
Auditing Arens Et Al 2014


auditing and assurance services 8th edition


  • Chapters 1 & 2

    Definition of auditing

    Auditing is the accumulation and evaluation of evidence about information to determine and report on the degree of correspondence between the information and established criteria. Auditing should be done by a competent, independent person who observes due professional care.

  • We realize the following from the above definition:

    • The auditor's final result is to judge the degree of correspondence between the information and established criteria.
    • The information is mainly the financial statements and their related notes.
    • Established criteria are the accounting standards used, such as International Financial Reporting Standards (IFRS) or US GAAP.

  • The auditor cannot always be expected to audit every single transaction for the client, as this may be prohibitive in terms of time and cost. Therefore the auditor analyses the client's risks and plans and executes an audit program that includes accumulation of evidence and testing and evaluating it to arrive at the desired conclusion.

    The conclusion of the auditor's work is then formally stated in the auditor's report.

  • Three things must be possessed by the auditor. First, he should be competent (in terms of having university degrees, professional certificates, practice experience, and continuous education on contemporary issues). Second, he should be independent from the client. Third, he should apply due professional care when performing the audit and when writing the report.

  • Services that can be provided by audit firms:

    Assurance services: which include a first party (audit firm) issuing a report on a second party (e.g. the client) to a third party (e.g. the shareholders or a regulatory party). These services include:

    • Audit of historical financial statements.
    • Review of historical financial statements.
    • Audit of prospective financial statements.
    • Review of prospective financial statements.
    • Forensic (fraud) auditing.
    • Reporting on internal control effectiveness.
    • Reporting on compliance with financial regulations.

  • Non-assurance services: which include a first party (audit firm) providing a service to a second party (the client). These services include:

    • Assistance in preparing financial statements.
    • Tax consulting.
    • Other managerial consulting, such as designing an accounting information system, internal auditing, or valuation services.

  • General information about audit firms:

    Audit firms may be of different sizes. There are:

    • Small audit firms that can include only one or two practicing auditors. These are the majority but usually deal with very small clients.
    • Small audit firms with few auditors.
    • National audit firms who practice only in one country.
    • Regional audit firms who practice in a region of countries.
    • International audit firms, who include the Big Four firms and other international firms.

    The Big Four audit firms are PricewaterhouseCoopers, Deloitte, Ernst & Young, and KPMG. Other international firms include Grant Thornton and BDO.

  • Traditionally audit firms operated as partnerships. This gives them some secrecy about their financial affairs, but unlimited liability for their partners. However, some services are currently provided on a limited liability basis.

    Audit firms have different hierarchies, but in general, the lowest rank is a junior, then there are seniors, managers, and partners, respectively.

  • International Standards on Auditing (ISA) is the title of auditing standards issued by the International Federation of Accountants (IFAC) (through the International Auditing and Assurance Standards Board, IAASB), and required in many countries, including Jordan.

  • Generally Accepted Auditing Standards (GAAS)

    These are general guidelines for audit practice in the USA. Much more detail is provided in detailed auditing standards. These guidelines include ten issues grouped into three groups:

    • General standards: about competence, independence, and due professional care.
    • Field work standards: about planning the audit, analyzing the client's risks, accumulation and evaluating evidence, and other issues on execution of the audit program.
    • Reporting standards: about the content of the audit report.

    For more detail, see table 2-3 page 55.

  • Quality control:

    This means methods used to ensure that the audit firm meets its professional responsibilities to clients and others. Main issues a quality control program contains include:

    • Leadership responsibilities for quality within the firm.
    • Compliance with relevant ethical requirements.
    • Policies and procedures for acceptance and continuation of clients and engagements.
    • Policies and procedures for human resources.
    • Policies and procedures for engagement performance.
    • Policies and procedures for monitoring effective application of other quality control elements.

    See table 2-4 page 60 for additional detail on quality control issues.

  • In addition, audit firms frequently apply peer review, with one partner reviewing the work of another partner to ensure that it is up to the required quality of performance level.

  • Chapter 3: Audit reports

  • The standard unqualified audit report (unmodified report according to ISA):

    The AICPA standard unqualified audit report includes eight parts:

    • The report title: which includes mentioning that the report is about an audit and that the auditor is independent.
    • Audit report address: which is usually to the shareholders or the board of directors of the client (but not to the client's management!!).

  • Introductory paragraph: which includes two general items: the fact that there was an audit and the items that were audited (financial statements and related notes).

    Management responsibility paragraph: which includes the nature of the management's responsibilities regarding the audit. Management's responsibilities include selecting appropriate accounting policies, using reasonable accounting estimates, and maintaining an effective internal control system over financial reporting.

  • Auditor's responsibility paragraph: which includes that the auditor's responsibilities are to express an opinion on the audited financial statements that is based on the audit, the mentioning of the audit standards used, a summary of their requirements, and the fact that the opinion is based on the audit being performed.

    Opinion paragraph: which includes the opinion on the fairness of presentation of the financial statements and their conformity with the required accounting standards.

  • The name of the audit firm and/or the related audit partner responsible for the audit.

    Report date: which is the date the auditor completed the audit procedures in the field.

  • An example of the standard unqualified audit report is on page 69, while an example of the standard unqualified audit report as per the International Standards on Auditing (ISA) can be attached to this summary. The ISA report is very similar to the AICPA report.

  • Note: For many large USA companies, the audit is now required to report on two issues:

    • The freedom of the financial statements from material misstatements.
    • The effectiveness of the company's internal control.

    The report discussed above and the ISA report concentrate only on the first point.

  • Unqualified report with explanatory paragraph

    This type of report can be used when the auditor does not qualify his opinion, but nevertheless wants to emphasize a matter in the report. There might even be more than one matter to emphasize in more than one explanatory paragraph.

    The explanatory paragraph is added after the opinion paragraph, since it does not affect the opinion, which is unqualified.

    Note: Explanatory paragraphs may also be added to other types of reports (not only unqualified reports).

  • Main reasons that may require the addition of an explanatory paragraph:

    • Lack of consistent application of accounting standards: such as lack of consistency with inventory valuation methods or depreciation methods.
    • Auditor agrees with the departure from accounting standards.
    • The existence of significant related party transactions.
    • Important events occurring after the balance sheet date.

  • Accounting matter affecting the comparability of financial statements with those of the preceding year.

    Material uncertainties disclosed in the footnotes.

    Substantial doubt about going concern: such as recurring losses, recurring negative operating cash flows, and inability to repay debt on time.

    The latter is emphasized in ISA as very important and definitely needs an emphasis of a matter paragraph.

  • Reports involving other auditors:

    If there were other audit firms involved in auditing part of the financial statements, and the auditor wanted to mention that, the standard unqualified report paragraphs are modified to accommodate this issue. The introductory paragraph includes mentioning what part was audited by other auditors, while the scope paragraph includes that the opinion is based on the audits of both the main auditor and the other auditors.

    The main auditor may qualify the report if he cannot adequately judge the quality of the work done by the other auditor, or the other auditor qualified his own report on the portion he is responsible for.

    See page 77 for an example report.

  • Materiality and the audit report

    In the context of audit reports, materiality means: A misstatement in the financial statements can be considered material if knowledge of the misstatement will affect a decision of a reasonable user of the statements.

  • Materiality is not defined in US GAAS or in ISA and is a matter of personal judgment by the auditor, who carries the responsibility for materiality decisions. Materiality can be:

    • Quantitative: such as a percentage of a given number (e.g. total assets, net income, sales).
    • Qualitative: relating to the nature of the item rather than its amount.

  • As regards audit reports:

    The departure from accounting standards or the scope restriction is immaterial: It is unlikely to affect the decision of a reasonable user.

  • The departure from accounting standards or the scope restriction is material: It is likely to affect some decisions or some reasonable users and affect part of the financial statements and their related notes, without overshadowing the fair presentation of the financial statements as a whole.

  • The departure from accounting standards or the scope restriction is very material or pervasive: it is likely to affect decisions of all users and be important and overshadow the fair presentation of the financial statements as a whole.

  • Scope restriction

    Scope restriction means that the auditor, after fulfilling his professional responsibilities and due professional care, cannot judge part of the financial statements as to whether or not it contains material misstatements. Scope restriction may be imposed by the client or be a result of the circumstances of the audit.

    If the scope restriction is immaterial the auditor issues a standard unqualified opinion. He does not mention the scope restriction in his report.

  • If the scope restriction is material the auditor issues a qualified opinion. The introductory paragraph is not changed, and the auditor's responsibilities paragraph includes that the auditing standards were followed except in the restricted portion of the financial statements or their notes. After that, a paragraph or more is/are added to illustrate the scope restriction. The opinion paragraph states that except for the matters illustrated in the added paragraph before it, in case they include material misstatements, the financial statements present fairly etc.

  • If the scope restriction is very material or pervasive the auditor issues a disclaimer of opinion report. The introductory paragraph starts with "we were engaged to audit" rather than "we have audited", and the auditor's responsibilities paragraph is partially eliminated (since there was no actual audit). After that, a paragraph or more is/are added to illustrate the scope restriction. The opinion paragraph states that due to the very material scope restriction stated in the above paragraph, the auditor is unable to express an opinion on the financial statements, and therefore he does not express it.

  • See example reports page 83-84.

    Note: In the USA, lack of independence by members of the audit team leads to a disclaimer of opinion, regardless of the quality of the financial statements and their notes.

  • Departure from accounting standards

    Departure from accounting standards means that the client has committed accounting errors and that the financial statements contain material misstatements (whether related to error or fraud). If the misstatements are immaterial the auditor issues a standard unqualified opinion; he does not mention the misstatements in his report.

  • If the misstatements are material the auditor issues a qualified opinion. The introductory and responsibility paragraphs are unchanged. He then adds a paragraph or more to report the material misstatements (and the correct treatment that should have been made, if possible). The opinion paragraph states that except for the misstatements referred to in the above paragraph, the financial statements present fairly etc.

  • If the misstatements are very material or pervasive the auditor issues an adverse opinion. The introductory and responsibility paragraphs are unchanged. He then adds a paragraph or more to report the very material misstatements (and the correct treatment that should have been made, if possible). The opinion paragraph states that because of the misstatements referred to in the above paragraph, the financial statements do not present fairly etc.

  • See example reports page 84-85.

    See table 3-2 page 86 for a summary.

  • Chapter 5: Professional Ethics

    Independence

    Independence is important for the auditor in order to enhance the credibility of the audit. In order to be independent, an auditor should be:

    • Independent of mind: He should be independent and free from bias in his attitude (independent in fact).
    • Independent in appearance: He should be seen and perceived by the public as being independent.

  • The following issues are likely to have a positive or negative effect on auditor independence:

    1) Nonaudit services: Nonaudit services include accounting, management information system services, internal audit, valuation of some financial statement items, etc. The provision of nonaudit services to audit clients is useful because the auditor is the one who knows more about the client, compared to external consultants. However, the provision of nonaudit services is considered to have a negative effect on auditor independence because:

  • A- The auditor probably receives relatively high fees for consulting (compared to auditing), and may impair his independence so that he does not lose the consulting income.

    B- The auditor will probably be in a situation to audit something he has consulted the client on, and may be reluctant to say that he was wrong.

  • An issue related to nonaudit services is shopping for audit principles, where an auditor may be hired by a client because he gave the client a desired accounting treatment. The auditor may later find out that he was wrong and be reluctant to act correctly since he was hired in place of another auditor based on that opinion.

  • 2- Audit committees: An audit committee is usually made up of a number of non-executive members of the board of directors of a client. It has several duties including mediating between the management and the auditor on accounting disagreements. Its presence and effectiveness are therefore positive for the external audit function, as it strengthens the position of the auditor in cases of conflicts with management of the client.

  • In the USA, in some cases the audit committee should be comprised of financially literate individuals, with at least one being a financial expert. Also, the responsibility of hiring, firing, and determining fees of auditors is given to the audit committee. This is likely to be positive for auditor independence, as the auditor is appointed by the audit committee, but audits the executive management, which is an entirely different party.

  • 3- Conflicts arising from employment relationships: In general, it is bad for auditor independence if a high-rank audit officer takes a high position at a client, or a high rank client officer takes a high position at the audit firm. The audit by this audit firm of that client may have to stop for a year or more in order to regain some independence.

  • 4- Partner rotation: This means changing the partner (and audit team) responsible for the audit of a particular client from time to time (in Jordan four years for public listed clients). This is good for independence since the long-term relations' effects are reduced. However, it may be more costly (the new team needs to incur more costs to study the client and plan the audit).

  • 5- Ownership interests: Auditor independence is negatively affected if there is a financial relation between the auditor team members (or their close relatives) and the client (such as an investment in shares or bonds). This may make the auditor reluctant to report the truth about the client if it was bad news in order not to harm the financial interest.

  • Other rules of conduct:

    1) Integrity and objectivity: The auditor should maintain integrity and objectivity in performing the audit, and should be free of conflicts of interest and not knowingly misrepresent facts.

    2) Technical standards: The auditor should follow the required auditing standards.

  • 3) Confidentiality: The auditor should keep any information he knows about the client confidential and not disclose it to any party. Some exceptions to this rule include:

    A- If auditing standards require him to disclose the information (such as the audit report).
    B- Under authorized peer review.
    C- If he is called as witness in court.
    D- If he is charged with inadequate technical performance and wants to defend himself.

  • 4) Contingent fees: An auditor must not accept fees that are contingent on the outcome of the audit (such as the type of report issued). This is bad for his independence as he may be inclined to produce the outcome that gives him the highest fees.

  • 5- Discreditable acts: The auditor should not engage in acts that are discreditable to the audit profession. These include retention of the client's records, discrimination and harassment in employment practices, negligence in performing the audit, disclosure of CPA examination questions and answers, etc.

  • 5) Advertising and solicitation: The auditor should not engage in advertising or solicitation that:

    A- Includes false, misleading, or deceptive information.
    B- Uses coercion, overreaching, or harassment.
    C- Insults competitors.
    D- Includes scenes that are impolite or otherwise discredit the profession.

  • 6) Commission and referral fees: The auditor should not receive from audit clients commissions or referral fees to either:

    • recommend a client's product or service to a third party, or
    • recommend a third party's product or service to a client.

  • 7) Form of organization and name: While non-auditors (such as legal and other experts) may be sometimes allowed to be owners in an audit firm, they must not carry ultimate responsibility for the financial statements' audit or call themselves auditors.

  • Chapter 6: Audit responsibilities and objectives

    The objective of the ordinary audit of financial statements by the independent auditor is the expression of an opinion on the fairness with which they present, in all material respects, financial position, results of operations, and cash flows in conformity with required accounting standards. This is expected to enhance the confidence of intended users in the financial statements.

  • The responsibility for adopting sound accounting policies, maintaining adequate internal control, and making fair representations in the financial statements rests with management rather than the auditor.

  • The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud. Because of the nature of audit evidence and the characteristics of fraud, the auditor is able to obtain reasonable, but not absolute, assurance that material misstatements are detected. The auditor has no responsibility to plan and perform the audit to obtain reasonable assurance that misstatements, whether caused by errors or fraud, that are not material to the financial statements are detected.

  • The auditor is responsible for reasonable, but not absolute, assurance for several reasons:

    • Most audit evidence is based on sampling, so some misstatements may occur in the unsampled part.
    • Audit evidence is persuasive, rather than conclusive.
    • Accounting treatments include a large portion of estimation and personal judgment.
    • Fraudulent financial statements may be so well prepared that normal audit practices may be unable to discover the fraud, especially when collusion occurs between several perpetrators.

  • Errors are unintentional, while fraud is intentional. Fraud may include misappropriation of assets, fraudulent financial statements, or a mix of both.

  • The audit must be designed to provide reasonable assurance of detecting both material errors and fraud. The auditor must plan and perform the audit with an attitude of professional skepticism in all aspects of the engagement. Professional skepticism is an attitude that includes a questioning mind and a critical assessment of audit evidence. Auditors should not assume that management is dishonest, but the possibility of dishonesty must be considered. At the same time, auditors should not assume that management is unquestionably honest.

  • Six suggested characteristics of skepticism:

    1- Questioning mindset.
    2- Suspension of judgement until appropriate evidence is obtained.
    3- Search for knowledge.
    4- Interpersonal understanding.
    5- Autonomy.
    6- Self-esteem.

  • When auditors find something suspicious or a fraud risk factor, they must increase their audit work on that issue until they discover the fraud or get assured that there is no fraud. If they still cannot detect the fraud, they may use the services of forensic auditors.

  • If auditors know about the existence of a fraud, they should report it to the managerial level higher than that where it was committed. If management is involved in the fraud, the auditors should write to those charged with governance (such as the audit committee and the board of directors). If even these parties are involved in the fraud, the auditor should seek legal advice on what to do to report the fraud outside the client.

  • Management assertions and audit objectives

    Management gives the auditor assertions about:

    • Transactions and events for the period under audit.
    • Account balances at period-end.
    • Presentation and disclosure.

  • Issues involved in such transactions include:

    1- Occurrence/existence: Recorded transactions have actually occurred and recorded balances actually exist, and disclosed issues have occurred.

    2- Completeness: All transactions and accounts and disclosures that should be included in the financial statements are actually included.

  • 3- Accuracy/valuation/allocation: All amounts recorded for transactions and balances and disclosures are valued accurately and in conformity with accounting standards.

    4- Classification: Transactions and balances and disclosures are classified properly in the financial statements.

  • 5- Cutoff: Transactions are recorded in the proper accounting period.

    6- Rights and obligations: The client actually has rights to the assets and is obliged to pay the liabilities.

    7- Understandability: Disclosures are understandable.

  • The auditor then plans his audit objectives (whether general or specific) to ensure that these assertions are correct.

  • Chapter 7: Audit evidence

    Audit evidence is any information used by the auditor to determine whether the information being audited is stated in accordance with the established criteria.

    Auditors use various types of evidence. Some are generated by the auditor, some by the client, and some by third parties. The evidence is expected to provide high levels of assurance about the conclusions, which generally are one of several alternative types of audit reports. The consequences of incorrect decisions from evidence include users of audited financial statements making incorrect decisions, and the possibility of the auditor being sued.

  • Major audit evidence decisions:

    Deciding on the audit procedures to use: This includes the types of audit evidence to be collected and the audit tests to be performed on them.

    Deciding on the sample size: This includes what quantity of each type of evidence to be collected and tests to be performed. There are many ways of selecting sample types and sizes.

  • Deciding on the items to select: This includes what the components of each sample should consist of. For example, if we are selecting a sample of accounts receivable, should we select randomly, or select only overdue accounts, or select the largest balances?

    Deciding on the timing of audit procedures: This includes deciding when to perform a procedure. An auditor may find it less costly if he can distribute the evidence procedures over the year rather than doing all of them near the year-end. This depends on his previous risk analysis of the client and how much he trusts the internal controls of the client.

  • Deciding on the individuals to perform the procedures: This includes deciding on the required ranks and experiences of the audit firm employees involved in performing the audit evidence procedures, and evaluating the need for external experts.

  • Persuasiveness of evidence:

    Audit evidence, due to its nature, is generally considered persuasive, rather than conclusive. To be persuasive, audit evidence should be appropriate (in terms of quality) and sufficient (in terms of quantity).

    To be appropriate, audit evidence should be relevant and reliable. Being relevant means that the audit evidence should relate to fulfilling the audit objective the auditor is testing. Being reliable means that the audit evidence can be believable or worthy of trust. The following general guidelines are useful in understanding reliability of audit evidence:

  • Evidence is generally considered higher in reliability (compared to the opposite case) if:

    1- The provider of evidence is independent from the client.
    2- The client's internal controls are effective.
    3- The auditor collects the evidence personally.
    4- The provider of information is qualified.
    5- The evidence is objective (does not require considerable personal judgement).
    6- The evidence is timely obtained.

  • To be sufficient, audit evidence should be of a quantity that enables the auditor to perform reliable tests and therefore make reliable conclusions. A very important issue here is the sample size.

  • Types of audit evidence

    1- Physical Examination: This means the inspection or count by the auditor of a tangible asset. Main assets in this category include cash, inventory, and fixed assets. Physical examination is considered reliable in that the auditor collects the evidence by himself, and that it can be used to test the existence objective. However, it fails to test the rights objective (whether the asset is owned or controlled by the client) and the valuation (including the condition and possible impairment) objective for the asset.

  • 2- Confirmation: This includes the receipt of a direct written response by an independent third party verifying the accuracy of information requested by the auditor. The auditor generally has to have the acceptance of the client before contacting many third parties (lack of this acceptance is a scope restriction).

  • Main types of third parties include accounts receivable, accounts payable, banks and insurance companies, clients of banks and insurance companies, lawyers, and government agencies. Information verified may include balances of accounts or other issues.

    Confirmations are generally considered reliable because of the independence of the provider of information (clients should not control the sending or receiving of the information), but they can be very costly and may cause inconvenience to the individuals being asked.

  • Confirmations can be open or closed. Open confirmations (those that require an open answer) are more useful because the respondent has to search for an answer, but are likely to generate a lower response rate. Closed confirmations (those that require ticking a box as an answer) are less useful and less reliable, but are likely to generate a higher response rate.

  • 3- Inspection: This is the auditor's inspection of the client's documents and records to substantiate the information that is, or should be, included in the financial statements. There are a great many documents available for testing, and the auditor tests the document itself and its relation to recorded figures and accounts. Internal documents (those that have been prepared by the client and have never left the client) are considered less reliable than external documents (those that have been prepared by the client but seen by at least one external party, or have been prepared by an external party).

  • 4- Inquiries of the client: This means obtaining written or oral information from the client in response to questions from the auditor. This type of information might sometimes be low in reliability because it is being provided by the client's employees (and possibly lacks independence), but many types of information cannot be collected in any other way. It is also useful to check the reliability of other types of gathered information (as corroboration of evidence).

    Inquiries of the client require many interviewing skills on the part of the auditors. Inquiries can be used for collecting information, assessing information, and interrogating about information.

  • 5- Observation: This is the use of senses to assess client activities. Here the auditor may tour the client's premises or watch employees while they perform their jobs.

    The reliability of this method is high because the auditor does it himself, but also low because observed people may change their behavior because of this knowledge.

  • 6- Recalculation and reperformance: Recalculation involves rechecking a sample of calculations made by the client for arithmetic accuracy. Reperformance involves independent tests by the auditor of the client's accounting procedures or controls that were originally done as part of the entity's accounting and internal control system. Therefore, recalculation involves checking a computation, while reperformance involves checking a procedure. Both types are reliable because the auditor collects the evidence by himself, but less reliable because the items checked may be poor due to poor effectiveness of the internal control and accounting information system of the client.

  • 7- Analytical procedures: Analytical procedures use comparisons and relationships (including ratio analysis) to assess whether account balances or other data appear reasonable compared to the auditor's expectations.

  • The main sources for auditor expectations are:

    • Client industry data and data of competitors.
    • Similar prior-period data for the client.
    • Client-determined expectations (such as budgets or press releases).
    • Analyst forecasts.
    • Expected results using nonfinancial data.

  • Analytical procedures are mandatory in the planning and client understanding phase and in the final checking phase, while they are optional (depending on their reliability and the auditor's willingness to use them) in the substantive testing auditing phase.

  • Analytical procedures may help in the following issues:
    - Understanding the client's industry and business.
    - Assessing the client's ability to continue as a going concern.
    - Indicating the presence of possible misstatements in the financial statements (some unexplained numbers may be observed and analyzed).
    - Reducing detailed audit tests (if the results of analytical procedures were satisfactory and the internal control and accounting information system producing the numbers were effective).

  • Therefore, analytical procedures get reliability from the fact that the auditor does them himself, but this reliability is weakened if the internal control and accounting information system producing the numbers were not effective.

  • Corroboration of evidence

    In many cases, the use of one of the above audit evidence types alone is not enough. Therefore, a piece of evidence collected from a source is later checked by collecting information related to it from other sources. This may either confirm the previous information (if results and conclusions are similar) or question it (if results and conclusions are different).

  • Cost of evidence

    As an audit firm aims for profit, it can be expected to try to cut costs. This is considered acceptable as long as the auditor does not compromise the quality of the audit and the fulfillment of his professional and legal responsibilities.

  • Audit documentation

    Audit documentation is the principal record of auditing procedures applied, evidence obtained, and conclusions reached by the auditor in conducting the audit.

  • The purposes of audit documentation are:
    - A basis for planning the audit.
    - A record of the evidence accumulated and the results of the tests.
    - Data for determining the proper type of the audit report.
    - A basis for review by supervisors or partners who do not perform detailed procedures of the audit.

    The ownership of audit working papers rests with the audit firm, but rules of confidentiality apply as there are client secrets in the working papers.

  • CHAPTER EIGHT: Audit Planning

    Client acceptance and continuance

    A first step in an audit is to decide whether to accept a new client, or to continue with an old client. This decision should be made with care and under a quality control system; clients should not be accepted without applying selection criteria. A new client should be investigated regarding its acceptability. This includes its standing in the business community, financial stability, and its reputation.

  • In summary, a prospective client should be screened as to:
    - The client's suitability for the audit firm: This includes the nature of the client's business and whether the audit firm wants to be involved with clients in this business, the reputation of the client and its senior managers and directors, and the client's financial stability.
    - The audit firm's suitability for the client: This includes the audit firm's size and knowledge and experience, and its independence from the client.

  • A main issue in the new client acceptance is that the audit firm should communicate with the client's predecessor auditor in order to evaluate whether to accept the engagement. Issues that may be considered here include reasons for the predecessor auditor leaving the client, and whether the client lacks integrity or had accounting disputes with the predecessor auditor.

  • Although the successor auditor is the one responsible to initiate the communication with the predecessor auditor, the latter should seek permission from the client before giving the information. However, if the client refuses to give this permission, the successor auditor will consider this as a scope limitation and might decline to accept the client.

  • In the case there was no predecessor auditor, or the predecessor auditor does not provide information, or if this information shows potential problems, the successor auditor may seek more information from other sources before making the acceptance or rejection decision.

  • As for continuing clients, issues considered before making the continuance decision include conflicts over the scope of the audit, disputes over accounting issues, lack of client's integrity, the client having very high risks, non-payment of audit fees, or an assessment that the previous fees were not sufficient and the client unwilling to increase them.

  • Obtaining an understanding with the client is important before starting the audit in order to reach an agreement between the audit firm and the client on what is to be done. To document this agreement, the auditor sends to the client an engagement letter, asking the client to sign it to confirm agreement with its contents. The contents of the engagement letter are likely to include the following:

  • - The objectives of the engagement.
    - The responsibilities of the auditor and the management.
    - The limitations of the engagement.
    - Restrictions imposed on the audit work, if any.
    - Deadlines for completing the audit.
    - Assistance to be provided by the client's personnel in obtaining records and documents.
    - The amounts and method of payment of audit fees.

  • Having accepted the engagement, the auditor now develops an audit strategy, selects appropriate staff for the engagement, and evaluates the need for outside specialists.

  • Understanding the client's business and industry

    A thorough understanding of the client's business and industry and knowledge about the company's operations are essential for the auditor to conduct an adequate audit. The nature of the client's business and industry affects client business risk and the risk of material misstatements in the financial statements. Recent changes in the clients' businesses (such as globalization, information technology, and the global financial crisis) increase the importance of understanding the client's business and industry.

  • The three most important external reasons for understanding the client's industry and environment are:

  • 1- Some industries may be too risky and therefore affect the auditor's assessment of the client's business risk and its acceptable audit risk. In some cases, audit firms may consider some industries as too risky to select clients from.

  • 2- The auditor should be familiar with certain inherent risks that affect all businesses in the same industry (for example, obsolescence in the clothes industry, or problems with collecting accounts receivable in the consumer loan industry).

  • 3- Many industries (such as construction companies and financial institutions) have unique accounting requirements that the auditor should understand to evaluate whether the client's financial statements are in accordance with the required financial reporting standards.

  • As for internal issues the auditor is likely to need to consider, these include:

    1- Learning about the client's business operations and processes, and possibly touring the client's facilities and operations to gain first-hand knowledge about some risks the audit might face.

  • 2- Identifying related parties. A related party is a party with which the client deals, where one of the two sides can influence the management or operating policies of the other (such as a parent company, a member of the senior executive management or the board of directors or their close relatives, a major supplier or a major customer). Transactions with related parties are not arm's-length transactions, and may involve some accounting problems. The main issues to consider here are whether the transactions are properly accounted for and disclosed in accordance with required accounting standards, and whether there is a significant risk of fraud in collusion with a related party.

  • 3- Learning about the management and corporate governance systems in the company. The auditor should evaluate management's philosophy and operating style and its response to risks. In addition, the auditor should evaluate the company's governance system, including its organizational structure, the role of the board of directors and the audit committee, and the role of other corporate governance parties, such as the internal auditors and the institutional investors. The codes of ethics and minutes of meetings of the board of directors and executive management and shareholders assembly may give an indication of how the client is managed and governed.

  • 4- Learning about the client's objectives and strategies. A good client should have clear objectives and have put in place clear and reasonable strategies to achieve its objectives. Auditors should in particular understand the client's objectives regarding reliability of financial reporting, effectiveness and efficiency of operations, and compliance with laws and regulations. Such issues help in assessing the client's business risk.

  • 5- Learning about the client's measurement and performance system. This includes key performance indicators that the client's management uses to measure progress towards its objectives. These measures can be financial statement figures or other figures, such as market share. Unreasonable indicators or those tied to accounting figures must be treated with care as they increase the risk of material misstatements in the financial statements.

  • Having completed the above steps in understanding the client's business and industry, the auditor is ready to assess the client's business risk, which is the risk that the client will not achieve its objectives. Failure to achieve objectives can turn into a risk of material misstatements in the financial statements, whether intentional or unintentional.

  • After assessing the client's business risk, the auditor performs preliminary analytical procedures to better understand the client's business and to assess the possibility of material misstatements in the financial statements. (This was discussed earlier in chapter 7).

  • CHAPTER NINE: Materiality and Risk

    Materiality

    Materiality is the magnitude of an omission or misstatement that, in the light of surrounding circumstances, makes it probable that the judgment of a reasonable person relying on the information would have been changed or influenced by the omission or misstatement.

  • The auditor starts by setting preliminary judgement about materiality, then he allocates this preliminary judgement to segments, then he estimates the total misstatement in the segment and estimates the combined misstatement. Finally, he compares the combined estimate with his preliminary or revised judgement about materiality. Tolerable misstatement is the amount of misstatement the auditor is willing to tolerate (that is, to consider it immaterial).

  • Risk

    The audit function includes some risk or uncertainty. A popular method of dealing with risk is called the audit risk model, which can be summarised as:

    AAR = IR * CR * PDR

    Where AAR stands for acceptable audit risk, IR for inherent risk, CR for control risk, and PDR for planned detection risk.

  • Audit risk is the risk that an unqualified audit opinion is issued on the financial statements, while in fact they contain material misstatements.

  • Acceptable audit risk is the risk the auditor is willing to accept that the financial statements may be materially misstated after the audit is completed and an unqualified opinion has been issued. The smaller the AAR is, the less willing the auditor is to accept the risk of material misstatements. This risk level is set by the auditor after considering certain factors.

  • Inherent risk is the risk that the financial statements may include material misstatements due to the nature of the company or the account(s) involved. The auditor cannot affect inherent risk, but he assesses it due to its effect on the planning and conducting of the audit. The higher the IR is, the more risky the audit is.

  • Control risk is the risk that the financial statements may include material misstatements that will not be prevented or detected by the client's internal control system on a timely basis. The auditor cannot directly affect control risk, but he assesses it due to its effect on the planning and conducting of the audit. The higher the CR is, the more risky the audit is.

  • Planned detection risk is the risk that the financial statements may include material misstatements that will not be detected by the auditor's own procedures (such as evidence collection and testing). This risk is related to the other three in the audit risk model, and is calculated using the equation after determining the other three. It is directly related to the amount of audit procedures to be performed (such as evidence collection and testing), in that the lower the PDR is, the more audit procedures have to be performed, and vice versa.
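
  • A worked illustration of the audit risk model, added here with constructed values that are not from the original notes. Rearranging the model for planned detection risk:

    PDR = AAR / (IR * CR)

    With AAR = 0.05, IR = 0.8 and CR = 0.5: PDR = 0.05 / (0.8 * 0.5) = 0.125

    With AAR = 0.05, IR = 0.8 and CR = 1.0: PDR = 0.05 / (0.8 * 1.0) = 0.0625

    Holding AAR and IR fixed, the higher control risk gives the lower planned detection risk, so more audit procedures have to be performed.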

  • Assessing Acceptable Audit Risk

    Engagement risk is the risk that the auditor or audit firm will suffer harm after the audit is finished, even though the audit report was correct. If the client fails in achieving its objectives or becomes bankrupt, the audit firm is likely to get into trouble even if the audit was of high quality. For example, it may face numerous lawsuits and loss of reputation and loss of clients. There is a relation between acceptable audit risk and the negative consequences that are likely to happen to the audit firm in case of such trouble. Therefore, to assess AAR, the following issues are taken into consideration:

  • 1- The degree to which external users rely on the statements: AAR is generally lowered if external users place heavy reliance on the financial statements and the audit. External users are significantly more likely to file lawsuits or cause other damage to the audit firm's reputation than internal users, who may themselves be a main reason for the collapse of the client. The following factors are likely to indicate the degree to which financial statements are relied on by external users:

  • A- Size: In general, the larger the client's size, the more widely its financial statements are used by external parties.

    B- Distribution of ownership: The financial statements of publicly held companies (especially when there are many small shareholders) are generally more widely used by external parties than those of closely held companies, such as those with a small number of large investors, those with family ownership, or partnerships.

    C- Nature and amount of liabilities: The more the client's liabilities are, the more likely its financial statements will be used by external creditors, such as banks, bondholders, and trade creditors.

  • 2- The likelihood that a client will have financial difficulties after the audit report is issued: When a client goes bankrupt or has significant financial problems after the audit is completed, the audit firm is likely to face more challenges to the quality of its audit (such as lawsuits). This will likely cause AAR to be set at a lower level if the likelihood of the client's financial difficulties is higher. Some indicators of a client's financial difficulties include poor liquidity, continuing losses, financing growth only by debt, taking high risks, and poor competence of management.

  • 3- The auditor's evaluation of management's integrity: If the auditor considers that the client's management lacks integrity, and still accepts the engagement, he is likely to set the AAR at a significantly low level.

  • Assessing Inherent Risk

    The following factors may affect the auditor's assessment of inherent risk:

    1- Nature of the client's business: The more risky the nature of the client's business is, the higher is IR.

    2- Results of previous audits: An auditor may discover some misstatements in previous audits of the client that are likely to recur in future audits because they are systematic and the client cannot, or has not done something to, stop them. The more these types of misstatements exist, the higher is IR.

  • 3- Initial versus repeat engagements: Having audited the client's financial statements for several years, the audit firm gains knowledge and experience about the likelihood of occurrence of some misstatements. Therefore, new clients have a higher IR compared to old ones.

  • 4- Related parties: IR is higher when there are more related parties and more transactions with them, because these are generally more likely to include misstatements due to the nature of the relationship among the related parties.

  • 5- Nonroutine transactions: Transactions that are unusual for a client are more likely to be incorrectly recorded than routine transactions because the client often lacks experience recording them. In addition, nonroutine transactions may be questionable and may contain some type of fraud concealment. Therefore, the more and the larger nonroutine transactions are, the larger is IR.

  • 6- Judgment required to correctly record account balances and transactions: The more the financial reporting of the client includes personal judgements and estimates (such as allowances or fair valuation), the higher is IR due to the possible intentional and unintentional material misstatements.

  • 7- Makeup of the population: The makeup of the population for some accounts or transactions may affect IR. For example, IR is higher for accounts receivable if a larger percentage of them (in number or amount) are overdue.

  • 8- Factors related to fraudulent financial reporting and misappropriation of assets: The presence of fraud risk factors increases the IR. (It also affects CR)

  • Chapter Ten: Audits of Internal Control and Control Risk

  • Internal control has the following objectives:
    - Reliability of the financial reporting process and outcomes.
    - Efficiency (in terms of cost and revenue) and effectiveness (in terms of achieving intended goals) of operations.
    - Ensuring compliance with laws and regulations.

  • Internal control only provides reasonable (not absolute) assurance about the fairness of financial statements. Reasons include:

    1- The cost-benefit relation: In general, the cost of implementing an internal control system should not exceed the expected benefit from it. This means that some errors may still occur since the benefit of preventing them may be less than the cost of implementing the improved system.

  • 2- The human factor: Internal control systems are operated by humans. If humans do not understand the system or act carelessly, the system will not operate effectively.

    3- Collusion: The system may separate several jobs to reduce the chance of error or fraud. If employees collude to beat the system, they might succeed.

  • COSO components of internal control

    The COSO framework is one of the most regarded frameworks used worldwide to discuss effective internal control systems. It has five components:
    - Control environment
    - Risk assessment
    - Control activities
    - Information and communication
    - Monitoring

  • Control environment

    The control environment consists of the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about internal control and its importance to the entity. It has several subcomponents:

    1- Integrity and ethical values: Such as management's actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. It also includes communicating entity values and behavioral standards to employees through policy statements, codes of conduct, and by example.

  • 2- Commitment to competence: Management's consideration of the competence levels for specific jobs and how those levels translate into requisite skills and knowledge.

    3- Board of directors and audit committee participation: The more effective this is, the better is the internal control environment.

    4- Management philosophy and operating style: Such as the risk appetite, performance targets, bureaucracy, etc., and their effects on internal control.

  • 5- Organizational structure: Controls should be implemented taking into account the entity's lines of responsibility and authority.

    6- Human resource policies and practices: In areas of hiring, training, promoting, compensating, dealing with personal problems, etc.

  • Risk assessment

    Risk assessment for financial reporting is management's identification and analysis of risks relevant to the preparation of financial statements in conformity with accounting standards. It is important to evaluate the significance of the risk and its likelihood of occurrence, and decide the actions needed to address the risks.

  • Control activities

    Control activities are policies and procedures that help ensure that necessary actions are taken to address risks facing the achievement of the entity's objectives. They generally fall into five categories:
    - Adequate separation of duties: Such as separation of the duties of custody of assets and accounting, authorization of actions and custody of related assets, operational responsibility and record-keeping responsibility, and information technology duties and user departments.

  • - Proper authorization of transactions and activities: whether it is general authorization or specific authorization for individual actions.
    - Adequate documents and records: including prenumbering similar documents consecutively, preparing documents as quickly as possible when transactions take place, designing documents for multiple use, and constructing documents in a manner that encourages correct preparation.

  • - Physical control over assets and records, such as using safes, emergency alarms, and password access.
    - Independent checks on performance: This is important in order for the other four categories mentioned above to perform well and not be forgotten or neglected. An internal auditing department is part of this function, as may be requiring employees to take vacations during which they are replaced by others.

  • Information and communication

    This includes maintaining an information and communication system to initiate, record, process, and report the entity's transactions and to maintain accountability for the related assets. Your accounting information systems course is likely to give you deeper information on this issue.

  • Monitoring

    Monitoring activities deal with ongoing or periodic assessment of the quality of internal control by management to determine that controls are operating as intended and that they are modified as appropriate for changes in conditions. Several sources of information are used here, including studies of existing internal controls, internal auditor reports, exception reporting on control activities, reports by regulators, feedback from operating personnel, and complaints from customers.

  • See Table 10-2 (p. 320-321) for a summary of COSO components of internal control.

  • Obtaining and documenting understanding of internal control

    An auditor starts by obtaining and documenting understanding of internal control design and operation. He then assesses control risk, designs, performs, and evaluates tests of controls, and finally decides on planned detection risk and substantive tests of details.

  • There are three types of methods used to obtain and document the auditor's understanding of the design of internal control. These are:
    - Narrative: This is a written description of a client's internal controls. It includes the origin of every document and record in the system, all processing that takes place, the disposition of every document and record in the system, and an indication of the controls relevant to the assessment of control risk.

  • - Flowchart: This is a diagram of the client's documents and their sequential flow in the organization. It also includes the origin of every document and record in the system, all processing that takes place, the disposition of every document and record in the system, and an indication of the controls relevant to the assessment of control risk.
    - Questionnaire: This asks a series of questions about the controls in each audit area as a means of identifying internal control deficiencies.

  • It may be applicable to use more than one of the above methods together to get a clearer idea about the internal control system and its actual application in the client.

  • In addition to understanding the internal control system, the auditor has to evaluate the system's implementation. Some methods used here are:
    - Update and evaluate the auditor's previous experience with the entity.
    - Make inquiries of client personnel.
    - Examine documents and records.
    - Observe entity activities and operations.
    - Perform walkthroughs of the accounting system.

  • Assessing control risk

    Having documented and formed an initial view on the internal controls of the client, the auditor's next step is to assess control risk. This is done in several steps:

    1- Assess whether the financial statements are auditable

    This includes assessing whether there are any very significant issues that may make the financial statements in general not auditable, such as very poor management integrity, or very poor internal controls. In such cases, the auditor may consider withdrawing from the audit. If not, the auditor proceeds to the next step.

  • 2- Determine assessed control risk supported by the understanding obtained, assuming the controls are being followed

    After obtaining an understanding of the client's internal control and initially evaluating it, the auditor makes a preliminary assessment of control risk based on what he already knows, which includes what the client claims to be there. This assessment is a measure of the auditor's expectation that internal controls will prevent material misstatements from occurring or detect and correct them if they have occurred. This preliminary assessment is made for the specific related audit objective.

  • 3- Use of a control risk matrix to assess control risk

    A control risk matrix is a method often employed by auditors to assess control risk by tying audit objectives to internal controls. The steps in doing so include:

    a- Identifying audit objectives for classes of transactions, account balances, and presentation and disclosure to which the control risk assessment applies.

    b- Identifying existing controls aimed at satisfying the audit objectives. The auditor determines what controls should exist in order to achieve the audit objectives.

  • c- Associating controls with related audit objectives.

    d- Identifying and evaluating control deficiencies (in the design or operation of the controls), significant deficiencies (one or more control deficiencies exist and the issue merits attention by those responsible for oversight of the company's financial reporting), and material weaknesses (one or more significant deficiencies make it reasonably possible that internal control will not prevent or detect material financial statement misstatements on a timely basis).

  • Control deficiencies, significant deficiencies, and material weaknesses are assessed on two dimensions: likelihood of occurrence and significance of outcome.

    Control deficiencies, significant deficiencies, and material weaknesses are identified by (1) identifying existing controls, then (2) identifying the absence of key controls, then (3) considering the possibility of compensating controls, then (4) deciding whether there is a significant deficiency or material weakness, then (5) determining potential misstatements that could result from a deficiency or a weakness.

  • e- Associating significant deficiencies and material weaknesses with related audit objectives.

    f- Assessing control risk for each related audit objective.

    After the previous steps are undertaken, the auditor now makes a subjective assessment of control risk for each audit objective. This may be in the form of (high, moderate, low) or percentage or numerical levels. This assessment may be amended as a result of the tests of controls and substantive tests of details.

  • Communications to those charged with governance and management letters: Auditing standards require the auditor to report some control issues to those charged with governance (such as the client's board of directors and audit committee). Those charged with governance can then intervene and address the control problems, and therefore help both the client and the auditor. Auditors may (but are not required to) report recommendations on less significant internal control issues to the client as a value-added service.

  • Tests of controls

    If the auditor decides to consider relying on the internal controls of the client (the assessed control risk is low or medium), he has to test the controls in order to justify the previously made assessment of control risk. If the results of the tests of controls support the previous assessment of control risk, then they can be used to reduce substantive testing evidence collection. If not, the previous assessment of control risk is to be reconsidered.

  • The operational effectiveness of internal controls can be tested using the following four procedures:
    - Making inquiries of appropriate client personnel.
    - Examining documents, records, and reports.
    - Observing control-related activities.
    - Reperforming client procedures.

  • The extent of use of these tests of control procedures depends on the desired level of control risk to be depended on by the auditor. The lower the level of control risk the auditor wants to use, the more extensive the tests of controls procedures will be.

  • After performing tests of controls and determining a final assessment of control risk, this assessment is linked to audit objectives and integrated into the determination of planned detection risk, and therefore the types of audit evidence to be collected and evaluated and the types of substantive tests of details to be performed.

  • Chapter 11: Fraud Auditing

    Types of fraud

    Fraudulent financial reporting is an intentional misstatement or omission of amounts or disclosures with the intent to deceive users. Most fraud includes an attempt to overstate income, but also there is fraud that intends to understate income, if this leads to lower income tax or to create earnings reserves. Some forms of fraud include earnings management, involving deliberate actions taken by management to meet earnings objectives. A form of that is income smoothing, where revenues and expenses are shifted between periods to reduce fluctuations in earnings.

  • Misappropriation of assets involves theft of the entity's assets. While this usually involves internal parties, such as employees and members of the executive management and the board of directors, it may sometimes involve external parties, such as customers (ex. shoplifting) or suppliers (ex. cheating in products).

  • Conditions for fraud

    According to the fraud triangle principle, three conditions should be available in order for fraud to occur. These are:
    - Incentives / Pressures: Management or other employees have incentives or pressures to commit fraud.
    - Opportunities: Circumstances provide opportunities for management or employees to commit fraud.
    - Attitudes / Rationalization: An attitude, character, or set of ethical values exists that allows management or employees to commit a dishonest act, or they are in an environment that imposes sufficient pressure that causes them to rationalize committing a dishonest act.

  • See page 356 and page 358 and the appendixes of ISA 240 for examples of risk factors concerning the above three conditions, in the cases of fraudulent financial reporting or misappropriation of assets.

  • In the case of fraudulent financial reporting, incentives and pressures include a decline in the company's prospects, such as low profitability or low ability to repay debt, and a willingness to meet budgets or analysts' forecasts or conditions of debt covenants. Another important factor here is the willingness of managers to earn higher bonuses through manipulating financial statements.

  • As for opportunities, risk factors include the existence of significant judgements and estimates in accounting, weakness of accounting information systems and internal control, and high turnover of accounting and information technology employees.

    As for attitudes and rationalization, risk factors include a managerial disregard of the financial reporting process, desire to meet overly optimistic forecasts, and lack of ethics.

  • In the case of misappropriation of assets, incentives and pressures include financial pressures on employees, or their dissatisfaction with the company they work at. Opportunities include weakness of internal controls, such as easy access to cash or inventory or other valuable assets, and lack of adequate separation of duties or lack of keeping adequate records and documents. Attitudes and rationalization include management's attitudes towards ethics (if managers cheat then lower-level employees may consider this acceptable).

  • Assessing the risk of fraud

    An auditor should approach fraud with professional scepticism, assuming neither that management is dishonest nor that it is unquestionably honest. This includes approaching the audit with a questioning mind throughout, in order to identify fraud risks and critically evaluate audit evidence. If auditors come across a possibility of a material misstatement due to fraud, they must thoroughly probe the issues, acquire additional evidence and perform additional tests, and consult with other team members.

  • Sources of information to assess fraud risks

    1- Communication among the audit team: Discussions among the members of the audit team may reveal some issues related to fraud, such as the opportunities for its occurrence due to poor controls, or the existence of some suspicious observations by some members. Sometimes, lower-level auditors (who do most of the daily work) may not be aware of the risk of something that the higher-level auditors may, due to experience, perceive as important.

  • 2- Inquiries of management: Sometimes management may be aware of the existence of fraud in the company, or suspect it, and tell the auditor about that and about its plans to deal with it. The auditor is required to ask the client's management about their knowledge of any fraud in the entity and what they have done in response to this issue.

  • 3- Risk factors: The auditor has to evaluate risk factors in order to consider whether there are significant possibilities of fraud in the company, whether through fraudulent financial reporting or through misappropriation of assets. The existence of one or more risk factors does not necessarily mean that there is fraud, but the auditor has to give more attention to the issue.

  • 4- Analytical procedures: Analysis using analytical procedures may show that there are differences between the reported figures and the auditor's expectations. Such differences may be the result of a hidden fraud.

  • 5- Other information: This information may be obtained through other risk assessment activities or from other sources, such as the reputation of management on integrity and honesty. Another source is receiving tips from employees or other people about the possible existence of fraud or suspicious activities in the client.

  • After assessing fraud risks, auditors have to document their discussions and findings in their working papers. In evaluating fraud risk factors, auditors have to consider whether the fraud risk may be reduced through better corporate governance oversight, including management's fulfilment of their responsibilities towards fraud, and the oversight of the audit committee.

  • Responding to the risk of fraud

    After identification of risks of material misstatements due to fraud, auditors should discuss the findings with management and see whether management have applied controls to deal with the risks. Having discussed that, auditors' responses to fraud risks include:
    1- Changing the overall conduct of the audit: Such as including fraud specialists and adding unpredictability to audit procedures to counter fraudsters' possible familiarity with the traditional procedures.

  • 2- Designing and performing audit procedures to address fraud risks.
    3- Designing and performing procedures to address management override of controls: such as examining journal entries and other adjustments for evidence of possible misstatements due to fraud, reviewing accounting estimates for biases, and evaluating the business rationale for significant unusual transactions.

  • Responsibilities when fraud is suspected

    If fraud is suspected, the auditor gathers additional information to determine whether fraud actually exists. A popular method here is additional inquiries of management and other parties. Inquiries may be informational (to obtain new information), assessment (to corroborate or contradict prior information), or interrogative (to determine whether individuals are deceptive; this method requires sufficient experience by auditors). After that, auditors evaluate the responses to inquiry, and may perform follow-up inquiries and interviews. In interviews, auditors should pay close attention to verbal and nonverbal cues used by interviewees that may indicate possible deception. (See tables 11-6 and 11-7, pages 376-377, for examples.)

  • Other practices in response to the suspicion of fraud existence include using audit software analysis [such as Computer-Aided Audit Techniques (CAATs)] and the use of expanded substantive testing.

  • Specific fraud risk areas

    Revenue and accounts receivable fraud risks

    Revenue is usually the largest item in the income statement, and it therefore directly affects reported income, and is also easy to manipulate because of the ambiguity of the application of the revenue recognition principle, especially regarding the timing of the recognition.

  • Main types of revenue manipulation regarding fraudulent financial reporting include:
    A- Fictitious revenues (the creation of fake revenues that do not exist).
    B- Premature revenue recognition (recognizing revenue in periods before the periods it should be recognized in).
    C- Manipulation of adjustments to revenues (such as not recording sales returns and allowances, or manipulating the bad debt expense).

  • Main types of revenue manipulation regarding misappropriation of assets include:
    A- Failure to record a sale (stealing the inventory or the cash receipts and not recording the transaction in the books).
    B- Theft of cash receipts after a sale is recorded (this may be committed through recording a sale return or allowance, writing off the customer's account as bad debt, and closing the customer's account through opening another one and repeating this practice).

  • Purchases and accounts payable fraud risks

    This usually includes the understatement of accounts payable or purchases and costs of goods sold to make the financial statements look better. Some methods used here for fraudulent financial reporting include:
    A- Not recording accounts payable until subsequent periods.
    B- Recording fictitious reductions to accounts payable.

  • As for misappropriation of assets, some methods used here include:
    A- Issuing payments to fictitious vendors and stealing the amounts.
    B- Stealing payments to real vendors.

  • Fraud risks in fixed assets

    These risks include the subjectivity of valuing fixed assets (including revaluation and impairment) and the wrong capitalisation or expensing of assets and expenses. Also, some fixed assets may be subject to theft, such as computers.

  • Fraud risks in payroll accounts

    Some methods used in payroll fraud include:
    A- Overstating inventory by increasing direct labour and indirect labour costs in it.
    B- Overstating the costs of assets by wrong capitalising of labour used to construct them.
    C- Manipulating fringe benefits, such as retirement benefits.
    D- Creation of fictitious employees and stealing their salaries.
    E- Overstating an individual's working hours to steal some money as additional wages.

  • Auditors must be aware of the above mentioned examples, and the warning signs of their existence. Some methods used here are careful analytical procedures and careful examination of document discrepancies and weaknesses in internal control systems.
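    Several of the warning signs listed above (fictitious vendors, fictitious employees, overstated hours) can be tested with the kind of audit software analysis mentioned earlier. The sketch below is an added example, not taken from the textbook or these slides; the file layouts, identifiers and the 250-hour limit are assumptions, and all data is constructed.

```python
from collections import defaultdict

# Constructed sample files (assumed layouts): HR master, payroll register,
# vendor master and cash disbursements for one month.
EMPLOYEES = [
    {"id": "E01", "bank": "ACC-1001"},
    {"id": "E02", "bank": "ACC-1002"},
    {"id": "E03", "bank": "ACC-1003"},
]
PAYROLL = [
    {"id": "E01", "bank": "ACC-1001", "hours": 160},
    {"id": "E02", "bank": "ACC-1002", "hours": 310},
    {"id": "E03", "bank": "ACC-1003", "hours": 168},
    {"id": "E09", "bank": "ACC-1002", "hours": 160},
]
VENDORS = [
    {"id": "V10", "bank": "ACC-7001"},
    {"id": "V11", "bank": "ACC-1003"},
]
PAYMENTS = [
    {"voucher": 501, "vendor": "V10", "amount": 1200},
    {"voucher": 502, "vendor": "V11", "amount": 4800},
    {"voucher": 503, "vendor": "V99", "amount": 950},
]
MAX_MONTHLY_HOURS = 250  # assumed reasonableness limit


def ghost_employees(payroll, employees):
    """Employee ids paid through payroll but absent from the HR master file."""
    known = {e["id"] for e in employees}
    return sorted({p["id"] for p in payroll if p["id"] not in known})


def shared_bank_accounts(payroll):
    """Bank accounts that receive salary for more than one employee id."""
    by_account = defaultdict(set)
    for p in payroll:
        by_account[p["bank"]].add(p["id"])
    return {acct: sorted(ids) for acct, ids in by_account.items() if len(ids) > 1}


def excessive_hours(payroll, limit=MAX_MONTHLY_HOURS):
    """Employees whose recorded hours exceed the reasonableness limit."""
    return sorted(p["id"] for p in payroll if p["hours"] > limit)


def vendors_paid_into_employee_accounts(vendors, employees):
    """(vendor id, employee id) pairs that share the same bank account."""
    owner = {e["bank"]: e["id"] for e in employees}
    return sorted((v["id"], owner[v["bank"]]) for v in vendors if v["bank"] in owner)


def payments_to_unknown_vendors(payments, vendors):
    """Vouchers paid to a vendor id that is not on the vendor master file."""
    known = {v["id"] for v in vendors}
    return sorted(p["voucher"] for p in payments if p["vendor"] not in known)


def exception_report():
    """Run every test over the constructed files and collect the hits."""
    return {
        "ghost_employees": ghost_employees(PAYROLL, EMPLOYEES),
        "shared_bank_accounts": shared_bank_accounts(PAYROLL),
        "excessive_hours": excessive_hours(PAYROLL),
        "vendor_employee_match": vendors_paid_into_employee_accounts(VENDORS, EMPLOYEES),
        "unknown_vendor_payments": payments_to_unknown_vendors(PAYMENTS, VENDORS),
    }


if __name__ == "__main__":
    for test_name, hits in exception_report().items():
        print(f"{test_name}: {hits}")
```

    Each hit is a lead for follow-up inquiry and document examination, not proof that fraud exists.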

  • CHAPTER 12: The Impact of Information Technology on the Audit Process

  • Currently, a very large number of businesses of different sizes rely on IT to record and process transactions. Various types of IT functions, including the internet, exist. IT integration into accounting systems has led to:
    Computer controls replacing manual controls, with a lower possibility of random errors, and the ability to handle a very large number of transactions quickly and cost-effectively.
    Higher quality information being available in larger quantity and at greater speed.

  • Assessing risks of information technology

    IT may be better for internal control of companies, but it has its own problems and risks which the company and its auditors must be aware of. These include:
    1- Reliance on the functioning capabilities of hardware and software: If the hardware or software were limited in their features or not well maintained or carried viruses, their functioning may be impaired.

  • 2- Systematic versus random errors: While the errors that occur in manual systems tend to be random, errors occurring in IT systems tend to be systematic. For example, if there was an error in designing an IT system, this is likely to lead to errors in all transactions processed through this system.

  • 3- Unauthorized access: In addition to physically unauthorized access by people having access to the IT machines, there is the risk of unauthorized access through misusing passwords or hacking.
    4- Loss of data: A simple delete process may lead to a loss of a large amount of data stored electronically.

  • 5- Invisibility of audit evidence: This occurs through computer functions reducing or eliminating, or at least hiding, the evidence the auditor can use, leading to significantly less evidence to test (especially documents and records).
    6- Reduced human involvement: This implies that many individuals who deal with the system may never have access to the results of their work, and therefore cannot verify its accuracy.

  • 7- Lack of traditional authorization: This is because in IT systems, there are fewer procedures like authorised signatures and seals. In this case, the entity should be careful with IT authorisation of transactions.
    8- Reduced separation of duties: IT environments often lead to reduced separation of duties through combining many functions that were traditionally separated in one centralized IT function. If an individual has broad access to many functions on the system, he/she might act dishonestly.

  • 9- Need for IT experience: IT environments need special knowledge that not every employee possesses. If employees dealing with IT are not qualified, this may lead to high IT risks.

  • General internal controls

    General controls apply to all aspects of the IT function, including IT administration, separation of IT duties, systems development, physical and online security over access to hardware, software, and related data, backup and contingency planning in the event of unexpected emergencies, and hardware controls. Because general controls often apply on an entity-wide basis, auditors evaluate general controls for the company as a whole.

  • Main general controls include:
    A- Administration of the IT function: This includes the board of directors' and senior management's attitude about IT and the perceived importance of it in the organisation from their point of view. Important topics here include oversight, resource allocation, and involvement in key IT decisions. The management may establish special committees reporting to them regarding important IT issues. The chief of IT reports to the senior management and the board of directors.

  • B- Separation of IT duties: Main responsibilities to be separated in an IT environment include IT management, systems development, operations, and data control. In general, those who perform programming, operating, and data controlling should be different people.

  • C- Systems development: This includes purchasing or developing in-house software to meet the organization's needs, and testing all software to ensure that the new software is compatible with existing hardware and software and determine whether the hardware and software can handle the needed volume of transactions.

  • D- Physical and online security: IT systems need physical security in terms of, for example, keys, cameras, security personnel, and cooling and humidity conditions to protect the machines. The systems also need online security to reduce the likelihood of unauthorised use and misuse, such as firewall and encryption programs.

  • E- Backup and contingency planning: This means having plans to deal with issues such as power failures, fire, water damage, or even theft of machines, all of which can lead to a big loss of data.
    F- Hardware controls: These controls are built into the computer equipment by the computer manufacturers to detect and report equipment failures.

  • Application internal controls

    Application controls apply to processing transactions, such as controls over the processing of sales or cash receipts. Auditors must evaluate application controls for every class of transactions or account in which the auditor plans to reduce assessed control risk, because IT controls will be different across classes of transactions and accounts. Application controls are likely to be effective only when general controls are effective. Application controls can be classified into:

  • A- Input controls: These controls are designed to ensure that the information entered into the computer is authorised, accurate, and complete. These are important as a wrong entry would normally lead to a wrong output. Examples of input controls include management's authorisation of transactions, adequate preparation of input source documents, competent personnel, adequately designed input screens with pull-down menu lists and computer-performed validation tests, and on-line based input controls for e-commerce transactions with external parties.

  • B- Processing controls: These controls are designed to prevent and detect errors while transaction data are processed. They include tests for validation, sequence, arithmetic accuracy, data reasonableness, and completeness.

  • C- Output controls: These controls focus on detecting errors after processing is completed, rather than on preventing errors. The most important issue here is the reasonableness of the results. Controls that may apply here include reconciling computer-generated totals to manual control totals, comparing the number of units processed to the number of units submitted for processing, comparing some transaction output to its input source documents, and verifying dates and times of processing to identify any out-of-sequence processing.
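    The processing and output controls described above can be shown on one batch of sales invoices. This is an added example, not code from the textbook or these slides; the invoice layout, the customer master file, the 50,000 reasonableness limit and the batch itself are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Invoice:
    number: int
    customer: str
    quantity: int
    unit_price: Decimal
    total: Decimal  # extended amount as recorded by the system


APPROVED_CUSTOMERS = {"C001", "C002", "C003"}  # constructed master file
MAX_REASONABLE_TOTAL = Decimal("50000")        # assumed reasonableness limit


def inv(number, customer, quantity, unit_price, total):
    """Build an invoice from plain literals (helper for the sample batch)."""
    return Invoice(number, customer, quantity, Decimal(unit_price), Decimal(total))


# Constructed batch: one unknown customer, one wrong extension, one oversized
# amount, one blank customer, one duplicate, and invoice 1003 never processed.
SAMPLE_BATCH = [
    inv(1001, "C001", 10, "25.00", "250.00"),
    inv(1002, "C002", 3, "100.00", "300.00"),
    inv(1004, "C009", 1, "40.00", "40.00"),
    inv(1005, "C003", 2, "19.99", "49.98"),
    inv(1006, "C001", 1000, "75.00", "75000.00"),
    inv(1007, "", 1, "10.00", "10.00"),
    inv(1002, "C002", 3, "100.00", "300.00"),
]


def processing_exceptions(batch):
    """Processing controls: completeness, validation, arithmetic accuracy,
    reasonableness and sequence tests. Returns (number, control, detail)."""
    exceptions, seen = [], set()
    for i in batch:
        if not i.customer:
            exceptions.append((i.number, "completeness", "customer missing"))
        elif i.customer not in APPROVED_CUSTOMERS:
            exceptions.append((i.number, "validation", "customer not on master file"))
        if i.quantity * i.unit_price != i.total:
            exceptions.append((i.number, "arithmetic", "quantity x price != total"))
        if i.total > MAX_REASONABLE_TOTAL:
            exceptions.append((i.number, "reasonableness", "total above limit"))
        if i.number in seen:
            exceptions.append((i.number, "sequence", "duplicate number"))
        seen.add(i.number)
    if seen:
        for n in range(min(seen), max(seen) + 1):
            if n not in seen:
                exceptions.append((n, "sequence", "number missing"))
    return exceptions


def output_reconciliation(batch, control_count, control_total):
    """Output controls: compare units processed and computer-generated totals
    with the manual control totals prepared from the source documents."""
    computed_total = sum((i.total for i in batch), Decimal("0"))
    return {
        "count_matches": len(batch) == control_count,
        "total_matches": computed_total == control_total,
        "total_difference": computed_total - control_total,
    }


if __name__ == "__main__":
    for exception in processing_exceptions(SAMPLE_BATCH):
        print(exception)
    # Manual control totals (constructed): 6 documents totalling 75,639.98
    print(output_reconciliation(SAMPLE_BATCH, 6, Decimal("75639.98")))
```

    The 310.00 difference in the reconciliation is the duplicate invoice (300.00) plus the wrong extension on invoice 1005 (10.00), which shows how an output control detects what the processing tests should have stopped.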

  • Impact of information technology on the audit process

    Auditors involved in auditing entities with extensive IT use should possess adequate knowledge on this issue. They should evaluate the effectiveness of, first, general controls and, second, application controls and consider their effect on control risk assessment. In doing so, auditors obtain an understanding of client general controls by using methods that include:

  • Interviews with IT personnel and key users.
    Examination of system documentation such as flowcharts, user manuals, program change requests, and system testing results.
    Review of detailed questionnaires completed by IT staff.

  • After this, a preliminary control risk assessment is done, having reviewed the IT system's control weaknesses and deficiencies and their possible effects on not meeting related audit objectives and the possible existence of material misstatements in the financial statements and their related notes.

  • CHAPTER THIRTEEN: Audit Plan and Audit Program

  • Types of tests

    In developing an overall audit plan, auditors use five types of tests to determine whether financial statements are fairly stated. Auditors use risk assessment procedures to assess the risk of material misstatements. The other four types of tests represent further audit procedures performed in response to the risk identified. Each audit procedure falls into one, and sometimes more than one, of these five categories. The five types of audit tests are:

  • Risk assessment procedures: The auditor is required to obtain an understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement in the client's financial statements. The other four audit tests (discussed below) are performed in response to the auditor's assessment of the risk of material misstatements. According to the audit firm's approach to risk assessment, several different types and quantities of risks may be assessed (although there are minimum requirements). This selection of risks, and its results, significantly affects the mix of other tests performed in the audit program.

  • Tests of controls: The auditor's understanding of internal controls is used to assess control risk for each transaction-related audit objective (the assessment may be different for each objective). If the preliminary control risk assessment is, for example, low or medium, and the auditor wants to rely on internal controls to reduce substantive audit procedures, he has to perform tests of controls. Tests of controls are performed to obtain sufficient appropriate evidence to support the preliminary assessment of control risk. Tests of controls may include making inquiries of appropriate client personnel, examining documents and records and reports, observing control-related activities, and reperforming client procedures.

  • Tests of control can be either manual or automated. They are also used to determine whether the controls are effective (by testing a sample of the controls). The amount of additional evidence required for tests of controls depends on the extent of evidence obtained in gaining the understanding of internal control, and the planned reduction in control risk. Tests of controls may be performed separately, but it may be cost-effective to do them at the same time as doing substantive tests of transactions, especially if the same procedure is applied for both types of tests.

  • Substantive tests of transactions: Substantive tests are procedures designed to test for monetary misstatements that directly affect the correctness of financial statement balances. These tests are substantive tests of transactions, substantive tests of details of balances, and substantive analytical procedures.

    Substantive tests of transactions are used to determine whether all six transaction-related audit objectives (occurrence, completeness, accuracy, posting and summarization, classification, timing) have been satisfied for each class of transactions.

  • Substantive tests of details of balances: These tests focus on the ending general ledger balances for both balance sheet and income statement accounts. Typical types of such tests include confirming payable and receivable accounts and physical examination of tangible assets. These tests are performed to satisfy all balance-related audit objectives (existence, completeness, accuracy, classification, cutoff, detail tie-in, realizable value, rights and obligations) for each significant account.

  • Substantive analytical procedures: Analytical procedures involve comparisons of recorded amounts to expectations developed by the auditor. They are required by audit standards during the stages of planning and completing the audit, but they can also be used as a substantive auditing procedure in order to provide substantive evidence and indicate possible misstatements in the financial statements. If auditors believe that analytical procedures indicate a reasonable possibility of misstatement, they may perform additional analytical procedures or decide to modify tests of details.

  • However, if the results of analytical procedures make the auditor conclude that the client's ending balances in certain accounts appear reasonable, certain tests of details of balances may be eliminated or sample sizes reduced. The extent to which an auditor may be willing to rely on analytical procedures in support of account balances depends on several factors, including the precision of the expectation developed by the auditor, materiality, the risk of material misstatement, and the effectiveness of the client's internal control.

  • Selecting which types of tests to perform

    Typically, auditors use all five types of tests when performing an audit of the financial statements, but certain types may be emphasised, depending on the circumstances. Several factors influence the auditor's choice of the types of tests to select, including the availability of the different types of evidence, the relative costs of each type of evidence, the effectiveness of internal controls, inherent risks, fraud risks, and business risks.

  • Availability of types of evidence for further audit procedures

    See Table 13-2, page 426.

  • We can see from the table that six out of eight possible types of evidence are available for testing balances, four for testing transactions, four for testing controls, and only two for analytical procedures. Certain types of evidence, including physical examination and confirmation, can only be used to test a balance, while inquiries of the client can be used in all types of tests.

  • Relative costs of audit procedures

    Audit procedures differ in cost. The rule is that auditors have to fulfil their responsibilities according to laws and regulations and auditing standards. This includes collecting sufficient appropriate evidence. There are general requirements for the use of certain types of audit procedures, but after that the extent of use of each type is a matter of personal judgement. The audit firm is a profit-seeking entity, and therefore would like to fulfil its legal and professional responsibilities at the lowest possible cost. This influences the mix of audit procedures it uses.

  • In general, the audit procedures are classified below, according to their relative costs, with the least costly first:
    Analytical procedures
    Risk assessment procedures (including obtaining an understanding of the entity)
    Tests of controls
    Substantive tests of transactions
    Substantive tests of details of balances

  • It is clear that the least expensive type is analytical procedures, which may include making only a few comparisons per case or using a software program, while the most expensive is substantive tests of details of balances, which may involve many complications in the account components, and the need to use expensive confirmation and physical examination. Tests of controls are more expensive than risk assessment procedures due to the need for more extensive testing procedures in the former.

  • CHAPTER 24: Completing the Audit

    In this chapter, some procedures done at the end of the audit, but before the issuance of the audit report are discussed.

    Review for contingent liabilities and commitments

    A contingent liability is a potential future obligation to an outside party for an unknown amount resulting from activities that have already taken place. Three conditions are required for a contingent liability to exist:
    1- There is a potential future payment to an outside party or the impairment of an asset that resulted from an existing condition.
    2- There is uncertainty about the amount of the future payment or impairment.
    3- The