interpretation of what would be in the best interest of the company in com-
bination with compliance with recommendations in codes on a voluntary basis.
Directors do, however, have a legal duty to act in the best interest of the com-
pany and it is anticipated that the more established certain governance practices
become, the more likely a court, in considering whether directors have acted in
the best interest of the company, would regard conduct that conforms with these
practices as meeting the required standard of care.

3. THE CHARACTERISTICS OF GOOD CORPORATE GOVERNANCE


It has become international practice for principle-based codes to be based on
the following principles:
• Transparency
Transparency is the ease with which an outsider is able to make meaningful analysis of a company’s actions and its economic fundamentals. Management must make the necessary information available in a candid and accurate manner and on a timely basis. It should be possible to obtain a clear and true picture of what is happening inside a company from the information supplied by the company.
• Accountability
Individuals or groups in a company who make decisions and take actions on specific issues need to be accountable for their decisions and actions. Mechanisms must exist and be effective to allow for accountability, thus facilitating both transparency and responsibility. This provides investors with the means to query and assess the actions of the board and its committees.
• Responsibility
Responsibility pertains to management behaviour that follows internal mechanisms to allow for corrective action, and sanction of mismanagement. Responsible management would, when necessary, put in place what it takes to set the company on the right path.
• Fairness
The systems that exist within the company must be balanced in taking into account all those who have an interest in the company and its future. The rights of various groups have to be acknowledged and respected. Minority shareholder interests must receive equal consideration to that of the dominant shareholder(s).

4. THE DEVELOPMENT OF CORPORATE GOVERNANCE GUIDELINES


The Treadway Commission in the United States and the Cadbury Committee in
the United Kingdom investigated and made recommendations relating to the finan-
cial aspects of corporate governance.
The Cadbury Committee was set up in the United Kingdom in May 1991 because
of the lack of confidence which was perceived in financial reporting and in the
ability of the auditors to provide the assurances required by the users of the
financial statements. The Committee, in the context of its terms of reference, con-
sidered, primarily, financial reporting and accountability, good practice concerning
the responsibilities of executive and non-executive directors, the case for audit
committees, the principal responsibilities of auditors and the links between share-
holders, boards and auditors.
The King Committee on Corporate Governance was formed in 1992 with the
objective of making recommendations on the effective implementation of corpor-
ate governance in South Africa. The Committee was formed under the auspices
of the Institute of Directors in Southern Africa. They made their recommendations
public on 29 November 1994 in what is commonly referred to as the first King
Report on Corporate Governance for South Africa.


Since 1994, several developments have led to the recent review of corporate
governance standards and practices in South Africa by the King Committee.
These developments include, inter alia, globalisation, stakeholder activism, the
growth of information technology and e-commerce and a shift towards flatter
management structures and part-time employment.
The review led to the publication of the King Committee’s second Report on
Corporate Governance for South Africa during March 2002.
International developments since 2002, as well as the promulgation of the new
Companies Act, 71 of 2008 necessitated a review of the second Report by the
King Committee. The third Report on Corporate Governance for South Africa was
published in September 2009.
Continued financial instability, the emergence of new international governance
codes and best practice, increased compliance requirements, new reporting and
disclosure requirements, and risk and opportunities from new technologies
prompted a review of the third Report on Corporate Governance in South Africa
and led to the publication of the King IV Report on 1 November 2016. Recent
corporate failures in South Africa have again placed the spotlight on corporate
governance in organisations.

5. THE KING IV REPORT ON CORPORATE GOVERNANCE

5.1 INTRODUCTION
The King IV Report on Corporate Governance was released on 1 November
2016 and consists of seven parts:
• Part 1 – Glossary of terms
• Part 2 – Fundamental concepts
• Part 3 – King IV application and disclosure
• Part 4 – King IV on a page
• Part 5 – King IV Code on Corporate Governance
• Part 6 – Sector supplements
• Part 7 – Content development process and King committee

5.2 FUNDAMENTAL CONCEPTS


Part 2 of the King IV Report contains the fundamental concepts and philosophy
on which King IV is based, as well as a discussion on the distinguishing fea-
tures and highlights of the report.
King IV defined corporate governance as the exercise of ethical and effective
leadership by the governing body towards the following governance outcomes:
• ethical culture;
• good performance;
• effective control; and
• legitimacy.
King IV further explains the governing body’s primary governance role and
responsibilities as:
• steering and setting strategic direction;
• approving policy and planning that give effect to the strategy and the set
direction;
• overseeing and monitoring implementation and execution by management; and
• ensuring accountability for organisational performance by means of,
amongst others, reporting and disclosure.
King IV advocates integrated thinking as an important philosophy underpinning
the Code. Integrated thinking is defined as thinking that takes account of the
connectivity and interdependencies between a range of factors that affect an
organisation’s ability to create value over time. Integrated thinking underpins all
of the following:
• seeing the organisation as an integral part of society and thus as a corporate
citizen;
• the stakeholder-inclusive approach;
• sustainable development; and
• integrated reporting.
The main features that distinguish King IV from previous reports include:
• An outcomes-based approach is advocated. Achieving the principles will
enable organisations to realise the intended governance outcomes of ethical
culture, good performance, effective control and legitimacy.
• Clear differentiation between principles and practices. Principles are achieved
by mindful consideration and application of the recommended practices.
• Drafted to apply to all organisations, regardless of their form of incorporation.
References to companies and boards of directors have been
replaced with references to organisations and governing bodies.
• Proportionality is explained and advocated. Practices are meant to be
scaled in accordance with proportionality considerations particular to the
organisation. These include size of turnover and workforce, resources and
extent and complexity of activities.
• “Apply and explain” regime as opposed to an “Apply or explain” regime in
King III.

5.3 KING IV APPLICATION AND DISCLOSURE


Part 3 of the King IV Report deals with application and disclosure require-
ments.

King IV is a set of voluntary principles and leading practices.


King IV aspires to apply to all organisations, regardless of their form of incorp-
oration. This is achieved by:
• phrasing principles and governance outcomes such that they embody the
essence of the Code and in order for it to be applied with the necessary
changes in terminology;
• provision of supplements for specific sectors; and
• advocating the implementation of King IV on a proportional basis, recognising
that the practices as recommended in the Code are positioned at
the level of leading practices, and that it may not be suitable and appropriate
for all organisations.
The application regime of King IV is “apply and explain”. It is recommended
that organisations provide a narrative explanation of the recommended prac-
tices that have been implemented, and how these achieve or give effect to the
related King IV principles. There is therefore no need to disclose whether each
practice has been implemented or not.
Specific disclosure recommendations are included under each principle of the
King IV Code. These recommendations are intended as guidance and as a
starting point for disclosure. The following approach is suggested regarding
the disclosure on the application of King IV:
• As a starting point, referencing of all the principles in the Code.
• In respect of each principle, explain in narrative form the matters that the
King IV Code recommends for specific disclosure under each principle.
• Consider the recommended practices associated with the principle that are
not already included in the narrative. Expand the explanation to these
other practices only if necessary to further demonstrate how their implementation
supports the achievement of the principle.
• Assess the completed disclosure and consider whether it will enable the
users of the report to make an informed assessment of the quality of governance
in so far as the application of the particular principle is concerned. Make
enhancements if necessary.
• If applicable and necessary, explain what alternative practices (practices
other than those recommended by the Code) have been implemented,
and how their implementation supports the achievement of the practices.
King IV states that the governing body has the discretion to determine where
disclosures are to be made. Options include the integrated report, sustainability
report, social and ethics committee report and other online or printed
information or reports.
It is recommended that King IV disclosures be updated at least annually.

Disclosure on the application of King IV is effective in respect of financial
years starting on or after 1 April 2017, but immediate transition is encouraged.
King IV replaces the third King Report on Corporate Governance in its
entirety.

5.4 THE KING IV CODE ON CORPORATE GOVERNANCE


The King IV Code consists of the following five parts:
• leadership, ethics and corporate citizenship;
• strategy, performance and reporting;
• governing structures and delegation;
• governance functional areas; and
• stakeholder relationships.
The five parts contain 17 principles, and recommended practices that the
governing body should perform are provided for each principle. Readers are
encouraged to consult the full King IV Code as contained in the King IV Report
on Corporate Governance, as the section that follows only contains a brief dis-
cussion on the principles and recommended practices.

5.4.1 Leadership, ethics and corporate citizenship


As discussed under section 5.2 above, King IV defines corporate governance
as the exercise of ethical and effective leadership by the governing body
towards the achievement of governance outcomes.
Part 1 of the Code is devoted to leadership, ethics and corporate citizenship
and consists of the following three principles:
• Principle 1: The governing body should lead ethically and effectively;
• Principle 2: The governing body should govern the ethics of the organisation
in a way that supports the establishment of an ethical culture; and
• Principle 3: The governing body should ensure that the organisation is and
is seen to be a responsible corporate citizen.
The recommended practices under the first principle deal mainly with leader-
ship and encourage members of the governing body to set an example by dis-
playing the characteristics of integrity, competence, responsibility, account-
ability, fairness and transparency.
The recommended practices under the second principle deal with organ-
isational ethics and aim to assist with the management of ethics within the
organisation. The Code specifically recommends that codes of conduct and
ethics policies provide for arrangements that familiarise employees and other
stakeholders with the organisation’s ethical standards. These arrangements
should include:
• publishing the organisation’s codes of conduct and policies on the organisation’s
website, or on other platforms or through other media as is appropriate;
• reference to, or inclusion of the relevant codes of conduct and policies in
supplier and employee contracts; and
• inclusion of the codes of conduct and ethics policies in employee induction
and training programmes.
The governing body should further ensure that the organisation’s ethical
standards are applied to the processes for the recruitment, evaluation of per-
formance and reward of employees, as well as the sourcing of suppliers.
Those who breach the ethical standards should be sanctioned. Protected
disclosure or whistle-blowing mechanisms should also be available to detect
breaches of ethical standards and to deal with such disclosures appropriately.
The governing body should monitor adherence to the ethical standards
through, inter alia, periodic independent assessments of adherence.
Finally, recommendations are made under the third principle on how the organisation
should act as a responsible citizen, also as it engages with internal and
external stakeholders and society as a whole. The Code specifically recommends
that the governing body should oversee and monitor, on an ongoing
basis, how the consequences of the organisation’s activities and output affect
its status as a responsible corporate citizen, especially in the following areas:
• workplace (including employment equity; fair remuneration; and the safety,
health, dignity and development of employees);
• economy (including economic transformation; prevention, detection and
response to fraud and corruption, and responsible and transparent tax
policy);
• society (including public health and safety; consumer protection; community
development; and protection of human rights); and
• environment (including responsibilities in respect of pollution and waste
disposal; and protection of biodiversity).

5.4.2 Strategy, performance and reporting


Part 2 of the Code deals with strategy, performance and reporting, and con-
tains the following two principles:
• Principle 4: The governing body should appreciate that the organisation’s
core purpose, its risks and opportunities, strategy, business model, performance
and sustainable development are all inseparable elements of the
value creation process; and
• Principle 5: The governing body should ensure that reports issued by the
organisation enable stakeholders to make informed assessments of the
organisation’s performance, and its short, medium and long-term prospects.

It is recommended as part of principle 4 that the governing body should:
• set the direction, purpose and strategy of the organisation;
• delegate to management the formulation of the strategy;
• approve the strategy;
• approve management policies and plans, including key performance
measures and targets;
• delegate the implementation of plans to management; and
• oversee the implementation of the strategy and plans by management.
As part of principle 5 it is recommended that the governing body should:
• assume responsibility for the organisation’s reporting by setting the direction
and approach to be followed;
• approve the reporting frameworks;
• ensure that all reports comply with legal requirements and that they meet
the legitimate and reasonable expectations of material stakeholders;
• ensure that an annual integrated report is published either as a stand-alone
report or as part of another report;
• approve management’s bases for materiality;
• ensure the integrity of external reports; and
• ensure that the disclosures required by the King IV Code, integrated
reports, annual financial statements and other external reports are available
on the organisation’s website and other appropriate media.

5.4.3 Governing structures and delegation


Part 3 of the Code deals with governing structures and delegation, and more
specifically with the:
• primary role and responsibilities of the governing body – principle 6;
• composition of the governing body – principle 7;
• committees of the governing body – principle 8;
• evaluation of the performance of the governing body – principle 9; and
• appointment and delegation to management – principle 10.
The principles and recommended practices contained in part 3 are:
• Principle 6: The governing body should serve as the focal point and custodian
of corporate governance in the organisation.
The Code recommends that the governing body should exercise its leadership
role by:
• steering the organisation and setting its strategic direction;
• approving policy and planning that give effect to the direction provided;
• overseeing and monitoring of implementation and execution by management; and
• ensuring accountability for organisational performance by means of,
among others, reporting and disclosure.
The governing body’s role, responsibilities, membership requirements and
procedural conduct should be documented in a charter which is regularly
reviewed.
A protocol should guide the process to be followed in the event that the gov-
erning body or any of its members or committees need to obtain independent,
external professional advice at the cost of the organisation on matters within
the scope of their duties. Similarly, a protocol should guide non-executive
members of the governing body in requisitioning documentation from, and set-
ting up meetings with, management.
• Principle 7: The governing body should comprise the appropriate balance
of knowledge, skills, experience, diversity and independence for it to discharge
its governance role and responsibilities objectively and effectively.
The Code recommends that the governing body should consider an appro-
priate size for itself, having regard for the optimal mix of knowledge, skills,
experience, diversity and independence.
When determining the requisite number of members of the governing body, the
following factors should be considered:
• the appropriate mix of knowledge, skills and experience, including the
business, commercial and industry experience, needed to govern the
organisation;
• the appropriate mix of executive, non-executive and independent
non-executive members;
• the need for a sufficient number of members that qualify to serve on the
committees of the governing body;
• the need to secure a quorum at meetings;
• regulatory requirements; and
• diversity targets relating to the composition of the governing body.
The governing body should comprise a majority of non-executive members,
most of whom should be independent. The executive directors should comprise,
as a minimum, the chief executive officer (CEO) and at least one other
executive (chief executive officer or any other director).
Diversity in its membership as it relates to field of knowledge, skills and experi-
ence as well as age, culture, race and gender, should be promoted by the
governing board. It should also set targets for race and gender representation
in its membership.

Members of the governing body should be rotated regularly and in a staggered
manner. Future members of the governing body should be identified,
mentored and developed as part of a succession plan.
Nomination, election and appointment of members to the governing body:
The nomination of candidates for election as members of the governing body
should be approved by the governing body as a whole and the processes for
nomination, election and ultimately, appointment should be formal and trans-
parent.
Several factors should be considered before nominating a candidate, includ-
ing:
• The collective knowledge, skills and experience required by the governing
body;
• The diversity of the governing body; and
• Whether the candidate meets the appropriate fit and proper criteria.
The performance of a member, including attendance of meetings should be
considered as part of the nomination process for re-election of an incumbent of
the governing body.
Prior to their nomination for election, candidates’ backgrounds should be
independently investigated, and their qualifications should be independently
verified. It should also be ensured that they will have sufficient time to commit
to the business of the governing body.
The notice to the AGM on the election of members of the governing body
should include:
• a brief professional profile of each candidate;
• details of existing professional commitments; and
• a statement from the governing body confirming whether it supports the
candidate’s election or re-election.
Upon election new members should receive a letter of appointment setting out
the terms and conditions of appointment. Incoming members should also be
inducted and those new members with no or limited governance experience
should be provided with mentorship and encouraged to undergo training.
All members of the governing body should be expected to participate in a pro-
gramme of ongoing professional development and regular briefings on legal
and corporate governance developments, and risks and changes in the exter-
nal environment of the organisation.
Independence and conflicts:
The independence of members of the governing body is recognised as an
essential element of corporate governance. Recent corporate failures have,
however, seen the demise of many organisations despite their having
the appropriate number of independent directors on their boards. The King IV
Code emphasises the importance of independence and stresses that all
members of the governing board have the duty to act with independence of
mind in the best interest of the organisation.
The Code recommends that, subject to legal provisions, each member of the
governing body should submit to the governing body a declaration of all finan-
cial, economic and other interests held by the member and related parties at
least annually, or whenever there are significant changes.
Members should also declare any conflict of interest in respect of a matter on
the agenda before the start of all meetings.
Non-executive members of the governing body may be categorised by the
governing body as independent if it concludes that there is no interest, posi-
tion, association or relationship which, when judged from the perspective of a
reasonable and informed third party, is likely to influence unduly or cause bias
in decision-making in the best interest of the organisation.
The following factors should be considered in assessing the independence of
members of the governing body:
• whether the member is a significant provider of financial capital, or ongoing
funding to the organisation; or is an officer, employee or a representative
of such provider of financial capital or funding;
• participation in a share-based incentive scheme;
• if the organisation is a company, whether the member owns securities in
the company, the value of which is material to the personal wealth of the
director;
• whether the member has been in the employ of the organisation as an
executive manager during the preceding three financial years, or is a related
party to such executive manager;
• whether the member has been the designated external auditor responsible
for performing the statutory audit for the organisation, or a key member of
the audit team of the external audit firm, during the preceding three financial
years;
• whether the member is a significant or ongoing professional adviser to the
organisation, other than as a member of the governing body;
• whether the member is a member of the governing body or the executive
management of a significant customer of, or supplier to, the organisation;
• whether the member is a member of the governing body or the executive
management of another organisation which is a related party to the organisation; or
• whether the member is entitled to remuneration contingent on the performance
of the organisation.
A non-executive member of the governing body may continue to serve, in an
independent capacity, for longer than nine years if, upon an assessment by the
governing body conducted every year after nine years, it is concluded that the
member exercises objective judgement and there is no interest, position,
association or relationship which, when judged from the perspective of a
reasonable and informed third party, is likely to influence unduly or cause bias
in decision-making.
Chair of the governing body
The Code recommends that an independent non-executive member be elect-
ed as chair of the governing body.
It is also recommended that an independent non-executive member be elected
as the lead independent to fulfil the following functions:
• to lead in the absence of the chair;
• to serve as a sounding board for the chair;
• to act as an intermediary between the chair and other members of the
governing body, if necessary;
• to deal with shareholders’ concerns where contact through the normal
channels has failed to resolve concerns, or where such contact is inappropriate;
• to strengthen independence on the governing body if the chair is not an
independent non-executive member of the governing body;
• to chair discussions and decision-making by the governing body on
matters where the chair has a conflict of interest; and
• to lead the performance appraisal of the chair.
The charter of the governing body should set out the chair’s role, responsibil-
ities and term in office, as well as that of the lead independent.
The CEO of the organisation should not chair the governing body, and any
retired CEO can only become the chair of the governing body after three com-
plete years have passed after the end of the CEO’s tenure.
When determining which of its committees the chair of the governing body
should serve on, either as member or chair, the governing body should con-
sider how this affects the overall concentration and balance of power on the
governing body. Generally, the following should apply:
• The chair should not be a member of the audit committee.
• The chair may be a member of the committee responsible for remuneration
but should not be its chair.
• The chair should be a member of the committee responsible for nominations
of members of the governing body and may also be its chair.
• The chair may be a member of the committee responsible for risk governance
and may also be its chair.
• The chair may be a member of the social and ethics committee but should
not be its chair.

Succession planning should be in place for the position of chair.


• Principle 8: The governing body should ensure that its arrangements for
delegation within its own structures promote independent judgement, and
assist with balance of power and the effective discharge of its duties.
The governing body can delegate particular roles and responsibilities to an
individual member or members of the governing body, or to standing or
ad hoc committees, in which case the delegation should be recorded in writing
and approved by the governing body.
Committees should have formal terms of reference which at a minimum should
deal with the following:
• the composition of the committee and, if applicable, the process and
criteria for the appointment of any committee members who are not members
of the governing body;
• the committee’s overall role and associated responsibilities and functions;
• delegated authority with respect to decision-making;
• the tenure of the committee;
• when and how the committee should report to the governing body and
others;
• the committee’s access to resources and information;
• the meeting procedures to be followed;
• the arrangements for evaluating the committee’s performance.
It is recommended that committees should consist of a minimum of three
members with the necessary knowledge, skills, experience and capacity to
execute their duties effectively.
Members of the executive and senior management should be invited to attend
committee meetings and members of the governing body are entitled to attend
any committee meeting as an observer. However, unless that member is also a
member of the committee, the member is not entitled to participate without the
consent of the chair; does not have a vote; and is not entitled to fees for such
attendance, unless payment of fees is agreed to by the governing body and
shareholders.
The governing body remains accountable despite delegation of roles and
responsibilities to committees.
Audit committee
The establishment of an audit committee is a statutory requirement for some
organisations. The Code also recommends that any organisation that issues
audited financial statements should establish an audit committee.
The primary role of the audit committee is to provide independent oversight of,
among others:
• the effectiveness of the organisation’s assurance functions and services,
with particular focus on combined assurance arrangements, including
external assurance service providers, internal audit and the finance function; and
• the integrity of the annual financial statements and other external reports
issued by the organisation.
It is recommended that the audit committee oversees the management of
financial and other risks that affect the integrity of external reports issued by
the organisation.
The members of the audit committee should, as a whole, have the necessary
financial literacy, skills and experience to execute their duties effectively and
all members of the audit committee should be independent, non-executive
members of the governing body. The committee should be chaired by an
independent non-executive member.
The audit committee should meet annually with the internal and external audit-
ors respectively, without management being present.
Committee responsible for nominations of members of governing body:
It is recommended that a nominations committee takes responsibility for:
• The process for nominating, electing and appointing members of the governing
body.
• Succession planning in respect of governing body members.
• Evaluation of the performance of the governing body.
The committee for nominations should consist of non-executive members of the
governing body, and the majority should be independent.
Committee responsible for risk governance:
It is recommended that a dedicated committee takes responsibility for the
governance of risk. One or more members should have joint membership
should the committees for audit and risk be separate. The committee for risk
governance should have executive and non-executive members, with a major-
ity being non-executive members of the governing body.
Committee responsible for remuneration:
It is recommended that a remuneration committee takes responsibility for
oversight over remuneration. All members of the committee for remuneration
should be non-executive members of the governing body, with the majority
being independent non-executive members of the governing body. The com-
mittee should be chaired by an independent non-executive member.
Social and ethics committee:
For some companies, the establishment of a social and ethics committee is a
statutory requirement. It is recommended that oversight of, and reporting on,
organisational ethics, responsible corporate citizenship, and sustainable
development and stakeholder relationships be delegated to a dedicated
committee, or that another committee take responsibility for the functions
where appropriate.
The social and ethics committee should consist of executive and non-executive
members, with a majority being non-executive members of the governing
body.
• Principle 9: The governing body should ensure that the evaluation of its
own performance and that of its committees, its chair and its individual
members, support continued improvement in its performance and effectiveness.
It is recommended that the performance of the governing body and its commit-
tees, the chair and individual members be assessed formally. The lead inde-
pendent director should lead the performance evaluation of the chair, or alter-
natively an independent director should a lead independent not be in place.
• Principle 10: The governing body should ensure that the appointment of,
and delegation to, management contribute to role clarity and the effective
exercise of authority and responsibilities.
It is recommended that the governing body appoints the CEO.
The CEO should be responsible for leading the implementation and execution
of approved strategy, policy and operational planning, and should serve as the
chief link between management and the governing body. The CEO should be
accountable to, and report to, the governing body.
The CEO should not be a member of the remuneration, audit or nomination
committees, but should attend by invitation any meeting, or part thereof, if
needed to contribute pertinent insights and information.
The CEO can also, in the absence of any conflicts and should it be possible to
commit the required time, serve on the governing bodies of other entities if so
agreed upon with the governing body. It is recommended that succession
planning be put in place for the role of CEO.
The performance of the CEO should be evaluated formally by the governing body
against agreed performance measures and targets at least annually.
Delegation:
It is recommended that the governing body approves a delegation of authority
framework that articulates the delegation of authority to management via the
CEO.
The governing body should ensure that key management functions are headed
by individuals with the necessary competence and authority, and that the func-
tions are adequately resourced.
Succession planning should be in place for senior management positions.
Professional corporate governance services to the governing body:
The governing body should ensure that it has access to professional and
independent guidance on corporate governance and its legal duties, and
also that it has support to coordinate the functioning of the governing body and
its committees.
The company secretary provides professional corporate governance services
in instances where the appointment of a company secretary is a statutory
requirement. It is recommended that all entities consider the appointment of a
company secretary or other appropriate professional to provide such services.
It is recommended that the person appointed to provide governance services
should have the necessary competence, gravitas and objectivity to provide
independent guidance and support at the highest level of decision-making in
the organisation.
The governing body should have primary responsibility for the removal of the
company secretary or other professional providing corporate governance ser-
vices.
The company secretary or other professional providing corporate governance
services should have unfettered access to the governing body but, for reasons
of independence, should maintain an arm’s-length relationship with it and its
members. The company secretary should not be a member of the governing
body.
The company secretary or other professional providing corporate governance
services should report to the governing body via the chair and the perform-
ance and independence of the company secretary or other professional
providing corporate governance services should be evaluated at least annually
by the governing body.

5.4.4 Governance functional areas


Part 4 of the Code deals with the governance of risk, technology and infor-
mation, compliance, remuneration and assurance and contains the following
principles:
• Principle 11: The governing body should govern risk in a way that supports
the organisation in setting and achieving its strategic objectives;
• Principle 12: The governing body should govern technology and information
in a way that supports the organisation setting and achieving its
strategic objectives;
• Principle 13: The governing body should govern compliance with applicable
laws and adopted, non-binding rules, codes and standards in a way
that supports the organisation being ethical and a good corporate citizen;
• Principle 14: The governing body should ensure that the organisation
remunerates fairly, responsibly and transparently so as to promote the
achievement of strategic objectives and positive outcomes in the short,
medium and long term; and
• Principle 15: The governing body should ensure that assurance services
and functions enable an effective control environment, and that these
support the integrity of information for internal decision-making and of the
organisation’s external reports.
It is recommended that the governing body should:
• set the approach for risk governance with a specific focus on opportunities
  and risk when developing strategy;
• approve risk policy;
• evaluate and agree the risks it is prepared to take;
• delegate the implementation of risk management to management;
• oversee the risk management process;
• consider receiving independent assurance on the effectiveness of risk
  management; and
• make the necessary disclosures regarding risk and opportunities.
It is further recommended that the governing body:
• set the approach for technology and information governance and that it
  approve the policy;
• delegate to management effective technology and information
  implementation;
• oversee the results of the implementation by management;
• oversee management of information and technology;
• consider receiving independent assurance on the effectiveness of
  technology and information; and
• make the necessary disclosures regarding technology and information.
Regarding compliance governance, it is recommended that the governing
body direct compliance, approve policy, delegate to management the
implementation of compliance management, oversee compliance management and
make the necessary disclosures.
Remuneration governance is covered in considerable detail. It is recommended that:
• the governing body sets an organisation-wide remuneration policy that
  articulates and gives effect to its direction on fair, responsible and
  transparent remuneration;
• disclosure takes place via a remuneration report containing a background
  statement, an overview of the main provisions of the remuneration policy,
  and an implementation report;
• shareholders be given the opportunity to vote on remuneration policy and
  implementation.
Remuneration policy
It is recommended that the remuneration policy should, among others, provide
for the following:
• arrangements towards ensuring that the remuneration of executive
  management is fair and responsible in the context of overall employee
  remuneration in the organisation;
• the use of performance measures that support positive outcomes across
  the economic, social and environmental context in which the organisation
  operates; and/or all the capitals that the organisation uses or affects;
• if the organisation is a company, the voting by shareholders on the
  remuneration policy and implementation report, and for the implementation of
  related responding measures as outlined under Voting on Remuneration
  below.
Remuneration report
Remuneration should be disclosed by means of a remuneration report in three
parts:
• a background statement;
• an overview of the main provisions of the remuneration policy;
• an implementation report which contains details of all remuneration awarded
  to individual members of the governing body and executive management
  during the reporting period.
Background statement
The background statement should briefly provide context for remuneration
considerations and decisions, with reference to:
• internal and external factors that influenced remuneration;
• the most recent results of voting on the remuneration policy and the
  implementation report and the measures taken in response thereto;
• key areas of focus and key decisions taken by the remuneration
  committee during the reporting period, including any substantial changes to the
  remuneration policy;
• whether remuneration consultants have been used, and whether the
  remuneration committee is satisfied that they were independent and objective;
• the views of the remuneration committee on whether the remuneration
  policy achieved its stated objectives; and
• future areas of focus.
Overview of remuneration policy
The brief overview of the main provisions of the remuneration policy should
address the objectives of the policy and the manner in which the policy seeks
to accomplish these. The overview should include the following:
• the remuneration elements and design principles informing the
  remuneration arrangements for executive management and, at a high level, for
  other employees;
• details of obligations in executive employment contracts which could give
  rise to payments on termination of employment or office;
• a description of the framework and performance measures used to assess
  the achievement of strategic objectives and positive outcomes, including
  the relative weighting of each performance measure and the period of time
  over which it is measured;
• an illustration of the potential consequences on the total earnings for
  executive management, on a single, total figure basis, of applying the
  remuneration policy under minimum, on-target and maximum performance
  outcomes;
• an explanation of how the policy addresses fair and responsible
  remuneration for executive management, in the context of overall employee
  remuneration;
• the use and justification of remuneration benchmarks;
• the basis for the setting of fees for non-executive directors;
• a reference to an electronic link to the full remuneration policy for public
  access.
Implementation report:
The implementation report, which includes the remuneration disclosure in
terms of the Companies Act, should reflect the following:
• The remuneration of each member of executive management, which
  should include in separate tables:
  • a single, total figure of remuneration, received and receivable for the
    reporting period, and all the remuneration elements that it comprises, each
    disclosed at fair value;
  • details of all awards made under variable remuneration incentive schemes
    in the current and prior years that have not yet vested, including: the
    number of awards, the values at date of grant, their award, vesting and expiry
    dates (where applicable) and their fair value at the end of the reporting
    period; and
  • the cash value of all awards made under variable remuneration incentive
    schemes that were settled during the year.
• An account of the performance measures used and the relative weighting
  of each, as a result of which awards under variable remuneration incentive
  schemes have been made, including: the targets set for the performance
  measures and the corresponding value of the award opportunity; and for
  each performance measure, how the organisation and executive
  managers, individually, performed against the set targets.
• Separate disclosure of, and reasons for, any payments made on
  termination of employment or office.
• A statement regarding compliance with, and any deviations from, the
  remuneration policy.

Voting on remuneration (only applicable to companies):
In terms of the Companies Act, fees for non-executive directors for their
services as directors must be submitted for approval by special resolution by
shareholders within the two years preceding payment.
The remuneration policy and the implementation report should be tabled every
year for separate non-binding advisory votes by shareholders at the AGM.
The remuneration policy should record the measures that the board commits to
take in the event that either the remuneration policy or the implementation
report, or both have been voted against by 25% or more of the voting rights
exercised. Such measures should provide for taking steps in good faith and
with best reasonable effort towards the following at a minimum:
• an engagement process to ascertain the reasons for the dissenting votes;
• appropriately addressing legitimate and reasonable objections and
  concerns raised, which may include amending the remuneration policy, or
  clarifying or adjusting remuneration governance and/or process.
In the event that either the remuneration policy or the implementation report, or
both were voted against by 25% or more of the voting rights exercised, the
following should be disclosed in the background statement of the remuneration
report succeeding the voting:
• with whom the company engaged, and the manner and form of
  engagement to ascertain the reasons for dissenting votes; and
• the nature of steps taken to address legitimate and reasonable objections
  and concerns.
King IV expands on the combined assurance model by indicating that a
combined assurance model should incorporate and optimise all assurance
functions and services so that, taken as a whole, these enable an effective control
environment, support the integrity of information used for decision-making, and
support the integrity of external reports.
The Code specifically makes the following recommendations regarding the
internal audit function:
Oversight of the internal audit function should be delegated to the audit
committee. The governing body should approve an internal audit charter that defines
the role and associated responsibilities and authority of internal audit, including
addressing its role within combined assurance and the internal audit standards
to be adopted.
The internal audit function should have the necessary skills and resources and
where appropriate be supplemented by specialist services such as those
provided by forensic fraud examiners and auditors, safety and process assessors,
and statutory actuaries.

The chief audit executive (CAE) should be independent from management and
have the necessary competence, gravitas and objectivity. The appointment of
the CAE should be approved by the governing body.
The CAE should have access to the chair of the audit committee, and should
not be a member of executive management.
The CAE should report to the chair of the audit committee on the performance
of duties and functions that relate to internal audit. On other duties and
administrative matters, the CAE should report to the member of executive
management designated for this purpose as appropriate for the organisation. The
governing body should have primary responsibility for the removal of the CAE.
The governing body should monitor on an ongoing basis that internal audit:
• follows an approved risk-based internal audit plan; and
• reviews the organisational risk profile regularly, and proposes adaptations
  to the internal audit plan accordingly.

5.4.5 Stakeholder relationships


Part 5 focuses on stakeholder relationships and contains the following two
principles:
• Principle 16: In the execution of its governance role and responsibilities
  the governing body should adopt a stakeholder-inclusive approach that
  balances the needs, interests and expectations of material stakeholders in
  the best interests of the organisation over time; and
• Principle 17: The governing body of an institutional investor organisation
  should ensure that responsible investment is practised by the organisation
  to promote the good governance and the creation of value by the
  companies in which it invests.
Principle 17 above is only applicable to institutional investors.

5.5 SECTOR SUPPLEMENTS


Part 6 of the King IV Report contains six sector supplements which illustrate
how the King IV Code should be interpreted and applied in different contexts,
situations and legislative regimes. The sector supplements provide the
necessary adaption of terminology and specific recommendations which should be
considered together with specific industry codes, practices and legislation. All
governance outcomes as per the King IV Code still apply.
Sector supplements are not provided for all sectors or industries, and
organisations for which specific supplements are not provided are encouraged to
consider the supplement most closely aligned to their organisational structure.
Supplements have been provided for the following sectors:
• municipalities;
• non-profit organisations;
• retirement funds;
• small and medium enterprises; and
• state-owned entities.

6. INTERNAL CONTROL
SOURCE REFERENCE:
ISA 265 “Communicating deficiencies in internal control to those charged with governance and management”
ISA 315 “Identifying and assessing the risk of material misstatement” (Revised)
ISA 330 “The auditor’s procedures in response to assessed risks”

6.1 THE DEFINITION OF THE SYSTEM OF INTERNAL CONTROL


The system of internal control is defined by ISA 315 (Revised) as the process
designed and effected by those charged with governance, management and
other personnel to provide reasonable assurance about:
• the achievement of the entity’s objectives with regard to the reliability of
  financial reporting;
• the effectiveness and efficiency of operations; and
• compliance with applicable laws and regulations.
Internal control is designed and implemented to address business risks that were
identified and that threaten the achievement of any of the above objectives.

6.2 THE COMPONENTS OF THE SYSTEM OF INTERNAL CONTROL


The system of internal control for purposes of the ISAs consists of the following
components:
• the control environment;
• the entity’s risk assessment process;
• the entity’s information system and communication;
• control activities; and
• the entity’s process to monitor the system of internal control.
The above components and how they relate to the financial statement audit
can be explained as follows:

6.2.1 The control environment


The control environment includes the governance and management functions
and the attitudes, awareness, and actions of management and those charged
with governance regarding internal control and its importance. The foundation
for effective internal control is the control consciousness of management and
others within the entity. Management should set the tone of an organisation by
having the right attitude towards control and by putting in place governance
and management structures.
The control environment encompasses the following elements:
• How management’s responsibilities are carried out, such as creating
  and maintaining the entity’s culture and demonstrating management’s
  commitment to integrity and ethical values
  The effectiveness of internal control can be linked directly to the level of
  organisational integrity of the entity. Management should demonstrate its
  commitment to organisational integrity and a code of ethics as
  recommended by the King Report on Corporate Governance, as discussed in
  this chapter. With regard to the financial statement audit, it is important
  that incentives and temptations to engage in dishonest, illegal or unethical
  behaviour, or to misstate the financial statements, be reduced or removed.
• How the entity attracts, develops, and retains competent individuals
  in alignment with its objectives
  Management should ensure that employees possess the necessary skills
  and competence required for a particular job. Standards should be set for
  recruiting the most qualified individuals, training should be guided by
  policies and practices, and promotions should be driven by periodic
  performance appraisals.
• How those charged with governance demonstrate independence from
  management and exercise oversight of the entity’s system of internal
  control
  Those charged with governance can significantly contribute towards the
  control consciousness of an entity. This will, however, only be achieved
  when they:
  • are independent from management;
  • have the necessary experience and stature;
  • are involved in the scrutiny of the entity’s activities;
  • take appropriate actions based on information that they receive on a
    timely basis;
  • are able to raise difficult questions with management; and
  • effectively interact with the internal and external auditors.
• How the entity assigns authority and responsibility in pursuit of its
  objectives
  This includes key areas of authority and responsibility and appropriate
  lines of reporting, and is therefore the framework within which the activities
  that will achieve the entity’s objectives are planned, executed, controlled
  and reviewed.
  The assignment of responsibility for operating activities and the
  establishment of reporting relationships and authorisation hierarchies are important
  components of an effective control environment. Policies should exist and
  communications should be directed at ensuring that all personnel
  understand the following:
  • the entity’s objectives;
  • how their individual actions interrelate and contribute to those
    objectives; and
  • how and for what they will be held accountable.
• How the entity holds individuals accountable for their responsibilities
  in pursuit of the objectives of the entity’s system of internal control
  It was already indicated that the competence of an entity’s personnel is an
  important component of the control environment. This component relates to
  how individuals are held accountable for performance of control
  responsibilities and how corrective action is taken where necessary. Human resources
  practices and policies should contribute to the achievement of competence
  through recruitment, orientation, training, evaluating, counselling,
  promoting, compensating and remedial actions.
  Employees should take leave regularly. Rotation of duties should be
  enforced and dishonest employees should be dismissed immediately.

6.2.2 Entity’s risk assessment process


From a financial reporting perspective, it is important that management
identifies business risks relevant to the preparation of the financial statements in
accordance with the entity’s applicable financial reporting framework,
estimates their significance, assesses the likelihood of their occurrence, and
decides upon actions to manage them.
Risk factors that could impact on the fair presentation of the financial
statements include the following:
• Changes in the regulatory or operating environments can lead to added
  competitive pressures and an added risk of material misstatements.
• New personnel may lack an understanding of the internal controls.
• Significant and rapid changes in information systems could lead to
  personnel being unfamiliar with the system and therefore making mistakes.
• Rapid growth and expansion of operations can put too much pressure on
  controls and therefore possibly lead to a breakdown in controls.
• New technologies may change the risks associated with the system of
  internal control.
• New business models, products or activities with which an entity has
  little experience may introduce new risks associated with the system
  of internal control.
• Corporate restructurings accompanied by staff reductions could
  negatively impact on segregation of duties.
• Expanded foreign operations could lead to risks related to foreign
  currency transactions.
• The use of IT may introduce further risks to the system of internal
  control.
• New accounting pronouncements may affect risks associated with the
  preparation of financial statements.
NOTE: Management should identify, assess and control all business risks.
Thus, controls should exist (as far as they are cost-effective) to
control all risks to the entity.
However, the auditors are only concerned with those risks affecting the
financial statements.

6.2.3 The information system and communication


Any information system consists of hardware, software, people, procedures
and data. (In manual systems, hardware and software will be absent.)
The elements of the information system that are relevant to financial reporting
consist of the procedures and records established to:
• initiate, record, process and report entity transactions and to maintain
  accountability for the related assets, liabilities and equity;
• resolve the incorrect processing of transactions;
• process and account for system overrides or bypasses to controls;
• transfer information from transaction processing systems to the general
  ledger;
• capture information relevant to financial reporting for events and
  conditions other than transactions; and
• ensure information required to be disclosed by the applicable financial
  reporting framework is accumulated, recorded, processed, summarised
  and appropriately reported in the financial statements.


6.2.4 Control activities


These comprise the techniques, methods and principles that are needed for the
application of the internal controls and consist of the following:
• Authorisation and approvals
  An authorisation by a higher level of management should affirm that the
  transaction is valid.
• Segregation of duties
  This comprises segregation:
  • between the functions of:
    – the initiation of transactions;
    – the authorisation of transactions;
    – the recording of transactions;
    – the safeguarding of assets; and
    – the reviewing of transactions/control over assets (e.g.
      comparison of recorded assets with the physical assets); and
  • in respect of departments/sections and individuals.
  The principle is that one individual should not be responsible for carrying
  out and recording a complete transaction. Proper segregation of duties
  will limit the risk of fraud and error and will increase the level of revision.
• Verification
  Verification compares two or more items with each other or with a policy
  and will require follow-up if the two items do not match or if they are
  inconsistent with the policy.
• Physical safeguarding
  This comprises control over:
  – the safeguarding of assets (against theft, elements, etc.);
  – access to assets to authorised persons only; and
  – stationery (see Stationery control).
• Document design
  Documents should be:
  • simple and easy to understand; and
  • sequentially numbered.
• Stationery control
  Control over stationery includes:
  • the use of a stationery register (sign for issuing and receipt of
    documents);
  • stationery must be safeguarded and properly locked away;
  • stationery must be pre-numbered in numerical sequence; and
  • supporting documentation should be cancelled after authorisation
    (sign/stamp).
• Comparisons, reconciliations and control accounts
  • maintain control accounts for important general ledger accounts (e.g.
    debtors, creditors, inventories);
  • reconciliations of general ledger accounts (balancing between
    supporting ledgers and general ledgers);
  • regular comparison between recorded and existing assets (e.g. cash
    counts and stock counts); and
  • use of suspense accounts and regular investigation of balances
    thereon.
• Insurance
  Maintain adequate insurance cover against theft and damage.
• Specific control techniques
  This represents the control techniques for the application of internal
  control in a specific application, and includes the following:
  • transactions should be supported by supporting documentation;
  • sequential pre-numbering of documents;
  • comparison/matching with:
    – external and internal source documentation; and
    – the accounting records;
  • authorisation;
  • control and batch totals, and batch control;
  • control accounts and reconciliations;
  • manual revision and control;
  • physical verification, inspection, reviewing;
  • overall review; and
  • computer controls (edit and validation checks).


6.2.5 The entity’s process to monitor the system of internal control


Management should regularly consider whether the controls are operating as
intended.
Monitoring of controls may include activities related to management
supervision and review. These comprise:
• authorisation of all transactions according to the general or specific
  authorisation of management;
• supervision of day-to-day transactions by senior responsible persons; and
• reviewing of all work done by an independent person.

6.3 INHERENT LIMITATIONS OF THE INTERNAL CONTROL SYSTEM


There are limitations that could lead to the controls not functioning effectively,
and thus increasing the control risk. The following are regarded as inherent
limitations:
• Only cost-effective controls can be implemented.
• Controls are usually directed at the routine transactions rather than
  non-routine transactions.
• Potential human error due to carelessness, distraction, errors of
  judgement, etc.
• The possible circumvention of controls through collusion with parties
  outside the entity or between employees within the entity.
• A person responsible for exercising a control could abuse that responsibility,
  for example a member of management overriding a control for his/her own
  benefit.
• Procedures may become inadequate because of changing circumstances,
  or the compliance with procedures may deteriorate.

6.4 OBJECTIVES OF INTERNAL CONTROLS


This represents the objectives that apply with regard to the different
applications of the accounting system. They include the broader objectives of
accuracy, completeness and validity, but are more detailed and specific.
The control objectives aim to ensure that all transactions are carried out
and recorded timeously, accurately and efficiently.
They consist of:

Validity: All recorded transactions are valid (actually occurred)
and are supported by sufficient documentation and evidence.
Authorisation: All transactions are authorised according to the general
and specific policies of management.
Completeness: All valid transactions are recorded and no transactions
are left out.
Accuracy (quantity, price, calculation): All transactions and transaction
documents are recorded at the correct quantity and price and are
arithmetically correct.
Recording: All transactions are recorded correctly.
Classification: All transactions are classified correctly (according to the
nature thereof).
Cut-off: All transactions are recorded timeously in the correct
financial period to which they relate.

The above-mentioned objectives will apply to any application, whether of a
revenue/expense or asset/liability nature. Some of the objectives may be more
or less important depending on the specific nature thereof.
The aim of the auditor during the investigation of the accounting and internal
control system can be deduced directly from the control objectives. That is
because the aims of the audit during the investigation of the system are to
determine whether the accounting records are relevant, complete and accurate.

6.5 INTERNAL CONTROLS IN A COMPUTERISED ENVIRONMENT


The control objectives and the control techniques apply equally to a
computerised accounting system. The processing capability of the computer,
however, gives an additional opportunity to exercise control through
programmed controls (e.g. matching, sequential numbering, batch control,
control totals, edit checks, etc.). The user (manual) controls, however,
remain just as applicable and important, as in the case of a manual system.
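
The programmed controls named above (sequential numbering, matching, a control total and edit checks) can be run over a batch of credit sales as follows. This is an added example, not part of the handbook; the record layouts, field names, price list and sample batch are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class DeliveryNote:
    number: int            # sequentially pre-numbered document
    item: str
    quantity: int
    client_signed: bool    # client acknowledges receipt of the goods


@dataclass(frozen=True)
class Invoice:
    number: int
    delivery_note: int     # cross-reference used for matching
    item: str
    quantity: int
    unit_price: Decimal
    total: Decimal


# Constructed master file standing in for the official price list.
PRICE_LIST = {"WIDGET": Decimal("12.50"), "GASKET": Decimal("3.20")}


def missing_numbers(numbers):
    """Sequence check: numbers absent from the range actually used."""
    used = set(numbers)
    if not used:
        return []
    return [n for n in range(min(used), max(used) + 1) if n not in used]


def run_controls(delivery_notes, invoices, declared_batch_total):
    """Return an exception report as (objective, reference, detail) tuples."""
    exceptions = []
    dn_by_no = {dn.number: dn for dn in delivery_notes}
    invoiced = {inv.delivery_note for inv in invoices}

    # Sequential numbering: gaps in either series need follow-up.
    for n in missing_numbers(dn_by_no):
        exceptions.append(("completeness", f"DN{n}", "missing delivery note number"))
    for n in missing_numbers(inv.number for inv in invoices):
        exceptions.append(("completeness", f"INV{n}", "missing invoice number"))

    # Matching: every delivery note on file must have been invoiced.
    for n in sorted(set(dn_by_no) - invoiced):
        exceptions.append(("completeness", f"DN{n}", "delivery note not invoiced"))

    for inv in invoices:
        ref = f"INV{inv.number}"
        dn = dn_by_no.get(inv.delivery_note)
        # Matching: an invoice needs a signed delivery note behind it.
        if dn is None or not dn.client_signed:
            exceptions.append(("validity", ref, "no signed delivery note"))
        elif (dn.item, dn.quantity) != (inv.item, inv.quantity):
            exceptions.append(("accuracy", ref, "item or quantity differs from delivery note"))
        # Edit checks: price per master file and arithmetic accuracy.
        if PRICE_LIST.get(inv.item) != inv.unit_price:
            exceptions.append(("accuracy", ref, "price not per official price list"))
        if inv.quantity * inv.unit_price != inv.total:
            exceptions.append(("accuracy", ref, "arithmetic error on invoice"))

    # Control total: the total declared on the batch header must agree
    # with the sum of the invoices actually captured.
    computed = sum((inv.total for inv in invoices), Decimal("0"))
    if computed != declared_batch_total:
        exceptions.append(
            ("accuracy", "BATCH", f"control total {declared_batch_total} != {computed}")
        )
    return exceptions


# Constructed sample batch with deliberate exceptions.
DELIVERY_NOTES = [
    DeliveryNote(1001, "WIDGET", 10, True),
    DeliveryNote(1002, "GASKET", 5, True),
    DeliveryNote(1004, "WIDGET", 2, True),    # 1003 is missing from the sequence
    DeliveryNote(1005, "GASKET", 8, False),   # not signed by the client
]
INVOICES = [
    Invoice(5001, 1001, "WIDGET", 10, Decimal("12.50"), Decimal("125.00")),
    Invoice(5002, 1002, "GASKET", 6, Decimal("3.20"), Decimal("19.20")),
    Invoice(5003, 1005, "GASKET", 8, Decimal("3.00"), Decimal("24.00")),
    Invoice(5005, 1009, "WIDGET", 1, Decimal("12.50"), Decimal("15.00")),
]
DECLARED_BATCH_TOTAL = Decimal("168.20")

if __name__ == "__main__":
    for objective, ref, detail in run_controls(DELIVERY_NOTES, INVOICES, DECLARED_BATCH_TOTAL):
        print(f"{objective:<13}{ref:<9}{detail}")
```

Each exception is tagged with the control objective it relates to, so the report can be routed for the user (manual) follow-up that the programmed check does not replace.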


6.6 DOCUMENTATION AND THE FLOW OF INFORMATION


This represents the flow of information and the basic documentation involved.

1. Sales and receipt cycle

Sales
Sales order → Internal sales order → Delivery note
• Sales order: in writing
• Internal sales order: quantity, price, etc.; authorisation; credit control
• Delivery note: gate control; client signs

Invoice → Sales journal/cash book → General ledger
• Invoice: from delivery note; match with the delivery note
• numerical sequence

Sales returns
Receiving → Goods received note (GRN) → Credit note
• Receiving: count, etc.
• GRN: quantity
• Credit note: authorised; GRN, etc.
• sign

Payments
Receipts → Cash summary → Deposit slip → Cash book

2. Purchase and payment cycle

Purchases
Requisition → Order → Receiving
• Requisition: authorised
• Order: in writing; authorised; long outstanding orders followed up
• Receiving: separate department; count, inspect, etc.; two persons;
  compare with the order

GRN → Delivery note → Invoice
• GRN: signed
• Delivery note: match with the GRN and the goods
• Invoice: match with the order/GRN/delivery note

Purchase journal/cash book → General ledger

Purchase returns
Return note → Credit note → Purchase journal
• Return note: supplier sign
• Credit note: authorised
• supporting documentation

Payments
Cheque requisition/EFT payment → Cheque/EFT payment → Receipts
• Cheque requisition/EFT payment:
  • supporting documentation: invoice, GRN, delivery note, order
  • cancelled after authorisation
  • signed/approved by two signatories
• Cheque/EFT payment:
  • crossed
  • two signatories or people to authorise EFT
  • independently mailed


6.7 INTERNAL CONTROLS WITHIN THE BUSINESS CYCLES


Below is an overview of possible controls and tests of controls to be
implemented in the different cycles. This should not be regarded as an absolutely
complete “guide” of all possibilities. The controls within a cycle can differ,
depending on the specific circumstances and risks that exist.
NOTE:
1. In a computerised system many of the controls listed below will be
   performed by the computer, for example edit checks, validation
   checks and computations.
2. Many of the control procedures listed below will cover more than
   one objective (e.g. accuracy and validity).

6.7.1 Sales and receipt cycle


This includes credit sales, returns, payments received from debtors and cash
sales.
Risks
• Fictitious sales recorded (validity);
• Sales/deliveries are not invoiced/recorded (completeness);
• Sales are made to risky clients (authorisation and validity);
• Incorrect prices/quantities and incorrect calculations on invoices
  (accuracy);
• Cut-off problems on month/year-end (cut-off);
• Incorrect classification in terms of nature, account, period (classification);
• Excessive bad debts (management control);
• Rolling of debtors’ payments (validity);
• Unauthorised write-off of debtors (authorisation).
Documentation (flow of information)
• Orders from clients;
• Credit sales (internal sales order);
  • price, quantity;
  • authorised for credit-worthiness;
• Delivery notes (client must sign these to acknowledge receipt);
• Invoices;
• Sales journal;
• Debtor’s account in the debtors ledger;
• Debtors control account in the general ledger;
• Monthly statements + payment advices;
• Mail register;
• Receipts.

• CREDIT SALES

Control objective
Validity: All recorded sales are valid (actually occurred) and are supported by
appropriate documentation.
Control procedure
• All entries in the sales journal are supported by an internal sales order,
  delivery note and invoice.

Control objective
Authorisation: All credit sales are authorised according to company policy
(creditworthy).
Control procedure
• Credit limits are determined for all credit clients after checking their
  credit-worthiness.
• No credit granted for non-creditworthy clients, or guarantees are required.
• An internal sales order is made out on receipt of the client’s order which:
  – is sequentially numbered;
  – specifies the quantity ordered;
  – contains the prices of goods per official price list;
  – is authorised by the credit manager.
• The sales manager authorises credit sales daily – signs duplicate invoice as
  authorisation.
• After the sale has been authorised, a delivery note is prepared, which:
  – is numerically numbered;
  – fully describes the quantity and the goods;
  – is signed by the client as acknowledgement of receipt of the goods.
• Gate control: Guard counts goods and agrees it with the delivery note.

NOTE: Internal sales orders are not issued in some businesses – the
above controls are then directly performed on the sales invoice.

Control objective
Completeness: All valid sales are recorded, and nothing is left out.
Accuracy: All sales are recorded on sales invoices at the correct quantity,
price and are arithmetically correct.
Recording: All sales invoices are correctly recorded.
Control procedure
• All delivery notes are:
  – sequentially numbered;
  – recorded in a register for matching with the invoice.
• On receipt of a signed delivery note, a numerical invoice is made out and
  marked off in the register.
• All unmatched delivery notes (in the register) are frequently followed up.
• A numerical list of delivery notes and invoices is frequently produced and
  missing numbers are frequently followed up by a senior person.
• The quantities on the invoices are obtained from the delivery note.
• The price on the invoice is obtained from the official price list (master file).
• Calculations are checked by an independent person (edit checks).
• The sales journal is recorded from the sales invoices.
• Sales journal sales are posted to:
  – the individual debtor’s account in the debtors ledger;
  – the total sales to the debtors control account and the sales account in the
    general ledger.

Control objective
Classification: All sales are correctly classified according to the nature
thereof.
Control procedure
• The debtors control account is reconciled monthly with the debtors ledger.
• External and internal sales (intercompany) are classified as such, clearly
  distinguished by a code number, recorded on separate documentation and are
  separately recorded.
Cut-off: All sales transactions (invoices) are • Invoices are made out from the delivery
accounted for in the correct accounting period. notes i.r.o. the date of delivery.
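
The register matching, missing-number follow-up and invoice checks in the credit sales controls above can be run as one exception report. The following is an added example, not part of the handbook: the record layouts, field names and all sample data are constructed assumptions, and amounts are held in cents.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DeliveryNote:
    number: int
    item: str
    quantity: int
    signed_by_client: bool


@dataclass(frozen=True)
class Invoice:
    number: int
    delivery_note: Optional[int]  # delivery note the invoice was made out from
    item: str
    quantity: int
    unit_price_cents: int
    total_cents: int


def missing_numbers(numbers):
    """Return the gaps in a sequentially numbered document series."""
    present = set(numbers)
    if not present:
        return []
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def review_credit_sales(delivery_notes, invoices, price_list):
    """Return lists of document numbers that need follow-up by a senior person."""
    notes = {d.number: d for d in delivery_notes}
    invoiced = {i.delivery_note for i in invoices}
    exceptions = {
        # Completeness: gaps in the numerical sequences and unmatched register entries.
        "missing_delivery_notes": missing_numbers(notes),
        "missing_invoices": missing_numbers(i.number for i in invoices),
        "unmatched_delivery_notes": sorted(n for n in notes if n not in invoiced),
        # Validity: every invoice must be supported by a signed delivery note.
        "invoices_without_delivery_note": [],
        "invoiced_before_client_signed": [],
        # Accuracy: quantity per delivery note, price per price list, arithmetic.
        "quantity_differences": [],
        "price_differences": [],
        "calculation_errors": [],
    }
    for inv in sorted(invoices, key=lambda i: i.number):
        note = notes.get(inv.delivery_note)
        if note is None:
            exceptions["invoices_without_delivery_note"].append(inv.number)
        else:
            if not note.signed_by_client:
                exceptions["invoiced_before_client_signed"].append(inv.number)
            if (note.item, note.quantity) != (inv.item, inv.quantity):
                exceptions["quantity_differences"].append(inv.number)
        if price_list.get(inv.item) != inv.unit_price_cents:
            exceptions["price_differences"].append(inv.number)
        if inv.quantity * inv.unit_price_cents != inv.total_cents:
            exceptions["calculation_errors"].append(inv.number)
    return exceptions


# Constructed sample data (not from the handbook).
SAMPLE_PRICE_LIST = {"WIDGET": 1500, "BOLT": 250}
SAMPLE_DELIVERY_NOTES = [
    DeliveryNote(101, "WIDGET", 10, True),
    DeliveryNote(102, "BOLT", 100, True),
    DeliveryNote(104, "WIDGET", 5, True),    # 103 is missing from the register
    DeliveryNote(105, "BOLT", 20, False),    # client has not signed
]
SAMPLE_INVOICES = [
    Invoice(5001, 101, "WIDGET", 10, 1500, 15000),
    Invoice(5002, 102, "BOLT", 90, 250, 22500),    # quantity differs from note 102
    Invoice(5004, 105, "BOLT", 20, 200, 4000),     # price differs from price list
    Invoice(5005, 110, "WIDGET", 1, 1500, 1600),   # no such delivery note; bad total
]

if __name__ == "__main__":
    report = review_credit_sales(SAMPLE_DELIVERY_NOTES, SAMPLE_INVOICES, SAMPLE_PRICE_LIST)
    for finding, numbers in report.items():
        print(f"{finding}: {numbers}")
```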

RETURNS

Validity: All recorded sales returns are valid and are supported by appropriate documentation.
• All entries in respect of sales returns in the sales journal are supported by:
  – a credit request from the client;
  – a GRN (i.r.o. returns);
  – other supporting documentation (price corrections), etc.
  – a credit note.

Authorisation: All credit notes for sales returns are authorised in accordance with the company policy.
• For all sales returns the following are prepared:
  – an internal numerical credit request which is supported by supporting documentation;
  – a numeric credit note which is authorised by a senior official (supporting documentation cancelled).

Completeness: All valid credit notes are accounted for.
• Credit notes are numerically accounted for.
• A list of numeric credit notes is regularly produced – missing numbers are followed up by a senior official.

Accuracy: Purchases returns are recorded on credit notes at the correct amount, quantity and are arithmetically correct.
• Credit request is supported by the original invoices.
• The quantity of goods returned on the credit note is supported by a GRN.
• Incorrect pricing on invoices is supported by the correct price per price list.
• Calculations are independently checked.
• The sales journal in respect of sales returns is recorded from the credit note.

Recording: All credit notes are correctly recorded.
• From the sales journal sales returns are posted to:
  – the individual debtor's accounts;
  – the total to the sales account and debtors control account in the general ledger.

Classification: Sales returns per credit note are correctly allocated to the correct account and to the correct period.
• Credit notes are matched and allocated to the original invoice in the:
  – debtor's account (statement);
  – age analysis.

Cut-off: Sales returns per credit notes are recorded against the date of the original sales transactions per sales invoice.
• A provision is made for credit notes issued after year-end for sales made before year-end.

PAYMENTS FROM DEBTORS

Validity: All payments and discount on debtors' accounts are valid and are supported by appropriate documentation.
• Payments on debtors' accounts are supported by:
  – a payment advice;
  – a receipt;
  – cash receipt summary and deposit slip.

Authorisation: All credit adjustments, for example credit notes, discounts, etc., are authorised according to company policy.
• Settlement discounts are granted according to fixed company policy.
• Management monitors discounts granted.

Completeness: All valid payments received from debtors are recorded.
• All payments received via mail are recorded in a mail register.
• Payments received through EFTs should be matched to the appropriate debtor which should be supported by EFT proof of payment from debtor (and then recorded with the date received on the bank statement).
• Numeric receipts are issued in respect of all money received.
• A daily cash receipt summary is prepared, balanced with cash and independently reviewed.
• A debtors’ control account is kept and is regularly reconciled with the debtors’ ledger.

Accuracy: All payments and discounts accounted for at the correct amount, discounts are accurately calculated.
• Discounts granted are independently reviewed.
• Calculations are independently reviewed.

Recording: All payments and discounts are correctly recorded.
• Payments allocated to debtor's account and accounting period according to the payment advice.

Classification: All payments and discounts correctly classified to the correct account and in the correct period.
• Debtors’ statements are sent out regularly and differences and errors on statements are immediately independently followed up.

Cut-off: Payments and discounts are recorded in the correct period to which they relate.
• Payments and discounts are recorded on the date of receipt.

CASH SALES
Additional documentation
• Cash sales invoices
• Cash register slips
• Cash receipt summary
• Cash book

Validity: All recorded sales are valid and supported by sufficient documentation.
• Daily cash sales in the general ledger account are supported by:
  – a daily cash receipt summary;
  – cash sale invoices;
  – cash register slips; and
  – proof of payment of EFT.

Authorisation: Cash discounts are given in terms of the company’s approved policy.
• Fixed company policy for cash discounts.

Completeness: All valid cash sales are recorded and nothing is left out.
• Premises lay-out must be such that customers can't leave without passing the cash register.
• Guard checks goods to cash invoice/cash slip.
• Cash sales invoices recorded numerically.
• A daily cash summary is prepared, consisting of the amount and the number of the sales invoices.
• At the end of each day:
  – cashiers' money is independently counted and agreed with the summary and deposit slip;
  – a summary is compared with the physical sales invoices and the amounts are agreed.
• A list of numerical sales invoices is prepared, and missing numbers are followed up.

Accuracy: Cash sales recorded from cash sales invoices at the correct quantity amount and is arithmetically correct.
• Cash invoices are reviewed by an independent official.
• For cash sale invoices:
  – price obtained from price list;
  – the quantities are physically counted by the sales personnel/cashier.
• The calculations and prices are checked independently by a second official.

Recording: All cash sales are correctly recorded.
• From the cash summary, sales are posted to ledger accounts:
  – control ("clearing") account; and
  – to cash sales account in the ledger.
• “Clearing” or “suspense” account is used for cash sales.
  – It is posted from a cash summary or list of invoices and the deposit slip.
• Any balance on the account must be investigated and corrected.

Classification: Cash sales are correctly classified according to their nature.
• Cash sales are recorded separately from credit sales – distinguish via code number.

Cut-off: Cash sales are recorded at the date of sale.
• Sale is recorded at the date of sale.

GENERAL PRINCIPLES/CONTROLS

The control environment should support the control procedures.
• Supervision and review.
• Segregation of duties.
• Rotation of duties.
• Personnel take leave regularly.
• Management control.
• Internal audit.
• Sufficient stationery control.

6.7.2 Purchase and payment cycle


This includes credit purchases, returns, payments of creditors, and cash
purchases.
Risks
• Orders:
  – not properly authorised;
  – not carried out timeously;
  – wrong goods ordered;
  – not at best prices/conditions.
• Goods received:
  – not recorded (stock, purchases, creditors) or not accurately recorded.
• Payments made:
  – for goods not received;
  – at wrong prices;
  – discounts not used.
Documentation (flow of information)
• Requisitions;
• Orders;
• Goods received notes (GRN);
• Delivery notes;
• Invoices;
• Credit requests and credit notes;
• Purchase journal;
• Creditor’s account in the creditors ledger;
• Creditor’s control account in the general ledger and reconciliation thereof;
• Creditor’s statements;
• EFT requisitions/payment advices.
PURCHASES (CASH AND CREDIT)
Control objective / Control procedure

Validity: All recorded purchases are valid and supported by proper documentation.
• All entries in the purchases journal (and in the cash book in respect of cash purchases) are supported by:
  – EFT requisitions, orders, delivery note, GRN, invoices, creditor's statement.
• Any changes that are made to the payee information on the banking system should be accompanied by supporting documentation to support the change.
• A payment requisition is generated when stock decreases to re-order level (computer/storeman).

Authorisation: All purchases are authorised according to company policy.
• No goods delivered are accepted if a valid order for them doesn't exist.
• Separate goods receiving section where goods are received.
• Orders are prepared by buyers who request quotations/compare prices.
• Orders are authorised by the purchase manager and supporting documentation is cancelled (or authorised via computer).
• For all EFT payments the following controls should be in place:
  1. There should be two authorised personnel releasing the payment.
  2. Both of which should not be the same person who loads the EFT.
  3. All supporting documentation (i.e. EFT requisition, supplier invoice and any other documentation) should be provided to the two authorisers for release once the payments have been loaded.
  4. Release levels should be in place, therefore e.g. Release A can release payment for any amount more than R1 million and release B only authorised to release payments below R1 million.
• Ensure that all authorised persons who have access to the online banking system have a unique username and password and that the password is changed monthly.

Completeness: All valid purchase transactions are recorded and nothing is left out.
• Two persons inspect goods on receiving for quantity and quality, and prepare a GRN.
• The GRN is matched with the delivery note, short deliveries are indicated on a delivery note and a credit request is made out.
• A register is kept of unmatched invoices and is regularly followed up by the senior buyer.
• The GRN is matched with the invoice and is thereafter recorded in the purchase journal.
• All requisitions, orders and GRN are recorded numerically and missing numbers are followed up.

Accuracy: All orders are carried out accurately. All purchase transactions are accurately recorded at the correct quantity, at the correct amount and are arithmetically correct.
• The purchase invoice is independently checked before recording it in the purchase journal and the following is done:
  – prices: compared with orders/price list;
  – quantity: GRN;
  – accounting accuracy checked.

Recording: All purchase transactions are correctly recorded.
• The purchase journal is updated from the purchase invoices.
• From the purchase journal purchases are posted to:
  – creditor's accounts in the creditors ledger;
  – purchase and creditors control account in the general ledger.
• Stock records are updated from the GRN.
• The creditors control account is kept up to date and regularly reconciled with the list of creditors.
• Ensure that only the authorised personnel can load a new payee on the online banking system, as well as make changes to the payee details.

Classification: All purchase transactions are correctly classified according to the nature thereof.
• Intergroup purchases clearly distinguished by a code number and separately recorded.

Cut-off: All purchase transactions are recorded in the correct accounting period.
• Purchase journal updated from invoices in respect of the date of delivery.
• A provision is made at year end in respect of purchases not yet invoiced.
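
The four EFT release controls listed under Authorisation above can be tested against a batch of loaded payments before release, or afterwards from the banking system's audit trail. The following is an added example, not part of the handbook: the user names, document labels, finding codes and sample payments are constructed, and it assumes that a level A releaser is unrestricted and that a payment of exactly R1 million needs level A.

```python
from dataclasses import dataclass

# Assumption: level B may release only amounts strictly below this limit.
LEVEL_B_LIMIT_RAND = 1_000_000
REQUIRED_DOCUMENTS = {"eft_requisition", "supplier_invoice"}


@dataclass(frozen=True)
class EftPayment:
    reference: str
    amount_rand: int
    loaded_by: str
    released_by: tuple      # user names that released the payment
    documents: frozenset    # supporting documents given to the releasers


def check_release(payment, releasers):
    """Return finding codes for one payment; an empty list means no exception.

    `releasers` maps each authorised releaser's user name to release level "A" or "B".
    """
    findings = []
    distinct = set(payment.released_by)
    # Control 1: two authorised personnel release the payment.
    if len(distinct) < 2:
        findings.append("TWO_RELEASERS")
    # Control 2: neither releaser is the person who loaded the EFT.
    if payment.loaded_by in distinct:
        findings.append("LOADER_RELEASED")
    # Control 3: supporting documentation is provided to the releasers.
    if not REQUIRED_DOCUMENTS <= set(payment.documents):
        findings.append("MISSING_DOCUMENTS")
    # Releasers must be on the list of authorised users with unique user names.
    if distinct - set(releasers):
        findings.append("UNKNOWN_RELEASER")
    # Control 4: release levels limit what a level B user may release.
    if payment.amount_rand >= LEVEL_B_LIMIT_RAND and any(
        releasers.get(user) == "B" for user in distinct
    ):
        findings.append("RELEASE_LEVEL")
    return findings


def review_batch(payments, releasers):
    """Return {reference: findings} for every payment with at least one finding."""
    report = {}
    for payment in payments:
        findings = check_release(payment, releasers)
        if findings:
            report[payment.reference] = findings
    return report


# Constructed sample data (not from the handbook).
ALL_DOCS = frozenset(REQUIRED_DOCUMENTS)
SAMPLE_RELEASERS = {
    "fin_manager": "A",
    "fin_director": "A",
    "accountant": "B",
    "creditors_supervisor": "B",
}
SAMPLE_PAYMENTS = [
    EftPayment("P1", 250_000, "creditors_clerk", ("accountant", "creditors_supervisor"), ALL_DOCS),
    EftPayment("P2", 1_500_000, "creditors_clerk", ("fin_manager", "accountant"), ALL_DOCS),
    EftPayment("P3", 80_000, "accountant", ("accountant", "creditors_supervisor"),
               frozenset({"eft_requisition"})),
    EftPayment("P4", 40_000, "creditors_clerk", ("fin_manager", "fin_manager"), ALL_DOCS),
    EftPayment("P5", 10_000, "creditors_clerk", ("fin_manager", "temp_user"), ALL_DOCS),
    EftPayment("P6", 1_000_000, "creditors_clerk", ("accountant", "creditors_supervisor"), ALL_DOCS),
]

if __name__ == "__main__":
    for reference, findings in review_batch(SAMPLE_PAYMENTS, SAMPLE_RELEASERS).items():
        print(reference, findings)
```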

RETURNS
Control objective / Control procedure

Validity: All purchase returns are valid and supported by proper documentation.
• Purchase returns in the purchase journal are supported by credit requests and credit notes.

Authorisation: All credit requests are authorised according to company policy.
• In respect of all damaged goods, shortage delivery, wrong prices, etc., a sequentially numbered credit note is issued.
• Credit request recorded numerically and regularly matched with credit notes.

Completeness: All credit requests are carried out. All credit notes are recorded.
• Unmatched requests regularly followed up by senior official.

Accuracy: All credit requests are correctly completed. All credit notes are accurately recorded at the correct quantity and amount and are arithmetically correct.
• Purchases invoices are matched with the GRN, and price lists and credit requests are made out for differences.
• All credit notes received are matched with credit request in respect of quantity and amount.

Recording: All credit notes are accurately recorded.
• Credit notes are matched with original invoice and recorded on the date of the invoice. Match selected purchase returns per credit note with the invoice and follow it through to the entry in the accounting records.

Classification: All purchase returns are classified and recorded against the original purchase invoice and creditor's account.
• Purchase returns are recorded in the purchase journal from the credit notes.
• From the purchase journal returns are posted to the individual creditor's account and ledger accounts.

Cut-off: Purchase returns are recorded at the date of the original purchase.
• See controls above.

PAYMENTS
Control objective / Control procedure

Validity: All payments on creditors' accounts are valid and are supported by proper documentation.
• Creditor payments supported by:
  – an EFT/cheque payment requisition;
  – a creditor statement;
  – a creditors reconciliation;
  – a purchase order, GRN, delivery note, invoice.

Authorisation: All payments are authorised according to company policy.
• All payments made to creditors done by means of a cheque requisition/EFT which is authorised by a senior official.

Completeness: All payments are correctly recorded.
• Two signatories check and cancel supporting documentation.

Accuracy: Payments are made at the correct amount and are arithmetically correct.
• Creditors control account is kept up to date in the general ledger and regularly reconciled with the creditors ledger.
• Payment advices recorded numerically (according to cheque numbers where applicable) and missing numbers followed up.
• EFT requisition forms should also be sequentially numbered accordingly.
• Individual creditors’ reconciliations are prepared and serve as supporting documentation for payments.
• All calculations are checked by an independent person.

Recording: All payments are correctly recorded.
• Payments are posted from the payments advice to the individual creditors' account and the total to the control account.
• Payments are posted from the cheque to the cash book and the total to the control account.

Classification: All payments classified to the correct creditor's account.
• Payments coded according to the creditor's number and posted on date of cheque.
• Second independent person checks codes and date of payment.

Cut-off: All payments recorded at date of payment per payment advice and date of cheque.
• See tests above.

GENERAL CONTROLS
Control objective / Control procedure

The control environment should support the application of controls.
• Supervision and review;
• Segregation of duties;
• Rotation of duties;
• Personnel should regularly take leave;
• Internal audit;
• Proper stationery control.

6.7.3 Wages and salaries


Wages and salaries are usually a very material expense for most businesses.
This, together with the fact that many businesses pay wages in cash, requires
an effective internal control system to prevent fraud and errors.
Risks
• Unauthorised payments in respect of:
  – fictitious (ghost) employees;
  – for time not worked (normal and overtime);
  – at faulty wage rates.
• Unauthorised changes to master file data (e.g. wage rate, deductions) in a computerised environment.
• Errors in calculation of wages and deductions (on payroll).
• Irregularities in respect of unclaimed wages.
Documentation (flow of information)
• Appointment (permanent file):
  – application for work;
  – letter of appointment;
  – personal information (IRP2, bank details, etc.);
  – copies of certificates (qualifications) etc.;
  – authorisation of deductions (pension, medical aid, unions, etc.).
• Timekeeping:
  – clock cards (normal and overtime) or transaction file maintained by the computer;
  – schedule of time worked kept by foreman.
• Record of wages:
  – payroll: time and wage rates (master file);
  – wage cheque and cheques in respect of deductions;
  – wage packets.
• Unclaimed wages:
  – marked as unclaimed on payroll;
  – recorded in a register.
INTERNAL CONTROL OBJECTIVE
Validity:
– Wages paid are valid for hours actually worked, are at the correct wage rate, and are supported by sufficient documentation.
– Wages are paid to valid employees employed by the business (not fictitious).
Authorisation:
– All access to personnel and payroll records should be controlled.
– All appointments are authorised according to company policy.
– All payments for normal and overtime as well as fringe benefits are authorised according to company policy.
– All payments in respect of deductions are authorised according to company policy.
Completeness: All valid time worked is recorded and paid.
Accuracy:
– All time worked is accurately recorded on the payroll at the correct hours and wage rates.
– All deductions are recorded accurately on the payroll.
Recording: All payroll transactions for wages and deductions are correctly recorded.
Classification: Wages are classified according to the nature thereof (e.g. wages for hours worked in constructing fixed assets are capitalised as part of the cost of the asset).
Cut-off: All wages and deductions are recorded in the accounting period to which they relate.

INTERNAL CONTROLS OVER WAGES


1. General principles
– Proper segregation of duties between:
* appointment, dismissal, recording of time, pay-out of wages, safe-guarding of unclaimed wages, maintenance of permanent personnel records.
– Reviewing of work:
* internal audit/senior management that regularly attends wage
pay-outs;
* wages on payroll checked and agreed with valid supporting
documents;
* independent review of work done within the wage section.
– Access to time, personnel and wages records controlled and
limited to authorised persons.
– Personnel working with wages:
* should be competent/have integrity;
* regularly take leave;
* where possible, rotate duties.
– Proper job descriptions of personnel, and provision should be
made for performance of duties in absence of an employee.
– Proper stationery control:
* clock cards, payroll, cheques, wage packets, unclaimed
wages.
– Insurance:
* against theft and fraud.
– Management control by regularly comparing wage expenses with
budgets (budgetary control).
2. Appointment and dismissals
– Interviews with applicants: head of department in which applicant
is going to work should also be present.
– Application form, letter of appointment, IRP2, authorisation in
respect of deductions.
– All appointments and dismissals/resignations should be authorised and approved by a senior official on supportive documentation.
3. Time keeping
– Clock cards
* should be numerically accounted for;
* should be issued by the personnel department (prepared from personnel records/master file);
* kept at clock machine (under supervision, not with the employees).
– Clock procedures
* clock situated at entrance – personnel may not leave premises without clocking in/out;
* supervision over clock (prevent employees from clocking in for absentees).
– Foreman:
* should keep record of personnel present and time worked;
* should approve clock cards in respect of time worked (sign);
* the foreman's clock card should be approved by a senior
official (e.g. factory manager).
– Overtime:
* should be authorised according to company policy – for example, the factory manager signs clock cards (or if applicable the foreman);
* the foreman's overtime is authorised by the factory manager.
4. Preparation of payroll
– the time on the payroll is obtained from the clock card (or computer-transaction file);
– the wage rates, deductions are obtained from personnel records
(or master files);
– the calculations should be reviewed by an independent person
(e.g. one wage clerk checks another one’s work/edit checks);
– a cheque requisition should be prepared in respect of wages and
deductions;
– all personnel should sign payroll as proof of functions performed.
5. Wages cheque and make-up of pay packets
– The wages cheque/EFT request together with the current and previous payroll and supportive documentation in respect of appointments, dismissals and increases should be presented to the cheque signatories for authorisation.
– The EFT/wage cheque should be signed by two signatories, one of whom must be senior management:
* compare payroll with wages cheque;
* compare current payroll/EFT request with previous payroll/EFT request and check the validity of all changes to supportive documentation;
* sign/stamp payroll and documentation (cancel after approval).

– Wages cheque cashed at bank:
* by two or more persons;
* not at regular times/routes;
* preferably make use of security company to do wage pay-outs.
– Make-up of wage packets:
* preferably done by independent persons not involved with the
preparation of the pay-roll;
* the wage details should appear on the wage-packet (gross
wage, deductions);
* the money in the wage-packet should be independently
reviewed.
– Wage/Salary payments made through EFT:
* ISO form (confirmation of banking details) needs to be provided to the payroll administrator.
* Employee must sign the information given to the payroll administrator as proof of validity of the information given.
* The letter provided should have a bank stamp to verify the employee's banking details.
* Each month all new employees and/or changes to the employee details are checked and loaded by the payroll administrator.
* All of the above needs to be reviewed by the financial manager or another independent person with all the supporting documentation.
* Any additional payments that are required to be made other than salary or wages should be accompanied by a request form signed by the wage officer/administrator or HR administrator in order to ensure payment is authorised accordingly.
6. Pay-out
– Should be done by personnel not involved with make-up of wages;
– Foreman identifies employees (pay-out not done by himself):
* the employees sign payroll as proof of receipt;
* the foreman signs payroll after pay-out as proof of supervision
and identification of employees.


7. Unclaimed wages
– Should be noted on the payroll;
– Should be paid over to the cashier:
* who signs the payroll as proof of receipt;
* recorded in the register;
* banks it after ± 2 weeks.
– On pay-out employee should:
* identify himself (ID, etc.);
* sign register as proof of receipt.
INTERNAL CONTROL OVER SALARIES
Salaries, in contrast to wages, are paid by cheque (and are normally not for work paid per hour).
– The same internal control principles as for wages are applicable.
– The same principles as for wages will apply to appointments, personnel records, etc.
– The only difference is that a salary register (which will frequently be a fixed salary in contrast to wages which are based on hours worked) will be kept instead of a wage register.
– The salary register should still be authorised in respect of salaries, overtime, bonuses, deductions, etc.

6.7.4 Fixed assets


Risks
• Theft/unauthorised use of assets;
• Physical damage to assets;
• Erroneous/non-recording of assets.
Documentation
• Fixed assets register;
• General ledger accounts: fixed assets, depreciation;
• Minutes (authorisation for purchases and sales);
• Capital budgets;
• Fixed asset requisitions;
• Invoices (purchases, sales).

Control objective / Control procedure

Validity: All recorded assets are valid (really exist) and are supported by proper documentation.
• All purchases of fixed assets are supported by a fixed asset requisition and capital budget.
• Recorded assets are periodically compared to physical assets by an independent senior official.

Authorisation: All purchases and sales are authorised according to company policy.
• Purchases and sales of fixed assets are:
  – authorised by senior management on a numerical, capital requisition/request/sales document;
  – authorisation/decision recorded in minutes.

Completeness: All valid fixed assets are recorded and nothing is left out.
• Capital requisitions are numerically accounted for.
• The list of missing numbers is regularly followed up.

Accuracy: All fixed assets are recorded at the correct amount and are arithmetically correct.
• Fixed assets are recorded in a fixed assets register and are regularly compared with fixed assets (see also test under validity).
• Fixed assets are recorded at the amount of the invoice.
• Depreciation and other calculations are done by computer with a program which has been tested beforehand (if per hand, independently reviewed).

Recording: All transactions in respect of fixed assets and depreciation are correctly recorded.
• All purchases and sales of fixed assets are recorded in the fixed asset ledger accounts (control account) and fixed assets register from the source documents.
• The fixed assets register is reconciled with the control accounts in the ledger regularly.

Classification: All transactions in respect of fixed assets are correctly classified according to their nature.
• Fixed assets are classified into the respective categories according to company policy.
• Improvements are capitalised as fixed assets and clearly distinguished from maintenance (and vice versa).

Cut-off: All purchases and sales of fixed assets are recorded in the period to which they relate.
• Fixed assets purchased are recorded at the date of receipt (per GRN) and when sold as from the date that the risks and reward of ownership pass to the purchaser.

General: Assets are properly safeguarded against theft and the elements.
• A fixed assets register is kept, with fixed assets that are numbered, and regular independent physical inspections of assets take place, and compared to the register.
• Fixed assets are as far as possible stored in permanent form (bolted).
• Set company policy regarding the use of the company’s assets.
• Asset must be adequately insured.
• Safeguard:
  – access to assets is limited to authorised persons (locked, key control, etc.)
  – against physical elements (rain, weather, etc.).


6.7.5 Inventory
A major part of the activities in respect of inventory was already covered under
the purchases and sales cycles, for example:
• inventory received on purchasing;
• inventory issued on selling.
Additional controls are listed below regarding the safeguarding and the
recording of inventory.
Risks
• Theft of inventory;
• Obsolescence and damaging of inventory;
• Errors in receipt and issue of inventory;
• Errors in inventory records.
Documentation
• Receipt: GRN (see purchasing cycle);
• Issue: Requisitions and issuing notes;
• Inventory adjustments forms;
• Inventory records:
  – perpetual inventory records;
  – inventory take records.
Receipt of inventory
Refer to the purchasing cycle.
Safeguarding of inventory
Objective: Inventory should be safeguarded against theft and damage.
Controls
Inventory should be kept in a locked storeroom:
• access should be limited to authorised personnel (storeman and others);
• key control over doors, gates, etc.;
• security guards, dogs, etc.;
• cameras, etc.
Inventory susceptible to damage is safeguarded against the elements:
• under shelter, etc.;
• fire extinguishers, etc.
Inventory must be sufficiently insured.
Issuing of inventory
Objective: Inventory only leaves the storeroom based on properly authorised documentation.

Controls
Issue notes are made out for issuing inventory to production:
• it occurs only after receipt of a requisition authorised by the production
foreman/manager;
• it is numerically accounted for and missing numbers are followed up;
• it is signed by the storeman;
• it is signed by production foreman as proof of receipt of goods.
No changes are allowed on the issuing notes.
Regarding sales to clients, no inventory may leave the storeroom without a
delivery note.
Recordkeeping
Objective: Everything in the inventory is accurately recorded at the correct quantity and prices.
Controls
Continuous inventory records are:
• maintained by personnel independent from the safeguarding function
of the inventory;
• written up from the GRN and delivery notes or issue notes to production (frequently integrates with purchases and sales in a computerised system).
Inventory must be taken regularly and compared with inventory records:
• follow up of differences;
• adjustment of inventory records after proper management authorisation (inventory adjustments).
Obsolete/slow-moving inventory must be identified timeously and systematically written off according to company policy.
General:
• Segregation/rotation of duties, etc.;
• Supervision and review;
• Tests by management, internal audit;
• Stationery control, etc.

6.7.6 Bank and cash


Usually consists of:
• cash in bank;
• petty cash;
• cash advances/loans.
Also refer to the controls over cash as covered under the purchases and sales
cycles.


Basic controls
1. Segregation of duties for receipt and recording of money.
2. Different forms of cash (sales, petty cash, cash loans) should be kept
separately and recorded separately.
3. Proper stationery control:
• receipts, cash sales slips/invoices, etc., are numerically recorded;
• locked away;
• recorded in a register (sign for issuing and on receipt).
4. Money received by mail:
• opened and counted by two independent persons;
• recorded in a mail register;
• the person/cashier to whom it is handed over should sign as proof of
receipt.
5. Safeguarding of money:
• locked in vault, etc. (key control);
• banked as soon as possible (next day/twice per day, etc.).
6. Payments should be made by cheque based on supporting documentation:
• two cheque signatories (mechanical signing – control over signing
plates/under supervision);
• cancel supporting documentation after payment;
• signed cheques must not be returned to the beneficiary by the person
who has requested it.
7. Post-dated cheques received should be recorded in a register and strictly
controlled.
8. Loans to employees (IOU) should be properly authorised by a senior person.
9. Adequate insurance should be taken out against theft and fraud (fidelity
guarantee).
Controls over cash (advances, petty cash, receipts)
1. Cashier must balance cash daily and must compare it with the source
documents (receipt, cash invoices, cash register totals) and record it on a
cash receipt summary:
• signed by the cashier;
• independently reviewed by a senior official:
– counts the money in the cashier’s presence (cashier signs for
receipt back of money);
– compares cash with supporting documentation.
Shortages should be paid in by the cashier.


2. Every cashier should only be responsible for his own funds:
• during lunch, etc., cash/cash register should be locked and proper
key control exercised.
3. Every cashier should be responsible for his own float – lock in cash
drawer/cashbox.
4. Supervision over cashiers – senior/cameras, etc.
Controls over bank account
1. Refer to the controls already listed in respect of payments and receipts.
2. The bank account should be reconciled monthly:
• independent of the person who writes up the cashbook (who also
directly receives bank statements, etc.);
• reviewed by senior independent official.

CHAPTER 3: PROFESSIONAL AND ETHICAL RESPONSIBILITIES

1. Introduction
2. Rules regarding improper conduct of the Independent Regulatory Board for Auditors (IRBA)
3. Punishable offences in terms of the by-laws of the South African Institute of Chartered Accountants (SAICA)
3.1 Acts and practices which may constitute improper conduct by chartered accountants
4. Code of Professional Conduct (CPC) of the Independent Regulatory Board for Auditors (IRBA)
5. The Code of Professional Conduct (CPC) of the South African Institute of Chartered Accountants (SAICA)
5.1 Background
Part 1: Complying with the code, fundamental principles and conceptual framework
5.2 Section 100: Complying with the code
5.3 Section 110: The fundamental principles
5.4 Section 120: The conceptual framework
Part 2: Professional accountants in business
5.5 Section 200: Applying the conceptual framework – professional accountants in business
5.6 Section 210: Conflicts of interest
5.7 Section 220: Preparation and presentation of information
5.8 Section 230: Acting with sufficient expertise
5.9 Section 240: Financial interests, compensation and incentives linked to financial reporting and decision making
5.10 Section 250: Inducements, including gifts and hospitality
5.11 Section 260: Responding to non-compliance with laws and regulations
5.12 Section 270: Pressure to breach the fundamental principles
Part 3: Professional accountants in public practice
5.13 Section 300: Applying the conceptual framework – professional accountants in public practice
5.14 Section 310: Conflict of interests
5.15 Section 320: Professional appointments
5.16 Section 321: Second opinions
5.17 Section 330: Fees and other types of remuneration
5.18 Section 340: Inducements, including gifts and hospitality
5.19 Section 350: Custody of client assets
5.20 Section 360: Responding to non-compliance with laws and regulations
Part 4A – Independence for audit and review engagements
5.21 Section 400 – Applying the conceptual framework to independence for audit and review engagements
Part 4B – Independence for assurance engagements other than audit and review engagements
5.22 Section 900: Applying the conceptual framework to independence for assurance engagements other than audit and review engagements
5.23 Section 905–990: Application of framework to specific situations


1. INTRODUCTION
Chartered accountants and registered auditors enjoy a professional status in the
corporate environment. This professional status results in certain professional
obligations being placed on the individual. The professional and ethical
responsibilities of chartered accountants and registered auditors in terms of the
following rules and codes are discussed in this chapter:
• Rules regarding improper conduct of the Independent Regulatory Board for
Auditors;
• Punishable offences in terms of the by-laws of the South African Institute of
Chartered Accountants;
• The Code of Professional Conduct of the Independent Regulatory Board for
Auditors; and
• The Code of Professional Conduct of the South African Institute of Chartered
Accountants.

2. RULES REGARDING IMPROPER CONDUCT OF THE INDEPENDENT REGULATORY BOARD FOR AUDITORS (IRBA)
SOURCE REFERENCE: IRBA Rules regarding improper conduct
A registered auditor shall be guilty of improper conduct if he/she:
• contravenes or fails to comply with the provisions of the Act with which
he/she has a duty to comply;
• contravenes or fails to comply with the provisions of any Act with which
he/she has a duty to comply in providing professional services;
• has been found guilty of any offence involving dishonesty;
• is dishonest in the performance of any work;
• contravenes or fails to comply with any requirements in auditing
pronouncements;
• contravenes or fails to comply with any requirements in the Code of
Professional Conduct;
• fails to perform any professional services with the degree of skill,
competence and due care expected by the Regulatory Board;
• evades or assists any person to evade any tax, duty, levy, or rate (including
making or signing false statements and preparing or maintaining false books
or records);
• permits the registered auditor’s name to be used in connection with any
estimate of earnings contingent upon future transactions in a manner which
may lead to the belief that the registered auditor vouches for the accuracy of
the estimate, or fails to take steps to dispel such belief;
• seeks to impose any restraint on a prospective registered auditor which will
apply after the termination of a training contract (a restriction on soliciting
professional services from an existing client is allowed for a maximum of one
year after termination of service);
• receives any payment, reward or compensation for the cancellation of a
training contract (reimbursement of disbursements made to the Regulatory
Board in connection with the training contract is allowed);
• fails to answer or deal adequately, within a reasonable time, with any
communication from the Regulatory Board or any other person which reasonably
requires such response;
• fails to comply within a reasonable time with an order, requirement or request
from the Regulatory Board;
• fails to resign from an appointment when requested to do so by the client,
including failure to transfer all books, papers and property of such client;
• fails after demand to pay any subscription, levy, fee or charge payable to the
Regulatory Board;
• abandons public practice without previous notice to clients and without
arranging for the dispatch of clients’ business or the care of clients’ property;
and
• behaves in a manner which tends to bring the auditing profession into
disrepute.

3. PUNISHABLE OFFENCES IN TERMS OF THE BY-LAWS OF THE SOUTH AFRICAN INSTITUTE OF CHARTERED ACCOUNTANTS (SAICA)
SOURCE REFERENCE: SAICA By-Laws par 34 – Punishable offences

3.1 ACTS AND PRACTICES WHICH MAY CONSTITUTE IMPROPER CONDUCT BY CHARTERED ACCOUNTANTS
• Contravening any of the provisions of sections 20 and/or 27 of the
Public Accountants’ and Auditors’ Act, 1991, or contravening any rules
or regulations created by the IRBA from time to time under the power
granted to it in terms of section 13(1)(h) of the said Act or its replacement.
• Conducting him-/herself with gross negligence in connection with any
work performed by him/her in his/her profession or employment.
• Certifying or reporting on any accounts, statements, reports or other
documents, without taking reasonable steps to ensure the correctness of
such certificate or report.
• Contravening any provisions of the Chartered Accountants’ Designation
(Private) Act 67 of 1993.
• Directly or indirectly paying a person, other than a member in public
practice or any person practising as an accountant or auditor outside the
Republic, a commission or giving such person monetary or other
consideration, as remuneration for bringing the member work, or for inducing
other persons to give work to the member.
• Accepting directly or indirectly any commission or other remuneration in
respect of professional or commercial business referred to others as an
incident to his/her service to any client, except with the knowledge and
consent of that client.
• Improperly obtaining or attempting to obtain work.
• Soliciting or advertising or canvassing in any manner not permitted by the
Code of Professional Conduct.
• Committing a breach of the Code of Professional Conduct.
• Unlawfully failing to account for, or unreasonably delaying an accounting
of, any money or property received for or on behalf of a client or any other
person.
• Conducting him-/herself in a manner which is discreditable, dishonourable,
dishonest, irregular or unworthy or which can bring the profession of
accountancy into disrepute.
• Failing to comply with any regulation, by-law, article, code of conduct or
rule of the Institute.
• Seeking, either before or during the period of training of a trainee
accountant, to impose any restraint whatsoever on the trainee accountant
concerned which will apply after the date of the termination of the training
period, or threatening or attempting to enforce any such restraints after
such date.
• Registration or indirect payment or compensation set as a condition or
received in regard to cancellation of a trainee accountant’s training
contract. Repayments required by a practitioner in respect of expenses
accrued regarding the registration of the training contract by SAICA are
permissible.
• Directly or indirectly stipulating or receiving from a trainee accountant who
is or has been serving under a training contract or from any other person
any payment, reward, compensation or consideration for agreeing to the
cancellation of such training contract; provided that it shall not be deemed
a breach of this by-law if a member or former member requires to be or is
reimbursed in respect of disbursements actually made by him/her to the
Institute in connection with a training contract which is subsequently
cancelled and of which disbursements he/she is able to produce proof to the
satisfaction of the Institute.
• Without reasonable cause failing to resign from a professional appointment
when requested by the client to do so.
• Failing to answer or deal with appropriately within a reasonable time any
correspondence or other communication from the Institute or any other
person which requires a reply or other response.
• Failing to comply within a reasonable time with an order, requirement or
request from the Institute.
• Failing after demand to pay any subscription or any fee, levy or other
charge payable to the Institute.
NOTE: Improper conduct on the part of a trainee accountant shall include
any conduct which would be improper had it been perpetrated by a
member or associate.


4. CODE OF PROFESSIONAL CONDUCT (CPC) OF THE INDEPENDENT REGULATORY BOARD FOR AUDITORS (IRBA)
SOURCE REFERENCE: IRBA Code of Professional Conduct for Registered
Auditors (Revised 2020)
The Code of Professional Conduct of IRBA is consistent in all material aspects
with the International Federation of Accountants’ (IFAC) Code as well as with
Parts 1, 3 and 4 of the SAICA Code of Professional Conduct.
The SAICA Code is discussed under section 5.

5. THE CODE OF PROFESSIONAL CONDUCT (CPC) OF THE SOUTH AFRICAN INSTITUTE OF CHARTERED ACCOUNTANTS (SAICA)
SOURCE REFERENCE: Code of Professional Conduct of the South African
Institute of Chartered Accountants (Revised 2020)

5.1 BACKGROUND
Members of the accountancy profession in South Africa have the duty to act
not only in the interest of clients or employers, but also in the public
interest. In doing this, professional accountants registered with SAICA should
observe and comply with the ethical requirements of the SAICA Code of
Professional Conduct. Professional accountant is a generic term used in the Code
to refer to a chartered accountant (CA(SA)), an associate general accountant
(AGA(SA)) or an associate accounting technician (FMAAT(SA), MAAT(SA) or
PSMAAT(SA)).
The Code contains the following material:
Definitions – an explanation of the terminology used in the Code.
Part 1 – Complying with the Code, Fundamental Principles and Conceptual
Framework – deals with the general application of the Code and is applicable
to all professional accountants. Part 1 also establishes the fundamental
principles of professional ethics and provides a conceptual framework for the
application of these principles by professional accountants.
A professional accountant can either be in Public Practice or in business. A
professional accountant in Public Practice is an individual in a firm that
provides professional services to the public, whether accounting, auditing,
taxation, management consulting or financial management services. A
professional accountant in business is employed or engaged in an executive or
non-executive capacity in such areas as commerce, industry, service, the public
sector, education, the not-for-profit sector, regulatory bodies or professional
bodies, or is a professional accountant contracted by such entities.


Part 2 – Professional Accountants in Business – applicable to professional
accountants in business when performing professional activities. Part 2 is also
applicable to professional accountants in public practice when performing
professional activities related to their relationship with the firm, whether as a
contractor, employee or owner.
Part 3 – Professional Accountants in Public Practice – applicable to
professional accountants in public practice when providing professional services.
International Independence Standards – sets out additional material regarding
independence that applies to professional accountants when providing
assurance services. The section is divided into Part 4A and Part 4B as follows:
Part 4A – Independence for Audit and Review Engagements
Part 4B – Independence for Assurance Engagements other than Audit or
Review Engagements
The Code contains sections which address specific topics, and some sections
contain subsections dealing with specific aspects of those topics. Each section
contains an introduction, requirements and application material. The
introduction contains information, sets out the specific subject matter, and
introduces the requirements and the application material in the context of the
conceptual framework. In the SAICA Code, requirements are designated with the
letter “R”, include the word “shall” and impose an obligation on a professional
accountant or firm to comply with the specific provision. The use of the word
“may” in a section which is designated with the letter “R” indicates an exception
and denotes permission to take a particular action in certain circumstances.
Application material is designated with the letter “A” and provides context,
explanations and suggestions for actions or matters to consider. The purpose of
the application material is to enhance an understanding of the Code.
Note: In section 5 of this chapter of the textbook, sections of the Code which
contain requirements and impose obligations are printed in italics.
The SAICA Code is consistent in all material respects with the Code of Ethics
for Professional Accountants issued by the International Federation of
Accountants. In addition to the IFAC Code, SAICA has included additional
guidance to assist with the local interpretation of certain requirements.


PART 1: COMPLYING WITH THE CODE, FUNDAMENTAL PRINCIPLES AND CONCEPTUAL FRAMEWORK
5.2 SECTION 100: COMPLYING WITH THE CODE
A distinguishing mark of the accountancy profession is its acceptance of the
responsibility to act in the public interest. A professional accountant’s
responsibility is therefore not exclusively to satisfy the needs of an individual
client or employing organisation.
A professional accountant shall comply with the Code. Should laws or
regulations preclude an accountant from complying with certain sections of the
Code, the relevant laws and regulations will prevail, and the accountant shall
comply with all other parts of the Code.
The professional accountant is encouraged to consult with a professional or
regulatory body should circumstances be encountered in which the accountant
believes that the result of applying a specific requirement in the Code
would not be in the public interest.
A professional accountant who identifies a breach of any provision of the Code
shall evaluate the significance of the breach and its impact on the ability of the
accountant to comply with the fundamental principles. The accountant shall
also take steps to address the consequences of the breach and determine
whether to report the breach to those who may be affected by it, professional
or regulatory bodies, or an oversight authority.

5.3 SECTION 110: THE FUNDAMENTAL PRINCIPLES
A professional accountant shall comply with the fundamental principles of
integrity, objectivity, professional competence and due care, confidentiality
and professional behaviour.
Subsections 111 to 115 of the Code discuss the five fundamental principles of
professional ethics.

5.3.1 SUBSECTION 111: INTEGRITY
A professional accountant shall comply with the principle of integrity which
requires straightforwardness, honesty, fair dealing and truthfulness in
professional and business relationships.
Specifically, a professional accountant shall not be associated with reports,
returns, communications or other information where the accountant believes
the information:
• contains a materially false or misleading statement;
• contains statements or information furnished recklessly; and
• omits or obscures information required to be included where such omission
or obscurity would be misleading.
A professional accountant shall take steps to disassociate him/herself from
reports as described above, when required.


5.3.2 SUBSECTION 112: OBJECTIVITY
A professional accountant shall comply with the principle of objectivity, which
requires an accountant not to compromise professional or business judgement
because of bias, conflict of interest or the undue influence of others.
A professional accountant shall not undertake a professional activity if
circumstances or relationships unduly influence the accountant’s professional
judgement regarding that activity.

5.3.3 SUBSECTION 113: PROFESSIONAL COMPETENCE AND DUE CARE
Professional accountants shall comply with the principle of professional
competence and due care, which requires an accountant to maintain professional
knowledge and skill at the level required to ensure that clients or employers
receive competent professional service. This requires a continuing awareness
and an understanding of relevant technical, professional and business
developments. This emphasises the importance of continuing professional
development.
Professional accountants should also act diligently in accordance with
applicable technical and professional standards when providing professional
services.
The professional accountant shall take reasonable steps to ensure that those
working under the professional accountant’s authority in a professional
capacity have appropriate training and supervision.
Clients, employers and other users shall be made aware of the inherent
limitations of services provided.
A professional accountant shall not undertake or continue with any engagement
which he/she is not competent to perform, unless advice and assistance
are obtained in order to carry out the engagement satisfactorily.

5.3.4 SUBSECTION 114: CONFIDENTIALITY
Professional accountants shall comply with the principle of confidentiality,
which requires professional accountants to refrain from:
• disclosing outside the firm or employing organisation confidential
information acquired as a result of professional or business relationships
without proper or specific authority or unless there is a professional or legal
duty or right to do so; and
• using confidential information acquired as a result of a professional or
business relationship to their own advantage or to the advantage of a third
party.
Confidentiality shall be maintained, even in a social environment.
The confidentiality of information disclosed by a prospective client or employer
shall also be maintained.
Staff under the professional accountant’s supervision and advisers should also
respect the duty of confidentiality.


The duty of confidentiality shall continue even after the end of a relationship.
Professional accountants may be required to disclose confidential information,
or disclosure may be appropriate, under the following circumstances:
• if so permitted by law and authorised by the client or employer;
• when disclosure is required by law, for example:
– production of documents or provision of evidence in the course of
legal proceedings; or
– disclosure to appropriate public authorities, including disclosures of
reportable irregularities reported to the Regulatory Board as required
by section 45 of the Auditing Profession Act;
• when there is a professional duty or right to disclose, and when not
prohibited by law:
– to comply with the quality review of the Regulatory Board or the
professional body;
– to respond to an enquiry or investigation by the Regulatory Board or a
regulatory body;
– to protect the professional interests of a professional accountant in
legal proceedings; or
– to comply with technical standards and the requirements of this Code.
The professional accountant should consider the following factors in deciding
whether to disclose confidential information:
• whether the interests of any parties could be harmed;
• whether all relevant information is known and substantiated;
• the type of communication that is expected and to whom it is addressed;
and
• whether the parties to whom the communication is addressed are
appropriate recipients.

5.3.5 SUBSECTION 115: PROFESSIONAL BEHAVIOUR
Professional accountants shall comply with the principle of professional
behaviour, which requires compliance with relevant laws and regulations and
avoidance of any action that may bring discredit to the profession. This includes
action that an informed and reasonable third party, having knowledge of all
relevant information, would conclude negatively affects the good reputation of
the profession.
In marketing and promoting themselves, chartered accountants shall be honest
and truthful and therefore not:
• make exaggerated claims for the services they are able to offer, the
qualifications they possess, or experience they have gained; or
• make disparaging references or unsubstantiated comparisons to the work
of others.


Multiple firms and assisted holding out
An individual professional accountant is permitted to be a member of more
than one registered auditing or other professional firm. Such association shall
not be misleading or cause confusion, and the professional accountant shall
ensure that there is a clear distinction between the different firms.
A clear distinction must always be made should firms have members who are
not registered auditors in order not to contravene section 41(2) of the Auditing
Profession Act.
Signing convention for reports or certificates
A professional accountant responsible for an engagement shall not delegate to
any person who is not a partner, or fellow director, the power to sign the audit,
review or other assurance reports or certificates. This prohibition may be
relaxed:
• in specific cases where emergencies of sufficient gravity arise; and
• provided full circumstances giving rise to the need to delegate are reported
to the client and the Regulatory Board.
Any audit, review, or assurance report shall reflect the following:
• the individual accountant’s full name;
• the capacity in which he/she is signing, namely as partner or director;
• their designation underneath their name; and
• the name of the professional accountant’s firm (if not set out on the
letterhead).

5.4 SECTION 120: THE CONCEPTUAL FRAMEWORK
The fundamental principles of ethics as discussed above establish the standard
of behaviour expected of a professional accountant. The Code also provides
a conceptual framework which establishes the approach a professional
accountant is required to apply in complying with the fundamental principles.
The conceptual framework requires a professional accountant to:
• Identify threats to compliance with the fundamental principles;
• Evaluate the threats identified; and
• Address the threats by eliminating them or reducing them to an acceptable
level.
When applying the conceptual framework, the professional accountant shall:
• Exercise professional judgement;
• Remain alert to new information and to changes in facts and circumstances;
and
• Consider whether the same conclusion would likely be reached by another
party (the third-party test).
Identifying threats
Compliance with the fundamental principles of professional ethics may be
threatened by a broad range of circumstances. Understanding these
circumstances and putting them in specific categories makes it easier for the
professional accountant to identify threats to compliance with professional ethics.
The threats can be categorised as follows:
• Self-interest threats, the threat that a financial or other interest will
inappropriately influence a professional accountant’s judgement or behaviour.
• Self-review threats, which may occur when a previous judgement or services
delivered need to be re-evaluated by the professional accountant
that was originally responsible for the judgement, or by another professional
accountant in the firm.
• Advocacy threats, which may occur when a professional accountant
promotes an opinion or position to the point that subsequent objectivity
may be compromised.
• Familiarity threats, which may occur when, because of a close relationship,
a professional accountant becomes too sympathetic to the interests of
others or too accepting of their work.
• Intimidation threats, which may occur when a professional accountant may
be deterred from acting objectively by threats, actual or perceived.
Evaluating threats
When the professional accountant identifies a threat to compliance with the
fundamental principles, the accountant shall evaluate whether the threat is at
an acceptable level.
An acceptable level would be when the accountant complies with the
fundamental principles.
Addressing threats
If the professional accountant determines that the threat is not at an acceptable
level, he/she shall reduce the threat to an acceptable level by:
• Eliminating the circumstances, including interests or relationships, that are
causing the threats;
• Applying safeguards to reduce the threat to an acceptable level; or
• Declining or ending the specific professional activity.


PART 2: PROFESSIONAL ACCOUNTANTS IN BUSINESS
5.5 SECTION 200: APPLYING THE CONCEPTUAL FRAMEWORK – PROFESSIONAL ACCOUNTANTS IN BUSINESS
This Part of the Code illustrates how the conceptual framework contained in
Part 1 is to be applied by professional accountants in business.
Professional accountants in business might be an employee, contractor,
partner, director (executive and non-executive), owner-manager, or volunteer of
an employing organisation.
Identifying threats
The following are examples of the circumstances that might create any of the
categories of threats.
Self-interest threats:
• Financial interests, loans or guarantees;
• Incentive compensation arrangements;
• Inappropriate personal use of corporate assets;
• Concern over employment security; and
• A gift or special treatment from a supplier.
Self-review threats:
• Business decisions or data being reviewed and justified by the same
professional accountant who was responsible for making those decisions
or preparing that data.
Familiarity threats:
• A professional accountant in business in a position to influence reporting
or business decisions which may benefit an immediate or close family
member.
• Long association with business contacts influencing business decisions.
• Acceptance of a gift or preferential treatment, unless the value is clearly
insignificant.
Intimidation threats:
• Threat of dismissal or replacement of the professional accountant in
business or a close or immediate family member over a disagreement about
the application of an accounting principle or the way in which financial
information is to be reported.
• A dominant personality attempting to influence the decision-making
process.
Advocacy threats:
• Manipulation of information in a prospectus in order to obtain favourable
financing.
An advocacy threat would generally not be created when a professional
accountant in business promotes the employing organisation’s position to further
its legitimate goals and objectives, provided the statements made are neither
false nor misleading.
Evaluating threats
The following will impact the professional accountant’s evaluation of whether a
threat to compliance with a fundamental principle is at an acceptable level:
• The employing organisation’s systems of corporate oversight or other oversight structures.
• The employing organisation’s ethics and conduct programmes.
• Recruitment procedures in the employing organisation emphasising the importance of employing high-calibre, competent staff.
• Strong internal controls.
• Appropriate disciplinary processes.
• Leadership that stresses the importance of ethical behaviour and the expectation that employees will act in an ethical manner.
• Policies and procedures to implement and monitor the quality of employee performance.
• Employing organisation’s policies and procedures, including any changes, to be communicated to all employees on a timely basis, and appropriate training and education on such policies and procedures to be provided.
• Implementation of policies and procedures to empower and encourage employees to communicate to senior levels within the organisation any ethical issues that concern them, without fear of retribution.
Addressing threats
Sections 210 to 270 describe certain threats that may arise and include actions
that might address such threats.
A professional accountant in business should consider seeking legal advice if
it is believed that unethical behaviour has occurred and will continue within the
organisation. He/she should also consider resigning from the employing organ-
isation if the circumstances that created the threat cannot be eliminated or
should safeguards not be available or be incapable of reducing the threat to
an acceptable level.

5.6 SECTION 210: CONFLICTS OF INTEREST


A chartered accountant in business may be faced with a conflict of interest
when undertaking a professional activity in which case a threat to objectivity
will be created. Threats to other fundamental principles are also possible.

Such a threat may be created when:
• a professional activity is undertaken for two or more parties whose interests with respect to that matter are in conflict; or
• the interests of the professional accountant and the party for whom the professional activity is undertaken are in conflict.
A party may include an employing organisation, a vendor, a customer, a lender,
a shareholder, or another party.
Examples of situations in which conflicts of interest may arise include:
• serving in a management or governance position for two employing organisations and acquiring confidential information from one employing organisation which may be used by the professional accountant to the advantage or disadvantage of the other employing organisation;
• preparing financial information for certain members of the management of the employing entity and where the specific members of management are considering a management buy-out;
• selecting a vendor for the employing organisation and where an immediate family member of the professional accountant may benefit financially from the transaction; and
• serving in a governance capacity and approving investments where the investment decision made will increase the value of the personal investment portfolio of the professional accountant or an immediate family member.
Conflict identification
Professional accountants shall take reasonable steps to identify circumstances
that might create a conflict of interest, and therefore a threat to compliance
with one or more of the fundamental principles.
Addressing threats
Safeguards that should be applied, when necessary, to address threats created by
conflicts of interest include:
• restructuring and segregating certain responsibilities and duties;
• appropriate oversight by an executive or non-executive director; and
• withdrawing from the decision-making process related to the matter giving rise to the conflict.
Professional accountants may also be required to consult with third parties,
including professional bodies, legal counsel and other chartered accountants.
It may also be necessary to disclose the nature of conflicts of interest to
interested parties and to obtain consent regarding the safeguards implemented.


5.7 SECTION 220: PREPARATION AND PRESENTATION OF INFORMATION


Professional accountants in employing organisations are involved in the
preparation and presentation of information including operating and performance
reports, budgets and forecasts, information provided to internal and external
auditors, general and specific purpose financial statements and tax returns.
When preparing and presenting information, the professional accountant shall
prepare or present information:
• In accordance with a relevant reporting framework; and
• In a manner that is intended neither to mislead nor to influence contractual or regulatory outcomes inappropriately.
The professional accountant shall also exercise professional judgement to
ensure that all facts are represented accurately and completely in all material
respects. The professional accountant shall also not omit anything with the
intention of rendering information misleading or of influencing contractual or
regulatory outcomes.
A self-interest threat to integrity and professional competence and due care
may arise where a professional accountant in business is responsible for infor-
mation, or where he/she is pressured to become associated with misleading
information. The professional accountant shall take the necessary action in
such cases in order to resolve the matter.
Appropriate action might include consulting with superiors within the organisa-
tion, for example the audit committee or a professional body in order to reduce
or eliminate the threat.
The professional accountant should refuse to be associated with the mis-
leading information should these actions fail to reduce or eliminate the threats
identified above.
Should an employing organisation continue to issue misleading information, the
professional accountant should consider, in line with the confidentiality
requirements in section 114, informing appropriate authorities or obtaining legal advice.
It might also be appropriate for the professional accountant to resign from the
employing organisation.

5.8 SECTION 230: ACTING WITH SUFFICIENT EXPERTISE


The fundamental principle of professional competence and due care requires
professional accountants in business to undertake only those significant tasks
for which they are suitably qualified. Employing organisations should not be
misled regarding the level of expertise or experience and appropriate advice
and assistance should be obtained where necessary.
A self-interest threat might be created if a professional accountant has:
• insufficient experience, education or training;
• inadequate resources;
• inadequate time available for performing the duties; and
• incomplete, restricted or inadequate information.
Factors that are relevant in evaluating the level of the threat include the
seniority of the individual in the business and the level of supervision and
review applied to the work.
Examples of actions that might be safeguards to address the threats include:
• obtaining additional advice or training;
• ensuring that there is adequate time available for performing the duties;
• obtaining assistance from someone with the necessary expertise; and
• consulting, where appropriate, with superiors within the organisation, independent experts or a professional body.
The professional accountant shall refuse to perform an assignment, should
he/she not possess the experience or expertise, and should the above safe-
guards fail to reduce or eliminate the resultant threat to the fundamental prin-
ciple of professional competence and due care.

5.9 SECTION 240: FINANCIAL INTERESTS, COMPENSATION AND INCENTIVES
LINKED TO FINANCIAL REPORTING AND DECISION MAKING
Financial interests (including those arising from compensation or incentive
arrangements), or the financial interests of immediate or close family members,
in certain circumstances, may give rise to threats to compliance with the
fundamental principles.
Examples of circumstances that may create self-interest threats include
situations where the professional accountant in business or an immediate family
member:
• holds a direct or indirect financial interest in the employing organisation and the value of that financial interest could be directly affected by decisions made by the professional accountant;
• is eligible for a bonus and the value of the bonus could be directly affected by decisions made by the professional accountant;
• holds, directly or indirectly, deferred bonus share entitlements or share options in the employing organisation of which the value could be directly affected by decisions made by the professional accountant; and
• otherwise participates in compensation arrangements which provide incentives to achieve performance targets.
Self-interest threats arising from incentive or compensation arrangements may
be further compounded by pressure from superiors or peers within the employ-
ing organisation who participate in the same arrangements.
The nature of the financial interest, including whether it is a direct or
indirect interest, will be relevant in evaluating the level of the threat.
Other relevant factors include:
• level and form of remuneration of senior management to be determined by a committee independent of management;
• disclosure of all financial interests;
• disclosure of any plans to trade in relevant shares to those charged with the corporate governance of the organisation, in accordance with any internal policies;
• consultation with professional bodies, superiors, or those charged with governance within the employing organisation;
• audit procedures performed by internal or external auditors; and
• education on ethical issues, legal restrictions and other regulations around potential insider trading.

5.10 SECTION 250: INDUCEMENTS, INCLUDING GIFTS AND HOSPITALITY


Threats to compliance with the fundamental principles of professional
behaviour can be created when a professional accountant in business or an
immediate family member is offered an inducement, or when he/she is offering an
inducement to improperly influence the professional judgement of a third party.
A professional accountant in business should not offer an inducement to
improperly influence the professional judgement of a third party.
The significance of threats created by receiving an inducement will depend on
the nature, value and intent behind the offer.
An offer received in the normal course of business will generally not create a
significant threat.
The professional accountant should not accept the inducement should it not be
possible to reduce or eliminate the threat.
The following actions should be considered when an inducement has been
received:
• Immediately inform higher levels of management or those charged with governance if such an offer is made.
• Inform third parties, such as a professional body or the offeror’s employer, of the offer. Consider taking legal advice prior to informing third parties.
• Advise immediate or close family members of relevant threats and safeguards if they are in positions which may result in offers of inducements.
• Inform higher levels of management or those charged with governance where immediate or close family members are employed by competitors or potential suppliers of the organisation.

5.11 SECTION 260: RESPONDING TO NON-COMPLIANCE WITH LAWS AND
REGULATIONS
The purpose of this section is to set out the responsibilities of professional
accountants in business when non-compliance or suspected non-compliance
with laws and regulations is encountered in the course of carrying out profes-
sional activities. Guidance is also provided regarding the assessment of the
implications of the matter and possible courses of action when responding to
it. This section applies regardless of the nature of the employing organisation,
including whether or not it is a public interest entity.
A self-interest or intimidation threat to compliance with the principles of integ-
rity and professional behaviour is created when a professional accountant
becomes aware of non-compliance or suspected non-compliance with laws
and regulations.
Where a jurisdiction has legal or regulatory provisions on how non-compliance
with laws and regulations should be addressed, professional accountants shall
obtain an understanding of those provisions. The requirements may include a
requirement to report the matter to an appropriate authority, or a prohibition on
alerting the relevant party.
Professional accountants must always act in the public interest and the
objectives when responding to non-compliance with laws and regulations are
therefore to:
• comply with the fundamental principles of integrity and professional behaviour;
• by alerting management or those charged with governance, seek to:
    • enable them to rectify, remediate or mitigate the consequences of the non-compliance; or
    • prevent the non-compliance where it has not yet occurred; and
• take further action as appropriate in the public interest.
The section sets out the approach to be taken in relation to non-compliance
with laws and regulations that are recognised to have a direct effect on the
determination of material amounts and disclosures in the employing organ-
isation’s financial statements, as well as laws and regulations that do not have
a direct effect.
Generally, a professional accountant is not required to comply with this section
with respect to matters that are clearly inconsequential to the employing
organisation, its stakeholders and the general public.
This section does not address personal misconduct unrelated to the business
activities of the employing organisation, nor non-compliance other than by the
employing organisation, those charged with governance, management, or other
individuals working for or under the direction of the employing organisation.


Many employing organisations have policies and procedures that deal with the
reporting of inter alia non-compliance with laws and regulations. This shall be
considered by the professional accountant in deciding on how to respond to
non-compliance.
Professional accountants in business shall comply with this section on a timely
basis, having regard to the nature of the matter and the potential harm to the
interests of the employing organisation, investors, creditors, employees or the
general public.
Responsibilities of senior professional accountants in business
Senior chartered accountants are directors, officers or senior employees able
to exert significant influence over, and make decisions regarding, the acquisi-
tion, deployment and control of the employing organisation’s resources.
Obtaining an understanding of the matter
Senior professional accountants in business shall obtain an understanding of
an instance of non-compliance or suspected non-compliance in the course of
carrying out professional activities. The understanding shall include:
• The nature of the non-compliance or suspected non-compliance and the circumstances in which it occurred or might occur;
• Laws and regulations relevant to the situation; and
• Potential consequences of the non-compliance or suspected non-compliance.
The senior professional accountant is required to apply knowledge,
professional judgement and expertise, but is not expected to have a level of
knowledge beyond that which is required for the professional accountant’s role in
the employing organisation.
Consultation on a confidential basis with others in the employing organisation,
or professional body, is permitted, depending on the nature and significance of
the matter.
Addressing the matter
The senior professional accountant shall discuss the matter with his/her imme-
diate superior, except if the immediate superior appears to be involved, in
which case the matter shall be discussed with the next higher level of authority
within the employing organisation.
The senior professional accountant should also take appropriate steps to:
• have the matter communicated to those charged with governance;
• comply with applicable laws and regulations;
• have the consequences of non-compliance or suspected non-compliance rectified, remediated or mitigated;
• reduce the risk of re-occurrence; and
• seek to prevent the non-compliance if it has not yet occurred.
The senior professional accountant shall also determine whether disclosure to
the employing organisation’s auditor is necessary to enable the auditor to per-
form the audit.
Determining whether further action is needed
The senior professional accountant shall, in determining whether further action
is needed, assess the appropriateness of the response of his/her superiors or,
where appropriate, those charged with governance.
Further action as referred to above may include the following:
• informing the management of the parent company of the matter if the employing organisation is a member of a group;
• disclosing the matter to an appropriate authority even if not required to do so by law; and
• resigning from the employing organisation.
Resigning from the employing organisation may not be considered as a substi-
tute for taking other action in the public interest, but may be the only available
course of action.
Determining whether to disclose the matter to an appropriate authority
Disclosure to an appropriate authority would be precluded if doing so would
be contrary to law or regulation.
In deciding whether or not to make a disclosure, the senior professional
accountant shall consider the actual or potential harm that is or may be caused
by the matter to investors, creditors, employees or the general public.
The decision will also be influenced by:
• whether there is an appropriate authority able to receive and deal with the information;
• whether robust and credible protection exists from civil, criminal or professional liability or retaliation; and
• whether there are threats to the physical safety of any person.
Documentation
The senior professional accountant is encouraged to have the following
matters documented:
• the matter;
• the results of discussions with superiors, those charged with governance and other parties;
• how the above parties have responded to the matter;
• the courses of action considered, the judgements and the decisions made; and
• how the senior professional accountant is satisfied that all his/her responsibilities have been fulfilled.
Responsibilities of professional accountants other than senior
professional accountants in business
Professional accountants in business shall obtain an understanding of an
instance of non-compliance or suspected non-compliance in the course of car-
rying out professional activities. This understanding shall include the nature of
the non-compliance or suspected non-compliance and the circumstances in
which it has occurred or might occur.
The professional accountant is required to apply knowledge, professional
judgement and expertise, but is not expected to have a level of knowledge
beyond that which is required for the professional accountant’s role in the
employing organisation.
Consultation on a confidential basis with others in the employing organisation,
or professional body, is permitted, depending on the nature and significance of
the matter.
The professional accountant shall discuss the matter with his/her immediate
superior, except if the immediate superior appears to be involved, in which
case the matter shall be discussed with the next higher level of authority within
the employing organisation.
In exceptional circumstances, the professional accountant may decide that
disclosure of the matter to an appropriate authority is an appropriate course of
action. When making such disclosure, the accountant shall act in good faith
and exercise caution when making statements and assertions. The professional
accountant is encouraged to have the following matters documented:
• the matter;
• the results of discussions with superiors, and where applicable those charged with governance and other parties;
• how the accountant’s superior has responded to the matter; and
• courses of action considered, judgements made, and decisions taken.

5.12 SECTION 270: PRESSURE TO BREACH THE FUNDAMENTAL PRINCIPLES


A professional accountant shall not allow pressure from others to result in a
breach of compliance with the fundamental principles or place pressure on
others that would result in the other individual breaching the fundamental
principles.
Examples of pressure that might result in threats to compliance with the
fundamental principles include:
• Pressure related to conflicts of interest – pressure from a family member who is bidding to be a vendor to select the family vendor over another prospective vendor.
• Pressure to influence the preparation or presentation of financial statements – pressure to report misleading financial results to meet investor, analyst or other expectations, or pressure to approve or process expenditures that are not legitimate business expenses.
• Pressure to act without sufficient expertise or due care – pressure from superiors to inappropriately reduce the extent of work performed.
• Pressure related to financial interests – pressure from those who might benefit from participation in an incentive scheme to manipulate performance indicators.
• Pressure related to inducements – pressure to accept a bribe.
Discussions with the following parties may enable the professional accountant
to evaluate the level of the threat:
• The individual who is exerting the pressure – an attempt to resolve it;
• The accountant’s superior (not the individual exerting the pressure);
• Higher levels of management;
• Internal or external auditors;
• Those charged with governance;
• A colleague, human resources personnel, or another professional accountant;
• Relevant professional body or regulatory authority; and
• Legal counsel.
The professional accountant is encouraged to document the facts, the commu-
nications and parties with whom the matter was discussed, the courses of
action considered and how the matter was addressed.

PART 3: PROFESSIONAL ACCOUNTANTS IN PUBLIC PRACTICE

5.13 SECTION 300: APPLYING THE CONCEPTUAL FRAMEWORK –
PROFESSIONAL ACCOUNTANTS IN PUBLIC PRACTICE
Part 3 of the Code applies to all professional accountants in public practice,
whether they provide assurance services or not. The term “professional
accountant” also refers to the individual accountant in public practice and their
firms.
As already discussed, the conceptual framework requires the professional
accountant to identify threats to compliance with the fundamental principles,
evaluate the level of the threat, and address threats to compliance with the
fundamental principles.
Identifying threats
Circumstances may give rise to one or more threats to compliance. The follow-
ing examples of circumstances that may create the different categories of
threats are provided by the Code and could assist the professional accountant
to identify threats.

Examples of circumstances that may create self-interest threats:
• A professional accountant having a direct financial interest in the client.
• A professional accountant having undue dependence on total fees from a client.
• A professional accountant having a significant close business relationship with a client.
• A professional accountant discovering a significant error when evaluating the results of a previous professional service performed by a member of the professional accountant’s firm.
Examples of circumstances that may create self-review threats:
• A professional accountant issuing an assurance report on the operation of financial systems after being involved in their design or implementation.
• A professional accountant having prepared the original data used to generate records that are the subject matter of the assurance engagement.
Examples of circumstances that may create advocacy threats include:
• A professional accountant promoting shares in a client.
• A professional accountant acting as an advocate on behalf of an audit client in litigation or disputes with third parties.
Examples of circumstances which may create familiarity threats include:
• A professional accountant having a close or immediate family relationship with a director, or an officer of the client.
• A former engagement partner being a director or officer of the client or an employee who is in a position to exert direct and significant influence over the subject matter of the engagement.
• A professional accountant receiving gifts or preferential treatment from a client, unless the value is trivial or inconsequential.
• Long association of an audit team member with the audit client.
Examples of circumstances which may create intimidation threats include:
• A professional accountant being threatened with dismissal from a client engagement or the firm because of a disagreement about a professional matter.
• A professional accountant feeling pressured to agree with the judgement of a client because the client has more expertise on the matter in question.
• A professional accountant being informed that he/she will not be promoted unless he/she agrees with an inappropriate accounting treatment.
Evaluating threats
Professional accountants need to evaluate whether the above threats are at an
acceptable level. Conditions, policies and procedures might impact this evalu-
ation and might relate to:
• The client and its operating environment; and
• The firm and its operating environment.
The client and its operating environment
The professional accountant’s evaluation of whether the threat is at an
acceptable level might be impacted by whether the client is:
• An audit client and whether the audit client is a public interest entity;
• An assurance client that is not an audit client; or
• A non-assurance client.
As an example, providing a non-assurance service to an audit client that is a
public interest entity may result in a higher level of threat to compliance with
the fundamental principle of objectivity.
Compliance with the fundamental principles might be promoted by the client’s
governance structure and leadership. The client may for instance require the
appointment of the firm to perform the engagement by an appropriate govern-
ance structure. The competence, experience and seniority of the client’s
employees and corporate governance structures that promote oversight over
the firm’s services might also promote compliance with the principles.
The firm and its operating environment
The professional accountant’s evaluation of the level of the threat might also be
impacted by the work environment within the accountant’s firm and its operat-
ing environment. This includes:
• Firm leadership that stresses the importance of compliance with the fundamental principles and establishes the expectation that members of an assurance team will act in the public interest.
• Policies and procedures to implement and monitor quality control of engagements, including policies and the monitoring thereof with regard to independence and compliance with the fundamental principles.
• Timely communication of a firm’s policies and procedures to all partners and professional staff, and appropriate training and education on such policies and procedures.
• A senior member of staff to take responsibility for the firm’s quality control system.
• A disciplinary mechanism to promote compliance with policies and procedures.
• Policies and procedures to encourage and empower staff to communicate to senior levels within the firm any issue relating to compliance with the fundamental principles that concern them.
New information or changes in facts and circumstances may change the level
of the threat or conclusions about whether safeguards continue to address the
threats. Examples of changes include the expansion of the scope of a profes-
sional service and the merger or listing of the client.
Addressing threats
The following are examples of engagement-specific safeguards that might be
actions to address the threats:
• involving an additional professional accountant to review the work done or otherwise advise as necessary;
• consulting independent third parties, such as a committee of independent directors, a professional regulatory body or another professional accountant;
• disclosing any referral fees or commission arrangements with those charged with governance of the client;
• engaging another firm to perform or re-perform part of the engagement; and
• separating teams when dealing with matters of a confidential nature.

5.14 SECTION 310: CONFLICT OF INTERESTS


A professional accountant in public practice may be faced with a conflict of
interest when performing a professional service. The threat is mainly to object-
ivity but threats to other fundamental principles are also possible. Such threats
may be created when a professional service is provided to two or more clients
whose interests are in conflict, or when the interest of the professional
accountant providing the service is in conflict with the client.
Examples of conflicts of interest include:
• providing a transactional advisory service to the client seeking to acquire an audit client of the firm and where confidential information obtained during the audit is relevant to the transaction;
• advising two clients at the same time who are seeking to acquire the same company and where the advice given might be relevant to the two clients’ relevant positions;
• providing services to both a seller and the buyer in relation to the same transaction;
• preparing valuations of assets for two parties who are in adversarial positions with respect to the assets;
• representing two clients on the same matter who are in a legal dispute with each other;
• providing an assurance report for a licensor on royalties payable under a licence agreement when at the same time advising the licensee of the correctness of the amounts payable;
• advising a client to invest in a business in which the spouse of a professional accountant in business has a financial interest;
• providing strategic advice to a client on its competitive position while having a joint venture or similar interest with a major competitor of the client; and
• advising a client on the purchase of a product or a service whilst having a commission or royalty arrangement with the vendor of the product or service.
Conflict identification
A professional accountant in public practice must identify potential conflicts of
interest before accepting a new client, including potential conflicts because of
a network firm. An effective conflict of interest identification process (which
may differ based on several factors including the size of the firm) may assist in
this regard.
Threats created by conflicts of interest
The professional accountant in public practice should evaluate the level of the
threat caused by conflicts of interests. Factors that are relevant in evaluating
the level of the threat include:
• The existence of mechanisms to prevent disclosure of confidential
information in situations where professional services are provided to two
parties whose interests are in conflict regarding the specific matter. Examples
of mechanisms include:
    • separate engagement teams who maintain confidentiality;
    • separate areas of practice for speciality functions within the firm to act
      as a physical barrier for the passing of confidential information; and
    • signing of confidentiality agreements by partners and employees.
Examples of actions that might be safeguards to address the threats include:
• Review of the work performed by a professional accountant not involved in
the provision of the service for appropriateness; and
• Having separate engagement teams who maintain confidentiality.
It is generally necessary to disclose conflicts of interests and the safeguards
applied to the affected clients. This disclosure may be general, specific or
even implied, and the nature of the disclosure will depend on the nature and
significance of the conflict of interest.
The professional accountant should discontinue an engagement or not accept
the engagement should explicit consent be sought and not be granted by a
client.
Specific disclosures in order to obtain explicit consent may result in a breach
of confidentiality. The firm shall generally not accept or continue with an
engagement under these circumstances, unless:
• the firm does not act in an advocacy role for one client where this requires
the firm to assume an adversarial role against the other client in the same
matter;
• specific mechanisms are in place to prevent disclosure of confidential
information between engagement teams; and
• a restriction on the firm’s ability to perform the service to both parties
would produce a disproportionate adverse outcome and a reasonable and
informed third party would come to the same conclusion.

5.15 SECTION 320: PROFESSIONAL APPOINTMENTS


Before accepting a client, accepting a specific engagement, or replacing
another professional accountant in public practice, a professional accountant
in public practice should consider whether there are any circumstances which
may create threats to compliance with the fundamental principles. The level of
the threats should be evaluated, and actions taken to address the threats.
Client acceptance
Threats to professional behaviour and integrity include questionable issues
relating to a client’s owners, managers and activities, such as illegal activities,
dishonesty and questionable financial reporting practice.
Factors that are relevant in evaluating the level of the threats include
knowledge and understanding of the client, its owners, managers and those
responsible for its governance and business activities, and the client’s
commitment to improve corporate governance practices or internal controls.
A professional accountant in public practice should agree to provide only
those services that he/she is competent to perform.
A self-interest threat to professional competence and due care is created if the
engagement team does not possess, or cannot acquire, the competencies
necessary to perform the engagement.
Factors that are relevant in evaluating the level of the threat include:
• an appropriate understanding of the nature of the client’s business, the
complexity of its operations, and the requirements, purpose, nature and
scope of the engagement;
• complying with quality control policies and procedures; and
• knowledge of relevant industries or subject matters, or of relevant
regulatory or reporting requirements.
Examples of actions that might be safeguards to address the threat include:
• assigning sufficient staff with the necessary competencies;
• using experts where necessary (it should first be determined whether
reliance is warranted); and
• agreeing on a realistic time frame for the performance of the engagement.
If threats cannot be addressed, the client must not be accepted.
Acceptance decisions should be periodically reviewed for recurring client
engagements.
Changes in professional appointment
A professional accountant who is asked to replace another professional
accountant in public practice, or who considers tendering for an engagement
currently held by another accountant, should consider whether there are any
circumstances that threaten compliance with the fundamental principles. A
threat to professional competence and due care may for instance arise if the
professional accountant in public practice accepts an engagement before
knowing all the pertinent facts.
Professional accountants should, through discussion of the client’s affairs with
the existing accountant, ascertain if there are any professional reasons why an
appointment should not be accepted. The client’s permission, preferably in
writing, should be obtained for this. Direct communication will enable the
professional accountant to evaluate the level of any threats. Another factor
that might be relevant in evaluating the level of the threat is whether the
tender states that, prior to accepting the engagement, contact with the existing
accountant will be permitted to determine whether there are any professional
reasons why the appointment should not be accepted.
Examples of actions that might be safeguards to address the threats include
requesting the existing accountant to provide known information on any facts
or circumstances that, in the proposed accountant’s opinion, the proposed
accountant should be aware of prior to deciding whether to accept the
engagement.
If a professional accountant is asked to undertake an assignment and the
existing professional accountant will continue to provide professional services,
threats to professional competence and due care may arise. A relevant factor
in evaluating the level of the threat is whether the accountant could notify the
existing accountant of the proposed work.
If the threats cannot be addressed, the engagement should not be accepted.
If the proposed client refuses or fails to give permission for communication with
the existing or predecessor accountant, the proposed accountant shall decline
the appointment, unless there are exceptional circumstances of which the
proposed accountant has full knowledge.

5.16 SECTION 321: SECOND OPINIONS


A situation where a professional accountant is asked to express a second
opinion could create a threat to the fundamental principles and, as such, the
threat should be identified and its level evaluated. Factors to consider when
evaluating the level of the threat include the circumstances of the request and
all other available facts and assumptions relevant to the expression of a
professional judgement.
Examples of actions that might be safeguards to address the threat include:
• with permission from the client, contacting the existing accountant and
confirming that the facts relevant to the issue are complete;
• communicating any limitations surrounding the second opinion to the
client;
• having an appropriate reviewer, who has not taken part in the second
opinion, review the draft second opinion.
The professional accountant should consider whether it is appropriate to
provide a second opinion if the client denies him/her the opportunity to
communicate with the existing accountant.
The second opinion should be provided in writing.
A professional accountant shall not provide a second opinion regarding an
opinion expressed on financial statements where the audit was performed in
terms of the ISAs.

5.17 SECTION 330: FEES AND OTHER TYPES OF REMUNERATION


The level and nature of fee and other remuneration arrangements might create
a self-interest threat to compliance with one or more fundamental principles.
Level of fees
A professional accountant in public practice may generally quote whatever fee
is deemed to be appropriate. It is not in itself unethical to quote a lower fee
than another accountant when entering into negotiations regarding a professional
appointment, but the professional accountant should still consider any threats
and evaluate the level of the threats. A self-interest threat to professional
competence and due care may for instance be created if the fee quoted is so low
that it may be difficult to perform the engagement in accordance with the
applicable technical and professional standards.
Factors that are relevant in evaluating the level of the threat include:
• Whether the client is aware of the terms of the engagement and, in
particular, the basis on which fees are charged and the services to which fees
relate; and
• Whether the level of the fee is set by an independent third party such as a
regulatory body.
Examples of actions that might be safeguards to address the threat include:
• Adjusting the level of the fee or the scope of the engagement; and
• Having an appropriate reviewer review the work performed.
Contingency fees
Contingency fees are widely used for certain types of non-assurance
engagements. A contingency fee can be defined as a fee calculated on a
predetermined basis relating to the outcome or result of a transaction or the
result of the work performed. Contingency fees may give rise to a self-interest
threat to compliance with the fundamental principle of objectivity in certain
circumstances.
A professional accountant shall not charge contingent fees for the preparation
of an original or amended tax return, as these services are regarded as
creating self-interest threats to objectivity that cannot be eliminated and
safeguards are not capable of being applied to reduce them to an acceptable
level.
Factors that are relevant in evaluating the level of the threat include:
• the nature of the engagement;
• the range of possible fee amounts;
• the basis for determining the fee;
• disclosure to intended users of the work performed by the professional
accountant and the basis of remuneration;
• quality control policies and procedures; and
• whether the outcome of the transaction is to be reviewed by an independent
third party.
Examples of actions that might be safeguards to address the threats include:
• obtaining an advance written agreement with the client on the basis of the
remuneration; and
• review of the work performed by an objective third party.
Commission/referral fees
In certain circumstances, a professional accountant in public practice may
receive a referral fee or commission relating to a client, or pay a referral fee to
obtain a client. This could happen when the specific service required by a
client is not offered by the professional accountant. Commission can also be
received in connection with the sale of goods or services to a client. The sale
of software by a software vendor is an example. The acceptance/payment of
such a referral fee/commission may give rise to self-interest threats to
objectivity and professional competence and due care.
The level of the threats should be evaluated, and actions taken as safeguards
to ensure compliance with the fundamental principles. Examples of actions that
might be safeguards may include:
• disclosing to the client any arrangement to pay/receive a referral fee
to/from another professional accountant. This should be done in advance
and in writing; and
• obtaining the agreement, in advance, in writing from the client for
commission arrangements in connection with the sale by a third party of goods
or services to the client.
A professional accountant in public practice may purchase all or a part of
another firm. The payments made to individuals formerly owning the firm or to
their heirs or estates are not regarded as commissions or referral fees.

5.18 SECTION 340: INDUCEMENTS, INCLUDING GIFTS AND HOSPITALITY


Compliance with the fundamental principles may be threatened if a
professional accountant in public practice, or an immediate or close family
member, accepts gifts and hospitality from a client.
The level of such threats will depend on the nature, value and intent behind the
offer. Offers made in the normal course of business will not pose a significant
threat.

5.19 SECTION 350: CUSTODY OF CLIENT ASSETS


A professional accountant in public practice shall not assume custody of client
monies or other assets unless permitted to do so by law and, if so, in
compliance with any additional legal duties imposed upon him/her.
The professional accountant shall also, as part of client and engagement
procedures related to assuming custody of client monies or other assets, make
inquiries about the source of the assets and also consider related legal and
regulatory obligations. The professional accountant shall not hold assets if
inquiries reveal that the assets were derived from illegal activities such as
money laundering.
A self-interest threat to professional behaviour exists and a self-interest threat
to objectivity may arise from the holding of, or association with, client assets.
A professional accountant entrusted with money or other assets shall:
• Keep client assets separate from personal or firm assets.
• Use such assets only for the purpose for which they were intended.
• At all times, be prepared to account to any person who is entitled to such
accounting for those assets, and any income, dividends or gains generated.
• Comply with all relevant laws and regulations relevant to the holding or
accounting of those assets.
When a professional accountant, in the course of providing professional
services, is entrusted with client monies or property, the professional
accountant shall:
• maintain one or more bank accounts with an institution(s) registered in
terms of the Banks Act 94 of 1990, that are separate from the professional
accountant’s own bank account;
• appropriately designate such accounts (accounts may be in the name of
the professional accountant or relevant clients);
• deposit client monies without delay to the credit of such client account;
• maintain such records as may be reasonably expected to ensure that the
property can be identified as being the property of the client; and
• safeguard documents against unauthorised use in cases where property
is in the form of documents of title to money.

5.20 SECTION 360: RESPONDING TO NON-COMPLIANCE WITH LAWS AND REGULATIONS


The purpose of this section is to set out the responsibilities of professional
accountants in public practice when non-compliance or suspected
non-compliance with laws and regulations is encountered in the course of
providing a professional service to a client. Guidance is also provided
regarding the assessment of the implications of the matter and possible courses
of action when responding to it. A self-interest or intimidation threat to
compliance with the principles of integrity and professional behaviour is
created when a professional accountant becomes aware of non-compliance or
suspected non-compliance with laws and regulations.
Professional accountants have the responsibility to obtain an understanding of
legal or regulatory provisions and how non-compliance with laws and
regulations should be addressed, should it exist in a jurisdiction.
Professional accountants must always act in the public interest, and the
objectives when responding to non-compliance with laws and regulations are
therefore:
• to comply with the fundamental principles of integrity and professional
behaviour;
• by alerting management, or those charged with governance, to seek to:
    • enable them to rectify, remediate or mitigate the consequences of the
      non-compliance; or
    • prevent the non-compliance where it has not yet occurred; and
• to take further action as appropriate in the public interest.
The section sets out the approach to be taken in relation to non-compliance
with laws and regulations which are recognised to have a direct effect on the
determination of material amounts and disclosures in the client’s financial
statements, as well as laws and regulations that do not have a direct effect.
Generally, a professional accountant is not required to comply with this section
with respect to matters that are clearly inconsequential to the client, its
stakeholders and the general public.
This section does not address personal misconduct unrelated to the business
activities of the client, or non-compliance other than by the client, those
charged with governance, management, or other individuals working for or
under the direction of the client.
Professional accountants in public practice shall comply with this section on a
timely basis, having regard to the nature of the matter and the potential harm to
the interests of the entity, investors, creditors, employees or the general public.
Obtaining an understanding of the matter
The professional accountant engaged to perform an audit of financial
statements shall obtain an understanding of an instance of non-compliance or
suspected non-compliance, whether in the course of performing the engagement
or through information provided by other parties.
The professional accountant is required to apply knowledge, professional
judgement and expertise, but is not expected to have a level of knowledge that
is greater than what is required to undertake the engagement.
Consultation on a confidential basis with others in the firm, network firm or
professional body is permitted, depending on the nature and significance of
the matter.
The professional accountant shall discuss the matter with the appropriate level
of management, or where appropriate, those charged with governance. The
purpose of such discussion is to clarify the understanding of the facts and
circumstances relevant to the matter, but it may also prompt management to
investigate.
The appropriate level of management referred to above is a matter of
professional judgement and may include a consideration of factors, such as the
nature and circumstances of the matter, the individuals involved, the likelihood
of collusion, and the potential consequences of the matter.
Addressing the matter
The professional accountant shall advise management or those charged with
governance to take appropriate and timely action, including:
• rectify, remediate or mitigate the consequences of the non-compliance;
• prevent the non-compliance where it has not yet occurred; or
• disclose the matter to an appropriate authority where required to do so by
law or where considered to be in the public interest.
A professional accountant involved in the audit of a group as the component
auditor shall consider communicating an actual or suspected non-compliance
to the group engagement partner, unless prohibited from doing so by law or
regulation. The same applies to communication as the group engagement partner
to the component auditor.
The professional accountant shall, in determining whether further action is
needed, assess the appropriateness of the response of management or those
charged with governance.
Further action as referred to above may include:
• disclosing the matter to an appropriate authority even if not required to do
so by law; and
• withdrawing from the engagement.
Withdrawal from an engagement may not be considered as a substitute for
taking other action in the public interest, but may be the only option in some
jurisdictions.
The professional accountant shall, on the request of the successor accountant,
provide all information regarding the actual or suspected non-compliance.
Determining whether to disclose the matter to an appropriate authority
Disclosure to an appropriate authority would be precluded if doing so would
be contrary to law or regulation.
In deciding whether or not to make a disclosure, the professional accountant
shall consider the actual or potential harm that is or may be caused by the
matter to investors, creditors, employees or the general public.
The decision will also be influenced by:
• whether there is an appropriate authority able to receive and deal with the
information;
• whether robust and credible protection exists from civil, criminal or
professional liability or retaliation; and
• whether there are threats to the physical safety of any person.
When making a disclosure, the accountant shall act in good faith and exercise
caution when making statements and assertions. The accountant shall also
consider whether it is appropriate to inform the client of the accountant’s
intentions before disclosing the matter.
Documentation
The professional accountant shall, in addition to complying with the
requirements of ISAs, also document the following:
• how management or those charged with governance have responded to
the matter;
• courses of action considered, judgements and decisions made (by the
chartered accountant); and
• how the chartered accountant has fulfilled his/her responsibility in the
public interest.
Professional services other than audits of financial statements
The above will also be applicable to the delivery of services other than audits
of financial statements by professional accountants.

PART 4A – INDEPENDENCE FOR AUDIT AND REVIEW ENGAGEMENTS


5.21 SECTION 400 – APPLYING THE CONCEPTUAL FRAMEWORK TO INDEPENDENCE FOR AUDIT AND REVIEW ENGAGEMENTS
Part 4A addresses the independence requirements for audit engagements
and review engagements in which the professional accountant expresses a
conclusion on financial statements. Independence requirements for other
assurance engagements are addressed in Part 4B.
Independence requires:
• Independence of mind:
The state of mind that permits the provision of a conclusion without being
affected by influences that compromise professional judgement, allowing
an individual to act with integrity, and exercise objectivity and professional
scepticism.
• Independence in appearance:
The avoidance of facts and circumstances that are so significant that a
reasonable and informed third party, having knowledge of all relevant
information, including safeguards applied, would reasonably conclude
that a firm’s, or member of the assurance team’s, integrity, objectivity or
professional scepticism had been compromised.
If a firm concludes that a breach of a requirement in this Part has occurred, the
firm shall:
• end, suspend or eliminate the interest or relationship that created the
breach and address the consequences of the breach;
• consider whether any legal or regulatory requirements apply to the
breach, and if so, comply with the requirements;
• immediately communicate the breach to the engagement partner, those
with responsibility for the policies and procedures relating to independence
and other relevant staff in the firm or network firm;
• evaluate the significance of the breach and its impact on the firm’s
objectivity and ability to issue the audit report; and
• determine whether to end the audit engagement, or whether it is possible
to take action that satisfactorily addresses the consequences of the
breach.
In this section, the term “audit” (including “audit team”, “audit engagement”,
“audit client” and “audit report”) applies equally to “review team”, “review
engagement”, “review client” and “review report”.
SECTION 410 – 800: APPLICATION OF FRAMEWORK TO SPECIFIC SITUATIONS
The following are examples of threats to independence, factors that might be
relevant in evaluating the level of the threat, as well as actions that might be
safeguards in ensuring compliance with the fundamental principles, and
considerations with regard to whether the threats are significant or clearly
insignificant. In some situations, no action or safeguards can ensure compliance
with the fundamental principles, in which case it is indicated as such.

PART 4A: INDEPENDENCE: AUDITS AND REVIEWS OF FINANCIAL STATEMENTS
THREATS TO INDEPENDENCE | FACTORS THAT ARE RELEVANT IN EVALUATING THE LEVEL OF THE THREAT | ACTIONS THAT MIGHT BE SAFEGUARDS

1. Total fees generated from an audit client represent a large portion of the
firm’s total fees (self-interest or intimidation threat).
Factors that are relevant in evaluating the level of the threat:
• Structure of the firm.
• Whether the firm is well established or newly created.
• The significance of the client qualitatively and/or quantitatively to the firm.
Actions that might be safeguards:
• Reduce dependency on the client by increasing the client base in the firm.
Additional actions that might be safeguards should be applied if the audit fee
of a public interest entity for two consecutive years represents more than 15%
of the fee income of the firm. The actions include:
• Disclosure of the fact to those charged with governance.
• The performance of a quality control review prior to and after the issuance
of the audit report.

2. Fees generated from an audit client represent a large part of the revenue of
an individual partner or one office of a firm (self-interest or intimidation).
Factors that are relevant in evaluating the level of the threat:
• The significance of the client to the partner or the office.
• The extent to which the compensation of the partner, or the partners in the
office is dependent on the fees generated from the client.
Actions that might be safeguards:
• Reduce dependency on the client by increasing the client base of the partner
or the office.
• An additional person that was not a member of the audit team to review the
work done.

3. Fees from an audit client are not paid before the audit report for the
following year is issued (self-interest).
Factors that are relevant in evaluating the level of the threat:
Always significant.
Actions that might be safeguards:
• Obtain partial payment of overdue fees.
• An additional person who did not take part in the audit engagement to review
the work performed.
When fees outstanding for a long time:
• Consider whether the outstanding fees might be regarded as being equivalent
to a loan to the client.
• Consider whether appropriate to continue with the engagement.

4. Firm charges contingency fees with regard to an audit engagement.
Factors that are relevant in evaluating the level of the threat:
Threat is so significant that no actions might be taken as safeguards to
address the threat.

5. A contingency fee is charged regarding a non-assurance service to an audit
client (self-interest threat).
Factors that are relevant in evaluating the level of the threat:
• The range of possible fee amounts.
• Whether an appropriate authority determines the outcome on which the
contingency fee depends.
• Disclosure to intended users of the work performed and the basis of
remuneration.
• The nature of the service.
• The effect of the transaction on the financial statements.
Actions that might be safeguards:
• An appropriate person who did not take part in the non-assurance engagement
to review the work performed.
• Obtaining an advance written agreement with the client on the basis of
remuneration.

6. An audit team member for a particular audit client is evaluated on or
compensated for selling non-assurance services to that audit client
(self-interest threat).
Factors that are relevant in evaluating the level of the threat:
• What proportion of the compensation or evaluation is based on the sale of
such services.
• The role of the individual on the audit team.
• Whether the sale of such services influences promotion decisions.
Actions that might be safeguards:
To eliminate the threat:
• Revise the compensation plan or evaluation process for that individual.
• Removing the individual from the audit team.
To address the threat:
• Having an appropriate reviewer review the work of the audit team member.

7. Firm or member of the audit team receives gifts or hospitality from an audit
client.
Factors that are relevant in evaluating the level of the threat:
Threat is so significant that no actions might be taken as safeguard to address
the threat, unless the gift is trivial and inconsequential.

8. Actual or threatened litigation between the firm or a member of the audit
team, and the audit client (self-interest or intimidation threat).
Factors that are relevant in evaluating the level of the threat:
• The materiality of the litigation.
• Whether the litigation relates to a prior audit engagement.
Actions that might be safeguards:
To eliminate the threat:
• If the litigation involves a member of the audit team, remove that individual
from the team.
To address the threat:
• Involve an additional person to review work performed.

9. The firm or network firm, a member of the audit team, or their immediate
family member, any other partner in the office in which the partner practices,
or any of that partner’s immediate family, or any other partner, or managerial
employee who provides non-audit services to the audit client, or that
individual’s immediate family has a direct financial interest or a material
indirect financial interest in an audit client.
Factors that are relevant in evaluating the level of the threat:
So significant that no actions can be taken as safeguards to address the threat.
Actions that might be safeguards:
Not applicable.

10. The firm or network firm, a member of the audit team, or their immediate
family member has a direct financial interest or a material indirect financial
interest in an entity that has a controlling interest in an audit client.
Factors that are relevant in evaluating the level of the threat:
So significant that no actions can be taken as safeguards to address the threat.
Actions that might be safeguards:
Not applicable.

11. A firm, partner, or employee of the firm, or a member of that individual’s
immediate family receives, by way of inheritance, gift, or as a result of a
merger, a direct financial interest or a material indirect financial interest in
the audit client.
Factors that are relevant in evaluating the level of the threat:
Always significant.
Actions that might be safeguards:
• Direct interest: Dispose of the direct interest.
• Indirect interest: Dispose of the indirect financial interest in total or
dispose of a sufficient amount so that it is no longer material.
• Remove the individual from the audit team.

12. Close family member of a member of the audit team has a direct financial
interest or material indirect financial interest in an audit client
(self-interest threat).
Factors that are relevant in evaluating the level of the threat:
• Nature of relationship between the close family member and the member of the
audit team.
• Whether the financial interest is direct or indirect.
• Materiality of the financial interest.
Actions that might be safeguards:
To eliminate the threat:
• Having the close family member dispose of all of the direct interest or enough
of the indirect interest so that the remaining interest is no longer material.
• Removing the individual from the audit team.
To address the threat:
• Have an appropriate reviewer review the work of the member of the audit team.

13. Firm, network firm or member of the audit team holds a direct financial or
indirect material financial interest in the audit client as a trustee.
Factors that are relevant in evaluating the level of the threat:
Insignificant if:
• the member of the audit team, immediate family and firm are not beneficiaries
of the trust;
• the interest in the audit client is not material to the trust;
• the trust is not able to exercise significant influence over the audit client;
and
• the trustee, an immediate family member of the trustee, or the firm does not
have significant influence over any investment decisions involving a financial
interest in the audit client.
Actions that might be safeguards:
No safeguards (such an interest shall not be held unless insignificant).

(continued)
THREATS TO INDEPENDENCE FACTORS THAT ARE RELEVANT IN ACTIONS THAT MIGHT BE
EVALUATING THE LEVEL OF THE THREAT SAFEGUARDS
14. An audit team member, or an immediate family member of the audit team member, the firm or a network firm has a financial interest in an entity when a director or officer or controlling owner of the audit client is also known to have a financial interest in that entity (self-interest, familiarity, or intimidation threat).
Factors that are relevant in evaluating the level of the threat:
• The role of the individual on the audit team.
• Whether ownership in the entity is closely or widely held.
• Whether the interest allows the investor to control or significantly influence the entity.
• The materiality of the financial interest.
Actions that might be safeguards:
To eliminate the threat:
• Removing the individual from the audit team.
To address the threat:
• Have an appropriate reviewer review the work of the member of the audit team.

15. Deposits made by, or brokerage accounts of, or a loan from, or guarantees thereof by, an audit client that is a bank, broker or similar institution, to the firm (self-interest threat).
Factors that are relevant in evaluating the level of the threat:
Dispose of, unless made under normal lending practices.
It might create a self-interest threat even if it is made under normal lending practices.
Actions that might be safeguards:
Having the work reviewed by an appropriate reviewer, who is not an audit team member from a network that is not a beneficiary of the loan.

16. A loan from or a guarantee thereof by an audit client, or any officer or director of the audit client, that is not a bank or similar institution to a member of the audit team, their immediate family, or to the firm or network firm (self-interest threat).
Factors that are relevant in evaluating the level of the threat:
Dispose of unless the loan or the guarantee is immaterial to:
• The firm, the network firm, or the individual receiving the loan or guarantee, as applicable, and
• The client.

17. Firm, network firm or member of the audit team or immediate family of the member of the audit team has granted loans or guarantees of loans to an audit client or any director or officer of the audit client.
Factors that are relevant in evaluating the level of the threat:
Significant unless:
• loan or guarantee is immaterial to the firm/member of the audit team (or immediate family);
AND
• immaterial to the audit client.
Actions that might be safeguards:
Applicable safeguards do not exist if it is significant.

18. Firm, network firm or member of the audit team has a commercial or common financial interest in the audit client or its management. For example, distribution or marketing arrangements under which the firm acts as distributor or marketer of the audit client’s products or services, or the audit client acts as the distributor of the products or services of the firm.
Factors that are relevant in evaluating the level of the threat:
Significant unless:
• Financial interest is immaterial.
• Business relationships are insignificant.
Actions that might be safeguards:
• Remove the individual from the audit team if significant.
• Terminate the business relationships.
• Reduce the extent of the relationships, so that the relationships are insignificant and the financial interest is immaterial.

19. Firm, network firm, member of the audit team, or any of that individual’s immediate family purchases goods and services from an audit client (self-interest, familiarity or intimidation threat).
Factors that are relevant in evaluating the level of the threat:
Not a threat to independence if:
• in the normal course of business; and
• on arm’s length basis.
The nature and magnitude of the transaction could make it significant.
Actions that might be safeguards:
If threat to independence:
• Eliminate or reduce the magnitude of the transaction.
• Remove the individual from the audit team.

20. A member of the audit team has family and personal relationships with a director, official or employee that can exert a direct and significant influence on the audit (self-interest, familiarity or intimidation threat).
Factors that are relevant in evaluating the level of the threat:
• Individual’s responsibilities in the audit engagement.
• Role of the family member or other individual within the audit client.
Actions that might be safeguards:
To eliminate the threat:
• Remove the individual from the audit team.
To address the threat:
• Structuring the responsibilities of the audit team so that the audit team member does not deal with matters that are within the responsibility of the immediate family member.


21. Immediate family of a member of the audit team is a director or officer or an employee of the audit client in a position to exert a direct and significant influence (self-interest, familiarity or intimidation threat).
Factors that are relevant in evaluating the level of the threat:
Always significant.
Actions that might be safeguards:
• Remove the individual from the audit team.

22. A close family member of the audit team is a director or officer or an employee of the audit client, in a position to exert a direct and significant influence.
Factors that are relevant in evaluating the level of the threat:
• The position the close family member holds with the client.
• The role of the audit team member on the audit team.
• The nature of the relationship between the member of the audit team and the close family member.
Actions that might be safeguards:
To eliminate the threat:
• Remove the individual from the audit team.
To address the threat:
• Where possible, structure the responsibilities of the audit team so that the audit team member does not deal with matters that are within the responsibilities of the close family member.

23. Partner or employee of the firm which is not a member of the audit team but has personal and family relationships with a director, officer or an employee of the audit client that is in a position to exert a direct and significant influence on the subject matter of the audit engagement.
Factors that are relevant in evaluating the level of the threat:
• The nature of the relationships.
• The degree of interaction of the partner or employee of the firm with the audit team.
• Position of the individual within the client.
• Role of the individual within the audit team.
Actions that might be safeguards:
• Structuring the partner’s or employee’s responsibilities to reduce any potential influence over the audit engagement.
• Having an appropriate reviewer review the relevant audit work performed.

24. A member of the audit team served as a director or officer or was an employee in a position to exert significant influence over the preparation of the client’s accounting records or financial statements on which the firm will express an opinion before the period covered by the audit report (self-interest, self-review or familiarity threat).
Factors that are relevant in evaluating the level of the threat:
• The audit team shall not include an individual who was an employee at the client during the period that is covered by the audit report.
• If the member of the audit team was an employee, director or officer at the client prior to the period which is covered by the audit report, the significance depends on the:
  – position that the person held at the client;
  – length of time that has passed since the individual has left the audit client; and
  – role the individual plays on the audit team.
Actions that might be safeguards:
Having an appropriate reviewer review the work performed by the audit team member.

25. A partner or employee of the firm or a network firm shall not serve as official or director on the Board of the audit client.
Factors that are relevant in evaluating the level of the threat:
Not applicable.
Actions that might be safeguards:
Not applicable.


26. Partner or employee of the firm or network firm serves as company secretary.
Factors that are relevant in evaluating the level of the threat:
Not allowed unless:
• the practice is specifically allowed under local law, professional rules or practice;
• functions are limited to routine work of an administrative nature; and
• management makes all the appropriate decisions.

27. Firm or network firm loans staff to an audit client (self-review, advocacy, or familiarity threats).
Factors that are relevant in evaluating the level of the threat:
A firm or network firm shall not loan staff to an audit client unless:
• Such assistance is provided only for a short period of time.
• The staff are not involved in providing non-assurance services that would not be permitted by the CPC.
• The staff do not assume management responsibilities and the audit client is responsible for directing and supervising the activities of the staff.
Actions that might be safeguards:
• Conducting an additional review of the work performed by the loan staff might address the self-review threat.
• Not including the loaned staff as an audit team member might address a familiarity or advocacy threat.
• Not giving the loaned staff audit responsibility for any function or activity that the staff performed during the loaned staff assignment might address a self-review threat.

28. A director, official or employee of the audit client was a member of the audit team, and now in a position to exert a direct and significant influence on the subject matter of the audit engagement (self-interest, self-review or familiarity threat).
Factors that are relevant in evaluating the level of the threat:
The firm shall ensure that no significant connection remains. A significant connection remains, unless:
• The individual is not entitled to any benefits or payments from the firm or network firm that are not made in terms of pre-determined arrangements.
• Any amount owed to the individual is not material to the firm or network firm.
• The individual does not continue to participate or appear to participate in the firm’s or network firm’s business or professional activities.
Even if no significant connection remains, a familiarity or intimidation threat might still be created. The following factors are relevant in evaluating this threat:
• The position that the individual has taken at the audit client.
• The amount of any involvement that the individual has with the audit team.
• The length of time that has passed since the individual was a member of the audit team or firm; and
• The former position of the individual within the audit team or firm.
Actions that might be safeguards:
• Assign an audit team to the subsequent audit engagement that is of sufficient experience in relation to the individual who has joined the audit client.
• Review the work of a person who is not a member of the audit team.
• Modifying the audit plan.

29. A member of the audit team is planning on joining the audit client sometime in the future.
Factors that are relevant in evaluating the level of the threat:
Always significant.
Actions that might be safeguards:
• Policies and procedures that require the individual to notify the firm when entering serious employment negotiations.
To eliminate the threat:
• Remove the individual from the audit engagement.
To address the threat:
• Independent review of the decisions that were made by the individual while on the engagement.

30. Using the same individual over a long period of time on the audit engagement (familiarity threat).
Factors that are relevant in evaluating the level of the threat:
In relation to the individual:
• The overall length of the individual’s relationship with the client.
• How long the individual has been an engagement team member, and the nature of roles performed.
• The extent to which the work of the individual is directed, reviewed and supervised by more senior staff.
• The extent to which the individual, due to the individual’s seniority, has the ability to influence the outcome of the audit.
• The closeness of the individual’s personal relationship with senior management or those charged with governance.
• The nature, frequency and extent of the interaction between the individual and senior management or those charged with governance.
In relation to the audit client:
• The nature or complexity of the client’s accounting and financial reporting issues and whether they have changed.
• Whether there have been any recent changes in senior management or those charged with governance.
• Any structural changes in the client’s organisation.
Actions that might be safeguards:
To eliminate the threat:
• Rotate the senior personnel off the audit team.
To address the threat:
• Involve an appropriate individual who isn’t a member of the audit team to review the work.
• Regular independent internal quality reviews.
• Changing the role of the individual on the audit team or the nature and extent of the tasks the individual performs.

31. Using the same engagement partner, individual appointed as responsible for the engagement quality control review, or any other key audit partner over a prolonged period on the audit of a public interest entity.
Factors that are relevant in evaluating the level of the threat:
Always significant.
Actions that might be safeguards:
To eliminate the threat:
• The individuals should be rotated after seven years, or as determined by relevant legislation.
• After the period above, the individual shall serve a “cooling-off” period as follows:
  – Engagement partner – five consecutive years
  – Individual responsible for engagement quality control – three consecutive years
  – Other key audit partner role – two consecutive years
The timing of the rotation can be amended if:
• the lead engagement partner’s continuity is especially important to the audit client, e.g. important changes that are taking place at the client;

32. Provision of non-assurance services to audit clients (Threat to independence).
Factors that are relevant in evaluating the level of the threat:
• The nature, scope and purpose of the service.
• The degree of reliance that will be placed on the outcome of the service as part of the audit.
• The legal and regulatory environment in which the service is provided.
• Whether the outcome of the service will affect matters reflected in the financial statements on which the firm will express an opinion.
• The level of expertise of the client’s management and employees with respect to the type of service provided.
• The extent of the client’s involvement in determining significant matters of judgment.
• The nature and extent of the impact of the service on the systems that generate information that forms a significant part of the client’s accounting records or financial statements on which the auditors will express an opinion, or internal control over reporting.
• Whether the client is a public interest entity in which case the perceived level of threat will be higher.
Actions that might be safeguards:
• Professional staff are prohibited from making any management decisions for the audit client, or assuming responsibility for such decisions.
The sections below contain more action that might eliminate or address the threats.

33. Audit client is provided with accounting or bookkeeping services (self-review threat).
Factors that are relevant in evaluating the level of the threat:
Audit clients that are not public interest entities:
A firm or a network firm shall not provide to an audit client that is not a public interest entity accounting and bookkeeping services including the preparation of financial statements on which the firm will express an opinion or financial information which forms the basis of such financial statements unless:
• The services are of a routine or mechanical nature; and
• The firm addresses any threats that are created by providing such services that are not at an acceptable level.
Audit clients that are public interest entities:
A firm or a network firm shall not provide to an audit client that is not a public interest entity accounting and bookkeeping services including the preparation of financial statements on which the firm will express an opinion or financial information which forms the basis of such financial statements. As an exception, a firm or network firm may provide accounting or bookkeeping services of a routine or mechanical nature to divisions or related entities of the audit client if the staff providing the service are not audit team members, and
• The divisions or related entities are collectively immaterial to the financial statements on which the firm will express an opinion; or
• The service relates to matters that are collectively immaterial to the financial statements of the division or the related entity.
Actions that might be safeguards:
To address the threat regarding audit clients that are not public interest entities:
• Using professionals who are not audit team members to perform the service.
• Having an appropriate reviewer who was not involved in providing the service review the audit work or service performed.

34. Providing administrative services to an audit client.
Factors that are relevant in evaluating the level of the threat:
• Does not usually create a threat if routine or mechanical tasks within the normal course of operations that require little or no professional judgement and are clerical in nature.
Examples include:
• Word processing services.
• Preparing administrative or statutory forms for client approval.
• Submitting such forms as instructed by the client.
• Monitoring statutory filing dates and advising audit clients of such dates.

35. Providing valuation services to an audit client (self-review or advocacy threat).
Factors that are relevant in evaluating the level of the threat:
• The use and purpose of the valuation report.
• Whether the valuation report will be made public.
• The extent of the client’s involvement in determining and approving the valuation methodology and other significant matters of judgment.
• Whether the valuation will have a material effect on the financial statements.
• The extent and clarity of the disclosures related to the valuation in the financial statements.
• The degree of dependence on future events of a nature that might create significant volatility inherent in the amounts involved.
• A firm or network firm shall however not provide a valuation service to an audit client who is not a public interest entity if the valuation involves a significant degree of subjectivity, and the valuation will have a material effect on the financial statements on which an opinion is expressed.
• A firm or network firm shall also not provide a valuation service to an audit client who is a public interest entity if the valuation will have a material effect on the financial statements on which an opinion is expressed.
Actions that might be safeguards:
• The review of the audit or valuation work by a professional who was not involved in providing the valuation services.
• Employees who provide such services not to be included in the audit team.

36. Audit clients are provided with taxation services. This may include:
• tax return preparation;
• tax calculations for the purpose of preparing the accounting entries;
• tax planning and other tax advisory services; and
• assistance in the resolution of tax disputes.
Factors that are relevant in evaluating the level of the threat:
• The system by which the tax authorities assess and administer the tax in question and the role of the firm in that process.
• The complexity of the relevant tax regime and the degree of judgment necessary in applying it.
• The particular characteristics of the engagement.
• The level of tax expertise of the client’s employees.
Refer to section 604.4 to section 604.11 for detail of the different taxation services.
Actions that might be safeguards:
Refer to section 604.4 to section 604.11.

37. Firm or network firm provides internal audit services to an audit client (self-review threat).
Factors that are relevant in evaluating the level of the threat:
In the case of a public interest entity, a firm or network firm shall not provide internal audit services that relate to:
• a significant portion of the internal controls over financial reporting;
• financial accounting systems that generate information that is significant to the client’s accounting records or financial statements; or
• amounts or disclosures that are material to the financial statements.
Actions that might be safeguards:
Ensure that:
• the audit client accepts responsibility for the internal audit activities and internal control;
• the audit client designates a competent employee (preferably senior management) to be responsible for internal audit activities;
• the audit committee approves the scope, risk and frequency of internal audit work;
• the audit client decides on what recommendations to be implemented;
• the audit client evaluates the adequacy of procedures performed and the findings reflected in reports; and
• findings and recommendations resulting from internal audit activities are reported to the audit committee.
Internal audit services should also only be provided by personnel not involved in the audit engagement and with different reporting lines within the firm.

38. Firm or network firm provides IT systems services to an audit client that involve the design and implementation of financial information technology systems that are related to internal control or that are used to generate information forming part of a client’s financial statements.
Factors that are relevant in evaluating the level of the threat:
Audit clients that are not public interest entities:
• The nature of the service.
• The nature of the IT system and the extent to which it impacts or interacts with the client’s accounting records or financial systems.
• The degree of reliance that will be placed on the particular IT systems as part of the audit.
Audit clients that are public interest entities:
• Not allowed if the IT systems form a significant part of the internal control over financial reporting or generate information that is significant to the client’s accounting records or financial statements on which the firm will express an opinion.
Actions that might be safeguards:
Ensure that:
• the audit client acknowledges its responsibility for establishing and monitoring a system of internal control;
• a competent employee (preferably within senior management) makes all management decisions regarding design and implementation;
• the audit client evaluates the adequacy and results of the design and implementation of the system;
• the audit client is responsible for the operation of the system; and
• the services are provided by personnel not involved in the audit engagement and with different reporting lines within the firm.

39. Firm or network firm provides litigation support services (self-review or advocacy threat).
Factors that are relevant in evaluating the level of the threat:
• The legal and regulatory environment in which the service is provided, for example, whether an expert witness is chosen and appointed by the court.
• The nature and characteristics of the service.
• The extent to which the outcome of the litigation support service will have a material effect on the financial statements on which an opinion is expressed.
Actions that might be safeguards:
• Using a professional who is not a member of the audit team to perform the service.

40. Firm or network firm provides legal services to an audit client (self-review or advocacy threat).
Factors that are relevant in evaluating the level of the threat:
Acting in an advisory role:
• The materiality of the specific matter in relation to the financial statements of the client.
• The complexity of the legal matter and the degree of judgement required to provide the service.
Acting as General Counsel:
A partner or employee shall not serve as General Counsel for an audit client.
Acting in an advocacy role:
Not allowed when the amounts involved are material to the financial statements on which an opinion is expressed.
Actions that might be safeguards:
Acting in an advisory role:
• Using professionals who are not members of the audit team to provide the service.
• Having an appropriate reviewer who was not involved in providing the service review the audit work or the service performed.


41. Firm or network firm provides recruiting services to an audit client (self-interest, familiarity or intimidation threat).
Factors that are relevant in evaluating the level of the threat:
• The nature of the requested assistance.
• The role of the individual to be recruited.
• Any conflicts of interest or relationships that might exist between the candidates and the firm providing the service.
Recruiting services that are prohibited:
• Acting as a negotiator on the client’s behalf.
• If the service relates to the searching for or seeking out candidates, or undertaking reference checks of prospective candidates with respect to a director or officer of the entity, or a member of senior management in a position to exert significant influence over the accounting records or financial statements.
Actions that might be safeguards:
• Using professionals who are not members of the audit team to provide the service.

42. Firm or network firm provides corporate finance services to an audit client (self-review or advocacy threat).
Factors that are relevant in evaluating the level of the threat:
• The degree of subjectivity involved in determining the appropriate treatment for the outcome or consequence of the corporate finance advice in the financial statements.
• The extent to which the outcome of advice will directly affect amounts recorded in the financial statements and the extent to which the amounts are material to the financial statements.
• Whether the effectiveness of the advice depends on a particular accounting treatment or presentation in the financial statements.
Corporate finance services that are prohibited:
• Services that involve promoting, dealing in, or underwriting the audit client’s shares.
• Advice where the effectiveness of the advice depends on a particular accounting treatment or presentation in the financial statements and the audit team has reasonable doubt as to the appropriateness of the related accounting treatment or presentation, or the outcome of the advice will have a material effect on the financial statements.
Actions that might be safeguards:
• Using professionals who are not members of the audit team to provide the service.
• Having an appropriate reviewer who was not involved in providing the service review the audit work or the service performed.


PART 4B – INDEPENDENCE FOR ASSURANCE ENGAGEMENTS OTHER THAN AUDIT AND REVIEW ENGAGEMENTS

5.22 SECTION 900: APPLYING THE CONCEPTUAL FRAMEWORK TO INDEPENDENCE FOR ASSURANCE ENGAGEMENTS OTHER THAN AUDIT AND REVIEW ENGAGEMENTS

Part 4B addresses independence requirements for assurance engagements that are not audits or reviews of financial statements. Independence requirements for audits and reviews of financial statements are addressed in Part 4A. If an audit or review of financial statements is also performed for the assurance client, then the requirements of Part 4A continue to apply to the firm, network firms and members of the audit and review team.

Independence requires:
• Independence of mind:
The state of mind that permits the provision of a conclusion without being affected by influences that compromise professional judgement, allowing an individual to act with integrity, and exercise objectivity and professional scepticism.
• Independence in appearance:
The avoidance of facts and circumstances that are so significant that a reasonable and informed third party, having knowledge of all relevant information, including safeguards applied, would reasonably conclude that a firm’s, or member of the assurance team’s, integrity, objectivity or professional scepticism had been compromised.

If a firm concludes that a breach of a requirement in this Part has occurred, the firm shall:
• end, suspend or eliminate the interest or relationship that created the breach;
• evaluate the significance of the breach and its impact on the firm’s objectivity and ability to issue the assurance report; and
• determine what action can be taken to satisfactorily address the consequences of the breach.

5.23 SECTION 905–990: APPLICATION OF FRAMEWORK TO SPECIFIC SITUATIONS

The following are examples of threats to independence, factors that might be relevant in evaluating the level of the threat, as well as actions that might be safeguards in ensuring compliance with the fundamental principles, together with considerations with regard to whether the threats are significant or clearly insignificant. In some situations, no action or safeguards can ensure compliance with the fundamental principles, in which case it is indicated as such.

PART 4B: INDEPENDENCE: ENGAGEMENTS OTHER THAN AUDITS AND REVIEW ENGAGEMENTS
THREATS TO INDEPENDENCE | FACTORS THAT MIGHT BE RELEVANT IN EVALUATING THE LEVEL OF THE THREAT | ACTIONS THAT MIGHT BE SAFEGUARDS

1. Total fees generated from an assurance client represent a large portion of the firm’s total fees (Self-interest or intimidation threat).
Factors that might be relevant in evaluating the level of the threat:
• Operating structure of the firm.
• Whether the firm is well established or newly created.
• The significance of the client to the firm.
Actions that might be safeguards:
• Dependency on the client should be reduced by increasing the client base.

2. Fees generated from an assurance client represent a large part of the revenue of an individual partner (Self-interest or intimidation threat).
Factors that might be relevant in evaluating the level of the threat:
Always significant.
Actions that might be safeguards:
• Dependency on the client should be reduced by increasing the client base of the individual partner.
• An additional person that was not a member of the assurance team to review the work done.

3. Fees from an assurance client remain unpaid for a long time (Self-interest threat).
Factors that might be relevant in evaluating the level of the threat:
Always significant.
Actions that might be safeguards:
• An additional person who did not take part in the assurance engagement to provide advice and review the work performed.
• Obtaining partial payment of overdue fees.
• Consider whether the outstanding fees might be regarded as being equivalent to a loan to the client.
• Consider whether it is appropriate to be re-appointed or continue the engagement.

4. Firm charges contingency fees with regard to an assurance engagement (self-interest threat).
Factors that might be relevant in evaluating the level of the threat:
If the fee is in relation to an assurance engagement, the threat is so significant that no safeguard can address or eliminate the threat.
If the fee is charged for a non-assurance engagement to an assurance client, the following factors might be relevant in evaluating the level of the threat:
• the range of possible fee amounts.
• whether an appropriate authority determines the matter upon which the contingency fee will be determined.
• the nature of the service.
• The effect of the transaction or event on the subject matter information.
Actions that might be safeguards:
Regarding contingency fees for a non-assurance engagement:
• Have an appropriate individual review the relevant assurance work.
• Obtaining an advance written agreement with the client on the basis of the remuneration.

5. Actual or threatened litigation between the firm or a member of the assurance team, and the assurance client (self-interest or intimidation threat).
Factors that might be relevant in evaluating the level of the threat:
• The materiality of the litigation.
• Whether the litigation relates to a prior assurance engagement.
Actions that might be safeguards:
• If the litigation involves a member of the assurance team, remove that individual from the team.
• Involve an appropriate individual to review work performed.

6. Holding a financial interest in an assurance client (self-interest threat).
Factors that might be relevant in evaluating the level of the threat:
• The role of the individual holding the financial interest.
• Whether the financial interest is direct or indirect.
• The materiality of the financial interest.
A direct financial interest or a material indirect financial interest in the assurance client shall not be held by:
• The firm; or
• An assurance team member or any of that individual’s immediate family.

7. A firm, partner, or employee of the firm, or a member of that individual’s immediate family receives by way of inheritance, gift or, as a result of a merger, a direct financial interest or a material indirect financial interest in the assurance client.
Factors that might be relevant in evaluating the level of the threat:
Always significant.
Actions that might be safeguards:
• Direct interest: Dispose of the direct interest.
• Indirect interest: Dispose of the indirect financial interest in total or dispose of a sufficient amount so that it is no longer material.
• Remove the individual from the assurance team.

8. Close family member of a member of the assurance team has a direct financial interest or material indirect financial interest in an assurance client (self-interest threat).
Factors that might be relevant in evaluating the level of the threat:
• Nature of relationship between the close family member and the member of the assurance team.
• Whether the financial interest is direct or indirect.
• Materiality of the financial interest to the close family member.
Actions that might be safeguards:
To eliminate the threat:
• Direct interest: Dispose of the direct interest.
• Indirect interest: Dispose of the indirect financial interest in total or dispose of a sufficient amount so that it is no longer material.
• Remove the individual from the assurance team.
To address the threat:
• Have an appropriate reviewer review the work of the member of the assurance team.

9. Firm or member of the assurance team holds a direct financial or indirect material financial interest in the assurance client as a trustee.
Factors that might be relevant in evaluating the level of the threat:
Not to be held unless:
• member of the assurance team, immediate family and firm are not beneficiaries of the trust;
• the interest in the audit client is not material to the trust;
• the trust is not able to exercise significant influence over the assurance client; and
• the trustee, an immediate family member of the trustee, or the firm does not have significant influence over any investment decisions involving a financial interest in the assurance client.

10. Firm or member of the assurance team or immediate family of the member of the assurance team has granted loans to or received loans from the assurance client, or any director or officer of the assurance client.
Factors that might be relevant in evaluating the level of the threat:
Loan or guarantee not to be made unless:
• loan or guarantee is immaterial to the firm/member of the assurance team (or immediate family);
AND
• immaterial to the assurance client, or the director or officer of the client.

11. A loan from, or guarantees thereof by, an assurance client that is a bank, broker or similar institution, to the firm, an assurance team member, or the individual’s immediate family member.
Factors that might be relevant in evaluating the level of the threat:
Not to be received unless given according to normal lending procedures and terms and conditions.
Actions that might be safeguards:
If in terms of normal lending procedures:
Having the work reviewed by an appropriate reviewer who is not an assurance team member, from a network firm that is not a beneficiary of the loan.

12. Firm or member of the assurance team has a commercial or common financial interest in the assurance client or its management. For example, distribution or marketing arrangements under which the firm acts as distributor or marketer of the audit client’s products or services, or the audit client acts as the distributor of the products or services of the firm (self-interest or intimidation threat).
Factors that might be relevant in evaluating the level of the threat:
A firm or an assurance team member shall not have a close business relationship with an assurance client or its management unless:
• financial interest is immaterial; or
• business relationships are insignificant.
Actions that might be safeguards:
Eliminating the threat:
• Remove the individual from the assurance team if significant.
• Terminate the business relationships.
• Reduce the extent of the relationships, so that the relationships are insignificant and the financial interest is immaterial.

13. Firm or member of the assurance team purchases goods and services from an assurance client (self-interest threat).
Factors that might be relevant in evaluating the level of the threat:
Not allowed unless:
• in the normal course of business; or
• on arm’s length basis.
Actions that might be safeguards:
Eliminating the threat:
• Eliminate or reduce the magnitude of the transaction.
• Remove the individual from the assurance team.

14. A member of the assurance team has family and personal relationships with a director, official or employee that can exert a direct and significant influence on the assurance engagement.
Factors that might be relevant in evaluating the level of the threat:
• Individual’s responsibilities in the assurance engagement.
• Role of the family member or other individual within the assurance client.
Actions that might be safeguards:
To eliminate the threat:
• Remove the individual from the assurance team.
15. Immediate family of a member of the assurance team is a director or officer or an employee of the assurance client in a position to exert a direct and significant influence.
Factors that might be relevant in evaluating the level of the threat:
• The position held by the immediate family member.
• The role of the assurance team member.
Actions that might be safeguards:
To eliminate the threat:
• Remove the individual from the assurance team.
To address the threat:
• Structuring the responsibilities of the assurance team so that the assurance team member does not deal with matters that are within the responsibility of the immediate family member.

16. A close family member of the assurance team is a director or officer or an employee of the assurance client, in a position to exert a direct and significant influence. (Self-interest, familiarity or intimidation threat)
Factors that might be relevant in evaluating the level of the threat:
• The position the close family member holds with the client.
• The role of the professional on the assurance team.
• The nature of the relationship between the member of the assurance team and the close family member.
Actions that might be safeguards:
To eliminate the threat:
• Remove the individual from the assurance team.
To address the threat:
• Where possible, structure the responsibilities of the assurance team so that the professional does not deal with matters that are within the responsibilities of the close family member.

17. Partner or employee of the firm which is not a member of the assurance team but has personal and family relationships with a director, officer or an employee of the assurance client that is in a position to exert a direct and significant influence on the subject matter of the assurance engagement.
Factors that might be relevant in evaluating the level of the threat:
• The interaction of the professional person with the assurance team.
• Position held within the firm.
• Role of the individual within the assurance team.
Actions that might be safeguards:
• Structure the partner’s or the employee’s responsibilities to reduce any potential influence over the assurance engagement.
• Having an appropriate reviewer review the relevant assurance work performed.
18. A former official, director or employee of the assurance client serves as a member of the assurance team.
Factors that might be relevant in evaluating the level of the threat:
• Not allowed if the person was an employee at the client during the period that is covered by the assurance report.
• If the person was an employee at the client prior to the period which is covered by the assurance report, the significance depends on the:
  – position that the person held at the client;
  – length of time that has passed since the individual has left the assurance client; and
  – role the individual plays on the assurance team.
Actions that might be safeguards:
To address the threat:
• Having an appropriate reviewer review the relevant assurance work performed.

19. A director, official or employee of the assurance client was a member of the assurance team, and now in a position to exert a direct and significant influence on the subject matter of the assurance engagement.
Factors that might be relevant in evaluating the level of the threat:
• The position that the individual has taken at the assurance client.
• The amount of any involvement that the individual has with the assurance team.
• The length of time that has passed since the individual was a member of the assurance team or firm.
Actions that might be safeguards:
• Assign an assurance team to the subsequent assurance engagement that is of sufficient experience in relation to the individual who has joined the assurance client.
• Modifying the plan for the assurance engagement.
• Quality control review over the assurance engagement.
• The individual is not entitled to any benefits or payments from the firm unless these are made in accordance with fixed pre-determined arrangements; and
• The individual does not continue to participate in the firm’s business and professional activities.
20. A member of the assurance team is planning on joining the assurance client sometime in the future.
• Policies and procedures that require the individual to notify the firm when entering serious employment negotiations.
To eliminate the threat:
• Remove the individual from the assurance engagement.
To address the threat:
• Independent review of the decisions that were made by the individual while on the engagement.

21. A partner or employee of the firm serves as official or director on the board of the assurance client.
Factors that might be relevant in evaluating the level of the threat:
Not allowed.
Actions that might be safeguards:
Refuse to perform the assurance engagement or withdraw from the engagement.

22. Partner or employee of the firm serves as company secretary.
Factors that might be relevant in evaluating the level of the threat:
Not allowed unless:
• practices specifically permitted under local law, professional rules or practice;
• functions are limited to routine work of an administrative nature; or
• management makes all the appropriate decisions.
Actions that might be safeguards:
• Refuse to perform the assurance engagement or withdraw from the engagement.

23. Using the same senior personnel over a long period of time on the assurance engagement.
Factors that might be relevant in evaluating the level of the threat:
• The length of time that the individual has been a member of the assurance team.
• The role of the individual in the assurance team.
• The structure of the firm.
• The nature of the assurance engagement.
• Whether the client’s management team has changed.
Actions that might be safeguards:
To eliminate the threat:
• Rotate the senior personnel off the assurance team.
To address the threat:
• Involve an appropriate reviewer who isn’t a member of the assurance team to review the work.
• Independent internal quality reviews.
• Changing the role of the individual on the assurance team or the nature and extent of the tasks the individual performs.


24. Provision of non-assurance services to assurance clients.
Factors that might be relevant in evaluating the level of the threat:
• The nature, scope and purpose of the service.
• The degree of reliance that will be placed on the outcome of the service as part of the assurance engagement.
• The legal and regulatory environment in which the service is provided.
• Whether the outcome of the service will affect matters reflected in the subject matter or subject matter information.
Actions that might be safeguards:
• Professional staff are prohibited from making any management decisions for the audit client, or assuming responsibility for such decisions.
• Policies regarding the oversight responsibility for provision of non-assurance services by the firm.
• Involve an additional member or associate to advise on the potential impact of the activities on independence of the firm and the assurance team.
• Obtain the audit client’s acknowledgement of responsibility for the results of the work performed by the firm.
• Disclose to the audit committee, the nature of services provided, and the extent of fees charged.
• Make arrangements so that personnel providing non-assurance services do not participate in the assurance engagement.
4
COMPANIES ACT

1. Introduction
2. The Companies Act 71 of 2008
    2.1 Introduction
    2.2 An overview of important aspects of the Companies Act
3. Notes on the financial reporting, auditing and review requirements (Regulations 26–30)
    3.1 Definitions
    3.2 Calculation of public interest score (PIS)
    3.3 Accounting standard to be applied by entities
    3.4 Categories of entities required to be audited
    3.5 Exemptions from audit or review (section 30(2A))
    3.6 Independent review of annual financial statements
4. Guidelines for the distribution of dividends

NOTE: Section 2 on the Companies Act, 2008 deals with the Act issued in May 2011 and the more important sections of the regulations 2011 and all developments affecting it up to June 2021.


1. INTRODUCTION
A sound knowledge of the Companies Act is essential for any professional,
accountant and auditor, whether working in public practice or in commerce and
industry.
This chapter concentrates on the more important sections and is not intended to
be an all-inclusive summary of the Companies Act. Readers are advised to refer
to the relevant sections of the Act and Regulations where they deem it necessary.

2. THE COMPANIES ACT 71 OF 2008


SOURCE REFERENCE:
Companies Act 71 of 2008
Regulations 2011 (gazetted)
Guidance on the provision of non-audit services by the auditor of a company (section 90 of the Companies Act, No 71 of 2008)
SAICA Companies Act guide

2.1 INTRODUCTION
The South African corporate law reform programme was initiated in 2005 by
the Department of Trade and Industry and resulted in short-term amendments
to the Companies Act, 1973, which became effective on 14 December 2007,
and a new Companies Act (71 of 2008, signed by the President on 8 April 2009
and gazetted in the Government Gazette (No 32121)). The new Companies Act
and regulations came into effect on 1 May 2011.
A brief overview of certain sections of the Act and Regulations is provided. The intention is not to cover all sections and all aspects of the Act and Regulations, but to concentrate on the everyday issues a professional person, accountant and auditor will deal with. Readers are further recommended to consult the Act itself regarding specific wording and requirements, and aspects not covered in this section. The Companies Act, 71 of 2008, became effective on 1 May 2011, together with the Regulations of 2011, and replaces Act 61 of 1973. However, all transactions that occurred up to 30 April 2011 will still be under the old Act.
NOTE: Section 2.2, an overview of the Act, should be read together with the
Act itself and the Regulations issued by the Minister.


2.2 AN OVERVIEW OF IMPORTANT ASPECTS OF THE NEW COMPANIES ACT

CHAPTER 1
INTERPRETATIONS, PURPOSE AND APPLICATIONS (sections 1–10)

Section 1: Definitions
Reference should be made to section 1 of the Act for the meanings and definitions of
the terms used in the Act. The following are terms provided for background purposes:
Accounting records: Information in writing or electronic format concerning the financial affairs of the company, and including but not limited to, documents, ledgers, etc., used in the preparation of the financial statements.
All or greater part of the assets or undertaking: In case of assets, more than 50% of the gross assets at fair market value (irrespective of liabilities), or in the case of the company’s undertaking, more than 50% of the value of its entire undertaking, at fair market value.
Audit: The meaning thereof as per the Auditing Profession Act.
Commission: Companies and Intellectual Property Commission (CIPC).
Director: Any director, alternate director or other person occupying such position, by whatever name designated.
Distribution: Transfer of money or property of the company, excluding its own shares, to or for the benefit of the shareholders of the company or another company within the same group, in the form of dividends, capitalisation shares or for consideration of shares bought back (share buybacks). It also includes the incurrence of debt by a company for the benefit of a shareholder, or forgiveness or waiver of a debt owed to the company by a shareholder.
Holding company: A juristic person that controls a subsidiary.
Material: Means ‘significant’ in the circumstances of a particular matter or which might reasonably affect a person’s judgement or decision-making in the matter.
Member: For non-profit companies, a person who holds membership in and has specified rights in respect of the non-profit company.
Memorandum of incorporation (MOI): The document:
– setting out the rights, duties and responsibilities of shareholders, directors and others within/in relation to a company; and
– by which the company is incorporated.
Personal financial interest: A direct material interest of that person, of a financial, monetary or economic nature, or to which such a value may be attributed.
Securities: Any share, debenture or other instrument, irrespective of its title, issued or to be issued by a profit company.
NOTE: It is important to realise that securities are not limited to shares only, but also include debentures, etc., as certain sections of the Act apply not only to shares but to other securities as well (such as sections 44 and 45).
Shareholder: The holder of a share issued by a company and who is entered as such in the certified or uncertified securities register.
State-owned entity: A company listed in schedules 2 or 3 of the Public Finance Management Act, or which is owned by a municipality.
Prescribed officer (see also regulation 38): Despite not being a director, a person who exercises general executive control over and manages the whole, or a significant portion, of the business and activities of the company, or regularly participates to a material degree therein.
NOTE: It is important to identify who the prescribed officers in the company are, as most sections that apply to directors also apply to prescribed officers.
Regulations: The regulations made under the Act (this is set out in the schedule at the back of the Companies Act).
NOTE: The regulations often provide more detail and further administrative requirements as per the sections of the Act. The regulations also have the same status and regulatory power as the Act.

Section 2: Related and inter-related persons and control


An individual is related to another individual if they are married, live together in a relationship similar to marriage, or are separated by no more than two degrees of natural or adopted affinity.
An individual is related to a juristic person if the individual directly or indirectly controls the juristic person.
A juristic person (company, corporation or trust) is related to another juristic person if either of them directly or indirectly controls the other (holding company), is a subsidiary of the other, or if a person directly or indirectly controls both of them (fellow subsidiaries).
Control means:
• having the ability to exercise or control the exercise of a majority of the voting rights; or
• having the right to appoint or control the appointment or election of directors of that company who control a majority of the votes at a meeting of the Board.
NOTE: This definition should be considered where consideration is given to the requirements for transactions (e.g., issuing shares to a person related to a director will require the same authorisation as for a director).

Section 3: Control and subsidiaries


A company will be a subsidiary of another company if that company (holding company) has control as stated above.
NOTE: The Act does not specify when financial statements should be consolidated and the format thereof, but in this regard the provisions of IFRS 10 should be followed (financial statements must be prepared according to the applicable financial reporting framework).

Section 4: Solvency and liquidity test


A company will satisfy the solvency and liquidity test if, at a particular time, and considering all reasonably foreseeable financial circumstances of the company at that time:
• the assets of the company, fairly valued, equal or exceed the liabilities, fairly valued; and
• it appears that the company will be able to pay its debts as they become due in the ordinary course of business for a period of 12 months after the date on which the test is considered, or 12 months after a distribution was made.
Financial information considered in respect of the company must be based on accounting records that are accurate and complete, and financial statements that present fairly the state of affairs according to financial reporting standards.
The Board or any other person applying the liquidity and solvency test must consider a fair valuation of the company’s assets and liabilities, including reasonably foreseeable contingent assets and liabilities.

Sections 5 and 6: General interpretation and other administrative issues


Business days are calculated, excluding the day on which the first event occurred and including the day on which the second event will occur, excluding Saturdays, Sundays, and public holidays.
A court may declare agreements, transactions, or a provision of the company’s memorandum void if it is intended to defeat the object of the provisions of the Act.
Documents to be published (prospectus, notice, disclosure, etc.) should be in the prescribed form and in plain language.
Notices, documents, records, statements, etc., may be retained in electronic format.
Such documents, statements, notices, etc., may also be published or delivered electronically, provided they can be conveniently printed by the recipient within a reasonable time and at a reasonable cost.
NOTE: Such maintenance and publication of information (e.g. financial statements) electronically can lead to significant cost savings and increase the security of information.
A court interpreting or applying the Act may consider foreign company law.
If an inconsistency exists between this Act and another, the provisions of both Acts apply. Where there is an inconsistency and it is not possible to apply both Acts, the following will take preference and prevail:
• Auditing Profession Act, Labour Relations Act, Promotion of Access to Information Act, Promotion of Administrative Justice Act, Public Finance Management Act, Securities Services Act, Banks Act.
• In other cases, the provisions of the Companies Act will prevail.
• If there is a conflict between the listing requirements and this Act, both will apply concurrently, and if not possible, the Companies Act will take preference.

Section 8: Categories of companies


Two types of companies may be formed and incorporated.
A) NON-PROFIT COMPANIES
This is a company:
• incorporated for public benefit, or whose object is related to cultural or social activities or communal or group interests;
• whose income and assets are applied to advance its stated object in the memorandum; and
• which may not, directly or indirectly, transfer any of its assets or pay any of its income to its members or directors (except as reasonable remuneration for services rendered).
NOTE: Schedule 1 provides detailed provisions for non-profit companies, regarding:
• fundamental transactions, such as the disposal of assets;
• winding-up or dissolving of the company;
• requirements relating to members, members’ registers, voting rights, etc.; and
• directors and their appointment.
The normal sections of the Act apply to non-profit companies, except that they do not need a company secretary or audit committee (unless so required by the MOI).


B) PROFIT COMPANIES
A profit company is a company incorporated for the purpose of financial gain for its shareholders (section 1). There are four types of profit companies, namely:
B1: State-owned company
This is a company (section 1) that:
• falls within the meaning of a state-owned enterprise in terms of the Public Finance Management Act; or
• is owned by a municipality.
B2: Private company
A private company:
• is not state owned; and
• through its memorandum of incorporation:
  – prohibits the offering of its securities to the public; and
  – restricts the transferability of its securities.
NOTE: No limitation is placed on the number of shareholders of a private company as was the case under the old Companies Act (the previous limit was 50).
B3: Personal liability company
This is a company that:
• meets the criteria for a private company (its memorandum prohibits the offering of its securities to the public and also restricts the transfer thereof); and
• stipulates in the memorandum of incorporation (MOI) that it is a personal liability company.
NOTE: In terms of section 19(3), the directors and past directors are liable for the company’s debts.
B4: Public company
A profit company that is not a state-owned company, a private company or a personal liability company (section 1).

CHAPTER 2
FORMATION, ADMINISTRATION AND DISSOLUTION OF COMPANIES

Sections 11 and 12: Names


A company name may comprise:
• the words in any of the official languages;
• for profit companies, the registration number, followed by the words (South Africa).
If the memorandum includes any provision restricting or prohibiting the amendment of any provision of the MOI, the name must be followed by the letters “RF”.
A company’s name must end with:
• personal liability company: Incorporated or Inc.
• private company: Proprietary Limited or (Pty) Ltd
• public company: Limited or Ltd
• state-owned company: SOC Ltd
• non-profit company: NPC
Names may be reserved for a period of six months. The Commissioner must reserve any name, unless the name already exists or is registered.

Sections 13 and 14: Incorporation and registration


One or more persons may incorporate a profit company, and three or more persons may incorporate a non-profit company by:
• completing and each signing, in person or by proxy, the MOI; and
• filing a notice of incorporation (NOI).
The Commission may reject the NOI if it is incomplete and will reject it if there are fewer than the required number of directors (at least three for public and non-profit companies, and at least one for private and personal liability companies).
The Commission will assign the company a registration number, endorse the NOI and the MOI, and issue and deliver a registration certificate to the company. The registration certificate is conclusive evidence that all requirements for incorporation have been complied with and that the company is incorporated.
If the name of the company stated in the NOI is already in use, the Commission will register the company under its registration number as the interim name.

Sections 15–18: Memorandum of incorporation (MOI)


Any provision of the MOI that is not consistent with the Act is void.
• The MOI may:
  – include provisions dealing with matters the Act does not address, or alter alterable provisions;
  – impose a higher standard or more onerous provisions than required by the unalterable provisions;
  – contain restrictive conditions for the amendment thereof; and
  – not include provisions that negate, limit or alter the effect of unalterable provisions.
• Rules relating to governance
The Board of a company (except where the MOI provides otherwise) may make, amend or repeal rules relating to the governance of the company not addressed in the Act by publishing a copy of the rules as required by the MOI and filing a copy of the rules with the Commission.
Such rules must be consistent with the Act and the MOI, and if not, are void. The rules take effect 20 days after they have been published, or as specified in the rules, and:
  – are binding on an interim basis until voted on at the next shareholders’ meeting;
  – are permanently binding after shareholders’ ratification thereof.
Any failure to ratify a rule does not affect the validity of anything done in terms of those rules during the period they had an interim effect.
NOTE: Although it is not stated in the Act, shareholders’ consent is needed to change the rules: this is a logical assumption, given the fact that shareholders should ratify such rules before they become permanently binding. This is something that should be addressed in the rules to provide clarity.
The MOI, and any rules of the company, are binding between:
  – the company and its shareholders;
  – the shareholders;
  – the company and its directors; and
  – the company and members of the audit committee or other committee of the Board.
• Shareholders’ agreements (section 15(7))
The shareholders of a company may enter into agreements between themselves, provided such agreements are consistent with the Act and the MOI (otherwise they are void).
The conditions of existing shareholders’ agreements on the effective date will prevail, and where there is a contradiction with the Act, the conditions of the shareholders’ agreement will prevail for the next two years from the effective date, or before that date, if the agreement is changed.
• Amendment of the MOI (section 16)
The MOI can be amended by:
  – a court order;
  – the Board regarding changes made to the company’s shares (changing the authorised shares, their rights, preferences, classifications – section 36(3));
  – a special resolution, if proposed by the Board or shareholders entitled to exercise at least 10% of the voting rights on such a resolution; and
  – any other requirements for amendments that the MOI may provide (specify).
An amendment may be in the form of a new MOI, or alterations thereto, and should be submitted to the Commission together with a notice of amendment (NOA).
The amendment to the MOI takes effect from the date that the Commission accepts the filing of the NOA, or a later date as set in the NOA.
• Model set of MOI
A model set of MOIs is provided in forms 15.1A to 15.1E.
• Transitional arrangements (schedules 4 and 5)
All existing companies should convert their old memorandum and articles into a new MOI within two years of the effective date, this being 1 May 2011 (this should require a special resolution).
NOTE: The Commissioner however issued a practice note (Practice Note 1 of 2012) stating that it is not required of companies to do such conversion within two years anymore. However, if companies need to change any condition in their articles or old memoranda (such as changing the share capital, or changing the quorum requirement for meetings), a new MOI will need to be registered as the old articles and memoranda cannot be amended.
Until such MOI is in place, the conditions of the existing articles and memorandum will prevail (and take preference over the Act, if there is a contradiction with the Act). This will, however, not apply to the following, which will be immediately effective, irrespective of the existing memorandum or articles stipulations:
  – the duties, conduct and responsibilities of directors;
  – the rights of shareholders in terms of the Act to receive notices or have access to information;
  – meetings of shareholders and directors, and adoption of resolutions; and
  – fundamental transactions.

Section 19: Legal status of companies


After incorporation, the company is a juristic person, exists continuously and has all the legal powers and capacity of an individual, except to the extent that the MOI provides otherwise.
A person is not, solely by reason of being a shareholder or director, liable for any of the company’s liabilities or obligations, except as otherwise provided in the Act or the MOI.
The directors and past directors of a personal liability company are jointly and severally liable, together with the company, for any debts and liabilities incurred during their respective terms of office.

Sections 20 and 21: Validity of company’s actions and pre-incorporation contracts


No action of the company is void because the MOI limited or restricted such action, or
because, as a consequence thereof, the directors had no authority to authorise the action.
The above does not apply to legal proceedings between the company and its shareholders,
directors and officers.
An action restricted by the MOI may be ratified by a special resolution (unless it is a
contravention of the Act).
Shareholders, directors, officers of the company or trade unions representing employees
may take action to prevent the company from doing anything inconsistent with the Act.
A shareholder has a claim against any person who fraudulently or recklessly causes
the company to contravene the Act or the restrictions of the MOI.
A person dealing with the company other than a director, officer or shareholder is
entitled to presume that the company has complied in its actions with the Act, its MOI
and any rules of the company, unless the person knew or should have known otherwise.
A person may enter into a pre-incorporation contract on the company’s behalf, and will
be jointly and severally liable with any other person for liabilities created in the contract.
• The Board of the company can, within three months of incorporation, ratify the
  agreement in full, partially or conditionally, or reject it, in which case the liability
  incurred will rest with the signatories thereto. If the Board has not ratified or rejected
  the agreement within three months of incorporation, it will be regarded as
  being ratified by the company.
If a court on application by an interested party finds that the company abused its
juristic personality, the court may declare that the company is not to be deemed to be
a juristic person in terms of its rights, obligations, liabilities, etc.

Section 22: Reckless trading prohibited


A company must not carry on its business recklessly; with gross negligence; with
intent to defraud any person, or for any fraudulent purpose.
If the Commission has reasonable grounds to believe that a company is engaging in
conduct prohibited above or is unable to pay its debts as they fall due in the normal
course of business, the Commission may issue a notice to the company to show cause
why it should be permitted to carry on its business or trade.
If the company fails, within 20 days of the notice, to satisfy the Commission that it is not
engaging in such conduct, the Commission may issue a compliance notice to require
the company to cease carrying on its business or trade.


Section 23: External companies


External companies carrying on business in the Republic (holding shareholders’ or
Board meetings, having offices, bank accounts, property, etc.) must register within
20 days with the Commission.

Sections 24–26: Company records


Documents, books, accounts, etc., must be kept in written form or in a form that allows
the information to be converted into written form (this can be read to imply that
electronic format is allowed).
The records must be kept for at least seven years (or for as long as the company
exists, if less than seven years).
The company must maintain:
• a copy of the MOI and changes thereto, and rules made by the Board regarding
  the governance of the company (indefinite);
• records of its directors (current and past directors for seven years since they
  ceased to be a director):
    • full name and identity number (nationality and passport number if not South
      African), occupation, date of most recent election or appointment; and name
      and registration number of every other company (local and foreign) of which
      he/she is a director;
• copies of the following:
    • reports presented at the annual general meetings for seven years after the
      meeting;
    • annual financial statements for seven years; and
    • accounting records for the current and previous seven years;
• notices and minutes for seven years of:
    • shareholders’ meetings, and resolutions and documents relating thereto; and
    • meetings of directors, director committees and audit committees;
• copies of written communication sent to holders of any class of securities.
Every profit company must also maintain:
• a securities (share) register;
• records of its auditors and company secretary (section 85) if applicable:
    • name and date of appointment of the person; and
    • if a firm is appointed as auditors, the name of the partner.
The above records must be accessible from the company’s registered office – a notice
must be filed of where they are kept, if not at the registered office.
Any securities holder has a right to inspect the above records as well as the register of
members and the register of the directors.


Sections 27 and 28: Financial year and accounting records


Every company must have a financial year (and year end) as specified in the NOI. The
first financial year may not be more than 15 months.
The Board may change the year end, but not more than once during the year, and the
new year end must be later than the date that the notice is filed. The financial year may
also not be more than 15 months.
The company must keep accurate and complete accounting records at or accessible
from the registered office in at least one of the official languages to enable the proper
compilation of financial statements and the conduct of an audit or review as required by the
Act.
The prescribed records should include records of all assets and liabilities, loans to
directors, prescribed officers and employees, liabilities and obligations, property held
in fiduciary capacity, revenue and expenses, and stock.

Section 29: Financial statements


Financial statements must:
• be prepared according to the accounting standards;
• present fairly the state of affairs and business of the entity, and explain the
  transactions and financial position;
• show the assets, liabilities and equity, as well as the entity’s income and expenses;
• disclose the date the statements were produced and the accounting period;
• on the first page state:
    • whether it is audited, reviewed or not; and
    • the name and professional designation of the individual who prepared it or
      supervised the preparation thereof.
Financial statements may not be false, misleading or incomplete, and any person who
is a party to the preparation, approval, dissemination or publication of such statements
is guilty of an offence in terms of section 214(2).
A company may provide a summary of financial statements, provided the first page
states:
• that it is a summary;
• whether the original statements have been audited;
• the name of the person who prepared the original statements; and
• the steps necessary to obtain a copy of the original statements.

Section 30: Annual financial statements


Every company must prepare annual financial statements within six months of its year
end (or shorter period if the annual general meeting is earlier).


NOTE: Also refer to the IRBA guide on Reportable Irregularities (2015), which provides
that annual financial statements must include an auditor’s report if required to be
audited and be approved by the directors. This all should happen within six months of
year end, and, if not, it could result in a Reportable Irregularity.
The annual financial statements must be:
• audited in the case of a public company or state-owned entity;
• in the case of any other profit or non-profit company:
    • audited voluntarily if the company so chooses;
    • audited, if so determined, by the Minister per regulation (if considered to be
      desirable in the public interest – can be based on turnover, size of workforce,
      or nature or extent of activities); and
    • independently reviewed (in the manner prescribed by the Minister in the
      regulations as to the manner, form and procedures for the independent
      review, and the professions whose members may conduct such a review).
Exemption from audit and review (owner-managed entities)
If every person who is a security holder, or has a beneficial interest in the company’s
securities, is also a director of the company, the company will be exempt from the
audit or review requirement, unless it meets the public interest score (PIS) for an audit.
The annual financial statements must include an auditor’s report (if audited) and a
directors’ report and be approved by the Board and signed by an authorised director. They
must also be presented at the first shareholders’ meeting after approval thereof by the
Board.
The financial statements of companies that are required to be audited in terms of the Act
must disclose the following (section 30(4)) for directors and prescribed officers:
• the remuneration and benefits received by each director or prescribed officer;
• amount of pensions paid, or contributions to a pension scheme for current and
  past directors and prescribed officers;
• the amount paid for loss of office of current and past directors and prescribed
  officers;
• the number and class of securities issued to a director or prescribed officer, or
  person related to them, and the consideration received therefor; and
• details of service contracts of current directors or prescribed officers.
NOTE: This means that for private, personal liability and non-profit companies the
disclosure of directors’ and prescribed officers’ remuneration will be required if the
company meets the public interest score for an audit.


The above should be for amounts received from the company or other companies in
the group or related thereto.
Remuneration will include:
• fees for services rendered, as well as amounts paid for accepting office;
• salary, bonuses and performance-related payments;
• expense allowances (for which he/she is not required to account);
• contributions to pension funds;
• the value of options given (past, present and future directors);
• financial assistance received (past, present and future directors) to subscribe for
  shares in the company or inter-related companies; and
• regarding loans or other financial assistance to directors (past, present and future
  directors), the value of any interest deferred, and the difference in value between
  interest actually charged and market-related rates.

Note: Refer to section 3 of this chapter for the accounting, auditing and
review requirements and the calculation of the public interest score.

Section 32: Company names


The name and registration number of the company must be mentioned in all notices
and official publications.

Section 33: Annual returns


Every company must file an annual return, including a copy of the annual financial
statements, if required to be audited.
• Filing of annual returns: this must be filed by every company within 30 business
  days after the anniversary date (date of incorporation).
• Filing of financial statements: every company that is required by the Act or
  Regulation to be audited must file a copy of those audited statements on the date
  that it files its annual return, if the company’s Board has approved those statements
  by that date, or within 20 business days after the Board approves those
  statements, if they had not been approved by the date on which the company
  filed its annual return.
• Filing of accountability supplement: any company that does not file annual
  financial statements as above must file a financial accountability supplement to its
  annual return.
• Process by Commission to review companies filing financial supplements:
  the Commission will establish a system to select and review a sample of financial
  accountability supplements that have been filed with the objective of monitoring
  compliance with the financial record keeping and financial reporting.


Sections 35–40: Company shares


Nature of shares (section 35)
• Shares do not have a nominal or par value.
• A company may not issue shares to itself.
• Authorised shares have no rights until issued.
• Shares bought back or surrendered to the company are deemed to be authorised
  but not issued.
Regulation 31: Par value shares
Companies may not authorise and issue new par value shares after the effective date
of the 2008 Act.
Existing par value shares on the effective date may however remain in existence and
need not be converted.
Companies with existing par value shares may continue to issue authorised but
unissued par value shares up to the authorised share capital amount, if there are
shares already in issue at the effective date.
A special resolution will be required for conversion of par value into no-par value
shares.
Authorised shares
• Memorandum of incorporation (MOI) (section 36)
  1. The MOI must set out the authorised share capital (classes of shares and
     number):
     For each class of classified shares:
       • the designation;
       • preferences, rights, limitations and other terms for that class; and
       • shares without rights, to be determined by the Board in the future (may not
         be issued until the Board has assigned rights thereto).
     For authorised unclassified shares (shares that are subject to classification by
     the Board): the number thereof.
  2. Changing of the share capital: MOI
     The authorisation, class, number, rights, etc. of shares may be changed by:
       • amending the MOI by special resolution (any amendment); or
       • the Board (except if the MOI provides otherwise) regarding:
           – increasing or decreasing the number of authorised shares of any class;
           – reclassifying any unclassified shares; and
           – determining any preference rights, limitations for that class of shares
             without rights specified.
A notice of amendment (NOA) of the memorandum must be filed, setting out the
changes effected by the Board.


Rights of shares (section 37)


• All the shares of the same class have the same rights.
• Each share has one voting right, except to the extent otherwise provided in the
  MOI (e.g. preference shares’ voting rights can be excluded).
• Despite any restriction on voting in the MOI, every share issued has an irrevocable
  right of the shareholder to vote on any proposal affecting the rights or preferences
  of that share.
• Redeemable or convertible shares may be created and issued (section 37(5)).
The MOI may, for any class of shares, establish the following:
• special, conditional or limited voting rights;
• provide for shares to be redeemable or convertible, as set out in the MOI (how,
  price, terms, etc.);
• entitle shareholders to distributions calculated in any manner, including dividends
  that may be cumulative or partly cumulative; and
• provide for shares of a class to have preference over any other class with respect
  to distribution, or rights upon liquidation.
This can be illustrated as follows:
Authorisation of shares (sections 36 and 37)

• Authorised shares:
    • Classified: rights attached
    • Unclassified: no rights attached
• Unauthorised shares: only authorised by special resolution – change of MOI

Directors may (should MOI allow):
• increase or decrease number of shares
• reclassify any classified shares
• classify any unclassified shares
• determine preference right limitations


Issue of shares (section 38)


• The directors may issue authorised shares (directors’ resolutions).
• Unauthorised shares may be issued, provided this is authorised or retroactively
  authorised (by special resolution through amending the MOI):
    • If authorisation is not obtained, the share is nullified, and the proceeds must
      be returned to the shareholders.
Issue of shares by a private company (section 39)
A private company or personal liability company may not issue shares, unless:
• each shareholder has the right to subscribe within a reasonable time for a percentage
  of the shares to be issued equal to the voting power of the shareholder
  before it is offered to any other person; and
• further restrictions may be added by the MOI.
The above does not apply for shares issued in terms of options or conversion rights
(section 39(b)(1)(aa)), capitalisation shares (section 39(b)(ii)) or shares for future services
or for an instrument not negotiable by the company (section 39(b)(i)(bb)).
The shareholder may subscribe for fewer shares than he/she is entitled to, and those
shares not subscribed to may be offered within a reasonable time to other persons as
permitted by the MOI.
NOTE: The above applies only to the issue of shares, and not the sale of shares,
which is an aspect that should be considered to be incorporated into the
MOI by the shareholders.
Consideration for shares (section 40)
The Board may issue authorised shares:
• for adequate consideration as determined by the Board;
• in terms of the conversion rights associated with the securities; or
• as capitalisation shares.
The directors determine the consideration to be received for the shares, and the
determination thereof (amount) may not be challenged on any basis, except if the
directors did not comply with their fiduciary duties in doing this.
The shares issued are fully paid-up shares and must be recorded in the securities
register.
If the consideration received for the shares is in the form of a financial instrument,
but the instrument is not negotiable, or if the shares are issued as consideration for
future services, future payments or future benefits, such shares must be held in trust,
do not carry voting rights, and may not be issued until such time as the instrument
becomes negotiable, or the benefits have been received for the services, etc.
(sections 40(5)–40(7)).


Section 41: Shareholders’ approval for the issuing of shares to directors or related persons


(1) A special resolution of shareholders is required for the issuing of shares, securities
    convertible into shares, or options for such shares or securities when issued
    to:
    • a director, future director or prescribed officer;
    • a person related or inter-related to such director or prescribed officer; or
    • a nominee of such person.
    NOTE: (1) A future director or prescribed officer is a person becoming a director
              or officer within six months of acquiring the securities.
          (2) A related person or inter-related company is defined in section 2 as:
              • a person who is married to, or lives together in a relationship
                similar to marriage, or a person related within two degrees of
                natural or adopted affinity; or
              • if such a person controls a juristic person, directly or indirectly,
                or is controlled by such a person (section 2(1)(a–c)).
    The above authorisation is not required if the shares or securities are issued
    (exceptions):
    • in terms of an underwriting agreement;
    • in terms of pre-emptive rights;
    • in proportion to existing holdings and on the same terms and conditions as
      to all other shareholders;
    • in terms of an approved employee share scheme (section 97(1)); or
    • in terms of a general offer to the public.
(2) A special resolution is also required for the issue of shares, or securities convertible
    to shares that represent 30% or more of the voting power of the class of
    share before issue. (This applies to a single issue or a series of integrated
    transactions.)
(3) A director will incur liability under the Act if he/she was present at a meeting
    where the issue was approved and failed to vote against it if contrary to the Act’s
    requirements.

Section 42: Option for securities


A company may issue options for the allotment or subscription of authorised shares or
securities.
The Board determines the consideration for such options.
The decision of the Board to issue the options is also authorisation for the actual issue
of the shares when exercised.


This can be illustrated as follows:

• Issues to shareholders: directors’ approval
• Issues to directors (or outsiders representing >30% of voting rights): special resolution

Section 43: Securities other than shares (e.g. debentures)


The directors may authorise the company to issue secured or unsecured debentures
(except to the extent provided by the MOI).
Except to the extent that the MOI determines otherwise, a debt instrument may grant
special privileges to its holders, such as attending and voting at general meetings of
directors.
Every security document must indicate whether it is secured or not.
A director, officer or related person may not be appointed as trustee for the holders of
such debt instruments.
Any provision in a trust deed of security holders is void if it exempts a trustee from liability
for breach of trust, or for failing to exercise the degree of care and skill required.

Section 44: Financial assistance for subscription of securities


The requirements for providing financial assistance (loans, guarantees, provision of
security or otherwise) to any person for the purpose of, or in connection with, the
subscription for any option or any security (share, debenture, etc.):
• issued or to be issued by the company;
• an inter-related company (e.g. a holding company or subsidiary); or
• inter-related companies (fellow subsidiaries in a group),
require:
• authorisation by a special resolution of the shareholders, adopted within the
  previous two years of the issue;
• for the Board to be satisfied that immediately after providing the financial assistance,
  the company would satisfy the solvency and liquidity test;
• that the terms of providing the assistance are fair and reasonable to the company;
  and
• that the conditions, if any, of the MOI have been adhered to.
Once the above conditions have been met, the directors can authorise the providing of
the financial assistance (provided it is done within two years of the special resolution).
This does not apply to assistance provided in the ordinary course of business as a
moneylender, or in terms of an employee share scheme.


Financial assistance provided contrary to:
• the above requirements; or
• the conditions (if any) of the MOI,
is void, and any director who was present at a meeting when the Board approved it, and
failed to vote against it, will incur liability under the Act.
NOTE: (1) This section now allows the directors to provide financial assistance
(directors’ authorisation), provided it was approved by the shareholders
within the previous two years.
(2) The requirements now also apply to assistance to subsidiaries and fellow
subsidiaries (previously only for the company and holding company).

Section 45: Loans or other financial assistance to directors (or to related or inter-related companies)


A company may, unless the MOI provides otherwise, and subject to specific conditions
therein, grant a loan, secure a debt or obligation, or otherwise provide direct or
indirect financial assistance to:
• a director or prescribed officer (the individual director or officer) of the company
  or related or inter-related company (holding company, subsidiary or fellow subsidiary),
  or an entity controlled by a director or officer of the company, holding
  company, subsidiaries or fellow subsidiaries; or
• a related or inter-related company or corporation (intercompany assistance),
if the board is satisfied that (conditions):
• immediately after having given the assistance, the company would be in compliance
  with the solvency and liquidity test; and
• the terms under which the assistance is proposed to be given are fair and reasonable
  to the company.
The financial assistance must be pursuant to either (authorisation):
• an employee share scheme (section 97); or
• a special resolution of the shareholders given within the previous two years that
  had approved such assistance, either for the specific recipient, or generally for a
  category of potential recipients, and the specific recipient falls within that category.
A resolution by the board to provide financial assistance, or an agreement with respect
to the provision of any such assistance, is void to the extent that the provision of that
assistance is inconsistent with section 45 or with a provision of the MOI.
The above is not required for:
• lending money, guaranteeing a loan or securing a debt by a company whose
  main business is money-lending;
• an accountable advance to meet legal expenses concerning the company or
  other anticipated expenses incurred on the company’s behalf;
• an amount to cover the person’s expenses for removal as director or officer at the
  company’s request.
The company must provide a written notice of the resolution to all shareholders (unless
every shareholder is a director) and trade unions representing employees:
• within ten days of the resolution if it exceeds 1/10 of 1% of the company’s net
  worth at the time of the resolution; or
• otherwise within 30 days after year end.
NOTE: This section applies to loans to directors, or to inter-company loans.
Authorisation will be required for every loan made.

Section 46: Distributions must be authorised by the board


The requirements for a distribution are that:
• it is made based on:
    • a court order; or
    • a directors’ resolution authorising the distribution;
• the company satisfies the liquidity and solvency test immediately after the
  distribution; and
• the company, through a directors’ resolution, acknowledges that it will satisfy the
  liquidity and solvency test immediately after the distribution.
If the distribution is not made within 120 days of the Board’s resolution, court order or
legal obligation, the Board must reconsider the solvency and liquidity test, and may
not continue with the distribution until a new directors’ resolution has been taken to the
relevant effect.
If the company cannot comply with the court order because of the liquidity and solvency
position, it may apply to court to change the original order.

Section 47: Capitalisation shares


A company may issue capitalisation shares by resolution of the Board (directors’
resolution).
Capitalisation shares may:
• be issued of one class in respect of shares of another class; and
• if the Board so decides, permit the shareholders to receive a cash payment
  instead of shares, provided the liquidity and solvency test is met (calculated
  based on the assumption that every shareholder elects a cash payment).


Section 48: Company or subsidiary acquiring company’s shares (share buy-back)


A company may acquire its own shares if it is done in terms of (section 46):
• an existing legal obligation, or court order; or
• in other cases:
    • if the Board, by resolution, has authorised the acquisition; and
    • the liquidity and solvency test is satisfied.
Any subsidiary of a company may acquire shares of the (“holding”) company, but:
• all subsidiaries in aggregate may not hold more than 10% of the number of issued
  shares of any class of shares; and
• such shares do not carry voting rights.
There must always be shares in issue, and no acquisition can be done contrary to this.
If shares are acquired and the company is not liquid and solvent, the company may
apply for a court order to reverse the acquisition.
NOTE: The requirement for a share buy-back (by the company or a subsidiary):
• is a directors’ decision (directors’ resolution) for normal buy-backs;
• special resolution if the share buy-back represents more than 5% of the
  issued shares; or
• special resolution if any shares are bought back from a director or prescribed
  officer or person related thereto from the company.

Sections 49–56: Securities registration and transfer


Securities must be either (section 49):
• certified (i.e. have a share certificate); or
• uncertified (i.e. where no certificates are issued and share records are maintained
  by a central securities depository).
Every company must keep a register of issued securities (section 50):
• for uncertified securities, specifying the total number of issued shares for which
  the central depository must maintain a record of the detail of every shareholder,
  as the company’s uncertified register;
• for certified securities, specifying the shareholders’ details (names, addresses,
  number of shares, etc.).
NOTE: • Certified securities have a share certificate (name, number of shares, etc.).
      • Uncertified securities are maintained by a central securities depository
        participant, who must provide the shareholder with a regular statement of
        the uncertified securities held (read sections 52–55 for more on uncertified
        securities).


A beneficial interest in securities exists where a person holds the securities for the
benefit of another (nominee officii). Where securities of public companies are held for
the benefit of another:
• the holder of the beneficial interest must disclose to the company the identity of
  the person for whom the shares are held, and the number and class of shares
  held (section 56); and
• if the company is a regulated company (subject to takeover regulations) it must
  have a register of beneficial interests and publish in the financial statements a list
  of persons holding 5% or more of such interests.

GOVERNANCE OF COMPANIES
(SHAREHOLDERS AND DIRECTORS)

Sections 57–65: Shareholders’ governance


Where all the directors are also shareholders, matters referred to the shareholders by
the Board may be decided on by the shareholders without notice or compliance with
other formalities. The Board may authorise any person to act as its representative at
shareholders’ meetings regarding securities held in companies.
The Board may set a date (record date) for the purpose of determining which shareholders
are entitled to receive notice of meetings, participate in and vote at meetings,
etc., and this may not be more than ten business days before the date of the event
(section 59).
Shareholders can vote on resolutions (section 60):
• at a shareholders’ meeting; or
• in writing (by poll), within 20 business days after the resolution was submitted.
Directors may also be elected by poll.
A statement describing the result of the voting must be delivered to every shareholder
within ten business days of adopting it.
Voting by poll may not be done in respect of any business of a company that is
required by the Act or the MOI to be conducted at the annual general meeting.
Shareholders’ meetings (general meetings) (section 61)
The Board, or persons specified in the MOI (if any) may call a shareholders’ meeting.
The Board must call a shareholders’ meeting:
• if so requested by the holders of at least 10% of the voting rights (the MOI may
  specify a lower percentage); and
• annually as an annual general meeting (AGM).


A company may apply to court to set aside a request for a shareholders’ meeting on
the ground that the demand is frivolous.
Annual general meeting (AGM)
A public company must convene an annual general meeting:
• within 18 months of incorporation; and
• thereafter within 15 months of the previous AGM.
The AGM must, as a minimum, deal with the following business (section 61(8)):
(a) presentation of the:
• directors’ report;
• audited financial statements; and
• audit committee report.
(b) election of directors.
(c) appointment of:
• an auditor for the ensuing year; and
• an audit committee.
(d) any matters raised by the shareholders (with or without advance notice).
Except if the MOI provides otherwise, the Board may determine the location of the
meeting in the Republic or in a foreign country.
Every shareholders’ meeting of a public company must be reasonably accessible within
the Republic for electronic participation by shareholders.
Notice of meetings (section 62)
Notice of shareholders’ meetings must:
• be given at least 15 business days before the meeting for public or non-profit
  companies, and ten days in other cases;
• be in writing (paper or electronically), and must include:
    • the date, time and place of the meeting;
    • the purpose of the meeting;
    • copies of proposed resolutions;
    • for an AGM, a copy of the financial statements to be presented or a summarised
      form thereof, and directions for obtaining a complete set; and
    • a statement that shareholders may appoint proxies.
When no notice is given, or a defect exists in the information, the meeting may go
ahead, provided the shareholders agree thereto at the meeting.
Conduct of meetings (section 63)
Any person attending a shareholders’ meeting must identify him-/herself and the
company must verify that the person is entitled to vote.

Unless the MOI provides otherwise, notices may be sent electronically and
shareholders’ meetings may be conducted electronically.
Meeting quorum and adjournment (section 64)
A shareholders’ meeting may not begin until (quorum):
● sufficient persons are present to be able to exercise in aggregate 25% of all of the
voting rights in respect of at least one matter (or a lower percentage specified in
the MOI); and
● there are at least three shareholders present at the meeting (if the company has
more than two shareholders).
No matter may be decided upon unless at least 25% of all of the voting rights that are
entitled to be exercised on a matter, are represented at the meeting (or a lower
percentage specified in the MOI).
If a quorum is not present within an hour of the starting time, the meeting is postponed
for a week, or if no quorum is present for a specific matter, it is adjourned for a week. If
at the adjourned or postponed meeting no quorum is present, the members present in
person or by proxy will constitute a quorum.
Shareholders’ resolutions (section 65)
Shareholders’ resolutions can be an ordinary resolution or a special resolution.
The Board may propose shareholders’ resolutions to be voted on (at a meeting or by
written consent).
Two or more shareholders may propose a resolution to be considered:
● at a meeting requested specifically for that purpose;
● at the next shareholders’ meeting; or
● by written vote.
An ordinary resolution requires more than 50% of the voting rights exercised on the
matter, and a special resolution 75% of the voting rights exercised on the matter.
NOTE: The percentage required is that of the votes exercised, and not present (as
under the old Companies Act).
The MOI can increase the percentage to more than 50% (except for the removal of a
director) and lower the percentage to less than 75% for a special resolution but a 10%
differential should always exist between the two.
A special resolution is required for:
● amending the MOI;
● ratifying a consolidated version of the MOI;
● ratifying actions of directors in excess of their capacity;
● approving the issue of shares or options to directors, or to others if it represents
more than 30% of the votes;
● providing financial assistance for the acquisition of company shares;
● authorisation of directors’ loans, and loans to related and inter-related companies
(intercompany loans);
● authorisation of directors’ remuneration;
● approving the winding up or liquidation of the company;
● approving proposed fundamental transactions (takeovers and mergers);
● approving the transfer of a company to a foreign jurisdiction; and
● any other matter as required by the MOI.

Sections 66–78: Directors’ governance


Board, directors and prescribed officers (sections 66–69)
The business and affairs of the company are managed by or under supervision of the
Board, which has the authority to exercise all of the powers and perform any of the
functions of the company, except to the extent excluded by the Act or the MOI.
Minimum number of directors required (except if the MOI specifies a higher number):
● a private or personal liability company: at least one.
● a public or non-profit company: at least three.
NOTE: This is in addition to the minimum number of directors that the company must
have to meet any other requirement of the Act or the MOI to appoint a social
and ethics committee and an audit committee (e.g. all public companies
must have an audit committee of three directors who are not involved in the
day-to-day operations; thus there will need to be at least three such
“non-executive” directors plus the executive directors that will constitute
the board).
The MOI may provide for (section 66):
● the direct appointment and removal of directors by any person so named;
● ex-officio directors; and
● the appointment of alternate directors.
The MOI must provide for at least 50% of the directors to be appointed by the
shareholders.
An ex-officio director (executive director) has the same powers, functions, duties and
liabilities as any other director (except where the MOI restricts certain powers).
The election of a director is a nullity if the person is ineligible or disqualified.
Directors’ remuneration
● Remuneration may be paid to directors for their services as directors (except to
the extent that the MOI provides otherwise); and
● it may only be paid in accordance with a special resolution approved by
shareholders within the previous two years.

Failure to have the minimum number of directors does not limit or negate the
authority of the Board, or invalidate anything done by the Board.
Each incorporator of a company is a first director until the first directors are appointed
(section 67).
The shareholders elect the directors (except those directly appointed and ex-officio directors).
Directors can serve for an indefinite term, or for terms as set out in the MOI (section 68).
The directors can fill vacancies on the Board by appointing a person to serve as a
director on a temporary basis until the vacancy has been filled.
Ineligibility and disqualification of directors or prescribed officers (section 69)
A director includes alternate directors, prescribed officers, Board committee members
and audit committee members.
An ineligible or disqualified person must not be appointed as a director, and the
company should not knowingly permit such a person to serve as a director.
A person who becomes ineligible or disqualified while serving as a director, ceases
immediately to be a director.
A person placed under probation by the court (delinquent director) may not serve as a
director, except as permitted by the court.
The MOI may impose additional grounds for disqualification or ineligibility.
Persons who are ineligible to be a director:
● a juristic person;
● an incapacitated minor, or person under legal disability; and
● a person specified as such in the MOI.
Persons disqualified to be a director:
● a person prohibited by a court to be a director, or declared delinquent;
● an unrehabilitated insolvent;
● a person prohibited by any public regulation to be a director;
● a person removed from office of trust on the grounds of misconduct involving
dishonesty; and
● a person convicted and imprisoned without a fine, or fined for more than the
prescribed amount, for theft, fraud, forgery, perjury or offences involving fraud,
misrepresentation or dishonesty in the management of a company.
The Commission must maintain a register of persons disqualified as directors.

Vacancies on the Board (section 70)


A person ceases to be a director, and a vacancy arises on the Board:
● when the person’s term of office expires (if the MOI provides for fixed terms);
● in any other case if:
• the person resigns or dies;
• an ex-officio director ceases to hold the office;
• a person becomes incapacitated to the extent that he/she is unable to perform
the functions of a director;
• the person is declared delinquent, or is placed under probation by a court;
• the person became ineligible or disqualified in terms of section 71(3); or
• the person is removed by a resolution of the Board, the shareholders or a
court order.
A vacancy on the Board can be filled:
● by a new appointment (as per MOI); or
● through election at the next AGM.
If the company is not required to have an AGM (private and personal liability
companies), the vacancy must be filled within six months at a shareholders’ meeting,
or by means of a poll.
Every company must file a notice within ten business days after a person becomes or
ceases to be a director.
Removal of directors (section 71)
Despite anything in the MOI, rules, or agreement, a director may be removed by an
ordinary shareholders’ resolution.
Where a company has more than two directors, and a director or shareholder alleges
that a director is ineligible, incapacitated or has neglected the functions of a director:
● the Board, other than the director concerned, must consider and determine the
matter on resolution, and may remove a director.
The director, or person who appointed the director, may apply to court to review the
decision. Any director, who voted otherwise on the decision, can apply to court to
review the decision.
The director concerned must be given notice of the meeting, and a reasonable
opportunity to make a presentation at the meeting, before a resolution to remove
him/her is taken.
Board committees (section 72)
Except to the extent that the MOI provides otherwise, the Board may appoint a number
of committees of directors and delegate any authority of the Board thereto.

Except to the extent that the MOI or rules determine otherwise, the committee:
● may include persons who are not directors (co-opt members) provided they are
not disqualified as directors, and no such person may vote on a committee matter;
● may consult or receive advice from any person; and
● has the full authority of the Board in respect of a matter referred.
The creation of a committee and delegation of power thereto do not alone satisfy or
constitute compliance by a director with the required duties of care and skill as per
section 76.
The Minister may by regulation prescribe that a company or category of companies
has a social and ethics committee, if it is considered desirable in the public interest.
Regulation 43 requires that a Social and Ethics committee should be established
within 12 months from the effective date, for all listed public companies, state-owned
entities and any other company with a public interest score greater than 500. The
committee should comprise at least three directors or prescribed officers, of which at
least one should be a director who is not involved in the day-to-day management of
the business, nor has been so for at least the last three years (non-executive director).
The committee should:
● monitor the company’s activities in regard to relevant legislation, other legal
requirements, and codes relating to:
• social and economic development;
• corporate citizenship; and
• the environment, health, public safety, and the impact of the company’s products
and services;
● draw matters to the board’s attention; and
● report to the shareholders at the AGM on the matters within its mandate.
Board meetings (sections 73–74)
A director may call a Board meeting at any time, and a board meeting must be called
if so requested by 25% of the directors if there are at least 12 directors, or two
directors in other cases (the MOI may specify a higher or lower percentage).
A Board meeting may be conducted electronically or certain directors may participate
electronically, as long as all persons are able to participate in the meeting.
Except where the MOI provides otherwise:
● the meeting may proceed if all directors agree thereto, where the company has
failed to give notice of the meeting, or where there was a defect therein;
● a majority of directors must be present before a vote may be called;
● each director has one vote; and
● matters are decided by a majority vote, and in the case of a tied vote, the chair
has the deciding vote.
Minutes must be kept of Board meetings, resolutions taken, and directors’ interests
disclosed.
Resolutions must be dated and numbered, and are effective as of the date of the
resolution, unless stated otherwise. Minutes of meetings or a resolution signed by the
chair, are evidence of the proceedings of the meeting.
Except if the MOI determines otherwise, directors’ decisions can be adopted by
written consent.
Directors’ personal financial interests (section 75)
A director includes an alternate director, a prescribed officer, or a person who is a
member of a committee of a Board of a company, irrespective of whether the person is
also a Board member.
A director may disclose any personal financial interest in advance, by delivering to the
Board a notice setting out the nature and extent of the interest, to be used generally
until changed or withdrawn.
A director with a personal financial interest in a matter to be considered at a Board
meeting:
● must disclose the interest and its general nature before the matter is considered;
● must disclose to the meeting any material information relating thereto;
● may disclose observations or pertinent insights thereto;
● must leave the meeting after making the disclosure;
● may not take part in the consideration (vote) of the matter;
● while absent from the meeting:
• forms part of the quorum of the meeting for the purpose of determining whether
sufficient directors are present;
• is not considered as being present for the purpose of determining whether the
resolution has sufficient support to be adopted; and
● must not execute any document on behalf of the Board regarding the matter,
unless requested by the Board to do so.
If a director acquires an interest after a matter has been decided by the Board, the
director must disclose the nature and extent of the interest to the Board.
A decision, transaction or agreement in which a director has a personal financial
interest is valid if:
● it was approved by the Board (after the interest has been disclosed, etc.);
● it has been ratified by the shareholders; or
● a court has declared the transaction valid.

Where a company has only one director but other shareholders, a matter in which the
director has a personal financial interest must be approved by the shareholders.
Standards of directors’ conduct (section 76)
A director of a company must:
● not use the position of director, or information obtained while acting as a director,
to gain an advantage for him/herself or another person other than the company or
wholly-owned subsidiary;
● not knowingly cause harm to the company or a subsidiary; and
● communicate to the Board, as soon as practicably possible, information that
comes to the director’s attention.
A director must exercise the powers and perform the functions of a director:
● in good faith;
● in the best interest of the company; and
● with the degree of care, skill and experience that may be reasonably expected of
a like person in a similar position.
A director will meet the above obligation if he/she:
● has taken reasonably diligent steps to become informed about the matter;
● has no personal financial interest in the matter, or has disclosed the interest; and
● made a decision or supported a decision of a committee of the Board, on a rational
basis.
A director is entitled to rely on the information obtained and responsibilities performed
by:
● one or more employees;
● legal counsel, accountants, other professional persons; or
● a committee of the Board of which the director is not a member, unless the director
has reason to believe the actions of the committee do not merit reliance.
Liability of directors (section 77)
A director may be held liable:
● in accordance with the principles of the common law relating to a breach of
fiduciary duties or relating to delict (conflict of interest, care, skill and diligence)
for loss, damage or costs sustained by the company; and
● in terms of the Companies Act for:
• acting in the name of the company without the authority to do so;
• taking part in the carrying on of the business being conducted recklessly or
under insolvent conditions;

• being a party to an act or omission of the company intended to defraud a
creditor, employee or shareholders, or for fraudulent purposes;
• signing, consenting to or authorising the publication of financial statements
that are false or misleading in a material respect, or a prospectus containing
untrue statements; and
• being present at a meeting and failing to vote against:
– the issuing of unauthorised shares (section 36);
– the issuing of shares to directors without approval of a special resolution
(section 41);
– the granting of options for unauthorised shares (section 42(4));
– providing loans to directors not approved by a special resolution
(section 45(6));
– the approval of a distribution when the liquidity and solvency test has not
been met (section 46(4));
– the acquisition of company shares when the liquidity and solvency test has
not been met (sections 46 and 48); and
– the allotment of shares contrary to the stated requirements
(section 109(1)).
The liability of a person is joint and several with any other person who is or may be
held liable.
Proceedings to recover losses, damages, etc., may not be commenced more than
three years after the act or omission (prescription).

Indemnification of directors and insurance (section 78)


Any provision of the MOI, agreement, or rules of the company is void if it relieves a
director from the fiduciary and statutory duties of sections 75 to 77 or limits a director’s
liability.
A company may not pay a fine imposed on a director of the company or related
company.
The company may advance expenses to a director to defend litigation or indemnify a
director for expenses if the litigation is abandoned or the director is exculpated.
The company may take out insurance to protect the director or company against
liability or costs.

Sections 79–84: Winding up solvent companies


A company may be wound up:
● voluntarily by special resolution; or
● by a court order.

The company ceases to exist and is dissolved as of the date its name is removed from
the company register.
Any liability of a former director or shareholder is not affected by the dissolution.
(Refer to sections 79–84 for details on the winding-up process if necessary.)

CHAPTER 3
ACCOUNTABILITY AND TRANSPARENCY

General requirements (sections 84–85)


Every public company and state-owned entity must comply in full with sections 84 to
94 regarding:
● a company secretary;
● an auditor; and
● an audit committee (section 84(4)).
Every private, non-profit and personal liability company must:
● if required by the Act or regulations to be audited, comply with sections 90 to 93
regarding the statutory audit, but need not appoint a company secretary or
audit committee; and
● comply with the requirements of sections 86 to 94 to the extent so required by the
company in its MOI.
If the directors fail to make an appointment as required above, the Commission may
call a shareholders’ meeting to make such an appointment.
Every public company must maintain a record of its secretaries and auditors
(section 85) stating:
● the name and date of appointment; and
● if a firm is appointed:
• the name;
• registration number;
• office address; and
• the name of the audit partner.

Company secretary (sections 86–89)


Every public company and state-owned company must have a company secretary. A
juristic person may also be appointed as secretary.
A company secretary’s duties include, but are not restricted to:
● providing the directors of the company collectively and individually with guidance
as to their duties, responsibilities and powers;
● making the directors aware of laws relevant to or affecting the company;
● reporting to the company’s Board any failure on the part of the company or a
director to comply with the MOI or rules of the company or this Act;
● ensuring that minutes of all shareholders’ meetings, Board meetings and meetings
of any committees of the directors, or of the company’s audit committee, are
properly recorded in accordance with this Act;
● certifying in the company’s annual financial statements whether the company has
filed the required returns and notices in terms of this Act, and whether all such
returns and notices appear to be true, correct and up to date;
● ensuring that a copy of the company’s annual financial statements is sent, in
accordance with this Act, to every person who is entitled to it; and
● carrying out the functions of a person designated in terms of section 33(3).
A company secretary may resign at any time with one month’s notice.
If a company secretary is removed by the Board, the secretary may require the
company to include a statement in the annual financial statements setting out the
secretary’s contention to the removal.

Auditors (sections 90–93)


Appointment of the auditor (section 90)
Upon its incorporation, and each year at its annual general meeting, a public company
or state-owned company must appoint an auditor. The appointed auditor will hold
office until the next annual general meeting.
In order to qualify for appointment as auditor, the person or firm must:
● be a registered auditor;
● not be disqualified from acting as the auditor, that is, not being:
(i) a director or prescribed officer of the company;
(ii) an employee or consultant of the company who was, or has been engaged
for more than one year to maintain the company’s accounting records or
prepare the financial statements;
(iii) a director, officer or employee of the person appointed as company
secretary;
(iv) a person who, alone or with a partner or employees, habitually or regularly
performs the duties of accountant or bookkeeper, or performs secretarial
work for the company;
(v) a person who, at any time during the five financial years immediately
preceding the appointment, was a person contemplated in (i) to (iv) above;
(vi) a person related to a person in (i) to (v) above.

● be acceptable to the company’s audit committee as being independent. In this
regard, the audit committee should ensure that the auditor did not receive any
direct or indirect benefit from the company, except remuneration as auditor, and
for the rendering of other non-audit services as approved by the audit committee.
NOTE: The firm is disqualified from acting as auditor (and not only the partner) if any
of the above disqualifications exist. This will be enforced by IRBA and CIPC
as from 1 January 2014 and will only apply prospectively.
The IRBA and SAICA guideline document issued in 2015 provides guidance
on when and what actions will be regarded as secretarial, accounting or
bookkeeping functions which are disqualified.
The IRBA Rule published in Government Gazette Number 39475 dated
4 December 2015 requires auditors to report their tenure in their audit report,
that is, the number of years the firm has been the auditor of the company.
If the company did not appoint an auditor when it registered the MOI, the directors
have to appoint the first auditor within 40 business days after incorporation of the
company. The first appointed auditor will hold office until the first annual general
meeting of the company.
A retiring auditor may be automatically reappointed at the annual general meeting
without a resolution passed to the effect, unless any of the following circumstances
exist:
● the auditor no longer qualifies for appointment, or is unwilling to accept the
appointment;
● the audit committee objects to the appointment; or
● the company gave notice of its intent to appoint another auditor.
If no appointment of an auditor has been made at the annual general meeting, the
directors have to appoint an auditor within 40 business days of the annual general
meeting.
Resignation of an auditor and vacancies (section 91)
The auditor may resign at any time by giving one month’s notice (or less than one
month with the Board’s approval) to the company.
The resignation of the auditor is effective when the notice is filed. The directors of the
company have to, within 40 business days, appoint a new auditor if there was only one
incumbent auditor, and may appoint a new auditor at any time if there was more than
one auditor (while such a vacancy exists, the surviving or continuing auditor may act
as auditor).
Before any appointment as auditor is made, the Board must propose to the audit
committee, within 15 business days after the vacancy, the name of at least one
registered auditor to be considered as auditor, and may go ahead with the
appointment if the audit committee does not object thereto within five business days
after delivering the proposal.

Rotation of auditors (section 92)


The same individual may not serve as designated auditor for longer than five years.
Such individual may also not be reappointed as auditor within two years of rotation
thereafter.
NOTE: The Code of Professional Conduct’s requirements for rotation every seven
years of auditors for public interest entities should also be considered.
The auditor’s rights (section 93)
The auditor has the right of access to all accounting records, books and documents of
the company as well as to obtaining information and explanations from the directors
and officers of the company as he/she deems necessary to perform his/her duties as
the auditor.
The auditor of a holding company has the right of access to current and previous
financial statements of subsidiaries, as well as to obtaining information and
explanations from the directors and officers of the subsidiary and holding companies
as considered necessary to perform his/her task.
The auditor also has the right to attend any shareholders’ meeting of the company, be
heard at any shareholders’ meeting, and to receive all notices and other
communications sent to the members of the company regarding the respective meeting.
An auditor may apply to court to enforce the above rights.
NOTE: In terms of the IRBA Rule published in the Government Gazette No 39475 of
2015, it is now mandatory for all auditor’s reports on annual financial
statements to disclose the number of years that the audit firm has been the
auditor of the entity (audit tenure). This will include tenure where there have
been mergers or other combinations of firms.
The requirement is for all public interest entities as prescribed by IRBA and the
Companies Act (note that currently there is no definition for public interest
entities in the Companies Act, as the public interest score does not define
public interest entities).
Audit committees (section 94)
At each annual general meeting, a public company or state-owned company, or other
company that has voluntarily decided to have an audit committee, must elect an audit
committee comprising at least three members, unless:
(a) the company is a subsidiary of another company that has an audit committee;
and
(b) the audit committee of that other company will perform the functions required
under this section on behalf of that subsidiary company.
The first members of the audit committee may be appointed by:
● the incorporators of a company; or
● the Board, within 40 business days after the incorporation of the company.

Each member of an audit committee of a company must:
● be a director of the company who satisfies any applicable requirements
prescribed in terms of subsection (5) (qualifications);
● not be:
• involved in the day-to-day management of the company’s business or have
been so involved at any time during the previous financial year;
• a prescribed officer, or full-time employee, of the company or another related
or inter-related company, or have been such an officer or employee at any
time during the previous three financial years; or
• a material supplier or customer of the company, such that a reasonable and
informed third party would conclude in the circumstances that the integrity,
impartiality or objectivity of that director is compromised by that relationship;
and
● not be related to any person who falls within any of the criteria set out above.
The Minister may prescribe minimum qualification requirements for members of an
audit committee as necessary to ensure that any such committee, taken as a whole,
comprises persons with adequate relevant knowledge and experience to equip the
committee to perform its functions. Regulation 42 requires that at least one third of the
members should have qualifications or experience in economics, law, corporate
governance, finance, accounting, commerce, industry, public affairs or human
resource (this is questionable, as no financial experience and expertise requirement
was set).
The Board of a company must appoint a person to fill any vacancy on the audit
committee within 40 business days after the vacancy arises.
An audit committee of a company has the following duties:
● nominate, for appointment as auditor of the company under section 90, a
registered auditor who, in the opinion of the audit committee, is independent of
the company;
● determine the fees to be paid to the auditor and the auditor’s terms of
engagement;
● ensure that the appointment of the auditor complies with the provisions of this Act
and any other legislation relating to the appointment of auditors;
● determine the nature and extent of any non-audit services that the auditor may
provide to the company, or that the auditor must not provide to the company, or a
related company;
● pre-approve any proposed agreement with the auditor for the provision of
non-audit services to the company;
● prepare a report, to be included in the annual financial statements for that
financial year:
• describing how the audit committee carried out its functions;
• stating whether the audit committee is satisfied that the auditor was
independent of the company; and
• commenting in any way the committee considers appropriate on the financial
statements, the accounting practices and the internal financial control of the
company;
● receive and deal appropriately with any concerns or complaints, whether from
within or outside the company, or on its own initiative, relating to:
• the accounting practices and internal audit of the company;
• the content or auditing of the company’s financial statements;
• the internal financial controls of the company; or
• any related matter;
● make submissions to the Board on any matter concerning the company’s
accounting policies, financial control, records and reporting; and
● perform other such functions as determined by the Board.
In considering whether a registered auditor is independent of a company, the audit
committee of that company must:
● ascertain that the auditor does not receive any direct or indirect remuneration or
other benefit from the company, except in his/her capacity as auditor or for
rendering other services to the company, to the extent permitted above;
● consider whether the auditor’s independence may have been prejudiced:
• as a result of any previous appointment as auditor; or
• having regard to the extent of any consultancy, advisory or other work
undertaken by the auditor for the company; and
● consider compliance with other criteria relating to independence or conflict of
interest as prescribed by the Independent Regulatory Board for Auditors
established by the Auditing Profession Act, in relation to the company, and if the
company is a member of a group of companies, any other company within that
group.
Nothing in this section precludes the appointment by a public company at its annual
general meeting of an auditor other than one nominated by the audit committee, but if
such an auditor is appointed, the appointment is valid only if the audit committee is
satisfied that the proposed auditor is independent of the company.
Neither the appointment nor the duties of an audit committee reduce the functions and
duties of the Board or the directors of the company, except with respect to the
appointment, fees and terms of engagement of the auditor.
A company must pay all expenses reasonably incurred by its audit committee,
including, if the audit committee considers it appropriate, the fees of any consultant or
specialist engaged by the audit committee to assist it in the performance of its
functions.

CHAPTER 4
PUBLIC OFFERINGS OF SECURITIES (sections 95–111)
This chapter deals with company securities offered to the public. For detailed
information on the specific requirements, stipulations, etc., reference should be made
to the Act itself.
• Securities: The definition attributed thereto in terms of section 1 of the Security
Services Act (shares, debentures, etc.).
• No person may offer securities to the public for subscription (initial public offering
or primary offer) unless it is accompanied by a prospectus.
• No person may offer securities for sale (secondary offer) unless it is accompanied
by a prospectus. (This does not apply to the sale of shares listed on an
exchange.)
• The prospectus must contain all the information that an investor may reasonably
require to assess the assets and liabilities, financial position, profits and losses,
cash flow and prospects of the company.
• No persons may be named in the prospectus (e.g. directors and experts), unless
they gave consent thereto.
• Every person who is a director, or consented to be named as a director, a
promoter, and a person who authorised the prospectus, will be liable to compensate
persons suffering losses, who acquired shares based on a prospectus containing
untrue statements.
• Experts and others who consented to be named in the prospectus will be liable for
untrue statements included in the prospectus.
• No securities may be allotted after four months of filing the prospectus or if the
application has not been made on the application form accompanied by a
prospectus.
Certain offers are not considered to be public offerings, and so, do not require a
prospectus (section 96), for example, non-renounceable offers to existing securities
holders, rights offers, offers to directors, to share schemes, etc.

CHAPTER 5
FUNDAMENTAL TRANSACTIONS, TAKEOVERS AND OFFERS
(sections 112–127)
This chapter deals with certain fundamental transactions and the stipulations for
takeover offers and arrangements. Where necessary, reference should be made to the
Act for the details on these sections.
NOTE: Documents required to be sent to shareholders for noting and approval
need to be submitted to CIPC first for approval (Regulation 117).


Proposals to dispose of all or greater part of assets or undertaking (section 112)


This section does not apply to a proposal to dispose of all or the greater part of the
assets or undertaking of a company, if that disposal would constitute a transaction that
is pursuant to or contemplated in a business rescue plan adopted between a
wholly-owned subsidiary and its holding company; or between or among two or more
wholly-owned subsidiaries of the same holding company; or a wholly-owned subsidiary
of a holding company, on the one hand, and its holding company and one or more
wholly-owned subsidiaries of that holding company, on the other hand.
A company may not dispose of all or the greater part of its assets or undertaking
(based on fair market value) unless the disposal has been approved by a special
resolution of the shareholders.
A notice of a shareholders’ meeting to consider a resolution to approve a disposal
must:
• be delivered within the prescribed time, and in the prescribed manner to each
shareholder of the company; and
• include or be accompanied by a written summary of the precise terms of the
transaction to be considered at the meeting and in a manner that satisfies the
prescribed standards.
Any part of the undertaking or assets of a company to be disposed of, as
contemplated in this section, must be considered at its fair market value as at the
date of the proposal, in accordance with financial reporting standards.
A resolution is effective only to the extent that it authorises or ratifies a specific transaction.
Proposal for amalgamation or mergers (section 113) or a scheme of arrangement
(section 114)
The Board of each affected company must consider whether, upon completion, the
liquidity and solvency test will be satisfied, and the shareholders who are entitled to
vote must approve the arrangement by special resolution (section 115).
Required approval for fundamental transactions (sections 112–114)
A special resolution should approve the transaction, excluding the votes of the
acquiring party.
Court approval will be required if:
• the resolution was opposed by at least 15% of the voting rights; and
• any person who voted against the resolution requires the company to seek court
approval; or
• a court on an application by any person who voted against the resolution, grants
that person leave to apply for review.
Requirement for affected transactions (sections 119–127)
Affected transactions are where a company makes an offer to acquire the prescribed
percentage (35% or more of the voting rights). The core principle is that all parties to
the transaction should be treated equally and fairly, and should be provided with
sufficient information to make informed decisions. (For further details, refer to the Act
itself.)


CHAPTER 6
BUSINESS RESCUE AND COMPROMISE WITH CREDITORS (sections 128–155)
The section on business rescue proceedings in the Companies Act is new and
introduces measures that did not exist before.
Business rescue involves proceedings to facilitate the rehabilitation of a company that
is in financial distress (i.e. where it appears to be reasonably unlikely that the company
will be able to pay all of its debts as they fall due within the next six months, or it
appears reasonably likely that the company will become insolvent within six months).
Business rescue provides for:
• the temporary supervision of the company and of the management of its affairs,
business and property;
• a temporary moratorium on the rights of claimants against the company or in
respect of property in its possession; and
• the development and implementation, if approved, of a plan to rescue the
company by restructuring its affairs, business, property, debt and other liabilities and
equity in a manner that maximises the likelihood of the company continuing in
existence on a solvent basis, or if not possible to continue in existence, results in a
better return for the company’s creditors and shareholders.
Business rescue proceedings can be initiated by the Board of a company that is
financially distressed if there appear to be reasonable grounds to rescue the company
(voluntary business rescue). Within five days of adopting and filing a resolution, the
Board must publish a notice of the resolution and appoint a business rescue
practitioner.
An affected person (shareholder, creditor, employee or trade union representing the
employees) may apply to court for an order:
• setting aside the resolution on the grounds that the company is not in financial
distress or that there are no reasonable prospects of saving the company; or
• setting aside the appointment of the practitioner on the grounds that he/she is not
independent, qualified, or does not have the necessary skills.
An affected person may also apply to court to begin business rescue proceedings.
During the business rescue proceedings, there is a general moratorium on legal
proceedings against the company, property interests are protected, employees continue
to be employed, directors remain in office and have a duty to exercise any
management function as instructed by the practitioner, and the shareholders’ status of
issued securities is protected.


A business rescue practitioner must be a member of an accounting, legal or
management profession, must not be disqualified as a director, and must be
independent of the company.
The practitioner will investigate the company’s affairs and determine if there is a
reasonable prospect of saving the company and, if so, prepare and present a
business rescue plan to the creditors and shareholders for approval. Once a business
rescue plan has been developed, it is binding on the company, every creditor and
every holder of the company’s securities.
NOTE: The above is an overview of business rescue. For further details, reference
should be made to the Act itself: sections 128–156 and Regulations 123–128.

CHAPTER 7
REMEDIES AND ENFORCEMENT (sections 156–184)
This section of the Act deals with the remedies available to security holders and others.
A brief overview of some remedies is provided, and readers should refer to the Act for
details thereon.
Alternative procedures for addressing complaints (sections 156–157)
A person specified in a provision of the Act, somebody acting on the person’s behalf,
acting as a member of a group, or acting in the public interest may seek to address a
contravention of the Act, the MOI or rules by:
• attempting to resolve the dispute through alternate dispute resolution;
• applying to the Companies Tribunal;
• applying to the High Court; or
• applying to the Commission.
Protection of whistle-blowers (section 159)
A shareholder, director, company secretary, employee, creditor, etc., who makes a
disclosure (contravention of the Act, a law, statutory obligation, endangerment of
health and safety, discriminating action, or other legislation that could lead to losses
for the company):
• has qualified privilege in respect of the disclosure;
• is immune from civil, criminal or administrative liability; and
• if harassed or threatened, is entitled to claim compensation from the company.
Public and state-owned companies must establish and maintain a whistle-blowing
function.
Application to protect the rights of security holders (section 161)
A holder of issued securities can apply to court for an order to protect any right of the
security holder in terms of the Act, the MOI, rules of the company or debt instrument.


Application to declare a director delinquent (section 162)


A company, shareholder, director, company secretary, a trade union representing
employees, or employees may apply for a court order declaring a person delinquent
or under probation if the person is a director or was a director within the previous
24 months, where a director:
• grossly abused the position of director;
• took personal advantage of company information or opportunities;
• intentionally, or through gross negligence, inflicted harm on the company or
subsidiary; or
• acted as director with gross negligence.
Relief from prejudicial conduct or abuse from the company (section 163)
A shareholder or director may apply to court for an order where the interests of the
applicant are affected by:
• an act of the company or a related person that is unfair or prejudicial;
• the business being carried on in a prejudicial manner; or
• the powers of directors being exercised in a prejudicial manner.
Dissenting shareholders’ appraisal rights (section 164)
Shareholders must receive notice of meetings to amend the MOI or transactions that
can affect their rights.
A shareholder whose rights are/have been affected may demand that the company pay
him/her the fair value of shares affected.
Derivative action (section 165)
A shareholder, director, trade union or person granted leave thereto by the court may
serve a demand on the company to commence or continue legal proceedings, or take
related steps, to protect the legal interests of the company.
Alternative dispute resolution (section 166)
As an alternative to applying to court for relief or filing a complaint with the
Commission, a person may refer the matter to the Companies Tribunal or an accredited
entity for conciliation, mediation or arbitration.
Initiating a complaint in respect of takeovers (section 168)
A person may file a complaint in writing with the Takeover Regulation Panel regarding
takeover issue contraventions.


CHAPTER 8
REGULATORY AGENCIES
The following agencies are established:
• Companies and Intellectual Property Commission (section 185).
• Companies Tribunal (section 193).
• Takeover Regulation Panel (section 196).
• Financial Reporting Standard Council (section 203).

CHAPTER 9
OFFENCES AND PENALTIES
Sections 213 and 214: Breach of confidence and false statements
It is an offence to:
• disclose confidential information concerning the affairs of any person obtained in
terms of the Act (section 213); or
• make false statements or be a party to the falsification of accounting records
(section 214),
and a penalty can be incurred or imprisonment for up to ten years, or both.
Complaints should be laid within three years (section 219).

Section 218: Civil actions


Any person who contravenes any provision of this Act is liable to any other person for
any loss or damage suffered by that person as a result of that contravention.

Section 223: Regulations


The Minister may make regulations to administer aspects of the Act – regulations must
be published for public comment.

Schedules
SCHEDULE 1: PROVISIONS CONCERNING NON-PROFIT COMPANIES
SCHEDULE 2: CONVERSION OF CLOSE CORPORATIONS TO
COMPANIES
SCHEDULE 3: AMENDMENTS OF LAWS
SCHEDULE 4: LEGISLATION TO BE ENFORCED BY THE COMMISSION
SCHEDULE 5: TRANSITIONAL ARRANGEMENTS


Regulations
The Regulations are issued by the Minister of Trade and Industry in consultation with
CIPC. The regulations provide more detail and further administrative requirements as
per the sections of the Act. The regulations have the same status and regulatory power
as the Act and are annexed at the back of the Act.
Readers should refer to the Regulations for details thereon.

3. NOTES ON THE FINANCIAL REPORTING, AUDITING AND REVIEW REQUIREMENTS (REGULATIONS 26–30)
The notes below apply to the accounting framework required to be applied, and
the audit and review requirements for companies and close corporations, as well
as the calculation of the public interest score.
NOTE: In the section below, entity refers to a company or close corporation.

3.1 DEFINITIONS
Independent accounting professional
A person who is:
• a registered auditor in terms of the Auditing Profession Act; or
• a member in good standing of a professional body accredited in terms of
section 33 of the Auditing Profession Act; or
• qualified to be appointed as an accounting officer of a close corporation in
terms of sections 60(1), (2) and (4) of the Close Corporations Act,
and, who
• does not have a personal financial interest in the entity or group; and
• is not:
  • involved in the day-to-day management of the entity’s business, nor
    has been so involved during the previous three years; or
  • a prescribed officer, or full-time executive employee, of the entity, nor
    has been at any time during the previous three years; and
• is not related to any person above.
Independently compiled and reported
Annual financial statements that are prepared:
• by an independent accounting professional;
• on the basis of financial records provided by the entity; and
• in accordance with any relevant financial reporting standards.


Standard to be followed for review engagements: ISRE 2400


ISRE 2400 means the International Standard for Review Engagements, as
issued from time to time, by the International Auditing and Assurance
Standards Board, or its successor body.

3.2 CALCULATION OF PUBLIC INTEREST SCORE (PIS)


For the purposes of the regulations every entity must calculate its public interest
score at the end of each financial year, calculated as the sum of the following:
• the number of points equal to the average number of employees of the
entity during the financial year;
• one point for every R1 million (or portion thereof) in third-party liability of
the entity, at the financial year end;
• one point for every R1 million (or portion thereof) in turnover during the
financial year; and
• one point for every individual who, at the end of the financial year, is
known by the entity to directly or indirectly have a beneficial interest in any
of the entity’s issued securities.
This can be illustrated as follows:

[Figure: 1 point is awarded for each of the following: every employee (average
number); every R1m of third-party liabilities; every R1m of turnover; every
security holder.]

Practical issues to be considered when calculating the public interest score
(acknowledgement: SAICA Company Guide):
• This calculation should be made at a company level and not at a
consolidated group level.
• When making the calculation, “employee” has the meaning set out in the
Labour Relations Act, 1995 (Act 66 of 1995) and would include any
person, excluding an independent contractor, who receives, or is entitled
to receive, any remuneration.


• “Third-party liabilities” is not defined in the Act but is viewed to be all
liabilities (on commercial terms) of a company that are payable to an
identifiable third party. Thus:
  • all liabilities (including subordinated loans) from shareholders are seen
    to be with a directly related party of the company and should be
    excluded from the public interest score calculation;
  • provisions should only be included if deemed to be payable and the
    third party can be clearly identified (e.g., deferred tax would be
    excluded);
  • when calculating the public interest score, the company should be
    considered and not the group, and therefore loans from other
    companies within a group, as well as intercompany creditors, should be
    included in the calculation of the public interest score (as well as
    directors’ loans, except if they are shareholders as well). However,
    loans not provided on normal commercial terms should be excluded
    as favourable terms would be deemed to compromise the “third-party”
    status of the counterparty; for example, loans with no specific
    repayment terms and interest charge.
• Beneficial interest means the right or entitlement of a person, through
ownership, agreement, relationship or otherwise to receive or participate in
any distribution in respect of the company’s securities or exercise the
rights attaching thereto.
  • a person is also regarded as having a beneficial interest in a security if
    the security is held nomine officii by another person on that first
    person’s behalf;
  • “indirect beneficial interest” could imply that a subsidiary of a holding
    company could be required to include the individuals with a beneficial
    interest in the holding company in its public interest score, as these
    individuals could be seen as having an indirect interest through its
    shareholding in the subsidiary (thus including the counting of the
    shareholders in the holding company as well, rather than counting only
    the holding company as one shareholder), thus currently two views
    exist;
  • the JSE Ltd (JSE), however, has indicated that all subsidiaries of a
    company listed on the JSE should be audited with the view that the
    status quo under the Companies Act, 1973, should be maintained in
    relation to publicly listed groups;
  • with regard to calculating the beneficial interest in a company whose
    securities are held by a trust, the DTI has expressed the view that the
    individual beneficiaries of the trust should be counted as the individual
    beneficial interest holders.
• “Turnover” is defined as the gross revenue from the most recent annual
financial statements from the sale of goods; the rendering of services; or
the use by other persons of the company’s assets yielding interest,
royalties, or dividends.


3.3 ACCOUNTING STANDARD TO BE APPLIED BY ENTITIES


Category of companies | Financial Reporting Standard
State-owned companies | IFRS, but in the case of any conflict with any requirement in terms of the Public Finance Management Act, the latter prevails.
Public companies listed on an exchange | IFRS
Public companies not listed on an exchange | One of: (a) IFRS; or (b) IFRS for SMEs, provided that the company meets the scoping requirements outlined in the IFRS for SMEs.
Profit companies, other than state-owned or public companies, whose public interest score for the particular financial year is at least 350 | One of: (a) IFRS; or (b) IFRS for SMEs, provided that the company meets the scoping requirements outlined in the IFRS for SMEs.
Profit companies, other than state-owned or public companies: (a) whose public interest score for the particular financial year is at least 100 but less than 350; or (b) whose public interest score for the particular financial year is less than 100, and whose statements are independently compiled | One of: (a) IFRS; or (b) IFRS for SMEs, provided that the company meets the scoping requirements outlined in the IFRS for SMEs; or (c) SA GAAP.
Profit companies, other than state-owned or public companies, whose public interest score for the particular financial year is less than 100, and whose statements are internally compiled | The Financial Reporting Standard as determined by the company for as long as no Financial Reporting Standard is prescribed.

3.4 CATEGORIES OF ENTITIES REQUIRED TO BE AUDITED


In addition to public companies and state-owned entities:
• any profit or non-profit entity (company or corporation) holding assets in
the ordinary course of business in a fiduciary capacity for persons who are
not related to the company, in aggregate value at any time during the
financial year of more than R5 million;


• certain non-profit entities incorporated by the state or an organ of state;
• any other entity whose public interest score in that financial year, as
calculated in accordance with Regulation 26(2):
  • is 350 or more; or
  • is at least 100, but less than 350, if its annual financial statements for
    that year were internally compiled.

3.5 EXEMPTIONS FROM AUDIT OR REVIEW (SECTION 30(2A))


If, with respect to a particular entity (company or corporation), every person
who is a holder of, or has a beneficial interest in, any securities issued by that
entity is also a director (or member) of the entity, that entity is exempt from the
requirements in this section to have its annual financial statements audited or
independently reviewed, but this exemption does not apply if the entity falls
into a class that is required to have its annual financial statements audited in
terms of the regulations.
It also does not relieve the entity of any requirement to have its financial
statements audited or reviewed in terms of another law, or in terms of any
agreement to which the corporation is a party.
NOTE: This means that if an entity (company or close corporation) is exempt
from an audit, it will not need a review.

3.6 INDEPENDENT REVIEW OF ANNUAL FINANCIAL STATEMENTS


3.6.1 Definitions
For purposes of this regulation:
• Independent reviewer means a person referred to in regulation 29(4),
namely an independent accounting professional, and who has been
appointed to perform an independent review under this regulation.
• Reportable irregularity means any act or omission committed by any
person responsible for the management of an entity which
  • unlawfully has caused or is likely to cause material financial loss to the
    entity or to any member, shareholder, creditor or investor of the
    company in respect of his, her or its dealings with that entity; or
  • is fraudulent or amounts to theft; or
  • causes or has caused the company to trade under insolvent
    circumstances.


3.6.2 Exemption
This regulation applies to an entity (company or corporation), with respect to
any particular financial year, unless the company or corporation:
• is exempt, in terms of section 30(2A), from any requirement to have its
annual financial statements for that year audited or reviewed;
• is required by its own Memorandum of Incorporation, or required in terms
of the Act or regulation 28, to have its annual financial statements for that
financial year audited; or
• has voluntarily had its annual financial statements for that year audited.

3.6.3 Standard to be followed


An entity to which this regulation applies must have its annual financial
statements independently reviewed in accordance with ISRE 2400.

3.6.4 Requirements for independent review


The independent review of the annual financial statements must be carried out:
• in the case where the public interest score for the particular financial year
was at least 100, by a registered auditor, or a member in good standing of
a professional body that has been accredited in terms of section 33 of the
Auditing Profession Act (currently only CA(SA)s); or
• in the case where the public interest score for the particular financial year
was less than 100, by:
  • a person contemplated above; or
  • a person who is qualified to be appointed as an accounting officer of a
    close corporation in terms of sections 60(1), (2) and (4) of the Close
    Corporations Act, 1984 (Act 69 of 1984).

3.6.5 Disqualification
An independent review of the annual financial statements must not be carried
out by an independent accounting professional who was involved in the
preparation of the said annual financial statements.
NOTE: The disqualification applies only to the individual and not to the firm,
and also only to the preparation of financial statements and not to
accounting and secretarial work provided by such person.

3.6.6 Reportable irregularities


• An independent reviewer that is satisfied or has reason to believe that a
reportable irregularity has taken place or is taking place in respect of the
entity must, without delay, send a written report to the Commission.


• The report must give particulars of the reportable irregularity and must
include such other information and detail as the independent reviewer
considers appropriate.
• The independent reviewer must, within three business days of sending the
report to the Commission, notify the members of the Board/members of a
close corporation of the entity in writing of the sending of the report
referred to and the provisions of this regulation. A copy of the report sent to
the Commission must be attached.
• The independent reviewer must as soon as reasonably possible but not
later than 20 business days from the date on which the report was sent to
the Commission:
  • take all reasonable measures to discuss the report referred to with the
    members of the board of the entity (company or corporation);
  • afford the members of the board of the entity (company or corporation)
    an opportunity to make representations in respect of the report; and
  • send another report to the Commission, which report must include a
    statement:
    – that the independent reviewer is of the opinion that no reportable
      irregularity has taken place or is taking place; or
    – that the suspected reportable irregularity is no longer taking place
      and that adequate steps have been taken for the prevention or
      recovery of any loss as a result thereof, if relevant; or
    – that the reportable irregularity is continuing.
The Commission must as soon as possible after receipt of a report notify any
appropriate regulator in writing of the details of the reportable irregularity to
which the report relates and provide it with a copy of the report and may
investigate any alleged contravention of the Act.
For the purpose of the reports relating to a reportable irregularity an
independent reviewer may carry out such investigations as the independent reviewer
may consider necessary and, in performing any duty referred to in the
preceding provisions of this regulation, the independent reviewer must have
regard to all the information which comes to the knowledge of the independent
reviewer from any source.
NOTE: SAICA has provided illustrative reportable irregularity letters for
independent reviews.

4. GUIDELINES FOR THE DISTRIBUTION OF DIVIDENDS


• The requirements of the Companies Act, 2008 (sections 4 and 46) should
always be adhered to.


• The following guidelines on the payment of dividends established by case
law over the years, however, still apply:
  • Current-year profits may be distributed WITHOUT MAKING GOOD PRIOR
    YEAR LOSSES.
  • Depreciation and losses on CURRENT ASSETS HAVE TO BE PROVIDED
    FOR before any distribution can be made, BUT DEPRECIATION AND
    LOSSES ON FIXED ASSETS need not be provided for.
  • REALISED PROFITS from the sale of fixed assets may BE DISTRIBUTED.
  • DISTRIBUTION OF UNREALISED PROFITS:
    Two court cases, namely:
    – Westburn Sugar
      The court decided unrealised profits cannot be distributed.
    – Dimbula Tea Company
      The court decided that unrealised profits can be distributed, provided
      that:
      * it is authorised by the articles;
      * the increase in value is of a permanent nature;
      * the valuation was done in good faith by a competent assessor; and
      * the financial condition of the company allows it (liquidity and solvability).

5
THE AUDIT AND ASSURANCE PROCESS

1. Responsibilities, functions and qualities of the auditor
1.1 The objectives of and general principles governing the audit of financial statements
1.2 Fundamental principles of auditing theory
1.3 The audit profession
1.4 Standard-setting procedures
1.5 Distinguishing between statutory and non-statutory audits
1.6 Explanation of audit and related services
1.7 Framework of the registered auditor
1.8 Meanings and definitions
2. The audit of historical financial information (statements)
2.1 Introduction
2.2 Stages of the audit process
3. Assurance engagements other than audits or reviews of historical financial information
3.1 Assurance engagement framework
3.2 Specific assurance engagements
4. Quality management
4.1 Quality management at firm level
4.2 Engagement quality reviews
4.3 Quality management at audit level
5. Key elements that create an environment for audit quality

CHAPTER 5: The audit and assurance process

1. RESPONSIBILITIES, FUNCTIONS AND QUALITIES OF THE AUDITOR

1.1 THE OBJECTIVES OF AND GENERAL PRINCIPLES GOVERNING THE AUDIT OF FINANCIAL STATEMENTS
SOURCE REFERENCE: ISA 200 “Overall Objectives of the Independent Auditor and the
Conduct of an Audit in Accordance with International Standards on Auditing”

1.1.1 Objectives of an audit of financial statements


The overall objectives of the auditor are:
l to obtain reasonable assurance about whether the financial statements as
a whole are free from material misstatement, whether due to fraud or error,
thereby enabling the auditor to express an opinion on whether the financial
statements are prepared, in all material aspects, in accordance with an
applicable financial reporting framework; and
l to report on the financial statements and to communicate as required by
the ISAs (International Standards on Auditing) and in accordance with the
auditor’s findings.
The auditor’s opinion:
l enhances the credibility of the financial statements; but
l does not guarantee the future viability of the entity; and
l does not guarantee the efficiency or effectiveness with which management
has conducted the affairs of the entity.
NOTE: An audit of historical financial information is an assurance engagement, governed by the ISA statements, regulations and legislation, and an opinion is expressed and assurance provided on the fair presentation of the financials under ISA 700, 701, 705 and 706.
Assurance engagements other than audits and reviews of historical financial information are assurance engagements on information other than historical financial information, on such aspects as sustainability or environmental, social and governance reporting, integrated reporting, reporting on corporate social responsibility, greenhouse gas statements and service performance reporting in the public sector.
These other assurance engagements are governed by ISAE 3000 and an opinion is expressed, and assurance provided, under ISAE 3000.
Refer to section 3 for further guidance on assurance engagements under
ISAE 3000.

1.1.2 General principles of an audit


The auditor should comply with the Code of Professional Conduct of SAICA (South African Institute of Chartered Accountants), IFAC (International Federation of Accountants) and IRBA (Independent Regulatory Board for Auditors). The ethical principles underlying the auditor’s professional responsibilities are:
l integrity;
l objectivity;
l professional competence and due care;
l confidentiality; and
l professional behaviour.
Audits must be performed in accordance with the statements of the ISAs.
These contain basic principles and essential procedures, together with related
guidance.
The auditor must plan and perform the audit with an attitude of professional
scepticism that circumstances may exist that could cause the financial state-
ments to be materially misstated.
An attitude of professional scepticism means that the auditor should make
critical assessments, with a questioning mind, of the validity of audit evidence
obtained, and be alert to audit evidence that contradicts, or brings into ques-
tion, the reliability of documents or management’s representations.
NOTE: Whenever an audit opinion is expressed on the financial statements, the
same audit principles apply, regardless of the nature or legal form of the
entity, because the user of audited financial statements is entitled to a
uniform quality of audit performance.

1.1.3 Scope of the audit


The audit procedures which are deemed necessary to perform an audit in
accordance with the ISAs are determined with reference to:
l the statements of the ISAs;
l the requirements of the professional bodies (and IRBA);
l legislation and regulations; and
l the terms of the engagement and reporting requirements.
In performing the audit, the auditor should comply with each of the ISAs rele-
vant to the audit. Thus, the auditor should not represent compliance with ISAs,
unless the auditor has complied fully with all the ISAs relevant to the audit.

1.1.4 Reasonable assurance


An audit conducted in accordance with the ISAs provides reasonable assur-
ance that the financial statements taken as a whole are free from material mis-
statement. The inherent limitations of an audit may affect the auditor’s ability to
detect material misstatements.
Inherent limitations of an audit
These consist of:
l the use of testing;
l the inherent limitations of the internal control systems (e.g. the possibility of
management override or collusion);


l the fact that audit evidence is often more persuasive than conclusive; and
l the fact that the auditor’s work is open to subjective judgement, especially
in terms of:
• the obtaining of audit evidence (nature, extent and timing of audit proced-
ures); and
• the drawing of conclusions based on the audit evidence obtained.
NOTE: Because of the above, an audit is not a guarantee that the financial
statements are free from material misstatement.

1.1.5 Responsibility for the financial statements


Auditor: Responsible for forming and expressing an opinion on the financial statements.
Management (Those Charged with Governance): Responsible for preparation and fair presentation of the financial statements in accordance with the applicable financial reporting framework (an audit does not relieve management of this obligation).
Financial statements: Refers to a structured representation of the financial information derived from the accounting records. This may be a complete set of financial statements, or, in some cases, a single financial statement, for example a balance sheet or a statement of revenue and expenses.

1.1.6 Applicable financial reporting framework


Financial reporting framework: The financial reporting framework refers to the format of reporting. The requirements of the financial reporting framework determine the content and form of the financial statements, for example the International Public Sector Accounting Standards (IPSAS), Standards of Generally Recognised Accounting Practice (GRAP) for public sector entities and the International Financial Reporting Standards (IFRS or IFRS for SMEs).
Management is responsible for identifying and applying “an applicable finan-
cial reporting framework” when preparing and presenting the financial state-
ments. This responsibility includes:
l designing, implementing and maintaining internal controls relevant to the
preparation and presentation of the financial statements that are free from
material misstatement, whether due to fraud or error;
l selecting and applying appropriate accounting policies; and
l making accounting estimates that are reasonable in the circumstances.
The auditor is responsible for determining whether the financial reporting
framework, identified and applied by management is acceptable, based on the
nature and objective of the financial statements. The financial reporting frame-
work should also be stated in the engagement letter.


1.1.7 Professional scepticism


The auditor should plan and perform the audit with an attitude of professional scepticism. This means that the auditor should make critical assessments with an enquiring mind, taking into account that circumstances may exist that may result in the financial statements being materially misstated.
The application of professional scepticism by the auditor may include questioning contradictory information and the reliability of documents, considering responses to inquiries and other information obtained from management and those charged with governance, being alert to conditions that may indicate possible misstatement due to fraud and error, and considering whether the audit evidence obtained supports the auditor’s identification and assessment of risk of material misstatement in light of the entity’s nature and circumstances.

1.1.8 Risk and materiality


The auditor should plan and perform the audit to reduce the risk of material
misstatement to an acceptably low level.
The auditor performs risk assessment procedures to obtain information to identify and assess the risk of material misstatement at two levels: at the financial statement level in totality, in order to set materiality and determine an overall audit response and strategy for the audit; and at the assertion level, separately assessing inherent and control risk, to provide a basis for designing and performing further audit procedures (tests of controls and/or substantive procedures) that respond to the risk of material misstatement at the assertion level.

1.1.9 Expressing an opinion on the historical financial statements


The auditor should express an opinion on the historical financial statements at
completion of the audit.
l Opinion on a complete set of general-purpose financial statements pre-
pared in accordance with a generally accepted financial reporting frame-
work:
• report under ISA 700, 701, 705 and 706 (if applicable).
l Opinion on a complete set of financial statements prepared in accordance
with special purpose frameworks; single financial statements; elements,
accounts or items of financial statements or summarized financial state-
ments
• report under ISA 800, 805 or 810.
For an audit of financial statements (being an assurance engagement):
l the subject matter will be the financial statements;
l the criteria will be the ISAs;
l the users will be the shareholders;
l the responsible party (for the financial statements) will be manage-
ment; and
l the audit opinion will be a positive form of expression, providing rea-
sonable (high), but not absolute assurance.


1.2 FUNDAMENTAL PRINCIPLES OF AUDITING THEORY


These represent the basic principles on which auditing is based. They are also
called the postulates of auditing.
1. Financial data is verifiable.
2. No necessary conflict of interests exists between the auditor and the
management of the entity under audit.
3. The financial statements and other information presented for verification
are free of collusion and other irregularities.
4. Internal controls reduce the probability of errors and irregularities.
5. The consistent application of Generally Accepted Accounting Practice
results in fair presentation.
6. In the absence of any contrary evidence, that which held true in the
past will hold true in the future.
7. When the auditor is examining financial data with the objective of expressing
an independent opinion thereon, he/she acts exclusively in the capacity of
auditor.
8. The professional status of the independent auditor imposes commen-
surate professional obligations.

1.3 THE AUDIT PROFESSION


1.3.1 The need for auditors
The stakeholders of entities require assurance that the financial statements
prepared by such entities contain reliable information. An audit does not only
ensure the fair presentation of the financial information audited, but also plays
an important role in protecting the interest of the members, creditors, investors,
etc. (section 45 of the Auditing Profession Act).
An audit increases the credibility of the financial statements and plays an
important role in the capital markets of the world. It provides, inter alia, the fol-
lowing benefits:
l to investors, allowing them to base their investment decisions on audited
information;
l to employees, permitting them to use audited information on which to base
decisions concerning their employee benefits, etc.;
l to the state, making it possible for it to use the audit for the collection of
taxes; and
l to creditors, permitting them to use it for decisions on the provision of
trade credit.
The auditor is the guard dog of his/her client, as well as the general public. The Companies Act 2008 requires all public companies and state-owned entities to be audited, but private companies only if they meet the PIS (Public Interest Score). However, many such companies will still be audited voluntarily due to the users’ need for audited information.


1.3.2 Criteria for a profession


A profession is distinguished by certain characteristics of its members, of which
the Code of Professional Conduct of SAICA, IRBA and IFAC emphasise the fol-
lowing:
l mastering of a particular intellectual skill, acquired through training and
education;
l acceptance of duties to society as a whole, in addition to duties to the
client or employer;
l an outlook which is essentially objective; and
l rendering personal services to a high standard of conduct and performance.

1.3.3 The audit profession in South Africa


A) Statutory: Auditing Profession Act (Act 26 of 2005)
The audit profession in South Africa is regulated by the Independent
Regulatory Board for Auditors (IRBA), a statutory body constituted by the
Auditing Profession Act of 2005. The IRBA reports to the Minister of
Finance.
The IRBA is responsible for the registration of persons and firms who may
act as auditors, as well as for the registration of trainee accountants and
the monitoring of service under training contracts.
NOTE: Only persons registered with the IRBA as Registered Auditors
(RA) may perform the audit (attest) function and express an
audit opinion.
B) Professional bodies of accountants and auditors
These are professional bodies which govern the interests of their mem-
bers, for example SAICA, SAIPA, CIMA, ACCA, IIA, etc.
L South African Institute of Chartered Accountants (SAICA)
SAICA is a professional body governing and advancing the interests
of chartered accountants in South Africa. It is not a statutory body,
but a professional body that reports to its members.
NOTE: Registration with SAICA is necessary in order for an auditor
to use the designation CA(SA).

1.3.4 The international audit profession (IFAC)


This represents a federation of approximately 90 accounting professions world-
wide. IFAC, through the International Audit and Assurance Standards Board
(IAASB), issues audit standards and strives to harmonise auditing practices
worldwide. SAICA is a member-body of IFAC.


1.4 STANDARD-SETTING PROCEDURES


SOURCE REFERENCE:
Preface: “Preface to the International Standards on Quality Control, Auditing, Review, Other Assurance and Related Services”
BN 143: Adoption of International Quality Control, Auditing, Review, Other Assurance and Related Service pronouncements in terms of the Auditing Profession Act, 26 of 2005
Status: Committee for Auditing Standards, Status of Quality Control, Auditing, Review, Other Assurance and Related Service pronouncements
The preface is issued to facilitate understanding of the scope and authority of the pronouncements of the IAASB of IFAC. It serves the IAASB goal of developing a set of International Standards and other pronouncements which are generally accepted worldwide.

1.4.1 Relationship between the South African and the International auditing
standards
Since 1994, the South African Statements on Auditing have been based on the
International Auditing Standards of IFAC.
As of 1 January 2005, the entire set of IAASB auditing statements was adopted
for use in South Africa. All South African audit statements were withdrawn as of
1 January 2005 and replaced by the international IFAC statements.

1.4.2 Issue of auditing standards


IRBA is the statutory body controlling the auditing profession in SA, and within
its powers it prescribes the standards with which auditors must comply when
performing audits.
IRBA has adopted the IAASB auditing standards of IFAC in full. Thus, all the
auditing standards approved by the Committee for Audit Standards on behalf
of IRBA are binding on all registered auditors in South Africa. These include:
l International Standards on Auditing (ISAs);
l International Standards on Review Engagements (ISREs);
l International Standards on Assurance Engagements (ISAEs); and
l International Standards on Related Services (ISRSs).
IFAC established the IAASB to develop and issue auditing statements. South
Africa is a member of the IAASB.
IRBA established a committee for auditing standards in accordance with section 22 of the Auditing Profession Act, to develop and issue standards on its behalf. Thus, the committee for audit standards considers and issues for comment IFAC exposure drafts, and once approved and issued by the IAASB, approves them for issue in SA.

1.4.3 Authority of International Auditing Statements


The statements must be applied as follows:
l ISAs to all audits of financial statements;
l ISRE to the audits and reviews of other information and related services,
adjusted as necessary;
l ISAE to assurance engagements other than audits and reviews of historical
financial statements.
In exceptional circumstances, the auditor may consider it necessary to depart
from a statement in order to achieve the objective of his/her audit more effect-
ively. In such circumstances, he/she must be prepared to justify the departure.

1.4.4 Authority of audit guidelines, International Audit Practice Notes and South African Auditing Practice Statements (IAPN and SAAPS)
Audit guidelines and practice notes are issued to provide guidance and prac-
tical assistance to auditors in implementing ISAs. South African Auditing Prac-
tice Statements are issued to provide guidance to South African auditors,
where the International Auditing Practice Statements do not apply to a specific
unique South African issue.
An auditor who does not apply the guidance included in a relevant IAPS needs
to be prepared to explain how the basic principles and essential procedures in
the Statements have been complied with.

1.4.5 Auditor’s responsibility


The auditor must be aware of and comply with:
l legislation and regulations applicable to the audit engagement; and
l the Auditing Profession Act (26 of 2005).
Compliance with the Auditing Standards may require the auditor to extend
his/her audit above the requirements of a specific law.
If an auditor’s work is tested in a court of law to determine the adequacy there-
of, the court would probably seek confirmation that the auditor had complied
with the Standards of Auditing (ISAs, etc.) in all material respects. If not, the
court might require proof that the deviation did not result in non-compliance
with generally accepted auditing standards.
The nature of the ISAs requires the professional accountant to exercise profes-
sional judgment in applying them.


1.5 DISTINGUISHING BETWEEN STATUTORY AND NON-STATUTORY AUDITS


Statutory audits: These represent audits mandated by an Act, for
example, the Companies Act, the Public Finance
Management Act, the Financial Institutions Act,
the Sectional Title Act, etc. The auditor’s duties
and responsibilities are statutorily regulated by the
relevant Acts.
Non-statutory audits: These represent audits requested by the client
although this is not statutorily required, for example
an audit of a close corporation or private company
not meeting the PIS for an audit.
Irrespective of whether the audit is of a statutory nature or not, it is governed by
the Auditing Profession Act. The auditor must further comply with:
l the IFAC statements of auditing; and
l the codes of conduct of the IRBA and the relevant professional bodies.

1.6 EXPLANATION OF AUDIT AND RELATED SERVICES


Nature of service | Audit | Review | Agreed-upon procedures | Compilation
Comparative level of assurance expressed by the auditor | High but not absolute assurance | Moderate assurance | No opinion or assurance | No opinion or assurance
Report provided | Positive assurance on the assertion(s) | Negative assurance on the assertion(s) | Factual findings on procedures | Identification of information compiled


L Audit and review


l Audit
Definition: The objective of an audit of the financial statements is to
enable an auditor to express an opinion as to whether or not
the financial statements fairly present (“or are a true and fair
view”), in all material respects, the financial position of the
entity at a specific date, and the results of its operations and
cash flow information for the period ended on that date, in
accordance with an identified financial reporting framework
and/or statutory requirements.
Considerations:
• The auditor must obtain sufficient and appropriate audit evidence to
draw conclusions on which to base his/her opinion.
• The auditor’s opinion enhances the credibility of the financial state-
ments by providing a reasonable (high), though not absolute, level of
assurance.
• Absolute assurance is not possible because of:
– the need for judgement;
– the use of testing;
– the inherent limitations of the accounting and internal control
systems; and
– the fact that most audit evidence may be considered persuasive,
rather than conclusive.
l Review
Overview: The objective of review engagements is to enable the auditor
to state, based on procedures that do not provide all the evi-
dence of an audit, whether or not anything has come to the
auditor’s attention that may cause the auditor to believe that
the statements were not prepared in all material respects in
accordance with an identified reporting framework and/or cer-
tain given criteria (negative assurance).
• The procedures consist of:
– enquiries; and
– analytical procedures.
• The procedures do not include:
– an assessment of the accounting and internal control systems; or
– the testing of records and answers to enquiries.
• The procedures offer a lower level of assurance than an audit opinion.


L Related services
l Agreed-upon procedures: The auditor performs those procedures of
an audit nature that the client, the auditor
and third parties agreed upon.
• The receiver of the report forms his/her
own opinion based on the procedures
performed and findings thereof.
• The distribution of the report is limited
to those parties who have agreed on
the procedures to be performed.
l Compilations: The accountant uses accounting expertise (as opposed
to auditing expertise) to collect, classify and summa-
rise financial information.
• The procedures are not designed and do not enable
the accountant to express assurance on the finan-
cial information.
• The user obtains some benefit because the work
is done with professional skill and care.
l Auditor’s association with financial information:
• This applies where the auditor’s name is associated with financial
information and he/she did not issue a report on the financial infor-
mation or give consent for the use of his/her name.
• Action:
– Request management to refrain from doing so.
– Obtain legal advice.


1.7 FRAMEWORK OF THE REGISTERED AUDITOR


SOURCE REFERENCE: Structure of pronouncements issued by the Inter-
national Auditing and Assurance Board

REGISTERED AUDITOR (RA)

Possible services covered by an IAASB Professional

Assurance engagements (Framework on Assurance Engagements)
  Audits and reviews of historical financial information
    Audits: ISAs 100–999
    Review engagements: ISREs 2200–2699
  Other than audits or reviews of historical financial information (ISAE 3000), e.g.:
    • non-financial performance
    • physical characteristics
    • systems and processes (e.g. internal controls)
    • behaviour (e.g. corporate governance)

Related services (ISRE 4000–4699)

Service | Financial statements audits | Other special audits | Reviews | Assurance on other than historical financial information | Agreed-upon procedures | Compilations
Standard | ISA 700, 701, 705, 706 | ISA 800, 805 or 810 | ISRE 2400 | ISAE 3000–3699 | ISRS 4400 | ISRS 4410
Opinion/conclusion | Positive | Positive | Negative | Positive and negative | None | None
Assurance provided | Reasonable | Reasonable | Limited | Reasonable or limited | None – report on findings | None


1.8 MEANINGS AND DEFINITIONS


SOURCE REFERENCE: “Glossary of terms”
The meanings and definitions (terminology of auditing concepts) are set out
and explained in the Glossary, that is, the preface to the Auditing Standards in
the IFAC handbook.

2. THE AUDIT OF HISTORICAL FINANCIAL INFORMATION (STATEMENTS)


2.1 INTRODUCTION
The aim of an audit of financial statements is to enable the auditor to express
an opinion on whether the financial statements are prepared, in all material
respects, in accordance with an applicable financial reporting framework
(present a “true and fair view”). Towards this goal, a series of procedures and
activities are performed to obtain evidence to support the auditor’s opinion –
this constitutes the audit process. Taken together, the ISAs provide the stand-
ards for the auditor’s work in fulfilling the objectives.

2.2 STAGES OF THE AUDIT PROCESS


The framework provides an overall view of the audit process and the state-
ments applicable to each stage.

Engagement activities (ISAs 210, 220, 300; ISQM 1 and 2)

Client investigation for new and existing clients

Determine skills and competence requirements

Establish the terms of the engagement (ISA 210)

Planning the audit at the overall financial statement level and establishing the overall audit response (ISAs 200, 300, 315, 320, 330, 402)
Understand the entity and its environment, and the applicable Financial
Reporting Framework

Understanding of the entity’s internal control

Identify and assess the risk of material misstatement

Set materiality
l Planning materiality for the audit
l Performance materiality for significant classes of transactions, accounts
and disclosures

Overall audit response


l Identify significant classes of transactions, account balances and disclo-
sures that require further audit procedures at assertion level
• accounts that are significant due to their nature and inherent risks identi-
fied
• accounts that are quantitatively material
l Formulate an overall response for the audit
• general audit approach (or strategy) for the audit as a whole
• areas of specific risks and focus that require specific audit attention
• direction and control for the audit and engagement team

Detailed planning at the assertion level for individual classes of transactions, account balances and disclosures (audit plan) (ISAs 200, 300, 315, 330)
l For individual significant classes of transactions, account balances and
disclosures:
1. Perform risk assessment procedures to identify and assess the risk at
assertion level of material misstatement significance:
• identify inherent risks and assess them for scalability (risk ranking
between low and high) in terms of magnitude and likelihood.
• identify controls that will address the significant assessed risks
above
2. Design and perform further audit procedures whose nature, timing and
extent are based on and are responsive to the assessed risks of mate-
rial misstatement above at the assertion level (often referred to as an
audit approach, consisting of tests of controls, substantive procedures
or a combination thereof).
3. Allocation of resources and coordination and control of the audit of the
specific account (level and experience of staff, level of supervision and
review, use of experts, use of CAATs, time and cost budgets, etc.)
4. Perform audit procedures (test of control and/or substantive tests) in
response to the assessed risk.

l For non-significant accounts:
• Verify through substantive analytical review procedures.

Obtaining of audit evidence through performance of audit procedures

Tests of controls (ISAs 265, 315, 330, 500, 530)

Substantive procedures (ISAs 500, 501, 505, 510, 520, 530, 540, 550, 580, 600, 610, 620; IAPS 1000; SAAPS 4, 6)

Evaluating, concluding and reporting

Overall review of the financial information, and evaluation of the audit evidence (ISAs 260, 330, 450, 560, 570, 580; SAAPS 3, 1100)

Conclude and formulate an audit opinion (ISAs 700, 705)

Reporting (ISAs 700, 701, 705, 706, 710, 720, 800, 805, 810; ISRE 2400, 2410; ISRSs 4400, 4410; SAAPS 2, 3)

* The above source references may change with the issue of new statements.
NOTE: The above framework is set out for the purpose of the audit of financial statements. It is,
however, just as appropriate for the performance of other assurance engagements, adjusted
as necessary.

2.2.1 Engagement activities

SOURCE REFERENCE:
ISA 220 (revised) “Quality Management for an Audit of Financial Statements”
ISA 300 “Planning an Audit of Financial Statements”
ISQM 1 “Quality Management for Firms that Perform Audit or Reviews of Financial Statements, or Other Assurance or Related Services”
ISQM 2 “Engagement Quality Reviews”


The objective of engagement activities


This is to determine the acceptability of new clients, or to consider the viability
to carry on as auditors for existing clients.
Procedures and considerations
l Perform a new client investigation, or consider changes in circumstances
of existing clients.
Consider:
• the independence of the auditor;
• the integrity (risk) of the client and its management and the potential
risk of material misstatement;
• changes in the entity for existing clients;
• communication with predecessor auditors.
l Determine the skills and competence requirements for the engagement:
• knowledge and experience requirements for the relevant industries;
• skill, experience and expertise required for the audit;
• experts required;
• sufficient audit staff, timing of work performed, etc.
l Establish the terms of the engagement in an engagement letter.
Engagement activities are dealt with in detail in chapter 8.

2.2.2 Planning of the audit


SOURCE REFERENCE:
ISA 300 “Planning an Audit of Financial Statements”
ISA 315 (revised) “Identifying and Assessing the Risk of Material Misstatement”
ISA 330 “The Auditor’s Response to Assessed Risks”
The objective of planning
The auditor should plan the audit so that the audit work will be performed in an
effective manner. The results of the planning process are the formulation of the
overall audit response (or strategy) for the audit as a whole and a detailed audit
plan for the audit of individual classes of transactions, account balances and dis-
closures at the assertion level.
L Planning at the overall financial statement level and at the assertion level
for significant classes of transactions, account balances and disclosures
Planning consists of:
l Planning for the audit at the overall financial statement level and establish-
ing an overall audit response: To ensure that the audit is conducted in an
effective and efficient manner, and that the risk of material misstatement in
the financial statements as a whole is appropriately addressed.


l Planning at the assertion level: For the conduct of the audit of specific
classes of transactions, account balances and disclosures (called signifi-
cant classes of transactions, account balances and disclosures) to ensure
the risk of material misstatement at the assertion level for those accounts is
appropriately addressed.
L Planning of the audit at the overall financial statement level and estab-
lishing an overall audit response
l Obtain an understanding of the entity and its environment, and the
applicable Financial Reporting Framework
The auditor shall obtain an understanding of the following:
■ INTERNAL (entity factors)
• The entity’s organisational structure and ownership
• The entity’s governance
• The entity’s business model and strategy
• The entity’s activities
• Performance management measures and criteria
■ EXTERNAL
• Industry factors
• Regulatory and legislative factors
• Other external factors such as economic conditions, interest rates,
inflation, availability of financing, etc.
■ APPLICABLE FINANCIAL REPORTING FRAMEWORK
• Relevant financial frameworks and new standards, developments, etc.
l Obtain an understanding of the entity’s system of internal controls
The auditor shall obtain an understanding of:
• the control environment
• the entity’s risk assessment (management) process
• the entity’s process to monitor the system of internal control, including
internal audit where such function exists
• the information system and processing of data and activities (account-
ing information systems)
• the internal control system.
l Identify and assess the risk of material misstatement
Ŷ At the financial statement level
Risks of material misstatement at the financial statement level refer to risks
that relate pervasively to the financial statements as a whole and poten-
tially affect many classes of transactions, accounts and disclosures at asser-
tion level. These risks may not necessarily be risks identifiable with specific
assertions (e.g., risk of override of controls), but rather represent circum-
stances that may increase the risk of material misstatement at the asser-
tion level.
Risk of material misstatement at the financial statement level may also
affect classes of transactions, accounts or disclosures at the assertion level.
The auditor would respond to the assessment of the risk of material mis-
statement at the financial statement level by formulating an overall audit
response (or strategy) to the audit.
Ŷ At assertion level
This relates to the risk of material misstatement at assertion level due to
the inherent risks identified and assessed based on their likelihood and
magnitude of misstatement.
The auditor’s assessment of the identified risks of material misstatement at
the assertion level provides a basis for considering an appropriate audit
approach for designing and performing further audit procedures.
l Materiality
This includes:
• considering the risk assessment of material misstatement at the finan-
cial statement level, as well as prior experience; and
• setting of planning materiality: this will be used for planning purposes to
identify classes of transactions and account balances that will be signif-
icant accounts because of their quantitative amounts.
NOTE: The planning materiality, as calculated, will be adjusted for
the assessment of risk of material misstatement at the financial
statement level (entity risk).
• setting of performance materiality: this will be the criteria for the materi-
ality levels to be applied in the audit of significant classes of trans-
actions and account balances.
l Overall response
• Identify significant classes of transactions, account balances and dis-
closures to be audited in detail
– accounts that are significant due to their nature and inherent risks
– accounts that are quantitatively material
• Formulate an overall audit response for the audit
– general audit approach (or strategy) for the audit as a whole
– areas of specific risks and focus that require specific audit atten-
tion
– direction and control for the audit and engagement team
– emphasising the need for the audit team to maintain professional
scepticism and an enquiring mind
– assigning of more experienced staff or those with special skills or
using experts
– nature, timing and extent of direction and supervision of members
of the engagement team and the review of the work performed
– incorporating additional elements of unpredictability in the selec-
tion of further audit procedures to be performed
– timing of the audit and need for early verification
– administrative and coordinating matters such as timing
The audit plan (or in practice often referred to as audit strategy) at this
level is a high-level approach/response to the audit and the organisation
and administration of the audit as a whole.
L Planning at the assertion level for classes of transactions, account
balances and disclosures (significant accounts at the assertion level)
l For significant accounts (audit plan):
• Identify and assess the risk of material misstatement for the specific
class of transaction, account balance, or disclosure (through risk
assessment procedures).
– Identify and assess the spectrum (low to high) for each of the
inherent risks at the assertion level.
– For significant risks, that is, inherent risk assessed as high, identify
possible controls of audit importance (significant or key controls)
that will reduce or limit the significant inherent risks at the asser-
tion level.
• Audit approach for the specific classes of transaction, account bal-
ance and disclosure (e.g. sales, fixed assets, inventory, etc.). This will
consist of:
– the audit approach per assertion, namely:
* performing only tests of controls for particular assertions
* performing only substantive procedures for specific assertions
* a combined approach using both tests of controls and sub-
stantive procedures for assertions
– specific risk responses such as:
* use of technology
* level of professional scepticism
* level of unpredictability, etc.
• Organisation and control for the audit of the specific accounts (e.g.
attendance of inventory counts, use of experts, level of staff experi-
ence and expertise, supervision and review, use of CAATs, etc.).
L For non-significant accounts, set a strategy of verifying such items
through substantive analytical review procedures.
NOTE: In identifying and assessing the risk of material misstatement, the
auditor uses assertions to consider the different types of misstate-
ments and risks that may occur. Assertions for which the auditor has
identified related risks of material misstatement (significant risks) are
relevant assertions.
Planning activities are dealt with in detail in chapter 8.

2.2.3 Obtaining audit evidence through performance of audit
procedures
SOURCE REFERENCE: ISA 330 “The auditor’s response to assessed risk”
ISA 500 “Audit evidence”
Objective of the obtaining of audit evidence
The auditor should obtain appropriate and sufficient audit evidence on which
to base the audit opinion.
Methods for obtaining audit evidence
The auditor obtains audit evidence by way of:
l in some circumstances, through tests of controls only;
l in some circumstances, substantive procedures only;
l in some circumstances, through a combination of tests of controls and
substantive procedures.
The obtaining of audit evidence is dealt with in chapters 7, 11, 12, 13 and 17.

2.2.4 Evaluating, concluding and reporting


SOURCE REFERENCE: ISA 260: “Communication to Those Charged
with Governance”
ISA 330 “The Auditor’s Response to Asses-
sed risk”
ISA 560 “Subsequent Events”
ISA 570 “Going Concern”
ISA 700, 705, 706 “Forming an Opinion and Report-
ing on Financial Statements”
ISA 800, 805, 810 “Reporting on Specific Audits of
Financial Statements”
The objective of the evaluation, concluding and reporting activities
These are performed at or near the end of the audit to enable the auditor to
assess whether the financial information is consistent with his/her knowledge of
the business, audit evidence obtained, and whether the information is fairly
presented.


Procedures and considerations


L Perform an overall review of the financial information and evaluate
audit differences:
• Agree financial statements to the underlying accounting records.
• Test significant journal entries and other adjustments made during the
preparation of the financial statements.
• Perform an overall review of the financial information.
• Set final materiality.
• Evaluate the appropriateness of audit evidence obtained.
• Evaluate audit differences.
L Conclude on the fair presentation of the financial information.
L Reporting.
Completion of the audit procedures is dealt with fully in chapter 14.

3. ASSURANCE ENGAGEMENTS OTHER THAN AUDITS OR REVIEWS OF
HISTORICAL FINANCIAL INFORMATION
This section defines and describes the elements and objectives for the perform-
ing of assurance engagements by professional accountants on information other
than audits and reviews of historical financial information, as well as a brief over-
view of specific assurance engagements.

3.1 ASSURANCE ENGAGEMENT FRAMEWORK


SOURCE REFERENCE: ISAE 3000 (revised) “Assurance Engagements
other than Audits or Reviews
of Historical Financial State-
ments”
The framework defines and describes the elements and objectives of the
performing of assurance engagements by professional accountants other than
audits or reviews of historic financial statements. (NOTE: An audit is also an
assurance engagement, but is governed by the ISA statements.)
Assurance engagements, other than audits and reviews of historical financial
information, are assurance engagements on information other than historic finan-
cial information. These cover aspects such as sustainability or environmental,
social and governance reporting, integrated reporting, reporting on corporate so-
cial responsibility, greenhouse gas statements and service performance reporting
in the public sector.
These kinds of reporting are growing in frequency and importance, and they are
becoming increasingly critical to decision-making by investors and other users.
Further guidance with regard to the performance of such Extended External Reporting
(EER) Assurance Engagements is provided in the IAASB Non-Authoritative Guide
on Applying ISAE 3000 to EER


3.1.1 Definitions
l Assurance: Assurance refers to the auditor’s satisfaction as to the reliability of an
assertion made by one party for use by another party. To provide such
assurance, the auditor assesses the evidence collected as a result of
procedures conducted and expresses a conclusion. The degree of
satisfaction achieved and, therefore, the level of assurance which may
be provided, are determined by the procedures performed and their
results.

l Assurance engagement: An engagement in which a practitioner aims to obtain
sufficient appropriate evidence in order to express a conclusion designed to provide
confidence for the intended user (other than the responsible party)
about the outcome of the evaluation or measurement of the subject
matter against the stated criteria. Two types of assurance engagements
exist, namely:
l Reasonable assurance engagements:
• in which the practitioner reduces engagement risk to an
acceptable low level in the circumstances of the engagement.
This means the practitioner will identify and assess the risk of
material misstatement (and obtain an understanding of internal
control over the preparation of the subject matter information
relevant to the engagement) and design and perform proced-
ures to reduce the risk to an acceptable level to express assur-
ance (including testing the controls where deemed appropriate
as well as other procedures of detail);
• express a conclusion on the subject matter in a form that con-
veys the practitioner’s opinion on the outcome of the measure-
ment thereof against the stated criteria.
l Limited assurance engagements:
• in which the practitioner reduces engagement risk to a level
that is acceptable in the circumstances, but where the risk is
greater than where an opinion is expressed. The nature, timing
and procedures are limited (e.g. selecting fewer items for exam-
ination, or performing only analytical procedures as necessary);
• express limited assurance, in a form that is negative based on
the performance of the procedures, that no matter has come to
the practitioner’s attention that the subject matter is materially
misstated.

NOTE: An audit of historical financial information is also an assurance
engagement:
l reasonable assurance engagements are called audits; and
l limited assurance engagements are called reviews.


3.1.2 Ethical principles


Practitioners performing assurance engagements must always comply with the
following ethical principles:
l integrity;
l objectivity;
l professional competence and due care;
l confidentiality; and
l professional behaviour.
The following requirements are embedded in the above, but because of their
importance, they are listed separately:
l independence; and
l technical standards.
Practitioners should also always comply with the quality management stand-
ards when performing assurance engagements.

3.1.3 Engagement acceptance


A practitioner should accept an assurance engagement only where the prac-
titioner’s preliminary knowledge of the engagement circumstances indicates
that:
l the relevant ethical requirements, such as independence and professional
competence, will be satisfied; and
l the engagement exhibits all of the following characteristics:
• the subject matter is appropriate;
• the criteria to be used are suitable and are available to the intended
users;
• the practitioner has access to sufficient appropriate evidence to sup-
port the practitioner’s conclusion;
• the practitioner’s conclusion, in the form appropriate to either a reason-
able assurance engagement or a limited assurance engagement, is to
be contained in a written report; and
• the practitioner is satisfied that there is a rational purpose for the engage-
ment and no significant scope limitation on the auditor’s work exists.

3.1.4 Elements of an assurance engagement


An engagement will only be an assurance engagement if all the following
elements exist:
L Three-party relationship involving:
• a practitioner: the professional accountant;
• a responsible party: the person/s responsible for the subject matter
(i.e. information reported on); and
• an intended user: the persons for whom the assurance report is
intended.


l Subject matter
This is the information that will be measured against the identified criteria
and reported on, for example:
• financial information/conditions; and
• non-financial information/conditions, for example performance con-
ditions, physical characteristics, etc.
L Suitable criteria
This is the information that will be measured against the identified criteria
and reported on.
For financial statements, this will be the assertions, for example valuation,
existence of assets, etc.
For reporting on internal controls, this will be, for example, an internal
control framework or the control objectives.
For sustainability reports it might be the reporting framework, such as the
Sustainability Reporting Initiative Framework (GRI4).
L Planning the engagement and obtaining suitable appropriate
evidence
The engagement should be properly planned, set and the subject matter
information understood.
The professional accountant should obtain sufficient (quantity) and appro-
priate (quality) evidence that is relevant and reliable (source and nature)
on which to base the conclusion reached.
Materiality should be considered and set. Risks should be considered,
and for reasonable assurance engagements assessed as well. This will affect
the nature, timing and extent of the procedures to be performed.
Procedures need to be performed to obtain audit evidence. This will
depend on the nature of the engagement and the assurance to be
expressed. For reasonable or positive assurance engagements this will
consist of normal audit procedures, and for limited or negative assurance
engagements this will mainly consist of enquiries and analytical proced-
ures.
Representations should also be obtained from management that all rele-
vant information has been provided to the practitioner and confirm the
measurement and accuracy of the information reported on.
L A written assurance report
The professional accountant should issue a report on the findings on the
subject matter, for example:
• An opinion for reasonable assurance engagements: “In our opinion
all controls are effective, in all material respects.” or


• Negative assurance for limited assurance engagements: “Based on
our work described in this report, nothing has come to our attention
that causes us to believe that internal controls are not effective, in all
material respects.”

3.2 SPECIFIC ASSURANCE ENGAGEMENTS


These relate to engagements by professional accountants to provide assur-
ance on specific matters and are briefly described below.

3.2.1 The examination of prospective financial information


SOURCE REFERENCE: ISAE 3400: “The Examination of Prospective Finan-
cial Information”
“Prospective financial information” means financial information based on
assumptions about events that may occur in the future and possible actions by
an entity. It is highly subjective in nature and its preparation requires the exer-
cise of considerable judgment. Prospective financial information can be in the
form of a forecast, a projection or a combination of both, for example, a one-
year forecast plus a five-year projection.
Management is responsible for the preparation and presentation of the pro-
spective financial information, including the identification and disclosure of the
assumptions on which it is based. The auditor may be asked to examine and
report on the prospective financial information to enhance its credibility whether
it is intended for use by third parties or for internal purposes.
In an engagement to examine prospective financial information, the auditor
should obtain sufficient appropriate evidence as to whether:
(a) management’s best-estimate assumptions on which the prospective
financial information is based are not unreasonable and, in the case of
hypothetical assumptions, such assumptions are consistent with the pur-
pose of the information;
(b) the prospective financial information is properly prepared on the basis of
the assumptions;
(c) the prospective financial information is properly presented and all mater-
ial assumptions are adequately disclosed, including a clear indication as
to whether they are best-estimate assumptions or hypothetical assump-
tions; and
(d) the prospective financial information is prepared on a consistent basis
with historical financial statements, using appropriate accounting prin-
ciples.
The auditor should not accept, or should withdraw from an engagement when
the assumptions are clearly unrealistic or when the auditor believes that the
prospective financial information will be inappropriate for its intended use.


The report by an auditor on an examination of prospective financial information
should:
l identify the prospective financial information;
l contain a reference to the ISAE or relevant national standards or practices
applicable to the examination of prospective financial information;
l contain a statement that management is responsible for the prospective
financial information including the assumptions on which it is based;
l when applicable, a reference to the purpose and/or restricted distribution
of the prospective financial information;
l a statement of negative assurance as to whether the assumptions provide
a reasonable basis for the prospective financial information;
l an opinion as to whether the prospective financial information is properly
prepared on the basis of the assumptions and is presented in accordance
with the relevant financial reporting framework;
l appropriate caveats concerning the achievability of the results indicated
by the prospective financial information.

3.2.2 Assurance reports on controls at a service organisation


SOURCE REFERENCE: ISAE 3402: “Assurance Reports on Controls at a
Service Organization”
These engagements relate to work undertaken by a professional accountant in
public practice to provide assurance for use by user entities and their auditors
on the controls at a service organisation that provides a service to user entities
that is likely to be relevant for user entities’ internal control as it relates to finan-
cial reporting.
The objectives of the service auditor are to obtain reasonable assurance about
whether, in all material respects, based on suitable criteria:
l the service organisation’s description of its system fairly presents the
system as designed and implemented;
l the controls related to the control objectives stated in the service organisa-
tion’s description of its system were suitably designed throughout;
l whether the controls operated effectively to provide reasonable assurance
that the control objectives stated in the service organisation’s description
of its system were achieved throughout the specified period.
The service auditor then reports and provides assurance on:
l the description and design of controls at a service organisation (type 1
report);
l the description, design and operating effectiveness of controls at a service
organisation (type 2 report).


3.2.3 Assurance reports on greenhouse gas statements


SOURCE REFERENCE: ISAE 3410: “Assurance Engagements on Green-
house Gas Statements”
Given the focus on climate change and the link thereto of greenhouse gas
emissions, many entities are quantifying their greenhouse gas emissions for
internal management purposes, as well as preparing a greenhouse gas emis-
sion statement as part of a regulatory disclosure regime, an emissions trading
scheme; or to inform investors and others on a voluntary basis.
Voluntary disclosures may be published as a stand-alone document, included
as part of a broader sustainability report or in an entity’s annual report, or made
to support inclusion in a “carbon register”.
The objectives of the practitioner are to obtain reasonable or limited assurance,
as appropriate, about whether the greenhouse gas statement is free from material
misstatement, whether due to fraud or error, thereby enabling the practitioner
to express a conclusion conveying the level of assurance. The practitioner then
reports, in accordance with the practitioner’s findings, about whether:
l in the case of a reasonable assurance engagement, the GHG statement is
prepared, in all material respects, in accordance with the applicable crite-
ria; or
l in the case of a limited assurance engagement, anything has come to the
practitioner’s attention that causes the practitioner to believe, on the basis
of the procedures performed and evidence obtained, that the GHG state-
ment is not prepared, in all material respects, in accordance with the
applicable criteria.
3.2.4 Assurance engagements to report on the compilation of pro forma
financial information included in a prospectus
SOURCE REFERENCE: ISAE 3420 “Assurance Engagements to Report on
the Compilation of Pro Forma Financial
Information included in a prospectus”
The purpose of pro forma financial information included in a prospectus is
solely to illustrate the impact of a significant event or transaction on unadjusted
financial information of the entity as if the event had occurred or the transaction
had been undertaken at an earlier date selected for purposes of the illustration.
This is achieved by applying pro forma adjustments to the unadjusted financial
information. Pro forma financial information does not represent the entity’s
actual financial position, financial performance, or cash flows.
The practitioner’s responsibility is to report on whether the pro forma financial
information has been compiled, in all material respects, by the responsible party
on the basis of the applicable criteria. The practitioner has no responsibility to
compile the pro forma financial information for the entity; such responsibility
rests with the responsible party.


4. QUALITY MANAGEMENT
Quality management relates to the firm’s responsibilities to design, implement and
operate a system of quality management for audits or reviews of financial state-
ments, other assurance engagements, or related service engagements.
A system of quality management operates in a continual and interactive manner
and is responsive to changes in the nature and circumstances of the firm and its
engagements.
The ISQM standards for quality management require that the firm applies a risk-
based approach in designing, implementing and operating the components of a
system of quality management in an interconnected and coordinated manner, and
entail:
l establishing quality objectives (for the components of the system of quality
management);
l identifying and assessing quality risks;
l designing and implementing responses to address the quality risks.
ISQM 1 requires that, at least annually, the individual assigned ultimate responsi-
bility and accountability for the firm’s system of quality management, evaluates
the system of quality management and concludes whether the system provides
the firm with reasonable assurance that:
l the firm and its personnel fulfill their duties in accordance with the profes-
sional standards and applicable legal and regulatory requirements; and
l that the engagement reports issued are appropriate.

L Scope of quality management standards


ISQM 1
ISQM 1 deals with the firm’s responsibilities to design, implement and operate a
system of quality management for audits or reviews of financial statements, other
assurance engagements and related services.
The components of the firm’s system of quality management consist of:
l the firm’s risk assessment process;
l governance and leadership;
l relevant ethical requirements;
l acceptance and continuance of client relationships and engagements;
l engagement performance;
l resources;
l information and communication;
l monitoring and remediation process.
ISQM 2
ISQM 2 deals with the appointment and eligibility of an engagement quality
reviewer, and the responsibilities of such engagement quality reviewer.


ISA 220
ISA 220 sets the responsibility of the auditor regarding quality management at the
engagement level.
The components of the quality management at the engagement level consist of:
l leadership responsibilities for managing and achieving quality on audits;
l ethical requirements, including those related to independence;
l acceptance and continuance of client relationships and engagements;
l engagement resources;
l engagement performance;
l monitoring and remediation process;
l overall responsibility for managing and achieving quality;
l documentation.

L Documentation
The firm shall prepare documentation of its system of quality management that is
sufficient to support:
l a consistent understanding thereof by its personnel, including their roles and
responsibilities with respect to quality management; and
l provide evidence of the design, implementation and operation of responses
of the system of quality management.
L Deficiency in the firm’s system of quality management:
This exists when:
l a quality objective for the components of quality management is not estab-
lished; or
l a quality risk, or combination of quality risks, is not identified or properly
assessed; or
l a response, or combination of responses, does not reduce to an acceptable
low level the likelihood of a quality risk occurring; or
l another component of the quality management system is absent, or not
properly designed, implemented or operating effectively.
L Definitions relating to quality management
Engagement partner: The partner or other person in the firm who is respon-
sible for the engagement and its engagement perform-
ance and the report issued.
Engagement quality review: The process designed to provide an objective evaluation,
before the report is issued, of the significant judgements made and the
conclusions reached by the engagement team in formulating the report.
Engagement quality reviewer: A partner or other individual in the firm, or an external
individual appointed by the firm to perform the engagement quality review on
completed files for all listed entities as required by ISQM para 34 (n).
Engagement team: All partners and staff performing the engagement, and
any individuals engaged by the firm or network firm
who perform procedures on the engagement.
Personnel: Partners and staff.
Quality objectives: The desired outcomes in relation to the components of
the quality management system.
Quality risk: A risk that the quality objectives are not met.
System of quality management: A system designed, implemented and operated by a
firm to provide reasonable assurance that:
l the firm and its personnel fulfill their duties in
accordance with the professional standards and
applicable legal and regulatory requirements, and
conduct engagements in accordance with such
standards and requirements; and
l that the engagement reports issued by the firm or
engagement partners are appropriate in the cir-
cumstances.

4.1 QUALITY MANAGEMENT AT FIRM LEVEL


SOURCE REFERENCE: ISQM 1 “Quality Management for Firms that Per-
form Audits or Reviews of Financial State-
ments or Other Assurance and Related
Service Engagements”
L Purpose of a system of quality management
The firm shall design, implement, and operate a system of quality man-
agement. In doing so, the firm shall exercise professional judgement, tak-
ing into account the nature and circumstances of the firm and its engage-
ments.
The governance and leadership component of the quality management
system establishes the environment that supports the design, implementa-
tion and operation of the system of quality management.
L Responsibilities
The firm shall assign:
l ultimate responsibility and accountability for the system of quality man-
agement to the chief executive officer of the firm (or management part-
ner), or, if appropriate, the firm’s management board of partners;
l operational responsibility for the system to an appropriate individual or
team (e.g. audit quality oversight leader and/or team);


l operational responsibility for specific aspects of the system, to an
appropriate individual or team;
l compliance with the independence requirements (independence over-
sight leader);
l the monitoring and remediation system (e.g. Root Cause analysis leader).
The above persons shall have the necessary experience, knowledge,
influence and authority within the firm, as well as sufficient time to perform
their responsibilities with vigor and due care.

L Components of a firm’s system of quality management
The following are the components of the firm’s quality management system.
For each of the components, the firm shall develop control objectives as
well as appropriate responses reflective of the firm’s circumstances to
ensure the quality management objectives are met. For each of the com-
ponents of the system of quality management, the objectives are stated as
well as examples of responses that firms can implement to meet their qual-
ity controls objectives.
1. The firm’s risk assessment process
Objectives
Audit firms should establish a system through which quality is managed
for each of the components of the system of quality management, and
entails that the firm shall design and implement a risk assessment process
through policies and procedures to:
l establish quality objectives (for each of the components of the sys-
tem);
l identify and assess quality risk (ROOT cause analysis); and
l design and implement responses to address the quality risk (correct-
ive and remedial actions).
Example of responses
l Ethics: Policies and procedures should be established for identifying
and assessing ethical breaches.
l Independence: The firm should obtain at least annually documented
independence confirmations for all personnel.
l Professional standards: Policies and procedures should be established
for receiving, investigating and resolving complaints and allegations
about failures to perform work in accordance with professional stand-
ards and applicable laws and regulations.
l Client relationships: The firm establishes policies and procedures to
evaluate clients’ relationships of an unfavourable nature after accept-
ance of the engagement that would have caused the firm to decline
the engagement if it was known at the time.


l Ethics communication to clients: The firm establishes policies and pro-
cedures to communicate relevant matters of audit quality to those
charged with governance at clients.
l Engagement quality reviews: The firm should establish policies and
procedures for the appointment of an engagement quality reviewer
where required (for all listed entities or as required by law (para 34 (f))).
2. Governance and leadership
Objectives
The firm shall establish the following quality objectives:
l a culture of commitment to audit quality, ethics and serving the public
interest by all its personnel during all engagements and decision-
making;
l leadership responsibility and accountability for quality;
l setting the tone at the top by the firm’s leadership demonstrating a
commitment to quality through their actions and behaviours;
l establishing and maintaining an organisational structure and assign-
ment of roles, responsibilities and authority for the design, implemen-
tation and operation of the quality management system.
Example of responses
l Commitment to quality: Through setting a culture of ethical and
professional behaviour by all the personnel of the firm.
l Leadership and performance evaluations: The firm’s policies and prac-
tices addressing performance evaluation, compensation and promo-
tion (including incentive systems) for its personnel are designed to
demonstrate the firm’s overriding commitment to quality.
l Organisational structure: The firm is organised and structured in such a
way as to support audit quality.
l Resources: The firm devotes sufficient resources for the development,
documentation and support of its quality management activities, and
the individual responsible for quality management is able to influence
the nature and extent of resources.
3. Ethical requirements
Objectives
The firm shall establish the following quality objectives to ensure all its
personnel comply with the relevant ethical requirements, including those
related to independence:
l The firm and its personnel understand and fulfil their responsibilities
regarding the ethical requirements.
l Others, including network firms, individuals in network firms or service
providers understand and fulfil their responsibilities regarding the
ethical requirements that the firm and its engagements are subject to.

Example of responses
l Communicate the independence requirements to all of its personnel
and others subjected thereto.
l Engagement partner(s) are to provide the firm with information about
client engagements to enable the firm to evaluate independence
requirements.
l Personnel and engagement teams should communicate relevant infor-
mation to the firm without fear of reprisal, such as situations that may
create threats to independence, or breaches of relevant ethical require-
ments.
l Assigning individuals to manage and monitor compliance with
independence and ethical requirements.
l Personnel should, at least annually, provide written confirmation to the
firm of compliance with its policies and procedures concerning inde-
pendence (independence declarations).
l Use of IT applications to monitor compliance with relevant ethical and
independence requirements.
l The engagement partner and review partner of listed entities (and other
significant/public sector entities) should rotate after a specific period of
time (IFAC Code period is seven years).
4. Acceptance and continuance of client relationships and engage-
ments
Objectives
The firm shall establish the following quality objectives for the acceptance
and continuance of client relationships:
Judgements by the firm about whether to accept or continue a client rela-
tionship are appropriately based on:
l sufficient and appropriate information obtained about the nature and
circumstances of the engagement and the integrity and ethical values
of the client, including its management and those charged with gov-
ernance;
l the ability of the firm to perform the engagement in accordance with
the professional standards and applicable legal and regulatory
requirements.
Example of responses
l Communicate with existing or previous providers of professional
accounting services.
l Make enquiries from firm personnel or third parties, such as bankers,
legal advisers, etc.
l Do background searches.
l Document all relevant facts, considerations and actions.
l Information to be obtained about the client, nature of the
engagement and ethical values
• the nature of the entity, including complexity of its ownership and
management structure;
• nature of the client’s operation and its business practices;
• information on the attitude of the client’s business owners, key
management and those charged with governance towards
aspects such as aggressive interpretation of accounting
standards and the internal controls environment;
• whether the client is aggressively concerned with keeping the audit
firm’s fees as low as possible;
• indication of clients limiting the scope of audit work;
• indications that the client might be involved in money laundering or
other illegal activities;
• the reasons for the proposed appointment of the firm and non-
reappointment of the previous firm;
• identity and reputation of related parties.
l Information to be obtained about the firm and its ability to perform
the engagement in a professional manner
• the circumstances of the engagement and reporting deadlines;
• availability of personnel with the relevant experience, expertise
and time to perform and oversee the engagement;
• availability of experts;
• if required, the availability of an engagement quality reviewer;
• the need for technological resources, IT application software and
staff;
• intellectual resources such as methodologies, industry guides,
and access to information sources.
l Information about the audit firm’s financial and operational prior-
ities
• profitability of the engagement and whether the proposed audit
fee is sufficient to perform a quality audit;
• ability and willingness of the client to pay the audit fee.
5. Engagement performance
Objectives
The firm shall establish the following quality objectives that address the
performance of quality engagements:
l engagement teams understand and fulfil their responsibility to ensure
audit quality is achieved throughout the audit;
l the engagement partner oversees the audit in such a manner to ensure
audit quality is maintained at all times;
l there is appropriate direction, supervision and review of the work of
engagement team members;
l engagement teams exercise appropriate professional judgement and,
when applicable, exercise the appropriate professional scepticism on
the audit;
l consultation on difficult and contentious issues is undertaken and the
conclusions agreed are implemented;
l differences of opinion within the engagement team, or between the
team and engagement quality reviewer, are brought to the attention of
the firm and resolved;
l engagement documentation is assembled timely and appropriately
maintained and retained.
Example of responses
l Direction, supervision, review
The engagement shall be performed in accordance with professional
standards and according to regulatory and legal requirements.
The firm should provide consistency in the quality of engagement perform-
ance through the following:
l Direction (guidance) on performing audits through:
• firm manuals, software tools and standardised documentation;
• industry- and subject-matter-specific guidance material.
l Supervision of work includes:
• tracking the progress of the engagement;
• considering the competence, skills and work of individual mem-
bers;
• significant findings and issues; and
• identifying matters for consideration or consultation by more
experienced members of the engagement team.
l Review:
More experienced engagement team members should review the work
and findings of less experienced staff members.
l Consultation
The firm shall establish policies and procedures designed to provide
reasonable assurance that:
• appropriate consultation takes place on difficult or contentious
matters;
• sufficient resources are available to enable appropriate consul-
tation;
• all consultations and conclusions therefrom are documented; and
• conclusions resulting from consultations are implemented.
l Differences of opinion
Policies and procedures should exist to resolve differences between
engagement team members, between those consulted and, where
appropriate, between the engagement partner and the engagement
quality reviewer.
l Professional judgement and professional scepticism
Engagement team members should exercise appropriate professional
judgement and, when applicable, exercise the necessary and
appropriate professional scepticism on the audit.
6. Resources
The firm shall establish the following quality objectives that address
appropriately obtaining, developing, using, maintaining, allowing and
assigning resources in a timely manner to the design, implementation and
maintenance of the system of quality management.
Objectives
Human resources:
l Personnel are hired, developed and retained and have competence
and capabilities to consistently perform quality engagements.
l Personnel demonstrate commitment to quality throughout their actions
and behaviours.
l Staff assigned to audits have the appropriate competencies, capabil-
ities and time to perform quality work.
Technological resources:
Appropriate technological resources are developed and maintained by the
firm to support quality work.
Intellectual resources:
Appropriate intellectual resources are obtained and developed to support
quality work.
Service providers:
Human, technological and intellectual resources for service providers are
adequate to support quality.
Example of responses
Capabilities and competence should be developed through a variety of
methods, including professional education, continuous professional devel-
opment, training, work experience, and mentoring by more experienced
staff of others on the engagement team.
Performance evaluation, compensation and promotion of personnel should
give recognition to development, competence and commitment to ethical
principles.
Personnel should be aware of the assessment criteria, and counseling
should be provided on performance, progress and career development.

Staff assigned to the audit, being the engagement partner and personnel,
should have the capabilities, competence and time to perform a quality
audit.
Systems should exist to monitor the workload and availability of engage-
ment partners to ensure they have sufficient time to discharge their
responsibilities.
Only staff with the necessary experience and expertise required for the
specific assignment should be assigned to the audit. This should be done
annually by a responsible person or committee for the firm, and approved
by the engagement partner.
7. Information and communication
The firm shall establish quality objectives for obtaining, generating and
using information regarding the system of quality management, and the
communication thereof to the firm and external parties in a timely manner.
Objectives
The firm shall establish the following quality objectives:
l the information system should identify, capture, process and maintain
relevant and reliable information that supports the system of quality
management;
l the firm’s culture reinforces the responsibility of personnel to exchange
information with the firm;
l relevant and reliable information is communicated to the engagement
team members and others to understand and carry out their quality
responsibilities effectively.
8. Monitoring and remediation
The firm shall establish a monitoring and remediation process to provide
reliable, relevant and timely information on aspects of quality, and have
processes in place to ensure identified deficiencies are remediated in a
timely manner.
Objectives
Designing and performing monitoring activities for ongoing and completed
engagements.
Example of responses
l Consultation: Design policies and procedures for consultation during
audits by the engagement team on contentious matters of profes-
sional, ethical and technical nature.
l Reviews: Establish policies and procedures for reviews during audits
before the issuing of an audit report, by professional teams within the
audit firm (sometimes referred to as in-flight-reviews).

Monitoring of:
l Quality reviews of completed engagements: This consists of the
monitoring of completed engagements on a cyclical basis, according to the
firm’s policies to ensure all engagement partners’ files are reviewed on
an ongoing cyclical basis to ensure audit quality is maintained on
audits (audit quality reviews).
l Engagement quality reviews of completed engagements according to
ISQM 2 for all listed entities or other entities as required by law (the
Code of Conduct refers to public interest entities).
l Establish policies and procedures and a formal process whereby qual-
ity aspects identified during audits are reported, assessed and
responded to by an appropriate function or team of dedicated profes-
sionals (professional and technical development updates).

4.2 ENGAGEMENT QUALITY REVIEWS


SOURCE REFERENCE: ISQM 2 “Engagement quality reviews”
An engagement quality review is an objective evaluation of the significant
judgements made by the engagement team and the conclusions reached
thereon. The engagement quality reviewer will evaluate significant judgements
made by the audit team in the context of professional standards and applicable
legal and regulatory requirements, but the review is not intended to be an
evaluation of whether the entire engagement complies with professional
standards, laws and regulations and the firm’s policies and procedures.
The engagement quality reviewer is not a member of the engagement team,
and the performance of such a review does not change the responsibilities of
the engagement partners for direction, supervision and review of the
engagement and ensuring the overall quality of the audit.
The engagement quality reviewer is not required to obtain evidence to support
the opinion or conclusion on the engagement, but the engagement team may
obtain further evidence in responding to matters raised by the reviewer.
The engagement quality reviewer can be a partner or other individual in the
firm, or an external individual, appointed by the firm to perform the engage-
ment quality review.

Objective
The objective of the engagement quality reviewer is to perform an objective
evaluation of the significant judgements made by the engagement team and
the conclusions reached thereon.

Requirement for an engagement quality review


ISQM 1 requires engagement quality reviews to be performed for all listed
entities, entities for which this is required by law (e.g. public sector audits,
pension funds, etc.), or entities for which it is required by the firm’s own
policies of Quality Management (para 34 (f); A133–A137).

Responsibilities
L Audit firm responsibility for engagement quality reviews
The audit firm is responsible for establishing policies and procedures for:
l assigning responsibility for the appointment of engagement quality
reviewers to an individual/s within the firm with the competence, capabil-
ities and authority to do so responsibly;
l establishing the criteria for eligibility to be appointed as engagement
quality reviewer;
l addressing the engagement quality reviewer’s responsibility for the per-
formance of the engagement and overseeing the work of others that
assist in the review.
L Responsibility of engagement quality reviewer
Independence: The engagement quality reviewer’s objectivity shall at all times
be maintained, for example:
l self-review threats created where the reviewer was previously involved in
areas of significant judgement made by the engagement team;
l familiarity threat, where the reviewer is a close family member of the
engagement team;
l intimidation threat where pressure is put on the reviewer by an aggressive
or dominant engagement partner.
NOTE: The firm shall also have a policy for determining a cool-off period for
individuals to act as engagement reviewer (e.g. where they have been
involved in the audit, or acted as reviewer before).

Documentation
The engagement reviewer shall maintain adequate and sufficient documen-
tation of the considerations and procedures performed during the review.
Procedures
The procedures performed by the engagement quality reviewer shall include:
l reading and obtaining an understanding of information involving areas of
significant judgement, as well as other information of relevance communi-
cated to the reviewer by the engagement team and the firm;
l discussing with the engagement partner and, if applicable, other members
of the engagement team, significant matters and significant judgements
made during the planning, performing and reporting on the engagement
(basis for judgements, documentation thereon, and conclusions);
l evaluating the engagement partner’s adherence to the ethical
requirements relating to independence on the audit;
l evaluating whether appropriate consultation has taken place on contentious
matters and those involving differences of opinion, as well as the
conclusions reached from consultations;
l determining whether the engagement partner has been sufficiently and
adequately involved throughout the audit, to support the judgements and
conclusions reached on contentious and significant matters.

4.3 QUALITY MANAGEMENT AT AUDIT LEVEL


SOURCE REFERENCE: ISA 220 “Quality Management for an Audit of Finan-
cial Statements”

L Objective
The objective of the engagement partner is to manage the audit to ensure, with
reasonable assurance, that quality has been achieved on the audit at all times,
and that all professional standards and applicable legislation and regulatory
requirements have been complied with resulting in the issuing of an auditor’s
report that is appropriate in the circumstances.

L Responsibility for quality management at audit engagement level


The engagement team, led by the engagement partner, is responsible, within
the context of the firm’s system of quality management, for:
l implementing the firm’s responses to quality risk;
l given the nature and circumstances of the audit engagement, determining
whether to design and implement responses at the engagement level,
beyond those of the firm’s policies and procedures; and
l communicating to the firm the information of the audit engagement as
required by the firm’s policies and procedures.
The engagement team is required to plan and perform the audit with pro-
fessional scepticism and exercise professional judgement.
The engagement partner is ultimately responsible and accountable for quality
at the engagement level.
The following are examples of quality management policies and procedures to
be applied on audit engagements for the elements of a firm’s quality
management for individual audits. (Note that the statement provides extensive
guidance and practices for these objectives to be met.)
1. Leadership responsibilities for managing and achieving quality on
audits
Objectives
The engagement partner shall take overall responsibility for managing and
achieving quality on the audit engagement, including taking responsibility for
creating an environment that emphasises the firm’s culture and expected
behaviour of engagement team members, emphasising:
l that all team members are responsible for contributing to quality at the
engagement level;
l the importance of professional ethics, values and attributes;
l the importance of open and robust communication within the engagement
team, and supporting engagement team members to raise concerns
without fear of reprisal;
l the importance for each engagement team member to exercise
professional scepticism throughout the audit.
Example of responses
The engagement partner shall, for example:
l emphasise the need for professional scepticism by alerting the engage-
ment team to circumstances where auditor bias is greater, assigning more
experienced members to the team where necessary, to deal with man-
agement, and where specialised skills are required;
l be involved and oversee the assigning of tasks to engagement team
members, and the review of their work.
2. Ethical requirements, including those relating to independence
Objectives
The engagement partner shall have an understanding of the relevant ethical
requirements, including those of independence, that are applicable given the
nature and circumstances of the audit.
The engagement partner shall take responsibility for ensuring the engagement
team members:
l identify, evaluate and address threats to compliance with the ethical
requirements, including independence;
l address circumstances that may cause a breach of the ethical require-
ments;
l understand what their responsibilities are when they become aware of
non-compliance with laws and regulations by the entity.
Example of responses
The engagement partner shall:
l enquire as to, and observe compliance with, the ethical requirements of
the engagement team during the audit;
l identify and consider taking action to eliminate threats to independence
concerning the audit engagement; and
l form a conclusion on compliance with the independence requirements for
the audit and compliance with the ethical requirements, before signing the
audit report (audit report includes a statement on the auditor’s inde-
pendence).
3. Acceptance and continuance of client relationships and audit engage-
ments
Objectives
The engagement partner shall determine that the firm’s policies and
procedures regarding the acceptance and continuance of client relationships and
specific audit engagements have been followed and that conclusions reached
in this regard are appropriate and have been documented.

Responses
Acceptance and continuance of client relationships and specific audit engage-
ments include considering:
l the integrity of the principal owners, key management and those charged
with governance of the entity;
l whether the engagement team is competent to perform the audit engage-
ment and has the necessary time and resources; and
l whether the firm and the engagement team can comply with the ethical
requirements.
When deciding whether to continue with an audit relationship, the auditor
should consider significant matters that have arisen during the current or pre-
vious audits, for example an expansion of the client’s business operations into
an area where the firm does not possess the necessary knowledge or exper-
tise.
4. Engagement resources (assignment of the engagement team (human
resources))
Objectives
The engagement partner shall determine that sufficient and appropriate
resources to perform the engagement are assigned or made available to the
engagement team in a timely manner, taking into account the nature and cir-
cumstances of the audit engagement.
The engagement partner shall determine that the engagement team, and any
auditor’s experts, internal auditors and others who provide direct assistance to
the audit team are competent, capable and have the time to perform the
engagement.
Responses
The engagement team as a whole should have the human, technological, and
intellectual resources needed for the audit engagement:
l human resources include the engagement team members, and, where
applicable, auditor’s experts and internal auditors who provide direct
assistance on the audit;
l technological resources include using technology throughout the audit to
perform the engagement, document procedures and findings and com-
municate;
l intellectual resources include audit methodologies, implementation tools,
auditing guides, model programs, templates, checklists, etc.

5. Engagement performance
Objective and response 1: Direction, supervision and review
The engagement partner shall take responsibility for the direction, supervision
and review of the work of the engagement team members.
Direction
The engagement partner directs the audit engagement by informing the mem-
bers of the engagement team of:
l their responsibilities;
l the nature of the entity’s business;
l risk-related issues;
l problems that may arise; and
l the detailed approach to the performance of the engagement.
Supervision
Supervision by the engagement partner and responsible member of the engage-
ment team includes the following:
l tracking the progress of the audit engagement;
l considering the capabilities and competence of individual members of the
engagement team, whether they have sufficient time to carry out their
work, whether they understand their instructions, and whether the work is
being carried out in accordance with the planned approach to the audit
engagement;
l addressing significant issues arising during the audit engagement, con-
sidering their significance and modifying the planned approach appro-
priately; and
l identifying matters for consultation or consideration by more experienced
engagement team members during the audit engagement.
Review
Review responsibilities are determined on the basis that more experienced
team members, including the engagement partner, review work performed by
less experienced team members. Reviewers should consider whether:
l the work has been performed in accordance with professional standards
and regulatory and legal requirements;
l significant matters have been raised for further consideration;
l appropriate consultations have taken place and the resulting conclusions
have been documented and implemented;
l there is a need to revise the nature, timing and extent of work performed;
l the work performed supports the conclusions reached and is appropri-
ately documented;
l the evidence obtained is sufficient and appropriate to support the auditor’s
report;
l the objectives of the engagement procedures have been achieved; and
l where a member of the engagement team with expertise in a specialised
field of accounting or auditing is used, the nature, scope and objectives of
the member’s work should be agreed upon and evaluated to assess the
adequacy and relevance thereof.
Objective and response 2: Consultation
The engagement partner shall ensure that there is appropriate consultation
between the engagement team and others at appropriate levels within the firm
on difficult or contentious matters and that the conclusions
resulting from the consultation process are implemented.
Consultation should occur:
l within the engagement team; and
l with other professionals within the firm (technical partner) or outside the
firm
and should be documented and implemented.
Objective and response 3: Engagement quality review
The engagement partner shall for all engagements requiring an engagement
quality review (listed entities and others as required by law – ISQM 1,
para 34(f)), ensure that such reviewer is appointed, and cooperate with the
reviewer, discuss significant matters and judgements on the audit with the
reviewer, and not issue the auditor’s report until completion of the engagement
quality control review.
Objective 4: Difference of opinion
The engagement partner should ensure that all differences of opinion between
engagement team members, and the engagement team and the quality
reviewer, are brought to his/her attention and are resolved.
6. Monitoring and remediation
Objective and response
The engagement partner shall take responsibility for obtaining an understanding
of the firm’s monitoring and remediation process, determining the effect
thereof on the audit, and remaining alert throughout the audit for information that
may be relevant thereto.
7. Documentation
Objective and response
The engagement partner shall include in the audit documentation:
l matters identified, relevant discussions with personnel, and conclusions
with respect to fulfilling the stated ethical requirements, including inde-
pendence;
l the nature, scope and conclusions on consultations undertaken during the
audit; and
l where applicable, that a quality review has been undertaken and
completed before issuing the audit report.

5. KEY ELEMENTS THAT CREATE AN ENVIRONMENT FOR AUDIT QUALITY


SOURCE REFERENCE: “A Framework for Audit Quality: Key Elements that
Create an Environment for Audit Quality”
The framework deals with the key elements for a quality audit engagement
team and the staffing requirements thereof. In essence, performing a quality
audit will require:
l ensuring adherence to appropriate values, ethics, and attitudes of all staff
involved in the audit process;
l that staff who are sufficiently knowledgeable, skilled, and experienced are
allocated to the audit;
l that sufficient time is spent on performing audits;
l that rigorous audit processes and quality control procedures are applied
that comply with laws, standards and regulations;
l that useful and timely reports are provided to those charged with govern-
ance on the audit findings;
l that appropriate reporting and communications are provided to relevant
stakeholders.

6
RESPONSIBILITY IN RESPECT OF FRAUD
AND ERRORS, COMMUNICATION, AUDITOR’S
LIABILITY AND THE CONSIDERATION OF LAWS
AND REGULATIONS

1. Introduction
2. Fraud and errors
   2.1 Responsibility for the prevention and detection of fraud
   2.2 Aspects of audit importance
   2.3 Professional scepticism
   2.4 Documentation
   2.5 Management representations
   2.6 Procedures if potential fraud and errors are detected
   2.7 Communication
   2.8 Auditor unable to complete the engagement
   2.9 Examples of conditions or events that may increase the risk of fraud or errors
   2.10 Reportable irregularities
3. Auditor’s liability
   3.1 Auditor’s negligence
   3.2 Steps which accountants may take in order to assist them to manage their liability to clients or third parties
   3.3 Case studies
4. Consideration of laws and regulations in an audit of financial statements
   4.1 Responsibility for compliance with laws and regulations
   4.2 Aspects of audit importance
5. Responsibilities of the auditor when non-compliance or suspected non-compliance with laws and regulations is encountered
6. Communication to those charged with governance
   6.1 The role of communication
   6.2 Matters to be communicated
   6.3 The communication process
7. Combating money laundering and financing of terrorism
   7.1 Introduction
   7.2 The meaning of money laundering and financing of terrorism
   7.3 The applicable legislation
   7.4 Responsibilities of registered auditors in combating money laundering when conducting an audit

CHAPTER 6: Responsibility in respect of fraud and errors, communication, auditor’s liability and laws

1. INTRODUCTION
The occurrence of fraud and errors, as well as non-compliance with laws and regulations, are unfortunately realities in the business world today. Knowledge of this subject is therefore essential to both the chartered accountant and the registered auditor. Section 45 of the Auditing Profession Act 26 of 2005 also requires the registered auditor to report any irregularities to the Independent Regulatory Board for Auditors (IRBA).

2. FRAUD AND ERRORS


SOURCE REFERENCE: ISA 240 “The Auditor’s Responsibility Relating to Fraud in an Audit of Financial Statements”
When planning and performing audit procedures, the auditor should identify and assess the risk of material misstatements in the financial statements resulting from fraud. The auditor must also, through designing and implementing appropriate procedures in relation to identified or suspected fraud, obtain sufficient appropriate audit evidence about the identified risks that may cause material errors due to fraud.
Misstatements in the financial statements can arise from either fraud or error.
Fraud: An intentional act by one or more members of management, those charged with governance, employees or third parties, for example:
● use of deception to obtain an unjust or illegal advantage;
● intentional fraudulent financial reporting to deceive users;
● misstatements resulting from misappropriation of an entity’s assets; and
● deliberate overriding of internal controls by management.
Error: Unintentional errors in the financial statements, for example:
● mathematical/clerical errors;
● oversight/misinterpretation of facts;
● misapplication of accounting principles relating to measurement, recognition, classification, presentation or disclosure; and
● an incorrect accounting estimate.
The difference between fraud and error depends on whether the misstatement was made intentionally or not.


Two types of intentional misstatements are relevant to the auditor:
● misstatements resulting from fraudulent financial reporting; and
● misstatements resulting from the misappropriation of assets.

2.1 RESPONSIBILITY FOR THE PREVENTION AND DETECTION OF FRAUD


Management and those charged with governance
Management and those charged with the governance of an entity are responsible for the prevention and the detection of fraud and errors by implementing and maintaining an efficient system of accounting and internal controls.
Such systems do not eliminate but reduce the possibility of fraud and errors.
It is the responsibility of management and those charged with the governance of an entity to place strong emphasis on fraud prevention and fraud deterrence. This involves a commitment to creating a culture of honesty and ethical behaviour, which can be enforced by active oversight by management. Management must also consider the potential to override controls and other inappropriate influences over the financial reporting process. Audit committees can assist management in achieving these objectives.
Responsibilities of the auditor
An auditor is responsible for obtaining reasonable assurance that the financial statements taken as a whole are free from material misstatements, whether due to fraud or error.

2.2 ASPECTS OF AUDIT IMPORTANCE


Discussion among the engagement team
ISA 315 requires a discussion among the engagement team on how and where the entity’s financial statements might be susceptible to material misstatements due to fraud, including how fraud might occur.
Risk assessment procedures
When performing risk assessment procedures in order to obtain information about the entity and its environment, including the entity’s internal control, the auditor shall make inquiries of management regarding:
• management’s assessment of the risk that the financial statements may be misstated due to fraud;
• management’s process for identifying and responding to risk of fraud in the entity;
• management’s communication to those charged with governance regarding the processes for identifying and responding to the risk of fraud in the entity;
• management’s communication to employees regarding its views on business practices and ethical behaviour; and
• any knowledge of actual, suspected or alleged fraud affecting the entity.
The auditor should also inquire of the internal auditors whether they have knowledge of any actual, suspected or alleged fraud.
The auditor should also:
• obtain an understanding of how those charged with governance exercise oversight over management’s processes for identifying and responding to fraud risks;
• inquire of those charged with governance whether they have knowledge of any actual, suspected or alleged fraud affecting the entity;
• evaluate whether unusual or unexpected relationships that have been identified in performing analytical procedures may indicate risks of material misstatements due to fraud;
• evaluate whether other information obtained by the auditors indicates risks of material misstatements due to fraud; and
• evaluate whether information obtained from risk assessment procedures indicates that one or more risk factors are present.
Identification and assessment of the risk of material misstatements due to fraud
ISA 315 requires the auditor to identify and assess the risk of material misstatements at the overall financial statement level and at the assertion level.
As part of this process, the auditor shall, based on the presumption that there are risks of fraud in revenue recognition, evaluate which types of revenue, revenue transactions and assertions give rise to such risks.
All risks of material misstatements due to fraud should be treated as significant risks and the auditor should therefore obtain an understanding of the entity’s related controls, including control activities, relevant to such risks.


Responses to the assessed risks of material misstatements due to fraud
In determining overall responses, the auditor shall:
• assign more experienced people to the audit team;
• evaluate whether the selection and application of accounting policies may be indicative of fraudulent financial reporting resulting from management’s efforts to manage earnings; and
• incorporate an element of unpredictability in the selection of the nature, timing and extent of audit procedures to be performed.
The auditor shall also design and perform further audit procedures whose nature, timing and extent are responsive to the assessed risks of material misstatements at the assertion level.
The auditor should perform specific procedures regarding the risks related to management’s override of controls. This will include:
• testing the appropriateness of journal entries recorded in the general ledger and other adjustments made in the preparation of the financial statements;
• reviewing accounting estimates for biases; and
• considering the business rationale for transactions which are outside the normal course of business for the entity.
Evaluation of audit evidence
The auditor should consider whether analytical procedures performed towards the end of the audit indicate a possible previously unrecognised risk of material misstatements due to fraud.
If the auditor identifies a misstatement, the auditor should evaluate whether such a misstatement is indicative of fraud.
If there is such an indication, the auditor shall evaluate the implications of the misstatements in relation to other aspects of the audit, particularly the reliability of management representations. It should be kept in mind that instances of fraud are unlikely to be an isolated event.
Any misstatement, whether material or not, where the auditor has reason to believe that it may be the result of fraud and that management may be involved, should result in the re-evaluation of the risk of material misstatements due to fraud, and the response to the risk regarding the nature, extent and timing of procedures to be performed.

2.3 PROFESSIONAL SCEPTICISM


Professional scepticism is an attitude that includes a questioning mind and a critical assessment of audit evidence.
The auditor plans and performs an audit with an attitude of professional scepticism so as to identify and properly evaluate the following:
● factors which increase the inherent and/or control risk of material misstatements;
● circumstances which make the auditor suspect that the financial statements are materially misstated; and
● conditions observed or evidence obtained which bring the reliability of management representations into question.

2.4 DOCUMENTATION
Significant decisions reached during discussions among members of the engagement team regarding fraud should be documented.
The auditor should document fraud risk factors identified as being present as a result of the auditor’s assessment process and document the auditor’s response to any such factors. If during the performance of the audit, fraud risk factors are identified that cause the auditor to believe that additional substantive procedures are necessary, he/she should document the presence of such risk factors and his/her response to them, including audit procedures designed to address the risk of management’s override of controls.

2.5 MANAGEMENT REPRESENTATIONS


The auditor should obtain written representations that management:
● has disclosed to the auditor all facts relating to any fraud or possible fraud known to management that may have affected the entity; and
● believes the effects of those uncorrected financial statement misstatements aggregated by the auditor during the audit are immaterial, both individually and in the aggregate, to the financial statements taken as a whole. A summary of such items should be included in or attached to the written representations.

2.6 PROCEDURES IF POTENTIAL FRAUD AND ERRORS ARE DETECTED


The auditor should take the following actions and perform the following procedures when the audit procedures indicate the possible existence of fraud and errors.
● Consider the effect of the fraud or error on the financial statements.
● If the effect is material, additional/amended procedures need to be performed to obtain more evidence of the fraud/error.
The procedures will depend on:
• the type of fraud or error indicated;
• the likelihood of occurrence; and
• the materiality thereof on the financial statements.
Unless the circumstances prove otherwise, the auditor cannot assume that the fraud or error is an isolated event.
● Adjust the nature, extent and timing of the substantive procedures accordingly.
● If the adjusted procedures indicate the existence of fraud or errors, the auditor should:
• discuss the matter with management or preferably the audit committee;
• consider whether the matter is properly disclosed in the financial statements; and
• consider the effect on the audit report.
● Consider the effect of the fraud and errors on:
• other aspects of the audit; and
• the reliability of management’s representations.

2.7 COMMUNICATION
Management and those charged with governance
The auditor should, as soon as is practically possible, report his/her findings to management and consider the need to report such matters to those charged with governance when:
• the existence of fraud is suspected, even if the effect on the statements is not material; and
• fraud and material misstatements are detected.
The auditor should also inform those charged with governance of those uncorrected misstatements aggregated by the auditor during the audit that were determined by management to be immaterial to the financial statements taken as a whole. Matters to be considered for communication to those charged with governance may include:
• questions regarding management competence and integrity;
• fraud involving management;
• other fraud that results in a material misstatement of the financial statements;
• material misstatements arising from error;
• misstatements that indicate significant weaknesses in internal control, including the design or operation of the entity’s financial reporting process;
• misstatements that may cause future financial statements to be materially misstated; and
• creative accounting issues.
Reporting in respect of fraud would entail:
• the reporting thereof to a higher level of authority than the person involved;
• if senior management is involved:
– report it to a higher level of authority, for example the audit committee or other non-executive directors; and
– if there is no higher level of authority, if the report is being ignored or if the auditor is not sure to whom to report the matter, legal advice needs to be obtained.
Users of financial statements
The auditor must consider the impact of the fraud and errors on his/her audit report, and if it is not sufficiently reflected or disclosed in the financial statements, the auditor should qualify the audit report accordingly.
Regulatory and enforcement authorities
• Reporting to third parties is not allowed. It is prohibited by the auditor’s ethical and legal responsibilities of confidentiality. However, in certain circumstances, the duty of confidentiality may be overridden by statute, the law or courts of law, and the auditor may have a statutory duty to report fraud and material error to the supervisory authorities.
• If reporting is considered, the auditor should first obtain legal advice.
• If the action can be considered to be a reportable irregularity, the auditor must report it to the IRBA in terms of section 45(1) of the Auditing Profession Act 26 of 2005.

2.8 AUDITOR UNABLE TO COMPLETE THE ENGAGEMENT


If the auditor concludes that it is not possible to continue performing the audit and that it is necessary to withdraw from the engagement as a result of a misstatement arising from fraud or possible fraud, the auditor should:
● consider the professional and legal responsibilities applicable in the circumstances; and
● discuss with the appropriate level of management and those charged with governance the reasons for the withdrawal.
The auditor may encounter exceptional circumstances that bring into question the auditor’s ability to continue performing the audit, for example in circumstances where:
● the entity does not take the remedial action regarding fraud that the auditor considers necessary;
● the auditor’s consideration of the risk of material misstatements arising from fraud and the results of audit tests indicate a significant risk of material and pervasive fraud; or
● the auditor has significant concern about the competence or integrity of the executive management or those charged with governance.

2.9 EXAMPLES OF CONDITIONS OR EVENTS THAT MAY INCREASE THE RISK OF FRAUD OR ERRORS

Risk factors relating to misstatements arising from fraudulent financial reporting
The following incentives/pressures, opportunities and attitudes are examples:
• Management is dominated by a single person and there is no effective supervisory board/committee.
• A complex corporate structure exists where complexity is not warranted.
• Continued failure to correct material weaknesses in internal control timeously.
• High turnover ratio of key accounting and financial personnel.
• Significant and prolonged personnel shortage in the accounting department.
• There is excessive interest by management in maintaining or increasing the entity’s share price.
• Management has an interest in pursuing inappropriate means to minimise reported earnings for tax-motivated reasons.
• There is a strained relationship between management and the current or previous auditor.
• There is a history of law violations or claims against the company.
• Management continues to employ ineffective accounting, information technology or internal auditing staff.
• Management does not monitor significant controls regularly.
• Regular changes in legal counsel, senior management or board members.
• Management sets unduly aggressive financial targets.
• Management has a poor reputation in the business community and a disregard for regulatory authorities.
• A significant portion of management’s remuneration is represented by bonuses, share options and other incentives.
• New accounting, statutory or regulatory requirements that could impair the financial stability or profitability of the entity.
• A high degree of competition or market saturation accompanied by declining margins.
• A declining industry with increasing business failures and significant declines in customer demand.
• Rapid changes in the industry, such as high vulnerability to rapidly changing technology or rapid product obsolescence.
• Inability to generate cash flows from operations while reporting earnings and earnings growth.
• Significant pressure to obtain additional capital necessary to stay competitive.
• Assets, liabilities, revenues or expenses based on significant estimates that involve unusually subjective judgements or uncertainties.
• Significant related party transactions which are not in the ordinary course of business.
• Significant related party transactions which are not audited or are audited by another firm.
• Significant, unusual or highly complex transactions.
• Significant bank accounts or subsidiary or branch operations in tax-haven jurisdictions.
• An overly complex organisational structure.
• Difficulty in determining the organisation or person controlling the entity.
• Unusually rapid growth or profitability.
• Especially high vulnerability to changes in interest rates.
• Unusually high dependence on debt.
• Unrealistically aggressive sales or profitability incentive programmes.
• A threat of imminent bankruptcy, foreclosure or hostile takeover.
• Adverse consequences on significant pending transactions if poor financial results are reported.
• A poor or deteriorating financial position when management has personally guaranteed significant debts of the entity.
Risk factors from misstatements arising from misappropriation of assets
The following incentives/pressures, opportunities and attitudes are examples:
• large amounts of cash on hand;
• inventory characteristics, such as small size combined with high value and high demand;
• easily convertible assets, such as bearer bonds, diamonds or computer chips;
• fixed asset characteristics such as small size combined with marketability and lack of ownership identification;
• lack of appropriate management oversight;
• lack of procedures to screen job applicants for positions where employees have access to assets susceptible to misappropriation;
• inadequate record-keeping for assets susceptible to misappropriation;
• lack of an appropriate segregation of duties;
• lack of an appropriate system of authorisation and approval of transactions;
• poor physical safeguards over cash, investments, inventory or fixed assets;
• lack of timely and appropriate documentation for transactions; and
• lack of mandatory vacations for employees performing key control functions.

2.10 REPORTABLE IRREGULARITIES


SOURCE REFERENCE: Sections 1 and 45 of the Auditing Profession Act 26 of 2005; IRBA Guide – Reportable Irregularities in terms of the Auditing Profession Act (2005)

2.10.1 Definition and general principles


● A reportable irregularity is:
• any unlawful act or omission committed by a person responsible for the management of the entity, and which:
– has caused or is likely to cause material financial loss; or
– is fraudulent or amounts to theft; or
– represents a material breach of fiduciary duties.
• Each of the three conditions for an unlawful act or omission as listed above would give rise to a reportable irregularity.
● In terms of section 45(1)(a) of the Auditing Profession Act 26 of 2005, a registered auditor appointed by an entity to perform an audit must report a reportable irregularity to the Independent Regulatory Board for Auditors without delay giving full particulars of the reportable irregularity.
● The duty to report arises when an auditor is appointed as the statutory auditor of a client, in which case the duty to report irregularities exists even when performing an assurance engagement, other than the audit.
Refer to chapter 1 of this book for the full process of dealing with reportable irregularities.


2.10.2 The impact of reportable irregularities on the audit opinion


● Section 44 of the Auditing Profession Act provides that the registered auditor may not, without such qualification as may be appropriate in the circumstances, express an opinion that the financial statements fairly present in all material respects the financial position of the entity and the results of its operations and cash flow, and are properly prepared in accordance with the basis of the accounting and financial reporting framework unless no reports were sent to the Regulatory Board in terms of Section 45, or unless a notification followed that the auditor has become satisfied that no irregularity has taken place or is taking place.
● In the context of the APA, the reference to “without such qualification as may be appropriate” has the same meaning as a modified report.
● Whether the modification will be in the form of a qualification will depend on whether the reportable irregularity affects fair presentation in the financial statements.
● An appropriate modification is required in the event that:
• the reporting process to IRBA is incomplete;
• a reportable irregularity did exist, even if it is no longer taking place or adequate steps have been taken to recover losses; and
• a reportable irregularity existed and is continuing.

2.10.3 Specific situations which may require action in terms of section 45


The existence of the following situations might prompt the auditor to consider reporting in terms of section 45 of the APA:
● fraud in relation to the financial statements;
● clients trading whilst their liabilities exceed their assets;
● non-compliance with laws and regulations;
● incomplete tax or other returns issued to SARS;
● bribery and other illegal acts;
● failure to present books for audit;
● failure to issue financial statements within six months of year end.
NOTE: The IRBA Guide, issued in 2015, provides 21 examples of possible reportable irregularities and factors to consider in this regard.


3. AUDITOR’S LIABILITY
SOURCE REFERENCE: SAICA Circular 01/1996: Managing the professional liability of accountants

3.1 AUDITOR’S NEGLIGENCE


The auditor may be held liable in the following circumstances:
Breach of contract
There is a contract between an auditor and the company the auditor is auditing. If the auditor does not perform a proper audit in accordance with International Auditing Standards, he/she may be held liable for breach of contract. In an action for damages the following will have to be proved:
• contractual relationship;
• breach of contract; and
• loss suffered as a result of the breach.
Common law delict
The auditor may also be liable to other third parties who are users of the financial statements. Before third parties can successfully bring a claim against an auditor, the following five requirements must be met:
• the incorrectly stated financial position of the company was an intentional or negligent misrepresentation by the auditor;
• the auditor knew that the financial statements would be relied upon;
• the loss suffered by the third parties was caused by relying on the incorrect financial statements;
• the loss suffered was a financial loss; and
• the auditor failed to observe the necessary degree of care and skill while performing the audit.
Liability under section 46 of the Auditing Profession Act 26 of 2005
If an auditor acted maliciously, fraudulently or negligently during the performance of his/her work, he/she can be held liable for damages. The same five requirements discussed under common law delict must again be present before a third party can bring a claim against the auditor. Section 46(7) states that a registered auditor may incur liability to any partner, member, shareholder, creditor or investor of an entity if the auditor fails to report a reportable irregularity.


3.2 STEPS WHICH ACCOUNTANTS MAY TAKE IN ORDER TO ASSIST THEM TO MANAGE THEIR LIABILITY TO CLIENTS OR THIRD PARTIES
It is not possible for accountants to guard against every circumstance in which they may incur liability. The following may however be useful in managing the risk of legal liability:
● identifying the terms of the engagement;
● defining the specific tasks to be undertaken;
● defining the responsibilities to be undertaken by the client;
● specifying any limitations on the work to be performed;
● defining the purpose of reports;
● restricting the use of the accountant’s name;
● identifying the authorised recipients of reports;
● limiting or excluding liability to a third party;
● obtaining an indemnity from the client or a third party; and
● defining the scope of professional competence.

3.3 CASE STUDIES


The following two case studies illustrate auditors’ liability.
Thoroughbred Breeders Association of South Africa v Price Waterhouse 1999 (4) SA 968 (W)
The auditors failed to detect long outstanding cash deposits and a promissory note that had been stolen by the financial manager. The audit clerk who examined the bank reconciliation failed to query the long outstanding cash deposits, and the promissory note that was listed as an asset was not inspected. Subsequent to the audit, more money was stolen by the financial manager. When management eventually detected the crime, they sued the auditors for breach of contract. They alleged that this theft could have been averted had the auditor properly carried out the audit and discovered the financial director’s earlier fraudulent activities. The auditors denied any breach of the audit agreement and raised various defences based on the contention that the company had itself to blame for its loss because it had continued to employ the financial manager despite having been aware of the fact that he had a criminal record for theft.
The court held that the auditors in this case acted negligently and they had to pay damages to the company. Originally the settlement was much lower than the company’s original claim in the light of the company’s own gross negligence. On appeal it was decided by the majority of judges that the auditor must pay the full amount claimed to the company plus costs, even though the company was also partly responsible for the fraud.


S v Nagrani 1997 (2) SACR 98 (W)
In this case the auditor lodged a false VAT claim with the South African Revenue Service. The auditor was found to be criminally liable and was sentenced to eight years’ imprisonment.

4. CONSIDERATION OF LAWS AND REGULATIONS IN AN AUDIT OF FINANCIAL STATEMENTS
SOURCE REFERENCE: ISA 250 “Consideration of laws and regulations in an audit of financial statements”
When performing an audit, the auditor must be aware that non-compliance with laws and regulations may result in fines, litigation or other consequences for the entity that may materially affect the financial statements.
An audit cannot, however, be expected to detect non-compliance with all laws and regulations.
Non-compliance refers to intentional or unintentional acts/transactions entered into by, or in the name of, or on behalf of the entity, in violation of current legislation or regulations. Overseas legislation should also be considered in respect of international branches or subsidiaries.

4.1 RESPONSIBILITY FOR COMPLIANCE WITH LAWS AND REGULATIONS


Management
Management is responsible for compliance with, and for the prevention and detection of non-compliance with, laws and regulations. Management may comply with these responsibilities by:
• identifying and monitoring legal requirements and ensuring compliance therewith;
• the implementation and maintenance of internal controls;
• the implementation and enforcement of a code of conduct within the enterprise;
• ensuring that employees are properly trained and understand the code of conduct;
• monitoring compliance with the code of conduct and implementing disciplinary measures in cases of non-compliance;
• engaging legal advisers to monitor compliance with the legal requirements;
• maintaining a register of significant laws with which the entity must comply and keeping a record of complaints of non-compliance;
• introducing an internal audit function; and
• introducing an audit committee.


Auditor
• Non-compliance with laws and regulations by the entity may result in a material misstatement in the financial statements. The auditor should identify and assess possible misstatements due to non-compliance.
• The auditor is not, and cannot be, held responsible for preventing non-compliance.
• The auditor is responsible for verifying compliance by obtaining sufficient appropriate audit evidence of laws and regulations which have a direct effect on the determination of material amounts and disclosures in the financial statements such as tax and pension laws and regulations.
• The auditor must also help to identify non-compliance with other laws and regulations that could lead to material penalties or litigation which would also affect the financial statements.

4.2 ASPECTS OF AUDIT IMPORTANCE


Auditor’s actions/procedures
• Plan and perform the audit with an attitude of professional scepticism that the audit may reveal non-compliance with laws and regulations.
• Obtain a general understanding of the entity’s legal framework and compliance therewith, by means of:
– using the existing knowledge of the business and industry;
– enquiry from management about policies concerning compliance with laws and regulations;
– enquiry from management as to laws and regulations with a fundamental effect on the operations of the entity;
– discussions with management about the policies and procedures adopted for the identification and accounting of litigation claims; and
– discussions with auditors of overseas subsidiaries about the legal and regulatory framework.
• Perform procedures to detect non-compliance, for example:
– enquire from management regarding compliance;
– investigate correspondence with licensing and regulatory bodies.
• Perform procedures to obtain audit evidence relating to compliance with laws and regulations that may have an effect on the amounts and disclosures in the financial statements.
• The auditor must be aware of the fact that his/her audit procedures concerning the financial statements may reveal non-compliance with laws and regulations.
• Obtain written confirmation from management that states that all known and possible non-compliance with laws and regulations that may affect the financial statements has been disclosed to the auditor.
 L Procedures on discovery of non-compliance
• Obtain an understanding of the nature of the non-compliance and the
circumstances thereof and sufficient further information to evaluate the
effect on the financial statements.
• Consider the following in terms of the effect on the financial state-
ments:
– potential financial consequences (e.g. fines, litigation, etc.);
– possible disclosure of the financial consequences; and
– whether the potential financial consequences are so material as to
affect the fair presentation of the financial statements.
• Document the findings in the working papers and discuss them with
management.
• If management cannot provide assurance of compliance and the
non-compliance may be material, obtain legal advice.
• Consider the effect on:
– other aspects of the audit;
– the auditor’s risk assessment; and
– the reliability of management representations.
• Consider the effect on the auditor’s report.
Reporting non-compliance
• Reporting to those charged with governance
– The auditor must inform the audit committee, the board or senior
management of the non-compliance with laws and regulations or
obtain proof that they are aware of it.
– Material and intentional non-compliance must be reported
immediately.
– If management is involved in non-compliance:
* report the non-compliance to the next level of authority (e.g. to
an audit committee); and
* where no higher authority exists or the auditor is unsure of who
to report to, obtain legal advice.

• Reporting non-compliance in the auditor’s report
If the auditor concludes that the non-compliance has a material effect
on the financial statements and has not been adequately reflected in
the financial statements, the auditor shall express a qualified or an
adverse opinion on the financial statements.
If the auditor is precluded by management or those charged with
governance from obtaining sufficient appropriate audit evidence, the
auditor shall express a qualified opinion or disclaim an opinion on the
financial statements.
• Reporting to regulatory bodies
– Reporting to third parties could be prohibited by the auditor’s
ethical and legal responsibility in accordance with the duty of
confidentiality.
– If reporting is being considered, legal advice should first be
obtained.
– Also consider the reporting responsibility to the Regulatory Board
in terms of section 45 of the APA.
Withdrawal from the engagement
Consider withdrawal from the engagement if the client does not implement
corrective measures.
Indicators of possible non-compliance
• Investigation by government departments, payment of fines or penalties.
• Payment for unspecified services, or loans to consultants, related
parties, employees or government officers.
• Sales commission or agents’ fees that seem excessive in terms of
normal payments by the entity/industry for services actually received.
• Purchases at prices that are materially higher/lower than market prices.
• Unusual payments for cash, endorsed cheques, etc.
• Unusual transactions with companies registered in tax havens.
• Payments for goods or services to countries other than the source of
origin.
• Payments without sufficient exchange control documentation.
• Existence of an information system that does not show an audit trail or
sufficient audit evidence.
• Unauthorised or improperly recorded transactions.
• Adverse media reports/comments.

5. RESPONSIBILITIES OF THE AUDITOR WHEN NON-COMPLIANCE OR
SUSPECTED NON-COMPLIANCE WITH LAWS AND REGULATIONS IS
ENCOUNTERED
SOURCE REFERENCE: SAICA Code of Professional Conduct Section 360
The SAICA Code of Professional Conduct sets out the responsibilities of
professional accountants in public practice when non-compliance or suspected
non-compliance with laws and regulations is encountered in the course of
providing a professional service to a client. Guidance is also provided
regarding the assessment of the implications of the matter and possible
courses of action when responding to it. A self-interest or intimidation
threat to compliance with the principles of integrity and professional
behaviour is created when a professional accountant becomes aware of
non-compliance or suspected non-compliance with laws and regulations.
Professional accountants have the responsibility to obtain an understanding of
legal or regulatory provisions and how non-compliance with laws and regulations
should be addressed, should it exist in a jurisdiction.
Professional accountants must always act in the public interest, and the
objectives when responding to non-compliance with laws and regulations are
therefore:
• to comply with the fundamental principles of integrity and professional
behaviour;
• by alerting management, or those charged with governance, to seek to:
– enable them to rectify, remediate or mitigate the consequences of the
non-compliance; or
– prevent the non-compliance where it has not yet occurred; and
• to take further action as appropriate in the public interest.
Section 360 of the Code sets out the approach to be taken in relation to
non-compliance with laws and regulations which are recognised to have a
direct effect on the determination of material amounts and disclosures in
the client’s financial statements, as well as laws and regulations that do
not have a direct effect.
Generally, a professional accountant is not required to comply with the section
with respect to matters that are clearly inconsequential on the client, its
stakeholders and the general public.
Refer to chapter 3 section 5.20 for more detail regarding section 360 of the Code
of Professional Conduct.

6. COMMUNICATION TO THOSE CHARGED WITH GOVERNANCE


SOURCE REFERENCE: ISA 260 “Communication to those charged with
governance”

6.1 THE ROLE OF COMMUNICATION


Communication to those charged with governance should create a two-way
communication process which could be important in assisting:
• the auditor and those charged with governance in understanding the
matters related to the audit;
• the auditor in obtaining information relevant to the audit; and
• those charged with governance in fulfilling their responsibility to oversee
the financial reporting process.

6.2 MATTERS TO BE COMMUNICATED


The following should be communicated to those charged with governance:
• the responsibilities of the auditor in relation to the financial statement audit;
• planned scope and timing of the audit;
• significant findings from the audit;
• issues regarding auditors’ independence (when applicable);
• preliminary views on key audit matters.

6.3 THE COMMUNICATION PROCESS


The auditor shall communicate to those charged with governance the form,
timing and expected general content of communications.
Communication should be in writing, if in the auditor’s judgement oral
communication would not be adequate.
Communication should be on a timely basis.

7. COMBATING MONEY LAUNDERING AND FINANCING OF TERRORISM


SOURCE REFERENCE: IRBA guide for registered auditors: Combating money
laundering and financing of terrorism

7.1 INTRODUCTION
Registered auditors are required to comply with all relevant legislation
applicable to them. This will include anti-money laundering legislation, as
well as legislation which was promulgated to combat financing of terrorism.

Three Acts of Parliament provide the framework for anti-money laundering and
combating financing of terrorism in South Africa:
• The Prevention of Organised Crime Act 121 of 1998 (POCA);
• The Protection of Constitutional Democracy against Terrorism and Related
Activities Act 33 of 2004 (POCDATARA); and
• The Financial Intelligence Centre Act 38 of 2001 (FIC Act).
The above legislation can affect registered auditors in a number of ways,
including:
• in their own names, personal statutory duties to report certain unusual and
suspicious transactions to the Financial Intelligence Centre (FIC);
• compliance with additional administrative money laundering control
obligations should the firm fall within the ambit of accountable institutions
because it is carrying on certain commercial activities (mainly provision of
financial services);
• registered auditors are ideally placed to identify compliance breaches with
the applicable legislation by clients and should therefore evaluate the
impact on the audit, the client and its stakeholders; and
• the audit client may be involved in money laundering and financing of
terrorism in which case the impact on the audit and the auditor’s reporting
responsibilities ought to be considered.

7.2 THE MEANING OF MONEY LAUNDERING AND FINANCING OF TERRORISM
Money laundering refers to any act that disguises the criminal nature or the
location of the proceeds of a crime. Put differently, money laundering could be
defined as involvement in any transaction that involves the proceeds of illegal
activities.
In South Africa money laundering is not only limited to acts in connection with
the proceeds of drugs, prostitution and other serious offences, but it extends to
the proceeds of all types of offences, including tax evasion, corruption and
fraud.
Financing of terrorism refers to the direct or indirect provision of financial or
economic benefit to support terrorism or related activity or any person or group
engaged in such activity.

7.3 THE APPLICABLE LEGISLATION

7.3.1 Prevention of Organised Crime Act 121 of 1998 (POCA)


POCA creates serious offences relating to money laundering, which may
include involvement, as well as the rendering of assistance or advice.

7.3.2 Financial Intelligence Centre Act 38 of 2001 (FIC Act)


The FIC Act gives rise to a duty for all businesses and employees to report
suspicious or unusual transactions (mainly transactions which involve the
proceeds of a crime or tax evasion, or which do not have an apparent lawful
or business purpose).
The FIC Act creates additional duties for two specific groups of institutions,
namely reporting institutions (currently only dealers in motor vehicles and
Krugerrands) and accountable institutions (includes attorneys, banks, brokers,
insurers, estate agents and other financial services providers).
• Reporting institutions have a limited duty to report all transactions involving
cash amounts in excess of a prescribed amount.
• Accountable institutions, in addition to the above duty, also have a broader
responsibility to report on international conveyance and electronic
transfers.
• Accountable institutions have detailed duties in respect of the following:
– customer identification, verification and record-keeping;
– ensuring compliance; and
– providing limited access to information by relevant authorities.

7.4 RESPONSIBILITIES OF REGISTERED AUDITORS IN COMBATING MONEY LAUNDERING WHEN CONDUCTING AN AUDIT

7.4.1 Acceptance of appointment as auditor


The auditor is required to consider the possibility that the client is involved in
money laundering or that the client is wilfully non-compliant with its obligations
in terms of money laundering legislation.

7.4.2 Understanding the entity and its environment and assessing the risk
of material misstatement
• The auditor is required to obtain an understanding of the entity and its
environment which may alert the auditor to factors indicating a possibility
of money laundering.
• The auditor should specifically consider the possibility of fines resulting
from non-compliance with money laundering legislation and the impact
thereof on the going concern status of the entity (could be as high as
between R100 million and R1 billion).
• The registered auditor is required to consider the risk of material
misstatement due to fraud and to reduce the risk to an acceptable level. A
close relationship exists between the factors giving rise to an increased
risk of fraud and those indicating money laundering and should as such be
considered by the auditor.
• The auditor is required to consider compliance with money laundering
legislation as far as it might materially affect the financial statements.
• The extent of consideration of money laundering legislation compliance
will depend on whether the audit client is an accountable or reporting
institution in terms of the Financial Intelligence Centre Act (FIC Act), or not.
– The auditor is required to review the steps taken by the entity to
comply with the FIC Act in situations where the entity is an accountable or
reporting institution.
– If the entity is not an accountable or reporting institution, the auditor is
only required to report suspicious or unusual transactions.

7.4.3 Procedures where possible money laundering is discovered


• The auditor is required to consider the guidance of ISA 240 in cases
where possible money laundering is detected.
• This includes:
– considering the impact on other areas of the audit;
– considering integrity of management and reliance to be placed on
management representations; and
– considering whether continuance with the audit is justified.
• Registered auditors that identify non-compliance with money laundering
legislation should ensure that they comply with any statutory duties which
they might have, including their professional duties in terms of section 45
of the Auditing Profession Act.

7.4.4 Reporting in terms of the FIC Act and the Prevention and Combatting
of Corrupt Activities Act (PRECCA)
• The registered auditor will only report suspicious or unusual transactions
to the Financial Intelligence Centre when the auditing firm has received or
is about to receive the proceeds of unlawful activities.
• Registered auditors who find evidence that theft or another relevant
offence in terms of PRECCA was committed against a client must ensure
that the client has complied with its obligations in terms of section 34 of
PRECCA.
• A failure to comply with those responsibilities may lead to a reporting
responsibility in terms of section 45 of the Auditing Profession Act.

7.4.5 The registered auditor’s report on financial statements


If it is known that money laundering has occurred, the auditor would have
regard to the materiality of the matter in the context of the financial statements
in determining the appropriate modification to the auditor’s report.

CHAPTER 7: AUDIT EVIDENCE

1. Obtaining of audit evidence
1.1 The concept of audit evidence
1.2 The auditor’s responsibility for the obtaining of audit evidence
1.3 Requirements for audit evidence
1.4 Procedures for obtaining audit evidence
1.5 Methods of obtaining audit evidence
1.6 Relevance of audit procedures and audit evidence obtained
1.7 The hierarchy of the importance of audit evidence (reliability)
1.8 Using information produced by the entity
1.9 Information prepared by a management expert to be used as audit evidence (ISA 500)
1.10 Financial statement assertions
1.11 Audit evidence: Additional considerations for specific items
2. Documentation
2.1 Documentation requirements for audit work performed
2.2 The value of audit documentation
2.3 Timely preparation of audit documentation
2.4 Information to be documented
2.5 Information ordinarily included in working papers
2.6 Classification of audit files
2.7 Property and confidentiality of working papers
2.8 Requirements of working papers
2.9 Assembly of the final audit file
3. External confirmations
3.1 Introduction
3.2 Assertions addressed by external confirmations
3.3 Risk and external confirmations
3.4 External confirmation procedures
3.5 Management requests not to confirm balances
3.6 The confirmation process
3.7 External confirmations prior to year end
4. Initial audit engagements – Opening balances
4.1 Introduction
4.2 Audit evidence required for initial audit engagements
4.3 Considerations for audit evidence regarding opening balances
4.4 Audit procedures regarding opening balances
4.5 Reporting
4.6 Considerations in relation to appointments during the year when certain work had already been done by another auditor
5. Analytical procedures
5.1 Introduction
5.2 Nature of analytical procedures
5.3 Stages when analytical procedures may be used and the purpose thereof
5.4 Analytical procedures as risk assessment procedures
5.5 Analytical procedures as substantive procedures
5.6 Analytical procedures as a reasonability test at the end of the audit
5.7 Investigation of unusual items and fluctuations
5.8 Notes on the application of analytical procedures as substantive tests
6. Audit of accounting estimates
6.1 Introduction
6.2 Identifying and assessing the risk of material misstatement
6.3 Audit approach or strategy to response to the risk of material misstatement at the assertion
6.4 Procedures to audit accounting estimates and related disclosure
6.5 Audit the disclosure in the financial statements
6.6 Further procedures
7. Related parties
7.1 Introduction
7.2 The auditor’s responsibility regarding related party relationships and transactions
8. Management representations
8.1 Introduction
8.2 Objective of obtaining management representation letters
8.3 Obtaining of representation letters
8.4 Date and period(s)
8.5 Auditor’s consideration when doubt exists as to the reliability of representations received
8.6 Auditor’s response when representation letters are not reliable or when management refuses to provide a representation letter
9. Enquiries regarding litigation and claims
9.1 Objective of enquiries
9.2 Enquiries of management
9.3 Examining of documents
9.4 Enquiries of attorneys
9.5 Disagreement with management
10. Reliance on the work of others
10.1 Using the work of another auditor
10.2 Using the work of internal auditors
10.3 Using the work of an expert
11. Comparatives
11.1 Introduction
11.2 The auditor’s responsibilities in relation to comparative information
11.3 Reporting
11.4 Comparative figures presented in a separate set of financial statements
12. External confirmations from financial institutions
12.1 Introduction
12.2 Information confirmed by the bank
13. Special audit situations

1. OBTAINING OF AUDIT EVIDENCE


SOURCE REFERENCE: Glossary of terms
ISA 200 “Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Standards on Auditing”
ISA 315 (revised) “Identifying and Assessing the Risk of Material Misstatement through Understanding the Entity and its Environment”
ISA 500 “Audit Evidence”
1.1 THE CONCEPT OF AUDIT EVIDENCE
Audit evidence: The information used by the auditor in arriving at the
conclusions on which his/her audit opinion is based, and includes information
contained in the accounting records underlying the financial statements and
other information.
Accounting records: This generally includes the records of accounting entries and
supporting records such as electronic transfer records, invoices, contracts, and
the general and subsidiary ledgers, journal entries, etc.
Other information: This includes minutes of meetings, confirmations from third
parties, analysts’ reports, etc.

1.2 THE AUDITOR’S RESPONSIBILITY FOR THE OBTAINING OF AUDIT EVIDENCE
The auditor shall design and perform audit procedures that are appropriate in
the circumstances for obtaining sufficient and appropriate audit evidence to
reduce audit risk to an acceptably low level and thereby enable the auditor to
draw conclusions on which to base the audit opinion.

1.3 REQUIREMENTS FOR AUDIT EVIDENCE


The audit evidence obtained should be:
• sufficient: that is, of the right quantity and the right quality; and
• appropriate: that is, relevant and reliable.

1.4 PROCEDURES FOR OBTAINING AUDIT EVIDENCE


The auditor obtains audit evidence by means of:
• risk assessment procedures;
• a combination of tests of controls and substantive procedures; and
• in some circumstances, entirely from substantive procedures.
Risk assessment procedures
These are procedures performed to obtain an understanding of the entity
and its environment, including the entity’s internal controls to identify and
assess the risk of material misstatements, whether due to fraud or error, at
the financial statement and assertion levels (thus, information-gathering
procedures).
The risk assessment procedures should be performed to identify and
assess risk at:
• the overall financial statement level, affecting the entity as a whole; and
• the assertion level for each significant class of transaction and account
balance.
Risk assessment procedures are performed to obtain information during:
• the engagement review of new and existing clients:
– to review/assess the integrity of management; and
– to review/assess the client’s business risks.
• the planning of the audit at the overall financial statement level:
– to obtain an understanding of the entity and its environment, including
the information system and internal controls.
This will enable the auditor to identify and assess the risk of material
misstatement at the overall financial statement level.
• the detailed planning of the audit of significant classes of transactions,
account balances and disclosures:
– to obtain an understanding of the design and implementation of the
controls over the specific account; and
– to identify and assess the risk of material misstatement at the
assertion level for the specific account.
Risk assessment procedures consist of:
• enquiries of management and others within the entity (e.g. employees,
internal audit, internal legal counsel, etc.);
• observation and inspection (operations, documents, records, control
manuals, management reports, premises and plant facilities, etc.); and
• analytical procedures.
Tests of controls
These are audit procedures designed to evaluate the operating
effectiveness of controls in preventing, detecting and correcting material
misstatements at the assertion level.
Specifically, they will test:
• the suitability of the design of the internal controls to prevent, detect
and correct material misstatements (fraud and error); and
• the existence and effective operation of the systems throughout the
period of reliance.
Substantive procedures
These are audit procedures designed to detect material misstatements at
the assertion level.
They consist of:
• tests of details of transactions, balances and disclosures; and
• substantive analytical procedures.
The nature, timing and extent of substantive procedures will depend on:
• the risk of material misstatement of the financial statement assertions;
• effectiveness of internal controls and the result of the test of controls;
• the appropriateness and reliability of audit evidence that can be
obtained by means of substantive procedures.
The auditor must design and perform substantive procedures for each
significant class of transaction, accounts, balances and disclosure. This,
depending on the circumstances, consists of:
• substantive analytical procedures only;
• tests of details only; or
• a combination of substantive analytical procedures and tests of
details.
Professional scepticism and an inquiring mind
When performing audit procedures and evaluating audit evidence, the
auditor should be alert to conditions that may indicate possible
misstatement due to error or fraud.

1.5 METHODS OF OBTAINING AUDIT EVIDENCE


The auditor obtains audit evidence by means of one or more of the following
procedures:
• inspection of records or documents and of tangible assets;
• observation of a process or procedure (note that this is limited to the
moment at which the observation took place);
• making inquiries of knowledgeable persons, both financial and others,
from the entity or outside the entity;
• external confirmation of information as a written response to the auditor
from a third party;
• recalculation of the mathematical accuracy of documents or records;
• re-performance by the auditor, manually or through CAATs, of procedures or
controls that were originally performed as part of the entity’s internal
control; or
• analytical procedures (analyses) of financial and non-financial data.

1.6 RELEVANCE OF AUDIT PROCEDURES AND AUDIT EVIDENCE OBTAINED


Relevance deals with:
• the purpose of the audit procedure performed; and
• the assertion tested.
The above is often tested by the direction of testing (e.g., if testing for
overstatement in accounts receivable, testing of the recorded amounts (from the
accounting records) to source documents, confirmation, etc., will be a relevant
procedure for existence and ownership, but not necessarily valuation thereof).
Testing receivables collected after year end will be a relevant procedure to
provide evidence on the existence and valuation at year end, but not
necessarily the ownership or cut off thereof.

1.7 THE HIERARCHY OF THE IMPORTANCE OF AUDIT EVIDENCE (RELIABILITY)
The reliability of audit evidence is influenced by its source and nature.
Source
External audit evidence obtained directly by the auditor is better than internally
generated evidence.
Internally generated evidence is more reliable when the internal controls are
functioning effectively.
Audit evidence that the auditor obtains directly, is more reliable than evidence
supplied by the client.
Nature
Written evidence (in documentary form) is better than oral representations.
Original documents are more reliable than evidence provided by photocopies
or fax.
Further considerations relating to audit evidence
• The auditor must obtain audit evidence for each assertion in the financial
statements.
• Audit evidence is often more persuasive than conclusive.
• Audit evidence is more persuasive if evidence from different sources is
consistent.
• Where audit evidence from different sources or of a different nature is
inconsistent, the auditor must perform additional procedures to resolve the
inconsistency.
• Consideration should be given to the cost involved in obtaining audit
evidence and the usefulness thereof.
• If unable to obtain sufficient appropriate audit evidence, the auditor should
express a qualified opinion or a disclaimer of opinion (scope limitation).

1.8 USING INFORMATION PRODUCED BY THE ENTITY


When using information produced by the entity, the auditor should consider if
the information is:
• sufficient (i.e. detailed enough) for the auditor’s purposes; and
• reliable (i.e. complete and accurate).
Accordingly, the auditor should perform procedures on such client information
to obtain evidence on the reliability thereof.

1.9 INFORMATION PREPARED BY A MANAGEMENT EXPERT TO BE USED AS AUDIT EVIDENCE (ISA 500)
1.9.1 Definition of management’s experts
An individual or organisation possessing expertise in a field other than
accounting or auditing, whose work in that field is used by the entity to
assist the entity in preparing the financial statements.
This may include aspects such as actuarial calculations, valuations,
engineering data, etc.
1.9.2 Considerations affecting the nature, timing and extent of the auditor’s
procedures required to rely on the work of the expert
• The nature and complexity of the matter to which the management expert
relates.
• The risk of material misstatement of the matter.
• The availability of alternative sources of audit evidence.
• The nature, scope and objectives of the expert’s work.
• Whether the management expert is employed by the entity, or is a party
engaged by it to provide relevant services.
• The extent to which management can exercise control or influence over
the work of the management expert.
• Whether the management expert is subject to technical performance
standards or other professional or industry requirements.
• The nature and extent of any controls within the entity over the
management expert’s work.
• The auditor’s knowledge and experience of the management expert’s field
of expertise.
• The auditor’s previous experience of the work of the expert.
1.9.3 Auditor’s procedures to rely on a management expert’s work
• Evaluate the expert’s competence, capabilities and objectivity
  The auditor will consider aspects such as the expert’s experience, qualifications and professional affiliations, as well as whether the work is subject to technical performance standards or other industry requirements.
  The auditor can obtain this information through various means, including previous personal experiences with the expert, discussions with the expert and others familiar with his/her work, and reading published papers, books written by the expert, etc.
• Obtain an understanding of the work of the expert
  This will include aspects such as:
  • the nature, scope and objectives of the expert’s work;
  • any professional standards, regulations and laws that apply;
  • the assumptions and methods used; and
  • the nature of internal and external data used.
  This information can be obtained from the expert’s engagement letter with the entity and enquiries of the expert and management.
• Evaluate/test the appropriateness of the expert’s work
  The auditor should consider:
  • the relevance and reasonableness of the expert’s findings and consistency thereof with other audit evidence;
  • the relevance and reasonableness of the assumptions used; and
  • the relevance, completeness and accuracy of source data used.
  This can be done by reviewing the expert’s report and testing of the source data used.

1.10 FINANCIAL STATEMENT ASSERTIONS


These are the representations, explicit or otherwise, with respect to the recognition, measurement, presentation and disclosure of information in the financial statements which are inherent in management’s representation that the financial statements are prepared in accordance with the applicable financial reporting framework. Assertions are used by the auditor to consider the different types of potential misstatements that may occur when identifying, assessing and responding to the risk of material misstatement.
They consist of:
• Assertions about classes of transactions and related disclosures for the period under audit:
  • Occurrence: transactions and events that have been recorded or disclosed have occurred and pertain to the entity.
  • Completeness: all transactions and events that should have been recorded have been recorded, and all related disclosures that should have been included in the financial statements have been included.
  • Accuracy: amounts and other data relating to recorded transactions and events have been recorded appropriately, and related disclosures have been appropriately measured and disclosed.
  • Cut-off: transactions and events have been recorded in the correct accounting period.
  • Classification: transactions and events have been recorded in the proper accounts.
  • Presentation: transactions and events are appropriately aggregated or disaggregated and clearly described, and related disclosures are relevant and understandable in the context of the requirements of the applicable financial reporting framework.
• Assertions about account balances, and related disclosures at the period end:
  • Existence: assets, liabilities and equity interests exist.
  • Rights and obligations: the entity holds or controls the rights to assets, and liabilities are the obligations of the entity.
  • Completeness: all assets, liabilities and equity interests that should have been recorded have been recorded, and all related disclosures that should have been included in the financial statements have been included.
  • Accuracy, valuation and allocation: assets, liabilities and equity interests are included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments are appropriately recorded, and related disclosures have been appropriately measured and disclosed.
  • Classification: transactions and events have been recorded in the proper accounts.
  • Presentation: transactions and events are appropriately aggregated or disaggregated and clearly described, and related disclosures are relevant and understandable in the context of the requirements of the applicable financial reporting framework.
NOTE: In identifying and assessing the risk of material misstatement, the auditor uses assertions to consider the different types of misstatements and risks that may occur. Assertions for which the auditor has identified related risks of material misstatement (significant risks) are relevant assertions.

1.11 AUDIT EVIDENCE: ADDITIONAL CONSIDERATIONS FOR SPECIFIC ITEMS


SOURCE REFERENCE: ISA 501 “Audit evidence – Specific Considerations for Selected Items”
• Attendance at physical inventory counts
  When inventory is material to the financial statements, the auditor should attend the physical inventory counts:
  • this serves as a test of control to provide evidence regarding management controls over inventory; and
  • it serves as a substantive procedure regarding evidence of the existence and condition (valuation) of inventory.
  The auditor should also test the final inventory records to determine if they accurately reflect the inventory count results.
  When the auditor:
  • is unable to attend the year-end inventory counts, he/she shall make or observe physical counts on an alternative date and perform procedures on the intervening transactions;
  • finds attendance at a count impracticable and cannot perform alternative procedures, he/she shall modify the audit opinion (scope limitation).
• Enquiries regarding litigation and claims
  The auditor shall design and perform procedures to identify litigation and claims involving the entity that may give rise to the risk of material misstatements by:
  • enquiry of management and internal legal counsel;
  • reviewing minutes of management and internal legal counsel meetings;
  • reviewing legal expense accounts; and
  • enquiry of external legal counsel.
• Segment information
  The auditor should obtain sufficient appropriate evidence that the presentation and disclosure of the segment information are in accordance with the requirements of the accounting standards.
  The auditor should do this by:
  • obtaining an understanding of the methods used in the preparation and compiling of the segment information;
  • testing the methods applied; and
  • performing analytical procedures and/or other procedures as considered necessary.

2. DOCUMENTATION
SOURCE REFERENCE: ISA 230 “Audit Documentation”
SAICA Guide: Access to Auditing Working Papers

2.1 DOCUMENTATION REQUIREMENTS FOR AUDIT WORK PERFORMED


The auditor should, on a timely basis, prepare audit documentation that provides:
• a sufficient and appropriate record of the basis for the auditor’s report; and
• evidence that the audit was performed in accordance with the ISAs.
Audit documentation may be recorded on paper, or on electronic media.

2.2 THE VALUE OF AUDIT DOCUMENTATION


“Audit documentation” comprises the record of audit procedures performed, audit evidence obtained, and conclusions reached, and is normally referred to as “working papers”.
Working papers:
• assist the audit team in the planning and performance of the audit;
• assist in the supervision and review of the audit work;
• serve as proof of the work done to support the audit opinion, thus enabling the audit team to be accountable for its work; and
• enable the conduct of quality control reviews by the firm or by external parties in accordance with applicable legal and regulatory requirements.

2.3 TIMELY PREPARATION OF AUDIT DOCUMENTATION


Audit documentation should be prepared on a timely basis (when the work is performed) to enhance the quality of the audit and facilitate the review of the audit evidence obtained and conclusions reached before the auditor’s report is finalised.
Documentation prepared after the work is performed is likely to be less accurate than documentation prepared at the time the work is done.

2.4 INFORMATION TO BE DOCUMENTED


These will include:
• Engagement and planning
  Procedures and considerations in accepting and continuing with engagements.
  Evidence of planning the audit, risks identified and the overall audit strategy adopted.
• Audit plan (sets out the following)
  • Audit procedures:
    – the nature, timing and extent thereof;
    – the results and findings thereof; and
    – significant matters arising, conclusions thereon and significant professional judgment applied.
  • Documentation of the findings:
    – details of items; and
    – who performed, tested and reviewed the work.
  • Significant matters discussed with management.
  • How identified inconsistencies were resolved.
  • Reasons for a departure from requirements of an audit standard and the alternative procedures performed.
  • For matters arising after the date of the auditor’s report, the circumstances thereof, and procedures performed thereon.
• Audit differences and considerations affecting the audit opinion

2.5 INFORMATION ORDINARILY INCLUDED IN WORKING PAPERS


Working papers ordinarily include information about the following:
• who performed the work and when it was performed;
• legal/statutory and organisational aspects and structures;
• excerpts from legal documents, agreements, minutes;
• information about the industry, environment, legal requirements;
• proof of planning the audit;
• consideration of work done by internal audit;
• analyses of transactions, balances and trends;
• the identified and assessed risks of material misstatement at the financial statement and assertion levels;
• nature, timing and extent of the audit procedures performed in response to the risk at the assertion level;
• proof of supervision and review of work done by assistants;
• work done regarding components audited by other auditors;
• communication with other auditors, experts, external parties, etc.;
• documentation of matters discussed with management, staff, etc.;
• a list of matters discussed with management (e.g. engagement conditions and weaknesses in internal controls reported to management);
• management’s representation letter;
• conclusions about the financial statements, method of resolving and treatment of exceptions and differences; and
• copies of the financial statements.

2.6 CLASSIFICATION OF AUDIT FILES


Permanent audit files: They contain information of a permanent nature applicable
to recurring audits. They should be updated annually.
Current audit files: Contain information of the current year’s audit.

2.7 PROPERTY AND CONFIDENTIALITY OF WORKING PAPERS


Working papers are the property of the auditor.
The auditor should adopt appropriate procedures for maintaining the confidentiality and safe custody of the working papers.
An auditor should respect the confidentiality of information obtained during the audit and may not disclose the information to third parties without proper and specific authority of the client, unless there is a legal or professional duty on the auditor to do so. When this is the case, the auditor should inform the client thereof as soon as possible.
It is appropriate that follow-up auditors gain access to the previous auditor’s working papers. For this, the client’s consent is required.

2.8 REQUIREMENTS OF WORKING PAPERS


Working papers should:
• have a heading;
• be dated;
• identify the compiler;
• identify the reviewer;
• identify the applicable information;
• be cross-referenced; and
• contain conclusions.

2.9 ASSEMBLY OF THE FINAL AUDIT FILE


• This should be done on a timely basis after the date of the auditor’s report (ISQC 1 indicates a maximum period of 60 days).
• This refers only to the assembly of the file and administrative issues and does not involve the performance of new audit procedures or the obtaining of audit evidence.
• When the auditor finds it necessary to modify existing audit documentation or add new documentation after assembly of the file, he/she should document that it was done, who it was done by and the specific reasons therefor.

3. EXTERNAL CONFIRMATIONS
SOURCE REFERENCE: ISA 505 “External Confirmations”
3.1 INTRODUCTION
External confirmation is audit evidence obtained as a direct response to the auditor from a third party (the confirming party) in paper, electronic or other form.
External confirmations obtained by the auditor can be an effective way of obtaining sufficient appropriate audit evidence, because:
• external confirmations are more reliable than internal evidence;
• written evidence is more reliable than oral evidence; and
• evidence obtained directly by the auditor from third parties provides the highest level of audit assurance.
External confirmations are used mainly to verify account balances, but are also suitable for confirmation of the terms of agreements, contracts or transactions with third parties.
Situations where external confirmations may be used include the following:
• bank balances and other information;
• accounts receivable balances;
• inventory held by third parties;
• share certificates held by third parties;
• title deeds and investment certificates held by third parties;
• loan balances; and
• accounts payable balances, etc.
The reliability of external confirmations will depend on the procedures applied by the auditor in respect of:
• the design of the confirmation required;
• performance of and control over the confirmation procedures; and
• the evaluation of the results of the confirmation procedures.

3.2 ASSERTIONS ADDRESSED BY EXTERNAL CONFIRMATIONS


External confirmation will provide evidence in respect of certain assertions of
the financial statements, while other audit procedures should be performed to
address the other assertions. For example, an account receivable confirmation
will provide evidence of the existence and ownership of the debtor, but not of
the valuation thereof.

3.3 RISK AND EXTERNAL CONFIRMATIONS


The higher the risk of material misstatement due to fraud or error, the more
appropriate/effective external confirmations will be to reduce the risk. This
relates to both risk at the overall financial statement level as well as risk at the
assertion level.

3.4 EXTERNAL CONFIRMATION PROCEDURES


Factors to consider during the design of the request should include prior experience of the audit, the nature of the information confirmed and the expected response.
Confirmation requests should include management’s authorisation to the respondent to disclose the information to the auditor.
Positive versus negative confirmations
Positive confirmations
A positive confirmation request asks the respondent to respond directly to the auditor in all cases and is ordinarily expected to provide audit evidence with a high level of reliability.
The risk, however, exists that a respondent may reply without verifying that the information is correct.
Negative confirmations
A negative confirmation request asks the respondent to respond only in the event of disagreement with the information provided in the request. Negative confirmations provide less persuasive audit evidence than positive confirmations.
Negative confirmations may be appropriate to reduce audit risk when:
• the assessed risk of material misstatement is low;
• a population consists of large numbers of small items;
• a low exception rate is expected; and
• no reason exists to believe that respondents will disregard these requests.
Combination of positive and negative confirmations
This might be appropriate where a small number of large (positive confirmation) and a large number of small (negative confirmation) balances exist.

3.5 MANAGEMENT REQUESTS NOT TO CONFIRM BALANCES


If management refuses to allow the auditor to send a confirmation request, the auditor shall:
• enquire as to management’s reason/s for the refusal and consider the validity and reasonableness thereof;
• consider the impact on the risk of material misstatement, including the risk of fraud; and
• if possible, perform alternative procedures to obtain the evidence.
If the auditor concludes that the refusal is unreasonable, he/she shall communicate this to those charged with governance (normally the audit committee if there is one) and consider the implications for the audit and the auditor’s opinion.

3.6 THE CONFIRMATION PROCESS


• The auditor should exercise control over the confirmation process by:
  • preparing the confirmation requests himself/herself;
  • sending the confirmation requests himself/herself;
  • ensuring the requests are properly addressed; and
  • requesting responses to be sent directly to the auditor.
• The auditor should evaluate whether the results of the confirmation process, together with the results of other procedures, provide sufficient appropriate audit evidence.
• The auditor should perform alternative procedures where no response is received to a positive request. These may include examination of subsequent payments, examination of documents, etc. These would include, for example, regarding:
  • accounts receivable, the inspection of subsequent payments of dispatch documentation; or
  • accounts payable, the inspection of proof of payments of goods received.
• The auditor should consider the reliability of responses requested.
  This is affected by the respondent’s independence, authority to respond, knowledge of the matter, etc.
• The auditor should consider the reason and frequency of exceptions to confirmation requests, and if necessary perform additional procedures to obtain audit evidence.

3.7 EXTERNAL CONFIRMATIONS PRIOR TO YEAR END


When confirmations are sent at a date prior to the year end, the auditor should
obtain audit evidence that transactions in the intervening period to year end
have not been materially misstated.

4. INITIAL AUDIT ENGAGEMENTS – OPENING BALANCES


SOURCE REFERENCE: ISA 510 “Initial Audit Engagements – Opening Balances”

4.1 INTRODUCTION
The purpose of this standard is to provide guidance regarding opening balances for initial engagements, that is, where:
• financial statements are audited for the first time; or
• financial statements for the prior period were audited by another auditor.
Opening balances: These are account balances that exist at the beginning of the period. Opening balances are based on the closing balances of the prior period and reflect the effects of transactions and events of prior periods and accounting policies applied in the prior period. Opening balances also include matters requiring disclosure that existed at the beginning of the period, such as contingencies and commitments.
Previous auditor: An auditor from a different firm who audited the financial statements for the prior period and has been replaced by the current auditor.

4.2 AUDIT EVIDENCE REQUIRED FOR INITIAL AUDIT ENGAGEMENTS


The auditor should obtain sufficient appropriate evidence that:
• the opening balances do not contain misstatements that may materially affect the current period’s statements; and
• appropriate accounting policies are consistently applied or that changes therein are properly accounted for and adequately presented and disclosed.

4.3 CONSIDERATIONS FOR AUDIT EVIDENCE REGARDING OPENING BALANCES

The nature and extent of audit procedures necessary to obtain sufficient appropriate audit evidence regarding opening balances will depend on:
• the accounting policies followed by the entity;
• whether the financial statements for the prior period were audited and if so, whether the auditor’s opinion was modified;
• the nature of the accounts and the risk of misstatement in the current period’s financial statements; and
• the materiality/significance of opening balances in relation to the current period’s financial statements.

4.4 AUDIT PROCEDURES REGARDING OPENING BALANCES


A) Where the prior period’s financial statements were audited by a predecessor auditor
Procedures that the new auditor should perform are:
• reviewing of the predecessor auditor’s working papers to obtain sufficient appropriate audit evidence regarding opening balances. Whether it is appropriate to rely on the predecessor auditor’s working papers will depend on the predecessor auditor’s competence and independence. The incoming auditor will need to consider and assess this;
• if the prior period’s audit report was modified, the auditor should pay particular attention in the current year to the matters that resulted in the modification and consider whether they remain relevant and significant to the current period’s financial statements; and
• agreeing opening balances to the prior period’s closing balances to ensure they are correctly brought over as opening balances.
The auditor should comply with the requirements of the Code of Professional Conduct before contacting the predecessor auditor (obtain client’s permission).

B) Where the previous period’s financial statements were not audited, or where the predecessor’s work cannot be relied upon
The auditor should perform audit procedures to verify the opening balances. These may entail:
• confirmation of opening balances with third parties (e.g. loans, investments, etc.);
• examination of the records underlying the opening balances (e.g. fixed asset register, contracts, etc.);
• obtaining audit evidence regarding opening balances as part of the current year’s audit (e.g. debtors’ and creditors’ accounts paid); and
• directly performing audit procedures to confirm opening balances (e.g. in terms of inventory).

4.5 REPORTING
The auditor’s response where the opening balances contain misstatements that materially affect the current year’s financial statements would include:
• discussing it with management and those charged with governance; and
• discussing it with the predecessor auditor (with the client’s permission).
If the misstatement is not properly accounted for or disclosed and this has a material effect on the current year’s financial statements, the current audit report will be modified on the basis of:
• an audit difference: opening balances contain misstatements, or the accounting policy is not properly accounted for and adequately disclosed; or
• uncertainty: opening balances cannot be confirmed (e.g. no inventory count in the previous year and confirmation thereof impossible by means of alternative procedures). Such a modification may only be in relation to the results of operations and cash flow and may be unqualified in terms of the financial position (balance sheets).
• Reference to the predecessor auditor: The current auditor may include an emphasis of matter paragraph in the audit report in which he/she refers to the fact that the prior year’s financial statements were audited by another auditor. The audit opinion expressed by such an auditor may also be stated (also refer to ISA 710).

4.6 CONSIDERATIONS IN RELATION TO APPOINTMENTS DURING THE YEAR WHEN CERTAIN WORK HAD ALREADY BEEN DONE BY ANOTHER AUDITOR

Consider whether reliance can be placed on the work done by the other (predecessor) auditor by:
• discussing relevant issues with the predecessor auditor;
• reviewing his/her working papers (with the consent of the client);
• considering the professional reputation and independence of the predecessor auditor; and
• re-performing certain work and comparing it with the predecessor auditor’s findings.
Reliance is justified
• document the procedures performed; and
• place reliance on the predecessor auditor’s work and adapt the audit procedures accordingly.
Reliance is not justified
• document the procedures performed;
• discuss it with the client; and
• perform extensive procedures without relying on the work done by the predecessor auditor.

5. ANALYTICAL PROCEDURES
SOURCE REFERENCE: ISA 520 “Analytical Procedures”
5.1 INTRODUCTION
The auditor should apply analytical procedures during the planning of the audit, when obtaining audit evidence at the assertion level as part of the substantive procedures and at the overall review phase of the audit as a test of reasonableness.
Analytical procedures consist of:
• an analysis of plausible relationships between financial and non-financial data;
• an investigation of fluctuations and relationships that are inconsistent in terms of other relevant information or anticipated amounts.

5.2 NATURE OF ANALYTICAL PROCEDURES


This includes the consideration of the entity’s financial information by means of:
• Comparisons:
  • with comparable information from prior periods;
  • with anticipated results; and
  • with similar industry information.
• Consideration of relationships between:
  • elements of the financial information expected to conform to a predictable pattern; and
  • financial and non-financial information.
Analytical procedures are based on the assumption that relationships between information/data exist and would continue to exist in future in the absence of known information to the contrary.
Various methods can be used to perform analytical procedures, ranging from simple comparisons to performing complex analyses using advanced statistical techniques. Analytical procedures can be applied to consolidated financial statements, components and individual elements of information.

5.3 STAGES WHEN ANALYTICAL PROCEDURES MAY BE USED AND THE PURPOSE THEREOF

1. In the planning phase of the audit as risk assessment procedures (at both the financial statement and assertion levels):
   • to understand the client’s entity and environment;
   • to identify potential risks of material misstatements; and
   • to assist in determining the nature, timing, and extent of further audit procedures.
2. During the course of the audit as substantive procedures to limit the risk of material misstatement at the assertion levels (substantive analytical review).
3. During the overall review phase at the end of the audit (forming an overall conclusion):
   • as an overall test of reasonableness;
   • to identify possible unidentified risks of material misstatements requiring further audit procedures; and
   • to provide an overview as to whether the financial statements as a whole are consistent with the auditor’s knowledge of the business.

5.4 ANALYTICAL PROCEDURES AS RISK ASSESSMENT PROCEDURES


The auditor applies analytical procedures to obtain an understanding of the
entity and its environment, and to identify risks that will affect the nature, timing
and extent of the further audit procedures that are done at both the overall
financial statement level, as well as at the assertion level.

5.5 ANALYTICAL PROCEDURES AS SUBSTANTIVE PROCEDURES


Step 1: Consider the suitability of using substantive analytical procedures. Specifically:
  (a) the relationship between data and the predictability thereof;
  (b) the assessment of the risk of material misstatement (the higher the risk, the lower the reliance on analytical procedures); and
  (c) other tests of detail directed towards the same assertion.
Step 2: Consider the reliability of the data on which the expectation will be based. Specifically:
  (a) the source of information (e.g. external or internal, etc.);
  (b) the comparability of the information;
  (c) the nature and relevance of the available information; and
  (d) the controls applied over the preparation of the information (e.g. the accuracy of budgets). The auditor may consider testing the controls, on their own, or as part of the normal tests of controls.
Step 3: Consider whether an expectation of recorded amounts can be developed that is sufficiently precise to identify material misstatements, specifically:
  (a) the accuracy with which the expected results can be predicted;
  (b) the degree to which information can be disaggregated to achieve better accuracy; and
  (c) the availability of the information, both financial and non-financial.
Step 4: Consider the difference between the recorded amounts and the expected values:
  (a) consider the amount of the difference against the materiality figures; and
  (b) consider the cumulative effect of the differences with those in other accounts.

5.6 ANALYTICAL PROCEDURES AS A REASONABILITY TEST AT THE END OF THE AUDIT

The auditor performs analytical procedures at the end of the audit to assess whether the financial statements are consistent with the auditor’s understanding of the entity.

5.7 INVESTIGATION OF UNUSUAL ITEMS AND FLUCTUATIONS


The auditor should investigate unusual items and fluctuations that may be identified by the analytical procedures by means of:
• enquiry of management, followed up by corroboration of management’s explanations (e.g. by using the auditor’s knowledge of the business and other audit evidence obtained); and
• applying other audit procedures.

5.8 NOTES ON THE APPLICATION OF ANALYTICAL PROCEDURES AS SUBSTANTIVE TESTS

Step 1: Consider the suitability of the application thereof: refer to the factors under 5.5.
Step 2: Develop an expectation to compare the recorded amounts against: it can be budgets, prior year financial statements, industry related information, etc.
Step 3: Develop a margin: this is the deviation between the recorded amounts and the expectation that needs to be investigated if exceeded – this can be an “R”-amount or a % of deviation.
Step 4: Investigate deviations which exceed the margin: identify the reasons and corroborate explanations.
Step 5: Consider the extent of reliance that can be placed on the analytical procedures performed: refer to the factors under 5.5.
Step 6: Conclude on and quantify any unexplained differences.
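
Steps 2 to 6 above, together with Step 4 of 5.5, worked through in Python as an added example that is not part of the handbook. The account names, amounts, growth rates, margin and materiality figure are constructed; building the expectation from the prior year, applying the stricter of two margins and summing absolute unexplained differences are assumptions of this sketch.

```python
from dataclasses import dataclass


@dataclass
class AccountLine:
    account: str
    recorded: float            # amount per the client's records (R)
    prior_year: float          # audited prior-year amount (R)
    growth: float              # auditor's expected change, e.g. 0.05 for +5%
    corroborated: float = 0.0  # signed part of the deviation that was explained
                               # by management AND corroborated by other evidence


def expectation(line):
    """Step 2: expectation built from the prior year, adjusted for known change."""
    return line.prior_year * (1 + line.growth)


def margin(expected, pct=None, amount=None):
    """Step 3: margin as a % of the expectation or a fixed R-amount.
    If both are given, the smaller (stricter) margin applies (assumption)."""
    candidates = []
    if pct is not None:
        candidates.append(abs(expected) * pct)
    if amount is not None:
        candidates.append(amount)
    if not candidates:
        raise ValueError("a percentage or an R-amount margin is required")
    return min(candidates)


def analyse(lines, materiality, pct=None, amount=None):
    """Steps 4 and 6: flag deviations above the margin, then quantify what
    remains unexplained and compare the cumulative effect with materiality."""
    flagged = []
    for line in lines:
        exp = expectation(line)
        deviation = line.recorded - exp
        if abs(deviation) <= margin(exp, pct, amount):
            continue  # within the margin: no investigation required
        flagged.append({
            "account": line.account,
            "expected": round(exp, 2),
            "deviation": round(deviation, 2),
            "unexplained": round(deviation - line.corroborated, 2),
        })
    # Conservative cumulative measure: over- and understatements do not offset.
    cumulative = round(sum(abs(f["unexplained"]) for f in flagged), 2)
    return {
        "flagged": flagged,
        "cumulative_unexplained": cumulative,
        "exceeds_materiality": cumulative > materiality,
    }


# Constructed sample data (not taken from the handbook).
SAMPLE = [
    AccountLine("Revenue", 12_600_000, 11_000_000, 0.10),
    AccountLine("Salaries", 4_900_000, 4_000_000, 0.06, corroborated=400_000),
    AccountLine("Repairs", 150_000, 300_000, 0.00),
]

if __name__ == "__main__":
    result = analyse(SAMPLE, materiality=350_000, pct=0.05)
    for item in result["flagged"]:
        print(item)
    print("cumulative unexplained:", result["cumulative_unexplained"],
          "exceeds materiality:", result["exceeds_materiality"])
```

Revenue stays inside its 5% margin and is not investigated; the corroborated part of the Salaries deviation is removed before the remaining differences are accumulated and compared with materiality.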

6. AUDIT OF ACCOUNTING ESTIMATES


SOURCE REFERENCE: ISA 540 (revised) “Auditing Accounting Estimates, and Related Disclosure”
6.1 INTRODUCTION
Accounting estimates represent items that cannot be measured precisely but can only be estimated. Accordingly, there is a high inherent risk of material misstatement related to such items, as they:
• are subject to estimation uncertainty, which reflects inherent limitations in knowledge and data;
• involve the use of judgement; and
• are prone to management bias (that is, accounting estimates are imprecise and can be influenced by management judgement).
Examples of accounting estimates include items such as:
• estimates relating to the outcome of litigation;
• fair value accounting estimates for derivative financial instruments;
• allowances for doubtful accounts, inventory obsolescence, warranty obligations, etc.
The auditor shall obtain sufficient appropriate audit evidence that the estimates are:
• recognised at appropriate amounts in the financial statements (completeness, accuracy, valuation and allocation); and
• correctly disclosed according to the requirements of the applicable financial reporting framework.
NOTE: Throughout the audit of accounting estimates the auditors should at all times apply a high level of professional scepticism and an enquiring mind.

6.2 IDENTIFYING AND ASSESSING THE RISK OF MATERIAL


MISSTATEMENTS
The auditor must obtain an understanding of the nature and the type of
accounting estimates an entity may have. This is done during the planning of
the audit, when the auditor performs risk assessment procedures to obtain an
understanding of the entity and its environment, including the entity’s
internal control.


6.2.1 Risk assessment procedures


The auditor must, through the appropriate risk assessment procedures of
discussion and enquiry of management and other knowledgeable persons, as
well as the review of documentation and processes:
l obtain an understanding of the requirements of the applicable financial
reporting framework:
• identify transactions and events of the entity that may give rise to the
need for, or changes in, accounting estimates;
• the requirements for recognition, measurement and disclosure relating
to accounting estimates and how they apply in the context of the nature
and circumstances of the entity and its environment, including the
inherent risk factors that are susceptible to misstatement of assertions;
• identify regulatory or legislative factors affecting the estimates;
• consider the nature of the accounting estimates and disclosure the
auditor expects in the financial statements;
l obtain an understanding of the entity’s internal control:
• the nature and extent of governance oversight over the financial
reporting process;
• how management identifies the need for, and applies, specialised skills
or knowledge related to accounting estimates;
• the entity’s information system and controls over the estimation
process;
l understand the management process for calculating estimates and the
disclosure thereof:
• the methods used and, where applicable, the model used in making
the accounting estimate;
• the controls that exist over the process of making the estimates;
• whether they used an expert;
• the data and assumptions used;
• any changes from prior periods in the method of making accounting
estimates;
• how management addresses estimation uncertainty;
l identify management controls over the estimation process;
l review the outcome of accounting estimates included in prior period
financial statements (how accurate and reliable they were).

6.2.2 Assessing the risk of material misstatement


Based on the information obtained from the risk assessment procedures, the
auditor must identify and assess the risk of material misstatement related to the
accounting estimates, including separately assessing inherent and control risk
at the assertion level as required by ISA 315 and 330.


L Inherent risk factors


The auditor shall identify inherent risk factors related to accounting estimates,
such as:
l the degree of accounting estimation uncertainty involved;
l factors such as the selection of data, assumptions and methods, and
management’s selection of point estimates and disclosure;
l susceptibility to misstatement due to management bias, and other fraud
risk factors;
l uncertainties and conditions other than estimation uncertainty.
As per ISA 315 and 330, the auditor should, in considering the risk of material
misstatement at the assertion level, separately assess the inherent and control
risk as a basis for designing further audit procedures. Inherent risks should be
assessed to determine if the risk is a significant risk that requires special audit
consideration (that is, the spectrum between high and low risk based on the
likelihood and magnitude of the risk assessed).
These inherent risks are normally considered and assessed under the
assertions they relate to.
L Control risk
The auditor should consider whether controls exist that address the
significant inherent risks assessed.
The completeness, accuracy, valuation and allocation, as well as disclosure
assertions, will normally be high-risk assertions (resulting from inherent risks
assessed as significant risks requiring a specific auditor’s response for
accounting estimates).
NOTE: The auditors should consider all accounting estimates, including not
only those that are recognised in the financial statements, but also
those that are included in the notes to the financial statements.

6.3 AUDIT APPROACH OR STRATEGY TO RESPOND TO THE RISK OF MATERIAL MISSTATEMENT AT THE ASSERTION LEVEL
The auditor’s assessment of the identified risk of material misstatement at the
assertion level (inherent and control risk) provides a basis for considering the
appropriate audit approach for designing and performing further audit
procedures. This can affect both the types of audit procedures to be performed
as well as their combination, and consists of:
l performing tests of controls over the design and effective functioning of
controls identified that will address significant inherent risks;
l only performing substantive procedures where no controls exist, or where
it is not viable or cost effective to test them; or
l a combination of tests of controls and substantive procedures.


6.4 PROCEDURES TO AUDIT ACCOUNTING ESTIMATES AND RELATED DISCLOSURE
The auditor must, for all significant accounting estimates, respond to the risk
and obtain sufficient and appropriate audit evidence to limit the auditor’s risk.
This will consist of:

6.4.1 Testing the correctness of the accounting treatment (in terms of the applicable accounting framework)
This will consist of testing:
l whether the accounting estimates are correctly treated for accounting
purposes, that is, whether the recognition and measurement criteria are
met (IAS 37); and
l whether the methods used/applied for making the estimates are
appropriate.

6.4.2 Testing the amount of the accounting estimates


This will be done by one, or a combination, of the following approaches:
A) Testing the operating effectiveness of the controls over the estimation
process
This may be an appropriate response when the management process is
well designed, implemented and maintained.
This consists of testing controls over the accounting system as well as
those relating to management’s process for making the accounting
estimates.
B) Testing management’s estimate (methods, data, assumptions and
workings)
1. Test the data used by management in making the estimate:
l test the data on which the estimate is based to determine if it is
accurate, complete and relevant; and
l consider the source, relevance and reliability of the data.
2. Test the methods of measurement used. Consider if the method is
acceptable in terms of the accounting framework (e.g. discounted
cash flow).
3. Test the assumptions used by management.
Consider the reasonableness thereof:
l compare them with actual results of prior years;
l compare them with assumptions used on other estimates;
l consider whether they are consistent with management’s plans; and
l compare them with market conditions.
4. Recalculate the accounting estimate.
5. Consider management’s review and approval process.


C) Developing a point estimate or range


This will entail the auditor calculating his/her own estimate or range within
which the estimate may fall.
The auditor can do this by:
l applying his/her own assumptions and models; or
l appointing an expert (ISA 620) with the necessary skills to provide an
independent estimate.
D) Auditing events occurring up to the date of the auditor’s report (sub-
sequent events)
Compare the accounting estimate with transactions and events that
occurred after year end (e.g. the sale of inventory of a discontinued product
after year end may provide sufficient evidence of the net realisable value
at year end).

6.4.3 Evaluate the reasonableness of the accounting estimate and consider any misstatements
Based on the audit evidence consider whether the accounting estimates are
misstated.
Consider the correctness of disclosure of the accounting estimates.

6.5 AUDIT THE DISCLOSURE IN THE FINANCIAL STATEMENTS


Inspect the financial statements and consider whether the accounting policy
and disclosure note are complete and accurate in respect of the requirements
of the applicable financial reporting framework (IAS 37), and whether the
disclosure agrees with the information as per the audit records.

6.6 FURTHER PROCEDURES


Document the following:
l the basis for the auditor’s conclusion; and
l any indications of possible management bias.
Obtain a written representation from management on whether they
believe the significant assumptions used in making the estimates are
reasonable (management representation letter).

7. RELATED PARTIES
SOURCE REFERENCE: ISA 550 “Related Parties”

7.1 INTRODUCTION
The auditor should perform audit procedures to recognise fraud risk factors
resulting from related party relationships and transactions, and to ensure further
that the entity’s related party relationships and transactions have been
appropriately identified, accounted for and disclosed in the financial statements.


Related party relationships and transactions pose an inherently high risk to
the auditor, and accordingly the auditor should plan and perform the audit with
professional scepticism.
Related parties and related party transactions are defined in the applicable
financial reporting frameworks but are essentially those between a person and
an entity that has control or significant influence over another, or transactions
between the entity and their directors or key management.

7.2 THE AUDITOR’S RESPONSIBILITY REGARDING RELATED PARTY RELATIONSHIPS AND TRANSACTIONS
7.2.1 Perform procedures to identify related party relationships and transactions
(risk assessment procedures)
L Discussion amongst the engagement team
The engagement team should consider the susceptibility of the financial
statements to material misstatement due to fraud or error resulting from
related party relationships and transactions.
Matters to discuss include aspects such as the nature of the entity’s
relationships and transactions with related parties, the circumstances or
conditions relating thereto, and records and documents that may indicate
such aspects or relationships.
L Enquiries of management
Enquiries should be made regarding the identity of related parties, the
nature of such relationships and any transactions with those parties.
L Obtain an understanding of the entity’s controls over related party
relationships and transactions
The auditor should enquire of management and others within the entity
(and perform risk assessment procedures) to obtain an understanding of
the controls, if any, that management has established to:
l identify, account for and disclose related party relationships and
transactions in accordance with the accounting requirements;
l authorise and approve significant transactions and arrangements with
related parties; and
l authorise and approve significant transactions and arrangements
outside the normal course of business.
Other parties within the entity to whom these enquiries may be directed include:
l those charged with governance (directors and audit committees);
l persons responsible for initiating, processing and recording significant
transactions;
l internal auditors;
l in-house legal counsel; and
l chief ethics officers (or equivalent).


The auditor should also consider elements of the control environment that
might mitigate the risk of material misstatements associated with related
party relationships and transactions. These may include aspects such as:
l internal ethical codes;
l policies for the declaration of interest by management and those
charged with governance;
l guidelines for the approval of related party transactions;
l periodic reviews by internal auditors; and
l existence of whistle-blowing policies and procedures, etc.
Controls over related party relationships and transactions may be weak
because of factors such as a low importance attached thereto by
management, lack of oversight by those charged with governance or an
intentional disregard of controls by management.
L Maintaining alertness for related party information when reviewing
documents or records
The auditor must inspect the following for indications of related party
relationships or transactions:
l bank and legal confirmations obtained by the auditor; and
l minutes of meetings of shareholders and those charged with govern-
ance.
Other records that may be inspected to identify related party relationships
and transactions are:
l the entity’s income tax returns;
l information supplied to regulatory authorities by the entity;
l shareholder registers to identify principal shareholders;
l records of the entity’s investments and pension plans;
l contracts and agreements with key management; and
l internal auditors’ reports, etc.
The auditor should also consider significant transactions outside the
entity’s normal course of business, and whether such transactions could
involve related parties.
L Sharing related party information with the engagement team
Information obtained by the auditor during the audit on related parties
should be shared with the other engagement team members.


7.2.2 Identify and assess the risk of material misstatements associated with
related party relationships and transactions
The auditor must identify the risks associated with the identified related party
relationships and transactions and assess whether each is a significant risk,
consisting of the risk of fraudulent financial reporting and the risk of
misappropriation of assets.
Fraud risk indicators include:
l domination of management by a single person or small group;
l an unusually high turnover of senior management or professional advisors
that may suggest unethical or fraudulent business practices;
l the use of business intermediaries for significant transactions for which no
reasonable justification exists; and
l evidence of excessive participation by related parties in accounting
policies or estimates.

7.2.3 Procedures to address the risk of material misstatements associated with
related party relationships and transactions (response to the risk of
material misstatements)
The nature, timing and extent of the audit procedures that the auditor must
perform to respond to the risk will depend on the nature of the risk and the
circumstances.
Examples of substantive procedures in this regard are:
l confirmation or discussion of the specifics of the transactions with
intermediaries such as banks, lawyers, agents, etc.;
l confirmation or discussion of the terms and conditions of the transactions
with the parties; and
l reading of the financial statements of related parties to obtain evidence of
the accounting for such transactions in the related party books.
L Procedures to respond to previously unidentified related parties or
transactions
l Communicate the information to the other members of the engagement
team.
l Communicate with management:
– Request management to identify all transactions with such parties.
– Enquire why the entity’s controls did not identify such relationships
or transactions.
l Audit the transactions through substantive tests.
l Consider the risk of fraud.
l Consider the risk that other undisclosed related party relationships or
transactions may exist.


L Procedures to respond to identified related party transactions or
relationships
l Inspect contracts, agreements, etc., and evaluate the business
rationale, terms and accounting treatment thereof.
l Obtain evidence that the transactions have been authorised and
approved.
L Procedures on related party transactions conducted at arm’s length
l Compare the terms of the transactions to similar transactions with
unrelated parties.
l Engage an expert to determine the market value and terms of the
transaction.
l Compare to market terms for similar transactions.

7.2.4 Evaluate the accounting and disclosure of the identified related party
relationships and transactions
Consider whether the related party transactions and relationships have been
accounted for and disclosed correctly (in terms of the accounting framework).
Consider both the nature and size of a possible misstatement.

7.2.5 Further procedures


These will include:
l obtaining a written representation from management that all related party
relationships and transactions have been identified and appropriately
accounted for and disclosed;
l communicating any significant matters to those charged with governance;
l documenting the names and relationships of related parties in the work
papers.

8. MANAGEMENT REPRESENTATIONS
SOURCE REFERENCE: ISA 580 “Management Representations”
8.1 INTRODUCTION
Management representation letters are an important source of audit evidence
and an integral part of information obtained by the auditor. They do not, how-
ever, provide sufficient audit evidence on their own about any of the matters
they deal with and do not affect the nature and extent of other audit evidence
obtained by the auditor.

8.2 OBJECTIVE OF OBTAINING MANAGEMENT REPRESENTATION LETTERS
The auditor obtains written representations from management that they have
fulfilled their responsibilities for the preparation and presentation of the finan-
cial statements and have further provided the auditor with all the information
needed for the audit.


8.3 OBTAINING OF REPRESENTATION LETTERS


The representation letters should be requested from those members of
management who are responsible for the financial statements and have
knowledge of the matters concerned. The management representation letter
should be in writing and be addressed to the auditor.
The representations requested are:
l that management has fulfilled its responsibilities for the preparation and
presentation of the financial statements;
l that all transactions have been recorded and are reflected in the financial
statements; and
l that they provided the auditor with all relevant information needed to
perform the audit.
Other aspects for which written representations are specifically requested from
management are:
l ISA 240: Management’s responsibility in respect of fraud;
l ISA 250: Management’s responsibility in respect of laws and regulations;
l ISA 540: Management’s responsibility in respect of accounting estimates;
l ISA 550: Management’s responsibility in respect of related parties;
l ISA 560: Management’s responsibility in respect of subsequent events;
and
l ISA 570: Management’s responsibility in respect of going concern.

8.4 DATE AND PERIOD(S)


The representation letter should be dated as close as possible to, but not
after, the date of the auditor’s report.
The period covered should be the same as that of the financial statements.

8.5 AUDITOR’S CONSIDERATION WHEN DOUBT EXISTS AS TO THE RELIABILITY OF REPRESENTATIONS RECEIVED
If the auditor has concerns about management’s integrity, competence or
ethical values, he/she should consider the effect thereof on the reliability of
representations received.
If written representations are inconsistent with other audit evidence, the auditor
must perform audit procedures to attempt to resolve the matter, and if it
remains unresolved, consider:
l the effect thereof on the reliability of other representations by management
(oral and written);
l the effect on the reliability of other audit evidence; and
l the effect on the audit opinion.


8.6 AUDITOR’S RESPONSE WHEN REPRESENTATION LETTERS ARE NOT RELIABLE OR WHEN MANAGEMENT REFUSES TO PROVIDE A REPRESENTATION LETTER
If management refuses to provide the auditor with written representations when
requested to do so, the auditor must:
l discuss the matter with management;
l re-evaluate the integrity of management; and
l consider the effect thereof on the audit opinion.
If the auditor concludes that written representations by management are unre-
liable or management refuses to provide such representations:
l the auditor is unable to obtain sufficient appropriate audit evidence; and
l the auditor must qualify the audit opinion (adverse opinion, as it affects all
elements in the financial statements and is pervasive).

9. ENQUIRIES REGARDING LITIGATION AND CLAIMS


SOURCE REFERENCE: SAAPS 4 “Enquiries regarding Litigation and Claims”
ISA 501 “Audit Evidence – Specific Considerations
for Selected Items”
9.1 OBJECTIVE OF ENQUIRIES
The objective of enquiries is to obtain sufficient appropriate audit evidence
regarding:
l whether all material litigation and claims have been identified;
l the probability of any material revenue or expenses arising from such
matters and the estimated amount thereof;
l costs associated with litigation;
l the adequacy of the accounting treatment of such matters, including the
disclosure thereof in the financial statements.
This information can be obtained:
l from management (a primary source of information) since management is
responsible for implementing policies and procedures to identify, evaluate
and report on these aspects;
l by examining documents (contracts, etc.), inspecting minutes of meetings,
enquiries of employees; and
l enquiries of attorneys.

9.2 ENQUIRIES OF MANAGEMENT


Discuss with management and review the internal controls:
l for identifying litigation and claims;
l for recording the legal costs thereof and related revenue.


Obtain and discuss with management:


l a list of all litigation and claims, including the estimated financial conse-
quences thereof; and
l an analysis of legal expenses.
Obtain a written representation from management on the completeness of
outstanding litigation and claims.

9.3 EXAMINING OF DOCUMENTS


This may include:
l examining contracts, loan agreements, leases, etc.;
l reading minutes of meetings (of directors, audit committees, shareholders,
etc.);
l obtaining information from bank confirmations;
l enquiries of employees of the entity; and
l reading correspondence (e.g. with attorneys, insurers, etc.).

9.4 ENQUIRIES OF ATTORNEYS


9.4.1 Procedure for enquiry
The client should make the enquiry on a schedule prepared by the directors.
This will be at the cost of the client.
The legal adviser will then return the completed schedule directly to the auditor.

9.4.2 External versus internal legal representations


If the legal adviser is in the employment of the client, the auditor should make
such enquiries from the client’s legal representative, and consider the following
regarding the legal adviser:
l his/her independence;
l his/her reputation and experience;
l whether his/her professional rules bind them to act responsibly.
Where the client has both external and internal legal advisers, the representa-
tions should be obtained from both parties.

9.5 DISAGREEMENT WITH MANAGEMENT


If the representations of the legal advisers differ significantly from
management’s original estimate, the auditor should try to resolve the
disagreement through discussions with management and the legal advisers.
If the legal advisers place limitations on a response, the auditor should try to
resolve the issue through discussion with management and the legal advisers,
and the performance of alternative procedures.
All correspondence should be documented.
If the aspect cannot be resolved, the auditor should consider the impact on the
audit opinion.


10. RELIANCE ON THE WORK OF OTHERS


10.1 USING THE WORK OF ANOTHER AUDITOR
SOURCE REFERENCE: ISA 600 “Special Considerations – Audit of Group
Financial Statements”
10.1.1 Introduction
The auditor of the group financial statements should obtain sufficient appropri-
ate audit evidence on which to base the audit opinion of the group.
Accordingly, the group auditor should:
l determine whether to act as auditor of the group financial statements;
l communicate with component auditors about the scope and timing of their
work on the financial statements of components; and
l obtain sufficient appropriate audit evidence about the financial information
of the components and the consolidation process to express an opinion on
the group financial statements.
ISA 600 applies to the group, but the principles and guidelines can also be
applied when the auditor involves other auditors in the audit of financial
statements that are not a group.

10.1.2 Definitions
Component: An entity or business activity whose financial information is
included in the group financial statements.
Component auditor: The auditor who audits the component.
Component materiality: The materiality level for the component as determined
by the group engagement team.
Group engagement partner: The partner responsible for the group engagement
and its performance.
Group wide controls: The controls designed, implemented and maintained by
group management over reporting.
Significant component: A component identified by the group engagement team
that is:
l of individual financial significance to the group; or
l likely to include significant risk of material misstatement.


10.1.3 Responsibility
The engagement partner is responsible for:
l the decision on acceptance and continuance of the audit of the group;
l the direction, supervision and performance of the group audit
engagement; and
l the group auditor’s report.
The auditor’s report on the group financial statements accordingly should not
refer to a component auditor, unless required by law or regulation.

10.1.4 Acceptance and continuance


The engagement partner should, in considering whether to accept or continue
as auditor of the group, consider:
l whether sufficient appropriate audit evidence can be obtained on the con-
solidation process, and the financial information of components; and
l where components are audited by component auditors, whether the
engagement team will be involved in the audit of components so as to
obtain sufficient appropriate audit evidence.
If the above is not possible, the audit should be declined, and for continuing
engagements, the auditor should resign.
The acceptance or continuance of an audit should be documented in an
engagement letter together with the applicable accounting framework.

10.1.5 Understanding the group, its components and their environment


The auditor should perform procedures (risk assessment procedures) to obtain
an understanding of:
l the group, its components and their environments (including reporting
requirements, regulations, etc.);
l group wide controls (refer to Appendix 2);
l the consolidation process (refer to Appendix 2) (instructions of group
management issued, etc.); and
l the component auditors involved (standing, status, competence, inde-
pendence).
The above is necessary to:
l identify significant components; and
l identify and assess the risk of material misstatement of the group financial
statements.


10.1.6 Overall group audit strategy


The group engagement team must establish an overall group audit strategy for
the group audit as a whole. This will include:
l the overall audit approach to be followed regarding the audit of the group
and its components;
l considerations regarding the administration of the audit (timing, dates,
reporting requirements, etc.);
l as well as:
• group materiality levels;
• identifying significant and non-significant components selected to be
audited; and
• specific risks affecting the group audit and consolidated financial
statements (such as related party transactions, legislative issues, etc.).

10.1.7 Materiality
The group engagement team must determine the following:
(a) Materiality for the group financial statements as a whole
This will entail:
l establishing materiality for the group financial statements; and
l if required by specific circumstances (risks, etc.) a lower materiality for
particular classes of transactions, account balances or disclosure
(performance materiality).
(b) Component materiality
This is the materiality level established by the engagement team for indi-
vidual components for group audit purposes (this will be lower than group
materiality).
NOTE: Where a component is required to be statutorily audited, the
statutory auditor (who will normally also be the component audi-
tor) will set its own materiality for purposes of the statutory audit.
Thus, the component auditor might have two materiality levels:
l one for statutory audit purposes; and
l one for group audit purposes.
(c) Threshold level
This is the level above which misstatements (unadjusted audit differences)
should be reported to the group auditor. All unadjusted audit differences
from components will be considered together to assess the cumulative
effect thereof on the group financial statements.


10.1.8 Identifying and responding to the risk of misstatements at the group level
L Risk of material misstatements of the group financial statements
(Appendix 3)
These will be the risks relating to the group, its components, etc., and
include aspects such as:
• complex group structures;
• weak corporate governance structures;
• non-effective group controls;
• business activities of components in foreign jurisdictions;
• business activities of components involving high risks, etc.;
• related party transactions;
• etc.
L Responding to the risk
The auditor should assess the risk and then respond thereto.
This will affect:
• materiality levels for the group components;
• the identification and audit of significant components, and non-signifi-
cant components; and
• the nature, timing and extent of procedures on the consolidation pro-
cess.
NOTE: When the nature, timing and extent of the audit work to be performed
on the consolidation process, or financial information of components,
are based on an expectation that group controls are operating
effectively, or when substantive procedures alone cannot
provide sufficient appropriate evidence, the group engagement
team must test or request component auditors to test such controls.
L Significant components
These will be components identified by the engagement team as significant,
based on:
• their individual financial significance to the group: this can be a per-
centage, for example 15% of revenue or assets, or an amount – based
on group materiality levels; or
• the significant risk of material misstatement of those components to the
group financial statements.
For significant components, the engagement team must ensure one or more
of the following:
• an audit of the financial statements of the component using component
materiality; or
• an audit of one or more account balances or transactions of
components; or
• specific procedures to address the significant risk identified.
L Non-significant components
These will be audited through analytical review.
The auditor should also consider selecting non-significant components to
audit (by the auditor or by a component auditor).

10.1.9 Consolidation process


This will be tested by:
l testing the operating effectiveness of the group wide controls over the
consolidation process;
l further audit procedures to respond to identified risks (e.g. to ensure all
financial information is included);
l testing consolidation workings and adjustments; and
l testing the accounting treatment and adjustments (in terms of the finan-
cial reporting framework).
The auditor should also consider any subsequent events that occurred at
components or group levels.

10.1.10 Evaluating audit evidence obtained


This will include considering the sufficiency and appropriateness of the work
of component auditors (refer to 10.1.13 below).

10.1.11 Communicating with those charged with governance


The engagement team should report to those charged with governance
(board, audit committee) on the results of the audit performed, findings, risks
and other relevant aspects.

10.1.12 Documentation
The auditor must document the following:
l an analysis of components identified as significant, and the work
performed thereon;
l the engagement team’s involvement in work performed by component
auditors, etc.; and
l written communication between the engagement team and the compo-
nent auditors.

7–39
Dynamic Auditing

10.1.13 The principal auditor’s procedures in relation to component or other


auditors
1. Consider the professional competence and independence of the other auditors in the context of the specific assignment.
Consider factors such as:
• membership of professional organisations;
• membership or affiliation with the same firm of auditors;
• professional bodies to which the other auditors belong; and
• the other auditor’s system of quality management and the effectiveness thereof.
NOTE: Where serious doubt exists regarding the independence of the auditors, reliance will not be placed on their work.
2. Advise the other auditors of aspects such as:
• the independence requirements regarding both the entity and the
component;
• the use that is to be made of the other auditors’ work;
• the accounting, auditing and reporting requirements that apply;
• the component materiality;
• identified significant risks for the group financial statements, relevant
to the component;
• the information to be communicated to the group auditors (e.g.
independence issues, risks, misstatements, etc.);
• the co-ordination and planning of the work; and
• the timetable for completion of the work.
3. Perform procedures to obtain sufficient appropriate audit evidence that the work of the other auditors is sufficient for the principal auditors’ purposes.
The nature, timing and extent of the procedures will depend on the circumstances of the engagement and the principal auditors’ knowledge of the professional competence of the other auditors.
The procedures to assess the other auditors’ work should entail the following:
• direct discussion with the other auditors of the procedures performed;
• review of questionnaires and checklists prepared by the other auditors;
• review of the other auditors’ working papers;
• review of written summaries prepared by the other auditors;
• discussions with and enquiries of the directors or management of components; and
• analytical procedures on the financial statements of components.
4. Perform procedures on the findings of the auditors:
• discuss the findings with the other auditors and management; and
• test the accounting records of the component, if necessary. Such tests can be performed, depending on the circumstances, by the principal auditor or the other auditors.

10.1.14 Reporting considerations


The principal auditor should not refer to the other auditors in an unqualified
audit report.
If the principal auditors cannot rely on the other auditors’ work and cannot
rectify the situation by conducting additional audit procedures, and it has a
material effect on the financial statements, they must qualify or withhold their
opinion.
If the other auditors qualify or withhold their opinion, the principal auditors
must consider the effect thereof on the statements that the principal auditors
have to report on.
Also consider whether any reportable irregularities at subsidiary level exist
that may impact on the group audit.

10.2 USING THE WORK OF INTERNAL AUDITORS


SOURCE REFERENCE: ISA 610 “Using the Work of Internal Auditors”
The standard deals with the external auditor’s responsibilities when using the work of internal audit, either by:
• relying on the work of the internal audit function in obtaining audit evidence; or
• using the internal audit staff to provide direct assistance under the direction, supervision and review of the external auditor (thus being part of the external audit team).
Relying on the work of internal audit, or using internal auditors to provide direct assistance, remains a decision of the external auditor. It might, however, be beneficial to do so, as it can:
• help to increase the external auditor’s understanding of the entity and its environment, and the identification and assessment of the risk of material misstatement, as well as create an environment where the external auditor can be informed by internal audit regarding significant matters that affect their work;
• increase the effectiveness and efficiency of the external audit process; and
• result in cost savings and improve the economics of the audit.

10.2.1 Definitions and functions


Internal audit: An appraisal activity established by the entity or provided as a service to the entity. These functions typically include assurance and consulting activities designed to evaluate and improve the effectiveness of the entity’s governance processes, risk management and internal control.
Scope of the work: Internal audit activities include one or more of the following:
• Activities relating to governance
  – Assessing the governance process in its accomplishment of objectives on ethics and values, performance management and accountability, communicating risk and control information to appropriate areas of the organisation and effectiveness of communication among those charged with governance, external and internal auditors, and management.
• Activities relating to risk management
  – Assist the entity in identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and internal control (including effectiveness of the financial reporting process).
  – Performance of procedures to assist the entity in the detection of fraud.
• Activities relating to internal control
  – Evaluation of internal control
    The internal audit function may be assigned specific responsibilities for reviewing controls, evaluating their operation and recommending improvements thereto. In doing so, the internal audit function provides assurance on the control. For example, the internal audit function might plan and perform tests or other procedures to provide assurance to management and those charged with governance regarding the design, implementation and operating effectiveness of internal control, including those controls that are relevant to the audit.
  – Examination of financial and operating information
    The internal audit function may be assigned to review the means used to identify, recognise, measure, classify and report financial and operating information, and to make specific inquiry into individual items, including detailed testing of transactions, balances and procedures.
  – Review of operating activities
    The internal audit function may be assigned to review the economy, efficiency and effectiveness of operating activities, including non-financial activities of an entity.
  – Review of compliance with laws and regulations
    The internal audit function may be assigned to review compliance with laws, regulations and other external requirements, and with management policies and directives and other internal requirements.

10.2.2 Relationship between internal and external audit


External audit:
• stands independent of the entity and is solely responsible for the audit opinion;
• the primary concern is to determine whether the financial statements are free from material misstatements.
Internal audit:
• is a management function whose objectives are determined by management, and accordingly it is not independent of the entity.
An internal audit may be viewed as an internal control in its own right. The external auditor would consider the effect that the existence and functioning of the internal audit will have on the risk of material misstatements. A strong internal audit function will reduce the risk, while a weak internal audit function will offer no such benefit. The work of the internal auditor can thus have an influence on the nature, timing and extent of the external auditor’s overall audit strategy and audit plans.

10.2.3 Relying on the work of the internal audit function

If the external auditor wishes to place reliance on the work of the internal audit function, he/she will need to review the adequacy of the function and test their work.
Where the external auditor determines that the work performed by the internal audit function is likely to be relevant to the audit (in accordance with ISA 315, understanding the entity including its controls), the external auditor must:
• consider to what extent to use the internal audit work;
• assess the adequacy of the internal audit function;
• coordinate the work of the internal audit function with that of external audit; and
• test the internal audit’s work, if the external auditors want to rely thereon.

10.2.3.1 Consider to what extent to use the internal audit work


Areas of work of the internal audit function that can be used by the external auditor
These include the following:
• testing of the operating effectiveness of controls;
• substantive procedures involving limited judgment;
• observations of inventory counts;
• tracing transactions through the information system relevant to financial reporting;
• testing of compliance with regulatory requirements;
• in some circumstances, audits or reviews of the financial information of subsidiaries that are not significant components to the group.
Areas where external audit will rely less on the work of the internal audit
To prevent undue use of the work of the internal audit function, the external auditor shall plan to use less of the work of the internal audit function and perform more of the work directly where:
• more judgment is involved in planning and performing relevant audit procedures and evaluating the audit evidence gathered;
• there is a higher assessed risk of material misstatement at the assertion level, with special consideration given to risks identified as significant;
• the internal audit function’s organisational status and relevant policies and procedures do not adequately support the objectivity of the internal auditors; and
• the level of competence of the internal audit function is low.
Circumstances when the work of the internal audit function cannot be used
The external auditor shall not use the work of the internal audit function where:
• the function’s organisational status and relevant policies and procedures do not adequately support the objectivity of internal auditors;
• the function lacks sufficient competence; or
• the function does not apply a systematic and disciplined approach, including quality control.
In other words, the work cannot be used where the risk relating to the quality of the work of the internal audit function is too significant for it to be relied upon.
External auditor providing internal audit services
A self-review threat is created when the audit firm performs internal audit services for an external audit client.
• This is because of the possibility that the engagement team will use the results of the internal audit service without properly evaluating those results or without exercising the same level of professional scepticism as would be exercised when the internal audit work is performed by individuals who are not members of the firm.
The Codes of Conduct of SAICA and IRBA discuss the prohibitions that apply in certain circumstances and the threats and the safeguards that can be applied to reduce the threats to an acceptable level in other circumstances.

10.2.3.2 Evaluating the internal audit function


Aspects to consider in the evaluation of the internal audit function
• Objectivity:
  – the status of the internal audit function in the entity (e.g. who does the internal auditor report to, namely those charged with governance or management);
  – whether the internal auditor is free from any conflicting responsibilities (e.g. management or operational duties);
  – whether those charged with governance (audit committee) oversee the employment decisions related to the internal audit function;
  – any constraints or restrictions placed on the internal audit function by management or those charged with governance; and
  – whether internal auditors are members of professional bodies whose membership supports professional standards relating to objectivity.
• Technical competence and skills:
  – whether the function is properly resourced;
  – established policies for hiring, training and assignment of staff to engagements;
  – technical training and proficiency in auditing;
  – knowledge of internal audit relating to the entity’s financial reporting framework and skills to perform work related thereto; and
  – membership of relevant professional bodies.
• Application of a systematic and disciplined approach to the work:
  Whether the internal audit function follows a systematic and disciplined approach to planning, performing, supervising, reviewing and documenting its work and activities. Factors to consider include:
  – existence and use of audit guides, work programmes, working papers, documentation of the work, etc.;
  – compliance with relevant quality control policies and procedures.

10.2.3.3 Co-ordination and liaison with the internal audit function


If the external auditor plans to rely on the work of the internal audit function, there must be a discussion of the planned use of their work for the year at the earliest stage possible.
Aspects to agree upon and to co-ordinate will include:
• timing of such work;
• nature of the work performed;
• extent of audit coverage;
• materiality for the financial statements as a whole and performance materiality;
• methods of selecting items and sampling sizes;
• documentation of work performed;
• review and reporting procedures.
Effective coordination will require:
• discussions at regular intervals throughout the year;
• that external auditors are given access to internal audit reports;
• that external auditors are informed by internal auditors of findings/conditions that may affect the external audit.

10.2.3.4 Evaluation and testing the adequacy of the internal audit function’s work
The external auditor should evaluate and test the work of the internal audit before reliance can be placed thereon.
Nature and extent of testing
This will depend on the external auditor’s evaluation of:
• the amount of judgment involved;
• the assessed risk of material misstatement;
• the extent to which the internal audit function’s organisational status and relevant policies and procedures support the objectivity of the internal auditors; and
• the level of competence of the function.
Testing of the work
This may include:
• making inquiries of appropriate individuals within the internal audit function;
• observing procedures performed by the internal audit function;
• reviewing the internal audit function’s work program and working papers;
• re-performance: testing and execution of items already assessed by the internal audit (testing similar items or items already assessed).
Aspects to consider during evaluation
This will include considerations of whether or not:
• the work is performed by persons having adequate technical training and proficiency as internal auditors, and whether the work of assistants is properly supervised, reviewed and documented;
• conclusions are supported by sufficient appropriate audit evidence;
• conclusions are applicable; and
• exceptions or unusual matters disclosed by the internal audit are properly resolved.

10.2.4 Using internal audit staff to provide direct assistance


Where appropriate, the external auditor can use the internal auditors to provide direct assistance to them during the audit. This will entail using the internal audit staff to perform audit procedures under the direction, supervision and review of the external auditor.

10.2.4.1 Determining whether internal audit staff can be used to provide direct
assistance
The external auditor should consider:
• whether there are significant threats to the objectivity of the internal auditors, such as:
  – a lack of organisational status and support for the external audit;
  – family and personal relationships other than normal employment conditions;
  – association with a division or department to which the work relates;
  – significant financial interests in the entity, other than normal remuneration.
• that they might lack sufficient competence, which could prohibit using them to provide direct assistance. Aspects to consider in this regard include:
  – whether the function is properly resourced;
  – policies for hiring, training and assignment of staff to engagements;
  – their technical training and proficiency in auditing;
  – their knowledge of internal audit relating to the entity’s financial reporting framework and skills to perform work related thereto; and
  – their membership of relevant professional bodies.
The external auditor shall not use internal auditors to provide direct assistance to perform procedures that:
• involve making significant judgments in the audit (e.g. auditing significant provisions);
• relate to higher assessed risks of material misstatement where the judgment required in performing the audit procedures or evaluating the audit evidence is more than limited;
• relate to work with which the internal auditors have been involved and which has already been, or will be, reported to management or those charged with governance by the internal audit function; or
• relate to decisions the external auditor makes regarding the internal audit function and the use of its work or direct assistance.

It would also not be appropriate to use internal auditors for:
• discussing fraud risks with client staff. The external auditor should, however, make enquiries of the internal audit regarding such risks in the organisation;
• determination of unannounced audit procedures;
• performing and obtaining external confirmations (the external auditor should maintain control thereof).
The external auditor’s use of internal audit staff should not be excessive and the external auditor should be sufficiently involved in the audit at all times.

10.2.4.2 Requirements and external auditor response for using internal audit staff
When using internal audit staff, the external auditor should:
• obtain written agreements from:
  – an authorised representative of the entity that the internal auditors will be allowed to follow the external auditor’s instructions, and that the entity will not intervene in the work the internal auditor performs for the external auditor; and
  – the internal audit staff that they will keep confidential specific matters as instructed by the external auditor and inform the external auditor of any threat to their objectivity.
• direct, supervise and review the work performed by internal auditors on the engagement as required for external audit staff per ISA 220 for quality control on audits;
• document in the working papers:
  – the evaluation of the existence and significance of threats to the objectivity of the internal auditors;
  – the level of competence of the internal auditors used to provide direct assistance;
  – the basis for the decision regarding the nature and extent of the work performed by the internal auditors;
  – who reviewed the work performed and the date and extent of that review;
  – the written agreements obtained from an authorised representative of the entity and the internal auditors;
  – the working papers prepared by the internal auditors who provided direct assistance on the audit engagement.

10.3 USING THE WORK OF AN EXPERT


SOURCE REFERENCE: ISA 620 “Using the Work of an Audit Expert”
10.3.1 Introduction
The auditor is an expert in the field of accounting and auditing and business matters in general, but it is not expected of the auditor to be an expert of other professions or occupations such as, for example, an engineer. It may thus be necessary for the auditor to rely on the work of an expert in relation to aspects that might affect the financial statements on which he/she has to express an audit opinion.
Where the auditor is to rely on the work of an expert, the auditor should obtain sufficient appropriate audit evidence that such reliance is justified.
The auditor should consider the following in relation to the expert:
• whether reliance is justified, considering the expert’s competence, capabilities and objectivity;
• the scope of the expert’s work; and
• adequacy of the expert’s work.

10.3.2 Appointment of an expert


The expert may be an internal expert such as a partner or staff member of the
firm, or network firm. Such a person will be subject to the firm’s system of quality
control. The expert may also be an external expert appointed by the auditor.
If the expert is an employee of the auditor, he/she acts in his/her capacity as an
expert and not as an assistant. The auditor will still need to apply procedures on
his/her work and findings.

10.3.3 Using the work of an expert


• Definition of an expert
  A person or firm possessing special skills, knowledge and experience in a particular field other than auditing or accounting, whose work is used to assist the auditor to obtain sufficient appropriate audit evidence.
• Examples of circumstances where reliance will be placed on the work of an expert
  These include aspects such as valuation of assets, financial instruments, determining of quantities and legal opinions.
• Factors to consider in determining the need to use an expert
  When determining the need to use the work of an expert, consider:
  – the need for an expert to assist the auditor in understanding the entity and its controls and in identifying risks;
  – whether management used an expert to assist them in preparing the financial statements;
  – the materiality of the financial statement item being considered;
  – the risk of misstatements based on the nature and complexity of the item being considered; and
  – the quality and quantity of other evidence available.
• Understanding the field of expertise
  The auditor should obtain an understanding of the expert’s field of expertise. This will be done through enquiries, reading of relevant literature and experience.

10.3.4 Factors to consider in order to determine to what extent reliance can be placed on the expert’s work

• Assess the expert’s competence and capabilities. Consider:
  – qualifications, membership of professional bodies, etc.;
  – experience and expertise.
• Consider the expert’s independence and objectivity.
  – The information on the above can be obtained from:
    – personal experience with the expert’s work;
    – discussions with the expert;
    – discussions with other auditors familiar with the expert’s work;
    – knowledge of the expert’s qualifications, etc.; and
    – published papers, books, etc.

10.3.5 Scope of the expert’s work


The auditor must agree to the following with the expert (in an engagement letter):
• the nature, scope and objectives of the work;
• the objectives and responsibilities of the auditor and the expert;
• the nature, timing and extent of communication between the expert and the auditor, and the form of the report on the work of the expert; and
• the expert’s duty to observe confidentiality requirements.

10.3.6 Evaluating the adequacy of the expert’s work


The auditor should assess the appropriateness of the expert’s work as audit evidence regarding the financial statement assertions being considered, by:
• considering the appropriateness of the expert’s findings based on the auditor’s knowledge of the business and the results of other audit procedures. This can be done by (procedures):
  – enquiries of the expert;
  – review of the expert’s working papers;
  – corroborative procedures, such as observing the expert’s work, confirming matters with third parties, etc.;
  – analytical procedures on the expert’s findings; and
  – re-performing calculations.
• methods and assumptions:
  – obtaining an understanding of the methods and assumptions used by the expert;
  – considering whether the methods and assumptions are appropriate and reasonable; and
  – considering whether the methods and assumptions were applied consistently compared to prior periods.
• testing the source data used by the expert:
  – enquiry regarding the procedures performed by the expert to ensure that the data is sufficient, appropriate and reliable; and
  – reviewing and testing the data used by the expert.
• if the auditor is not satisfied, he/she should:
  – discuss the matter with the expert and the entity;
  – perform additional procedures;
  – appoint a second independent expert if necessary; and
  – qualify his/her audit report, if necessary.

10.3.7 Reference to the expert in the audit report


Unqualified opinion: No reference, as it may be interpreted incorrectly as a qualification of the report.
Qualified opinion: May refer to the expert and his/her work, if necessary to understand the qualification, provided:
• the expert consented thereto; and
• if he/she refuses, obtain legal advice.

11. COMPARATIVES
SOURCE REFERENCE: ISA 710 “Comparative Information – Corresponding Figures and Corresponding Financial Statements”
11.1 INTRODUCTION
Comparative information may be presented in two ways, namely:
• as corresponding figures for the previous period included as part of the current period’s financial statements; or
• as separate comparative financial statements.
In South Africa, comparatives are normally presented as part of the current period’s financial statements.

11.2 THE AUDITOR’S RESPONSIBILITIES IN RELATION TO COMPARATIVE INFORMATION
The auditor should evaluate whether the comparative figures are fairly presented by considering whether:
• The accounting policies applied in the prior year agree with those of the current year, and, if not, whether appropriate changes were made and adequately disclosed.
• The comparative figures agree with the amounts and disclosure of the prior year’s financial statements.
• Relating to opening balances, the following:
  – Prior year’s statements audited by another auditor:
    Still perform procedures above, together with the procedures listed in ISA 510 – Opening balances.
  – Prior year’s statements not audited:
    Still perform procedures above, together with the procedures listed in ISA 510 – Opening balances.
• In relation to material misstatements in comparative figures:
  – If the auditor becomes aware during the current year’s audit of possible material misstatements in the comparative figures, he/she should perform additional audit procedures to determine whether they exist.

11.3 REPORTING
11.3.1 Prior year’s statements unqualified
No reference is made in the auditor’s report to the comparative figures.

11.3.2 Prior year’s auditor’s report was qualified, and the matter is still unresolved in the current year
• If it affects the current period’s statements, qualify the audit opinion in relation to both years.
• If it doesn’t affect the current year’s statements, qualify the audit opinion only in relation to the comparatives.

11.3.3 Prior year’s auditors’ report was qualified, but the matter is properly dealt
with and resolved in the current year
No reference to prior qualification, but, if material in respect of current year,
deal with it in an emphasis of matter paragraph.

11.3.4 Material misstatements detected during the current year’s audit which
existed in the prior year’s financial statements
• Comply with the auditing statement on subsequent events (ISA 560).
• Where the matter has been resolved and the comparatives restated, the auditor must ensure that the comparatives agree with the amended financial statements, and further obtain a written representation from management in this regard.
• Where comparative figures contain material misstatements and the corresponding figures have not been restated or appropriate disclosures have not been made, the auditor’s opinion on the current period’s financial statements must be modified in respect of the comparative figures.

11.3.5 Prior period audited by another auditor


If the prior year figures were audited by another auditor and the auditor is not prohibited by law or regulation from referring to the predecessor auditor, the current auditor may do so in an “Other Matter” paragraph, stating:
• that the financial statements of the prior year were audited by the predecessor auditor;
• the type of opinion expressed; and
• if modified, the reason therefor and the date of that report.

11.4 COMPARATIVE FIGURES PRESENTED IN A SEPARATE SET OF FINANCIAL STATEMENTS
This represents the practice where comparatives are not included in the current period’s financial statements but are presented as a separate set of financial statements. It is not generally applied in South Africa, although it is accepted practice internationally.
The auditor’s considerations and responsibilities remain the same in relation to the comparatives.
The auditor, however, reports separately on each period’s financial statements.

12. EXTERNAL CONFIRMATIONS FROM FINANCIAL INSTITUTIONS

SOURCE REFERENCE: SAAPS 6 “External Confirmations from Financial Institutions”

12.1 INTRODUCTION
The purpose of external confirmations from financial institutions is to obtain information directly from such institutions to confirm bank balances, details of foreign exchange contracts, pledges, details of covenants, contingent liabilities and other related aspects.
The request should be sent to the bank timeously and the necessary authority should be given to the bank by the client to furnish the auditor with the information.
The auditor should consider the reliability of the confirmation received, namely whether it is received from a reliable source, authentic and complete. The confirmation can be on paper (e.g. a certificate or letter) or an electronic confirmation such as a fax or email. Where necessary, the auditor should further corroborate the confirmation with other audit evidence obtained.

12.2 INFORMATION CONFIRMED BY THE BANK


This includes, inter alia, the following:
• details of pledges or ceded balances and collateral provided;
• details of agreements between the institution and the client limiting the client’s total borrowings;
• details of other covenants restricting the client’s ability to borrow;
• balances on current, deposit, savings, loans and other accounts;
• interest paid/received and interest rates;
• available overdraft facilities;
• details of deeds/pledges provided as security to the bank;
• agreements with the bank regarding the client’s borrowings;
• details of bills, discounting, etc.;
• client’s contingent liabilities in respect of guarantees, forward contracts, bills discounted, etc.;
• authorised signatories; and
• accounts closed during the year of which the bank is aware.

13. SPECIAL AUDIT SITUATIONS

Joint audits
This entails an audit in which the auditor is appointed together with another auditor to report on the same set of financial statements.
The auditor needs to consider accepting the engagement after:
• evaluating the potential client by means of the normal pre-engagement procedures; and
• the professional status and independence of the joint auditor have been evaluated.
Aspects to consider regarding the audit work include, inter alia:
• the planning of the audit and the formulation of an audit approach;
• the division and rotation of work between firms; and
• a review of the other auditor’s work.
Joint auditors are jointly and severally liable for the audit opinion expressed.
Client with multiple locations
This entails the audit of an undertaking which operates from various locations, such as a retailer with many outlets.
The audit approach strategy to address these multiple locations may entail:
• the audit of the head office; with
• the audit of a selection of locations, by means of:
  – a comprehensive audit;
  – a systems audit;
  – a balance sheet audit; or
  – a review audit.
Aspects to consider on the choice of locations to audit are:
• statutory requirements;
• client requests;
• materiality/relative size of locations;
• risks;
• work done by internal audit, etc.; and
• other relevant facts or circumstances affecting the audit.

8 ENGAGEMENT AND PLANNING ACTIVITIES

1. Engagement activities: Acceptance and continuance of client relationships
1.1 Introduction
1.2 Obtaining of engagement acceptance information
1.3 Engagement activity procedures (framework)
1.4 Engagement letters
2. Planning of the audit
2.1 Overall audit planning
2.2 Detailed audit planning at the assertion level for individual classes of transactions, account balances and disclosures
3. The audit plan
4. Audit considerations relating to an entity using a service organisation

CHAPTER 8: Engagement and planning activities

1. ENGAGEMENT ACTIVITIES: ACCEPTANCE AND CONTINUANCE OF CLIENT RELATIONSHIPS

SOURCE REFERENCE: ISA 220 (revised) “Quality Management for an Audit of Financial Statements”
ISA 300 “Planning an Audit of Financial Statements”
ISQM 1 “Quality Management for Firms that Perform Audit or Reviews of Financial Statements, or Other Assurance or Related Services”
ISQM “Engagement Quality Reviews”

1.1 INTRODUCTION
You will recall from chapter 5 that auditors need to perform engagement activities to evaluate the acceptability of new clients or to consider the ability or willingness to continue as auditors for existing clients. This is done to limit the auditor’s risks by not accepting unsatisfactory clients where the firm’s professional reputation may suffer considerable damage due to negative publicity because of lawsuits or client failures. It is also done to ensure that audit firms only accept and retain clients for whom they can provide a professional and quality service.

1.1.1 Risks to the audit firm of unacceptable clients


The audit firm should carefully select its clients to limit the following risks and
exposures:
L Legal liability
This will result from lawsuits against the audit firm as a result of company
failures, which are somehow seen as audit failures.
L Reputational damage
This stems from negative publicity and damage to the audit firm’s good
name and reputation by being associated with a specific client. This might
result from fraudulent financial reporting and corporate failures, clients’
involvement in illegal and unlawful activities, etc.

1.1.2 Providing a quality audit


Auditors should only take on an engagement if they have the skills, competence,
necessary staff and experience to provide an effective and efficient audit. This is
a requirement of ISQM 1 and ISA 220.

1.1.3 Regulatory, statutory and ethical considerations


The auditor should take on a client only if all the ethical, professional, statutory and regulatory requirements have been met. Failing to comply with the codes of professional conduct of the relevant institutes and professional and statutory bodies (e.g. IFAC, SAICA, IRBA, etc.), as well as the ISAs, might result in disciplinary action, penalties and even suspension from public practice.
Practice reviews conducted by IRBA staff will also evaluate whether the audit
firm as a whole, and the audit partner for an individual client, complied with the
laid down quality control requirements of ISQM 1, ISQM 2 and ISA 220.
1.1.4 Responsibility for client acceptance and continuance decisions
The audit firm is responsible for establishing policies and procedures for the
acceptance and continuance of client relationships and specific engagements.
At the audit level the engagement partner is responsible for the quality of the
audit and for appropriate conclusions reached regarding client acceptance
and continuance.

1.2 OBTAINING OF ENGAGEMENT ACCEPTANCE INFORMATION


1.2.1 Method and timing of obtaining information: Risk assessment procedures
The auditor should obtain information about clients before acceptance of the engagement for new clients, or before the start of the current year’s audit for existing clients.
Information will be obtained through the performance of risk assessment procedures consisting of:
● enquiries of management and others inside and outside the entity;
● observation and inspection; and
● analytical review.
These are dealt with in more detail in sections 1.2.2 and 1.2.3.
1.2.2 New clients
The auditor normally obtains information of a general nature from a wide range
of sources to evaluate and screen a new prospective client.
The sources available to the auditor include:
● communication with predecessor auditors;
● enquiry of client personnel (boards, audit committees, management, etc.);
● enquiry from third parties (e.g. bankers, lawyers, analysts, etc.);
● if the client is listed, enquiry from the regulator on the results of the firm’s proactive monitoring outcomes;
● enquiry from other auditors with similar clients in the industry;
● press and media coverage of the client; and
● background searches of relevant databases, etc.
The above information will be used to screen a new client and to consider
whether or not to accept the engagement.
1.2.3 Existing clients
When considering continuance as auditors for existing clients, the auditor
would normally be in a good position to have access to all the information
required. This will normally be available from the current or previous year’s
audit files and the experience gained during previous audits and dealings with
the client.

The auditor should consider whether any changes occurred regarding the
client that might affect the ability to continue as their auditors, for example:
● takeovers and mergers, resulting in conflict of interest with other clients;
● factors affecting the auditor’s independence (e.g. family and friendship relationships); and
● changes in owners/shareholders, management, directors, business practices, litigation status, etc., resulting in additional risks.

1.2.4 Documentation
The procedures performed, information obtained and conditions regarding
acceptance of a new client, or continuance with an engagement for existing
clients, should be documented in the working papers.

1.3 ENGAGEMENT ACTIVITY PROCEDURES (FRAMEWORK)


Step 1: Perform a client investigation (client screening)
1.1 Consider: The independence of the auditor
The auditor will need to consider the engagement team’s independence in respect of the client.
The auditor will need to give consideration to aspects that are or can be seen as threats to the team’s independence and objectivity. Such factors are prescribed in the Code of Professional Conduct (e.g. personal or family relationships, financial interests in clients, etc.).
1.2 Consider: The integrity of the client (risk of the client and management’s integrity)
This entails considerations to determine whether the risk attached to the appointment is at such a level that the auditor can accept the appointment or continue therewith.
Matters that the firm considers include, for example:
● the integrity and business reputation of the client’s principal owners, key management, related parties and those charged with its governance;
● the prospective client’s corporate governance practices and commitment to ethical business conduct;
● the nature of the client’s operations, including its business practices;
● information concerning the attitude of the client’s principal owners, key management and those charged with its governance towards such matters as aggressive interpretation of accounting standards (to ensure maximum financial performance) and the internal control environment;
● the client’s solvency level or plans for future developments, such as retrenchments, cutbacks, proposed listings, takeovers or mergers;
● whether the client has a history of lawsuits, non-compliance with laws and regulations, unfavourable press reports, late financial statements, qualified audit opinions and frequent changes of auditors;
● whether the client is aggressively concerned with maintaining the audit firm’s fees as low as possible;
● indications of an inappropriate limitation in the scope of the auditor’s work;
● indications that the client might be involved in money laundering or other criminal or illegal activities; and
● the reasons for the proposed appointment of the firm and non-reappointment of the previous firm.
The extent of knowledge a firm will have regarding the integrity of a
client will generally grow within the context of an ongoing relationship
with that client.
1.3 Consider: Changes in the entity for existing clients
Consider changes in circumstances of clients which may affect the
ability to continue with the engagement as auditors. This might result
from such issues as changes in owners or management, problems
encountered during previous audits, etc.
1.4 Consider: Information obtained from communication with the predecessor auditor
In terms of the Code of Professional Conduct, the auditor should:
● enquire from the client whether the existing auditors were informed of the intention to replace them;
● enquire whether the existing auditors were given permission to discuss the client’s affairs with the new auditor;
● obtain the client’s permission to contact the existing auditors and enquire about professional reasons/circumstances not to accept the engagement; and
● if the client refuses this, the engagement should not be accepted, unless there are good reasons for the refusal.
1.5 Consider: Financial responsibility of the client
This consists of business considerations such as the client’s ability
and willingness to pay the audit fee.
1.6 Consider: The legal procedures in respect of the engagement
Before accepting the engagement, the auditor should ensure that a
vacancy exists, that is to say, the predecessor auditor had resigned
or had been legally removed.

Step 2: Determine the skills and competence requirements for the engagement (auditor requirements)
The firm and the engagement partner should consider if the audit firm and the engagement team have the capabilities, competence, time and resources to accept an engagement for a new client, or to continue as auditor for an existing client.
Matters for consideration should include whether:
● firm personnel have knowledge of the relevant industries or subject matters;
● firm personnel have experience of relevant regulatory and financial reporting requirements, or have the ability to obtain the necessary skills and knowledge;
● the firm has the respective Information Technology skills and experience required for the audit;
● the firm has sufficient personnel with the necessary skills, competencies and expertise;
● experts are available, if needed; and
● the audit deadline can be met.
Step 3: Establish the terms of the engagement
All new engagements and changes in existing engagements (or additional work) have to be confirmed in writing through an engagement letter. This establishes a contractual relationship and should remove any misunderstanding that may exist.
A copy of the engagement letter and confirmation of receipt thereof
must be filed in the working papers.

1.4 ENGAGEMENT LETTERS


SOURCE REFERENCE: ISA 210 “Agreeing the Terms of Audit Engagements”
1.4.1 Purpose of engagement letters
Engagement letters should be issued for audit engagements and other services to avoid any misunderstandings between the client and the auditor with respect to the engagement. They record the auditor’s acceptance of the engagement, his/her responsibilities to the client, the objective and scope of the audit, and the format of any reports.
1.4.2 The issue of engagement letters
An engagement letter should be issued for each audit or other engagement.
For recurring audits, the letter need not be issued each year unless the auditor
finds:
● indications that the client does not understand the objective and scope of the audit;
● that special or significant changes occurred in the terms of the engagement;
● that changes in senior management or the board took place;
● that a significant change in ownership took place;
● that significant changes took place regarding the nature and size of the entity’s business;
● that a change in legal or regulatory requirements occurred; and
● that a change in the financial reporting framework adopted in the preparation of the financial statements occurred.

1.4.3 Contents of engagement letters


● Letterhead, address, salutation, introductory paragraph:
• confirmation of acceptance of the engagement.
● Differentiate between audit, accounting and other services.
● Required information:
• the objective and scope of the audit;
• the responsibilities of the auditor; and
• the responsibilities of management and the identification of the financial reporting framework.
● Additional information:
• reporting to management;
• representations by management;
• arrangements in respect of documents to be issued with the financial statements;
• fees; and
• acknowledgement of receipt.
● Additional information where applicable:
• arrangements in terms of the audit of subsidiaries (other auditors);
• arrangement in terms of internal auditors;
• first audit engagement – arrangements in respect of the predecessor auditor;
• limiting the auditor’s liability where applicable;
• other agreements/services rendered; and
• arrangements in terms of planning the audit.
● The auditor’s responsibility for reporting reportable irregularities to IRBA and the impact thereof on the audit report.
● Signed and dated.

1.4.4 Accepting a change in the terms of the audit engagement


The auditor shall not agree to a change in the terms of the engagement where
there is no justification for doing so.

Where the auditor is requested to change the engagement to a lower level of assurance before the completion of the engagement:
● the auditor should consider the reasons and justifications therefor and issue a new engagement letter if the change is considered acceptable; and
● where the auditor is unable to agree to a lower level of assurance and is not permitted by management to continue with the original engagement, he/she should withdraw from the engagement and consider any legal or regulatory obligations to report the circumstances to other parties.

2. PLANNING OF THE AUDIT


SOURCE REFERENCE: ISA 300 “Planning an Audit of Financial Statements”
ISA 315 (revised) “Identifying and Assessing the Risk of Material Misstatement”
ISA 330 “The Auditor’s Response to Assessed Risks”

2.1 OVERALL AUDIT PLANNING


This relates to the planning of the audit as a whole for an engagement. The result will be an effective and efficient audit performed as a whole. After the planning of the audit at the overall financial statement level and the establishment of an overall audit response, detailed planning will be done for the audit of each significant class of transaction, account balance and disclosure (this will be documented in the audit plan for the significant class of transactions, account balances and disclosure).

2.1.1 Introduction
Planning the audit is not a discrete phase of the audit, but rather a continuous
process that often begins after accepting the audit engagement for new clients,
or shortly after completing the current audit engagement for existing clients.
L Extent of planning
The extent of planning will vary according to the size of the business, the
complexity of the audit and the auditor’s knowledge and experience of the
entity.
L The benefits of planning
The auditor has to plan the audit effectively so that:
• appropriate attention is devoted to areas of significance to the audit;
• potential problem areas are identified and timeously resolved;
• the audit is organised and managed in an effective and efficient manner;
• the engagement team members with the appropriate experience and expertise are allocated to the audit;
• work is properly delegated to the engagement team members; and
• work performed by other auditors and experts is properly planned and co-ordinated.
L Persons responsible for planning the audit
The audit should be planned, and the overall response (audit plan or audit strategy) finalised by a person or persons with the relevant knowledge, skills and experience:
• this would normally be somebody at a senior level, for example an audit senior or manager/partner; and
• the engagement partner should also approve the overall audit response. (Note that different terminology is used in various ISA statements as well as in practice by the audit firms for the response to the audit as a whole, whether it is called an Audit Plan, Audit Strategy Memorandum or Overall Response.) However, irrespective of the terminology attached to the document, this records, at a high level, the results of the different components of planning the audit as a whole (as explained in section 2.1.2).
L Professional scepticism
The auditor should plan and conduct the audit with an attitude of professional scepticism and an inquiring mind that:
• circumstances may exist that may cause the financial statements to be materially misstated;
• during the audit, circumstances may arise that might result in the need to change the overall approach for the scope and conduct of the audit and the planned audit responses and procedures; and
• remaining alert during the audit to audit evidence or information that is not biased towards confirming the information in the financial statements or contradicting it.
The application of professional scepticism by the auditor may include:
• questioning contradictory information and the reliability of documents;
• considering responses to enquiries and other information obtained
from management and those charged with governance;
• being alert to conditions that may indicate possible misstatement due
to fraud or error;
• considering whether audit evidence obtained supports the auditors’
identification and assessment of risks in the light of the entity’s nature
and circumstances.

L Obtaining information to plan the audit (risk assessment procedures)


The auditor should obtain sufficient information about the entity to be able to plan the audit in an effective manner. This is done through Risk Assessment Procedures, and consists of:
• inquiries of management and other appropriate individuals within and outside the organisation:
– internal audit, if such function exists;
– risk managers, compliance officers, company secretaries;
– regulators;
– previous auditors, or auditors auditing companies in the same industry;
– actuaries and service providers to the organisation;
• observation and inspection: to understand the entity and to further support, corroborate or contradict enquiries from management and others, and may entail:
– observation of the entity’s operations, premises and plant facilities (note: technology can be of great use here, such as drones to observe remote areas);
– inspection of documents such as business plans, strategies and internal control manuals;
– inspection of reports prepared by management, such as budgets, profit forecasts and management reports;
– inspection and considering information from external sources such as press releases, material of investor groupings, analysts’ reports, economic journals, banks, rating agencies, etc.;
• analytical review procedures: to understand the entity’s performance, as well as to identify trends, ratios, inconsistencies, unusual transactions (note that automated tools and techniques, such as data analytics, can be of great help to analyse large sets of data for trends and inconsistencies).
L Planning discussions
● Engagement team discussion
The planning information and response to the audit should be discussed
with the engagement team members (normally led by the engagement
partner and managers).
This will assist the engagement team members to understand the entity
and its operations, risks, specific circumstances, as well as the overall
response and direction to the audit, as well as risks and factors affecting
classes of transactions, accounts and disclosures at assertion level that
will be audited by them.

● With the client
The auditor will discuss the audit planning and overall audit response (normally the audit strategy memorandum) with those charged with governance (normally the audit committee if there is one) and with the entity’s management.
Aspects to discuss will include, but will not be limited to:
• the general approach to and the overall scope of the audit:
– significant risks affecting the audit;
– significant classes of transactions, accounts and disclosure that are susceptible to misstatement;
– significant accounting policies and proposed changes to accounting standards;
• any limitation on the audit;
• co-operation with and the use of the client’s staff, for example internal
audit staff; and
• administrative issues, such as timing of the audit, dates of visits, etc.
The audit planning does, however, still remain the responsibility of the
external auditors.
L Overall audit response (audit strategy or planning memorandum)
This is normally a high-level summary of the overall financial statement planning process and the overall response to the audit. This will often be discussed with management and those charged with governance (the audit committee). Aspects recorded therein may vary, but normally include aspects such as significant risks affecting the audit, planning materiality, the significant accounts identified, the overall audit approach and a high-level overview of the nature, timing and extent of the planned audit procedures. Administrative aspects such as the timing of visits, reporting requirements and co-operation with client staff are also covered.
L Audit plan (assertion level response for significant classes of transactions, accounts and disclosure)
The audit plan referred to in chapters 12 and 13 normally contains and
documents:
• the nature, timing and extent of the risk assessment procedures;
• the nature, timing and extent of the test of controls and the substantive
procedures;
• the administration and control of the audit and resources required;
• the audit programmes for the audit procedures to be performed (test
of controls and/or substantive tests).

2.1.2 Procedures to perform and aspects to consider


Step 1: Obtaining an understanding of the entity and its environment, and the applicable financial reporting framework.
SOURCE REFERENCE: ISA 315 (revised) “Identifying and Assessing the Risk of Material Misstatement”

L Objective with obtaining of knowledge on the entity and its environment, and the applicable financial reporting framework
The auditor shall obtain a sufficient understanding of the entity and its environment, and the applicable financial reporting framework, to enable him/her to identify and assess the risks of material misstatements at the overall financial statement level, to formulate an overall audit response and to assign staff of the right experience, skills and competence to the audit.

L Aspects to obtain an understanding on


(a) Internal factors
(i) Entity’s organisational structure and ownership
• complexity of the entity’s structure: risk that subsidiaries are not correctly consolidated, and that issues such as goodwill, joint ventures, special purpose entities, investments, etc., are not correctly accounted for and disclosed;
• ownership and relationships: such as related party transactions that may not be correctly identified, accounted for and disclosed;
• structure and complexity of the entity’s IT environment (risk that IT systems may not be well integrated resulting in complex IT environments, as well as the use of external and internal IT service providers, resulting in loss of data or data integrity).
(ii) Entity’s governance
• understanding the structures and processes for oversight of the entity and its operations.
(iii) Entity’s business model and strategy (appendix 1)
• scope of the entity’s activities and rationale therefor;
• structure and scale of operations;
• markets or geographical spheres;
• business and operating processes;
• the resources (financial, human, intellectual, environmental and technological) necessary or important for the success of the business;
• how the entity’s business model integrates IT in its interactions with customers, suppliers, lenders and other stakeholders.
NOTE: The above will assist the auditor in identifying business risks affecting the entity. Although not all business risks are of audit importance, many business risks have an immediate consequence for the risk of material misstatement at both the financial statement and assertion level (e.g. a business risk resulting from a fall in the real estate market may affect the solvency and going concern at the financial statement level, and the valuation of assets and loans at the assertion level).
(iv) The entity’s activities (appendix 1)
• Business operations such as:
– nature of revenue sources, products or services
and markets, including Internet sales;
– alliances, joint ventures, outsourcing of operations;
– geographic dispersion and industry segmentation;
– location of production facilities, warehouses, etc.;
– key customers and important suppliers;
– research and development activities;
– transactions with related parties.
• Investments and investment activities:
– acquisitions, mergers or disposal of business
activities;
– investments and dispositions of securities and
loans;
– capital investment activities; and
– investments in non-consolidated entities, including partnerships, joint ventures and special purpose entities.
• Financing and financing activities:
– group structures (i.e. major subsidiaries and associated entities);
– debt structure, including covenants, restrictions, guarantees and off-balance-sheet financing arrangements;
– leasing of property, plant and equipment for use in the business;
– beneficial owners (local, foreign);
– related parties; and
– use of derivative financial instruments.
• Nature of Special Purpose entities:
– Complex accounting structures and entities established for a specific purpose and that involve complex accounting and reporting requirements. These are normally susceptible to the risk of material misstatement at both the financial statement and assertion level.
(v) Performance management measures and criteria
• key ratios and operating statistics;
• key performance measures and incentive compensation policies;
• trends;
• use of forecasts, budgets and variance analysis;
• analyst reports and credit rating reports;
• competitor analysis;
• period-on-period financial performance (revenue
growth, profitability, leverage).
(b) External factors
(i) Industry factors
• markets and competition, including demand, capacity
and price competition;
• cyclical or seasonal activity;
• product technology relating to the entity’s products; and
• energy supply and cost.

(ii) Regulatory factors


• accounting principles and industry-specific practices;
• regulatory framework for a regulated industry;
• legislation and regulation that significantly affect the
entity’s operations;
• taxation;
• government policies currently affecting the entity’s
business, such as foreign exchange controls, fiscal
policies, financial incentives, tariffs, trade restrictions,
etc.; and
• environmental requirements affecting the industry and
the entity’s business.
(iii) Other external factors (economic factors)
• general level of the economy (e.g. recession, growth);
• interest rates and availability of financing; and
• inflation and exchange rates.
(c) Financial reporting framework
• accounting principles and industry-specific practices;
• revenue recognition practices;
• accounting for fair values;
• inventories (locations, quantities);
• foreign currency assets, liabilities and transactions;
• industry-specific significant categories (e.g. loans and
investments for banks);
• accounting for unusual or complex transactions;
• financial statement presentation and disclosure:
– selection and application of accounting policies;
– changes in accounting policies; and
– new financial reporting standards, laws and regulations.
• special purpose entities:
– nature and purpose thereof;
– accounting considerations;
– legal and regulatory considerations (related party
transactions, etc.).

Step 2: Obtaining an understanding of the entity’s system of internal control
SOURCE REFERENCE: ISA 315 (revised) “Identifying and Assessing the Risk of Material Misstatement”
L Definitions
Accounting system: The functions by which the entity’s transactions are processed as a means of maintaining the accounting records (consisting of both manual and automated processes).
Internal control: The policies, processes and procedures designed and implemented by those charged with governance and management and other personnel to provide reasonable assurance about the achievement of the entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with laws and regulations. Internal control consists of the following components:
• the control environment;
• the entity’s risk assessment (management) process;
• the entity’s process to monitor the system of internal control;
• the information system and processing of data and activities (accounting information system);
• the internal control system.
L Components of the entity’s system of internal control (appendix 3)
The internal control system consists of the following components:
(a) The control environment
This includes the governance and management functions and attitudes, awareness and actions of those charged with governance and management regarding the internal controls and the importance thereof for the entity (“management should set the tone at the top”). The control environment sets the tone of an organisation, influencing the control consciousness of its people, and provides the overall foundation for the operation of the other components of the entity’s system of internal control.
An entity’s control consciousness is influenced by those charged with governance, because one of their roles is to counterbalance pressures on management in relation to financial reporting that may arise from market demands or remuneration schemes. Accordingly, the independence of those charged with governance from management, their understanding of the entity’s business transactions and the extent of their oversight over financial reporting are key to an effective control environment.
The elements of the control environment comprise:
• how management’s oversight responsibilities are carried out, such as the entity’s culture and management’s commitment to integrity and ethical values;
• the independence of those charged with governance and their oversight of the entity’s system of internal control;
• the attraction, development and retention of competent individuals;
• accountability management for individuals responsible for the pursuit of the objectives of the system of internal control.
(b) The entity’s risk assessment (management) process
This consists of the entity’s process for identifying business
risks and deciding on actions to respond to those risks.
Specifically:
• how management identifies the business risks;
• how they assess the significance of these risks,
including the likelihood of occurrence; and
• how the system addresses/manages the risks (actions
taken to manage the risks).
Where the auditor identifies a risk of material misstatement
that the management’s risk management system failed to
identify, the auditor shall obtain an understanding of why
the process failed to identify such risks and consider the
implications for the auditor’s evaluation of the effectiveness
of the entity’s risk management process.

(c) The entity’s process to monitor the system of internal
control, including internal audit where such function
exists (appendix 4)
The entity’s process to monitor the system of internal
control is a continuous process to evaluate the effectiveness of
the entity’s system of internal control, and to take the
necessary remedial actions on a timely basis. Controls
related to the process to monitor the system of internal
control may be automated or manual, or a combination thereof.
The entity’s processes to monitor the system of internal
control consist of:
• the ongoing and separate evaluations of monitoring
the effectiveness of control and the identification of
remedial actions;
• the entity’s internal audit function where such exists.
(d) The information system and processing of data and
activities (accounting information systems)
This consists of the functions (computerised and manual
procedures) through which the entity’s business processes
are controlled and financial information is assembled,
processed and recorded.
The auditor should obtain an understanding of the entity’s
information processing activities, including its data and
information, the resources used and the policies through which
information is processed and controlled:
• how the information flows through the entity’s
information system;
• the accounting records relating to the flow of
information;
• the financial reporting process used to compile the
financial statements;
• the entity’s resources, including the IT environment
related to the above;
• how the entity communicates significant matters that
support the preparation of the financial statements in
the information system and the system of internal
control.

(e) Internal controls (appendix 3)
The internal controls entail the control activities, consisting of
the information processing controls (application controls) and
general IT controls, both of which may be manual or automated
in nature.
Specific control activities include the following:
• authorisations and approvals;
• reconciliations;
• verifications;
• physical or logical controls, including those that address
security of assets against unauthorised access,
acquisition, use or disposal (e.g. physical security of assets,
authorisation for access to computer program and data
files, periodic counting and comparison of assets with
records, etc.);
• segregation of duties;
• general and application controls of computerised
systems;
• control accounts;
• stationery control;
• comparing of internal data with external sources;
• comparing physical assets with recorded assets (stock
counts, cash counts, etc.);
• budgetary control.
(f) Understanding the IT environment (appendix 5 and 6)
The auditor needs to obtain an understanding of the IT
systems and the general controls that support the applications
that run on its platforms, such as:
• the extent and automation of data;
• reliance on system-generated reports;
• communication of IT facilities between applications;
• volume and complexity of digital data;
• type of IT applications (customized or highly integrated);
• complexity of the nature of the IT applications and IT
infrastructure;
• involvement of third-party hosting (cloud computing,
etc.);
• use of emerging technology that affects financial
reporting (blockchain, artificial intelligence software, etc.);
• complexity of IT security and access rights;
• program changes made and changes in the IT
environment;
• major data conversions and new system implementations.
Value to the auditor of understanding the accounting
information system and the internal control system
In the audit of financial statements, the auditor is concerned with
those policies, procedures and controls within the accounting
and internal control system that are relevant to the financial
statement assertions.
The understanding of the accounting and internal control
systems will assist the auditor to understand the control risk and
develop appropriate audit procedures accordingly.
Obtaining an understanding of the internal controls
Sources for obtaining information on controls include:
• a system walk-through test;
• enquiry of management and personnel;
• inspection of documents (e.g. system flowcharts);
• observations of controls and processes;
• internal control questionnaires; and
• prior years’ working papers.
IT (computer) risks and internal controls
IT also poses specific risks to an entity’s internal controls,
business processes and accounting system. This includes the
following:
• reliance on systems or programs that are inaccurately
processing data, processing inaccurate data, or both;
• unauthorised access to data that may result in the
destruction of data or improper changes to data, including the
recording of transactions. Particular risks may arise where
multiple users access a common database;
• the possibility of IT personnel gaining access privileges
beyond those necessary to perform their assigned duties,
thereby breaking down segregation of duties;
• unauthorised changes to data in master files;
• unauthorised changes to systems or programs;
• failure to make necessary changes to systems or programs;
• inappropriate manual intervention over programmed controls
(e.g. overriding system controls);
• potential loss of data or inability to access data as required.

Step 3: Identifying and assessing the risk of material misstatements

SOURCE REFERENCE:
ISA 200 “Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Standards on Auditing”
ISA 315 (revised) “Identifying and Assessing the Risks of Material Misstatement”
ISA 330 “The Auditor’s Response to Assessed Risks”

A) Concepts and principles of the risk of material misstatement


Business risk, risk management and strategy
Entities are exposed to various business risks resulting from the
nature of their operations and the industry they operate in,
business models, financing, etc. These are business risks and should
be identified and addressed by management through
implementing appropriate risk management practices and controls,
strategies and governance practices.
Management is responsible for identifying and addressing
business risks.
The auditor is concerned with those risks affecting the financial
statements, but should also consider the entity’s business risks,
as these could have an impact on the risk of material
misstatement at the overall financial statement level.
Risk of material misstatement
This is the risk that the financial statements are materially
misstated and exists at two levels:
• At the overall financial statement level
This relates to the financial statements as a whole and
potentially affects multiple accounts and assertions (the audit as a
whole).
Accordingly, the risk of material misstatement at the financial
statement level refers to risks that relate pervasively to the
financial statements as a whole and potentially affect many
classes of transactions, accounting balances and disclosure
at the assertion level. These risks may not necessarily be
risks identifiable with specific assertions, but rather represent
circumstances that may increase the risk of material
misstatement at the assertion level.
Risk of material misstatement at the financial statement level
may also affect classes of transactions, accounting balances
or disclosure at the assertion level.
The auditor’s identification and assessment of the risk of
material misstatement at the financial statement level is
influenced by the auditor’s understanding of the entity and its
environment, the applicable financial reporting framework,
and the entity’s system of internal control. The risk of material
misstatement due to fraud may also be particularly relevant
to the auditor’s consideration of material misstatement at the
financial statement level.
The auditor would respond to the assessment of the risk of
material misstatement at the financial statement level by
formulating an overall audit response (or strategy) to the audit.
• At the assertion level
This relates to the risks of material misstatement at the
assertion level for significant classes of transactions, account
balances and disclosures and will directly affect the nature,
timing and extent of further audit procedures (tests of
controls, substantive procedures or a combination thereof).
Risk of material misstatement at the assertion level relates to
the risk of material misstatement due to the inherent risks
identified and assessed based on its likelihood and
magnitude of misstatement. The auditor assesses the risk of
material misstatement for identified inherent risks, based on the
significance of the combination of the likelihood of a
misstatement and the magnitude of the potential misstatement
were it to occur. This assessment will determine where on the
spectrum of inherent risk the identified risk is assessed.
Risks of material misstatement are normally identified and
assessed according to the assertions they relate to.
Accordingly, a risk of material misstatement may relate to more than
one assertion, in which case all the assertions to which such
a risk relates are relevant assertions for which an audit
response is required. If an assertion does not have an
identified risk of material misstatement, then it is not a relevant
assertion for which an audit response is required.

Significant risk
This is the identified and assessed risk of material misstatement
that, in the auditor’s opinion, requires special audit consideration
(glossary of terms).
ISA 315 (revised) describes a significant risk, in addition to the
definition above, as an identified risk of material misstatement for
which the assessment of inherent risk is close to the upper end
of the spectrum of inherent risk due to its likelihood of
occurrence and magnitude of potential misstatement.
Inherent risks assessed as high on the spectrum (based on
likelihood of occurrence and magnitude of impact) will be
considered significant risks for which specific audit responses are
required.
The assessment of inherent risk is based on a spectrum,
consisting of a combination of:
• the likelihood of a misstatement, that relates to the
possibility that a misstatement may occur, based on
consideration of the inherent risk; and
• the magnitude of a potential misstatement that relates to the
quantitative and qualitative aspects of a possible
misstatement in an assertion.
The spectrum of assessment of risk of material misstatement
above may be expressed in quantitative terms such as
percentages or in non-quantitative terms. Irrespective of the
terminology used, the auditor’s response to the assessed inherent risk
will be determined by the assessment on the spectrum of the
inherent risk.
ISA 315 provides the following examples for clarity:
• cash at a supermarket would ordinarily be considered to
have a high likelihood of possible misstatement due to cash
being misappropriated, but the amount of cash being
handled may be low, and, as such, the magnitude assessed as
low. The combination of the above two factors (likelihood
and magnitude) on the spectrum of assessed inherent risk
would in all probability be low, and not considered a
significant risk (and not considered a significant account);
• for an entity selling a business, the auditor may consider the
likelihood and magnitude of impairment of goodwill to be
high, due to the impact of inherent risk factors such as
management bias, or other fraud risk factors. Such impairment
amounts normally are also significant in monetary terms,
and accordingly on the spectrum of assessed inherent risk
would in all probability be high and considered a significant
risk (and a significant account).

The determination of significant risks allows for the auditor to
focus more attention on those risks that are on the upper end of
the spectrum of inherent risk (assessed as high, through the
performance of further audit procedures).
In exercising judgement as to which risks are significant risks,
the auditor shall consider at least the following:
• whether the risk is a risk of fraud;
• whether the risk is related to recent significant economic,
accounting or other developments, and therefore requires
special attention;
• the complexity of the transactions;
• whether the risk involves significant transactions with related
parties;
• the degree of subjectivity in the measurement of the financial
information related to the risk;
• whether the risk involves significant transactions that are
outside the normal course of business for the entity or are
unusual.
If the auditor determines that a significant risk exists, he/she shall
obtain an understanding of the entity’s control activities relevant
to the risk (key controls of audit significance that address the
inherent risk) if the audit response to the inherent risk assessed
as significant is the intention to rely on controls. If the auditor
cannot identify controls that address the inherent risk assessed
as significant, the control risk will be assessed as the same as
the inherent risk.
Inherent risk factors (Appendix 2)
Inherent risk factors are characteristics of events or conditions
that affect susceptibility of an assertion of a class of transactions,
account balances or disclosure to misstatement, whether due to
fraud or error (before taking controls into account). Such factors
may be quantitative or qualitative and include complexity,
subjectivity, change, uncertainty, or susceptibility to misstatement
due to management bias or other fraud risk factors.
Examples of events or conditions that may give rise to the
existence of risks of material misstatement are:
• complexity of:
– laws and regulations;
– business models;
– accounting measurements involving complex processes;
– transactions, such as off-balance sheet financing and
special purpose entities;
• subjectivity:
– measurement criteria for accounting estimates;
– selections of valuation techniques or models;
• change:
– economic conditions and markets;
– customer losses leading to going concern and liquidity
issues;
– industry within which the entity operates;
– expanding in new regions and locations;
– entity structures, such as acquisitions or disposals;
– change in key personnel;
– in IT environment: new IT systems, service providers, IT
conversions, etc.;
– new accounting standards;
– new legislation;
– investigations into the entity’s operations, etc.;
• uncertainty:
– reporting: events and transactions involving significant
measurements, uncertainty and estimates;
– pending legislation and contingent liabilities;
• susceptibility to management bias or other fraud:
– opportunity for management and others to engage in
fraudulent financial reporting;
– significant transactions with related parties;
– significant non-routine transactions;
• other events or conditions:
– lack of personnel with appropriate accounting and
financial reporting skills;
– control deficiencies;
– history of past misstatements, errors and significant
adjustments at period end.
Risk-based approach
This approach is generally applied in practice. It entails that the
auditor identifies the risks that could lead to the financial
statements being materially misstated, and then reacts to these risks
by adjusting the audit approach accordingly (nature, timing and
extent of the tests of controls and substantive procedures) to limit
the audit risk to an acceptable level.
In respect of some risks, the auditor may judge that it is not
possible or practicable to obtain sufficient appropriate audit
evidence only from substantive procedures. This may for example
be the case for risk related to automated processing and will
require the auditor to obtain an understanding of the controls
over such risks.
Meaning and components of audit risk
Audit risk is the risk of:
• material misstatements (consisting of the two components,
inherent and control risk); and
• the risk that the auditor will not detect such misstatements
(detection risk).
Inherent risk is the susceptibility of an assertion to a
misstatement that could be material, either individually or when
aggregated with other misstatements, assuming that there are no
related internal controls.
Inherent risks are assessed based on the significance of the
combination of the likelihood of a misstatement and the
magnitude of the potential misstatements, were they to occur. This
assessment will determine where on the spectrum of inherent risk
the identified risk is assessed.
The risk for misstatements is greater for some assertions of
classes of transactions, account balances and disclosures than for
others.
The following are examples of factors affecting inherent risk at
the assertion level:
• complex calculations are more likely to be misstated than
simple calculations;
• accounts based on estimates are riskier than accounts
based on routine, factual data;
• external circumstances, for example technological
developments, might lead to obsolete inventory (and overstatement);
and
• lack of funding/working capital (going concern).
Control risk is the risk that a misstatement, which could occur in
an assertion about a class of transactions, account balance or
disclosure and which could be material, either individually or
when aggregated with other misstatements, will not be prevented
or detected and corrected on a timely basis by the entity’s
internal controls.
The control risk is directly dependent on the effectiveness of the
design and functioning of the internal controls.

Methods to assess control risk
The auditor assesses the control risk by performing tests of
controls to obtain audit evidence about the operating effectiveness
of controls in preventing, or detecting and correcting, material
misstatements at the assertion level. Once the auditor has tested
the operating effectiveness of the controls, the auditor will be
able to confirm the initial expectation about the operating
effectiveness of the controls.
The auditor may test individual controls or a combination of
controls to confirm the auditor’s expectation of the operating
effectiveness of such controls. Such controls tested may be controls
directly attributable to a risk or indirect controls that affect
multiple risks, as well as general IT controls.
When testing automated controls, the auditor may also wish to
test the operational effectiveness of the IT general controls as a
basis for reliance on the automated application controls tested.
Tests of controls consist of inspection, observation, recalculation,
enquiry and reperformance.
Detection risk is the risk that the auditor’s procedures will not
detect a misstatement that exists in an assertion that could be
material, either individually or when aggregated with other
misstatements.
Detection risk is a function of the effectiveness of the audit
procedures (tests of controls and substantive procedures), and of
the application thereof by the auditor.
Detection risk cannot normally be reduced to zero because the
auditor does not usually examine the entire account balance or
class of transactions.
Detection risk relates to the nature, timing and extent of the
procedures performed by the auditor to reduce the audit risk to an
acceptably low level.
Relationship between risks
Audit Risk (AR) = Inherent Risk (IR) × Control Risk (CR) × Detection Risk (DR)
The risk of material misstatements (consisting of inherent and
control risk) is an entity risk and stands independent from the
audit, while the detection risk is directly related to the auditor’s
procedures.
The auditor assesses the risk of material misstatement at the
assertion level (consisting of inherent and control risk) for
significant classes of transactions and account balances. This then
serves as a basis for further audit procedures (affecting the
nature, timing and extent thereof).

Regardless of the assessment of the risk of material
misstatements, the auditor should always perform some substantive
procedures on significant balances and classes of transactions.
The higher the risk of material misstatements (inherent and
control risks) the more audit evidence the auditor should obtain from
the performance of audit procedures to limit his/her audit risk.

B) Risk assessment and response thereto


• At the overall financial statement level
This relates to the risk of material misstatement of the
financial statements as a whole, and the pervasive effect thereon.
The auditor’s identification and assessment of risk of material
misstatement at the financial statement level is influenced by
the auditor’s understanding of the entity and its environment,
the applicable financial reporting framework, and the entity’s
system of internal control. The risk of material misstatement
due to fraud may also be particularly relevant to the auditor’s
consideration of material misstatement at the financial
statement level.
The auditor will consider the identified risks of material
misstatement at the financial statement level and the form and
assessment of the risk that the financial statements might be
materially misstated. This will be an overall risk assessment,
normally classified as high, medium, or low.
The auditor would respond to the assessment of the risk of
material misstatement at the financial statement level by
formulating an overall audit response (or strategy) to the audit.

After the auditor has identified the significant risks of material
misstatements at the overall financial statement level, he/she will then assess the
risk at the overall financial statement level (normally high, medium or low).
This will then affect:
• the setting of planning materiality (which is used for identifying
accounts that are significant due to their monetary value to be audited in
detail at the assertion level); and
• the overall audit response to the audit (overall audit approach, response
to specific risk areas, and the direction and control of the audit).

• At the assertion level for significant classes of transactions,
account balances and disclosure
The auditor assesses the risk of material misstatements at the
assertion level for each significant class of transaction and
account balance. These will be classified as significant
where the auditor identified significant risks at the assertion
level that exist on the spectrum of the inherent risk assessed
as high, based on the likelihood of occurrence and
magnitude of potential misstatement.

Accordingly, all classes of transactions, account balances
and disclosures for which significant risk exist will be
considered significant accounts for which an appropriate audit
approach needs to be formulated to direct the further audit
procedures to be performed.
NOTE:
– All material classes of transactions or account
balances or disclosure will be considered
significant accounts;
– If a class of transactions or account balances or
disclosure is not material, and no significant
risks are identified at assertion level, such
account will not be considered significant.
The auditor will then set an audit approach and design further
audit procedures to reduce the risk of material
misstatements at the assertion level, through:
– tests of controls only;
* to test the operating effectiveness of the controls and to
support reliance on the controls to limit the inherent
assessed risk of material misstatements.
– substantive procedures only
* to limit assessed inherent risk of material misstatement
by reducing detection risk to an acceptably low level.
– a combined approach using both tests of controls and
substantive procedures.
This is discussed further in section 2.2.
The auditor’s assessment of inherent risk at the assertion
level may change during the audit as additional audit evidence
is obtained. This may require the auditor to revise the
assessment and modify the further planned audit procedures
accordingly.

C) Considerations of risk in the audit of small businesses


ISA 315 (revised) refers to scalability, that is, given the size of an
entity and its environment, certain guidance and practices as
prescribed may be to a greater or lesser extent applicable. This
will especially be the case in smaller entities where the owners
and management are directly involved in the operations. The
following are considerations relating to the audits of smaller entities
that the auditors should consider during their planning and
performance of the audit.

Characteristics
The following are characteristics of small entities:
• small number of employees;
• limited segregation of duties;
• domination by senior management/owners of the business;
• few owners/shareholders;
• the main source of income is usually derived from one line of
business; and
• uncomplicated accounting systems exist.
Risks
The following risks usually exist at small entities:
• the record keeping is informal or insufficient;
• a high risk exists that the financial statements may be
incomplete/inaccurate;
• the audit firm often assists the client in the preparation of the
accounting records and the annual financial statements and
management may erroneously believe that this relieves them
of their responsibilities;
• the risk exists that management may bypass internal
controls; and
• the effectiveness of internal controls depends on the
personality of the owners/management.
Factors the auditor should consider during the audit
1. Client-auditor relationship
A close client-auditor relationship usually develops:
• this may affect the auditor’s independence;
however,
• this offers detailed knowledge of the business; and
• this offers information for the assessing of the inherent and
control risks.
Steps:
– Issue engagement letters for all audits and revised
conditions thereof.
– Obtain a management representation letter.

2. Management may ignore or bypass internal controls
The auditor must consider the owner’s involvement in the
business and the effect thereof on the audit opinion.
Steps: Consider management’s/the owner’s personality and
the way of managing the business in terms of:
• the use of reliable financial information;
• exercising budgetary control;
• the knowledge of business;
• the successful management of operating capital;
• strategic management; and
• compliance with/commitment to legal and other
external requirements.
3. Reliability of internal controls
Internal control is probably less reliable because of the
simple systems used and the few people involved in the
accounting functions:
Steps:
• Document the procedures in terms of the
consideration of the accounting and the internal
control systems.
• Consider the effect on the control risk caused by
the use of computer facilities and limited
segregation of duties.
4. Completeness
Completeness should always be considered. The auditor
may have problems concerning insufficient supervision by
management and owners in dominant positions that may
manipulate the accounting records.
Steps: Verify completeness through:
• data that is independently audited;
• using reconciliations (e.g. of goods purchased
and sold);
• appropriate analytical procedures;
• reviewing of a transaction after year end;
• third party confirmation; and
• obtaining representations from management/owners.

5. Classification
The auditor must consider the classification of transactions,
especially in terms of the tax effects thereof.
Steps: Obtain increased assurance in respect of
classification by means of:
• reprocessing the accounting records;
• using analytical procedures; and
• obtaining appropriate substantive evidence.
6. Accounting work
Audit firms often do significant accounting work for clients,
for example keeping of books, preparing of the trial balance
and financial statements (on the condition that it is allowable
under the law, such as voluntary audits that do not fall under
the Companies Act).
Steps: The auditor may obtain audit evidence from the
audit firm staff who performed the accounting work,
for example when:
• inspecting source documents; and
• doing calculations for clients (e.g. depreciation).
However, he/she must still:
• ensure that the reliance is justified; and
• ensure that the work is documented.
7. Taxation
Steps: Perform procedures to identify items required for
taxation purposes.
8. Working papers
The auditor must keep complete records of all work performed,
considerations and evidence obtained.
9. Audit report
If the auditor cannot obtain all the information he/she requires,
it constitutes a scope limitation of the audit performed and
the auditor should consider the effect on the audit report.

Step 4: Setting of planning materiality


SOURCE REFERENCE:
ISA 320 “Materiality in Planning and Performing an Audit”
DP 6 “Audit Risk and Materiality” (This is an old document, but still provides valuable guidance on setting materiality.)

8–33
Dynamic Auditing

L Definition of materiality (accounting framework)


Information is material if its omissions or misstatements could influ-
ence the economic decisions of users taken on the basis of the
financial statements.
Materiality depends on the size of the omission or error in the given
circumstances, and thus provides a threshold or cut-off point
against which the usefulness of information is measured.
The auditor’s determination of materiality is a matter of professional
judgement and is affected by his/her perception of the financial
information needs of the users of the financial statements.
L Relationship between materiality and audit risk
The auditor should consider materiality and its relationship with
the audit risk when an audit is performed.
There is an inverse relationship between materiality and audit
risk, namely:
• the higher the audit risk, the lower materiality will be set to
compensate for this; and
• the lower the audit risk, the higher materiality may be set
because the chance is small that a material misstatement
could occur and go undetected.
It directly affects the nature, timing and extent of the audit
procedures.
NOTE: (1) The risk of material misstatements at the overall
          financial statement level (identified in step 3 above)
          will have a direct impact on the setting of planning
          materiality.
      (2) This is important, because planning materiality
          will be used to identify significant classes of
          transactions, account balances and disclosures which
          will individually be audited in detail.
Setting of materiality
The auditor should consider and set materiality during the
following stages of the audit:
• the planning phase (planning materiality): to identify
  significant accounts to audit in detail; and
• the completion phase (final materiality): to measure the effect
  of audit differences and misstatements against.


A) Planning materiality
This is a provisional judgement of materiality. It is quantified and
it helps the auditor with identifying significant accounts to audit in
detail and accordingly determine the nature, timing and extent of
the audit procedures.
The auditor should consider the following when setting planning
materiality:
• the amount of misstatements (quantitative), namely individual
amounts, or small amounts that may be material in aggregate;
and
• the nature of accounts and possible misstatements (qualita-
tive).
Statutory and regulatory requirements, as well as the specific cir-
cumstances that exist, may influence the setting of materiality. Dif-
ferent materiality levels can also be set for particular classes of
transactions, account balances or disclosures if the auditor con-
siders it appropriate.
Quantitative indicators of materiality
The following can serve as a guide on which to base materiality
(DP 6):
• Turnover: ½ – 1%
• Gross profit: 1 – 2%
• Nett income: 5 – 10%
• Total assets: 1 – 2%
• Equity: 2 – 5%

*NOTE: ISA 320 also describes benchmarks on which materiality can be
based, such as profit before tax, total revenue, gross profit, total
expenses, total equity or net asset value. The benchmarks and criteria used
will depend on the specific circumstances, trends and conditions.

The auditor needs to base materiality for the entity upon the most
appropriate criteria that will provide a stable basis. It can be a
single indicator or a combination thereof.
Qualitative aspects that need to be considered
These entail the aspects that the auditor needs to consider when
quantifying materiality and include:
• the control environment;
• the effectiveness of the internal controls;
• the integrity of management;
• the appropriateness of the accounting policies and the disclo-
sure thereof;
• statutory requirements and regulations;
• problems and errors experienced in previous years;
• the result of the provisional analytical procedures; and
• the possibility of the occurrence of illegal transactions.
NOTE: Final materiality may differ from planning materiality
because of different circumstances, and knowledge
obtained by the auditor during the audit, etc.

Use of planning materiality to identify significant accounts


Planning materiality is adjusted for the overall risk assessment (Step 3) at the
financial statement level (entity risk).
This adjusted planning materiality figure is then used to identify classes of
transactions, account balances and disclosures to audit in detail (referred to as
significant accounts (see Section 2.2)).

B) Performance materiality (ISA 320: “Materiality in planning
and performing the audit”)
Performance materiality is set to reduce to an acceptably low level
the probability that the aggregate uncorrected and undetected
misstatements in the specific class of transactions, account bal-
ances or disclosure will exceed materiality for the financial state-
ments as a whole.
Performance materiality is set at a lower level than planning materi-
ality and will in effect be the maximum potential error acceptable
to the auditor for that specific class of transaction, account bal-
ance or disclosure. This will affect the number of items selected
to be tested (refer to “Sampling” in chapter 11).
Performance materiality is normally determined as a percentage
of planning materiality (e.g. ranging between 50% and 80% of
planning materiality). Setting it requires professional judgement,
based on the risk of material misstatement of the class of
transaction, account balance or disclosure, as informed by the
assessment of the inherent risk thereof.
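Added worked example (not part of the handbook): the Python code below carries the DP 6 guide percentages through to planning materiality, performance materiality and the list of significant accounts. All amounts are constructed sample figures, and the rule that maps a risk rating to a point in each range (and to a share between 50% and 80%) is an assumption made for illustration; the handbook leaves that choice to professional judgement.

```python
from dataclasses import dataclass
from decimal import Decimal

# DP 6 guide ranges quoted in the handbook, as fractions of each benchmark.
DP6_RANGES = {
    "turnover": (Decimal("0.005"), Decimal("0.01")),
    "gross_profit": (Decimal("0.01"), Decimal("0.02")),
    "net_income": (Decimal("0.05"), Decimal("0.10")),
    "total_assets": (Decimal("0.01"), Decimal("0.02")),
    "equity": (Decimal("0.02"), Decimal("0.05")),
}

# ASSUMPTION: point chosen inside the guide range per entity-level risk.
# Higher risk -> lower materiality (the inverse relationship in the text).
RANGE_POSITION = {"high": Decimal("0"), "medium": Decimal("0.5"), "low": Decimal("1")}

# ASSUMPTION: performance materiality as a share of planning materiality.
# The handbook gives 50% to 80% as an example band; the three steps are ours.
PERFORMANCE_SHARE = {
    "high": Decimal("0.50"),
    "medium": Decimal("0.65"),
    "low": Decimal("0.80"),
}


@dataclass(frozen=True)
class Account:
    name: str
    amount: Decimal
    inherent_risk: str                   # "high", "medium" or "low"
    significant_by_nature: bool = False  # qualitative flag set by the auditor


# Constructed sample trial-balance extract (not real client data).
SAMPLE_ACCOUNTS = [
    Account("Sales", Decimal("40000000"), "high"),
    Account("Inventory", Decimal("6500000"), "medium"),
    Account("Directors' remuneration", Decimal("150000"), "low", True),
    Account("Petty cash", Decimal("20000"), "low"),
]


def _lookup(table, key, what):
    """Fail loudly on a benchmark or risk rating the tables do not define."""
    try:
        return table[key]
    except KeyError:
        raise ValueError(f"unknown {what}: {key!r}") from None


def guide_range(benchmark, amount):
    """Return the (low, high) DP 6 guide amounts for one benchmark."""
    if amount <= 0:
        # A loss or nil base gives no stable threshold; pick another benchmark.
        raise ValueError(f"{benchmark} of {amount} is not a usable base")
    low_pct, high_pct = _lookup(DP6_RANGES, benchmark, "benchmark")
    return amount * low_pct, amount * high_pct


def planning_materiality(benchmark, amount, entity_risk):
    """Planning materiality, adjusted for financial-statement-level risk."""
    low, high = guide_range(benchmark, amount)
    return low + (high - low) * _lookup(RANGE_POSITION, entity_risk, "risk rating")


def performance_materiality(planning, account_risk):
    """Maximum acceptable error for one class, balance or disclosure."""
    return planning * _lookup(PERFORMANCE_SHARE, account_risk, "risk rating")


def significant_accounts(accounts, planning):
    """Accounts to audit in detail: material by amount or by nature."""
    return [a.name for a in accounts
            if a.significant_by_nature or a.amount >= planning]


if __name__ == "__main__":
    turnover = Decimal("40000000")  # constructed figure
    for risk in ("low", "medium", "high"):
        pm = planning_materiality("turnover", turnover, risk)
        print(f"entity risk {risk:<6} planning materiality {pm:>10,.0f}")
    planning = planning_materiality("turnover", turnover, "high")
    for acc in SAMPLE_ACCOUNTS:
        if acc.name in significant_accounts(SAMPLE_ACCOUNTS, planning):
            perf = performance_materiality(planning, acc.inherent_risk)
            print(f"{acc.name:<25} performance materiality {perf:>10,.0f}")
```

Directors' remuneration falls below the amount threshold and is selected only because of the qualitative flag, which is the reason the text asks for both quantitative and qualitative consideration.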
Final materiality (ISA 450: “Evaluating misstatements
identified during the audit”)
Final materiality is established at the end of the audit and is the
standard against which identified misstatements are measured, to
determine the effect on the financial statements.
The auditor will need to re-assess the amount of planning materi-
ality, given the knowledge gained during the audit and the audit
evidence obtained. This will enable the auditor to assess whether
the amount of planning materiality is still appropriate or needs to be
adjusted to measure audit differences and other misstatements
against.
Evaluation of audit differences
The auditor should consider whether the unadjusted audit differ-
ences affect the fair presentation of the financial statements.

The auditor should consider the materiality of misstatements for
both their:
• quantitative nature: the amount of identified audit differences,
  together with the nett effect of unadjusted audit differences of
  previous years; and
• qualitative nature: consider the nature of the audit differences,
  irrespective of the amount thereof.

Final materiality is discussed further in chapter 14: Evaluating and Concluding.

Step 5: Overall audit response


SOURCE REFERENCE: ISA 300 “Planning an audit of financial statements”
                  ISA 315 (revised) “Identifying and Assessing the Risks of Material”
                  ISA 330 “The Auditor’s Response to Assessed risks”
                  ISA 500 “Audit Evidence”
A) IDENTIFY SIGNIFICANT CLASSES OF TRANSACTIONS,
ACCOUNT BALANCES AND DISCLOSURES TO BE AUDITED
IN DETAIL (for which further audit procedures are required)
Based on the auditor’s understanding of the entity and its envi-
ronment, the applicable financial reporting framework, and the
entity’s system of internal control, the auditor should be able to
identify significant classes of transactions, account balances and
disclosures at the assertion level to be audited in detail, being:
• accounts that are significant due to their nature and inherent
  risks;
• accounts that are quantitatively material.
These are the classes of transactions, account balances and
disclosures for which an audit approach will be formulated to
inform the further audit procedures to be performed. This is
normally referred to as an audit plan.

B) FORMULATE AN OVERALL AUDIT RESPONSE


The auditor would respond to the assessment of the risk of mater-
ial misstatement at the financial statement level by formulation of
an overall audit response (audit plan or strategy) to the audit.
The overall audit response for conducting the audit at the finan-
cial statement level will consist of:
• Formulate a general audit approach (or strategy) for the audit
as a whole
This will be based on the auditor’s understanding of the
control environment and related internal controls, as well as
the assessed risk of material misstatement at the financial
statement level, and will provide guidance on the audit
approach to be followed for significant classes of
transactions, account balances and disclosures.
The overall audit approach will be either a combined or sub-
stantive approach and will deal with the nature, timing and
extent in general of the procedures to be performed.
• Identify areas of specific risks and focus that require specific
audit attention
These will be areas that will require special audit attention
such as:
– accounts affected by new accounting standards;
– areas of uncertainty and based on estimations, such as
impairments and estimates;
– related party transactions and disclosures;
– laws and regulations impacting on the entity and the audit;
– going concern considerations;
– areas that will be considered key audit matters, etc.
• Direction and control for the audit and engagement team
This will entail providing guidance and oversight to the engage-
ment team on aspects such as:
– emphasising the need for the audit team to maintain pro-
fessional scepticism and an enquiring mind;
– assigning of more experienced staff or those with special
skills or using experts;
– use of data software and CAATS, as well as IT experts;
– nature, timing and extent of direction and supervision of
members of the engagement team and the review of the
work performed;
– incorporating additional elements of unpredictability in
the selection of further audit procedures to be performed;
– timing of the audit and need for early verification;
– administrative and coordinating matters such as timing.
The audit plan (or in practice often referred to as audit strategy)
at this level is a high-level approach/response to the audit,
organisation and administration of the audit as a whole.
C) DISCUSSION OF THE AUDIT APPROACH
Definition of an audit approach
This is the approach to obtain audit evidence against which to
measure the fair presentation of the financial statements. The
audit approach can be a test of controls only, substantive pro-
cedures only, or a combined approach using both tests of con-
trols and substantive procedures for a particular assertion. The
audit approach will contain the nature, timing and extent of the
audit procedures to be performed to limit the risk of material mis-
statements on the assertions.
NOTE: Not all assertions within a material class of transaction,
account balance or disclosure, are required to be test-
ed. This will be the case if the auditor did not identify
any significant risk for that particular assertion.
Impact of internal controls on the substantive procedures

          Reliance on internal control     Reliance on internal control
          is justified                     is not justified
Nature    More analytical                  More substantive
Extent    Less                             More
Timing    Spread over the year/early       Near/at year end
          verification is possible         (no early verification)

Meaning of the nature, timing and extent of the audit procedures
to be performed
(a) NATURE
This relates to how the procedures will be performed to limit
the risk of material misstatements, namely (purpose):
• Tests of controls:
– Inspections, observations, enquiries, re-calculations,
re-performance, confirmations (type);
– Tests of controls are necessary in two circumstances,
namely:
* when the auditor’s risk assessment includes an
  expectation of reliance on the effectiveness of
  controls. This means that the auditor identifies
  controls (often referred to as key or significant
  controls) that address the significant risks
  identified at assertion level for the significant
  accounts. The auditor will then test the significant
  or key controls to support the risk assessment of
  reliance on controls; and
* when substantive procedures alone do not pro-
vide sufficient appropriate audit evidence. The
auditor will then test the controls to obtain evi-
dence on their effectiveness to limit the audit risk.
• Substantive procedures:
– Detail testing
Consisting of inspection, enquiry, re-calculations, re-per-
formance, and confirmations (type);
and/or
– Substantive analytical procedures (type).
(b) TIMING
This relates to when the procedures are performed (the timing
of performing the tests of controls or substantive procedures).
• Tests of controls:
Tests of controls should be performed to cover the whole
period of reliance. The auditor needs to obtain audit evi-
dence on the effective operation of the controls for the
entire period of reliance.
If the controls are tested at an interim stage, audit evi-
dence must also be obtained on the effectiveness of the
controls for the remaining period of reliance.
– Considerations regarding the length of the period that
may elapse before retesting controls:
* the effectiveness of other elements of internal con-
trols, including the control environment, the enti-
ty’s monitoring of controls and the entity’s risk
assessment process;
* the risks arising from the characteristics of the
controls, including whether controls are manual
or automated;
* the effectiveness of general IT controls;
* whether the lack of a change in a particular con-
trol poses a risk due to changing circumstances;
* the risk of material misstatements and the extent
of reliance on the control.
– Factors that may decrease the time for testing
controls since previous testing thereof:
* a weak control environment;
* weak monitoring of controls;
* a significant manual element to the relevant
controls;
* personnel changes that significantly affect the
working of the controls;
* changing circumstances that indicate the need
for changes in the controls;
* weak general computer controls.
Irrespective of the above, the controls should be tested
every three years.
• Substantive procedures
Substantive procedures are performed to verify trans-
actions and year-end balances. Thus, substantive pro-
cedures will mainly be performed at or after year end.
When substantive procedures are performed at an interim
date (early verification date), the auditor must perform fur-
ther substantive procedures combined with tests of con-
trols to cover the remaining period of reliance.
(c) EXTENT
This relates to how many items should be tested, namely the
size of the sample. Normally the more reliance to be placed
on the test performed, the bigger the sample should be.
• Tests of controls:
Tests of controls performed should be such to obtain
sufficient appropriate audit evidence that the controls
operated effectively throughout the period of reliance.
The extent (number) of the tests of controls will depend on:
– the frequency of the control procedure;
– the length of time of audit reliance on the control;
– the expected deviation of the control; and
– the extent of intended reliance on the control.
• Substantive procedures:
A sufficient number of substantive tests should be per-
formed (large enough samples) to substantiate the
auditor’s opinion, and to limit the detection risk.

Setting of an overall audit approach


This will entail deciding on the overall audit approach as part of the
overall audit response or audit strategy during the planning phase of
the audit to give direction to the audit (a high-level overview of the
nature, timing and extent of the audit procedures to be performed,
namely tests of controls and substantive procedures). This will be
affected by the risk of material misstatements at the overall financial
statement level, the nature of the accounting information system (e.g.
general computer controls), the control environment, etc.
A detailed audit approach (as part of the audit plan) will also be set
for each significant class of transaction and for account balances
and disclosures (refer to section 2.2).

D) Areas of specific risks and focus that require specific
audit attention
The risk response will be directly related to the risks identi-
fied and the auditor’s response thereto. This will include
aspects such as, for example, going concern problems,
related party aspects, possible over- or understatement of
profits, etc.
E) Direction and control for the audit and engagement team
This entails the coordination and control of the audit and
should be done during the planning phase of the audit. It
includes arrangements with regard to:
Engagement team specifics:
• the level of professional scepticism and unpredictability
applied during the audit;
• composition, experience, special skills, experts, number of
personnel;
• nature, timing and extent of direction, supervision and
review of the engagement team;
• quality management requirements; and
• use of audit software, data analytics and CAATS.
Client-specific issues and circumstances:
• number of locations/areas to visit;
• staff availability; and
• travel and housing arrangements, etc.
Dates/timing of the audit:
• client dates (e.g. inventory counts, reporting deadlines,
etc.);
• timing of audit visits, namely interim and final; and
• reporting dates.
Budgeting for the audit:
• audit time per section; and
• audit fees, expenses;
• using the work of:
– internal audit;
– other auditors;
– experts; and
– computer experts;
• reliance on IT service organisations (where the client
subcontracts its IT functions).
Communication with the entity:
• attending management/board/committee meetings;
• written reports required and timing thereof;
• communication with third parties; and
• previous audit experience.
Previous audit findings and recommendations

2.2 DETAILED AUDIT PLANNING AT THE ASSERTION LEVEL FOR
SIGNIFICANT CLASSES OF TRANSACTIONS, ACCOUNT BALANCES
AND DISCLOSURES
2.2.1 Introduction
This entails the detailed planning at the assertion level for the audit of individ-
ual significant classes of transactions, account balances and disclosures (e.g.
sales, inventory, fixed assets, directors’ remuneration).
Classes of transactions, account balances and disclosures can be significant,
based on the nature of inherent risks, the monetary amount thereof, as well as
the significance of disclosure required under the applicable financial reporting
framework, such as financial and derivative instruments and related party
transactions.
2.2.2 Procedures to perform and information to consider
The audit approach to follow and procedures to perform will consist of:
• performing only tests of controls for particular assertions;
• performing only substantive procedures for particular assertions;
• a combined approach using both tests of controls and substantive
  procedures for particular assertions.

Step 1: Perform risk assessment procedures to identify and assess the
inherent risk of material misstatement and internal controls that
address such inherent risks
Perform risk assessment procedures to:
• identify and assess inherent risks of material misstatement. The
  inherent risks are assessed on a spectrum based on a combination
  of likelihood of occurrence and the magnitude of possible
  misstatements. The inherent risks assessed as high are considered
  to be significant audit risks that will need further attention; and
• identify internal controls for the significant risks that the auditor
  considers to be adequately designed and operational to prevent,
  detect and correct a material misstatement on a relevant assertion.
Step 2: Perform tests of controls to test the operating effectiveness of
controls the auditor intends relying on to limit the risk of material
misstatement on an assertion
The results of the tests of controls will determine whether the auditor
can rely on the controls to limit the risk of material misstatement for
that assertion.
If the controls tested are effective, the auditor may decide that no
further substantive procedures are required.
If the tests of controls indicate that the controls are not properly
designed and operating effectively, the auditor will need to perform
further procedures of a substantive nature to limit the risk of material
misstatement on the assertions.
Step 3: Perform substantive procedures to limit the risk of material mis-
statement on an assertion
The auditor will perform substantive procedures consisting of detail
testing and verification, combined with substantive analytical proced-
ures to limit the risk of material misstatement on the assertions.

3. THE AUDIT PLAN (ISA 300; par 17)


The planning, considerations and procedures performed at the assertion
level of the audit of transactions, balances and disclosures are
documented in an audit plan.
The documentation of the audit plan is a record of the planned nature, timing and
extent of risk assessment procedures and further audit procedures at the asser-
tion level in response to the assessed risks. It also serves as a record of the prop-
er planning of the audit procedures that can be reviewed and approved prior to
their performance. The auditor may use standard audit programs or audit comple-
tion checklists as appropriate for the engagement circumstances.

4. AUDIT CONSIDERATIONS RELATING TO AN ENTITY USING A SERVICE
ORGANISATION
SOURCE REFERENCE: ISA 402 “Audit Considerations Relating to an Entity
Using a Service Organization”
This applies where the entity being audited makes use of a service organisation
to process all or some of its transactions. Services provided by a service organ-
isation are relevant to the audit of a user entity’s financial statements when those
services, and the controls over them, are part of the entity’s information system,
relevant to the preparation of the financial statements.
When planning the audit, the auditor should, as part of his/her understanding of
the client’s information system and internal controls, consider the significance of the
service organisation activities and the impact thereof on significant accounts. The
auditor must then plan accordingly how to obtain assurance of the design and
effective operation of the controls of the service organisation processing the
client’s transactions. This will inform the audit strategy and overall response as
part of the audit plan for the audit.
Obtaining assurance of the design and effective operation of the controls of the
service organisation can consist of:
• the auditor testing the general and application controls of the service
  organisation itself (normally this does not happen in practice as service
  organisations are reluctant to allow third parties access to their systems
  and processes); or
• the service organisation appointing a third-party assurance provider to test
  its controls and provide a report to the clients that use the service
  organisation. The auditor will then place reliance on the assurance
  provider's reports for the controls affecting the entity. The auditor will,
  however, need to consider the acceptability of the assurance reports,
  applying the same criteria and principles as those for evaluation of a
  client’s expert (refer ISA 500).
The assurance reports entail two types of reports (refer ISRE 3402 and chapter 5
section 3.12), namely:
• Type 1 report: on the general controls of the service organisation;
• Type 2 report: on the application controls of the service organisation
  processing the entity’s transactions.

9
DYNAMIC AUDITING IN THE
FOURTH INDUSTRIAL REVOLUTION

1. Introduction
2. Industrial Revolutions
   2.1 A brief look at the First Industrial Revolution
   2.2 A brief look at the Second Industrial Revolution
   2.3 A brief look at the Third Industrial Revolution
   2.4 A brief look at the Fourth Industrial Revolution
   2.5 A composite picture of the Industrial Revolutions
3. Some of the key pillars of the Fourth Industrial Revolution
   3.1 Artificial intelligence (AI)
   3.2 Machine learning (ML)
   3.3 Natural language processing (NLP)
   3.4 Robotic process automation (RPA)
   3.5 Augmented reality (AR) and simulation
   3.6 Blockchain technology (BT)
   3.7 System integration (SI)
   3.8 Cloud computing (CC)
   3.9 Big data (BD)
   3.10 Internet of Things (IoT)
   3.11 Three-dimensional (3D) printing
   3.12 Considerations for dynamic auditing in the Fourth Industrial Revolution
   3.13 Typical dynamic major audit phases with the Fourth Industrial Revolution
        technologies in place
References


1. INTRODUCTION
Recent advances in technology manifest themselves with dramatic changes in all
aspects of life, whether physical, political, or business. Most workplaces are now
deploying machines in one way or another. In addition, the utilisation of artificial
intelligence, cognitive computing and big data has become a common occurrence.
As things stand, it is apparent that there has not been another time in history
when virtually all aspects of human life, from economics to politics, have been
affected by the swift changes brought by the developments in information
technology (Moloi & Marwala, 2020).
Human beings have reaped the rewards of technological advances. Some of the
rewards have included discovering powerful sources of cleaner energy and dis-
covering the fastest mode of transporting goods and services across the globe.
Further, technology has also improved the speed at which human beings com-
municate and share information in real time, no matter where they are across the
globe. These technological advances have been critical in conquering the bar-
riers of the previous generations, thus ensuring that life in the twenty-first century
has significantly improved.
Amid these constant changes, the auditing profession and the drivers of audits
have to evolve and become dynamic. The dynamic auditing profession will pos-
ition auditors to take advantage and leverage the benefits of these technological
advances. To be a dynamic profession, key stakeholders, particularly the audit-
ors, should understand the key Fourth Industrial Revolution technologies, their
capabilities, and how they can be deployed within the auditing field.
Whereas auditing has traditionally been seen as an objective examination and
evaluation of the enterprise records, dynamic auditing can be thought of as lever-
aging off the key technologies to take advantage of connectedness, update-
ability, speed, and accuracy, which are the fundamental advantages of intelligent
systems over human beings when examining and evaluating the enterprise rec-
ords.
Similarly, an auditor has traditionally been seen as a certified individual who
examined and evaluated the enterprise records, whereas a dynamic auditor can
be considered a certified individual who leverages the key technologies to take
advantage of their connectedness, updateability, speed, and accuracy, which
are the fundamental advantages of intelligent systems over human beings when
examining and evaluating the enterprise records.
As indicated earlier, given the dramatic changes that are taking place in the
physical, political, or business environment, it has become a necessity that
those who are carrying out the task of examining and evaluating the enterprise
records understand the key Fourth Industrial Revolution technologies, their
characteristics and how they can be deployed within the auditing field.
To build a solid foundation for understanding these critical issues, this chapter
aims to provide the context of the industrial revolutions. It will then shift and
provide context and understanding of the critical Fourth Industrial Revolution
technologies, their characteristics, and how they can be deployed within the
auditing field.


2. INDUSTRIAL REVOLUTIONS
2.1 A BRIEF LOOK AT THE FIRST INDUSTRIAL REVOLUTION
Roughly, we can trace the First Industrial Revolution from as early as the
1700s. It is thought that the first phase of Industrial Revolutions (also known as
the First Industrial Revolution) would have lasted for about 140 years, from
1760 to 1900. During this stage, the focus was on mechanising specific
production methods traditionally based on physical human and animal power.
Table 9.1 First Industrial Revolution

First Industrial Revolution

• Timing – around 1760 to somewhere around 1900.
• Focus – mechanising certain means of production which had traditionally been
  based on physical human and animal power.

Source: Schwab (2016)

2.2 A BRIEF LOOK AT THE SECOND INDUSTRIAL REVOLUTION


Roughly, we can trace the Second Industrial Revolution from as early as 1900.
It is thought that the second phase of Industrial Revolutions (also known as the
Second Industrial Revolution) would have lasted for about 60 years, from 1900
to 1960. Thus, it essentially lasted for less than half of the First Industrial Revo-
lution (about 80 years less). During this stage, the focus was on electrification.
Table 9.2 Second Industrial Revolution

Second Industrial Revolution

• Timing – around 1900 to somewhere around 1960.
• Focus – electrification and the rise of mass production.

Source: Schwab (2016)

2.3 A BRIEF LOOK AT THE THIRD INDUSTRIAL REVOLUTION


Roughly, we can trace the Third Industrial Revolution from the 1960s. It is
thought that the third phase of Industrial Revolutions (also known as the Third
Industrial Revolution) would have lasted for about 40 years, from 1960 to 2000.
Thus, it essentially lasted for about 20 years less than the Second Industrial
Revolution. During this revolution, the focus was on the automation of the pro-
duction processes (the rise of intelligent factory floors).
Table 9.3 Third Industrial Revolution

Third Industrial Revolution

• Timing – around 1960 to somewhere around 2000.
• Focus – automation of the production processes.

Source: Schwab (2016)


2.4 A BRIEF LOOK AT THE FOURTH INDUSTRIAL REVOLUTION


We trace the Fourth Industrial Revolution from the 2000s. In this revolution, the
focus was on the rise of intelligent systems that are thought to be blurring the
lines between physical, digital, and biological worlds. Among others, a variety
of key technologies have emerged: artificial intelligence, robotics, the Internet
of Things (IoT), 3D printing, genetic engineering, and quantum computing.
Table 9.4 Fourth Industrial Revolution

Fourth Industrial Revolution

• Timing – around 2000.
• Focus – the rise of intelligent systems.

Source: Schwab (2016)

2.5 A COMPOSITE PICTURE OF THE INDUSTRIAL REVOLUTIONS


Figure 9.1 below illustrates a composite picture of the industrial revolutions,
from the first to the fourth. It further illustrates the critical focus of each
revolution, from the mechanisation of the means of production in the First
Industrial Revolution to the rise of intelligent machines in the Fourth
Industrial Revolution.

[Figure: the four Industrial Revolutions in sequence.
First Industrial Revolution: mechanisation of the means of production.
Second Industrial Revolution: electrification.
Third Industrial Revolution: automation/digitization.
Fourth Industrial Revolution: the rise of intelligent machines/Internet of
Things/smart factories.]

Figure 9.1 A composite picture of the Industrial Revolution


Source: Authors’ own illustration; information sourced from Schwab (2016)

3. SOME OF THE KEY PILLARS OF THE FOURTH INDUSTRIAL REVOLUTION


This section introduces some of the critical pillars of the Fourth Industrial
Revolution. These include artificial intelligence, augmented reality, blockchain
technology, system integration, cloud computing, big data, IoT, 3D printing,
robotics/autonomous robots, and simulation. These technologies are introduced
and discussed in this section to build a foundation and to help those carrying
out the task of examining and evaluating the enterprise records to understand
the critical Fourth Industrial Revolution technologies and their capabilities.
The final part of this chapter illustrates how these technologies can be
deployed within the auditing field.

Pillars of the Fourth Industrial Revolution:
• Artificial Intelligence
• Augmented Reality
• Simulation
• Blockchain Technologies
• Robotics/Autonomous Robot
• System Integration
• 3D Printing
• Cloud Computing
• IoT
• Big Data

Figure 9.2 Pillars of the Fourth Industrial Revolution

Source: Authors’ own illustration; information sourced from Schwab (2016)

3.1 ARTIFICIAL INTELLIGENCE (AI)


Artificial intelligence (AI) is the art of making machines intelligent. Marwala
(2007 & 2009) sees it as a technique used to make computers intelligent.
Essentially, there are two classifications of AI, namely strong and weak AI. A
strong AI will typically be characterised by the ability of a machine agent to
perform various tasks. Additionally, the machine agent would have a capacity
to learn on its own, which eventually becomes crucial in solving new problems.
On the other hand, a weak AI is typically characterised by a machine agent
that is designed to perform a single task. In this regard, the machine agent
relies on its maker, a human agent, to define the key parameters.

AI
• Weak AI
  Tasks - Machine agent performs a single task.
  Reliance - Relies on its maker to make the rules and define parameters.
• Strong AI
  Tasks - Machine agent can perform various tasks.
  Reliance - Has the ability to learn on its own.

Figure 9.3 Weak and strong artificial intelligence

The three forms of AI are briefly discussed below. These include machine
learning, natural language processing, and robotic process automation.

3.2 MACHINE LEARNING (ML)


ML is often confused with the traditional software used to analyse data. The difference between traditional software and ML lies in the intervention of a human being. In traditional software, human-created rules are combined with data so that answers can be created to address the problem. ML, instead of using rules and data to create answers, uses data and answers to discover the rules behind the problem (Chollet, 2017).

Due to the vast amount of available data today, ML is one of the most prominent technologies. Data has literally exploded in the past 50 years. However, the non-availability of technologies such as ML meant that, in the past, this rich data was not analysed, understood, or used effectively to find patterns hidden within it.

Essentially, the emergence of ML technologies has been crucial in finding valuable underlying patterns within complex data. In traditional approaches, human agents were tasked to find these patterns, which consumed a lot of time, and the process was often plagued with errors. With ML, the output and knowledge generated from these patterns can predict future events and perform all kinds of complex decision-making (Alpaydin, 2020).

3.3 NATURAL LANGUAGE PROCESSING (NLP)


According to Moloi and Marwala (2021), NLP must be understood as a combination of various fields, including computer science, artificial intelligence, and linguistics. Essentially, in NLP, computer programmes interact with human language to form computational linguistics. It is used to translate human language. There are three functions of NLP, namely machine translation (MT), text summarisation (TS), and sentiment analysis (SA).

Table 9.5 Functions of natural language processing

Function of NLP: Description

Machine translation: MT would typically follow one of the three approaches. It could be the:
• Rule-based MT – In this approach, an expert who understands the source language and the target language is required to analyse text. The expert will use this knowledge to create rules that will provide guidance to achieve MT.
• Statistical MT – In this approach, to analyse text, statistical approaches are deployed to achieve MT.
• Neural MT – In this approach, to analyse text, neural networks are deployed to achieve MT.

Text summarization: TS uses algorithms that summarize the text succinctly and in a meaningful way.

Sentiment analysis: SA uses algorithms to assess the text to determine whether there is polarity or strength in the opinion in a review.

Source: Moloi and Marwala (2021)

3.4 ROBOTIC PROCESS AUTOMATION (RPA)


RPA is sometimes known as software robotics. RPA is typically used to automate business processes. Often, RPA is deployed to free up time for employees to focus on other tasks that require more human intervention. It would often be deployed to carry out manual and repetitive tasks. Repetitive tasks are often time-consuming and a source of risk, as human beings could get bored.

Moloi and Marwala (2021) have touted the following as benefits of deploying RPA: cost reduction, time efficiencies, better accuracy rate, improved governance environment, better customer advocacy and retention, improved checks and balances, increased speed and productivity, easy integration into existing technologies, and super-scalability.

Without technology, human beings carry out manual and repetitive tasks, which is ordinarily time-consuming. RPA is modern software with some form of intelligence that carries out these tasks instead. Essentially, RPA is meant for automating business processes to achieve efficiencies. RPA is non-invasive, which means that it can interact with a company’s existing technological systems using the user interface. If the company uses various technology systems, RPA becomes important as it can integrate these technologies. The integration of information makes its flow and management easy.

3.5 AUGMENTED REALITY (AR) AND SIMULATION


Typically, augmented reality provides a user with an interactive experience of
the real world. The computer will enhance or modify the user’s experience of
objects, which allows the user to simulate the real world.

3.6 BLOCKCHAIN TECHNOLOGY (BT)


Possibly one of the most critical disruptors of this century, blockchain cannot
be modified. It is therefore crucial in ensuring that records are protected from
deletion, tampering and revision. The advantage of this technology is that
transaction records are stored in blocks, and more importantly, the network in
which these blocks are stored is connected from one peer to the next through
the nodes. Thus, the hub where the transaction records are stored becomes
the digital ledger that all peers can access and view. This makes it an essential
technology for sensitive records such as payment systems, health records,
tenders, and contracts.
In the blockchain, cryptography is an important technology. In the presence of
potentially malicious behaviour such as deletion, tampering, and revision of
transactions, cryptography ensures a secure identity for the transacting parties
in the blockchain.
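
The protection against deletion, tampering and revision described above, as an added example (not from the handbook): each block's hash covers its records and the previous block's hash, so a changed or removed block fails verification, and a ledger whose hashes were all recomputed by one holder is still caught when its head hash is compared with a copy held by another peer. The record fields, function names and the in-process "peer" copy are assumptions; real blockchains add digital signatures and a consensus protocol, which are not shown.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # prev_hash used by the first block


def block_hash(index, prev_hash, records):
    """SHA-256 over a canonical JSON encoding of a block's contents."""
    payload = json.dumps(
        {"index": index, "prev_hash": prev_hash, "records": records},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_block(chain, records):
    """Add a block whose hash commits to its records and to the previous block."""
    prev = chain[-1]["hash"] if chain else GENESIS
    index = len(chain)
    chain.append({"index": index, "prev_hash": prev, "records": records,
                  "hash": block_hash(index, prev, records)})


def verify_chain(chain, trusted_head=None):
    """Return a list of findings; an empty list means the ledger verifies."""
    findings = []
    prev = GENESIS
    for pos, block in enumerate(chain):
        if block["index"] != pos:
            findings.append(f"position {pos}: block index out of sequence")
        if block["prev_hash"] != prev:
            findings.append(f"position {pos}: link to previous block is broken")
        if block_hash(block["index"], block["prev_hash"], block["records"]) != block["hash"]:
            findings.append(f"position {pos}: records do not match stored hash")
        prev = block["hash"]
    if trusted_head is not None and prev != trusted_head:
        findings.append("head hash differs from the independently held copy")
    return findings


def rehash_from(chain, start):
    """Recompute every hash from `start` onward, as a lone ledger holder could."""
    prev = chain[start - 1]["hash"] if start > 0 else GENESIS
    for block in chain[start:]:
        block["prev_hash"] = prev
        block["hash"] = block_hash(block["index"], prev, block["records"])
        prev = block["hash"]


def build_sample_ledger():
    """Constructed payment records in three blocks (sample data, not real)."""
    chain = []
    append_block(chain, [{"ref": "PAY-0001", "payee": "Supplier A", "amount": "1500.00"}])
    append_block(chain, [{"ref": "PAY-0002", "payee": "Supplier B", "amount": "820.50"},
                         {"ref": "PAY-0003", "payee": "Supplier C", "amount": "99.99"}])
    append_block(chain, [{"ref": "PAY-0004", "payee": "Supplier A", "amount": "4300.00"}])
    return chain


def run_scenarios():
    """Apply each kind of change to a copy of the ledger and collect the findings."""
    ledger = build_sample_ledger()
    peer_head = ledger[-1]["hash"]      # head hash as held by another peer or the auditor

    revised = copy.deepcopy(ledger)     # revision: an amount is changed in place
    revised[1]["records"][0]["amount"] = "8820.50"

    deleted = copy.deepcopy(ledger)     # deletion: a whole block is removed
    del deleted[1]

    rehashed = copy.deepcopy(ledger)    # revision followed by recomputing the hashes
    rehashed[1]["records"][0]["amount"] = "8820.50"
    rehash_from(rehashed, 1)

    return {
        "intact": verify_chain(ledger, peer_head),
        "revised": verify_chain(revised, peer_head),
        "deleted": verify_chain(deleted, peer_head),
        "rehashed_alone": verify_chain(rehashed),
        "rehashed_vs_peer": verify_chain(rehashed, peer_head),
    }


if __name__ == "__main__":
    for name, findings in run_scenarios().items():
        print(f"{name}: {findings or 'verifies'}")
```

The `rehashed_alone` case is the one to note when relying on such a ledger as audit evidence: a single copy that is internally consistent proves nothing by itself, which is why the head hash has to be held by parties other than the record keeper.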

3.7 SYSTEM INTEGRATION (SI)


Essentially, system integration will involve a hybrid between the software packages and various computing systems. Typically, these would be integrated to create a more extensive and efficient system. Naturally, because of the large swaths of information and data in the Fourth Industrial Revolution, the system integrator becomes a crucial tool for combining different software, computing systems, and processes. This allows for the harnessing of data and information in real time, thus providing decision-makers with nimbleness in their decision-making processes.

System integration could take two forms, namely horizontal system integration and vertical system integration. Suppose one was to think of the organisational pillars/divisions/departments/functions. In this case, they will typically consist of research and development/projects, production department engineering and maintenance, supply chain, finance, sales and marketing, assurance, human resources, and strategy. In this example, vertical integration will link all these departments together to ensure that the data and information flow freely across the pillars/divisions/departments/functions. System integration allows for the harnessing of data and information across these pillars/divisions/departments/functions in real time, thus providing decision-makers with nimbleness in their decision-making processes.

Horizontal system integration introduces other critical organisational stakeholders within its value chain process. This will typically be outside stakeholders such as customers, suppliers, and service providers, among others. Unfortunately, automating and linking with the external value chain, much as it has benefits associated with insight into stakeholders such as customers, suppliers, and service providers, could open up the organisation to malicious actors.

3.8 CLOUD COMPUTING (CC)


To understand cloud computing (CC), one has to understand one’s own computer. The computer has a hard drive. If one runs programmes and stores information on the hard drive, one is using local storage and computing. Cloud computing moves the running of programmes and the storing of information from the hard drive to the cloud. The cloud, in this case, is the internet. If the information is stored on the cloud, it can be accessed anywhere by connecting to the internet.

In explaining cloud computing, Von Solms and Willet (2016) view it as a computing model supplied by a third party on a contractual basis, which enables one to access an IT service over a network at any given time. In the past 50 years, the explosion of data has meant enormous amounts of power needed to process data. Kuyoro et al. (2011) believe that cloud computing is a more cost-effective method that allows scalability, resilience, flexibility, and efficiency.

3.9 BIG DATA (BD)


The scale at which humans collect and store data has led to new ways to make sense of the world they live in. Big data refers to an emerging computational ability to treat extensive data sets to reveal the underlying trends, patterns, and relationships within data. For example, it could contain transactions and records, which are called structured data; files, documents, and text, which are called semi-structured data; or logs from the IoT, which are called unstructured data. These extensive data sets would ordinarily be difficult to treat using traditional processing approaches that lack the computational ability. The solution adopted by traditional data processing approaches to their inability to deal with extensive data sets has been to sample and make observations.

With computational ability, big data has advantages that users such as businesses and governments can benefit from. These advantages include the performance of predictive analytics and understanding essential dimensions such as trends, patterns, and relationships within data.

The main challenges associated with big data would include representativeness, generalisability, harmonisation, and data overload. Given these challenges, Picciotto (2019) suggests that it is important to understand the context in which big data is lifted. Picciotto’s (2019) suggestion is that data must be cleaned and filtered to avoid discarding useful information, and at the same time, to avoid false and irrelevant data.

3.10 INTERNET OF THINGS (IOT)


The internet of things (IoT) could be said to be referring to the idea that any
device that human beings use can be connected through the on or off switch
to the Internet, whether it be lights in the house, microwaves, coffee makers,
smartwatches and other wearables or smartphones, amongst others.

3.11 THREE-DIMENSIONAL (3D) PRINTING


Three-dimensional (3D) printing is sometimes referred to as additive manufacturing. It presents a new way of manufacturing products whereby physical objects are created from digital designs. The name “additive manufacturing” is because the technology allows for the creation of products in a way that builds from one layer to the next (layer by layer). This contrasts with subtractive manufacturing, where a product is made from carving its inputs from larger pieces.

3.12 CONSIDERATIONS FOR DYNAMIC AUDITING IN THE FOURTH INDUSTRIAL REVOLUTION

Some of the technologies highlighted and discussed above may seem irrelevant to the auditing field. However, it is important to discuss them for various reasons. First, the auditing profession and auditors need to understand the mechanics behind these technologies. The brief discussion above achieves that objective by highlighting these technologies and their roles in the Fourth Industrial Revolution. Another important aspect is that with these technologies, everything functions in a digital world. This means more readily available data, audit trails, and more advanced data analytical algorithms.

One of the major risks that auditors face has always been the audit risk. Essentially, this is a risk that the auditor may fail to detect serious underlying flaws, leading to an inappropriate audit opinion. The inability to detect serious underlying flaws could be due to the vastness in the number of transactions needed to be confirmed in a statement of comprehensive income and a statement of financial position.

Given the vastness of transactions, to be efficient, the ISAs (particularly ISA 315) require that the risk-based approach is followed. This is to say that once the audit risk assessment has been carried out, significant risk areas have to be identified. Significant risk areas are those areas more prone to errors in balances and transactions, which could lead to material misstatements and impact the statement of financial performance and position.
Another important aspect is that of professional scepticism. ISA 200 requires
that an auditor plans and performs an audit wearing professional scepticism
lenses. Professional scepticism has two dimensions, namely the auditor’s mind
and the evidence before the auditor.

The first dimension requires an auditor to have a questioning mind. The idea of a questioning mind could be equated to a new Fourth Industrial Revolution skill (skills of the future), namely the cognitive skill. One of the things that cognitive skills require is critical thinking. In their explanation, Mckinsey and Company (2021) have pointed to four critical deltas of critical thinking. These are structured problem solving, logical reasoning, understanding biases, and seeking relevant information.

The second dimension, the evidence before the auditor, is premised on the idea that the auditor should critically assess the evidence placed before him/her. Questions in the auditor’s mind could be the following: How consistent are the documents? Are they reliable (this could include the reliability of sources of these documents)? Are they sufficient? Do they relate to the transaction (appropriateness)? Essentially, assessing the risks is a crucial aspect of the whole audit process. ISA 330 provides detailed guidance on how an auditor should obtain appropriate and sufficient audit evidence on the risks of material misstatements by responding to the assessed risks through the process of designing and performing substantive procedures for the individual classes of transactions, account balances, and disclosures.

What is imperative in both professional scepticism (ISA 200) and the adoption of the risk-based approach (ISA 315) is the importance of data and data analytics algorithms. The vastness of transactions building up to the statement of comprehensive income and a statement of financial position tells us that it is impossible to check all of the transactions. Even though there is guidance on how an auditor could critically assess the evidence placed before him/her, the concept could be subjective.
Auditing in the Fourth Industrial Revolution, supported by advanced data analytics algorithms and the deployment of intelligent agents, has the potential to address challenges associated with sample size as well as bias (subjectivity). It is clear that auditing in the Fourth Industrial Revolution will be characterised by rapid detection of events (using forms of AI such as ML algorithms). The analytical and predictive power of AI technologies could also be important when the auditor is making estimates. Technologies such as blockchain are key in protecting information from deletion, tampering, and revision. In gathering audit evidence, AI forms such as NLP could allow for the high-level (abstract) categorisation and grouping of facts. NLP could also be key in saving time during the audit of contracts to assess the risk and obtain sufficient audit evidence as some contracts sometimes contain voluminous textual information.
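
The sample-size point above, as an added example (not from the handbook): every constructed journal entry is scored against its own account with a median/MAD outlier test, a simple statistical stand-in for the ML outlier detection the text mentions, and `sample_detection_probability` gives the chance that a random sample would have contained a planted entry at all. The account names, amounts, the 3.5 cut-off and all function names are assumptions.

```python
import math
import statistics
from collections import defaultdict

THRESHOLD = 3.5  # commonly used cut-off for the modified z-score (assumed here)


def build_population():
    """Constructed journal entries: 500 rows, 3 accounts, 2 planted anomalies."""
    entries = []
    for i in range(500):
        account = ("stationery", "fuel", "rent")[i % 3]
        if account == "stationery":
            amount = 200 + (i * 7) % 90       # between 200 and 289
        elif account == "fuel":
            amount = 900 + (i * 11) % 300     # between 900 and 1199
        else:
            amount = 12000                    # fixed monthly rent
        entries.append({"id": f"JE-{i:04d}", "account": account,
                        "amount": float(amount)})
    entries[150]["amount"] = 9500.0    # stationery entry, yet smaller than any rent entry
    entries[302]["amount"] = 12750.0   # rent entry that departs from the fixed amount
    return entries


def flag_outliers(entries, threshold=THRESHOLD):
    """Score every entry against its own account using median and MAD."""
    by_account = defaultdict(list)
    for entry in entries:
        by_account[entry["account"]].append(entry)

    flagged = []
    for account, rows in by_account.items():
        amounts = [row["amount"] for row in rows]
        median = statistics.median(amounts)
        mad = statistics.median([abs(a - median) for a in amounts])
        for row in rows:
            deviation = abs(row["amount"] - median)
            if mad == 0:
                # At least half the amounts equal the median, so any
                # departure from it is treated as an exception.
                score = math.inf if deviation > 0 else 0.0
            else:
                score = 0.6745 * deviation / mad   # modified z-score
            if score > threshold:
                flagged.append({"id": row["id"], "account": account,
                                "amount": row["amount"], "score": score})
    return sorted(flagged, key=lambda f: f["id"])


def sample_detection_probability(population, anomalies, sample_size):
    """Chance that a simple random sample contains at least one anomalous entry."""
    misses = math.comb(population - anomalies, sample_size)
    return 1 - misses / math.comb(population, sample_size)


if __name__ == "__main__":
    for hit in flag_outliers(build_population()):
        print(hit["id"], hit["account"], hit["amount"])
    p = sample_detection_probability(500, 2, 25)
    print(f"chance a 25-item sample contains a planted entry: {p:.1%}")
```

Flagged entries are exceptions for follow-up, not misstatements; the auditor still has to obtain evidence for each one.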
For those areas that are more prone to errors in balances and transactions, which could lead to material misstatements and impact the statement of financial performance and position, RPA can be used to automate the reconciliation process, to perform internal control testing, and perform detailed testing (carry out substantive tests). With a larger sample size or even a population, dynamic auditors could also have the advantage of gaining an understanding of other transactions in the vast network of transactions. AI technologies could also be key in the integration of audit evidence from a variety of data sources (big data).

COVID has also illustrated how important Fourth Industrial Revolution technologies such as autonomous robots/drones could be when there is a restriction in the movement of people. Autonomous robots equipped with high-powered laser cameras and image recognition, both part of computer vision and AI, could be crucial in the collection of audit evidence relating to the inventory. This will allow an auditor to draw conclusions by analysing these images.

Given the potential disruption of Fourth Industrial Revolution technologies in the profession, dynamic auditors would have to adapt and learn the new Fourth Industrial Revolution skill, namely the digital skill. Mckinsey and Company (2021) have pointed to three critical areas, which include digital fluency and citizenship, software use and development, and understanding of digital systems. Digital fluency and citizenship include skills such as digital literacy, digital learning, digital collaboration, and digital ethics. Software use and development include skills such as programming literacy, computational and algorithmic thinking, data analysis, and statistics. Understanding of digital systems includes data systems, data literacy, cybersecurity literacy, and tech-translation and enablement.

3.13 TYPICAL DYNAMIC MAJOR AUDIT PHASES WITH THE FOURTH INDUSTRIAL REVOLUTION TECHNOLOGIES IN PLACE

In general, an audit involves four typical major phases, namely the planning
phase, internal control testing phase, the substantive testing phase, then the
conclusion and reporting phase.

Planning phase → Internal control testing phase → Substantive testing phase → Conclusion and reporting phase

Figure 9.4 Major audit phases

3.13.1 Processes in each major audit phase


Each major phase will contain its own processes. The processes are illustrated
in tables 9.6 to 9.9.

Table 9.6 The planning process

Process: Planning process

Structured:
• In cases where a firm has taken a new client, a file will be opened to capture relevant and significant information that is vital in understanding the client engagements only.
• In the subsequent years, the original file will be updated with any major changes in a client’s circumstances.
• The entity's ownership structure, and the balance sheet structure will be determined.

Semi-structured:
• In the case of an existing client, the previous year’s correspondence files, permanent files, and work papers should be reviewed.
• Key client staff members responsible for overseeing the audit are the point of first contact.
• The mix and size of items comprising an account are determined.

Unstructured:
• Determining the risk tolerance of those charged with governance in committing the entity to ventures that could be deemed risky.
• Determining the circumstances that could be a motivator for those charged with governance to misstate accounts.
• Determining the attitude of those charged with governance about financial reporting.

Source: Process adapted from Zhang (2019) & Abdolmohammadi (1999).

Fourth Industrial Revolution technology that could be applicable to the process.

Structured:
• RPA could be used to map and automate the client’s organisational structure, operational methods, and accounting and financial systems.

Semi-structured:
• RPA could be used to map the key audit stakeholders and their role in the client. It could be used for continuous test of details of mix and size of items in the account.
• NLG could be useful in generating text from numerical data.

Unstructured:
• ML for continuous pattern recognition, outlier detection, formulating benchmarks.
• Critical thinking is also crucial.

Table 9.7 The internal control testing phase

Process: The internal control testing phase

Structured:
• Test the accuracy of the reconciliations prepared by the client.
• The audit team completes a generalised questionnaire, checklist, or narrative memorandum that organises and summarizes the information obtained by applying test of controls procedures for preliminary evaluation.
• Reviewing and examining the practice of using batch totals by client.

Semi-structured:
• It is important that the audit team documents the system that is deemed sufficient to gain an understanding and develop an audit program that concentrates on substantive testing.
• The audit team has to determine if the boundary controls are in existence and are adequate. This includes reviewing account distribution by responsible officials; and performing the variance analysis.
• The audit team reviews correspondence files, prior year’s work papers, permanent files, and prior year’s financial statements and audit reports.

Unstructured:
• The audit team is to determine the significance and the widespreadness of the practices of management override.
• The audit team is to evaluate the adequacy of the existing internal controls. It then decides on the appropriateness as well as the degree of reliance it can place on this.
• The audit team evaluates the limitations that are deemed a hindrance to the application of planned audit procedures

Source: Process adapted from Zhang (2019) & Abdolmohammadi (1999)

Fourth Industrial Revolution Technology that could be applicable to the process.

Structured:
• RPA for continuous test of details of balances.
• ML for continuous pattern recognition, outlier detection.
• Checklist, or narrative memorandum answers, and narratives could be fed into ML algorithms,
• Technology such as image recognition and text mining could be used to analyse this.

Semi-structured:
• RPA for continuous test of details of balances.
• NLG could be useful in generating text from numerical data.

Unstructured:
• ML for continuous pattern recognition, outlier detection, formulating benchmarks.
• ML could aggregate management override data to identify fraud and illegal-acts risk factors.
• Critical thinking is also crucial.
• NLP could allow for the high-level (abstract) categorisation and grouping of facts.
• NLG could be useful in generating text from numerical data.

Table 9.8 The substantive testing phase

Process: The substantive testing phase

Structured:
• Balance back the bank reconciliations figures to the confirmation of bank balances received from external parties (banks).
• Balance back the opening balances of fixed assets accounts to prior year’s working papers.
• Corroborate the accuracy of all relevant supporting schedules

Semi-structured:
• Should there be unmatched items, the reports relating to them must be reviewed and inquiries must be made about any disposals.
• The description and classification of accounts must be reviewed.
• If the company is a trading company, sales contracts should be reviewed for terms and prices.

Unstructured:
• The audit team has to determine the quality of audit evidence required to limit the risk to a tolerable level.
• In high-risk areas such as the related party transactions, the effect of immaterial misstatements must be evaluated.
• The audit team has to determine the risk of material misstatement associated with a specific account area and a given audit objective.

Source: Process adapted from Zhang (2019) & Abdolmohammadi (1999)

Fourth Industrial Revolution Technology applicable to the process

Structured:
• RPA could be used for continuous test of details of balances.
• ML for continuous pattern recognition, outlier detection.
• Checklist, or narrative memorandum answers, and narratives could be fed into ML algorithms; technology such as image recognition and text mining could be used to analyse this.

Semi-structured:
• RPA could be used for continuous test of details of balances.
• NLP could allow for the high-level (abstract) categorisation and grouping of facts.
• ML could be used for continuous pattern recognition, outlier detection, formulating benchmarks.

Unstructured:
• ML for continuous pattern recognition, outlier detection, formulating benchmarks.
• Critical thinking is also crucial.
• Big data and predictive analytics are an option for related party transactions.
• NLP could allow for the high-level (abstract) categorisation and grouping of facts.
• NLG could be useful in generating text from numerical data.

Table 9.9 The conclusion and reporting phase

Process: The conclusion and reporting phase

Structured:
• Where applicable, request that the client include disclosures required by IFRS.
• When appropriate, the firm’s financial statement disclosure checklist is to be completed.

Semi-structured:
• Reviewing information accompanying the financial statements to ensure that it is not materially inconsistent with the financial statements.

Unstructured:
• The audit team must determine the adequacy and appropriateness of the scope of the audit.
• The audit team must consider the adequacy of the disclosures relating to material uncertainties or contingencies.
• The audit team must consider whether a particular matter should be disclosed in light of the prevailing circumstances and facts.

Source: Process adapted from Zhang (2019) & Abdolmohammadi (1999)

Fourth Industrial Revolution Technology that could be applicable to the process.

Structured:
• ML for continuous pattern recognition, outlier detection.
• Checklist, or narrative memorandum answers, and narratives could be fed into ML algorithms; technology such as image recognition and text mining could be used to analyse this.

Semi-structured:
• NLP could allow for the high-level (abstract) categorization and grouping of facts.
• ML for continuous pattern recognition, outlier detection, formulating benchmarks.
• NLG could be useful in generating text from numerical data.

Unstructured:
• ML for continuous pattern recognition, outlier detection, formulating benchmarks.
• NLP could allow for the high-level (abstract) categorisation and grouping of facts.

REFERENCES
Abdolmohammadi MJ ‘A comprehensive taxonomy of audit task structure, professional rank and decision aids for behavioral research’ Behavioral Research in Accounting 11 (1999), 51–92.
Alpaydin E Introduction to Machine Learning 4th edn (Cambridge, Massachusetts: The MIT Press, 2020).
Chollet F Deep learning with Python (New York: Shelter Island Manning. Manning Publications Company, 2017).
IFAC International Standard on Auditing 330, Auditor’s Responses to Assessed Risks (2010) https://www.ifac.org/system/files/downloads/a019-2010-iaasb-handbook-isa-330.pdf (accessed 10/08/2021).
IFAC International Standard on Auditing 315, Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment (2010) https://www.ifac.org/system/files/downloads/a017-2010-iaasb-handbook-isa-315.pdf (accessed 10/08/2021).
IFAC International Standard on Auditing 200, Overall Objective of the Independent Auditor and the Conduct of an Audit in accordance with International Standard on Auditing (2010) https://www.ifac.org/system/files/downloads/a008-2010-iaasb-handbook-isa-200.pdf (accessed 10/08/2021).
Kuyoro SO, Ibikunle F and Awodele O ‘Cloud Computing Security Issues and Challenges’ International Journal of Computer Networks 3: 5 (2011), 247–255.
Marwala T Computational intelligence for missing data imputation, estimation, and management: Knowledge optimization techniques (Pennsylvania: IGI Global, 2009).
Marwala T Computational intelligence for modelling complex systems (Delhi: Research India Publications, 2007).
Mckinsey and Company Defining the skills citizens will need in the future of world of work (2021) https://www.mckinsey.com/~/media/mckinsey/industries/public%20and%20social%20sector/our%20insights/defining%20the%20skills%20citizens%20will%20need%20in%20the%20future%20world%20of%20work/defining-the-skills-citizens-will-need-in-the-future-world-of-work.pdf?shouldIndex=false (accessed 15/08/2021).
Merandoti D and Pelosi A ‘R&D Innovation: Transformational Challenges for Organizations and Society’, R&D Management Conference, Milan, Italy, 30 June and 4 July 2018.
Moloi T and Marwala T Artificial Intelligence and the Changing Nature of Corporations. How Technologies Shape Strategy and Operations (Springer Nature, 2021) https://link.springer.com/book/10.1007%2F978-3-030-76313-8 (accessed 20/08/2021).
Moloi T and Marwala T Artificial Intelligence in Economics and Finance Theories (Springer Nature, 2020) http://www.springer.com/series/4738 (accessed 10/06/2021).
Picciotto R ‘Evaluation and the Big Data Challenge’ American Journal of Evaluation 41: 2 (2019), 166–181.
Schwab K The Fourth Industrial Revolution (Geneva, Switzerland: World Economic Forum, 2016).
von Solms R and Viljoen M ‘Cloud Computing Service Value: A Message to the Board’ South African Journal of Business Management 43: 4 (2012), 43–81.
Zhang C ‘Intelligent Process Automation in Audit’ Journal of Emerging Technologies in Accounting 16: 2 (2019), 69–88.

10
AUDITING IN AN
INFORMATION TECHNOLOGY ENVIRONMENT
(COMPUTERISED INFORMATION SYSTEMS)

1. Introduction
1.1 Relevant auditing statements: IAASB Auditing Publications
1.2 Background to information technology environments and auditing in information technology environments
1.3 The auditor’s need for digital acumen (CA2025)
2. Understanding the enterprise and the environment in which it operates
2.1 Strategic management of the computer environment
2.2 Different information technology environments
2.3 The use of service organisations and service providers (outsourcing)
3. Risks in an information technology environment
4. Controls in an information technology environment
4.1 Introduction
4.2 Overall framework of controls
4.3 Strategic management of information technology operations
4.4 General controls
4.5 Application controls
4.6 A framework for application controls
5. Auditing in an information technology environment
5.1 Introduction
5.2 Impact of an information technology environment on the audit process
5.3 Testing controls in an information technology environment
5.4 Evaluation of controls: Tests of controls
5.5 Substantive procedures
5.6 Audit software (computer assisted audit techniques or CAATs)
5.7 Audit implications of outsourcing
5.8 Use and control of personal computers in the audit process
6. Application of principles to specific environments and applications
6.1 Introduction
6.2 Online systems
6.3 Internet applications
6.4 Electronic data interchange (EDI)
6.5 Electronic funds transfer (EFT)
6.6 Stand-alone personal computers – PCs
6.7 The effect of personal computers on accounting and internal controls
6.8 Specific risks and related controls
6.9 The effect of a personal computer environment on audit procedures

CHAPTER 10: Auditing in an information technology environment

1. INTRODUCTION
1.1 RELEVANT AUDITING STATEMENTS: IAASB AUDITING PUBLICATIONS
Whilst all the International Auditing Standards are of relevance to auditing in an
information technology environment, ISA 300, ISA 315 and ISA 330 are of
particular relevance to this chapter, as well as the following specific statements:
ISA 402 “Audit Considerations relating to an Enterprise using a Service Organisation”
ISAE 3402 “Assurance Reports on Controls at a Service Organisation”

1.2 BACKGROUND TO INFORMATION TECHNOLOGY ENVIRONMENTS AND AUDITING IN INFORMATION TECHNOLOGY ENVIRONMENTS
This is an auditing text and not an information technology manual. As our
readers have already taken at least one university course in information
technology, they have already been exposed to basic computer literacy and
terminology.
Because of the wide variety of different computer environments and their effect
on auditors and the audit, we will concentrate on important principles
applicable to all computer environments.
The objective of this chapter is thus to teach students the basic principles
relating to controls and auditing in a computer environment.
Chapter 9 illustrates the fast-changing ICT environment and deals with the
effect of recent advances in technology on auditors and on the audit, as part
of the Fourth Industrial Revolution.
As is apparent from chapter 9, ICT continues to evolve at an extremely rapid
and seemingly ever-increasing pace, leading to a continually changing
environment with ICT expenditure becoming one of the largest items on
companies’ budgets.
The 20th and 21st centuries have been defined by advancements in technology,
and Information and Communication Technology (ICT) systems now form an
integral part of our everyday lives. From a business perspective, ICT plays a
critical role in the success of any enterprise by enabling prompt and reliable
access to and processing of information.
The evolution of technology has been accelerated as a result of the COVID-19
pandemic, with many enterprises adapting their use of technology in order to
remain sustainable in adversity and many workers finding themselves working
from home in an online environment.
It seems likely that the effect of the pandemic will be felt well into the future and
that technology will continue to change our lives and the way enterprises
operate. Any enterprise that fails to keep up with trends in technology will face
lost opportunities and find it difficult to catch up.

Electronic business transactions have transformed, and will continue to
transform, the global economy, within and across geographic and sector
boundaries, creating new markets and changing existing ones. Technology now
provides a significant contribution to an enterprise’s competitive edge in an
increasingly globalised world.
Computerised accounting systems
Most accounting information systems make extensive use of information
technology (IT).
All accounting information and control systems comprise infrastructure,
representing physical and hardware components, software, people, procedures,
data and electronic communications between computers.
An IT environment (computerised information systems (CIS) environment)
exists when a computer of any size or type is involved in processing financial
information by an enterprise – whether the system is operated by the enterprise
or by a third party. The use of a computer affects the generation of
transactions, the processing of these transactions, the storage and communication
of information and, therefore, has a significant impact on the accounting and
internal control system.
IT systems are designed to provide efficient and effective means of processing
information in order to satisfy the needs of users and support operational,
control and strategic objectives. IT systems are designed to efficiently acquire,
store, process, analyse and disseminate information and present that
information to users in a form that improves decision effectiveness.
IT systems relevant to the accounting function may be grouped into five broad
categories:
• transaction processing systems (TPS) that process daily routine business
  transactions at an operational level;
• management reporting systems (MRS) that provide managers with routine
  reports, summaries and exception reports that enable them to control their
  areas of responsibility;
• decision support systems (DSS) that contain strong analytical power and
  may use information from external sources;
• executive information systems (EIS) that provide summarised data, focused
  on longer term strategic views and used by senior executives;
• office information systems (OIS) that support work in an office
  environment, such as email, work scheduling, word processing and calculative
  functions.
This chapter focuses essentially on transaction processing systems and
management reporting systems as auditors, specifically external auditors, are
principally concerned with obtaining audit evidence concerning the recording of
transaction flows and the balances that result from recording transactions.

Computers have become smaller, faster and more powerful and can process
large quantities of data very quickly. This, together with developments in data
communications and the advance of tablets, smart phones and other handheld
devices, has led to transactions being processed electronically. The evolution
of technology has also resulted in a shift of emphasis from central electronic
data processing departments to end-user and distributed processing. This has
brought about specific risks and control considerations.
IT systems do not alter the need for systems of internal control. Nor do they
affect the control objectives or the need to apply auditing standards.
Computers merely provide the tools for different methods of processing information
and lead to changes in the characteristics of the system. An IT environment
will, however, influence the nature, scope and timing of audit procedures,
specifically affecting:
• procedures to gain an understanding of the accounting and internal
  control system;
• the evaluation of inherent and control risks;
• the effect of IT on audit procedures, including the availability of data and
  the increased use of audit software;
• the design and performance of procedures to obtain audit evidence – tests of
  controls, analytical reviews and detailed substantive procedures.
Characteristics of and considerations in an IT environment

1. Organisational structure
1.1 Characteristic: User’s ability to remotely access computers and data
    Considerations:
    • Less effective segregation of duties
    • Persons with detailed knowledge of the system can make unauthorised changes
    • Risk of unauthorised:
      – access to data and programs
      – changes to data and programs

2. Nature of processing
2.1 Characteristic: Absence of input documents
    Considerations:
    • Authorisation of transactions through the system
2.2 Characteristic: Lack of visible transaction trails
    Considerations:
    • Data only available for a short time or only available in electronic format
2.3 Characteristic: Lack of visible output
    Considerations:
    • Lack of printed documentation, implying that data must be examined in
      electronic format
2.4 Characteristic: Accessibility of data and programs, particularly through
    remote access
    Considerations:
    • Risk of unauthorised:
      – access to data
      – processing of data
      – changes to data by persons within/outside the enterprise
      – changes to program software

3. System design and processing aspects
3.1 Characteristic: Consistency of processing
    Considerations:
    • Programming errors could result in processing errors
3.2 Characteristic: Programmed controls
    Considerations:
    • Programmed internal controls exercise automatic and consistent control
      (e.g. passwords which control access)
3.3 Characteristic: Transactions automatically update all files
    Considerations:
    • The capture of an incorrect transaction could cause errors in various
      accounts
    • Similarly, incorrect processing would cause errors in various accounts
3.4 Characteristic: System-generated transactions
    Considerations:
    • Transactions are generated automatically and authorised by the system
      without written documentary evidence
3.5 Characteristic: Vulnerability of storage media for data and programs
    Considerations:
    • Data and programs are stored electronically and could easily be removed,
      altered or damaged
3.6 Characteristic: Transmission of data through electronic communications media:
      – within the organisation (e.g., a network)
      – between the organisation and third parties
    Considerations:
    • Data could be intercepted, lost, duplicated, corrupted or manipulated
      during transmission

1.3 THE AUDITOR’S NEED FOR DIGITAL ACUMEN (CA2025)


It is clear from the considerations dealt with above that the rapid pace of
technological change will require the auditors of the 21st century to remain current
with new technologies and continue to develop digital acumen.
This is congruent with the South African Institute of Chartered Accountants’
(SAICA) vision of “CA2025” and the proposed SAICA Competency Framework
for the CA of the future.
Given that most South African auditors are Chartered Accountants (SA),
compliance with the Competency Framework would be expected.
The Proposed Competency Framework requires accountants, and therefore
auditors, to be able to:
• understand the risks and benefits relating to technology;
• apply basic data concepts, including data structures, normalisation of
  data and metadata and sources of data such as data files and databases;
• take cognisance of how these concepts influence data and interact with
  each other;
• retrieve and store data when performing tasks;
• evaluate the risks and consequences related to the specific environments
  in which data is stored;
• evaluate and report ways in which access to data may be controlled,
  including cyber risk and both local data and data in transit;
• evaluate policies and strategies that deal with data protection, privacy,
  intellectual property rights and ethical issues in data management;
• extract information that will assist with decision-making and problem
  solving;
• use data analytic software tools to analyse data and interpret the results;
• understand new developments in technology.
Auditors of the 21st century owe it to themselves to continue their professional
development by remaining up to date. There is a wealth of information
available on the Internet that can facilitate this.

2. UNDERSTANDING THE ENTERPRISE AND THE ENVIRONMENT IN WHICH IT OPERATES
As part of their understanding of the enterprise and the environment in which it
operates, auditors would need to apply the competencies referred to above and
assess:
• the enterprise’s strategic management of the computer environment;
• the nature of the enterprise’s technology environment, including whether or
  not data is processed in-house or outsourced.
This section deals with these aspects under the following headings:
• strategic management of the computer environment;
• different IT environments;
• the use of service providers (outsourcing).

2.1 STRATEGIC MANAGEMENT OF THE COMPUTER ENVIRONMENT


Whilst an auditing text cannot explore IT strategy in any depth, it is,
nevertheless, important that an auditor should understand the strategic process. The
audit focus would be principally on the risks relating to the implementation of
new systems and systems changes and the controls over these aspects.
IT Governance has become very topical and is specifically referred to in the
King IV Code on Corporate Governance.
IT is no longer seen as simply a mechanism for processing data but as a
strategic resource.
For this reason, strategic management no longer focuses merely on risks and
controls, but regards IT as a project designed to meet the enterprise’s needs
and objectives, and which is:
• aligned with the overall strategy of the enterprise;
• integrated into the entire enterprise;
• designed to improve enterprise processes.
Strategic objectives
The IT strategy should strike an appropriate balance between the enterprise’s
needs, its current IT systems and the many and varied opportunities offered by
new technology. In order to achieve this objective, the strategy would:
• align the IT direction with the overall enterprise strategy;
• promote effective management of critical IT assets;
• allocate IT resources efficiently and effectively across the whole
  enterprise;
• improve communication between the financial and IT units within the
  enterprise;
• improve the flow of information and processes both within the IT unit and
  throughout the enterprise;
• reduce the time frame and expense of the IT implementation life cycle.
Implementation
A basic model for implementation of the IT strategy would comprise the following
steps:
• Clearly establish the overall mission, values and strategic direction of the
  whole enterprise.
• Evaluate the current IT environment and document the present IT
  capabilities.
• Perform SWOT and GAP analyses on the current IT environment.
• Engage with management and users to create an IT vision that is
  congruent with the overall mission and values.
• Develop an IT strategic plan that schedules objectives, individual projects,
  priorities, resources and timelines.
• Establish a communications plan that will continuously engage with
  management and users concerning the vision and status of the IT strategic
  plan.
• Develop feedback, monitoring and assessment mechanisms to enable
  continuous review and revision of the strategic plan.

2.2 DIFFERENT INFORMATION TECHNOLOGY ENVIRONMENTS


Owing to our readers’ prior knowledge of IT, we do not set out to provide
extensive detail concerning the nature of different IT systems in this textbook.
We deal briefly below with basic principles, whilst chapter 9 explores recent
developments and how these developments affect the audit of IT systems.
The constant state of change in IT has led to the application of numerous
different IT environments, including, but not limited to:

• Online systems
  Most current systems operate in an online environment connected to a
  network or the Internet.
  The extent to which employees have been working online at home has
  increased significantly as a result of COVID-19 lockdown regulations.
  Because of the resultant savings in office infrastructure costs, this pattern
  is expected to continue.
  Online systems include:
  1. Online entry with real-time processing
     Transactions are entered via electronic input devices, automatically
     validated and authorised by a server and system files are updated
     immediately. This results in both transaction and data files being
     updated immediately.
  2. Online entry with batch processing
     Transactions are entered via an input device, validated and authorised
     and written to a transaction file. Transactions are then updated in
     batch mode. As a result, transaction files and data files are not
     updated immediately.
     Batches provide the opportunity for good control over the
     completeness and accuracy of data through the use of control totals and audit
     trails.
  3. Shadow processing
     A copy of the master data file is used during the day and is updated
     continuously using online entry with real-time processing.
     The system simultaneously creates batch files for the day’s
     transactions and these batch files are used to update the original data file
     overnight in batch mode. A new copy of the updated data file is then
     created for use the following day.
     Shadow processing offers the benefits of both real-time processing
     and batch processing, whilst providing better protection to the original
     data file.
  4. Online entry with memory update
     Transactions are entered, authorised and written to a memory file
     which contains information drawn from the original data file. This is
     similar to shadow processing and implies that:
     • enquiries are made from an up-to-date memory file;
     • data files are updated at a later stage from the transaction files.
• Real-time systems
  These are essentially online systems where transactions are processed
  immediately.

• Networks
  These involve online processing of different applications on different
  devices and the sharing of hardware, software and data.
• Increased use of mobile applications (“apps”), wireless communications
  (WiFi) and handheld devices
  This has caused the proliferation of devices used to access the system.
  This has led to the term “bring your own device” (BYOD), where some
  systems allow access to virtually any device used by an authorised user.
• Databases
  Databases typically form part of an online system where data is stored in a
  database and accessible to a number of different users for different
  purposes.
  • Individual users are familiar with only the data used by themselves and
    see the data as a file processed by the application systems.
  • A database system comprises two principal components, namely the
    database – the actual data – and the database management system
    (DBMS).
    The DBMS is the program used to create and store the data and
    manage the database. Together with the operating system, the DBMS
    facilitates the storage of data and the relationships between data and
    makes the data available for use by users and application programs.
• The Internet
  The 21st century has seen extensive use of the Internet including intranets
  (private networks using the Internet) and extranets (extension of private
  networks to include customers and suppliers).
  Conceptually, the Internet is a huge wide area network.
  • “Internet protocols” refer to the rules for defining the formats used for
    communications.
  • The term “internet” (lower case “i”) refers to situations where two or
    more networks are connected, but not through the Internet. In this
    case, communication is achieved through electronic communication.
    This is similar to an intranet.
  • An intranet is a private network restricted to a single enterprise or
    group of enterprises. Whilst intranets use similar software to the
    Internet, the networks are used for internal use only.
• Cloud computing and virtualisation
  Cloud systems are dealt with in chapter 9 where we discuss virtualisation
  and moving the enterprise’s focus away from ownership of resources to
  access to and utilisation of resources.
  Recent trends in virtualisation are expected to allow businesses to
  dispense with their present banks of servers and drastically reduce operating
  costs, whilst increasing flexibility.
  The cloud enables enterprises to use computing resources as a service over
  a network, typically the Internet. The cloud service provider has full control
  over the Internet-based applications used by the business, thus relieving
  the business of a great deal of responsibility. Use of the cloud enables
  processing without having to purchase the hardware, thus saving money
  and time.
  Data is centrally stored and any properly enabled electronic device
  connected to the Internet may access the cloud computing environment to
  use the common pool of applications and files.
  The next step in cloud computing is edge computing, a recent technology
  that achieves faster application performance by running fewer processes
  in the cloud through greater integration with users’ systems and servers.
  Similar to the cloud are virtual machine servers (VMS), which host or run
  virtual machines that act as full computing platforms. VMSs can run
  various operating systems and host multiple virtual machines at once.
  Distributed cloud technology is expected to further improve cloud
  performance by further distributing cloud resources.
  “Software as a service” (SaaS) refers to applications available through
  cloud computing.
  “Infrastructure as a service” (IaaS) allows businesses to rely on equipment
  owned and provided by service providers and could involve the use of
  “virtual machines”. Virtual machines are “computers” that do not physically
  exist but are created and located on the cloud.
  “Platform as a service” (PaaS) refers to IaaS that also offers a software
  development framework.
• Personal computer (PC) based systems
  These are commonly used by smaller organisations, whilst larger
  enterprises would use PCs as part of a network with many of their employees
  having remote access.
• Electronic business transactions
  This includes electronic commerce (e-commerce), including electronic
  funds transfer (EFT) and electronic data interchange (EDI).
  • E-business relates to the use of IT to conduct business between
    buyers and sellers.
  • Organisations (trading partners) increasingly communicate with each
    other through the Internet, thus eliminating the need for paper
    documentation. This is generally referred to as “Business to Business
    E-Commerce” (B2B). The most common forms of electronic business
    transactions are EDI and EFT.
  • Transactions between businesses and individuals over the Internet are
    generally referred to as “Business to Consumer E-Commerce” (B2C).
    Examples of B2C include the numerous products available for sale
    through the Internet as well as the travel and leisure industry (hotels,
    accommodation providers, airlines and entertainment facilities offer
    direct access to their services).
    B2C is making ever increasing use of touch-free interaction using QR
    codes.
  • South African legislation dealing with e-commerce and related issues
    covers a broad spectrum of legal issues. This legislation grants
    recognition to data messages and the recognition of electronic signatures.
    However, the legislation indicates that only an advanced electronic
    signature will satisfy the legal requirement for a signature. An
    advanced electronic signature is one that has been accredited by an
    accrediting authority established in terms of the legislation.
  • Definitions:
    – Electronic commerce (e-business or e-commerce): Electronic trading
      between buyers, sellers and trading partners using a computer.
    – Electronic data interchange (EDI): Electronic exchange of business
      information between two or more trading partners. Paper
      documentation is replaced with electronic documentation. This could
      take place:
      • through direct network links between two trading partners;
      • indirectly through a network service;
      • through the Internet.
    – Electronic funds transfer (EFT): This represents the initiation,
      authorisation and transfer of funds using a computer system. Examples
      include:
      • electronic payment of suppliers;
      • direct payment of salaries into employees’ bank accounts;
      • point of sale payments.

• Enterprise software applications (ESAs)
  ESAs are purpose-designed software applications aimed at organisations
  rather than at individual users. Organisations using ESAs range
  from businesses to schools and government departments. Enterprise
  software forms an integral part of an IT system and includes
  internet-based applications.
  • Enterprise software generally incorporates and integrates business
    oriented applications, such as enterprise resource planning (ERP),
    online trading, electronic payments, interactive product catalogues,
    billing systems, security, IT service management, customer
    relationship management, business intelligence, project management, human
    resource management, manufacturing and enterprise automation.
  • ESAs also include enterprise performance management (EPM)
    systems. EPM systems are generally beyond the scope of this book,
    although it is noted that EPMs would often use analytics, big data, the
    Internet of Things and artificial intelligence.
• The virtual office
  This relates to the trend of moving away from the present physical
  office-based environment towards many employees working from home using
  remote access devices.
• Open source software
  Open source software is software that is available at either no charge or
  with the noncontractual expectation that the user will make either a
  monetary contribution or a technical contribution towards further development.
  • A wide range of open source software is available.
  • Concerns do, however, remain regarding security, support and
    maintenance.
• Data analytics
  Analytics are dealt with in chapter 9 in the sections on artificial
  intelligence, machine learning, natural language processing, robotic process
  automation, big data and the Internet of Things.
  Modern data analytics provide very powerful tools for both management
  and auditors.
  Analytics can be used to analyse data, identify patterns, predict patterns,
  compare predictions against actual, identify errors and anomalies and
  detect possible fraud, thus providing management with decision-useful
  information and assisting auditors with analytical reviews.
  The next step in data analytics is quantum computing, which is expected
  to improve the process through its ability to track, interpret and act on
  data, irrespective of source.
• New technologies dealt with in chapter 9
  The following aspects of technology have been dealt with thoroughly in
  chapter 9:
  • artificial intelligence;
  • machine learning;
  • natural language processing;
  • robotic process automation;
  • augmented reality;
  • blockchain;
  • system integration;
  • cloud computing;
  • big data;
  • Internet of Things;
  • the use of drones.
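
The batch control totals and shadow processing described under “Online systems” above can be shown in code. The following Python example is added here and is not part of the original text; the record layout, account codes, amounts and function names are all constructed for illustration. It recomputes a record count, financial total and hash total for the day’s batch, rejects a batch that disagrees with its header, and reconciles the overnight-updated master file to the real-time shadow copy.

```python
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    seq: int         # pre-numbered sequence within the day's batch
    account: str     # numeric account code (constructed)
    amount: Decimal  # signed amount: debit positive, credit negative


def control_totals(batch):
    """Recompute the batch controls: record count, financial and hash total."""
    return {
        "record_count": len(batch),
        "financial_total": sum((t.amount for t in batch), Decimal("0")),
        # A hash total has no accounting meaning; it exists only to detect
        # changes to a field (here the account code) the other totals miss.
        "hash_total": sum(int(t.account) for t in batch),
    }


def check_batch(header, batch):
    """Return a list of exceptions; an empty list means the batch agrees."""
    exceptions = []
    actual = control_totals(batch)
    for name, expected in header["totals"].items():
        if actual[name] != expected:
            exceptions.append(f"{name}: header {expected}, recomputed {actual[name]}")
    # The sequence check is the audit trail: it names the affected record.
    counts = Counter(t.seq for t in batch)
    first = header["first_seq"]
    expected_seqs = range(first, first + header["totals"]["record_count"])
    missing = [s for s in expected_seqs if s not in counts]
    repeated = sorted(s for s, n in counts.items() if n > 1)
    if missing:
        exceptions.append(f"missing sequence numbers: {missing}")
    if repeated:
        exceptions.append(f"repeated sequence numbers: {repeated}")
    return exceptions


def apply_batch(balances, batch):
    """Post a batch to a copy of the balances; the input is left untouched."""
    updated = dict(balances)
    for t in batch:
        updated[t.account] = updated.get(t.account, Decimal("0")) + t.amount
    return updated


def overnight_update(master, shadow, header, batch):
    """Batch-update the master file, then reconcile it to the shadow copy.

    A batch that fails its control totals is rejected and the master is
    returned unchanged, which is the protection shadow processing offers.
    """
    exceptions = check_batch(header, batch)
    if exceptions:
        return master, exceptions
    new_master = apply_batch(master, batch)
    differences = [
        f"account {acc}: master {new_master.get(acc)} != shadow {shadow.get(acc)}"
        for acc in sorted(set(new_master) | set(shadow))
        if new_master.get(acc) != shadow.get(acc)
    ]
    return new_master, differences


# Constructed sample data: opening master file and one day's transactions.
MASTER = {"1000": Decimal("500.00"), "2000": Decimal("250.00")}
DAY_BATCH = [
    Txn(1, "1000", Decimal("100.00")),
    Txn(2, "2000", Decimal("-50.00")),
    Txn(3, "1000", Decimal("25.50")),
]
# Header totals recorded when the transactions were captured online.
HEADER = {
    "first_seq": 1,
    "totals": {"record_count": 3, "financial_total": Decimal("75.50"), "hash_total": 4000},
}
# The shadow copy was updated in real time during the day.
SHADOW = apply_batch(MASTER, DAY_BATCH)

if __name__ == "__main__":
    print(overnight_update(MASTER, SHADOW, HEADER, DAY_BATCH))
    # Same count and value, but record 3 posted to the wrong account:
    misposted = DAY_BATCH[:2] + [Txn(3, "2000", Decimal("25.50"))]
    print(check_batch(HEADER, misposted))
```

The misposted case shows why a hash total is kept alongside the financial total: the record count and value still agree with the header, and only the hash total reveals the changed account code.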

2.3 THE USE OF SERVICE ORGANISATIONS AND SERVICE PROVIDERS (OUTSOURCING)
As an alternative to the purchase of computer equipment and the employment
of IT personnel, enterprises could outsource some or all of their data
processing to a computer service organisation or service provider.
The practice of outsourcing goes back to 1949 and has been quite a
contentious labour and political issue as businesses often outsource their IT
requirements offshore.
One of the most topical issues in IT is the question of achieving the right mix
between in-house and outsourced services. Whilst enterprises can benefit
significantly from outsourcing, IT managers should pay careful attention to service
level agreements (SLAs) and the quality and sustainability of the services
offered.
Outsourcing may result in the enterprise losing control over aspects of
computerised controls as many controls are exercised or managed by the service
provider.
Controls over outsourcing are dealt with in section 4.3.2, service agreements in
section 4.3.3 and the audit implications in section 5.7.

2.3.1 Historical use of computer service organisations


The original form of outsourcing was the use of a computer service
organisation to attend to all information processing needs. In this scenario, enterprises
used service organisations to process their accounting data.
The agreed procedure with a service organisation would involve:
• Submission of manual documents, usually in batches, to the service
  organisation for processing. With the advent of personal computers, these
  situations became less common, although they do still exist in specialised
  areas such as payroll processing.
• The organisation could capture the data as a data file and transmit the
  data, via electronic media, to the service organisation for processing. Data
  could be transmitted online, in batches, or on removable devices.
• The organisation could capture the data online using a link to the service
  organisation.

2.3.2 Service providers in the 21st century


Common forms of outsourcing include:
• E-commerce applications.
• Internet service providers.
  These provide services related to Internet communications. Note the
  security concerns related to the Internet.
• Cloud and edge computing.
• Virtual machine service providers.
• Some enterprises with significant IT installations outsource the
  management of facilities (both hardware and software) to independent contractors.
• Specific outsourced applications could include:
  • development and maintenance of applications software;
  • website applications;
  • disaster recovery services;
  • network operations.
Whilst outsourcing achieves considerable savings on employment and
equipment costs, an enterprise should be careful not to become overdependent on
service providers.
A good compromise would be to outsource functions whilst retaining a small
number of competent in-house specialists.

3. RISKS IN AN INFORMATION TECHNOLOGY ENVIRONMENT


The governance of IT is the responsibility of the board of directors and the board
should delegate to management the responsibilities for the implementation of an
IT governance framework. This responsibility should be delegated to a chief
information officer (CIO) appointed by the board or its IT subcommittee.
The board should monitor and evaluate significant IT investments and
expenditure and ensure that information assets are managed effectively.
The different processing methods used in an IT environment lead to additional
risks concerning the processing of information when compared to the risks
inherent in a manual environment.
It is important that the enterprise’s systems address these risks and limit the risks
through effective controls (internal controls). Auditors should be aware of these
risks and, when planning and performing the audit, should identify these risks,
how management controls these risks and the impact on the nature, scope and
timing of the audit procedures.
IT should form an integral part of the company’s risk management and the risk
committee and audit committee should assist the board in carrying out its IT
responsibilities. Because of the high level of risk related to cybersecurity and
access, risk management should include a formal IT security management
program.

Factors which influence the risks specific to IT environments (risk indicators)
Risks specific to IT environments may be divided into:
● Risks which relate to the integrity of financial information. These risks are of
relevance both to management and auditors.
● Additional risks which relate principally to management’s requirements.
Practical application of the risk indicators
Both management and auditors would consider each of the risk indicators in the
context of the nature of the specific system and the relevance of each indicator to
the system under review.
RISKS RELATING TO THE INTEGRITY OF FINANCIAL INFORMATION (OF
RELEVANCE TO BOTH MANAGEMENT AND AUDITORS)
Access
The risks relating to access and cybersecurity are of particular and very specific
relevance in this modern age where IT systems involve many permutations of the
systems described in section 2.2.
The risk has increased significantly owing to the multiplicity of interfaces and the
increased use of facilities managed by third parties.
The security risk is further complicated by the complex environment, increased
integration between systems and the relative unpredictability of the number of
users and connected devices.
The Internet was not built with security in mind and new developments have
occurred in a relatively haphazard manner and at a rapid pace, often with little
consideration to security protocols.
In addition, IT systems are open to attack by hackers and through deliberate
security breaches, often coming from organised criminals who use sophisticated
software tools to disrupt systems and/or steal information for purposes of
blackmail, corporate espionage or identity theft.
Whereas hackers used to be more of an irritation than a threat, using mild viruses
and spam malware, hackers are now using AI to attack systems with intelligent
malware. Interoperability and multiple interfaces have also provided them with
more points of access.
The above factors create massive risks related to access and security.
Specific risks relate to:
● uncontrolled access to data, leading to:
1. duplication
2. corruption
3. manipulation
4. sabotage
5. unauthorised processing
6. theft of data
7. breach of privacy (POPI)
8. fraud;
● unauthorised changes to transactions data;
● unauthorised changes to standing data;
● uncontrolled access to programs leading to unauthorised changes;
● access through a third party, such as a service provider;
● corruption of data by viruses.
Note that the risk of illegal access applies equally to:
● unrelated external third parties (“hackers”);
● related parties, such as service providers;
● persons, such as staff members, who have authorised access but who might
abuse that access.
Input
● Absence of input documentation.
● Lack of visible audit trail providing evidence of authorisation.
Transfer of data through the various systems described in section 2.2.
● Unauthorised access through interconnectivity may be affected by
weaknesses in network linkages, external service providers and data
communications and could result in duplication, corruption or manipulation
of data on transfer internally or from:
• service providers;
• third parties.
● Data could be accidentally lost or corrupted in transmission.
Wireless communications and devices
● Interception of confidential data by unauthorised users.
● Unauthorised access to computers and servers through wireless
connections.
Staff issues
● Lack of supervision in a decentralised/distributed processing environment.
● Staff may have limited experience of, or lack training on, computers.
● Segregation of duties may be weaker.
Processing
● Multiple functions are performed by single programs.
● Where systems are integrated, individual errors may affect different systems.
● System generated transactions.
● Uniform processing reduces the risk of clerical error but may increase the
risk of consistent error.
● Errors might not be detected owing to the high speed of processing and the
volumes involved.
Output
● Absence of reports or loss of audit trail.
● There is often less manual review of information.
Continuity
● The risks related to continuity are of particular and very specific relevance to
the online and related systems discussed in section 2.2.
These risks relate to the loss of:
• data;
• IT facilities.
● Where detailed knowledge of the computer system is known only to a limited
number of people, there is also a continuity risk if key people leave.
Specific issues
● Financial loss related to electronic funds transfer.
● Failure to clear computer suspense files.
● Abuse of credit cards.
Issues of a general nature
● The multiplicity of connected devices used.
● The types of software: Developed or bought.
● Processing methods applied and any new updates.
● Effectiveness of the control environment and management’s attitude towards
computer controls.
● Effectiveness of computerised controls and potential weaknesses in the
general computer control environment and specific application controls.
● The nature and sensitivity of transactions.
● The size of the enterprise and the volume of transactions.
● The materiality of data and transactions processed.
● The level of dependency on computer processing and controls.
● New systems or changes to systems may not function properly when first
introduced.
● Complexity – The more sophisticated systems become, the more likely that
enterprises may become dependent on them (going concern).
● The level of dependence on controls exercised by a third party (e.g. service
provider).
● The risk of undetected manipulation of data as detailed knowledge of the
computer system is often known only to a limited number of people.
● Short-term retention of data on the system may result in the loss of data.
● The inability of a system to cope with the volume of transactions could result
in a system’s “crash”, resulting in the loss or corruption of data.

Effect of the risks on the audit


As IT systems directly affect financial information, these risks impact on the audit
approach, in terms of the nature, scope and timing of audit procedures.
The client’s risk profile would affect auditors’ decisions concerning the evaluation
of controls and the nature of substantive work.
ADDITIONAL RISKS RELATING PRINCIPALLY TO MANAGEMENT’S
REQUIREMENTS
Access
● Confidentiality of data.
● Unauthorised use of data.
● Business operations could be interrupted by viruses, hackers or deliberate
denial of service attacks.
Privacy
● Privacy of third parties’ personal data (e.g. individuals’ personal information,
credit card information and bank details).
● This risk has become of particular concern with the advent of the Protection
of Personal Information (POPI) Act.
Computer fraud
● Possible fraud.
Quality of management information
● Completeness of information (in that information is insufficient for
decision-making purposes).
● Availability of information (in that information is not available timeously for
decision-making purposes).
● Usefulness of data provided.
● The level of decision-making dependence on analytics and AI.
Analytics are only as reliable as the data used and the effectiveness and
reliability of processing.
● Whether or not data is up to date.
● Loss of continuity leading to temporary lack of data.
Operational issues
● Any inability of the system to cope with volumes could result in poor
customer service.
● Liabilities may arise from dealing with third parties where contractual terms
are not clear.
● Non-compliance with tax law, regulation or software licence conditions.
● Loss of control where third parties (such as service providers and service
organisations) are involved.
● Issues relating to outsourcing (service providers) are dealt with in more detail
in sections 2.3 and 4.3.2.
● Adequacy, competence and the level of training of IT staff.
● Dependence on communications.
● Dependence on technology.
● Cost control.
● Staff morale problems arising from changes in systems.

4. CONTROLS IN AN INFORMATION TECHNOLOGY ENVIRONMENT


4.1 INTRODUCTION
The IT system relevant to financial reporting is a component of internal control
which includes the financial reporting system and consists of procedures and
records established to initiate, record, process and report enterprise
transactions (as well as events and conditions) and to maintain accountability
for the related assets, liabilities and equity.
The extent and nature of risks vary depending on the characteristics of the
enterprise’s IT system. The enterprise responds to these risks by establishing
effective controls in the circumstances.
Control techniques are employed in all systems to ensure transactions are
valid and accurately and completely recorded. Controls attempt to reduce the
risks by the prevention, detection and correction of errors.
Control risk in an IT environment
IT systems pose specific risks, including, for example:
● programs processing data inaccurately;
● inaccurate data;
● failure to make necessary changes to systems;
● unauthorised access to data;
● inappropriate manual intervention;
● a breakdown in segregation of duties;
● unauthorised changes to data files;
● unauthorised changes to systems or programs;
● loss of data or inability to access data as required.
Overview of IT controls
Because of the above risks, the IT environment will affect the manner in which
control activities are implemented. Auditors will seek to establish the existence
of effective IT controls designed to ensure the integrity of information and
security of the data.
Internal controls in an IT environment would consist of a combination of:
● automated controls;
● manual controls independent of IT;
● controls dependent on information produced by IT. These could involve
data analysis designed to identify errors, anomalies and exceptions.
When IT is used to initiate, record, process or report transactions, or other
financial data for inclusion in financial statements, the systems and programs
may include controls related to specific assertions for material accounts and
may be critical to the effective functioning of manual controls that depend on
IT.
Internal control in an IT environment is achieved through the implementation
and maintenance of general controls and application controls (each category
is likely to include both user (manual) controls and programmed
(computerised) controls).
Control audits performed by management
Regular IT control audits should be performed by management or internal audit
and should focus on:
● identifying cybersecurity control concerns;
● identifying and rectifying internal control deficiencies;
● assessing IT security controls and their operational effectiveness.
Benefits of IT controls
Generally, IT benefits an enterprise’s internal control by facilitating:
● consistent processing;
● accurate complex calculations for large volumes of data;
● enhanced timeliness, availability and accuracy of information;
● additional and more accurate analysis of information;
● enhanced monitoring of performance of the enterprise’s activities and
compliance with policies and procedures;
● reduced risk of control override;
● improved security over systems and data.
Controls are aimed at ensuring that:
● the computer system is properly developed, implemented and maintained
(general controls);
● proper controls are in place to ensure the validity, completeness and
accuracy of transactions and data (application controls).
The relevance of manual controls in an IT environment
Manual controls would still be relevant in an IT environment, particularly where
judgement and discretion are required, for example:

● large, unusual, exceptional or nonrecurring transactions;
● circumstances where errors are difficult to isolate, anticipate or predict;
● in changing circumstances;
● when monitoring the effectiveness of automated controls.
Manual controls are prone to human error and may thus be less reliable than
automated elements. Manual controls can often be bypassed, ignored, or
overridden and consistency of application cannot be assumed. Manual control
elements may be less suitable in the case of:
● high volume or recurring transactions;
● where errors can be anticipated or predicted and can thus be prevented,
or detected and corrected, by automated controls.

4.2 OVERALL FRAMEWORK OF CONTROLS


In this section, we categorise controls in an IT environment as:
● strategic management controls – controls over long-term decision-making;
● general controls – controls over the entire IT environment;
● application controls – controls over specific functions within the IT
environment.
This can be schematically presented as follows:

Strategic Management

General controls (Computer environment controls)
• Systems development and implementation controls
• System maintenance controls
• Organisational and management controls
• Access and security controls
• Computer operating controls
• System software controls
• Business continuity and recovery controls

Application controls (Also known as specific controls)
Transaction data:
• Input
• Processing
• Master file
• Output
Objective:
* Validity
* Completeness
* Accuracy

User controls | Programmed controls


NOTES:
1. This chapter lists various controls that are generally used in IT
environments.
The question of which controls apply to a unique system can only be
answered by developing a sound knowledge of potential controls and then
applying critical thinking to which controls are necessary and appropriate
for the specific system under review.
2. Access controls apply equally to:
• general controls to control access to data and programs;
• application controls to ensure the validity of input, processing and
output.
3. Terminology – “master files”:
The term “master file” is used in this chapter to distinguish between
standing data in data files such as customer details, credit limits,
authorisation limits and pricing information, as opposed to “transaction
files”, which contain records of individual transactions.

4.3 STRATEGIC MANAGEMENT OF INFORMATION TECHNOLOGY OPERATIONS
Strategic management refers to long-term decision-making, such as the
development and implementation of new computer systems and decisions as to
whether or not to outsource computerised applications.
Common pitfalls include:
● failure to fix scope, time and cost;
● a tendency to include nice-to-have extras;
● overcommitment to additional resources;
● failure to factor in maintenance costs;
● failure to consider the hidden costs of training and change management;
● underutilisation of off-the-shelf options that will work as well.

4.3.1 Systems development and implementation controls


Systems development refers to the development of a new computer system for
the enterprise. This could involve purchased software or a system developed
in house. In-house development might involve the use of outside consultants
and service provider personnel.
Programming controls (as opposed to programmed controls) refer to
procedures designed to prevent or detect improper changes to computer programs
accessed through online devices. Access may be restricted by controls such
as the use of separate operational and program development libraries and the
use of specialised program library software. It is important that online changes
to programs are adequately documented, controlled and monitored.

Implementation controls

Systems developed in house | Purchased software

OBJECTIVE:
To implement controls designed to ensure that a new system is authorised and
designed in an effective manner to meet users’ needs and that the system is
properly developed and implemented.
● Systems developed in house
1. Project authorisation
1.1 The client should develop a systems development plan which
integrates with the strategic business plan.
1.2 All new projects must result from management requirements or
requests by users.
1.3 A steering committee should conduct a feasibility study and
define the selection criteria.
1.4 The feasibility study must be performed after considering:
• the development of an in-house system;
• as opposed to purchasing a system;
• recommendations in respect of the project.
The study must also contain a cost benefit analysis in respect of:
• hardware, software, operating costs, staffing, etc.;
• benefits to be derived.
1.5 Projects should be authorised after analysing users’ needs and
performing proper systems analysis.
1.6 Systems specifications should be developed regardless of any
specific technology or hardware which may be available.
1.7 The project must be authorised by the computer steering
committee before commencement.
2. Project management
2.1 A project team, consisting of management, users and computer
staff, must be established to manage the project.
2.2 Development of the system must occur in stages.
2.3 Responsibility for the definition of tasks must be assigned to
staff. Functions of the systems analysts and programmers are to
be defined:

• analysts to design the system, or changes to the system;
• programmers to change or write new programs;
• operations staff should not be authorised to implement
software or make changes.
2.4 Deadlines and time schedules must be prepared for each task
and stage of the project.
2.5 A formal plan of action and development should be prepared,
including the scheduled time scale and details of site
preparation and delivery testing.
3. User needs
3.1 Systems analysts must determine the needs of users in respect
of input, processing, output and hardware.
3.2 Internal and external auditors should be consulted in respect of
audit requirements and specifications, specifically audit trails,
controls, etc.
3.3 Management of user departments should give their written
approval in respect of the stated requirements.
4. Purchase of hardware and software
4.1 Care should be taken over selection of the computer(s).
Competitive quotes should be obtained for hardware and quotes
should be properly assessed both as to the suitability of
equipment, support offered and the costs.
4.2 A meaningful decision should be taken concerning whether to
buy or develop software.
Competitive quotes should be obtained.
Available software should be evaluated and confirmation of the
ability of software to run on the hardware configuration should be
obtained through testing of the software.
4.3 Consideration should be given to financing – lease, purchase,
cash flow, tax, etc.
5. Standards in respect of system development and programming
5.1 Properly predefined industry standards should be applied in the
development of each phase of the project.
5.2 Compliance with standards should be monitored and deviations
should be followed up.
6. System specifications and programming
6.1 Predetermined standards in respect of system specifications and
programming should be complied with.
6.2 Programming and system development must be done on the
development versions and programmers must not have access
to live data.

7. Testing of the system
Every program and system should be comprehensively tested before
installation and before every change.
7.1 Program coding of individual systems: Through program code
analysis, manual review and thorough testing.
7.2 Entire system: System testing by system and program analysts.
7.3 User testing: Testing by users, including parallel and final “live”
testing (beta testing).
7.4 Management approval: Testing by users and auditors before
management gives approval for implementation (parallel- or
launch testing).
8. Approval
Final approval for implementation after testing and correction of errors
by management, users and IT staff.
9. Training
9.1 Training of staff.
9.2 User manuals prepared for staff guidance.
10. System documentation
Comprehensive system documentation should be maintained of all
systems analyses, programming and system descriptions.
11. Backups
All programs must be backed up and stored in a program library at
separate premises.
12. Conversion
See notes on controls during system conversion.
13. Post-implementation review
A post-implementation review should be performed in order to
consider the relative success of implementation and to address any
difficulties encountered.
14. Long-term plans
Long-term plans should be devised for future system changes and
new development should be part of an approved master plan.
● Purchased software
Similar principles apply to the use of service providers.

When purchasing software, the user has little control over specifications,
development and testing. Emphasis is thus placed on determining
whether or not the software meets the users’ requirements. Control must
also be exercised over implementation and testing.
1. Perform a feasibility study to determine:
• users’ needs (users, IT staff and auditors);
• specifications and requirements of available packages;
• costs (hardware, packages and documentation);
• assistance and support from suppliers and service providers;
• adaptability and expansion ability of packages;
• the standing and reputation of suppliers and service providers;
• conclusions regarding the suitability of software are supported by:
• enquiry from other users of the software on aspects such as:
– functionality offered;
– occurrence of errors;
– speed and effectiveness;
– ease of use;
– costs;
• testing.
2. Authorisation for the purchase of software:
The purchase should be approved by management, users and
computer staff after the results of the feasibility study have been analysed
and recommendations have been considered.
3. Implementation:
See section on controls during system conversion.
4. Advantages of purchasing software:
• immediate installation;
• predetermined cost, often cheaper;
• criteria reviewed at demonstration, before buying, thus lower risk;
• usually debugged and error free;
• documentation sold with package;
• suppliers and service providers usually offer training;
• supplier and/or service provider support;
• continual upgrading with new versions at reasonable cost.
5. Disadvantages of package programs:
• not tailor-made to the organisation’s requirements;
• not necessarily adaptable for changes;
• as software has to provide for all options, processing speed and
storage are not always efficient;
• written to supplier’s standards;
• often written overseas and thus not always catering for SA
requirements, for example tax, VAT, overseas accounting standards as
opposed to GRAP, IFRS and IFRS for SMMEs;
• manuals could be inadequate or of low quality.
SYSTEM CONVERSION
This section deals with the transfer of data from the existing system to the
new.
1. The conversion must be planned:
• date and time schedules for conversion must be prepared;
• cut off points must be determined;
• the conversion method must be defined (parallel, launch, direct).
2. Preparation for conversion:
• preparation of data files on the new system;
• balancing of files on the old system:
– controls to ensure files and data are complete, accurate and
valid;
– preparation of control totals for conversion.
• training of staff in respect of the use of the new system;
• preparation of the premises (uninterruptible power supply, air
conditioning, etc.);
• authorisation and checking of data to be transferred.
3. Controls over the conversion by the data control group:
• supervision by competent senior management;
• the internal and external auditors should also be involved.
4. Testing of the system after conversion:
• balancing of files on the new system with balances of files on the
old system (control totals);
• obtaining a printout of converted data and comparison with source
data and reports from the old system;
• comparison of data run on the new system with information from
the old system (parallel/launch/modular);
• confirmation of validity and accuracy from third parties;
• follow up of items on exception reports;
• approval by users of the new system.

5. System documentation must be updated, namely system flowcharts,
system descriptions, operating manuals.
6. Backup of new system files and data.
7. Post-implementation review by users, auditors and computer staff to
determine whether or not objectives have been met.
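The balancing step in point 4 above (control totals on the new system agreed to those on the old system, with exception items followed up) can be sketched as follows. This is an added example and not part of the handbook; the customer master file layout, the field names and both sample extracts are constructed for illustration.

```python
import csv
import io
from decimal import Decimal

KEY = "account_no"                           # assumed unique record key
AMOUNT_FIELDS = ("credit_limit", "balance")  # assumed financial fields

# Constructed extracts of a customer master file (not real data).
OLD_EXTRACT = """\
account_no,name,credit_limit,balance
1001,Alpha Traders,50000.00,12500.50
1002,Bravo Supplies,20000.00,0.00
1003,Charlie Motors,75000.00,43210.10
1004,Delta Foods,10000.00,999.99
"""
NEW_EXTRACT = """\
account_no,name,credit_limit,balance
1001,Alpha Traders,50000.00,12500.50
1002,Bravo Supplies,200000.00,0.00
1003,Charlie Motors,75000.00,43210.10
1005,Echo Logistics,5000.00,150.00
"""


def load(extract_text):
    """Parse a CSV extract into {key: row}; report duplicated keys separately."""
    rows, duplicates = {}, []
    for row in csv.DictReader(io.StringIO(extract_text)):
        row = {field: value.strip() for field, value in row.items()}
        if row[KEY] in rows:
            duplicates.append(row[KEY])
        else:
            rows[row[KEY]] = row
    return rows, duplicates


def control_totals(rows):
    """Record count, hash total of the keys, and a financial total per amount field."""
    totals = {
        "record_count": len(rows),
        "hash_total": sum(int(key) for key in rows),
    }
    for field in AMOUNT_FIELDS:
        totals[field] = sum(Decimal(row[field]) for row in rows.values())
    return totals


def reconcile(old_text, new_text):
    """Compare control totals, then build the exception report record by record."""
    old, old_dups = load(old_text)
    new, new_dups = load(new_text)
    old_totals, new_totals = control_totals(old), control_totals(new)
    differences = {
        name: (old_totals[name], new_totals[name])
        for name in old_totals
        if old_totals[name] != new_totals[name]
    }
    exceptions = [(key, "duplicate key in old extract") for key in old_dups]
    exceptions += [(key, "duplicate key in new extract") for key in new_dups]
    exceptions += [(key, "missing from new system") for key in sorted(old.keys() - new.keys())]
    exceptions += [(key, "not present in old system") for key in sorted(new.keys() - old.keys())]
    # Both extracts are assumed to carry the same columns.
    for key in sorted(old.keys() & new.keys()):
        for field, old_value in old[key].items():
            new_value = new[key][field]
            if field in AMOUNT_FIELDS:
                changed = Decimal(old_value) != Decimal(new_value)
            else:
                changed = old_value != new_value
            if changed:
                exceptions.append((key, f"{field} changed: {old_value} -> {new_value}"))
    return {
        "old_totals": old_totals,
        "new_totals": new_totals,
        "differences": differences,
        "exceptions": exceptions,
        "balanced": not differences and not exceptions,
    }


if __name__ == "__main__":
    result = reconcile(OLD_EXTRACT, NEW_EXTRACT)
    for name, (before, after) in result["differences"].items():
        print(f"control total {name}: old={before} new={after}")
    for key, reason in result["exceptions"]:
        print(f"exception {key}: {reason}")
```

In the sample data the record count agrees (four records on each side) although one account was dropped, one was added and one credit limit was altered, which is why the hash total and financial totals are compared as well as the count.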
SYSTEM AND PROGRAM DOCUMENTATION
Documentation must be fully maintained and updated after changes to the
system.
• Documentation should comprise (as a minimum):
– approval documentation;
– application system documentation, including specifications, logic
diagrams and flow charts;
– program documentation, including source codes;
– file documentation, including file layouts;
– operations documentation;
– user documentation, including operating instructions and manuals;
– documentation concerning testing;
– approval at the various phases.
• The purpose of documentation is to:
– record the investigation, development, design and approval of
systems;
– provide a basis for communication between systems analysts and
programmers;
– serve as a processing manual for users;
– serve as a source reference for systems analysts and
programmers who were not involved with the system at inception;
– assist with the review of and changes to the system;
– assist in staff training;
– serve as a basis for the evaluation of internal controls.

4.3.2 Controls when using service providers


Irrespective of whether or not data is processed by a service provider, the
normal user and programmed controls should exist over input, processing,
output and files. Some of these controls will be managed by the client and
others by the service provider.
The company should consider the advantages and disadvantages of
outsourcing as opposed to in-house processing.

● Arguments for/advantages of processing by service providers
• Division of duties is effected through processing being done by a third
party.
• Cost considerations, specifically:
– reduced capital outlay on hardware and software;
– savings on staff costs.
• Hardware, resources and expertise are provided by the service
provider.
• Reliability of processing.
• The service provider is likely to have a secure control environment.
● Arguments against/disadvantages of using service providers
• Dependence on the service provider for processing.
• Loss of control over information processing.
• Costs and levies in respect of service provider processing.
• Reliability of service provider in respect of processing and
safeguarding integrity of data.
• The risk of being locked into obsolete technology.
● Other issues to be considered
• The fee structure.
• The speed of information turnaround.
• Whether or not the service provider is financially sound.
• The quality of backup and support available.
• The service provider’s contingency plans.
• The service provider’s ability to keep pace with technology.
• The quality of information made available.
• The implications for management control.
• The implications for accounting control.
• Whether or not the system is likely to cater for future needs.
• The effect on the company’s image, both with staff and outsiders.

4.3.3 Service provider agreements (service level agreements – SLAs)


The enterprise should enter into formal legal agreements with service
providers. The internal and external auditors should evaluate the terms of these
agreements.
The most important aspects to be included in an agreement are:
● the exact responsibilities of both parties, including the extent of data
processing to be managed by the service provider;
● the basis on which fees are charged and paid;
● termination conditions;
● arrangements for conversion to the service provider’s system:
• responsibility and method for the creation of files;
• period of and procedures during parallel running;
• acceptance of the system by the client;
● content and format of input and how input will be delivered to the service
provider;
● a comprehensive list of controls to be applied;
● the safeguarding of the client’s information and responsibility for this
aspect;
● responsibility for and the treatment, correction and re-input of errors;
● arrangements for the retention of transaction files or printouts;
● arrangements for the recovery of records and data in the case of
corruption, loss or destruction;
● the liability of the service provider for the loss of data and for incorrect
processing;
● ownership of data, files and programs;
● procedures to be followed to change standing data on files and the control
of this aspect;
● the content and format of the output;
● the availability and cost of additional optional output;
● methods of communication between the service provider and the client;
● the time schedule for processing.

4.4 GENERAL CONTROLS


General IT controls are policies and procedures relating to many applications
and support the effective functioning of application controls by helping to
ensure the continued proper operation of information systems. General IT
controls commonly include:
● controls over data centres and network operations;
● system software acquisition, change and maintenance;
● access and security;
● application systems acquisition, development and maintenance.
General IT controls apply to all IT environments.
For the purposes of this chapter, it is assumed that:
● we are dealing with a large organisation that has a centralised IT
department;
● the enterprise has sufficient human resources with properly defined
functions and responsibilities;
● the enterprise has sophisticated computer facilities developed and
operated in house.
These assumptions make it possible to implement the most important general
controls.
As the enterprise under review becomes smaller and less sophisticated, many
of the controls would fall away or be compensated for by other controls, for
example in a small organisation, a system will often be purchased instead of
developed in house and this would negate the necessity for detailed systems
development controls.
NOTE:
General controls are also referred to as computer environment controls, IT
controls, or integrity and security controls.
● Objective of general controls
General controls encompass the framework of overall controls over IT
activities and provide a reasonable level of assurance that the overall
objectives of internal controls are achieved.
Specifically, they incorporate the controls over the development,
implementation, maintenance and operation of the overall computer system and
computer environment. The desired outcome is the maintenance of the
integrity of data and programs and the effective functioning of the system.
● Importance of general controls
General controls have a profound influence over the environment within
which application controls operate. A weakness in the general controls
could affect numerous applications (whereas a weakness in an application
control only affects that specific application).
This can be schematically represented as follows:
Computer
GENERAL CONTROLS
environment

Purchases
Application Payroll Inventory and Etc.
controls payables

A prerequisite for reliance on computerised application controls would be


the existence of satisfactory general controls (computer environment con-
trols). This implies that general controls should be evaluated before any
application controls are tested and any reliance placed thereon.
General controls are dealt with under the following headings:
• systems maintenance (system change controls);
• organisational and management controls;
• access and security controls;
• computer operating controls;
• system software controls;
• business continuity and recovery controls.

4.4.1 Systems maintenance (system change controls)


OBJECTIVE
Systems maintenance controls relate to changes to a system after implemen-
tation, with the purpose of correcting errors or meeting the changing needs of
users. Controls must be implemented to ensure that changes are authorised
and are made in an effective manner.
CONTROLS
1. Requests for changes and corrections to the system should be
promptly and completely carried out:
• formal requests recorded sequentially;
• recorded in a register and regularly followed up.
2. Only authorised changes should be made:
• Division of duties between systems analysts, programmers and
users;
• Change requests should be formally authorised by:
– IT management in respect of changes to the operating system;
– IT management and user management in respect of changes to
application software;
• Important/significant changes should be authorised by the compu-
ter steering committee.
3. Compliance with standards:
• Changes should comply with predetermined standards for systems
development and programming.
4. Controls over program changes:
• Requests for changes should be prioritised according to import-
ance by IT management.
• Requests and completed changes should be compared regularly
to identify outstanding requests.
5. Testing and final approval:
• Changes should be tested by both programmers and users, who
both approve change requests as proof of satisfaction.
• Users should review and authorise every phase of the develop-
ment or change.
• Management should authorise every phase of the development or
change.


6. Changes are made to test versions of programs and not the live versions.
7. Changes to the system should be fully documented and all systems
documentation should be modified accordingly.
8. Changes to production programs should be backed up and stored in the
program library.
9. Users should be trained in respect of the use of the updated programs.
10. A post-implementation review should be carried out.
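The following added example (not part of the handbook) shows how controls 1, 2, 4 and 5 above could be tested against a change request register. The register layout, role names and sample entries are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class ChangeRequest:
    number: int          # sequential number in the change request register
    software: str        # "application" or "operating_system"
    authorised_by: set   # roles that formally authorised the request
    tested_by: set       # roles that approved the tested change
    completed: bool      # True once the change has been implemented


# Control 2: who must authorise, per type of software (role names assumed).
REQUIRED_AUTHORISERS = {
    "operating_system": {"it_management"},
    "application": {"it_management", "user_management"},
}
# Control 5: changes are tested and approved by both programmers and users.
REQUIRED_TESTERS = {"programmer", "user"}

# Constructed sample register and list of request numbers quoted on the
# program changes actually found in the production program library.
SAMPLE_REGISTER = [
    ChangeRequest(101, "application", {"it_management", "user_management"},
                  {"programmer", "user"}, True),
    ChangeRequest(102, "application", {"it_management"},
                  {"programmer", "user"}, True),
    ChangeRequest(104, "operating_system", {"it_management"},
                  {"programmer"}, True),
    ChangeRequest(105, "application", {"it_management", "user_management"},
                  set(), False),
]
SAMPLE_LIBRARY_CHANGES = [101, 102, 104, 107]


def review_change_register(register, library_changes):
    """Return the request numbers that fail each change control test."""
    numbers = sorted(r.number for r in register)
    known = set(numbers)
    findings = {
        # Control 1: requests are recorded sequentially, so a gap needs follow up.
        "sequence_gaps": [n for n in range(numbers[0], numbers[-1] + 1)
                          if n not in known] if numbers else [],
        "not_authorised": [],
        "not_tested": [],
        # Control 4: requests compared with completed changes.
        "outstanding": [],
        # Program changes in production that no request supports.
        "no_request": sorted(set(library_changes) - known),
    }
    for req in sorted(register, key=lambda r: r.number):
        if not req.completed:
            findings["outstanding"].append(req.number)
            continue
        if not REQUIRED_AUTHORISERS[req.software] <= req.authorised_by:
            findings["not_authorised"].append(req.number)
        if not REQUIRED_TESTERS <= req.tested_by:
            findings["not_tested"].append(req.number)
    return findings


if __name__ == "__main__":
    for test, numbers in review_change_register(
            SAMPLE_REGISTER, SAMPLE_LIBRARY_CHANGES).items():
        print(f"{test}: {numbers}")
```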

4.4.2 Organisational and management controls


OBJECTIVE
To implement controls designed to establish an organisational framework over
IT activities and to ensure that basic principles such as division of duties,
review and virus protection are met.
CONTROLS
1. Levels of responsibility:
• Determining levels of responsibility and reporting structure for
staff:
– The IT steering committee, with representation on the board, is
responsible for policies and overall control of IT activities.
– The chief information officer (CIO) reports directly to the
board, the steering committee or senior management.
2. Division of duties:
• Separate IT department (functional).
– Computer department to be segregated from user depart-
ments:
– Computer department not to originate or authorise trans-
actions.
– Computer department not to have control over non-computer assets.
– Computer department not to authorise master file changes.
– User department to review all master file changes.
– User department to maintain independent control totals.
• Within the computer environment (operational):
– Between systems analysts, programmers and operators.
– Separate the management of access control and security from
operations.
– Between the initiation, safeguarding, authorisation and review functions.
– No person should be able to initiate, authorise and process a transaction.
– An independent person must correct errors.
– Separate controller to control input to output.
– Separate database administration function.
– Separate librarian function.
3. Management:
• IT department should be represented on the board of directors by
the CIO.
• IT managers should report to senior management.
• Top management should be committed to controls and to imple-
ment management controls such as internal audit.
4. Supervision and review:
• By IT managers, divisional managers, section heads.
• Regular systems investigations by internal and external audit.
5. Staff practices:
• Employment of honest, qualified, competent, reliable IT staff.
• Rotation of IT staff duties.
• IT staff must regularly take leave.
• Scheduling of work.
• Training and career development.
• Supervision and review.
• Cancellation of access on dismissal.
6. All computer output to be reviewed by user departments.
7. Controls against viruses.
8. Email policy to be in place.

4.4.3 Access and cybersecurity controls


Access and security controls represent procedures designed to provide security for and restrict access to the IT system. These controls extend to all online devices, programs and data.
Access and security controls manage “user authentication” and “user authorisation”.
● “User authentication” is designed to identify users through unique logon identities, passwords, access cards or biometric data.
● “User authorisation” controls consist of access rules to determine the system resources each user may access.
Specifically, controls are designed to prevent or detect:
● unauthorised access to terminals, devices, programs and data;
● the entry of unauthorised transactions;
● unauthorised changes to data;
● the use of programs by unauthorised persons;
● the use of unauthorised programs.
Although conventional wisdom focused on preventing access, it is not possible
to achieve full protection all of the time, with the result that current practice has
a secondary objective to detect unauthorised access as quickly as possible
and remedy any damage to, or loss of, functionality and data.
Linked to this is the ability to restore the system as quickly and efficiently as
possible.
OBJECTIVES:
● Program security: To implement controls designed to control unauthorised access or changes to programs that process data. Controls are necessary for programs in use (accessible through the system) or not presently in use (stored away from the live system).
Program security is important for auditors because it has a direct impact on the reliability and integrity of programmed controls.
● Data file security: To implement controls designed to prevent or detect unauthorised access or changes to data (standing data as well as transaction data). Controls are needed for both data files in use and those not presently in use.
Data file security is important to auditors because the files contain information from which the amounts in the financial statements are derived. Auditors are concerned that there are no errors in the data files and that assets are not misappropriated as a result of unauthorised access to data files.
● Access to computers and files: These controls limit access to devices and files to authorised users. These incorporate physical (manual) controls, as well as programmed (logical) controls applied by the system.
● Access through other electronic devices (such as laptops, notebooks, tablets and smart phones): Physical access controls cannot be used to control access through these devices and control would be mainly dependent on programmed (logical) controls applied by the system.
Companies need to establish a comprehensive mobile device strategy in which:
• Policies are set and enforced concerning which devices may be used and the user’s rights when using these devices.
• Endpoint management software is used to track and monitor user’s activity against these rights.
● Protection of personal information: An enterprise has a responsibility to protect the personal information of its customers, personnel and business contacts. This is reinforced by the Protection of Personal Information Act (POPI). The enterprise is required to formalise and publish a POPI policy and ensure compliance with that policy.
Access and security controls are necessary in order to protect such personal information and form part of that policy.
Larger companies have established cybersecurity operations centres
(SOCs) and security intelligence centres (SICs).
• SOCs are departments responsible for identifying security breaches
and responding to the issues.
• Whilst SOCs are reactive, SICs are more proactive, researching and
anticipating possible threats.
• Both SOCs and SICs would use AI to identify, research and anticipate
threats.
Access and security controls are important to auditors to ensure that
computer processing is limited to authorised personnel.
FRAMEWORK FOR ACCESS CONTROL
1. Programmed (logical) controls (implemented by computer software)
1.1 Data to be encrypted:
• data encryption involves using algorithms to convert data into
code, thus rendering the data useless to a person who gains
unauthorised access.
1.2 Keeping security software up to date:
• suppliers and service providers should provide regular security
updates;
• security updates should be applied automatically.
1.3 Terminals and devices
• individual terminals and devices’ access is restricted to specific
applications or parts of the system;
• terminals are identified by the system to ensure validity (terminal identification number (TIN));
• the system should poll all remote devices to identify unauthorised users. (The system checks how many, and which, devices are online at a particular time and checks this data for unauthorised users.)
1.4 Terminals and other electronic devices:
• devices are disconnected after five minutes of inactivity;
• devices are shut down after approximately three unsuccessful
attempts to gain access to the system and the user is required
to contact the IT supervisor to re-establish connection;
• each disconnection should be investigated;
• devices can only be reconnected by a supervisor;
• simultaneous logon by one user through more than one device
should be prohibited;
• restricted hours of operation should be enforced by the system.
1.5 Identification of users:
• passwords and user identification (ID) numbers;
• the system should verify each user’s URL and Internet protocol
(IP) address;
• biometric data, such as voice recognition, facial recognition,
fingerprints, etc., could be used;
• magnetic access cards could be used.
1.6 Authorisation of users:
• logon IDs:
– should be unique and linked to passwords;
– should be allocated to only one workstation.
• passwords:
– should be required to sign on and sign off;
– should limit access to the system or specific parts of the
system;
– should limit access to certain terminals;
– should limit processing and access to certain times of the
day.
1.7 Authorisation of use:
• passwords should be structured for authorised levels of access:
– responsibility levels should be linked to individual users’ identities (or passwords) to limit access to programs and data files to authorised users;
– two-factor authorisation could be used. This involves multilevel passwords, where two or more passwords, PIN numbers or one-time passwords are required for access to the system or to specific or sensitive applications;
– one-time passwords are advised to the user, usually per cellphone or email, each time the user wishes to exercise a specific function. Each password is used once only and only for that specific function.
• authorisation levels should be approved and reviewed regularly:
– a system of system owners could be introduced. System
owners would be at a supervisory level and would continu-
ously monitor staff access rights.
1.8 Use of access control software:
Software could be implemented to control access to the system.
• AI-enabled systems to detect and block suspicious traffic and
activity;
• software to report unauthorised access or attempts at unauthor-
ised access;
• logs and activity registers of unauthorised access and pro-
cessing maintained by the system and followed up by senior
personnel;
• firewalls:
A firewall is a combination of hardware and software, incorpor-
ating controls that protect the system from external access.
A firewall monitors all transmissions and also provides protection
against viruses.
– Firewalls should be updated regularly and tested period-
ically.
– Firewall software would alert management to repetitive
attempts at unauthorised access.
– The combination of the firewall and virus detection software
is also referred to as gatekeeper software.
1.9 Monitoring of access and processing:
• Audit trails and activity logs should record daily activities and
processing for review by senior personnel. The audit trail should
include details of:
– all sign-ons and sign-offs;
– sensitive transactions processed;
– use of utilities.
• AI-enabled programmes could be used to review the above records, monitor activities and identify anomalies.
1.10 Communication lines and networks:
• access should be controlled through passwords;
• control or identification data should be included in data trans-
mitted, for example parity bits (a parity bit is an additional bit
inserted into a file or field – the system would detect an error if
the file or field is altered and the parity bit remains unchanged);
• sensitive data should be transmitted via secure routes;
• data should be encrypted and secure socket layer technology (SSL) should be used.
The technology of encryption, SSL, controls over LANs, WANs, SDNs and SDWANs is beyond the scope of this text, but the fundamental principle is additional focus on logical security controls related to user authentication, encryption, firewalls and monitoring.
1.11 Password control:
Password control requires:
• a minimum length;
• a mix of alphabetical, numeric and other (such as # or %) char-
acters;
• passwords that are not obvious or easily guessed (name, date
of birth, etc.);
• passwords are not displayed on screen or pasted on screen;
• passwords to be changed regularly (forced by system);
• password files on system to be protected by the operating
system against unauthorised access (encrypted);
• confidentiality to be emphasised to users (disciplinary process if
divulged);
• passwords should be:
– rejected if an identical password has already been used;
– cancelled immediately on resignation or dismissal;
– cancelled after a specified period of inactivity;
– cancelled after a number of unsuccessful attempts to gain
access;
• changes to passwords should be logged and reviewed.
1.12 The enterprise should restrict access to:
• password and log-in files;
• menu files;
• authorisation levels files.
1.13 The enterprise should establish separate systems for vulnerable (e.g. servers) and sensitive (e.g. electronic funds transfer) applications (separate from main system or main file servers).
1.14 Program libraries:
The following processes may be used to control programme librar-
ies:
• access to backup programs should be controlled by access
software against unauthorised changes;
• access to programme libraries should be protected by pass-
words;
• updating of libraries should be authorised (senior official);
• programme libraries should be regularly reviewed by an inde-
pendent senior official;
• this librarian function (or library software that performs this func-
tion) should be designed to:
– control access to data;
– monitor and control access to all programs;
– control access to the documentation;
– monitor program updates and use;
– activate processes only for scheduled jobs;
– take regular stock of all programmes;
– ensure regular backups are made.
1.15 Utilities:
These are general user programs which can read, organise, change
or gain direct access to files.
Controls over utilities:
• utilities not to be available to users;
• the use of utilities should be logged and reviewed independently
by senior management;
• there should be password control over utilities;
• utility programs are stored separately;
• there is authorisation for the use of utilities;
• there is reporting, investigation and follow up of the use of util-
ities, etc.
1.16 User programming:
This represents functionality which offers users the facility to write or
modify programs. This facility necessitates control over access
through passwords (usually multilevel).


2. Physical controls (implemented by users)


Physical access controls are equally important in a networking environ-
ment and would relate to access to file servers and peripheral equipment.
2.1 Computer hardware and servers should be:
• situated in a lockable computer room;
• subject to supervision and review (always two persons);
• physically secure – applicable to devices and drives, both fixed
and removable.
2.2 Staff access should be restricted using the mechanisms set out in
para. 1.5 of this section.
2.3 Terminals should be:
• physically locked;
• located in a visible area;
• situated in lockable areas, with access control (guards/locks/
key control).
2.4 Staff should be trained to keep portable devices secure.
2.5 Use of logs (registers) for control over processing.
2.6 Distributed processing:
• only executable programs (instead of production (source) pro-
grams) should be installed at remote locations;
• there should be regular comparison of executable programs
with source programs by an independent person (e.g. internal
auditor).
2.7 All logs and activity registers should be regularly reviewed and
followed up by an independent senior person.
2.8 Screening and training of staff before access:
This could include:
• background checks;
• set procedures for use and access;
• keys and cards to be removed from terminated staff;
• staff access limited to certain terminals;
• reporting, investigation, follow up and review of functions used.
2.9 Circumvention of access controls in cases of emergency should be:
• authorised and supervised;
• logged, reported and followed up.
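The following added example (not part of the handbook) shows the kind of review of an audit trail described in paras 1.4 and 1.9 of the framework: repeated unsuccessful access attempts, simultaneous logon through more than one device, logon outside restricted hours and use of utilities. The log layout, event names, user names and the 07:00 to 18:00 operating hours are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed audit trail extract (not real data). Assumed layout per line:
# date time device_id user_id event
SAMPLE_LOG = """\
2021-06-01 08:02:11 T01 amokoena LOGON_OK
2021-06-01 08:05:40 T02 jsmith LOGON_FAIL
2021-06-01 08:05:52 T02 jsmith LOGON_FAIL
2021-06-01 08:06:03 T02 jsmith LOGON_FAIL
2021-06-01 09:15:00 T03 amokoena LOGON_OK
2021-06-01 10:30:00 T01 amokoena UTILITY
2021-06-01 17:00:00 T01 amokoena LOGOFF
2021-06-01 17:05:00 T03 amokoena LOGOFF
2021-06-01 23:41:09 T04 pnaidoo LOGON_OK
2021-06-01 23:55:00 T04 pnaidoo LOGOFF
"""


def review_audit_trail(log_text, open_from=time(7, 0), open_until=time(18, 0),
                       max_failures=3):
    """Return exceptions as (rule, user, device, timestamp) tuples."""
    exceptions = []
    failures = defaultdict(int)   # consecutive unsuccessful attempts per device
    sessions = defaultdict(set)   # devices each user is currently signed on to

    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, clock, device, user, event = line.split()
        stamp = f"{day} {clock}"
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")

        if event == "LOGON_FAIL":
            # Para 1.4: the device is shut down after about three failed attempts
            # and each disconnection is investigated.
            failures[device] += 1
            if failures[device] == max_failures:
                exceptions.append(("lockout_threshold", user, device, stamp))
        elif event == "LOGON_OK":
            failures[device] = 0
            # Para 1.4: restricted hours of operation.
            if not (open_from <= when.time() < open_until):
                exceptions.append(("outside_hours", user, device, stamp))
            # Para 1.4: one user signed on through more than one device.
            if sessions[user] - {device}:
                exceptions.append(("simultaneous_logon", user, device, stamp))
            sessions[user].add(device)
        elif event == "LOGOFF":
            sessions[user].discard(device)
        elif event == "UTILITY":
            # Para 1.9: use of utilities is recorded for independent review.
            exceptions.append(("utility_use", user, device, stamp))
    return exceptions


if __name__ == "__main__":
    for item in review_audit_trail(SAMPLE_LOG):
        print(item)
```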


4.4.4 Computer operating controls


OBJECTIVE
To implement controls designed to control the proper operation of the system
and to ensure that programmed procedures are applied correctly and consist-
ently during the processing of data. These controls incorporate functions per-
formed by the operating system as well as users.
CONTROLS
1. The duties of IT controllers are to be defined:
These would include:
• log input data;
• log sequence of programs used;
• reconcile control information;
• record progress through the IT department;
• supervise output distribution;
• review error lists and log errors;
• liaise with users regarding errors;
• log corrections;
• log malfunctions and action taken.
2. Processing should be scheduled (this could be done manually or by the
system):
• The processing schedule should be checked regularly against activity
logs.
• Exceptions should be investigated and corrected.
• The set up and execution of programs should be:
– done by competent persons;
– assisted by means of procedure manuals and instructions;
– tested against the processing log;
– supervised and reviewed by IT staff.
3. Use of correct programs:
• librarian controls (refer also to access to programs and data).
4. Use of correct data files:
• programmed and physical review of files used.
5. Operating procedures would include:
• monitoring and review of the functioning of the hardware;
• standardised procedures and operating instructions;


• user manuals;
• division of duties;
• supervision and review;
• rotation of duties;
• maintenance of system and manual logs with regular follow up by man-
agement.
6. Recovery procedures – see section 4.4.6.

4.4.5 System software controls


OBJECTIVE
To implement controls over programs which do not process data (e.g. the
operating system, access control programs, utilities, etc.) to ensure that they
are installed or developed and maintained in an authorised and effective man-
ner and that access to system software is limited.
CONTROLS
1. Acquisition, development of and changes to system software:
• the controls discussed under 4.3.1 apply.
2. The monitoring and follow up of any anomalies or irregularities reported by
monitoring software such as AI-enabled routines.
3. Security over system software is dependent on:
• integrity of staff;
• division of duties;
• strict staff policy (employment);
• supervision and review.
4. Database systems:
Aspects of particular relevance include:
• supervision and review (by database manager);
• control of schemas and sub-schemas;
• access control;
• documentation.
5. Networks:
Aspects of particular relevance include:
• programmed controls;
• support department;
• error correction;
• disaster recovery plan.


4.4.6 Business continuity and recovery controls


OBJECTIVE
To implement controls designed to ensure the continuity of processing, by pre-
venting system interruption or limiting damage and interruption to a minimum.
Continuity has become increasingly important against a background of:
● increased dependence on online systems;
● IT systems’ vulnerability to viruses, hackers or deliberate denial of service attacks.
CONTROLS
1. Emergency plan and disaster recovery procedures
1.1 Established procedures in respect of functions and responsibilities in
the event of a disaster.
1.2 Maintaining a record of data and program files to be recovered in the
event of a disaster.
1.3 Provision of alternative processing facilities, for example service
organisations, trading partners, etc.
1.4 Planning, documenting and testing the disaster recovery plan.
2. Physical environment
2.1 Protection against the elements:
• Fire: fire detectors, fire extinguishers, smoke detection, automatic
gas release (CO2) and regular servicing of this equipment.
• Water: situated away from taps, water pipes, etc.
• Power: uninterruptible power supply and emergency power gener-
ators.
• Environment: air conditioning, constant humidity, dust free, etc.
3. Backups
3.1 Backup of data files regularly on a rotational basis with multiple ver-
sions (“grandfather, father, son”).
3.2 Store copies of backup files on separate premises.
3.3 Removable media is stored in fireproof facilities.
3.4 Arrange for hardware backup facilities.
3.5 Backup to a remote file server.
3.6 Online backup (i.e. the day’s transactions are stored and if the sys-
tem breaks down, recovery is possible through restoration of previous
day’s backup plus reprocessing of today’s transactions).
3.7 Retention of data, records and files according to legal requirements.


4. Failover
4.1 This is a procedure involving more than one server, where the servers
replicate each other and there is continuous verification that replica-
tion is complete.
Thus, when one computer fails, its operations are seamlessly taken
over by other computers. “Seamlessly” implies that the user would be
unaware of the change and that IT operations would continue uninter-
rupted.
4.2 Replication can also provide additional capacity where load sharing
software is used to direct traffic between servers as efficiently as pos-
sible.
4.3 A danger with replication is that corrupted data can also be repli-
cated and thus affect all data on all servers. It would be advisable to
keep separate backups, over a period, on another server or servers.
5. Other controls
5.1 Physical security (see access controls).
5.2 Proper systems development including selection of suppliers and
testing of system.
5.3 Maintenance of hardware.
5.4 Adequate insurance.
5.5 Cable protection.
5.6 Prevention of viruses.
5.7 No over-reliance on staff:
• training of backup staff;
• documentation, etc.;
• contracts with key personnel.
5.8 Logical access controls.
5.9 Personnel controls affecting security and continuity:
• segregation of duties;
• job rotation;
• hiring and firing procedures;
• employment contracts should deal with the use of company hard-
ware and software, prohibitions on pirated software and confiden-
tiality.

4.4.7 Viruses
A virus is a computer program designed to perform functions which lead to
system malfunctions.


Computer viruses can occur in almost any computer environment, but the risk
of viruses is increased in a distributed system where many end users have
access to the system. Such users are often uninformed of the dangers of com-
puter viruses and the procedures to prevent infection. Some viruses replicate
themselves and spread to other computers.
Computer viruses may be destructive or non-destructive.
● Destructive viruses
These viruses attack the system and destroy or damage data and programs. For example, these viruses retrieve confidential data, such as banking details, delete important or vital information from files or deny access to files or services.
“Ransomware” is a form of virus that encrypts a company’s data, thus denying access to the data. The hacker(s) then demands payment for the encryption key.
● Non-destructive viruses
These viruses hide files, create irritating messages or popups, slow down systems, disrupt email or initiate undesirable actions, such as displaying pornography, etc. Although they create disruption and irritate users, they do not destroy or deny access to data or programs.
● Controls against computer viruses
Security policies should be implemented to prevent damage to the system resulting from computer viruses.
Such policies would incorporate:
● Software protection
• All software should be purchased from reputable suppliers. All pro-
grams should be tested for viruses before they are implemented.
• Care should be taken when using any “open source”, “shareware”,
“free” or “public domain” software.
• Removable media devices should not be lent out. If this is unavoid-
able, each device should be scanned as soon as it is returned.
• Take care with removable devices, unless they are protected by “bit
blocking” software.
• Set antivirus software to “scan before mount”. This means that the
system will scan a file or removable device before accessing any data
included in the file or stored on the device.
• Never use illegal copies of software.
● Data file protection
• Install virus detection software (antivirus software).
• Simple antivirus software is no longer sufficient. Although the development of antivirus software is beyond the scope of this text, there are many active projects devoted to the development of new more sophisticated technologies to guard against cyber attacks.
• Encryption.
• Sound access controls, including firewalls.
• Test data files for viruses before use.
• Regular backups should be made of data files in case infection does take place.
• Always keep removable devices set on “write protect” unless data has to be written to the device.
● Staff
• All staff members should be informed of the dangers of viruses. They
should also sign a statement that they will not do anything that could
introduce viruses to the system, for example playing computer games
or accessing high risk websites.
• The users of personal computers should receive adequate training to
enable them to recognise the signs of infestation.
• Any viruses should be reported to a senior person immediately for
investigation and immediate corrective action.
• The use of personal computers should be limited to authorised per-
sons and/or terminals.

4.5 APPLICATION CONTROLS


Application controls are manual or automated procedures operating at a
business processing level and apply to the processing of transactions with-
in specific individual applications. Application controls can be preventative or
detective in nature and are designed to ensure the integrity of accounting
information. Accordingly, application controls relate to procedures used to ini-
tiate, record, process and report transactions or other financial data.
Application controls provide controls at the assertion level by helping to ensure
that transactions occurred, are authorised and are completely and accurately
recorded and processed. Examples include edit checks of input data, numeri-
cal sequence checks, follow up of exception reports and correction at the point
of data entry.
Each application needs specific controls to prevent, detect and correct user
and operator errors as transactions flow through the system on the instructions
of each program.
Although control techniques are specific to each application, they are all appli-
cations of basic control principles.


OBJECTIVES
The objectives of application controls are to ensure the validity, completeness
and accuracy of transactions.
Specific control objectives concerning application controls are set out below
and matched to the relevant audit assertions.
● Validity (Occurrence):
– Transactions and changes thereto are valid.
– Changes to data and programs are valid.
– Data is supported by supporting documents or records.
– Data is not duplicated.
● Authorisation (Occurrence):
– Transactions and changes thereto are authorised by users or through the system (codes/matching).
● Completeness:
– All transactions are recorded.
● Accuracy:
– Correct quantities and values are recorded.
– Calculations are correct.
– Transactions are recorded in the correct accounts.
● Classification:
– Transactions are correctly classified according to account.
● Cut-off:
– Transactions are recorded in the correct accounting period.
Application controls are dealt with under the following headings:
● input;
● processing;
● master file maintenance;
● output.
Definitions
Application program:
A set of procedures and programs designed for performing specific functions
(e.g. inventory, wages, purchases and accounts payable, sales and accounts
receivable, etc.).
Application controls:
Controls over the input, processing and output of financial information to
ensure that the information is valid, complete and accurate.
Application controls also include controls over the maintenance of the related
master files or standing data. Application controls incorporate user controls
and programmed controls.


User controls:
Controls manually performed by users (e.g. batch controls, reviewing of excep-
tion reports, performance of reconciliations and authorisation of transactions).
These may be separated into:
● independent user controls (e.g. written authorisation of an input document);
● user controls dependent on computerised information (e.g. the review of an exception report).
Programmed controls (logical controls or automated controls):
Computerised controls incorporated into applications software. Hence “pro-
grammed controls” as opposed to “user controls”.
Examples of programmed controls include:
l edit and validation checks;
l run-to-run balancing;
l file balancing.
Transaction files:
Files used to store the information of individual transactions (e.g. sales trans-
actions).
Master files:
Files used to store standing data and balances, for example:
l customer details, names, addresses, credit limits;
l outstanding balance.
This term is used to distinguish between standing data in data files such as
customer details, credit limits, authorisation limits and pricing information, as
opposed to “transaction files”, which contain records of individual transactions.
Computerised batch processing systems
Batch processing refers to source documents and/or online transactions being
captured and collected, but not yet processed, prior to processing in batches
of similar items (e.g. 50 sales invoices).
• Control totals (“batch totals” of financial information and/or “hash totals” of
non-financial information) are then precalculated – for example, the number
of items (a “hash total”) or the total monetary value of invoices (a
“batch total”), etc.
• This data is processed in batches together with the control totals. The
system calculates its own control totals and compares these to the original
control totals.
• Batches which do not balance are rejected and reported on exception
reports, after which an independent senior person checks the batch and
hash totals and ensures that errors are corrected and resubmitted.
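The batch balancing routine described above, as an added example that is not part of the handbook. It uses three control totals (a financial total, a hash total on a non-financial numeric field and a record count) and shows which capture errors each one detects. The record layout, field names and sample invoices are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_no: int      # document number
    customer_no: int     # non-financial numeric field, used for the hash total
    amount_cents: int    # monetary value in cents (avoids float rounding)


@dataclass(frozen=True)
class ControlTotals:
    record_count: int
    hash_total: int
    financial_total_cents: int


def compute_totals(records):
    """Control totals as the system recalculates them from captured data."""
    return ControlTotals(
        record_count=len(records),
        hash_total=sum(r.customer_no for r in records),
        financial_total_cents=sum(r.amount_cents for r in records),
    )


def balance_batch(precalculated, records):
    """Return the list of differences; an empty list means the batch balances."""
    actual = compute_totals(records)
    differences = []
    for field in ("record_count", "hash_total", "financial_total_cents"):
        expected, got = getattr(precalculated, field), getattr(actual, field)
        if expected != got:
            differences.append(f"{field}: expected {expected}, system {got}")
    return differences


def process_batches(batches):
    """Accept balanced batches; reject the rest onto an exception report."""
    accepted, exception_report = [], []
    for batch_id, precalculated, records in batches:
        differences = balance_batch(precalculated, records)
        if differences:
            exception_report.append((batch_id, differences))
        else:
            accepted.append(batch_id)
    return accepted, exception_report


# Constructed sample data: the source documents as batched by the user department.
SOURCE = [
    Invoice(1001, 4410, 125_000),
    Invoice(1002, 4388, 9_950),
    Invoice(1003, 4502, 48_075),
]
PRECALCULATED = compute_totals(SOURCE)   # totals written on the batch header

# B-01: captured correctly.
# B-02: amount transposed (9_950 -> 9_590): only the financial total disagrees.
# B-03: invoice 1002 keyed to the wrong customer: only the hash total disagrees.
# B-04: invoice 1003 lost during capture: all three totals disagree.
BATCHES = [
    ("B-01", PRECALCULATED, SOURCE),
    ("B-02", PRECALCULATED, [SOURCE[0], Invoice(1002, 4388, 9_590), SOURCE[2]]),
    ("B-03", PRECALCULATED, [SOURCE[0], Invoice(1002, 4838, 9_950), SOURCE[2]]),
    ("B-04", PRECALCULATED, SOURCE[:2]),
]

if __name__ == "__main__":
    accepted, report = process_batches(BATCHES)
    print("accepted:", accepted)
    for batch_id, differences in report:
        print("REJECTED", batch_id, "->", "; ".join(differences))
```

Batch B-03 is the case a financial total alone would miss: the amounts still add up, and only the hash total shows that a record was captured against the wrong customer.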


4.5.1 Pervasive controls


As readers work through the detail that follows concerning controls that meet
specific application control objectives, it will be apparent that certain controls
are pervasive. These significant controls include:
• access and security controls;
• access controls that limit the functionality available to individual users;
• control totals;
• validity/edit testing;
• exception reports:
• AI-enabled routines are a very powerful tool that can be used to identify
errors, exceptions and anomalies;
• management review and follow up of exceptions and anomalies;
• sequential numbering and follow up of missing or incomplete information;
• reconciliations;
• logs;
• review and checking of reports and logs.

4.5.2 Controls over input


OBJECTIVE:
To implement controls designed to ensure that data entered to update master
files is valid, complete and accurate.
POSSIBLE ERRORS:
• unauthorised data entered;
• errors in creation of data;
• errors in capture/input of data;
• data could be lost during input;
• data could be added to or altered;
• errors in correction of data or re-entering rejected data;
• corruption of data during capture or transfer.
All objectives
Computerised (programmed) controls
1. Control totals and reconciliations:
This is conceptually similar to batching and requires both computerised
and user controls.
• financial totals: totals on fields with “R” values.
• hash totals: totals on any numerical field.
• record counts: total of number of records or transactions.


2. Batch processing:
• computer balancing of batches to predetermined batch totals;
• unbalanced batches are rejected and printed out on an exception
report.
3. Suspense files:
• unmatched transactions, those with missing information and those with
anomalies are recorded in suspense files, which require user
intervention.
User controls
1. Control totals and reconciliations:
See above.
2. Batch processing:
• a senior independent user checks and corrects errors.
3. Review of output and exception reports by users:
• comparison of reports of processed items to input documents where
applicable.
• review of numerical sequences of items;
• follow up of items on exception reports;
• balancing of input to output (totals/number of items);
and follow up and correction of errors identified.
4. Regular backups during input and after processing.
5. Adequate error correction procedures.
Controls over correction of errors
1. Errors must be followed up and corrected by user departments.
2. Suspense files are reconciled and items in suspense files are corrected.
3. Corrected transactions must be re-entered in the normal way (to highlight
existing errors).
4. Corrections are done under supervision and control of an independent
senior person (e.g. IT manager).
Completeness of input
Computerised (programmed) controls
1. Sequential numbering:
• The system allocates a unique sequential number to each transaction/
input.
• The system follows up the sequence and reports missing numbers.
• Where sequentially numbered documents are used, the system checks
the sequence and reports missing numbers.


2. Matching by the system:


• The system matches transactions within the system to ensure that
transactions are completed and completely recorded. For example:
orders are matched to delivery records and delivery records are
matched to invoices.
• Transactions entered are compared by the system to data on master
files and suspense files.
• Exception reports set out unmatched, long outstanding or duplicated
items on file.
3. Field presence checks ensure that all critical input fields are present.
User controls
1. Stationery control (where preprinted documents and forms are still in use):
• proper form design;
• prenumbered documents.
2. Examination of processing logs for missing input entries.
3. Exception reports are investigated and followed up by a senior
independent person.
Accuracy of input
Computerised (programmed) controls
1. Matching:
• The system matches input transactions with data on file (e.g. goods
received with orders).
• Information is generated by the system wherever possible (e.g. computer
generates the price against input of a product code).
2. Edit checks (validation checks) performed by the system to test the
accuracy of data during input:
• Formatting check: Numerical/alpha-numerical.
• Sign check: Positive or negative.
• Screen check: Checking of accuracy of data on screen by users.
• Screen prompts: “Are you sure?”
• Validity/existence: Matching (e.g. check stock codes included in orders
placed by customers against the database for validity).
• Limit and reasonableness check: Comparison with predetermined values
(e.g. maximum 50 hours worked per week).
• Check digits: Accuracy of codes.
• Control totals: For example, batch processing and comparison.


• Dependency check: Test interdependency of input in respect of other
fields.
• Field presence: All critical input fields are present.
• Field size check: Overflow of fields, etc.
• Specific character: For example, spaces in the right place.
• Arithmetic check.
• Logic check.
3. Batch input and processing.
Note that batching may involve both computerised and user controls:
• computerised reconciliation of batch and hash totals.
4. Use user-friendly screens to minimise error.
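The edit checks listed above, applied to captured timesheet records, as an added example that is not part of the handbook. Records that fail any check go to a suspense file together with the reason. The employee code format, the check digit scheme (weights 5, 4, 3, 2, modulus 10), the field names and all sample data are constructed assumptions; only the 50-hour limit comes from the text.

```python
import re

# Constructed master file extract (employee codes are hypothetical).
EMPLOYEE_MASTER = {"E10043": "hourly", "E10067": "salaried"}
MAX_HOURS_PER_WEEK = 50   # the limit used in the page's reasonableness example
REQUIRED_FIELDS = ("employee_code", "week_ending", "hours", "overtime_hours")
NUMERIC = re.compile(r"-?\d+(\.\d+)?")


def check_digit_ok(code):
    """Assumed scheme: weights 5,4,3,2 over the first four digits, modulus 10."""
    digits = [int(c) for c in code[1:]]
    weighted = sum(d * w for d, w in zip(digits[:4], (5, 4, 3, 2)))
    return weighted % 10 == digits[4]


def validate(record):
    """Apply the edit checks to one captured record; return the failures."""
    missing = [f for f in REQUIRED_FIELDS if not record.get(f, "").strip()]
    if missing:                                   # field presence check
        return ["field presence: " + ", ".join(missing)]
    failures = []
    code = record["employee_code"]
    if not re.fullmatch(r"E\d{5}", code):         # format check
        failures.append("format: employee_code")
    elif not check_digit_ok(code):                # check digit
        failures.append("check digit: employee_code")
    elif code not in EMPLOYEE_MASTER:             # validity/existence check
        failures.append("validity: employee_code not on master file")
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", record["week_ending"]):
        failures.append("format: week_ending")
    if not (NUMERIC.fullmatch(record["hours"])
            and NUMERIC.fullmatch(record["overtime_hours"])):
        failures.append("format: hours not numeric")
        return failures                           # later checks need numbers
    hours, overtime = float(record["hours"]), float(record["overtime_hours"])
    if hours < 0 or overtime < 0:                 # sign check
        failures.append("sign: negative hours")
    if hours > MAX_HOURS_PER_WEEK:                # limit/reasonableness check
        failures.append("limit: hours exceed weekly maximum")
    if overtime > 0 and not record.get("overtime_auth", "").strip():
        failures.append("dependency: overtime without authorisation code")
    return failures


def capture(records):
    """Accept clean records; write the rest to a suspense file with reasons."""
    accepted, suspense = [], []
    for record in records:
        failures = validate(record)
        if failures:
            suspense.append((record, failures))
        else:
            accepted.append(record)
    return accepted, suspense


def rec(ref, code, week, hours, overtime, auth=""):
    """Build one constructed input record (all values are strings, as keyed)."""
    return {"ref": ref, "employee_code": code, "week_ending": week,
            "hours": hours, "overtime_hours": overtime, "overtime_auth": auth}


# Constructed timesheet input, as strings straight from a capture screen.
SAMPLE_INPUT = [
    rec("R1", "E10043", "2021-06-04", "40", "0"),
    rec("R2", "E10403", "2021-06-04", "40", "0"),        # digits transposed
    rec("R3", "E10043", "2021-06-04", "72", "22"),       # over limit, no auth
    rec("R4", "E10067", "", "38", "0"),                  # week_ending blank
    rec("R5", "E10055", "2021-06-04", "40", "0"),        # valid digit, unknown
    rec("R6", "E10067", "2021-06-04", "-8", "0"),        # negative hours
    rec("R7", "E10043", "2021-06-04", "45", "5", "OT-311"),
]

if __name__ == "__main__":
    accepted, suspense = capture(SAMPLE_INPUT)
    print("accepted:", [r["ref"] for r in accepted])
    for record, failures in suspense:
        print("SUSPENSE", record["ref"], "->", "; ".join(failures))
```

Record R5 shows why the check digit and the validity/existence check are separate controls: the code is well formed and its check digit is correct, yet no such employee exists on the master file.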
User controls
1. Review by user or senior staff of:
• reports;
• suspense account reconciliations;
• computer input reports to physical source documents (one-to-one
testing).
2. Batch input and processing:
• preparation of manual batches;
• manual reconciliation of batch and hash totals.
3. Use of well-designed documents to minimise error.
4. Staff training.
Validity of input
Computerised (programmed) controls
1. Access controls (these are discussed in 4.4.3 as general controls – here
we are discussing access at the application level, for example the sales
and receivables module):
• over programs and functions;
• over specific time of day for processing;
• user authorisation matrices (for example create, read only, inquiry,
update and delete).
2. Authorisation of transactions.
2.1 By user:
• online authorisation of input data using passwords and access
rights.
2.2 By computer:
• use of information generated by the system (e.g. master file
information – price list or discount table);


• against codes or categories (e.g. payroll class or customer
category);
• against data on file (e.g. goods received matched against the
order);
• against limits (e.g. credit limits).
2.3 Overrides of system generated information:
• specific authorisation using supervisory access codes;
• overrides reflected on exception reports.
3. Authorisation of changes to data (correction of transactions and standing
data).
Note that this involves both computerised and user controls. Refer to
section 4.5.4:
• authorised by independent senior person;
• done under supervision;
• checked and documented after corrections and changes.
4. Transactions generated by computer (e.g. order for purchases of
inventory):
• effective functioning of the general controls in terms of system
implementation, change and access control;
• authorisation of transactions by users before execution (e.g.
purchases manager).
5. Validation tests:
• limit tests;
• matching, etc.
User controls
1. Segregation of duties, staff training and staff recruitment policies.
2. Authorisation of transactions by user:
• signatures on input documents (where applicable).
3. Authorisation of changes to data (correction of transactions and standing
data).
4. Review of authorisation procedures:
• on a regular basis by senior management;
• by internal audit;
and follow up and correction of errors identified.

4.5.3 Controls over processing


OBJECTIVE
To implement controls designed to ensure that only valid data (valid and
authorised) is processed and that data is processed completely and
accurately by the system.


POSSIBLE ERRORS:
• Data could be lost or corrupted during processing.
• Invalid data could be added during processing.
• Data could be altered during processing.
• Calculative or accounting errors could occur.
• Logic, precision or rounding errors in program.
• Incorrect program or data file.
• Data corrupted during transmission.
• Incorrect values or internal tables in program.
• Equipment malfunctions.
Completeness of processing
Computerised (programmed) controls
1. Reconciliation of control totals:
• This is conceptually similar to batching and requires both computerised
and user controls.
• Control totals for input are compared to totals for processing by the
system:
– financial fields, record count, or hash totals;
– file balancing:
A control total of the balance on file (or number of items) is maintained
on a separate file and updated with the total of the transaction data.
This independent total is then compared with the updated balance or
total of the master file.
2. Sequential testing by the system:
• numeric and sequential testing;
• exception reports of missing numbers or incomplete transactions are
generated.
3. Reconciliations of accounts and balances:
• this could be computerised but should also be reviewed by the user;
• for example, subsidiary ledgers to control totals in the general ledger
(e.g. debtors ledger to control account in ledger).
4. Logs of processing, including exception reports:
• the computerised control is producing logs and exception reports for
subsequent review.
5. Edit tests by computer program:
• validation checks, sequential testing, etc.
6. Control over transmission of data:
• control totals (number of items/hash totals);


• sequential numbering.
The receiving computer then tests the data received against the above.
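File balancing and sequential testing during an update run, as an added example that is not part of the handbook. The independent control total is rolled forward with the transaction file and compared with the updated master file, while the sequence test reports numbers that never reached the file. The data layout, the `lose_seq` fault switch and the sample balances are constructed assumptions.

```python
def sequence_exceptions(seq_numbers, first, last):
    """Report missing and duplicated numbers in the expected range first..last."""
    seen, duplicates = set(), set()
    for n in seq_numbers:
        (duplicates if n in seen else seen).add(n)
    missing = [n for n in range(first, last + 1) if n not in seen]
    return missing, sorted(duplicates)


def update_run(master, control_total, transactions, lose_seq=None):
    """Post a transaction file to a copy of the master file and balance it.

    control_total is the independent total held on a separate control file.
    lose_seq is a constructed fault: that posting is dropped, imitating data
    lost during processing. Returns (updated master, new control total,
    difference); a non-zero difference means the file does not balance.
    """
    new_control = control_total + sum(t["amount_cents"] for t in transactions)
    updated = dict(master)
    for t in transactions:
        if t["seq"] == lose_seq:
            continue
        updated[t["customer"]] = updated.get(t["customer"], 0) + t["amount_cents"]
    return updated, new_control, new_control - sum(updated.values())


def run_and_report(master, control_total, transactions, first, last, lose_seq=None):
    """Exception report for one run: balancing result plus sequence test."""
    _, _, difference = update_run(master, control_total, transactions, lose_seq)
    missing, duplicates = sequence_exceptions(
        [t["seq"] for t in transactions], first, last)
    return {"out_of_balance_cents": difference,
            "missing": missing, "duplicates": duplicates}


# Constructed sample data: debtors master file balances in cents.
MASTER = {"C4410": 250_000, "C4388": 0, "C4502": 75_500}
CONTROL_TOTAL = 325_500          # independent total from the control file

# Constructed transaction file; number 504 was issued but never reached it.
TRANSACTIONS = [
    {"seq": 501, "customer": "C4410", "amount_cents": 125_000},
    {"seq": 502, "customer": "C4388", "amount_cents": 9_950},
    {"seq": 503, "customer": "C4502", "amount_cents": -20_000},
    {"seq": 505, "customer": "C4410", "amount_cents": 1_000},
]

if __name__ == "__main__":
    print("clean run :", run_and_report(MASTER, CONTROL_TOTAL, TRANSACTIONS, 501, 505))
    print("faulty run:", run_and_report(MASTER, CONTROL_TOTAL, TRANSACTIONS, 501, 505,
                                        lose_seq=502))
```

The clean run balances to zero and still reports 504 as missing: file balancing only proves that everything on the transaction file reached the master file, so it takes the sequence test to show that a transaction never arrived at all.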
User controls
1. Reconciliation of control totals, accounts and balances:
• The user control is a review to ensure that computer records balance.
2. Sequential testing by the system:
• Exception reports are investigated and followed up by a senior
independent person.
3. Logs of processing:
• Regularly reviewed for errors or interruptions in processing by control
group.
• Follow up and correction of errors identified.
4. Breakpoint re-runs:
• If interrupted, processing can stop and restart at the correct point.
5. Processing errors should be reported on error reports and resubmitted.
6. Adequate backup procedures.
Accuracy of processing
Computerised (programmed) controls
1. Controls over computer hardware:
• programmed controls to test the accurate operation of hardware.
2. Edit checks by the system.
3. Produce exception reports for review by management.
4. Reconciliation and balancing (computer/user):
• run-to-run totals;
• control totals;
• control accounts in ledger.
5. Batch controls where data is processed in batches as opposed to online
real-time processing.
User controls
1. Note the comments under completeness above dealing with the separate
computerised and user aspects of exception reports, batching and
reconciliation.
2. Operator’s manual and user instructions.
3. Supervision and review of exception reports by competent staff.
Validity of processing
Computerised (programmed) controls
1. Access controls over transactions and standing data during processing.
2. Librarian functions to ensure correct program and file versions used.


3. Files should have internal or external labels and programs should be
identified with version numbers to ensure that the correct version of the file
is in use.
4. Record comparison and matching by the system:
• Processing is rejected if transaction is not valid (e.g. invoice is not
processed if there is no GRN on file).
5. Computer monitors and prints abnormal activities for review by users on
exception reports (e.g. creditors paid more than once per month).
6. Computer generates adequate audit trails.
User controls
1. Authorisation of overrides if the incorrect version is detected.
2. Authorised manual intervention if the system breaks down.
3. Use of logs (manual and computer logs) for monitoring unscheduled
processing or unauthorised use.
4. Supervision and review of exception reports by competent staff.

4.5.4 Controls over master files


OBJECTIVE:
To implement controls designed to protect the integrity of master file
information, to ensure that only valid changes (valid and authorised) to
master files are processed and that changes are processed completely and
accurately by the system.
All objectives/protection of integrity
Computerised (programmed) controls
1. The master file is protected by:
• encryption;
• library controls;
• record counts;
• reconciliations.
2. Generation of exception reports.
User controls
1. Regular review by management of:
• all audit trails and exception reports;
• the entire master file;
• follow up and correction of errors identified.
Completeness of processing of changes
Computerised (programmed) controls
1. Sequentially numbered audit trails of master file changes.


User controls
1. Reconciliation of changes with the list or register of requests for changes
and follow up of outstanding items.
Accuracy of processing of changes
Computerised (programmed) controls
1. Edit or validation checks are performed over data capture (see Input
Controls).
User controls
1. Reconciliation of master file changes with master file amendment forms
and third-party documentation, etc.
Validity of processing of changes
Computerised (programmed) controls
1. Access controls and levels of authorisation on the system.
User controls
1. Formal authorisation of changes by senior management if not authorised
through levels of authorisation:
• master file amendments matched with supporting documentation.
2. Checking of changes to master files:
• review of logs for changes to master files by management and checking
authorisation;
• follow up of unauthorised changes.

4.5.5 Controls over output


OBJECTIVE
To implement controls designed to ensure the completeness and accuracy of
output and to control distribution of output to authorised users.
The format of output could be in the form of online (on screen) output or printed
reports.
Confidentiality of output
Computerised (programmed) controls
1. Controls over online output:
• access controls to limit access to information on screen;
• requirement for users to log out or log off when terminals or devices
are not in use;
• requirement for terminals or devices to be disconnected automatically
if not used for a specified period;
• requirement for users to log on/off properly after system interruption to
prevent data from remaining on the screen;
• prohibition of simultaneous logon by one user.


User controls
1. Controls over online output:
• where possible, terminals located in positions that ensure only
authorised users have access.
2. Restrictions on which printers can be used for confidential reports.
Completeness of output
Computerised (programmed) controls
1. Output reports should be sequentially numbered.
User controls
1. IT control group to follow up on missing or duplicated numbers.
2. Review of output reports by users:
• reviewing of numerical sequence of items on reports;
• follow up of exceptions.
3. Reconciliation of input to output by the IT control group.
4. Sequence check on page numbers or document numbers.
5. End of report messages.
6. Page counts.
Validity (authorisation) of output
Computerised (programmed) controls
1. Logs, listing activities and output produced, maintained by computer
system – regularly reviewed by IT control group for unauthorised output.
2. Generation of exception reports.
User controls
1. Distribution list of authorised users, listing to whom output is to be sent.
2. Distribution schedule (which output, by when and to whom).
3. Distribution controlled by the IT control group.
4. Distribution register in which users sign for receipt of sensitive reports.
5. Review of reports by users:
• exception reports;
• reports of summaries and analyses.
Accuracy of output
User controls
1. Reconciliation of output to input by user departments for accuracy of
processing.
2. Review of output by users for obvious errors (e.g. faulty printer, etc.).
3. Physical checking of accuracy of calculations by users (reports and
documents).
4. Review and follow up of items on exception reports by an independent
control group.


5. Scrutiny (review) of processed information (reports, etc.) by users for
accuracy.
6. Checking by users of the accuracy of postings from subsidiary ledgers to
the general ledger.
7. Controls over stationery used for confidential reports (e.g. payslips).

4.6 A FRAMEWORK FOR APPLICATION CONTROLS


4.6.1 Per control objective
Completeness Accuracy Validity
1 Programmed
Input Matching Formatting tests Authorisation
Processing Sequential numbering Validity/edit checks Validity/edit testing
Master file Control totals Control totals Matching
Output: Control totals Dependency tests Logical access
• financial totals (matching) Suspense files
• hash totals Accuracy tests Logs
• record counts Duplication tests Activity testing
• batch totals Exception reports Exception reports
• suspense files Automated calculations
Change controls
Logs
File balancing
Exception reports
2 User
Input, Checking of: Checking of: Authorisation
processing, • logs • exception reports Checking of:
output: • exception reports • logs, etc. • logs
• suspense files Reconciliations • exception reports
Reconciliations • activity reports
Testing/review • documentation
• physical access

4.6.2 Per input, output, processing


Input controls
Validity:
• Access control
– physical
– programmed
• Authorisation by users of:
– transactions
– corrections
• Authorisation by management of:
– exceptions and overrides
– supervision
Completeness:
• Batch processing
• Sequential testing by computer
• Checking by management for completeness
Accuracy:
• Validity/edit testing
• Control totals
• Screen testing of input by user
• Standard screen layout
• Batch processing
• Compare debits with credits


Processing controls
Validity:
• Checking logs for unauthorised processing
• Access control during processing
• Supervision/review by IT management
• Correct file and program (file labels)
Completeness:
• Edit tests
• Sequential numbering
• Reconciliations by computer
– run-to-run
– control totals
– file balancing
• Examine logs for interruptions in processing
Accuracy:
• Edit tests by computer
– Accuracy tests
– Duplication tests
– Reasonableness tests
– Validity tests

Master file controls
Validity:
• Authorisation of changes
• Access controls
• Checking of change reports
Completeness:
• Sequenced master file amendments
• Sequenced output reports
• Checking of change reports
Accuracy:
• Edit tests by computer
• Reconciliation with authorised master file amendments

Output controls
Validity:
• Sensitive output controlled by management
• Senior person controls distribution of output
• Management review
• Review of reports
– users
– management
Completeness:
• Reconciliation with input
• Numerical recording in order of date of output
• Printouts must be numbered
• Reconciliations by users
Accuracy:
• Checking by users for reasonableness
• Reconciliation with input
• Checking of exception reports
• Comparison with management information by management

5. AUDITING IN AN INFORMATION TECHNOLOGY ENVIRONMENT


5.1 INTRODUCTION
The objectives and scope of an audit do not change in a computer
environment. However, the methods for the application of audit processes and
procedures and the acquisition of audit evidence do change.
An IT environment will result in changes in the characteristics of the system,
which may necessitate a change in the audit process, possibly causing an
auditor to place more emphasis on testing computerised controls and
analysing data on the system.
The use of different methods for processing information will lead to additional
risks concerning the processing of information and the resultant need for
additional controls.


It may be necessary for auditors to use the system to obtain audit evidence –
this is generally referred to as the use of audit software or computer assisted
audit techniques.

5.2 IMPACT OF AN INFORMATION TECHNOLOGY ENVIRONMENT ON THE AUDIT PROCESS
The audit approach to IT systems would be consistent with the approach set
out by the ISA Statements.
The fact that the environment is computerised simply requires auditors to
consider additional issues:
• prior to accepting the engagement;
• when obtaining an understanding of the business, the accounting system
and the related controls;
• when identifying risks;
• when planning the nature, timing and extent of audit procedures;
• when performing audit procedures.
1. Engagement considerations: Knowledge and skills
Prior to accepting the audit, the auditor should consider whether or not the
audit firm has the competence and resources necessary to evaluate the
effect on the audit of the enterprise’s IT systems.
• If necessary, the auditor should obtain assistance from computer audit
specialists within the audit firm or from outside specialists.
• If use is to be made of specialists, ISA 620 must be complied with:
– consideration of whether or not reliance on specialists, particularly
those engaged by management, is justified;
– engagement conditions;
– procedures to review the work of the specialists.
2. Planning activities
2.1 Develop an understanding of the IT environment and processing
Regardless of whether or not the client’s accounting records are
computerised, the auditor is obliged to obtain an understanding of
the business and develop an understanding of the accounting
systems and related controls sufficient to develop the audit plan.
The auditor should thus obtain an in-depth knowledge of the IT
environment to understand its impact on transactions and events which
may affect the audit procedures.
Factors to be considered include:
• the enterprise’s use of and attitude towards IT.
• the use of IT in relation to the industry.


• cybersecurity.
• changes and planned changes to the IT system.
• changes and planned or intended changes to non-financial
systems which could have an impact on the reporting function.
2.2 Gain an understanding of the accounting and internal control system
Gain an understanding of the importance and complexity of the IT
activities and the availability of data. This includes aspects such as:
• the organisational structure.
• the extent to which IT is used in each financial application.
• the complexity of the IT system, affected by, for example:
– the volume of transactions;
– the extent of automatic generation of transactions;
– the number of users;
– the nature of user interaction with the system and the various
facilities and devices used in this interaction;
– the extent of complex processing performed by the IT system;
– the use of electronic data interchange for transactions;
• the hardware and software utilised;
• the layout and organisation of facilities;
• processing method(s) in use;
• where and by whom information is processed (could be affected
by outsourcing);
• an overview of the computer environment and the manual and
computer controls;
• the extent of audit trails and the availability of data for audit;
• the need and scope for audit software;
• the extent to which the client is dependent on the computer
system (this may affect going concern);
• planned or intended changes to accounting aspects of the
system.
The above information would be obtained through:
• discussions with client staff and those charged with governance;
• reviews of client documentation;
• review of manuals;
• audit observations;
• system walk-throughs.
The information is required to enable the auditor to:
• identify the effect of IT systems on material flows of information;


• assess inherent risks;


• provisionally assess control risk;
• consider an appropriate audit approach;
• consider the need for specialist expertise;
• consider the need for audit software.
The extent of the above review would be more detailed in the case of
new systems or revisions of existing systems.
2.3 Perform risk assessment procedures and assess the risks in the system
The auditor would perform risk assessment procedures through
enquiry of management, IT personnel, internal audit and those
charged with governance, and:
• consider the risks identified by management and additional
significant risks apparent from the information gathered per 2.2;
• consider how management manages these risks.
Given the specific risks related to cybersecurity, the auditor would:
• evaluate management’s IT security management policies and
procedures;
• form an opinion on the effectiveness of these policies and
procedures.
The auditor would consider the effect of the computer environment
and processing on the inherent and control risks.
Risks and internal control characteristics in a computer environment:
These are dealt with in detail in sections 3 and 4 of this chapter.
The auditor would base the assessment of inherent risk on the evaluation
of the risks set out in section 3 of this chapter.
The auditor would then assess control risk based on the evaluation of
the controls as described in section 4.
Impact of the computer environment (general controls) on control risk
In a computer system, programmed controls (performed automatically by
the computer) are dependent on the integrity of the related programs
performing the controls, therefore directly dependent on general
controls, specifically:
• staff training, staff recruitment and segregation of duties;
• systems development and implementation;
• system maintenance and program change control;
• access and security controls over data and programs.


2.4 Setting of materiality levels


This is not affected directly by the computer environment, although
the level of materiality could be affected by specific risks and
circumstances peculiar to computer related issues (e.g. an accounting
breakdown due to systems malfunction would lead to a higher
assessment of risk and, therefore, a lower assessment of materiality).
2.5 Evaluation of the control environment
The auditor would always evaluate the design of controls and
determine whether they have been implemented. (Commonly referred to
as “D&I testing”.)
• The control environment; weaknesses in general IT controls would
result in a higher level of risk at the overall financial statement
level.
• Application controls; weaknesses in application controls would
result in a higher level of risk related to individual balances and
flows of transactions.
Note that this does not imply that the auditor would test controls at
this stage. See 2.7 below. The evaluation of controls that manage
significant risks is mandatory, but judgement may be used in
deciding whether or not to test controls.
The evaluation of controls (without yet testing controls) would be
achieved through:
• inquiry;
• inspection of documents and manuals;
• walk-throughs.
2.6 Risk assessment
As is dealt with in more detail in chapter 8, the auditor would assess
the risk of misstatement of financial information at:
• the overall financial statement level:
This assessment would be directly affected by the auditor’s
understanding of the IT system and the evaluation of the control
environment.
• at the assertion level for individual balances and flows of
transactions:
These assessments would be:
– indirectly affected by the assessment of risk at the overall
financial statement level (higher risk at the overall financial
statement level would suggest higher risk related to all
balances and flows of transactions);
– directly affected by the auditor’s evaluation of the inherent
risks at the individual balance and transaction level.


2.7 Formulation of an audit strategy (audit approach)


The audit approach forms part of the audit plan. The audit plan is
more detailed than the overall audit strategy in that it includes the
nature, timing and extent of audit procedures to be performed.
The auditor’s audit objectives do not change where data is
processed electronically. The IT environment could, however, change
the manner in which audit evidence is obtained.
The formulation of an audit approach to IT systems would follow the
processes set out in ISA 300, ISA 315 and ISA 330 and dealt with in
chapters 7 and 8.
The auditor would first obtain an understanding of the IT system and
perform risk assessment procedures. This is dealt with in 2.2, 2.3, 2.5
and 2.6 above.
The principal decisions made when formulating an audit approach
concern the nature, timing and extent of audit procedures.
As is dealt with in more detail in chapters 7 and 8 and based on the
assessment of risk, the auditor would consider the most appropriate
methods for obtaining sufficient appropriate audit evidence. In doing
so, the auditor would seek to achieve a balance between testing
controls, substantive tests of detail and analytical review.
• Tests of controls
These would be performed where the auditor is satisfied that tests
of controls would provide a reliable source of audit evidence that
controls reduce the risk of material misstatement.
This decision is governed by the principles of necessity,
possibility and desirability as discussed in section 5.3.
– This decision is affected by the characteristics peculiar to the
specific environment and the risks involved.
– Although the control principles remain unchanged, the
characteristics specific to IT systems make the nature of the
controls different to those in a manual system.
– The emphasis may also change in an IT environment, as
system orientated audit software (section 5.6.3) may be required.
Where tests of controls provide a reliable source of audit
evidence, this would enable the auditor to lower the assessment of
the risk of undetected material misstatement and thus reduce the
nature and extent of substantive testing required.
• Analytical reviews
Analytical reviews are used to evaluate trends, perform
comparisons and identify anomalies.
These may, in certain circumstances, be a reliable source of audit
evidence that the risk of undetected material misstatement may
be reduced.

10–67
Dynamic Auditing

Data analytics (section 5.6.4) may well provide a strong source of
audit evidence in an IT environment.
• Substantive tests of detail
In common with a manual system, substantive testing of detail will
always be necessary.
Audit software (section 5.6.5) would probably be of assistance in
this regard.
The manner in which the auditor acquires audit evidence (audit
approach to the computer) could involve:
(i) Auditing the output without using the computer
• The auditor would regard the computer merely as a processing
medium and would audit the output (computer reports)
by reference to source documents (input).
• A prerequisite for using this approach is the existence of a
proper audit trail of visible input and output.
• Where testing of controls is used as a source of audit evidence,
this would involve testing user (manual) controls.
• This approach is more likely to apply to smaller organisations
with a limited number of users and limited volumes of transactions.
(ii) Auditing using the computer
• This approach involves testing the effectiveness of computer
programs.
• Internal controls are tested by performing tests of controls
using the computer. This is dealt with in more detail in the
section on audit software.
• This approach provides the auditor with evidence concerning
the effective functioning of the system and the level of reliance
to be placed on internal controls.
• The auditor could also use audit software to assist in performing
substantive tests to verify account balances and transactions.
• Audit software might involve the use of AI-enabled data
analytics.
(iii) The use of IT specialists or experts
When planning the audit and developing the audit approach, the
auditor would again consider the need for the services of computer
audit specialists and would plan the involvement of these
specialists.
Specialist assistance may be required for both:
• evaluating computer controls;
• using audit software.


3. Administrative issues
Administrative issues specific to the audit of IT systems may need to be
addressed. Examples include:
• the availability of computer audit specialists;
• the timing of audit visits;
• scheduling the time of computer audit specialists;
• scheduling the availability of computer time to run audit software;
• obtaining permission to access computer facilities or data controlled
by third parties such as computer service organisations, network
service providers and the company’s bankers.
4. Obtaining audit evidence
Audit evidence is obtained through both tests of controls and substantive
procedures.
Audit evidence may be obtained through both manual procedures and the
use of audit software.
5. Evaluation, concluding and reporting
This is not affected by the computer environment, although the report may
be affected by specific circumstances or difficulties peculiar to computer
related issues (e.g. inadequate records due to systems malfunction).

5.3 TESTING CONTROLS IN AN INFORMATION TECHNOLOGY ENVIRONMENT
1. Whether or not to test internal controls within IT systems
Necessity
1.1 Where computer systems are simple, there is no need to perform
tests on computerised internal controls. The auditor could simply
perform manual tests of controls and/or substantive tests.
As the complexity of the computer systems increases, there will be a
need to evaluate the computerised internal controls and to possibly
use the computer to assist in audit testing through the use of audit
software.
Where an IT system is largely dependent on computerised internal
controls to maintain the integrity of its data, there could be a greater
need to perform tests of IT controls.
1.2 Other examples of system characteristics which would lead to a
necessity for increased tests of IT controls (or audit software) are:
• the presence of controls which manage significant risks;
• situations where sufficient audit evidence cannot be obtained
from substantive testing alone;
• large volumes of information;
• multiple functions performed by single programs;

• the absence of input documents;
• dependence on computerised controls;
• complexity;
• system generated items;
• integrated systems;
• lack of audit trail;
• short retention of data.
Possibility
1.3 The auditor should consider whether or not testing IT controls is
possible. This would depend on:
• whether or not IT controls are adequate to justify testing controls;
• the need for and availability of audit software;
• the need for and availability of technical expertise (specialists).
Note, however, that the performance of substantive procedures using
data analytics and/or data orientated audit software (sections 5.6.3
and 5.6.4) could be so efficient and achieve such high coverage of
transactions and balances that tests of controls might be neither
necessary nor desirable.
Desirability
1.4 The auditor should consider whether or not testing controls is
desirable.
The overriding criterion is whether or not tests of controls would be
efficient and cost effective. This would depend on:
• the amount of time to be spent on tests of controls compared to
the expected saving in audit time resulting from the reduction in
substantive procedures;
• this, in turn, could be affected by:
– the expectation that evidence to be gained from tests of
controls in the current audit could be used in future audits;
– the ability to use evidence gained from tests of controls in
previous years in the current audit;
• the extent to which changes are made to the system. It would be
more difficult to test all controls in a constantly changing
environment. Similarly, it may not be desirable to evaluate controls in
a new system until it is fully operational and has been proven to
be reliable;
• the physical location at which controls are performed, for example
at the client or at a service provider or service organisation;
• management’s expectation or requirement that controls will be
tested;
• opportunities to make value added recommendations to
management;
• preferences of the audit firm;
• staff training opportunities.
1.5 The auditor may use evidence gained from previous year’s tests of
controls, provided that the auditor can:
• prove that the system has not changed. This would require
observation, enquiry and walk-throughs;
• document this fact.
Note, however, that it is always necessary to test controls which:
• address significant risks;
• are of relevance to the audit and have changed.
Subject to the above, controls may then be tested on a rotational
basis over a three-year cycle, thus improving efficiency and cost
effectiveness, provided that:
• all relevant controls are tested at least once every three years;
• some controls are tested each year.
1.6 Timing considerations may lead the auditor to test controls, for
example transactions may not be permanently retained.
2. The nature of controls to be tested
2.1 Controls within IT systems may be:
• manual controls independent of the computerised system;
• manual controls over computerised information;
• computerised or programmed controls;
• combinations of the above.
Controls over computerised information are not confined to
computerised controls.
Manual controls, whether independent manual controls or manual
controls over computer information, are equally important.
2.2 As control risk is assessed at the individual balance and transaction
level, controls over individual applications (application controls)
would usually be tested.
2.3 Testing computerised application controls would be unlikely,
however, unless the application controls operate in a sound general
control environment.
2.4 The following additional aspects should be considered concerning
testing computerised application controls:
• Because computerised processing is inherently consistent, it may
not be necessary to perform extended testing on computerised
controls. A computerised control can reasonably be expected to
function consistently unless the underlying software is changed.
Once evidence has been obtained that a computerised control is
functioning as intended, the auditor may change the focus to
tests to determine that the control continues to function
effectively. Such tests might include determining that:
– changes to the program are not made without authorisation;
– the correct authorised version of the program is used;
– other relevant general controls are effective, for example, the
auditor may inspect access records and activity logs to
obtain audit evidence that unauthorised access has not
occurred during the period.
• Thus, because of the inherent consistency of IT processing,
performing audit procedures to determine whether or not an
automated control has been implemented may serve as a test of that
control’s operating effectiveness.
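One way to obtain evidence on the program version and log inspection points above, as an added example rather than a procedure from the handbook: hash the program running in production against the version recorded at change sign-off, and list program modifications in the activity log that have no matching authorised change. The change register layout, log format, ticket numbers, user names and program names are all constructed assumptions.

```python
import hashlib
from datetime import datetime


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


# Constructed data: program images as approved at change sign-off, with ticket.
APPROVED = {
    "payroll_calc": (b"PAYE_RATE = 0.25\n", "CHG-0101"),
    "invoice_post": (b"VAT_RATE = 0.15\n", "CHG-0102"),
}
# Hypothetical change register: one authorised version and ticket per program.
CHANGE_REGISTER = {
    name: {"ticket": ticket, "sha256": sha256_hex(image)}
    for name, (image, ticket) in APPROVED.items()
}
# Constructed copies of what is actually running in production.
PRODUCTION = {
    "payroll_calc": b"PAYE_RATE = 0.25\n",
    "invoice_post": b"VAT_RATE = 0.00\n",  # differs from the approved image
}
# Constructed activity log; the last line falls outside the audit period.
ACTIVITY_LOG = """\
2021-03-02T09:14:00 user=deploy_svc action=MODIFY program=payroll_calc ticket=CHG-0101
2021-04-11T10:02:00 user=deploy_svc action=MODIFY program=invoice_post ticket=CHG-0102
2021-05-17T23:41:00 user=jsmith action=MODIFY program=invoice_post ticket=-
2021-06-01T08:00:00 user=akhumalo action=READ program=payroll_calc ticket=-
2022-01-05T12:00:00 user=jsmith action=MODIFY program=payroll_calc ticket=-
"""


def parse_log(text):
    """Turn 'timestamp key=value ...' lines into dictionaries."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        entry = dict(pair.split("=", 1) for pair in pairs)
        entry["time"] = datetime.fromisoformat(stamp)
        entries.append(entry)
    return entries


def version_exceptions(production, register):
    """Programs whose running image does not hash to the authorised version."""
    exceptions = []
    for name, image in sorted(production.items()):
        approved = register.get(name)
        if approved is None:
            exceptions.append((name, "not in change register"))
        elif sha256_hex(image) != approved["sha256"]:
            exceptions.append((name, "hash differs from authorised version"))
    return exceptions


def unauthorised_changes(entries, register, start, end):
    """MODIFY events inside the audit period with no matching authorised ticket."""
    flagged = []
    for entry in entries:
        if entry["action"] != "MODIFY" or not (start <= entry["time"] <= end):
            continue
        approved = register.get(entry["program"])
        if approved is None or entry["ticket"] != approved["ticket"]:
            flagged.append((entry["time"].isoformat(), entry["user"], entry["program"]))
    return flagged


def run_checks():
    start, end = datetime(2021, 1, 1), datetime(2021, 12, 31, 23, 59, 59)
    return (
        version_exceptions(PRODUCTION, CHANGE_REGISTER),
        unauthorised_changes(parse_log(ACTIVITY_LOG), CHANGE_REGISTER, start, end),
    )


if __name__ == "__main__":
    versions, changes = run_checks()
    print("Version exceptions:", versions)
    print("Unauthorised changes:", changes)
```

The two exceptions corroborate each other here: the program whose hash differs is the one with an unticketed modification in the log.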
3. How to perform tests of controls
3.1 Tests of controls are dealt with in chapters 7 and 8.
3.2 Audit software may be required for testing computerised controls.
Audit software is fundamentally a test of reperformance.
4. Substantive work
4.1 Regardless of whether or not controls have been tested, the auditor is
obliged to design and perform substantive procedures for each
material class of transactions and account balance.
The question is thus rather one of extent in that, where controls have
been tested successfully, the auditor would reduce the extent of
substantive work and may focus more on substantive analytical
procedures and less on substantive tests of detail.
4.2 Audit software may assist in the performance of substantive
procedures.
Refer to the two tables that follow:

A FRAMEWORK FOR THE AUDIT APPROACH IN A COMPUTER ENVIRONMENT (Table 1)
(Flow diagram; the text of its boxes follows in sequence.)
1. Perform Risk Assessment Procedures
2. Evaluate the Internal Controls
3. Assess Risks
4. Balance: Tests of Controls / Substantive Procedures


A FRAMEWORK FOR THE AUDIT APPROACH IN A COMPUTER ENVIRONMENT (Table 2)
(Flowchart; the text of its boxes follows in reading order. Each decision box has YES and NO branches.)
• Study the accounting system and internal controls
• Decision: Will reliance be placed on internal control?
• Decision: Will reliance be placed on programmed controls?
• Decision: Advanced applications?
• Simple application: Audit the computer output
• Test the general controls of audit importance, specifically:
– Staff training and recruitment;
– Segregation of duties;
– System development/implementation;
– System maintenance/change; and
– Security and access controls, including management’s security management program
• Decision: Are there user controls which justify reliance?
• Decision: Reliance justified?
• Decision: Are there compensating user application controls?
• Tests of controls: Test controls manually
• Test the functioning of the application controls:
– Programmed;
– User; and
– Independent manual.
• Test functioning of compensating user application controls
• Decision: Reliance justified?
• Decision: Reliance on internal control justified?
• Limit substantive procedures
• Perform extended substantive procedures
• Auditing output on the basis of a good audit trail
• Limit substantive tests:
– Income statement/statement of comprehensive income: place reliance on internal control and verify by way of data analytics and other analytical procedures
– Statement of financial position: substantive procedures including the use of audit software
• Perform extended substantive procedures


5.4 EVALUATION OF CONTROLS: TESTS OF CONTROLS


If the auditor intends placing reliance on specific controls to reduce audit risk,
tests of controls should be performed to determine the reliance to be placed
on those controls.
This implies that:
• the auditor will test application controls (user and programmed);
• the auditor is satisfied with the outcome of the evaluation of controls over
the IT environment.
The auditor’s detailed review of the controls will involve the following steps:

5.4.1 Perform an evaluation of general and application controls


Methods:
• detailed flowcharts, diagrams, notes;
• detailed internal control questionnaires;
• enquiry of client staff; and
• full system walk-throughs.

5.4.2 Decide on specific controls to be tested


Objectives of tests:
• Do the controls manage significant risks?
• Are the controls performed?
• How well are the controls performed?
• By whom are the controls performed?
• Are the controls performed consistently throughout the year?
• Conclude on which controls should be tested.

5.4.3 Perform tests of the IT control environment


Significant weaknesses in controls over the IT environment are likely to result in
an increased risk of error occurring at the application level and remaining
undetected.
Satisfactory evaluation of these general controls is, therefore, a prerequisite for
testing application controls:
• unless there are user controls at the application level which compensate
for the weaknesses in general controls.

5.4.4 Perform tests on application controls


• Obtain audit evidence through tests of controls that the controls in question
operated satisfactorily during the period of intended reliance.
• Significant weaknesses in application controls may have a direct impact
on the level of risk related to any or all of the assertions.


The nature of the tests of controls can be represented schematically as follows:

Controls tested:
• Evaluation of the control environment
• User controls
• Independent manual controls
Nature of tests: Inspection, observation, enquiry and reperformance

Controls tested:
• Computerised controls
– General controls
– Programmed controls
Nature of tests: Enquiry, reperformance
• Manually – programme code analysis
• Audit software
– access and security
– reprocessing
– test data
– embedded routines

5.4.5 Evaluate the tests of controls


• If controls are present and well performed: reduce substantive tests as
there is less risk of error.
• If controls are not present, or not well performed: increase the substantive
tests in view of high risk of errors.

5.5 SUBSTANTIVE PROCEDURES


The auditor performs substantive procedures to limit audit risk to an
acceptable level.
The nature, timing and extent of substantive procedures would be affected by
the results of tests of controls.

5.5.1 Nature
• The nature of substantive procedures would be similar to those performed
in a manual system.
• Substantive procedures could comprise:
– detailed testing of transactions;
– detailed testing to verify balances; and
– analytical review procedures.
• Audit software, including data analytics, may assist the auditor with
detailed tests of reperformance and in analytical reviews.

5.5.2 Extent
If the tests of controls indicate that the system is sound, the auditor is likely to
perform less extensive tests of detail and place more reliance on analytical
procedures.

5.5.3 Timing
• As would be the case with a manual system, the results of tests of controls
would influence decisions concerning the timing of substantive work, such
as the decision to perform early verification and a roll forward.
• The timing of the use of audit software may be affected by the period for
which clients retain data.

5.6 AUDIT SOFTWARE (COMPUTER ASSISTED AUDIT TECHNIQUES OR CAATs)
In IT systems, tests of controls and substantive tests can be performed using
audit software that can access the client’s computerised system at high speed.
Audit software, in various forms, also referred to as CAATs, an abbreviation for
“computer assisted audit techniques”, has, for many years, performed
repetitive one dimensional tasks as part of the audit.
Traditional CAATs, however, lack intelligence and auditors are now making
significant use of AI-enabled data analytics routines (section 5.6.4).
An anticipated future development is that, in due course, clients’ accounting
records will be kept on the blockchain or similar systems. Should this
materialise, auditors would be able to use software to perform 100% confirmations of
all transactions and balances through blockchain.

5.6.1 Definitions
Audit software refers to an auditor’s use of the computer to assist in the
performance of audit procedures and the acquisition of audit evidence.
Systems orientated audit software (section 5.6.3) is used to test computerised
controls.
Data orientated software (section 5.6.5) is used to assist in the performance of
substantive audit procedures to access, retrieve and manipulate data from a
computerised information system.
Whilst this section deals mainly with the two traditional forms of audit software,
AI-enabled data analytics routines (section 5.6.4) cannot be ignored.

5.6.2 Audit software methods (computer assisted audit techniques)


Audit software
Audit software refers to computer programs used by the auditor to process
important client data as part of the audit procedures.
Generalised audit software
Generalised audit software (GAS) refers to general usage programs which
read data files, process data, select and analyse data, perform calculations,
create files and print reports for use by the auditor.
Some GAS packages are designed for use within a particular environment, a
particular system or a particular industry (e.g. insurance companies). Some
accounting firms have their own proprietary GAS software.
GAS packages might not, however, be applicable to all clients, particularly
those with unique processing environments. GAS packages may also have
limitations in that they might not be able to provide all specific functions or
information required for audit purposes.


Purpose-written software
These programs are written for a specific purpose. They might be written by
the auditor, the client, internal audit, or specialists employed or appointed by
auditors.
Development, however, is a costly process as expertise is required. The
auditor may also become dependent on the specialists responsible for
development.
Utilities
This involves the use of client utility or report writing programs to perform
general processing, such as enquiry facilities, creation and printing of files,
etc.
Note that utility programs are not intended for audit applications and their use
as an audit tool would require special care.
System management programs
These form part of sophisticated operating systems and could be used for data
retrieval software or code comparison.
In common with utilities, these programs are not specifically intended for audit
use.
NOTE:
Before using audit software, the auditor should consider the appropriateness of
the software and its intended use(s).

5.6.3 Systems-orientated audit software (systems CAATs)


Because systems CAATs are typically run periodically, reliance on general
controls is a prerequisite because of the risk that programs could be changed
in between the dates when the software is run.
It may be preferable for systems orientated software to be run by internal audit
in which case the external auditor would evaluate the work of the internal
auditors (ISA 610).
(i) Program code analysis
This involves the investigation of program coding of production programs
to ensure that the necessary programmed controls are present and that
the program is coded correctly.
• This requires a high level of technical knowledge and would require
specialist expertise.
• The auditor should also ensure that the program documentation under
examination relates to the production programs in use.
(ii) Testing access and security controls
Given the significant risks related to access and security controls, several
audit firms are now engaging the services of risk analysts, malware
analysts and ethical hackers to test clients’ access controls and security.
These specialists could be employed by the audit firm or could be outside
specialists.
(iii) Reprocessing
This involves the processing (or reprocessing), under the auditor’s
supervision, of selected transactions. The program is first checked by the
auditor and the processing is aimed at testing the functioning of the
programmed controls.
The recording of the actual transactions is then checked against the
reprocessed output.
(iv) Test data
This involves the creation of simulated data by the auditor. This data is
then processed through the client’s computer system. The results of
processing are then checked by the auditor against preprepared expected
results.
As test data is more likely to be used either by internal audit or by the
enterprise’s IT personnel during the systems development phase, it is
questionable whether test data is a control or an audit technique.
We have, nevertheless, included test data in this section as it remains a
tool available to auditors.
Test data may be used to test:
• controls, such as input validation, online passwords and data access
controls;
• the processing of data by the computer system.
Test data should be processed separately from the client’s normal
processing and is frequently used to test software prior to implementation.
Test data should include:
• valid and invalid data;
• all possible conditions to be tested;
• data that will test the functioning of each programmed control.
Test data is suitable for use where:
• intensive use is made of programmed controls;
• it is difficult to match input with output manually;
• large volumes of data are processed.
Through the use of test data, the functioning of more than one control can
be tested simultaneously.
The auditor should ensure that test data runs on the correct version of the
production program.
If test data is run with live data, the test transactions are removed from the
system after processing.


Test data can be run against the live system or on a copy of the system.
(The auditor must then ensure that the copy is the same version as the
program in use.)
Test data represents a very practical approach.
The major risks relating to the use of test data are:
• lack of surprise in that the timing of test data is often by arrangement
with the client;
• the program subjected to test data may not be the program used
throughout the year;
• the possible corruption of live client data.
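The test data technique described in (iv), as an added example that is not part of the handbook: a deck of valid and invalid records with preprepared expected results is run through a programmed control, and deviations are reported per control. The validation routine, customer codes, credit limits and result codes are hypothetical stand-ins for a client program, and the routine deliberately omits a sign check so that the deck has a deviation to find.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Constructed standing data for the stand-in client program.
CREDIT_LIMITS = {"C001": Decimal("5000.00"), "C002": Decimal("1000.00")}


def client_validate_order(order):
    """Hypothetical stand-in for the client's programmed input validation.

    It has no sign check on quantity; that omission is deliberate here.
    """
    customer = order.get("customer")
    if customer not in CREDIT_LIMITS:
        return (False, "UNKNOWN_CUSTOMER")
    try:
        qty = int(order["qty"])
        price = Decimal(order["unit_price"])
    except (KeyError, ValueError, InvalidOperation):
        return (False, "BAD_FORMAT")
    if qty * price > CREDIT_LIMITS[customer]:
        return (False, "OVER_CREDIT_LIMIT")
    return (True, "ACCEPTED")


@dataclass(frozen=True)
class DeckItem:
    case_id: str
    control: str      # programmed control the case is designed to exercise
    order: dict       # simulated transaction
    expected: tuple   # result prepared by the auditor before the run


# Valid and invalid data, including a boundary value for the credit limit.
TEST_DECK = [
    DeckItem("T01", "valid data accepted",
             {"customer": "C001", "qty": "10", "unit_price": "25.00"}, (True, "ACCEPTED")),
    DeckItem("T02", "customer exists on master file",
             {"customer": "C999", "qty": "1", "unit_price": "25.00"}, (False, "UNKNOWN_CUSTOMER")),
    DeckItem("T03", "numeric field check",
             {"customer": "C001", "qty": "ten", "unit_price": "25.00"}, (False, "BAD_FORMAT")),
    DeckItem("T04", "missing field check",
             {"customer": "C001", "qty": "1"}, (False, "BAD_FORMAT")),
    DeckItem("T05", "credit limit check",
             {"customer": "C002", "qty": "11", "unit_price": "100.00"}, (False, "OVER_CREDIT_LIMIT")),
    DeckItem("T06", "credit limit check",
             {"customer": "C002", "qty": "10", "unit_price": "100.00"}, (True, "ACCEPTED")),
    DeckItem("T07", "sign check on quantity",
             {"customer": "C001", "qty": "-5", "unit_price": "25.00"}, (False, "NEGATIVE_QUANTITY")),
]


def run_test_deck(process, deck):
    """Process each simulated record and return (id, control, expected, actual) deviations."""
    deviations = []
    for item in deck:
        actual = process(dict(item.order))  # pass a copy; the deck stays unchanged
        if actual != item.expected:
            deviations.append((item.case_id, item.control, item.expected, actual))
    return deviations


def summarise_by_control(deck, deviations):
    """One run tests several controls at once; conclude on each separately."""
    failed = {control for _, control, _, _ in deviations}
    return {item.control: ("not functioning" if item.control in failed else "functioning")
            for item in deck}


if __name__ == "__main__":
    found = run_test_deck(client_validate_order, TEST_DECK)
    for row in found:
        print("Deviation:", row)
    for control, status in summarise_by_control(TEST_DECK, found).items():
        print(f"{control}: {status}")
```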
(v) Embedded audit routines
This term refers to audit routines built into the client’s computer system.
Embedded routines are also referred to as “concurrent audit software”.
The term “concurrent” indicates that the software, which is embedded in
and forms part of the applications software, runs at the same time as the
processing applications.
Embedded routines are designed to identify exceptions and anomalies
and select samples for audit.
Modern embedded routines would incorporate AI-enabled software.
Embedded routines have the advantage that the whole period under
review is covered.
Ideally, embedded routines are installed at the time of systems
development. Because embedded routines are resident on the client’s system,
there is a risk of unauthorised modification.
Embedded routines are usually run by internal audit, in which case the
external auditor would evaluate the work of the internal auditors (ISA 610).

5.6.4 Data analytics


AI-enabled audit interrogation routines are now being used by auditors to
streamline data extraction from clients’ systems.
These routines can interrogate huge volumes of client data and extract and
convert relevant data with great accuracy.
They are used to analyse connections, patterns and insights, thus enabling
them to identify anomalies and exceptions, predict patterns, compare actual
data against the predictions and select samples.
An interesting paradox concerning IT systems is that, whilst technology
changes rapidly, the underlying concepts seldom change. The functions
performed by AI-enabled routines do not differ significantly from those traditionally
performed by traditional audit software. The difference is that AI-enabled
routines perform these functions with greater intelligence and produce more
comprehensive results.

The most significant advantages of these routines are summarised below:
• enhanced audit quality;
• efficiency and effectiveness;
• more meaningful reports take away some of the mundane functions of the
audit and allow the auditor more time to focus on areas requiring
professional judgement;
• improved client service in the ability to conduct more informed
engagements with those charged with governance.
There remains, however, a concern that the analytics are only as reliable as the
data used and the effectiveness of programming.

5.6.5 Data-orientated audit software (data CAATs)


The auditor performs substantive procedures to limit the audit risk to an
acceptable level. In an IT environment the auditor could use audit software to
assist in the performance of substantive procedures.
Data orientated audit software is used as a substantive audit procedure to
access, retrieve and manipulate data from a computerised information system.
(i) Downloading client data
This approach is an alternative to audit software, rather than a use of audit
software and is appropriate for more simple, low transaction volume
environments.
In this environment, functionality similar to that performed by audit
retrieval software may be achieved by downloading data from the client’s
system into a spreadsheet format (e.g. Sage Pastel, Zoho or Accounting
Edge downloads to Excel). The spreadsheet program is then used to
manipulate the data, perform computations, select samples, etc.
(ii) Audit retrieval software
Modern data-orientated audit software would take advantage of
AI-enabled routines.
Data-orientated audit software could be used to:
Reperform calculations
• Test casts and cross casts of files.
• Test casts of balances within the files.
• Test calculations (depreciation, interest, inventory value (quantity ×
cost price)).
• Calculate ratios for use in analytical procedures.
Perform investigations and analyses
• Extract detailed analyses of account balances (debtors and inventory
age analysis, etc.).
• Examine files for unusual items (long outstanding items, high-value
items, etc.).

• Examine records for quality, completeness and consistency in order to
identify exceptional items. Examples would include sequence checks,
alpha/numeric checks, checks for missing fields, checks for negative
items, matching to underlying records, etc.
• Compare transaction data with standing data (prices on invoice with
price list).
Select samples
• Items for testing (sampling) and confirmations.
• Items that meet certain criteria.
• Exceptions (debtors that exceed credit terms or have no set terms).
Extract summaries
• Items per category (debtors per days outstanding, etc.).
• Stratification of balances.
• Printouts of master files.
Perform comparisons
• Computer files with each other.
• Amounts (e.g. cost prices of inventory against NRV).
• Previous years’ files with current year (e.g. inventory lists).
Format of output
Output would include:
• standardised reports;
• sampling reports;
• exception reports.
Reports may serve any of the following purposes:
• Routine extracts of information.
• Audit tests performed by the auditor with the assistance of the
computer.
• Specific information:
– samples selected for audit testing;
– exceptions of importance to the auditor.
The auditor then performs detailed substantive procedures on the
information reflected on the reports.
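An added example (not from the handbook) of the data-orientated routines listed above: it casts a file against a control total, reperforms line calculations, runs sequence, duplicate, missing-field and negative-item checks, and compares invoice prices with standing data. The invoice extract, price list, control total and field names are constructed for illustration.

```python
import csv
import io
from collections import Counter
from decimal import Decimal

FIELDS = ("invoice_no", "customer", "item", "qty", "unit_price", "amount")

# Constructed extract of a sales invoice file (not real client data).
INVOICE_FILE = """\
invoice_no,customer,item,qty,unit_price,amount
1001,C001,WIDGET,10,25.00,250.00
1002,C002,GADGET,4,99.50,398.00
1003,C001,WIDGET,3,27.00,81.00
1005,C003,GADGET,2,99.50,199.00
1005,C003,GADGET,2,99.50,199.00
1006,,WIDGET,5,25.00,125.00
1007,C002,WIDGET,-2,25.00,-50.00
1008,C001,GADGET,1,99.50,95.90
"""
PRICE_LIST = {"WIDGET": Decimal("25.00"), "GADGET": Decimal("99.50")}  # constructed standing data
LEDGER_CONTROL_TOTAL = Decimal("1098.90")  # constructed general ledger balance


def load_records(text):
    return list(csv.DictReader(io.StringIO(text)))


def run_data_caat(records, price_list, control_total):
    """Return an exception report; assumes every record has an invoice number."""
    report = {"calc_errors": [], "price_mismatches": [],
              "missing_fields": [], "negative_items": []}
    cast = Decimal("0")
    numbers = []
    for rec in records:
        inv = int(rec["invoice_no"])
        numbers.append(inv)

        # Checks for missing fields.
        empty = [f for f in FIELDS if not (rec.get(f) or "").strip()]
        if empty:
            report["missing_fields"].append((inv, empty))
        if {"qty", "unit_price", "amount"} & set(empty):
            continue  # cannot reperform calculations without the numeric fields

        qty = int(rec["qty"])
        price = Decimal(rec["unit_price"])
        amount = Decimal(rec["amount"])
        cast += amount  # cast of the file

        # Reperform the calculation: quantity x unit price.
        if qty * price != amount:
            report["calc_errors"].append((inv, qty * price, amount))

        # Checks for negative items.
        if qty < 0 or amount < 0:
            report["negative_items"].append(inv)

        # Compare transaction data with standing data.
        standard = price_list.get(rec["item"])
        if standard is None or standard != price:
            report["price_mismatches"].append((inv, rec["item"], price, standard))

    # Sequence check: duplicated and missing invoice numbers.
    counts = Counter(numbers)
    report["duplicates"] = sorted(n for n, c in counts.items() if c > 1)
    report["sequence_gaps"] = sorted(set(range(min(numbers), max(numbers) + 1)) - set(numbers))

    # Compare the cast with the control total in the accounting records.
    report["cast_total"] = cast
    report["cast_difference"] = cast - control_total
    return report


if __name__ == "__main__":
    result = run_data_caat(load_records(INVOICE_FILE), PRICE_LIST, LEDGER_CONTROL_TOTAL)
    for key, value in result.items():
        print(f"{key}: {value}")
```

In this constructed file the cast difference equals the amount of the duplicated invoice, which is the kind of link the auditor would follow up on the exception report.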

5.6.6 Uses of audit software


Note that, whilst each form of software has a principal purpose, there is no
definite separation between systems and data-oriented software. This is
because the separation between tests of controls and substantive tests of
detail is in the purpose and not the nature of the individual procedure.


It does seem apparent that much of the use of audit software relates to:
• substantive testing of detail of transactions and balances;
• analysing and selecting samples from a large volume of transactions;
• analytical procedures.
However, certain uses of audit retrieval software have relevance to tests of
controls, for example:
• If audit software indicates that all computations are correct, this would
provide evidence that computerised controls over these computations are
functioning.
• Similarly, if audit software indicates that all documents are properly
matched (e.g. invoices match to delivery notes), this would provide
evidence that computerised controls over document matching are
functioning.
Whilst the processes we have identified as systems orientated are used for
testing programmed application controls, these techniques, however, do
provide some substantive evidence in terms of testing the logic of programs and
the accuracy of calculations.

5.6.7 Advantages of audit software


Audit software assists in achieving audit efficiency by saving time.
Audit software assists in achieving a reduction in audit costs.
Audit software assists in improving the quality of the audit, for example, as all
data or large samples of data can be tested, audit software achieves:
• more extensive reperformance;
• better precision;
• more conclusive results.
A better knowledge of the computerised information system is developed.
Audit software is able to deal with large volumes.
Audit staff develop improved expertise.
Audit software can reduce reliance on client computer personnel.
Audit software assists in achieving improved client service.

5.6.8 Factors the auditor should consider in the application of audit software
Computer knowledge, competence and experience
This depends on the complexity of the system.
The audit team should have sufficient knowledge to plan the audit and to
evaluate the results of audit software.
This may need specialised training.
The auditor may need the services of a specialist.


Availability of audit software and computer facilities


• availability of audit software, computer facilities, etc.;
• compatibility of audit software with the client’s system;
• cooperation and coordination with the client’s staff;
• availability of computer facilities (computer time and hardware).
Impracticality of human/manual testing
• absence of visible input documents;
• absence of visible audit trails;
• absence of visible output;
• volume of transactions.
Efficiency and effectiveness
Concerning improving the efficiency and effectiveness of audit procedures, the
auditor would consider the time needed to plan, design and execute audit
software routines and evaluate the results, including technical review and
assistance hours.
Timing of testing
Factors to consider include:
• the possible retention of data in computer format for a limited period of
time;
• the possibility that such data will not be available in computer format when
requested by the auditor;
• the use of system orientated software only once a year may not provide
evidence that the system is functioning throughout the period of the audit.
This may be overcome by running audit software more than once during
the year, or by evaluating general controls, particularly those over access
and system change.
The involvement of internal audit
Many audit software routines are, in fact, run by internal audit. Where this is the
case, the auditor could avoid replicating work already done by internal audit by
evaluating the work of the internal auditors (ISA 610).
Other considerations
l the cost of the software in relation to the benefits achieved;
l the possible need for specialised equipment or peripherals;
l the risk of audit software corrupting client’s data and the related necessity
to back up data for audit testing purposes in an online system. For this
reason, the auditor should discuss any procedures involving live data with
client personnel and obtain approval before carrying out the tests.


5.6.9 Characteristics of appropriate audit software


l ease of use;
l requires limited technical knowledge;
l cost effective;
l adaptable and flexible to meet the auditor’s needs;
l developed and run under audit supervision;
l machine independent;
l audit orientated;
l strong supplier support.

5.6.10 Procedures in the application of audit software


The major steps which the auditor should follow in using audit software:
l Determine the objectives of the application of audit software.
l Determine the content and accessibility of the enterprise’s files.
l Define transactions to be tested.
l Define the procedures to be performed.
l Define the output requirements.
l Arrange with client personnel for copies of the relevant data to be
available.
l Identify audit and computer staff to assist in the design and application of
audit software.
l Estimate the costs and benefits.
l Control the application of audit software.
l Plan the administration of the use of facilities.
l Execute the application of audit software.
l Reconcile all data used by audit software with the accounting records.
l Evaluate the results.
l Document the use of audit software in the working papers, including:
• planning of the use of audit software;
• techniques used in running audit software;
• conclusions concerning audit evidence obtained;
• recommendations to management.
Procedures to control audit software generally
l Approve audit software specifications.
l Review work to be performed by software.
l Review the clients’ general control environment.


l Consider whether or not client staff can improperly influence the results of
the software.
l Ensure integration of output into the audit process.
l Participate in design and testing.
l Check program coding.
l Ensure that the software will run on the client’s operating system.
l Run audit software on small test files before running on the main system.
l Ensure that the correct versions of client files are used.
l Obtain evidence, such as reconciliations, to prove that the software
functioned as planned.
l Ensure security over data and output.
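The reconciliation and small-test-file steps listed above can be illustrated with a short data-orientated routine. This is an added example, not code from the handbook: the file layout, the control totals and all function names are assumptions, and the invoice data is constructed.

```python
import csv
import io
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample: a copy of a client's sales-invoice file (not real data).
EXTRACT_CSV = """invoice_no,customer,amount
1001,C001,1250.00
1002,C014,310.50
1003,C001,99.95
1005,C022,4800.00
1006,C014,310.50
1006,C014,310.50
1007,C003,75.00
"""

# Constructed control totals, taken independently from the accounting records.
LEDGER_CONTROL = {"record_count": 7, "value_total": Decimal("7156.45")}


@dataclass
class RoutineResult:
    reconciled: bool         # extract agrees with the accounting records
    differences: dict        # control name -> (extract value, ledger value)
    missing_numbers: list    # gaps in the invoice number sequence
    duplicate_numbers: list  # invoice numbers recorded more than once


def load_extract(text):
    """Parse the extract; an unreadable record stops the run with its line number."""
    rows = []
    reader = csv.DictReader(io.StringIO(text))
    for line_no, row in enumerate(reader, start=2):
        try:
            rows.append((int(row["invoice_no"]), row["customer"],
                         Decimal(row["amount"])))
        except (KeyError, TypeError, ValueError, ArithmeticError) as exc:
            raise ValueError(f"line {line_no}: unreadable record {row!r}") from exc
    return rows


def reconcile(rows, control):
    """Compare the extract's control totals with those from the accounting records."""
    extract = {
        "record_count": len(rows),
        "value_total": sum((amount for _, _, amount in rows), Decimal("0")),
    }
    return {name: (extract[name], expected)
            for name, expected in control.items() if extract[name] != expected}


def sequence_exceptions(rows):
    """Return (missing, duplicated) invoice numbers between the lowest and highest."""
    counts = Counter(number for number, _, _ in rows)
    if not counts:
        return [], []
    missing = [n for n in range(min(counts), max(counts) + 1) if n not in counts]
    duplicates = sorted(n for n, seen in counts.items() if seen > 1)
    return missing, duplicates


def run_audit_routine(text, control):
    """Reconcile first, then test; unreconciled results should not be relied on."""
    rows = load_extract(text)
    differences = reconcile(rows, control)
    missing, duplicates = sequence_exceptions(rows)
    return RoutineResult(not differences, differences, missing, duplicates)


if __name__ == "__main__":
    result = run_audit_routine(EXTRACT_CSV, LEDGER_CONTROL)
    print("Reconciled to accounting records:", result.reconciled)
    print("Differences:", result.differences)
    print("Missing invoice numbers:", result.missing_numbers)
    print("Duplicated invoice numbers:", result.duplicate_numbers)
```

A reconciled extract shows that the routine ran on the complete, correct file; the sequence exceptions are then the findings to follow up with the client.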

5.6.11 Audit software and small entities


Because a small enterprise is likely to have weaker general controls, the auditor
is less likely to apply tests of IT controls.
This would cause the auditor to place greater emphasis on substantive
procedures and could increase the effectiveness of audit software as a
substantive audit tool.
However, the following aspects typical of small entities may influence the
auditor against the use of audit software:
l Smaller volumes of data may result in manual methods being more cost
effective.
l The use of audit software may not be practicable owing to a lack of
technical expertise and support.
l It may prove more cost effective to download the client’s data for analysis
on another computer.

5.7 AUDIT IMPLICATIONS OF OUTSOURCING


The principles set out below are expressed in terms of service organisations
which perform transaction processing for clients, but apply equally to all types
of service provider.
The auditor should still test controls to determine the validity, completeness and
accuracy of processed transactions.
Because of the risk related to possible reliance on controls implemented by a
third party, it may be more convenient for the auditor to ignore computerised
controls managed by the service organisation and test processing controls
managed by the client and/or manual controls over the processed information,
such as controls over data capture, batching controls, reconciliations and
reviews of output.


Whether or not the auditor chooses to evaluate controls operated by a service
organisation will depend on the materiality of the applications processed by the
service organisation and the existence of any controls operated by the service
organisation that are critical to the audit.
The controls to be tested by the auditor may include:
l General controls at the service organisation:
Specifically, those controls of importance to the auditor, namely controls
over:
• access and security;
• system development and implementation;
• system maintenance;
• organisational aspects and management;
• data communications.
l Application controls:
• managed by the client;
• managed by the service organisation.
Evaluation of the suitability of the service organisation
The processing of the client’s transactions by a service organisation is similar to
the auditor relying on the work of an expert. The auditor must therefore
consider whether or not reliance can be placed on the service organisation and will
therefore evaluate the reputation of the service organisation (refer to ISA 620).
Factors to consider:
l security provided in respect of client transactions;
l competence and reliability;
l qualifications of staff;
l independence;
l experience, standing and reputation;
l the range of services provided;
l quality of service rendered to clients;
l membership of professional bodies;
l sustainability;
l ability to meet deadlines.
Testing of controls at the service organisation
By the auditor:
Testing of the controls at the service organisation would involve:
l enquiry and discussion;


l review of systems documentation;
l completion of internal control questionnaires;
l testing of controls using reprocessing, test data;
l data analysis.
By an independent third-party auditor (ISAE 3402):
The distinction between ISA 402 and ISAE 3402 is that ISA 402 applies to the
auditor using the report, whilst ISAE 3402 applies to the auditor preparing the
report.
This involves the service organisation appointing an independent third-party
auditor to evaluate its controls and security over data and program files.
In this case, the auditor will need to determine whether or not to place reliance
on the work of the other auditor:
l Comply with ISA 600: Using the work of other auditors.
Factors to consider concerning reports issued by the other auditors:
l The service organisation’s auditor will probably issue one of two types of
report:
Type 1
A report on the suitability of design, including a description of the control
systems operated by the service organisation and expressing an opinion
concerning:
• the accuracy of the above description;
• whether or not the controls are in operation;
• the suitability of design of the controls to meet their stated objectives.
Type 2
A report on the suitability of systems design and operating effectiveness,
including the information set out above and:
• details of tests performed on controls;
• a conclusion concerning whether or not the audit evidence indicates
that controls have operated effectively, based on the tests of controls.
Whilst the former report would be useful in enabling an auditor to obtain an
understanding of the system and related controls, the latter report would
be necessary if the auditor wished to use the report as a basis for
reducing control risk.
When evaluating the latter form of report, the auditor would consider the
appropriateness of the work performed and the sufficiency of audit
evidence obtained.
Audit procedures
1. Evaluate the suitability of the service provider (section 4.3.2).
2. Evaluate the agreement with the service provider (section 4.3.3).


3. Evaluate controls.
• Managed by the client:
Test the controls over:
– data preparation;
– data transmission;
– receipt and review of processed data from the service provider;
– test the accuracy of processed transactions against client
records, reconciliations, etc.
• Controls at the service provider:
– Testing by the auditor of IT controls. This is unlikely because the
service provider will probably refuse to grant the auditor access to
its systems.
– Reliance on third party review:
Comply with ISA 402 and ISA 600.
• Controls over data communications:
These controls would be particularly relevant in regard to service
providers.
• Consider the necessity and possibility of including test data
transactions in client data sent to the service provider for transmission.
4. Evaluate the reliance to be placed on internal controls and the consequent
effect on substantive audit procedures (nature, scope and timing).
5. Perform substantive procedures.
This could involve the use of audit software on information stored by the
service provider.
6. The following practical problems may affect the auditors’ ability to use
audit software on a service provider’s system:
• whether or not the service organisation retains records covering the
whole period under audit;
• applicability (compatibility) of audit software;
• the need for the client to approve the service provider’s charges;
• availability of computer time.

5.8 USE AND CONTROL OF PERSONAL COMPUTERS IN THE AUDIT PROCESS
Most audit working papers are now computerised and most audit staff are
equipped with laptop computers as their principal audit tool.
The use of personal computers as an audit tool improves the productivity of the
auditor, reduces audit costs and limits audit risk.
The use of automated audit working papers allows the auditor to control audit
costs effectively and to increase the effectiveness and efficiency of the audit.


Security in the use of personal computers on the audit


Access and security
Because of the sensitivity and confidentiality of the data on audit laptops,
access and security are of paramount importance.
The audit firm must implement staff policies over the maintenance of data
security. This would include:
l Limiting access through passwords and user ID.
l Encryption of data.
l Requiring staff to:
• switch their laptops off when not in use at client premises;
• lock them away when not in use or travelling;
• not leave drives containing sensitive information unattended on client
premises;
• remove laptops from client premises overnight and at weekends.
l Allowing only authorised copies of programs to be used.
l Protecting the laptops with antivirus software.
Backup
The audit firm must implement formal policies over backup:
l frequency of backup;
l regular online backup to server.
Security of client data
l Only audit team members should be allowed to work on the client’s data
files.
l Where possible, copies must be made of client files and audit tests done
on these copies.
Staff
l Must be trained in the use of computers.
l Must be accountable for computer equipment.
General
Equipment should be insured against “all risks”.

6. APPLICATION OF PRINCIPLES TO SPECIFIC ENVIRONMENTS AND APPLICATIONS
6.1 INTRODUCTION
In chapter 9 and the previous sections of this chapter, we addressed the basic
principles of controls and auditing in Information Technology (IT) systems
environments. These principles apply to all computer systems, whether complex
systems, such as online environments, or simple systems such as processing
on stand-alone personal computers.


In this section, we focus on more specific computer environments and
applications, the relevant controls and audit considerations applicable in these
circumstances.
Readers will find that many of the considerations raised are simply applications
of principles already covered earlier in this chapter.
This is both intentional and logical.
Intentional because this section is designed to illustrate the application of
principles already covered. Essentially, this section provides examples where
basic principles are applied to specific environments and applications.
Logical because there are no new controls, only new applications for which
traditional areas of controls need to be focused and updated. The control and
audit relevance of a new or different technology is not in its name but rather in
the nature of each system and the applications performed by the system.
We deal with technology at a comparatively superficial level because this is an
auditing text, and it is neither the intention nor the role of the author to cover IT
in depth.
We continue to use the term “master files” in relation to standing data such as
customer or supplier details, price lists and other semi-permanent information
stored on the system.

6.2 ONLINE SYSTEMS


6.2.1 The effect of online systems on the accounting system
The effect of an online computer system on the accounting system and the
associated risks will generally depend on the extent to which the system is
used to process accounting data, the type and materiality of transactions
processed, the nature of files and programs used and the adequacy of the
security infrastructure.
Online computer systems enable users to access data and programs directly
through enabled electronic devices and initiate various functions such as
electronic commerce activities, entering transactions, making enquiries, updating
master files and requesting reports.
Online systems may also use special purpose devices such as point-of-sale
terminals, automated teller machines, wireless devices and voice response
systems.

6.2.2 Considerations which increase the risks in online systems


The characteristics of an online system may increase the risk of fraud and error
and affect the design and functioning of controls necessary to limit this risk.
Specific risks could arise from:
l An absence of formal established security policies.


l The distribution of various input devices throughout the enterprise
increases the risk of unauthorised access to and use of the computer.
l Increased risk relating to viruses
Whilst viruses can affect any computer environment, the risk of viruses is
increased in an online system because of the large number of users and
devices that have access and the likelihood that many of these users are
uninformed of the dangers of computer viruses and the procedures to
prevent infection.
l Unauthorised access to and modification of data and programs through
the Internet and telecommunications networks.
l Destruction or denial of data by hackers.
l There is greater dependence on computerised validation checks
performed at the time transactions and data are entered.
l There is an increased risk of lost transactions owing to interruption of
processing.
l There may be an absence of traditional paper audit trails.
Online systems do, however, usually include controls leading to a reduced risk
of error. Typically:
l Data entry occurs at or near the point where each transaction occurs.
l Validation and authorisation occur at or near the point where each
transaction occurs.
l Invalid transactions can be corrected immediately.
l Individuals who perform data entry understand the transactions.
l Transactions are processed immediately.
l An independent department monitors processing, follows up errors and
controls access.
l IT activities can be monitored by AI-enabled routines.

6.2.3 The effect of online systems on audit procedures


Online systems are likely to necessitate changes in the audit approach,
including the use of audit software and analytics.
The audit procedures applied and the methods of obtaining audit evidence are
affected by factors such as:
l Consideration should be given to the impact of the system on the audit
procedures.
l The timing of audit procedures may be affected, because data may only
be available for a limited time.
l Persons with technical knowledge must be involved in planning the audit.
l Identification of new remote access facilities and the various devices
used.


l It might be necessary for the auditor to test controls, concentrating on:
• cybersecurity and access;
• data encryption;
• firewalls;
• systems development and maintenance controls;
• programmed controls, such as edit or validation tests;
• transaction logs;
• the manner in which transactions are authorised;
• error and exception reports, review of these reports and procedures
for dealing with errors;
• controls to ensure that the correct files are used;
• controls over changes to master files;
• control totals and reconciliations.
l Substantive tests might need to include data-orientated audit software and
analytics.
It would assist both the client and the auditor if the internal or external audit
were involved in the design of the system to ensure that it incorporates the
necessary controls and functions.

6.3 INTERNET APPLICATIONS


6.3.1 Risks associated with the Internet
The use of the Internet, including cloud applications, introduces special risks to
be addressed by the enterprise.
The following additional risks arise in the case of Internet transactions:
Security risks
If appropriate security controls are not established, the information in the
Internet “pipeline” might be accessed by unauthorised parties, either deliberately
or by accident.
Specific security risks include:
l There are risks relating to managing security, ranging from the choice of
business model at the strategic level, to the interfaces between processes
and technology at a technical level.
l The Internet, being a “public information highway”, may allow for access to
the enterprise’s systems data.
l Some internet protocols might carry no identity, enabling an intruder or
“hacker” to pose as someone else.
l The networking, transmission and data protocols of the Internet are not
designed with security in mind.


l There is no central management of the Internet.
l There is dependence on appropriate and adequate systems design to
prevent or detect error and fraud and report abnormalities.
l There is dependence on programmed application controls to cope with
large volumes of transactions at fast processing speeds and prevent
errors or misuse going unnoticed.
l There are risks relating to remote transactions initiated by users, including
the need to distinguish between intruders and genuine customers,
suppliers and employees.
l Payments, such as electronic funds transfers and credit card payments,
are processed via the Internet.
l There is a risk of failure of encryption-based security.
l Poorly designed web pages might create security problems.
Privacy risk
The risk of invasion of privacy may increase, unless there is adequate
cybersecurity and comprehensive background checks are carried out on employees
who have access to sensitive private information.
Hackers
Internet-based systems are vulnerable to hacking in its various forms, including
“hacktivists”, “phishing”, “spoofing”, “malware”, “spyware” and “ransomware”.
Enterprises need to ensure that they have adequate firewalls, virus protection
and anti-spyware software.
Employees are often the weakest link and staff need to undergo regular
training.
The hacking of social media sites is also on the rise, and company policies
need to include social sharing policies and the operation of secure social media
accounts.
Wireless applications
The principal risks related to wireless applications are:
l the interception of confidential data by unauthorised users;
l the risk of unauthorised access to computers and servers through wireless
connections.
The specific technology of controls over WLANs is beyond the scope of this
text but the fundamental principle is additional focus on logical security
controls related to user authentication, encryption and the use of firewalls to
monitor access and usage.
Business continuity risk
The overload of Internet file servers with data and/or requests for data could
cause a systems breakdown, resulting in the system being unavailable for
business.


Where Internet trading is particularly important to an enterprise, the absence of
continuity controls may cause doubt concerning the enterprise’s ability to
continue its operations in the event of a serious systems failure (going concern).
Payment via credit card
The principal risks associated with receiving Internet-based credit card
payments are:
l unauthorised acquisition (“hacking”) of customer’s credit card information;
l claims against the organisation where client information is accessed by
unauthorised users (privacy risk);
l risk of bad debt resulting from stolen cards, misuse of cards, inability to
verify credit worthiness, etc.
Accounting risks
Accounting risks relate to the use of inappropriate accounting policies,
including:
l whether the enterprise is acting as agent or principal and thus whether
gross revenue represents gross sales or commissions on sales;
l the exact timing of revenue recognition where orders and payment are
received simultaneously but goods or services are delivered later;
l the treatment of introductory offers, such as free goods.
Taxation and regulation
The enterprise should have adequate mechanisms for recognition of taxation
liabilities in various jurisdictions. Factors giving rise to taxes on Internet
transactions may include the place where:
l the enterprise is legally registered;
l its physical operations are based;
l its web server is located;
l goods and services are supplied from;
l its customers are located.
These may all be in different countries, giving rise to the risk of failure to
recognise taxes applicable to cross jurisdictional transactions.
Other legal or regulatory issues arising in an Internet environment include:
l adherence to national and international privacy requirements;
l adherence to national and international requirements for regulated
industries;
l the enforceability of contracts;
l the legality of particular activities (e.g. Internet gambling);
l the risk of money laundering;
l violation of intellectual property rights.


Outsourcing
Many entities depend on service organisations such as Internet service
providers (ISPs), application service providers (ASPs), cloud service providers and
data hosting companies to meet all or some of their IT requirements for Internet
and e-commerce. Entities also often outsource other functions related to
Internet trading, such as customer relationship management, order fulfilment,
delivery, operation of call centres and some accounting functions.
Other issues
Because the enterprise is not physically accessible to customers, business
risks exist relative to procedures for the return of goods and the processing of
claims under warranties.

6.3.2 Controls in Internet-based systems


In general terms, access and security controls are of paramount importance.
Specific areas of control include:
l Certification
The transmitting and receiving parties are who they say they are and they
are authorised to transmit and/or receive.
l Authenticity
The information received is identical in form and content to what is
transmitted.
l Confidentiality
The information is accessible only to the intended parties.
l Credit cards
Secure electronic transmission and the use of one-time passwords and
two factor authorisation to validate credit card transactions.
l Non-repudiation
Verification and time stamping of receipt of communications to establish
precisely by whom and when it was sent.
Orders and invoices to be created in such a way as to be regarded as
legal sales contracts between the seller and his customers.
Logging of all transactions.
l Identification and authentication
Identification
Internet protocol (IP) address, codes, cellphone numbers, etc.
Confirmation
Time stamping and digital signatures.
Requests for customers to confirm transaction details on screen.
Confirmation of transaction details sent to customers per email or
cellphone.


l Registration
All users must first register and receive unique login details and
passwords before they can trade on a specific website.
l Privacy policy
Private information of customers (e.g. surnames, first names and credit
card information) must be protected.
Effective cooperation agreements between parties (buyers and sellers)
and credit card companies to be set up.
l Assurance logos
Assurance logos on a website indicate that an independent agency has
certified that the organisation complies with the necessary e-commerce
standards.
The independent agency will perform regular audits regarding the various
aspects of e-commerce.
l Firewalls
Firewalls provide additional security controls for companies and other
users of the Internet.
In simple environments, such as stand-alone personal computers, a
firewall would simply involve the installation of a software package. A more
complex environment, such as a large network, would require separate
computer equipment dedicated to running more sophisticated firewall
software.
l Controls relating to transaction integrity
Controls relating to transaction integrity are usually designed to validate
input and prevent duplication or omission of transactions.
Examples of controls designed to address both of the above include edit
or validation checks ensuring individual messages are complete.
l Controls over master file information
The system depends on the accuracy of information contained in master
files or standing data files, thus emphasising the importance of controls
over changes to and security of master file data.
As much information as possible should be stored in master files and
automatically generated by the system rather than the user. For example, a
user should simply click on a particular product and the system would
then record the transaction details and compute the value.
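The authenticity, time stamping, logging and duplicate-prevention controls listed above can be seen working together in a receiving routine. This is an added example, not code from the handbook: the message layout, key, tolerance and names are assumptions and the orders are constructed. A shared-key HMAC shows that content is unaltered and came from a key holder; it does not give non-repudiation, for which the list relies on digital signatures.

```python
import hashlib
import hmac
import json

# Constructed demonstration key; a real key would come from a key store.
SHARED_KEY = b"constructed-demo-key"
MAX_AGE_SECONDS = 300  # assumed tolerance between sending and receipt

ACCEPTED = "accepted"
REJECT_ALTERED = "rejected: content or sender key does not verify"
REJECT_STALE = "rejected: time stamp outside tolerance"
REJECT_DUPLICATE = "rejected: duplicate transaction"


def seal(order, msg_id, sent_at, key):
    """Sender side: serialise the order canonically and attach an HMAC tag."""
    body = json.dumps({"id": msg_id, "sent_at": sent_at, "order": order},
                      sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Receiving side: verify, time-check, de-duplicate and log every message."""

    def __init__(self, key, max_age=MAX_AGE_SECONDS):
        self.key = key
        self.max_age = max_age
        self.seen_ids = set()  # identifiers of transactions already accepted
        self.log = []          # one entry per message, accepted or rejected

    def accept(self, message, now):
        status, msg_id = self._check(message, now)
        self.log.append({"received_at": now, "id": msg_id, "status": status})
        return status

    def _check(self, message, now):
        body = str(message.get("body", "")).encode()
        tag = str(message.get("tag", "")).encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        # Constant-time comparison; nothing in the body is trusted before this.
        if not hmac.compare_digest(expected, tag):
            return REJECT_ALTERED, None
        fields = json.loads(body)
        if abs(now - fields["sent_at"]) > self.max_age:
            return REJECT_STALE, fields["id"]
        if fields["id"] in self.seen_ids:
            return REJECT_DUPLICATE, fields["id"]
        self.seen_ids.add(fields["id"])
        return ACCEPTED, fields["id"]


if __name__ == "__main__":
    receiver = Receiver(SHARED_KEY)
    order = seal({"sku": "A-100", "qty": 3}, "ORD-0001", 1700000000, SHARED_KEY)
    altered = dict(order, body=order["body"].replace('"qty":3', '"qty":300'))
    for message, now in [(order, 1700000010), (order, 1700000020),
                         (altered, 1700000030)]:
        print(receiver.accept(message, now))
```

The log kept by the receiver is the kind of transaction log an auditor would inspect when testing these controls.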

6.3.3 Auditing in an Internet environment


Except for the additional emphasis placed on specific controls related to
Internet activities, the audit approach would not differ significantly from the
approach set out in section 5.


6.4 ELECTRONIC DATA INTERCHANGE (EDI)


6.4.1 The effects of electronic data communication
Transactions generally have quicker reaction time, smaller purchase quantities
and more regular transactions.
Continuous processing is critical as no processing is possible if the computer
is offline.
The impact of unauthorised access to the system becomes more significant.
Third parties (trading partners) may have access to clients’ computer systems
– hence, increased importance of security controls.
Computer applications must meet common interface standards in order to be
compatible with trading partners’ systems, but control emphasis then shifts
towards system specifications and development.
Certain user controls may become obsolete and are replaced by programmed
controls.
There is generally a lack of paper audit trails for transactions and processing.
Human judgement and intervention fall away where transactions are performed
and processed automatically.
Contractual rights and obligations of the different parties must be addressed
through formal contracts.

6.4.2 Risks associated with electronic business transactions and controls to address these risks
General risks
The tables set out on the following pages identify examples of risks inherent in
paperless electronic business transactions and controls to manage those risks.
Risks and controls to address risks

1. Risk: Increased reliance on trading partners.
Controls to address risk 1:
1.1 Development and acceptance of proper contractual data interchange
agreements between trading partners.
1.2 Good relations between trading partners.
1.3 Third party review of trading partners on a regular basis.

2. Risk: Increased reliance (dependence) on technology:
• availability, stability, security of technology.
Controls to address risk 2:
2.1 Hardware and software continuously tested.
2.2 Strict development standards.
2.3 Control over physical access to critical hardware.
2.4 Error correction procedures.
2.5 Backup.

3. Risk: Less human involvement due to automation of tasks previously
performed by users.
• Less chance for detecting and correcting errors.
Controls to address risk 3:
3.1 Automated (programmed) controls are of major importance.
3.2 Training of management to understand information and to react timeously.
3.3 Limits and exceptions built into trading agreements (e.g. transactions
above certain amounts must be physically authorised by users).
3.4 Authorisation of transactions by users during initial development of the
system.

4. Risk: Dependency on service providers:
• risks regarding communication, unauthorised access, etc.
Controls to address risk 4:
4.1 Assess reliability of service provider.
4.2 Contractual agreement with service provider.

5. Risk: Legal risks:
• legal systems may fail to define or properly recognise the contractual
rights and responsibilities of online buyers and sellers;
• possible litigation resulting from consumer exploitation and industrial
espionage;
• unethical acts by employees.
Controls to address risk 5:
5.1 Adherence to legal requirements.
5.2 Contractual rights and obligations must be clearly defined in agreements
with trading partners and clearly set out on websites.
5.3 Employees to be bound by a code of conduct.

6. Risk: Business risks:
• the absence of integration between business and IT decisions;
• loss of revenue in the event of systems failure;
• error and omission liability and business interruption possibly not covered
by insurance.
Controls to address risk 6:
6.1 Information risk management policies and procedures.
6.2 Adequate insurance cover.

Internal risks
The following examples of risks associated with paperless business
transactions can be controlled within the organisation:
Risks
1. Security risks:
A general lack of security policy for the organisation as a whole.
The absence of executive sponsorship for security issues.
Security breach due to:
• unauthorised:
  – access to sensitive data;
  – processing of data;
  – use of facilities;
• hardware and software errors;
• denial of facilities owing to viruses;
• trojan horses (illegal instructions to corrupt the system, hidden as apparent valid instructions);
• industrial espionage – theft of data, trade secrets;
• fraudulent, fictitious or unauthorised transactions;
Consequences of security breach:
• loss of computer facilities;
• information loss;
• misappropriation or misuse of critical data through error or fraud;
• confidential information can be read by hackers;
• information can be destroyed by hackers;
• manipulation of software applications;
• blackmail through “ransomware”.
Controls to address risks
1.1 Security policy and procedures implemented and regularly monitored.
1.2 Programmed (logical) access control:
• passwords and firewalls;
• security administration;
• monitoring of transactions;
• encryption, etc.
1.3 Audit trail (logs) of access to EDI systems and follow up of unauthorised access.
1.4 Backup, recovery and restoration facilities of transactions interrupted.
1.5 Error correction procedures.
1.6 Physical security:
• locks, personnel badges and cards and biometric access control devices;
• insurance;
• backup at separate premises or on separate servers;
• failover;
• air conditioners, uninterruptable power supply, etc.
1.7 Personnel security:
• ensure that only people of integrity, without criminal records or drug abuse problems are employed.
1.8 Administrative security:
• security policies, procedures and awareness and training programs.
1.9 Communication security:
• the protection of information transmissions (e.g. encryption).
1.10 Risk management:
• formal analyses to identify threats, vulnerabilities, risks and security cost benefits.

Risks
2. Implementation risk:
• human judgement falls away;
• risk that system cannot read and handle EDI transactions.
Controls to address risks
2.1 Data retention requirements have to be determined in respect of period, medium, legal requirements, etc.
2.2 Perform risk analysis prior to implementation.
2.3 Obtaining of technical (expert) advice.
2.4 Auditor must be involved.
2.5 Normal system development procedures.

Risks
3. Processing risks:
• Loss of systems integrity:
  Transactions/messages which:
  – get lost;
  – are translated incorrectly;
  – contain unauthorised changes;
  – are duplicated;
  – contain errors;
  – generate incorrect reports.
• Incomplete processing:
  – transactions omitted/unrecorded;
  – incomplete audit trails.
• Errors as a result of insufficiently trained and skilled members of staff to operate e-commerce effectively.
Controls to address risks
3.1 Edit tests by the system.
3.2 Exception reports printed and followed up by management.
3.3 Sequential numbering of transactions and follow up of missing items.
3.4 Reconciliations of:
• control accounts;
• transactions, etc.
3.5 Validation tests by the system.
3.6 Transaction logs and audit trails:
• protected against unauthorised access and changes;
• checked regularly by senior management.
3.7 Division of duties.
3.8 Protection of data transmitted through encryption, etc.
3.9 High risk transactions (e.g. EFT):
• encrypted, higher authorisation.
3.10 Regarding incoming transactions:
• user identification procedures;
• encryption;
• authorisation through codes, etc.;
• “document headers”;
• regular screening of trading partners;
• validation against trade information (e.g. credit checks).
3.11 Initiated outgoing transactions:
• access control;
• encryption;
• division between initiation and transmission powers;
• audit trail of transactions and initiating party;
• digital signatures or smart cards to authorise transactions and identify the initiator;
• authorisation regarding transactions automatically generated.
3.12 Staff training.

External risks
The following common risks associated with paperless transactions arise from the involvement of third parties, namely, service providers and trading partners.

Risks
1. Controls at trading partners and service providers:
• unauthorised access;
• interruption in processing, etc.;
• accuracy of processing.
Controls to address risks
1.1 Contractual agreements.
1.2 Good relationships.
1.3 Third party reviews.
1.4 Verify the identity of trading partners.

Risks
2. Loss of sensitive data due to unauthorised access.
Controls to address risks
2.1 Business agreement between parties.
2.2 Good business relationships.
2.3 Encryption of transactions and data.
2.4 Third party review (security review).

Risks
3. Legislation regarding business transactions.
Controls to address risks
3. Adhere to legislative requirements of institutions such as:
• Revenue Services (might be international);
• Departments of Trade and Industry, Reserve Banks, etc.

Risks
4. Loss of EDI facility.
Controls to address risks
4.1 Regular testing of the system.
4.2 Choice of network supplier.
4.3 Failover.

Risks
5. Errors during transmission of data/transactions, corruption/delay, etc.
Controls to address risks
5.1 Edit tests.
5.2 Parity tests by system.

Risks
6. Manipulation of transactions during transmission – such as alteration, duplication, deletion, etc.
Controls to address risks
6.1 Access control.
6.2 Encryption, etc.


6.4.3 Controls in an electronic business transaction system


The advent of electronic transfer of data has introduced few new controls to the
computer environment. However, it has forced users of networks, the Internet,
intranets, extranets, electronic data interchange and electronic funds transfer
to more seriously consider the application of sound controls.
Ideally all controls should be strong, but particularly controls over security,
access and input because of the risks related to system access by outsiders.
The following table summarises the most significant controls.
Initiation
• Validity
  • access control:
    – devices;
    – identification: ID, passwords;
    – logs;
    – basic controls;
  • authorisation of exceptions and overrides;
  • “double release” (two factor) authorisation.
• Accuracy
  • edit tests;
  • transmission log;
  • control totals.
• Completeness
  • register:
    – unique ref. no.;
    – time and date;
    – person responsible.

Transmission
• Validity
  • access control in respect of security lines;
  • encryption.
• Completeness
  • logs;
  • sequential numbers;
  • matching;
  • control totals;
  • exception reports and error handling;
  • hash controls.

Destination/receipt
• Validity
  • access control;
  • digital signatures;
  • identification ID, passwords;
  • algorithms.
• Accuracy
  • edit tests;
  • calculations;
  • exception reports;
  • validation tests to be performed on receipt to verify correct format.
• Completeness
  • acknowledgement of receipt:
  • matching: one for one;
  • logs;
  • control numbers;
  • batch totals;
  • reconciliations;
  • sequential numbers;
  • exception report if data received is incomplete or missing.
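
The completeness and accuracy controls in the table above (sequential numbers, control numbers, control totals, hash controls and exception reports) can be seen working together in a receiving-side check. This is an added example, not taken from the handbook; the batch layout, field names and figures are constructed, and "hash total" is used in the sense of a total over a field with no financial meaning.

```python
"""Receiving-side checks on a transmitted batch (added illustration).

The batch layout, field names and figures are constructed for this example;
they are not taken from the handbook or from any EDI standard.
"""
from collections import Counter
from decimal import Decimal


def verify_batch(header, records):
    """Return exception-report lines; an empty list means the batch reconciles."""
    exceptions = []
    seq_counts = Counter(r["seq"] for r in records)

    # Control number / record count: did the expected number of records arrive?
    if len(records) != header["record_count"]:
        exceptions.append(
            f"record count: header {header['record_count']}, received {len(records)}")

    # Sequential numbers: report gaps and duplicates in the expected range.
    expected = range(header["first_seq"], header["first_seq"] + header["record_count"])
    missing = [s for s in expected if s not in seq_counts]
    duplicated = sorted(s for s, n in seq_counts.items() if n > 1)
    if missing:
        exceptions.append(f"missing sequence numbers: {missing}")
    if duplicated:
        exceptions.append(f"duplicated sequence numbers: {duplicated}")

    # Control total: sum of the amounts, compared with the sender's figure.
    total = sum((Decimal(r["amount"]) for r in records), Decimal("0"))
    if total != Decimal(header["control_total"]):
        exceptions.append(
            f"control total: header {header['control_total']}, computed {total}")

    # Hash total: sum of a field with no financial meaning (account numbers).
    # A payment redirected to another account leaves the control total intact
    # but changes this figure.
    hash_total = sum(int(r["account"]) for r in records)
    if hash_total != header["hash_total"]:
        exceptions.append(
            f"hash total: header {header['hash_total']}, computed {hash_total}")
    return exceptions


# Constructed sample data: what the sender transmitted.
HEADER = {"first_seq": 1001, "record_count": 4,
          "control_total": "18450.00", "hash_total": 17030}
SENT = [
    {"seq": 1001, "account": "4001", "amount": "2500.00"},
    {"seq": 1002, "account": "4120", "amount": "10000.00"},
    {"seq": 1003, "account": "4305", "amount": "450.00"},
    {"seq": 1004, "account": "4604", "amount": "5500.00"},
]
# Record 1003 lost and 1002 received twice: the record count still agrees.
LOST_AND_DUPLICATED = [SENT[0], SENT[1], SENT[1], SENT[3]]
# Record 1002 redirected to another account: only the hash total disagrees.
REDIRECTED = [SENT[0], dict(SENT[1], account="4999"), SENT[2], SENT[3]]

if __name__ == "__main__":
    for name, batch in [("as sent", SENT),
                        ("lost and duplicated", LOST_AND_DUPLICATED),
                        ("redirected", REDIRECTED)]:
        print(name, "->", verify_batch(HEADER, batch) or "reconciles")
```

The second constructed batch shows why a record count alone is not a completeness control: one record lost and another duplicated leaves the count unchanged, and only the sequence check and the totals report it.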

6.5 ELECTRONIC FUNDS TRANSFER (EFT)


6.5.1 Controls over EFT
The application controls necessary to ensure the validity, completeness and
accuracy of transactions, as identified earlier in this chapter, apply.
The following additional controls are, however, important:
Master file changes
Emphasis must be placed on controls to ensure that changes to supplier or
beneficiary master files are valid, complete and accurate.
Changes would be necessary in order to add or remove payment beneficiaries
to/from the file of beneficiaries.


The reason for placing emphasis on these controls in the context of EFT is that the creation of a master file for a fictitious supplier, beneficiary or employee would be the first step in an attempt to defraud the enterprise through fraudulent EFT transactions.
Execution of payments
1. Validity
Access and security controls, as dealt with in chapter 9, apply, with the
following additional requirements:
• Limit EFT transfers to specific terminals and users.
• Multi-level passwords (two or more) of senior persons required to authorise transfers.
• The bank should identify devices as authorised devices.
• A user should be disconnected after three unsuccessful attempts to effect the transfer.
• One-time passwords.
• Security breaches should be logged and followed up by management.
• Controls over communication lines used for data transmitted, including encryption, identification of data included, etc.
• Division of duties (e.g. accounts clerk/wages clerk should not be able to effect EFT transactions).
• Use of separate (“imprest”) bank accounts for EFT facilities and payments (the total amount of a batch of payments is transferred from the main bank account to the separate banking account and then the individual payments are released, leaving a nil balance):
  – These accounts must be reconciled regularly and checked by senior management.
• EFT transfers should be limited to certain days of the week or month and time.
• The system should provide an audit trail of each EFT transaction. This should be reviewed by management and reconciled with the supporting documentation.
• Regular bank reconciliations.
2. Completeness
Reconciliations of audit trails of transfers received from the bank, to lists
supporting payments provided by the system.
3. Accuracy
• Personnel should be trained in the use of EFT facilities.
• Edit checks.
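
A management review of the EFT audit trail against the validity controls listed above (restricted terminals, two or more authorisers, division of duties, limited release days and times, and control over beneficiary master file changes) could be automated along the following lines. This is an added example, not taken from the handbook; the policy values, log layout, user names and payments are constructed assumptions.

```python
"""Review of an EFT audit trail against the validity controls listed above.

Added illustration: the policy values, log layout, user names and payments are
constructed for this example and are not taken from the handbook.
"""
from datetime import datetime

# Assumed policy settings for the constructed entity.
POLICY = {
    "terminals": {"FIN-01", "FIN-02"},   # EFT limited to specific terminals
    "weekdays": {1, 3},                  # releases on Tuesday and Thursday (Monday = 0)
    "hours": range(9, 15),               # releases between 09:00 and 14:59
    "min_authorisers": 2,                # multi-level authorisation
}

# Constructed master file change log: beneficiary -> user who created the record.
MASTER_FILE_CREATED_BY = {"B-100": "mfadmin", "B-101": "mfadmin", "B-207": "clerk7"}

# Constructed audit trail of released payments.
PAYMENTS = [
    {"ref": "EFT-0001", "beneficiary": "B-100", "initiator": "clerk3",
     "authorisers": ["fm1", "fd1"], "terminal": "FIN-01", "released": "2021-06-01T10:15"},
    {"ref": "EFT-0002", "beneficiary": "B-207", "initiator": "clerk7",
     "authorisers": ["fm1"], "terminal": "FIN-02", "released": "2021-06-03T11:00"},
    {"ref": "EFT-0003", "beneficiary": "B-101", "initiator": "fm1",
     "authorisers": ["fm1", "fd1"], "terminal": "HR-09", "released": "2021-06-05T22:40"},
]


def review_payment(payment, policy=POLICY, created_by=MASTER_FILE_CREATED_BY):
    """Return (code, detail) findings for one payment; an empty list if none."""
    findings = []
    authorisers = set(payment["authorisers"])
    involved = authorisers | {payment["initiator"]}

    if len(authorisers) < policy["min_authorisers"]:
        findings.append(("AUTHORISERS", f"{len(authorisers)} distinct authoriser(s)"))
    if payment["initiator"] in authorisers:
        findings.append(("DUTIES", f"{payment['initiator']} initiated and authorised"))
    if payment["terminal"] not in policy["terminals"]:
        findings.append(("TERMINAL", f"released from {payment['terminal']}"))

    released = datetime.fromisoformat(payment["released"])
    if released.weekday() not in policy["weekdays"] or released.hour not in policy["hours"]:
        findings.append(("WINDOW", f"released {released:%A %H:%M}"))

    # Master file changes: the person who created the beneficiary record should
    # play no part in paying that beneficiary. An unknown beneficiary is reported too.
    creator = created_by.get(payment["beneficiary"])
    if creator is None:
        findings.append(("MASTER_FILE", "beneficiary not on master file"))
    elif creator in involved:
        findings.append(("MASTER_FILE", f"{creator} created the beneficiary record"))
    return findings


def exception_report(payments):
    """Map payment reference -> finding codes, for payments with findings only."""
    report = {}
    for payment in payments:
        codes = [code for code, _ in review_payment(payment)]
        if codes:
            report[payment["ref"]] = codes
    return report


if __name__ == "__main__":
    for ref, codes in exception_report(PAYMENTS).items():
        print(ref, codes)
```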


6.6 STAND-ALONE PERSONAL COMPUTERS – PCs


6.6.1 Security and control procedures
A typical PC environment is less structured than a large centrally controlled IT environment. Typically, management has IT skills and may not regard controls over implementation and operations as important or cost effective, with the result that the level of general controls is usually lower than would be found in a large IT environment. It is thus important to implement sufficient control procedures to improve the overall level of internal control.
1. Management authorisation for use of personal computers
Management policies concerning the use of computers should deal with:
• systems development standards and documentation;
• controlled implementation and storage of software in one place and on
one computer or server;
• training;
• security and access;
• virus protection;
• backups and other continuity procedures;
• unauthorised copying of data and programs;
• instructions relating to use and, specifically, personal use;
• format of reports and distribution policies;
• division of duties.
2. Physical security over hardware
Due to the physical characteristics of personal computers, they can easily
be stolen or damaged.
Control security through:
• limitation of physical access through locks, etc.;
• alarm systems;
• fixing computers to tables, walls, etc.;
• mechanisms to control the switching on/off of computers.
3. Physical security: Removable media
Protection of removable drives and other storage media, etc. by:
• policies regarding the use of removable drives – particularly flash
drives or memory sticks as these often contain viruses;
• granting responsibility for control to certain individuals;
• safeguarding media devices in fireproof, lockable cabinets;
• backing up data and program files on separate premises.


4. Program and data file security and data integrity


Proper access controls combined with controls for input, processing and
output could compensate for weaknesses in the general controls. These
comprise:
• access granted to data and programs;
• edit and validation checks;
• transaction logs and batch balancing;
• supervision;
• reconciliations and control totals;
• authorisation of processing;
• verification and review of output;
• follow up and correction of errors.

6.7 THE EFFECT OF PERSONAL COMPUTERS ON ACCOUNTING AND INTERNAL CONTROLS
General controls
In a personal computer environment there often is a lack of division of duties
because the same individuals can initiate and authorise transactions, input
these transactions, change programs and have access to output. This could
lead to undetected errors and fraud.
Application controls
These are dealt with in 7.1

6.8 SPECIFIC RISKS AND RELATED CONTROLS


Absence of division of duties between IT department and users
Staff and members of user departments create and authorise source documentation, key in data, operate the computer and use the output.
Controls
• Supervision and review by management.
• Compulsory vacation and rotation of duties.
• Independent reconciliations.
Limited computer knowledge
Risks
• The system does not meet management goals and processing is not in accordance with management specifications.
• Lack of appropriate application controls.
• Insufficient testing and review of the system.


Controls
• Proper feasibility studies on acquisition.
• Program and system documentation.
• Independent third-party review of new and modified programs.
Use of removable drives
Extensive use of removable drives as storage media.
Risks
• Often a source of viruses.
• Processing of incorrect files.
Controls
• Control over access to and use of removable drives (physical and programmed).
Use of multiple input devices
Various input devices are used by different individuals to key in transactions, enquiries and other interactive functions.
Risks
• Incorrect data capture.
• Incomplete data or loss of data.
• Unauthorised input, processing or output.
• Errors caused by improper use or manipulation of data files or computer programs.
Controls
• Management review.
• Use of software that restricts certain tasks to particular terminals or devices.
• Physical controls to restrict access to the computer.
• Passwords to restrict access to specific functions.
• Encryption of data and programs.
• Record counts, batch control, run-to-run controls and validation.
• Error control procedures and error register.
Documentation
Details about how the program operates and user documentation are often limited or do not exist at all.
Risks
• Undetected errors during processing and maintenance of the system.
Controls
• Thorough systems documentation.


6.9 THE EFFECT OF A PERSONAL COMPUTER ENVIRONMENT ON AUDIT PROCEDURES
The auditor will normally assess audit risk as high given the inadequate general controls. This could result in:
• An inability to place reliance on these controls.
• The auditor concentrating on substantive procedures at or near year end, comprising:
  – detailed testing of transactions and balances;
  – larger samples;
  – the use of audit software and analytics where possible.
However, the auditor may wish to place reliance on such internal controls as may be in place in order to reduce risk. Such controls may include, inter alia:
• access controls;
• division of duties;
• transaction logs;
• batch controls;
• supervision;
• reconciliations and scrutiny;
• use of reliable third-party software (purchased packages).
The auditor will test these internal controls through tests of controls by means
of manual testing and test data. The results of these tests will affect the nature,
scope and timing of substantive tests.

11
AUDIT SAMPLING AND OTHER
RELEVANT TESTING METHODS

1. Introduction
2. The theory of audit sampling
   2.1 Definitions
   2.2 Audit procedures and audit sampling
   2.3 Methods of selecting items for testing
   2.4 Risk considerations in obtaining audit evidence
   2.5 Design of the sample
   2.6 Errors found and the evaluation of the sample results
3. Sample selection methods
4. Application of sampling
   4.1 Requirements for sampling
   4.2 Steps in the process of sampling applications
5. Notes on the different sampling methods
   5.1 Judgemental sampling
   5.2 Statistical sampling
   5.3 Monetary unit sampling


1. INTRODUCTION
The auditor must obtain audit evidence to reach a conclusion on fair presentation
of the financial statements as required by the ISAs and section 44(3) of the
Auditing Profession Act.
The auditor must also strive to perform a cost-effective audit for the client. Audit sampling is a technique used by auditors to achieve the goal of a cost-effective audit. By using sampling, the auditor does not test all items in a class of transactions or account balance, but only those items selected for testing. The results of audit procedures performed on selected items allow the auditor to form an opinion on the entire population for the class of transactions or account balance. Audit sampling is, therefore, more cost-effective than 100% testing.

2. THE THEORY OF AUDIT SAMPLING


SOURCE REFERENCE: ISA 530 “Audit sampling”
When designing audit procedures, the auditor should determine appropriate
means for selecting items for testing to gather audit evidence, in order to meet
the objectives of the audit procedures.

2.1 DEFINITIONS
Anomalous error: A misstatement or deviation (error) that is demonstrably not representative of misstatement or deviation in a population.

Error:
  Tests of controls: Deviation from a control procedure.
  Tests of detail (substantive procedures): Rand amount of the misstatement of transactions or balances.

Population: The entire set of data on which the auditor wishes to draw a conclusion.

Potential error: This is the auditor’s estimate of the likely error in the population as a whole based on the procedures performed on the selected items and projected over the population.

Precision: This is the maximum degree with which the conclusion, based on the sample, could deviate from the true characteristics of the population. The smaller the precision level, the bigger the sample.

Sampling: This involves the application of audit procedures to less than 100% of the items within an account balance or class of transactions to enable the auditor to form an opinion on the whole population. Audit sampling could follow either a statistical or a non-statistical approach.

Sampling risk: The risk that the auditor could reach an incorrect conclusion based on the sample as opposed to the conclusion that would have been reached if the entire population had been tested.
There are two types of sampling risks, namely:
• Risk of under-reliance
  Based on tests of controls, the auditor concludes that controls are less effective than they actually are or, based on tests of detail (substantive procedures), that a material misstatement exists when this is not the case. This could lead to over auditing and inefficiency.
• Risk of over-reliance
  Based on tests of controls, the auditor concludes that controls are more effective than is actually the case or, based on tests of detail (substantive procedures), that there is no material misstatement, whilst misstatement in fact exists. This could lead to an inappropriate audit opinion on the annual financial statements.

Sampling unit: The individual items selected from the population on which the audit procedures are performed.

Statistical sampling: This is a sampling method with the following characteristics:
• random selection; and
• the use of probability theory to evaluate the sample result and risk.

Stratification: The dividing of the population into sub-populations with similar characteristics (e.g. Rand amounts).

Tolerable error: The maximum error in a population that the auditor will be prepared to accept, whilst still reaching the conclusion that the result from the sample has achieved the audit objective. This will be a % for tests of controls and an “R” amount for substantive procedures.

Tolerable misstatement: A monetary amount set by the auditor in respect of which the auditor seeks to obtain an appropriate level of assurance that the monetary amount set by the auditor is not exceeded by the actual misstatement in the population. It involves the application of performance materiality as defined in ISA 320, to a particular sampling procedure. Tolerable misstatement may be the same amount or an amount lower than performance materiality.
Tolerable misstatement is expressed as a rand value and usually relates to substantive procedures in that the focus is on the acceptable level of misstatement.

Tolerable rate of deviation: A rate of deviation from prescribed internal control procedures, or rand amount of a transaction or balance, set by the auditor in respect of which the auditor seeks to obtain an appropriate level of assurance that the rate of deviation set by the auditor is not exceeded by the actual rate of deviation.

2.2 AUDIT PROCEDURES AND AUDIT SAMPLING


Sampling could be used in audit procedures as follows:
• Risk assessment procedures: Risk assessment procedures are performed to obtain an understanding of the entity and its environment, including the internal controls. Ordinarily risk assessment procedures do not include the use of sampling.
• Tests of controls: The auditor uses sampling for selecting items to test the functioning of the internal controls. The items are selected, regardless of their value – the test is aimed at testing the effective functioning of the controls.
  Tests of controls are performed if the auditor plans to assess control risk at less than high for a particular assertion.
• Substantive procedures: The auditor uses sampling to test the amounts in the financial statements. For this purpose, the sample frequently consists of items of higher value.
  Stratification is a useful aid to sampling, enabling the selection of a sample containing relatively few items but representing a high value of the population (this is mainly used for tests for overstatement).
  Substantive procedures are performed to gather evidence to verify the financial statement assertions. Substantive procedures consist of analytical procedures and tests of detail and must always be performed. Sampling relates only to tests of detail.


2.3 METHODS OF SELECTING ITEMS FOR TESTING


When designing audit procedures, the auditor should determine appropriate
means of selecting items for testing. This could be achieved by means of:
• Selecting all the items (100% test)
  This method of selection will probably be used where:
  – the population consists of a small number of high value items;
  – there are exceptionally high inherent and control risks, and the auditor wants to reduce detection risk to a minimum;
  – a 100% audit will be more cost-effective; and
  – computer-assisted audit techniques could be used effectively. (Note that the speed at which CAATs can reperform processing would allow the CAAT to reperform all transactions or items.)
• Selecting specific items (high value or key items)
  These could include selecting:
  – all items above a pre-defined value (stratification or value weighted selection) to verify a high percentage of the total value of an account balance;
  – items on which to obtain specific information, for example knowledge of the business; and
  – items on which a specific procedure should be performed.
• Sampling
  Audit sampling is achieved by:
  – statistical methods; or
  – non-statistical methods.
The choice between the two methods above will depend on the auditor’s
professional judgement and the specific circumstances that exist.

2.4 RISK CONSIDERATIONS IN OBTAINING AUDIT EVIDENCE


The auditor should use professional judgement to assess the audit risk and to
design audit procedures to ensure that risk is reduced to an acceptably low
level.

2.5 DESIGN OF THE SAMPLE


Factors to consider:
• the objective of the test, namely test of controls or substantive tests;
• the characteristics of the population;
• the definition of an error in the specific circumstances;
• the definition of the population and considering whether the sample is:
  – appropriate; and
  – complete;
• the use of stratification;
• the aggregate value of items in the population, applicable in particular to overstatement tests; and
• the sample size. This is determined according to sampling risk: the lower the acceptable risk is set, the greater the sample size.

Factors influencing sampling size

Tests of controls
Sample sizes would increase where there is:
• Higher intended reliance on internal controls.
• Lower tolerable error.
• Higher expected error.
• Higher level of assurance required from the sample.
• Larger number of items (this has no or little effect).

Substantive procedures
Sample sizes would increase where there is:
• Higher control risk. (Sample sizes would decrease as control risk decreases (results of tests of controls).)
• Sample sizes would decrease where there are other substantive procedures aimed at the same objective.
• Higher importance (materiality) of the account balance/class of transaction.
• Higher level of assurance required from the sample.
• Lower tolerable error.
• Higher expected error.
• Use of stratification.
• Larger number of items (this has no or little effect).

The auditor should consider whether the chosen sample size will bring
about an acceptable level of sampling risk. Each item in the population
must have an equal chance of being selected for testing. The auditor then
performs audit procedures on all selected items.

2.6 ERRORS FOUND AND THE EVALUATION OF THE SAMPLE RESULTS


Should any errors be identified during the performance of the audit procedures, the auditor should:
• analyse the nature and cause of errors detected, together with their effect on the audit objectives and other audit areas; and
• project the effect of the expected error onto the population.
After considering all errors identified, the auditor should analyse the result of the sample to determine whether the likely outcome for the population is acceptable for audit purposes.
If the auditor considers a misstatement or deviation in a sample to be an anomaly, the auditor should perform additional audit procedures to obtain a high degree of certainty that such misstatement or deviation is genuinely an anomalous error and thus not representative of the population as a whole.
Should the results of the sample reflect circumstances which make the likely outcome for the population unacceptable for audit purposes, the auditor should:
• request management to investigate and correct the errors;
• adapt the audit procedures, for example extensive substantive testing where tests of controls indicate weaknesses in internal controls; and
• consider the effect on the audit report.

3. SAMPLE SELECTION METHODS


The main categories of the methods of selecting samples may be summarised as
follows:
• Random sampling
  This is a statistical approach to sampling. Random number tables or computer selection programs are used to select items randomly from a specific population. Computer selection programs normally have an automatic random number generator function.
• Systematic sampling
  A sampling interval is calculated by dividing the number of sampling units in the population by the sample size. Items are then selected according to the sampling interval. This method is also a statistical approach to sampling.
• Haphazard sampling
  No structured technique is followed by the auditor in the selection of items. This is a non-statistical approach to sampling. The auditor should be cautious of any bias or partiality when using this method.
• Block sampling
  This method involves the selection of blocks of consecutive items from within the population. The block of items could be selected following either a statistical or a non-statistical approach. This technique is, however, not regarded as appropriate when the auditor intends to draw valid inferences about the entire population based on the sample.
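
The sampling interval described under systematic sampling, and the weighted monetary value selection covered later in section 5.2.1, can be compared on one population. This is an added example, not taken from the handbook; the purchase orders and rand values are constructed, and the function names are the example's own.

```python
"""Systematic and monetary-unit (value-weighted) sample selection.

Added illustration: the purchase orders and rand values are constructed, and
the function names are this example's own.
"""
import random

# Constructed population: (purchase order number, value in rand). Total R100 000.
ORDERS = [
    ("PO-001", 500), ("PO-002", 12000), ("PO-003", 800), ("PO-004", 300),
    ("PO-005", 45000), ("PO-006", 1500), ("PO-007", 700), ("PO-008", 9000),
    ("PO-009", 400), ("PO-010", 20000), ("PO-011", 600), ("PO-012", 9200),
]


def systematic_selection(items, sample_size, start=None):
    """Select every nth item, where n = number of sampling units / sample size."""
    if not 1 <= sample_size <= len(items):
        raise ValueError("sample size must be between 1 and the population size")
    interval = len(items) // sample_size
    if start is None:
        start = random.randrange(interval)          # random start in the first interval
    if not 0 <= start < interval:
        raise ValueError("start must fall within the first interval")
    return [items[start + i * interval] for i in range(sample_size)]


def monetary_unit_selection(items, sample_size, start=None):
    """Select the items containing every nth rand, where n = total value / sample size.

    Each rand is a sampling unit, so an item's chance of selection is
    proportional to its value. An item worth more than the interval is always
    selected (and only once); a zero-value item can never be selected.
    """
    if sample_size < 1:
        raise ValueError("sample size must be at least 1")
    if any(value < 0 for _, value in items):
        raise ValueError("values must not be negative")
    interval = sum(value for _, value in items) // sample_size
    if interval < 1:
        raise ValueError("total value is too small for this sample size")
    if start is None:
        start = random.randrange(1, interval + 1)   # random rand in the first interval
    if not 1 <= start <= interval:
        raise ValueError("start must fall within the first interval")

    points = [start + i * interval for i in range(sample_size)]
    selected, cumulative, nxt = [], 0, 0
    for item in items:
        cumulative += item[1]
        hit = False
        # Consume every selection point that falls inside this item's rand range.
        while nxt < len(points) and points[nxt] <= cumulative:
            hit = True
            nxt += 1
        if hit:
            selected.append(item)
    return selected


def value_covered(selected):
    """Total rand value of the selected items."""
    return sum(value for _, value in selected)


if __name__ == "__main__":
    by_item = systematic_selection(ORDERS, 4, start=2)
    by_rand = monetary_unit_selection(ORDERS, 4, start=5000)
    print("systematic   :", [po for po, _ in by_item], value_covered(by_item))
    print("monetary unit:", [po for po, _ in by_rand], value_covered(by_rand))
```

With these fixed starting points the item-based selection covers R11 900 of the R100 000 population, while the rand-based selection covers R77 000 and returns three items for a sample size of four because PO-005 exceeds the interval and is hit twice.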

4. APPLICATION OF SAMPLING

4.1 REQUIREMENTS FOR SAMPLING


In order to be valid, the sample must be:
• easy to understand;
• easy to apply and feasible;
• cost-effective;
• reliable; and
• legally justifiable.

4.2 STEPS IN THE PROCESS OF SAMPLING APPLICATIONS


These represent the approach to applying sampling, irrespective of which
method of sampling is used.

4.2.1 Designing the sample and selecting the items to be tested


When designing an audit sample, the auditor shall:
• define the population to be tested (e.g. for sales – invoices or delivery notes);
• consider the purpose of the audit procedure (namely test of controls or substantive); and
• consider the characteristics of the population from which the sample will be drawn.
The auditor shall determine a sample size sufficient to reduce sampling risk to an acceptably low level, defining:
• the number of items to be tested;
• what will constitute an error or deviation.

4.2.2 Selecting items to be tested


The auditor shall select items for the sample in such a way that each sampling
unit in the population has a chance of selection.

4.2.3 Performing audit procedures


The auditor shall perform audit procedures, appropriate to the purpose, on
each item selected, and where an audit procedure is not applicable to the
selected item, the auditor shall perform the procedure on a replacement item.
If the auditor is unable to apply the designed audit procedures, or suitable alternative procedures, to a selected item, the auditor shall treat that item as a deviation from the prescribed control in the case of tests of controls, or a misstatement in the case of tests of details.

4.2.4 Evaluating the results of the audit procedures performed on the sampling items
• Nature and cause of deviations and misstatements
  The auditor shall investigate the nature and cause of any deviations or misstatements identified and evaluate their possible effect on the purpose of the audit procedure and on other areas of the audit.
  In the extremely rare circumstances when the auditor considers a misstatement or deviation discovered in a sample to be an anomaly, the auditor shall obtain a high degree of certainty that such misstatement or deviation is not representative of the population, by performing additional audit procedures to obtain sufficient appropriate audit evidence that the misstatement or deviation does not affect the remainder of the population.
• Projecting misstatements and considering audit differences
  – For tests of controls, the auditor should consider the control deviation in the population.
  – For tests of details, the auditor shall project misstatements found in the sample to the population as a whole.

4.2.5 Evaluating results of audit sampling


The auditor shall evaluate the result of the sample and consider whether the
sample provided a reasonable basis for conclusions.

5. NOTES ON THE DIFFERENT SAMPLING METHODS

5.1 JUDGEMENTAL SAMPLING


This involves the determination of the number of items to be tested, the selection of the items and the determination of the acceptability of the results of the test, based on the auditor’s professional judgement.

5.2 STATISTICAL SAMPLING


This involves the use of mathematical and statistical applications to determine
the number of items to be tested, the selection of the items and the evaluation
of the acceptability of the population.

5.2.1 Statistical sampling procedures


• Determine the nature of the test
  Tests of controls/substantive.
• Determine the purpose of the test
  What does the test want to prove, for example whether purchase orders are authorised.
• Define the population
  For example, number of purchase orders, or purchase amount per purchase journal.
• Define the sample units
  For example, purchase orders from the purchase journal.
• Define what is regarded as an error
  For example, purchase order not signed by purchase manager.
• Determine the sample size
  This requires the following:
  – Define the required assurance level (confidence level)
    This is the assurance required that the results of the sample will be the same as that for the population. The greater the degree of assurance required, the larger the sample size will be.
    For example, if the degree of assurance required is 95% and 100 purchase orders are selected, 95 would be a reliable indication that orders are authorised. Alternatively, we would, statistically, be 95% confident that orders are authorised.
  – Define the precision level
    This involves a statistical computation. Precision varies according to the level of assurance required and the sample size. Low precision and/or high assurance would typically be associated with a large sample. Low precision would indicate that the sample is reasonably accurate as a predictor of the extent of deviation or error in the population.
    For example, if we assume an assurance level of 95% and precision computes at 2% for a creditors amount of R100 000, we would be 95% confident that the true value of creditors is between R102 000 and R98 000.
  – Expected error
    This is the expected rate of errors in the population. The larger the expected error, the larger the sample size will be.
    For example, based on our knowledge of the business, our assessment of client competence and previous audit experience, we might expect that the likely proportion of unauthorised orders is 4%.
  – Population size
    This is the number of items in the population. The population size has little effect on the sample size.
  – Tolerable error
    This is the maximum error in the population that the auditor would be willing to accept and is calculated at the expected error ± the precision level. Alternatively, this could be determined by way of mathematical formulae.
    For example, if the expected error is 4% and the precision level is 2%, the tolerable error will be 6%.

● Selecting the items to be tested:
• Random selection:
Every item in a population has the same probability of being selected
(statistical tables).
• Systematic selection:
Selection of every nth item. (Due to the possibility of patterns in a
population, this test may not be representative of the population.)
• Weighted monetary value selection:
Using the monetary unit value rather than the items as the population.
For example, for purchase orders selection will be based on the
aggregate rand value of all orders rather than the number of the
orders.
This method will typically select higher value items and is mainly used in
testing for overstatement and is not usually appropriate for testing for
understatement.
• Judgemental selection:
Non-statistical method based on professional judgement.
● Testing the items:
Apply audit procedures on the selected items.
● Evaluation of the results and determination of the potential error in the
population:
• Error rate in the sample
The error rate in the sample is expressed as the total errors found in
relation to the total items tested. For example, if 100 purchase orders
were tested and six were not authorised the error rate will be 6/100 = 6%.
• Potential error rate in the population
Potential error would generally be calculated at the error in the sample
adjusted for precision. In the above example, assuming precision was
computed at 3%, potential error would be 3% + 6% = 9%.
● Form an opinion on the population
Compare potential error to tolerable error and decide on the
necessary action
• If potential error is smaller than the tolerable error:
– accept the population; and
– report the errors found to management.
• If potential error is larger than the tolerable error:

For tests of controls, a high deviation rate would lead to an increase in
the assessed risk of material misstatement, unless further audit
evidence substantiating the initial assessment is obtained.
For tests of detail, a high misstatement amount would lead the auditor
to believe that a class of transactions or account balance is materially
misstated, in the absence of further audit evidence that no material
misstatement exists. In this case, the projected misstatement (poten-
tial error) is the auditor’s best estimate of misstatement in the popula-
tion. The closer this estimate is to tolerable misstatement, the more
likely that actual misstatement in the population may exceed tolerable
misstatement.
Consider appropriate action, which could include the following:
– Increase the sample size for the test (this would probably reduce
precision and give a more accurate result).
Recompute potential error after completing the new sample and
determine whether or not the new potential error rate is accept-
able.
– The client could be requested to take corrective action and the
auditor could re-test the information after corrective action has
been taken.
– Calculate the value of the population (using estimation sampling
for variables) and determine the likely value of the error in the
population.
– Consider the results of other audit procedures performed on the
population.
– The auditor could perform additional audit procedures to deter-
mine the effect and extent of an error. For example, if purchase
orders are not authorised, audit work on creditors might be
expanded.

5.2.2 Advantages and disadvantages of statistical sampling


■ Advantages
• A greater element of surprise exists, as tests are spread throughout
the year, which differs from the traditional months, weeks or days.
• Emphasis could be placed on important items (e.g. higher value
items, if stratification is used).
• The auditor could place more reliance on his/her procedures and this
reliance is statistically determined. In case of alleged negligence the
auditor will have a better defence.
• The computer could be used to a great extent to select items, perform
calculations, etc.
• Audit personnel will use more initiative as they have a better
understanding and appreciation of the system.
• Audit personnel will have a better understanding of the system as the
client’s system, especially internal controls, was tested earlier on.
• An objective selection of items is done. Judgemental factors play no
role.
• Statistical methods provide definition and empirical assessment of the
risks involved in audit sampling.
• With a large population, the test is smaller than with other techniques.
The sample size does not increase in proportion to the size of the
population.
• This might be a more economical technique owing to smaller
samples.
• Quicker availability of information than with other techniques.
• Optimisation of technology and use of audit software to select and
interpret sample results.
■ Disadvantages
• Special training of personnel is necessary. Where audit personnel
change regularly, this may involve large costs for the auditor.
• This is usually not appropriate for the audit of smaller undertakings.
Lack of internal controls may force the auditor to test all items or
perform extensive substantive procedures.
• Only one aspect of the audit can be tested at any one time.
• The conclusion reached is applicable only to the population from
which the items were selected.
• Where the items in the sample are not sequential, the search for the
items can be time consuming and expensive.

5.3 MONETARY UNIT SAMPLING


5.3.1 Definition
This entails audit sampling based on the rand value of the items in the popu-
lation. Every rand in the population represents a sample unit.


5.3.2 Illustration
The following example illustrates one possible method of monetary unit
sampling.
The variables, “MP”, “R” and “J” are unique to the method illustrated and are
used for illustrative purposes only.
Population: This is defined as the total rand value which must be
investigated.
MP: Maximum tolerable error.
Level of reliance: “R” – determined according to tables, for example
reliance level of:
95% = 3
86% = 2
63% = 1

Sampling Interval (“J”) = MP / R
Number of items in sample = Population / J
Selection of items:
Step 1) Select a random starting point between zero (0) and J.
Select the item within which the starting value falls.
This selection is based on the cumulative values of items in
the population.
(See illustration on the following page.)
Step 2) Add J to the starting value and select the item within which this
value falls.
Step 3) Repeat this process until the end of the population is reached.
Step 4) Audit the items selected.
Step 5) Evaluate the total deviation/error (in Rand value).
Step 6) Formulate an opinion on the acceptability of the population.

5.3.3 Example
Population of cheques per payment cashbook = R1 500 000
MP = R12 000
Level of confidence is 69% (R = 1,2)
Required: 1 Calculate the size of the sample.
          2 Explain the method of selection of the sampling items.

Answer: 1 Interval (J) = MP / R = R12 000 / 1,2 = R10 000 (J)
          Number of items = Population / J = R1 500 000 / R10 000
                          = 150 sampling units of R10 000.
        2 Selection of items
          (1) Select a starting point between 0 and R10 000, say R5 000.
          (2) Select: Cheque within R5 000 interval.
          (3) Add J (R5 000 + R10 000 = R15 000).
              → Select the cheque which falls within R15 000 interval.
          (4) Repeat until the end of the population is reached.
Illustration of selection based on cumulative values:

First five items   Value of each      Cumulative   Sample                Select?   Note
in population      individual item    value        selection
1                  R600               R600         R5 000                No        1
2                  R4 600             R5 200       R5 000                Yes       2
3                  R6 000             R11 200      R15 000               No        3
4                  R22 000            R33 200      R15 000 and R25 000   Yes       4
5                  R1 400             R34 600      R35 000               No        5

Notes:
1 Not selected because the cumulative value of R600 falls outside of the
random starting point of R5 000.
2 Selected because the random starting point of R5 000 occurs within the
cumulative value relating to this item – Between R600 and R5 200.
3 Not selected because the next sampling interval – R15 000 – occurs
outside of the cumulative value relating to this item. R15 000 is outside of
the range between R5 200 and R11 200.
4 Note that Item 4 is “selected twice”. This is because it contains two mon-
etary units of R10 000, selected because the next two sampling intervals
of R15 000 and R25 000 both occur within the cumulative value relating to
this item – between R11 200 and R33 200.
5 Not selected because the next sampling interval occurs at a cumulative
value of R35 000.
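
The selection procedure in 5.3.2 and the cheque example in 5.3.3, as an added Python example that is not part of the handbook: it computes J and the sample size, then walks the cumulative values to pick the items. The function names, the use of `secrets` for the starting point and the nil-value item are assumptions of this example.

```python
"""Monetary unit sampling (MUS) selection as set out in 5.3.2 and 5.3.3.

Added example; function and variable names are this example's own.
"""
from decimal import Decimal
from math import ceil
import secrets

# The five cheques from the illustration in 5.3.3, plus one constructed
# nil-value item (not in the handbook) to show what MUS cannot select.
BOOK_ITEMS = [("1", 600), ("2", 4600), ("3", 6000), ("4", 22000), ("5", 1400)]
ITEMS_WITH_NIL = BOOK_ITEMS + [("nil balance (constructed)", 0)]


def sampling_interval(mp, r):
    """Sampling interval J = MP / R."""
    mp, r = Decimal(str(mp)), Decimal(str(r))
    if mp <= 0 or r <= 0:
        raise ValueError("MP and R must both be positive")
    return mp / r


def sample_size(population_value, interval):
    """Number of items in sample = Population / J, rounded up to a whole unit."""
    return ceil(Decimal(str(population_value)) / Decimal(str(interval)))


def random_start(interval):
    """Step 1: a whole-rand starting point in the range 1..J.

    Drawn from the operating system's CSPRNG (a choice made for this example)
    so the starting point cannot be predicted from earlier selections.
    """
    whole = int(Decimal(str(interval)))
    if whole < 1:
        raise ValueError("interval must be at least R1")
    return secrets.randbelow(whole) + 1


def select_items(items, interval, start):
    """Steps 1 to 3: select the item containing each sampling point.

    items is a list of (reference, rand value). The sampling points are
    start, start + J, start + 2J, ... and an item is selected once for every
    point that falls inside its slice of the cumulative value.
    Returns a list of (reference, [points that fell inside the item]).
    """
    interval, start = Decimal(str(interval)), Decimal(str(start))
    if not 0 < start <= interval:
        raise ValueError("starting point must lie between 0 and J")
    selected, cumulative, point = [], Decimal(0), start
    for ref, value in items:
        value = Decimal(str(value))
        if value < 0:
            raise ValueError(f"item {ref}: a negative value breaks the cumulative walk")
        cumulative += value
        hits = []
        # point is always above the previous cumulative value here, so a
        # nil-value item (cumulative unchanged) can never be hit.
        while point <= cumulative:
            hits.append(point)
            point += interval
        if hits:
            selected.append((ref, hits))
    return selected


if __name__ == "__main__":
    j = sampling_interval(12000, "1.2")
    print("J =", j, "| sample size =", sample_size(1500000, j))
    for ref, hits in select_items(ITEMS_WITH_NIL, j, 5000):
        print("item", ref, "selected at", [int(h) for h in hits])
```

An item whose value is at least J is selected for every possible starting point, while the nil-value item is never selected, which is the overstatement bias listed under the disadvantages.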

5.3.4 Advantages of monetary unit sampling


● All material items will be automatically tested: emphasis is on larger value
items.
● The size of audit sample is determined according to the total value of the
population – tests fewer items.
● Simple to apply.
● The auditor has to form an opinion on the system as the maximum acceptable
error must be set beforehand.

5.3.5 Disadvantages
● The system concentrates on large-value items – thus overstatement. Not a
test for understatement and nil balances.
● The system cannot select nil balances and, therefore, cannot detect balances
or items that are not recorded (understatement).

12 THE AUDITOR AND INTERNAL CONTROL

1 Introduction
2 Risk assessment procedures
2.1 Objectives with the performance of risk assessment procedures
2.2 Nature and scope of risk assessment procedures
2.3 Understanding controls related to significant risks
2.4 Documentation of the system
3 The performance of tests of control in response to the assessed risk of
material misstatements
3.1 Objective with the performance of tests of controls
3.2 Difference between risk assessment procedures and tests of controls
3.3 Nature of tests of controls
3.4 Extent of tests of controls
3.5 Timing/period of testing
3.6 Direction of testing
4 Communicating deficiencies in internal control to those charged with
governance and management

1. INTRODUCTION
The purpose of this chapter is to explain the evaluation and testing of controls
during the planning and performance of the audit.
The basic manual elements of internal controls, as well as the components of the
system of internal control in terms of ISA 315 (Revised) are discussed in chapter 2.
Nowadays most entities use IT systems for financial reporting and operational
purposes. You should therefore also refer to the basic principles and
procedures that will apply in a computerised environment, as discussed in
chapters 9 and 10.
SOURCE REFERENCE:
ISA 265 “Communicating deficiencies in internal control to those charged with
governance and management”
ISA 315 “Identifying and assessing the risk of material misstatement”
(Revised 2019)
ISA 330 “The auditor’s procedures in response to assessed risks”
An entity’s control objectives normally relate to financial reporting, operations and
compliance. Not all these controls are relevant to the auditor’s assessment of risk,
but only those that pertain to:
● the entity’s objective of preparing financial statements for external purposes
that fairly present, in all material respects, the financial position, results of
operations and cash flow in accordance with the applicable reporting
framework; and
● the management of risk that may give rise to a material misstatement in the
financial statements.
Some controls could therefore be important for management purposes, but not
for audit purposes (e.g. the completeness of orders in respect of purchases):
● important control objective: all orders are carried out (completeness of orders);
and
● audit objective: not important for audit purposes, because it has no effect on
the completeness of the accounting records. For audit purposes it is
important that all goods received notes (GRN) and suppliers’ invoices are
recorded (they affect stock, purchases and creditors).
International standards on auditing require the auditor, as part of the planning
phase of an audit, to identify and assess the risk of material misstatements at
the overall financial statement level and at the assertion levels for significant
classes of transactions, account balances and disclosures. This is referred to
as risk assessment procedures and consists of the auditor obtaining an under-
standing of the entity and its environment, the applicable financial reporting
framework, and the entity’s system of internal control. This is followed by the
design of further procedures in response to the assessed risks.


Internal control will therefore impact on the audit in the following ways:
● During the performance of risk assessment procedures, the auditor will:
• obtain an understanding of the components of the system of internal
control as the information could be helpful in identifying risk of material
misstatements, specifically with regard to the identification of types of
potential misstatements and consideration of the factors that could affect
the risks of material misstatements;
• evaluate the design of the entity’s controls and determine whether they
have been implemented. The auditor needs to establish whether the control,
individually or in combination with other controls, is capable of
effectively preventing, detecting and correcting material misstatements. This
will also assist the auditor in the design of further audit procedures;
• determine whether one or more control deficiencies have been identified; and
• assess the control risk if the auditor plans to test the operating
effectiveness of internal control or if he/she is of the opinion that the
performance of substantive procedures alone will not provide sufficient and
appropriate audit evidence.
● During the performance of further procedures in response to the assessed
risks, the auditor can:
• perform tests of controls because he/she is of the opinion that the
performance of substantive procedures alone will not provide sufficient
appropriate audit evidence as it will not be possible or practical to reduce
the risk of material misstatements at the assertion level by performing tests
of controls only; and
• perform tests of controls when he/she expects that there is a lower risk of
material misstatements because the entity has effective controls. The
auditor will then perform tests of controls in order to obtain audit evidence
regarding the operational effectiveness of the controls and the performance
of substantive procedures will thus be based on the effective operation
of the controls.

2. RISK ASSESSMENT PROCEDURES

2.1 OBJECTIVES WITH THE PERFORMANCE OF RISK ASSESSMENT PROCEDURES
As indicated under 1.1 above, the auditor will, during the performance of risk
assessment procedures, obtain an understanding of the components of the
system of internal control (refer to chapter 2 for a discussion on the components
of the system of internal control) in order to:
● identify types of material misstatements;
● consider factors that affect the risks of material misstatements; and
● design the nature, extent, and timing of further audit procedures in response
to the assessed risks.

Obtaining an understanding of internal control involves:
● Evaluating the design of a control: The auditor should consider whether the
control, individually, or in combination with other controls, is capable of
effectively preventing, or detecting and correcting, material misstatements.
● Determining whether it has been implemented: The auditor should consider
whether the controls are implemented and exist and that the entity is
using them.
NOTE: In accordance with the ISAs, the auditor is requested to test, for all
significant risks (thus, for classes of transactions, account balances and
disclosures), the design and implementation of the control – this will
provide evidence of the risk of material misstatements at the assertion
level for the specific class of transaction, account balance or
disclosure.
If the auditor wants to place reliance on the controls, he/she will then have to
test the operating effectiveness of the controls (through tests of controls: see
section 3.3).

2.2 NATURE AND SCOPE OF RISK ASSESSMENT PROCEDURES


The auditor can perform the following risk assessment procedures to obtain an
understanding of the internal control and to evaluate the design and
implementation thereof:
● enquiries of management and others within the entity;
● observation of the application of the control;
● inspection of documents and reports; and
● tracing transactions through the information system relevant to financial
reporting (walk-throughs).
Enquiry alone, however, is not sufficient for the purpose of performing risk
assessment procedures.
The above procedures must be performed with regard to all the components
of internal control discussed under section 2.2.
The auditor, based on professional judgement, needs to consider whether a
control, individually or in combination with other controls, is relevant to the
considerations in assessing the risk of material misstatements and the design and
performance of further procedures in response to assessed risk. The auditor
can, in exercising that judgement, consider factors such as the following:
● assessment of materiality;
● the size of the entity;
● the nature of the entity’s business, including organisational and ownership
characteristics;
● the diversity and complexity of the entity’s operations;
● applicable legal and regulatory requirements; and
● the nature and complexity of the systems that are part of the entity’s
internal control.
The auditor will generally relate controls to the assertions made by manage-
ment (refer to ISA 315, paragraph A111).

2.3 UNDERSTANDING CONTROLS RELATED TO SIGNIFICANT RISKS


ISA 315 requires the auditor to determine whether any of the risks he/she
identified during risk assessment are significant risks. In exercising his/her
judgement, the auditor is required to exclude the effects of identified controls
related to the risks.
Management is expected to have implemented internal controls in response to
the significant risks identified by the auditor. The auditor should therefore
obtain an understanding of the entity’s controls, including control activities, rel-
evant to the significant risks. Failure of management to implement such con-
trols is an indicator of serious deficiencies in internal control.

2.4 DOCUMENTATION OF THE SYSTEM


The auditor will normally document the internal control systems of an entity
during the performance of risk assessment procedures. The following methods
are normally used by the auditor:
■ System description
This is a description of the system and the controls in the system.
■ System flow charts
This is a diagrammatical presentation of the functions and control
procedures in a system. It is probably the best method of documenting the system
because it provides a global picture of the system and the control
procedures thereof.
Documenting and reading of a flow chart should be from top to bottom
and left to right.

[Figure: Fixed asset system flowchart. Labels: Purchases; Recorded raw materials and payroll; Additions; Materials and wages; Adjustments; Assets inspected; Disposals; Amendments to standing data; Fixed assets detail. Reports: Routine (summary and analysis of additions, disposals, depreciation and adjustments; standing data amendments; profit or loss on disposal; list of balances) and Exceptions (fully depreciated assets; assets not inspected). Key for symbols: sequential data; document; process; flow of data.]

3. THE PERFORMANCE OF TESTS OF CONTROL IN RESPONSE TO THE ASSESSED RISK OF MATERIAL MISSTATEMENTS

3.1 OBJECTIVE WITH THE PERFORMANCE OF TESTS OF CONTROLS


The auditor is required to perform tests of controls in response to the assessed
risks:
● when the auditor’s risk assessment includes an expectation of the operating
effectiveness of controls; or
● when substantive procedures alone do not provide sufficient appropriate
audit evidence at the assertion level. This may, for instance, be applicable
in situations where the entity is, to a large extent, dependent on computers
for the processing of transactions or where no supporting documentation
exists for transactions.
Tests of controls are therefore performed by the auditor to determine whether
the controls instituted by management function effectively.
The auditor needs to determine whether the internal controls:
● are suitably designed to detect material misstatements; and
● functioned effectively throughout the period of reliance.
The results of the tests of controls provide the auditor with a basis to assess
control risk. It directly influences the nature, extent and timing of the substan-
tive procedures. Substantive procedures could be reduced based on reliance
on the operating effectiveness of controls.

3.2 DIFFERENCE BETWEEN RISK ASSESSMENT PROCEDURES AND TESTS OF CONTROLS
Testing the operating effectiveness of controls is different from evaluating the
design of the controls and determining whether the controls have been
implemented. When evaluating the design and implementation of the controls as
part of risk assessment procedures, the auditor will only determine whether the
controls exist and the entity is using them. As part of the performance of
further procedures in response to the assessed risk, the auditor will, by means of
tests of controls, obtain audit evidence ensuring that controls operate
effectively.
Obtaining an understanding of an entity’s controls is not sufficient to serve as
the testing of the operating effectiveness of controls.

3.3 NATURE OF TESTS OF CONTROLS


The nature of tests of controls refers to the types of tests of controls that the
auditor can perform.
Tests of controls consist of:
● Inspection: This is the investigation of documents, records,
reconciliations, etc., for proof that the internal controls function
effectively.
● Observation: Observation of a process or procedure. Observation
provides evidence as to the functioning of the control at the time that it was
performed. Conclusions in respect of the tests should only be made for the
period investigated.
● Enquiry: Enquiry of client personnel or third parties as to the
functioning of controls.
● Re-performance: This entails the re-performance of procedures carried
out by the client. If the auditor does not find a mistake, he/she obtains
convincing evidence as to the effective functioning of the controls. If
he/she finds errors which were detected and corrected by the system, he/she
has obtained indisputable evidence as to the functioning of the controls.
● Combination of the above: The above-mentioned procedures are combined to
determine whether the controls function effectively.
Some audit evidence is more reliable than others. For example, the observation
of a control by the auditor provides more reliable audit evidence than just the
enquiry thereof. Observation, however, only provides proof of the working of
the control at the time that it was observed. The auditor should consider sup-
plementing these procedures with other tests of controls. Enquiry alone is not
sufficient to test the operating effectiveness of controls.
For example, in respect of the receipt of goods:

Controls                               Tests of controls
● Separate goods receiving             ● Enquire and observe whether a separate
  department exists.                     department exists.
● The goods are received by two        ● Enquire of the goods receipt personnel how
  persons who count and inspect          the controls function. Observe on a secretive
  them for quality.                      basis whether the controls are complied with.
● On receipt of the goods the goods    ● Observe the receipt of goods and determine
  received personnel prepare a GRN       whether the controls are complied with.
  and sign it as proof of the fact     ● Inspect the signatures on the GRN as proof
  that the goods were counted and        that the control is complied with.
  inspected.

3.4 EXTENT OF TESTS OF CONTROLS


Extent refers to the quantity of tests of controls to be performed, for example a
sample size or the number of observations of a control activity. Due to the vol-
ume of the transactions, it is often impossible for the auditor to investigate all
items/transactions. Items must be selected on which the auditor will perform
his/her tests of controls. Items can be selected using professional judgement
or on a statistical basis. (Refer to chapter 11.)

The extent of audit procedures is normally determined by:
● the auditor’s assessment of materiality;
● the assessed risk; and
● the degree of assurance the auditor plans to obtain.
The extent of audit procedures normally increases as the risk of material mis-
statements increases. It is, however, important to remember that increasing the
extent of an audit procedure will only be effective if the audit procedure itself is
relevant to the risk. The nature of audit procedures is therefore the most
important consideration.
Other matters that the auditor may consider in determining the extent of tests of
controls include:
● the frequency of the performance of the control by the entity during the
period;
● the length of time during the audit period that the auditor is relying on the
operating effectiveness of the control;
● the relevance and reliability of the audit evidence to be obtained in
supporting that the control prevents or detects and corrects material
misstatements at the assertion level;
● the extent to which audit evidence is obtained from tests of other controls
related to the assertion;
● the extent to which the auditor plans to rely on the operating effectiveness
of the control during risk assessment (thereby reducing substantive
procedures based on the reliance on such control); and
● the expected deviation from the control.

3.5 TIMING/PERIOD OF TESTING


The timing of tests of controls depends on the auditor’s objective and it will also
determine the period that the auditor can rely on those controls. If an auditor
tests a control at a specific time, evidence is only obtained that the control
operated effectively at that time. The auditor should obtain assurance on the
effective functioning of the internal controls on which he/she intends placing
reliance throughout the period of reliance. For this reason, the auditor should
spread the tests of controls throughout the year.
If the tests of controls are performed at an interim stage (before year end), the
auditor will need to perform tests of controls for the remaining period of
reliance.
Factors that the auditor should consider to determine the extent of testing for
the remainder of the period will include:
● the results of the interim tests;
● the length of the remaining period;
● whether any changes have occurred in the accounting and internal control
system during the remaining period;
● the nature and amount of transactions and balances involved;
● the control environment; and
● the substantive procedures that the auditor plans to carry out.
The auditor can, in some instances, use audit evidence about the operating
effectiveness of controls obtained in prior audits where no changes
occurred in those controls subsequent to the prior audit.
The auditor should consider the following in deciding whether reliance could
be placed on audit evidence gathered with regard to the operating effect-
iveness of controls obtained in prior audits, as well as the length of the
period that may elapse before re-testing of the controls:
● the effectiveness of other controls, including the control environment, the
entity’s risk assessment process and its monitoring of controls;
● the risks arising from the characteristics of the control;
● the effectiveness of general IT controls;
● the effectiveness of controls, based on assessment during prior audits;
● whether a lack of change in a particular control poses a risk due to
changing circumstances that actually necessitated a change in control; and
● the risk of material misstatements and the extent of reliance on the control.

3.6 DIRECTION OF TESTING


When selecting the items on which to perform the tests of controls, the auditor
should consider the control objective that the control procedures are intended
to achieve.
■ Validity: The auditor wants to verify the validity of the recorded item.
The direction of testing is from the accounting records to
the source documents.
For example, in respect of purchases:

Control (audit) objective   Control procedure             Tests of controls
Validity: All recorded      Entries in the purchases      Select purchases from the purchase
purchases are valid         journal are supported by a    journal and follow them through to
(goods actually             requisition, authorised       the invoice.
received).                  order, GRN, delivery note     Agree the particulars on the invoice
                            and invoice.                  with the:
                                                          ● delivery note (quantity and
                                                            description);
                                                          ● GRN (quantity and description); and
                                                          ● order (price, description and
                                                            authorisation).
                                                          Follow up differences.

12–11
Dynamic Auditing

■ Completeness: The auditor wants to determine whether all valid transactions are recorded. The direction of testing is from the source documents to the accounting records.

For example, in respect of purchases of stock:

Control (audit objective): Completeness: All valid purchases are recorded and nothing is left out.
Control procedure: On receipt of the goods:
    • the goods are inspected and a numerical GRN is prepared;
    • the stock records are updated from the GRN;
    • the GRN is recorded in the register and matched with the invoice on receipt and recorded in the purchases journal; and
    • all unmatched GRNs are continuously followed up by a senior independent person.
Tests of controls (compliance tests): Observe and enquire whether GRNs are prepared for all receipts.
    Select GRNs and:
    • follow them through to entry in the register;
    • match them with the invoice and agree the particulars thereon (quantity and the description); and
    • follow the amount through to entry in the purchase journal and stock records.
    Inspect the register in respect of unmatched GRNs on month-end and follow them through to the pro forma journal in respect of purchases and provisions.
    Inspect the numerical sequence of GRN in the register and follow up missing numbers.
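The two directions of testing described above can be run over a full population of records rather than a sample. The following is an added example, not part of the handbook; the record layouts, field names and all values are constructed for illustration. It shows that each direction finds exceptions the other cannot see.

```python
"""Direction-of-testing checks over constructed purchase records (added example)."""

# Constructed sample data; field names are hypothetical.
PURCHASES_JOURNAL = [
    {"entry": "PJ-1", "invoice": "INV-501", "amount": 1000.00},
    {"entry": "PJ-2", "invoice": "INV-502", "amount": 450.00},
    {"entry": "PJ-3", "invoice": "INV-999", "amount": 780.00},  # no supporting invoice
]
INVOICES = {
    "INV-501": {"grn": 101, "order": "PO-11", "qty": 10, "price": 100.00},
    "INV-502": {"grn": 102, "order": "PO-12", "qty": 5, "price": 90.00},
    "INV-504": {"grn": 104, "order": "PO-14", "qty": 2, "price": 60.00},
}
GRN_REGISTER = {
    101: {"qty": 10},
    102: {"qty": 4},   # quantity received differs from quantity invoiced
    104: {"qty": 2},   # invoiced but never entered in the purchases journal
    105: {"qty": 7},   # goods received, no invoice matched yet
}
ORDERS = {
    "PO-11": {"price": 100.00, "authorised": True},
    "PO-12": {"price": 90.00, "authorised": True},
    "PO-14": {"price": 60.00, "authorised": True},
}


def validity_exceptions(journal, invoices, grns, orders):
    """Accounting records -> source documents: is every recorded purchase supported?"""
    exceptions = []
    for line in journal:
        inv = invoices.get(line["invoice"])
        if inv is None:
            exceptions.append((line["entry"], "no invoice"))
            continue
        grn = grns.get(inv["grn"])
        if grn is None:
            exceptions.append((line["entry"], "no GRN"))
        elif grn["qty"] != inv["qty"]:
            exceptions.append((line["entry"], "GRN quantity differs"))
        order = orders.get(inv["order"])
        if order is None:
            exceptions.append((line["entry"], "no order"))
        else:
            if not order["authorised"]:
                exceptions.append((line["entry"], "order not authorised"))
            if order["price"] != inv["price"]:
                exceptions.append((line["entry"], "price differs from order"))
        if round(inv["qty"] * inv["price"], 2) != round(line["amount"], 2):
            exceptions.append((line["entry"], "amount differs from invoice"))
    return exceptions


def completeness_exceptions(grns, invoices, journal):
    """Source documents -> accounting records: is every receipt recorded?"""
    invoice_by_grn = {inv["grn"]: number for number, inv in invoices.items()}
    journalised = {line["invoice"] for line in journal}
    exceptions = []
    for number in sorted(grns):
        invoice = invoice_by_grn.get(number)
        if invoice is None:
            exceptions.append((number, "unmatched GRN"))
        elif invoice not in journalised:
            exceptions.append((number, "invoice not in purchases journal"))
    return exceptions


def missing_grn_numbers(grns):
    """Gaps in the numerical GRN sequence that need to be followed up."""
    numbers = sorted(grns)
    if not numbers:
        return []
    return [n for n in range(numbers[0], numbers[-1] + 1) if n not in grns]


if __name__ == "__main__":
    print(validity_exceptions(PURCHASES_JOURNAL, INVOICES, GRN_REGISTER, ORDERS))
    print(completeness_exceptions(GRN_REGISTER, INVOICES, PURCHASES_JOURNAL))
    print(missing_grn_numbers(GRN_REGISTER))
```

Entry PJ-3 is only caught when testing from the journal, while GRNs 104 and 105 and the missing number 103 are only caught when testing from the GRN register.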

4. COMMUNICATING DEFICIENCIES IN INTERNAL CONTROL TO THOSE CHARGED WITH GOVERNANCE AND MANAGEMENT

In terms of ISA 265, it is the auditor’s responsibility to communicate significant deficiencies in internal controls identified during the audit to those charged with governance on a timely basis. The auditor is also required to communicate to management significant deficiencies in internal control already communicated or which he/she intends to communicate to those charged with governance. The auditor can also communicate other deficiencies in internal control to management should he/she be of the opinion that the deficiencies are of sufficient importance to warrant management’s attention.

For the purposes of ISA 265, deficiencies and significant deficiencies in internal control can be defined as follows:

A deficiency in internal control exists when:
• a control is designed, implemented or operated in such a way that it is unable to prevent or detect and correct misstatements in the financial statements on a timely basis; or


• a control necessary to prevent or detect and correct misstatements in the financial statements on a timely basis is missing.

A significant deficiency in internal control is a deficiency or a combination of deficiencies in internal control that, in the auditor’s professional judgement, is/are of sufficient importance to merit the attention of those charged with governance.

Communication of significant deficiencies in internal control:
• should be in writing;
• could be preceded by some form of oral communication to assist management or those charged with governance to take remedial action;
• should take place on a timely basis. In this regard, the auditor may consider whether receipt of the communication would be an important factor in enabling those charged with governance to discharge their oversight role. The auditor’s communication of significant deficiencies should form part of the final audit file which, in terms of ISA 230, should be completed not more than 60 days after the date of the auditor’s report;
• should include a description of the deficiencies and an explanation of their potential effects;
• should include sufficient information to enable those charged with governance and management to understand the context of the communication. In particular, the auditor should explain that:
    • the purpose of the audit is to express an opinion on the financial statements;
    • the audit includes consideration of internal control relevant to the preparation of the financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of internal control; and
    • matters being reported are limited to those deficiencies that the auditor has identified during the audit and that the auditor has concluded are of sufficient importance to merit being reported to those charged with governance.
• may give an indication that:
    • if the auditor had performed more extensive procedures on internal control, he/she might have identified more deficiencies to be reported, or concluded that some of the reported deficiencies need not have been reported;
    • such communication has been provided for the purposes of those charged with governance, and that it may not be suitable for other purposes; and


• should be to the chief executive officer or chief financial officer in the case of reporting to management.

In situations where the auditor has communicated a significant deficiency in internal control to those charged with governance in a previous audit and the deficiency remains or no remedial action was taken:
• the communication will have to be repeated or a reference could be made to the previous communication;
• the auditor may ask management or those charged with governance why the deficiency has not yet been remedied; and
• a failure to act may, in itself, represent a significant deficiency in the absence of a rational explanation.

Communication of other deficiencies in internal control to management:
• need not be in writing but may be oral; and
• the appropriate level of management to report to is the one that has the responsibility and authority to evaluate the deficiencies in internal control and to take the necessary remedial action.

In situations where the auditor has communicated a deficiency in internal control to management in a prior period and management has chosen not to remedy it:
• the auditor need not repeat the communication in the current period, except in the case of a change in management; and
• a failure to act may, in itself, represent a significant deficiency in the absence of a rational explanation.

13 SUBSTANTIVE PROCEDURES

1. Introduction
2. Background to substantive procedures
    2.1 Definition of substantive procedures
    2.2 Objective of substantive procedures
    2.3 Nature, extent and timing of substantive procedures at assertion level
    2.4 Substantive procedures and audit risk
    2.5 Substantive procedures for the assessment of significant risks for a particular assertion
    2.6 Evaluation of the results of the substantive procedures
3. Financial statement assertions and audit objectives
    3.1 Financial statement assertions
4. Direction of testing: Risk-based testing
5. Early verification and early substantive procedures
    5.1 The meaning of early verification
    5.2 Reason for the application of early substantive verification
    5.3 Factors to consider whether substantive procedures at an interim date can be performed (prerequisites for the application of early verification)
    5.4 The effect of early verification on the remainder year-end substantive procedures
    5.5 Follow-up audit procedures after early verification (roll-forward)
    5.6 Example of early verification
6. Use of computers as an audit tool
7. Substantive procedures and accounting treatment

CHAPTER 13: Substantive procedures

1. INTRODUCTION

The aim of the audit of the financial statements is to enable the auditor to express an opinion on the fair presentation (or “true and fair view”) of the financial statements. To be able to do this, the auditor needs reasonable assurance on the assertions in the financial statements for significant accounts (that is, accounts that are significant in terms of a high assessed risk of material misstatement, or which are material in amount). The auditor obtains assurance by performing audit procedures that provide audit evidence on the assertions in the financial statements. This can consist of only tests of controls for a particular assertion, only substantive procedures for a particular assertion, or a combination of tests of controls and substantive procedures for a particular assertion.

In this chapter, the focus will be on the principles and procedures relating to substantive procedures to address the assessment of significant risks at the assertion level for a particular assertion, thus providing information on the amounts and disclosure in the financial statements.

SOURCE REFERENCE:
ISA 200 “Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Standards on Auditing”
ISA 315 (revised) “Identifying and Assessing the Risk of Material Misstatement through Understanding the Entity and its Environment”
ISA 330 “The Auditor’s Response to Assessed Risks”
ISA 500 “Audit Evidence”
ISA 501 “Audit Evidence – Specific Considerations for Selected Items”
ISA 505 “External Confirmations”
ISA 520 “Analytical Procedures”

2. BACKGROUND TO SUBSTANTIVE PROCEDURES

2.1 DEFINITION OF SUBSTANTIVE PROCEDURES

Substantive procedures are audit procedures which are performed to detect material misstatements at the assertion level (of classes of transactions, account balances and disclosures) in the financial statements. They comprise:
• tests of detail (inspection, observation, inquiry, confirmation, recalculation and reperformance); and/or
• substantive analytical procedures.


2.2 OBJECTIVE OF SUBSTANTIVE PROCEDURES

The objective of substantive procedures is to reduce the auditor’s detection risk to an acceptably low level.

They are performed to determine whether the amounts and disclosure in the financial statements are fairly stated.

In contrast to substantive procedures, the tests of controls provide evidence that is directly related to the functioning of the internal controls. Certain audit procedures are of a dual nature and meet both the objectives of tests of controls and of substantive procedures.

REMEMBER:
• Tests of controls test the design and operating effectiveness of the internal controls.
• Substantive procedures test the amounts and disclosures (assertions of management) in the financial statements (product of the system).
• Irrespective of the assessed risk of material misstatement, the auditor shall design and perform substantive procedures for each material class of transactions, account balances and disclosure.
• The auditor shall always consider whether external confirmation procedures are to be performed as part of the substantive procedures.

2.3 NATURE, EXTENT AND TIMING OF SUBSTANTIVE PROCEDURES AT ASSERTION LEVEL

The nature, timing and extent of the substantive procedures will depend on:
• the assessed risk of material misstatements at the assertion level for the specific class of transaction, account balance or disclosure, being:
    • the inherent risk relating to the specific assertions (likely magnitude of the potential misstatement and the likelihood of occurring); and
    • the control risk (i.e. the effectiveness of the design, implementation and working of controls that address the inherent risk, being automated and manual controls).
• the specific financial statement assertions addressed; and
• the applicability and reliability of audit evidence that can be obtained by the different types of substantive procedures (analytical or detail).


2.3.1 Nature of substantive procedures

“Nature” refers to the type of substantive procedures that can be performed, namely:
• tests of detail;
• substantive analytical procedures (e.g. where the auditor’s assessment of risk is supported by evidence from tests of controls); or
• a combination of the tests of controls and substantive procedures.

NOTE:
• The assessment of the risk, or the nature of the assertion, is relevant to the design of tests of detail. For example, tests of detail related to the existence or occurrence assertion may involve selecting items from the financial statement amount and tracing them to the relevant audit evidence, whilst tests of detail relating to completeness of the same account will consist of selecting audit evidence and tracing it to the financial statement amount for inclusion.
• Because the risk of material misstatement takes into account the effectiveness of controls, the extent (volume or sample size) of substantive procedures might need to be increased when the results from the test of controls are unsatisfactory.

Procedures for obtaining audit evidence through substantive procedures

Inspection: Consists of examining records or documents (whether internal or external, in paper, electronic or other form) or a physical examination of an asset.

Enquiries: Consist of seeking information from knowledgeable persons within or outside of the entity, for example enquiries from attorneys regarding pending litigation (third parties) or from the client’s staff to determine whether debtors and bank balances are regularly reconciled.
    Enquiries are used extensively throughout the audit in addition to other audit procedures and may range from formal written enquiries to informal enquiries. Evaluating responses to enquiries is an integral part of the enquiry process.


External confirmation: External confirmation is audit evidence obtained by the auditor as a direct written response to the auditor from a third party (the confirming party) in paper, electronic or other form.
    NOTE: Confirmation obtained directly from third parties provides sound support for the existence, accuracy and rights (ownership) and is an important substantive procedure. It, however, does not provide information or evidence on the valuation of assets, which will need to be separately verified.
    Factors that the auditor will consider to determine whether external confirmations are to be performed as substantive procedures will include aspects such as:
    • the third party’s knowledge of the subject matter;
    • the third party’s willingness to respond to the confirmation;
    • the objectivity of the third party, for example if the third party is a related party, the response to the request may be less reliable as audit evidence.
    External confirmations, received directly by the auditor from appropriate third parties, are also very suitable to respond to significant risks of material misstatement due to fraud or error. This can be related to financial information such as account balances, but also to non-financial information such as contracts or agreements.

Recalculations: Consist of checking the mathematical accuracy of documents or records. Recalculations can be done manually or electronically.

Re-performance: Involves the auditor’s independent execution of procedures or controls that were originally performed as part of the entity’s internal controls.


Substantive analytical procedures: Substantive analytical procedures consist of financial information obtained from a study of plausible relationships between financial and non-financial data. Substantive analytical procedures also encompass the investigation of identified fluctuations and relationships that are inconsistent with other relevant information or deviate significantly from predicted amounts.
    Substantive analytical procedures are more applicable to large volumes of data that tend to be predictable over time.

Standard further procedures: Consist of procedures such as the overall review of information for reasonableness, the review of minutes, enquiries of attorneys, the obtaining of management representations, the testing of adjusting journal entries of the financial statements and the agreement of the general ledger balances with the amounts on the financial statements.

■ Audit programmes
The auditor develops audit programmes which set out the audit procedures to limit the elements of audit risk relating to each assertion of significant classes of transactions and account balances in the financial statements.
The objectives of audit programmes are, inter alia, to:
    • assist with the planning of the audit so that the audit procedures are performed in a cost-effective and efficient manner;
    • provide clear instructions on the nature, extent and timing of the procedures; and
    • serve as a basis for quality control.
NOTE: The audit programmes are often included in the audit plan that documents the work performed for the accounts at the assertion level.

2.3.2 Extent of substantive procedures

The extent of substantive procedures is normally measured in terms of sample size.

The extent of substantive procedures will normally increase as the risk of material misstatements increases, that is:
• a higher inherent risk; and
• a higher control risk resulting from weaknesses in the internal controls.


2.3.3 Timing of substantive procedures

Substantive procedures are normally performed at or after year end. The auditor could perform substantive procedures to test transactions during the year, provided that further procedures are performed for the remainder of the period’s transactions and the balance at year end.

The performance of substantive procedures at an interim date is referred to as “early verification procedures”. These are discussed in detail under section 5 of this chapter.

2.4 SUBSTANTIVE PROCEDURES AND AUDIT RISK

■ The relationship between inherent, control and detection risk

Audit risk (AR) = Inherent risk (IR) × Control risk (CR) × Detection risk (DR)

IR: this relates to the susceptibility of misstatements of assertions, classes of transactions, account balances and disclosures and may be higher for some assertions or accounts than others.
CR: this relates to the effective design, implementation and functioning of the internal controls to limit and detect errors and misstatements.
DR: this relates directly to the auditor’s audit procedures (substantive procedures) to limit the risk of undetected material misstatements in the financial statements.

The auditor estimates the inherent risk, as well as the control risk (after testing the internal controls by means of tests of controls) and then applies substantive procedures accordingly to limit the detection risk.

IR and CR are low: Limit the nature, extent and timing of the substantive procedures (accept a higher detection risk).
IR and CR are high: Extended substantive procedures (nature, extent and timing) to limit the audit risk (results in a lower detection risk).

NOTE: The combined assessment of inherent and control risk is referred to as an assessment of the risk of material misstatements.

■ Detection risk and substantive procedures

The level of detection risk is directly related to the auditor’s substantive procedures.

The level of inherent and control risk (referred to as a combined assessment of the risk of material misstatements) will influence the nature, timing and extent of the auditor’s substantive procedures required to limit the audit risk to an acceptable level. This can have the following effect on the substantive procedures.


Nature:
    • detail testing or substantive analytical procedures;
    • independent external verification versus internal verification.
Extent: larger or smaller samples.
Timing: at the end of the period or early verification.

NOTE: Irrespective of the level of inherent and control risk, the auditor should always perform substantive procedures of some sort to verify significant balances and classes of transactions (at least substantive analytical procedures).

2.5 SUBSTANTIVE PROCEDURES FOR THE ASSESSMENT OF SIGNIFICANT RISKS FOR A PARTICULAR ASSERTION

Significant classes of transactions, account balances and disclosures are those that:
• are assessed as significant based on the assessed risk of material misstatement, that is, the monetary value is not of interest here, but the inherent risk of misstatement is high (qualitatively material); or
• are significant because they are material in amount (quantitatively material).

For the above, the auditor will need to perform substantive procedures for those assertions that are of high risk, and where tests of controls alone are not appropriate to provide assurance.

NOTE: The auditor does not need to design and perform audit procedures where the assessed risk of material misstatement is low for a specific assertion.

2.6 EVALUATION OF THE RESULTS OF THE SUBSTANTIVE PROCEDURES

When the auditor’s substantive procedures indicate that line items are misstated, he/she should:
• consider the qualitative aspects of the misstatements, namely the nature and cause thereof, and the possibility of further misstatements.
• consider the quantitative nature of the misstatements, namely the amount of the misstatements:
    • material: consider the effect on the auditor’s report if management does not adjust the financial statements.
    • not material:
        – accept, report to management;
        – carry the difference to the schedule of audit differences (overs and unders). This is done to consider the cumulative effect of misstatements identified during the audit.


3. FINANCIAL STATEMENT ASSERTIONS AND AUDIT OBJECTIVES

3.1 FINANCIAL STATEMENT ASSERTIONS

SOURCE REFERENCE:
ISA 315 (revised) “Identifying and Assessing the Risk of Material Misstatement through Understanding the Entity and its Environment”

These are the representations, explicit or otherwise, with respect to the recognition, measurement, presentation and disclosure of information in the financial statements which are inherent in management’s representation that the financial statements are prepared in accordance with the applicable financial reporting framework. Assertions are used by the auditor to consider the different types of potential misstatements that may occur when identifying, assessing and responding to the risk of material misstatement.

They consist of:

■ Assertions about classes of transactions and related disclosure for the period under audit:
    • Occurrence: transactions and events that have been recorded or disclosed have occurred and pertain to the entity.
    • Completeness: all transactions and events that should have been recorded have been recorded, and all related disclosures that should have been included in the financial statements have been included.
    • Accuracy: amounts and other data relating to recorded transactions and events have been recorded appropriately, and related disclosures have been appropriately measured and disclosed.
    • Cut-off: transactions and events have been recorded in the correct accounting period.
    • Classification: transactions and events have been recorded in the proper accounts.
    • Presentation: transactions and events are appropriately aggregated or disaggregated and clearly described, and related disclosures are relevant and understandable in the context of the requirements of the applicable financial reporting framework.


■ Assertions about account balances and related disclosures at the period end:
    • Existence: assets, liabilities and equity interests exist.
    • Rights and obligations: the entity holds or controls the rights to assets, and liabilities are the obligations of the entity.
    • Completeness: all assets, liabilities and equity interests that should have been recorded have been recorded, and all related disclosures that should have been included in the financial statements have been included.
    • Accuracy, valuation and allocation: assets, liabilities and equity interests are included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments are appropriately recorded and related disclosures have been appropriately measured and disclosed.
    • Classification: transactions and events have been recorded in the proper accounts.
    • Presentation: transactions and events are appropriately aggregated or disaggregated and clearly described, and related disclosures are relevant and understandable in the context of the requirements of the applicable financial reporting framework.

4. DIRECTION OF TESTING: RISK-BASED TESTING

Definition: This comprises the approach to the audit and the design of the audit procedures in such a manner as to concentrate on the risk areas.

Tests for overstatement
    Direction: What is recorded is valid/should have been recorded.
    Audit objectives
        Primary: Existence/occurrence; Rights; Valuation, accuracy and allocation
        Secondary: Completeness

Tests for understatement
    Direction: Everything has been recorded/accounted for. From the source documents to the accounting records.
    Audit objectives
        Primary: Completeness; Valuation, accuracy and allocation
        Secondary: Existence/occurrence; rights/obligations


Direction of testing: Risk-based audit approach

Risk → Direction of testing → Assertions

• Identify the risk from the scenario.
• The risk determines the direction of testing.
• The direction of testing determines the affected assertions.

Remember double-entry: An overstated debit results in an overstated credit and vice versa.

Example:

Overstatement of Revenue
    Direction of testing: AFS → Source documents
    Assertions: Occurrence; Accuracy; Cut-off

Remember: An overstated credit results in a corresponding overstated debit.

Overstatement of Debtors/Bank
    Direction of testing: AFS → Source documents
    Assertions: Existence; Rights and obligations; Valuation


5. EARLY VERIFICATION AND EARLY SUBSTANTIVE PROCEDURES

5.1 THE MEANING OF EARLY VERIFICATION

This means that a significant part of the substantive procedures is performed before year end (this applies in respect of both the income statement and balance sheet items).

5.2 REASON FOR THE APPLICATION OF EARLY VERIFICATION

Early (verification) substantive procedures are mainly performed where there is a time limit on the completion of the audit, that is, where the auditor has to report shortly after year end.

Specifically, it is used to (advantages):
• ensure that the audit can be completed shortly after the balance sheet date;
• channel the work away from the audit practice’s peak times (cost-effective utilisation of staff in non-peak times);
• identify amounts that appear unusual and to investigate such amounts;
• give early warning of possible problems with the final audit; and
• be cost-effective and to ensure good client service.

5.3 FACTORS TO CONSIDER WHETHER SUBSTANTIVE PROCEDURES AT AN INTERIM DATE CAN BE PERFORMED (PREREQUISITES FOR THE APPLICATION OF EARLY VERIFICATION)

Early verification (substantive procedures at an interim date) can only be applied as part of the substantive procedures if:
• the auditor can place reliance on the relevant internal controls (function effectively);
• the control environment is functioning effectively;
• there have been no significant changes in the client’s circumstances since the performance of early substantive procedures; and
• the auditor is able to perform appropriate substantive procedures, or substantive procedures combined with tests of controls, to cover the remaining period in order to reduce the risk that misstatements that may exist at the period end will not be detected.


5.4 THE EFFECT OF EARLY VERIFICATION ON THE REMAINDER YEAR-END SUBSTANTIVE PROCEDURES

The performance of early verification by means of substantive procedures is normally as follows:

Timing of early verification: Early verification is normally performed not longer than three months before year end. The specific timing will, however, depend on the prevailing risk of errors and misstatements.

Nature of early verification:

Income statement
This will entail:
• the performance of substantive analytical procedures for the first nine months (with the testing of the internal controls through the application of tests of controls for the nine months); and
• where detail testing of transactions is done by means of substantive procedures, the detailed testing of the transactions for the first nine months.
It is normally cost-effective to apply early income statement verification procedures.

Balance sheet
This will entail that a large part of the audit work in respect of certain balance sheet items be performed before year end. However, it will be necessary to repeat certain substantive procedures for the interim periods since verification at the balance sheet date to obtain assurance that the financial statements are not misstated (roll forward).
Early verification in respect of balance sheet items can, inter alia, include the following:
• circulation of debtors’ balances before year end;
• testing of the provision (impairment) for bad debts (with the review of post-balance sheet events);
• attendance of stock counts;
• verification of fixed assets;


• inspection of securities and investment certificates (provided they are sealed to year end);
• requesting creditors’ statements before year end and reconciling them with the creditors’ balance in the creditors’ ledger.

Early verification of balance sheet items is not always cost-effective as certain procedures have to be repeated at year end. The benefit arising from the timeous completion of the audit, however, often exceeds the costs thereof (and also provides a good client service).

5.5 FOLLOW-UP AUDIT PROCEDURES AFTER EARLY VERIFICATION (ROLL-FORWARD)

Where the auditor has performed early substantive procedures, it is necessary to perform audit procedures for the remaining period up to year end to ensure that the audit objectives are met, and the assertions of management contained in the financial statements are applicable – this represents the roll-forward procedures described below.

Roll-forward procedures for the interim period
These will include the following:
• the performance of substantive analytical procedures and the follow-up and verification of all significant fluctuations and exceptions;
• the verification through substantive procedures of transactions in the interim period;
• the auditor must also satisfy him-/herself of the effective functioning of the internal controls in the interim period – this is normally done as part of the completion of the tests of controls for the remainder of the year.

Year-end procedures
These will include the following:
• detail substantive procedures as necessary, for example:
    • valuation of investments;
    • inspection of fixed assets in respect of existence;
    • search for unrecorded liabilities in respect of creditors; and
    • specific procedures in respect of cut-off of transactions and balances.
• substantive analytical procedures;
• obtaining of confirmation letters, such as bank confirmations, attorneys’ letters, management representation letters, etc. These can be requested before year end to save time;
• examination, recalculation and verification of control accounts and the reconciliation thereof with the subsidiary ledgers; and
• audit procedures regarding presentation and disclosure of the line items.


5.6 EXAMPLE OF EARLY VERIFICATION

Assume that the stock count is scheduled for 31 October, the year end of the company is 31 December and the auditor has to report by 15 January.

Early verification (existence, valuation, completeness, rights (ownership)):
• Attend the stock count and perform test counts.
• Audit the results of the stock count in respect of:
    • quantities (test counts);
    • cost price (price lists, etc.);
    • valuation (obsolete/damaged stock); and
    • ownership (consignment stock, etc.).

Interim period (roll-forward)
Perform a roll-forward.

Stock 31 October                          xx   (1)
Plus: Purchases, Nov, Dec                 xx   (2)
Less: Cost of sales, Nov, Dec             xx   (3)
Plus/less: Reconciling items              xx   (4)
Balance 31 December                       xx   (5)

(1): audited.
(2), (3): follow through to purchases journal/sales records; select transactions and audit against the supporting documentation (detail verification).
(4): audit in detail against documentation, etc.
(2), (3): substantive analytical procedures.

Year end
(5): analytical procedures.
   : detail audit procedures in respect of:
     • arithmetical accuracy;
     • cut-off; and
     • presentation and disclosure.
   : obtain a stock certificate from management.

CHAPTER 13: Substantive procedures

6. USE OF COMPUTERS AS AN AUDIT TOOL


The auditor’s audit objectives do not change in the case of a computerised
accounting application. It may often be effective/essential for the auditor to use
computer assisted audit techniques, and especially audit software and data
analytics, to obtain audit evidence.
Audit software accordingly serves as an audit tool to assist the auditor in analysing,
interpreting and investigating client information and data. Data analytics can also be
effectively used to analyse a full set of data for trends, characteristics, etc.
This can entail:
● reprocessing of data to test calculations (e.g. testing the working of the
  debtors’ age analysis);
● the use of audit software packages:
  • castings and calculations;
  • investigation and analysis;
  • selections;
  • summaries; and
  • comparisons.
Also refer to chapter 9 in respect of the use of computer-assisted audit techniques.
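The reprocessing technique named above, as an added example that is not part of the handbook: it re-ages a debtors' open-invoice listing, compares the result with the client's age analysis and tests the casting against the control account. The ageing bands, function names and all data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

ZERO = Decimal("0")

# Assumed ageing bands in days since invoice date; in practice the client's
# own credit terms and ageing policy would be used.
BANDS = [("current", 0, 30), ("31-60", 31, 60), ("61-90", 61, 90), ("90+", 91, None)]


def age_bucket(invoice_date, as_at):
    """Return the ageing band of one invoice at the reporting date."""
    days = (as_at - invoice_date).days
    if days < 0:
        # An invoice dated after the reporting date is a cut-off exception.
        raise ValueError(f"invoice dated {invoice_date} is after {as_at}")
    for name, low, high in BANDS:
        if days >= low and (high is None or days <= high):
            return name


def reperform_age_analysis(invoices, as_at):
    """Recompute the age analysis per debtor from the open-invoice listing."""
    result = defaultdict(lambda: {name: ZERO for name, _, _ in BANDS})
    for debtor, invoice_date, amount in invoices:
        result[debtor][age_bucket(invoice_date, as_at)] += amount
    return dict(result)


def compare_to_client(recomputed, client_report):
    """List differences as (debtor, band, client amount, auditor amount)."""
    exceptions = []
    for debtor in sorted(set(recomputed) | set(client_report)):
        ours = recomputed.get(debtor, {})
        theirs = client_report.get(debtor, {})
        for name, _, _ in BANDS:
            auditor_amount = ours.get(name, ZERO)
            client_amount = theirs.get(name, ZERO)
            if auditor_amount != client_amount:
                exceptions.append((debtor, name, client_amount, auditor_amount))
    return exceptions


def casting_difference(client_report, control_account_total):
    """Cast the client's age analysis and compare it with the control account."""
    total = sum((sum(bands.values(), ZERO) for bands in client_report.values()), ZERO)
    return total - control_account_total


# Constructed sample data: open invoices as (debtor, invoice date, amount).
AS_AT = date(2021, 12, 31)
INVOICES = [
    ("D001", date(2021, 12, 10), Decimal("1000")),
    ("D001", date(2021, 11, 5), Decimal("500")),
    ("D002", date(2021, 9, 15), Decimal("2000")),
    ("D002", date(2021, 10, 20), Decimal("750")),
    ("D003", date(2021, 12, 1), Decimal("300")),
]
# Constructed client age analysis; D002's oldest invoice sits in the wrong band.
CLIENT_REPORT = {
    "D001": {"current": Decimal("1000"), "31-60": Decimal("500")},
    "D002": {"61-90": Decimal("2750")},
    "D003": {"current": Decimal("300")},
}
CONTROL_ACCOUNT_TOTAL = Decimal("4550")

if __name__ == "__main__":
    recomputed = reperform_age_analysis(INVOICES, AS_AT)
    for debtor, band, client_amount, auditor_amount in compare_to_client(
        recomputed, CLIENT_REPORT
    ):
        print(f"{debtor} {band:8} client={client_amount} auditor={auditor_amount}")
    print("casting difference:", casting_difference(CLIENT_REPORT, CONTROL_ACCOUNT_TOTAL))
```

The casting agrees with the control account even though the ageing is wrong, which is why the reperformance and the casting are separate tests.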

7. SUBSTANTIVE PROCEDURES AND ACCOUNTING TREATMENT


When performing the substantive procedures and testing the assertions, the
auditor shall also test the correctness of the accounting treatment of items. For
example, when testing the maintenance expenses, the auditor shall consider
whether their classification is correct (that the expenses are of a maintenance
nature, and not of an improvement nature) and the cut-off (relates only to the
current accounting period and not to future periods). Similarly, when testing the
existence and ownership of intangible assets, the auditor will first need to
consider whether the costs incurred meet the definition of an asset and, as such,
may be capitalised.

14
COMPLETION OF THE AUDIT

1. Introduction
2. Background
3. A framework for the completion of the audit
4. Procedures to perform
   4.1 Substantive procedures relating to the financial statement closing process
   4.2 Adequacy of the audit evidence
   4.3 Evaluation of misstatements identified during the audit
   4.4 Overall review of the financial information
   4.5 Considering whether or not the liabilities exceed the assets
   4.6 Consideration of post-balance sheet events
   4.7 Concluding and reporting
   4.8 Post-audit review
5. Going concern considerations
   5.1 Going concern concept
   5.2 Foreseeable future
   5.3 The auditor’s consideration of the going concern concept
   5.4 Factors which may cause concern as to the entity’s ability to continue
       as a going concern
   5.5 Procedures to assess the applicability of the going concern
   5.6 Consider the effect on the auditor’s report
   5.7 Communication with those charged with governance
6. Subsequent events
   6.1 Definitions
   6.2 Events up to the date of the auditor’s report
   6.3 Information discovered after the date of the audit report, but before
       the financial statements are issued (can still change the audit report)
   6.4 Information discovered after the financial statements have been issued
   6.5 Factors to consider and procedures to perform where management refuses
       to amend the statements
   6.6 Securities offered to the public
7. Trading whilst the liabilities exceed the assets (factual insolvency)
   7.1 Background
   7.2 Considerations in respect of irregularities
   7.3 Action of the auditor where liabilities exceed the assets
   7.4 Steps that management may take to satisfy the auditor that no
       irregularity is taking place, or that steps have been taken to prevent
       the loss

CHAPTER 14: Completion of the audit

1. INTRODUCTION
The purpose of this chapter is to explain the considerations and procedures that
are applicable to the last phase of the audit process, namely the completion of
the audit phase.
By considering the factors and by performing the procedures listed, the auditor
will be able to ensure the successful completion of the audit and reporting
thereon.
SOURCE REFERENCE:
  ISA 220 “Quality Control for an Audit of Financial Statements”
  ISA 230 “Documentation”
  ISA 260 “Communication with those charged with Governance” (revised)
  ISA 450 “Evaluation of Misstatements Identified during the Audit”
  ISA 500 “Audit Evidence”
  ISA 501 “Audit Evidence – Specific Considerations for Selected Items”
  ISA 520 “Analytical Procedures”
  ISA 550 “Related Parties”
  ISA 560 “Subsequent Events”
  ISA 570 “Going Concern” (revised)
  ISA 700 “Forming an Opinion and Reporting on Financial Statements”
  ISA 701 “Communicating Key Audit Matters in the Independent Auditor’s Report”
  ISA 705 “Modifications to the Opinion in the Independent Auditor’s Report” (revised)
  ISA 706 “Emphasis of Matter Paragraphs and Other Matter Paragraphs in the
          Independent Auditor’s Report” (revised)
  ISA 720 “The Auditor’s Responsibilities Relating to Other Information” (revised)
  ISAE 3000: “Assurance Engagements other than Audits or Reviews of Historical
          Financial Information” (revised)
  Guideline “Trading whilst Factually Insolvent”
  SAICA Circular 02/02 “Subordination agreements”
  SAICA Circular 03/02 “Letters of support”
  IRBA Guide: Reportable Irregularities in terms of the Auditing Profession Act (2015)
  IAS 10 “Events after the balance sheet date”
  IAS 37 “Provisions, contingent liabilities and contingent assets”


2. BACKGROUND
■ Timing for the performance of the procedures
  The completion of the audit procedures should be performed at the end of
  the audit after the audit work has been completed and the draft financial
  statements received. This is the last step before the auditor issues his/her
  report.
■ Reasons for the performance of the procedures
  The completion of the audit procedures is performed to:
  • ensure that sufficient and appropriate audit evidence was obtained to
    justify the opinion on the financial statements and to limit the audit risk;
  • form an opinion on the fair presentation of the financial statements; and
  • be able to issue an audit report.
■ Persons responsible for the completion of the audit procedures
  The work must be performed by staff with the necessary experience and
  competence to exercise professional judgement, namely audit seniors, audit
  managers and audit partners.

3. A FRAMEWORK FOR THE COMPLETION OF THE AUDIT


The framework sets out the different aspects and issues to consider, as well as
the procedures to perform, during the completion of the audit phase.
● Sufficiency and appropriateness of audit evidence (ISA 230, ISA 500 and
  ISAE 3000)
  • Sufficiency is the measure of the quantity of evidence:
    – sufficiency is affected by:
      * risk – the higher the risk, the more evidence is required; and
      * quality – the higher the quality of evidence, the less may be
        required.
  • Appropriateness is the measure of the quality of evidence:
    – appropriateness is affected by:
      * relevance, which is a measure of whether the audit evidence
        addresses the applicable risk;
      * reliability:
        – source; and
        – nature.
  • Working papers should:
    – contain a record of work done and evidence obtained; and
    – be cross-referenced to the financial statements.
  • Obtain:
    – attorney’s letter; and
    – management representation letter.
● Evaluation of misstatements identified during the audit (ISA 450)
  • Determine final materiality:
    – consider risks; and
    – set final materiality.
  • Consider the nature of misstatements:
    – factual misstatements (amounts, accounting treatment, disclosure);
    – judgemental misstatements (inherent uncertainties, scope limitation);
      and
    – projected misstatements (the auditor’s best estimate of misstatements
      in populations or the projection of misstatements identified in
      audit samples to entire populations from which the samples were
      drawn).
  • State of provisions and contingencies/contingent liabilities.
  • Consider the materiality of audit differences (qualitative and quantitative)
    and the effect thereof on the financial statements and audit report.
  • Search for information that could affect the fair presentation of the
    financial statements:
    – unrecorded liabilities; and
    – related party transactions (ISA 550).
● Overall review of the financial information
  • Draft financial statements:
    – castings, cross-references to the working papers, etc.
  • Final analytical procedures: reasonableness test.
  • Consider in respect of the fair presentation of financial statements:
    – the accounting policy;
    – the fundamental accounting concepts:
      * matching, prudence, consistency;
      * going concern (ISA 570);
    – financial position and results of operations;
    – presentation and disclosure;
    – statutory requirements and regulations; and
    – whether all entities and transactions are correctly accounted for in
      the financial statements (no off-balance-sheet financing, special
      purpose entity accounting, etc.)
  • Consider if other information accompanying the financial statements is
    fairly stated and contains no misstatements.
● Consider whether the liabilities exceed the assets
  • Considerations and actions (auditor and management).
  • Subordination agreements (considerations, audit procedures, disclosure).
● Post-balance sheet events (ISA 560)
  • Up to the date of the audit report.
  • Up to the date of the issue of the statements.
  • After the date of the issue of the statements.
● Concluding and reporting (ISA 260, 700, 701, 705, 706 and ISAE 3000)
  • Opinion on the financial statements.
  • Compliance with quality control (ISQM 2; ISA 220).
  • Consideration of other information in documents that include audited
    financial statements (ISA 720).
  • Comparison of the draft statements with the financial statements.
  • Reporting to:
    – management;
    – those charged with governance;
    – shareholders.
● Post-audit review
  • Staff evaluation.
  • Appropriateness of re-engagement.
  • Aspects of importance in respect of future audits.
  • Invoicing.

4. PROCEDURES TO PERFORM
4.1 SUBSTANTIVE PROCEDURES RELATING TO THE FINANCIAL STATEMENT CLOSING PROCESS
The auditor’s substantive procedures shall include the following audit
procedures related to the financial statement closing process:
● agreeing or reconciling information in the financial statements with the
  underlying accounting records, including agreeing or reconciling information
  in disclosures;
● examining material journal entries and other adjustments made during the
  course of preparing the financial statements.


4.2 ADEQUACY OF THE AUDIT EVIDENCE


The auditor should consider whether adequate audit evidence was obtained
and documented, together with the procedures performed.
■ Audit evidence (ISA 500 and ISAE 3000)
  The auditor should consider whether the audit evidence obtained:
  • is sufficient:
    – to reduce the risk to an acceptable level; and
    – to justify his/her opinion on the fair presentation of the statements.
  • is appropriate:
    – reliable, relevant.
    – consider the nature (written/verbal) and source (internal/external).
■ Documentation (working papers) (ISA 230)
  The auditor should consider whether the working papers:
  • contain sufficient information of the work performed and audit evidence
    obtained;
  • are properly cross-referenced to the working papers, trial balance and
    financial statements; and
  • are adequately reviewed by senior staff members and the audit partner.
■ Obtain as standard confirmation
  • an attorney’s letter (enquiry from legal advisers); and
  • a management representation letter.

4.3 EVALUATION OF MISSTATEMENTS IDENTIFIED DURING THE AUDIT


The auditor should consider the audit differences to determine the effect
thereof on the financial statements and the audit opinion.
■ Determine final materiality (ISA 450)
  The auditor’s determination of planning and performance materiality is
  often based on estimates of the entity’s financial results because of the
  fact that actuals may not yet be known or available. It may therefore
  be necessary to revise planning materiality based on the actual financial
  results. This materiality figure will then be used to evaluate the effect of
  uncorrected misstatements.
■ Consider the nature of misstatements
  Misstatements: These are the differences between the amount included
  in the financial statements and the amount as supported by the audit
  evidence.


  Nature of misstatements:
  • factual misstatements (amounts, accounting treatment, disclosure);
  • judgemental misstatements (inherent uncertainties, scope limitation);
    and
  • projected misstatements (the auditor’s best estimate of misstatements
    in populations or the projection of misstatements identified in audit
    samples to entire populations from which the samples were drawn).
  The auditor should consider in respect of the identified misstatements, the
  amounts involved and the nature thereof. The auditor should further
  consider the risk that undetected misstatements may still exist.
■ Consider the state of provisions and contingent liabilities/contingencies
  The auditor should consider whether contingencies that include provisions
  and contingent liabilities are properly accounted for and disclosed in the
  financial statements (e.g. litigation, claims, warranty costs, etc.).
■ Materiality of misstatements and the effect thereof on the financial
  statements and audit opinion
  The auditor should consider the effect of the misstatements on the
  financial information in accordance with his/her final materiality amount.
  Schedule of misstatements (overs and unders): The auditor lists all
  misstatements found during the audit on the list of misstatements for
  consideration of their effect on the financial statements:
  • separately in respect of each line item audited (individual level); and
  • joint/total effect of all differences taken together (total level).
  The above involves both a qualitative and a quantitative evaluation of the
  materiality of the misstatements, both individually and then in aggregate.
  NOTE: Unadjusted misstatements of previous periods can affect the fair
        presentation of the financial statements and must be carried forward
        from year to year on the list of misstatements so that the
        cumulative effect of unadjusted differences on the financial
        statements can be considered.
  Non-material misstatements: will not affect the fair presentation of the
  statements:
  • report to management;
  • consider whether the cumulative effect is not material; and
  • carry it forward to the list of misstatements.


  Material misstatements: request the client to change the financial
  statements:
  • YES: unqualified audit report; and
  • NO: qualify the audit report.
  The auditor may determine an amount below which misstatements would
  be clearly trivial. Misstatements below this amount will therefore not be
  accumulated because the auditor is of the opinion that the accumulation of
  such amounts would not have a material effect on the financial statements.
■ Search for information that could affect the fair presentation of the
  financial statements
  • Search for unrecorded liabilities
    The auditor should perform the following audit procedures to identify
    unrecorded liabilities. They can consist of:
    – inspection of/reading through minutes of meetings of shareholders,
      board of directors, board committees and management
      for the period covered during the audit and thereafter;
    – enquiry from internal and external legal advisers (ISA 501);
    – enquiry from management and obtainment of a management
      representation letter on:
      * the existence of legal actions and pending litigation;
      * guarantees provided; and
      * the insurance cover;
    – read through the correspondence files of:
      * the South African Revenue Service;
      * suppliers and clients; and
      * bankers, etc.
    – work through contracts and material agreements. Note:
      * guarantees, penalty clauses; and
      * determination of price/profit amounts;
    – work through accounting records for entries that could indicate
      unrecorded/undisclosed transactions (e.g. cashbook, journal, etc.).
  • Search for related party transactions
    The procedures will include the following (ISA 550):
    – Review prior years’ working papers for names of related parties.
    – Review the entity’s procedures for identification of related parties.
    – Enquire as to the affiliation of directors and officers with other
      entities.
    – Review share registers/records for names of major shareholders.
    – Review minutes of board and committee meetings, as well as
      shareholders’ meetings.
    – Review statutory registers, for example register of directors’ interests
      in contracts.
    – Enquire of other auditors about their knowledge of related parties.
    – Review tax and other statutory returns.
    – Review the accounting records for abnormal transactions.
    – Review confirmation letters for indication of related party
      transactions, for example loans and bank confirmations for guarantor
      relationships, etc.
    – Investigate investment transactions, for example equity interests
      acquired or sold.
    – Consider the adequacy of the internal control procedures over the
      authorisation and recording of related party transactions.
    – Review information provided by management regarding related
      party transactions and be alert for other similar transactions.
    – Obtain a management representation letter in respect of related
      party transactions.
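
The quantitative side of the schedule of misstatements described earlier in section 4.3, as an added example that is not part of the handbook: it drops clearly trivial amounts, nets overs and unders per line item (individual level) and in total (total level), includes misstatements brought forward from previous periods, and compares both levels with final materiality. The sign convention, the use of one materiality figure at both levels, the "reaches or exceeds" threshold, all names and all figures are assumptions; the qualitative evaluation remains a matter of judgement.

```python
from dataclasses import dataclass
from decimal import Decimal

ZERO = Decimal("0")


@dataclass(frozen=True)
class Misstatement:
    line_item: str
    amount: Decimal                 # assumed convention: + overstates profit, - understates it
    nature: str                     # "factual", "judgemental" or "projected"
    brought_forward: bool = False   # unadjusted misstatement of a previous period
    corrected: bool = False         # client has already changed the statements


def evaluate_schedule(items, final_materiality, clearly_trivial):
    """Quantitative evaluation of the list of misstatements."""
    # Amounts below the clearly trivial threshold are not accumulated.
    accumulated = [m for m in items if abs(m.amount) >= clearly_trivial]
    uncorrected = [m for m in accumulated if not m.corrected]

    # Individual level: net overs and unders per line item.
    by_line = {}
    for m in uncorrected:
        by_line[m.line_item] = by_line.get(m.line_item, ZERO) + m.amount

    # Total level: joint effect of all uncorrected differences, including
    # those carried forward from previous periods.
    total = sum(by_line.values(), ZERO)

    material_lines = sorted(
        line for line, net in by_line.items() if abs(net) >= final_materiality
    )
    material_in_total = abs(total) >= final_materiality

    if material_lines or material_in_total:
        action = "request adjustment; qualify the audit report if the client refuses"
    else:
        action = "report to management and carry forward on the list of misstatements"

    return {
        "not_accumulated": [m for m in items if abs(m.amount) < clearly_trivial],
        "by_line": by_line,
        "total": total,
        "material_lines": material_lines,
        "material_in_total": material_in_total,
        "action": action,
    }


# Constructed sample schedule; every figure is illustrative.
SCHEDULE = [
    Misstatement("Inventory", Decimal("60000"), "projected"),
    Misstatement("Trade receivables", Decimal("45000"), "judgemental"),
    Misstatement("Maintenance expenses", Decimal("-20000"), "factual"),
    Misstatement("Sundry expenses", Decimal("3000"), "factual"),
    Misstatement("Revenue", Decimal("30000"), "factual", brought_forward=True),
    Misstatement("Revenue", Decimal("80000"), "factual", corrected=True),
]
FINAL_MATERIALITY = Decimal("100000")
CLEARLY_TRIVIAL = Decimal("5000")

if __name__ == "__main__":
    result = evaluate_schedule(SCHEDULE, FINAL_MATERIALITY, CLEARLY_TRIVIAL)
    for line, net in result["by_line"].items():
        print(f"{line:22} {net:>10}")
    print(f"{'Total':22} {result['total']:>10}")
    print("material in total:", result["material_in_total"])
    print(result["action"])
```

In the sample no single line item reaches final materiality, but the total does once the misstatement brought forward from the previous period is included.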

4.4 OVERALL REVIEW OF THE FINANCIAL INFORMATION


The auditor should perform an overall review of the financial information to
determine if it is fairly stated in the financial statements.
■ Draft financial statements
  Obtain the draft financial statements during the completion of the audit
  process and:
  • test the castings and calculations on the statements;
  • cross-reference (or agree) the draft financial statements to the trial
    balance and working papers.
■ Final analytical procedures (ISA 520)
  During the completion phase of the audit, the auditor should perform final
  analytical procedures based on the draft financial statements.
  The purpose of this is to serve as a general reasonableness test to
  determine whether the conclusion on the line items in the statements is
  reasonable, and to identify possible areas which require further procedures.
  NOTE: The final analytical procedures will consist of a comparison of the
        amounts in the draft financial statements with the previous year’s
        statements, budgets, information and trends of the industry and
        elements of the financial statements (e.g. debtors, sales, etc.).


■ Consider the fair presentation of the financial statements
  The purpose of the overall review at the end of the audit is to determine:
  • whether the financial statement assertions are complied with;
  • whether the information contained in the statements agrees with the
    auditor’s knowledge of the business and the audit evidence obtained;
    and
  • whether the financial information as contained in the statements, is
    fairly presented.
  The factors to consider:
  • Compliance with the fundamental accounting principles and Accounting
    Framework requirements:
    – matching, prudence, consistency, going concern.
  • The accounting policy applied:
    – compliance with the relevant financial reporting framework;
    – applicability; and
    – consistency of the application thereof.
  • Financial position and results of operations:
    – consider whether the position and results of the operations as
      reflected in the statements, agree with the audit evidence obtained
      from the working papers and the auditor’s knowledge of the
      business;
    – consider the appropriateness of the going concern assumption of
      the financial statements.
  • Fairness of presentation and disclosure:
    – consider whether the amounts in the financial statements are, in
      accordance with the applicable financial reporting framework and
      the statutory requirements, correctly:
      * classified; and
      * disclosed;
    – consider compliance with the statutory requirements and regulations:
      * also ensure that the substance of the transaction is reflected
        rather than its legal form.


4.5 CONSIDERING WHETHER OR NOT THE LIABILITIES EXCEED THE ASSETS

The auditor should consider whether the liabilities do not exceed the assets,
based on the fair value of the assets and liabilities.
Where the entity is trading whilst the liabilities exceed the assets, this will:
● affect the going concern and the audit opinion, and
● probably be indicative of the existence of a Reportable Irregularity in terms
  of section 45 of the Auditing Profession Act.
The auditor’s considerations and procedures where the liabilities exceed the
assets will be dealt with further in section 7.

4.6 CONSIDERATION OF POST-BALANCE SHEET EVENTS


The auditor should consider events that occurred after the balance sheet date
that could affect the financial statements.
The auditor’s considerations and procedures in respect of subsequent events
will be dealt with in section 6.

4.7 CONCLUDING AND REPORTING


The auditor formulates his/her opinion and reports on the financial statements.
This entails:
● formulating an opinion on the financial statements (ISA 700, 701, 705, 706
  and ISAE 3000);
● performing a quality control review to determine if the firm’s policies have
  been adhered to (ISA 220);
● considering the reasonableness of other information in documents which
  contain audited statements (ISA 720);
● comparing the final financial statements with the draft audited statements;
  and
● reporting to:
  • management;
  • those charged with governance; and
  • shareholders.

4.8 POST-AUDIT REVIEW


● Perform a staff evaluation.
● Consider aspects of importance in respect of future audits and document
  them in the next year’s working papers.
● Consider the viability of re-engagement and issue a letter of engagement if
  necessary.
● Invoicing of the client.


5. GOING CONCERN CONSIDERATIONS


During the completion of the audit, the auditor must consider whether the entity is
still a going concern. This directly affects the audit opinion.
SOURCE REFERENCE: ISA 570 “Going Concern” (revised)

5.1 GOING CONCERN CONCEPT


The concept accepts that the entity will continue in operational existence for
the foreseeable future. This means in particular that the income statement and
the balance sheet are prepared on the assumption that no intention or necessity
exists to liquidate or curtail significantly the scale of operations.
■ Management’s responsibility
  Management is responsible for considering whether the going concern
  assumption is appropriate and then preparing the financial statements
  accordingly.
■ The auditor’s responsibility
  The auditor is responsible to consider whether uncertainty exists that may
  cause the financial statements to be misstated. For this, audit procedures
  need to be performed.

5.2 FORESEEABLE FUTURE


The auditor considers the foreseeable future but there is no certainty on the
outcome of future events. The financial statements should reflect the
predictable position.
The foreseeable future refers, but is not limited to, one year after the balance
sheet date (as defined in the Accounting Framework, IAS 1).

5.3 THE AUDITOR’S CONSIDERATION OF THE GOING CONCERN CONCEPT


At the planning stage the auditor should consider the risk that the going
concern concept underlying the financial statements may be inappropriately
applied. The auditor considers events and conditions relating to the going
concern assertion when performing risk assessment procedures.
During the review and evaluation phase the auditor should reconsider the
going concern concept (this could differ from that in the planning phase) by
evaluating management’s assessment of the ability of the entity to continue as
a going concern, and their actions in this regard.


5.4 FACTORS WHICH MAY CAUSE CONCERN AS TO THE ENTITY’S ABILITY TO CONTINUE
AS A GOING CONCERN

■ Financial indicators
  • net current assets/liability-position;
  • substantial fixed term borrowings approaching maturity without realistic
    prospects of renewal or repayments, or excessive reliance on short-term
    borrowings to finance long-term assets;
  • adverse key financial ratios;
  • indications of withdrawal of financial support;
  • negative cash flows;
  • substantial losses;
  • arrear or discontinuance of dividends;
  • inability to pay creditors on due dates or difficulty in complying with
    loan agreements;
  • change from credit to cash-on-delivery transactions at the request of
    suppliers; and
  • inability to obtain financing for necessary new product developments
    or other necessary investments.
■ Operating indicators
  • loss of key management without replacement;
  • loss of major markets, franchises or licences;
  • loss of major suppliers or shortage of supplies; and
  • labour difficulties.
■ Other indicators
  • pending legal proceedings against the entity that may, if successful,
    result in judgements that could not be met;
  • non-compliance with statutory requirements or regulations;
  • a decision by management to discontinue the whole, or a substantial
    part, of the business; and
  • changes in legislation that may adversely affect the entity.


5.5 PROCEDURES TO ASSESS THE APPLICABILITY OF THE GOING CONCERN

If events or conditions have been identified (based on 5.4 above) that may cast
doubt on the ability of the entity to continue as a going concern, the auditor
must perform additional procedures in order to obtain sufficient and
appropriate audit evidence on whether material uncertainty exists regarding the
going concern status of the entity. These procedures will include:
● Discuss with management future plans, including:
  • sale of assets/financial lease instead of purchase;
  • expiry dates of loans renewed/extended/debt deferred/subordination/
    restructuring;
  • expenses deferred/reduced; and
  • additional equity capital obtained.
● Consider information obtained from outside sources in respect of the
  going concern (media, etc.).
● Obtain a management representation letter in respect of the going concern.
● Analyse and discuss cash flow, profit and other projections with management.
● Analyse and discuss the entity’s latest available financial statements.
● Review the terms of debentures and loan agreements and determine if
  they had been breached.
● Read minutes of directors’, committee, management and shareholders’
  meetings for indications of financial problems.
● Enquire of the legal advisers regarding litigation and claims.
● Confirm the existence and enforceability of agreements for financial support.
● Consider the entity’s ability to fulfil clients’ orders.
● Review post-balance sheet events.
● Perform analytical procedures in respect of prior years, budgets, etc.


5.6 CONSIDER THE EFFECT ON THE AUDITOR’S REPORT


Based on the audit evidence obtained by performing the procedures above,
the auditor will then determine the effect of an uncertainty or a difference (entity
is not a going concern) on the audit opinion.
■ Going concern problem: financial statements prepared on liquidation
  basis: unmodified opinion.
■ Uncertainty about going concern:
  • adequately disclosed in the statements: unqualified opinion with a
    Material Uncertainty Related to the Going Concern paragraph;
  • not disclosed or not adequately disclosed:
    – material: qualified opinion with an explanation of the facts giving rise
      to the uncertainty under the Basis for Qualified Opinion paragraph
    – pervasive (fundamental): adverse opinion with an explanation of the
      facts giving rise to the uncertainty under the Basis for Adverse
      Opinion paragraph
■ Multiple uncertainties regarding the applicability of the going concern:
  • disclaimer of opinion.

5.7 COMMUNICATING WITH THOSE CHARGED WITH GOVERNANCE


Unless all those charged with governance are part of management, the auditor
shall communicate the following to those charged with governance:
● whether the events or conditions constitute a material uncertainty;
● whether management’s use of the going concern basis is appropriate for
  preparation of the financial statements;
● the adequacy of related disclosure in the financial statements; and
● the applicable implications for the auditor’s report.


6. SUBSEQUENT EVENTS
Auditors should consider the possibility that events could occur after the balance
sheet date that could affect the financial statements. The auditor thus needs to
perform procedures to identify such events.
SOURCE REFERENCE: ISA 560 “Subsequent events”
IAS 10 “Events after the balance sheet date”

6.1 DEFINITIONS
Events after the balance sheet date: These are events, favourable and
unfavourable, that occurred between the balance sheet date (end of the
period) and the date on which the financial statements are approved for
issue. There are two types of events, namely:
  • those that provide additional evidence of conditions that existed at
    the end of the period; and
  • those that are indicative of conditions that arose subsequent to the
    period-end.
Subsequent events: These refer to events that occurred between the end of the
period and the date of the auditor’s report, or information discovered after
the date of the auditor’s report.

6.2 EVENTS UP TO THE DATE OF THE AUDITOR’S REPORT


The auditor should perform procedures to obtain evidence that all events up to
the date of the auditor’s report which require adjustment of, or disclosure in,
the financial statements are dealt with in the financial statements.
Such audit procedures should be performed as close as possible to the date
of the auditor’s report.
L Procedures to identify events
• Review procedures performed by management to identify events.
• Inspect minutes of meetings of shareholders, the board of directors,
audit committees and executive committees, and enquire about
matters where minutes are not available.
• Review the latest interim financial statements, budgets, etc.
• Enquire from legal advisers on pending litigation/claims, etc.
• Consider relevant information which came to the auditor’s attention
from sources outside the entity.

• Enquire from management whether subsequent events occurred which
may affect the financial statements. Examples of enquiries include:
– the current status of items accounted for on preliminary or
inconclusive data;
– whether new contracts, commitments, etc., were entered into;
– whether material assets were sold/disposed of;
– whether new issues of shares/debentures were made/planned;
– appreciation of assets;
– whether any assets were sold at lower than book value;
– developments on risk areas;
– whether any extraordinary accounting adjustments were made;
and
– applicability of the going concern.
• In respect of group situations, if a component is audited by another
auditor, the principal auditor should:
– consider the procedures performed by the other auditor to identify
subsequent events; and
– inform the other auditor of the planned date of the auditor’s report.
L Actions in respect of events discovered
The auditor should ensure that such events are properly accounted for
and disclosed in the financial statements.

6.3 INFORMATION DISCOVERED AFTER THE DATE OF THE AUDIT REPORT,
BUT BEFORE THE FINANCIAL STATEMENTS ARE ISSUED
(CAN STILL CHANGE THE AUDIT REPORT)
After the date of the audit report, the auditor does not have any duty to perform
procedures/make enquiries in respect of the financial statements.
During the period between the date of the audit report and the date of issue of
the financial statements, it is the responsibility of management to inform the
auditor of facts which may affect the financial statements.
L Actions of the auditor if he/she becomes aware of facts that may
materially affect the financial statements
• Consider whether the financial statements should be adjusted.
• Discuss the matter with management.
• If management changes the statements:
– perform audit procedures on the revised statements; and
– issue a new audit report, with a date not earlier than the revised
financial statements.

• If management refuses to change the statements, and the auditor
deems it necessary:
– if the auditor’s report has not yet been issued: qualify;
– if the report has already been issued to the entity, inform
management not to make the auditor’s report available to third parties;
– if it is released, the auditor should take steps to limit reliance on
his/her report.

6.4 INFORMATION DISCOVERED AFTER THE FINANCIAL STATEMENTS
HAVE BEEN ISSUED
After the issue of the statements, the auditor does not have any duty to make
enquiries about such statements.
L Actions of the auditor if he/she becomes aware of facts which could
affect the auditor’s report
• Consider whether the financial statements should be changed.
• Discuss the matter with management.
• If management changes the statements:
– perform audit procedures on the amended statements;
– review procedures performed by management to inform persons
in possession of the old statements that they have been replaced;
– issue a new auditor’s report:
* with a date not earlier than the revised financial statements;
and
* which must contain an emphasis of matter paragraph that
refers to a note in the statements about the change.
• If management refuses to change the statements, and the auditor
deems it necessary, he/she must:
– inform management that he/she is going to act; and
– take steps to limit reliance by third parties on his/her report:
* such steps will depend on legal advice obtained and the
auditor’s legal duties and responsibilities.

6.5 FACTORS TO CONSIDER AND PROCEDURES TO PERFORM WHERE
MANAGEMENT REFUSES TO AMEND THE STATEMENTS
The ISA does not provide any guidance in this regard. However, an earlier
version did provide the following guidance:
L Factors that will determine the auditor’s actions to limit reliance on
his/her report where management refuses to change the statements
The actions will depend on:
• The steps taken by management to prevent reliance on the
statements.
• The auditor’s certainty that persons will rely on the statements.
• The auditor’s ability to contact persons in possession of the
statements.
• The time lapse since the date of the issue of the auditor’s report.
• The approaching issue of the next financial statements.
• The issue of subsequent financial statements by management.
• The legal position of the auditor in view of legal advice obtained.
L Actions of the auditor to prevent reliance being placed on his/her
auditor’s report (where the statements were not changed)
Actions:
• Attend the annual general meeting and state his/her case.
• Inform each person who the auditor is aware of as being in possession
of the original financial statements that reliance can no longer be
placed on his/her auditor’s report.
• Inform each person, of whom the auditor is aware, that will rely on
his/her audit opinion, that reliance can no longer be placed on his/her
opinion.
• Make an announcement through the public media that reliance can no
longer be placed on the auditor’s report.
• Inform regulating bodies with jurisdiction over the entity that reliance
can no longer be placed on the auditor’s report.
• Act in terms of section 45 of the Auditing Profession Act.
• Consider advice of legal advisers.

6.6 SECURITIES OFFERED TO THE PUBLIC


The auditor must perform procedures to ensure that there are no facts that
should have been stated in the document.

7. TRADING WHILST THE LIABILITIES EXCEED THE ASSETS
(FACTUAL INSOLVENCY)
The auditor should consider the conditions that exist and the procedures to follow
where the entity is trading whilst the liabilities exceed the assets.
SOURCE REFERENCE: SAICA Guideline: Trading whilst factually insolvent
Circular 2/2002 “Subordination agreements”
Circular 3/2002 “Letters of support”
IRBA Guide: Reportable Irregularities in terms of
the Auditing Profession Act (2015)


7.1 BACKGROUND
This guideline deals with circumstances where an entity is trading whilst the
liabilities exceed the assets (factual insolvency). It also deals with the auditor’s
statutory reporting responsibility in terms of section 45 of the Auditing
Profession Act.
Where the liabilities of an entity exceed its assets and the entity continues to
trade, there is a major risk of irregularities, consisting of:
l common law fraud;
l the intent to defraud; and
l reckless trading.

7.2 CONSIDERATIONS IN RESPECT OF IRREGULARITIES


The considerations involved are concerned with irregularities that may
qualify as a material irregularity in terms of section 45 of the Auditing
Profession Act.
l The financial position of the company must be considered on the basis of
the fair value of the assets and liabilities (not book values). Consider the
going concern values based on the assumption that the entity will continue
to do business.
l The simple fact that the liabilities exceed the assets does not represent an
irregularity. This does, however, create a condition that may give rise to
irregularities consisting of:
• Fraud
– Common law fraud
Consists of the intent to act in a manner that may cause real or
potential loss.
NOTE: Where directors order items and incur debts, they are
presenting the seller with a gentlemen’s agreement and
assurance that they will be able to pay for the items. If
they know there is no likelihood of payment and that there
are no means to pay, they are committing fraud.
– Intent to defraud under the Companies Act
Consists of the fact that the company’s business is run with the
express and implicit intent to defraud the creditors.
NOTE: Common law fraud applies to all types of entities, whereas
the Companies Act is of a statutory nature and applies
only to companies.
• Recklessness in terms of the Companies Act
Persons who participate in the reckless carrying on of a business, or in
a grossly negligent manner, are guilty of an offence.


7.3 ACTION OF THE AUDITOR WHERE LIABILITIES EXCEED THE ASSETS


l Consider the financial position based on the fair value of the assets and
liabilities (going concern values).
l If the liabilities still exceed the assets, carefully consider compliance with
the requirements of section 45 of the Auditing Profession Act, namely:
• consider the existence of an unlawful act or omission in terms of the
common law and the Companies Act relating to fraud, recklessness,
and negligence;
• committed by any person responsible for the management of the
entity;
• material financial loss to members or creditors: harmful or potentially
harmful practice resulting in monetary losses;
Yes: act in terms of section 45:
• report the irregularity to the IRBA and within three days to the
management in terms of section 45;
• state full particulars of the irregularity;
• discuss with management within 30 days;
• consider management’s reply carefully (consider the steps taken by
management to satisfy the auditor that no irregularity exists);
• report findings to the IRBA;
• document all considerations in full in the working papers; and
• obtain legal advice to support the opinion.
No: document the findings/reasons in the working papers.

7.4 STEPS THAT MANAGEMENT MAY TAKE TO SATISFY THE AUDITOR
THAT NO IRREGULARITY IS TAKING PLACE, OR THAT STEPS HAVE
BEEN TAKEN TO PREVENT THE LOSS
These include:
l the provision of proof that the company can be reasonably expected to
make such profits that the assets will exceed the liabilities within the
foreseeable future;
l conversion of loan to share capital, issue of new share capital;
l providing guarantees for debts;
l entering into subordination or back ranking agreements;
l providing letters of support from the holding company;
l applying for a liquidation order (winding-up order); or
l applying for Business Rescue.


The auditor must ensure that the proposed steps are viable and attainable.
This is done by:
l inspection of minutes, decisions, etc.;
l inspection of documentation (contracts, agreements, etc.);
l enquiring of third parties; and
l considering/investigating management plans and proposed actions.
Considerations in respect of subordination agreements
Subordination agreements are binding legal undertakings by a creditor not to
demand repayment of debts for a certain period.
L Auditor’s considerations in respect of subordination agreements
The auditor must consider the following in respect of subordination
agreements:
• the intent and the ability of the creditor to honour the agreement;
• whether the creditor has the legal right to enter into the subordination
agreements;
• the factual solvency of the creditor on the day of subordination:
– whether the creditor’s assets exceed the liabilities after
subordination;
– whether the subordination could lead to a “disposition without
value”;
• whether the agreement is in writing;
• whether the agreement complies with all the legal requirements;
• whether it is properly signed by an authorised official of the creditor/
accepted by the client;
• whether the subordinated amount is sufficient for the assets to exceed
the liabilities, excluding the subordinated amount;
• the proper disclosure of the subordination agreement in the financial
statements;
• the validity and existence of the agreement on the date of the audit
report; and
• for overseas creditors providing subordination agreements, the legal
and statutory requirements of that country.
L Considerations by the auditor of the subordinate
The auditor of the subordinate must consider:
• the materiality of the subordinated amount;
• the provision for possible losses; and
• the disclosure of the subordination in financial statements.


L Letters of support
This is a letter from a creditor, normally the parent company, in which
support is pledged for the financial position of a company. The auditor
should consider the legal power and commitment indicated by the letter of
support and, if necessary, obtain legal advice.

15

MANAGEMENT CONSULTING SERVICES,
SPECIAL AUDIT INVESTIGATIONS, ASSURANCE
ENGAGEMENTS OTHER THAN AUDITS OR
REVIEWS OF HISTORICAL FINANCIAL
INFORMATION, SUSTAINABILITY
REPORTING AND INTERNAL AUDIT SERVICES

1. Introduction
1.1 General principles
1.2 Ethical principles
2. Management consulting services
2.1 Definition
2.2 Performing management consulting services
2.3 Principles for the provision of management consulting services
2.4 Management consulting practice
2.5 Scope of management consulting services
2.6 Matters to be agreed upon with a client in the engagement letter
2.7 Carrying out the work
3. Special investigations
3.1 Definition
3.2 Principles
3.3 Due diligence investigations
3.4 The consideration of environmental matters in the audit of financial
statements
3.5 Performance auditing
4. Assurance engagements other than audits or reviews of historical
financial information
4.1 Ethical requirements
4.2 Quality control
4.3 Engagement acceptance and continuance
4.4 Planning the engagement
4.5 Obtaining evidence
4.6 Reporting
5. Sustainability reporting
5.1 Background
5.2 Assurance on sustainability reporting
5.3 Level of assurance
5.4 Preconditions for engagement
6. Internal audit services
6.1 Definition
6.2 Scope
6.3 Principles for distinguishing between external and internal auditing
6.4 Procedures for performance of the work
6.5 Provision of internal audit services by audit firms
6.6 Co-operation with external auditors
6.7 Aspects that the external auditor should consider to determine if
use can be made of internal audit work (ISA 610)
6.8 Examples of work performed by internal audit on which external
audit can place reliance/use
6.9 Audit work to establish reliance on the work of internal audit
6.10 The use of internal auditors to provide direct assistance on the audit
6.11 Benefits to the external auditor of reliance on the work of internal
auditors
6.12 Additional audit procedures where reliance on internal audit is not
justified
CHAPTER 15: Management consulting services, special audit investigations

1. INTRODUCTION
In this chapter, the focus will be on management consulting services, special
audit investigations, independent assurance reports and internal audit services
that the auditor can provide to the client.
SOURCE REFERENCES
ISA 610: “Using the work of internal auditors”
ISAE 3000 “Assurance engagements other than audits or reviews of
historical financial information”
The following standards are dealt with in chapter 16:
ISRE 2400: “Engagements to review financial statements”
ISRS 4400: “Engagements to perform agreed-upon procedures”
ISRS 4410: “Engagements to compile financial information”
ISAE 3400: “The Examination of Prospective Financial Information”
ISAE 3402, “Assurance Reports on Controls at a Service Organisation”, is
dealt with in chapter 9.
ISAE 3410, “Assurance Engagements to Report on Greenhouse Gas
Statements” is beyond the scope of this book.

1.1 GENERAL PRINCIPLES


Before accepting any engagement, a practitioner should carry out proper
pre-engagement activities, including the assessment of client integrity and the
completion of an engagement letter.
Whilst performing any engagement, the practitioner should:
l comply with all ethical requirements;
l implement quality control procedures applicable to the engagement;
l plan the work properly in order to ensure an effective engagement;
l plan and perform the work with an attitude of professional scepticism;
l document the work performed during the engagement in order to provide
evidence that the engagement was carried out in terms of the engagement
conditions.

1.2 ETHICAL PRINCIPLES


A practitioner providing consulting services should behave professionally at all
times and comply with all aspects of the Code of Professional Conduct.
l Integrity: The practitioner must act with honesty and objectivity.
l Objectivity: The practitioner must act in the best interests of the
client under the specific circumstances.
The practitioner is obliged to determine, when providing any professional
service, whether or not there are any threats to compliance with the
fundamental principle of objectivity.
The existence of threats to objectivity when providing any professional
service will depend upon the particular circumstances of the engagement
and the nature of the work that the practitioner is performing.
l Independence: The practitioner must act in such a way that
independence is maintained.
Where management consulting services are provided to attest clients, the
practitioner should consider self-interest and self-review threats to
independence.
The practitioner must not perform any management functions or make
management decisions.
The practitioner’s actions must be limited to making recommendations and
providing advice.
l Conflicts of Interest: Conflicts of interest create threats to objectivity
or other fundamental principles. Such conflicts might arise where an
accountant undertakes professional activity related to a matter:
• for two or more parties whose interests are in conflict; or
• where the accountant’s interests are in conflict with those of the
client.
l Professional competence and due care: The practitioner should not
undertake significant tasks unless he or she has, or can obtain, sufficient
specific training or experience and should seek appropriate expert advice
and assistance when required. Clients should also not be misled as to the
level of expertise or experience of the practitioner.
l NOCLAR: The practitioner should also bear in mind the requirements of
sections 225 and/or 360 of the Code relating to Responding to
Non-Compliance with Law and Regulations.
If safeguards cannot eliminate or reduce the threat to an acceptable level, the
practitioner should decline or terminate the relevant engagement.
Where any ethical threats are identified, the practitioner should evaluate the
significance of these threats and apply safeguards where necessary to
eliminate them or reduce them to an acceptable level.


Examples of such safeguards include:


l withdrawing individuals from the engagement team;
l supervisory procedures;
l terminating the financial or business relationship giving rise to the threat;
l discussing the issue with higher levels of management within the firm;
l discussing the issue with those charged with governance of the client; and
l reporting to regulators where necessary.

2. MANAGEMENT CONSULTING SERVICES

2.1 DEFINITION
Management consulting services comprise the provision of professional advice
and technical assistance to a client to enable the client to achieve the
objectives of the enterprise.

2.2 PERFORMING MANAGEMENT CONSULTING SERVICES


The principles related to management consulting services apply to any
member registered with SAICA, or any person under the member’s control.
The above persons can be held responsible for non-compliance with the
relevant Standards.
2.3 PRINCIPLES FOR THE PROVISION OF MANAGEMENT CONSULTING
SERVICES
Concerning management consulting services:
l The practitioner is responsible only to the client for any findings, conclusions
or recommendations presented.
l The scope of the work is limited to that agreed with the client.
l The work is performed for the benefit of the client, without any obligation to
third parties.
When reporting on the work:
l Reports involving assurance work, reviews and compilations should comply
with the relevant Standards set out above.
l Reports should be consistent with the nature of the work undertaken and
should set out the purpose of the engagement.
l Reports should restrict distribution to the persons for whom they are intended
and indicate any limitation of liability.
l Reports should set out the nature of work undertaken and also include
appropriate comments, findings, conclusions and recommendations for the
client to use as a basis for decision-making.


2.4 MANAGEMENT CONSULTING PRACTICE


Management consulting or advisory services may be performed by a sole
practitioner, individuals within a partnership or through a company or close
corporation. It is not necessary for fellow members to be chartered
accountants, provided that no audit services are provided.

2.5 SCOPE OF MANAGEMENT CONSULTING SERVICES


Consulting services include but are not necessarily limited to:
l Consultations: Providing advice to clients based on existing personal
knowledge, for example:
• reviewing and commenting on a business plan, tax consultations, etc.
l Advisory services: Formulating findings and conclusions and making
recommendations for the client to consider and which the client can use as
a basis for decision-making, for example:
• assistance with strategic planning; and
• establishing the requirements for an information system.
l Implementation services: Assisting the client in the implementation of an
action plan, for example:
• installation of a computer system for the client; and
• assistance with mergers.
l Transaction services: Providing assistance with specific transactions,
for example:
• valuations; and
• potential mergers.
l Staff and other support services: Providing staff and support to clients,
for example:
• data-processing facilities; and
• internal audit services.
l Product services: Providing products to the client, as well as the
installation and maintenance of the products, for example:
• the installation of computer software.
Other examples include:
l accounting advisory and financial management advisory services;
l business consulting, including personnel and change management;
l internal audit, risk and compliance advisory services;

l corporate governance and audit committee advisory services;
l sustainability reporting advisory services (refer to section 5 of this chapter);
l corporate finance services;
l business rescue and recovery services;
l financial risk management services;
l information technology (IT) advisory services;
l dispute advisory and resolution services;
l ethics and integrity monitoring;
l fraud risk management;
l intellectual property advisory services.

2.6 MATTERS TO BE AGREED UPON WITH A CLIENT IN THE ENGAGEMENT
LETTER
l Nature, scope and objectives of the engagement.
l The duties and responsibilities of the client.
l The duties and responsibilities of the practitioner.
l Limitations within which the engagement must be performed.
l An analysis of any risks underlying the engagement which could lead to
the objectives not being achieved.
l An analysis of the benefits for the client if the assignment is successful.
l The proposed working plan.
l Normal routine matters which are included in any engagement letter, such
as:
• limitation of liability;
• restrictions on the use of reports; and
• the basis on which fees will be charged.
Refer also to the SAICA Publication, “Engagement Letters for Non-Assurance
Services”, which includes an illustrative engagement letter and terms and
conditions for non-assurance services, as well as examples of scope paragraphs
for certain individual types of service.

2.7 CARRYING OUT THE WORK


Where management consultants perform an assignment, the fundamental
principles for the performance of any assignment apply. Specifically, the
following areas apply:
L Engagement considerations
• Perform a client investigation. Consider:
– independence;
– conflict of interest;

– the client’s business standing/integrity of management/business
risk, etc.;
– changes in the entity; and
– communication with the auditor of the entity if the practitioner is
not already the auditor.
• Consider the requirement for competence and resources, specifically:
– financial and technical knowledge required must be identified and
provided for; and
– the need for specialist expertise must be identified and suitable
experts must be identified.
L Planning
• Obtain an understanding of the entity – its business, industry, etc.
• Formulate a plan to perform the assignment.
L Performing the assignment
• Obtain knowledge and evidence through procedures, such as
inspection, observation, enquiry and confirmation where applicable.
• Obtain sufficient evidence to support the content of the report.
• Document the procedures performed, evidence obtained, conclusions,
etc. in the working papers.
• Supervise and review the work performed by staff.
L Reporting
Discuss all proposed reports with the client before submitting the final
report in writing.

3. SPECIAL INVESTIGATIONS
3.1 DEFINITION
Special investigations comprise investigations by practitioners for clients
concerning information other than annual financial statements, for example:
l Performance audits: To determine whether the client’s business is
operated in an economic, efficient and effective manner.
l Forensic audits: Investigations to determine whether:
• fraud has occurred; and
• where fraud has been confirmed, the extent and details thereof and the
amounts involved (e.g. for insurance purposes or in support of a
prosecution).
l Investigations in respect of mergers/take-overs: Reasonableness of
information contained in the financial statements.

l Compliance with contracts: Whether or not the provisions of contracts are
being met.
l Investigation of the effectiveness of internal controls.
l Reviews for compliance with corporate governance principles.
l Environmental audits: To determine whether or not the client complies with
laws, regulations and best practice concerning environmental issues.
l Due diligence investigations: Determine the reasonableness of information
in financial statements, contracts, etc.
l Other investigations and regulatory compliance.
NOTE: The above investigations are generally covered under assurance
engagements other than audits or reviews of historical financial
information – refer to section 4 of this chapter.

3.2 PRINCIPLES
3.2.1 Nature of the investigation and the related report
The nature of the investigation will determine the level of assurance required
and to be expressed, or not expressed, and the anticipated form of the report
to be issued.
L Reasonable or limited assurance
This will apply where there are suitable criteria against which to measure
the subject matter. Assurance will be expressed in the report, in positive
(reasonable assurance) or negative (limited assurance) terms.
The format of a limited assurance report is covered in chapter 16
(ISRE 2400: “Engagements to Review Financial Information”).
L Applicability of ISAE 3000
Reasonable assurance or limited assurance reports may fall within the
ambit of ISAE 3000: Assurance engagements other than audits or reviews
of historical financial information – Refer to section 4 of this chapter.
L Report setting out factual findings
This will apply where the auditor expresses no assurance but reports on
the results of the agreed-upon procedures performed.
This is covered in chapter 16 (ISRS 4400: “Agreed-upon procedures”).
L Applicability of ISAs
Although not all work of this nature constitutes an audit in terms of ISAs,
the principles set out in the ISAs remain applicable, specifically those
concerning quality control and documentation.

3.3 DUE DILIGENCE INVESTIGATIONS


L Definition
Due diligence investigations comprise special investigations to provide
assurance to the parties involved in a transaction.

Auditors are frequently engaged by a buyer of an entity to perform audit
work designed to establish whether the seller has been 'diligent' in the
disclosure of all relevant issues. (There is nothing to prevent a seller from
appointing an auditor to establish due diligence before the sale.)
The crucial issue is to ascertain the nature of work required by the buyer.
Due diligence could involve:
• a full scope audit of financial statements (although not necessarily in
terms of IFRS);
• a limited assurance review of financial statements;
• agreed upon procedures; and/or
• additional work of a consulting nature such as assessing the impact of
significant contracts, risks to the business, human resources issues,
the calibre of staff and management, the adequacy of systems, envi-
ronmental issues etc. (The latter work would require the application of
ISA 315 – “Understanding the nature of the enterprise” and may
require the use of experts (ISA 620).) Financial audit work would not be
necessary if the seller has already provided audited financial state-
ments, but the due diligence work could then include a review of the
seller's auditors' working papers (ISA 600).
● Circumstances when required
Due diligence investigations are often performed as part of the finalisation
of:
• take-overs, mergers and acquisitions;
• contracts and agreements, etc.
● Procedures for financial due diligence investigations
The principles, requirements and procedures listed in 3.2 also apply in this
case. Specifically:
• Pre-engagement activities:
– consider acceptability of the engagement; and
– if accepted, document the conditions of the engagement in an
engagement letter.
• Plan the work and the areas to be covered:
– assets and liabilities;
– contingencies; and
– income and expenses.
• Perform the investigation:
– normal audit procedures of inspection, observation, enquiry and
confirmation; and
– document the procedures, evidence obtained and findings.
• Reporting:
Investigations of this nature will probably meet the requirements for
agreed-upon procedures engagements. Thus, the procedures per-
formed, and the related findings will be set out in the report, without
any audit assurance being expressed.
● Areas to be covered and procedures to be performed during financial
due diligence investigations
• General
– Statutory details: Memorandum of Incorporation, minutes.
– Annual financial statements (current and previous years): To
determine trends and patterns.
– Management accounts: Trends, patterns and areas which require
further investigation.
– Budgets (assets, income and expenses, cash flow): To determine
trends and patterns.
– Strategic plans.
– Standing, reputation and experience in the business community:
quality of products, service, etc.
– Management:
* integrity and reputation; and
* contracts with management.
– Agreements with suppliers, customers, other parties: Conditions,
etc.
– Existing contracts: conditions, obligations, profitability, etc.
– Intellectual property: Existence, conditions, tax treatment.
– Staff: Quality, years of service, experience.
• Statement of financial position (assets and liabilities)
– Receivables:
* Composition, large debtors, collection conditions and terms; and
* allowance for bad debts.
– Payables:
* Composition, large creditors, payment conditions; and
* unrecorded liabilities and obligations.
– Inventory:
* Confirm existence and ownership through inventory counts, inventory
records; and
* allowances for obsolete, damaged inventory and NRV.
– Property, plant and equipment:
* Confirm existence and ownership.
* Assess the fair value of the assets.

– Bank and overdraft facilities: Liquidity and cash resources.
– Loans: Conditions, interest, security.
• Liabilities
– Tax returns: Tax liability.
– Liabilities, guarantees, etc.: Conditions, commitments and contin-
gencies.
– Environmental liabilities: Pollution, restoration of the environment,
rectification of damage etc.
• Statement of comprehensive income (income and expenses)
– Profitability and profit margins.
– Contracts for income and expenses: Conditions and renewal
possibilities.
– Nature of income, expenses and completeness of recording.
• Conditions of the agreement
– Obligations of the seller and the buyer.
– The basis for determination of the price and terms.

3.4 THE CONSIDERATION OF ENVIRONMENTAL MATTERS IN THE AUDIT OF FINANCIAL STATEMENTS
Whilst this section deals specifically with considerations related to environ-
mental matters, the content is no more than an application of fundamental
auditing principles.
● Background
The auditor should, during the audit, consider the effect of environmental
aspects on the financial statements. This applies to both audit engage-
ments and review engagements.
In particular, the auditor should:
• obtain knowledge of specific environmental requirements, regulations,
etc., that apply to the business;
• obtain sufficient knowledge of environmental aspects regarding the
business;
• consider the risk emanating from environmental aspects;
• consider the internal controls instituted to address the risk;
• design appropriate substantive procedures to address the risk;
• consider the use of the work of others, such as experts (ISA 620);
• obtain a management representation letter in respect of environmental
aspects;
• consider the impact of the environmental aspects on the financial
statements and audit report; and
• consider compliance by the entity with environmental laws and
regulations (ISA 250).
● Environmental matters have an impact on the risk of misstatement in
financial statements, specifically in respect of provisions, valuation of
assets and disclosures.
Examples include:
• environmental laws and regulations may affect the value of assets
(Impairment of assets: IAS 36);
• liabilities for restoration work resulting from pollution;
• liabilities for rectification work and/or damages related to pollution
resulting from the transportation or dumping of hazardous waste;
• the disclosure of contingent liabilities in respect of environmental
aspects; and
• the impact of non-compliance with environmental laws on the going
concern concept.
IAS 10, dealing with events after the reporting period, should also be
considered, as well as IAS 37, dealing with provisions and contingent lia-
bilities.
● Management’s responsibility
Management is responsible for identifying, accounting for and disclosing
environmental issues.
Management is also responsible for the identification and management of
risks.
Management should implement sufficient internal controls to control envi-
ronmental aspects – this may lead to specific environmental systems
being implemented.
● The auditor’s responsibility
The auditor is not and cannot be held responsible for non-compliance with
environmental laws and regulations by entities.
The auditor should, however, plan and perform the audit in such a manner
that material misstatement or non-compliance with laws and regulations
will be detected – this requires an attitude of professional scepticism in
respect of environmental aspects.
● Impact on the auditor’s procedures
• Planning:
The auditor should, during the planning of the audit, obtain an under-
standing of environmental aspects that may affect the financial state-
ments. This forms part of risk assessment procedures.

To obtain an understanding of environmental aspects, the auditor
would normally:
– consider existing knowledge of the industry and the business;
– enquire of management as to the entity’s policies and procedures
for compliance with environmental laws and regulations;
– enquire of management as to environmental laws and regulations
that could have a fundamental effect on the business; and
– discuss with management the policy and procedures for the
identification, accounting for and disclosure of legal claims, litiga-
tion and liabilities in respect of environmental aspects.
Examples of enquiries of management:
– enquiries to obtain an understanding of the business entity and
environment, for example in respect of environmental laws and
regulations, environmental risks, etc.; and
– enquiries concerning the control environment and control proced-
ures in respect of environmental issues.
• Risk assessment
The auditor would perform risk assessment procedures, including an
analysis of management’s risk identification and risk management.
– Inherent risk: The auditor considers the nature of the business, the
industry and the risks related to environmental aspects.
– Control risk: The auditor considers the effectiveness of the control
environment and the internal controls implemented by management to
address environmental issues.
– Detection risk: Detection risk has a direct impact on the assertions and
the auditor’s substantive procedures. The level of inherent and control
risk will directly influence the nature, timing and extent of substantive
procedures to address environmental issues.
• Substantive procedures
Substantive procedures must address conditions that may indicate that
the financial statements are misstated:
– problems in respect of environmental issues indicated by reports
of environmental experts, internal auditors, etc.;
– contraventions of environmental legislation and regulations as
indicated by correspondence;
– media reports concerning the entity’s environmental issues;
– environmental issues dealt with in correspondence with legal
advisors; and
– abnormal increases in legal fees relating to environmental issues.
These factors assist the auditor to assess the risks of misstatement set
out earlier in this section.
Substantive procedures in respect of environmental issues will include:
– enquiry of management, reading minutes, etc., for information
concerning environmental issues;
– analytical procedures addressing environmental issues;
– assessment of estimates of environmental liabilities (in terms of
ISA 540);
– consultation with internal auditors, experts and environmental audit-
ors;
– enquiries of legal advisers.
• Using the work of others
The auditor might need to use the work of experts concerning environ-
mental issues. Specific procedures would then be performed accord-
ingly.
Environmental experts
Consider reliance on the work of experts as per ISA 620 (see chapter 7).
Internal auditors
Consider relying on the work of internal auditors concerning
environmental issues as per ISA 610 (see chapter 7).
Environmental audits
Environmental audits can be performed by internal auditors, external
auditors and experts. In practice, it will often be necessary to use
multidisciplinary teams of experts.
• Management representations
The auditor should obtain representations from management concern-
ing environmental aspects, specifically that all environmental issues
are properly accounted for and disclosed in the financial statements.

• Reporting
The auditor should consider the impact of misstatement of financial
information resulting from environmental issues on the audit report.
– Inclusion of a possible emphasis of matter paragraph.
– Uncertainty: Qualification of the audit report.
– Disagreement: Qualification of the audit report.
Audit reporting is dealt with in chapter 16.

3.5 PERFORMANCE AUDITING


● Definitions
A performance audit may be described as an independent auditing process
carried out by a performance auditor to evaluate the measures instituted by
management, or the lack thereof, to ensure that resources have been
acquired economically and are utilised efficiently and effectively, and to report
thereon to management and, if appropriate, to the regulator concerned.
Economy: Refers to the acquisition of the appropriate quality and
quantity of financial, human and physical resources at the
appropriate time and place, and at the lowest possible
cost.
Efficiency: Refers to the use of resources so that output is maximised
for any given set of resource inputs, or input is minimised
for any given quantity and quality of output provided.
Effectiveness: Refers to the extent of the achievement of set or pre-
determined objectives or other intended effects of pro-
grammes, operations, activities or processes.
● Objective
The objective of performance auditing is to independently report to man-
agement concerning the existence and effectiveness (or otherwise) of
appropriate performance measures and criteria.
● Audit process
The audit process for performance auditing comprises:
• Normal pre-engagement activities.
• Planning of the work:
– Obtain an understanding of the entity and its business processes.
– Identify areas of focus to concentrate upon.
– Identify audit objectives and criteria against which to measure
compliance.
– Prepare an audit programme.

• Perform audit procedures to assess compliance with the audit
objectives and criteria:
– Obtain audit evidence.
– Consider the use of the work of others (e.g. internal audit and
experts).
• Reporting.
• Quality control for audit work.

4. ASSURANCE ENGAGEMENTS OTHER THAN AUDITS OR REVIEWS OF HISTORICAL FINANCIAL INFORMATION
SOURCE REFERENCE: ISAE 3000: “Assurance engagements other than audits or
reviews of historical financial information”
This statement relates directly to assurance engagements on information other
than historical financial information, for example providing assurance on a
profit forecast, or the effectiveness of internal controls.
The statement does not apply to:
● agreed-upon procedures and compilations as these are covered by
separate statements (refer to chapter 16);
● management consulting;
● engagements to testify in legal proceedings;
● giving opinions that are incidental to engagements and neither intended
nor represented to provide assurance.
Providing assurance on a profit forecast (Reporting on prospective Financial
Information) is dealt with in chapter 16.
The principles and requirements as set out in the Framework for Assurance
Engagements (see chapter 1) apply equally. Additional considerations may,
however, apply, depending on the nature of the subject matter, the information
to be reported on and the criteria against which the information may be
measured.
Assurance engagements could be attestation engagements or direct engage-
ments.
● An attestation engagement involves the practitioner concluding on the
absence of material misstatement in information that has been measured
or evaluated against relevant criteria by a third party.
● A direct engagement involves the practitioner measuring or evaluating
information against relevant criteria and concluding on the reported
outcome of the evaluation or measurement.


4.1 ETHICAL REQUIREMENTS


The practitioner must comply with all ethical requirements set out in the Code
of Conduct.

4.2 QUALITY CONTROL


The fundamental quality control principles also apply, both at:
● the firm level (ISQC1), to ensure that the firm and its personnel comply
with quality control principles; and
● the individual engagement level for the work performed.

4.3 ENGAGEMENT ACCEPTANCE AND CONTINUANCE


The following considerations and procedures apply:
● A practitioner should only accept an assurance engagement if:
• client acceptance criteria have been met;
• the staff performing the engagement have the necessary skills and
competence;
• the subject matter under investigation is clearly identified, and is the
responsibility of a party other than the intended users;
• the criteria to be applied in evaluating the subject matter are relevant,
complete, reliable, neutral and understandable;
• these criteria are available to the users;
• the practitioner expects to be able to obtain sufficient evidence to
support the conclusions;
• no limitation on the scope of the practitioner’s work is imposed that
may lead to a disclaimer of opinion;
• it is possible to report on the subject matter; and
• the users are identified.
The practitioner should not accept the engagement unless these precon-
ditions are met.
● Ethical requirements must be adhered to, specifically:
• independence and objectivity requirements, including the absence of
any conflict of interest;
• professional competence and due care – the practitioner should have
the competence and resources (including human resources) to per-
form the work; and
• communication with the auditor of the entity, if the practitioner is not
also the auditor.

● Agreeing on the terms of the engagement in an engagement letter, setting
out:
• the terms of the engagement;
• the responsibilities of each party;
• the basis on which fees will be charged.
● The practitioner should exercise professional scepticism in the event of a
client request to change the terms of engagement, for example, a request
to change from reasonable assurance to limited assurance or from assur-
ance to non-assurance. If the practitioner accepts such a change, evi-
dence obtained prior to the change may not be disregarded.

4.4 PLANNING THE ENGAGEMENT


The practitioner must apply appropriate assurance skills and techniques in
determining the nature, timing and extent of procedures.
The following considerations and procedures apply:
● Obtain an understanding of the entity sufficient to be able to perform the
engagement.
● Understand the accounting systems and related controls sufficiently to be
able to perform the engagement.
● Obtain a more detailed understanding of the subject matter under
investigation and the engagement circumstances.
● Assess the appropriateness of the subject matter and consider the
characteristics of the subject matter.
NOTE: If the practitioner finds that the subject matter under investigation
is not appropriate, the practitioner should withdraw from the
engagement or modify the conclusion, issue an adverse con-
clusion, or note a disclaimer.
● Assess the suitability of the criteria:
• Criteria can be established (e.g. whether or not a control works) or
developed.
• The practitioner should consider whether the established criteria are
appropriate.
● Consider materiality:
• Materiality levels should be established and considered. Both quantita-
tive and qualitative factors should be considered.
• Materiality will have an impact on the nature, timing and extent of the
evidence gathering procedures.
● Consider the assurance engagement risk:
• This comprises inherent, control and detection risk and will have a
direct impact on the nature, timing and extent of procedures per-
formed.

● Considerations in respect of the use of an expert.
• The normal considerations and procedures for using the work of an
expert will apply (ISA 620).

4.5 OBTAINING EVIDENCE


● Sufficient appropriate evidence should be obtained to support the
assurance expressed.
• The nature, timing and extent of procedures for gathering evidence will
be determined by the assurance expressed:
– Reasonable assurance (positive):
Standard audit procedures such as tests of controls, analytical
reviews and tests of detail, encompassing observation, enquiry,
inspection, confirmation, etc.
– Limited assurance (negative):
Normally limited to understanding the subject matter, analytical
review procedures and enquiries. This may, however, vary accord-
ing to the circumstances.
– Agreed upon procedures
In this case, audit procedures are agreed specifically with the
client and are set out in both the engagement letter and the report.
The nature of these specific procedures would probably include
the standard procedures set out above, although the auditor
would carry out only those procedures agreed with the client and
would simply report the factual findings without giving any audit
assurance.
• When gathering audit evidence, the auditor should always apply
professional judgment and exercise professional scepticism.
● The auditor should obtain written representations from responsible parties
on the subject matter and criteria.
● If the auditor becomes aware of any matter that raises the possibility of a
material modification being made to the information, the auditor should
perform additional procedures sufficient to enable a proper conclusion as
to whether or not the auditor’s conclusion should be modified.
● Consider, up to the date of the report, events after the reporting date that
may affect the report.
● Document the considerations, procedures performed, evidence obtained
and conclusions in the working papers.


4.6 REPORTING
● Evaluate the sufficiency and appropriateness of the evidence obtained.
● Draw a clear conclusion about the subject matter.
● Prepare the report in writing.
Report content
• Title: Independent assurance report.
• Addressee: To whom the report is directed.
• Identification of the level of assurance provided, a description of the
subject matter and a reference to relevant statements prepared or
made by the responsible party.
• Identification of the applicable criteria.
Where applicable:
– a description of any significant limitations associated with the
measurement of the subject matter against the criteria;
– possible restriction of use/distribution of the report, and a statement
alerting users to the specific purpose for which the criteria are
designed.
• A statement identifying the responsible party and the practitioner’s
related responsibilities.
• A statement that the engagement was performed in accordance with
the ISAEs.
• A statement concerning compliance with quality control requirements.
• A statement concerning compliance with the Code of Professional
Conduct.
• An informative description/summary of the procedures performed:
– In the case of a limited assurance engagement, a statement that
the procedures performed are less extensive than those for a rea-
sonable assurance engagement and that the level of assurance is
thus lower.
• The practitioner’s conclusion:
– Where conclusions are modified, the matters giving rise to the modi-
fication(s) should be described.
Conclusions should be modified where:
• there is a limitation on the scope of the practitioner’s work;
• the responsible party’s assertions are not fairly stated; and
• the subject matter (information) and the related measurement against
appropriate criteria are not fairly set out.


5. SUSTAINABILITY REPORTING
5.1 BACKGROUND
5.1.1 King IV Code
The King IV Code recommends integrated reporting and the inclusion of sus-
tainability reporting in the integrated report.
● Sustainability reporting differs from traditional financial reporting in the
sense that it is primarily focused on all stakeholders of the company and
not only on the shareholders.
● Although specific guidance exists regarding the content of sustainability
reporting, the principle is that it should be based on the information needs
and expectations of the stakeholders.
● The information needs and expectations of stakeholders can only really be
determined through a proper stakeholder engagement process.
● The King Code also suggests that the sustainability report should focus on
how the company made its money, including the impact (both positive and
negative) on the environment, society and other stakeholder groupings.
● This will require companies to carefully consider such impacts in order to
report effectively.
● Guidance on sustainability reporting also suggests that performance
should be quantified according to key performance indicators (KPIs),
compared from year to year, as well as compared with suitable
benchmarks.
Whilst assurance on sustainability reporting is not governed by statute, the
King Code recommends that external assurance be obtained on the sustain-
ability section of the integrated report.
5.1.2 Proposed SAAEPS1 – “Sustainability Assurance Engagement Concepts:
Evaluating the Rational Purpose, the Appropriateness of the Underlying
Subject Matter and the Suitability of Criteria”
SAAEPS1 was circulated for comment by the IRBA in November 2017. Whilst
this document may not yet be used or relied upon until it is released as a pro-
nouncement, it may still be regarded as a reflection of current thinking.
5.1.3 Disaggregation of Key Performance Indicators
KPIs typically fall into the following broad areas:
● environmental performance;
● social performance;
● economic performance;
● governance;
● health and safety;
● customer satisfaction;
● human rights.

5.2 ASSURANCE ON SUSTAINABILITY REPORTING


External assurance could be provided by performing:
● a full scope audit giving an opinion; or
● a review providing limited assurance; or
● a combination of the two.
The auditor and client would need to agree on the nature of the work to be
done, in order to fully satisfy the requirements of all stakeholders.
Clients will identify and evaluate the various KPIs and are likely to request the
auditor to perform assurance procedures regarding selected KPIs.
There is also an opportunity for the auditor to provide consulting services to
assist the client by evaluating the processes, records and reports that gather
and substantiate the required information related to the various KPIs.

5.3 LEVEL OF ASSURANCE


The following matters should be considered when deciding on the most appro-
priate level of assurance to be obtained.
A reasonable assurance engagement:
● This would provide reasonable, although not absolute, assurance.
● An advantage would be that a detailed audit would provide users of the
report with a high level of assurance.
● Such an audit would, however, be time-consuming and the fee may
therefore be excessive in relation to the benefits.
A limited assurance review:
● A review would provide only limited assurance but could well be
acceptable to the users of the report.
● The principal advantage of a review is that it would save time and costs.
A combination with reasonable assurance applied to selected KPIs and
limited assurance applied to others.
Another form of engagement that could be performed would be an agreed-
upon procedures engagement:
● This form of engagement will not provide any assurance at all and might
therefore not completely meet the principles set out in the King Codes,
which specifically refer to an assurance report.
● Compliance with the King Codes would, however, still be achieved by
disclosing acceptable reasons for not following the recommended
practice.
● An agreed-upon procedures engagement would achieve savings in terms
of time and costs.
As companies develop the necessary processes, records and reports, it is
most likely that both the scope of sustainability reporting engagements and the
level of assurance provided will increase.

5.4 PRECONDITIONS FOR ENGAGEMENT


Matters specific to sustainability reporting that the auditor would consider over
and above the steps discussed in section 4 of this chapter:
● Understanding the sustainability reporting information, the underlying
subject matter and the entity context, and whether or not the subject
matter is:
• identifiable;
• measurable;
• capable of evaluation;
• relevant;
• complete;
• reliable; and
• free from bias.
● Considering the information needs of users.
● Considering the scope of reporting, namely which KPIs and disclosures
will be used and which disclosed KPIs are scoped into the engagement.
Where aspects will be excluded from the engagement, the auditor needs
to determine and consider the reason(s) for this.
● Applying professional judgement to the impact of any omissions.
● Considering whether or not there is a sound reporting infrastructure,
including:
• a relevant reporting framework;
• appropriate reporting policies and procedures;
• appropriate reporting systems and controls; and
• governance and oversight.
● Considering the competence and objectivity of the persons who selected
the measurement criteria and the extent of judgement required.
● Considering the type of engagement and that there is a reasonable
expectation that sufficient evidence can be obtained.
● Developing insight on whether or not the information provided and the
engagement scope are appropriate for the information needs of the users.
If these preconditions are not present, the practitioner will discuss the engage-
ment with the client and:
● decline the engagement; or
● consider a change in the scope of the engagement; or
● consider a different form of engagement such as agreed-upon
procedures.

6. INTERNAL AUDIT SERVICES


SOURCE REFERENCE: ISA 610 “Using the work of internal auditors”
6.1 DEFINITION
Internal auditing may be described as a management function by which
employees of the entity review/monitor the activities and systems on an ongo-
ing basis to ensure that the entity functions effectively and that management
objectives are met.
The definition of internal audit, as defined by the Institute of Internal Auditors,
is:
An independent, objective assurance and consulting activity designed to
add value and improve an organisation’s operations. It helps an organ-
isation accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management,
control, and governance processes.

6.2 SCOPE
Internal audit work could include:
● risk management;
● implementation, monitoring and review of internal controls and systems;
● examination of financial and operating information;
● review of operating activities;
● review of compliance with laws and regulations;
● assessment of governance practices;
● performance of special investigations for management, for example:
• forensic (fraud) investigations;
• feasibility studies;
• compliance with policy measures and good business practices;
• performance audits; and
• environmental audits.

Structure of the internal audit function
The following structures might exist in practice:
● Separate internal audit department: Especially in large organisations.
● External auditors provide internal audit services: Independence is a
consideration. This is prohibited in the case of listed companies.
● Other auditing firms provide internal audit services: Independence and
cost effectiveness are considerations.

6.3 PRINCIPLES FOR DISTINGUISHING BETWEEN EXTERNAL AND INTERNAL AUDITING
Internal audit
● A management function.
● Reports to management (as well as audit committee).
● Functions independently within the organisation, but is still part of the
organisation.
● Obtains mandate from management/audit committee.
External audit
● An attest function.
● Reports to shareholders.
● Independent, external auditors perform the function.
● Obtains mandate from legislation.

6.4 PROCEDURES FOR PERFORMANCE OF THE WORK


The fundamental principles which apply in respect of external audits also apply
in respect of internal audits.
● An understanding of the operations, activities, etc., must be acquired.
● The work must be planned:
• Materiality must be determined (usually relating to individual line
items).
• Risk must be considered: Risk approach and profiles should be com-
piled/formulated.
• The work must be planned.
• An audit approach must be formulated.
• Audit programmes must be prepared.
● Audit evidence must be obtained through inspection, observation, enquiry,
confirmation and reperformance.
● Proper conclusions should be documented.
● Proper reports should be issued.
● Internal auditors generally agree the scope of their work with the audit
committee and report to the audit committee.


6.5 PROVISION OF INTERNAL AUDIT SERVICES BY AUDIT FIRMS


Many enterprises outsource the internal audit function to audit firms, although
to firms other than their external auditors.
Internal audit services are generally not offered to audit clients because of the
self-review threat involved, but many firms offer these services to audit clients of
other firms.

6.6 COOPERATION WITH EXTERNAL AUDITORS


Irrespective of the degree of autonomy and objectivity, internal auditors remain
employees of or contractors to the entity. As a result, the internal audit function
is not independent of the entity as is required of the external auditor when
expressing an opinion on financial statements.
The external auditor has sole responsibility for the audit opinion expressed,
and that responsibility is not reduced by the external auditor’s use of the work
of the internal auditors.
Where, however, the internal audit function functions effectively and efficiently,
internal audit work already performed could affect the nature, scope and timing
of external audit procedures.
If the external auditor uses specific work of the internal auditors, the external
auditor shall include in the audit documentation the conclusions reached
regarding the evaluation of the adequacy of the work of the internal auditors,
and the audit procedures performed by the external auditor on that work.

6.7 ASPECTS THAT THE EXTERNAL AUDITOR SHOULD CONSIDER TO DETERMINE IF USE CAN BE MADE OF INTERNAL AUDIT WORK (ISA 610)

• The extent to which their organisational status and policies and procedures support their objectivity:
  • Their independence: do they report to those charged with governance?
  • Are they free of conflicting responsibilities, e.g., do they not have any operating or managerial responsibilities outside of the IA function?
  • Are employment decisions overseen by those in charge of governance?
  • There are no limitations on their work.
  • Their freedom to communicate.
• The scope of their functions:
  • The nature and extent of their assignments and management’s reaction to their reports.
• Their level of competence:
  • The policies used for HR processes, e.g., hiring, training and assignment.
  • Their technical competence and membership of a professional body, including their training and qualifications.
  • Their knowledge of the entity and its financial reporting requirements.
  • Whether the Internal Audit function is adequately resourced.
• Whether or not they apply a systematic and disciplined approach including quality control (exercise due professional care):
  • The existence, adequacy and use of documented procedures.
  • The existence of quality control procedures.

6.8 EXAMPLES OF WORK PERFORMED BY INTERNAL AUDIT ON WHICH EXTERNAL AUDIT CAN PLACE RELIANCE/USE

• Internal control/system work:
  • Review of systems of control not covered by external audit.
  • Review of systems in line with a rotation plan agreed with external audit.
  • Evaluation of systems for the remaining period of the year where external audit has tested the system at an interim date.
  • Inspection by internal audit of detected/suspected weaknesses in internal controls identified by external audit:
    – reason for occurrence;
    – corrections; and
    – effective functioning once corrected.
• Substantive procedures:
  • Attendance of inventory counts at certain branches/areas not covered by external audit.
  • Extracting certain information for external audit purposes, for example:
    – samples for audit purposes;
    – evidence/documentation for review by external auditors; and
    – extraction of data for external auditors’ analytical procedures.
  • Preparation of schedules, etc., for use by external audit.


6.9 AUDIT WORK TO ESTABLISH RELIANCE ON THE WORK OF INTERNAL AUDIT

Work performed by the external auditor could include:
• performing a review of their work programme and working papers;
• observing and enquiring concerning internal audit procedures;
• considering whether or not:
  • the work was performed by persons with adequate training and proficiency;
  • conclusions are supported by audit evidence and are appropriate;
  • exceptions, errors and abnormal items were properly resolved;
• reperforming items already assessed by internal audit;
• performing tests on similar items.

6.10 THE USE OF INTERNAL AUDITORS TO PROVIDE DIRECT ASSISTANCE ON THE AUDIT

Where the external auditor plans to use internal auditors to provide direct assistance on the audit and this is not prohibited by law or regulation, the external auditor shall evaluate the objectivity and competence of the internal auditors.
The external auditor shall not use an internal auditor to provide direct assistance if significant threats to objectivity and competence exist.
In determining the nature and extent of work that may be assigned to internal auditors and the necessary direction, supervision and review, the external auditor shall consider:
• the amount of judgment involved;
• the risk of material misstatement;
• the external auditor’s evaluation of the existence and significance of threats to objectivity and competence.
The external auditor shall not use internal auditors to perform procedures that:
• require significant judgments in the audit;
• relate to high risks of material misstatement where judgment required is more than limited;
• relate to work with which the internal auditors have been involved;
• relate to audit decisions regarding the internal audit function.
The external auditor shall communicate with those charged with governance concerning the nature and extent of the planned use of internal auditors.
The external auditor shall evaluate whether or not the external auditor is still sufficiently involved in the audit, given the external auditor’s sole responsibility for the audit opinion.
Prior to using internal auditors to provide direct assistance, the external auditor shall obtain:
• written agreement that the internal auditors will be allowed to follow the external auditor’s instructions, and that the entity will not intervene in the work the internal auditor performs for the external auditor;
• written agreement from the internal auditors that they will keep confidential specific matters as instructed by the external auditor and inform the external auditor of any threat to their objectivity.
The external auditor shall direct, supervise and review the work performed by internal auditors on the engagement.

6.11 BENEFITS TO THE EXTERNAL AUDITOR OF RELIANCE ON THE WORK OF INTERNAL AUDITORS

Such benefits will include the following:
• cost-effective audit;
• audit risk limited;
• expertise of internal auditors;
• good relationship/co-operation with client’s staff; and
• compliance with management’s requests.

6.12 ADDITIONAL AUDIT PROCEDURES WHERE RELIANCE ON INTERNAL AUDIT IS NOT JUSTIFIED

Circumstances where the external auditor might conclude that reliance is not justified could include:
• where the external auditor’s evaluation of the internal audit function concludes that the criteria set out in section 6.5 are not met;
• where the external auditor’s review of work performed by the internal audit yields unsatisfactory results.
In these circumstances, additional audit work would be necessary.
Additional procedures would include:
• informing those charged with governance of the reasons for not relying on the work of internal audit;
• planning the external audit without placing reliance on the work of internal audit;
• evaluating the impact thereof on the audit risk; and
• documenting the reasons and considerations in the working papers.

16 REPORTING

1. Introduction
2. Auditor’s reports on financial statements – reports giving reasonable assurance
   2.1 Regulatory aspects
   2.2 Reporting in terms of law or regulation
   2.3 Reporting definitions
   2.4 Basic elements of the auditor’s report
   2.5 Reporting key audit matters
   2.6 Decisions affecting the audit opinion
   2.7 Effect on the form and content of the audit report
   2.8 Wording of a modification of the audit opinion
   2.9 Emphasis of matter paragraphs and other matter paragraphs
   2.10 Notes on uncertainties/scope limitations
   2.11 Notes on going concern considerations
   2.12 Additional reporting responsibilities
   2.13 Illustrations of audit reports
   2.14 Communication with those charged with governance
   2.15 Disclosure of audit tenure
   2.16 Reporting and compliance with financial reporting frameworks
   2.17 Comparative information
   2.18 Other information in documents which include audited financial statements
   2.19 Availability of other information after the date of the auditor’s report
   2.20 Conforming amendments to other ISA standards
3. Assurance engagements other than audits or reviews of historical financial information
4. Special purpose audit engagements
   4.1 Reports expressing opinions
   4.2 Reports expressing limited assurance
   4.3 Review of interim financial information
   4.4 Engagements to perform agreed-upon procedures regarding financial information
5. Engagements to compile financial information
   5.1 Objective of a compilation engagement
   5.2 Terms of the engagement
   5.3 Performing the engagement
   5.4 Reporting
6. Profit forecasts
   6.1 Background
   6.2 Critical aspects that the reporting accountant must consider before accepting the engagement
   6.3 Objectives of a review of a profit forecast
   6.4 Terms of the engagement
   6.5 Performing the engagement
7. The examination of prospective financial information
   7.1 Acceptance of the engagement
   7.2 Knowledge of the business
   7.3 Period covered
   7.4 Procedures
   7.5 Reporting
8. Assurance engagements to report on the compilation of pro forma financial information included in a prospectus
   8.1 Introduction
   8.2 Engagement acceptance
   8.3 Planning and performing the engagement
   8.4 The report
9. Giving second opinions

1. INTRODUCTION
The purpose of an audit of financial information is to enhance users’ confidence
in financial information through the auditor expressing an independent opinion on
whether or not financial statements comply, in all material respects, with an
appropriate financial reporting framework. On completing an audit engagement
in accordance with International Standards on Auditing (ISAs), the auditor informs
the users of the financial statements about the nature of the work performed and
the conclusions that have been reached. The content, format and type of report
are determined by the nature of the work performed as agreed to in the engagement
letter.
ISA 700 deals with the auditor’s responsibility to form an opinion and report,
giving reasonable assurance, on a complete set of general-purpose financial
statements, whilst ISA 800, 805 and 810 deal with the auditor’s responsibility in
regard to special purpose audit engagements.
ISAEs deal with assurance engagements other than audits or reviews of historical
financial information, whilst ISREs deal with the responsibilities relating to reporting,
giving limited assurance, on review engagements.
ISRSs deal with related services engagements – reporting on agreed-upon procedures
and compilation engagements.
The principal objective of most audits is to report, in writing, an opinion on financial
statements and the majority of audit reports in South Africa relate to the audit
of annual financial statements of companies as required by section 30 of the
Companies Act.
ISA 700 and the related statements listed on the following page were subjected
to significant revision in 2015, with an effective date of 15 December 2016. The
objectives were to:
• achieve global commonality;
• provide enhanced communication value for users;
• provide transparency;
• create robust interaction between users, auditors and those charged with governance;
• improve audit quality and users’ perception thereof;
• improve perceptions of the relevance of the auditing profession;
• provide value through the audit opinion;
• provide informative reports; and
• provide relevant, decision-useful information for users.
The reporting standards require, for all assurance reporting circumstances, more
explicit descriptions of the respective responsibilities of management and the
auditor.


The standards require the auditor to identify and discuss key audit matters affecting
the audit (refer to section 2.5 of this chapter), apply professional scepticism in
areas where key audit matters are identified and require management and those
charged with governance to give attention to the “Key Audit Matters” section of
the report.
In terms of the format of the report, the standards require the auditor’s opinion to
be presented first as this is the crux of the report, followed by a “Basis for Opinion”
section for unmodified opinions, a statement concerning independence and
other ethical responsibilities, a description of auditor responsibilities and the key
features of an audit, and information for users of financial information concerning
key audit matters.
The report also identifies, in the responsibilities section, situations where those
charged with governance are separate from management.

2. AUDITOR’S REPORTS ON FINANCIAL STATEMENTS – REPORTS GIVING REASONABLE ASSURANCE

SOURCE REFERENCES:
ISA 700 “Forming an Opinion and Reporting on Financial Statements”
ISA 701 “Communicating Key Audit Matters in the Independent Auditor’s Report”
ISA 705 “Modifications to the Opinion in the Independent Auditor’s Report”
ISA 706 “Emphasis of Matter Paragraphs and Other Matter Paragraphs in the Independent Auditor’s Report”
ISA 720 “The Auditor’s Responsibilities relating to Other Information in Documents containing Audited Financial Statements”
SAAPS 2 “Financial Reporting Frameworks and audit opinions”
SAAPS 3 “Illustrative independent auditor’s reports”
Also of significant relevance are:
ISA 570 Going Concern
ISA 260 Communication with Those Charged with Governance
ISAs 210, 220, 230, 510, 540, 600 and 710, all of which were updated with conforming amendments when the reporting statements were revised.
The objective of an audit of financial statements is to enable the auditor to express an opinion, giving reasonable assurance, as to whether or not the financial statements present fairly, in all material respects, the financial position of the entity at a specific date and the results of the entity’s operations and cash flows for the period then ended, in accordance with an applicable financial reporting framework. If this is not the case, the financial statements will be materially misstated, which will lead to a modified audit opinion. A modified audit opinion would also be necessary where the auditor is unable to conclude on fair presentation and the absence of material misstatement.
In considering fair presentation and compliance with the applicable financial
reporting framework, the auditor will evaluate the qualitative aspects of the entity’s
accounting practices, including indications of possible bias in management’s
judgements.
In particular, the auditor will consider whether or not:
• sufficient appropriate and acceptable audit evidence has been obtained;
• there is reasonable assurance that the financial statements achieve fair presentation;
• the financial statements are prepared in accordance with the disclosed financial reporting framework;
• uncorrected misstatements, if any, are material;
• the financial statements adequately disclose the significant accounting policies;
• the accounting policies are appropriate and consistently applied;
• the accounting estimates made by management are reasonable;
• the information presented in the financial statements is relevant, reliable, comparable and understandable;
• the financial statements provide for adequate disclosure of all material aspects; and
• the terminology used in the financial statements is applicable.

2.1 REGULATORY ASPECTS


Section 30 of the Companies Act 71 of 2008 requires a company to prepare
annual financial statements within six months after the end of its financial year.
The Act sets out a number of criteria where company annual financial statements must be audited, the most common of which are:
• public companies;
• state-owned companies;
• other companies which have a Public Interest Score of greater than 350 points or whose financial statements are not independently compiled and which have a Public Interest Score of greater than 100 points.
A company’s Public Interest Score is determined by reference to the number of
shareholders (1 point per shareholder); the number of employees (1 point per
employee); the size of its turnover (1 point per R million); and the amount of its
external liabilities (1 point per R million).


Any company may, however, be audited voluntarily at the option of the company.
In terms of the Regulations to the Act, companies that have a Public Interest
Score between 100 and 350 would typically be required to have their financial
statements independently reviewed unless exempted in the case of a closely
held private company. Reviews are discussed in section 4.2 of this chapter.
Section 44 of the Auditing Profession Act (26 of 2005) states the prerequisites
for an unqualified report by an auditor on any set of financial statements.

2.2 REPORTING IN TERMS OF LAW OR REGULATION


Whilst South African audit reports are generally prepared in terms of the ISAs,
the standards continue to allow for reference to the ISAs in an audit report
where law or regulation specifies the layout or wording of the report.
In such cases, any other reporting responsibilities prescribed by law or regulation
in addition to those required by ISAs, are reported either in a separate
section in the audit report or, if addressing the same topics required by ISAs,
in the same section, provided that the audit report clearly differentiates the
other reporting responsibilities from reporting required by the ISAs.
Where financial statements are prepared under both IFRS and separate jurisdiction
requirements, two separate audit opinions would be required.

2.3 REPORTING DEFINITIONS


Unqualified report
An audit report where there is neither a modification of the audit opinion, nor
any other modification to the report such as an “Emphasis of Matter” or an
“Other Matter” section.
Unmodified opinion
An unmodified opinion will be expressed when the auditor concludes that sufficient appropriate audit evidence has been obtained and that the financial statements are:
• free from material misstatement;
• fairly presented in all material respects;
• prepared in accordance with the applicable financial reporting framework; and
• where appropriate, in compliance with applicable statutory requirements.
An unmodified opinion states that the financial statements present a true and
fair view (or present fairly) of the financial information in all material respects, in
accordance with the applicable financial reporting framework.

When giving an unmodified opinion, it would not be appropriate to use terms such as “subject to” or “with the foregoing explanation”.
Modified opinion
The auditor’s report would be modified if the auditor:
• concludes that, based on the audit evidence obtained, the financial statements as a whole are not free from material misstatement (also referred to as “disagreement”); or
• is unable to obtain sufficient appropriate audit evidence to conclude that the financial statements as a whole are free from material misstatement (also referred to as “uncertainty” and may result from a limitation in the scope of the audit).
Misstatements
Misstatements (also commonly referred to as “audit differences”) refer to
errors, omissions or inappropriate disclosures in the financial statements.
Material misstatements
Misstatements are material where they are likely to affect the judgement of a
user of the financial statements. Materiality is dealt with in more detail in the
chapters concerning Planning the Audit and Concluding on the Audit.
• Information is material if the omission or misstatement thereof could influence the economic decisions of users taken on the basis of the financial statements.
• The auditor should consider the materiality of misstatements for both their:
  • Quantitative nature: The amounts of identified misstatements, together with the net effect of any unadjusted audit differences from previous years; and
  • Qualitative nature: The nature of the misstatements, irrespective of the amounts involved.
A matter is fundamentally misstated or pervasive where that specific matter is
so material that the financial statements as a whole become unusable.
Whether misstatements are material or material and pervasive
The term “pervasive” is used in the context of misstatements to describe an
uncertainty or misstatement that is so serious that it is fundamental to users’
understanding and reading of the financial statements as a whole.
A material misstatement would be considered pervasive if it is:
• not confined to specific elements in the financial statements (i.e. misstatements affect a number of balances); or
• substantial in its own right, notwithstanding the fact that it may be confined to a single element or balance; or
• fundamental to a user’s understanding of the financial statements.
The question of material but not pervasive versus material and pervasive is a
very subjective one.
In practice, there are some obvious issues, for example:
• A set of financial statements where virtually everything is materially wrong (disagreement) or potentially materially wrong (uncertainty) clearly meets the first criterion and would probably be considered pervasive.
• A set of financial statements where the single largest item is grossly incorrect (disagreement) or potentially grossly incorrect (uncertainty) would be likely to meet the second and third criteria and would probably be considered pervasive.
  “Grossly” implies that the error or potential error is much greater than materiality, but this begs the question “How much greater is ‘grossly’?” The answer to this question is one of professional judgement.
Note the use of the words “likely” and “probably”. These words are used
because each case requiring modification of the opinion is unique and would
have to be considered on its individual merits.
It is not possible to generalise and a practitioner must apply professional
judgement to the merits of each unique case.
A practitioner would also have to consider the qualitative and quantitative
factors affecting each issue in the context of the need to provide decision-useful
information to the users of financial statements.
Types of modified opinion
A modified opinion could involve a qualified opinion, an adverse opinion or a
disclaimer of opinion.
Qualified opinion
An auditor would issue a qualified opinion where misstatements are material
but not pervasive or where possible misstatements are likely to be material but
not pervasive. There are thus two possible sets of circumstances where an
auditor would issue a qualified opinion:
• the auditor has evidence that misstatements are material but not pervasive (“disagreement”); or
• the auditor is unable to obtain evidence concerning possible misstatements and the effect is likely to be material but not pervasive (“uncertainty”).


When issuing a qualified opinion, the auditor would conclude that the financial
statements “present fairly” the financial information, in all material respects,
“except for” the effect of identified or possible misstatements.
Adverse opinion
An adverse opinion is issued where the auditor has evidence that misstatements
are material and pervasive (“disagreement”).
In this case, the auditor would express an opinion that the financial statements
“do not present fairly” the financial information.
Disclaimer of opinion
A disclaimer of opinion is issued where the auditor is unable to obtain sufficient
evidence to provide a basis for an opinion (“uncertainty”) and the effect is
material and pervasive.
In this case, the auditor would decline to express an opinion on the financial
information.
Key audit matters
Key audit matters refer to matters that, in the auditor’s professional judgement,
are of the most significance in the audit of the financial statements for the
current period.

2.4 BASIC ELEMENTS OF THE AUDITOR’S REPORT


The auditor’s report should contain the following basic elements:
Title and addressee
The report is headed “Independent Auditor’s Report”.
The report is addressed to the person/s for whom the financial statements have
been prepared. This will depend on the circumstances of the engagement. In
the case of a company, this is typically “To the Shareholders of …”
This is normally followed by the heading “Report on the Audit of Financial
Statements” OR “Report on the Audit of the Consolidated Financial Statements”,
although this heading is unnecessary if there is no “Report on Other
Legal and Regulatory Requirements”.
Auditor’s opinion
The auditor’s opinion is set out under a section headed “Opinion”.
This section commences with a paragraph that:
• states that the financial statements have been audited;
• identifies each of the financial statement components that comprise the complete set of financial statements;
• specifies the date and period covered by the financial statements.


This is followed by the opinion paragraph. The audit opinion refers directly to
the accounting framework under which the financial statements were prepared.
An unmodified opinion would be expressed when the auditor concludes that
the financial statements present a true and fair view (or present fairly).
Where a modified opinion is issued, this heading is changed to “Qualified
Opinion”, “Adverse Opinion” or “Disclaimer of Opinion”.
Where International Financial Reporting Standards (IFRS) or International
Accounting Standards (IAS) are not used as the financial reporting framework,
the reference to the financial reporting framework in the wording of the opinion
section identifies the jurisdiction or origin of the financial reporting framework.
Basis for opinion
This section informs the user that the audit was conducted in accordance with
ISAs, that the auditor is independent of the company and that the audit evidence
obtained is sufficient and appropriate to provide a basis for the opinion.
The section also makes specific reference to the relevant codes of ethics and
states that the auditor has fulfilled the appropriate ethical responsibilities.
Where a modified opinion is issued, this heading is changed to “Basis for
Qualified Opinion”, “Basis for Adverse Opinion” or “Basis for Disclaimer of
Opinion”.
Going concern (where applicable)
A separate going concern section, headed “Material Uncertainty Related to
Going Concern”, is required in the event of a going concern uncertainty.
Key audit matters (where applicable)
A “Key Audit Matters” (KAM) section is required only for auditor’s reports on
the financial statements of listed entities, although auditors may agree voluntarily
to include KAM in other reports. KAM are dealt with in detail in section 2.5 of
this chapter.
Management’s responsibilities for the financial statements
Management’s (typically the directors) responsibilities are described under a
section headed “Responsibilities of Management (and Those Charged with
Governance) for the Financial Statements”.
If those responsible for financial statement oversight are different to management,
this heading is changed to include “Those Charged with Governance”.


This section describes management’s responsibility for the preparation and fair presentation of the financial statements in accordance with the applicable financial reporting framework and states that this responsibility includes:
• assessing and monitoring the enterprise’s ability to continue to operate as a going concern; and
• maintaining such internal control as is necessary to enable the preparation of financial statements that are free from material misstatement, whether due to fraud or error.
Auditor’s responsibilities
The auditor’s responsibilities are described under a section headed “Auditor’s
Responsibilities for the Audit of the Financial Statements”.
This section states that the responsibility of the auditor is to obtain reasonable
assurance that the financial statements are free from material misstatement,
whether due to fraud or error, and that, whilst reasonable assurance is a high
level of assurance, it is not a guarantee of the absence of misstatement. The
auditor simply obtains sufficient acceptable evidence to provide a basis for the
opinion giving reasonable assurance.
This section also briefly explains the concept of materiality.
Additional detail concerning the auditor’s responsibilities must be provided,
but this may be included in the report or communicated through an appendix
or a website link to an authority such as IRBA.
This additional information states that the audit was conducted in accordance
with International Standards on Auditing, briefly explains the audit process and
refers specifically to:
• the fact that auditors understand internal controls relevant to the audit in
  order to design audit procedures but not for the purpose of expressing an
  opinion on these controls;
• the auditor’s evaluation of the appropriateness of the accounting policies
  used, the reasonableness of accounting estimates made by management,
  and the overall presentation of the financial statements;
• the auditor’s conclusion on the appropriateness of management’s use of
  the going concern basis of accounting.
Where a company is listed, the report would state that the auditor reports key
audit matters and communicates with those charged with governance,
including providing them with a statement concerning ethical compliance.
In the case of the audit of consolidated financial statements, where certain
subsidiaries are audited by other auditors (ISA 600), the report would state that
the group auditor is solely responsible for the group audit.


Other auditing responsibilities
If the audit report is required to address other reporting responsibilities in
addition to the responsibility under the ISAs to report on the financial
statements, these other reporting responsibilities must be addressed in a separate
section in the auditor’s report, headed “Report on Other Legal and Regulatory
Requirements” or using alternative headings appropriate to the content of the
section. This section is inserted below the section dealing with the auditor’s
responsibilities.
An example would be the requirement to report irregularities in terms of
section 44(2) and (3) of the Auditing Profession Act.
Supplementary information
Supplementary, or additional, information could be referred to in a separate
“Other Information” paragraph inserted after key audit matters. Ideally,
management should present any supplementary information in a way that
differentiates it from the main body of the audited financial statements.
If management does not do this, the auditor would identify the supplementary
information and explain that this information is not audited (refer to section 2.18
of this chapter).
Auditor’s signature
The auditor’s report should be signed.
This may be either in the name of the firm, the personal name of the auditor, or
both. In the case of a listed company, the individual auditor’s name should be
given.
The auditor’s professional accounting designation (CA (SA)) and licensing
designation (Registered Auditor) should also be given.
Date and address
The auditor should date the report on the financial statements no earlier than
the date on which sufficient appropriate audit evidence on which to base the
opinion on the financial statements was obtained and the date on which the
directors (or relevant governance body) accepted responsibility for the
financial statements.
The report names the location or jurisdiction where the auditor practices.

2.5 REPORTING KEY AUDIT MATTERS


As stated in the definitions section of this chapter (section 2.3), key audit
matters (KAM) are defined as matters that, in the auditor’s professional
judgement, are of the most significance in the audit of the financial statements
for the current period.

Reporting on KAM is required only for auditor’s reports on financial statements
of listed entities, although this may be required by law or regulation for other
entities, such as public interest entities or public sector entities.
Auditors may voluntarily agree to include KAM after consultation with those
charged with governance.
Before reporting on KAM, the auditor would discuss these with those charged
with governance.
Where applicable, the auditor is required to identify and report each individual
KAM unless law or regulation precludes disclosure or the auditor determines
that the matter should not be communicated (this should be extremely rare and
relates to unique circumstances where the adverse consequences of
disclosure would reasonably be expected to outweigh the public interest benefits).
The reporting of KAM is prohibited where the auditor disclaims an opinion but
is still required where a qualified or adverse opinion is issued.
In limited circumstances, the auditor might decide that there are no KAM and
would report this fact.
Deciding on which matters are key audit matters
There should be a limited number of KAM, confined only to those audit issues
of greatest importance that are likely to significantly affect a user’s
interpretation of the financial statements.
It is not possible to generalise as to which matters to include as the auditor
would apply careful judgement in considering the merits of each unique issue
and selecting the most significant matters from those:
• discussed with those charged with governance;
• that required significant audit attention; and
• that proved to be the most significant to the audit.
As part of this process, the auditor would also consider:
• significant risks;
• risks requiring special audit consideration;
• audit judgements relating to areas of significant management judgement
  (for example complex accounting estimates);
• the effect of significant events or transactions on the audit;
• the nature and extent of communication with those charged with
  governance;
• matters which required communication with regulators;
• the relative importance to intended users’ understanding of the financial
  statements;
• the extent of audit effort and specialised skills required;
• the complexity and subjectivity underlying accounting policies;
• the materiality, quantitatively or qualitatively, of corrected and
  accumulated uncorrected misstatements due to fraud or error;
• significant control deficiencies relevant to each matter;
• difficulties in applying audit procedures, evaluating the results of those
  procedures, and obtaining relevant and reliable evidence; and
• whether or not legal advice was needed.
Examples of key audit matters (“KAM”)
Whilst KAMs are likely to relate to unique circumstances relating to specific
audits and significant judgement is required, the examples set out below
provide some guidance concerning the identification of KAMs.
Whilst the audits of the companies used in the examples below would involve
several significant matters, such as those identified in the above section, not all
of those matters would be identified as KAMs.
Example 1: Recognition of revenue
The introduction of IFRS 15 has brought about complexities in the allocation of
sales prices where individual sales contracts contain separate performance
obligations for various distinct goods or services. In these cases, the
transaction price has to be allocated to each performance obligation in proportion
to the relative stand-alone selling price for the promised good or service
underlying each performance obligation.
The likely KAM could relate to:
• the estimation of the separate amounts allocated to each performance
  allocation;
• the period over which each price allocation is recognised;
• the effect of the time value of money.
Example 2: Property company
The company develops shopping centres for purposes of deriving rental
income.

Given poor economic conditions, possible KAM would potentially include:
• the determination of the fair values of investment property;
• impairment of property, particularly new developments where building
  costs have escalated and there are difficulties in finding tenants;
• the recoverability of arrear rentals outstanding by tenants who are in
  financial difficulty.
Going concern is also likely to be an issue but this could lead to a modification
of the report, rather than a KAM (refer to section 2.11 of this chapter).
Example 3: Construction company
The company derives revenue from long-term construction contracts.
Ignoring economic conditions, possible KAM would potentially include:
• the recognition of contract revenue for contracts in progress: this would
  depend on significant accounting estimates concerning the future
  outcomes of contracts;
• “Uncertified revenue”: this relates to contract revenue that the company
  expects to receive in due course but that has not yet been finalised;
• provisions, such as those for disputed amounts claimed by clients or
  subcontractors;
• given poor economic conditions, the impairment of underutilised
  construction plant might arise.
Example 4: Retailers
Given poor economic conditions, possible KAM would potentially include:
• the recoverability of receivables;
• the valuation of inventories, specifically in regard to the allowance for
  obsolescence and net realisable values.
Example 5: Banks
The valuation of financial instruments is likely to be a KAM.
The advent of the revised IFRS 9 creates more complexity in the accounting
estimates underpinning the impairment of receivables.
Given poor economic conditions, the question of the recoverability of
receivables and loans will, almost inevitably, be a KAM.


Example 6: Goodwill
Given poor economic conditions, the possible impairment and recoverable
amount of goodwill will also, almost inevitably, be a KAM.
Example 7: Deferred tax assets
The recognition of deferred tax assets requires accounting estimates of
utilisation.
Key audit matters from previous years
The auditor does not have to update KAM reported in previous years, although
it would be wise to consider if these remain KAM for the current year.
The relationship between key audit matters and modified audit opinions,
emphases of matter and other matters
Reporting a matter as a KAM may not be used as a substitute or alternative for:
• proper financial statement disclosure; and
• reporting on a going concern where separate reporting is required (refer
  to section 2.11 of this chapter).
An issue that would lead to a modification of the opinion is not a KAM. For this
reason, the wording of a KAM should not imply:
• that the matter has not been appropriately resolved by the auditor in
  forming the opinion on the financial statements; or
• discrete or separate opinions on individual elements of the financial
  statements (“piecemeal opinion”).
Whilst a modified opinion is a KAM in its own right, the issue would be described
separately in the Basis for Opinion section.
Similarly, emphases of matter and other matters are dealt with separately in the
report and cannot be used as a substitute for communicating a KAM.
Describing key audit matters in the report
The wording of the KAM section of the report is also a matter of professional
judgement and, when formulating this section, the auditor should:
• be entity-specific;
• avoid standardised wording; and
• avoid overly technical language.
The auditor should seek to achieve a balance between being consistent,
comparable, relevant and decision useful. The auditor should also clearly set out
any relationship between KAM and other sections of the report.

The description of each KAM should include:
• why the matter was considered to be a KAM;
• reference to the related disclosure(s); and
• how the matter was addressed in the audit.
This section could include, at a high level, a brief overview of:
  • aspects of the auditor’s response or approach;
  • procedures performed;
  • the overall outcome of the audit procedures; and
  • key observations related to the matter.
SAICA has published a list of examples of actual KAM reported by the auditors
of South African listed companies. These examples illustrate the principles set
out above and cover a broad range of topics, including all of the examples
mentioned above. This information is available at
https://www.saica.co.za/Portals/0/documents/TheNewAuditorReport.pdf.
These examples also provide guidance concerning how auditors report the
brief overview of their response and procedures performed.
The order in which key audit matters are presented in the report
There is no specific requirement related to the order in which KAM are
presented.
The following two approaches seem logical:
• In order of significance. This would, however, require significant
  judgement.
• The order in which the items are referred to in the financial statements.
Documenting key audit matters
The revisions to ISA 230 require the auditor to document professional
judgements made, concerning why a matter that required significant audit attention
is or is not a KAM, and, where applicable:
• if no KAM are reported, the rationale for this; and
• why a matter identified as a KAM was not communicated in the report.
Consideration should also be given to documenting the rationale for why all
matters communicated to those charged with governance were not matters
that required significant auditor attention.


Planning for key audit matters


Whilst not prescribed in the standards, it seems logical that matters likely to be
reported as KAM would be identified at the planning stage of the audit and
discussed with the audit committee and those charged with governance at an
early stage of the audit.
Notwithstanding the above, the final assessment of KAM is based on the audit
outcomes and the determination of KAM might change during the course of the
audit. For this reason the final discussions concerning KAM would be part of
the auditor’s reporting of audit findings.
Practical difficulties related to reporting key audit matters
These include difficulties related to:
• communicating the issues to users in non-technical terms;
• describing the issues to users who do not have background information
  concerning the audit;
• the time-consuming process of engaging with management and those
  charged with governance concerning KAM;
• explaining the issues in a simple and concise manner;
• dealing with issues that are not required to be disclosed in the financial
  statements. For example, the introduction of a new IT system might have a
  profound impact on financial reporting systems and, as such, might
  become a KAM. In such cases, it seems logical for the auditor to request
  management to disclose the issue and its impact in the annual report.

2.6 DECISIONS AFFECTING THE AUDIT OPINION


First consideration – sufficient acceptable audit evidence
The auditor concludes whether or not it has been possible to obtain sufficient
acceptable audit evidence to be able to express an opinion that the financial
statements are free from material misstatement.
If this is the case, an unmodified opinion is issued and the report may be
finalised without further consideration.
If this is not the case, the auditor will conclude that it may be necessary to
modify the audit report.
• Where the issue(s) relates to fair presentation, this would imply a
  modification of the audit opinion.
• Where the issue(s) does not relate to fair presentation, the auditor would
  consider including an Emphasis of Matter or an Other Matter section in the
  report, without modifying the opinion (refer to section 2.9 of this chapter).
Second consideration – take action to avoid any modification
Upon reaching the conclusion that it may be necessary to modify the opinion,
the auditor would do the following:
• Discuss the issues with management and those charged with governance:
  • concur on the facts surrounding the issues; and
  • ask for further information and explanations.
• Request management to adjust the financial statements where necessary.
• If the auditor remains convinced that a modification of the opinion may be
  necessary:
  • The auditor should inform those charged with governance of the
    circumstances that may lead to a modification, including the wording of
    the proposed modification.
  • This serves to inform them of the facts and give them the opportunity to
    confirm the matters and to take action, where possible, to avoid a
    modification.
Examples of matters likely to affect the auditor’s opinion:
Disagreement with management, for example, disagreement concerning:
• the recorded amounts in the financial statements (material uncorrected
  misstatements or audit differences);
• the appropriateness of accounting policies selected;
• the appropriateness of accounting estimates used;
• the method of application of accounting policies;
• the adequacy of disclosure in the financial statements;
• the classification of long-term amounts shown as current; or
• impaired assets where the carrying value is no longer justified.
Limitation on the scope of the audit work (uncertainty):
• imposed by circumstances, for example:
  • the auditor was unable to observe an inventory count;
  • inadequate controls over cash receipts in the case of clubs, societies,
    etc.;
  • loss/destruction of accounting records; or
  • accounting breakdown.
• imposed by the client, for example:
  • the auditor is unable to carry out an important audit procedure such as
    obtaining an independent opinion concerning the carrying value of
    property; or
  • the auditor is denied access to information needed to verify significant
    transactions or balances.
Third consideration – effect on the audit opinion
Upon reaching the conclusion that it is necessary to modify the opinion, the
auditor should consider whether:
• the issue is material or both material and pervasive; and
• the issue relates to a disagreement or uncertainty or scope limitation.
The auditor’s opinion may be affected as follows:

| Nature of aspect which gave rise to modification | Audit opinion: material, but not pervasive | Audit opinion: material and pervasive |
|---|---|---|
| Financial statements are materially misstated (disagreement) | Qualified opinion (“except for”) | Adverse opinion |
| Inability to obtain sufficient appropriate audit evidence (uncertainty or scope limitation) | Qualified opinion (“except for”) | Disclaimer of opinion |

• Qualified opinion:
  – Although an unqualified opinion cannot be expressed, the
    disagreement with management or the limitation on scope is not so
    material and pervasive that an adverse opinion or disclaimer of
    opinion is required.
  – The qualified opinion is expressed as being “except for” the
    effect(s) of the specific matter(s) to which the qualification relates.
• Disclaimer of opinion:
  – The possible effect of a limitation of scope is so material and
    pervasive (fundamental) that the auditor is unable to obtain
    sufficient audit evidence.
  – The auditor is unable to express an opinion on the financial
    statements.
• Adverse opinion:
  – The effect of a disagreement with management is so material and
    pervasive (fundamental) to the financial statements that a
    qualified audit opinion is inadequate to disclose the misleading or
    incomplete nature of the financial statements.


2.7 EFFECT ON THE FORM AND CONTENT OF THE AUDIT REPORT:


Basis for opinion section
Where the auditor modifies the opinion, the Basis for Opinion section would
provide a description of the matter(s) giving rise to the modification and a
quantification of the possible effects on the financial statements.
Modified opinion
Where the auditor modifies the audit opinion, the auditor uses the heading
“Qualified Opinion”, “Adverse Opinion”, or “Disclaimer of Opinion”, as
appropriate, for the opinion section.
Where the auditor expresses a qualified opinion due to a material
misstatement, the opinion section will state that, in the auditor’s opinion, “. . . except for
the effect of the matter(s) described in the Basis for Qualified Opinion section,
the financial statements present fairly . . .”.
Where the modification arises from an inability to obtain sufficient appropriate
audit evidence, the auditor uses the phrase “. . . except for the possible effects
of the matter(s) . . .”.
Where the auditor expresses an adverse opinion, the Opinion section states
that, in the auditor’s opinion, “Because of the significance of the matter(s)
described in the Basis for Adverse Opinion section, the financial statements do
not present fairly . . .”
Where the auditor disclaims an opinion due to an inability to obtain sufficient
appropriate audit evidence, the Opinion section states that “The auditor does
not express an opinion on the financial statements . . . Because of the
significance of the matter(s) described in the Basis for Disclaimer of Opinion section,
the auditor has not been able to obtain sufficient appropriate audit evidence to
provide a basis for an audit opinion”.
The section describing the auditor’s responsibility should also be amended
where the auditor was not able to obtain sufficient and appropriate audit
evidence to provide a basis for the audit opinion.

2.8 WORDING OF A MODIFICATION OF THE AUDIT OPINION


Specimens setting out illustrative wordings for modified reports may be found
in SAAPS 3 and various ISA statements as listed in section 2.13 of this chapter.
A review of the various specimens identifies issues that need to be dealt with in
the wording. The Basis for Opinion section should:
• identify the issue(s) that led to the modification;
• enable a user to find the relevant information in the financials;
• explain why the issues are significant and how the issues affect the audit –
  why does the auditor disagree with the client or why is the auditor unable to
  obtain evidence;
• illustrate or explain the effect on the financial statements. It is noted that
  this will not necessarily be possible if the auditor is unable to obtain
  sufficient evidence.
Even if the report includes an adverse opinion or a disclaimer, the section
should deal with any other issues that would have led to a modified opinion.

2.9 EMPHASIS OF MATTER PARAGRAPHS AND OTHER MATTER PARAGRAPHS

SOURCE REFERENCE: ISA 706 “Emphasis of Matter Paragraphs and
Other Matter Paragraphs”
These terms relate to additional communication in the auditor’s report which
does not affect the auditor’s opinion. They are provided with the aim of drawing
the users’ attention to information that is:
• appropriately presented and disclosed in the financial statements, but of
  such importance that it is fundamental to the users’ understanding of the
  financial statements;
• relevant to the users’ understanding of the audit, the auditor’s
  responsibilities or the auditor’s report.
Emphasis of matter paragraph
An emphasis of matter is used to highlight an important matter that is correctly
dealt with in the financial statements, such as an accounting note.
The section should be headed “Emphasis of Matter”.
An emphasis of matter is inserted below the “Basis for Opinion” section,
headed “Emphasis of Matter” and should state that the audit opinion is not modified
in respect of the matter.
Whether an emphasis of matter appears above or below the KAM section
depends on the auditor’s judgement concerning the significance of the matter.
Examples of where an emphasis of matter paragraph might be used include:
• an uncertainty surrounding outstanding/pending litigation which is
  properly disclosed and provided for, where necessary, in the financial
  statements;
• the early application of a new accounting standard;
• subsequent events which are properly disclosed in the financial
  statements;
• a situation where other information bound with the financial statements is
  inconsistent with the financial statements.


Other matter paragraphs


Other matters are highlighted in order to communicate to users such matters
as are relevant, in the auditor’s opinion, to understand the audit, the auditor’s
responsibilities or the auditor’s report.
The Other Matters section deals with information that does not directly affect
the financial statements – matters that are not presented in the financial
statements and are not KAM but, nevertheless, are relevant to the audit, for
example:
• It is not possible for the auditor to withdraw from the engagement because
  of statutory requirements.
• Distribution of the audit report is restricted.
• The auditor was not the auditor in the previous year.
Situations where the auditor is required to address other reporting
responsibilities are not dealt with under Other Matters but under a separate section –
Other Legal and Regulatory Matters.
Such information is typically added below the KAM section.

2.10 NOTES ON UNCERTAINTIES/SCOPE LIMITATIONS


In the event that management seeks to impose a scope limitation on the audit:
• the auditor should request that management remove the limitation;
• if management refuses, the auditor should communicate this to those
  charged with governance and determine whether or not evidence can be
  obtained through alternative procedures;
• an auditor who is unable to obtain evidence through alternative
  procedures, should:
  • modify the audit opinion in the case of a material scope limitation; or
  • withdraw from the engagement. If this is not possible, a modification or
    disclaimer of the opinion would need to be considered.

2.11 NOTES ON GOING CONCERN CONSIDERATIONS


The Standards require a reporting focus on going concern by providing explicit
descriptions of the responsibilities of management and the auditor.
Where applicable, the report would include a separate Going Concern section
in the event of material uncertainty, with the heading “Material Uncertainty
Related to Going Concern”.
“Close calls”
“Close calls” refer to situations where, although there is doubt concerning an
enterprise’s ability to operate as a going concern, management is satisfied that
the enterprise will be able to continue to operate as a going concern and has
made appropriate disclosure.


In the event of a “close call”, the auditor is required to challenge the adequacy
of going concern disclosures and obtain sufficient audit evidence to support
management’s assertions and disclosures.
Reporting on going concern
Matters relating to going concern, such as “close calls”, may be determined to
be KAM and communicated as KAM in the auditor’s report in accordance with
new ISA 701.
However, where material going concern uncertainty remains, this is not
reported as a KAM but reported separately in the audit report in a section headed
“Material Uncertainty Related to Going Concern”.
Provided that there is a reasonable expectation that Going Concern is
appropriate and the uncertainty is adequately disclosed in the statements, the
auditor will issue an unmodified opinion.
If adequate disclosure is not made in the financial statements, the auditor will
express a qualified opinion or adverse opinion, as appropriate.
Where the financial statements have been prepared on a going concern basis
but, in the auditor’s judgement, management’s use of the going concern
assumption in the financial statements is inappropriate, the auditor will express
an adverse opinion.
Examples of going concern modifications are set out in ISA 570.

2.12 ADDITIONAL REPORTING RESPONSIBILITIES


Where the client includes supplementary schedules with the statements, the
auditor indicates that these documents do not form part of the annual financial
statements and are not audited. This is included in the “Other Matters” section.
Common examples include detailed profit and loss statements and tax
computations.
Where the auditor is obliged to report non-compliance with law and/or
legislation/regulation, notwithstanding the fact that the financial statements are not
affected, this information would be included in the report under the heading
“Other Legal and Regulatory Requirements”.
Where the auditor has reported a reportable irregularity under section 45 of the
Auditing Profession Act (26 of 2005), section 44(3)(e) of the Act requires the
auditor to state that fact in the audit report. This is a qualification of the report
but the audit opinion would not be modified unless the financial statements are
affected.


2.13 ILLUSTRATIONS OF AUDIT REPORTS


Illustrations of audit reports in the revised format may be found in SAAPS 3 and
the appendices to ISA 700, ISA 705, ISA 706, ISA 570 (Going Concern), ISA
510 (Opening Balances) and ISA 600 (Component Auditors).
SAAPS 3 includes a number of illustrative reports that are not included in the
ISAs and which do not repeat the illustrative reports included in the ISAs.
The following pages set out a single illustration of an unmodified audit report
where the consolidated financial statements and separate financial statements
are presented together, and the financial statements are prepared under IFRS.
Independent Auditor’s Report
To the Shareholders of ABC Limited
Report on the Audit of the Consolidated and Separate Financial Statements
Opinion
We have audited the consolidated and separate financial statements of ABC Limited (the group)
set out on pages … to …, which comprise the statements of financial position as at 31 December
20X1, and the statements of profit or loss and other comprehensive income, the statements of
changes in equity and the statements of cash flows for the year then ended, and notes to the
financial statements, including a summary of significant accounting policies.
In our opinion, the consolidated and separate financial statements present fairly, in all material
respects, the consolidated and separate financial position of the group as at 31 December 20X1,
and its consolidated and separate financial performance and consolidated and separate cash
flows for the year then ended in accordance with International Financial Reporting Standards and
the requirements of the Companies Act of South Africa.
Basis for Opinion
We conducted our audit in accordance with International Standards on Auditing (ISAs). Our
responsibilities under those standards are further described in the Auditor’s Responsibilities for the
Audit of the Consolidated and Separate Financial Statements section of our report. We are
independent of the group in accordance with the Independent Regulatory Board for Auditors Code of
Professional Conduct for Registered Auditors (IRBA Code) and other independence requirements
applicable to performing audits of financial statements in South Africa. We have fulfilled our other
ethical responsibilities in accordance with the IRBA Code and in accordance with other ethical
requirements applicable to performing audits in South Africa. The IRBA Code is consistent with the
International Ethics Standards Board for Accountants Code of Ethics for Professional Accountants
(Parts A and B). We believe that the audit evidence we have obtained is sufficient and appropriate
to provide a basis for our opinion.
Key Audit Matters
Key audit matters are those matters that, in our professional judgement, were of most significance
in our audit of the consolidated and separate financial statements of the current period. These
matters were addressed in the context of our audit of the consolidated and separate financial
statements as a whole, and in forming our opinion thereon, and we do not provide a separate opinion
on these matters.
[Description of each key audit matter in accordance with ISA 701.]
Responsibilities of the Directors for the Consolidated and Separate Financial Statements
The directors are responsible for the preparation and fair presentation of the consolidated and
separate financial statements in accordance with International Financial Reporting Standards and
the requirements of the Companies Act of South Africa, and for such internal control as the directors
determine is necessary to enable the preparation of consolidated and separate financial
statements that are free from material misstatement, whether due to fraud or error.
In preparing the consolidated and separate financial statements, the directors are responsible for
assessing the group’s and the company’s ability to continue as a going concern, disclosing, as
applicable, matters related to going concern and using the going concern basis of accounting
unless the directors either intend to liquidate the group and / or the company or to cease operations,
or have no realistic alternative but to do so.
Auditor’s Responsibilities for the Audit of the Consolidated and Separate Financial Statements
Our objectives are to obtain reasonable assurance about whether the consolidated and separate
financial statements as a whole are free from material misstatement, whether due to fraud or error,
and to issue an auditor’s report that includes our opinion. Reasonable assurance is a high level of
assurance, but is not a guarantee that an audit conducted in accordance with ISAs will always
detect a material misstatement when it exists. Misstatements can arise from fraud or error and are
considered material if, individually or in the aggregate, they could reasonably be expected to influence
the economic decisions of users taken on the basis of these consolidated and separate
financial statements.
As part of an audit in accordance with ISAs, we exercise professional judgement and maintain professional
scepticism throughout the audit. We also:
• Identify and assess the risks of material misstatement of the consolidated and separate financial
  statements, whether due to fraud or error, design and perform audit procedures responsive
  to those risks, and obtain audit evidence that is sufficient and appropriate to provide a
  basis for our opinion. The risk of not detecting a material misstatement resulting from fraud is
  higher than for one resulting from error, as fraud may involve collusion, forgery, intentional
  omissions, misrepresentations, or the override of internal control.
• Obtain an understanding of internal control relevant to the audit in order to design audit procedures
  that are appropriate in the circumstances, but not for the purpose of expressing an opinion
  on the effectiveness of the group’s and the company’s internal control.
• Evaluate the appropriateness of accounting policies used and the reasonableness of accounting
  estimates and related disclosures made by the directors.
• Conclude on the appropriateness of the directors’ use of the going concern basis of accounting
  and based on the audit evidence obtained, whether a material uncertainty exists related to
  events or conditions that may cast significant doubt on the group’s and the company’s ability
  to continue as a going concern. If we conclude that a material uncertainty exists, we are
  required to draw attention in our auditor’s report to the related disclosures in the consolidated
  and separate financial statements or, if such disclosures are inadequate, to modify our opinion.
  Our conclusions are based on the audit evidence obtained up to the date of our auditor’s
  report. However, future events or conditions may cause the group and / or the company to
  cease to continue as a going concern.
• Evaluate the overall presentation, structure and content of the consolidated and separate
  financial statements, including the disclosures, and whether the consolidated and separate
  financial statements represent the underlying transactions and events in a manner that
  achieves fair presentation.
• Obtain sufficient appropriate audit evidence regarding the financial information of the entities
  or business activities within the group to express an opinion on the consolidated financial
  statements. We are responsible for the direction, supervision and performance of the group
  audit. We remain solely responsible for our audit opinion.
We communicate with the directors regarding, among other matters, the planned scope and timing
of the audit and significant audit findings, including any significant deficiencies in internal control
that we identify during our audit.
We also provide the directors with a statement that we have complied with relevant ethical requirements
regarding independence, and to communicate with them all relationships and other matters
that may reasonably be thought to bear on our independence, and where applicable, related safeguards.
From the matters communicated with the directors, we determine those matters that were of most
significance in the audit of the consolidated and separate financial statements of the current period
and are therefore the key audit matters. We describe these matters in our auditor’s report unless
law or regulation precludes public disclosure about the matter or when, in extremely rare circumstances,
we determine that a matter should not be communicated in our report because the
adverse consequences of doing so would reasonably be expected to outweigh the public interest
benefits of such communication.
Report on Other Legal and Regulatory Requirements
In terms of the IRBA Rule published in Government Gazette Number 39475 dated 4 December
2015, we report that [XX firm] has been the auditor of ABC Limited for [X] years.
[Auditor’s Signature]
[Name of individual registered auditor]
[Capacity if not a sole practitioner: e.g. Director or Partner]
Registered Auditor
[Date of auditor’s report]
[Auditor’s address]

2.14 COMMUNICATION WITH THOSE CHARGED WITH GOVERNANCE


SOURCE REFERENCE: ISA 260 “Communication with Those Charged with Governance”
Introduction
The auditor should communicate important matters regarding the audit of
financial statements and the findings of the audit to those charged with the
governance of an entity.
Communication is required to adequately inform all with whom the auditor
would normally communicate in their governance capacity.
The standard requires inclusive two-way communication between the auditor
and those charged with governance and requires the auditor to make appropriate
enquiries of those charged with governance.
Communication should be on a timely basis and the auditor should keep
proper documentation of the communication, including management’s communication
of matters of governance interest to those charged with governance.
Communication should be in writing and any oral communication should be
documented in the working papers.
Persons responsible for governance
This relates to those responsible for overseeing the strategic direction of the
entity and obligations related to the accountability of the entity.
Those charged with governance could include the main board, subgroups,
committees or individuals. The standard acknowledges that, in a small enterprise,
those charged with governance and management are the same people,
whereas a larger company would have independent non-executive directors
and separate audit and risk committees, etc.
Reporting structures
The auditor decides to whom to address such communications. This will usually
be those charged with governance, namely the whole board or the audit
committee.
To avoid misunderstandings, the auditor should set out in the engagement
letter the structure as well as the matters to be reported.
Matters to be communicated
Matters the auditor should communicate include:
• the auditor’s responsibilities in relation to the financial statement audit;
• the planned scope and timing of the audit;
• significant findings from the audit and, specifically, KAM; and
• aspects relating to auditor independence. For listed entities, a statement
  must be provided that the engagement team and others within the firm
  complied with the relevant ethical requirements for independence,
  together with details of possible threats to independence and how these
  threats were addressed.

2.15 DISCLOSURE OF AUDIT TENURE


The reporting requirement to disclose audit tenure applies only to public
interest entities, typically listed companies and entities governed by specific
legislation (refer to Paragraph 290.26 of the IRBA Code of Professional Conduct).
The audit firm is required to disclose the number of years that the firm continuously
served as auditor in the Other Legal and Regulatory Matters section.
Where a firm has merged, the period to be disclosed is the longest period –
from the date when any one of the merged firms was appointed.

2.16 REPORTING AND COMPLIANCE WITH FINANCIAL REPORTING FRAMEWORKS

SOURCE REFERENCE: SAAPS 2 (Revised 2018) “Financial reporting frameworks and the audit report”
A financial reporting framework is a basis of preparing financial statements
which has been established by a recognised organisation such as a
standard-setting body.

General purpose and special purpose frameworks


In order to determine the acceptability of the financial reporting framework, the
auditor determines whether the financial statements are prepared to meet:
• the common financial information needs of a wide range of users (general
  purpose financial statements); or
• the financial information needs of specific users (special purpose financial
  statements).
In both cases the auditor follows the guidance per ISA 700.
The following laws and regulations, for example, contain prescribed applicable
financial reporting frameworks:
• The Companies Act and Regulations;
• The JSE Listing Requirements;
• The Public Finance Act 1 of 1999 (PFMA) and Regulations;
• The Municipal Finance Management Act 56 of 2003 (MFMA); and
• Directives issued by the ASB.
Examples of general purpose frameworks include:
• International Financial Reporting Statements (IFRS);
• International Financial Reporting Statements for Small and Medium-Sized
  Enterprises (IFRS for SMEs);
• Generally Accepted Municipal Accounting Practice (GAMAP);
• Standards of Generally Recognised Accounting Practice (GRAP); and
• The Modified Cash Standard.
In South Africa, all public companies are required to comply with International
Financial Reporting Standards (this is the responsibility of the directors).
Examples of special purpose frameworks include:
• The Regulatory Reporting Requirements for Retirement Funds in South
  Africa; and
• A basis of accounting applied by an entity that comprises a set of criteria
  used in preparing financial statements which applies to all material items
  and which has been designed specifically for the intended users of the
  financial statements of the entity.
The auditors’ responsibility
The auditor’s responsibility would be set out in the terms of engagement and
would typically be to audit the financial statements and to determine whether or
not the entity complies in all material respects with the selected financial
reporting framework. If there is any non-compliance, the auditor should consider
the impact on the audit opinion and the related reporting responsibilities.
Before accepting an engagement involving a special purpose framework, the
auditor must understand the framework and the selection and application of
accounting policies. The auditor must then consider:
• the acceptability of the reporting framework, specifically:
  • relevance of the framework to the entity and the purpose of the
    financial statements;
  • whether or not all information that could affect interpretation of the
    financial statements is included;
  • reliability;
  • freedom from bias; and
  • whether or not the financial statements are clear and comprehensive;
• the purpose of the financial statements;
• the intended users; and
• steps taken by management to ensure that the framework is acceptable.
If the auditor determines that the proposed framework is not acceptable, the
auditor should not accept the engagement.
Appendices to SAAPS 2
Appendices 2 and 3 of SAAPS 2 set out a flow diagram and a list of financial
reporting frameworks respectively.

2.17 COMPARATIVE INFORMATION


SOURCE REFERENCE: ISA 510 “Initial Audit Engagements – Opening Balances”
ISA 710 “Comparative Information – Corresponding Figures and Comparative Financial Statements”
The auditor should evaluate whether or not any comparative information agrees
with the amounts and other disclosures presented in the prior period and
whether or not the accounting policies applied in the comparative information
are consistent with those applied in the current period.
If the auditor becomes aware of a possible material misstatement in comparative
information, the auditor should perform such additional audit procedures
as are necessary in the circumstances to obtain sufficient appropriate audit
evidence to determine whether a material misstatement exists.
If opening balances are materially misstated, it would be possible to issue an
unmodified opinion on the financial position at the end of the year with a
disclaimer on the results of operations.
If the auditor had audited the prior period’s financial statements, the auditor
should also follow the requirements of ISA 560.

2.18 OTHER INFORMATION IN DOCUMENTS WHICH INCLUDE AUDITED FINANCIAL STATEMENTS

SOURCE REFERENCE: ISA 720 “The auditor’s responsibilities relating to other information in documents containing audited financial statements”
Entities often include their audited financial statements and auditor’s report in
the integrated report together with a wide range of other information.
An IRBA Staff Audit Practices Alert defines the annual report as including:
• the annual financial statements;
• the integrated report (where applicable); and
• any other documents forming part of the entity’s annual financial statements
  or integrated report.
King IV, the JSE Listing Requirements and the Companies Act also identify
documents that might accompany financial statements, such as:
• the Director’s Report;
• the Audit Committee’s Report (where applicable); and
• the Company Secretary’s Certificate (where applicable).
Given that SAAPS 3 concludes that the audit opinion does not extend to these
documents, the auditor does not have a responsibility to perform audit procedures
thereon.
The auditor must, however, review the other information to ensure that the other
information does not contradict the information included in the audited financial
statements.
Any such contradiction may cast doubt on:
• conclusions drawn from audit evidence previously obtained; and
• the basis for the audit opinion on the financial statements.
A misstatement of fact exists when such information, not related to the issues in
the financial statements, is incorrectly stated or presented.
The auditor must arrange with the client to gain timeous access to the other
information before the date of the auditor’s report.
Material inconsistencies
An auditor, who becomes aware of a contradiction in the other information,
must establish whether:
• the audited financial statements must be changed; or
• the other information must be changed.
The auditor must then inform management of the proposed changes.
• If the audited financial statements should be changed and management
  refuses to do so, the auditor must consider the need to modify the audit
  opinion.
• If the other information should be changed and management refuses, the
  auditor must:
  • report on this under the heading “Supplementary Information”;
  • obtain legal advice;
  • consider other actions such as withholding the auditor’s report and,
    where legally permitted, withdrawing from the engagement.
Material misstatement of facts in the other information
An auditor who becomes aware that the other information contains incorrect
facts (which are not related to the information in the financial statements), will
not want to be associated with this incorrect information.
In the case of material misstatement of facts, the auditor must:
• discuss the matter with management and those charged with governance
  and consider whether or not the other information is valid; and
• where the other information is misstated and management refuses to
  correct the matter:
  • advise management to consult with third parties (for example legal
    advisers) and thereafter to re-evaluate the facts;
  • obtain legal advice; and
  • consider the reportable irregularity reporting obligations in terms of
    section 45 of the Auditing Profession Act. An example would be a case
    where the contradiction is likely to mislead users.

2.19 AVAILABILITY OF OTHER INFORMATION AFTER THE DATE OF THE AUDITOR’S REPORT

Should the other information not be available at the date of the auditor’s report,
the auditor must read it as soon as possible thereafter.
An auditor who discovers a material inconsistency or misstatement of fact after
the reporting date must determine whether the client should change the financial
statements or the other information.
• If the audited financial statements have to be changed, the auditor must
  act in accordance with ISA 560 “Subsequent events”.
• If the other information must be changed and:
  • management agrees, procedures must be performed to review the
    procedures followed by the client to inform persons in possession of
    information that it has changed;
  • management refuses, then the auditor should take further action, such
    as:
    – informing management in writing of the circumstances;
    – obtaining legal advice; and
    – considering the reportable irregularity reporting responsibilities in
      terms of section 45 of the Auditing Profession Act.

2.20 CONFORMING AMENDMENTS TO OTHER ISA STANDARDS


Because of their specific relevance to reporting, the following Standards were
updated with conforming amendments at the time of the revision of the Reporting
Standards:
• ISA 210 – Engagement Terms;
• ISA 220 – Quality Control;
• ISA 230 – Documentation;
• ISA 510 – Initial Engagements;
• ISA 540 – Accounting Estimates/Fair Value;
• ISA 580 – Management Representations;
• ISA 600 – Component Auditors;
• ISA 710 – Comparative Information.
Whilst the following standards were not updated at that time, they are considered
to be relevant to the reporting decisions:
• ISA 240 – Fraud and Error;
• ISA 315 – Risks;
• ISA 330 – Response to Risks;
• ISA 450 – Misstatements;
• ISA 540 – Accounting Estimates/Fair Value.

3. ASSURANCE ENGAGEMENTS OTHER THAN AUDITS OR REVIEWS OF HISTORICAL FINANCIAL INFORMATION

SOURCE REFERENCE: ISAE 3000 “Assurance engagements other than audits or reviews of historical financial information”
This statement is dealt with in detail in chapter 15.


4. SPECIAL PURPOSE ENGAGEMENTS


Beyond reporting on audited annual financial statements, an auditor is often
requested to undertake other engagements and to issue a report on information
other than financial statements prepared in accordance with IFRS.
Different categories of special reports can be identified, each of which is issued
under different circumstances, and thus provides a different level of assurance for
the user:
• reports expressing opinions (ISA 800, 805 and 810);
• assurance engagements other than audits or reviews of historical financial
  information (see above);
• reports expressing limited assurance (review engagements) (ISRE 2400);
• review of interim financial information (ISRE 2410); and
• reports on factual findings (ISRS 4400).

4.1 REPORTS EXPRESSING OPINIONS


SOURCE REFERENCE: ISA 800 “Special considerations – Audits of financial statements prepared in accordance with special purpose frameworks”
ISA 805 “Special considerations – Audits of single financial statements and specified elements, accounts or items”
ISA 810 “Engagements to report on summary financial statements”

4.1.1 Terms of the engagement


The auditor and the client must agree on the nature of the engagement and the
format and contents of the report that will be issued on completion of the
engagement. These issues should be clarified in the engagement letter, which,
because of the unique nature of each engagement, would be very specific in
dealing with the scope of work and the respective responsibilities of management
and the auditor.

4.1.2 Considerations when planning and performing the audit


The auditor must comply with all ISA requirements relevant to the engagement,
adapted where necessary.
The firm should implement proper quality control procedures and policies
(ISQC1) and the individual auditor should implement quality control procedures
appropriate to the engagement (ISA 220).
The engagement partner should possess competence in assurance skills and
techniques, and competence in financial reporting.
The auditor must consider the acceptability of the financial reporting framework
applied in the preparation of the financial information and the steps taken by
management to determine that the applicable framework is appropriate.
The accounting framework and materiality limits should be agreed upon with
the client.
The auditor should also obtain an understanding of the purpose for which the
financial information is prepared, and the intended users.

4.1.3 Considerations when forming an opinion


The auditor must comply with the requirements of ISA 700, adapted as necessary,
when formulating the audit opinion.
The statement also emphasises the importance of communication with those
charged with governance.

4.1.4 Reporting
To prevent the report being used for purposes other than those for which it was
prepared, the report should include:
• the purpose for which it was prepared; and
• restrictions on its distribution and use.
Important interpretations of an agreement, etc. on which the financial statements
are prepared must be described in the report and referred to in the
opinion section.
Illustrations of reports are included as appendices to the Standards.
• Reports on financial statements prepared in accordance with a special
  purpose framework (ISA 800)
  This applies in respect of financial statements prepared on a basis other
  than IFRS, for example:
  • on a cash basis;
  • in compliance with a contract;
  • in accordance with a basis used for tax calculations; and
  • in compliance with government requirements.
  The report states the basis on which the financial statements were prepared
  and refers to the relevant notes in the financial statements.
  The report must also describe the purpose for which the financial statements
  were prepared and, if necessary, the intended users. An emphasis
  of matter paragraph would be used for this information and could also be
  used to point out that the financial statements might not be useful for any
  purpose other than that for which they were intended.
  The explanation of management’s responsibility for the financial statements
  should also refer to management’s responsibility to determine the
  appropriateness of the applicable financial reporting framework.
  The auditor’s opinion should state whether or not the financial statements
  were prepared in all material respects in accordance with the specified
  accounting framework.
  If the accounting framework is not complied with or not properly disclosed
  in the financial statements, the audit report must be modified.
• Reports on single financial statements or components (ISA 805)
  This applies where the auditor expresses a separate opinion on a component
  of the financial statements, for example, a balance sheet or the inventory
  account.
  This could be a separate audit, or part of the audit of the annual financial
  statements. However, the auditor expresses an opinion only on the component
  audited.
  As every ISA 805 engagement is unique, the auditor is required to exercise
  significant professional judgement when considering matters to be
  included in the report.
  In conducting the audit, the auditor would consider the following:
  • The interrelationship between items should be considered, for example
    debtors and sales.
  • Materiality is determined in respect of the component of the financial
    statements being reported upon.
  • The report on the component is separate from the report on the annual
    financial statements as a whole.
  • The auditor’s report must include the following:
    – the accounting basis applicable to the component; and
    – an opinion on whether or not the component information was, in
      all material respects, prepared in accordance with the specified
      framework.
  If the auditor’s report on the complete financial statements is modified, or
  has been withheld, the auditor must consider whether the component
  being reported on is sufficiently material to form a significant part of the
  financial statements of the whole enterprise.
  If the audit opinion on the complete financial statements is modified,
  includes an Emphasis of Matter, reports uncertainty related to going concern,
  highlights an uncorrected misstatement in other information or
  reports KAM, the auditor must consider the effect that this may have on
  the audit report on the single component.
  Where applicable, ISA 570 (Going Concern) and ISA 701 (KAM) would
  apply fully to the audit of the component and the approach to these issues
  would be specific to the component.
  The auditor shall not express an unmodified opinion on a single financial
  statement where an adverse opinion or disclaimer of opinion has been
  expressed on the complete set of financial statements as a whole.
• Reports on summary financial statements (ISA 810)
  This applies where the auditor reports on summarised financial statements
  derived from annual financial statements audited by the same audit firm.
  • The auditor may only report on the summarised financial statements if
    the firm audited the annual financial statements and expressed an
    opinion thereon.
  • The summarised financial statements:
    – contain less detail than the annual financial statements;
    – should clearly indicate that they are summarised statements;
    – should refer the reader to the audited annual financial statements
      for a better understanding of the financial information; and
    – should contain an introductory paragraph stating that the information
      was derived from the audited financial statements.
  • The auditor’s report should express an opinion on whether the summarised
    statements are consistent with the audited statements.

4.2 REPORTS EXPRESSING LIMITED ASSURANCE


SOURCE REFERENCE: ISRE 2400 “Engagements to review historical financial information”
Note: ISRE 2400 applies when a practitioner who is not the auditor of an entity
undertakes an engagement to review financial statements.
An engagement to express a moderate level of assurance is generally referred
to as a review engagement. Negative assurance will be expressed in the
report.
During a review engagement, the reviewer should obtain sufficient appropriate
evidence, primarily through enquiry and analytical review procedures, to be
able to draw a conclusion.
The report states that nothing has come to the reviewer’s attention in the
course of the work which causes the reviewer to believe that the information
covered by the report does not conform to a specified set of criteria and therefore
needs modification.
Section 30 of the Companies Act requires a review of the annual financial
statements of companies with a Public Interest Score greater than 100.

4.2.1 Accepting the engagement


The reviewer should comply with the relevant ethical requirements.
The reviewer should ensure that the parties involved have a clear understanding
of the moderate level of assurance that is to be given.
The reviewer and the client should agree on the terms of the engagement in an
engagement letter – a specimen is included as an appendix to the ISRE.

4.2.2 Performing the engagement


• The reviewer should implement quality control procedures applicable to
  the engagement.
• The work should be planned and performed with an attitude of professional
  scepticism, given that circumstances may exist that could cause the
  financial statements to be materially misstated.
• The same levels for materiality would apply as would be the case for an
  audit.
• The reviewer should be cognisant of the risk that a client might deliberately
  request a lower level of assurance, such as a review, because of a belief
  that a review would not detect material misstatements that would be
  detected by a full audit.
• The reviewer must obtain an understanding of the entity and its environment,
  and the applicable financial reporting framework, in order to identify
  areas in the financial statements where material misstatement is likely to
  arise, thus providing a basis for designing procedures to address those
  areas.
• The procedures are limited to procedures of a review nature, and will
  include the following:
  • enquiry as explained below; and
  • performing analytical review procedures as explained in the chapter
    on analytical procedures.
• The reviewer should make enquiries, primarily of persons responsible for
  financial and accounting matters, and perform analytical and other review
  procedures to be able to draw a conclusion as to whether or not anything
  has come to the reviewer’s attention that causes the reviewer to believe
  that the interim financial information is not prepared, in all material
  respects, in accordance with the applicable financial reporting framework.
  • A review does not require tests of accounting records through inspection,
    observation or confirmation.
  • Review procedures usually do not entail a study of the internal controls
    or physical verification or confirmation by outside parties.
• Evidence should be obtained that the financial information agrees with the
  underlying accounting records.
• The reviewer should, through enquiry, ensure that management has identified
  all events up to the date of the financial statements that may require
  adjustment or disclosure.
  • Where doubt exists regarding the going concern ability of the entity,
    the reviewer should enquire from management regarding any plans
    that will improve the situation and the feasibility of these plans.
  • The adequacy of disclosures regarding going concern should be
    considered.
• A client may not restrict the scope of the investigation.
• If the evidence indicates that the information is reliable, the reviewer has
  the right to assume that the information does not have to be amended.
• The reviewer should consider the materiality of uncorrected misstatements
  and the effect on the opinion.
• Further procedures include:
  • enquiries regarding all material assertions in the financial statements;
  • enquiries regarding actions taken at meetings of shareholders, the
    board, etc.;
  • reading the financial statements to determine whether or not they
    appear to correspond with the reviewer’s information;
  • obtaining reports from other auditors, and if necessary, engaging with
    them to review financial statements or components; and
  • making enquiries of persons responsible for the financial statements,
    whether all transactions have been recorded, whether the financial
    statements have been prepared in accordance with the accounting
    policy stated, changes in accounting principles, etc.
l The reviewer should obtain written representations from management that:
• management acknowledges responsibility for the design and imple-
mentation of internal control;
• the financial statements have been prepared and presented in accord-
ance with the applicable financial reporting framework;
• management believes that uncorrected misstatements are immaterial;
• all facts relating to fraud or suspected fraud have been disclosed to
the auditors;
• management has disclosed:
– the result of its assessment of the risk that the interim financial
statements may be misstated because of fraud;
– all known non-compliance with laws and regulations; and

– all post balance sheet date events that may require adjustment or
disclosure.
l If there is evidence that the information is not reliable, the reviewer should
perform additional procedures to remove the uncertainty.
l The auditor is required to obtain sufficient evidence to support the con-
clusions in the report.

4.2.3 Reporting
Specimen reports are set out in the Annexures to ISRE 2400 and in SAAPS 3.
The report should describe the scope of the review and the procedures per-
formed. It should also be stated that further material facts could be discovered
if an audit were performed. The distribution of the report may be limited if so
required by the reviewer.
The report should contain the following basic elements:
l title, which shall clearly indicate that it is the report of an independent
practitioner for a review engagement;
l addressee;
l opening or introductory paragraph, including:
• identification of the financial statements on which the review has been
performed;
• reference to the significant accounting policies and other explanatory
information; and
• a statement that the financial statements have been reviewed;
l a statement that management is responsible for the preparation and fair
presentation of the financial information in accordance with the applicable
financial reporting framework;
l a statement that the auditor is responsible for expressing a conclusion on
the financial information based on the review;
l a statement that the review of the interim financial information was con-
ducted in accordance with ISRE 2400 and that such a review consists of:
• making enquiries; and
• applying analytical and other review procedures;
l a statement that:
• a review is substantially less extensive than an audit;
• a review does not enable the auditor to become aware of all significant
matters that might be identified in an audit; and
• no audit opinion is expressed;
l a paragraph under the heading “Conclusion” that contains:
• the practitioner’s conclusion on the financial statements as a whole;
and

• a reference to the applicable financial reporting framework used to
prepare the financial statements;
l when the practitioner’s conclusion on the financial statements is modified:
• a paragraph that contains the practitioner’s modified opinion; and
• a paragraph that provides a description of the matters giving rise to
the modification;
l a reference to the practitioner’s obligation to comply with the relevant
ethical requirements;
l date of the report;
l the location in the jurisdiction where the practitioner practices;
l practitioner’s signature.

4.3 REVIEW OF INTERIM FINANCIAL INFORMATION


SOURCE REFERENCE: ISRE 2410 “Review of interim financial information
performed by the independent auditor of
the entity”
The purpose of ISRE 2410 is to establish standards and provide guidance on the
auditor’s professional responsibilities when undertaking an engagement to review
the interim financial information of an audit client, and on the form and content of
the report. The term “auditor” is used throughout this section, not because an
audit is performed but because the scope of ISRE 2410 covers the review of
interim financial information by the independent auditor of the entity.
Interim financial information is financial information that is prepared and
presented in accordance with an applicable financial reporting framework and
comprises either a complete or condensed set of financial statements for a
period that is shorter than the entity’s financial year.
NOTE: As the auditor performing the review is also the auditor of the entity,
certain audit procedures required for the audit of the financial state-
ments may be performed in conjunction with the review (for example the
reading of minutes and certain interim audit procedures).

4.3.1 General principles


l The auditor should comply with all ethical requirements relevant to the
audit of the annual financial statements of the entity.
l The auditor should implement quality control procedures applicable to the
engagement.
l The auditor should plan and perform the review with an attitude of profes-
sional scepticism.

4.3.2 Objective of an engagement to review interim financial information


The objective of a review of interim financial information differs from an audit
conducted in terms of International Standards on Auditing (ISAs). A review
consists of enquiries and applying analytical and other review procedures. A
review may bring significant matters affecting the interim financial information to
the auditor’s attention but it does not provide all of the evidence required for an
audit.

4.3.3 Performing the engagement


l The auditor and the client should agree on the terms of the engagement in
an engagement letter. A specimen engagement letter is included as an
appendix to the ISRE.
l The auditor should obtain an understanding of the entity and its environ-
ment, including its internal control, as it relates to the preparation of both
annual and interim financial information.
• An auditor who has previously audited the entity’s financial information
would already have obtained the required understanding and will
simply update this information during the performance of this specific
engagement.
• An auditor who has not yet performed an audit of the annual financial
statements of the entity in terms of ISAs should obtain this under-
standing as required by ISA 315.
l In common with ISRE 2400, the procedures are limited to procedures of a
review nature, and will include the following:
• enquiring from and having discussions with management and staff;
and
• performing analytical review procedures such as those set out in the
examples contained in the appendix to the ISRE.
l The auditor should consider the materiality of uncorrected misstatements
and the effect on the opinion.
l The auditor should obtain written representations from management,
similar to those required in terms of ISRE 2400.
l The auditor should ensure that any accompanying information is not
materially inconsistent with the interim financial information.

4.3.4 Reporting
Ideally, the report should conclude that nothing has come to the auditor’s
attention that causes the auditor to believe that the interim financial information
does not present the financial information fairly and in accordance with the
applicable reporting framework. Should this conclusion not be reached, the
auditor should modify the report.
Examples of review reports are included in the appendices to the ISRE.

The auditor should issue a written report that contains:


l title;
l addressee;
l identification of the interim financial information reviewed, including:
• identification of the title of each of the statements contained in the
complete or condensed interim financial statements; and
l paragraphs, similar to those required by ISRE 2400, setting out the respective
responsibilities of management and the practitioner, and describing a
review and its limitations;
l a conclusion as to whether or not anything has come to the auditor’s
attention that causes the auditor to believe that the interim financial infor-
mation does not give a true and fair view, or does not present that infor-
mation fairly, in all material respects, in accordance with the applicable
financial reporting framework;
l date;
l location where the auditor practices; and
l the auditor’s signature.

4.4 ENGAGEMENTS TO PERFORM AGREED-UPON PROCEDURES


SOURCE REFERENCE: ISRS 4400 (Revised) “Agreed-upon procedures
engagements”
An agreed-upon procedures engagement is one where the practitioner is
required to perform only those specific procedures to which the practitioner,
the entity and any other third parties have agreed. ISRS 4400 (Revised) is
applicable to financial and non-financial subject matter.
Agreed-upon procedures engagements are seen as a cost-effective mech-
anism for clients to provide reliable information to users on specific reporting
requirements, without incurring the cost of a full scope audit.
On completion of such an engagement:
l the practitioner reports on the findings of the agreed-upon procedures;
l no assurance is expressed, as the readers of the report themselves evalu-
ate the procedures performed and the findings thereof; and
l any restriction on the distribution of the report is based on the discretion of
the practitioner.
The practitioner is required to exercise professional judgment throughout the
engagement.

4.4.1 Acceptance of the engagement


The practitioner should comply with all ethical requirements relevant to the
engagement.

The practitioner should ensure that he/she understands the purpose of the
engagement. The engagement should be declined if the practitioner becomes
aware of any facts or circumstances indicating that the procedures are inap-
propriate for the purpose of the engagement. The engagement should also
only be accepted if all conditions are met.
An engagement letter should be issued to the client and other relevant parties
that clarifies the conditions of the engagement.
An illustrative engagement letter is included as an appendix to the ISRS.

4.4.2 Performance of the procedures


The practitioner should implement quality control procedures applicable to the
engagement.
Planning
The work must be properly planned to enable the practitioner to perform an
effective engagement.
Documentation
Procedures performed during the engagement should be properly docu-
mented in the working papers, to provide evidence that the engagement was
carried out in terms of the engagement conditions and in accordance with
ISRS.
Procedures and evidence
Only the agreed-upon procedures should be carried out and the results of the
procedures should be used as the basis for the report of the findings.

4.4.3 Reporting
The report must describe the purpose and the procedures of the engagement
in sufficient detail to enable the reader to understand the nature and extent of
the work performed.
The report of findings should contain:
l title;
l addressee (the client who engaged the practitioner to perform the agreed-
upon procedures);
l identification of specific financial or non-financial information to which the
agreed-upon procedures have been applied;
l responsibilities of the engaging party, the responsible party and the practi-
tioner;

l a statement that the procedures performed were those agreed upon with
the client;
l a statement that the engagement was performed in accordance with the
ISRS;
l a statement dealing with the practitioner’s independence;
l identification of the purpose for which the agreed-upon procedures were
performed;
l a description of the practitioner’s procedures and findings, including
sufficient details of errors and exceptions found;
l a statement that the procedures performed do not constitute either an
audit or a review and, as such, no assurance is expressed;
l a statement that, if the practitioner performed additional procedures, an
audit or a review, other matters might have come to light that would have
been reported;
l a statement (where applicable) that the report relates only to the informa-
tion specified and that it does not extend to the entity as a whole;
l the report may refer to the work performed by a practitioner’s expert. The
wording of the report shall not imply that the practitioner’s responsibility for
performing the procedures and reporting the findings is reduced
because of the involvement of the expert;
l date of the report;
l practitioner’s address;
l practitioner’s signature.

5. ENGAGEMENTS TO COMPILE FINANCIAL INFORMATION


SOURCE REFERENCE: ISRS 4410 “Compilation engagements”
5.1 OBJECTIVE OF A COMPILATION ENGAGEMENT
The objective of the engagement is to use the practitioner’s accounting exper-
tise (as opposed to auditing expertise) to collect, classify and summarise
information.
l The information is processed into an understandable form without testing
the underlying assertions.
l The compilation procedures are not designed to and do not allow the
auditor to express assurance on the financial statements.
A compilation engagement can include the preparation of annual financial
statements for:
l entities not requiring audited annual financial statements;
l entities audited by the same firm; or
l entities audited by another firm.

A compilation engagement can also include the preparation of:


l incomplete financial statements;
l monthly management accounts;
l special purpose financial statements (e.g. prepared in terms of a takeover
agreement);
l financial statements for a part of a company (e.g. a branch or division); or
l financial statements for a close corporation.

5.2 TERMS OF THE ENGAGEMENT


A proper engagement letter, documenting the terms of the engagement, should
be issued to ensure that all parties understand their responsibilities.
An illustrative engagement letter is included as an appendix to the ISRS.

5.3 PERFORMING THE ENGAGEMENT


The practitioner must comply with all relevant ethical principles.
Planning
The work must be properly planned to enable the practitioner to perform an
effective engagement.
Documentation
Procedures performed during the engagement should be properly docu-
mented in the working papers, to provide evidence that the engagement was
carried out in terms of the engagement and in accordance with the ISRS.
Compilation procedures
l The practitioner should:
• obtain a general understanding of the business and the entity;
• be familiar with the accounting principles and practices of the industry;
and
• be familiar with the appropriate format and contents of the financial
information in the industry.
l The practitioner is not required to:
• enquire about the completeness and reliability of the information
supplied by management;
• assess the internal controls; or
• substantiate any matters or explanations.

l If the practitioner becomes aware that information supplied by manage-
ment is incorrect, incomplete or otherwise unsatisfactory, the practitioner
should do the following:
• perform additional procedures which are normally not necessary; and
• request management to supply additional information. (If management
refuses to do so, the accountant must withdraw from the engagement.)
l The practitioner should read the compiled information and consider:
• the appropriateness of presentation; and
• whether or not the information appears to be free from material mis-
statement, for example:
– mistakes in the application of accounting policies;
– non-disclosure of accounting policies, departure from the policies;
or
– non-disclosure of any material items.
l The financial reporting framework and any departures therefrom must be
disclosed with the financial information.
l If the practitioner becomes aware of material misstatements, the following
procedures should be followed:
• request the client to adjust the matter; and
• if the client refuses to make the necessary adjustments, withdraw from
the engagement.
l A management representation letter should be obtained with specific
mention of:
• the accuracy and completeness of the financial information; and
• the completeness of disclosure of all relevant information.

5.4 REPORTING
Where any information has been compiled by a practitioner, a report must be
issued.
Reports on compilation engagements should contain the following:
l title;
l addressee;
l a statement that the engagement was performed in accordance with this
ISRS;
l a description of the responsibilities of management and those charged
with governance;
l identification of the financial information noting that it is based on informa-
tion provided by management;

l identification of the financial information, including the title of each element
of the financial information if it comprises more than one element, and the
date of the financial information or the period to which it relates;
l a description of the practitioner’s responsibilities in compiling the financial
information;
l a description of what the compilation engagement entails in accordance
with the ISRS;
l explanations that:
• since a compilation engagement is not an assurance engagement, the
practitioner is not required to verify the accuracy or completeness of
the information provided by management for the compilation; and
• the practitioner does not therefore express an audit opinion or a review
conclusion on whether or not the financial statements are prepared in
terms of the applicable financial reporting framework.
l it may also be appropriate for the practitioner to refer to the special pur-
pose for which or party for whom the information has been prepared, or for
the practitioner to add a caution designed to ensure that the report is not
used for purposes other than those intended;
l a paragraph, where necessary, drawing attention to any material depar-
tures from the applicable financial reporting framework;
l date;
l practitioner’s address;
l practitioner’s signature.

6. PROFIT FORECASTS
Whilst reporting on profit forecasts falls within the ambit of ISAE 3400, “The exam-
ination of prospective financial information” (section 7 of this chapter), the follow-
ing information is relevant.
This section should be read in conjunction with section 7 on prospective financial
information.

6.1 BACKGROUND
A profit forecast is an estimate of future financial results of an entity and is
based on assumptions that imply conditions that will exist in the future. Profit
forecasts are usually prepared for specific purposes, namely:
l to obtain new share capital;
l on application for a stock exchange listing;

l to obtain financing; and
l for reporting to shareholders.
L Periods covered by profit forecasts
Profit forecasts may be for:
• past accounting periods for which audited financial statements have
not yet been prepared;
• current financial periods; and/or
• future accounting periods.
L Format of profit forecasts
Profit forecasts are usually, but not necessarily, expressed in financial
terms. Certain terminology (although amounts are not mentioned) may
constitute a profit forecast, for example “profits will be higher than those of
the previous year”. If terminology used implies a probable profit, or places
an estimate on such profits, this serves as a profit forecast.
L Responsibility for profit forecasts
The directors are solely responsible for the profit forecasts and the under-
lying assumptions.
L Role of the reporting accountant
• The reporting accountant is responsible for the inspection of the profit
forecast in terms of:
– the accounting accuracy;
– the accounting principles applied;
– the preparation thereof in terms of the directors’ assumptions; and
– the reasonability of the assumptions.
• An auditor’s name should not be attached to a forecast of future earn-
ings in a manner indicating the assumption of responsibility for the
accuracy and attainment thereof. An auditor can only evaluate the rea-
sonableness of assumptions and the preparation of a reasonable fore-
cast in terms of the accounting principles and the policies applied.

6.2 CRITICAL ASPECTS THAT THE REPORTING ACCOUNTANT MUST CONSIDER BEFORE ACCEPTING THE ENGAGEMENT
The reporting accountant must consider:
l the nature of the entity’s forecasting procedures;
l the reliability of prior forecasts;
l the period covered by the forecast (usually this should not exceed the
current accounting period, or a maximum of one year after year end);

l whether or not the nature of the entity’s business makes forecasts possible
(e.g. profits may be inconsistent);
l the date by which the report is required, as the reporting accountant must
have sufficient time to perform the work; and
l management’s integrity.

6.3 OBJECTIVES OF A REVIEW OF A PROFIT FORECAST


Procedures should be performed to determine whether or not:
l the profit forecast was properly prepared based on the assumptions;
l the assumptions provide a reasonable basis for the preparation of the
profit forecast;
l the forecast has been prepared in accordance with the accounting pol-
icies usually applied (if accounting policies have been changed, this must
be disclosed); and
l the calculations performed during the preparation of the profit forecast are
accurate.

6.4 PERFORMING THE ENGAGEMENT


The responsibilities of the reporting accountant and the directors must be
confirmed in an engagement letter. This should specifically state that:
l the directors are solely responsible for the profit forecasts and the under-
lying assumptions;
l the reporting accountant is responsible for the investigation of the profit
forecast in terms of:
• accounting accuracy;
• the application of accounting principles; and
• preparation in terms of the directors’ assumptions.

6.5 PERFORMING THE ENGAGEMENT


L General procedures
The following general principles should be applied during the review of the
profit forecast:
• The investigation must be performed under the supervision of persons
who have the necessary technical training and competence.
• Independence must be maintained.
• Due professional care should be applied.
• Work must be planned, with proper staff supervision.
• The processes used for preparation of the profit forecasts should be
understood.
• Sufficient evidence to substantiate the report should be obtained.

• Objectivity must be maintained.
• Proper documentation of work done, procedures performed and infor-
mation obtained should be maintained.
L Specific procedures
The reporting accountant should perform procedures on the following
matters:
• the nature and background of the entity’s business:
– audit procedures should be performed to obtain an understanding
of the business (e.g. enquiries, media, audit working papers);
• the accounting policies usually applied in the financial statements;
• the assumptions underlying the profit forecast:
– document the assumptions in the audit working papers;
– examine the reasonableness of the assumptions through audit
procedures:
* enquiries of management/experts/outside parties;
* examinations of documentation such as contracts, etc.;
* confirmations from outside parties and experts;
* observation of the condition of assets; and
* analytical review procedures.
• the procedures used by the entity to prepare the profit forecast:
– enquiry and examination of documentation;
– checking of calculations; and
– checking of approval by management.
• the accuracy of any actual results included in the profit forecast:
– compare to actual results per the:
* audited financial statements;
* unaudited financial statements;
* interim financial statements;
* management accounts and monthly reports; and
* budgets.

7. THE EXAMINATION OF PROSPECTIVE FINANCIAL INFORMATION


SOURCE REFERENCE: ISAE 3400 “The examination of prospective
financial information”
Prospective financial information means financial information based on assump-
tions about events that may occur in the future and possible actions by an entity.

Prospective financial information can include financial statements or one or more
elements of financial statements, and may be prepared:
l as an integrated management tool, for example to assist in evaluating a
possible capital investment; or
l for distribution to third parties in, for example:
• a prospectus to provide potential investors with information about future
expectations;
• an annual report to provide information to shareholders, regulatory bodies
and other interested parties; and
• a document for the information of lenders which may include, for example,
cash flow forecasts.
Prospective information therefore relates to events and actions that have not yet
occurred and may not occur. The auditor is therefore not in a position to express
an opinion on whether or not the results shown in the prospective financial infor-
mation will be achieved.
The auditor must obtain sufficient acceptable evidence that:
l management’s best-estimate assumptions on which the prospective financial
information is based are not unreasonable and, in the case of hypothetical
assumptions, that such assumptions are consistent with the purpose of the
information;
l the prospective financial information is properly prepared on the basis of the
assumptions;
l the prospective financial information is properly presented and all material
assumptions are adequately disclosed, including a clear indication as to
whether they are best-estimate assumptions or hypothetical assumptions;
and
l the prospective financial information is prepared on a consistent basis with
historical financial statements, using appropriate accounting principles.
Given the types of evidence available regarding the above, the auditor will not be
in a position to obtain a level of assurance sufficient to provide a positive expres-
sion of opinion that the assumptions are free from material misstatements. Only a
moderate level of assurance is therefore provided.

7.1 ACCEPTANCE OF THE ENGAGEMENT


Before accepting an engagement, the auditor should consider the following:
l the intended use of the information;
l whether the information will be for general or limited distribution;
l the nature of the assumptions, that is, whether they are best-estimate or
hypothetical assumptions;
l the elements to be included in the information; and
l the period covered by the information.

An engagement should not be accepted where the assumptions are clearly
unrealistic or where it is clear that the financial information will be inappropriate
for its intended use.

7.2 KNOWLEDGE OF THE BUSINESS


A level of knowledge should be obtained that is sufficient to evaluate whether
or not all significant assumptions have been identified.
The auditor should also consider the entity’s process for preparing prospective
financial information. The following should be considered:
l the internal controls over the process and the experience of the persons
preparing the prospective financial information;
l the nature of the documentation supporting the assumptions;
l the extent to which statistical, mathematical and computer-assisted tech-
niques are used;
l the methods used to develop and apply assumptions; and
l the accuracy of prospective financial information prepared in prior periods
and the reasons for significant variances.

7.3 PERIOD COVERED


Assumptions become more speculative as the length of the period increases,
mainly because the length of time decreases management’s ability to make
best-estimate assumptions.
The period covered by the prospective financial information is therefore import-
ant and should be considered by the auditor.

7.4 PROCEDURES
The following will impact on the nature, timing and extent of the procedures to
be performed by the auditor:
l the likelihood of material misstatement;
l the knowledge obtained during any previous engagements;
l management’s competence regarding the preparation of prospective finan-
cial information;
l the extent to which prospective financial information is affected by manage-
ment’s judgement; and
l the adequacy and reliability of the underlying data.
The auditor should also obtain written representations from management
regarding the intended use of the prospective financial information, the com-
pleteness of the assumptions and acceptance of management’s responsibility.

7.5 REPORTING
The auditor’s report should specifically state the following:
l that the examination has been performed in accordance with this ISAE;
l where applicable, a reference to the purpose and/or restricted distribution
of the information;
l a statement of negative assurance as to whether or not the assumptions
provide a reasonable basis for the prospective financial information;
l an opinion as to whether or not the prospective financial information is
properly prepared on the basis of the assumptions and is presented in
accordance with the relevant financial reporting framework; and
l appropriate caveats concerning the achievability of the results indicated
by the information.

8. ASSURANCE ENGAGEMENTS TO REPORT ON THE COMPILATION OF PRO FORMA FINANCIAL INFORMATION INCLUDED IN A PROSPECTUS
SOURCE REFERENCE: ISAE 3420 “Assurance engagements to report on
the compilation of pro forma financial
information included in a prospectus”

8.1 INTRODUCTION
This standard deals with reasonable assurance engagements undertaken by a
practitioner to report on pro forma financial information included in a prospectus.
The purpose of pro forma information included in a prospectus is solely to
illustrate the impact of a significant event or transaction on unadjusted financial
statements as if the event or transaction had taken place at an earlier date. Pro
forma financial information therefore does not represent the actual picture.

8.2 ENGAGEMENT ACCEPTANCE


Before accepting an engagement the practitioner should:
l consider the competence and resources required to perform the engage-
ment;
l determine the suitability of the applicable criteria;
l evaluate the wording of the opinion prescribed by the relevant law or
regulation;
l consider whether or not the relevant law or regulation permits references to
a modified opinion on the financial statements, where applicable;
l consider whether or not it is possible to obtain sufficient understanding of
the entity and its accounting and financial reporting practices in cases
where the entity’s financial information has never been audited; and
l obtain an agreement with the responsible party that it acknowledges and
understands its responsibilities.

8.3 PLANNING AND PERFORMING THE ENGAGEMENT


The practitioner should determine whether or not the applicable criteria are
suitable, and as a minimum should determine:
l that the unadjusted pro forma financial information was extracted from a
reliable source;
l that any adjustments are:
• directly attributable to specific events or transactions;
• factually supportable; and
• consistent with the entity’s applicable financial reporting framework
and accounting policies;
l whether or not the applicable criteria are consistent with applicable legis-
lation and unlikely to be misleading.
Materiality should be considered when planning and performing the engage-
ment.
The practitioner should also:
l obtain evidence about the appropriateness of the source from which the
unadjusted financial information has been extracted;
l obtain evidence about the appropriateness of the pro forma adjustments;
l obtain evidence about the calculations within the pro forma financial
information; and
l evaluate the presentation of the pro forma financial information.

8.4 THE REPORT


An illustrative report is included as an appendix to the ISAE.
The practitioner should form an opinion on whether or not the pro forma finan-
cial information has been compiled, in all material respects, by the responsible
party on the basis of the applicable criteria.
The report should include the following basic elements:
l a title clearly indicating that it is an independent report;
l an addressee as agreed in the terms of the engagement;
l introductory paragraphs identifying:
• the pro forma financial information;
• the source of the information;
• the period covered; and
• the relevant criteria.
l a description of the practitioner’s responsibilities;
l a statement that the engagement was performed in accordance with
ISAE 3420;
l the conclusion;

l the practitioner’s signature;
l the date of the report; and
l the location in the jurisdiction in which the practitioner practices.

9. GIVING SECOND OPINIONS


A second auditor may be required to give a second opinion on an
accounting matter being considered by the entity’s current auditor.
In this context:
● the current auditor is the auditor currently responsible for the audit of the
entity; and
● the second auditor is any other auditor expressing an opinion on the
application of accounting principles to a particular transaction(s).
This could also apply to giving second opinions in other circumstances, for
example the application of tax laws.
The following principles apply when giving second opinions:
● General opinions (relative to hypothetical situations and not a specific entity
or circumstances) should be avoided.
● Opinions should be in writing and should indicate that they only pertain to the
specific situation.
● Second auditors should be sensitive to the risks associated with giving
second opinions:
• Facts supplied to the second auditor could be different from those
provided to the current auditor.
• The second auditor might not be made aware of all relevant facts.
● The provision of second opinions could be a threat to the independence of
the second auditor or could be seen as criticism of a professional colleague.
Thus, whilst it would be appropriate to give a second opinion on a technical
issue, registered auditors should not give second opinions:
• regarding opinions expressed on financial statements; or
• on the application of auditing standards.
The auditor’s written report should include the following:
● a brief description of the nature of the engagement;
● identification of the client;
● a statement of the relevant facts, circumstances, assumptions and sources of
the information;
● a description of the appropriate accounting standards;
● a statement that responsibility for proper accounting treatment rests with
management;
● a statement that any change in facts, circumstances and assumptions may
change the opinion; and
● a separate paragraph at the end of the report, indicating that:
• the report is intended solely for the information and use of the specified
parties;
• an identification of the specified parties to whom use is restricted; and
• a statement that the report should not be used by anyone other than the
intended users.

17
AUDITING OF ACCOUNTING ISSUES WITH SUPPLEMENT CONCERNING DERIVATIVE FINANCIAL INSTRUMENTS

Auditing Accounting Issues

1. Introduction
2. Audit risk related to estimation uncertainty
3. Specific risks
4. Audit responses to risk
5. Examples of estimation uncertainty
6. Specific audit responses to individual accounting estimates

Supplement – Derivative Financial Instruments

1. Introduction – Auditing derivative financial instruments
2. Definition and types of derivative
3. Risks to the enterprise
4. Accounting treatment
5. Responsibilities
6. General controls
7. Flow of information and documents
8. Audit considerations
8.1 Engagement activities
8.2 Planning
8.3 Obtaining audit evidence
8.4 Evaluating and concluding
8.5 Reporting to those charged with governance
9. Examples of audit procedures

AUDITING ACCOUNTING ISSUES


SOURCE REFERENCES: ISA 540 “Auditing Accounting Estimates and Related
Disclosures”
ISA 540 refers to ISAs 315, 330, 500 and 501 and sets:
● higher expectations for risk assessment;
● more detailed expectations for audit responses to identified risks.
ISA 540 also strongly emphasises:
● quality control and the application of due care and skill (ISQC 1 and ISA 220);
● audit documentation (ISA 230);
● the use of specialists (ISA 620).

1. INTRODUCTION
This chapter includes a supplement which is different to most other chapters in
that it deals with one specific class of balance, derivative financial instruments,
and the related flows of transactions. The supplement does, however, follow the
auditing principles set out in previous chapters and, by so doing, serves as an
illustration of the application of auditing principles in an area where the effect of
accounting principles is significant.
The majority of financial statement audits in South Africa relate to the statutory
audit of companies in terms of the Companies Act.
The audit reports on these engagements typically state that the financial
statements present fairly, in all material respects, the financial position of
the company, its financial performance and its cash flows, prepared in terms of
IFRS (companies that use IFRS for SMMEs are less likely to be investing in
complex financial instruments).
Auditors of such enterprises need a thorough knowledge of financial reporting
and the relevant IFRS standards in order to enable them to express an opinion on
the financial statements.
Our readers should already be thoroughly familiar with IFRS through their studies
in financial reporting.
A significant audit risk, at the overall financial statement level, would be that
aspects of the financial statements do not comply with IFRS. This, in turn, leads to
specific risks.

2. AUDIT RISK RELATED TO ESTIMATION UNCERTAINTY


As is apparent from the overview of specific risks set out below, one of the most
significant risks facing auditors is the risk of uncertainty related to accounting
estimates. This risk flows from various factors including:
● the complexity of many estimates;
● the need for management to make assumptions and use judgment;
● possible management bias.
Risk assessment procedures would include understanding:
● the related financial reporting and regulatory requirements;
● the nature of expected accounting estimates;
● how management identifies transactions and balances that give rise to
estimates;
● how management makes accounting estimates – their methods, selection of
assumptions and data, and their use of specialised skills;
● how the risk of management bias is managed/mitigated;
● what steps management have taken to reduce estimation uncertainty;
● how management has addressed any need for changes in bases of
estimation compared to previous years;
● internal controls related to the estimates.

3. SPECIFIC RISKS
It is not the purpose of this chapter to cover risks, responses and procedures in
any detail as these topics are covered in chapters 7 (Audit evidence),
8 (Engagement and planning activities), 12 (The auditor and internal control) and
13 (Substantive procedures). This section focuses only on risks that arise from
compliance with IFRS and outlines responses to those risks. The supplement then
focuses on derivatives in more detail.
Specific risks include:
● Recognition:
The risk that the client recognises assets or liabilities that do not meet the
recognition criteria per IFRS or fails to recognise assets or liabilities that do.
Assertions affected:
Existence, occurrence, rights and obligations and, separately, completeness.
● Measurement:
Initial measurement is generally less of an issue but subsequent measurement
often requires complex accounting estimates to determine fair values.
Measurement can, however, be an issue where there are complexities in
determining original cost or amortised cost.
There are also subsequent measurement issues related to the:
• determination of fair values;
• determination of useful lives and residual values in the case of property,
plant and equipment, and intangible assets;
• determination of recoverable amounts in the case of impairment.
Assertions affected:
Classification, accuracy, valuation, allocation.
● Presentation and disclosure:
The risk that information is not properly presented and disclosed in terms of
IFRS.
● Tax implications:
The risk that tax and deferred tax are not properly dealt with where tax and
accounting values of an item are likely to differ.
Assertions affected:
All assertions concerning tax and deferred tax.

4. AUDIT RESPONSES TO RISK


Audit responses would depend on the auditor’s assessment of the level of
inherent risk at the individual balance and assertion level. A matter emphasised
in ISA 540 is that the reasons for the inherent risk assessments must be
documented and reacted to.
At an overall level, encompassing all balances and assertions, responses would
involve assessing management’s policies, procedures, and controls, where
applicable, for the recording and reporting of transactions and balances, and
would include the assessment of the control environment and management’s
integrity and competence.
Testing controls
Where an enterprise performs regular accounting estimates on an ongoing basis,
controls are likely to exist over these activities and the auditor may be able to
evaluate and test controls over the estimates. Possible examples include:
● financial service enterprises which perform regular fair value assessments of
financial instruments. This is dealt with in more detail in the supplement to
this chapter concerning derivatives;
● retail enterprises which perform regular assessments of inventory
obsolescence;
● enterprises engaged in long term contracts and which perform regular
assessments of the outcomes of those contracts.
Controls are likely to focus on checking and approving the estimates, and
management supervision and review.
Substantive procedures at the assertion level
Where inherent risk is not low, the auditor would need to perform detailed
substantive procedures to obtain sufficient audit evidence. Examples include:
● reviewing events up to the date of the audit report;
● testing management’s estimates and the underlying data;
● developing audit estimates or ranges of estimates.


Where the above procedures do not provide sufficient evidence, or where the
assessed risk is high, possible additional audit responses, at the assertion level,
are set out below.
● Recognition (existence, occurrence, rights and obligations assertions):
Audit evidence relating to these assertions can generally be obtained by
confirmation and the inspection of documents such as contracts, supporting
documents and invoices.
● Recognition (completeness assertion):
Audit evidence can generally be obtained through confirmations, inspection
of underlying records and documents, enquiry and analytical review.
● Measurement (classification and accuracy assertions):
Audit evidence concerning initial measurement is generally obtained from
tests of transactions and underlying records.
● Measurement (valuation and allocation assertions):
• Where there are complexities in determining original measurement or
amortised cost, audit evidence could be obtained through inspection of
documents and reperformance/recalculation.
• Where fair values and other accounting estimates are involved, the auditor
should perform specific procedures related to those accounting estimates.
This is dealt with later in the supplement.
• Management’s assessments of the residual values and useful lives of
physical assets, such as property, plant, equipment and vehicles, can
often be evaluated against market values, trade journals and past trends
(analytical review). The auditor could also use the services of a specialist
(ISA 620).
Past trends could also apply to intangibles such as software, websites
and product development.
• In the case of impairment, value on sale and costs to sell can often be
evaluated as above. However, value in use typically requires a projection
of future benefits – an accounting estimate.
● Presentation and disclosure assertions:
The auditor usually checks presentation and disclosure in detail.
The auditor’s familiarity with the Conceptual Framework, IAS 1 and relevant
individual standards will enable meaningful assessment of the accounting
issues.
Note the importance of disclosing significant accounting estimates and the
bases on which these estimates were determined.
● Tax implications:
Audit evidence can be obtained through the involvement of tax specialists
and analysing and reperforming the current and deferred tax calculations for
compliance with relevant tax legislation.
The auditor would check the adjustments to the income tax computation and
the workings concerning deferred taxation.
Where deferred tax assets are recognised, the auditor would need to evaluate
the directors’ assessment of the estimated manner in which timing differences
are expected to be realised by comparing this to evidence obtained
for other areas of the audit, including cash flow forecasts, business plans,
minutes of directors’ meetings and knowledge of the business.

5. EXAMPLES OF ESTIMATION UNCERTAINTY


Examples of situations where accounting estimates apply are set out below.
What is apparent from these examples is that many, if not most, rely on financial
models incorporating projections of future outcomes and cash flows.
● Share-based payments (IFRS 2) – The estimation of the fair values of shares
and share options.
Also, possibly the fair value of goods or services exchanged for shares.
● Business combinations (IFRS 3) – Determining the fair value of assets,
liabilities, contingencies and commitments acquired in a business combination,
including goodwill and other intangible assets.
● Financial instruments (IFRS 9), including complex financial instruments that
are not traded in an active market – Determining fair values.
● Expected credit losses (IFRS 9) – IFRS 9 creates more complexity in the
accounting estimates underpinning the impairment of receivables, particularly
concerning concepts such as probability of default and loss given
default.
● Revenue from contracts (IFRS 15) – The estimation of the separate amounts
allocated to each performance allocation and the period over which each
price allocation is recognised.
Estimation of the outcome of long-term contracts.
● Inventory obsolescence (IAS 2) – Determining net realisable value in the light
of market trends.
● Measurement of inventory cost (IAS 2) – Issues could arise concerning the
identification of costs to be included in inventories, estimates of capacity,
assumptions concerning how overheads are allocated and the treatment of
variances.
● Deferred tax assets (IAS 12) – Determining the probable future utilisation of
deferred tax assets.
● Depreciation method (IAS 16) – Determining useful lives and residual values.
● Employee pension liabilities (IAS 19) – Determining values of pension assets
and commitments.
● Impaired assets (IAS 36) – Determining value in use.
● Provisions (IAS 37) – Determining probable losses, for example warranty
obligations, provisions related to decommissioning funds or estimated costs
arising from litigation settlements and judgments.
● Investment Property (IAS 40) – Determining fair value.

6. SPECIFIC AUDIT RESPONSES TO INDIVIDUAL ACCOUNTING ESTIMATES


As each accounting estimate is unique, it is not possible to describe audit
responses for every eventuality.
Most accounting estimates, however, involve future projections and discounting
thereof. In these cases, the following responses are common at a high level:
● Assessing whether or not management has appropriate processes for
determining the assumptions.
● Assessing the competence, capabilities and objectivity of management’s
experts and verifying their qualifications.
● Obtaining input from independent specialists (ISA 620).
● Assessing the appropriateness of management’s financial models/future
cash flows, including anticipated growth rates.
● Testing key data inputs, both observable and unobservable, into financial
models and the reasonableness of the ranges attributed to the sensitivity of
the inputs.
● Observable inputs could be tested by relatively straightforward audit
procedures of confirmation, inspection and reperformance.
Unobservable inputs are more likely to require specialist expertise.
● Considering the relevance and reliability of the data.
● Evaluating the assumptions and estimates applied.
● Reviewing the appropriateness and reasonableness of significant
assumptions, including discount rates.
● Performing sensitivity analyses on the significant assumptions to evaluate the
extent of their impact on fair values.
● Assessing discount rates used by benchmarking these against independent
data.
● Evaluating the results of procedures against audit procedures on other key
balances to assess whether or not there is any indication of bias.
● Performing analytical reviews and assessing whether or not the estimates are
within a reasonable range of possible outcomes.
● Recalculating the estimates, including recalculation of present values.
● Checking the accounting issues and related disclosures including the
accounting policy notes on the determination of fair values.
● Obtaining detailed representations from management concerning specific
assumptions and the reasonableness and sensitivity of projections.


SUPPLEMENT – DERIVATIVE FINANCIAL INSTRUMENTS

SOURCE REFERENCES: ISA 501: Audit Evidence – Specific Considerations for
Selected Items
IAPN 1000: “Special considerations in auditing Financial Instruments”

1. INTRODUCTION – AUDITING DERIVATIVE FINANCIAL INSTRUMENTS


Financial instruments may be in cash, equity, contractual rights or obligations,
contracts settled in equity instruments, contracts on non-financial items, or certain
contracts issued by insurers. This encompasses a wide range of financial
instruments ranging from simple loans, receivables, payables and deposits to
complex derivatives, structured products, and commodity contracts.
This supplement deals specifically with derivative financial instruments as these
are typically recognised and disclosed at fair value, although the text concerning
areas other than measurement and valuation applies equally to instruments
measured at fair value or amortised cost. This supplement does not, however,
deal with instruments such as cash, simple loans, trade receivables and
payables or equity investments. Insurance contracts are a specialised area and
are thus also excluded.
The term “derivatives” is a generic term used to categorise a wide variety of
financial instruments whose value “depends on” or is “derived from” an
underlying rate or price, such as an interest rate, exchange rate, equity price, or
commodity price.
The use of derivative financial instruments by companies, government entities,
institutional investors and financial institutions is becoming more commonplace.
The instruments themselves are becoming increasingly complex and accounting
requirements are expanding and requiring users of derivatives to provide fair
value and other information about these activities in their financial statements.
The primary objectives of derivative activities are to manage current or
anticipated financial or related risks arising from day-to-day transactions and,
thereby, to manage the enterprise’s financial position and results of operations
(operational risk management).
For many entities, the use of derivatives has reduced exposures to changes in
exchange rates, interest rates and commodity prices, as well as other risks. Many
entities also use derivatives to manage pricing and market risks directly related to
the production or use of a commodity or product.
This is referred to as “hedging”, which involves using financial instruments (the
“hedging instruments”) to offset fluctuations in the fair values of items that affect
future cash flows (“hedged items”).
The inherent characteristics of derivative activities or derivative financial
instruments may result in increased business risk, increased audit risk, and new
challenges to the auditor. Values of derivatives may be volatile, and management
may not fully understand the risks arising from using derivatives.
The purpose of this supplement is to provide guidance in auditing derivative
financial instruments. This supplement deals with aspects and considerations that
could affect the audit process and procedures to be performed in respect of the
financial statement assertions affected by derivatives.
The supplement also provides a realistic example of the application of auditing
principles to a single balance and flow of transactions.

2. DEFINITION AND TYPES OF DERIVATIVE


This section is deliberately kept at a simple level because readers will have
studied derivatives and the related terminology as part of their studies in
Financial Reporting and Financial Management.
● A derivative is a financial instrument:
• whose value changes in response to variations in a specified interest rate,
security price, commodity price, foreign exchange rate, index of prices or
rates, a credit rating or credit index, or similar variable;
• that requires either no initial net investment or a limited initial net
investment relative to other types of contract that have a similar response to
market conditions;
• that is settled or to be settled at a future date.
● Derivative contracts are entered into between an enterprise and a third party,
referred to as “the counterparty”.
● Derivatives can be bought or sold in two ways.
Over-the-counter (OTC) derivatives: Contracts made privately between
parties such as swap agreements.
This market is the larger of the two markets and, because these contracts are
made privately between the parties and are unregulated, there is significant
risk related to determining fair values and assessing the possibility of default
on the part of the counterparty.
Exchange-traded derivatives: Standardised derivative contracts transacted
on an organised exchange such as the South African Futures Exchange
(SAFEX). Because these are settled through a clearing house, they are less
subject to default risk and fair values are generally aligned to market value.
Derivatives are typically used for:
● Risk management: “Physical derivatives” act as hedges where, typically,
the derivatives track various market prices or indices whilst the enterprise is
trading in the underlying products or holding the underlying market securities
in portfolios.
● Speculation (“trading”): The enterprise might use “synthetic derivatives” in
seeking to benefit, in the short term, from anticipated market movements.
Whilst significant returns can be achieved, the exposure to potential loss is
much more significant.
● Investment: Derivatives are held for long term gain.
The importance of the above distinction is in the concept that risk management is
a prudent aspect of operations, whereas speculation and investment attract risk.
Common types of derivatives include options, forward contracts, futures, swaps,
collars, floors, caps, forward cover, credit default swaps and swaptions
(combinations of swaps and options) and embedded derivatives.
Complex derivatives may have a combination of the characteristics of some or all
of these.

3. RISKS TO THE ENTERPRISE


Derivatives often possess features that create specific risks to the enterprise.
These risks, in turn, affect the audit. Examples include:
● Management and those charged with governance might lack:
• an understanding of the risks of using derivatives;
• sufficient skills and experience to manage those risks;
• the expertise to value derivatives appropriately.
Management’s failure to fully understand the risks would have a direct effect on
their ability to manage these risks, and could even threaten the financial viability
of the enterprise.
● The enterprise might lack sufficient controls over derivatives.
● The enterprise might hedge or speculate inappropriately.
● Cash flows may be minimal until maturity.
● There is no principal balance and no fixed regular amounts are paid or
received.
● Both risks and rewards can be substantially greater than the initial outlay.
● The fair value of assets or liabilities arising from derivatives may considerably
exceed the amounts initially recognised in the accounting records.
● To this should be added the risks related to “contagion”. The term
“contagion” refers to a “domino effect”, where a failure in one sector of a market
or an economy can lead to a broader market failure.
Specific risks
● Off-balance-sheet risk: Many derivatives are subject to the risk that losses
might exceed the amount recognised in the financial statements.
● Market risk: The risk of losses arising as a result of adverse changes in the
fair value of the financial instruments. This is affected by price risk, which, in
turn, is affected by:
• Interest rate risk: The risk of an adverse effect on financial instruments
because of interest rate changes – funds borrowed at a floating rate
would expose the enterprise to any rise in rates.
• Foreign exchange risk: Risk of losses because of foreign exchange rate
changes – impacts on future cash flows.
● Liquidity/solvency risk (going concern risk): Risk of the enterprise not
having sufficient funds to honour cash outflows or commitments.
● Influence of economic factors: These, combined with the business purpose
of derivative activities, may influence the enterprise’s decision to buy,
sell or hold derivatives.
● Hedging risk: Derivatives classified as hedges are subject to the risk that
market conditions will change to the extent that the hedge is no longer
effective.
● Credit risk (counterparty risk): Risk of default by counterparties. Risk is
increased where declining industries or economies are involved.
● Legal risk: Risk that non-compliance with laws and regulations could
invalidate a contract.
● Settlement risk: Risk that one side of a transaction must be settled before
other related exchanges require settlement.
● Speculative investing in derivatives is associated with higher risk than
activities related to day-to-day operations.
● Fair value risk: Determining fair values can be particularly difficult, especially
where an over-the-counter transaction has been customised to meet parties’
needs. Whilst the fair values of listed derivatives can be determined from
“observable inputs”, such as the financial press and independent brokers
and dealers, determining the fair values of derivatives that are not traded
(“inactive markets”) or not traded regularly (“not liquid”) requires valuation
models. The risk is that fair value is not determined correctly because of
“model risk” relating to the appropriateness of the underlying assumptions
(“unobservable inputs”) and the inherent imperfections and subjectivity of models.
Determining fair values might involve the use of third-party pricing sources or
valuation specialists.
● Cross-border risk: Valuation risk increases where derivatives are traded in
cross-border contracts because of different exchange rates, differing laws
and regulations and differing economic conditions.
● Completeness risk: Where derivatives do not involve cash flows at
inception, or have irregular or end of contract cash flows, there is an increased
risk that such contracts will not be identified, or will be only partially identified
and recorded in the financial statements, thus increasing the risk related to the
completeness of financial information.
● Completeness risk related to embedded derivatives: Management may be
less likely to identify embedded derivatives (contracts where the derivative is
an embedded feature of an agreement).
● Complex financial instrument risk: Risk of not properly understanding the
risks, technical issues, exposures and complex accounting issues associated
with dealing in financial instruments.
● Experience risk: Risk related to possible lack of relevant experience within
the enterprise.
● External risk: Risk related to external factors such as declining industries.
● Taxation treatment risk: Taxation of derivatives is complex and could lead
to errors in calculations.
● Reputational risk: Loss of public confidence as a result of adverse publicity
involving the company’s derivatives trading (e.g. insider trading by dealers).
● Securities lending risk: This risk affects “physical derivatives” where,
although the derivative investments are underpinned by investments in “real”
securities, these securities are “lent” to other financial institutions in return for
a “rental” which is used to boost the profits of the investors in the derivatives.
This can create severe counterparty and liquidity risks because of the length
of time required to unwind positions in the underlying markets.
Operational risk
As complexity increases, there is additional risk related to the specific processing
required for derivatives. Specific risks might relate to:
l The control environment might be weak because management does not
understand, or is unclear about, the activities of the treasury function.
l Derivatives not being adequately addressed by the enterprise’s risk man-
agement policies and procedures.
l Losses resulting from inadequate or failed internal processes and systems,
or from external events.
l Fraud from both internal and external sources.
l The risk of fraud is particularly high where remuneration incentives depend
on performance.
l Incomplete or inaccurate recording of derivatives.
l Inappropriate documentation or insufficient monitoring.
l Transactions are incorrectly recorded or processed.
l Inadequate updating of valuation techniques and models used to measure
fair values.
l Undue reliance being placed by staff on the accuracy of valuation tech-
niques, without adequate review.
l Information technology – Entities often use sophisticated information tech-
nology systems to manage derivative activities, identify risks and exposures,
and provide support regarding decisions.
l Losses arising because of a lack of proper disaster recovery or contingency
plans.
l Failure of the system to monitor or control all exposures.
l Breach of board guidelines, exposing the company to risks.
l Unrecorded exposures because not all transactions and expenses are cap-
tured by the system.
l Unauthorised payments.
l Deals contracted at off market rates.
l Disputes with counterparties over contract terms.
l Situations where the accounting treatment of transactions is inconsistent with
the underlying substance.
l Failure to safeguard assets or protect the enterprise against claims.
Risks related to service organisations (ISA 402 and ISAE 3402)
Some entities use service organisations to manage derivative transactions or
maintain related records.
This may strengthen controls where a service provider has greater experience
with derivatives and may also allow for greater segregation of duties.
However, this may also increase risk, because of differences in control culture
and the fact that transactions are processed at some distance.
Specific risks relate to:
l how well the service organisation’s services are monitored;
l the integrity and confidentiality of the information;
l contingency arrangements;
l possible related party issues, where a service organisation may enter into its
own derivative transactions with the enterprise whilst also providing services
to the enterprise.

4. ACCOUNTING TREATMENT
This section is kept at a simple level because readers will have studied the relat-
ed accounting issues as part of their studies in Financial Reporting.
International Accounting Standards on Financial Instruments prescribe specific
accounting treatments and disclosures for financial instruments.
Accounting treatment
Depending on their accounting classification, financial instruments are recog-
nised at either amortised cost or fair value.
Accounting for derivatives may also depend on whether or not the derivative
forms part of a hedging relationship.
The decisions concerning accounting treatment are governed by the enterprise’s
model for management of financial instruments, the relevant contractual cash flow
characteristics and whether or not instruments are held to collect contractual
cash flows or for trading.
Measurement
Whilst amortised cost is comparatively straightforward, recognition or subsequent
measurement at fair value and the related determination and accounting treat-
ment of gains, losses and fair value adjustments may be complex. Complex
accounting estimates are usually needed to determine fair values.
Whilst simplistically, an enterprise would initially recognise most derivatives at
cost, there are circumstances where fair value at inception would differ from cost,
giving rise to a “day 1” gain or loss.

CHAPTER 17: Auditing of accounting issues with supplement concerning derivative financial instruments

Thereafter, the fair value of derivatives is likely to change daily leading to regular
subsequent measurement, regular restatements of fair value and recognition of
gains and losses in the current accounting period.
Impairment
Accounting standards provide an impairment model based on providing for
expected losses, significant increases in credit risk and the treatment of credit
impaired financial assets.
This is of less relevance to derivatives because these are usually subsequently
measured at fair value and the financial model used to determine the fair value of
a derivative asset should take account of credit risk.
Effect on the financial statements
As a result, the accounting treatment and methods used by the enterprise are
significant in their effect on the financial statements and the procedures to be
performed by the auditor.

5. RESPONSIBILITIES
The audit of financial statements does not relieve management and those charged
with governance of their responsibilities.
Management is responsible for preparing and presenting the enterprise’s finan-
cial statements.
Those charged with governance (persons entrusted with the supervision, control
and management functions of an enterprise) are responsible for the design and
implementation of internal controls to monitor risks and financial controls and pro-
vide reasonable assurance that the enterprise’s use of derivatives complies with
its risk management policies. They should also ensure that the enterprise com-
plies with relevant laws and regulations and that financial reporting of derivative
activities is reliable.
The auditor’s responsibility related to derivative financial instruments is to consider
whether or not management’s assertions related to derivatives result in fair
presentation and financial statements that are prepared in accordance with the
identified accounting framework.

6. GENERAL CONTROLS
Control environment
The control environment influences the tone of an enterprise and the control
consciousness of its people and is the foundation for all other components of
internal control. Part of the control environment is management’s attitude towards,
and awareness of, derivative activities, and it is the role of those charged with
governance to determine an appropriate attitude towards risk and monitor and
manage the enterprise’s exposures to specific risks. To effectively monitor and
manage exposure to risk, the enterprise implements a structure that:
l is appropriate and consistent with the enterprise’s attitude toward risk as
determined by those charged with governance;
l specifies the approval levels for the authorisation and purpose of trans-
actions;
l sets permitted approval levels that reflect the expertise of those involved in
derivative activities;
l sets appropriate limits for maximum allowable exposures – these levels may
vary depending on the counterparty or the type of risk;
l provides for independent monitoring of risks and control procedures;
l provides for independent timeous reporting of exposures, risks and the
results of derivative activities;
l establishes guidelines to ensure that derivative activities fulfill the enterprise’s
needs;
l provides clear rules concerning the allowable extent of participation in deriv-
ative markets.
The following elements of the control environment are particularly important in
relation to derivative activities:
l Direction from management, including policies and procedures that consider
the:
• level of management expertise;
• sophistication of the enterprise’s internal control and monitoring systems;
• asset/liability structure;
• capacity to maintain liquidity and absorb losses of capital;
• types of derivative that will meet management’s objectives;
• uses of derivatives that will meet management’s objectives, for example
whether derivatives may be used for speculative or hedging purposes.
l Ensuring that the concepts underpinning the general control environment
have been communicated to all responsible for derivative activities. Whilst an
enterprise may have a sound culture of governance and control, the com-
plexity of treasury or derivative activities may result in this culture not reach-
ing those directly responsible for derivative activities.
l Incentive compensation systems: Where incentive compensation systems
apply to staff involved in derivative transactions, proper guidelines, limits and
controls must be established to prohibit transactions inconsistent with the
overall objectives of the enterprise’s risk management strategy.
l Policies for the purchase, sale and holding of derivatives that are appropriate
and consistent with the enterprise’s attitude toward risk and the expertise of
those involved in derivative activities.
l Segregation of duties and the assignment of personnel.
l Risk control – The function responsible for reporting on and monitoring derivative
activities. Key responsibilities might include:
• setting and monitoring risk management policies;
• designing risk limit structures;
• developing disaster scenarios;
• subjecting open position portfolios to sensitivity analysis;
• conducting reviews of unusual movements in positions;
• reviewing and analysing new derivative products.
Where a separate risk control function does not exist, carrying out these
functions would be management’s responsibility.
l Where an enterprise uses sophisticated information technology systems to
manage derivative activities, IT security and control considerations must be
considered.
Given the risks, management may enforce a stricter control environment over
derivative activities than it does elsewhere within the enterprise.
Control objectives
Relevant control objectives include the following:
l Authorisation: Transactions are executed in accordance with approved
policies.
l Complete and accurate information: Information is recorded timeously and
is complete and accurate.
l Prevention and detection of errors: Misstatements are prevented or detect-
ed timeously.
l Monitoring: Activities are monitored on an ongoing basis.
l Valuation: Changes in value are appropriately accounted for and disclosed.
l Information processing: Controls over information processing and elec-
tronic funds transfers will help to ensure that derivative activities are correctly
reflected in the enterprise’s records.
The level of sophistication of an enterprise’s internal control will vary according to
the complexity of the derivatives, the related risks and the volume of transactions.
Basic general controls
l Segregation of duties between:
• deal initiation (front office);
• authorisation of limits, counterparties and management control (middle
office);
• processing, confirmation and valuation of open positions (back office);
• settlement (separate function).
l Management reviews:
• management involvement and review of all transactions;
• the use by management of artificial intelligence (AI) enabled software
would be a powerful tool to identify anomalies and unusual transactions.
l Staffing and organisation:
• training of all personnel involved in derivatives;
• recruitment policy and background checks on dealers, etc.;
• code of ethics communicated to all personnel and enforced by the enter-
prise;
• dealers to comply with policies and rules.
l Strong internal audit function which:
• reviews the treasury functions regularly;
• reviews the appropriateness of and compliance with policies and pro-
cedures;
• tests the treasury controls.
l Regular reconciliation of:
• open positions;
• accounts with counterparties;
• bank accounts.

7. FLOW OF INFORMATION AND DOCUMENTS


Entities with high volumes will probably have a dealing room (front office) where
there are specialist dealers and will separate the duties between dealers and the
back office. Dealers typically initiate contracts verbally per telephone or via elec-
tronic platforms. The back office checks the trades conducted.
Documents
l Dealing records: Terms, signatures, authorisation.
l Contracts: Type, period, terms, interest rate, fees.
l Settlement slips: Records of funds transfers.
l Position reports: Setting out details of open positions.
l Reconciliations: Bank reconciliations, clearing accounts, subsidiary ledgers
to general ledger.
l Exception reports: Access violations, exceeding of limits, terms, etc., dealing
with non authorised parties.
l Confirmations from third parties: Prices, interest rates, etc., from third
parties/stock exchanges.
The flow of information and related specific controls are set out in the tables
below.

Flow of information in a treasury department
Front office
l Dealers deal in derivatives
Middle office
l Management
l Control over systems, limits, counterparties, open position
l Reconciliations
Back office
l Confirmation and recording
l Internal control procedures
Settlement
l Receiving and payment office

Control over derivatives
Controls over front office (dealers)
l Dealing with authorised parties only
l All deals are recorded
l No cell phones/tablets/devices allowed to prevent insider trading
l No dealings for dealer’s own account (to prevent fraud)
l Access restricted to systems using passwords
l Access to front office physically restricted
l Expense limits set per type of instrument and counterparty, and authorisation
needed if exceeded
l Dealing records:
• sequentially numbered
• computerised for sequence check
• recording of terms
• signed by dealer
• authorised by senior management (middle office)
• date stamping of all dealing records
• where appropriate, comparative prices obtained from at least two
counterparties
• sensitivity/volatility analysis performed before entering into transactions
l Telephone calls voice recorded in case of any disputes

Controls over middle office (systems, management, reporting, valuation of open
positions)
l Management responsible for setting the following:
• limits per dealer
• authorised counterparties
• interest rate limits
• day limits per trader
l Access controls and security controls:
• systems set passwords and restrict access to systems, dealers, etc.
• firewalls
• exception reports produced by the system of any violations
l Authorisation and review by management of:
• daily transactions/audit trails
• exception reports of access violations, limits exceeded, etc.
l Changes to limits, authorised counterparties’ details, etc.
• authorised by senior management
• done under management control and reviewed
• formal approval of changes
• controlled numerically
• authorised by management
• reviewed after changes made by management
l Daily reconciliations of:
• bank accounts
• clearing and suspense accounts
• dealing reports to brokers/counterparty statements/confirmations
• dealing reports to general ledger accounts
• entity records to those of service providers
l Reconciliations reviewed daily by management and authorised
l Valuations of open positions:
• valuation models independently reviewed by management
• inputs to valuation models independently reviewed
• internal experts as objective as possible

Controls over back office (confirmation and recording)
All contract terms and conditions confirmed directly with the counterparty
Dealing records:
l signed by dealer
l authorised by back office official
l reconciled to external records such as confirmations, bank and
broker/counterparty statements
l use of artificial intelligence software to monitor transactions and report
anomalies
l sequentially numbered and recorded by the system
• report of missing numbers followed up by senior officials
• matching of dealing records with actual transactions recorded on the
ledger account
• report of unrecorded dealing records, follow up
l Where sequential records are not suitable for operations, recording of
dealers’ telephone conversations and computer records can be used for
follow up

Controls over settlement and receipts
l Access to systems restricted using passwords
l Disbursement of funds authorised only after checking of supporting
documentation
l Funds paid or transferred only to authorised parties
l Follow up of funds receivable.
l Receipt of money identified, recorded and matched to records
l Bank account and broker/counterparty reconciliations
l Proper security controls where electronic funds transfer is used
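The system-produced exception reports named in the controls above (missing dealing record numbers, non-authorised counterparties, limits exceeded, dealing records not matched to the ledger) can be sketched as follows. This is an added example, not part of the handbook; the record layout, dealer names, limits and ledger figures are constructed for illustration, and treating a dealer with no limit on file as having a zero limit is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class Deal:
    seq: int                      # system-assigned dealing record number
    dealer: str
    counterparty: str
    notional: Decimal
    authorised_by: Optional[str]  # None means no authorisation was recorded


def sequence_exceptions(deals):
    """Return (missing, duplicated) dealing record numbers."""
    seen, duplicated = set(), set()
    for d in deals:
        (duplicated if d.seq in seen else seen).add(d.seq)
    missing = sorted(set(range(min(seen), max(seen) + 1)) - seen) if seen else []
    return missing, sorted(duplicated)


def exception_report(deals, ledger, deal_limits, day_limits, authorised_counterparties):
    """Build one day's exception report; every list holds record numbers
    except day_limit_exceeded, which holds dealer names."""
    missing, duplicated = sequence_exceptions(deals)
    report = {
        "missing_numbers": missing,
        "duplicate_numbers": duplicated,
        "unauthorised_counterparty": [],
        "deal_limit_exceeded": [],
        "authorisation_missing_or_self": [],
        "not_in_ledger": [],
        "ledger_amount_differs": [],
    }
    day_totals = defaultdict(Decimal)
    for d in deals:
        day_totals[d.dealer] += d.notional
        if d.counterparty not in authorised_counterparties:
            report["unauthorised_counterparty"].append(d.seq)
        # Assumption: a dealer with no limit on file has a limit of zero.
        if d.notional > deal_limits.get(d.dealer, Decimal(0)):
            report["deal_limit_exceeded"].append(d.seq)
        # Segregation of duties: a dealer may not authorise their own deal.
        if d.authorised_by is None or d.authorised_by == d.dealer:
            report["authorisation_missing_or_self"].append(d.seq)
        if d.seq not in ledger:
            report["not_in_ledger"].append(d.seq)
        elif ledger[d.seq] != d.notional:
            report["ledger_amount_differs"].append(d.seq)
    report["day_limit_exceeded"] = sorted(
        dealer for dealer, total in day_totals.items()
        if total > day_limits.get(dealer, Decimal(0))
    )
    # Ledger postings that cannot be traced back to any dealing record.
    report["ledger_without_dealing_record"] = sorted(set(ledger) - {d.seq for d in deals})
    return report


# Constructed sample data for one dealing day.
AUTHORISED = {"Bank A", "Bank B"}
DEAL_LIMITS = {"dealer1": Decimal("5000000"), "dealer2": Decimal("2000000")}
DAY_LIMITS = {"dealer1": Decimal("8000000"), "dealer2": Decimal("5000000")}
DEALS = [
    Deal(1001, "dealer1", "Bank A", Decimal("4000000"), "mo_manager"),
    Deal(1002, "dealer2", "Bank B", Decimal("1500000"), "mo_manager"),
    Deal(1004, "dealer1", "Broker X", Decimal("4500000"), "mo_manager"),
    Deal(1005, "dealer2", "Bank A", Decimal("2500000"), "dealer2"),
    Deal(1006, "dealer1", "Bank B", Decimal("1000000"), None),
]
LEDGER = {
    1001: Decimal("4000000"),
    1002: Decimal("1500000"),
    1004: Decimal("4500000"),
    1005: Decimal("250000"),   # keyed with a digit dropped
    1007: Decimal("900000"),   # posting with no dealing record
}

if __name__ == "__main__":
    for name, items in exception_report(
        DEALS, LEDGER, DEAL_LIMITS, DAY_LIMITS, AUTHORISED
    ).items():
        print(f"{name}: {items}")
```

Each non-empty list is an item for follow-up by management or senior officials, and the auditor's test of control is to inspect evidence that the follow-up took place.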

8. AUDIT CONSIDERATIONS
8.1 ENGAGEMENT ACTIVITIES
Engagement conditions
An understanding should be established with the enterprise that the purpose of
the audit is to express an opinion on the financial statements and not to pro-
vide assurance on the adequacy of the enterprise’s risk management process-
es or its controls over derivative activities.
This understanding should be formalised in the engagement letter.
Competence and resources
The auditor should determine the competence and resources requirements for
the engagement.
Where a client is dealing in derivatives, skills and knowledge should be obtained
in respect of the:
l operating and risk profile of the industry in which the enterprise operates;
l derivative financial instruments used by the enterprise, and their charac-
teristics;
l enterprise’s information system for derivatives;
l methods for valuation of derivatives;
l requirements of the financial reporting framework for financial statement
assertions related to derivatives;
The requirement for specific competencies would result in the auditor:
• applying strong quality control practices and procedures, both at the
firm level (ISQC1) and at the engagement level (ISA 220);
• allocating a more senior level of staff to the engagement;
• exercising greater supervision over staff (ISA 220);
• using the work of internal audit where possible (ISA 610);
• using the work of specialists (ISA 620).

8.2 PLANNING
Understanding the enterprise and its environment
Factors affecting day-to-day operations would have an effect on the enter-
prise’s derivative activities because derivative activities often support these
business activities.
An understanding should be obtained of the following:
l General economic factors
• The general state of the economy.
• Interest and market rates, including the term structure of interest rates,
and the availability of finance.
• Inflation and currency revaluation.
• Foreign currency rates and exchange controls.
l The industry
• The price risk in the industry.
• Commodity prices.
• The market and competition.
• Cyclical or seasonal activity.
• Declining or expanding operations.
• Adverse conditions (e.g. declining demand, excess capacity and
serious price competition).
• Foreign currency transactions, translation and economic exposure.
l The enterprise
• Knowledge and experience of management and those charged with
governance.
• Integrity of management and staff.
• Availability of timely and reliable management information.
• Objectives for the use of derivatives (management of operational risks,
hedging or speculation).
l The enterprise’s use of derivatives
• The nature and purpose of the enterprise’s use of derivatives.
• The characteristics of markets relevant to the derivatives used by the
enterprise, including the liquidity or volatility of those markets.
• Management’s methodology for valuing derivatives.
Risk assessment procedures
Risk assessment procedures include enquiries of management, internal audit
and those charged with governance and would also involve analysis of finan-
cial information (analytical review), observation and inspection.
Where the use of derivatives is significant, the auditor would assess manage-
ment’s procedures to identify and manage risks. Aspects concerning risk are
dealt with in section 3 of this supplement.
The auditor should consider the understanding of the enterprise and the key
financial risks when assessing the components of audit risk.
The need for professional scepticism will increase owing to the complexity of
derivatives, particularly concerning the sufficiency and appropriateness of
audit evidence where estimates, specialists and financial models are used to
determine fair values, particularly where markets are illiquid.
Examples of specific audit risks are set out later in this supplement.
Fraud risk is likely to be significant.
l Accounting and internal control systems
The extent of an enterprise’s use of derivatives and the relative complexity
of the instruments are important determinants of the necessary level of
sophistication of both the enterprise’s accounting system and control proced-
ures.
l Accounting system
Derivatives may require complex and repetitive accounting entries.
The accounting system should be able to process these entries with
minimal manual intervention.
As the sophistication of the derivative activities increases, so should the
sophistication of the accounting system.
The auditor should remain alert to possible changes in the audit approach
where the accounting system lacks the appropriate level of sophistication.
l Control environment
The auditor should understand how the control environment for derivatives
responds to management’s assessment of risk.
The auditor would also consider the extent of the involvement of internal
audit.
The characteristics of a sound control environment are set out later in this
supplement.
l Internal controls
Internal controls over derivatives should prevent or detect issues that
hinder an enterprise from achieving its objectives.
These objectives may relate to operational issues, financial reporting or
compliance, and internal controls are necessary to prevent or detect
issues in each of these areas.
Fundamental internal controls over derivative activities are set out later in
this supplement.
Audit risk
Audit risk should be assessed at the assertion level.
l All assertions
Risk for all assertions is increased by the business risk factors set out in
section 3 of this supplement.
Inherent risk
Significant risks are likely to exist in the following areas:
l Existence and occurrence:
Transactions may lack appropriate authorisation.
There is also the possibility of fraudulent transactions.
l Rights and obligations:
Rights and obligations might not be clearly understood and accounted for.
l Completeness:
Exposures resulting from derivative transactions could be omitted from the
financial statements.
Fraud risk is increased owing to the possibility of concealment of obliga-
tions.
l Valuation and allocation:
The complexity of derivatives raises the issue of estimation uncertainty,
defined in ISA 540 as “the susceptibility of an accounting estimate and
related disclosures to an inherent lack of precision in its measurement”.
This is complicated by the nature and reliability of the information to sup-
port fair values.
Fraud risk is increased by the possibility of deliberate misstatement of fair
values.
There is also an increased risk related to impairment of financial assets
depending on the financial stability of counterparties.
l Classification:
The accounting issues discussed in section 4 of this supplement increase
the risk that derivatives may be accounted for under an incorrect category,
resulting in inappropriate accounting treatment as well as incorrect (or
even fraudulent) valuation and measurement (accuracy).
l Accuracy:
Because of estimation uncertainty and the possibility of fraud, derivative
transactions might not be recorded at appropriate amounts, and gains
and losses might not be properly reported, disclosed or allocated to the
correct period.
l Presentation and disclosure:
Because of the complexity of the related financial reporting requirements,
presentation and disclosure might be incomplete, inappropriate or not
understandable.
Fraud risk is a particularly significant consideration where employees receive
performance incentives.
Control risk
The assessment of control risk would depend on:
l the auditor’s evaluation of internal controls;
l whether or not the auditor is testing controls.
Control risk remains at the maximum if the auditor does not test controls.

Detection risk
Matters that affect detection risk include:
l Risk of legal liability:
The risk of liability to third parties who rely on the auditor's report.
l Completeness, valuation and cut off assertions for derivatives:
The auditor may have difficulty obtaining evidence concerning whether or
not all derivatives are recorded, determining fair values and establishing
that rights, obligations and values are recorded appropriately and in the
correct period.
l Reliance on third parties:
Where specialists are used to value derivatives at year end.
Materiality
When planning the audit, materiality may be difficult to assess in relation to
derivative transactions, particularly considering their characteristics.
Materiality cannot be based on statement of financial position values alone, as
these may fluctuate and year-end values may be small in relation to total expos-
ures.
For this reason, auditors may place more emphasis on profit and loss/
statement of comprehensive income indicators when quantifying materiality, as
these are often better indicators of volume.
When assessing materiality, the auditor should consider the potential effect of
error on significant classes of account balance or classes of transactions.
Highly leveraged or complex derivatives may have a significant effect on the
financial statements and thus, regardless of year-end value, would form part of
a significant class of account balance or transaction.
Formulating an audit approach – response to risk
l Evaluating controls
The auditor is obliged to evaluate controls which manage significant risks.
Control evaluation would include design and implementation procedures
(commonly referred to as “D&Is”):
• Design procedures:
The auditor seeks to determine, through enquiry, observation and
inspection, whether or not controls are properly designed.
• Implementation procedures:
The auditor seeks to determine, through enquiry, observation, inspec-
tion and reperformance, whether or not controls have been imple-
mented. This usually involves a small sample, often of only one item
(commonly referred to as “walk throughs”).
l Testing controls
Testing of controls would be necessary where it is not practicable to
obtain sufficient evidence through substantive procedures only.
Note that, whilst the auditor is required to evaluate controls that manage
significant risks, testing of controls is not mandatory and an auditor could
follow a wholly substantive approach.
Testing of controls would be appropriate where:
• significant risks are managed by internal controls;
• reliance on internal controls is justified as proven by the design and
implementation procedures referred to above;
• sophisticated corporate treasury operations and systems exist;
• extensive dealing in derivatives takes place.
Approach
• Test controls that manage significant risks.
• Modify the nature, timing and extent of substantive procedures
accordingly.
l Wholly substantive approach
This would be appropriate where:
• substantive procedures prove to be more efficient and cost effective;
• inherent risk is high and internal controls are weak;
• the number of derivative transactions is limited, regardless of whether
or not systems are sound.
Approach
• Nature:
Detailed audit procedures on derivatives with the emphasis on com-
pleteness and valuation.
• Timing:
Additional work on both transactions and year-end balances (open
positions).
• Extent:
Extended tests of detail on derivative contracts and obligations.
Extensive use of analytical procedures.
Artificial intelligence (AI) enabled software could be used to review
transactions and identify anomalies and unusual transactions.
Other considerations
l The use of specialists: Especially to determine the fair values of open
positions at year end (ISA 620).
Note that these could be management experts or independent auditor’s
specialists. Additional procedures may be necessary where management
experts are involved.
l Going concern considerations: High going concern risk may arise from
derivative exposures and would affect the audit approach and audit pro-
cedures.
l The use of the work of internal auditors and the coordination of their work
with external audit (ISA 610).
l Service organisations (ISA 402 and ISAE 3402):
The auditor should consider how the client’s use of a service organisation
affects the enterprise’s accounting control system:
• whether or not controls operated by a service organisation should be
tested;
• whether or not data extracted from systems managed by the service
organisation is reliable and how to verify the reliability of that data.

8.3 OBTAINING AUDIT EVIDENCE


Audit evidence should be obtained through a combination of tests of control
and substantive procedures, or through the performance of extensive substan-
tive procedures.

8.3.1 Tests of controls


When designing tests of controls, the auditor would consider whether or not
controls provide appropriate evidence concerning the specific objectives set
out below.
Objectives
l Authorisation:
• Derivatives have been used in compliance with agreed policies and
guidelines and within the terms of authority limits and mandates for
undertaking business with approved counterparties.
• Correct decision-making processes have been followed and the logic
behind entering into selected transactions is clearly understandable.
• Switches between hedging and trading portfolios are properly author-
ised.
l Occurrence of transactions, existence of year-end balances, rights
and obligations (validity):
• Transactions recorded are bona fide and with genuine counterparties.
• Properly authorised confirmations have been sent or received.
• Early termination of derivatives is controlled.
l Accuracy:
• Incoming confirmations and other documentation received from coun-
terparties are matched and reconciled.
• Valuations have been correctly carried out by appropriately qualified
persons.
l Completeness and accuracy:
• Transactions have been completely and accurately recorded in the
accounting records, the management accounts and annual financial
statements.
l All objectives:
• Reconciliations are performed and reviewed on a regular basis. This is
a key control.

8.3.2 Substantive procedures


In performing detailed substantive audit procedures, auditors seek to ensure
that the financial statement assertions set out below are addressed.
Assertions
l Existence:
Derivative transactions exist at the accounting date.
l Rights and obligations:
Derivative transactions pertain to the enterprise at the accounting date,
and rights and obligations are clearly understood and accounted for.
l Occurrence:
Derivative transactions were entered into by the enterprise during the
relevant period, and the cause for any change in status of the transaction
(e.g. from a hedge to trading) is reasonable.
l Completeness:
All derivative transactions and exposures are recorded in the accounting
records.
l Valuation and allocation:
Derivative transactions are correctly categorised in accordance with
accounting standards and appropriate accounting treatments are fol-
lowed.
Derivative transactions are subsequently measured at appropriate fair
values and an appropriate, but not excessive, allowance is made for
impairment of financial assets.
l Accuracy:
Derivative transactions are initially recognised, measured and properly
recorded at the correct amount, and gains and losses are correctly allo-
cated to the proper period.
l Presentation and disclosure:
Derivative transactions are properly disclosed, classified and described in
accordance with the applicable reporting framework (e.g. relevant
accounting standards).

8.4 EVALUATING AND CONCLUDING


Evaluating audit evidence for the assertions relating to derivatives requires
considerable judgement, because the veracity of the assertions, particularly
valuation, is based on highly subjective judgement.
Competent members of the audit team should be involved in this phase of the
audit process.

8.5 REPORTING TO THOSE CHARGED WITH GOVERNANCE


Whilst auditing the area of derivatives, the auditor may become aware of matters
to be communicated to management or those charged with governance,
including:
● material weaknesses in accounting and internal control systems;
● poor understanding by management of derivative activities and the related
risks;
● the absence of policies, strategies and objectives for using derivatives;
● the absence of proper segregation of duties.

9. EXAMPLES OF AUDIT PROCEDURES


Tests of controls
Whether or not audit procedures would include tests of controls is discussed
earlier in this supplement.
Tests of controls could include:
General
● A review of the minutes of meetings of those charged with governance or the
risk management committee for evidence of periodic review of derivative
activities, adherence to policies, and hedging effectiveness.
● Enquiry of employees, inspection of signatures, and source documents to
ascertain whether or not control measures needed to maintain the integrity of
the system are indeed incorporated into the system.
● Ascertaining through enquiry and observation whether or not applicable
segregation of duties exists between deal initiation, processing and confirmation,
valuation of open positions, accounting and management reporting
and settlement.
In the case of all examples listed below, the auditor would enquire concerning the
prompt resolution of anomalies and discrepancies and inspect evidence of this.
Question – Are the procedures described below tests of controls or substantive
audit procedures?
Readers may ask this question having noted that certain procedures appear to
be repeated under both tests of controls and substantive procedures.

The issue is not in the nature or description of the procedure – it is in the purpose.
If the procedure is performed to determine whether or not a control function is
performed appropriately, that would be a test of controls. If evidence concerning
compliance with controls is not obtained, the same procedure might be necessary
but its nature would be substantive. The substantive sample size would also
be larger because control risk has not been reduced.
Dealing
● Enquire of dealers and ascertain what procedures are followed to ensure that
dealings in new derivative instruments are authorised.
● Inspect dealing records for signatures/authorisation.
● Enquire concerning the methods used to ensure that all transactions entered
into by dealers are recorded.
● Inspect a sample of records of deals with fixed exposure limits and ensure
that exposure limits are not exceeded.
● Inspect a sample of dealing records to ensure that deal amounts are within
authorised limits and within any other limits defined by senior management.
● Inspect a sample of counterparties and compare to the list of authorised
counterparties to ensure that the enterprise trades only with approved
counterparties.
● Enquire of relevant employees and observe that access to the deal making
systems and related records is restricted.
Recording
● Inspect a sample of derivative dealings and agree to external confirmations.
● Enquire of employees and observe that incoming confirmations are received
by an independent department and agreed to internal records.
● Inspect reconciliations to ensure that dealing records are reconciled periodically
to external records such as bank and broker statements, as well as the
accounting records.
● Enquire of employees concerning the appropriateness of policies for the
retention of dealing records.
● Inspect dates on dealing records to ensure that all dealings are promptly
processed.
● Reperform the accuracy of processing.
● Enquire of employees concerning the appropriateness of cut off procedures
designed to ensure complete and accurate processing in the proper period.
Settlement
● Observe and enquire of employees concerning access to settlement systems
and related records.
● Enquire whether or not funds can be disbursed only after appropriate
authorisation has been effected.
● Inspect signatures on documents.
● Select a sample of payments and compare the beneficiaries to the authorised
list of counterparties to ensure that funds are paid only to authorised
counterparties.
● Inspect the accounting records to ensure that the receipt of funds is properly
identified, recorded immediately upon receipt and matched to operating
records.
● Review bank reconciliations.
● Inspect signatures evidencing reviews of bank reconciliations.
● Enquire concerning control over bank reconciliations and follow up of
reconciling items.
● Enquire whether or not management reviews are undertaken regularly and
inspect evidence of this.
System, accountability, management control and open positions (middle office)
● Inspect authorisation documents from senior management concerning
amounts exceeding authorised values. Enquire whether or not such values
are reported and approved and what other action is taken by senior
management.
● Enquire of management and consider whether or not trading limits are
regularly reviewed by management for appropriateness.
● Inspect signatures for evidence of management review of reconciliations
between dealing records and the accounting records.
● Inspect the reconciliations of suspense and clearing accounts and inspect
signatures as proof of review.
● Inspect reconciliations setting out settlements of profit and loss positions.
● Enquire whether or not these reconciliations are performed regularly.
● Inspect a sample of internal and external confirmations and compare the
details to recorded open positions.
● Enquire of management whether or not open positions are independently
valued.
● Enquire of management whether or not valuation models are independently
reviewed.
● Enquire of management whether or not inputs to valuation models are
independently verified.
● Inspect documents for authorisation of inputs for valuation models.
● Enquire of management whether or not the accounting treatment in respect
of each type of derivative instrument is formally considered and approved.
● Enquire of management whether or not appropriate risk management
techniques have been implemented, particularly where speculative derivative
transactions are entered into.
● Enquire of internal audit concerning the functioning of the system and the
results of the internal audit work performed.
● Enquire concerning staff practices – recruitment, training, code of conduct,
etc.
Substantive procedures
Substantive procedures could include:
● Procedures of a general nature
• Obtain a list of outstanding derivative contracts (open positions) at period
end, and:
– Agree the total to the accounting records.
• Consider the effectiveness of internal controls over derivatives and the
effect on the nature, timing and extent of substantive procedures.
• Agree balances per the derivatives accounts in the accounting records to
the trial balance and financial statements.
• Obtain a management representation letter concerning derivatives. Place
emphasis on completeness and valuation.
● Existence and rights and obligations
• Confirm contract details and open positions with counterparties.
• For selected derivative contracts entered into during the period, obtain
dealing records, inspect the related contracts/agreements to establish
that:
– the deal was approved by the dealer;
– the deal was within counterparty and trading limits (or that any
deviations were approved);
– the deal records agree to the accounting records;
– the details agree with outward and inward confirmations;
– the purpose of the deals was appropriately documented (e.g. trading
or hedging);
– a legal contract exists and legal opinion was obtained where
necessary.
● Valuation and accuracy
• Select a sample of outstanding derivative contracts at period end, and:
– agree individual items to dealer’s position records;
– agree terms to contracts;
– verify rates and prices used in valuing positions to independent
market sources/market prices.
• Verify contract valuations at fair value by:
– assessing the appropriateness of valuation models;
– assessing the assumptions underpinning the models;
– assessing the competence and objectivity of any management
experts involved in valuation (ISA 620);
– checking all verifiable (observable) inputs to source documentation,
such as financial statements, contracts, financial press,
correspondence, etc.;
– using independent specialists (ISA 620) where necessary
(“unobservable inputs”?);
– specifically to confirm contract valuations or provide independent
valuations for comparison to those of management;
– assessing the volatility of the market;
– comparing recorded fair values to market prices for recent
transactions;
– inspecting documentation relating to subsequent settlement;
– recalculation;
– reperforming present value computations;
– assessing discount rates used against benchmark rates such as
market rates, internal rates of return and cost of capital;
– checking profit and loss calculations;
– concluding whether or not appropriate bases of measurement are
applied to specific contracts (e.g. hedge contracts valued on the
same basis as the underlying asset or liability being hedged);
– tracing the recording of gains and losses to the accounting records.
• Obtain dealers’ records and reconciliations of dealers’ records to the
accounting records, and:
– check mathematical accuracy;
– trace details to appropriate source documents such as confirmations,
subsystems, etc.;
– investigate large or unusual reconciling items.
● Valuation – impairment
• Consider the creditworthiness of each counterparty by inspection of
trading and settlement records and enquiry of management.
• Where appropriate, inspect financial and credit reports relating to
counterparties.
● Completeness and cut off
• Circularise counterparties and perform appropriate follow-up procedures.
• Note that confirmation requests should ask for details of all open positions
with each counterparty.
• Review reconciliations to broker statements and follow up any reconciling
items.
• Review period-end bank account reconciliations and consider the need
for cut-off adjustments.
• Review the sequence of dealing records.
• Check year-end cut off.
• Analyse significant suspense or clearing accounts and follow up any
reconciling items.
• Inspect agreements and correspondence for possible unrecorded
transactions.
• Review post year-end transactions.
• Enquire of enterprise staff concerning unrecorded transactions.
• Review unmatched documents or confirmations.
• Inspect a sample of recent dealings at year end and the first dealings
after year end and follow these through to the accounting records
to ensure that proper cut off procedures are applied.
● Analytical procedures
• Investigate any unexpected or unusual changes in the volume and nature of
derivative transactions and in authorised counterparties between the current
period and the prior period.
• Use artificial intelligence (AI) enabled software to review transactions and
identify anomalies and unusual transactions.
• Analyse the occurrence, ageing and volume of reconciling items.
• Review the volume and value of transactions recorded in suspense and
exception accounts.
• Analyse profits and losses by product type and consider the success of
hedging strategies.
● Presentation and disclosure
• Inspect the financial statements and ensure that derivatives are correctly
accounted for and disclosed in terms of IFRS.
