Question 2

(a)   ISA 500 Audit Evidence states that the auditor should use assertions for classes of transactions, account balances and presentation and disclosures in sufficient detail to form a basis for the assessment of risks of material misstatement and the design and performance of further audit procedures.

 

Required:

 

(i) Explain the meaning of 'sufficiency' and 'appropriateness' in the context of audit evidence. Provide ONE (1) relevant example for each term.

(4 marks)

 

(ii) Give FOUR (4) examples of audit evidence under each of the following categories:

1. Evidence obtained from independent sources outside the entity

2. Evidence generated internally by the entity

3. Evidence obtained directly by the auditor

4. Evidence obtained indirectly by the auditor

(16 marks)

 

(iii) Distinguish a negative confirmation letter from a positive confirmation letter.

(4 marks)

 

(B) Understanding the control elements and control activities are important to auditors.

 Required:

(i) Identify and explain any FOUR (4) elements of the control environment that are being affected by the information technology system. (8 marks)

(ii) Discuss FOUR (4) categories of control activities that are being affected by the information technology system.

A. Audit Evidence

1. Audit evidences obtained by the auditors will be the basis of the opinion that will be issued in the Auditors report. It is important to know when the evidences that the auditors obtained and accumulated are enough for the auditors to be able to express an opinion and also to support such opinion issued in the auditors report. The two characteristics of a good audit evidence are sufficient (sufficiency of audit evidence) and appropriate (appropriateness of audit evidence). Sufficiency of audit evidence pertains to the quantity of the audit evidence obtained, if it is already enough to satisfy the auditors in their procedures. It is a measure of how many evidence to be obtained so that the auditors have the assurance that the risk of material misstatements to a certain account is low. One example of this is when their is a fraud risk exist in an account, the quantity of audit evidence that are needed to be obtained will increase for the auditors to ensure that no fraud has really occurred or no material misstatements have occurred due to fraud. On the other hand, Appropriateness of audit evidence pertains to the measure of quality of the audit evidence obtained, for the audit evidence to be appropriate it has to be both relevant and reliable meaning the audit evidence obtained. Relevance means that the audit evidence directly answers the procedures performed by the auditors while reliability means that the audit evidence obtained are acceptable and contained no or fewer misstatements. One example of appropriateness of audit evidence is when an auditor audits a certain account, say for example revenue, the audit evidence they have to obtain for it to be appropriate are the revenue schedules, official receipts for revenue and any documents that are related to revenue.

2. Independent Sources: Pertain to evidence which came from a third party related/not related to the Company. Bank Confirmation Replies, Fair Value Report of Investment Property by third party appraiser, Actuarial valuation report by independent actuary (for audit of retirement benefit obligations) and Bank Statements

Internal Evidence: Pertain to evidence obtained from the Company itself. Purchase Invoices of all purchases, Official Receipts of all Sales transactions, Aging computation schedule of Receivables and Payables and Minutes of Board and Stockholders meeting

Obtained Directly: Pertain to the evidence obtained/performed directly by the auditor. Interest income recalculation (recalculated amount of interest income earned), Rental Income recalculation (recalculated amount of all revenue earned for the year), Receivable Confirmation replies, Count Sheet of Inventories in which the auditor physically observes the Inventory count

Obtained Indirectly: Pertain to supplement evidence in which the auditor is not able to obtain from the Company so they do an alternative way to obtain it. Receiving Report for Inventories, Shipping Report for Inventories Sold and Purchased, Customer Contracts, Legal Confirmation replies for outstanding litigations

3. A negative and positive confirmations are used when the auditor wants to confirm the balance of receivables/payables as of a certain period. A negative confirmation is used when the auditor wants the recipient of the letter to reply only if there is a discrepancy on the balance per Client's record. In simple words, it was called negative confirmation because the recipient will only reply when he 'disagrees' on the amount/balance per client's record. It is also appropriate to use negative confirmation when it only involves small amounts because one disadvantages of using negative confirmation is that the auditors do not have assurance that the letter really reaches the recipient. It can be that the letter never reaches the recipient because it was lost by the messenger and therefore the recipient was not able to reply. Since the recipient has no reply the auditor will assume that there is no discrepancy in the balance. If you use negative confirmation for big balances then the same thing happens, then the auditor will not know that there is a misstatement on that account and it will be significant because it involves big amount. A positive confirmation is preferable to be used for bigger amounts of balances. Positive confirmation is used when the auditors want the recipient to reply to the letter to confirm that the balance reflected per client's record is correct. Non-reply will be investigated by the auditors and requires additional audit procedures. One audit procedure that can address this in case the auditor did not receive reply in positive confirmation is the subsequent collection testing.

B. Understanding Internal Control

1. Monitoring - Pertains to the review of Management to the internal controls of the Company to ensure that they are still operating effectively and still prevents errors to happen. It is affected by IT system, because the way that the management review the effectiveness of internal controls they use IT applications to make the job less difficult and to make more precise decisions. And also everything is done automatedly.

Risk Assessment - It is the process of the Company to identify, evaluate and manage risks that may occur. It is an important aspect of internal control because every risk should be mitigated so that the goal of the Company can be achieved without hindrance. IT system affect the way the management does the risk assessment by way of using IT applications and employing IT professionals to ensure that all risks (probability of system errors) are given focus and are being mitigated.

Communication - It pertains to the exchange of useful information among the people (usually management level) inside the Company so that the tasks and the goals are aligned and that both are being achieved. IT system affects this because nowadays one way to improve communication to people is by using IT applications such as Skype, MS Teams and many more. They are being used to have easy access to communication especially now that the world is facing COVID-19 and that most of the businesses are working from home. So it is a great tool to be used to ensure that all tasks are still being carried out to meet the goals of the Company.

Control Activities - Pertain to the tools that are used by the Company, either manual or automated, to help the management to prevent or reduce the risks that can hinder the achievement of the goals of the Company. It is most affected by IT system because control activities become a lot easier with the help of IT system innovations. Automations nowadays are becoming the new norm on how to properly manage internal controls of businesses because manuals may be easily overriden. Automated access may bring more confidence to the management that there is a slim possibility of override.

5. Segregation of Duties - Mean that all the accounting duties (recording, authorization, safekeeping of assets) are not delegated to only one person. It is greatly affected by IT system because of the innovations brought about by the improvement of IT system the management may ensure that duties are properly delegated to different persons by giving them restricted access to the computer system of the Company.

Authorizations and Approvals - This simply means that the authorization and approval must be delegated to a higher position of the management and whoever has the authority and approval should not have access to the records of the books of the Company. Simply because to prevent that he would make his own approval to purchase something but not record it and that should be prevented by the Management. This is pretty similar to segregation of duties. IT System affects this by requiring passwords to persons who have authority and giving them restrictions of access to accounting records.

Physical Controls: This means that the safekeeping of assets is delegated to a person who does not have access to accounting records and has no authority and approval so that misuse of assets are being prevented. IT system affects this by installing CCTV cameras to places/warehouse to monitor/track if the assets are being properly taken care of. Also, to establish and help the Company for the physical counting of inventories by using machines and tools that will help them make the job easier.

Human resource controls - These are controls that focus on employees behavior, employees performance and developing and upholding policies and procedures. IT system helps the Company to better monitor this by implementing feedback systems so that the management will be able to assess the employee's performance. Also, IT system helps the Company by way of the innovations in IT applications in which Human Resources can use to aid them for a better employee performance assessment.