Sie sind auf Seite 1von 828

FINAL COURSE STUDY MATERIAL

PAPER 3

Advanced Auditing and


Professional Ethics

Volume – 1

BOARD OF STUDIES
THE INSTITUTE OF CHARTERED ACCOUNTANTS OF INDIA
This study material has been prepared by the faculty of the Board of Studies. The
objective of the study material is to provide teaching material to the students to enable
them to obtain knowledge and skills in the subject. Students should also supplement their
study by reference to the recommended text book(s). In case students need any
clarifications or have any suggestions to make for further improvement of the material
contained herein they may write to the Director of Studies.
All care has been taken to provide interpretations and discussions in a manner useful for
the students. However, the study material has not been specifically discussed by the
Council of the Institute or any of its Committees and the views expressed herein may not
be taken to necessarily represent the views of the Council or any of its Committees.
Permission of the Institute is essential for reproduction of any portion of this material.

© The Institute of Chartered Accountants of India

All rights reserved. No part of this book may be reproduced, stored in a retrieval system,
or transmitted, in any form, or by any means, electronic, mechanical, photocopying,
recording, or otherwise, without prior permission, in writing, from the publisher.

Website : www.icai.org E-mail : bosnoida@icai.org

Published by Dr. T.P. Ghosh, Director of Studies, ICAI, C-1, Sector-1, NOIDA-201301
Typeset and designed at Board of Studies, The Institute of Chartered Accountants of India.
PREFACE
Auditing is an important area of core competency of the Chartered Accountancy profession.
Millions of investors, potential investors and other stakeholders of an organization repose faith
and confidence on the auditor’s report and the Indian Chartered Accountancy Profession has
aptly served the society and contributed for the national growth and development. This
became possible simply because of adherence to the strict norms of professional self-
discipline and pursuance of the global class auditing and assurance practices.
On the wake of many corporate failures in the USA, Sarbanes–Oxley Act was enacted which
encompasses newer ideas of internal control and Peer review apart from reinforcing old best
practices of auditing and assurance. Enhanced role of the auditors has also been perceived at
home in the context of implementing code of corporate governance and various fiscal
legislations.
Students of the Final level must appreciate these developments, understand and apply the
same even in their day to day work. Students should in the first instance focus on learning of
auditing concepts, procedures and techniques from the study material. The knowledge being
so derived may be related by the students to the practical work in the field of auditing which
they do as part of their training. Auditing is largely a practical and application oriented
discipline.
Students should learn the auditing concepts and techniques as also their intricacies purely for
the purposes of applying them in their audit work. The auditing knowledge inputs provided to
the students by the Institute through the study material and other publications and the
practical training inputs provided by the audit firms during the articleship training stage
compliment one another. Students should, as part of their articleship training, involve
themselves deeply in the professional audit work done by their principals, for the purpose of
getting an intense practical knowledge and learning skills in Auditing.
Here are few tips for examination preparation. Students must familiarise themselves with the
syllabus in detail. Since they are expected to exhibit “advanced knowledge”, it is absolutely
essential that they should be able to apply theoretical knowledge to diverse practical
situations. Therefore, students must study intensively AASs, Accounting Standards, relevant
provisions of the Companies Act, 1956, case laws, etc. A good knowledge of these would help
you to tackle practical-oriented questions in the examination. The Institute’s professional
pronouncements like Accounting Standards, Statements on Standard Auditing Practices and
Guidance Notes on various matters relating to Accountancy, Auditing and Taxation etc. are of
critical importance to CA Final students as they form the base of their knowledge and its
application to practical problems in the relevant subject areas. Students are expected to have
a good insight of the contents of the above publications for their immediate purpose of
examinations and also otherwise in their day to day work they are expected to make use of
them. Some of these publications have been incorporated at the appropriate places in the
study material. While reading through the chapters, you must take special note of various
pronouncements issued by the Institute. As a matter of practical convenience, all important
guidance notes and AASs have been covered at appropriate places. Some important guidance
notes have been covered in the Advanced Accounting study material as well. Students must
read monthly Journal “The Chartered Accountant” and the students’ newsletter “The Chartered
Accountant Student” regularly. The Institute’s monthly Journal “The Chartered Accountant” is a
valuable source of articles on topical interest, relevant notifications and clarifications by
Government of India, RBI, SEBI, etc., information on contemporary developments in
Accounting, Finance, Auditing and Corporate and Tax Laws, etc. Students, especially Final
students, should regularly keep in touch with the Journal to enrich their knowledge base,
relevant for examination and other purpose. “The Chartered Accountant Student”, the
students’ monthly newsletter, published by the Board is another regular channel of
communication with students which contributes to the fund of knowledge required of CA
students, through articles, case studies, reports, academic updates, announcements, etc.
Students may also refer to compilation of suggested answers of Final (Old) Course to the
extent these are relevant for the Final (New) Course. In addition, video CDs of various topics
will also be made available which students may listen. These CDs contain lectures of eminent
experts in the field of auditing.
This study material is divided into twenty three chapters covering in details principles of
Auditing, Audit and Assurance Standards issued by the ICAI , specific audit issues classified
by organizations like Company Audit , audit of Banks , Audit of General Insurance Business ,
Audit of Co-Operative Societies and Audit of Public Sector Undertakings, special audit issues
like audit under Fiscal Laws , role of auditor under clause 49 of the Listing Agreement , Audit
of Consolidated Financial Statements, Investigation and Due Diligence. In Chapter 21, the
latest concept of Peer Review has been explained in details, which are considered as an
important step towards maintenance and improvement of audit quality. In Chapter 22, relevant
aspects of the Sarbanes Oxley requirements are elaborated which will help the students to
appreciate the global trend in auditing and build up international perspective. Lastly, in
Chapter 23 Professional Ethics are dealt with which is regarded as a foundation to the audit
function, which is essentially developed on the foundation of ethical norms, which has so far
brought name and fame to the profession. All students of Final course should read this chapter
with sincerity and imbibe the norms explained. These norms should be the guiding force while
they will work as a chartered accountant.
This study material is developed by a team of experts comprising of CA. T.P.Ghosh, Director
of Studies, CA.Vikas Kumar, Executive Officer, Ms.Srishti Gupta and Ms.Ginni Aggarwal,
Management Trainees in the Board of Studies. Contributions are also made by
CA.K.S.Chauhan, Kanpur and CA.D.R.Sengupta, Kolkata. While preparing this material,
various publications of the ICAI are adopted appropriately. Moreover, a good portion of this
study material is taken from the Advanced Auditing study materials of the Final (Old) Course
prepared by Shri Vijay Kapoor, Director, ICAI. The Board of Studies acknowledges the
contributions made by all these faculty members.
We would welcome suggestions to make this study material more useful to the students. In
case of any doubt, students are welcome to write to the Director of Studies, The Institute of
Chartered Accountants of India, C-1, Sector-1, Noida-201 301.
SYLLABUS
PAPER 3 : ADVANCED AUDITING AND PROFESSIONAL ETHICS
(One Paper- Three hours - 100 marks)
Level of Knowledge: Advanced knowledge

Objectives:

(a) To gain expert knowledge of current auditing practices and procedures and apply them in
auditing engagements,
(b) To develop ability to solve cases relating to audit engagements.
Contents:
1. Auditing Standards, Statements and Guidance Notes
Auditing and Assurance Standards (AASs); Statements and Guidance Notes on Auditing
issued by the ICAI; Significant differences between Auditing and Assurance Standards
and International Standards on Auditing.
2. Audit strategy, planning and programming
Planning the flow of audit work; audit strategy, planning programme and importance of
supervision: review of audit notes and working papers; drafting of reports; principal’s
ultimate responsibility; extent of delegation; control over quality of audit work; reliance on
the work of other auditor, internal auditor or an expert.
3. Risk Assessment and Internal Control
Evaluation of internal control procedures; techniques including questionnaire, flowchart;
internal audit and external audit, coordination between the two.
4. Audit under computerized information system (CIS) environment
Special aspects of CIS Audit Environment, need for review of internal control especially
procedure controls and facility controls. Approach to audit in CIS Environment, use of
computers for internal and management audit purposes: audit tools, test packs,
computerized audit programmes; Special Aspects in Audit of E-Commerce Transaction.
5. Special audit techniques
(a) Selective verification; statistical sampling: Special audit procedures; physical
verification of assets, direct confirmation of debtors and creditors
(b) Analytical review procedures
(c) Risk-based auditing.
6. Audit of limited companies
Statutory requirements under the Companies Act 1956; Audit of branches: joint audits;
Dividends and divisible profits % financial, legal, and policy considerations.
7. Rights, duties, and liabilities of auditors; third party liability.
8. Audit reports; Qualifications, notes on accounts, distinction between notes and
qualifications, detailed observations by the statutory auditor to the management vis-a-vis
obligations of reporting to the members.
9. Audit Committee and Corporate Governance
10. Audit of Consolidated Financial Statements, Audit Reports and Certificates for Special
Purpose engagements; Certificates under the Payment of Bonus Act, import/export
control authorities, etc.; Specific services to non-audit clients; Certificate on Corporate
Governance.
11. Special features of audit of banks, insurance companies, co-operative societies and non-
banking financial companies.
12. Audit under Fiscal Laws, viz, Direct and Indirect Tax Laws.
13. Cost audit
14. Special audit assignments like audit of bank borrowers, audit of stock and commodity
exchange intermediaries and depositories; inspection of special entities like banks,
financial institutions, mutual funds, stock brokers.
15. Special features in audit of public sector companies. Directions of Comptroller and
Auditor General of India under Section 619; Concepts of propriety and efficiency audit.
16. Internal audit, management and operational audit Nature and purpose, organisation,
audit programme, behavioural problems; Internal Audit Standards issued by the ICAI;
Specific areas of management and operational audit involving review of internal control,
purchasing operations, manufacturing operations, selling and distribution, personnel
policies, systems and procedures. Aspects relating to concurrent audit.
17. Investigation and Due Diligence.
18. Concept of peer review
19. Salient features of Sarbanes – Oxley Act, 2002 with special reference to reporting on
internal control.
20. Professional Ethics
Code of Ethics with special reference to the relevant provisions of The Chartered
Accountants Act, 1949 and the Regulations thereunder.
VOLUME-1

ADVANCED AUDITING AND PROFESSIONAL ETHICS

CONTENTS

CHAPTER 1 : AUDITING STANDARDS, STATEMENTS AND GUIDANCE NOTES - AN


OVERVIEW
1.1 Introduction ................................................................................................... 1.1
1.2 Historical Retrospect ..................................................................................... 1.2
1.3 Auditing and Assurance Standards Board – Scope and Functions .................... 1.2
1.4 Framework of AASs and Guidance Notes on Related Services ........................ 1.4
1.5 Auditing Standards ........................................................................................ 1.6
1.6 Guidance Notes........................................................................................... 1.29
1.7 Guidance Note(S) on Related Services......................................................... 1.35
1.8 Authority Attached to the Documents issued by the Institute .......................... 1.35

CHAPTER 2: AUDIT STRATERGY, PLANNING AND PROGRAMMING


2.1 Commencing an Audit.................................................................................... 2.1
2.2 Formulating an Audit Programme ................................................................... 2.4
2.3 Designing Audit Strategy ............................................................................. 2.17
2.4 Using the work of an Expert ......................................................................... 2.20
2.5 Relying upon the work of Internal Auditor ..................................................... 2.23
2.6 Using the work of another Auditor ................................................................ 2.23
2.7 Principal’s ultimate Responsibility ................................................................ 2.23
2.8 Reliance on the Management or other Certificates by the Auditor .................. 2.24
2.9 Management Representations ...................................................................... 2.26
2.10 Drafting of Report ........................................................................................ 2.27
2.11 Control of Quality of Audit Work ................................................................... 2.28
CHAPTER 3: RISK ASSESSMENT AND INTERNAL CONTROL
3.1 Introduction ................................................................................................... 3.1
3.2 Internal Control System - Nature, Scope, Objective and Structure.................... 3.2
3.3 Components of Internal Control ...................................................................... 3.6
3.4 Review of the System of Internal Control ........................................................ 3.7
3.5 Methods of Recording .................................................................................... 3.9
3.6 Evaluation of Internal Control ....................................................................... 3.19
3.7 Internal Control and Risk Assessment .......................................................... 3.20
3.8 Internal control in Small Business Enterprises .............................................. 3.26
3.9 Reporting to clients on Internal Control Weaknesses ..................................... 3.26

CHAPTER 4: AUDIT UNDER COMPUTERISED INFORMATION SYSTEM (CIS)


ENVIRONMENT
4.1 Introduction ................................................................................................... 4.1
4.2 Scope of Audit in a CIS Environment .............................................................. 4.1
4.3 Impact of changes on Business Processes (for shifting from manual to electronic
medium)........................................................................................................ 4.3
4.4 Audit Approach in a CIS environment ............................................................. 4.3
4.5 Types of Computer Systems .......................................................................... 4.7
4.6 Effect of Computers on Internal Controls ...................................................... 4.12
4.7 Effects of Computers on Auditing ................................................................. 4.14
4.8 Internal controls in a CIS environment .......................................................... 4.15
4.9 Consideration of Control Attributes by the Auditors ....................................... 4.17
4.10 Internal control requirement under CIS Environment ..................................... 4.17
4.11 Approach to Auditing in a CIS Environment................................................... 4.19
4.12 Review of Checks and Controls in a CIS Environment ................................... 4.21
4.13 Auditors Involvement in the Clients System Development and Documentation
Control........................................................................................................ 4.28
4.14 Computer assisted audit techniques (CAATs) ............................................... 4.31
CHAPTER 5: SPECIAL AUDIT TECHNIQUES
5.1 Introduction ................................................................................................... 5.1
5.2 Statistical Sampling in Auditing .................................................................... 5.10
5.3 Audit of Fixed Assets ................................................................................... 5.18
5.4 Audit Risk ................................................................................................... 5.20
5.5 Risk-Based Audit ......................................................................................... 5.22
5.6 Materiality and Audit Risk ............................................................................ 5.24

CHAPTER 6: THE COMPANY AUDIT


6.1 Introduction ................................................................................................... 6.1
6.2 Appointment of Company Auditor ................................................................... 6.1
6.3 Remuneration.............................................................................................. 6.12
6.4 Functions, Duties and Rights of Auditors ...................................................... 6.19
6.5 Audit of Branches ........................................................................................ 6.26
6.6 Reliance on the Work and Report of the other Auditor ................................... 6.28
6.7 Joint Audit................................................................................................... 6.31
6.8 Gist of Important Circulars ........................................................................... 6.34
6.9 Compliance with Relevant Provisions of the Companies Act, 1956 ................. 6.39
6.10 Auditor’s Duty under Companies Act, 1956 ................................................... 6.45
6.11 Final Accounts Preparation and Presentation................................................ 6.51
6.12 Significance of True and Fair ....................................................................... 6.54
6.13 Divisible Profits, Dividends and Reserves ..................................................... 6.55
6.14 Depreciation................................................................................................ 6.77

CHAPTER 7: LIABILITIES OF AUDITORS


7.1 Nature of Auditor’s Liability ............................................................................ 7.1
7.2 Professional Negligence ................................................................................ 7.3
7.3 Cases Concerning the Civil Liability of Auditors for Negligence...................... 7.15
7.4 Civil Liabilities under the Companies Act ...................................................... 7.17
7.5 Criminal Liability under the Companies Act ................................................... 7.22
7.6 Cases Concerning the Misconduct of Auditors under the
Chartered Accountants Act .......................................................................... 7.25
7.7 Liabilities under Income Tax Act,1961 .......................................................... 7.27

CHAPTER 8: AUDIT REPORT


8.1 Auditor’s opinion ........................................................................................... 8.1
8.2 The Auditor’s Report on Financial Statements................................................. 8.4
8.3 Statement on Qualifications in the Auditor’s Report ....................................... 8.16
8.4 Distinction between Audit Report and Certificate ........................................... 8.32
8.5 Audit Reports and Certificates for Special Purposes ...................................... 8.35
8.6 Audit of Company Prospectuses................................................................... 8.38
8.7 Audit Reports/Certificates on Financial Information in Offer Documents ......... 8.41
8.8 Statement on the Companies (Auditor’s Report) Order, 2003 ......................... 8.54

CHAPTER 9: AUDIT COMMITTEE AND CORPORATE GOVERNANCE


9.1 Introduction ................................................................................................... 9.1
9.2 Definition of Corporate Governance................................................................ 9.2
9.3 Management’s Responsibility ......................................................................... 9.3
9.4 Audit Committee under Clause 49 .................................................................. 9.3
9.5 Functions of the Audit Committee................................................................... 9.6
9.6 Review of Information by Audit Committee...................................................... 9.6
9.7 Audit Committee Under Section 292 A of The Companies Act, 1956 ................ 9.7
9.8 Audit Committee – A Comparative .................................................................. 9.8
9.9 Role of Auditor in Audit Committee and Certification of
Compliance of Conditions of Corporate Governance...................................... 9.10
9.10 Disclosures ................................................................................................. 9.22
9.11 Report on Corporate Governance ................................................................. 9.23
9.12 Auditors’ Certificate ..................................................................................... 9.24
CHAPTER 10: AUDIT OF CONSOLIDATED FINANCIAL STATEMENTS
10.1 Introduction ................................................................................................. 10.1
10.2 Definitions................................................................................................... 10.2
10.3 Responsibility of Parent ............................................................................... 10.2
10.4 Responsibility of the Auditor of the Consolidated Financial Statements .......... 10.2
10.5 Audit Considerations ................................................................................... 10.3
10.6 Auditing the Consolidation ........................................................................... 10.5
10.7 Special Considerations ................................................................................ 10.7
10.8 Management Representations .....................................................................10.10
10.9 Reporting ...................................................................................................10.11
10.10 When the Parent’s Auditor is also the Auditor of its Subsidiaries...................10.11
10.11 When the Parent’s Auditor is not the Auditor of its Subsidiary (ies) ...............10.11

CHAPTER 11: AUDIT OF BANKS


11.1 Introduction ................................................................................................. 11.1
11.2 Special Features ......................................................................................... 11.2
11.3 Legal Framework......................................................................................... 11.3
11.4 Form and Content of Financial Statements ................................................... 11.3
11.5 Audit of Accounts ........................................................................................ 11.6
11.6 Internal Control in Certain Selected Areas ...................................................11.16
11.7 Verification of Assets and Balances.............................................................11.20
11.8 Capital Adequacy .......................................................................................11.70
11.9 Concurrent Audit ........................................................................................11.70

CHAPTER 12: AUDIT OF GENERAL INSURANCE COMPANIES


12.1 Introduction ................................................................................................. 12.1
12.2 Legal Framework......................................................................................... 12.2
12.3 Insurance Regulatory and Development Authority (IRDA) Act, 1999
and Regulations Framed there under............................................................ 12.5
12.4 Features of Accounting System of Insurance Companies............................... 12.5
12.5 Audit of Accounts .......................................................................................12.16
12.6 Specific Control Procedures related to General Insurance Business..............12.19
12.7 Audit Procedures ........................................................................................12.20
12.8 Items Relating to Balance Sheet .................................................................12.28
12.9 Reinsurance ...............................................................................................12.35
12.10 Co-Insurance .............................................................................................12.41
12.11 Solvency Margin .........................................................................................12.41

CHAPTER 13: AUDIT OF CO-OPERATIVE SOCIETIES


13.1 Introduction ................................................................................................. 13.1
13.2 Auditor and Management ............................................................................. 13.2
13.3 Special features of Co-operative Audit.......................................................... 13.7
13.4 Right and Duties of Co-operative Auditors .................................................... 13.9
13.5 Form of Audit Report ..................................................................................13.10
13.6 Audit, Inquiry and Inspection of Multi-State Co-operative Societies ...............13.11

CHAPTER 14: AUDIT OF NON-BANKING FINANCIAL COMPANIES


14.1 Introduction ................................................................................................. 14.1
14.2 Audit Procedure .......................................................................................... 14.2
14.3 Audit Check-List .......................................................................................... 14.6
14.4 Auditor’s duty .............................................................................................. 14.9

CHAPTER 15: AUDIT UNDER FISCAL LAWS


15.1 Introduction ................................................................................................. 15.1
15.2 Audit(s) Under the Income-Tax Act, 1961 ..................................................... 15.1
15.3 Tax Audit under section 44AB ...................................................................... 15.4
15.4 Audit Provisions under Vat Law ...................................................................15.53
CHAPTER 16: COST AUDIT
16.1 Concept of Cost Audit .................................................................................. 16.1
16.2 Types of Cost Audit ..................................................................................... 16.2
16.3 Advantages of Cost Audit............................................................................. 16.3
16.4 Functions of Cost Auditor............................................................................. 16.4
16.5 Programme of Cost Audit ............................................................................. 16.7
16.6 General Features of Cost Records ............................................................... 16.8
16.7 Cost Audit under the Companies Act ...........................................................16.15
16.8 Steps in Cost Audit .....................................................................................16.17
16.9 Right and Duties of Cost Auditor .................................................................16.22

CHAPTER 17: SPECIAL AUDIT ASSIGNMENTS


17.1 Audit of Members of Stock Exchanges ......................................................... 17.1
17.2 Functioning of Stock Exchanges................................................................... 17.2
17.3 Rolling Settlement ......................................................................................17.11
17.4 Derivatives .................................................................................................17.12
17.5 Circuit Filters of Circuit Breakers.................................................................17.13
17.6 Accounting for Stock Exchange Transactions...............................................17.14
17.7 Conduct of Audit.........................................................................................17.16
17.8 Auditor’s Report .........................................................................................17.23
17.9 Audit of Mutual Funds .................................................................................17.24
17.10 Audit of Depositories ..................................................................................17.27
17.11 Certification Pursuant to Companies (Acceptance of Deposit) Rules, 1975 ....17.28
17.12 Environmental Auditing ...............................................................................17.31
17.13 Energy Audit ..............................................................................................17.35
17.14 Audit of Accounts of Non-Corporate Entities (Bank Borrowers) .....................17.36
17.15 Audit of Depositories ..................................................................................17.40
Note: Chapters 18-23 of Advanced Auditing And Professional Ethics and Appendices I-III
are in Volume-2.
1
AUDITING STANDARDS, STATEMENTS AND GUIDANCE
NOTES – AN OVERVIEW

Introduction
1.1 The past decade has been one of unprecedented change in the global economy and
capital markets. Key aspects of the current business environment include a globalized, highly
competitive, expanding economy; explosive growth in the development and use of technology;
dramatic increases in new economy service- and technology-based businesses with
predominantly intangible assets; unparalleled expansion in the number of public entities; large
increases in the number of individuals who directly or indirectly own equity securities; and
unprecedented growth in the market value of those securities.
The expanded use of technology in both the operating and financial systems of companies
also has significantly affected the audit environment, forcing audit firms to recruit, train and
deploy a large number of information technology specialists to support their audit efforts. It
also has caused firms to reconsider their audit methods and techniques in an effort to harness
technology to improve audit efficiency and effectiveness.
In the changing environment, it is obvious that a professional accountant should to adhere to
standards and procedures laid down by the professional accountancy bodies of which he is a
member while discharging his duties in a responsible manner. In this direction, the role of a
professional accounting body is to lay down such standards and procedures with the aim of
providing guidance to members. The Institute of Chartered Accountants of India (ICAI) has
been formulating auditing and accounting standards for the guidance of its members on its
own volition in the larger interests of the society. In this chapter, we provide an overview of
auditing standards and guidance notes issued by the Institute from time to time. Though these
standards and guidance notes have been dealt at appropriate places, the main purpose is to
acquaint and inculcate appreciation on the part of students in a focused manner as to
significance of the standards in their day to day auditing activities. Towards the end of the
Chapter, the clarification issued by the Council of the Institute is also included, which would go
a long way in understanding as well as significance to the mandatory status of “Statements”
and “Standards”.
1.2 Advanced Auditing and Professional Ethics

Historical Retrospect
1.2 The Institute, since its inception, has been committed to research in the field of
accountancy. As early as in 1955, the Council set up the Research Committee. The Council
at that point of time felt the necessity to establish such a Committee to deal with the growing
complexities of the problems faced by membership at large and with a view to ensuring the
highest of traditions and technical competence in the discharge of the duties by chartered
accountants.
As back as in 1964, the Council published the “Statement on Auditing Practices” as prepared
by the Research Committee not only for the benefit of its members but also for others outside
the profession, who might be interested in this subject. It was hoped that this Statement
would provide valuable guidance in the performance of audits, particularly of companies. The
Council of the Institute fully realised that techniques of accounting and auditing had undergone
and were undergoing important changes. Since the members were expected to keep pace
with recent developments, this Statement attempted to set out practices which were generally
accepted in other countries and which the Council considered desirable in the light of
prevailing circumstances in India. The issuance of the Statement on Auditing Practices might
be considered as a path break as far as establishing sound auditing practices is concerned.
The Statement was further revised in 1968 and 1977.
Prior to establishment of the Auditing Practices Committee (APC), the Research Committee
issued the following Statements in Auditing:
♦ Statements on Qualifications in Auditor’s Report
♦ Statement on the Manufacturing and Other Companies (Auditor’s Report) Order,
1975/1988 (Issued under Section 227(4A) of the Companies Act, 1956)
♦ Statement on Responsibilities of Joint Auditors
♦ Statement on Payments to Auditors for Other Services
Auditing and Assurance Standards Board – Scope and Functions
1.3 The Following are the important points as regards scope and functions of Auditing and
Assurance Standards Board –
1.3.1 Setting up of AASB - The International Federation of Accountants (IFAC) came into
existence in 1977 and constituted International Auditing Practices Committee (IAPC) to
formulate International Auditing Guidelines. These guidelines were later on converted into
International Standards on Auditing (ISA). Considering the developments in the field of
auditing at international level, the need for issuing Standards and Guidance Notes in tandem
with international standards but conforming to national laws, customs, usages and business
environments was felt. With this objective, our Institute constituted the Auditing Practices
Committee (APC) on September 17, 1982, to spearhead the new framework of Statements on
Standard Auditing Practices (SAPs) and Guidance Notes (GNs) inter alia to replace various
chapters of the old omnibus Statement on Auditing Practices issued in 1964.
Auditing Standards, Statements and Guidance Notes – An Overview 1.3

In July, 2002, the Auditing Practices Committee has been converted into an Auditing and
Assurance Standards Board by the Council of the Institute, to be in line with the international
trend. A significant step has been taken aimed at bringing in the desired transparency in the
working of the Auditing and Assurance Standards Board, through participation of
representatives of various segments of the society and interest groups, such as, regulators,
industry and academics. The nomenclature of SAPs has also been changed to Auditing and
Assurance Standards (AASs).
1.3.2 Scope and Functions of AASB - The main function of the AASB is to review the existing
auditing practices in India and to develop Statements on Auditing and Assurance Standards
(AASs) so that these may be issued by the Council of the Institute. While formulating the
AASs, the AASB takes into consideration the ISAs issued by the IAPC, applicable laws,
customs, usages and business environment in India. The AASs are issued under the authority
of the Council of the Institute. The AASB also issues Guidance Notes on the issues arising
from the AASs wherever necessary. The AASB has also been entrusted with the
responsibility to review the AASs at periodical intervals.
1.3.3 Scope of AASs - The AASs apply whenever an independent audit is carried out; that is,
in the independent examination of financial information of any entity, whether profit oriented or
not, and irrespective of its size, or legal form (unless specified otherwise) when such an
examination is conducted with a view to expressing an opinion. The AASs may also have
application, as appropriate, to other related functions of auditors. Any limitation on the
applicability of a specific AAS is made clear in the introductory paragraph of the AAS.
1.3.4 Procedure for issuing AASs - Broadly, the following procedure is adopted for the
formulation of AASs:
♦ The AASB determines the broad areas in which the AASs need to be formulated and the
priority in regard to the selection thereof.
♦ In the preparation of AASs, the AASB is assisted by Study Groups constituted to
consider specific subjects. In the formation of Study Groups, provision is made for
participation of a cross-section of members of the Institute.
♦ On the basis of the work of the Study Groups, an exposure draft of the proposed AAS is
prepared by the Committee and issued for comments by members of the Institute.
♦ After taking into consideration the comments received, the draft of the proposed AAS is
finalised by the AASB and submitted to the Council of the Institute.
♦ The Council of the Institute considers the final draft of the proposed AAS, and, if
necessary, modifies the same in consultation with the AASB. The AAS is then issued
under the authority of the Council.
1.3.5 Compliance with the AASs - While discharging their attest function, it is the duty of the
members of the Institute to ensure that the AASs are followed in the audit of financial
information covered by their audit reports. If for any reason a member has not been able to
perform an audit in accordance with the AASs, his report should draw attention to the material
1.4 Advanced Auditing and Professional Ethics

departures therefrom. Auditors are expected to follow AASs in the audits commencing on or
after the date specified in the Standard.
1.3.6 Linkage between AASs and Disciplinary Proceedings - The AASs (as well as other
statements on auditing) represent the generally accepted procedure(s) of audit. As such, a
member who does not perform his audit in accordance with these statements and fails to
disclose the material departures therefrom, becomes liable to the disciplinary proceedings of
the Institute under clause (9) of Part I of the Second Schedule to the Chartered Accountants
Act, 1949 which specifies that a member of the Institute shall be guilty of professional
misconduct if he “fails to invite attention to any material departure from the generally accepted
procedure of audit applicable to the circumstances”.
Framework of AASs and Guidance Notes on Related Services
1.4 Framework of Auditing and Assurance Standards and Guidance Notes on Related
Services issued recently distinguishes audits from related services. Related services comprise
reviews, agreed-upon procedures and compilations. As illustrated in the diagram below, audits
and reviews are designed to enable the auditor to provide high and moderate levels of
assurance respectively, such terms being used to indicate their comparative ranking.
Engagements to undertake agreed-upon procedures and compilations are not intended to
enable the auditor to express assurance.
Auditing _____Related Services_____
Nature of service Audit Review Agreed- Compilation
upon
Procedures

Comparative High, but Moderate No No


level of not absolute assurance assurance assurance
assurance assurance
provided by the
auditor

Report provided Positive Negative Factual Identificatio


assurance assurance findings of n of
on on procedures information
assertion(s) assertion(s) compiled

Assurance in the above context refers to the auditor's satisfaction as to the reliability of an
assertion being made by one party for use by another party. To provide such assurance, the
auditor assesses the evidence collected as a result of procedures conducted and expresses
a conclusion. The degree of satisfaction achieved and, therefore, the level of assurance
Auditing Standards, Statements and Guidance Notes – An Overview 1.5

which may be provided is determined by the procedures performed and their results. In an
audit engagement, the auditor provides a high, but not absolute, level of assurance that the
information subject to audit is free of material misstatement expressed positively in the audit
report. In a review engagement, the auditor provides a moderate level of assurance that the
information subject to review is free of material misstatement. This is expressed in the form
of negative assurance. For agreed-upon procedures, auditor simply provides a report of the
factual findings, no assurance is expressed. Instead, users of the report draw their own
conclusions from the auditor's work. In a compilation engagement, although the users of the
compiled information derive some benefit from the involvement of a member of the Institute,
no assurance is expressed in the report. Objective of an audit is to enable the auditor to
express an opinion whether the financial statements are prepared, in all material respects, in
accordance with an identified financial reporting framework "give a true and fair view".
Absolute assurance in auditing is not attainable as a result of such factors as the need for
judgement, the use of test checks, the inherent limitations of any accounting and internal
control systems and the fact that most of the evidence available to the auditor is persuasive,
rather than conclusive, in nature. The objective of a review of financial statements is to
enable an auditor to state whether, on the basis of procedures which do not provide all the
evidence that would be required in an audit, anything has come to the auditor's attention that
causes the auditor to believe that the financial statements are not prepared, in all material
respects, in accordance with an identified financial reporting framework. While a review
involves the application of audit skills and techniques and the gathering of evidence, it does
not ordinarily involve on assessment of accounting and internal control systems, tests of
records and of responses to inquiries by obtaining corroborating evidence through inspection,
observation, confirmation and computation, the auditor attempts to become aware of all
significant matters, the procedures of a review make the achievement less likely than in an
audit engagement, thus the level of assurance provided in a review report is correspondingly
less than that given in an audit report. In an engagement to perform agreed-upon
procedures and auditor is engaged to carry out those procedures of an audit nature to which
the auditor and the entity and any appropriate third parties have agreed and to report on
factual findings. The report is restricted to those parties that have agreed to the procedures
to be performed since others, unaware of the reasons for the procedures, may misinterpret
the results. In a compilation engagement, a member of the Institute is engaged to use
accounting expertise as opposed to auditing expertise to collect, classify, and summaries
financial information. The procedures employed are not designed and do not enable the
member to express any assurance on the financial information. However, users derive some
benefit as a result of the member's involvement because the service has been performed
with due professional skill and care. An auditor is associated with financial information when
the auditor attaches a report to that information or consents to the use of the auditor's name
in a professional connection. If the auditor is not associated in this manner, third parties can
assume no responsibility of the auditor.
1.6 Advanced Auditing and Professional Ethics

Auditing Standards
1.5 Till date, AASB has issued thirty four AASs. A brief summary of each AAS is given below:
1.5.1 AAS 1 : Basic Principles Governing an Audit - The Statement defines ‘audit’ as an
independent examination of financial information of any entity, whether profit oriented or not,
and irrespective of its size or legal form, when such an examination is conducted with a view
to express an opinion thereon. This Statement also describes the basic principles which
govern the auditor's professional responsibilities and which should be complied with whenever
an audit is carried out. These basic principles, as laid down by the Standard, are as follows:-
♦ Integrity, objectivity and independence
♦ Confidentiality
♦ Skills and competence
♦ Work performed by others
♦ Documentation
♦ Planning
♦ Audit evidence
♦ Accounting systems and internal controls
♦ Audit conclusions and reporting
Compliance with the aforestated basic principles requires the application of auditing
procedures and reporting practices appropriate to the particular circumstances.
This AAS became operative for all audits relating to accounting periods beginning on or after
April 1, 1985.
1.5.2 AAS 2 : Objective and Scope of the Audit of Financial Statements - This AAS describes
the overall objective and scope of the audit of general purpose financial statements of an
enterprise by an independent auditor. The Statement lays down that the objective of an audit
of financial statements, prepared within a framework of recognised accounting policies and
practices and relevant statutory requirements, if any, is to enable an auditor to express an
opinion on such financial statements. However, the auditor's opinion is in no way an
assurance as to the future viability of the enterprise or the efficiency or effectiveness with
which management has conducted the affairs of the enterprise. Besides, the Statement also
states that the scope of an audit of financial statements will be determined by the auditor
having regard to the terms of the engagement, the requirements of the relevant legislation and
the pronouncements of the Institute. However, the terms of engagement cannot restrict the
scope of an audit in relation to matters which are prescribed by statute or the pronouncements
of the Institute. The statement also requires the auditor to assess the reliability and
sufficiency of the information contained in the underlying accounting records and other source
data and also determine whether the relevant information is properly disclosed in the financial
statements.
Auditing Standards, Statements and Guidance Notes – An Overview 1.7

The statement furthermore clarifies that due to pervasive rather than conclusive nature of
audit evidence, test nature and other inherent limitations of an audit, together with the
inherent limitations of any system of internal control, there is always an unavoidable risk that
some material misstatement might remain undiscovered. The auditor should also set out the
constraints on the scope of the audit, in his audit report.
This standard is operative for all audits relating to accounting periods beginning on or after
April 1, 1985.
1.5.3 AAS 3 : Documentation - The AAS deals with the working papers prepared or obtained
by the auditor and retained by him, in connection with the performance of his audit and the
advantages of maintaining working papers. The AAS, broadly, lays down that the working
papers should record the audit plan, the nature, timing and extent of audit procedures
performed, and the conclusion drawn from evidence obtained. The AAS divides working
papers into two categories – first, permanent audit files which are updated currently with
information of continuing importance to succeeding audits; and second, current audit files
which contain information relating primarily to the audit of a single period. The AAS also lays
down that working papers are the property of the auditor, however, the latter may at his
discretion make portions thereof or extracts therefrom available to his clients. The AAS also
prescribes the duration for which working papers are to be retained.
This AAS became operative for all audits relating to accounting periods beginning on or after
July 1, 1985.
1.5.4 AAS 4 (Revised) : The Auditor's Responsibility to Consider Fraud and Error in an Audit
of Financial Statement - The purpose of this AAS is to establish standards on the auditor's
responsibility to consider fraud and error in an audit of financial statements. While this AAS
focuses on the auditor's responsibilities with respect to fraud and error, the primary
responsibility for the prevention and detection of fraud and error rests with both those charged
with governance and the management of an entity. In this Standard, the term 'financial
information' encompasses 'financial statements'. In some circumstances, specific legislations
and regulations may require the auditor to undertake procedures additional to those set out in
this AAS. This AAS becomes operative for all audits relating to accounting periods
commencing on or after April 1, 2003.
♦ When planning and performing audit procedures and evaluating and reporting the
results thereof, the auditor should consider the risk of material misstatements in the
financial statements resulting from fraud or error.
♦ In planning the audit, the auditor should discuss with other members of the audit team,
the susceptibility of the entity to material misstatements in the financial statements
resulting from fraud or error.
♦ When planning the audit, the auditor should make inquiries of management:
• to obtain an understanding of:
1.8 Advanced Auditing and Professional Ethics

¾ management's assessment of the risk that the financial statements may be


materially misstated as a result of fraud; and
¾ the accounting and internal control systems management has put in place to
address such risk;
• to obtain knowledge of management's understanding regarding the accounting and
internal control systems in place to prevent and detect error;
• to determine whether management is aware of any known fraud that has affected
the entity or suspected fraud that the entity is investigating; and
• to determine whether management has discovered any material errors.
♦ When assessing inherent risk and control risk in accordance with AAS 6 (Revised),
“Risk Assessments and Internal Control”, the auditor should consider how the financial
statements might be materially misstated as a result of fraud or error. In considering the
risk of material misstatement resulting from fraud, the auditor should consider whether
fraud risk factors are present that indicate the possibility of either fraudulent financial
reporting or misappropriation of assets.
♦ Based on the auditor's assessment of inherent and control risks (including the results of
any tests of controls), the auditor should design substantive procedures to reduce to an
acceptably low level the risk that misstatements resulting from fraud and error that are
material to the financial statements taken as a whole will not be detected. In designing
the substantive procedures, the auditor should address the fraud risk factors that the
auditor has identified as being present.
♦ When the auditor encounters circumstances that may indicate that there is a material
misstatement in the financial statements resulting from fraud or error, the auditor should
perform procedures to determine whether the financial statements are materially
misstated.
♦ When the auditor identifies a misstatement, the auditor should consider whether such a
misstatement may be indicative of fraud and if there is such an indication, the auditor
should consider the implications of the misstatement in relation to other aspects of the
audit, particularly the reliability of management representations.
♦ When the auditor confirms that, or is unable to conclude whether, the financial
statements are materially misstated as a result of fraud or error, the auditor should
consider the implications for the audit.
♦ The auditor should document fraud risk factors identified as being present during the
auditor's assessment process and document the auditor's response to any such factors.
If during the performance of the audit, fraud risk factors are identified that cause the
auditor to believe that additional audit procedures are necessary, the auditor should
Auditing Standards, Statements and Guidance Notes – An Overview 1.9

document the presence of such risk factors and the auditor's response to them.
♦ When the auditor identifies a misstatement resulting from fraud, or a suspected fraud, or
error, the auditor should consider the auditor's responsibility to communicate that
information to management, those charged with governance and, in some
circumstances, when so required by the laws and regulations, to regulatory and
enforcement authorities also.
♦ If the auditor has identified a material misstatement resulting from error, the auditor
should communicate the misstatement to the appropriate level of management on a
timely basis, and consider the need to report it to those charged with governance.
♦ The auditor should inform those charged with governance of those uncorrected
misstatements aggregated by the auditor during the audit that were determined by
management to be immaterial, both individually and in the aggregate, to the financial
statements taken as a whole.
♦ If the auditor has:
• identified a fraud, whether or not it results in a material misstatement in the financial
statements; or
• obtained evidence that indicates that fraud may exist (even if the potential effect on
the financial statements would not be material);
♦ the auditor should communicate these matters to the appropriate level of management
on a timely basis, and consider the need to report such matters to those charged with
governance.
♦ If the auditor concludes that it is not possible to continue performing the audit as a result
of a misstatement resulting from fraud or suspected fraud, the auditor should:
• consider the professional and legal responsibilities applicable in the circumstances,
including whether there is a requirement for the auditor to report to the person or
persons who made the audit appointment or, in some cases, to regulatory
authorities;
• consider the possibility of withdrawing from the engagement; and
• if the auditor withdraws:
¾ discuss with the appropriate level of management and those charged with
governance, the auditor's withdrawal from the engagement and the reasons for the
withdrawal; and
¾ consider whether there is a professional or legal requirement to report to the
person or persons who made the audit appointment or, in some cases, to
1.10 Advanced Auditing and Professional Ethics

regulatory authorities, the auditor's withdrawal from the engagement and the
reasons for the withdrawal.
1.5.5 AAS 5 : Audit Evidence - The AAS deals with the various aspects of `audit evidence' on
the basis of which the auditor expresses his opinion. The AAS lists the factors which may
affect the sufficiency and appropriateness of audit evidence. The AAS also deals with the
compliance and substantive procedures to be performed for obtaining assurance regarding
various assertions such as existence, effectiveness, continuity, completeness, valuation,
measurement etc., of assets/liabilities. The Statement, inter alia, prescribes the various
methods for obtaining audit evidence - inspection, observation, enquiry and confirmation,
computation and analytical review. The AAS also lays down general rules regarding the
extent of reliability of evidence having regard to source and nature of audit evidence.
This AAS is operative for all audits relating to accounting periods beginning on or after
January 1, 1989.
1.5.6 AAS 6 (Revised) : Risk Assessments and Internal Control - The purpose of this AAS is
to establish standards on the procedures to be followed to obtain an understanding of the
accounting and internal control systems and on audit risk and its components: inherent risk,
control risk and detection risk. This Standard becomes operative for all audit relating to
accounting periods beginning on or after April 1, 2002.
♦ The auditor should obtain an understanding of the accounting and internal control
systems sufficient to plan the audit and develop an effective audit approach. The
auditor should use professional judgement to assess audit risk and to design audit
procedures to ensure that it is reduced to an acceptably low level.
♦ In developing the overall audit plan, the auditor should assess inherent risk at the level
of financial statements. In developing the audit programme, the auditor should relate
such assessment to material account balances and classes of transactions at the level
of assertions made in the financial statements, or assume that inherent risk is high for
the assertion, taking into account factors relevant both to the financial statements as a
whole and to the specific assertions. When the auditor makes an assessment that the
inherent risk is not high, he should document the reasons for such assessment.
♦ The auditor should obtain an understanding of the accounting system sufficient to
identify and understand:
• major classes of transactions in the entity's operations;
• how such transactions are initiated;
• significant accounting records, supporting documents and specific accounts in the
financial statements; and
• the accounting and financial reporting process, from the initiation of significant
transactions and other events to their inclusion in the financial statements.
Auditing Standards, Statements and Guidance Notes – An Overview 1.11

♦ The auditor should obtain an understanding of the control environment sufficient to


assess management's attitudes, awareness and actions regarding internal controls and
their importance in the entity.
♦ The auditor should obtain an understanding of the control procedures sufficient to
develop the audit plan.
♦ After obtaining an understanding of the accounting system and internal control system,
the auditor should make a preliminary assessment of control risk, at the assertion level,
for each material account balance or class of transactions.
♦ The preliminary assessment of control risk for a financial statement assertion should be
high unless the auditor:
• is able to identify internal controls relevant to the assertion which are likely to
prevent or detect and correct a material misstatement; and
• plans to perform tests of control to support the assessment.
♦ The auditor should document in the audit working papers, the understanding obtained of
the entity's accounting and internal control systems; and the assessment of control risk.
When control risk is assessed at less than high, the auditor would also document the
basis for the conclusions.
♦ The auditor should obtain audit evidence through tests of control to support any
assessment of control risk which is less than high. The lower the assessment of control
risk, the more evidence the auditor should obtain that accounting and internal control
systems are suitably designed and operating effectively.
♦ Based on the results of the tests of control, the auditor should evaluate whether the
internal controls are designed and operating as contemplated in the preliminary
assessment of control risk.
♦ Before relying on procedures performed in prior audits, the auditor should obtain audit
evidence which supports this reliance.
♦ The auditor should consider whether the internal controls were in use throughout the
period.
♦ Before the conclusion of the audit, based on the results of substantive procedures and
other audit evidence obtained by the auditor, the auditor should consider whether the
assessment of control risk is confirmed. In case of deviations from the prescribed
accounting and internal control systems, the auditor would make specific inquiries to
consider their implications. Where, on the basis of such inquiries, the auditor concludes
that the deviations are such that the preliminary assessment of control risk is not
supported, he would amend the same unless the audit evidence obtained from other
tests of control supports that assessment. Where the auditor concludes that the
1.12 Advanced Auditing and Professional Ethics

assessed level of control risk needs to be revised, he would modify the nature, timing
and extent of his planned substantive procedures.
♦ The auditor should consider the assessed levels of inherent and control risks in
determining the nature, timing and extent of substantive procedures required to reduce
audit risk to an acceptably low level.
♦ Regardless of the assessed levels of inherent and control risks, the auditor should
perform some substantive procedures for material account balances and classes of
transactions.
♦ The higher the assessment of inherent and control risks, the more audit evidence the
auditor should obtain from the performance of substantive procedures. When the
auditor determines that detection risk regarding a financial statement assertion for a
material account balance or class of transactions cannot be reduced to an acceptable
level, the auditor should express a qualified opinion or a disclaimer of opinion as may be
appropriate.
♦ The auditor should make management aware, as soon as practical and at an
appropriate level of responsibility, of material weaknesses in the design or operation of
the accounting and internal control systems, which have come to the auditor's attention.
1.5.7 AAS 7 : Relying upon the Work of an Internal Auditor - This AAS deals with the
procedures which should be applied by the external auditor in assessing the work of an
internal auditor for the purpose of placing reliance upon that work. The AAS, inter alia, states
that, the external auditor should evaluate the internal audit function and also internal audit
work to the extent he considers that it will be relevant in determining the nature, timing and
extent of his compliance and substantive procedures. However, the report given by him is his
sole responsibility which is not in any way reduced because of the reliance he places on
internal auditor's work. The AAS also deals with scope and objectives of internal audit
function, aspects to be considered in general evaluation of internal audit function such as
organisational status, scope of functions, technical competence and due professional care,
specific evaluation of internal audit work, as also the coordination between the internal and the
external auditor.
This AAS became operative for all audits relating to accounting periods beginning on or after
April 1, 1989.
1.5.8 AAS 8 : Audit Planning - The purpose of this AAS is to amplify various principles
regarding `planning', i.e., the auditor should plan his work to enable him to conduct an
effective audit in an efficient and timely manner; that plans should be based on knowledge of
client's business; and that plans should cover, among other things, knowledge of client's
accounting systems, policies and internal control procedures, establishing the expected
degree of reliance to be placed on internal control; determining nature, timing and extent of
audit procedures; and, coordinating the work to be performed. The AAS also deals with the
Auditing Standards, Statements and Guidance Notes – An Overview 1.13

factors to be considered in audit planning and development of audit plan, and acquiring the
knowledge of client's business, as also the timing for audit plan.
This AAS became operative for all audits relating to accounting periods beginning on or after
April 1, 1989.
1.5.9 AAS 9 : Using the Work of an Expert - Though an auditor is responsible for forming and
expressing his opinion on financial information, he is entitled to rely on the work performed by
others, provided he exercises adequate skill and care and is not aware of any reason to
believe that he should not have so relied. The auditor should obtain reasonable assurance
that work performed by other auditors/experts is adequate for his purpose. This AAS
discusses auditor's responsibility in relation to, and the procedures the auditor should consider
in using the work of an expert as audit evidence. The AAS also deals with factors to be
considered in determining the need to use an expert's work, evaluating skill, competence and
objectivity of the expert and his work. The AAS also lays down the considerations in referring
to an expert's work in the auditor's report.
This AAS became operative for all audits relating to accounting periods beginning on or after
April 1, 1991.
1.5.10 AAS 10 (Revised) : Using the Work of Another Auditor - This AAS discusses the
procedures to be applied in situations where an independent auditor reporting on the financial
statements of an entity, uses the work of an independent auditor with respect to the financial
statements of one or more divisions or branches included in the financial statement of the
entity. The Statement also discusses the principal auditor's responsibility in relation to his use
of the work of other auditor. This Standard becomes operative for all audit relating to
accounting periods beginning on or after April 1, 1995.
♦ When the principal auditor uses the work of another auditor, the principal auditor should
determine how the work of the other auditor will affect the audit.
♦ The auditor should consider whether the auditor's own participation is sufficient to be
able to act as the principal auditor.
♦ When planning to use the work of another auditor, the principal auditor should consider
the professional competence of the other auditor in the context of specific assignment if
the other auditor is not a member of the Institute of Chartered Accountants of India.
♦ The principal auditor should perform procedures to obtain sufficient appropriate audit
evidence, that the work of the other auditor is adequate for the principal auditor's
purposes, in the context of the specific assignment.
♦ The principal auditor should consider the significant findings of the other auditor.
♦ There should be sufficient liaison between the principal auditor and the other auditor.
♦ The other auditor, knowing the context in which his work is to be used by the principal
auditor, should co-ordinate with the principal auditor.
♦ When the principal auditor concludes, based on his procedures, that the work of the
1.14 Advanced Auditing and Professional Ethics

other auditor cannot be used and the principal auditor has not been able to perform
sufficient additional procedures regarding the financial information of the component
audited by the other auditor, the principal auditor should express a qualified opinion or
disclaimer of opinion because there is a limitation on the scope of audit.
♦ When the principal auditor has to base his opinion on the financial information of the
entity as a whole relying upon the statements and reports of the other auditors, his
report should state clearly the division of responsibility for the financial information of
the entity by indicating the extent to which the financial information of components
audited by the other auditors have been included in the financial information of the
entity, e.g., the number of divisions/ branches/subsidiaries or other components audited
by other auditors.
1.5.11 AAS 11 : Representations by Management - This AAS establishes standards on the
use of management representations as audit evidence, the procedures to be applied in
evaluating and documenting management representations, and the action to be taken if
management refuses to provide appropriate representations. The AAS also deals with the
basic elements of a management representation letter, covering items like accounting policies,
fixed assets, capital commitments, investments, inventories, current assets and liabilities etc.
The AAS lays down, among other things, that in respect of management representation
relating to matters material to the financial statements, the auditor should seek corroborative
audit evidence from sources inside/outside the entity; evaluate whether the representations
appear to be reasonable and consistent with other audit evidence obtained; and consider
whether the individuals making the representations can be expected to be well-informed on
the matter.
The AAS became operative for all audits relating to accounting periods beginning on or after
April 1, 1995.
1.5.12 AAS 12 : Responsibility of Joint Auditors - This AAS deals with the professional
responsibilities which the auditors undertake in accepting appointments as joint auditors. The
AAS, inter alia, lays down that the joint auditors should, normally, by mutual discussion, divide
the audit work among themselves. The division of work among joint auditors as also the areas
of work to be covered by all of them should be adequately documented and preferably
communicated to the entity. The AAS also states that each joint auditor is responsible only for
the work allotted to him, whether or not he has prepared a separate report on the work
performed by him. The AAS describes the areas for which joint auditors are jointly and
severally responsible. As per the AAS, each joint auditor is entitled to assume that the other
joint auditors have carried out their part of the audit work in accordance with generally
accepted audit procedures. It also deals with the reporting responsibilities of the joint
auditors.
The AAS became effective for all audits relating to accounting periods commencing on or after
April 1, 1996.
1.5.13 AAS 13 : Audit Materiality - The AAS 13 establishes standards on the concept of
materiality and its relationship with audit risk. The AAS states that information is material if its
Auditing Standards, Statements and Guidance Notes – An Overview 1.15

misstatement could influence the economic decisions of the users taken on the basis of the
financial information and that materiality depends on the size and nature of the items, judged
in the particular circumstances of its misstatements. Materiality should be considered by the
auditor in determining nature, timing and extent of his audit procedures and in evaluating the
effect of misstatements. The AAS also states that materiality should be considered both at
overall financial information level and in relation to individual account balances and classes of
transactions. Besides, there exists an inverse relationship between materiality and the degree
of audit risk. This AAS also deals with the factors influencing materiality, factors to be
considered relating to materiality and audit risk in evaluating audit evidence as also the duties
of an auditor when uncorrected misstatements approach materiality level.
The AAS became effective in respect of audits relating to accounting periods beginning on or
after April 1, 1996.
1.5.14 AAS 14 : Analytical Procedures - AAS 14 establishes standards on application of
analytical procedures during an audit. The AAS, inter alia, lays down that the auditor should
apply analytical procedures at the planning and overall review stages of the audit. The auditor
should apply analytical procedures at the planning stage to assist in understanding the
business and in identifying areas of potential risk and at or near the end of the audit to
corroborate conclusions formed during the audit of individual elements of financial statements
and to arrive at overall conclusion as to reasonableness of the financial statements. The AAS
also deals with advantages of performing analytical procedures, matters comprising analytical
procedures, factors to be considered when performing analytical procedures as substantive
procedures, and the factors influencing the extent of reliance that can be placed on results of
analytical procedures.
The AAS became operative for all audits relating to accounting periods beginning on or after
April 1, 1997.
1.5.15 AAS 15 : Audit Sampling - The AAS establishes standards on the design and
selection of an audit sample and evaluation of the sample results, and applies to both
statistical and non-statistical sampling methods. The AAS, inter alia, lays down that
performing audit procedures on samples and evaluating sampling results can provide
sufficient appropriate audit evidence. When designing an audit sample, the auditor should
consider the specific audit objectives, the population from which auditor wishes to draw
sample, the sample size, sampling risk, tolerable error and the expected error. The AAS also
extensively deals with each of the aforesaid items and illustrates the factors influencing
sample size for tests of control and those for substantive procedures.
The AAS became effective for all audits relating to accounting periods beginning on or after
April 1, 1998.
1.5.16 AAS 16 : Going Concern - This AAS, inter alia, states that when planning and
performing audit procedures and in evaluating the results thereof, the auditor should consider
the appropriateness of the going concern assumption underlying the preparation of financial
statements. When the going concern assumption becomes doubtful, the auditor should gather
sufficient appropriate audit evidence to attempt to resolve, to the auditors satisfaction, the said
doubt. The AAS also deals with the factors to be considered in evaluating the going concern
1.16 Advanced Auditing and Professional Ethics

assumption; the procedures for evaluating the audit evidence regarding appropriateness of
going concern; the duties of the auditor and reporting requirements in case going concern
question is either not resolved or going concern assumption is considered inappropriate.
This AAS became effective for all audits relating to accounting periods beginning on or after
April 1, 1999.
1.5.17 AAS 17 : Quality Control for Audit Work - The AAS establishes standards on quality
control policies and procedures of an audit firm regarding audit work generally; and
procedures regarding the work delegated to assistants on an individual audit. At firm level,
the objectives of the quality control policies to be adopted by an audit firm normally include
professional requirements, skills and competence, assignment, delegations, consultation,
acceptance and intention of clients and monitoring. The AAS, inter alia, lays down that audit
firm should implement quality control policies and procedures designed to ensure that all
audits are conducted in accordance with AASs. At individual audit level, the AAS also deals
with aspects like providing direction and supervision to the assistants to whom work on
individual audits has been delegated, and also reviewing their performance.
The AAS became effective for all audits relating to accounting periods beginning on or after
April 1, 1999. Having regard to the importance of AAS for the auditor, this has been
discussed at length later in the Chapter.
1.5.18 AAS 18 : Audit of Accounting Estimates - The objective of this AAS is to establish
standards on the audit of accounting estimates contained in financial statements viz, the
auditor should obtain sufficient appropriate audit evidence regarding accounting estimates.
However, the AAS is not applicable to the examination of prospective financial information.
Since, accounting estimates are the responsibility of the management, the auditor needs to
obtain sufficient appropriate audit evidence as to whether and accounting estimate is
reasonable in the circumstances, and when required, appropriately disclosed in the financial
statements. According to the AAS, the auditor should follow either or all of the following
procedures to audit an accounting estimates:-
(A) Review and test the process used by management to develop the estimate; including
evaluation of date and evaluation of assumptions underlying the estimates; testing the
calculations involved in the estimate; comparison of estimates and actual results of prior
periods; and evaluation of the approval procedures of the management.
(B) Comparison of the management’s estimate with an independent estimate;
(C) Review of subsequent events which confirm the estimates.
The final assessment of reasonableness of an accounting estimates would be based on the
auditor’s knowledge of the client’s business and its consistency with other audit evidence
obtained during the audit. If the auditor is of the opinion that the accounting estimate
prepared by the management is significantly different from that assessed by him, he should
request the management to revise the same. If the management refuses to revise its
estimate, it would be considered as a misstatement and the auditor would need to consider its
effect on the financial statements. This AAS became operative for all audits commencing on
or after April 1, 2000.
Auditing Standards, Statements and Guidance Notes – An Overview 1.17

1.5.19 AAS 19 : Subsequent Events - This AAS outlines the auditor’s responsibility in respect
of subsequent events; viz, the auditor should consider the effect of subsequent events on the
financial statements and on the auditor’s report. The AAS defines subsequent Events as
significant events occurring between the balance sheet date and the date of the auditor’s
report. The AAS also refers to Accounting Standard 4, “Contingencies & Events Occurring
After the Balance Sheet Date” for the purposes of “Subsequent Events”. The AAS requires
the auditor to obtain sufficient appropriate audit evidence that all “subsequent events”, have
been identified and adjusted/disclosed, where required, in the financial statements, by
employing the following procedures:-
♦ Review of management’s procedures to identify subsequent events.
♦ Reading of minutes of meetings of shareholders, board of directors etc.
♦ Reading the latest available interim financial information, budgets, forecasts etc.
♦ Inquiring the lawyers of the entity as to the litigations and claims.
♦ Inquiring management as to any subsequent events after the balance sheet date,
affecting the financial statements.
In case of subsequent events materially affecting the financial statements, the auditor would
consider whether such events have been properly accounted for in the financial statements.
Where the management does not account for such events, the auditor would need to express
a qualified or an adverse opinion as appropriate.
The AAS becomes operative for all audits commencing on or after 1st April, 2000.
1.5.20 AAS 20 : Knowledge of the Business - This AAS deals with the definition of the
knowledge of the business, its importance to the auditor and the audit staff, its relevance to
the audit; and how the auditor obtains and uses the knowledge. The auditor should have or
should obtain knowledge of the business efficient to identity and understand the events,
transactions and practices, which in his judgement might have a significant effect on the
financial statements or on examination or audit report. The auditor should be such knowledge
to assess inherent and control risks and to determine the nature, timing and extent of audit
procedures.
Auditor’s level of knowledge would include a general knowledge of the economy and the
industry within which the entity operates and a more particular knowledge of how the entity
operates. In case of a new engagement, the auditor would need to obtain a preliminary
knowledge of the industry and of nature of ownership/management and operations of the
entity. For continuing engagements, the auditor would need to update and reevaluate
information gathered previously and would also perform procedures designed to identify
significant changes that have taken place since the last audit. The AAS illustrates a number
of sources from which the knowledge can be obtained, viz., previous experience with
entity/industry, discussion with senior operating personnel of the entity, discussion with
internal auditors, review of internal audit reports, discussion with legal advisors etc.
1.18 Advanced Auditing and Professional Ethics

The knowledge so obtained would assist the auditor in assessing risks and identifying
problems, planning and performing audit effectively and efficiently, evaluating audit evidence,
and providing better services to clients. The auditor should ensure that the audit staff should
obtain sufficient knowledge of the business. Effective use of knowledge requires the auditor to
consider its effect on the financial statements taken as a whole and also consider whether the
financials statement assertions are consistent with his knowledge of the business.
The AAS is operative for all audits commencing on or after 1st April, 2000.
1.5.21 AAS 21 : Consideration of Laws and Regulations in an Audit of Financial Statements -
The AAS lays down the standards in respect of the auditor’s responsibility regarding
consideration of laws and regulations in an audit of financial statements, viz., in planning and
performing audit procedures and in evaluating results thereof, the auditor should recognize
that non-compliance by the entity with laws and regulations may materially affect the financial
statements. The AAS, however, provides that:
(a) Whether an act constitutes non-compliance is a legal determination that is ordinarily
beyond the auditor’s professional competence, and is generally based on the advice of
an informed expert qualified to practice law but ultimately can only be decided by a court
of law.
(b) The responsibility of ensuring that the entity’s operations are carried out in accordance
with laws and regulations and that of prevention and detection of non-compliance is that
of the management.
(c) The auditor is not and cannot be held responsible for preventing non-compliance, and
audit, however, may act as a deterrent.
(d) The risk that some material misstatements of financial statements are not detected by
audit is higher in case of material misstatements resulting from non-compliance with laws
and regulations.
(e) The auditor should recognise that the audit may reveal conditions or events that would
lead to questioning the compliance with laws and regulations by the entity and should,
accordingly, plan and perform the audit.
After obtaining a general understanding of the legal and regulatory framework applicable to
the entity, and its compliance therewith, the auditor should perform procedures to identify the
instances the non-compliance affecting the financial statements. The auditor should also
obtain evidence regarding compliance with such laws and regulations which effect the
determination of material amounts and disclosures in financial statements.
The AAS requires the auditor to obtain written representations from management regarding
possible or actual non-compliance with laws and regulations whose affects should be
considered while preparing financial statements.
When the auditor becomes aware of information regarding a non-compliance, he should obtain
an understanding of the nature of the act, the circumstances in which it had occurred, and
sufficient other information to evaluate the possible effect on the financial statements. The
auditor should also document the findings and discuss them with management. When the
Auditing Standards, Statements and Guidance Notes – An Overview 1.19

aforesaid information cannot be obtained, the auditor should consider the effect of lack of
evidence on his report.
The AAS also requires that the auditor should as soon as practicable communicate the non-
compliance to the appropriate level of management.
If the auditor concludes that the non-compliance materially affects the financial statements,
the auditor should express a qualified or an adverse opinion.
In case where the entity does not take remedial steps deemed necessary by the auditor, even
though the non-compliance is not material to the financial statements, the auditor must
withdraw from the engagement.
The AAS is operative for all audits commencing on or after 1st July, 2001.
1.5.22 AAS 22 : Initial Engagements - Opening Balances - This AAS establishes standards
regarding audit of opening balances in case of initial engagements, i.e., when the financial
statements are audited for the first time or when the financial statements for the preceding
period were audited by another auditor. The auditor should obtain sufficient For initial audit
engagements the auditor should obtain sufficient audit evidence that the closing balances of
the preceding period have been correctly brought forward to the current period; that the
opening balances do not contain misstatements that materially affect the financial statements
for the current period; also that appropriate accounting policies are consistently applied. The
auditor would also need to be satisfied regarding the following matters in respect of the
opening balances:
♦ Accounting policies followed by the entity;
♦ Nature of audit report of the preceding period - clean/ qualified etc.;
♦ Nature of opening balances and the risk of their misstatement in the current period;
♦ Materiality of opening balances relative to the financial statements for the current
period.
If the auditor is unable to obtain sufficient appropriate audit evidence concerning opening
balances, the auditor should express a qualified or a disclaimer of opinion, as appropriate.
If the opening balances contain misstatements which materially affect the financial statements
for the current period and the effect of the same is not properly accounted for and adequately
disclosed, the auditor should express qualified opinion or an adverse opinion, as adequate.
The AAS is effective for all audits commencing on or after 1st July, 2001.
1.5.23 AAS 23 : Related Parties - This AAS establishes standards on the auditor’s
responsibilities and audit procedures regarding related parties and transactions with such
parties. It requires that the auditor should perform audit procedures designed to obtain
sufficient appropriate audit evidence regarding the identification and disclosure by
management of related parties and the related party transactions that are material to the
financial statements. AAS requires that the auditor should review information provided by the
management of the entity identifying the names of all known related parties and should
perform the necessary procedures such as review of records, minutes books, income-tax
1.20 Advanced Auditing and Professional Ethics

returns, relevant agreements, etc. to enable completeness of this information. AAS also
requires the auditor to satisfy himself that where the financial reporting framework requires
disclosure of related party relationships, such disclosure is adequate.
While auditing transactions with related parties, the auditor should review information provided
by directors and key management personnel of the entity identifying related party transactions
and should be alert for other material related party transactions. The auditor should also
consider the adequacy of control procedures over the authorisation and recording of related
party transactions. In examining the identified related party transactions, AAS requires that the
auditor should obtain sufficient appropriate audit evidence as to whether these transactions
have been properly recorded and disclosed. The auditor should obtain a written
representation from management concerning the completeness of information provided
regarding the identification of related parties; and the adequacy of related party disclosures in
the financial statements.
Finally, if the auditor is unable to obtain sufficient appropriate audit evidence concerning
related parties and transactions with such parties or concludes that their disclosure in the
financial statements is not adequate, the auditor should express a qualified opinion or a
disclaimer of opinion in the audit report, as may be appropriate.
Appendix to the AAS also gives an example of a management representation letter regarding
related parties. This AAS becomes operative for all audits related to accounting periods
beginning on or after 1st April, 2001.
1.5.24 AAS 24 : Audit Considerations Relating to Entities Using Service Organisations -
The purpose of this Standard is to establish standards for an auditor whose client uses a
service organisation. This AAS also describes the reports of the auditors of the service
organisation, which may be obtained, by the auditor of the client. This Standard becomes
operative for all audits related to accounting period beginning on or after April 1, 2003.
♦ The auditor should consider how a service organisation affects the client's accounting
and internal control systems so as to plan and develop an effective audit approach.
♦ While planning the audit, the auditor of the client should determine the significance of
the activities of the service organisation to the client and their relevance to the audit.
♦ If the auditor concludes that the activities of the service organisation are significant to
the entity and relevant to the audit, the auditor should obtain sufficient information to
understand the accounting and internal control systems of the service organisation and
to assess control risk at either the maximum, or a lower level if tests of control are
performed.
♦ When the auditor uses the report of a service organisation's auditor, the auditor of the
client should consider the professional competence of the other auditor in the context of
specific assignment if the other auditor is not a member of the Institute of Chartered
Accountants of India.
♦ When using a service organisation auditor's report, the auditor of the client should
Auditing Standards, Statements and Guidance Notes – An Overview 1.21

consider the nature of and content of that report.


♦ The auditor should consider the scope of work performed by the service organisation's
auditor and should assess the usefulness and appropriateness of reports issued by the
service organisation's auditor.
♦ For those specific tests of control and results that are relevant, the auditor of the client
should consider whether the nature, timing and extent of such tests provide sufficient
appropriate audit evidence about the effectiveness of the accounting and internal control
systems to support the client auditor's assessed level of control risk.
♦ When the auditor of the client uses a report from the auditor of a service organisation,
no reference should be made in the client auditor's report to the service organisation's
auditor's report.
1.5.25 AAS 25 : Comparatives - This Auditing and Assurance Standard (AAS) establishes
standards on auditor's responsibilities regarding comparatives. This Standard becomes
operative for all audits relating to accounting period beginning on or after April 1, 2003.
♦ The auditor should determine whether the comparatives comply, in all material respects,
with the financial reporting framework relevant to the financial statements being audited.
♦ The auditor should obtain sufficient appropriate audit evidence that the corresponding
figures meet the requirements of the relevant financial reporting framework.
♦ When the comparatives are presented as corresponding figures, the auditor's report
should not specifically identify comparatives because the auditor's opinion is on the
current period financial statements as a whole, including the corresponding figures.
♦ When the auditor's report on the prior period, as previously issued, included a qualified
opinion, disclaimer of opinion, or adverse opinion and the matter which gave rise to the
modification in the audit report is:
• unresolved, and results in a modification of the auditor's report regarding the current
period figures, the auditor's report should also be modified regarding the
corresponding figures; or
• unresolved, but does not result in a modification of the auditor's report regarding the
current period figures, the auditor's report should be modified regarding the
corresponding figures.
♦ In such circumstances, the auditor should examine that:
• appropriate disclosures have been made; or
• if appropriate disclosures have not been made, the auditor should issue a modified
report on the current period financials modified with respect to the corresponding
figures included therein.
1.22 Advanced Auditing and Professional Ethics

♦ When the prior period financial statements are not audited, the incoming auditor should
state in the auditor's report that the corresponding figures are unaudited.
1.5.26 AAS-26 : Terms of Audit Engagement - The purpose of this Auditing and Assurance
Standard (AAS) is to establish standards on agreeing the terms of the engagement with the
client; and the auditor's response to a request by a client to change the terms of an
engagement to one that provides a lower level of assurance. This Standard becomes
operative for all audits relating to accounting periods beginning on or after April 1, 2003.
♦ The auditor and the client should agree on the terms of the engagement.
♦ In the interest of both client and auditor, the auditor should send an engagement letter,
preferably before the commencement of the engagement, to help avoid any
misunderstandings with respect to the engagement.
♦ On recurring audits, the auditor should consider whether circumstances require the
terms of the engagement to be revised and whether there is a need to remind the client
of the existing terms of the engagement.
♦ An auditor who, before the completion of the engagement, is requested to change the
engagement to one which provides a lower level of assurance, should consider the
appropriateness of doing so.
♦ Where the terms of the engagement are changed, the auditor and the client should
agree on the new terms.
♦ The auditor should not agree to a change of engagement where there is no reasonable
justification for doing so.
♦ If the auditor is unable to agree to a change of the engagement and is not permitted to
continue the original engagement, the auditor should withdraw and consider whether
there is any obligation, either contractual or otherwise, to report the circumstances
necessitating the withdrawal to other parties, such as the board of directors or
shareholders.
1.5.27 AAS-27 : Communications of Audit Matters with those Charged with Governance -
The purpose of this Auditing and Assurance Standard (AAS) is to establish standards on
communications of audit matters arising from the audit of financial statements between the
auditor and those charged with governance of an entity. These communications relate to audit
matters of governance interest as defined in this AAS. This AAS does not provide guidance
on communications by the auditor to parties outside the entity, for example, external
regulatory or supervisory agencies. This Auditing and Assurance Standard is effective for all
audits relating to accounting periods beginning on or after April 1, 2003.
♦ The auditor should communicate audit matters of governance interest arising from the
audit of financial statement with those charged with governance of an entity.
♦ The auditor should determine the relevant persons who are charged with governance
Auditing Standards, Statements and Guidance Notes – An Overview 1.23

and with whom audit matters of governance interest are to be communicated.


♦ The auditor should consider audit matters of governance interest that arise from the
audit of financial statements and communicate them with those charged with
governance. Such matters may include:
♦ The auditor should communicate audit matters of governance interest on a timely basis.
♦ The auditor's communication with those charged with governance may be made orally or
in writing.
♦ When audit matters of governance interest are communicated orally, the auditor should
document in the working papers the matters communicated and any responses to those
matters.
♦ If the auditor considers that having regard to the facts and circumstances of the case a
modification of the auditor's report on financial statements is required, as described in
AAS 28, “The Auditor's Report in Financial Statements" communications between the
auditor and those charged with governance cannot be regarded as a substitute.
1.5.28 AAS-28 : The Auditor's Report on Financial Statements - The purpose of this Auditing
and Assurance Standard (AAS) is to establish standards on the form and content of the
auditor's report issued as a result of an audit performed by an auditor of the financial
statements of an entity. Much of the standards laid down by this AAS can be adapted to
auditor's reports on financial information other than financial statements. This Auditing and
Assurance Standard becomes operative for all audits relating to accounting periods beginning
on or after April 1, 2003.
♦ The auditor should review and assess the conclusions drawn from the audit evidence
obtained as the basis for the expression of an opinion on the financial statements.
♦ The auditor's report should contain a clear written expression of opinion on the financial
statements taken as a whole.
♦ The auditor's report should have an appropriate title.
♦ The auditor's report should be appropriately addressed as required by the
circumstances of the engagement and applicable laws and regulations.
♦ The auditor's report should identify the financial statements of the entity that have been
audited, including the date of and period covered by the financial statements.
♦ The report should include a statement that the financial statements are the responsibility
of the entity's management and a statement that the responsibility of the auditor is to
express an opinion on the financial statements based on the audit.
♦ The auditor's report should describe the audit as including:
1.24 Advanced Auditing and Professional Ethics

• examining, on a test basis, evidence to support the amounts and disclosures in


financial statements;
• assessing the accounting principles used in the preparation of the financial
statements;
• assessing the significant estimates made by management in the preparation of the
financial statements; and
• evaluating the overall financial statement presentation.
♦ The report should include a statement by the auditor that the audit provides a
reasonable basis for his opinion.
♦ The opinion paragraph of the auditor's report should clearly indicate the financial
reporting framework used to prepare the financial statements and state the auditor's
opinion as to whether the financial statements give a true and fair view in accordance
with that financial reporting framework and, where appropriate, whether the financial
statements comply with the statutory and regulatory requirements.
♦ The date of an auditor's report on the financial statements is the date on which the
auditor signs the report expressing an opinion on the financial statements.
♦ Since the auditor's responsibility is to report on the financial statements as prepared
and presented by management, the auditor should not date the report earlier than the
date on which the financial statements are signed or approved by management.
♦ The report should name specific location, which is ordinarily the city where the audit
report is signed.
♦ The report should be signed by the auditor in his personal name. Where the firm is
appointed as the auditor, the report should be signed in the personal name of the
auditor and in the name of the audit firm.
♦ An unqualified opinion should be expressed when the auditor concludes that the
financial statements give a true and fair view in accordance with the financial reporting
framework used for the preparation and presentation of the financial statements.
♦ The auditor should modify the auditor's report by adding a paragraph to highlight a
material matter regarding a going concern problem where the going concern question is
not resolved and adequate disclosures have been made in the financial statements.
♦ The auditor should consider modifying the auditor's report by adding a paragraph if
there is a significant uncertainty (other than going concern problem), the resolution of
which is dependent upon future events and which may significantly affect the financial
statements.
♦ A qualified opinion should be expressed when the auditor concludes that an unqualified
Auditing Standards, Statements and Guidance Notes – An Overview 1.25

opinion cannot be expressed but that the effect of any disagreement with management
is not so material and pervasive as to require an adverse opinion, or limitation on scope
is not so material and pervasive as to require a disclaimer of opinion. A qualified opinion
should be expressed as being 'subject to' or 'except for' the effects of the matter to
which the qualification relates.
♦ A disclaimer of opinion should be expressed when the possible effect of a limitation on
scope is so material and pervasive that the auditor has not been able to obtain sufficient
appropriate audit evidence and is, accordingly, unable to express an opinion on the
financial statements.
♦ An adverse opinion should be expressed when the effect of a disagreement is so
material and pervasive to the financial statements that the auditor concludes that a
qualification of the report is not adequate to disclose the misleading or incomplete
nature of the financial statements.
♦ Whenever the auditor expresses an opinion that is other than unqualified, a clear
description of all the substantive reasons should be included in the report and, unless
impracticable, a quantification of the possible effect(s), individually and in aggregate, on
the financial statements should be mentioned in the auditor's report.
♦ When there is a limitation on the scope of the auditor's work that requires expression of
a qualified opinion or a disclaimer of opinion, the auditor's report should describe the
limitation and indicate the possible adjustments to the financial statements that might
have been determined to be necessary had the limitation not existed.
♦ The auditor may disagree with management about matters such as the acceptability of
accounting policies selected, the method of their application, or the adequacy of
disclosures in the financial statements. If such disagreements are material to the
financial statements, the auditor should express a qualified or an adverse opinion.
1.5.29 AAS-29 : Auditing in a Computer Information System Environment - The purpose of
this Auditing and Assurance Standard (AAS) is to establish standards on procedures to be
followed when an audit is conducted in a computer information systems (CIS) environment.
For the purposes of this AAS, a CIS environment exists when one or more computer(s) of any
type or size is (are) involved in the processing of financial information, including quantitative
data, of significance to the audit, whether those computers are operated by the entity or by a
third party. This Auditing and Assurance Standard (AAS) becomes operative for all audits
related to accounting periods beginning on or after April 1, 2003.
1.5.30 AAS-30 : External Confirmations - The purpose of this Auditing and Assurance
Standard (AAS) is to establish standards on the auditor's use of external confirmations as a
means of obtaining audit evidence.
External confirmation is the process of obtaining and evaluating audit evidence through a
direct communication from a third party in response to a request for information about a
1.26 Advanced Auditing and Professional Ethics

particular item affecting assertions made by management in the financial statements. In


deciding to what extent to use external confirmations, the auditor considers the characteristics
of the environment in which the entity being audited operates and the practice of potential
respondents in dealing with requests for direct confirmation.
The process of external confirmations, ordinarily, consists of the following:
♦ Selecting the items for which confirmations are needed.
♦ Designing the form of the confirmation request.
♦ Communicating the confirmation request to the appropriate third party.
♦ Obtaining response from the third party.
♦ Evaluating the information or absence thereof.
This Auditing and Assurance Standard is effective for audits related to accounting periods
beginning on or after 1st April, 2003.
1.5.31 AAS-31 : Engagements to Compile Financial Information - The purpose of this Auditing
and Assurance Standard (AAS) is to establish Standards on professional responsibilities of an
accountant when an engagement to compile financial statements or other financial information
is undertaken and the form and content of the report to be issued in connection with such a
compilation so that the association of the name of the accountant with such financial
statements or financial information is not misconstrued by a user of those statements or
information as having been audited by him.
♦ In all circumstances when an accountant’s name is associated with financial information
compiled by him, the accountant should issue a report.
♦ The accountant should obtain an acknowledgement from management of it
responsibility for the accuracy and completeness of the underlying accounting data and
the complete disclosure of all material and relevant information.
♦ It is in the interest of both the accountant and the entity that the accountant sends an
engagement letter documenting the key terms of appointment. An engagement letter
confirms the accountant’s acceptance of the engagement and helps avoid
misunderstanding regarding matters such as the objective and scope of the engagement
and the extent of auditors responsibilities.
♦ The accountant should read the complied information and consider whether it appears
to be appropriate in form and free from obvious material misstatements.
♦ If the accountant becomes aware of material non-compliance with any applicable
Accounting Standard (s), the same should be brought to the attention of management
and, if the same is not rectified by the management, it should be included in the Notes
to Accounts and the compilation report of the accountant.
♦ The financial statements on other financial information compiled should be approved by
Auditing Standards, Statements and Guidance Notes – An Overview 1.27

the client before the compilation report is signed by the accountant.


This Auditing and Assurance Standard is applicable to all compilation engagements beginning
on or after April 1, 204.
1.5.32 AAS-32 : Engagements to Perform Agreed-upon Procedures regarding Financial
Information - The purpose of this AAS is to establish standards and provide guidance on the
auditor’s professional responsibilities when an engagement to perform agreed-upon
procedures regarding financial information is undertaken and on the form and content of the
report that the auditor issues in connection with such an engagement.
♦ The objective of an agreed-upon procedures engagement is for the auditor to carry-out
procedures of an audit nature to which the auditor and the entity and any appropriate
third parties have agreed and to report on factual findings.
♦ The auditor should ensure with representatives of the entity and, ordinarily, other
specified parties who will receive copies of the report of factual findings, that there is a
clear understanding regarding the agreed procedures and the conditions of the
engagement.
♦ The auditor should carry out the procedures agreed-upon and use the evidence
obtained as the basis for the report of factual findings.
♦ The procedures applied in an engagement to perform agreed-upon procedures may
include:
• Inquiry and analysis
• Recomputation, Comparison and other clerical accuracy checks
• Observation
• Inspection
• Obtaining confirmations
♦ The report on an agreed-upon procedures engagement needs to describe the purpose
and the agreed-upon procedure of the engagement in sufficient detail to enable the
reader to understand the nature and the extent of the work performed. The report should
also clearly mention that no audit or review has been performed.
This Auditing and Assurance Standard is applicable to all agreed-upon procedures
engagements beginning on or after April 1, 2004.
1.5.33 AAS.33 : Engagements to Review Financial Statements - The purpose of this Auditing
and Assurance Standard (AAS) is to establish standards and provide guidance on the
auditor's1 professional responsibilities when an engagement to review financial statements is

1
As explained in the Framework of Statements on Standard Auditing Practices and Guidance Notes on
Related Services, the SAPs (now AASs) and Guidance Notes use the term "auditor" when describing both auditing and
1.28 Advanced Auditing and Professional Ethics

undertaken and on the form and content of the report that the auditor issues in connection with
such a review. This AAS is directed towards the review of financial statements. However, it is
to be applied to the extent practicable to engagements to review financial or other related
information, for example, interim financial statements prepared by an entity pursuant to
Accounting Standard (AS) 25, Interim Financial Reporting.
The objective of a review of financial statements is to enable an auditor to state whether, on
the basis of procedures which do not provide all the evidence that would be required in an
audit, anything has come to the auditor's attention that causes the auditor to believe that the
financial statements are not prepared, in all material respects, in accordance with the financial
reporting framework used for the preparation and presentation of the financial statements2
(negative assurance).
1.5.34 AAS-34 : Audit Evidence - Additional Considerations for Specific Items - The purpose
of this Auditing and Assurance Standard (AAS) is to establish standards on the auditor's
responsibilities, audit procedures and provide additional guidance to that contained in AAS 5,
"Audit Evidence", with respect to certain specific financial statement amounts and other
disclosures. Application of the standards and guidance provided in this AAS will assist the
auditor in obtaining audit evidence with respect to the specific financial statement amounts
and other disclosures. The auditor should perform audit procedures designed to obtain
sufficient appropriate audit evidence during his attendance at physical inventory counting. The
auditor should carry out audit procedures in order to become aware of any litigation and
claims involving the entity which may have a material effect on the financial statements. The
auditor should perform audit procedures designed to obtain sufficient appropriate audit
evidence for valuation and disclosure of long term investments. When long-term investments
are material to the financial statements, the auditor should obtain sufficient appropriate audit
evidence regarding their valuation and disclosure. The auditor should perform audit
procedures designed to obtain sufficient appropriate audit evidence for appropriate disclosure
of segment information.

related services which may be performed. Such reference is not intended to imply that a person performing related
services need be the auditor of the entity's financial statements.

2
Paragraph 3- of Framework of Statements on Standard Auditing Practices" and Guidance Notes on
Related Services, issued by the Institute of Chartered Accountants of India, discusses the financial reporting framework.
The paragraph reads as under:
"Financial Reporting Framework
Financial statements are ordinarily prepared and presented annually and are directed towards the common information
needs of a wide range of users. Many of those users rely on financial statements as their major source of information
because they do not have the power to obtain additional information to meet their specific information needs. Thus,
financial statements need to be prepared in accordance with one, or a combination of:
(a) relevant statutory requirements, e.g., the Companies Act, 1956, for companies; (b) accounting standards issued by
the Institute of Chartered Accountants of India; and (c) other recognized accounting principles and practices. E.g., those
recommended in the Guidance Notes issued by the Institute of Chartered Accountants of India.”
Auditing Standards, Statements and Guidance Notes – An Overview 1.29

(Students may note that the Framework of AASs and Guidance Notes on Related Services and
AAS 1 to AAS 34 are reproduced in Volume to the book)
Guidance Notes
1.6 Various technical committees of the Institute are involved in the task of issuing guidance
notes on topics relating to accounting and auditing for guidance of the members. Some of the
important topics in auditing on which guidance notes have been issued are discussed below:
1.6.1 Independence of Auditors - Professional integrity and independence is an essential
characteristic of any member of the accounting profession. A detailed note on this topic was
first published by the Council in 1968. In the light of the experience gained over a period of
years, this note was revised by the Council and published as a guidance note in 1975. The
revised Guidance Note contains essentially a discussion on relevant section of the Companies
Act, 1956, and the provisions of the Chartered Accountants Act, 1949 which aim at ensuring
independence of auditors.
1.6.2 Provision for proposed Dividend - Proposed dividend does not represent a liability nor
does it amount to a provision, pending the approval of the shareholders in General Meeting.
Since the meeting to approve the accounts would take place after the Balance Sheet date,
there could not be any liability in respect of the proposed dividend on the date of the Balance
Sheet. The Council is of the opinion that merely because the form requires proposed dividend
to be shown under “Current Liabilities and Provisions”, it does not mean that in fact the
proposal for the dividend becomes a liability or is necessarily a provision. However, forms of
accounts laid down under the Insurance Act, 1938 and the Banking Regulation Act, 1949, in
both of which it is not a requirement to show “proposed dividend” and it cannot be contended
that merely because proposed dividend is not shown in the accounts, that the accounts of
Insurance and Banking Companies do not disclose a ‘true and fair’ view.
Since, however, the form of Balance Sheet prescribed in Part 1 of Schedule VI requires
“proposed dividends” to be shown under “Provisions”, and since paragraph 3(xiv) of Part II of
the same Schedule requires the “proposed dividends” to be disclosed, the Council is of the
opinion that, though on correct accounting principles, the proposed dividend does not become
a liability for reasons mentioned above, the attention of the shareholders would have to be
drawn to the fact that no appropriation has been made for the proposed dividend, the amount
in respect of which should be specified.
The Council of the ICAI , therefore, recommends that the fact that provision for proposed
dividend has not been made should be disclosed by means of a note in the accounts and that
the auditor should refer to the note in his report and make his report subject thereto.
1.6.3 Auditing of Liquidators - Members of the profession are called upon to conduct the audit
of the accounts submitted by a Liquidator in a voluntary winding-up under Section 551. There
are no statutory provisions in regard to the manner of conducting such audit, nor is there any
statutory provision regarding the form in which the auditors' report is to be submitted after
such an audit under Section 551. The Research Committee has considered this question in all
its aspects and its recommendations in this connection are outlined below:
1.30 Advanced Auditing and Professional Ethics

First, the professional skill and audit procedures to be applied in case of an audit under
Section 531 would be similar to those applied in the case of the normal audit of a company.
Secondly, there should be a fair measure of uniformity in the reports submitted by auditors
conducting an audit under Section 551 of the Companies Act, 1956. The Research Committee
recommends that the report of the auditor may be on the following lines:
(a) Whether he has obtained all the information and explanations, which to the best of his
knowledge and belief, were necessary for the purposes of his audit,
(b) Whether in his opinion, proper books of account as required by the Companies Act, 1956
and Companies (Court) Rules, 1959 have been kept by the Liquidator, so far as appears
from his examination of these books,
(c) Whether the Liquidator's Account relating to realisations and disbursements is in
agreement with the books and records produced before him,
(d) Whether in his opinion, and to the best of his information and according to the
explanations given to him, the Liquidator's Account including Annexure I (excepting items
included in I (a) in so far as they relate to estimates of the Liquidator and items 4, 5, 6
and 7), Annexure II, III, 1V and V, give the information required by the Companies Act,
1956, and the Companies (Court) Rules, 1059 in the manner so required and give a true
and correct view of the realisations and disbursements of the Liquidator.
Thirdly, “in order to establish a healthy convention, the Council recommends that, where a
chartered accountant acts as a liquidator, the statements of accounts to be filed under Section
551(1) of the Companies Act, 1956, should be audited by a qualified chartered accountant
other than the chartered accountant who is the liquidator of the company”.
1.6.4 Guidance Note on Section 293 A of the Companies Act and the Auditor - The Guidance
Note was first issued by the Company Law Committee in 1976 when, under Section 293A of
the Companies Act, 1956, companies were prohibited from making contributions to a political
party or for any political purpose. Since elaborate amendments were incorporated in Section
293A by the Companies (Amendment) Act, 1985, which came into force from May 24, 1985,
the Company Law Committee revised the existing Guidance Note in consonance with the
amended provisions in 1986.
1.6.5 Guidance Note on Auditor’s Report on Revised Accounts of Companies Before
Circulation to Shareholders – This Guidance Note considers the question of the manner in
which the auditor should report on accounts amended by the Board after approval and
authentication under section 215 of the Companies Act, 1956. This Guidance Note was
issued by the Council in December, 1979.
The Balance Sheet and the Profit and Loss Account of companies, approved by the Board of
Directors and authenticated on its behalf in terms of Section 215 of the Companies Act and
audited and reported upon by the statutory auditors are amended by the Companies for
various reasons, before circulation to the shareholders. In such cases, the amended accounts
are re-approved by the Boards of the Companies and statutory auditors are requested to make
a report once again on the amended accounts.
Auditing Standards, Statements and Guidance Notes – An Overview 1.31

The Council recommends that members of the Institute, when called upon to issue a report on
the amended accounts for the same period consequent upon the revision of the Balance
Sheet and/or the Profit and Loss Account should ensure that unless all copies of the original
accounts and report are returned to the auditor, and adequate disclosure of the fact of the
revision on the accounts already approved by the Board and reported upon by the statutory
auditors appears as a specific Note on the amended accounts. In case the statutory auditor is
satisfied that the disclosure so made by the company in the Note on the accounts is adequate,
there may not be any further need for the auditor to refer to the revision of the Balance Sheet
and/or the Profit and Loss Account in his report. However, if the Notes to accounts do not
contain any note on the revision or if such a note is contained therein but not considered by
the statutory auditor as adequately comprehensive, it will be the duty of the statutory auditor to
refer to the fact of revision of the accounts in his report.
1.6.6 Guidance Note on Certificate to be Issued by the Auditor of a Company Pursuant to
Companies (Acceptance of Deposits) Rules, 1975 - Section 58A of the Companies Act, 1956,
contains certain restrictions on acceptance of deposits by companies. The rules framed in
1975 were amended in 1978 when a provision was made for certification by auditors of the
Return of Deposits to be filed by companies.
Rule 10(1) of the Companies (Acceptance of Deposits) Rules, 1975 as it stands after the
amendment referred to above requires, every company to which these rules apply shall, on or
before the 30th day of June of every year, file with the Registrar, a return in the form annexed
to these rules and furnishing the information contained therein as on 31st day of March of that
year, duly certified by the auditor of the Company. It follows, therefore, that every company to
which these rules apply shall prepare the return as on 31st March of every year, shall get the
return certified by the concerned auditor and shall submit the audited return to the Registrar of
Companies by 30th June.
It may be observed that neither the amended Rule 10 of the Companies (Acceptance of
Deposits) Rules, 1975 nor the form of return prescribed thereunder provides the manner in
which the auditor should certify the return. Even in the form of return, no space has been
provided for auditors' certificate. Consequently, no statutory guidance is available to the
auditor as regards the scope, manner and limitations inherent in this requirement of
certification.
This guidance note was issued by the Company Law Committee in 1979 for aiding the
members in correctly understanding the implications involved and for securing uniformity in
approach. For a detailed discussion refer to Chapter 17.
1.6.7 Guidance Note on Accountants’ Report on Profit Forecasts and/or Financial Forecasts -
Traditionally, the attest function performed by the members has been in relation to past
events. However, our growing and dynamic society seeks professional association in its
exercises relating to future events. A manifestation of this is the requirement of banks and
financial institutions regarding the preparation of projected cash flow and profitability
statements by intending borrowers for the purpose of making an appropriate appraisal of their
loan applications. These institutions placed a great reliance on such statements if they were
prepared or reviewed by chartered accountants. Research Committee issued this guidance
1.32 Advanced Auditing and Professional Ethics

note in 1982 to provide guidance to members for preparation and review of profit and financial
forecasts for submission to banks and financial institutions.
1.6.8 Guidance Note on Audit Reports and Certificates for Special Purposes - The increasing
involvement of members in giving audit reports or certificates on special purpose statements
or other information prepared by an enterprise necessitated the need for guidance to the
auditor regarding various facets of such assignments including the form and contents of audit
reports and certificates for special purposes. In view of this, the Research Committee of the
Institute brought out this Guidance Note on Audit Reports and Certificates for Special
Purposes in 1984.
1.6.9 Guidance Note on Audit of Accounts of Members of Stock Exchanges - The provision
for audit of accounts of members of stock exchanges by chartered accountants was
introduced with effect from the financial year commencing April 1, 1984. The Research
Committee issued this guidance note explaining the implications of this new provision in 1984.
In response to the changes in the working of Stock Exchanges because of introduction of new
concepts, this guidance note was amended in 2002. Refer to Chapter 17 for a detailed
discussion.
1.6.10 Guidance Note on Tax Audit under Section 44AB of the Income-Tax Act - This
Guidance Note was first issued by the Taxation Committee in 1985 and was revised in 1989
and 1998. Recently when tax audit forms were revised, the Fiscal Laws Committee has
revised this guidance note in 1999. Refer to Chapter 15 for a detailed discussion.
1.6.11 Guidance Note on Audit of Accounts of Non-Corporate Entities (Bank Borrowers) - The
Professional Development Committee issued this guidance note in 1985 when RBI issued a
circular advising all scheduled banks to ensure that non-corporate borrowers enjoying
aggregate working capital credit limits of Rs.10 lakh or more from the banking system get their
accounts audited by chartered accountants in the prescribed manner. Refer to Chapter 17 for
a detailed discussion.
1.6.12 Guidance Note on Reports in Company Prospectuses - This Guidance Note was
issued by Company Law Committee in 1985. In order that the prospective investors in
companies may make their decisions on the basis of proper and adequate information, the
Companies Act, 1956, introduced stringent requirements which the companies were required
to comply with whenever they intended to offer shares or debentures for public subscription. It
was in this context that the requirements relating to issuance of prospectuses by companies
assumed importance. The legal formalities in this behalf sought to ensure that the information
which would be relevant for the investors to make investment decisions should be complete,
comprehensive and at the same time truthful. The requirements, inter alia, included certain
reports to be given by the chartered accountants about the companies to the investors. This
Guidance Note explains the manner of giving such reports given by our members.
1.6.13 Guidance Note on Audit of Abridged Financial Statements - The Companies
(Amendment) Act, 1988, brought about significant changes in Section 219 of the Companies
Act, 1956. By virtue of these amendments, a company listed on a recognised stock exchange
could send abridged balance sheet and abridged profit and loss account to its members, etc.
subject to certain conditions. The form of these abridged financial statements had been
Auditing Standards, Statements and Guidance Notes – An Overview 1.33

prescribed by the Central Government. The Companies Act, 1956, did not specifically require
audit of abridged financial statements. The audit of abridged financial statements assured the
readers that the relevant information was properly disclosed in such statements and thus
lended a greater degree of credibility to them. Considering this, the AASB issued this
Guidance Note in 1990 which provides guidance to the members on issues relating to such
audit.
1.6.14 Guidance Note on Certification of Documents for Registration of Charges - The
Department of Company Affairs had directed the appropriate authorities to take the documents
relating to registration of a charge, on record, if such documents were duly certified as correct,
among others, by a chartered accountant in practice. This, in retrospect reflected the growing
faith in the competence of members of our profession. Since the procedure for registration of
charges involves a number of documents, the Corporate Laws Committee issued this
guidance note in 1994, with a view to provide guidance to the members, who may be called
upon to certify the relevant documents.
1.6.15 Guidance Note on Audit of Banks - The Institute had, in 1967, issued a study on audit
of banks. However, banking is a dynamic activity, which has constantly been undergoing a
change. In recent years, there has been a remarkable change in the nature, volume and
spread of transactions of banks. Apart from this, the non-traditional functions of banks, e.g.,
foreign exchange activities, merchant banking, portfolio management, investment, etc. have
acquired considerable importance during this period. Another significant development from
the auditors’ view point was the issuance, by the Reserve Bank of India, of detailed guidelines
regarding income recognition, asset classification, provisioning and other related matters. Yet
another development which affected the work of bank auditors was the revision of formats of
financial statements. Accordingly, in 1994, AASB issued this comprehensive guidance note
for the guidance of our members on, amongst others, these important issues. In 2001, a
thoroughly revised guidance note was issued by the Institute. Refer to Chapter 11 for a
detailed discussion.
1.6.16 Guidance Note on Audit Reports / Certificates on Financial Information in Offer
Documents - Investors’ confidence is an important pre-requisite for the sustained development
of capital markets to ensure economic development of a country. One of the confidence
building measures was the provision of detailed relevant information to the investors for taking
well-informed investment decisions. In this context, an offer document for corporate securities
is like a window through which the prospective investors get authentic details about the
prospects of a company. Recognising this, SEBI issued Guidelines for Disclosure and
Investors Protection which required, inter alia, more transparent, detailed, and dependable
offer documents which would promote investors confidence to maintain a conducive
investment atmosphere in Indian capital market. SEBI has also been issuing clarifications to
the aforesaid Guidelines with a view to, inter alia, enhancing the qualitative characteristics of
offer documents. Much of the information contained in an offer document is financial in
nature. To impart credibility to the financial information, Schedule II to the Companies Act,
1956, requires some important financial information to be contained in the auditor’s report and
the report of the accountant in Schedule II now has to be adjusted for amounts in respect of
the qualifications in the report of the auditor on annual accounts, previous year adjustments,
1.34 Advanced Auditing and Professional Ethics

change in accounting policies, etc. so as to provide a uniform trend of profit in the statement of
profit to the prospective investors. The said clarifications also required additional financial
information to be disclosed in the offer document, e.g., accounting ratios. These new
requirements have increased the responsibility of the reporting auditors and accountants. The
Research Committee issued this Guidance Note in 1996.
1.6.17 Guidance Note on Revision of Audit Report - A revision of audit report may be
warranted in other instances involving reasons such as apparent mistakes, wrong information
about facts, subsequent discovery of facts existing at the date of the audit report, etc. The
nature and range of instances may vary from one enterprise to another depending upon facts
and circumstances. The Guidance Note on Revision of Audit Report provides guidance
regarding revision of the audit report if the same has been issued, in case the auditors
consider.
1.6.18 Guidance Notes on Audit of Items in Financial Statements - AASB has issued
guidance notes on audit of various items appearing in the financial statements from time to
time. These guidance notes explain the manner in which audit of records relating to these
items should be carried out. These guidance notes have been issued on the following topics:
♦ Fixed Assets
♦ Investments
♦ Inventories
♦ Debtors and Loans and Advances
♦ Cash and Bank Balances
♦ Miscellaneous Expenditure
♦ Liabilities
♦ Revenue
♦ Expenses
1.6.19 Guidance Note on Special Considerations in the Audit of Small Entities - The objective
of this Guidance Note is to describe the characteristics that are commonly found in small
entities and indicate how they might affect the application of AASs. This Guidance Note, thus,
includes:
(a) discussion of the characteristics of small entities; and
(b) guidance on the application of AASs to the audit of small entities;
1.6.20 Guidance Note on Audit of Consolidate Financial Statements - The Guidance Note on
Audit of Consolidate Financial Statements lays down the audit principles and procedures in
case an entity consolidates financial statements. Special consideration like permanent
consolidation adjustments current consolidation adjustments etc. and the reporting have also
been dealt with.
Auditing Standards, Statements and Guidance Notes – An Overview 1.35

1.6.21 Guidance Note on Computer Assisted Audit Techniques - For Computerised


Information System (CIS) environment Computer Assisted Audit Techniques (CAATs) enjoy
wide acceptability on account of ease of use, reliability, cost and time effectiveness and
analytical capabilities. Recognising the developments in the field of technology and its impact
on the accounting profession in India, Auditing and Assurance Standards Board had issued
AAS 29. ‘Audit in Computer Information System Environment’. This Guidance Note is issued
as a sequel to that AAS. The Guidance Note deals with the concepts of CAATs and related
pertinent issues like what CAATs are, how to use, test and control them. This Guidance Note
applies to all uses of CAATs when a computer of any type or size is involved whether that
computer is operated by the entity or by a third party. Refer to Chapter 4 for a detailed
discussion.
Guidance Note(S) on Related Services
1.7 The framework for auditing and related services makes it clear that there can be different
layers of assurance depending upon the nature of services being performed by the chartered
accountant. Related Services comprise of Review engagements, Agreed upon Procedures
and Compilation Engagement. Reviews engagements involve providing moderate assurance
(or negative assurance) but other two services, viz., and compilation and agreed upon
procedures provide no assurance at all. The Institute has issued guidance notes covering
these aspects of related services in a comprehensive manner.
Authority Attached to the Documents Issued by the Institute
1.8 The Institute has, from time to time, issued ‘Statements’ and ‘Guidance Notes’ on a
number of matters. With the formation of the Accounting Standards Board and the Auditing
and Assurance Standards Board, Accounting Standards and Auditing and Assurance
Standards have also been issued. The level of authority attached to these documents and the
degree of compliance required in respect thereof has been explained by the Institute through
its various announcements issued from time to time.
1.8.1 Statements - The ‘statements’ have been issued with a view to securing compliance by
members on matters which in the opinion of the council of the institute are critical for the
proper discharge of their functions. ‘statements’ therefore are mandatory. Accordingly, while
discharging their attest function, it is the duty of the members of the institute.
(a) to examine whether ‘Statements’ relating to accounting matters are complied with in the
presentation of financial statements covered by their audit. In the event of any deviation
from such ‘Statements’, it is their duty to make adequate disclosures in their audit reports
so that the users of financial statements may be aware of such deviations; and
(b) to ensure that the ‘Statements’ relating to auditing matters, are followed in the audit of
financial information covered by their audit reports. If, for any reason, a member, has not
been able to perform an audit in accordance with such ‘Statements his report should
draw attention to the material departures there from.
A list of ‘Statements issued by the Institute which are in force is given below:
(i) Statement on Auditing practices.
1.36 Advanced Auditing and Professional Ethics

(ii) Statement on Payments to Auditors for Other Services,


(iii) Statement on the Companies (Auditor’s Report) Order, 2003 (Issued under Section
227(4A) of the Companies Act, 1956).
(iv) Statement on Qualifications in Auditor’s Report.
(v) Statement on the Amendments to Schedule VI to the Companies Act.
1.8.2 Guidance Notes - ‘guidance notes’ are primarily designed to provide guidance to
members on matters which may arise in the course of their professional work and on which
they may desire assistance in resolving issues which may pose difficulty. Guidance notes are
recommendatory in nature. A member should ordinarily follow recommendations in a guidance
note relating to an auditing matter except where he is satisfied that in the circumstances of the
case, it may not be necessary to do so. Similarly, while discharging his attest function, a
member should examine whether the recommendations in a guidance note relating to an
accounting matter have been followed or not. If the same have not been followed, the member
should consider whether keeping in view the circumstances of the case, a disclosure in his
report is necessary.
1.8.3 Accounting Standards and Auditing and Assurance Standards - The ‘accounting
standards’ and ‘auditing and assurance standards’ establish standards which have to be
complied with to ensure that financial statements are prepared in accordance with generally
accepted accounting standards and that auditors carry out their audit in accordance with the
generally accepted auditing practices. They become mandatory on the dates specified in the
respective document or notified by the council.
There can be situations in which certain matters are covered both by a ‘Statement’ and by an
‘Accounting Standard’/ ‘Auditing and Assurance Standard. In such a situation, the ‘Statement’
prevails till the time the relevant ‘Accounting Standard’/ Auditing and Assurance Standard
becomes mandatory. Once an ‘Accounting Standard’/ ‘Auditing and Assurance Standard’
becomes mandatory, the concerned ‘Statement’ or the relevant part thereof automatically
stands withdrawn.
Auditing and Assurance Standards (AASs) establish standards, which have to be complied
with to ensure that auditors carry out their duties in accordance with the generally accepted
auditing practices. They become operative (i.e., mandatory) in respect of audit of all
enterprises on the dates specified in the respective AASs or notified by the Council. The
duties of the members of the Institute in relation to operative AASs are similar to those in
respect of ‘Statements’ relating to auditing matters, as described in paragraph 2 (b) above.
1.8.4 Accounting Standards - Accounting Standards are formulated by the Accounting
Standards Board and issued by the Council of the Institute. The Accounting Standards are
issued for use in the presentation of ‘general purpose financial statements’ which are issued to
the public by such ‘commercial, industrial or business enterprises’ as may be specified by the
Institute from time to time and subject to the attest function of its members. They become
mandatory on the dates specified in the respective Accounting Standards or notified by the
Council in this behalf.
Auditing Standards, Statements and Guidance Notes – An Overview 1.37

(a) The term ‘General Purpose Financial Statements’ includes balance sheet, statement of
profit and loss and other statements and explanatory notes which form part thereof,
issued for the use of shareholders/members, creditors, employees and public at large.
(b) The reference to ‘commercial, industrial or business enterprises’ is in the context of the
nature of activities carried on by an enterprise rather than with reference to its objects.
The Accounting Standards apply in respect of commercial, industrial or business
activities of any enterprise, irrespective of whether it is profit oriented or is established for
charitable or religious purposes. Accounting Standards will not, however, apply to those
activities which are not of commercial, industrial or business nature (e.g. an activity of
collecting donations and giving them to flood affected people). The exclusion of an entity
from the applicability of the Accounting Standards is permissible only if no part of the
activity of entity is commercial, industrial or business in nature. In other words, even if a
very small proportion of the activities of an entity is considered to be commercial,
industrial or business in nature, then it can not claim exemption from the application of
Accounting Standards. In such a case the Accounting Standards will apply to all its
activities including those which are not commercial, industrial or business in nature.
The Companies Act, 1956, as well as many other statutes require that the financial statements
of an enterprise should give a true and fair view of its financial position and working results.
This requirement is implicit even in the absence of a specific statutory provision to this effect.
However, what constitutes ‘true and fair’ view has not been defined either in the Companies
Act, 1956, or in any other statute. The Accounting Standards (as well as other
pronouncements of the Institute on accounting matters) seek to describe the accounting
principles and the methods of applying these principles in the preparation and presentation of
financial statements so that they give a true and fair view.
The ‘Preface to the Statements of Accounting Standards’ issued by the Institute in 2004 states
(paragraphs 6.1 and 6.3):
“6.1 While discharging their attest function, it will be the duty of the members of the
Institute to examine whether the Accounting Standard is complied with in the
presentation of financial statements covered by their audit. In the event of any
deviation from the Accounting Standard, it will be their duty to make adequate
disclosures in their reports so that the users of such statements may be aware of
financial deviations.”
“6.3 Financial Statements can not be described as complying with the Accounting
Standards unless they comply with all the requirements of each applicable
standard.”
Once an Accounting Standard becomes mandatory, the duties of an auditor with respect to
such standard are the same as those specified at paragraph 2(a) above.
1.38 Advanced Auditing and Professional Ethics

*Accounting Standards 4 and 5 were made mandatory in respect of accounting periods


commencing on or after 1.1.1987 for all commercial industrial or business enterprises.
Accounting Standards 1, 7, 8, 9 and 10 were initially made mandatory in respect of accounting
periods commencing on or after 1.4.1991 for companies governed by the Companies Act,
1956 as well as for other commercial, industrial or business enterprises except the following:
(a) Sole proprietory concerns/individuals (b) Partnership firms (c) Societies registered under
the Societies Registration Act (d) Trusts (e) Hindu undivided families (f) Associations of
persons.
Accounting Standards 1, 7, 8, 9 and 10 were made mandatory in respect of general purpose
financial statements of enterprises listed at (a) to (f) above, for accounting periods
commencing on or after 1.4.1993 where such statements were statutorily required to be
audited under any law. In this regard, the Council of the Institute has clarified that the
mandatory accounting standards also apply in respect of financial statements audited under
Section 44AB of the Income tax Act, 1961. Accordingly, members should examine compliance
with the mandatory accounting standards when conducting such audit. AS-6 was made
mandatory in respect of accounts for periods commencing on or after 1.4.1995. The remaining
Accounting Standards i.e. AS 11, 12, 13, 14 and 15 have been made mandatory with effect
from the dates specified in the standards themselves.
While discharging their attest function, the members of the Institute may keep the following in
mind with regard to mandatory Accounting Standards.
AS I - Disclosure of Accounting Policies - In the case of a company, members should
qualify their audit reports in case :
(a) accounting policies required to be disclosed under Schedule VI or any other provisions of
the Companies Act, 1956, have not been disclosed, or
(b) accounts have not been prepared on accrual basis, or
(c) the fundamental accounting assumption of going concern has not been followed and this
fact has not been disclosed in the financial statements, or
(d) proper disclosures regarding changes in the accounting policies have not been made.
Where a company has been given a specific exemption regarding any of the matters stated in
paragraph 16 above but the fact of such exemption has not been adequately disclosed in the
accounts, the member should mention the fact of exemption in his audit report without
necessarily making it a subject matter of audit qualification.
If accounting policies have not been disclosed at one place or if certain significant accounting
policies have not been disclosed, by a company on the ground that their disclosure is not
required under the Companies Act, 1956, the member should disclose the fact in his audit
report without necessarily making it a subject matter of audit qualification. Such a disclosure

*The Council has classified the enterprises for the purpose of applicability of Accounting Standards into three
Categories, viz. Level I, Level II and Level III. This scheme comes into effect in respect of accounting periods
commencing on or after 1-4-2004
Auditing Standards, Statements and Guidance Notes – An Overview 1.39

would not constitute a reservation, qualification or adverse remark except where the auditor
has specifically made it a subject matter of audit qualification. Accordingly in the case of a
company, the Board of Directors need not provide information or explanation with regard to
such a disclosure (except where the same constitutes a qualification) in their report under sub-
section (3) of Section 217 of the Companies Act, 1956.
In the case of enterprises not governed by the Companies Act, 1956, the member should
examine the relevant statute and make suitable qualification in his audit report in case
adequate disclosures regarding accounting policies have not been made as per the statutory
requirements. Similarly, the member should examine if the fundamental accounting
assumptions have been followed in preparing the financial statements or not. In appropriate
cases, he should consider whether, keeping in view the requirements of the applicable laws, a
qualification in his report is necessary. In the event of non-compliance, by enterprises not
governed by the Companies Act, 1956, with the disclosure requirements of AS1 in situations
where the relevant statute does not require such disclosures to be made, the member should
make adequate disclosure in his audit report without necessarily making it a subject matter of
audit qualification.
Other Mandatory Accounting Standards - While making a qualification, the auditor should
follow the requirements of the ‘Statement on Qualifications in Auditor’s Report’ issued by the
Institute. Subject to this, non-compliance with any of the requirements of a mandatory
Accounting Standard other than AS 1 by any enterprise should be a subject matter of
qualification except that, to the extent that the disclosure requirements in the relevant
standard are in addition to the requirements of the Companies Act, 1956, or any other
applicable statute, the member should disclose the fact of non - compliance with such
disclosure requirements in his audit report without necessarily making it a subject matter of
audit qualifications.
Financial Statements Prepared on a Basis other than Accrual - With regard to the
fundamental accounting assumption of accrual, the Council of the Institute has made a
specific announcement that in respect of individuals/bodies covered by para AS I - Disclosure
of Accounting Policies above, the auditor should examine whether the financial statements
have been prepared on accrual basis. In cases where the statute governing the enterprise
requires the preparation and presentation of financial statements on accrual basis but the
financial statements have not been so prepared, the auditor should qualify his report. On the
other hand, where there is no statutory requirement for preparation and presentation of
financial statements on accrual basis, and the financial statements have been prepared on a
basis other than ‘accrual’, the auditor should describe in his audit report, the basis of
accounting followed, without necessarily making it a subject matter of a qualification. In such
a case the auditor should also examine whether those provisions of the accounting standards
which are applicable in the context of basis of accounting followed by the enterprise have
been complied with or not and consider making suitable disclosures/qualifications in his audit
report accordingly.
1.40 Advanced Auditing and Professional Ethics

Manner of Making Qualification Disclosure in the Audit Report - In making a


qualification/disclosure in the audit report in respect of non-compliance with a Statement, AAS,
Accounting Standard or Guidance Note, the auditor should consider the materiality of the
relevant item. Thus, the auditor need not make qualification/disclosure in respect of items
which, in his judgement, are not material.
While making a qualification, the auditor should follow the requirements of the ‘Statement on
Qualifications in Auditor’s Report’ issued by the Institute.
A disclosure, which is not a subject matter of audit qualification, should be made in the
auditor’s report in a manner that it is clear to the reader that the disclosure does not constitute
an audit qualification. The paragraph containing the auditor’s opinion on true and fair view
should not include a reference to the paragraph containing the aforesaid disclosure.
Examples of Qualifications/Disclosures in the Audit Report - Given below are some
examples which illustrate the manner of making qualification/disclosure in the audit report. It
may be clarified that these examples are aimed only at illustrating the manner of making
qualifications/disclosures and are not intended in any way to be exhaustive.
Examples of Qualifications
(a) Where proper disclosures regarding changes in accounting policies have not been made
by a company.
"The profit and loss account and balance sheet comply with the accounting standards
referred to sub-section (3C) of Section 211 of the Companies Act, 1956, except
Accounting Standard (AS) 5, 'Net Profit or Loss for the Period, Prior Period Items and
Changes in Accounting Policies', as the company has not disclosed in its accounts the
fact of change, from this year, in the method of providing depreciation on plant and
machinery from straight-line method to written-down value method, as also the effect of
this change. As a result of this change, the net profit for the year, the net block as well
as the reserves and surplus are lower by Rs. …. Each as compared to the position which
would have prevailed had this change not been made.
Subject to the above, we report that ……..".
(b) Where a manufacturing company has accounted for interest income on receipt basis and
not on time proportion basis.
"The profit and loss account and balance sheet comply with the accounting standards
referred to in sub-section (3C) of Section 211 of the Companies Act, 1956, except
Accounting Standard (AS) 9, 'Revenue Recognitions', as the company has followed the
policy of accounting for interest income on receipt basis rather than on time proportion
basis. As a result, the net profit for the year and the current assets are understated by
Rs…… each as compared to the position which would have prevailed if the company had
accounted for interest income on time proportion basis.
Subject to the above, we report that ….."
Auditing Standards, Statements and Guidance Notes – An Overview 1.41

(c) Where an enterprise has capitalised financing costs related to certain fixed assets for
periods after such assets were ready to be put to use.
"The profit and loss account and balance sheet comply with the accounting standards
referred to in sub-section (3C) of Section 211 of the Companies Act, 1956, except
Accounting Standard (AS) 16, 'Borrowing Costs', as interest payable on borrowings
related to the acquisition of fixed assets has been capitalised for the periods after which
the assets were put to use. Consequently, the net profit for the year, the net block of
fixed assets and the reserves and surplus have been overstated by Rs….. each as
compared to the position which would have prevailed if the company had complied with
the requirements of AS 16.
Subject to the above, we report that ……"
Examples of Disclosures
(a) Where a company has not disclosed all significant accounting policies and has also not
disclosed the accounting policies at one place.
"The profit and loss account and balance sheet comply with the accounting standards
referred to in sub-section (3C) of Section 211 of the Companies Act, 1956, except
Accounting Standard (As) 1, 'Disclosure of Accounting Policies', as the company has
disclosed those accounting policies the disclosure of which is required by the Companies
Act, 1956. Other significant accounting policies, relating to treatment of research and
development costs have not been disclosed nor have all the policies been disclosed at
one place.
We report that ….."
(b) Where a partnership firm does not make adequate disclosures regarding the revaluation
of its fixed assets.
"During the year, the enterprise revalued its land and buildings. The revalued amounts of
land and buildings are adequately disclosed in the balance sheet. However, the method
adopted to compute the revalued amounts has not been disclosed, which is contrary to
Accounting Standard (AS) 10, 'Accounting for Fixed Assets' issued by the Institute of
Chartered Accountants of India.
We report that ……."
(c) Where a sole proprietary concern enterprise follows cash basis of accounting.
"It is the policy of the enterprise to prepare its financial statements on the cash receipts
and disbursements basis. On this basis revenue and the related assets are recognised
when received rather than when earned, and expenses are recognised when paid rather
than when the obligation is incurred.
In our opinion, the financial statements give a true and fair view of the assets and
liabilities arising from cash transactions of …….. at ……… and of the revenue collected
and expenses paid during the year then ended on the cash receipts and disbursements
basis as described in Note X."
1.42 Advanced Auditing and Professional Ethics

Applicability of Accounting Standards to charitable and/or religious organisations - The


Accounting Standards Board has received a query as to whether the accounting standards
formulated by it are applicable to organisations whose objects are charitable or religious. The
Board has considered this query and its views in the matter are set forth in the following
paragraphs.
The Preface to the Statements of Accounting Standards states:
“The Institute will issue Accounting Standards for use in the presentation of the general
purpose financial statements issued to the public by such commercial, industrial or
business enterprises as may be specified by the Institute from time to time and subject to
the attest function of its members”.
The reference to commercial, industrial or business enterprises in the aforesaid paragraph is
in the context of the nature of activities carried on by an enterprise rather than with reference
to its objects. It is quite possible that an enterprise has charitable objects but it carries on,
either wholly or in part, activities of a commercial, industrial or business nature in furtherance
of its objects. The Board believes that Accounting Standards apply in respect of commercial,
industrial or business activities of any enterprise, irrespective of whether it is profit oriented or
is established for charitable or religious purposes. Accounting Standards will not, however,
apply to those activities which are not of a commercial, industrial or business nature. (e.g. an
activity of collecting donations and giving them to flood affected people).
It is also clarified that exclusion of an entity from the applicability of the Accounting Standards
would be permissible only if no part of the activity of such entity was commercial, industrial or
business in nature. For the removal of doubts, it is clarified that even if a very small
proportion of the activities of an entity was considered to be commercial, industrial or business
in nature, then it could not claim exemption from the application of Accounting Standards. The
Accounting standards would apply to all its activities including those which were not
commercial, industrial or business in nature.
2
AUDIT STRATEGY, PLANNING AND PROGRAMMING

Commencing an Audit
2.1 Auditing has been conceived of to provide a highly useful technical service to the economy
to know performances in financial and other appropriate terms in a reliable manner. It is
needless to say that multitudes of significant decisions in the economic society are taken
based on the financial information and, therefore, ensuring reliability of such information is an
imperative necessity. Any such important technical function as auditing requires a thorough
planning to avoid slips and omissions which may take place because of the complexity,
volume and technicality of the economic operations. AAS-1 on Basic Principles Governing an
Audit of Financial Statements states that audit planning is necessary to conduct an effective
audit in an efficient and timely manner. It has been stated that the audit plans should be based
on a knowledge of client’s business. AAS-8 issued by the Institute deals with ‘Audit Planning’.
According to this, plans should be made to cover, among other things:
(a) acquiring knowledge of the client’s accounting system, policies, and internal control
procedures;
(b) establishing the expected degree of reliance on internal control;
(c) determining and programming the nature, timing and extent of the audit of procedures to
be performed; and
(c) coordinating the work to be performed.
Planning in auditing encompasses developing an overall plan for the expected scope and
conduct of the audit and developing an audit programme showing the nature, timing and
extent of audit procedures. Planning is a continuous process and changes in conditions or
unexpected results of audit procedures may cause revisions of the overall plan as well as the
detailed audit programme. It is necessary to document reasons of significant changes in audit
planning. Careful and adequate audit planning is helpful in: (i) ensuring devotion of
appropriate attention to important areas of the audit, (ii) promptly identifying potential
problems, (iii) completing the work expeditiously, (iv) proper utilisation of assistants, and (v)
co-ordination of work done by other auditors and experts.
2.1.1 Before Engagement - Before an auditor accepts a new appointment, he should
communicate by a letter with the retiring auditor to see if there is any professional reason why
2.2 Advanced Auditing and Professional Ethics

the appointment should be refused. Such communication is an ethical requirement as opposed


to a legal requirement, and it can also be seen as a matter of professional courtesy to the
previous holder of the post. The duty to communicate should be explained to the potential
client, from whom authority must be obtained before writing. If such authority is not
forthcoming or if the existing auditor is prevented from revealing anything of the client’s affairs,
then the appointment should not be accepted; for such would be a strong indication that
something is amiss. Normally the communication will be a routine matter, but occasionally
circumstances may reveal which could affect an acceptance decision. Such circumstances
may range from failure to pay fees, to dubious trading practices, and even to undue pressure
being placed upon auditors to comply with directors’ wishes concerning the accounts. The
requirement to communicate may be seen as one of the ways in which the profession seeks to
protect itself against this latter ever-present risk.
If the audit is that of a limited company, the scope of the work is defined by statute. But if the
client is a partnership or sole trader, then it will be very necessary to discuss the precise
scope of the work that is required, carefully distinguishing between audit and accountancy
work and any other services. The extent of any audit work must be precisely defined to
ensure that there are no misunderstandings as to the scope of work. And whatever may be
the type of audit, at this stage it will also be appropriate to discuss the basis for charging the
fee. These and other matters must be put in writing to safeguard the auditor in case of future
legal disputes, and this is the best achieved by an engagement letter as discussed below.
2.1.2 Audit Engagement Letter - AAS-26 deals with Terms of Audit Engagement. The
engagement letter has the following functions:
♦ To define the scope of the audit in the event that it is not defined by statute.
♦ To confirm any verbal agreements, including the basis on which fees will be charged.
♦ To confirm any other services which are to be provided, or to point out other services
which may possibly be of interest and value to the client.
♦ To emphasise that the directors are primarily responsible for producing ‘true and fair’
accounts.
♦ To explain in outline how the auditor will approach his task; this can assist considerably
in preventing future misunderstandings.
♦ To stress that the audit should not be relied upon necessarily to prevent or detect fraud
and error as this is not its main purpose; although it should also be stressed that normal
audit procedures can be expected to considerably reduce the likelihood of such
occurrences.
Many audit firms have standard engagement letters to cover different circumstances. Two
copies of the letter should be sent, one to be signed and returned by the client as
acknowledgement of and agreement to the terms contained therein.
2.1.3 Commencement procedures - Once a satisfactory reply has been received from the
retiring auditor, and the engagement has been documented in the form of an engagement
letter, the auditor can begin collecting the information necessary to commence his detailed
Audit Strategy, Planning and Programming 2. 3

work. This will include:


♦ A copy of the regulations (if any) of the client, e.g., Memorandum and Articles of
Association, or partnership agreement, or club rules, etc.
♦ Details as to the nature of the business.
♦ Details of physical location of factories, offices, shops, etc.
♦ An organisation chart of the client’s staff, with special emphasis on those employees with
whom the auditor is likely to have regular contact.
♦ An accounts manual, or other details as to the accounting system and the accounting
records of which it is composed.
♦ Copies of previous annual accounts.
♦ Details of the financial history of the company, noting whether it is listed or unlisted, and
whether it is director controlled.
♦ Names and addresses of the client’s advisers, including solicitors, stockbrokers, bankers
and management consultants.
♦ Copies of important documents, such as leases, debenture deeds and major contracts.
During the course of acquiring the information it can be extremely valuable to visit the client’s
various locations, and to meet the employees with whom the auditor is likely to have frequent
dealings. In this way a very valuable initial impression can be gained of the efficiency of the
company and of the sort of problems that may be encountered during the course of the audit.
2.1.4 Knowledge of the client’s business - As per AAS 8, the knowledge of the client’s
business is one of the critical element in formulating the audit programme. Having regard to
significance of this aspect, AAS 20 elaborates on this aspect.
The auditor needs to obtain a level of knowledge of the client’s business that will enable him
to identify the events, transactions and practices that, in his judgement, may have a significant
effect on the financial information. Among other things, the auditor can obtain such
knowledge from:
♦ The client’s annual reports to shareholders.
♦ Minutes of meetings of shareholders, Board of Directors and important committees.
♦ Internal financial management reports for current and previous periods, including
budgets, if any.
♦ The previous year’s audit working papers, and other relevant files.
♦ Firm personnel responsible for non-audit services to the client who may be able to
provide information on matters that may affect the audit.
♦ Discussions with the client.
♦ The client’s policy and procedures manual.
2.4 Advanced Auditing and Professional Ethics

♦ Relevant publications of the Institute of Chartered Accountants of India and other


professional bodies, industry publications, trade journals, magazines, newspapers or text
books.
♦ Consideration of the state of the economy and its effect on the client’s business.
♦ Visits to the client’s premises and plant facilities.
With respect to the previous year’s audit working papers and other relevant files, the auditor
should pay particular attention to matters that require special consideration and whether they
might affect the work to be done in the current year.
Discussions with the client might include such subjects as:
♦ Changes in management, organisation structure and activities of the client.
♦ Current Government legislation, rules, regulations and directives affecting the client.
♦ Current business developments affecting the client.
♦ Existence of parties in whom directors or persons who are substantial owners of the
entity are interested and with whom transactions are likely.
♦ New or old premises and plant facilities.
♦ Recent or impending changes in technology, type of products or services and production
or distribution methods.
♦ Significant matters arising from previous year’s financial statements, audit report and
management letters, if any.
♦ Changes in accounting practices and procedures and in the system of internal control.
♦ Scope and timing of the examination.
♦ Assistance of client’s personnel in data preparation.
♦ Relevance of any work to be carried out by the client’s internal auditors.

Formulating an Audit Programme


2.2 In PCC study material, we have discussed audit programme generally so as to enable the
students to know the utility and nature of audit programmes. It is useful for students to know
how to plan an audit programme. The next step in planning is to prepare a written audit
programme setting forth the procedures that are needed to implement the overall plan of audit.
The programme, in addition, may contain audit objectives for each area and should have
sufficient detail to serve as a set of instructions to the assistants involved in the audit and as a
means to control the proper execution of work. It may be emphasised that a clear spelling out
of audit objectives for each area is important to link up the procedures with audit objectives
and to ensure a purposeful audit. For example, in the area of fixed assets, audit objectives
can be the following:
(i) Ascertaining their existence on the balance sheet date;
Audit Strategy, Planning and Programming 2. 5

(ii) Confirming ownership;


(iii) Finding out encumbrances attaching the assets, if any;
(iv) Determining the valuations;
(v) Presentation of relevant information for a proper understanding of their nature value and
usefulness;
(vi) Proper categorisation of assets;
(vii) Generally ascertaining whether the assets are in good working order.
Procedures of verification for this purpose may include physical verification, review of working
papers, document verification including verification of loan documents, checking of provisions
for depreciation, review of accounting policy on fixed assets, verification of compliance with
legal requirements about disclosure and verification of jobs work performed by the assets.
This linkage in the mind of the assistants on job is imperative and without this the audit would
be just a mechanical performance. They should be able to identify the assertions made in the
Balance Sheet and Profit and Loss Account because that provides key to the auditor’s
selection of the procedures. The important matters which need to be considered in this regard
are:
(a) Nature of business in which the organisation is engaged.
(b) Overall plan prepared for the audit.
(c) System of internal control and accounting procedures.
(d) Size of the organisation and structure of its management.
(e) Information regarding the organisation of business.
(f) Accounting policies followed by the client.
(a) Nature of business in which the organisation is engaged - On his first appointment,
the auditor should examine in detail the financial and accounting organisation of the business
by visiting the client’s office; by observing different stages through which papers pass before
each transaction is authorised and recorded; the record that is kept and the titles of books in
which it is kept. In the case of an industrial concern, he must also visit the factory to acquaint
himself with the different processes of manufacture, the quantitative records maintained and
the manner in which statistics are compiled in respect of losses in process. He also must find
out the technical details of manufacture so that he can test check that the quantities of
materials shown to have been issued for various processes of manufacture are in consonance
with the technical formulae reported to him, and that losses in different processes are not
larger than those anticipated.
The nature of business carried on by the concern has a great relevance to different audit
procedures. The auditor, therefore, should draw up the programme of audit on a consideration
of the technical, financial and accounting set-up of the company. In addition, for his general
guidance, he must study the audit programme of different types of business to find out audit
procedures that are considered suitable under different conditions and circumstances. The
2.6 Advanced Auditing and Professional Ethics

Institute of Chartered Accountants of India has brought out Technical Guides concerning audit
of specified industries, for example; sugar, textiles, type, advertising, etc. Students will do well
to read them to understand the several technical aspects to be gone into while undertaking the
audit of such industries. The nature and size of the business is a basic fact to be reckoned in
devising the audit procedures and in assessing the adequacy of the internal control in
recognition of this, the auditors are required to give their assessment of the internal controls in
relation to the nature and size of the company under the Companies (Auditor’s Report) Order,
2003.
(b) Overall plan - Overall plan for the audit programme should be drawn up to ensure a
systematic approach to the work. If in drawing the audit programme, any divergence from the
overall plan becomes necessary, first the overall plan should be modified after due
consideration and thereafter only the matter may be taken in the audit programme. The frame
provided by the overall plan should be strictly adhered to.
(c) System of internal control and accounting procedures - The existence of a system of
internal control is essential for every business organisation. It ensures that both financial and
statistical records are checked continuously; it also unearths errors, both of omission and of
commission. The auditor, in framing his opinion on financial statements needs reasonable
assurance that transactions are properly authorised and recorded in the accounting records
and that transactions have not been omitted. Internal control may contribute to the reasonable
assurance the auditor seeks. Therefore it has become an accepted audit practice to study
and evaluate internal control. The study and evaluation of internal control helps the auditor to
establish the reliance he can place on the internal control in determining the nature, timing an
extent of his substantive auditing procedures. The auditor also obtains an understanding of
the accounting system to identify points in processing of transaction and handling of assets
where errors or fraud may occur. When the auditor relies on internal control, it is at these
points that he must be satisfied that internal control procedures applied by the entity are
effective for his purpose.
In the context of our country, the study and evaluation of internal control has become a
standard audit procedure for the contribution it can make towards satisfactory discharge of
auditing responsibilities and also for the very nature of statutory duty cast on company
auditors. Maintenance of accurate and complete accounting records constitutes an integral
part of internal control. Under Section 227(3) of the Companies Act, an auditor has to report,
inter alia, whether proper books of account required by law have been maintained by the
company. Maintenance implies maintenance in a complete and accurate manner and it
requires a study and evaluation by the auditor. It amounts to a statutory requirement to study
and evaluate this aspect of internal control. Further, the CARO, 2003 issued under Section
227(4A) of the Companies Act directly requires the auditor to study and evaluate internal
control in specific areas.
Before commencing an audit, it is essential that the auditor should verify that proper records of
transactions entered into by the entity have been maintained and that accounting data
collected has been duly analysed. For the purpose, he should examine the procedures
followed for recording transactions. He should also verify that there exists a system of internal
Audit Strategy, Planning and Programming 2. 7

control which guards against occurrence of mistakes and frauds. The verification of the system
of the internal control obtaining in the client’s office is thus the primary duty of the auditor. He
carries it out by examining the manner in which it operates and by application of procedural
checks and test checks to a number of transactions of different kinds recorded in the books.
The auditor’s examination of the system of internal control should have three features: review
and preliminary evaluation, testing of compliance and evaluation.
(i) Review and preliminary evaluation - The auditor should review the accounting system
and related internal control to gain an understanding of the flow of transactions and the
specific control procedures to be able to make a preliminary evaluation and identification
of these aspects of internal control on which it might be efficient and effective to rely in
conducting his audit. He should enquire whether the internal controls intended to be
relied upon were in use throughout the period for which accounts were made up. If
substantially different controls were in use at different times during the period, the auditor
should consider each of them separately. A break-down in internal controls for specific
portions of the period would necessitate a separate consideration of the nature, timing
and extent of audit procedures to be applied for that period. The review is made by
reference to documents i.e., manuals, job descriptions and flow charts and discussions
with related personnel of the client. It may be useful to trace a transaction through the
accounting system to assist in understanding that system and its related internal controls.
Different techniques such as narrative description, questionnaire and flow-chart are
available to the auditor to record information relating to internal control. Selection of the
particular technique is a matter of auditor’s own judgement the purpose of preliminary
evaluation is to identify the particular controls on which the auditor still intends to rely and
to test them through compliance procedures. The auditor may also decide not to rely on
any particular internal control.
(ii) Test of compliance - Compliance tests should be conducted by the auditor to gain
evidence that those internal controls on which he intends to rely operate generally as
identified by him and that they function effectively throughout the period of intended
reliance. Based on the results of his compliance procedure including observed
deviations, the auditor should evaluate whether the internal controls are adequate for his
purposes. If based on the results of compliance procedure, the auditor concludes that a
particular control cannot be substantially relied upon; he should ascertain whether there
exists another control that may satisfy his purpose. For example, if he finds that materials
are not regularly checked for quantity when received at the Receiving Section but Stock
Section carries out a quantity check before accepting the materials in stock, he may
prefer to rely on Stock Section checking for receipt of the materials as correct quantity,
provided further that the Stock Section records are properly and regularly maintained. If
he cannot find another supportive control procedure, he may have to modify the nature,
timing and extent of his substantive audit procedure. The compliance procedure normally
should be applied to transactions selected from those of the whole period under
examination. Compliance procedure is essentially a testing procedure. It demands that
important sections of the record of the concern or selected items of income and
expenditure of transactions should be examined “in depth” and by the application of
2.8 Advanced Auditing and Professional Ethics

procedural tests to ensure that the transactions have been properly authorised,
evidenced and recorded. In certain cases, for purpose of verification, it is necessary to
observe the operation of the system by actual attendance, e.g., in the case of stock-
taking, payment of wages, etc. The examination in depth is a method whereby a few
selected transactions are traced through various stages from the origin to the conclusion:
at each stage, the record and the authority are examined and the operation of internal
check and delegation of authority considered. For example, to verify in depth a payment
to a creditor in respect of goods supplied, it will be necessary to examine the following
documents:
♦ The invoice and the statement of account received from the supplier.
♦ The evidence that goods have been entered in stock records.
♦ The goods received note and inspection certificate.
♦ A copy of the original order and the authority therefore.
The number of transactions selected for examination in depth, generally, can be reduced
as the intricacy of examination increases. For example, while examining payments to
creditors for goods supplied, the auditor, after he has verified all the acknowledgements
for payments, need examine only a proportion of these cases with the suppliers’ invoices
and statements and a still smaller proportions of the evidence that goods have been
recorded in the stock records and so on until a comparatively small proportion is verified
completely in depth. In addition, there are several other audit tests which can be applied
to strengthen the effectiveness of the system of internal control, e.g., procedural test. In
the case of a small concern, a large proportion of transactions should be selected for
examination in depth or application of procedural tests than is necessary in the case of a
large concern since the latter would normally have a more comprehensive system of
internal control. Further, in selecting items for examination as well as for deciding the
scope of tests, the auditor should consider to what extent the transactions under review
are material in relation to the affairs of the company as a whole. In addition to the annual
review of all procedures, it is desirable that each year the auditor makes an intensive
review of the accounting procedures relative to one main aspect of the activities of the
business, e.g., purchases, sales, payment of wages and salaries. In this way, it would be
possible for him to review the main aspects of the system of internal control over a period
of years.
(iii) Evaluation - It is essentially an objective process of application of auditor’s judgement to
determine whether all or any of the internal controls in the client’s organisation can be
relied upon in carrying out the audit. Based on the degree of reliance which may be full,
partial or none, the auditor will programme for the substantive verification of transactions
for expression of audit opinion. The results of compliance procedure directly provide the
basis for this evaluation and, in turn, basis to determine the nature, timing and extent of
the substantive audit procedure. In evaluating the auditor recognises that some
deviations from compliance may have occurred.
Audit Strategy, Planning and Programming 2. 9

If the tests applied by the auditor reveal certain mistakes in accounting due to which
either some transactions have not been recorded or have been wrongly recorded, the
auditor should ascertain the nature and causes thereof. In case they are the result of
some inherent defect in the system of recording, their impact on the true and fair position
of the records should be assessed by extending the area selected for examination. For
example, if it is the duty of the sales manager to verify that various items of goods have
been correctly billed to customers and the examination of sales invoices that reveals
wrong rates have been applied in the case of one or two invoices, it should be assessed
whether the mistake are accidental or otherwise. If, however, there are many such
instances, the presumption would be that the sales manager had failed to discharge his
duty. If despite this, the auditor is satisfied that the magnitude of discrepancies or
irregularities is not sufficiently large to affect the true and fair character of the accounts of
the concern, he may decide to rely upon the control. In such a case, he needs only
report the result of his findings to the management with a recommendation that the
system of internal control be strengthened in such ways as he considers appropriate. If,
however, the auditor considers that the internal control is inadequate to such an extent
that reliance cannot be placed, he may have to extend his substantive audit procedure
significantly. If he is still not satisfied that the records are sufficiently reliable, he should
state in his report that books of account have not been properly kept.
In the end, the auditor should prepare a memorandum as regards the system of internal
control in operation, the test checks applied and matters observed on their application as
a general guide for drawing up the programme of audit. In specific terms he will identify
the controls which he has decided to rely upon, the controls which may be relied upon
only in conjunction with another control and the controls which cannot be relied upon
together with appropriate basis.
(d) Size of the organisation and structure of its management - An increase in the size of
the organisation enhances the complexity of the examination of its accounting records
specially when it has a number of branches, deals in several products or has a very large
turnover. With the increase in the size ordinarily the scope and extent of the system of internal
control also should increase but it may not be so in every case. It has been the experience
that while many small businesses have excellent controls, some of the large enterprises are
deficient in their operational controls. For example, the reports of the Comptroller and Auditor
General on audit of accounts of Public Enterprises show that some of them have a very poor
system of internal control. In such cases, the magnitude of the tasks of the auditor increases
considerably.
The structure of management of a concern is governed by law as well as its status in the
industry. For instance, management structure of a company is one contemplated by the
Companies Act. It is simple or elaborate, depending upon the position the company occupies
in the trade or industry in which it is engaged. For example, a company which is big and is
engaged in diverse trade or business, would have a large Board of Directors, a number of
whole-time directors and a team of qualified managers to attend to different aspects of the
business activity-technical, financial accounting, commercial, etc. On the other hand, a small
2.10 Advanced Auditing and Professional Ethics

company may only have a managing director who attends to all the affairs of the company and
a small board of directors to guide its operations.
The structure of management of a co-operative society is the one contemplated by the Co-
operative Societies Act. Usually, its affairs are managed by persons who neither have had
formal training nor any commercial or administrative experience. Moreover, on account of the
limitation on shareholdings, no member of the managing committee has a sizeable investment.
Thus, self-interest which is an incentive to efficient management, is absent in a co-operative
enterprise. On that account the Co-operative Societies Act provides a detailed control over
the working of co-operative institutions by a Governmental agency (the Registrar).
It is also important for the auditor to examine the character of management for determining the
seat of power. If he is satisfied, it would not be necessary for him to examine each and every
decision taken by the management in so far as it affects the finances of the company. In the
alternative, it would be his duty to examine these matters in greater detail. For instance, in the
case of a concern in which powers and duties of the management are distributed among a
large number of persons and the work of each person is being effectively supervised by the
top management, by obtaining reports, etc., it may be sufficient for the auditor to carry out only
a balance sheet audit, provided the application of procedural tests shows that accounts are
properly maintained. On the other hand, in the case of a co- operative society or a proprietary
or partnership concern, it would be necessary for the auditor to examine the correctness and
validity of a large number of transactions entered into by them.
(e) Information as regards organisation of the business - To plan audit programme, it is
necessary that the auditor should obtain from his client information as regards the
undermentioned matters:
♦ Client’s history and business.
♦ Purpose and nature of engagement.
♦ Time schedule for the completion of audit.
Before accepting a new audit, the auditor should satisfy himself as to the desirability of being
associated with the job. If the concern is not known to him, he should enquire into its
standing, financial background, nature of business and other similar matters. As far as
practicable, he should also try to ascertain the reputation of the concern as also the honesty
and integrity of principal executive. On the basis of the enquiries made he should gather
information on the following points:
♦ Date of incorporation and commencement of business.
♦ The name of subsidiary companies or affiliates as well as the nature of business carried
on by each of them. The auditor should have information as regards work of all the
companies associated with the client through common ownership of capital or the
management.
♦ Details of products manufactured or services rendered and methods of their distribution.
Audit Strategy, Planning and Programming 2. 11

♦ The status in the industry or in the geographical areas or among similar concerns
operating within the State.
♦ Location of plants and offices together with a description of activities at each location.
♦ The names of financial, technical and tax consultants working for the company.
♦ Names and designations of officers holding important positions in the administration of
the company, the duties of each officer being demarcated separately.
♦ The objective for which the audit is being conducted so that where necessary the auditor
may take the necessary precautions to see that he may not incur any liability for
negligence to a person or persons to whom these reports might be presented. This
matter has become of special importance since the decision in the case of Hedley Byrne
& Co. Ltd. vs. Heller and Partners Limited (an English case) and the case of Equity
Funding in the United States. If the engagement is in the nature of a tax audit, he must
plan to have all the pertinent facts recorded in his working paper. This he should do in all
other cases as well.
It is desirable that the auditor should know the date when the audit report shall be required.
This would depend on the purpose for which the auditor has been engaged. In case it is for
filing the income-tax return, the date by which the same is ordinarily required to be filed should
be ascertained. On the other hand, if the audit is for release of financial statements to the
shareholders for the annual meeting, the last date by which the notice should be issued should
be ascertained. This would indicate to him the last date by which the audit report should be
submitted. This information would be helpful to him in preparing a time schedule of his work
and that of his assistants so that the audit can be completed by the date the audit report would
be required. In drawing up the time schedule adequate provision should be made for
unforeseen complications and other delays. This time-schedule should separately show time
that a partner would be required to spend and that which the supervisor and senior assistants
and junior assistants would be required to spend. These, in turn must be coordinated with the
demands on them of other clients to attain an economical staff utilisation.
(f) Accounting and management policies - In view of the provisions under Clause (3) (xv)
of Part II of Schedule VI to the Companies Act, it is necessary for an auditor to know whether
there has been any change in the basis of accounting in order that he may report its effect to
the shareholders; also, the accounting principles require a disclosure of change in the basis of
accounting. On these considerations, on the first appointment it is necessary that the auditor
should review the financial statements of the past several years, audited by his predecessors
specially those of the immediately preceding previous year. This would reveal to him a great
deal of information regarding accounting and management policies which have been followed
in the past and whether these have been employed consistently. The policies affecting
accounts of business engaged in diverse trades differ; but they invariably deal with the
following matters:
(i) The method of maintaining the record of stocks, preparation of the closing inventory and
the basis of its valuation.
(ii) The basis adopted for making a provision for payment of bonus to staff.
2.12 Advanced Auditing and Professional Ethics

(iii) Treatment to be accorded to research and development expenses.


(iv) Provision of depreciation in respect of assets, which strictly do not require to be
depreciated according to Sub-section (2) of Section 205 of the Companies Act, e.g.,
goodwill, development expenses, mining rights and leaseholds, etc.
(v) Provisions for gratuities payable to staff on retirement.
(vi) Provision for expenses on post sale services that would have to be rendered to
customers in respect of sales of various items of machinery or equipment.
(vii) Treatment to be accorded to items of deferred revenue expenditure.
(viii) Procedure for inclusion of expenses for arriving at cost of fixed assets.
In this regard, it is important to note that the Institute of Chartered Accountants of India has
always recommended that the auditor should critically examine the accounting policies
adopted by the management and test them for conformity with the accounting standards
recommended by the Institute, where available, or with any other authoritative statement. It
may also be noted that the Institute of Chartered Accountants of India has issued Accounting
Standard-1 and recommended disclosure of significant Accountants Policies. Similarly, the
vertical form of balance sheet introduced in the Schedule VI to the Companies Act requires
disclosure of Accounting Policies. The prime test should be that whether the treatment is
consistent with the basic principles of accounts. It may be noted that AS-1 in mandatory for all
corporate as well certain specified non-corporate entities. The Companies (Amendment) Act,
1999 has also made it obligatory on the part of companies to follow Accounting Standards
(Refer to Section 211).
2.2.1 Drawing up the audit programme - After the auditor has collected the aforementioned
information, he will be in a position to draw up the programme of audit. He can now decide
the areas to be covered by audit, also those to be covered in detail and those which should be
covered by the applications of the test checks. He will also be able to decide the specific audit
procedures which should be applied in each case. These procedures vary widely because of
the conditions under which each concern operates, its form of organisation, its nature of
business and the condition of its accounts. On this account, it is not practicable to draw up a
typical audit programme. When an auditor is appointed to audit the accounts of an entity for
the first time, the audit programme should be developed in three stages stated below:
(i) To begin with, a broad outline of the audit programme should be drawn up.
(ii) After the internal and accounting procedures have been reviewed, the details should be
filled up on a consideration of the deficiencies in the system of internal control.
(iii) After the detailed checking formality is over, the extent to which the special procedures
need to be applied should be determined, e.g., independent verification of balances of
debtors and creditors, physical inspection of fixed assets, personal inspection of various
items of stock included in closing inventories and testing their values. At times, special
procedures may have to be applied on a consideration of the nature of business e.g.
verification of provision for tax liability in case of a shipping company regarding freight
Audit Strategy, Planning and Programming 2. 13

booked in different countries or for making a provision for unexpired liability in case of an
insurance company, etc.
At each subsequent engagement the programme should be reviewed and, if necessary,
modified on account of:
(i) experience gained during the previous audits;
(ii) important changes that have taken place in the business specially in the system of
internal control, accounting procedures or in the structure of management or of the scope
of business; and
(iii) evaluation of internal control made for the current year.
Given below are a few circumstances where in the audit programme would have to be suitably
altered:
(1) If the audit procedures were designed for a certain volume of turnover and subsequently
the volume has substantially increased. Also, when there have been significant changes
in the accounting organisation, procedures and personnel subsequent to the audit
procedures.
(2) Where during the course of an audit, it has been discovered that internal control
procedures were not as effective as assumed at the time the audit programme was
framed.
(3) Where there has been an extraordinary increase in the amount of book debts or that in
the value of stocks as compared to that in the previous year.
(4) When a suspicion is aroused during the course of audit or information has been received
that assets of the company have been misappropriated.
It may be noted that the audit plan and related programme should be reconsidered as the
audit progresses. Such re-consideration is based on the auditor’s review of internal control,
his preliminary evaluation thereof and the result of his compliance and substantive
procedures.
2.2.2 Development of an overall plan - Overall plan is basically intended to provide direction
for audit work programming and includes the determination of timing, manpower development
and co-ordination of work with the client, other auditors and other experts. The auditor should
consider the following matters in developing his overall plan for the expected scope and
conduct of the audit:
♦ Terms of his engagement and any statutory responsibilities
♦ Nature and timing of reports or other communication.
♦ Applicable legal or statutory requirements.
♦ Accounting policies adopted by the client and changes in those policies.
♦ Effect of new accounting or auditing pronouncements on the audit.
♦ Identification of significant audit areas.
2.14 Advanced Auditing and Professional Ethics

♦ Setting of materiality levels for audit purposes.


♦ Conditions requiring special attention, such as the possibility of material error or fraud or
involvement of parties in whom directors or persons who are substantial owners of the
entity are interested and with whom transactions are likely.
♦ Degree of reliance he expects to be able to place on accounting system and internal
control.
♦ Possible rotation of emphasis on specific audit areas.
♦ Nature and extent of audit evidence to be obtained.
♦ Work of internal auditors and the extent of their involvement, if any, in the audit.
♦ Involvement of other auditors in the audit of subsidiaries or branches of the client.
♦ Involvement of experts.
♦ Allocation of work to be undertaken between joint auditors and the procedures for its
control and review.
♦ Establishing and co-ordinating staffing requirements;
Documentation of the overall planning on due consideration of the above should be done for
drawing a systematic, logical and an adequate audit programme. An illustration of
documentation of overall plan may be as under:
Plan dated 17.10.XX
1. Name and address of the client : Progressive Industries Ltd., 52, J. Bose Road,
Calcutta.
2. Nature of professional work : Annual audit under the provisions of Companies
Act, 19XX
3. Period for which the professional : Accounting year ending on 31st services required
March, XXXXY
4. Particulars of establishment of the : (i) Registered office and Head office client at the
client above address.
(ii) Factory at Tiljala.
(iii) Branches at Bombay, Madras, Delhi and
Kanpur (all the branches to be audited by
separate branch auditors).
5. Latest date within which the : 30th September, XXXX
company is to hold its annual
general meeting
6. Manner of audit agreed to with the : Interim checking up to 30.XX. to be completed by
client December, XYXX. and followed by an interim
report to the Board. Final audit to be completed
Audit Strategy, Planning and Programming 2. 15

and report submitted by 5th August, 19XX.


7. Man hours required to completing : Interim audit for the first half-year involved 350
the audit in preceding year in two man hours and the final phase of audit involved
phases 450 man hours.
8. Assistants deputed in the previous : Mr. Jayanta –Senior
year Mr. Alokesh - Semi-Senior
Mr. Pulokesh - Articled Student
Mr. Bilkash – Inventory, cash
Mr. Raman - Security verification
Mr. Robin - alongwith the other three.
9. Partner-in-charge of the previous : Mr. T. Roychowdhury
year
10. Letter of appointment for 1994-95 : Received on 5.10.XXXX
11. Any non-statutory duty : Yes, Certification to Royalty statement and Export
statement besides reports to the Board on interim
verification
12. Any letter of engagement issued : Yes, dated on 12.10.XXXX.
13. Any change in the scope, volume : No significant change intimated/assessed.
or nature of work intimated, or
assessed
14. Assistants to be deputed for 1994- : Mr. Alokesh - Senior
95 Mr. Pulokesh - Semi-Senior
Mr. Rohin – Articled Student for interim checking.
Plan for final checking will be made later.
15. Number of man hours expected to : 320 man hours
be devoted in the interim checking
16. Is thorough evaluation of internal : No, It will be due next year. This year, apart from
control due this year? overall evaluation, indepth evaluation will be done
on payroll and transport.
17. Any change in the accounting : No, as per the discussion held on 15.10.XXXX
policies compared with the with the company management.
previous year
18. Any statement/ standard :
pronouncement/note issued by the -----
ICAI during the period that may
have a bearing on the present audit
19. Does any area of accounting : Yes, Payroll, Transport Discounts, Rebates,
require special attention in view of Reliefs on sales, consumption of raw materials.
2.16 Advanced Auditing and Professional Ethics

the observations made on the


previous year’s accounts in the
audit report or in the working
papers?
20. Detailed audit or test audit : Normally test audit; verification of debtor’s
balance and value of inventory will be done by
adopting statistical sampling plan.
21. Whether inventory verification will : Yes, by arrangement with the client.
be witnessed Also, surprise verification of some of the selected
items should be done after the physical
verification by the management is over.
22. Whether cash and investment will : Yes, also surprise verification before year-end
be physically verified day.
23. How the fixed assets shall be : Documentary verification and scrutiny of physical
verified verification of working papers of the company.
24. How other areas to be examined/ : By reference to documents, vouchers,
verified confirmations, etc. as may be appropriate.
25. Associated party transaction : Officially confirmed list of associated parties
should be obtained and bonafides and
reasonableness of transactions ascertained.
26. How to establish materiality of : Bases provided by Schedule VI and the AAS-13.
transaction Partner-in-charge should be consulted where
consultation is required.
27. Is there only internal audit system : Yes, the internal auditor reports to the Managing
headed by a qualified internal Director.
auditor? If yes, to whom does the
internal auditor report?
28. Review of internal audit programme : Should be completed before drawing up detailed
and report/reports audit programme. Also, Areas of work sharing
should be discussed with the Internal Auditor at
that stage.
29. When, the reports of Branches : On 15.7.XXXX
auditor expected
30. Need for review of previous year’s : Yes, should be done in the light of points 16, 19,
audit programme 20, 21, 22, 25 and 28 by the Senior-in-charge and
shown to partner-in-charge.
31. Partner-in-charge of this year’s : Mr. T. Roychowdhury.
audit
Audit Strategy, Planning and Programming 2. 17

Designing Audit Strategy


2.3 As stated earlier, audit planning is the process of gathering information and designing
audit strategies; the main output of audit planning is a tailored audit approach supported by
appropriate administrative arrangements. Audit strategy is concerned with designing
optimised audit approaches that seek to achieve the necessary audit assurance at the lowest
cost within the constraints of the information available. Audit procedures should be relevant to
the important assertions, and as cost effective as possible to perform. Audit strategy
generally involves the following steps:
(i) Obtaining knowledge of business.
(ii) Performing analytical procedures at initial stages.
(iii) Evaluating inherent risk.
(iv) Evaluating Internal Control system for strategy purpose.
(v) Formulating the strategy.
Let us deal with above stages step-wise:
(i) Obtaining Knowledge of Business - AAS-20 on, “Knowledge of Business” states that in
performing In performing an audit of financial statements, the auditor should have or
obtain knowledge of the business sufficient to enable the auditor to identify and
understand the events, transactions and practices that, in the auditor's judgment, may
have a significant effect on the financial statements or on the examination or audit report.
Knowledge of the business is a frame of reference within which the auditor exercises
professional judgment. Understanding the business and using this information
appropriately assists the auditor in:
♦ Assessing risks and identifying problems.
♦ Planning and performing the audit effectively and efficiently.
♦ Evaluating audit evidence.
♦ Providing better service to the client.
Finally, the auditor should ensure that the audit staff assigned to an audit engagement
obtain sufficient knowledge of the business to enable them to carry out the audit work
delegated to them. The auditor would also ensure that the audit staff understands the
need to be alert for additional information and the need to share that information with the
auditor and other audit staff.
To make effective use of knowledge about the business, the auditor should consider how
it affects the financial statements taken as a whole and whether the assertions in the
financial statements are consistent with the auditor's knowledge of the business.
(ii) Performing Analytical Procedures - AAS-14 on, “Analytical Procedures” states that the
auditor should apply analytical procedures at the planning and overall review stages of
the audit. Analytical procedures may also be applied at other stages.
2.18 Advanced Auditing and Professional Ethics

The purpose of analytical procedures at the planning stage is attention-directing;


corroboration is not normally necessary at this stage beyond this stage beyond the
discussions that would usually take place with the client during the planning of the audit.
The use of analytical procedures during the planning stage requires the extensive use of
accounting and business knowledge and experience to assess the potential for material
misstatement in the financial statements as a whole, because the key aspect of the task
is to identify the relevant risk indicators and to interpret them properly. Furthermore,
analytical techniques applied during the planning stage are not generally as precise as
the analytical techniques at the substantive stage.
(iii) Evaluating Inherent Risk - To assess inherent risk, the auditor would use professional
judgement to evaluate numerous factors, having regard to his experience of the entity
from previous audit engagements of the entity, any controls established by management
to compensate for a high level of inherent risk, and his knowledge of any significant
changes which might have taken place since his last assessment. Examples of are such
factors are:
At the Level of Financial Statements:
♦ Management’s experience and knowledge and changes in management during the
period, for example, the inexperience of management may affect the preparation of
the financial statements of the entity.
♦ Unusual pressures on management, for example, circumstances that might
predispose management to misstate the financial statements, such as the industry
experiencing a large number of business failures or an entity that lacks sufficient
capital to continue operations.
♦ The nature of the entity’s business, for example, the potential for technological
obsolescence of its products and services, the complexity of its capital structure, the
significance of related parties and the number of locations and geographical spread
of its production facilities.
♦ Factors affecting the industry in which the entity operates, for example, economic
and competitive conditions as indicated by financial trends and ratios, and changes
in technology, consumer demand and accounting practices common to the industry.
At the level of Account Balance and Class of Transactions:
♦ Quality of the accounting system.
♦ Financial statements are likely to be susceptible to misstatement, for example,
accounts which required adjustment in the prior period or which involve a high
degree of estimation.
♦ The complexity of underlying transactions and other events which might require
using the work of an expert.
♦ The degree of judgement involved in determining account balances.
Audit Strategy, Planning and Programming 2. 19

♦ Susceptibility of assets to loss or misappropriation, for example, assets which are


highly desirable and movable such as cash.
♦ The completion of unusual and complex transactions, particularly at or near period
end.
♦ Transactions not subjected to ordinary processing.
(iv) Evaluating Internal Control - The auditors’ assessment of the control environment is
crucial to the decision on whether to make an extended assessment of controls. This is
because a good control environment is conducive to the maintenance of a reliable
system of accounting and control procedures. For strategy purposes the auditor should
obtain a sufficient understanding of the control environment. The auditor needs an
understanding of the accounting systems, regardless of whether the audit strategy will
involve an extended assessment of internal accounting controls. This should be done by:
(a) documenting the extent to which the system is computerised; and
(b) preparing or updating overview flowcharts to record the files and transactions
relating to significant systems-derived account balances.
If there are significant computer systems, the auditor should obtain an understanding or
the IT controls so decide whether to make an extended assessment of monitoring
controls. Whether it is necessary to carry out any preliminary work for strategy purposes
to ascertain whether IT controls are likely to be satisfactory will depend on the auditor’s
previous knowledge about IT controls. For an existing audit, the objective will normally
be to carry out the minimum work necessary to update this previous understanding. If
more information is needed, or if the engagement is new or substantially changed, the
auditor should carry out an overview assessment of IT controls. However, even if auditor
has not carried out an overview assessment of the IT controls for strategy purposes, it
may be necessary to do so later, to help design and perform substantive tests and draw
conclusions on whether proper accounting records have been kept. Whether this work is
done before determining the strategy or subsequently as part of the fieldwork is a matter
of audit efficiency.
(v) Formulating the Strategy - The auditor should develop the strategy by:
(a) considering the results of gathering or updating information about the client; and
(b) making preliminary judgements about materiality, inherent risk and control
effectiveness. These will include identification of the system(s) the auditor
proposes to subject to an extended assessment of controls.
The initial assessment of the quality and complexity of the client’s systems will affect the
amount of the information the auditor needs to gather. Sometimes, on a new
engagement, the appropriate strategy may be obvious from a limited amount of
investigative work. In other cases, the necessary information gathering will be extensive.
The auditor should consider the following matters:
(a) For many existing clients, the majority of the information the auditor needs will
2.20 Advanced Auditing and Professional Ethics

already exist in the prior year’s strategy and in the audit programme. Accordingly, it
will often be possible to restrict the work to updating existing knowledge,
considering whether there are any significant new or changed risks and confirming
that there are no new or substantially changed significant systems.
(b) On a new, large or complex engagement the auditor may be uncertain about the
extent of information that should be gathered. Accordingly, in such cases the
engagement partner, the engagement manager and the in-charge should consider
together their knowledge of the matters listed in the preceding paragraph before
undertaking further information gathering. This will ensure that the information-
gathering process is carried out in as efficient and effective a manner as possible.
(c) If the auditor determines that there have been significant changes to risks, systems
and other client circumstances, it may be necessary to gather extensive information
before determining the strategy. For example, more information would be required
for a client with an acquisition or a significant new system than for a client with a
stable, unchanging business and accounting environment.
(d) If the auditor has had substantial contact with the client in the current period it may
be possible to determine the strategy without gathering additional information.
Finally, audit strategy may be evolved after considering the following:
(a) The engagement objectives.
(b) The results of the business review, including major developments in the client’s
business and industry, significant operating results and financial arrangements.
(c) Preliminary judgements as to materiality.
(d) Identified inherent risks. The team should also consider the risk of fraud and, in
particular, any evidence of a high level of risk to the firm. They should take into
account the results of procedures for the acceptance and continuation of clients.
(e) The degree to which the team should carry out further assessment of controls as a
means of reducing substantive tests.
(f) The broad nature, extent and timing of substantive tests, or changes to the previous
year’s strategy for substantive testing.
(g) Main points relating to planning and controlling the audit or comments on the
adequacy of the existing arrangements.

Using the Work of an Expert


2.4 During the audit the auditor may seek to obtain, in conjunction with the client or
independently, audit evidence in the form of reports, opinions, valuations, and statements of
an expert.
Audit Strategy, Planning and Programming 2. 21

Examples are:
♦ valuations of certain types of assets, for example, land and buildings, plant and
machinery, works of art, and precious stones.
♦ determination of quantities or physical condition of assets, for example, minerals stored
in stockpiles, mineral and petroleum reserves, and remaining useful life of plant and
machinery.
♦ determination of amounts using specialised techniques or methods, for example, an
actuarial valuation.
♦ the measurement of work completed and to be completed on contracts in progress for the
purpose of revenue recognition.
♦ legal opinions concerning interpretations of agreements, statutes, regulations,
notifications circulars, etc.
When determining whether to use the work of an expert or not, the auditor should consider:
♦ the materiality of the item being examined in relation to the financial information as a
whole.
♦ the nature and complexity of the item including the risk of error therein, and
♦ the other audit evidence available with respect to the item.
Skills and competence of the expert - When the auditor plans to use the expert’s work as
audit evidence, he should satisfy himself as to the expert’s skills and competence by
considering the expert’s:
♦ professional certification, licence or membership in an appropriate professional body.
♦ experience and reputation in the field in which the auditor is seeking evidence.
However, when the auditor uses the work of an expert employed by him, lie will not need to
inquire into his skills and competence.
Objectivity of the expert - The auditor should also consider the objectivity of the expert. The
risk that an expert’s objectivity will be impaired increases when the expert is:
♦ employed by the client, or
♦ related in some other manner to the client.
Accordingly, in these circumstances, the auditor should (after taking into account the factors
stated above) consider performing more extensive procedures than would otherwise have
been planned, or lie might consider engaging another expert.
Evaluating the work of an expert - When the auditor intends to use the work of an expert, he
should examine evidence to gain knowledge regarding the terms of the experts’ engagement
and such other matters as:
♦ the objectives and scope of the expert’s work,
♦ a general outline as to the specific items in the expert’s report,
2.22 Advanced Auditing and Professional Ethics

♦ confidentiality of the client’s information used by the expert.


The auditor should seek reasonable assurance that the expert’s work constitutes appropriate
audit evidence in support of the financial information, by considering:
♦ the source data used,
♦ the assumptions and methods used and, if appropriate, their comparison with the prior
period, and
♦ the results of the expert’s work in the light of the auditor’s overall knowledge of the
business and of the results of his audit procedures.
♦ the auditor should also satisfy himself that the substance of the expert’s findings is
properly reflected in the financial information.
The auditor should consider whether the expert has used source data which are appropriate in
the circumstances. The procedures to be applied by the auditor should include:
♦ making inquiries of the expert to determine how he has satisfied himself that the source
data are sufficient, relevant and reliable, and
♦ conducting audit procedures on the data provided by the client to the expert to obtain
reasonable assurance that the data are appropriate.
The appropriateness and reasonableness of assumptions and methods used and their
application are the responsibility of the expert. The auditor does not have the same expertise
and, therefore, cannot always challenge the expert’s assumptions and methods. However, the
auditor should obtain an understanding of those assumptions and methods to determine that
they are reasonable, based on the auditor’s knowledge of the client’s business and on the
results of his audit procedures.
Normally, completion of the above procedures will provide the auditor with reasonable
assurance that he has obtained appropriate audit evidence in support of the financial
information. In exceptional cases where the work of an expert does not support the related
representations in the financial information, the auditor should attempt to resolve the
inconsistency by discussions with the client and the expert. Applying additional procedures,
including possibly engaging another expert, may also assist the auditor in resolving the
inconsistency.
If after performing these procedures, the auditor concludes that:
♦ the work of the expert is inconsistent with the information in the financial statements, or
that
♦ the work of the expert does not constitute sufficient appropriate audit evidence (e.g.
where the work of the expert involves highly technical matters or where, on grounds of
confidentiality, the expert refuses to make available to the auditor the source data used
by him, he should express a qualified opinion, a disclaimer of opinion or an adverse
opinion, as may be appropriate.
Audit Strategy, Planning and Programming 2. 23

Reference to the Expert in the Auditor’s Report - When expressing an unqualified opinion,
the auditor should not refer to the work of an expert in his report. If, as a result of the work of
an expert, the auditor decides to express other than an unqualified opinion, it may in some
circumstances benefit the reader of his report if the auditor, in explaining the nature of his
reservation, refers to or describes the work of the expert. Where in doing so, the auditor
considers it appropriate to disclose the identity of the expert, he should obtain prior consent of
the expert for such disclosure if such consent has not ready been obtained.

Relying upon the Work of Internal Auditor


2.5 AAS-7 entitled ‘Relying upon the Work of an Internal Auditor’ deals with the procedure
which should be applied by the internal auditor for the purpose of placing reliance upon that
work. It should, however, be remembered that the external auditor has sole responsibility for
his report and for the determination of the nature, timing, extent of the auditing procedures but
much of the work of the internal audit function may be useful to him in his examination of the
financial information. The responsibility of the external auditor is not reduced by any means
because of the reliance placed upon the internal auditor’s work.

Using the Work of another Auditor


2.6 When the auditor uses work performed by other auditors, the auditor should obtain
reasonable assurance that such work is adequate for the purpose of the audit. Such a
situation may arise in case a company having branch or having different branch auditors or the
auditor is using the work of another independent auditor with respect to the financial statement
of one or more subsidiaries or associated companies. Generally when another auditor has
been appointed for the branch / division/ component, the principal auditor would be entitled to
rely upon the work of such auditor unless there are circumstances to indicate that he should
not rely. The procedure to be followed by the company auditor in relation to branch auditor is
outlined in Chapter on the Company Audit. It should however be noted that the aforesaid
instances do not cover cases where two or more auditors are appointed as joint auditors nor
does it deal with the auditor’s relationship with the predecessor auditor.

Principal’s Ultimate Responsibility


2.7 “When the auditor delegates work to assistants or uses work performed by other auditors
and experts, he will continue to be responsible for forming and expressing his opinion on the
financial information. However, he will be entitled to rely on work performed by others,
provided he exercises adequate skill and care and is not aware of any reason to believe that
he should not have so relied. In the case of any independent statutory appointment to perform
the work on which the auditor has to rely in forming his opinion, such as in the case of the
work of branch auditors appointed under the Companies Act, 1956 the auditor’s report should
expressly state the fact of such reliance.”
2.24 Advanced Auditing and Professional Ethics

Reliance on the Management or other Certificates by the Auditor


2.8 It is customary for the company auditor to obtain certificates from the management
certifying the value of inventories, Provision for liabilities, the disclosure of contingent liabilities
etc. The object of this practice is to obtain information for which the management can be
specifically held responsible. However, possession of such certificates does not absolve the
auditor from carrying out a proper audit. Letter of representation obtained from the
management will not protect the auditor in a legal action for negligence if he has failed to
perform his duties according to the generally accepted auditing standards and procedures.
Thus, an auditor who fails to count cash, put to test the inventory figures, verify debtors and
liabilities according to the recognised practices, will derive little support from certificates of
directors or company officials certifying the accuracy of these items. At best certificates can
only act as the second line of defence for an auditor who has carried out his work with
reasonable care and skill.
Although the judgement in the Kingston Cotton Mill’s case held that there is no duty on the
auditor to take stock physically, that he may, in the absence of suspicious circumstances rely
upon the certificate of a responsible official has not been categorically overruled,
contemporary professional auditing practice requires a thorough investigation into the
adequacy or otherwise of the internal check system regarding the movement and periodic
counting of stocks with particular enquiry into deviations from the prescribed procedure.
Certain cases, decided long after the Kingston Cotton Mill’s case were quite forthright in
stating that a blind acceptance of certificate from the management by the auditor, without
putting the same to appropriate tests and intelligent scrutiny, does not amount to a proper
performance of duty. Mention may be made in this connection of the case of Thomas Gerrard
& Son (1967) and Colmer v Merrett Son & Street (1964). The development of the professional
practices mentioned above is the result of the timely notice taken by the accounting profession
of the gradual erosion of the dictum in the Kingston Cotton Mills case.
It is clear, therefore, that the request for a certificate and its receipt constitute no more than
the initial step in the auditor’s verification of the relevant item whereby he seeks to obtain from
those legally responsible, viz., the directors, the conscious acknowledgement of the amount at
which the item concerned is stated. It should, however, be noted that it would not be
considered proper for an auditor to seek or accept certificates from the management when the
subject-matter is such as is capable of direct verification by the auditor himself. For example,
cash in hand at the end of the year can be verified by the auditor himself and obtaining a
certificate without actually undertaking the verification will amount to a non-performance of
duty.
Notwithstanding anything stated above, the auditor can accept certificates from the director
and the officials under the following circumstances:
(1) The subject matter should not be capable of direct verification of the auditor and should
be one which is accepted to be beyond the competence of a professionally qualified
accountant.
Audit Strategy, Planning and Programming 2. 25

(2) There exist proper records and “internal check” in the client’s system that can enable the
directors or the officials to prepare and issue the certificate. The auditor should review
such records and internal checks to ascertain their reliability,
(3) The certificate should be prima facie in agreement with the records maintained.
(4) The certificate should be put to common sense tests by the auditor.
During the course of an audit, an auditor may have to deal with certificates from outside
parties such as the company’s bankers, architects, agents, warehousemen, etc.
The bankers may certify the investments or securities held by them on behalf of the company,
the architect may certify the value of property held as security and an agent or distributor may
certify the value of property held as representatives of the company. The question of auditor’s
duty in such circumstances was discussed in Re. City Equitable Fire Insurance Co. Ltd. It was
held that a company’s brokers are not the proper people to have the custody of its securities,
however respectable and responsible those brokers may be. On the other hand, banks in the
ordinary course of business hold securities for their customers and, therefore, an auditor
would be justified in accepting the certificate of a respectable bank whilst verifying the
existence of the securities.
As a general rule, it may be stated that, before accepting and relying upon a certificate from a
third party, the auditor should satisfy himself that:
(a) the party issuing the certificate is reputable and trustworthy;
(b) the certificate relates to an item which is normally dealt with or held by such party;
(c) the auditor himself is not in a position to verify the item because of its technical nature or
because it would be too costly, cumbersome for him to do so.
(d) the certificate is prima facie reliable and reasonable; and reference to the third party is
available in the books and documents of the client as in possession of the concerned
goods, property and/or securities belonging to the client.
(iii) Not infrequently, during the course of an audit, local issues arise which have a bearing
on accounts. A chartered accountant is not necessarily competent to interpret law and,
therefore, it may be desirable for him to obtain legal advice from his own or his client’s
attorney or counsel. But before accepting a legal opinion, the auditor should satisfy himself
about the competence and impartiality of the lawyer. If a written opinion is sought, the auditor
should ensure that the case for opinion is properly drawn up so that all the relevant facts are
brought to the notice of the legal adviser. If a verbal opinion is being obtained, the auditor
should attend the conference at which the matter is to be discussed to make sure that the
facts are correctly presented.
Even if the legal opinion turns out to be erroneous the auditor cannot be held to be negligent
in the performance of his duties if he has acted honestly and in good faith and if the opinion
relied upon was prima facie reasonable. However, an auditor is under no compulsion to
accept a legal opinion, if he has reasons to believe that such opinion is erroneous or
inadequate.
2.26 Advanced Auditing and Professional Ethics

Management Representations
2.9 Representations by management are the single most important source of audit evidence to
an auditor and, thus, have significant implication for an auditor to formulate his opinion on the
financial information. AAS-11 on “Representations by Management” expounds in detail to
establish standards on the use of management representations as audit evidence the
procedures to be applied in evaluating and documenting management representations, and
the action to be taken if management refuses to provide appropriate representations. AAS-9
emphasises that the auditor should obtain representations from management, where
considered appropriate. AAS 9 became operational for all audits relating to accounting period
beginning on or after April 1995.
Acknowledgement by Management of its Responsibility for the Financial Information -
The auditor should obtain evidence that management acknowledges its responsibility for the
appropriate preparation and presentation of financial information and that management has
approved the financial information.
Representation by Management as Audit Evidence - The auditor should exercise his
professional judgement in determining the matters on which he wishes to obtain
representations from management. Similarly, the matters on which the auditor wishes to
obtain such representations in writing should be determined by the auditor using his
professional judgement. However, representations should be obtained from management
invariably in writing on matters material to financial information, either individually or
collectively, when other sufficient appropriate audit evidence cannot reasonable be expected
to exist. During the course of an audit, management makes many representations to the
auditors either unsolicited or in response to specific enquiries. When such representations
relate to matters which are material to the financial information, the auditor should:
(a) seek corroborative audit evidence from sources inside or outside the entity;
(b) evaluate whether the representations made by management appear reasonable and
consistent with other audit evidence obtained, including other representations; and
(c) consider whether the individuals making the representations can be expected to be well-
informed on the matter.
Representations by management cannot be a substitute for other audit evidence that the
auditor could reasonably expect to be available. For example, a representation by
management as to the quantity, existence and cost of inventories is no substitute for adopting
normal audit procedures regarding verification and valuation of inventories. If the auditor is
unable to obtain sufficient appropriate audit evidence that he believes would be available
regarding a matter which has or may have a material effect on the financial information, this
will constitute a limitation on the scope of his examination even if he has obtained a
representation from management on the matter.
In certain instances such as where knowledge of the facts is confined to management or
where the matter is principally one of intention, a representation by management may be the
only audit evidence which can reasonably be expected to be available. For example, intention
of management to hold a specific investment for long-term appreciation.
Audit Strategy, Planning and Programming 2. 27

If a representation by management is contradicted by other evidence, the auditor should


examine the circumstances and, when necessary, reconsider the reliability of other
representations made by management.
Documentation of Representations by Management - The auditor should document in his
working papers evidence of management’s representations. A written representation is better
audit evidence than an oral representation and can take the form of:
(a) a representation letter from management;
(b) a letter from the auditor outlining the auditor’s understanding of management’s
representations, duly acknowledged and confirmed by management;
(c) a duly authenticated copy of relevant minutes of meetings of the board of directors or
similar body.
Basic Elements of a Management Representation Letter -
(i) A management representation letter should be addressed to the auditor containing the
relevant information and be appropriately dated and signed.
(ii) A management representation letter would normally be dated the same date as the
auditor’s report on the financial information or a date prior thereto. However, in certain
circumstances, in respect to specific transactions or events, separate representation
letters may also be obtained during the course of audit.
(iii) A management representation letter should ordinarily be signed by the members of the
management who have primary responsibility for the entity and its financial aspects, e.g.,
managing director, finance director.
(iv) If management refuses to provide representations on any matter that the auditor
considers necessary, this will constitute a limitation on the scope of his examination. In
such circumstances, the auditor should evaluate any reliance he has placed on other
representations made by management during the course of his examination and consider
if the refusal may have any additional effect on his report.
(v) In case management is not willing to give in writing the representations made by it during
the course of audit, the auditor should himself prepare a letter in writing setting out his
understanding of management’s representations that have been made to him during the
course of audit and send it to the management with a request to acknowledgement and
confirm that his understanding of the representations is correct. If the manage refuses to
acknowledge or confirm the letter sent by the auditor, this will constitute a limitation on
the scope of his examination. In such circumstances, the auditor should evaluate any
reliance on those representations and consider if the refusal may have any additional
effect on his report.

Drafting of Report
2.10 AAS 28 establishes standards on the form and content of the auditor’s report issued as
a result of an audit performed by an auditor of the financial statements of an entity. The
2.28 Advanced Auditing and Professional Ethics

auditor should review and assess the conclusions drawn from the audit evidence obtained as
the basis for the expression of an opinion on the financial statements. This review and
assessment involves considering whether the financial statements have been prepared in
accordance with an acceptable financial reporting framework applicable to the entity under
audit. It is also necessary to consider whether the financial statements comply with the
relevant statutory requirements.
The auditor’s report should contain a clear written expression of opinion on the financial
statements taken as a whole. The auditor’s report includes the following basic elements,
ordinarily, in the following layout:
(a) Title;
(b) Addressee;
(c) Opening or introductory paragraph;
(d) Scope paragraph (describing the nature of an audit);
(e) Opinion paragraph containing;
(f) Date of the report;
(g) Place of signature; and
(h) Auditor’s signature.
A measure of uniformity in the form and content of the auditor’s report is desirable because it
helps to promote the reader’s understanding of the auditor’s report and to identify unusual
circumstances when they occur. A statute governing the entity or a regulator may require the
auditor to include certain matters in the audit report or prescribe the form in which the auditor
should issue his report. For detail students may refer AAS 28 (The Auditor’s Report on
Financial Statements).

Control of Quality of Audit Work


2.11 AAS-1 on Basic Principles Governing an Audit of Financial Statements lists control of the
quality of work performed by others as one of the basic principles governing an audit. The
relevant parts are reproduced below:
When the auditor delegates work to assistants or uses work performed by other auditors and
experts, he will continue to be responsible for forming and expressing his opinion on the
financial information. However, he will be entitled to rely on work performed by others,
provided he exercises adequate skill and care and is not aware of any reason to believe that
he should not have so relied. In the case of any independent statutory appointment to perform
the work on which the auditor has to rely in forming his opinion, such as in the case of the
work of branch auditors appointed under the Companies Act, 1956 the auditor’s report should
expressly state the fact of such reliance. The auditor should carefully direct, supervise and
review the work delegated to assistants. The auditor should obtain reasonable assurance that
work performed by other auditors or experts is adequate for his purpose.
Audit Strategy, Planning and Programming 2. 29

As is clear from the aforesaid principle, an auditor is required to control the audit work
delegated to assistants and work performed by other auditors and experts. Accordingly, the
procedure to be followed by a statutory auditor in controlling the quality of audit work
performed by assistants, the quality of work performed by experts, the question of relying
upon the work of the internal auditor and the assessment of work performed by others is
discussed in the following paragraphs:
2.11.1 Control of the quality of work-Audit staff - As stated earlier, as per the basic principles
governing an audit, the auditor is required to carefully direct, supervise and review the work
delegated to assistants. It may be noted that the nature and extent of a firm’s quality control
procedures depend on a number of factors such as the size and nature of its practice, its
geographic dispersion, its organisation and appropriate cost benefit considerations.
Accordingly, the procedures adopted by the individual firm will vary as will the extent of their
documentation. The audit staff includes all partners and professional staff of an audit firm and
other personnel, namely audit assistants involved in an individual audit other than the auditor.
The AAS lists the policies and procedures to be adopted by an audit firm to provide
reasonable assurances regarding the quality of audit work generally and procedures to be
adopted by an auditor to comply with this basic principle as it relates to the work delegated to
assistants in an individual audit. The controls suggested in the AAS all discussed in the
following paragraphs:
2.11.2 General quality controls - Quality controls are the policies and procedures adopted by a
firm to provide reasonable assurance that all audits done by the firm are being carried out in
accordance with the Basic Principles Governing an Audit, as set out in Auditing and
Assurance Standard (AAS) 1. An audit firm should adopt quality control policies that
incorporate the following objectives and should implement appropriate procedures that provide
reasonable assurance of achieving those objectives:
(a) Professional requirements - Personnel in the firm should adhere to the principles of
integrity, objectivity, independence and confidentiality. Firms should therefore frame
appropriate procedures to ensure compliance with this policy. For instance an important
procedure would be to communicate the firms policies relating to independence to
personnel at all levels within the firm.
(b) Skills and competence - The firm should be staffed by personnel who have attained and
who maintain the skills and competence required to enable them to fulfil their
responsibilities. Implementation of this policy would involve following proper recruitment
procedures designed to obtain appropriately qualified personnel and procedures to
maintain a high degree of skills through periodic staff training, continuing professional
educational programmes and dissemination of information relating to current
developments in professional/technical standards.
(c) Assignment - Audit work should be assigned to personnel who have the degree of
technical training and proficiency required in the circumstances. If, however, special skills
required for the conduct of an audit e.g. a good EDP background to evaluate controls
over computer programs are not available within the firm, then reliance will have to be
placed on work delegated to outside experts.
2.30 Advanced Auditing and Professional Ethics

(d) Delegation - There is to be sufficient direction, supervision and review of work at all
levels to provide reasonable assurance that the work performed meets appropriate
standards of quality.
(e) Consultation - Whenever necessary, consultation within or outside the firm is to occur
with those who have appropriate expertise.
(f) Acceptance and retention of clients - An evaluation of prospective clients and a
review, on an ongoing basis, of existing clients is to be conducted. In making a decision
to accept or retain a client, the firm’s independence and ability to serve the client properly
are to be considered.
(g) Monitoring - The continued adequacy and operational effectiveness of quality control
policies and procedures is to be monitored.
A firm’s general quality control policies and procedures should be communicated to its
personnel in a manner that provides reasonable assurance that the policies and procedures
are understood. The form of communication would vary depending on the size of the firm and
the criticality of various policies and procedures and need not necessarily be documented in
all instances.
Special procedures should be developed to ensure that all personnel are kept fully aware of
the pronouncements of the Institute of Chartered Accountants of India, changes in the law and
appropriate notifications and clarifications issued by statutory authorities.
The firm should carry out an evaluation of a prospective client prior to acceptance and should
review, on an ongoing basis, the association with existing clients. In making a decision to
accept or continue with a client a firm should consider its own independence, its ability to
service a client properly, and the integrity of the client’s management.
In evaluating the firm’s ability to service the clients properly, consideration should be given to
the need for technical skills, knowledge of the industry and availability of suitable personnel.
In evaluating the integrity of the client’s management, consideration should be given to the
possibility of reviewing financial information available regarding the prospective client, such as
annual reports. Communication with the previous auditor may also provide significant
information or other similarly significant matters as also the predecessor’s understanding as to
the reason for the change in auditors.
2.11.3 Control on Individual Audits-
Delegation - Any delegation of work to assistants should be in a manner that provides
reasonable assurance that such work will be performed by persons having independence and
the degree of skills and competence required in the circumstances. Some of the factors which
need to be considered in this context are:
(i) Audit size and complexity
(ii) Personnel availability
Audit Strategy, Planning and Programming 2. 31

(iii) Special expertise required


(iv) Timing of the work to be performed.
The auditor and assistants with supervisory responsibilities should consider the skills and
competence of assistants in performing the work that is delegated to them and in deciding on
the extent of direction, supervision and review appropriate in each situation.
Direction - Appropriate directions should be given to assistants to whom work is delegated.
Direction involves informing assistants of their responsibilities and the objectives of the
procedures they are to perform. It also involves informing them of matters, such as the nature
of the entity’s business and possible accounting or auditing problems that may affect title
nature, timing, and extent of audit procedures with which they are involved.
Supervision - Supervision is closely related to both direction and review and may involve
elements of both.
Personnel carrying out supervisory responsibilities should perform the following functions
during the performance of an audit.
(a) Monitor the progress of the work to determine that:
♦ assistants appear to have the necessary skills and competence to carry out their
assigned tasks:
♦ assistants appear to understand the audit directions; and
♦ the work is being carried out in accordance with the audit programme and other
planning documents.
(b) Become informed of significant accounting and auditing questions raised during the audit,
assess their significance and modify the audit programme where appropriate.
(c) Resolve any differences of professional judgement between personnel.
The use of standardized forms, checklist and questionnaires assist in the performance of audit
and supervision of audit work.
Review - The work performed by each assistant should be reviewed by personnel of equal or
higher competence to determine whether:
(a) the work has been performed in accordance with professional and firm standards and
specific policies and procedures adopted by the audit firm;
(b) the work performed and the results obtained have been adequately documented;
(c) all significant audit matters have been resolved; and
2.32 Advanced Auditing and Professional Ethics

(d) the objectives of the audit procedures have been achieved and the conclusions
expressed are consistent with the results of the work performed and support the auditor’s
opinion on the financial information.
The following major review stages can often be identified in an audit:
(a) Review of the initial audit plan and the audit programme.
(b) Review of the study and evaluation of internal control, including compliance procedures,
and of the modifications, if any, made to the audit programme as a result thereof.
(c) Review of the documentation of the audit evidence obtained and the conclusions drawn
therefrom.
(d) Review of the financial information and proposed auditor’s report.
3
RISK ASSESSMENT AND INTERNAL CONTROL

Introduction
3.1 Audit risk means the risk that the auditor gives an inappropriate audit opinion when the
financial statement are materially misstated. Thus, it is the risk that the auditor may fail to
express an appropriate opinion in an audit assignment.
An auditor may consider audit risk both at overall level as well as at the level of individual
account balances or classes of transactions. This means that at overall level the auditor
applies their professional judgement to determine the extent of risk which he considers to be
an acceptable level. At account balance level, audit risk refers to the risk that error in
monetary terms exists beyond a tolerable error limit in the account balances or class of
transaction which the auditor fails to defect.
The Internal Control structure in an organization is referred to as the policies and procedures
established by the entity to provide reasonable assurance that the objectives are achieved.
The control structure in an organization basically has the following components:
1. Control Environment - Control environment covers the effect of various factors like
management attitude; awareness and actions for establishing, enhancing or mitigating the
effectiveness of specific policies and procedures.
2. Accounting System - Accounting system means the series of task and records of an entity
by which transactions are processed for maintaining financial records. Such system identifies,
assemble, analyze, calculate, classify, record, summarize and report transactions and other
events.
3. Control Procedure - Policies and procedures means those policies and procedures in
addition to the control environment and accounting systems which the management has
established to achieve the entity’s specific objectives.
In this regard, Auditing Assurance Standard No.1 : Basic Principles Governing an Audit also
specifies that management is responsible for maintaining an adequate accounting system
incorporating various internal controls to the extent that they are appropriate to the size and
nature of the business. There should be reasonable assurance for the auditor that the
accounting system is adequate and that all the accounting information required to be recorded
has in fact been recorded. Internal controls normally contribute to such assurance. The auditor
3.2 Advanced Auditing and Professional Ethics

should gain an understanding of the accounting system and related internal controls and
should study and evaluate the operation of those internal controls upon which he wishes to
rely in determining the nature, timing and extent of other audit procedures. Where the auditor
concludes that he can rely on certain internal controls, he could reduce his substantive
procedures which otherwise may be required and may also differ as to the nature and timing.
Specific Requirement under Auditing and Assurance Standard Number - 6 Risk Assessment
and Internal Control." In AAS-6 (Revised ) - “Risk Assessment and Internal Control”
procedures to be followed to obtain an understanding of accounting and internal control
systems and on audit risk and its components has been explained. AAS-6 defines the system
of internal control as the plan of organization including methods and procedures adopted in
achieving management objectives, like:
(a) adherence to policies;
(b) safeguarding of assets;
(c) prevention and detection of fraud and error;
(d) accuracy and completeness of accounting records; and
(e) timely preparation of reliable financial information.
AAS-6 further states that the auditor should obtain an understanding of the accounting and
internal control system sufficient to plan the audit and develop an effective audit approach.
The auditor should use professional judgement to assess audit risk and to design audit
procedures to ensure that it is reduced to an acceptable low level.
Internal Control System - Nature, Scope, Objectives and Structure
3.2 The Following are the Nature, Scope, Objectives and Structure of an Internal Control
Audit:
Nature - A set of internally generated policies and procedures adopted by the management of
an enterprise is a prerequisite for an organisations efficient and effective performance. It is
thus, a primary responsibility of every management to create and maintain and adequate
system of internal control appropriate to the size and nature of the business entity.
AAS-6 defines the system of internal control as all the policies and procedures adopted by
the management of an entity to assist in achieving management’s objective of ensuring, as
far as practible, the orderly and efficient conduct of its business.
Scope - The scope of internal controls extends beyond mere accounting controls and
includes all administrative controls concerned with the decision - making process leading to
managements authorization of transaction, such controls include, production method,
time and motion study, pricing policies, quality control, work standard, budgetary control,
policy appraisal, quantitative controls etc. In an independent financial audit, the auditor is
primarily concerned with those policies and procedures having a bearing on the assertions
underlying the financial statements. These comprise primarily controls relating to
safeguarding of assets, prevention and detection of fraud and error, accuracy and
completeness of accounting records and timely preparation of reliable financial information.
Risk Assessment and Internal Control 3.3

Administrative controls, on the other hand, have only a remote relationship with financial
records and the auditor may evaluate only those administrative controls which have a
bearing on the reliability of the financial records.
Objectives - The objectives of internal control systems are determined by the management,
after considering the nature of business, scale operations, the extent of professionalism of
the management etc. AAS-6, identifies the following objectives of internal controls relating to
the accounting system:
(i) Transactions are executed through general or specific management authorization.
(ii) All transactions are promptly recorded in an appropriate manner to permit the
preparation of financial information and to maintain accountability of assets.
(iii) Assets and records are safeguarded from unauthorized access, use or disposition.
(iv) Assets are verified at reasonable intervals and appropriate action is taken with regard
to the discrepancies.
The basic accounting control objectives which are sought to be achieved by any accounting
control system are:
(a) whether all transactions are RECORDED;
(b) Whether recorded transactions are REAL;
(c) whether all recorded transactions are PROPERLY VALUED;
(d) whether all transactions are RECORDED TIMELY;
(e) whether all transactions are PROPERLY POSTED;
(f) whether all transactions are PROPERLY CLASSIFIED AND DISCLOSED;
(g) whether all transactions are PROPERLY SUMMARIZED;
If the response to all the above answer is positive, the auditor would be justified in limiting
his account balance tests considerably. In case of excellent companies it may also be
possible to rely on account balance with minimum of external tests, such as direct
confirmation, management representation etc,. Where in a system a particular control is
found to be deficient, audit attention can be focused on the areas where basic accounting
control objectives are not being adhered to. For example, if it found that sales transactions
are not being properly valued in accordance with the price list determined by the
management, the auditor would have to perform extensive searching tests on sales invoices
to assure himself that the recoverable amounts are correctly posted. He may also want to
expand his confirmation request at the year end to cover a large majority of debtors.
Limitations of Internal Control - An Internal Control system can provide only reasonable
assurance that the management’s objectives in establishing the system are achieved. That
is, no internal control system can provide absolute assurance that the control objectives are
achieved. This is due to the fact that any internal control system has certain internal
limitations. The limitations may arise due to:
(i) Controls have to be cost-effective.
3.4 Advanced Auditing and Professional Ethics

(ii) Most controls address transaction of usual and routine nature. They fail in respect of
transactions of unusual nature.
(iii) The potential of human error remains in any system of control.
(iv) In any system of control, the possibility of circumvention of controls through collusion
between two or more persons might exist.
(v) A member of the management may himself override the controls.
(vi) Controls may not keep pace with changes in condition.
(vii) Management itself may manipulate transactions or accounting estimates.
The inherent limitation of internal control system requires the auditor to perform substantive
procedure to be able to express an opinion.
Structure - In order to achieve the objectives of internal controls, it is necessary to establish
adequate control policies and procedures. Most of these policies and procedures cover:
Segregation of duties - Transaction processing are allocated to different persons in such a
manner that no one person can carry through the completion of a transaction from start to
finish or the work of one person is made complimentary to the work of another person. The
purpose is to minimize the occurrence of fraud and errors and to detect them on a timely
basis, when they take place. The following functions are segregated -
(a) authorization of transactions;
(b) execution of transactions;
(c) physical custody of related assets; and
(d) maintenance of records and documents, while allocating duties, the considerations of
cost and efficacy should be kept in mind as there is a tendency to stretch the allocation
of tasks involved in a job to more persons than what is required resulting in cumbersome
procedures, over elaboration of records and unduly high cost of administration.
Apart from segregation of duties, periodic rotation of duties of personnel is also desirable.
The rotation of duties seeks to ensure that if a fraud and error is committed by a person, it
does not remain undetected for long. It also ensures that a person cannot develop vested
interest by holding a position for to long. Rotation of duties also ensures that each employee
keeps his work up to date. This also makes an employee to be careful because he is aware
that his performed tasks will be reviewed by others when duties are rotated.
Authorization of Transaction - Delegation of authority to different levels and to particular
persons are required to establish by the management for controlling the execution of
transaction in accordance with prescribed conditions. Authorization may be general or it may
be specific with reference to a single transaction. It is necessary to establish procedures
which provide assurance that authorizations are issued by persons acting within the scope of
their authority, and that the transactions conform to the terms of the authorizations. This
objective can be achieved by making independent comparison of transaction document with
general or specific authorizations, as the case may be.
Risk Assessment and Internal Control 3.5

Adequacy of Records and Documents - Accounting controls should ensure that -


(i) Transactions are executed in accordance with management’s general or specific
authorization.
(ii) Transactions and other events are promptly recorded at correct amounts.
(iii) Transactions should be classified in appropriate accounts and in the appropriate period
to which it relates.
(iv) Transaction should be recorded in a manner so as to facilitate preparation of financial
statements in accordance with applicable accounting standards, other accounting
policies and practices and relevant statutory requirements.
(v) Recording of transaction should facilitate maintaining accountability for assets
(vi) Assets and records are required to be protected from unauthorized access, use or
disposition.
(vii) Records of assets such as sufficient description of the assets (to facilitate identification)
its location should also be maintained so that the assets could be physically verified
periodically.
For prompt, accurate, complete and appropriate recording of accounting transaction, several
procedures are often established by the management. The assurance that transactions have
been properly recorded can also be obtained through a comparison of records with an
independent source of information which provides an indication of the execution of the
relevant transactions.
Accountability and Safeguarding of Assets - The process of accountability of assets
commences from acquisitions of assets its use and final disposal. Safeguarding of assets
requires appropriate maintenance of records, their periodic reconciliation with the related
assets. Assets like cash, inventories, investment scrips require frequent physical verification
with book records. The frequency of reconciliation would differ for different assets depending
upon their nature and amount. Assets which are considered sensitive or susceptible to error
need to be reconcile more frequently than others. For proper safeguarding of assets, only
authorized personnel should be given access to such asset. This not only means physical
access but also exercising control over processing of documents relating to authorization
for use and disposal of assets. It is essential to have effective controls over physical custody
of cash, inventories, investments and other fixed assets. In some cases, as per requirement,
special procedures regarding physical custody of assets may have to be designed by the
management.
Independent Checks - Independent verification of the control systems, designed and
implemented by the management, involves periodic or regular review by independent
persons to ascertain whether the control procedures are operating effectively or not. Such
process may be carried out by specially assigned staff under the banner of external audit.
3.6 Advanced Auditing and Professional Ethics

Components of Internal Controls


3.3 The overall systems of inter control comprises of Administrative Control and Accounting
Controls, Internal Checks and Internal Audit are important constituents of Accounting
Controls.
Internal Check System - Internal check system implies organization of the overall system of
book-keeping and arrangement of Staff duties in such a way that no one person can carry
through a transaction and record every aspect thereof. It is a part of overall control system
and operates basically as a built-in-device as far as organization and job-allocation aspects
of the controls are concerned. The system provides existence of checks on the day to day
transactions which operate continuously as part of the routine system whereby the work of
each person is either proved independently or is made complimentary to the work of another.
The following are the objectives of the internal check system:
(i) To detect error and frauds with ease.
(ii) To avoid and minimize the possibility of commission of errors and fraud by any staff.
(iii) To increase the efficiency of the staff working within the organization.
(iv) To locate the responsibility area or the stages where actual fraud and error occurs.
(v) To protect the integrity of the business by ensuring that accounts are always subject to
proper scrutiny and check.
(vi) To prevent and avoid the misappropriation or embezzlement of cash and falsification of
accounts.
The effectiveness of an efficient system of internal check depends on the following
considerations -
(i) Clarity of Responsibility - The responsibility of different persons engaged in various
operations of business transactions should be properly identified. A well integrated
organizational chart depicting the names of responsible persons associated with specific
functions may help to fix up responsibility.
(ii) Division of Work - The segregation of work should be made in such a manner that the
free flow of work is not interrupted and also helps to determine that the work of one person is
complementary to the other. Then, it is suggested that rotation of different employees
through various components of job should be effectively implemented.
(iii) Standardization - The entire process of accounting should be standardized by creating
suitable policies commensurate with the nature of the business, so as to strengthen the
system of internal check.
(iv) Appraisal - Periodic review should be made of the chain of operations and work flow.
Such process may be carried out by preparing an audit flow chart.
The general condition pertaining to the internal check system may be summarized as under -
(i) no single person should have complete control over any important aspect of the
business operation. Every employee’s action should come under the review of another
Risk Assessment and Internal Control 3.7

person.
(ii) Staff duties should be rotated from time to time so that members do not perform the
same function for a considerable length of time.
(iii) Every member of the staff should be encouraged to go on leave at least once a year.
(iv) Persons having physical custody of assets must not be permitted to have access to the
books of accounts.
(v) There should exist an accounting control in respect of each class of assets, in addition,
there should be periodical inspection so as to establish their physical condition.
(vi) Mechanical devices should be used, where ever practicable to prevent loss or
misappropriation of cash.
(vii) Budgetary control should be exercised and wide deviations observed should be
reconciled.
(viii) For stock taking, at the close of the year, trading activities should, if possible be
suspended, and it should be done by staff belonging to several sections of the
organization.
(ix) The financial and administrative powers should be distributed very judiciously among
different officers and the manner in which those are actually exercised should be
reviewed periodically.
(x) Procedures should be laid down for periodical verification and testing of different sections
of accounting records to ensure that they are accurate.
The scope of statutory audit is limited by both time and cost. Therefore, it is increasingly being
recognized that for an audit to be effective especially in case of large organization, the
existence of a system of internal check is essential.
Internal Audit - Internal audit may be defined as, an independent appraisal function
established within an organization to examine and evaluate its activities as a service to the
organization. The scope of the internal audit is determined by the management. Internal
auditing includes a series of processes and techniques through which an organizations own
employees ascertain for the management, by means of on-the-job observation, whether
established management controls are adequate, and are effectively maintained; records and
reports financial, accounting and otherwise reflect actual operation and results accurately and
properly; each division, department or other units are carrying out the plans, policies and
procedures for which they are responsible.
For a detailed discussion on internal audit refer to Chapter 19.

Review of the System of Internal Controls


3.4 The review of the internal control system enables the auditor -
(i) to formulate his opinion as to the reliance he may place on the system itself i.e. whether
the system is such as would enable the management to produce a true and fair set of
3.8 Advanced Auditing and Professional Ethics

financial statements; and


(ii) to locate the areas of weakness in the system so that the audit programme and the
nature, timing and extent of substantive and compliance audit procedures can be
adjusted to meet the situation. For example, if the auditor is not satisfied with the control
system as regards debtors, he may decide to have a wider coverage for confirmation of
debtor’ balances. Normally, investments and cash are physically verified at the end of the
period and this routine is known to the client and his employees. In case the auditor
comes across a weakness in the control either he may provide in the programme for a
surprise cash count or investment verification on a day preceding or succeeding the
routine verification. In such a case, a surprise check will be more useful if it is
undertaken after the routine verification is over. Similarly if he is of the view that because
of weak controls the possibility of wrong billing to customers exists, be may extend the
programme for comparison of the invoices with the forwarding notes and for checking of
the extensions and castings of the invoices.
Deciding the point of time appropriate for undertaking the review of the internal controls
is a matter for individual judgement of the auditor. This decision can be taken on a
consideration of the size and complexity of the client’s operations. If the auditor, because
of his continuing relationship with his client, is already aware of the features and efficacy
of internal controls, he may just review the changes that have taken place in the
intervening period because of changes in the operations of the client. However, a
comprehensive review in such cases must be made at an interval of, say, 3 years.
Ordinarily, the review of internal controls should be undertaken as a distinct phase of
audit before finalisation of the audit programme. However, if the size of operations is
rather small, the review can be undertaken in conjunction with other audit procedures
and the programmes can be adjusted for any extension or elimination of checking.
When the auditor finds inadequacies or weaknesses in the internal control system, he
should advise his client about such inadequacies and weaknesses and the
consequences that may follow. It should be the duty of the auditor to see, in the course of
his audit, how far the inadequacies and weaknesses have been removed. He will take
this into account in preparing his audit report. It is a useful practice to note the following
after each function, set out in the audit programme -
(i) Any change in the system of internal control from that record in the appropriate
section of the internal control questionnaire.
(ii) Any further weakness noted in the internal control.
(iii) Any instance where the prescribed system or procedure has not been followed.
These should be considered in deciding whether any further modification in the audit
programme is called for. Also, these should be communicated to the client and confirmation
should be sought as regards changes in the system.
The review of internal control consists mainly of enquiries of personnel at various organisa-
tional levels within the enterprise together with reference to documentation such as
procedures, manuals, job description and flow-charts, to gain knowledge about the controls
Risk Assessment and Internal Control 3.9

which the auditor has identified as significant to his audit. The auditor may trace a few
transactions through the accounting system to assist in understanding that system and it is
related to internal controls. The auditor’s preliminary evaluation of internal controls should be
made on the assumption that the controls operate generally as described and that they
function effectively throughout the period of intended reliance. The purpose of the preliminary
evaluation is to identify the particular controls on which the auditor still intends to rely and to
test through compliance procedures. Different techniques are used to record information
relating to an internal control system. Selection of a particular technique is a matter for the
auditor’s judgement.

Methods of Recording
3.5 The following are the methods of recording:
3.5.1 Questionnaire - Because of the widespread experience that auditors possess about the
business operations in general and the knowledge about the appropriate control, most of the
auditing firms have developed their own standardised internal control questionnaire on a
generally applicable basis. In developing the standard questionnaire, endeavour is made to
make it as wide as possible so that all situations, generally found, are included therein but all
of these may not be applicable in a particular case. A questionnaire is a set of questions
framed in an organised manner, about each functional area, which has as purpose the
evaluation of the effectiveness of control and detection of its weakness if any. A questionnaire
usually consists of several separate sections devoted to areas such as purchases, sales,
debtors, creditors, wages, etc. The questionnaire is intended to be filled by the company
executives who are in charge of the various areas. However, this poses some practical
difficulties. The questionnaire is to travel from executives and, therefore, it may take a pretty
long time to be filled; also the questions may not be readily intelligible to busy executives and
there is a possibility of the questionnaire being misplaced while travelling from one table to
another. Having regard to these difficulties, it is now almost an accepted practice that the
auditor (or his representative) arranges meetings with the executives concerned and gets the
answers filled by each executive. Sometimes, the auditor himself may be required to fill the
answers. In such a case, he should ensure that the concerned executive has initiated the
answers as a token of his agreement therewith.
Questions are so framed as generally to dispense with the requirement of a detailed answer to
each question. For this purpose, often one general question is broken down into a number of
questions and sub-questions to enable the executive to provide a just ‘Yes’, ‘No’ or ‘Not
applicable’ form of reply. Questions are also framed in such a manner that generally a “No”
answer will effect weakness in the control system. This requires giving a positive power to the
question, keeping in view what the proper control should be. Consider the question ‘Are all
receipts recorded promptly and deposited in bank daily? If the answer to this is ‘Yes’, it fits
with the plan of good internal control. But if it is ‘No’ it indicates weakness in the system in as
much as the moneys received may not be recorded and may be defalcated because the
cashier has continued control over the amount for an uncertain period. However, this should
not be taken as an unbreakable rule. Questions may be framed also when a ‘Yes’ answer
would indicate weakness. The only thing that should be borne in mind is that the scheme of
3.10 Advanced Auditing and Professional Ethics

questions should be consistent, sequential, logical, and if possible corroborative. Wherever it


is necessary, slightly detailed answers also may be asked for to bring clarity to the matter. In
the use of standardized internal control questionnaire, certain basic assumptions about
elements of good control are taken into account. These are -
(i) Certain procedures in general used by most business concerns are essential in achieving
reliable internal control. This is a time-tested assumption. Deposit into bank of the entire
receipts of a day or daily balancing of the cash book and ledgers or periodic
reconciliation with the control accounts are examples of widely used practices which are
considered good internal control practices. Besides, basic operations giving rise to these
practices exist in all businesses irrespective of their nature.
(ii) Organisations are such that permit an extensive division of duties and responsibilities.
The larger the organisation, the greater is the scope of such division.
(iii) Employees concerned with accounting function are not assigned any custodial function.
(iv) No single person is thrust with the responsibility of completing a transaction all by
himself.
(v) There should always be evidence to identify the person who has done the work whether
involving authorisation, implementation or checking.
(vi) The work performed by each one is expected to come under review of another in the
usual course of routine.
(vii) There is proper documentation and recording of the transactions.
The questionnaire serves the purpose of a record so far as the auditor is concerned about the
state of internal control as given to him officially. A question naturally arises as to whether it is
necessary to issue questionnaire for every year of the auditor’s engagement. For the first year
of engagements issue of questionnaire is necessary. For subsequent years, the auditor,
instead of issuing a questionnaire again, may request the client to confirm whether any
change in the nature and scope of business has taken place that necessitated a
corresponding change in the control system, or whether, even without a change in the nature
and scope of business, the control system has undergone a change. If there has been a
change, the auditor should take note of its and enter appropriate comments on the relevant
part of the questionnaire. However, it would be a good practice in the case of continuing
engagements to issue a questionnaire irrespective of any change, say, every third year. This
will obviate unnecessary trouble of filling the answers every time and to that extent the client’s
and the auditor’s own time will be saved. The rationale for issuance of a questionnaire every
three years, in the case of even no change, lies in altering the client as regards unnoticed and
unspectacular changes that might have taken place during the intervening period; also this will
make the client more control-conscious. Questionnaires can be prepared for various aspects
of the internal control system. A few sample questionnaires are given in Annexure 3.1.
3.5.2 Check List - It is a series of instructions or questions on internal control which the auditor
must follow or answer. When a particular instruction is carried out, the auditor initials the
space opposite the instruction. If it is in the form of a question the answer generally ‘Yes’, ‘No’
Risk Assessment and Internal Control 3.11

or ‘Not Applicable’ is entered opposite the question. A check list is more in the nature of a
reminder to the auditor about the matters to be checked for testing the internal control system.
While a questionnaire is basically a set of questions put to the client, a check list which may
be in a form of instructions, questions or just points to be checked may be meant for the
auditor’s own staff it is a set of instructions or points; it may be meant for the client if it is in the
form of questions. The question form of check list may even be meant for the auditor’s own
staff. For example, questions in the check list may be formed in the following manner (this is
an illustrative set of questions to be answered by the audit staff).
1. Have you checked that the cashier
(i) is not responsible for opening the incoming mails;
(ii) does not authorise any of the ledgers;
(iii) does not authorise any expenditure or receipt;
(iv) does not sign cheques;
(v) takes his annual leave regularly;
(vi) inks and balances the cash book everyday;
(vii) verifies physical cash balance with the book figure daily at the end of the day;
(viii) prepares monthly bank reconciliation statement;
(ix) holds no other funds or investment;
(x) holds no unnecessary balance in hand;
(xi) does not pay money without looking into compliance with proper procedure and due
authorisation; and
(xii) has tendered proper security or has executed a fidelity bond?
When the check list is in question form it is hardly different from a questionnaire. However,
generally questionnaire is a popular medium for the evaluation of the internal control system.
The basic distinction between internal control questionnaire and check list are as under:
1. The ICQ incorporates a large number of detailed questions but the check list generally
contains questions relating to the main control objective with the area under review.
2. ICQ, the weaknesses are highlighted by the ‘Yes’ while in the check list, it is indicated by
‘No’.
3. The significance of ‘No’ in an ICQ does indicate a weakness but the significance of that
weakness is not revealed automatically. However, in the check list, a specific statement
is required where an apparent weakness may prove to be material in relation to the
accounts as a whole.
3.5.3 Flow chart - The flow charting technique can also be resorted to for evaluation of the
internal control system. It is a graphic presentation of internal controls in the organisation and
is normally drawn up to show the controls in each section or sub-section. As distinct from a
narrative form, it provides the most concise and comprehensive way for reviewing the internal
3.12 Advanced Auditing and Professional Ethics

controls and the evaluator’s findings. In a flow chart, narratives, though cannot perhaps be
totally banished are reduced to the minimum and by that process, it can successfully bring the
whole control structure, specially the essential parts thereof, in a condensed but wholly
meaningful manner. It gives a bird’s eye view of the system and is drawn up as a result of the
auditor’s review thereof. It should, however, not be understood that details are not reflected in
a flow chart. Every detail relevant from the control point of view and the details about how an
operation is performed can be included in the flow chart. Essentially a flow chart is a diagram
full with lines and symbols and, if judicious use of them can be made, it is probably the most
effective way of presenting the state of internal controls in the client’s organisation. A properly
drawn up flow chart can provide a neat visual picture of the whole activities of the section or
department involving flow of documents and activities. More specifically it can show -
(i) at what point a document is raised internally or received from external sources;
(ii) the number of copies in which a document is raised or received;
(iii) the intermediate stages set sequentially through which the document and the activity
pass;
(iv) distribution of the documents to various sections, department or operations;
(v) checking authorisation and matching at relevant stages;
(vi) filing of the documents; and
(vii) final disposal by sending out or destruction.
As a matter of fact a very sound knowledge of internal control requirements is imperative for,
adopting flow-charting technique for evaluation of internal controls; also it demands a highly
analytical mind to be able to see clearly the inter division of a job and the appropriate control
at relevant points.
It has been stated earlier that flow charts should be made section-wise or department-wise.
The suggestion has been made to ensure readability and intelligibility of the flow charts.
Drawing of a flow chart - A flow chart is normally a horizontal one in which documents and
activities are shown to flow horizontally from section to section and the concerned sections are
shown as the vertical column heads; in appropriate cases an individual also may be shown as
the vertical column head. Care should be taken to see that the first column head is devoted to
the section or the individual wherefrom a transaction originates and the placements of other
column heads should be in the order of the actual flow of the transaction. It has been started
earlier that a flow chart is a symbolic representation the flow of activity and related documents
through the section from origin to conclusion. These can be sales, purchases, wages,
production, etc. Each one of the main functions is to be linked with related functions for
making a complete course. Purchase is to be linked with sundry creditors and payments; sales
with sundry debtors and collections. By this process, a flow chart will become self contained,
complete and meaningful for evaluation of internal controls.
Risk Assessment and Internal Control 3.13

Generally, a questionnaire is also enclosed with a flow chart, incorporating questions, the
answers to which are to be looked into from the flow chart. This is an evaluation of the control
system through the process of flow charting. The internal control questionnaire contains ques-
tions; answers are available in the flow chart and they will reveal weakness, if any, in the
system. In fact, the questionnaire is a guide for the study of a control system through flow
charts.
3.14 Advanced Auditing and Professional Ethics

We may examine the flow charting techniques for evaluation of internal controls on the sales
and debtors function. Let us assume that these are -
1. Order receiving function.
2. Despatch function.
3. Billing function.
4. Accounting in the debtors’ ledger.
5. Main accounting function.
6. Inventory recording function.
All these functions are carried out in distinct sections. As regards the Order Receiving
Section, let us further assume that the section receives orders:
(i) through mail;
(ii) by telephone; and
(iii) through the company’s salesmen.
Basing the receipts of orders of customers, the section raises internal “Sales advices”. These
sales advices are consecutively numbered (by reference to the last number on the order book)
and entered in the order book with the consecutive number, date, the party and other relevant
details. The orders received from customers are temporarily filed in the alphabetical order.
The sales advices are prepared in sets of four with a noting for the customer’s sales-tax
status. All the four copies are sent to the despatch section. The despatch section, after
despatch of the goods, sends back to the Order receiving Section the last copy of the sales
advice after entering thereon the date of despatch and the quantity despatched. Upon receipt
of the last copy, the Order receiving Section enters the date of dispatch and the quantity
despatched in the order book. If the quantity despatched is fulfillment of the quantity ordered,
the last copy of the sales invoices is annexed to customer’s order and filed in the customer’s
file. If, however, the order is only partly executed, the copy of the sales advice is kept in a
temporary file in numerical order. Periodically this file is checked to determine the unfulfilled
orders and, if stock is then available, the Section again initiates fresh sales advices in respect
of the unfulfilled part and all the processes, as in the case of original, are repeated. The last
copy of the original set is annexed to the customer’s order and kept in the customer’s file.
The salesmen use the same advice form as is being used by the order receiving section.
For the purpose of drawing a flow chart to incorporate the above narration it is useful to know -
1. the point for originating the flow of transaction.
2. the documents, internal and external, and the flow of the transaction, number of copies,
distribution flow and the details.
3. the books, if any, maintained and the details recorded there in and the source or sources
for the details.
4. that there exists an alternative possibility.
Risk Assessment and Internal Control 3.15

The flow chart for the above may be as under -

CHART 1
We can extend the activity flow now to the despatch section which is the logical second stage
of operation. The work and procedure content of the despatch section is assumed to be as
follows:
After the receipt of the sales advices in sets of four, the despatch section arranges despatch
of materials and put the date of despatch and the quantities despatched; the head of the
Section initials the advices. The last copy of the advice is sent back to the Order Receiving
Section. The first copy is sent as a packing slip with the goods, the second copy goes to the
Billing Department and the third copy accompanies the goods when delivered to the buyer
and, obtaining the buyer’s acknowledgement of the receipt of the goods therein, is received
back and filed date-wise. In case of goods not directly delivered to the buyers, i.e., when the
goods are sent either by rail, road or water transport, the copy constitutes the basis for raising
the relevant forwarding note on the basis of which R.R. etc., can be prepared.
3.16 Advanced Auditing and Professional Ethics

The flow chart for the despatch section may be as follows -

CHART 2
This flow is taken to the Billing Section. The Section generally accumulates the second copy
of the Sales Advice for two or three days and prepares sales invoices in sets of four. The
pricing of the sales invoice is done by reference to the company’s current price list or the
catalogue. The number of the sales advice is entered on the corresponding invoice which is
pre-numbered, also, the number of the invoice is recorded on the copy of the sales advice
which is then filed alphabetically. The first copy of the invoice is sent to the customer while the
second, third and fourth copies are respectively sent to the sundry debtors’ ledger clerk, the
Stock Section and the Accounts Section. The Billing Section also is responsible for raising
credit notes on the basis of documents received. Credit notes are also prepared in sets of four
and are distributed in exactly the same way as invoices. The stocks of invoice and the credit
note forms remain in the Billing Section.
Risk Assessment and Internal Control 3.17

The Flow Chart for this Section is given below -

CHART 3
Now, in the order of the flow of activities, more sectional flow charts can be prepared to cover
the activities in the Accounts Section and the Stock Section and they together, when
sequentially assembled, will constitute the complete flow chart for the sales transactions and
sundry debtors recordings.
(These flow charts have been prepared on the basis of the approach and the symbols used in
the book “Analytical Auditing” by Skinner and Anderson. Students who desire to study the
subject of preparation of flow charts further may refer to Chapter 4 of that book.)
It is now left for us to see how these flow charts reveal the state of internal control. A close
look into flow charts will show the following:
(i) The advices are sent by salesmen; though prepared on the same sales advice form as is
prepared in the section, there is no check that all the advices sent by salesmen have
been received. This may entail loss of business because of non-receipt of sales advice.
(Refer to the flow chart for the Order Receiving Section).
3.18 Advanced Auditing and Professional Ethics

(ii) The raising of sales advises on the basis of telephonic orders, irrespective of the party’s
standing and record of performance is risky from the business point of view. (Refer to the
flow chart for the Order Receiving Section).
(iii) There is no system of prior credit sanction to the parties; in consequence, there may be
despatch of goods to bad credit risks. (Refer to the flow chart for the Despatch Section).
(iv) There is no check that all the second copies of the sales advices sent by the Despatch
Section have been received by the Billing Section. The possibility of despatch not being,
billed exists, (Refer to the flow chart for the Despatch as well as the Billing Section.
(v) There is no check in respect of pricing, extension and addition on the invoice or the credit
notes. This may result in loss of revenue for wrong pricing or wrong calculation. (Refer to
the flow chart for Billing Section).
(vi) It is not clear whether the supporting documents are adequate for authorising the issue of
credit notes where there is a need for a greater caution. (Refer to the flow chart for Billing
Section).
So far we have seen the points of weaknesses that are evident from these flow charts. For a
clearer understanding of the flow chart as a medium for evaluating internal controls, the
following further points may be useful:
(a) There exists proper numerical control over orders booked (except the case for the
salemen’s orders).
(b) There is a permanent and continuous record of the orders booked in the form of order
book.
(c) There is a definite basis for raising sales advices.
(d) The order book record is always kept complete by entering the information about the
execution of the order and this keeps the information about the pending orders ready at
any moment.
(e) Partly executed orders are reviewed from time to time so that as soon as goods are
available, the same may be despatched to customers.
(f) The customer’s purchase order and the related sales advises are matched and kept
together in the customer’s file.
(g) The sales advices are initialed by the Despatch Section head as token of his having
satisfied himself about the correctness of the entries as regards the quantity despatched
and the date of despatch.
(h) Record of actual direct delivery is maintained through the copy of the sales advice
bearing the customer’s, acknowledgement of his having received the goods. Similarly,
the record of out station deliveries is kept in the copy of the forwarding note annexed to
the sales advice copy.
(i) Documents have as many copies as are necessary for ensuring proper flow and proper
control. There is no wastage through unnecessary copies nor any hold up because of
Risk Assessment and Internal Control 3.19

inadequacy of copies.
(j) There are supporting documents for raising invoices and credit notes.
(k) The distribution of invoices and credit notes is such as would enable the recording of
billing at the relevant centres independent of each other.
(l) There is control over the number of invoices and credit notes by pre-numbering.
Thus, by flow charting has an auditor can very clearly see the inter- relationships of the
activities and flows and how they are integrated from stage to stage. However, the
auditor has to be careful about the readability and intelligibility of the chart. Identification
of all individual functions in a section is also highly relevant for preparation of the flow
chart. The smaller the segment, the better is the possibility of quick comprehension.
Naturally, the auditor should try to see each section as the natural assembly of distinct
and identified components.

Evaluation of Internal Control


3.6 The auditor, in forming his opinion on financial information, needs reasonable assurance
that transactions are properly authorised and recorded in the accounting records and that
transactions have not been omitted. Internal controls, even if fairly simple, may contribute to
the reasonable assurance the auditor seeks. The auditor’s objective in studying and evaluating
internal controls is to establish the reliance he can place thereon in determining the nature,
timing and extent of his substantive auditing procedures.
Compliance procedures are tests designed to obtain reasonable assurance that those internal
controls on which audit reliance is to be placed are in effect. These procedures include tests
requiring inspection of documents supporting transactions to gain evidence that controls have
operated properly (for example, verifying that the document has been authorised) and
enquiries about the observation of controls which leave no audit trial (for example, determining
who actually performs each function trial not merely who is supposed to perform it).
The auditor should review the accounting system and related internal controls to gain an
understanding of the flow of transactions and the specific control procedures to be able to
make a preliminary evaluation and identification of those internal controls on which it might be
effective and efficient to rely in conducting his audit. The purpose of preliminary evaluation is
to identify the particular controls on which the auditor intends to rely and to test through
compliance procedures. It should be remembered that preliminary evaluation of the internal
control is made on the assumptions that the controls operates generally as described and that
they function effectively throughout the period of intended reliance.
Compliance procedures should be conducted by the auditor to gain evidence that those
internal controls on which he intends to rely operate generally as identified by him and that
they function effectively throughout the period of intended reliance. The concept of effective
operation recognises that some deviations from prescribed controls may have occurred.
Deviations from prescribed controls may be caused by such factors as changes in key
personnel, significant seasonal fluctuations in volume of transactions and human error. The
auditor should make specific enquiries concerning these matters, particularly as to the timing
3.20 Advanced Auditing and Professional Ethics

of staff changes in key control functions. He should then ensure that his compliance
procedures appropriately cover such a period of change or fluctuation.
Based on the results of his compliance procedures, the auditor should evaluate whether the
internal controls are adequate for his purposes. If based on the results of the compliance
procedures, the auditor concludes that it is not appropriate to rely on a particular internal
control to the degree previously contemplated, he should ascertain whether there is another
control which would satisfy his purpose and on which he might rely (after applying appropriate
compliance procedures). Alternatively, he may modify the nature, timing or extent of his
substantive audit procedures.
The auditor’s compliance procedures normally should be applied to transactions selected from
those of the entire period under examination. When, however, a shorter period is initially
tested, the auditor needs to consider what is necessary to provide reasonable assurance as to
the reliability of the accounting records for the whole period. The auditor’s judgement as to
the nature, timing and extent of compliance or substantive procedures to be applied to
transactions occurring in the remaining period will be affected by such factors as the following-
(a) the results of the procedures already conducted;
(b) the responses to enquiries as to whether the internal control system is still operating in
the same manner as when studied and evaluated;
(c) the length of the remaining period
(d) the nature and amount of transactions or balances involved;
(e) the auditor’s evaluation of internal control environment, especially supervisory controls;
and
(f) the substantive procedures which the auditor intends to carry out irrespective of the
adequacy of internal controls.
The aforesaid study and discussion to give an overall idea of the control plan as it is and may
be considered as the first step of evaluation. This is followed by a process which enables the
auditor to know the specific control, its appropriateness and weakness of redundancy in the
context of the specific operation. This process is essentially a question and answer exercise.
For this, the auditor should have sufficient knowledge and experience about what should be
the appropriate and exact control in the given circumstances for the specific operation.
Accordingly, he frames questions for the answers to which will provide him insight into the
effectiveness or otherwise of the given controls. This question- answer exercise can be
undertaken either by framing a questionnaire or a check list.

Internal Control and Risk Assessment


3.7 The auditor should obtain an understanding of the control environment sufficient to
assess management's attitudes, awareness and actions regarding internal controls and their
importance in the entity. Such an understanding would also help the auditor to make a
preliminary assessment of the adequacy of the accounting and internal control systems as a
basis for the preparation of the financial statements, and of the likely nature, timing and extent
Risk Assessment and Internal Control 3.21

of audit procedures.
The auditor should obtain an understanding of the control procedures sufficient to develop the
audit plan. In obtaining this understanding, the auditor would consider knowledge about the
presence or absence of control procedures obtained from the understanding of the control
environment and accounting system in determining whether any additional understanding of
control procedures is necessary. Because control procedures are integrated with the control
environment and the accounting system, as the auditor obtains an understanding of the
control environment and the accounting system, some knowledge about control procedures is
also likely to be obtained, for example, in obtaining an understanding of the accounting system
pertaining to cash, the auditor ordinarily becomes aware of whether bank accounts are
reconciled regularly. Ordinarily, development of the overall audit plan does not require an
understanding of control procedures for every financial statement assertion in each account
balance and transaction class.
3.7.1 Control Risk -
Preliminary Assessment of Control Risk - After obtaining an understanding of the
accounting system and internal control system, the auditor should make a preliminary
assessment of control risk, at the assertion level, for each material account balance or class of
transactions.
The preliminary assessment of control risk is the process of evaluating the likely effectiveness
of an entity's accounting and internal control systems in preventing or detecting and correcting
material misstatements. The preliminary assessment of control risk is based on the
assumption that the controls operate generally as described and that they operate effectively
throughout the period of intended reliance. There will always be some control risk because of
the inherent limitations of any accounting and internal control system.
The auditor ordinarily assesses control risk at a high level for some or all assertions when:
(a) the entity's accounting and internal control systems are not effective; or
(b) evaluating the effectiveness of the entity's accounting and internal control systems would
not be efficient.
In the above circumstances, the auditor would obtain sufficient appropriate audit evidence
from substantive procedures and from any audit work carried out in the preparation of financial
statements.
The preliminary assessment of control risk for a financial statement assertion should be high
unless the auditor:
(a) is able to identify internal controls relevant to the assertion which are likely to prevent or
detect and correct a material misstatement; and
(b) plans to perform tests of control to support the assessment.
Documentation of Understanding and Assessment of Control Risk - The auditor should
document in the audit working papers:
(a) the understanding obtained of the entity's accounting and internal control systems; and
3.22 Advanced Auditing and Professional Ethics

(b) the assessment of control risk.


When control risk is assessed at less than high, the auditor would also document the basis for
the conclusions.
Different techniques may be used to document information relating to accounting and internal
control systems. Selection of a particular technique is a matter for the auditor's judgement.
Common techniques, used alone or in combination, are narrative descriptions, questionnaires,
check lists and flow charts. The form and extent of this documentation is influenced by the
size and complexity of the entity and the nature of the entity's accounting and internal control
systems. Generally, the more complex the entity's accounting and internal control systems
and the more extensive the auditor's procedures, the more extensive the auditor's
documentation will need to be.
Tests of Control - Tests of control are performed to obtain audit evidence about the
effectiveness of the:
(a) design of the accounting and internal control systems, that is, whether they are suitably
designed to prevent or detect and correct material misstatements; and
(b) operation of the internal controls throughout the period.
Tests of control include tests of elements of the control environment where strengths in the
control environment are used by auditors to reduce control risk.
Some of the procedures performed to obtain the understanding of the accounting and internal
control systems may not have been specifically planned as tests of control but may provide
audit evidence about the effectiveness of the design and operation of internal controls relevant
to certain assertions and, consequently, serve as tests of control. For example, in obtaining
the understanding of the accounting and internal control systems pertaining to cash, the
auditor may have obtained audit evidence about the effectiveness of the bank reconciliation
process through inquiry and observation.
When the auditor concludes that procedures performed to obtain the understanding of the
accounting and internal control systems also provide audit evidence about the suitability of
design and operating effectiveness of policies and procedures relevant to a particular financial
statement assertion, the auditor may use that audit evidence, provided it is sufficient to
support a control risk assessment at less than a high level.
Tests of control may include:
♦ Inspection of documents supporting transactions and other events to gain audit evidence
that internal controls have operated properly, for example, verifying that a transaction has
been authorised.
♦ Inquiries about, and observation of, internal controls which leave no audit trail, for
example, determining who actually performs each function and not merely who is
supposed to perform it.
♦ Re-performance of internal controls, for example, reconciliation of bank accounts, to
ensure they were correctly performed by the entity.
Risk Assessment and Internal Control 3.23

♦ Testing of internal control operating on specific computerised applications or over the


overall information technology function, for example, access or program change controls.
The auditor should obtain audit evidence through tests of control to support any assessment of
control risk which is less than high. The lower the assessment of control risk, the more
evidence the auditor should obtain that accounting and internal control systems are suitably
designed and operating effectively.
When obtaining audit evidence about the effective operation of internal controls, the auditor
considers how they were applied, the consistency with which they were applied during the
period and by whom they were applied. The concept of effective operation recognises that
some deviations may have occurred. Deviations from prescribed controls may be caused by
such factors as changes in key personnel, significant seasonal fluctuations in volume of
transactions and human error. When deviations are detected the auditor makes specific
inquiries regarding these matters, particularly, the timing of staff changes in key internal
control functions. The auditor then ensures that the tests of control appropriately cover such a
period of change or fluctuation.
In a computer information systems environment, the objectives of tests of control do not
change from those in a manual environment; however, some audit procedures may change.
The auditor may find it necessary, or may prefer, to use computer-assisted audit techniques.
The use of such techniques, for example, file interrogation tools or audit test data, may be
appropriate when the accounting and internal control systems provide no visible evidence
documenting the performance of internal controls which are programmed into a computerised
accounting system.
Based on the results of the tests of control, the auditor should evaluate whether the internal
controls are designed and operating as contemplated in the preliminary assessment of control
risk. The evaluation of deviations may result in the auditor concluding that the assessed level
of control risk needs to be revised. In such cases, the auditor would modify the nature, timing
and extent of planned substantive procedures.
Quality and Timeliness of Audit Evidence - Certain types of audit evidence obtained by the
auditor are more reliable than others. Ordinarily, the auditor's observation provides more
reliable audit evidence than merely making inquiries, for example, the auditor might obtain
audit evidence about the proper segregation of duties by observing the individual who applies
a control procedure or by making inquiries of appropriate personnel. However, audit evidence
obtained by some tests of control, such as observation, pertains only to the point in time at
which the procedure was applied. The auditor may decide, therefore, to supplement these
procedures with other tests of control capable of providing audit evidence about other periods
of time.
In determining the appropriate audit evidence to support a conclusion about control risk, the
auditor may consider the audit evidence obtained in prior audits. In a continuing engagement,
the auditor will be aware of the accounting and internal control systems through work carried
out previously but will need to update the knowledge gained and consider the need to obtain
further audit evidence of any changes in control. Before relying on procedures performed in
3.24 Advanced Auditing and Professional Ethics

prior audits, the auditor should obtain audit evidence which supports this reliance. The auditor
would obtain audit evidence as to the nature, timing and extent of any changes in the entity's
accounting and internal control systems since such procedures were performed and assess
their impact on the auditor's intended reliance. The longer the time elapsed since the
performance of such procedures the less assurance that may result.
The auditor should consider whether the internal controls were in use throughout the period. If
substantially different controls were used at different times during the period, the auditor would
consider each separately. A breakdown in internal controls for a specific portion of the period
requires separate consideration of the nature, timing and extent of the audit procedures to be
applied to the transactions and other events of that period.
The auditor may decide to perform some tests of control during an interim visit in advance of
the period end. However, the auditor cannot rely on the results of such tests without
considering the need to obtain further audit evidence relating to the remainder of the period.
Factors to be considered include:
♦ The results of the interim tests.
♦ The length of the remaining period.
♦ Whether any changes have occurred in the accounting and internal control systems
during the remaining period.
♦ The nature and amount of the transactions and other events and the balances involved.
♦ The control environment, especially supervisory controls.
♦ The nature, timing and extent of substantive procedures which the auditor plans to carry
out.
Final Assessment of Control Risk - Before the conclusion of the audit, based on the results
of substantive procedures and other audit evidence obtained by the auditor, the auditor should
consider whether the assessment of control risk is confirmed. In case of deviations from the
prescribed accounting and internal control systems, the auditor would make specific inquiries
to consider their implications. Where, on the basis of such inquiries, the auditor concludes that
the deviations are such that the preliminary assessment of control risk is not supported, he
would amend the same unless the audit evidence obtained from other tests of control supports
that assessment. Where the auditor concludes that the assessed level of control risk needs to
be revised, he would modify the nature, timing and extent of his planned substantive
procedures.
3.7.2 Relationship between the Assessments of Inherent and Control Risk - Management
often reacts to inherent risk situations by designing accounting and internal control systems to
prevent or detect and correct misstatements and therefore, in many cases, inherent risk and
control risk are highly interrelated. In such situations, if the auditor attempts to assess
inherent and control risks separately, there is a possibility of inappropriate risk assessment.
As a result, audit risk may be more appropriately determined in such situations by making a
combined assessment.
Risk Assessment and Internal Control 3.25

3.7.3 Detection Risk - The level of detection risk relates directly to the auditor's substantive
procedures. The auditor's control risk assessment, together with the inherent risk assessment,
influences the nature, timing and extent of substantive procedures to be performed to reduce
detection risk, and therefore audit risk, to an acceptably low level. Some detection risk would
always be present even if an auditor were to examine 100 percent of the account balances or
class of transactions because, for example, most audit evidence is persuasive rather than
conclusive.
The auditor should consider the assessed levels of inherent and control risks in determining
the nature, timing and extent of substantive procedures required to reduce audit risk to an
acceptably low level. In this regard the auditor would consider:
(a) the nature of substantive procedures, for example, using tests directed toward
independent parties outside the entity rather than tests directed toward parties or
documentation within the entity, or using tests of details for a particular audit objective in
addition to analytical procedures;
(b) the timing of substantive procedures, for example, performing them at period end rather
than at an earlier date; and
(c) the extent of substantive procedures, for example, using a larger sample size.
There is an inverse relationship between detection risk and the combined level of
inherent and control risks. For example, when inherent and control risks are high,
acceptable detection risk needs to be low to reduce audit risk to an acceptably low level.
On the other hand, when inherent and control risks are low, an auditor can accept a
higher detection risk and still reduce audit risk to an acceptably low level. Refer to the
Appendix to this AAS for an illustration of the interrelationship of the components of audit
risk.
While tests of control and substantive procedures are distinguishable as to their purpose, the
results of either type of procedure may contribute to the purpose of the other. Misstatements
discovered in conducting substantive procedures may cause the auditor to modify the previous
assessment of control risk. Refer to the Appendix to this AAS for an illustration of the
interrelationship of the components of audit risk.
The assessed levels of inherent and control risks cannot be sufficiently low to eliminate the
need for the auditor to perform any substantive procedures. Regardless of the assessed
levels of inherent and control risks, the auditor should perform some substantive procedures
for material account balances and classes of transactions.
The auditor's assessment of the components of audit risk may change during the course of an
audit, for example, information may come to the auditor's attention when performing
substantive procedures that differs significantly from the information on which the auditor
originally assessed inherent and control risks. In such cases, the auditor would modify the
planned substantive procedures based on a revision of the assessed levels of inherent and
control risks.
3.26 Advanced Auditing and Professional Ethics

The higher the assessment of inherent and control risks, the more audit evidence the auditor
should obtain from the performance of substantive procedures. When both inherent and
control risks are assessed as high, the auditor needs to consider whether substantive
procedures can provide sufficient appropriate audit evidence to reduce detection risk, and
therefore audit risk, to an acceptably low level. When the auditor determines that detection
risk regarding a financial statement assertion for a material account balance or class of
transactions cannot be reduced to an acceptable level, the auditor should express a qualified
opinion or a disclaimer of opinion as may be appropriate.

Internal Control in Small Business Enterprises


3.8 The auditor needs to obtain the same degree of assurance in order to give an unqualified
opinion on the financial statements of both small and large entities. However many controls
which would be relevant to large entities are not practical in small business. For example, in a
small business, accounting procedures may be performed by a few persons. These persons
may have both operating and custodial responsibilities and segregation of functions may be
missing or severely limited. Inadequate segregation of duties may, in some cases, be offset
by supervisory controls exercised by the owner. This supervisory function by the owner
becomes possible because of the fact that he has direct personal knowledge of the business
and involvement in the business transactions. In circumstances where segregation of duties is
limited and the evidence of supervisory controls is lacking the evidence necessary to support
the auditor’s opinion on the financial information may have to be obtained largely through
substantive procedures.

Reporting to Clients on Internal Control Weaknesses


3.9 During the course of audit work, the audit may notice material weaknesses in the internal
control system. Material weaknesses are defined as absence of adequate controls on flow of
transactions that increases the possibility of errors and frauds in the financial statements of
the entity. For example, if monthly age-wise analysis of debtors is not performed then it may
result in inadequate provisioning of bad debts for the fiscal year under audit.
The auditor should communicate such material weaknesses to the management or the audit
committee, if any, on a timely basis. This communication should be, preferably, in writing
through a letter of weakness or management letter. Important points with regard to such a
letter are as follows:
(a) The letter lists down the area of weaknesses in the system and offers suggestions for
improvement.
(b) It should clearly indicate that it discusses only weaknesses which have come to the
attention of the auditor as a result of his audit and that his examination has not been
designed to determine the adequacy of internal control for management.
(c) This letter serves as a valuable reference document for management for the purpose of
revising the system and insisting on its strict implementation.
Risk Assessment and Internal Control 3.27

(d) The letter may also serve to minimize legal liability in the event of a major defalcation or
other loss resulting from a weakness in internal control.
It should be appreciated that by writing a letter to the management about the weaknesses in
the system, the auditor is not absolved from his duty to report the shortcomings in the
accounts by way of qualification where the defects have not been corrected to the auditor’s
satisfaction weighing the materiality of weaknesses and their impact, if considered necessary.
The practice of the issue of letter of weaknesses has a great merit in relieving the auditor
from liability in case serious frauds or losses have occurred, which probably would not have
taken place had the client taken due note of the auditor’s points in the letter of weakness. In
the case Re S.P. Catterson & Ltd. (1937, 81, Act L.R. 62), the auditor was acquitted of the
charge of negligence for employee’s fraud in view of the fact that he had already informed the
client about the unsatisfactory state in the specific areas of accounts and had suggested
improvements which were not acted upon by the management.

Self-examination Questions
1. Indicate which of the following are administrative controls:
(a) Attendance record of employees.
(b) Purchase requisition.
(c) Stock control account.
(d) Invitation for quotations.
(e) Inspection of goods received as to quality.
(f) Fire insurance of the factory.
(g) Indemnity Bond.
(h) Bank reconciliation.
(i) Budget.
(j) Observation of the disbursement of wages.
2. Explain three important elements of internal controls?
3. Read the following and state whether proper controls exist or not. In case answer is
negative, state the reason:
(i) Raw jute purchased by a jute mill is weighed on trolleys and the jute purchase
officer who is present at the time of weighment signs the weighment record.
(ii) Post Office Savings Bank Certificates, being investments, are lodged with the
banker for sale custody and collection when due. The company also maintains a
register showing details of the certificates, their dates of maturity, etc. in view of the
fact that the certificates are numerous the company official reviews the register on a
half-yearly basis and advises the bank to collect the matured ones.
3.28 Advanced Auditing and Professional Ethics

(iii) As a matter of routine, a budget is prepared well in advance in respect of each


financial year. The annual budget is broken down to quarterly budgets for facilitating
review. At the expiry of each quarter a thorough reconciliation is made between the
budgeted figures and the actuals.
(iv) The cashier, being a highly reliable person, is discouraged from taking periodic
leave; he is compensated by extra payment.
(v) Annual stock-taking is carried out by employees drawn from various sections-but
not a single one from the stock section.
(vi) Wages sheets are prepared in the time section.
(vii) Before finalising any sales tender, the sales manager sends the tenders to the
costing section for proper product or job costing.
(viii) Cheques up to Rs. 1,000 are signed by the accountant and those in excess are
jointly signed by the finance manager and the accountant.
(ix) The cashier is under instruction to carry cash in hand just enough to meet next
day’s requirements. Excess requirement of the day, if any, is met by borrowing from
the executive director.
(x) The moment bank balance falls below a certain level, the bank is under a standing
instruction to transfer securities lodged with it for safe custody to the pledge account
of a requisite amount and raise the balance to certain level. After the inflow of cash
into the account, the bank is to re-transfer the securities.
4. State the reasons for the following procedural requirements, all of help to strengthen
internal control:
(a) The gateman of a cinema house is required to tear each ticket presented for
admission into two and hand over the stub to the patron.
(b) After the chief accountant signs the disbursement cheques, they are listed and the
supporting data are retained in the Accounts Department but the cheques are
passed on to the Mailing Department for onward transmission.
(c) The copy of the “Goods Received Note” passed on to the quality inspector for
Quality Report does not contain the name and particulars of the supplier.
(d) Department Attendance Registers are maintained in the factory even though the
workers while entering the factory are to punch their respective clock-cards.
(e) In a bank no director, officer or employee is entitled to act on behalf of a customer
in relation with any transaction with the bank.
(f) The driver of each vehicle is to maintain a log book showing details of trips and
petrol purchased. The log-book is presented to the Office Manager once a week for
his verification.
Risk Assessment and Internal Control 3.29

5. Comment on the following questions in a questionnaire prepared by an audit firm.


(i) What is the nature of business?
(ii) Is there a case that more than one fund is under the charge of a single employee?
(iii) Is cash given against I.O.Us.?
(iv) Do you have a daily physical verification of petty cash and postage stock?
(v) Do you keep -inventory of table stationery?
(vi) Is there a typists’ pool in your organisation?
(vii) What are the thrusts in your advertisement campaign?
(viii) Who looks after your investments?
(ix) Are payers required to sign vouchers for all disbursements?
(x) Do you obtain clearance from the Credit Control Department in each and every
case, before supplies are made on credit?
6. Prepare a flow chart in respect of the function of the Sales Ledger Clerk?
7. Tick the items given below that can be known by a study of the organisation chart of
concern:
(a) Scope of the business
(b) Accountability.
(c) Line and staff functions.
(d) Job division.
(e) Internal check.
(f) Accounting records.
(g) Inter-relationship of the functionaries.
(h) Exercise of authority.
(i) Personnel policy.
(j) Accounting policies.
(k) Authority for exceeding limits.
(l) Clerical distribution.

Answer to the Self-examination Questions


1. (a), (e), (f), (o)
2. (i) Job division
(ii) Separation of recording and custodial functions.
(iii) Internal auditing.
3.30 Advanced Auditing and Professional Ethics

3. (i) No; because the jute purchase officer, who is directly in touch with supplying
parties, has opportunity of causing wrong weights being recorded at the cost of the
mill.
(ii) No; there is a gap of six months in between two reviews and there will be loss of
interest in respect of certificates maturing in the intervening period.
(iv) No; opportunity for a second person to look into details about what the cashier has
been doing.
(v) No; provides no opportunity manipulation.
(vi) No; it involves the company into avoidable borrowings and provides opportunities
for wrong payments to the executive director instead the estimation of the next
day’s requirement should be made a little more liberally, taking into account the past
experience about excess requirement.
(vii) No; it provides uncontrolled latitude to the bank to convert company’s securities
meant, for safe custody into security for funds borrowed.
4. (a) The pass collected by the gate man can be checked against total sale of ticket as
per the counterfoils of ticket books. Any presentation of unauthorised tickets will be
known; also the patrons will carry with them the evidence of their authorised entry
into the exhibition hall by retaining the stub.
(b) It provides an independent record with the Accounts Department about daily issue
and actual forwarding of cheques.
(c) The quality inspector should not know the supplying party in the interest of an
objective quality inspection.
(d) It records actual attendance to the work and also helps to keep check on wastage of
time in reaching his work spot.
(e) It avoids conflict of interest.
(f) It enables exercise of control over trips and consumption of control; also
unauthorised trips or excessive consumption of petrol may be known at an early
date.
5. Items (i) to (iv) and (viii) to (x) are all right.
(v) From materiality point of view the question is not relevant.
(vi) Normally, an auditor is not concerned with the typing organisation of the client.
(vii) Not of any direct relevance from the point of view of accounting control.
7. (b), (d), (c), (g), (h).
Risk Assessment and Internal Control 3.31

Annexure I
Sample Internal Control Questionnaire
I. Investments
(i) Segregation and rotation of duties: Is there a proper segregation of duties? Are the following
functions relating to investments segregated?
(a) Authorization of transactions relating to investments.
(b) Execution of transactions.
(c) Recording of transactions.
(d) Physical custody of investment scrips.
(ii) Are the duties of various persons relating to investments rotated periodically?
Authorization of Transactions
(i) Are the authorities for acquisition, disposal and other decisions relating to investments clearly laid
down? Are the limits on authorities of managers at various levels clearly defined?
(ii) Are the procedures for acquisition, disposal, etc., of investments?
(iii) Are the relevant legal provisions duly considered in taking decisions regarding acquisition/disposal of
investments? (For example, in the case of insurance companies, there are restrictions regarding the
nature of investments that can be acquired. Similarly, in the case of other companies, the law lays down
conditions which have to be followed if investments exceed prescribed limits.)
(iv) Are the transactions of acquisition/ disposal of investments in the form of shares, debentures, etc.,
required to be executed only through brokers who are members of recognized stock exchanges? Are
there any limits on exposure with each broker (e.g., there may be a limit on the total value of transactions
outstanding with a broker at any point of time)? Do these limits appear reasonable?
Maintenance of Records and Documents
(i) Are all transactions relating to investments recorded properly and promptly? Is there an investment
register (or other appropriate record) wherein particulars relating to investments are recorded? Are the
records sufficiently detained to facilitate identification of investments and determination of their cost? In
particulars, whether the records show, in respect of each investment, the nature of investment, or cum
interest, due dates of interests or the likely dates of the receipt of the dividends, financial year of the
enterprise in which the investment has been made, date of maturity (in the case of debentures and
similar investments), purchased price and incidental costs (brokerage, stamp fee, etc.)?
(ii) Are all accretions to investments (i.e., bonus shares, right shares, etc?) Properly recorded? Similarly
are changes in the nature of investments (e.g. conversion of debentures into equity shares) properly
recorded?
(iii) Do the records include particulars of significance developments relating to investments, e.g., Right
offers, bonus announcements, options for conversion, warrants, etc.? For e.g., do the records show
whether rights were offered and whether they were subscribed or soled or otherwise renounced?
(iv) Is a proper record maintained in respect of scrips belonging to third parties which are in the
possession of the enterprise ( e.g., as security for loans granted)? Are there adequate procedures to
ensure that the scrips belonging to third parties can be readily identified?
(v) Are proper records maintained in respect of investments which have been sent for registration of
transfer, splitting-up or similar purposes? Does the enterprise keep a photo copy ( or other detailed
3.32 Advanced Auditing and Professional Ethics

record) of all transfer deeds and investment certificates sent for registration of transfer, split, etc., So
that the necessary details are available even if the original documents are lost?
(vi) Is the validity of transfer deeds accompanying the investment scrips acquired by the enterprise
checked? Is it ensured that the investments scrips along with the transfer deeds are lodged with the
company / transfer agent within the validity period?
(vii) Is immediate action taken in case of bad deliveries, i.e., where the company / transfer agent returns
the documents without affecting the transfer due to certain defects?
Accountability for and Safeguarding of Investments
(i) Are all investments held in the name of the enterprise? Are the circumstances in which investments
may not be held in the name of the enterprise clearly specified? Are the authorities for approving the
acquisition or holding of investments in the name of other persons clearly laid down? Are adequate
measures taken to safeguard the interests of the enterprise in such cases?
(ii) Are investment scrips kept under lock and key in the custody of a responsible official? Are there
adequate safeguard against theft, fire, etc?
(iii) Are there any special safeguards against misappropriation of investment scrips which are
accompanied by blank transfer deeds? (In blank transfer deeds, the name of the transferee is not filled
in. They are, therefore, particularly prone to misappropriation. Special safeguards in respect of
investment scrips accompanied by blank transfer deeds include dual custody, separate storage of
transfer deeds and related scrips, etc.)
(iv) Are investment scrips kept with third parties only in appropriate cases (e.g., as security for loan
from a bank ) and under proper authorization? In such cases, is there a system of obtaining certificates
from the third parties periodically? Do the certificates contain sufficient details of investments held by
the third parties? Is there a system whereby a periodic review is made to ensure that all such
investments in the hands of third parties are safe?
(v) Is there a system of periodic physical verification of the scrips? Are the differences between the
results of physical verification and the book records analyze? Is there a proper follow-up on all
discrepancies noticed on physical verification?
Independent Checks
(i) Is there a regular internal audit of transactions relating to investments, including a review of the rates
at which the various transactions have been effected? Does the internal audit examine whether the
rates conform to the prevalent market rates? In case of divergence, does the internal audit specifically
examine the authorization for the relevant transactions and the reasons for not effecting the
transactions at market rates?
(ii) Is there an independent review of compliance with rules and regulations governing investments? Is
there also a review of compliance with conditions attached to certain investments which restrict the
right of ownership/disposal of investments (for e.g., certain shares allotted to promoters cannot be sold
by them for a certain period)?
II. Inventories
Segregation and Rotation of Duties
(i) Are the duties relating to inventories properly segregated? As far as possible, the persons
responsible for handling physical inventories should not be assigned any duties relating to purchasing,
billing or accounting.
(ii) Are the duties of various persons relating to inventories rotated periodically?
Risk Assessment and Internal Control 3.33

Authorization of Purchases, Receipts and Issues


(i) Have the authorities for purchases, receipt of goods and their issuance from stores been clearly laid
down?
(ii) Are issues from stores made only against proper requisition notes or Challans approved by
authorized managers?
(iii) Are transfers of inventory items from one department to another made only after obtaining the
approval of authorized managers?
Maintenance of Records and Documents
(i) Is there a proper documentation of receipt of goods from suppliers as well as issue of goods from
the factory?
(ii) Is there a proper documentation of transfer of inventory items from one department to another?
(iii) Is there a perpetual inventory system whereby receipts and issues are recorded in the inventory
records as soon as they take place?
(iv) Are perpetual inventory records reconciled periodically with financial records / cost accounting
records?
(v) Does the enterprise have a proper cost accounting system for determining the cost of work-in-
process and finished goods?
(vi) Are overhead absorption rates properly determined in the light of current experience?
(vii) Are actual costs compared with standard and / or budgeted costs and the variance analyze and
properly adjusted?
(viii) Are proper records maintained in respect of waste, scrap, returnable containers and by-products?
(ix) Are proper records maintained in respect of inventories belonging to the enterprise but lying with
third parties such as public warehouses, consignees, sub- contractors, goods sent to customers on
approval, etc.?
(x) Are proper records maintained in respect of stocks belonging to third parties which are in the
possession of the enterprise, e.g., for processing?
(xi) Are there adequate cut-off procedures to ensure that:
(a) goods purchased but not yet received are included in the inventories, purchases are debited and a
liability is created from the same, and
(b) goods sold but not yet despatched are excluded from inventories, sales are credited and the
amount of sundry debtors is suitably adjusted?
Accountability for, and safeguarding of, inventories
Storage
(ii) Is the storage of various items of inventories methodical? Does it protect them against damage,
deterioration, etc?
(ii) Is the access to areas where inventories are stored , restricted? Are there suitable safeguards to
ensure that inventory item cannot be taken out of the stores without proper authorization?
Insurance
(i) Have different items of inventories been insured against fire, theft, riots, etc.?
(ii) Is the insurance cover adequate? Is it reviewed periodically?
3.34 Advanced Auditing and Professional Ethics

(iii) Is insurance premium paid up- to-date?


(iv) Are the insurance policies / cover notes kept in proper custody?
Physical Stock Taking
(i) What is the system of stock taking - continuous, annual or both?
(ii) How effective is the system of continuous / annual stock taking? In this regard the following
aspects may be specifically examined.
(a) Is there a well laid down procedure for stock taking?
(b) Are persons responsible for stock taking independent of the stores personnel?
(c) Are there written instructions for stock taking, particularly regarding proper identification and
counting of stocks and for recording the quantities and the condition of the stocks? Are these
instructions proper?
(iii) Are stocks belonging to third parties which are in the possession of the enterprise physically
segregated from the stocks of the enterprise, or otherwise properly identified during the course of
physical stock taking? Are confirmations regarding the quantity and quality obtained from third
parties, in respect of stocks held on their behalf, on a regular basis during the year as also at the
year-end?
(iv) Are physical verification sheets checked for arithmetical accuracy and internal consistency by a
person other than the person who prepares them?
(v) Are variations between stocks as per physical stock taking and stock records as per the books
investigated and adjusted in the stock records and financial accounts with proper authorization?
Inventories held by third parties
Are stocks held with third parties physically verified periodically by the third party or by the enterprise?
Are certificates obtained from the holders of the stocks regarding the quantity and quality of the stocks
on a regular basis during the year as well as at the year-end?
Independent Checks
Is there an internal audit of inventories?
III. Fixed Assets
A. Segregation and rotation of duties
(i) Is there a proper segregation of various duties relating to fixed assets? As far as possible, the
following duties should be assigned to different persons.
(a) Authorizations of acquisitions and disposals.
(b) Execution of transactions relating to acquisitions and disposals.
(c) Recording of transactions.
(d) Physical custody of items.
(ii) Are duties of various persons relating to fixed assets rotated periodically?
B. Authorization of acquisitions, Transfer and Disposal
(i) Is there an effective system of capital budgeting with well laid down procedures? The following aspects
are particularly important in this regard.
(a Are proposals for capital expenditure invited from various departments of the enterprise well-in-time?
Risk Assessment and Internal Control 3.35

(b) Are the proposals received in a properly laid down format which provides for complete details
about the financial, commercial and technical aspects of a proposal?
(c) Are the proposals for capital expenditure scrutinized by a committee consisting of senior managers
and then a composite budget put up to the top management or governing body for approval?
(d) Is the approved budget communicated in writing to various departments including the purchase
department and the accounts department?
(ii) Is prior written authorization of a manager at a sufficiently senior level required for incurring capital
expenditure for items included in the budget?
(iii) Is there a well laid down procedure for acquisition of items of fixed assets? Does the procedure
provide for adequate controls, particularly with regard to invitation of quotations, selection of suppliers,
and approval of prizes, payment terms and other terms of the purchase contract including technical
specifications and delivery schedule? Are there sufficient safeguard to ensure timely delivery /
construction of fixed assets, such as provision for penalty in case of delayed delivery, etc.?
(iv) Where purchases are made on the basis of competitive bids, is there a requirement for
documenting the reasons for making purchases otherwise than at the lowest price?
(v) Are controls over receipts of items of fixed assets effective? In particular are the technical
specifications of the items received verified with the purchase order before accepting them? In case
any items are rejected, are debit notes raised promptly?
(vi) Is there a periodic comparison of capital expenditure incurred with the capital budget? In cases
where the amounts actually expended indicate the likelihood of cost over-runs, are supplementary
budgets prepared and got approved from competent authority?
(vii) Is there a system of obtaining prior approval of a senior manager in case of transfer of fixed
assets (e.g., from one department or unit to another department or unit)?
(viii) Are there adequate controls over disposal of fixed assets, especially with regard to the following?
(a) Are fixed assets scrapped or retired from use only on written authorization of a senior manager?
(b) Are limits prescribed on the authority of the specified managers to scrap or retire fixed assets?
(c) Are there proper controls over disposal of fixed assets, particularly with regard to invitation of
quotations, approval of prices, etc.?
(d) Is there a proper documentation of the disposal of fixed assets?
Maintenance of Records and Documents
(i) Does the enterprise maintain proper records of all fixed assets? Do the records contain details of
such fully depreciated assets also which are in use or are kept for disposal? Are the records kept up-
to-date and reconcile periodically with financial accounts? Do the records contain such particulars as
date of purchase, supplier’s name, identification number, details of cost, location, estimated life,
estimated residual value, rate of depreciation, accumulated depreciation till date and where applicable,
measurement of impairment loss on assets?
(ii) Is a proper record maintained in respect of fixed assets given by the enterprise on lease and of
assets owned by others but used by the enterprise?
(iii) Where applicable, does the enterprise maintain proper records of intangible assets?
(iv) Does the system ensure that all disposals are recorded in the books of account promptly?
(v) Is a register containing particulars of title deeds of land and buildings maintained? Are the title
3.36 Advanced Auditing and Professional Ethics

deeds kept in safe custody? Are these deeds periodically verified?


Where such deeds have been lodged as security against loans, are certificates of lodgment obtained
periodically from banks financial institutions or other parties with whom the title deeds have been
lodged?
(vi) Are registration books of vehicles maintained properly and verified periodically?
(vii) Does the enterprise maintain detailed records of projects under construction? Are job numbers
assigned to each such project? Is there a proper system for identifying the direct expenditure incurred
on each project ( e.g., Cost of materials and stores, wages ) and for allocation or apportionment of
overheads to various projects? Is a separate account maintained in the ledger to monitor the actual
amounts expended on each projects?
(viii) Is the basis of allocating expenditure between capital and revenue proper?
Accountability for and safeguarding of, Fixed Assets
(ii) Is there a system whereby each item of fixed assets is given an identification number indicating its
location, use, etc.? Is the identification number marked on the item in such a manner that it cannot be
removed easily?
(ii) Are there adequate safeguards to protect the items of fixed assets from theft, fire, etc., Such as
restricting access to items of fixed assets to authorized personnel and use of devices like locks,
burglar alarms, etc.?
(iii) Are the items of fixed assets properly insured? In this regard, the following aspects are particularly
important.
(a) Is the insurance cover against fire, flood, theft and other losses adequate?
(b) Is the adequacy of insurance cover reviewed periodically?
(c) Are insurance policies renewed on a timely basis?
(d) Are values of items of fixed assets determined properly for the purpose of insurance? Do insurance
policies cover replacement values of fixed assets? Is the system of determining replacement values
proper?
(e) In case certain assets are left uninsured, is it on the basis of a conscious decision by an authorized
manager? Is such a decision properly recorded?
(f) In case the enterprise resorts to self-insurance, is there a proper system whereby adequate funds
are allocated to the self-insurance fund? Does the past experience indicate that the self-insurance
fund is adequate to take care of the various kinds of possible losses?
(iv) Are fixed assets verified periodically on the basis of a well laid down written procedure?
(v) Does the verification procedure extend to fixed assets with third parties? In case it is not possible
to physically verify the fixed assets with third parties, is there a procedure for obtaining confirmation
from such third parties?
(vi) Is there a proper follow-up on discrepancies between the book records and the results of physical
verification? Are these discrepancies investigated and responsibilities fixed? Are fixed asset records
and financial accounts adjusted, with proper approval of a senior manager, to take cognizance of the
discrepancies noticed on physical verification?
(vii) Is there a system of identifying and reporting damaged, obsolete and idle fixed assets? Is there an
adequate follow-up on such fixed assets? Are the fixed asset records and financial accounts adjusted,
with the approval of a senior manager, to recognize the fall in the value of fixed assets due to damage
Risk Assessment and Internal Control 3.37

obsolescence or idleness?
Independent Checks
Is there an internal audit of fixed assets? Is the internal audit work relating to fixed assets properly
planed and executed?
IV. Sales
Processing Orders and Dispatching Goods
(i) Are standard price lists maintained? Is a special sanction from a senior manager required in the
case of sales at prices lower than the standard prices?
(ii) Does the system of allowing quantity rebates and discounts provide for adequate controls? In
particular, is there a clear cut policy for allowing such rebates and discounts? Are the authorities of
various managers in this regard clearly laid down and are they reasonable?
(iii) Are special sanctions required in case of sales to affiliate companies or individuals, or other
enterprises in which the managerial personnel or senior employees are interested?
(iv) Is there a well-defined policy for making sales to employees at concessional prices? Does it lay
down any limits in this regard?
(v) Is there a timely preparation of a written sale order on receipt of an order from a customer?
(vi) Are sale orders pre-numbered? Is a lack of continuity in sale order numbers duly enquired into?
(vii) Is there a proper authorisation of credit, price, quantity and other important terms of the sale
order?
(viii) Is there a system of fixing credit limits for regular customers? Are these limits approved by a
senior manager as per the credit policy determined by the top management? Are these limits reviewed
periodically in the light of the experience in dealing with the customer?
(ix) Is credit limit of the customer concerned checked before sanctioning the credit on the sale order? Is
up-to-date information on the extent of credit already extended to the customer readily available for this
purpose?
(x) Is a copy of each sale order sent to the despatch department and to the accounts department?
(xi) Is a despatch document, e.g., A goods outward Challans, prepared at the time the goods are
despatched to the customer? Is it matched with the bill of lading or the railway receipt/ transporter’s
receipt?
(xii) Are despatch documents pre-numbered and missing document numbers duly enquired into?
(xiii) Is there a system of checking each consignment of goods leaving the premises with the related
despatch document?
(xiv) Is a copy of the despatch document, i.e., Goods outward Challans/gate pass sent to the customer
and to the accounts department?
(xv) Is an acknowledgment of receipt of goods obtained from the customer or from his agent on the
copy of the despatch document?
Billing Customers and Recording Sales
(i) Is there a system of preparing sale invoices immediately on receipt of despatch documents?
(ii) Do the sale invoices contain all the relevant details including the name of the customer, description
and quantity of goods sold, sale price, freight, insurance, sales tax and other charges as well as other
3.38 Advanced Auditing and Professional Ethics

major terms of the sale?


(iii) Are the sale invoices properly checked (particularly for prices, calculation and terms of payment)
and authorised before despatch? Are the particulars such as the name of the customer, quantity, etc.,
As appearing in the copies of the sale orders, gate pass/other despatch document, and the railway
receipt/transporter’s receipt/bill of lading compared with those in the invoices to ensure that proper
amounts have been billed to appropriate customers.
(iv) Is the original invoice sent to the customer immediately and entries made in the accounting
records on a timely basis?
(v) Are sale invoices pre-numbered and entered sequentially in the sale summary sheet or the sale
book? Is a lack of continuity in sale invoice numbers duly enquired into?
(vi) Are copies of sale order, despatch document, railway receipt/transporter’s receipt/ bill of lading
attached with the relevant invoice?
Follow-up on Sales after-sale Service
(i) What is the nature of after-sale service rendered by the enterprise?
(ii) Does the enterprise maintain adequate records (e.g., Customer cards) of after- sale service
provided to each customer? Does the format of the record provide for a clear distinction between
customers being serviced under warranty period and those under maintenance contracts?
(iii) Are the service engineers required to fill up a form describing the services rendered/ parts
replaced on each visit? Is the form required to be signed by the customer?
(iv) Are cases of major replacements reviewed by a senior official?
(v) Are service engineers authorised to collect cash and issue provisional receipts to customers in the
case of chargeable parts? In such a case, are they required to deposit the cash so collected the same
day along with copies of provisional receipts? Are the provisional receipts pre-numbered? Are missing
receipt numbers duly enquired into?
(vi) Is the customer sent a final invoice/receipt for the services rendered and/or for the parts replaced?
(vii) Are invoices entered into the customer cards immediately?
(viii) Is there a periodic comparison of the cost of parts replaced free of charge with the budgeted
figures? Are any unusual fluctuations duly investigated?
Sale returns
(i) Does the system relating to sale returns prescribe limits on the authority of managers at various
levels to accept return of goods? (These limits may be in terms of value of the goods returned and the
period during which they are returned.)
(ii) Are the returned goods accepted only after they have been properly inspected for their quantity and
quality?
(iii) Is an inward return note prepared promptly against each sale return, indicating the quantity and
specifications of the goods received back?
(iv) Are the inward returned notes per-numbered? Are missing note numbers duly enquired into?
(v) Are returned goods sent to the stores immediately? Are inward return notes entered promptly in
inventory records?
(vi) Is a credit note prepared on the basis of the inward return note? It is properly checked with
reference to the relevant inward return note before it is approved and sent to the customer? Are
Risk Assessment and Internal Control 3.39

appropriate entries made in the books of account promptly?


(vii) Is there a proper control over the issue of credit notes specially with regard to the authority for
issuing the same?
(viii) Are credit notes pre-numbered? Are missing credit note numbers duly enquired into?
(ix) Is the sale commission paid in respect of goods returned recovered through an appropriate debit
note?
(x) Are sale returns analyzed with reference to the reasons? Are appropriate follow-up steps taken?
Claims by Customers
(i) Are all claims ( for shortfall in quantity, or for poor quality, or for delay in delivery and similar other
reasons) approved by an authorized manager? Is the approval granted only after a proper examination
of the matter?
(i) Is a credit note sent to the customer in respect of each approved claim? Are appropriate entries
made in the books of accounts promptly?
Import Entitlements
Are adequate records maintained in respect of import entitlements against export of goods? Are the
entitlements properly utilized?
Overall Controls
(i) Is there a proper segregation of duties in the various segments of the total sales cycle? Have the
duties relating to sales been so allocated that different persons are entrusted the functions of (a)
authorization of sales (b) execution of sale transactions, (c) recording of sales, and (d)
custody of goods? Are the duties of various persons relating to sales rotated periodically?
(ii) Are there adequate cut-off procedures in relation to sales?
(iii) Are there adequate cut-off procedures in relation to sale returns?
(iv) Is there an internal audit of the entire sales cycle?
(v) Is there a system of sending monthly statements of accounts to regular customer? Are the
discrepancies intimated by customers in their response and are they properly dealt with?
V. Purchases
Processing Purchase Orders
(i) What is the organization of the purchase function? Are purchases centralized or decentralized?
(ii) Does the purchase procedure provide for preparation of written purchase requisitions by authorized
personnel? Are these prepared in a standard format? Does the format require furnishing of sufficient
details about quantity required, technical specifications, delivery schedule, etc.?
(iii) Have the authorities regarding sanctioning of purchases been clearly laid down? Is the distribution
of authorities proper? Have limits been prescribed within which purchases can be sanctioned by each
authority?
(iv) Is a list of approved suppliers maintained for each major item? Is the list updated regularly? Does
it contain appropriate remarks in respect of suppliers who fail to comply with the terms of purchase
orders? Are purchases made from approved suppliers only?
(v) Are tender / quotations invited from more than one supplier (usually three or more) on the basis of
a clear cut specification of the item required?
3.40 Advanced Auditing and Professional Ethics

(vi) Have any long-term purchase contracts been entered into with the suppliers? Are the stipulations
regarding price, specification of goods, etc., in such contracts clear and unambiguous?
(vii) Where tenders / competitive quotations are invited, it is ensured that no supplier gets an undue
advantage? For example, are quotations opened at one time by a senior officer and in the presence of
the representatives of the suppliers? In case negotiations are carried on after the opening of the
tenders / quotations, is an equal opportunity given to all the short-listed suppliers?
(viii) Is a special authorization required in case the lowest quotation is not accepted?
(ix) What is the system of approving prices and other terms and conditions in case purchase are not
made on the basis of competitive quotations, e.g., Emergency purchases or purchases involving small
amounts? Is the system reasonable?
(x) In case a price variation clause or variation in terms of delivery, insurance, etc. Is to be included in
the purchase order / agreement, does it require prior approval of prescribed authorities?
(xi) Are specific approvals required for the following?
(a) Purchases from entities or individuals which are affiliates of the enterprise, e.g., Holding company,
subsidiaries, associates, joint ventures, organizations in which managerial personnel (e.g., Directors,
senior managers) are interested, etc. In case the law governing the enterprise (e.g., Companies Act,
1956, in the case of a company) lays down certain requirements in respect of such purchases, does
the system ensure compliance with such requirements? Is there a system by which all managerial
personnel up to a certain level are required to disclose their interest in various organizations?
(b) Purchase of abnormally large value.
(c) Entering into long-term purchase contracts, the purchases under which are likely to involve a large
amount over a period of time.
(xii) Are purchase orders pre-numbered? Are unused forms kept in proper custody? Are missing
numbers duly enquired into?
(xiii) Are purchase orders sufficiently detailed and precise so as to leave no scope for
misunderstanding? (For this purpose, a purchase order should clearly mention the name of the
supplier, the description of the goods ordered their quantity, price as well as other terms and
conditions relating to delivery, freight, payment, etc.)
(xiv) Is a copy of purchase order required to be signed by the supplier signifying his acceptance of the
terms of the order? In appropriate cases (e.g., For long-term purchase contracts or contracts involving
large amounts), are formal purchase agreements entered into with the suppliers?
(xv) Are copies of each purchase order / agreement forwarded to the goods receiving department and
the accounts department?
(xvi) Is there a periodic review of purchase orders which remain partly or fully unexecuted beyond the
due dates?
Receiving Goods
(i) Are all goods and suppliers received only in the receiving department? Where goods can also be
received by others, e.g., User departments / customers / sub-contractors, is there a procedure for
obtaining confirmation about he quantity and quality of the goods received?
(ii) Is every receipt of materials supported by a goods received note? Are the goods received notes pre-
numbered? Are missing goods received duly enquired into?
(iii) Is there a procedure for verifying the quantities of materials at the time of receipt through counting
Risk Assessment and Internal Control 3.41

weighing / measurement?
(iv) Is the quality of the materials checked on receipt? Are the specifications of materials received
matched with those in the purchase order? Are proper laboratories or other analyses conducted in
appropriate cases?
(v) In case of shortage of quantity or variations from specifications given in the purchase order, does the
receiving department reject the materials? In such a case, is an outward return note prepared, indicating
the quantity and specifications of goods to be returned? Are the goods returned promptly and an
acknowledgment of return of goods obtained from the supplier? Where materials are accepted despite
shortage or variations from specifications, is the shortage in quantity or the nature of qualitative
defects/variations from specifications mentioned on the challan sent to the supplier as well as on the
goods received note?
(vi) Does the receiving department send a copy of each goods received note containing its remarks
regarding the quantity and quality of the materials received to the following?
(a) Accounts department.
(b) Purchase department.
(c) Stores or the department to which the materials received are sent.
(vii) Are the materials received sent to the stores or to the requisitioning department promptly?
Recording Purchases
(i) Are the suppliers invoices received directly in the accounts department where they are matched
with the purchase order, the goods received note and the record of advance payments (where
applicable)?
(ii) Are all invoices checked thoroughly to ensure that the terms and conditions of the relevant
purchase orders / agreements have been complied with?
(iii) Are invoices checked for arithmetical accuracy? Does the person responsible for such checking
initial the invoice?
(iv) Are all invoices entered promptly in the purchase book?
(v) In case of variation of quantity or quality of materials received vis-a-vis those specified in the
purchase order, or in case in non-compliance with other terms and conditions of the purchase order,
are debit notes raised promptly against the suppliers concerned, on the basis of the observations of
the receiving department / examination of the suppliers! Invoices? Similarly, are debit notes raised
promptly against the suppliers concerned for goods returned, on the basis of the copies of the outward
return notes?
(vi) Are debit notes pre-numbered? Are missing numbers duly enquired into?
(vii) Is there a proper control over the issue of debit notes specially with regard to the authority for
issuing the same?
(viii) Are debit notes recorded promptly in the books of account?
(ix) Is each invoice given a running serial number? Is the serial number as marked on an invoice also
marked on the supporting documents attached to the invoice such as purchase order, goods received
note, etc.?
(x) Is it ensured that duplicate invoices are accepted only with proper authorization and only in such
cases where the original invoices were not received? Are duplicate invoices prominently marked
duplicate and attached with the supporting documents regarding the relevant purchase?
3.42 Advanced Auditing and Professional Ethics

(xi) Where the accounts department has received a written intimation from the purchase department that
the supplier has supplied the goods to the representatives / customers / sub-contractors of the
enterprise, is a proper entry made in the books of account recognizing the purchase ( even though the
goods have not been physically received in the stores)?
(xii) Are advance against purchases made only as per the terms of the purchase order and with proper
authority?
(xiii) Are all advances for purchases reviewed periodically and followed up properly?
(xiv) Is there a system of periodic reconciliation of the goods paid for as per financial accounts with the
goods received as per stores record?
Overall Controls
(i) Is there a proper segregation of duties in the various segments of the total purchase cycle? Have the
duties relating to purchases been so allocated that different persons are entrusted the functions of (a)
authorization of purchases, (b) execution of purchase transactions, (c) recording of purchases, and (d)
custody of goods? Are the duties of various persons relating to purchases rotated periodically?
(ii) Are the adequate cut-off procedures in relation to purchases? (These procedures seek to ensure that
the purchase of a preceding or a subsequent accounting period are not included in the purchases of the
current period, and vice versa. For example, an enterprise may have a system whereby the goods
receiving department is required to intimate to the accounts section the serial number of the last goods
received note issued on the last day of the Accounting year. Another example of cut-off procedures is
the use of new goods received note books from the commencement of a new accounting year, the old
books being handed over to an authorized officer. Similarly, appropriate cut-off procedures are
required to identify goods in which property has passed to the enterprise but which have not been
received by the end of the accounting year.)
(iii) Are the adequate cut-off procedures in relation to purchase returns?
(iv) Is there an internal audit of the entire purchase cycle?
(v) Is there a system of sending monthly statements of account to suppliers? Are the discrepancies
intimated by suppliers in their responses properly dealt with?
4
AUDIT UNDER COMPUTERISED INFORMATION
SYSTEM (CIS) ENVIRONMENT

Introduction
4.1 Information Technology throughout the world has revolutionized and dramatically changed
the manner in which the business is conducted today. Computerization has a significant effect
on organization control, flow of document information processing and so on. Auditing in a CIS
environment even though has not changed the fundamental nature of auditing, it has definitely
caused substantial changes in the method of evidence collection and evaluation. This also
requires auditors to become knowledge about computer environment (Hardware, software
etc.) and keep pace with rapidly changing technology, even to the extent of using
sophisticated Audit software. Students are advised to study the technical issue relating to
Information Technology from the study material of paper 6.
Scope of Audit in a CIS Environment
4.2 Impact of computerisation on audit approach needs consideration of the following factors:
(1) High speed - In a CIS environment information can be generated very quickly. Even
complex reports in specific report format can be generated for audit purposes without much
loss of time. This cuts down the time enabling the auditor to extend their analytical review for
under coverage with high speed of operation, the Auditor can expand their substantive
procedures for collection of more evidence in support of their judgement.
(2) Low clerical error - Computerised operation being a systematic and sequential
programmed course of action the changes of commission of error is considerably reduced.
Clerical error is highly minimised.
(3) Concentration of duties - In a manual environment the auditor needs to deploy separate
individuals for carrying out the verification process. In a CIS environment, the traditional
approach does not apply in many cases, as computer programs perform more than one set of
activities at a time thereby concentrating the duties of several personnel involved in the work.
(4) Shifting of internal control base -
(i) Application systems development control - Systems development control should be
designed to provide reasonable assurance that they are developed in an authorised and
efficient manner, to establish control, over:
4.2 Advanced Auditing and Professional Ethics

a) testing, conversion, implementation, and documentation of new revised system.


b) changes to application system.
c) access to system documentation.
d) acquisition of application system from third parties.
(ii) Systems software control - Systems software controls are designed to provide
reasonable assurance that system software is acquired or developed in an authorised
and efficient manner including:
a) authorisation, approval testing, implementation and documentation of new system
software systems software modifications.
b) putting restriction of access to system software and documentation to authorised
personnel.
(5) Disappearance of manual reasonableness - The shift from traditional manual information
processing environment to computerised information systems environment needs a detailed
analysis of the physical system for transformation into a logical platform. In creating such
logical models many stages required under manual operations are either deleted or managed
to create a focused computer system. In such creative effort, the manual reasonableness may
be missing.
(6) Impact of poor system - If system analysis and designs falls short of expected standard
of performance, a computerised information system environment may do more harm to
integrated business operation than good. Thus, care has to be taken in adopting manual
operations switch-over to computerised operations for ensuring performance quality
standards.
(7) Exception reporting - This is a part of Management information system. Exception
Reporting is a departure from straight reporting of all variables. Here the value of a variable is
only reported if it lies outside some pre-determined normal range. This form of reporting and
analysis is familiar to the accountant. The main strength of exception reporting lies in its
recognition that to be effective information must be selectivity provided.
(8) Man-machine interface / human-computer interaction - Man-machine interface ensures
maximum effectiveness of the information system. Organisation concentrated on presenting
information that is required by the user and to present that information in the most uncluttered
way. It is required to determine what information was necessary to achieve through a careful
analysis of the job or task for which the user needed the information.
Human-computer interaction is a discipline concerned with the design, evaluation and
implementation of interactive computing systems for human use and with the study of the
major phenomena, surrounding them. The approach is user centered and integrates
knowledge from a wide range of disciplines.
Audit under Computerised Information System (CIS) Environment 4.3

Impact of Changes on Business Processes (For Shifting From Manual To Electronic


Medium)
4.3 The effect of changes on accounting process may be stated as under:
A. Primary Changes
(1) Process of recording transactions - The process of recording transaction undergoes a
major change when accounting process are computerised under CIS environment, the order of
recording transaction from basic document to prime books and finally to principal book may
not be followed strictly in sequential from as is observed in manual system. In many cases all
the three processes Prime book of Entry →Ledger →Final accounts (Balance Sheet and
Profit and Loss Account) are carried on simultaneously.
(2) From of accounting records - Mechanisation often results in the abandonment in whole
or in part of the primary records. Punch card installation or electronic data processor changes
the form of both intermediate and ultimate records much more radically than manual records.
(3) Use of loose-leaf stationeries - Bound hand written records as used in manual
accounting processes are replaced by loose-leaf machine written records in electronic
medium. In a computerised information system, magnetic tapes, floppy disks, diskettes, print-
outs replace the traditional records. This necessarily require proper control over such records
to prevent their unauthorised us, destruction or substitution.
(4) Use of accounting code – In computerised information systems, alpha-numeric codes are
extensively used to represent names and description. The accountants as well as the Auditors
has to get themselves familiarised with the use of such codes which initially may pose
considerable problems in understanding the various transactions.
(5) Absence of link between transaction - In a computerised information system
environment, there may be an inadequacy or even total absence of cross-reference between
the basic documents, primary records and the principal records. This create special problems
for the auditors. The auditors may find it difficult to trace a transaction from start to finish there
by having a doubt in their mind as to loss of audit trials.
B. Recent Changes
The growth and development in the field of information technology is a fast paced one and
unless the auditors are alert to such developments and take pre- emptive action in upgrading
their knowledge, they may find difficulty in coping with such advancement.
Following are a few instance of the recent changes which the may need to be addressed in
discharging their responsibilities in such environment:
(1) Mainframes are substituted by mini/micro users.
(2) There is a shift from proprietary operating system to more universal ones like UNIX,
LINUX, Programming in 'C' etc.
(3) Relational Date Base Management (RDBMS) are increasingly being used.
4.4 Advanced Auditing and Professional Ethics

(4) The methodology adopted for systems development is becoming crucial and CASE
(Computer Aided Software Engineering) tools are being used by many organisation.
(5) End user computing is on the increase resulting in decentralized data processing.
(6) The need for data communication and networking is increasing.
(7) Common business documents are getting replaced by paperless electronic data interface
(EDI).
(8) Conventional data entry giving way to scanner, digitized image processes, voice
recognition system etc.
The Impact of all such change on auditing may be summarised as:
(a) wide- spread end-user computing may result in unintentional errors creeping into
systems owing to inept handling. Also coordinated program modification may not be
possible.
(b) improper use of decision support system can have serious repercussion. Also their
underlying assumption must be clearly documented.
(c) Usage of sophisticated audit software would be a necessity.
(d) Auditors non-participation at System Development Life Cycle State (SDLC) pose
considerable problem in understanding the operational controls.
(e) Data communication and net working would introduce new audit risk.
(f) The move toward paperless EDI would eliminate much of the traditional audit trail
radically changing the nature of audit trails.
Audit Approach in a CIS Environment
4.4 Based on The knowledge and expertise of Auditors in handling computerised data, the
audit approach in a CIS environment could be either:
A. A Black-box approach i.e., Auditing around the computer, or
B. A White-box approach i.e., Auditing through the computer.
Audit under Computerised Information System (CIS) Environment 4.5

A. The Black Box Approach

Client Input CPU Client Output

Auditing Around The Computer

Compare with
Client Output
Auditor's
Predetermined Output

In the Black box approach or Auditing around the computer, the Auditor concentrates on input
and output and ignores the specifics of how computer process the data or transactions. If input
matches the output, the auditor assumes that the processing of transaction/data must have
been correct.
In testing, say, Payroll Application, the auditor might first examine selected time cards for
hours worked and employee earning cards for rates and then trace these to the payroll
summary output and finally compare hours, rates and extensions. The comparison of inputs
and outputs may be done manually with the assistance of the computer. The computer
assisted approach has the advantage of permitting the auditor to make more comparisons
than would be possible, if done manually.
Auditing around the computer has the advantage of ease of comprehension as the tracing of
documents to output does not require any in-depth study of application program.
A major disadvantage, however, is that the auditor not having directly tested the control,
cannot make assertions about the underlying process. Moreover, in some of the more complex
computer systems intermediate printout may not be available for making the needed
comparisons.
4.6 Advanced Auditing and Professional Ethics

B. The White Box Approach

Auditor’s
Input CPU Client Output

Auditing Through The Computer

Compare with
Client Output
Predetermined Output

The processes and controls surrounding the subject are not only subject to audit but also the
processing controls operating over this process are investigated. In order to help the auditor to
gain access to these processes computer Audit software may be used. These packages may
typically contain:
(a) interactive enquiry facilities to interrogate files.
(b) facilities to analyze computer security logs for unusual usage of the computer.
(c) the ability to compare source and object (compiled) program codes in order to detect
dissimilarities.
(d) the facility to execute and observe the computer treatment of "live transaction" by moving
through the processing as it occurs. e) the generation of test data.
f) the generation of aids showing the logs of application programs. The actual controls and
the higher level control will be evaluated and then subjected to compliance testing and, if
necessary, substantive testing before an audit report is produced.
Audit under Computerised Information System (CIS) Environment 4.7

It is obvious, that to follow this approach the auditor needs to have sufficient knowledge of
computers to plan, direct-supervise and review the work performed.
The areas covered in an audit will concentrate on the following controls:
(1) Input controls,
(2) Processing control,
(3) Storage control,
(4) Output control and
(5) Data transmission control.
The auditor will also need to be satisfied that there are adequate controls over the prevention
of unauthorised access to the computer and the computerised database. The auditors task will
also involve consideration of the separation of functions between staff involves in transaction
processing and the computerised system and ensuring that adequate supervision of personnel
is administered.
The process of auditing is not a straight forward flow of work from start to finish to be
completed by satisfying oneself against a standard checklist or a list of questions. It involves
exposure, experiences and application of knowledge and expertise to differing circumstances.
No two information system is same. From the view point of analysis of computerised
information system, the auditors need not only have adequacy on knowledge regarding
information requirement and computer data security they must also get exposed to system
analysis and design so as to facilitate post implementation audit.
Types of Computer Systems
4.5 There is large variety of computer systems applicable to accounting and other type of
information processing. The nature and type of system affect the various types of controls for
its efficient and effective functioning Computer System may be broadly classified as under:
A) System configuration, and
B) Processing systems.
A. Systems configuration
System configuration may be classified as:
(1) Large system computers - In large system computers, the processing task of multiple
user is performed on a single centralised computer, i.e., all inputs move directly from the
terminal to central processors and after processing goes back to users from central
processors. All the terminals in these systems were called 'dumb terminals' as these terminals
were not capable of processing data on their own and casually serve only as input/output
terminals. With time, these systems have become more efficient and sophisticated. In many
instances dumb terminals have given way to intelligent terminals i.e., allowing data processing
at local levels.
4.8 Advanced Auditing and Professional Ethics

(2) Stand alone personal computers - A stand alone system is one that is not connected to
or does not communicate with another computer system. Computing is done by an individual
at a time. All input data and its processing takes place on the machine itself. Many small
business rely on personal computers for all their accounting functions.
(3) Network computing system - A network is a group of interconnected system sharing
services and interacting by a shared communication links. All networks have something to
share, a transmission medium and rules for communication. Network share hardware and
software resources. Hardware resources include:
(a) Client Server - A server in a network is dedicated to perform specific tasks to support
other computers on the network. Common types of servers are:
(b) File Server - File servers are the network applications that store, retrieve and move data.
(c) Data base server - Most of the data base are client server based. Database servers
provide a powerful facility to process data.
(d) Message Server - They provide a variety of communication methods which takes the
form of graphics, digitized audio/video etc.,
(e) Print Server - Print server manages print services on the network.
Software resource sharing provides a facility to share information in the organisation.
The networks can also be classified on the basis of areas covered. Software resources
include:
(1) Local area network - In a local area network (LAN), two or more computers located within
a small well-defined area such as room, office or campus are connected through cables. One
of the computers acts as the server, it stores the program and data files centrally. These
programs and data files can be accessed by the other computers forming part of the LAN. LAN
provide the additional advantage of sharing programs, data and physical resources like hard
disks peripherals.
(2) Wide area network - Networks that employ public telecommunications facilities to provide
users with access to the resources of centrally located computers. A WAN uses the public
switched telephone network, high speed fibre optic cable, ratio links or the internet. When a
LAN extend in the metropolitan area using the WAN technology, it is called Metropolitan Area
Network (MAN).
WAN uses modem to connect computers over telephone lines (PSTN) PSTN system transfer
analog signals. Therefore, public telephone system are not appropriate to connect computers.
Modems are used to convert analog signals into digital and vice versa.
(3) Distributed data processing - The term has been used to cover many varities of
computer system. It consists of hardware located at least two geographically distinct sites
connected electronically by telecommunications where processing / data storage occur at two
or more than one sites. The main computer and the decentralised units communicate via
communication links. A more integrated connection occur with 'cooperative processing where
processing is handled by two cooperating geographically distinct processors. One processor
Audit under Computerised Information System (CIS) Environment 4.9

send the output of its processing to another for completion. The system becomes more
complex, where operating system of both machines are different. Cooperative operating
system may be required under such situation.
(4) Electronic data interchange (EDI) - EDI can be defined as:
The transfer of electronic data from one organisations computer system to another's, the data
being structured in a commonly agreed format so that it is directly usable by the receiving
organisation computer system.
EDI may be introduced where a group of organisations wish to ensure that electronic
transactions are passed between one another. EDI groups require EDI services in order to
effect the data exchanges. These are often provided by a third party in more than merely the
transmission of the data. By providing these services the third party adds value to the data
transmission and is thus called value added network (VAN). The following benefits accrue
under EDI systems.
a) The speed with which an inter-organisational transaction is processed is minimised.
b) the paperwork involved in transaction processing is eliminated.
c) the costs of transaction processing are reduced, as much of the need for human
interpretation and processing is removed.
d) reduced human involvement reduces error.
B. Processing system
Transaction processing systems include:
(1) Batch processing - Under batch processing a large volume of homologous transactions
are aggregated and processed periodically. There are four steps in batch processing.
(a) Occurrence of transaction - The occurrence of business events is recorded in the source
document.
(b) Recorded in a Transaction file - A batch of source is periodically transferred to the data
entry operator to extract information from the source document and enter it into the computer
format. Data entry is usually done off line. The computerised format is the transaction file to be
processed in the system. Once the data entry is done, the records entered are confirmed with
the source document. Once the records are checked, the source documents are stored
separately for future reference.
(c) Updation of Master file - After all the data is entered in the system and it is processed
and summarised, the master files are updated.
(d) Generation of output - After processing and master file updation, the report, as required
are periodically generated.
Batch processing system are used for processing large volumes of repetitive transactions
where control considerations and efficient utilisation of computing capacity are important.
4.10 Advanced Auditing and Professional Ethics

(2) On Line Processing System - One line processing refers to processing of individual
transactions as they occur from their point of origin as opposed to accumulating them into
batches. This is possible by direct access devices such as magnetic disk and number of
terminals connected to and controlled by a central processors. In this way, various
departments in a company can be connected to the processor by cables.
Apart from transaction processing and file updating, inquires are also handled by the on-line
processing system. On-line processing ensures that the records are in a updated status at any
time whereas this is not so with batch processing, but the fact remains that online processing
is costly.
(3) Interactive Processing - Under this processing mode, a continuous dialogue exists
between the user and the computer. It is also called 'transaction driven' processing as
transactions dealt with completely on an individual basis through all the relevant processing
operations before dealing with the next transaction occur and enquiries to be dealt with on an
immediate response basis.
(4) On-line real time processing - The term ' Real Time' refers to the technique of updating
files with transaction data immediately after the occurrence of the event. Real time system are
basically on-line system with one speciality in enquiry processing. The response of the system
to the enquiry itself is used to control the activity. The response of a real time system is one
type of feed back control system. The response time would naturally differ from one activity to
another. Real time system usually operates in multi-programming and multi-processing. This
increases both availability and reliability of the system. CPU's in real time systems should
possess the capability of 'Program Interrupts'. These are temporary stoppage of halts in the
execution of a program so that more urgent message can be handled on priority. Some
computer systems are dedicated to real time operations and others are designed to operate in
both batch and real time modes so that they can also serve as stand by units to each other.
(5) Time Sharing - A time-sharing allows access to a CPU and files through many remote
terminals. Multiprogramming is the method of implementing time shared operations. In
transaction processing, time sharing occurs when a computer processes transactions of more
than one entity.
(6) Service Bureau - A service bureau is a company that processes transaction for other
entities. Such units may handle the computer processing for small companies that singly do
not have sufficient transactions to justify the acquisition of a computer.
Advanced processing system further includes:
(a) Decision Support System - A Decision Support System (DSS) can be defined as a
system that solving provided tools to managers to assist them in soloing semi-structured and
an unstructured problem. A DSS is not intended to make decisions for managers, but rather to
provide managers with a set of capabilities that enables them to generate the information that
is required by them for decision making. In other words, a DSS supports the human decision
making process, rather then providing a means to replace it.
Audit under Computerised Information System (CIS) Environment 4.11

The decision-support system are characterised by:


(i) they support semi-structured or unstructured decision making
(ii) they are flexible enough to respond to the changing needs of decision makers, and,
(iii) they are easy to operate.
A decision-support system has 4 basic components:
(i) The Users – represent managers at any given level of authority in the organisation.
(ii) Data bases – contains both routine and non-routine data from both internal and external
sources.
(iii) Planning Language – include general purpose planning language like spread
sheets/special purpose planning languages, SAS, SPSS, Minilab etc;
(iv) Model Base – Model base is the 'Brain' of the decision support system because it
perform data manipulations and computations with the data provided by the user and
data base.
(b) Expert System - An expert system a computerised information system that allows non-
experts to make decision comparable to that of an expert. Expert system are used for complex
or ill structured tasks that require experience and special knowledge in specific subject areas.
As expert system typically contains
(i) Knowledge Base - This includes data, knowledge, relationships, rules of thumb to and
decision rules used by experts to solve a particular type of problem. A knowledge base is
the computer equivalent of all the knowledge and insight that an expert or a group of
experts develop through years of experience in their field.
(ii) Inference Engine - This program contain the logic and reasoning mechanisms that
stimulate the expert system logic process and deliver advice. It uses data obtained from
both the knowledge base and the user to make associations and inference, forms its
conclusion and recommends a course of action.
(iii) Use interface - This program allows the user to design, create, update, use and
communicate with the expert system.
(iv) Explanation Facility - This facility provides the user with an explanation of the logic the
expert system use to arrive.
(v) Knowledge acquisition Facility – Building a knowledge base (also called knowledge
engineering), involves both a human expert and a know ledge engineer. The knowledge
engineer is responsible for extracting an individuals expertise and using the knowledge
acquisition facility to enter into the knowledge base.
(7) Integrated File System - These systems update many files simultaneously as transaction
is processed. Processing of a sales order updates the accounts receivable control accounts
and the related subsidiary ledger is also updated and the sales control and sales details are
also posted as the sales order is processed.
4.12 Advanced Auditing and Professional Ethics

Integrated data base system contains a set of interrelated master files that are integrated in
order to reduce data redundancy. The software used to control input processing and output is
referred to as Data Based Management System (DBMS) which handles the storage, retrieval,
updating and maintenance of the data in the data base.
Integrated files are most commonly associated with OLRT (on-line real time) system and pose
the greatest challenge to the Auditor's. Controls within these systems are harder to test and
assess due to the danger of file destruction.
Files may be physically stored on disk in the following way:
'Sequentially' records are physically ordered by some field (e.g., employee number).
'Randomly' records are stored at a physical address computed by an algorithm working on a
field value.
'Indexed' records are physically stored randomly with a sequentially ordered index field (e.g.
by customer) and a pointer to the physical location of each record.
'Indexed Sequential' records are physically stored sequentially ordered by some field
together with an index which provides access by some possibly other field.
If files are required to be processed sequentially, then they may be stored sequentially. The
sequential update of an employee master file by time sheet data is an example. However, if
individuals records are required to be accessed from time to time by some field e.g. employee
name, then one of the other storage method may be used.
Effect of Computers on Internal Controls
4.6 nternal control system include separation of duties, delegation of authority and
responsibility, a system of authorisation, adequate documents and records, physical control
over assets and records, management supervision, independent checks on performance and
periodic reconciliation of assets with records. In CIS environment, all these components must
exist but computers affects the implementation of these internal control in many ways. Some
of the effects are as under:
(1) Separation of Duties - In a manual system, different persons are responsible for carrying
out function like initiating, recording of transaction, safeguarding of assets, does not always
apply in a computer system. For example, in a computer system, a program may carryout
reconciliation of vendor invoice against a receipt document and also prepare a cheque
payable to a creditors. Such operation through a program will be considered as incompatible
functions in a manual system.
In minicomputer and microcomputer environments, separation of incompatible function could
be even more difficult. Some such forms, allows, users to change programs and data entry
without providing a record of these changes. Thus, it becomes difficult to determine whether
incompatible function have been performed by system users.
(2) Delegation Of Authority And Responsibility - A structured authority and responsibility is
an essential control within manual and computer environment. In a computer system however,
a clean line of authority and responsibility might be difficult to establish because some
Audit under Computerised Information System (CIS) Environment 4.13

resources are shared among multiple users. For instance, one objective of using a data base
management system is to provide multiple users with access to the same data, thereby
reducing the control problems that arise with maintaining redundant data, when multiple users
have access to the same data and the integrity of the data is somehow violated, it is not
always easy to trace who is responsible for corrupting the data and who is responsible for
identifying and correcting the error. Some organisation identified a single user as the owner of
the data.
(3) Competent And Trustworthy Personnel - Skilled, competent, well-trained and
experienced in formation system personnel have been in short supply. Since substantial power
is often vested in the person responsible for the computer information system
development, implementation, operation and maintenance within the organisation, competent
and trustworthy personnel is very much in demand. Unfortunately, the non availability of
competent personnel, forced many organisation to compromise on their choice of staff.
Moreover, it is not always easy for organisation to assess the competence and integrity of
their system staff. High turnover among those staff has been the norm. Some information
systems personnel lack a well developed sense of ethics and some enjoy in subverting
controls.
(4) System Of Authorisation - Management authorisation of transaction may be either:
a) general authorisation to establish policies for the organisation,
b) specific authorisation applying to individual transactions. In manual system, auditors
evaluate the adequacy of procedures for authorisation by examining the work of
employees. In a computer system, authorisation procedures often are embedded within a
computer program. In a computer system, it is also more difficult to assess whether the
authority assigned to individual persons is constant with managements policies. Thus, in
evaluating the adequacy of authorisation procedures, auditors have to examine not only
the work of employees but also the varacity of the programme processing.
(5) Adequate Documents And Records - In a manual system, adequate documents and
records are required to provide an audit trail of activities within the system. In computer
system, document support might not be necessary to initiate, execute and records some
transaction. The task of a visible audit trail is not a problem for auditors, provided the systems
have been designed to maintain a record of all events and that they are easily accessible. In
well-designed computer systems, audit trails are more extensive than those maintained in
manual systems unfortunately not all computer systems are well designed. This creates a
serious control problem.
(6) Physical Control Over Assets And Records - Physical access to assets and records is
critical in both manual systems and computer system. In a computer system the information
system assets and records may be concentrated at a single site. The concentration of
information systems assets and record also increases the losses that can arise from computer
abuse or disaster. If the organisation does not have another suitable backup, it might be
unable to continue operations.
4.14 Advanced Auditing and Professional Ethics

(7) Adequate Management Supervision - In a computer system, supervision of employee


might have to be carried out remotely. Supervisory controls must be built into the computer
system to compensate for the controls that usually can be exercised through observation and
in inquiring computer system also make the activities of employees less visible to
management. Because many activities are electronically controlled managers must
periodically access the audit trial of employee activities and examine it for unauthorised
actions.
(8) Independent Checks On Performance - Checks by an independent person help to detect
any errors or irregularities. In a computer system, if a program code is authorised accurate,
and complete the system will always follow the laid down procedures in absence of other type
of failures like hardware or systems software failure. Thus, independent checks on the
performance of programs often have little value. Instead, the control emphasis shifts to
ensuring the veracity of programme code. Auditors, must now evaluate the controls
established for program development, modification operation and maintenance.
(9) Comparing Recorded Accountability With Assets - In a manual system, independent
staff prepare the basic data used for comparison purposes. In a computer system software is
used to prepare this data. If unauthorised modifications occur to the program or the data files
that the program uses, an irregularity might not be discovered, because traditional separation
of duties no longer applies to the data being prepared for comparison purposes.
Effects of Computers on Auditing
4.7 The objective of auditing, do not undergo a sea change in a CIS environment. Auditor
must provide a competent, independent opinion as to whether the financial statements records
and report a true and fair view of the state of affairs of an entity. However, computer systems
have affected how auditors need to collect and evaluate evidence. These aspects are
discussed below:
(1) Changes to Evidence Collection - Collecting evidence on the reliability of a computer
system is often more complex than collecting evidence on the reliability of a manual system.
Auditors have to face a diverse and complex range of internal control technology that did not
exist in manual system, like:
a) accurate and complete operations of a disk drive may require a set of hardware controls
not required in manual system,
b) system development control include procedures for testing programs that again are not
necessary in manual control.
Since, Hardware and Software develop quite rapidly, understanding the control technology is
not easy. With increasing use of data communication for data transfer, research is focussed
an cryptographic controls to project the privacy of data. Unless auditor's keep up with these
developments, it will become difficult to evaluate the reliability of communication network
competently.
The continuing and rapid development of control technology also makes it more difficult for
auditors to collect evidence on the reliability of controls. Even collection of audit evidence
Audit under Computerised Information System (CIS) Environment 4.15

through manual means is not possible. Hence, auditors have to run through computer system
themselves if they are to collect the necessary evidence. Though generalized audit softwares
are available the development of these tools cannot be relied upon due to lack of information.
Often auditors are forced to compromise in some way when performing the evidence collection
(2) Changes to Evidence Evaluation - With increasing complexity of computer systems and
control technology, it is becoming more and more difficult for the auditors to evaluate the
consequences of strength and weaknesses of control mechanism for placing overall reliability
on the system.
Auditors need to understand:
a) whether a control is functioning reliably or multi functioning,
b) traceability of control strength and weakness through the system. In a shared data
environment a single input transaction may update multiple data item used by diverse,
physically disparate user, which may be difficult to understand.
Consequences of errors in a computer system is a serious matter as errors in computer
system tend to be deterministic, i.e., an erroneous program will always execute data
incorrectly. Moreover, the errors are generated at high speed and the cost and effort to correct
and rerun program may be high. Errors in computer program can involve extensive redesign
and reprogramming. Thus, internal controls that ensure high quality computer systems should
be designed implemented and operated upon. The auditors must ensure that these control are
sufficient to maintain assets safeguarding, data integrity, system effectiveness and system
efficiency and that they are in position and functioning.
Internal Controls in a CIS Environment
4.8 Internal control is an essential prerequisite for efficient and effective management of any
organisation. Basically, they are the policies and procedure adopted by a management to
achieve the entity's specific objectives like, physical verification of assets, periodic review and
reconciliation of accounts, specific control on computer generated data etc.
An internal control is a CIS system depends on the same principal as that of manual system.
Thus, the plan of organisation, delegation of powers, system authorisation, distribution of
duties etc., are determined on similar consideration as in a manual system. However, in a CIS
environment, due to difference in approach there is various other types of controls which are
quite specific to CIS environment.
In setting up an internal control system in a CIS environment, the overall CIS operation need
to be broken down into defined subsystem and controls established accordingly, addressing
each function separately so that auditors can place reliance on them. The basic components
that can be identified in a CIS environment are:
♦ Hardware (CPU, Monitor, Printers etc.)
♦ Software (Operating system, application programs, Data base management system etc.)
♦ People (Data entry operator, CIS organisation, end users)
4.16 Advanced Auditing and Professional Ethics

♦ Transmission media
Once components have been identified, auditors must evaluate their reliability with respect to
each type of error or irregularity that might occur.
The reliability of a component is a function of the controls that act on the component. A control
is stated to be a set of activities designed to prevent, detect or correct errors or irregularities
that affect the reliability of the components. The set of all control activities performed in a
system constitutes the control subsystem within a system. Its function is to establish execute
modify and maintain control activities so that the reliability of the system in maintained at an
acceptable level. In a computer system many different types of controls are used to enhance
component reliability. Major classes of control that the auditor must evaluate are:
(1) Authenticity Controls - Authenticity control are exercised to verify the identify of the
individuals or process involved in a system (e.g. password control, personal identification
numbers, digital signatures)
(2) Accuracy Control - Accuracy control ensure the correctness of data and processes in a
system (e.g. program validation cheek that a numeric field contains only numeric, overflow
checks, control totals, hash total etc.)
(3) Completeness Control - Completeness control attempt to ensure that no data is missing
and that all processing is carried through to its proper conclusion. (e.g. program validation
check, sequence check etc.)
(4) Redundancy Control - Redundancy controls attempts to ensure that a data is processed
only once. (e.g. batch cancellation stamp, circulating error files etc.)
(5) Privacy Controls - Privacy controls ensure that data is protected from inadvertent or
unauthorised disclosure. (e.g. cryptograph, data compaction, inference control etc.)
(6) Audit Trail Controls - Audit trail control ensure traceability of all events occurred in a
system. This record is needed to answer queries, fulfil statutory requirements, minimise
irregularities, detect the consequences of error etc. The accounting audit trail shows the
source and nature of data and process that update the database. The operations audit trail
maintains a record of attempted or actual resource consumption within a system.
(7) Existence Controls - Existence controls attempt to ensure the ongoing avail ability of all
system resources (e.g., database dump and logs for recovery purposes duplicate hardware,
preventive maintenance, check point and restart control)
(8) Asset Safeguarding Controls - Asset safeguarding control attempt to ensure that all
resources within a system are protected from destruction or corruption (e.g. physical barriers,
libraries etc.)
(9) Effectiveness Controls - Effectiveness control attempt to ensure that systems achieve
their goals. (e.g. monitoring of user satisfaction, post audits, periodic cost benefit analysis
etc.)
(10) Efficiency Controls - Efficiency controls attempt to ensure that a system uses minimum
resources to achieve its goals.
Audit under Computerised Information System (CIS) Environment 4.17

Consideration of Control Attributes by the Auditors


4.9 In evaluating the effects of a control, the auditor needs to assess the reliability by
considering the various attributes of a control. Some of the attributes are:
(1) whether the control is in place and is functioning as desired.
(2) generality versus specificity of the control with respect to the various types of errors and
irregularities that might occur.
General control inhibit the effect of a wide variety of errors and irregularities as they are
more robust to change controls in the application sub-system which tend to be specific
control because component in these sub-system execute activities having less variety.
(3) Whether the control acts to prevent, detect or correct errors.
The auditor focuses here on
i) Preventive controls: Controls which stop errors or irregularities from occurring.
ii) Detective controls: Controls which identify errors and irregularities after they occur.
iii) Corrective controls: Controls which remove the effects of errors and irregularities
after they have been identified.
Auditors expect to see a higher density of preventive controls at the early stages of
processing or conversely they expect to see more detective and corrective controls later
in system processing.
(4) the number of components used to execute the control.
Multi-component controls are more complex and more error prone but they are usually
used to handle complex errors and irregularities.
Internal Control Requirement Under CIS Environment
4.10 The requirement of internal control under CIS environment may cover the following
aspects:
(1) Organisation And Management Control - Controls are designed to establish an
organisational frame work for CIS activities including:
a) Policies and procedures relating to control functions.
b) Appropriate segregation of incompatible functions.
(2) Application System Development and Maintenance Control - Control are designed to
provide reasonable assurance that systems are developed and maintained in an authorised
and efficient manner, to establish control over:
a) testing, conversion, implementation and documentation of new revised system.
b) changes made to application system.
c) access to system documentation.
d) acquisition of application system from third parties.
4.18 Advanced Auditing and Professional Ethics

(3) Computer Operation Controls - Designed to control the operation of the system and to
provide reasonable assurance that:
a) the systems are used for authorised purposes only.
b) access to computer operation is restricted to authorised personnel.
c) only authorised programs are to be used.
d) processing errors are detected and corrected.
(4) System Software Control - Controls are designed to provide reasonable assurance that
system software is acquired or developed in an authorised and efficient manner including:
a) authorisation, approval, testing, implementation and documentation of new system
software and system software modification.
b) restriction of access to system software and documentation to authorised personnel.
(5) Data Entry And Program Control - Designed to provide assurance:
a) an authorisation structure is established over transaction being entered into the system.
b) access to data and program is restricted to authorised personnel.
(6) Control Over Input - Control are designed to provide reasonable assurance that:
a) transactions are properly authorised before being processed by the computer.
b) transactions are accuratelyconverted into machine readable from and recorded in
the computer data files.
c) transaction are not lost, added, duplicated or improperly changed.
d) incorrect transactions are rejected, corrected and if necessary, resubmitted on a timely
basis.
(7) Control Over Processing and Computer Data Files - Controls are designed to provide
reasonable assurance that:
a) transactions including system generated transactions are properly processed by the
computer.
b) transaction are not lost, added duplicated or improperly changed.
c) processing errors are identified and corrected on a timely basis.
(8) Control Over Output - Designed to provide reasonable assurance that
a) results of processing are accurate.
b) access to output is restricted to authorised personnel.
c) output is provided to appropriate authorised personnel on a timely basis.
(9) Other Safeguards - Other safeguards include:
a) Offsite back-up of data and program.
Audit under Computerised Information System (CIS) Environment 4.19

b) Recovery procedures for use in the event of theft, loss or intentional or accidental
destruction.
c) Provision of offsite processing in the event of disaster.
Approach to Auditing in a CIS Environment
4.11 The institute of Chartered Accountants of India has come out with Auditing Assurance
Standard 29 - Auditing in a computer Information System Environment, which emphasis that
the overall objective and scope of an audit do not change in a CIS environment. However, the
use a computer changes the processing, storage, retrieval and communication of financial
information and may affect the accounting and internal control systems employed by the
entity.
The standard requires the auditor to consider the effect of the factor like, (a) the extent of use
of computers for preparing accounting information( c) efficacy of internal control over input,
processing, analysis and reporting undertaken in the CIS installation and ( c) the impact of
computerisation on the audit trail that could otherwise be expected to exist in a manual
system.
The standard provides for the following:
(1) Skill and Competence - The standard provides that an auditor should have sufficient
knowledge of the computer information systems to plan, direct, supervise control and review
the work performed. The sufficiency of knowledge would depend on the nature and extent of
the CIS environment. The auditor should consider whether any specialized CIS skills are
needed in the conduct of the audit. If the answer is in affirmative the auditor would seek the
assistance of an expert possessing such skills.
(2) Planning - In regard to planning, the standard specifies that, the auditor should obtain an
understanding of the significance and complexity of the CIS activities and the availability of the
data for use in the audit.
The auditor should also obtain an understanding of the accounting and internal control system
in terms of AAS - 6 ( Revised ) to plan the audit and to determine the nature, timing and the
extent of the audit procedures.
Auditors understanding the process would include -
a) The computer information systems infrastructure ( hardware, operating system (s) and
application software used by the entity, including changes therein since last audit, if any )
b) The significance and complexity of computerized processing in each significant
accounting application, Significance relates to materiality of the financial statement
assertions affected by the computerized processing.
c) Determination of the organizational structure of the client; CIS activities and the extent of
concentration or distribution of computer processing throughout the entity, particularly, as
they may affect segregation of duties.
d) The auditor needs to determine extent of availability of data by reference to source
documents, computer files and other evidential matters. Computer information systems
4.20 Advanced Auditing and Professional Ethics

may generate reports that might be useful in performing substantive tests (particularly
analytical procedures). The potential for use of CAATS may permit increased efficiency in
the performance of audit procedures, or may enable the auditor to economically apply
certain procedures to the entire population of transactions.
(3) Risk - When the computer information systems are significant the auditor should assess
whether it may influence the assessment of inherent and control risks.
The nature of the risks and the ICS in CIS environment include the following:
(a) Lack of Transaction Trails - Some computer information systems are designed so that a
complete transaction trail that is useful for audit purposes might exist for only a short period of
time or only in computer readable form. Where a complex application system performs a large
number of processing steps, there may not be a complete trail. Accordingly errors embedded
in an application’s program logic may be difficult to detect on a timely basis by manual
procedures.
(b) Uniform processing of Transactions - Computer programs processing transactions
uniformly, virtually eliminating the occurrence of clerical errors. However, if programming error
exists all transactions will be processed incorrectly.
(c) Lack of Segregation of functions - Many controls become concentrated in a CIS
environment allowing data processing of incompatible functions.
(d) Potential for errors and Irregularities - The potential for human error in the
development, maintenance and execution of computer information systems may be greater
than in manual systems, because of the level of detail inherent in these activities. Also, the
potential for individuals to gain unauthorized access to data or to alter data without visible
evidence may be greater in CIS environment than in manual systems.
(e) Initiation or Execution of Transactions - In a CIS process certain types of transactions
are triggered internally by the system, the authorization for which may not be documented as
in manual system. In such cases, management; authorization of these transactions may be
implicit.
(f) Dependence of Other Controls over Computer Processing - Certain manual control
procedures are dependent on computer generated reports and outputs for their effectiveness.
In term, the effectiveness and consistency of transaction processing controls are dependent
on the effectiveness of general computer information systems controls.
(g) Increased management Supervision - Computer information can offer management a
variety of analytical tools that can enhance the effectiveness of the entire internal control
structure.
(h) Use of Computer - Assisted Audit Techniques - The Auditor may apply general or
specialized computer audit techniques and tools in the execution of audit tests.
While evaluating the reliability of the accounting and internal control systems, the auditor
would consider whether these systems:
(i) Ensure that authorized, correct and complete data is made available for processing;
Audit under Computerised Information System (CIS) Environment 4.21

(ii) Provide for timely detection and correction of errors.


(iii) Ensure that the case of interruption in the work of the CIS environment due to power,
mechanical or processing failures, the system restarts without distorting the complection
of the entries and records;
(iv) Ensure that accuracy and completeness of output;
(v) Provide adequate data security against fire and other calamities, wrong processing,
frauds etc.,
(vi) Prevent unauthorized amendments to the program;
(vii) Provide for safe custody of source code of application software and data files.
(4) Risk Assessment - The auditor in accordance with AAS-6 " Risk Assessment and Internal
Controls ”, should make an assessment of inherent and control risk for material financial
statement assertions.
Risk may result from deficiencies in,
(a) Program development and maintenance,
(b) System software support;
(c) Operations
(d) Physical CIS security;
(e) Control over access to specialized utility programs;
These deficiencies would tend to have a negative impact on all application systems that are
processed through the computer.
Risk may also increase the potential for errors or fraudulent activities in;
(a) Specific applications.
(b) Specific data base or master files, or
(c) Specific processing activities.
As new CIS technologies are emerging for data processing and Clients are adopting the same
for building complex computer systems, these may increase risk which needs further
consideration
(5) Documentation - The Auditor should document the audit plan, the nature, timing and
extent of audit procedures performed and the conclusions drawn from the evidence obtained.
In an audit in CIS environment, some of the audit evidence may be in electronic form. The
auditor should satisfy himself that such evidence is adequately and safely stored and is
retrievable in its entirety as and when required.
Review of Checks and Controls in a CIS Environment
4.12 General controls in a CIS environment falls under the three basic control approaches as
seen under manual system, i.e. Feedback, feed-forward and preventive control. Apart from the
three - fold categorization computer based information system also required different controls,
4.22 Advanced Auditing and Professional Ethics

though the emphasis is on preventive controls, Controls are present over many aspects of the
computer system and its surrounding social environment. They operate over data moving into,
through and out of the computer to ensure correct, complete and reliable processing and
storage. There are other controls present over staff, staff involvement with the computer and
access to data. Further controls are effective at preventing deterioration or collapse of the
entire computing function.
Erroneous data processing by a computer system is likely to be the result of incorrect data
input. This is the major point at which the human interfaces with the machine and it is here
where important controls are placed.
4.12.1 Review Process -
(1) Organization Structure / Control - CIS function in an organization need to be so
organized that different groups are formed to perform different duties in a large CIS
installation. Some of the typical function that must be performed by select group includes:
(a) Data Administrator - Generates the data requirements of the users of information system
services: formulates data policies, plans the evaluation of the Corporate data bases, maintains
data documentation.
(b) Database Administrator - Responsible for the operational efficiency of corporate
database, assist users to use database better.
(c) System Analyst - Manages information requirement for new and existing applications,
designs information systems architectures to meet these requirements, facilitates
implementation of information systems, writes procedures and users documentation.
(d) System Programmers - Maintains and enhances operating systems software, network
software, library software, and utility software, provides when unusual systems failure occurs.
(e) Application Programmer - Designs programs to meet information requirements, codes,
tests and debugs programs documents programs, modify program to remove errors, improve
efficiency.
(f) Operation Specialist - Plans and control day-to-day operations, monitors and improves
operational efficiency along with capacity planning.
(g) Librarian - Maintains library of magnetic media and documentation.
Auditors should be concerned about two matters:
i) Responsibilities of each job position must be clear; and incumbents must fully understand
their duties, authority and responsibilities.
ii) The jobs performed within the information system function should maintain separation of
duties to the extent possible. Without separation of duties, errors and irregularities might
remain undetected.
(2) Documentation Control - Systems and programs as well as modifications, must be
adequately documented and properly approved before being used: Documentation ordinarily
assumes the following form:
Audit under Computerised Information System (CIS) Environment 4.23

a) A system flowchart;
b) A program flowchart;
c) Program change;
d) Operator instructions;
e) Program description (explaining the purpose for each part of the program)
Adequate documentation evidencing approval of changes minimises the probability of
unauthorized system and program changes that could result in loss of control and decreased
reliability of financial data.
(3) Access Control - Access controls are usually aimed at for preventing unauthorized
access. The controls may seek to prevent persons who are authorised for access from
accessing restricted data and program, as well as preventing unauthorized persons from
gaining access to the system as a whole.
(a) Segregation Controls
♦ Access to program documentation should be limited to those persons who require it in
the performance of their duties.
♦ Access to data files and programs should be limited to those individuals authorized to
process data.
♦ Access to computer hardware should be limited to authorized individuals ( e.g. Computer
operators).
(b) Limited Physical Access to the computer Facility
♦ The physical facilities that hold the computer equipment, files and documentation should
have controls to limit access only to authorized individuals.
♦ Types of controls may include, (a) using a guard, (b) automated key cards, (c ) manual
key locks, (d) new access devices like, fingerprints, palm prints, or other biometric
devices.
(c) Visitor entry Logs - Entry logs should be uses to determine and documents those who
have had access to the area.
(d)Hardware and Software access controls - Access control software like ‘user
identification’ may be used. User identification is a frequently used control and is a
combination of a unique identification code and a confidential password.
(e) Call back - It is a specialized form of user identification in which the user dials the system,
identifies him and is disconnected from the system. Then, either an individual manually finds
the authorized telephone number or the system automatically finds the authorized telephone
number of the individual and finally the user is called back.
(f) Encryption - In encryption data is encoded when stored in computer files / and or
before transmission to or from remote locations. This coding protects data because to use the
data unauthorized users must not only obtain access, but must also decrypt the data i.e.,
4.24 Advanced Auditing and Professional Ethics

decode it from encoded form.


(g) Computer Application Controls - Programmed application controls apply to specific
application rather than multiple applications.
These controls operate to assure the proper input and processing of data. The input steps
converts human readable data into computer readable form. All CIS application are classified
under 3 heads: Input, Processing and output.
(4) Input Controls - Input into the CIS system should be properly authorized and approved.
The system should verify all significant data fields used to record information i.e., Should
perform editing of the data. Conversion of data into machine readable form should be
controlled and verified for accuracy.
For validation of input controls, the following procedure can be applied:
(a) Pre-printed form - All constant information be printed on a source document. For
example, if only limited number of responses to a question is considered appropriate then
preprint the responses and have the user tick or circle the correct responses deleting those
that are inappropriate.
(b) Check Digit - Errors made in transcribing and keying data can have serious
consequences. One control used to guard against these types of errors is a ‘Check Digit’.
A Check Digit is a redundant digit (s) added to a code that enables the accuracy of other
characters in the code to be checked. The check digit can act as a prefix or suffix character or
it can be placed somewhere in the middle of the code. When the code is entered, a program
recalculates the check digit to determine whether the entered check digit and the calculated
check digit are the same. If they are the same, the code is most likely to be correct.
Calculation Of Check Digit
A simple way is to add the digits in a number and assign the result as a suffix.
Example: The number is 2148 the check digit is
2+1+4+8=15 i.e., 5 (dropping tens digit ). The code is 21485
However, this does not protect transposition error, like 2814. The incorrect code will still
produce the correct check digit.
This problem can be overcome by Module -11 test ; The Calculation steps are as under:
- The desired number = 2148.
- Make weighed average = 2x5 + 1x4 + 4x3 + 8x2 =42
- Divide by Modules 11 = 42/11 -3 with remainder 9
- Subtract the remainder from the modules = 11-9 =2 (check digit)
- Check digit is added as a suffix = 21482.
The check digit can be recalculated for verification as under:
- The encoded number = 21482
Audit under Computerised Information System (CIS) Environment 4.25

- Weighted average = (2x1)+(8x2)+(4x3)+(1x4)+(2x5) = 44.


- Division by the modules = 44/11 = 4 with no remainder.
If the remainder is zero, there is a high probability that the code is correct.
(c) Completeness Totals - To input data erroneously is one type error. To leave out or lose
data completely is another type of error against which controls are provided.
(i) Batch Control Totals - The transactions are collected together in batches of say, 50
transactions. A total of all the data value of some important field is made. For example, if a
batch of invoices is to be inputed a total of all the invoices amounts might be calculated
manually. The control total is then compared with a computer generated control total, after
input of batch transaction. A difference indicates either a lost transaction or the input of an
incorrect invoice total. The method is not foot proof as compensating errors is possible.
(ii) Batch Hash Total - The idea is similar to control totals except that Hash totals are
meaningless totals prepared purely for control purposes. The total of all customer account
numbers in a batch is meaningless but may be used for control by comparing it with computer
generated hash totals.
(iii) Batch Record Totals - Account is taken of the number of transactions and this is
compared with the record count produced by the computer at the end of the batch.
(iv) Sequence Checks - Documents may be pre-numbered sequentially before entry and at
a later stage the computer will perform a sequence check and display any missing number.
(d) Reasonableness Checks - These are sophisticated forms of limit checks. An example
might be a check on an electricity meter reading. The check might consists of subtracting the
last reading recorded from the current reading and comparing this with the average usage for
that quarter. If the reading differs by a given percentage then it is investigated before
processing.
(e) Field Checks - The following types of field checks may be applied:
(i) Missing data / blank - Is there any missing data in the field? If a code should contain 2
hyphens, though they might be in a variable position, can only one be detected? Does the field
contain blanks when data always should be present.
(ii) Alphabetic / Numeric - Does a field that should contain only alphabetic or numeric
contain alphanumeric characters?
(iii) Range - Does the data for a field fall within its allowable value range?
(iv) Master Reference - If the master file can be referenced at the same time input data is
read, is there a master file match for the key field?
(v) Size - If variable - length fields are used and a set of permissible sizes is defined does the
field delimiter show the field to be one of these valid sizes?
(vi) Format Mask - Data entered into a field might have to conform to a particular format, like
‘yy mm dd’
(f) Record Checks - The following types of record checks can be applied:
4.26 Advanced Auditing and Professional Ethics

(i) Reasonableness - Even though a field value might pass a range check, the contents of
another field might determine what is a reasonable value for the field.
(ii) Valid-Sign-Numeric - The content of one field might determine which sign is valid for a
numeric field.
(iii) Size - If Variable - length records are used, the size of the record is a function of the
sizes of the variable length fields or the sizes of fields that optionally might be omitted from the
record. The permissible size of the fixed and variable - length records also might depend on a
field indicating the record type.
(g) File Checks - In file checks, validation control examines whether the characteristics of a
file used during data entry are matching with the stated characteristics of the file. For example
if auditors validate some of the characteristic of data that is keyed into an application system
against a master file, they can check whether they are using the latest version of the master
file.
(5) Processing Controls - When input has been accepted by the computer, it usually is
processed through multiple steps. Processing controls are essential to ensure the integrity of
data. Almost all of the controls mentioned under input may also be incorporated during
processing stage.
Processing validation checks primarily ensure that computation performed on numeric fields
are authorized, accurate, and complete. The following validation checks may be indicated in
this regard.
(i) Overflow - Overflow can occur if a field used for computation is not initiated to zero at
start. Some error in computation occurs, or unexpected high values occur.
(ii) Range - An allowable value range can apply to a field.
(iii) Sign Test - The contents of one record type field might determine which sign is valid for
a numeric field.
(iv) Cross – Footing - Separate control totals can be developed for related fields and cross
footed at the end of a run.
(v) Run-to-Run Control - In a tape based system, the processing of transaction file may
involve several runs, for instance, a tape based order processing system might have a
transaction tape that is used to update first a stock master file, then a sales ledger followed by
a general ledger, various control totals may be passed from one run to the next as a check on
completeness of processing.
(6) Recording Control - Recording controls enable records to be kept free of errors and
transactions details that are input into the system.
(a) Error Log - This is particularly important in batch entry and batch processing system.
Many of the accuracy checks can only be carried to during run time processing. It is important
that a detected error does not bring the run to a halt, on discovery, the erroneous transaction
is written to a error log file, which is examined at the end of processing. The errors can then
be corrected or investigated with the relevant department before being input and processed.
Audit under Computerised Information System (CIS) Environment 4.27

(b) Transaction Log - The transaction log provides a record of all transactions entered into
the system as well as storing transaction details such as the transaction reference number,
the date, the account number, the type of transaction the amount and the debit and credit
references. The transaction will be "Stamped” with details of input. These typically include
input time, input date, input day, terminal number and user number. It is used for multi-access
main frame systems accounting transactions. The transaction log can form the basis of an
audit trail and may be printed out for investigation during an audit.
(7) Storage Control - These controls ensure the accurate and continuing and reliable storage
of data. Data is a vital resource for an organization and is the heart of CIS activities. Special
care must be taken to ensure the integrity of the database or file system. The controls are
particularly accidental erasure of files and the precision of back-up and recovery facilities.
The following checks may be considered:
(a) Physical Protection Against Erasure - Magnetic tape files have rings that may be
inserted if the files are to be written or erased. Read only files have the ring removed. The
controls in respect of floppy disks have a plastic lever, which is switched for read only
purposes.
(b) External Label - These are attached to tape reels or disk packs to identify the contents.
(c) Magnetic Labels - These consists of magnetic machine readable information encoded on
the storage medium identifying its contents. File header labels appear at the start of a file and
identify the file by name, give the date of last update and other information. This is checked by
a software prior to file up dating. Trailer labels at the end of files often contain controls that are
checked against those calculated during file processing.
(d) File Back - up Routines - Copies are held of important files for security purposes. As
the process of providing back-up often involves a computer operation in which one file is used
to produce another, a fault in this process would have disastrous results; if both the master
and the back-up were lost.
(e) Database Back - up routines - The contents of a data base held on a direct access
storage device (DASD) such as magnetic disk are periodically dumped on to a back-up file.
The back-up is usually a tape which is then stored together with the transaction log tape of all
transactions occurring between the last and the current dump. If a fault in database, such as
disk crash, happens afterwards the state of the data base can be recreated using the dumped
data base tape, the stored transaction and the current log of transactions occurring between
the dump and the crash point.
(f) Cryptographic Storage - Data is commonly written to files in a way that uses standard
coding like ASCII or EBCDIC. It can be interpreted easily by unauthorized reader gaining
access to the file. If the data is confidential or sensitive then it may be scrambled prior to
storage and described on reading.
The security process involves the conversion of the plain text message or data into cipher text
by the use of an encryption algorithm and an encryption key. The opposite process, uses a
description key to reproduce the plain text or message. If the encryption and decryption key
4.28 Advanced Auditing and Professional Ethics

are identical the entire procedure is called Symmetric Cryptograph, otherwise, it is known as
asymmetric cryptograph.
(8) Output Control - Output control ensures that the results of data processing are accurate,
complete and are directed to authorize recipient. The auditor should examine whether audit
trail relating to output was provided and the date and time when the output was so provided.
This would enable the auditor to identify the consequences of any errors discovered in the
output.
Auditors Involvement In The Clients System Development And Documentation Control
4.13 Auditors both external and internal, may be consulted while designing appropriate
controls over the development of computerized system within an enterprise. Such association
may help the auditors in suggesting appropriate trails in post implementation audit.
The major functions may be elaborated as under:
Analysis of the system involves identification understanding and critically examining the
system and its inter-related parts (sub-system). For the purpose of achieving the goals
(objectives) set for the CIS as a whole, through modification, changed inter-relationship of
components, deleting or merging or separating or break-up of component. They may also
involve upgrading the system as a whole.
The Methodology involves:
(A) Identification of the system (setting system boundary ), the system objectives, the system
components, and
(B) Understanding the role and inter-relationships of elements with other elements of the
same system.
Through this identification and understanding process the capability (or background) to
analyze and compare various alternatives regarding components and system functioning is
generated.
In order to develop a Computerized Information System it is necessary to pass through a
number of distinct stages. These stages (as shown in the schematic) are completed in
sequence. The process cannot progress from one stage to the next until it has completed all
the required work of the stage. In order to ensure that a stage is satisfactorily and some
deliverable is produced at the stage end, generally, this is a piece of documentary evidence
on the work carried out. This is known as the ‘exit criteria for the stage’.
System Development Life Cycle Stage
A. Stages and Objectives → Deliverable output
B. Systems Investigation and Feasibility Report →Feasibility Report.
C. System Analysis →Logical Model Of The System
D. System Design → The Intended System Design In Broad Outline.
E. Detailed Design →A Detailed Physical Specification Of The System
Audit under Computerised Information System (CIS) Environment 4.29

F. Implementation →The New System With Documentation Procedure


G. Changeover →The New System With Documentation Procedure
H. Evaluation and Maintenance →Evaluation Report.
It is common for some of the tasks carried out during a stage of the process to be initially
unsatisfactory.
This should come to light when the exit criteria are considered. The relevant tasks will need to
be redone before exit from the stage can be made. Although slooping within a stage is quite
common but once a stage has been left it should not be necessary to return to it from a later
stage.
The benefits of this staged approach are:
(1) Sub-division of a complex, lengthy project into discrete chunks of time, makes the project
more manageable and thereby promotes better project control.
(2) Although different parts of a project may develop independently during a stage, the parts
of the project reaches the same point of development at the end of the stage. This
promotes coordination between the various components of large projects.
(3) The deliverables being documentation provide a historical trace of the development of
the project. At the end of each stage the output documentation provides an initial input
into the subsequent stage.
(4) The document deliverables are designed to be communication tools between analyst,
programmers, users and management. This promote easy assessment of the nature of
the work completed during the stage.
(5) The stages are designed to the ‘natural’ division points in the development of the project.
(6) The stage allows a creeping commitment to expenditure during the project.
Project Stages
(A) Determination of Scope and Objective - Before an analyst can attempt to undertake a
reasonable systems investigation, analysis and design, there must be some indication given of
the agreed overall scope of the project. The documentation provided on this acts as the
analysts initial terms of reference.
(B) System Investigation and Feasibility Study - The output of this stage is a report on the
feasibility of a technical solution to the problems or opportunities mentioned in the statement
of scope and objectives in stage A. The solution will be present in broad outlines.
(C) System Analysis - Provided that the project has been given the ago ahead as a result of
the feasibility study, the next task for the analyst is to build a logical model of the existing
system. This will be partly based on information gathered from the existing system during the
stage of system investigation and partly on new information.
The purpose of this stage is to involve a decomposition of the functions of the system into
their logical constituents and the production of a logical model of the process and data flows
4.30 Advanced Auditing and Professional Ethics

necessary to perform these through data flow diagram.


(D) System Design - Once the analysis is complete the analyst has a good idea of what is
logically required of the new system. There will be a number of ways that this logical model
can be incorporated into a physical design. The analyst will suggest two or three design
alternatives to management together with their implication.
Management will then decide amongst them.
(E) Detailed Design - Detailed physical specifications need to be made so that the system
can be purchased / build and installed. There are a number of distinct areas that must be
considered. These areas can be summarized as:
A) Software, D) Schedule for Implementation.
B) Hardware E) Security
C) Data Storage F) User Machine Interface
The Systems Specifications is a highly detailed set of documents covering every aspect of the
system.
(F) Implementation - During implementations the system as specified is physically created.
The hardware is purchased and installed. The programs are written and tested individually.
The database or file structure is created and historic data from the old system is loaded.
Particular attention will be paid to security features surrounding the conversion of existing
files, whether manual or computer based on the new system.
(G) Changeover - Changeover is that time during which the old system is replaced by the
newly designed computer system. This period may be short if, at the time the new system
starts, running the old system is discarded. Alternative method of changeover exists. The old
system can be run in parallel with the new.
(H) Evaluation and Maintenance - At this time, the system is running and in continual
system use. It should be delivering the benefit for which it was designed and installed. Any
initial problem in running will be rectified. Throughout the remainder of the useful life of the
system it will have to be maintained if it is to provide a proper service.
The maintenance will involve hardware and software. It is normal to transfer the maintenance
of the hardware to the manufacturer of the equipment or some specialist third party
organization. The software need to be maintained as well. This will involve corrective actions
for errors in program that become apparent after an extended period of use. Programs may
also be altered to enable the machines to run with greater technical efficiency.
It is customary, to produce an evaluation report on the system after it has been functioning for
some time. This will be drawn up after the system has settled into its normal daily functioning.
The report will compare the actual system with the objectives required to be designed.
Shortcomings, if any, are identified and corrective actions are taken.
Audit under Computerised Information System (CIS) Environment 4.31

Computer Assisted Audit Techniques (CAATs)


4.14 The overall objectives and scope of an audit do not change when an audit is conducted in
a Computer Information Systems (CIS) environment. The application of auditing procedures
may, however, require the auditor to consider techniques known as Computer Assisted Audit
Techniques (CAATs) that use the computer as an audit tool for enhancing the effectiveness
and efficiency of audit procedures. CAATs are computer programs and data that the auditor
uses as part of the audit procedures to process data of audit significance, contained in an
entity’s information systems.
Uses of CAATs - CAATs may be used in performing various auditing procedures, including
the following:
♦ tests of details of transactions and balances, for example, the use of audit software for
recalculating interest or the extraction of invoices over a certain value from computer
records;
♦ analytical procedures, for example, identifying inconsistencies or significant fluctuations;
♦ tests of general controls, for example, testing the set-up or configuration of the operating
system or access procedures to the program libraries or by using code comparison
software to check that the version of the program in use is the version approved by
management ;
♦ sampling programs to extract data for audit testing;
♦ tests of application controls, for example, testing the functioning of a programmed
control; and
♦ reperforming calculations performed by the entity’s accounting systems.
Audit Software - CAATs allow the auditor to give access to data without dependence on the
client, test the reliability of client software, and perform audit tests more efficiently. caats may
consist of package programs, purpose-written programs, utility programs or system
management program. a brief description of the programs commonly used is given below.
♦ Package Programs are generalized computer programs designed to perform data
processing functions, such as reading data, selecting and analyzing information,
performing calculations, creating data files and reporting in a format specified by the
auditor.
♦ Purpose-Written Programs perform audit tasks in specific circumstances. These
programs may be developed by the auditor, the entity being audited or an outside
programmer hired by the auditor. In some cases, the auditor may use an entity’s existing
programs in their original or modified state because it may be more efficient than
developing independent programs.
♦ Utility Programs are used by an entity to perform common data processing functions,
such as sorting, creating and printing files. These programs are generally not designed
for audit purposes, and therefore may not contain features such as automatic record
counts or control totals.
4.32 Advanced Auditing and Professional Ethics

♦ System Management Programs are enhanced productivity tools that are typically part of
a sophisticated operating systems environment, for example, data retrieval software or
code comparison software. As with utility programs these tools are not specifically
designed for auditing use and their use requires additional care.
Considerations in the Use of Caats - When planning an audit, the auditor may consider an
appropriate combination of manual and computer assisted audit techniques. in determining
whether to use caats, the factors to consider include:
♦ the IT knowledge, expertise and experience of the audit team;
♦ the availability of CAATs and suitable computer facilities and data;
♦ the impracticability of manual tests;
♦ effectiveness and efficiency; and
♦ time constraints.
Before using caats the auditor considers the controls incorporated in the design of the entity’s
computer systems to which caat would be applied in order to determine whether, and if so,
how, caats should be used.
It Knowledge, Expertise And Experience Of The Audit Team : Auditing and Assurance
Standard (AAS) 29, “auditing in a computer information systems environment” deals with the
level of skill and competence the audit team needs to conduct an audit in a cis environment. it
provides guidance when an auditor delegates work to assistants with cis skills or when the
auditor uses work performed by other auditors or experts with such skills. specifically, the
audit team should have sufficient knowledge to plan, execute and use the results of the
particular caat adopted. the level of knowledge required depends on “availability of caats” and
“suitable computer facilities”.
Availability of CAATS and Suitable Computer Facilities - The auditor considers the
availability of caats, suitable computer facilities and the necessary computer-based
information systems and data. The auditor may plan to use other computer facilities when the
use of caats on an entity’s computer is uneconomical or impractical, for example, because of
an incompatibility between the auditor’s package program and entity’s computer. Additionally,
the auditor may elect to use their own facilities, such as pcs or laptops. The cooperation of the
entity’s personnel may be required to provide processing facilities at a convenient time, to
assist with activities such as loading and running of CAAT on the entity’s system, and to
provide copies of data files in the format required by the auditor.
♦ Impracticability of Manual Tests - Some audit procedures may not be possible to
perform manually because they rely on complex processing (for example, advanced
statistical analysis) or involve amounts of data that would overwhelm any manual
procedure. In addition, many computer information systems perform tasks for which no
hard copy evidence is available and, therefore, it may be impracticable for the auditor to
perform tests manually. The lack of hard copy evidence may occur at different stages in
the business cycle.
Audit under Computerised Information System (CIS) Environment 4.33

Effectiveness and Efficiency - The effectiveness and efficiency of auditing procedures may
be improved by using CAATs to obtain and evaluate audit evidence. CAATs are often an
efficient means of testing a large number of transactions or controls over large populations by:
♦ analyzing and selecting samples from a large volume of transactions;
♦ applying analytical procedures; and
♦ performing substantive procedures.
Matters relating to efficiency that an auditor might consider include:
♦ the time taken to plan, design, execute and evaluate CAAT;
♦ technical review and assistance hours;
♦ designing and printing of forms (for example, confirmations); and
♦ availability of computer resources
In evaluating the effectiveness and efficiency of CAAT, the auditor considers the continuing
use of CAAT application. The initial planning, design and development of CAAT will usually
benefit audits in subsequent periods.
Time Constraints
Certain data, such as transaction details, are often kept for a short time and may not be
available in machine-readable form by the time auditor wants them. Thus, the auditor will need
to make arrangements for the retention of data required, or may need to alter the timing of the
work that requires such data.
Where the time available to perform an audit is limited, the auditor may plan to use CAAT
because its use will meet the auditor’s time requirement better than other possible procedures.
Using CAATs -The major steps to be undertaken by the auditor in the application of CAAT are
to:
(a) set the objective of CAAT application;
(b) determine the content and accessibility of the entity’s files;
(c) identify the specific files or databases to be examined;
(d) understand the relationship between the data tables where a database is to be
examined;
(e) define the specific tests or procedures and related transactions and balances affected;
(f) define the output requirements;
(g) arrange with the user and IT departments, if appropriate, for copies of the relevant files
or database tables to be made at the appropriate cut off date and time;
(h) identify the personnel who may participate in the design and application of CAAT;
(i) refine the estimates of costs and benefits;
(j) ensure that the use of CAAT is properly controlled;
4.34 Advanced Auditing and Professional Ethics

(k) arrange the administrative activities, including the necessary skills and computer
facilities;
(l) reconcile data to be used for CAAT with the accounting and other records;
(m) execute CAAT application;
(n) evaluate the results;
(o) document CAATs to be used including objectives, high level flowcharts and run
instructions; and
(p) assess the effect of changes to the programs/system on the use of CAAT.
Testing CAAT - The auditor should obtain reasonable assurance of the integrity, reliability,
usefulness, and security of CAAT through appropriate planning, design, testing, processing
and review of documentation. This should be done before reliance is placed upon CAAT. The
nature, timing and extent of testing is dependent on the commercial availability and stability of
CAAT.
Controlling CAAT Application - The specific procedures necessary to control the use of
CAAT depend on the particular application. In establishing control, the auditor considers the
need to:
(a) approve specifications and conduct a review of the work to be performed by CAAT;
(b) review the entity’s general controls that may contribute to the integrity of CAAT, for
example, controls over program changes and access to computer files. When such
controls cannot be relied on to ensure the integrity of CAAT, the auditor may consider
processing CAAT application at another suitable computer facility; and
(c) ensure appropriate integration of the output by the auditor into the audit process.
Procedures carried out by the auditor to control CAATs applications may include:
(a) participating in the design and testing of CAAT;
(b) checking, if applicable, the coding of the program to ensure that it conforms with the
detailed program specifications;
(c) asking the entity’s staff to review the operating system instructions to ensure that the
software will run in the entity’s computer installation;
(d) running the audit software on small test files before running it on the main data files;
(e) checking whether the correct files were used, for example, by checking external
evidence, such as control totals maintained by the user, and that those files were
complete;
(f) obtaining evidence that the audit software functioned as planned, for example, by
reviewing output and control information; and
(g) establishing appropriate security measures to safeguard the integrity and confidentiality
of the data.
Audit under Computerised Information System (CIS) Environment 4.35

When the auditor intends to perform audit procedures concurrently with online processing, the
auditor reviews those procedures with appropriate client personnel and obtains approval
before conducting the tests to help avoid the inadvertent corruption of client records.
To ensure appropriate control procedures, the presence of the auditor is not necessarily
required at the computer facility during the running of CAAT. It may, however, provide
practical advantages, such as being able to control distribution of the output and ensuring the
timely correction of errors, for example, if the wrong input file were to be used.
Audit procedures to control test data applications may include:
♦ controlling the sequence of submissions of test data where it spans several processing
cycles;
♦ performing test runs containing small amounts of test data before submitting the main
audit test data;
♦ predicting the results of the test data and comparing it with the actual test data output, for
the individual transactions and in total;
♦ confirming that the current version of the programs was used to process the test data;
and
♦ testing whether the programs used to process the test data were the programs the entity
used throughout the applicable audit period.
When using CAAT, the auditor may require the cooperation of entity staff with extensive
knowledge of the computer installation. In such circumstances, the auditor considers whether
the staff improperly influenced the results of CAAT.
Self-examination Questions
1. Define and give an example of general controls, application controls and user controls.
2. Differentiate between auditing around and through the computer.
3. Differentiate between batch processing and online real time processing.
4. What is an EDI system.
5. Why are systems and programs documentation important to effective internal control.
6. Explain the following checks and controls
Control total Check digit
Hash total Reasonableness check
Sequence check Transaction log
7. Why auditors might prefer to review general control before reviewing application
controls?
8. Why auditors prefer to apply a combination of techniques in directly testing computer
controls.
4.36 Advanced Auditing and Professional Ethics

9. Identify the advantages and disadvantages of each of the following: Test data approach.
ITF approach.
10. Parallel simulation is though to be an automated version of auditing around the computer.
Explain why?
11. What is the impact of IT on the audit procedures.
12. Why the adequacy of controls in a sophisticated computerized environment more
important than in a computerized system that maintains hard copy evidence.
Audit under Computerised Information System (CIS) Environment 4.37

Annexure
I. Stand-Alone Personal Computers (Pcs)
Stand-Alone PCs
01. “PCs” are economical yet powerful self-contained general purpose computers consisting typically
of a processor, memory, video display unit, data storage unit, keyboard and connections for a
printer and communications. Programs and data are stored on removable or non-removable
storage media.
02. PC’s can be used to process accounting transactions and produce reports that are essential to
the preparation of financial statements. The PC may constitute the entire computer-based
information system or merely a part of it.
03. Generally, IT environments in which PCs are used are different from other IT environments.
Certain controls and securities, measures that are used for large computer systems may not be
practicable in PC. On the other hand, certain types of control procedures need to be emphasised
due to the characteristics of PC and the environments in which they are used.
PC Configurations
04. A PC can be used in various configurations. These include
(a) a stand-alone workstation operated by a single user or a number of users at different times;
(b) a workstation which is part of a local area network of PCs; and
(c) a workstation connected to a central computer.
05. The stand-alone workstation can be operated by single user or a number of users at different
times accessing the same or different programs. The programs and data are stored in the PC or
in close proximity and, generally, data are entered manually through the keyboard. The user of
the stand-alone workstation who process generally, data are entered manually through the
keyboard. The user of the stand-alone workstation who processes accounting applications may
be knowledgeable about programming and typically performs a number of functions, i.e., entering
data, operating application programs and, in some cases, writing the computer program
themselves. This programming may include the use of third-party software packages to develop
electronic spreadsheets or database applications.
06. A local area network is an arrangement where two or more PCs are linked together through the
use of special software and communication lines. Typically, one of the PCs will act as the file
server which manages the network. A local area network allows the sharing of resources such as
storage facilities and printers. Multiple users, for example, can have access to information, data
and programs stored in shared files. A local area network may be referred to as distributed
system.
07. PCs can be linked to central computers and used as part of such systems, for example, as an
intelligent on line workstation part of a distributed accounting system. Such an arrangement may
be reffered to as an on-line system. A PC can act as an intelligent terminal because of its logic,
transmission, storage and basic computing capabilities.
08. Since control considerations and the characteristics of the hardware and software are different
when a PC is linked to other computers, such environments are described in other Guidance
4.38 Advanced Auditing and Professional Ethics

Statements. However, to the extent that a micro computer which is linked to another computer
can also be used as a stand-alone workstation, the information in this statement is relevant.
Characteristics of PCs
09. Although PCs provide the user with substantial computing capabilities, they are small enough to
be transportable, are relatively inexpensive and can be placed in operation quickly. Users with
basic computer skills can learn to operate a PC easily since many operating system software and
application programs are “user-friendly” and contain step-by-step instructions. Another
characteristic is that operating system software, which is generally supplied by the PC
manufacturer, is less comprehensive than that found in larger computer environments; e.g., it
may not contain as many control and security features, such as password controls.
10. Software for a wide range of PC applications can be purchased from third-party vendors to
perform, e.g., general ledger accounting, accounts receivable, production and inventory, control.
Such software packages are typically used without modification of the programs. Users can also
develop other applications with the use of generic software packages, such as electronic
spreadsheets or database, purchased from third-party vendors.
11. The operating system software, application programs and data can be stored and retrieved from
removable storage media, including diskettes, cartridges and removable hard disks. Such storage
media, owing to its small size and portability, is subject to accidental erasure, physical damage,
misplacement or theft, particularly by persons unfamiliar with such media or by unauthorised
users. Software, programs and data can also be stored on hard disks that are not removable.
Internal Control in PC Environments
12. Generally the IT environment in which PCs are used is less structured than a centrally-controlled
IT environment. In the former application programs can be developed relatively quickly by users
possessing only basic data processing skills. In such cases, the controls over the system
development process for example, adequate documentation and operations, for example, access
control procedures, which are essential to the effective control of a large computer environment,
may not be viewed by the developer, the user or management as being as important or cost-
effective in a PC environment. However, because the data are being processed on a computer,
users of such data may tend to place unwarranted reliance on the financial information stored or
generated by a PC. Since PCs are oriented to individual end-users, the degree of accuracy and
dependability of financial information produced will depend upon the internal controls prescribed
by management and adopted by the user. For example, when there are several users of a single
PC, without appropriate controls, programs and data stored on non-removable storage media by
one user may be susceptible to unauthorised access, use, alteration or theft by other users.
13. In a typical PC environment, the distinction between general IT controls and IT application
controls may not be easily ascertained.
Management Authorisation for Operating PCs
14. Management can contribute to the effective operation of stand-alone PCs by prescribing and
enforcing policies for their control and use. Management’s policy statement may include:
(a) management responsibilities;
(b) instructions on PC use;
Audit under Computerised Information System (CIS) Environment 4.39

(c) training requirements;


(d) authorisation for access to programs and data;
(e) policies to prevention authorised copying of programs and data
(f) security, back-up and storage requirements;
(g) application development and documentation standards;
(h) standards of report format and report distribution controls;
(i) personal usage policies;
(j) data integrity standards;
(k) responsibility, for programs, data and error correction; and
(l) Appropriate segregation of duties.
Physical Security – Equipment
15. Because of their physical characteristics, PCs are susceptible to theft, physical damage,
unauthorised access or misuse. This may result in the loss of information stored in the PC, for
example, financial data vital to the information system.
16. One method of physical security is to restrict access to PCs when not in use by using door locks
or other security protection during non-business hours. Additional physical security over PCs can
be established, for example, by:
(a) locking the PC in a protective cabinet or shell;
(b) using an alarm system that is activated any time the PC is disconnected or moved from its
location;
(c) fastening the PC to a table; or
(d) installing locking mechanism to control access to the on/off switch may not prevent PC theft,
but may be effective in controlling unauthorised use.
Physical Security – Removable and Non-Removable Media
17. Programs and data used on a PC can be stored on removable storage media or non-removable
storage media. Diskettes and cartridges can be removed physically from the PC, while hard disks
are normally sealed in the PC or in a stand-alone unit attached to the PC. When a PC is used by
many individuals, users may develop a casual attitude toward the storage of the application
diskettes or cartridges for which they are responsible. As a result, critical diskettes or cartridges
may be misplaced, altered without authorisation or destroyed.
18. Control over removable storage media can be established by placing responsibility for such media
under personnel whose responsibilities include duties of software Custodians or librarians.
Control can be further strengthened when a program and data file check-in and check-out system
is used and designated storage locations are locked. Such control procedures help ensure that
removable storage media are not lost, misplaced or given to unauthorised personnel. Physical
control over non-removable storage media is probably the best established with locking devices.
19. Depending on the nature of the program and data files, it is appropriate to keep current copies of
diskettes, cartridges and hard disks in a fire-proof container, either onsite, offsite or both. This
4.40 Advanced Auditing and Professional Ethics

applies equally to operating system and utility software and backup copies of hard disks.
Program and Data Security
20. When PCs are accessible to many users, there is a risk that programs and data may be altered
without authorisation.
21. Because PC operating system software may not contain many control and security features, there
are several control procedure which can be built into the application programs to help ensure that
data are processed and read as authorised and that accidental destruction of data is prevented.
These techniques, which limit access to programs and data to authorised personnel, include:
(a) segregating data into files organised under separate file directories;
(b) using hidden files and secret file names;
(c) employing passwords; and
(d) using cryptography.
22 The use of a file directory allows the user to segregate information is removable and non-
removable storage media. For critical and sensitive information, this technique can be
supplemented by assigning secret file names and “hiding” the files.
23. When PCs are used by multiple users, an effective control procedure is the use of passwords,’
which determine the degree of access granted to a user. The password is assigned and
monitored by an employee who is independent of the specific system to which the password
applies. Password software can be developed by the entity, but in instances it will be purchased.
In either case, control procedures can be strengthened by installing software that has a low
likelihood of being thwarted by users.
24. Cryptography can provide an effective control for protecting confidential or sensitive programs
and information from unauthorised access and modification by users. It is general used when
sensitive data are transmitted over communication lines, but it can also be used on intimation
processed by a PC. Cryptography is the process of programs transforming programs information
into an unintelligible form. Incryption and dycryption of data require the use of special programs
and a code key known only to those users to whom the programs or information is restricted.
25. Directories and hidden files, user authentication software and cryptography can be used for PCs
that have both removable and non-removable storage media. For PCs that have removable
storage media, an effective means of program and data security is to remove diskettes and
cartridges from the PC and place them in custody of the users responsible for the data or the file
librarians.
26. An additional access control for confidential or sensitive information; stored on non-removable
storage media is to copy the information diskette or cartridge and delete the files on the non-
removable storage media. Control over the diskette or cartridge can then be established in the
same manner as over other sensitive or confidential data stored in diskettes or cartridges. The
user should be aware that many software programs include in “erase” or “delete” function, but that
such a function may not actually clear erased or deleted files from the hard disk. Such functions
may merely clear the file name from the hard disk directory. Programs and data are in fact
removed from the hard disk only when new data are written over the old files or when special
Audit under Computerised Information System (CIS) Environment 4.41

utility programs are used to clear the files.


Software and Data Integrity
27. PCs are oriented to end-users for development of application programs, entry and processing of
data and generation of reports. The degree of accuracy and dependability of financial information
produced will depend on the internal controls prescribed by management and adopted by users,
as well as on controls included in the application programs. Software and data integrity controls
may ensure that processed information is free of errors and that software is not susceptible to
unauthorised manipulation, i.e., that authorised data are processed in the prescribed manner.
28. Data integrity can be strengthened by incorporating control procedures such as format and range
checks and cross checks of results. A review of purchased software may determine whether it
contains appropriate error checking error trapping facilities. For user developed software,
including electronic spreadsheet templates and database applications, management may specify
in writing the procedures for developing and who processes the data may be expected to
demonstrate that appropriate data were used and that calculations and other data handling
operations were performed properly. The end-user could use this information to validate the
results of the application.
29. Adequate written documentation of applications that are processed on the PC can strengthen
software and data integrity controls further. Such documentation may include step-by-step
instruction, a description of reports prepared, source of data processed, a description of individual
reports, files and other specifications, such as calculations.
30. If the same accounting application is used at various locations, application software integrity and
consistency may be improved when application programs are developed and maintained at one
place rather than by each user dispersed throughout an entity.
Hardware, Software and Data Back-Up
31. Back-up refers to plans made by the entity to obtain access to comparable hardware, software
and data in the event of their failure, loss or destruction. In a PC environment, users are normally
responsible for processing, including identifying important programs and data files to be copied
periodically and stored at a location away from the micro-computers. It is particularly important to
establish back-up procedures for users to perform on a regular basis. Purchased software
packages from third-party vendors generally come with a back-up copy or with a provision to
make a back-up copy.
The Effect of PCs on the Internal Control Structure
32. The effect of PCs on the information system and the associated risks will generally depend on:
(a) the extent to which the PC is being used to process transactions;
(b) the type and significance of financial transactions being processed; and
(c) the nature of files and programs utilised in the applications.
33. The characteristics of PC systems, described earlier in the statement, illustrate some of the
considerations in designing cost effective control procedures for stand-alone PCs. A summary of
some of the key considerations and their effects on general IT application controls is described
below.
4.42 Advanced Auditing and Professional Ethics

General IT Controls - Segregation of Duties


34. In a PC environment, it is common for users to be able to perform two or or more of the following
functions in the information system:
(a) initiating and authorising source documents;
(b) entering data into the system;
(c) operating the computer;
(d) changing programs and data files;
(f) using or distributing output; and
(g) modifying the operating systems
35. In other IT environments, such functions would normally be segregated through appropriate
general IT controls. This lack of segregation of functions in a PC environment may;
(a) allow errors to go undetected; and
(b) permit the perpetration and concealment of fraud.
IT Application Controls
36. The existence and use of a appropriate access controls over software, hardware and data files,
combined with controls over input, processing and output of data may, in coordination with
management policies, compensate for some of the weaknesses in general IT controls in PC
environments. Effective controls may include:
(a) a system of transaction logs and batch balancing;
(b) direct supervision; and
(c) reconciliation of record counts or cash totals.
37. Control may be established by an independent function which would normally :
(a) receive all data for processing;
(b) ensure that all data are authorised and recorded;
(c) follow up all errors detected during processing;
(d) verify the proper distribution of output; and
(e) restrict physical access to application programs and data files.

The Effect of a PC Environment on Audit Procedures


38. In a PC environment, it may not be practicable or cost effective for management to implement
sufficient controls to reduce the risks of undetected errors to a minimum level. Thus, the auditor
may often assume that control risk is high in such systems.
39. In this situation, the auditor may find it more cost-effective, after obtaining an understanding of
the control environment and flow of transactions, not to make a review of general IT controls or IT
application controls, but to concentrate the audit efforts on substantive tests at or near the end of
the year. This may entail more physical examination and confirmation of assets, more tests of
details, larger sample sizes and greater use of computer-assisted audit techniques, where
Audit under Computerised Information System (CIS) Environment 4.43

appropriate.
40. Computer-assisted audit techniques may include the use of client software’ (database, electronic
spreadsheet or utility software) which has been subjected to review by the auditor, or the use of
the auditor’s own software programs. Such software may be used by the auditor, for example, to
add transactions or balances in the data files for comparison with control records or ledger
account balances, to select accounts or transactions for detail testing or confirmation or to
examine databases for unusual items.
41. In certain circumstances, however, the auditor may decide to take a different approach. These
circumstances may include PC systems that process a large number of transactions when it
would be cost effective to perform audit work on the data at a preliminary date. For example, an
entity processing a large number of sales transactions on a stand-alone PC may establish control
procedures which reduce control risk; the auditor may decide, on the basis of a preliminary
review of controls, to develop an audit approach which includes testing of those controls on which
he intends to rely.
42. The following are examples of control procedures that an auditor may consider when assessing
control risk in relation to stand-alone PCs;
(a) Segregation of duties and balancing procedures:
(i) segregation of functions as listed in paragraph 36;
(ii) rotation of duties among employees;
(iii) reconciliation of system balances to general ledger control accounts; and
(iv) periodic review by management of the processing schedule and reports which identify
individuals that used the system.
(b) Access to the PC and its files:
(i) placement of the PC within sight of the individual responsible for controlling access
to it;

(ii) the use of key locks on the computer and terminals;


(iii) the use of passwords for access to the PCs programs and data files; and
(iv) restriction on the use of utility programs.
(c) Use of third-party software:
(i) review of application software prior to purchasing, including functions, capacity and
controls;
(ii) adequate testing of the software and the modifications to it prior to use; and

(iii) ongoing assessment of adequacy of the software to meet user requirements.


4.44 Advanced Auditing and Professional Ethics

II Auditing Guidance Statement: On-Line Computer Systems


01. The purpose of this guidance (issued by the IASC) describe the effects of an on-line computer
system on the internal control structure and on audit procedures.
On-line Computer Systems:
02. Computer systems that enable users to access data and programs directly through terminal
devices are referred to as on-line computer systems. Such systems may be based on mainframe
computers, minicomputers or PCs structured in a network environment.
03. On-line systems allow users to initiate various functions directly. Such functions include:
(a) entering transactions, for example, sales transactions in a retail store, cash withdrawals in a
bank and shipment of goods in a plant;
(b) making, inquiries, for example, current customer account or balance information;
(c) requesting reports, for example, a list of inventory items with negative ‘on hand’ quantities;
and
(d) updating master files, for example, setting up new customer accounts and changing general
ledger codes.
04. Many different types of terminal devices may be used in on-line computer systems. The functions
performed by these terminal devices vary widely depending on their logic, transmission, storage
and basic computer capabilities. Types of terminal devices include:
(a) General Purpose Terminals, such as:
(i) basic keyboard and screen - used for entering data without any validation within the
terminal and for displaying from the computer system on the screen. For example, in
entering a sales order, the product code is validated by the main computer and the
result of the validation is displayed on the terminal screen;
(ii) intelligent terminal - used for the functions of the basic keyboard and screen with the
additional functions of validating data within the terminal, maintaining transaction logs
and performing other local processing. In the above sales order example, the correct
number of characters in the product code is verified by the intelligent terminal and
existence of the product code master file is verified by the main computer;
(iii) PC - used for all of the functions of an intelligent terminal with additional local
processing and storage capabilities. Continuing the above example, all verification of
the product code may be performed on the PC.
(b) Special Purpose Terminals, such as:
(i) point of sale devices-used to record sales transactions they occur and to transmit
them to the main computer on-line cash registers and optical scanners used in the
retail trade are typical point of sale devices :
(ii) automated teller machines - used to initiate, validate, record, transmit and complete
various banking transactions. Depending on the design of the system, certain of these
functions are performed by the automated teller machine and others are performed
on-line by the main computer.
Audit under Computerised Information System (CIS) Environment 4.45

05. Terminal devices may be located either locally or at remote sites. Local terminal devices are
connected directly to the computer through cables, whereas remote terminal devices require the
use of telecommunications to link them to the computer. Terminal devices may be used by many
users, for different purposes, in different locations, all at the same time. Users may be within the
entity or outside, such as customers or suppliers. In such cases application software and data are
kept on-line to meet the needs of the users. These systems also require other software, such as
access control software which monitors on-line terminal devices.
06. In addition to the users of these systems, programmers may use the online capabilities through
terminal devices to develop new programs and maintain existing programs. Computer supplier
personnel may also have on-line access to provide maintenance and support services.
Types of On-line Computer Systems
07. On-line computer systems may be classified according to how information is entered into the
system; how it is processed and when the results are available to the user. For purposes of this
statement, on-line computer systems functions are classified as follows:
(a) On-line/Real Time Processing.
(b) On-Line/Batch Processing.
(c) On-Line/Memo Update (and Subsequent Processing).
(d) On-Line/Enquiry.
(e) On-Line Downloading/Uploading Processing.
On-Line/Real Time Processing
08. In an on-line/real time processing system, individual transactions are entered at terminal devices,
validated and used to update related computer files immediately. An example is cash receipts
which are applied directly to customers’ accounts. The results of such processing are then
available immediately for inquiries or reports.
On-Line/Batch Processing
09. In a system with on-line input and batch processing, individual transactions are entered at a
terminal device, subjected to certain validation checks and added to a transaction file that
contains other transactions entered during the period. Later, during a subsequent processing
cycle the transaction file may be validated further and then used to update the relevant master
file. For example, journal entries may be entered and master file being updated on a monthly
basis. Inquiries of, or reports generated from, the master file will not include transactions entered
subsequent to the last master file update.
On-Line/Memo Update (and Subsequent Processing)
10. On-line input with memo update processing, also known as shadow, update, combines on-
line/real time processing and on-line/batch processing. Individual transactions immediately update a
memo file containing information which has been extracted from the most recent version of the master
file. Inquiries are made from this memo file. These same transactions are added to a transaction file
for subsequent validation and updating of the master file on a batch basis. For example, the withdrawal
4.46 Advanced Auditing and Professional Ethics

of cash through an automated teller machine, where the withdrawal is checked against the customer’s
balance on the memo file, is immediately posted to the customer’s account on that file to reduce the
balance by the amount of the withdrawal. From the user’s perspective, this system will seem no
different than on-line/real time processing since the results of data that are entered are available
immediately, even though the transactions have not been subjected to complete validation prior to the
master file update.
On-Line/Inquiry
11. On-line inquiry restricts users at terminal devices to making inquiries of master files. In such
systems, the master files are updated by other systems, usually on a batch basis. For example,
the user may inquire of the credit status of a particular customer, prior to accepting an order from
that customer.
On-Line Downloading/Uploading Processing
12. On-line downloading refers to the transfer of data from a master file to an intelligent terminal
device for further processing by the user. For example, data at the head office representing
transactions of a branch may be downloaded to a terminal device at the branch for further
processing and preparation of branch financial reports. The results of this processing and other
locally processed data may be uploaded to the head office computer.
Characteristics of On-line Computer Systems
13. The characteristics of on-line computer systems may apply to a number of the types of on-line
systems discussed in the previous section. The most significant characteristics relate to on-line
data entry and validation, on-line access to the system by users, possible lack of visible
transaction trail and potential programmer access to the system. The particular characteristics of
a specific on-line system will depend on the design of that system.
14. When data are entered on-line, they are usually subject to immediate validation checks. Data
failing this validation would not be accepted and a message may be displayed on the terminal
screen, providing the user with the ability to correct the data and re-enter the valid data
immediately. For example, if the user enters an invalid inventory part number, an error message
will be displayed enabling the user to re-enter a valid part number.
15. Users may have on-line access to the system that enables them to perform various functions,
e.g., to enter transactions and to read, change or delete programs and data files through the
terminal devices. Unlimited access to all of these functions in a particular application is
undesirable because it provides the user with the potential ability to make unauthorised changes
to the data and programs. The extent of this access will depend upon such things as the design of
the particular application and the implementation of software designed to control access to the
system.
16 An on-line computer system may be designed in a way that does not provide supporting
documents for all transactions entered into the system. However, the system may provide details
of the transactions on request or through the use of transaction logs or other means. Illustrations
of these types of systems include orders received by a telephone operator who enters them on-
line without written purchase orders, and cash withdrawals through the use of automated teller
Audit under Computerised Information System (CIS) Environment 4.47

machines.
17. Programmers may have on-line access to the system that enables them to develop new programs
and modify existing programs. Unrestricted acess provides the programmer with the potential to
make unauthorised changes to programs and obtain unauthorised access to other parts of the
system. The extent of this access depends on the requirements of the system. For example, in
some systems, programmers may have access only to programs maintained in a separate
program development and maintenance library; whereas, in emergency situations which require
changes to programs that are maintained on-line, programmers may be authorised to change the
operational programs. In such cases, formal control procedurs would be followed subsequent to
the emergency situation to ensure appropriate authorisation and documentation of the changes.
Internal Control in an on-line Computer System
18. Certain general IT controls are particularly important to on-line processing. These include:
(a) access controls-procedures designed to restrict access to programs and data. Specifically,
such procedures are designed to prevent or detect:
(i) unauthorised access to on-line terminal devices, programs and data;
(ii) entry of unauthorised transactions-
(iii) unauthorised changes to data files;
(iv) use of operational computer programs by unauthorised personnel; and
(v) use of computer programs that have not been authorised.
These access control procedures include the use of passwords and specialised access-
control software such as on-line monitors that maintain control over menus, authorisation
tables, passwords, files and programs that users are permitted to access the procedures
also include physical controls such as the use of key locks on terminal devices:
(b) controls over passwords - procedures for the assignment and maintenance of passwords to
restrict access to authorised users;
(c) system development and maintenance controls-additional procedures to ensure that
controls essential to on-line applications such as passwords, access controls, on-line data
validation and recovery procedures, are included in the system during its development and
maintenance;
(d) programming controls - procedures designed to prevent or detect improper changes to
computer programs which are accessed through on-line terminal devices. Access may be
restricted by controls such as the use of separate operational and program development
libraries and the use of specialised program library software. It is important for on-line
changes to programs to be adequately documented;
(e) transaction logs - reports which are designed to create an audit trail for each on-line
transaction. Such reports often document the source of a transaction (terminal, time and
user) as well as the transaction’s details.
19. Certain IT application controls are particularly important to on-line processing. These include :
(a) pre-processing authorisation - permission to initiate a transaction, such as the use of a
4.48 Advanced Auditing and Professional Ethics

bank card together with a personal identification number before making a cash withdrawal
through an automated teller machine;
(b) terminal device edit, reasonableness and other validation tests - programmed routines that
check the input data and processing results for completeness, accuracy and
reasonableness. These routines may be performed on an intelligent terminal device or on
the central computer;
(c) cut-off procedures - the procedures which ensure that transaction are processed in the
proper accounting period. These are particularly necessary in systems which have a
continuous flow or transactions. For example, in on-line systems where sales order and
shipments are being recorded through the use of on-line terminal devices in various
locations, there is a need to coordinate the actual shipment of goods, inventory relief and
invoice processing;
(d) file controls - procedures which ensure that the correct data files are used for on-line
processing;
(e) master file controls - changes to master files are controlled by procedures similar to those
used for controlling other input transaction data. However, since master file data may have
a pervasive effect on processing results, more stringent enforcement of these control-
procedures may be necessary;
(f) balancing - the process of establishing control totals over data being submitted for
processing through the on-line terminal devices and comparing the control totals during
and after processing to ensure that complete and accurate data are transferred to each
processing phase.
Effect of On-Line Computer Systems on the Internal Control Structure
20. The effect of an on-line computer system on the information system and the associated risks will
generally depend on:
(a) the extent to which the oil-line system is being used to process transactions;
(b) the type and significance of financial transactions being processed; and
(c) the nature of files and programs utilised in the applications.
21. Risk of fraud or error in on-line systems may be reduced in the following circumstances:
(a) if on-line data entry is performed at or near the point where transactions originate, there is
less risk that the transactions will not be recorded;
(b) if invalid transactions are corrected and re-entered immediately, there is less risk that such
transactions will not be corrected and re-submitted on a timely basis;
(c) if data entry is performed on-line by individuals who understand the nature of the
transactions involved, the data entry process may be less prone to errors than when it is
performed by, individuals unfamiliar with the nature of the transactions;
(d) if transactions are processed immediately on-line, there is less risk that they will be
processed in the wrong an accounting period.
Audit under Computerised Information System (CIS) Environment 4.49

22 Risk of fraud or error in on-line computer systems may be increased for the following reasons:
(a) if on-line terminal devices are located throughout the entity, the opportunity for unauthorised
use of a terminal device and the entry of unauthorised transactions may increase;
(b) on-line terminal devices may provide the opportunity for unauthorised uses such as:
(i) modification of previously entered transactions or balances;
(ii) modification of computer programs; and
(iii) access to data and programs from remote locations;
(c) if on-line processing is interrupted for any reason, for example, due to faulty
telecommunications, there may be a greater chance that transactions or files may be lost
and that recovery may not be accurate and complete;
(d) on-line access to data and programs through telecommunications may provide greater
opportunity for access to data and programs by unauthorised persons.
23. On-line computer systems may also have an effect on control procedures. The characteristics of
on-line computer systems, as described earlier in this statement, illustrate some of the
considerations influencing the effectiveness of controls in on-line computer systems. Such
characteristics may have the following consequences:
(a) there may not be source documents for every input transaction;
(b) results of processing may be highly summarised; for example only totals from individual
on-line data entry devices can traced to subsequent processing;
(c) the on-line computer system may not be designed to provide printed reports; for example,
edit reports may be replaced by edit messages displayed on a terminal device screen.
Effect of On-Line Computer Systems on Audit Procedure
24. The following matters are of particular importance to the auditor in an on-line computer system:
(a) authorisation, completeness and accuracy of on-line transactions
(b) integrity of records and processing, due to on-line access to the system by many users and
programmers;
(c) changes in the performance of audit procedures including the use of CAAT’s due to matters
such as:
(i) the need for auditors with technical skills in on computer systems;
(ii) the effect of the on-line computer system on the timing of auditing procedures;
(iii) the lack of visible transaction trails;
(iv) procedures carried out during the audit planning stage (see paragraph 25);
(v) audit procedures performed concurrently with on-line processing (see paragraph 26);
and
(vi) procedures performed after processing has taken place (see paragraph 27).
4.50 Advanced Auditing and Professional Ethics

25. Procedures carried out during the planning stage may include:
(a) the participation on the audit team of individuals with technical proficiency in on-line
computer systems and related controls;
(b) preliminary determination during the risk assessment process impact of the system on the
audit procedures. A well designed and controlled on-line system will affect the auditor’s
assessment of control risk and influence the nature, timing and extent of audit procedures.
26. Audit procedures performed concurrently with on-line processing include compliance testing of
the controls over the on-line applications. For example, this may be by means of entering test
transactions through the on-line terminal services or by the use of audit software. These tests
may be used by the auditor either to confirm his understanding of the system or to test controls
such as passwords and other access controls. The auditor would be advised to review such tests
with appropriate client personnel and to obtain approval prior to conducting the tests in order to
avoid inadvertent corruption of client records.
27. Procedures performed after processing has taken place may include:
(a) compliance testing of controls over transactions logged by the on-line system for
authorisation, completeness and accuracy;
(b) substantive tests of transactions and of processing results rather than tests of controls,
where the former may be more cost effective or where the system is not well-designed or
controlled;
(c) re-processing transactions as either a compliance or substantive procedure.
28. The characteristics of on-line computer systems may make it more effective for the auditor to perform a
pre-implementation review of new on-line accounting applications than to review the applications after
installation. This pre-implementation review may provide the auditor with an opportunity to request
additional functions, such as detailed transaction listings, or controls within the application design. It
may also provide the auditor with sufficient time to develop and test audit procedures in advance of
their use.
III Auditing Guidance Statement: Database Systems
Introduction
01 The purpose of this note (issued by the IASC) is to describe the effects of a database system on
the internal control structure and on audit procedures.
Database Systems
02. Database systems are comprised principally of two essential components, the database and the
database management system (DBMS). Database systems interact with other hardware and
software aspects of the overall computer system.
03. A database is a collection of data that is shared and used by a number different users for different
purposes. Each user may not necessarily be aware of all the data stored in the database or of the
ways that the data may be used for multiple purposes. Generally, individual users are aware only
of the data that they use and may view the data as computer files utilised by their applications.
Audit under Computerised Information System (CIS) Environment 4.51

04. The software that is used to create, maintain and operate the database is referred to as DBMS
software. Together with the operating system, the DBMS facilitates the physical storage of the
data, maintains the interrelationships among the data, and makes the data available to application
programs. Usually, the DBMS software is supplied by a commercial vendor.
05. Database systems may reside on any type of computer system, including a PC system. In some
PC environments, database systems are used by a single user. Such systems are not considered
to be databases for the purposes of this Statement. The contents of this Statement, however, are
applicable to all multiple user environments.
Database System Characteristics
06. Database systems are distinguished by two important characteristics data sharing and data
independence. These characteristics require the use of a data dictionary (paragraph 10) and the
establishment of a database administration function (paragraphs 10-14).
Data Sharing
07. A database is composed of data which are set up with defined relationships and are organised in
a manner that permits many users to use the data in different application programs. Individual
applications share the data in the database for different purposes. For example, an inventory item
unit cost maintained by the database may be used by one application program to produce a cost
of sales report and by another application program to prepare an inventory valuation.
Data Indepedence From Application Programs
08. Because of the need for data sharing, there is a need for data independence from application
programs. This is achieved by the DBMS recording the data once for use by various application
programs. In non-database systems, separate data files are maintained for each application and
similar data used by several applications may be repeated on several different files. In a database
system, however, a single file of data (or database) is used by many applications, with data
redundancy kept to a minimum.
09. DBMS’s differ in the degree of data independence they provide. The degree of data
independence is related to the ease with which personnel can accomplish changes to application
programs or to the database. True data independence is achieved when the structure of data in
the database can be changed without affecting the application programs, and vice versa.
Data Dictionary
10. A significant implication of data sharing and data independence is the potential for the recording
of data only once for use in several applications. Because various application programs need to
access this data, a software facility is required to keep track of the location of the data in the
database. This software within the DBMS is known as a data dictionary. It also serves as a tool
to maintain standardised documentation and definitions of the database environment and
application systems.
Database Administration
11. The use of the same data by various application programs emphasises the importance of
centralised coordination of the use and definition of data and the maintenance of its integrity,
4.52 Advanced Auditing and Professional Ethics

security, accuracy and completeness. Coordination is usually performed, by a group of individuals


whose responsibility is typically referred to as ‘database administration”. The individual who
heads this function may be referred to as the “database administrator”. The database
administrator is responsible generally for the definition, structure, security, operational control and
efficiency of databases, including the definition of the rules by which data are accessed and
stored.
12. Database administration tasks may also be performed by individuals who are not part of a
centralised database administration group. Where the tasks of database administration are not
centralised, but are distributed among existing organisational units, the different tasks still need to
be coordinated.
13. Database administration tasks typically include:
(a) defining the database structure - determining how data are defined, stored and accessed by
users of the database in order to ensure that all their requirements are met on a timely
basis;
(b) maintaining data integrity, security and completeness - developing, implementing and
enforcing the rules for data integrity, completeness and access. Responsibilities include:
(i) defining who may access data and how the access is accomplished, i.e. through
passwords and authorisation tables;
(ii) preventing the inclusion of incomplete or invalid data;
(iii) detecting the absence of data;
(iv) securing the database from unauthorised access and destruction; and
(v) arranging total recovery in the event of a loss;
(c) coordinating computer operations related to the database-assigning responsibility physical
computer resources and monitoring their use relative to the operation of the database;
(d) monitoring system performance - developing performance measurements to monitor the
integrity of the data and the ability of the database to respond to the needs of users;
(e) providing administrative support - coordinating and liaising with the vendor of the DBMS;
assessing new releases issued by the vendor of the DBMS and the extent of their impact on
the entity, installing new releases and ensuring that appropriate internal education is
provided.
14. In some applications, more than one database may be used. In these circumstances, the tasks of
the database administration group will need to ensure that:
(a) adequate linkage exists between databases;
(b) coordination of functions is maintained; and
(c) data contained in different databases are consistent.
Internal Control in a Database Environment
15. Generally, internal control in a database environment requires effective controls over the
database, the DBMS and the applications. The effectiveness of internal controls depends to a
Audit under Computerised Information System (CIS) Environment 4.53

great extent on the nature of the database administration tasks, described in paragraphs 11-14
and how they are performed.
16. Due to data sharing, data independence and other characteristics of database systems, general
EDP controls normally have a greater influence that, EDP application controls on database
systems. General EDP controls over the database, the DBMS and the activities of the database
administration function have a pervasive effect on application processing. The general EDP
controls of particular importance in a database environment can be classified into the following
groups:
(a) standard approach for development and maintenance of application programs;
(b) data ownership;
(c) access to the database; and
(d) segregation of duties.
Standard Approach for Development and Maintenance of Application Programs
17. Since data are shared by many users, control may be enhanced when a standard approach is
used for developing each new application program and for application program modification. This
includes following a formalised, step-by-step approach that requires adherence by all individuals
developing or modifying an application program. It also includes performing an analysis of the
effect of new and existing transactions on the database each time a modification is required. The
resulting analysis would indicate the effects of the changes on the security and integrity of the
database. Implementing a standard approach to develop and modify application programs is a
technique that can help improve the accuracy, integrity and completeness of the database.
Data Ownership
18. In a database environment, where many individuals may use program, to input and modify data, a
clear and definite assignment of responsibility is required from the database administrator for the
accuracy and integrity of each item of data. A single data owner should be assigned
responsibility for defining access and security rules, such as who can use the data (access) and
what functions they can perform (security). Assigning specific responsibility for data ownership
helps to ensure the integrity of the database. For example, the credit manager may be the
designated “owner” of a customer’s credit limit and would therefore be responsible for determining
the authorised users of that information. If several individuals are able to make decisions affecting
the accuracy and integrity of given data, the likelihood increases of the data becoming corrupted
or improperly used.
Access to the Database
19. User access to the database can be restricted through the use of passwords. These restrictions
apply to individuals, terminal devices and programs. For passwords to be effective, adequate
procedures are required for changing passwords, maintaining secrecy of passwords and
reviewing and investigating attempted security violations. Relating passwords to defined terminal
devices, programs and data helps to ensure that only authorised users and programs can access,
amend or delete data. For example, the credit manager may give salesmen authority to refer to a
customer’s credit limit, whereas a warehouse clerk may not have such authorisation.
4.54 Advanced Auditing and Professional Ethics

20. Users access to the various elements of the database may be further controlled through the use
of authorisation tables. Improper implementation of access procedures can result in unauthorised
access to the data in the database.
Segregation of Duties
21. Responsibilities for performing the various activities required to design, implement and operate a
database are divided among technical, design, administrative and user personnel. Their duties
include system design, database design, administration and operation. Maintaining adequate
segregation of these duties is necessary to ensure the completeness, integrity and accuracy of
the database. For example, those persons responsible for modifying personnel database
programs should not be the same persons who are authorised to change individual pay rates in
the database.
The Effect of Databases on the Internal Control Structure
22. The effect of a database system on the information system and the associated risks will generally
depend on:
(a) the extent to which databases are being used by accounting applications;
(b) the type and significance of financial transactions being processed;,
(c) the nature of the database, the DBMS (including the data dictionary), the database
administration tasks and type applications (e.g. batch or on-line update); and
(d) the general EDP controls which are particularly important in a database environment.
23. Database systems typically provide the opportunity for greater reliability of data than non-
database systems. This can result in reduced risk of fraud or error in the accounting system fraud
or error in the accounting system where databases are used. following factors, combined with
adequate controls, contribute to this, improved reliability of data:
(a) improved consistency of data is achieved because data are recorded and updated only once,
rather than in non-database systems, where the same data are stored in several files and
update., at different times and by different programs;
(b) integrity of data will be improved by effective use of facilities included in the DBMS, such as
recovery/restart routines, generalised edit find validation routines, and security and control
features;
(c) other functions available with the DBMS can facilitate control, and audit procedures. These
functions include report generators which may be used to create balancing reports, and
query languages, which may be used to identify inconsistencies in the data.
24. Alternatively, risk of fraud or error may be increased if database systems are used without
adequate controls. In a typical non-database environment, controls exercised by individual users
may compensate for weaknesses in general EDP controls. However, in a database system, this
may not be possible, as inadequate database administration controls cannot always be
compensated for by the individual users. For example, accounts receivable personnel cannot
effectively control accounts receivable data if other personnel are not restricted from modifying
accounts receivable balances in the database.
Audit under Computerised Information System (CIS) Environment 4.55

The Effect of Databases on Audit Procedures


25. Audit procedures in a database environment will be affected principal by the extent to which the
data in the database are used by the accounting system. Where significant accounting
applications use a common database, the auditor may find it cost-effective to utilise some of the
procedures in the following paragraphs.
26. In order to obtain an understanding of the database control environment and the flow of
transactions, the auditor may consider the effect of the following on audit risk in planning the
audit.
(a) the DBMS and the significant accounting applications using the database;
(b) the standards and procedures for development and maintenance of application programs
using the database;
(c) the database administration function;
(d) job descriptions, standards and procedures for those individual responsible for technical
support, design, administration and operation of the database;
(e) the procedures used to ensure the integrity, security and completeness of the financial
information contained in the database and
(f) the availability of audit facilities within the DBMS.
27. During the risk assessment process, in assessing control risk related to the use of databases in
the information system, the auditor may consider how the controls described in paragraphs 17-21
are used in the system. The auditor would perform tests of control to support an assessment to
control risk that is less than high.
28. Where the auditor decides to perform compliance or substantive test related to the database
system, audit procedures may include using the functions of the DBMS (see paragraph 23) to :
(a) generate test data;
(b) provide an audit trail;
(c) check the integrity of the database;
(d) job descriptions, standards and procedures for those individual responsible for technical
support, design, administration and operation of the database;
(e) obtain information necessary for the audit.
When using the facilities of the DBMS, the auditor will need to obtain reasonable -assurance
regarding their correct functioning.
29. Where the auditor assesses control risk as less than high in relation to the database system, he
would consider whether performing additional substantive tests on all significant accounting
applications which use the database would achieve his audit objective, as inadequate database
administration controls cannot always be compensated for by the individual users.
30. The characteristics of database systems may make it more effective for the auditor to perform a
pre-implementation review of new accounting applications rather than to review the applications
after installation. This pre-implementation review may provide the auditor with an opportunity to
4.56 Advanced Auditing and Professional Ethics

request additional functions, such as built-in audit routines, or controls within the application
design. It may also provide the auditor with sufficient time to develop and test the audit
procedures in advance of their use.
5
SPECIAL AUDIT TECHNIQUES

Introduction
5.1 Normally, an audit programme specifies the techniques to be employed in the specific
case by relating the techniques to the respective areas of accounting. Chapter 3 of the
Professional Competence Course Study Material contains various techniques generally
employed for auditing the books of account. For example, the techniques of posting, checking
and casting all related to the subsidiary books of account and the principal books of account.
Vouching will be in respect of all the transactions whether appearing in the cash book or in
any journal. The confirmation technique is appropriate in relation to personal accounts
balances, bank balances or securities lodged with others. In this Chapter, we shall deal with
some of these techniques in greater detail.
5.1.1 Confirmation - AAS 5 (Audit Evidence) defines confirmation as a method of collecting
audit evidence which consists of the response to an inquiry to corroborate information
contained in the accounting records. It may be interesting to note that the AICPA included
direct confirmation of sundry debtors in its Auditing Standards after the decision of Mckesson
and Robbins. Same procedure is applicable in case of creditors as well. For example, the
auditor requests confirmation of receivable by direct communication with debtors. The
Guidance Note on Audit of Sundry Debtors, Loans and Advances issued by the Institute of
Chartered Accountants of India has recommended that balances outstanding against debtors
and as loan and advances should be confirmed by a procedure of communication with the
parties. The Guidance Note provides the following:
The checking of the debtors’ ledger balances does not merely involve a comparison of the
balances in the ledger with those shown in the schedule. Each account should be scrutinised
in order to do the ‘aging’ of the debtors. The debtors’ schedule should have appropriate
columns to indicate the period over which each account is outstanding. The auditors must not
assume that any balance which is confirmed is necessarily realisable. Where debts are written
off, the auditor should satisfy himself whether the write off was based on appropriate
considerations of the relevant facts. Debts often include claims made against insurance
companies, shipping companies, railways, etc. and the auditor should ascertain that the claims
are realisable. Correspondence should be seen in all major cases in order to ascertain
whether the claims have been acknowledged and whether there is a reasonable possibility of
their being realised. If it appears that they are not collectible, they should be shown as
5.2 Advanced Auditing and Professional Ethics

doubtful. These recommendations can be applied to creditors as well. Based on the above
recommendations an outline of a confirmation procedure may be as under:
1. The confirmatory letters should be sent out within a period of 15 to 21 days of the end of
the year, even when the audit is taken up much later in respect of balances either as at
the date of the Balance Sheet or as at another selected date before the close of the year.
2. If the number of balances is large, letters may be issued only in respect of major debtors
and creditors, selected according to some system. Having selected the accounts, the
balances wherein are to be confirmed, the client should be requested to prepare
statements of account showing the position of the balances as at the date of
confirmation. A nil balance account should also be included.
3. The statements of account prepared by the client should be compared by the auditor with
the balances of debtors and creditors. Therefore, he should maintain control over them
until they are posted.
4. Either each statement of account should contain a request for confirmation of the balance
shown therein or it should be forwarded with a separate letter by the auditor or the client,
as may have been mutually agreed upon, The letter or the statement should show the
address of the auditor to which the statements of account after the confirmation are to be
returned. A stamped envelope containing the auditor’s name and address should be
enclosed.
5. Letters or statements should be posted under the supervision of the auditor.
6. In cases where replies are not received within a reasonable time, a reminder should be
sent out by the auditor. Letters received back undelivered should be sent again at the
correct address.
7. On receipt of replies from the parties, it should be verified that either the balances have
been confirmed or the amounts confirmed can be satisfactorily reconciled with the
balances shown by the books of account of the client. The client should be requested to
prepare reconciliation statements where necessary.
8. In every case, where a reconciliation statement has been prepared, it should be verified
that the difference in the amount confirmed and that shown by the books of account is
not the result of an omission to credit any amount received from the party or failure to
debit him with any amount of sales or to credit him with the value of goods received with
a view to suppressing or inflating profit.
9. If the difference is the result of some dispute or claim for allowance or return, etc. not
afforded to a party, it should be confirmed that there exists a provision equal to the
difference which ultimately may have to be credited to him.
Direct confirmation procedure may be performed both for sundry creditors and sundry debtors.
Special precautions in respect of creditors to be taken are as under:
(i) The Creditors’ ledger trial balance should be extracted by the client and agreed with the
Control Account, if any, before balances are selected for confirmation.
Special Audit Techniques 5.3

(ii) The provision made for the amount payable in respect of goods received within the last
week of the close of the year should be verified by comparing entries in the Goods
Inward Register with the Purchase Journal.
(iii) A certificate should be obtained from the client that all the liabilities which have accrued
up to the date of the Balance Sheet have been taken into account.
Special precautions in respect of sundry debtors to be taken are as under:
(i) The Debtors’ ledger trial balance should be extracted by the client and agreed with the
Control Account, if any, before balances are selected for confirmation.
(ii) The adjustment of sales made at the close of the year should be verified by comparing
the entries in the Goods Outward Register for two weeks before the close of the year with
these in the Sales Journal.
(iii) The accounts to be verified by direct confirmation should be settled on the basis of
internal control procedures.
5.1.2 Inquiry – AAS 5 mentions inquiry as one of the methods of collecting audit evidence by
seeking appropriate information from knowledgeable persons inside or outside the entity.
Inquiries may range from formal written inquiries addressed to third parties to informal oral
inquiries addressed to persons inside the entity. Responses to inquiries may provide the
auditor with information which he did not previously possess or may not provide him with
corroborative evidence. The need for inquiry may arise at every stage of auditing. Wherever
any transaction or entry is not readily understandable or its effects are not readily apparent,
the auditor should not hesitate to make enquiry from the appropriate official of the client.
Apart from this, students should remember that the auditor of a company has to make a
statement in his report on whether he has obtained all the information and explanations that
he considered necessary for his audit. This requirement suggests that inquiry is one of the
processes of the whole scheme of auditing and, accordingly, the Companies Act, 1956 has
given certain powers to the auditor in Section 227(1) and has cast certain duties on company
officials in Section 221. Besides, Section 227(IA) of the Companies Act, 1956 casts upon the
auditor a specific duty to inquire into certain specified transactions. How the auditor is
expected to perform the duty of enquiry as contained in Section 227(lA) is given in Chapter
“Audit Report”.
5.1.3 Observation - According to AAS 5, observation consists of witnessing a process being
performed by others. For example, the auditor may observe the counting of inventories by the
client personnel or the performance of internal control procedures that leave no audit trail.
5.1.4 Analytical Review Procedures - Analytical review procedures may be defined as
substantive tests of financial information made by a study of comparisons and relationship
among data. Analytical procedures include comparison of financial information with:
♦ comparable information for a prior period or periods,
♦ anticipated results, such as budgets or forecasts, and
♦ similar industry information, such as a comparison of the entity’s ratio of sales to accounts
5.4 Advanced Auditing and Professional Ethics

receivable with industry averages or with other entities of comparable size in the same
industry.
Essentially these procedures ensure that the various items making up the financial statements
are consistent with:
(a) Each other (for example, the relationship between debtors and sales, or current assets
and current liabilities).
(b) Known trends.
(c) The auditor’s knowledge of the business.
The auditor should ask the following questions:
(a) What data, ratios and statistics exist which are of significance for the business?
(b) What should they be compared with (i.e., what yard-stick)?
(c) Are there any variations between (a) and (b) which the auditors would expect to occur?
Analytical procedures also include study of relationships:
♦ among elements of financial information that would be expected to conform to a
predictable pattern based on the entity’s experience, such as a study of gross margin
percentages, and
♦ between financial information and relevant non-financial information, such as a study of
payroll costs to number of employees.
Various methods may be used in performing the above procedures. These range from simple
comparisons to complex analyses using advanced statistical techniques. Analytical
procedures may be applied to consolidated financial information, financial information of
components (such as subsidiaries, divisions or segments), and individual elements of financial
information. The choice of procedure, methods and level of application is a matter of
professional judgment.
The following table summarizes the position:

Types of data, ratios etc. Comparison with


Financial data (e.g., items in annual (i) Corresponding previous period.
statements, management accounts, budgets, (ii) Budgets and forecasts (if available).
etc.)
Non-financial data (e.g., production and (i) Entries in accounting records.
employment statistics) (ii) Other financial data.
Ratios and percentages (developed from (i) Preceding period.
financial and non- financial data; for example (ii) Budgets and forecasts.
inventory turnover ratio)
(iii) Industry Statistics.
Special Audit Techniques 5.5

Analytical procedures are used for the following purposes:


(a) To assist the auditor in planning the nature, timing and extent of other auditing
procedures.
(b) As a substantive test to obtain evidential matter about particular assertions related to
account balances or classes of transactions.
(c) As an overall review of the financial information in the final review stage of the audit.
Analytical procedures should be applied to some extent for the purposes referred to in (a) and
(c) above for all audits of financial statements. In addition, in some cases, analytical
procedures can be more effective or efficient than tests of details in reducing detection risk for
specific financial statement assertions.
Analytical procedures in planning the audit - In the planning stage, analytical procedures
assist the auditor in understanding the client’s business and in identifying areas of potential
risk by indicating aspects of and developments in the entity’s business of which he was
previously unaware. This information will assist the auditor in determining the nature, timing
and extent of his other audit procedures. Analytical procedures in planning the audit use both
financial data and non-financial information, such as number of employees, square feet of
selling space, volume of goods produced and similar information.
Analytical procedures used as substantive tests - The auditor’s reliance on substantive
tests to reduce detection risk relating to specific financial assertions may be derived from the
tests of details, from analytical information procedures, or from a combination of both. The
decision about which procedure or procedures to use to achieve a particular audit objective is
based on the auditor’s judgement about the expected effectiveness and efficiency of the
available procedures. The auditor will normally inquire of management as to the availability,
and reliability of information needed to apply analytical procedures and the results of any such
procedures performed by the client. The auditor may find that it is efficient to use analytical
data prepared by the client, provided he is satisfied that such data are properly prepared.
When the auditor intends to perform analytical procedures, he should consider the following:
♦ The objective of the analytical procedures, and the extent to which he may be able to rely
on their results.
♦ The nature of the entity - for example, analytical procedures may be more effective when
applied to financial information on individual sections of a business operation or to
financial statements of components of diversified entities, than when applied to the
financial statements of the entity as a whole.
♦ The availability of information, either financial such as budgets or forecasts or non-
financial such as the number of units produced or sold.
♦ The reliability of the information available - for example, experience may indicate that
budgets are prepared with insufficient care.
♦ The relevance of the information available - for example, budgets may have been
established as goals to be achieved rather than expected results.
5.6 Advanced Auditing and Professional Ethics

♦ The comparability of the information available - for example, broad industry data may not
be comparable to that of an entity that produces and sells specialized products.
♦ The knowledge gained by the auditor during previous examinations, together with his
understanding of the effectiveness of internal controls and the types of problems that in
preceding periods have given rise to accounting adjustments.
The auditor should consider the need for testing the controls over the preparation of non-
financial information, if any, used in applying analytical procedures. When such controls are
adequate, the auditor will have greater confidence in the reliability of the non-financial
information and, therefore, he will have a greater degree of assurance as to the results of his
analytical procedures. The controls over non-financial information can often be tested in
conjunction with compliance procedures performed in the study and evaluation of the
accounting system and related internal controls. For example, an entity in establishing
internal controls over the processing of sales invoices may include controls over the recording
of unit sales in conjunction with his compliance procedures to test the controls over the
processing of sales invoices.
Extent of reliance on analytical procedures - The application of analytical procedures is
based on the expectation that relationships among data exist and continue in the absence of
known conditions to the contrary. The presence of these relationships provides audit evidence
as to the completeness, accuracy and validity of the data produced by the accounting system.
However, reliance to be placed on the results of analytical procedures will depend on the
auditor’s assessment of the risk that the analytical procedures may identify relationships as
expected when, in fact, a material misstatement exists. The extent of reliance that the auditor
places on the results of analytical procedures depends on the following factors:
♦ Materiality of the items involved in relation to the financial information taken as a whole
(e.g. when inventory balances are significant to the financial information, the auditor does
not rely only on analytical procedures in forming his conclusions). On the other hand, he
may rely solely on analytical procedures for certain expense items when they are not
individually significant to the financial information taken as a whole and there is an
absence of unexpected fluctuations.
♦ Other audit procedures directed toward the same audit objectives, for example, other
procedures performed by the auditor in reviewing the collectability of accounts receivable,
such as the review of subsequent cash receipts, might confirm or dispel questions raised
from the application of analytical procedures to an aging of customers’ accounts.
♦ Accuracy with which the expected results of analytical procedures can be predicted, for
example, the auditor will normally expect greater consistency in comparing gross profit
margins from one period with another than in comparing discretionary expenses, such as
research or advertising.
♦ Evaluation of internal controls, for example, if the auditor has concluded that internal
controls over sales order processing are weak, he may have to rely more on the tests of
details of transactions and balances than on analytical procedures in drawing his
conclusion on sales.
Special Audit Techniques 5.7

This technique has been discussed at the PCC level. However in view of importance of this
technique in the context of growing complexities, diversities and volumes of business, it
requires a more detailed treatment in the specific area of ratio analysis and related matters. It
should be appreciated that an audit programme will be realistic only after the auditor has
modified in the light of his experience of the changes and of the state of internal controls
operating in the organisation. If the auditor can perceive some of the imperatives under which
the management operates and the relationship of the business with the economy and
environment, he would be able to make the audit programme far more objective. Conflict of
interests, inflation, inter-company relations, scarcity conditions, captive market, control by the
State, etc. are some of the forces that condition a company’s working and management
approach to a large extent.
The auditor normally performs an audit by placing reliance on the internal control system. A
company’s control system may provide for a maximum holding of a particular raw material but
if the raw material is a controlled commodity and the supply is irregular, it is obvious that the
internal control rule about the maximum or minimum holding of the raw material is of no use to
the management which is concerned with the running of the business. As and when the
company is allotted a quota or permit for that material irrespective of any consideration, the
management will avail of the same. Besides the management will not mind even to procure
such material from the open market at a price different from the controlled price, if the
materials are needed. For goods to be imported it is often the practice to ask for and obtain
an import license for a quantity far larger than is reasonably needed simply to avoid the
procedural red tape involved in obtaining a license. Internal control systems, howsoever
good, will be of no use in such cases.
It should also be understood that significant non-routine transactions are entered into
sometimes in complete disregard of the laid down rules of control. The internal control system
may be good as far as the transactions that have been recorded. But if certain transactions
are omitted altogether, the internal control system may not be in a position to reveal anything
about them. An auditor should always bear in mind these limitations of the control system.
These limitations have made it even more important for the auditor to supplement his routine
audit programme, by overall tests which are based on judgment of what is reasonable. Ratio
analysis is an audit approach that helps the auditor to make an overall assessment of the data
by reference to attendant factors.
Relevance of Ratio and Trend Analysis - Ratio analysis is an important supplement to the
audit process which has the merit of bringing to focus the abnormalities, deviations and
unexpected variations. A ratio measures the relative magnitude of two related factors. It does
not have any significance of its own except to provide material for further analysis,
interpretation and conclusion. It is a means to objectively assess or diagnose the financial
health of a business. The auditor can take a broad view of the data under audit by adopting
ratio analysis. He can assess whether the data is reasonable, valid and consistent. Through
the process of ratio analysis, any abnormal relationship between two related matters is most
likely to be disclosed. It, however, presupposes certain amount of knowledge on the part of
the auditor about what should be the reasonable relationship. This may be acquired by the
auditor from his knowledge and experience gained elsewhere or from the knowledge of the
5.8 Advanced Auditing and Professional Ethics

past relationships. In addition, if there exists certain known relationship, the matter becomes
simpler. For example, if the rate of Provident Fund contribution is 10% of the basic pay and
dearness allowance, either set of the data can be proved by the other having regard to the
given relationship. If the auditor finds the Provident Fund contribution to be of the order of say
6% of the total of basic pay after dearness allowance, this immediately alerts him that some
abnormal feature exists, though he should not hasten to the conclusion that it is an error.
There may be circumstances, e.g., newly appointed employees are not entitled to the
Provident Fund benefit for certain period or there may be some retired persons re-employed
who are not entitled to any provident fund benefit.
Therefore, it may be said that ratio analysis makes it possible for the auditor to locate problem
areas which can thereafter be subjected to scrutiny for confirming that the problem really
exists or it is manifestation of some real abnormality that business has experienced during the
period covered by the audit. This may help also in forestalling an approaching danger before it
has done much damage. It is felt that if, at the audit planning stage, the data are subjected to
ratio analysis; the auditor would be in a position to plan his audit programme more
purposefully. He will be able to devote an appropriate amount of time and effort in areas
where abnormalities have been detected. The analysis of ratios and relationships has two
phases:
1. The determination and measurement of changes and inter- relationships in data.
2. The scrutiny, explanation and evaluation of the changes and their significance in light of
the circumstances.
It has been stated earlier that data must be inter-related for any effective ratio analysis. Apart
from this, certain businesses have their own features. A business with high sales volume at a
low margin of profit is expected to have a high inventory turnover ratio. If the ratio is low, it
will be a pointer for further probe. Similarly, a business offering cash discount for prompt
settlement of accounts will have a high debtors’ turnover ratio. A business dealing with a
widely needed scarce material will in most cases have customer’s advances against supply
rather than any debtors’ balances. On the other hand, in a business where Government is the
principal buyer, it is the general nature that the margin of profit is high and the debtors
outstanding quite large. For the auditor to properly understand the implications of ratios, such
background knowledge is essential.
Also, the auditor is expected to possess the knowledge of normal relationship between related
variables in the business he is auditing so that he can discern deviation from the normal and
assess significant variation in the relationship. This knowledge can be derived from either a
comparison with the concerned business’s past corresponding data or by reference to
readymade data available about the industry from some official source or by comparing the
data with the corresponding data found in another company engaged in the same line of
industry in similar circumstances.
The external data are generally considered to be objective and independent in character.
These, however, should be used with discretion. The basis and method of compilation, the
period covered and the source and author of the data are some of the considerations needed
before they are used for comparisons. In India, the Reserve Bank of India Bulletin, the
Special Audit Techniques 5.9

Bombay Stock Exchange Directory, the Calcutta Stock Exchange Directory, Kothari’s
Economic and Industrial Guide are some of the publications that contain reliable financial
information about companies, individually or as a class. However, they should not be
considered as a readymade material for comparison because the manner of compilation, the
circumstances, etc., may be dissimilar. Subject to review of these data for adjustment these
may be used for comparison.
Most of the ratios known to us from our study of Advanced Accounting can be used by the
auditor in evaluating different aspects of the financial health of a concern. However, the
auditor should be experienced and skillful enough to know what ratio is appropriate for his
purpose, what they would reveal and how to relate matters; also, what can be expected as a
result of particular ratio. For example, to know whether the concern’s cost of sales bears the
normal relation to sales, the auditor may compute gross profit ratio. Now if the gross profit
ratio shows any abnormality, depending upon the abnormality, further inference may be drawn
for verification and confirmation. If the gross profit ratio is higher than normal, the possibilities
that immediately should strike one are: (i) sales overstated, (ii) stock overstated or over
valued, (iii) purchases understated, (iv) wages and other costs understated, etc. Now the
auditor, having localised the problem areas, can check them extensively to find out whether
the doubts are true or certain abnormal situations did prevail that accounts for the distortion.
It is also natural for the auditor to expect the ratio of gross profit to net profit to be up in such
circumstances unless explained by other abnormal factors working in the opposite direction.
For example, the selling and distribution cost or interest on borrowings might have gone up
significantly to eat up the excess margin of gross profit. Take another example: suppose the
turnover ratio (Sales/Capital) shows a considerable improvement over the last year and there
is no concurrent increase in the solvency or liquidity ratios. The auditor should inquire why it
is so. It is quite possible that the company has evolved a better system of financial
management. It is also possible that (i) sales have been inflated or (ii) the credit policy was
defective to result into huge accumulation of debtors or (iii) there had been defalcation of
sales proceeds. There are certain quantitative ratios which may be particularly helpful to the
auditor, e.g., the ratio between the main raw material consumed to total production may prove
both the figures. Auditors can use a number of other quantitative ratios like ratio of man hours
to production to verify the accuracy of figures in the Profit and Loss Account and the Balance
Sheet. It would thus be seen that by working out ratios, the auditor can identify areas where
detailed enquiries are called for. Like, a physician, he examines symptoms, analyses them
and works out a diagnosis. Such a procedure may prove immensely helpful when used as a
supplementing technique to the normal vouch and post audit.
Ratio analysis can be of great use for overall checks. It is to be expected that figures of sales
will change together with changes in purchases, wages, expenses, etc. But the mutual
relationship of most related figures can change only because of extraordinary circumstances,
favourable or adverse. Working out the relationship of ratios, therefore, and comparing them
with the previous years, corresponding ratios serve to establish the apparent reasonableness
of the figures. To the extent reasonableness is established, the auditor may feel to be on a
firm ground when he issues his report. Of course, it should be noted that ratios are one of the
ways of application of overall tests.
5.10 Advanced Auditing and Professional Ethics

A good approach is to study the trends. Trend analysis is of course mainly resorted to in
investigations. However, it may, be developed as a useful audit tool also to locate areas
showing abnormalities. If trends of sales and purchases are studied over a reasonable period
say 5 years - any distortion in their relations will be apparent. Similarly, trend of cost of
production can be studied along with the trend of the major components of cost. Even the
trend of significant ratios can be studied by the auditor over a number of years either by
plotting them on a graph paper or by setting them chronologically. The objective of
comparison of absolute figures by reference to the corresponding figures of the previous year
has been stated by the Government in the context of the requirement in the Schedule VI to the
Companies Act, as follows:
“The intention of displaying the figures relating to the previous year is to facilitate the
comparative study of the items in the Balance Sheet and Profit and Loss Account, so that the
significance of the figures for the current year can be more readily appreciated and
understood”.
These all highlight one fact: those relevant ratios may be of great value for proper financial
analysis and this may bring out the problem areas on which the auditor is directly interested.
Students are referred to Study Material in Advanced Accounting.
Investigating unusual fluctuations and Items - When analytical procedures identify unusual
fluctuations and items, that is, relationships that are unexpected or inconsistent with evidence
obtained from other sources, the auditor should investigate them. The investigation usually
begins with inquiries of management and the auditor should:
♦ Corroborate management’s responses - for example, by comparing them with his
knowledge of the business and other evidence obtained during the course of the audit.
♦ Consider the need to apply other audit procedures based upon the results of such
inquiries.
Further investigation, by means of audit procedures designed to produce a satisfactory
conclusion, would be required if management is unable to provide an explanation or if the
explanation is not considered adequate.
Analytical procedures used in the overall review - In forming his overall conclusion that the
financial information as a whole is consistent with his knowledge of the entity’s business and
relevant economic conditions, the auditor should perform analytical procedures at or near the
end of the audit. The conclusions drawn from the results of such procedures are intended to
corroborate conclusions formed during the audit on individual elements of financial information
and assist in arriving at the overall conclusion as to the reasonableness of the financial
information. However, they may also identify areas requiring further procedures.
Statistical Sampling in Auditing
5.2 According to AAS-5 on ‘Audit Evidence”,
“The audit evidence should, in total, enable the auditor to form an opinion on the financial
information. In forming such an opinion, the auditor does not normally examine all of the
information that is available to him because he can reach a conclusion about an account
Special Audit Techniques 5.11

balance, class of transactions or a control by way of judgmental or statistical sampling


procedures”.
Statistical sampling technique is increasingly becoming popular with the auditors. Statistical
sampling in auditing stands for the technique of forming an opinion about a group of items on
the basis of an examination of a few of the items. It may be recalled that test checking
technique is one of the accepted auditing techniques, which most of the professional bodies of
the world, including the Institute of Chartered Accountants of India have recommended for use
by the members on a proper consideration of facts and applicability. We have also seen the
shortcomings of the test check technique as a basis for forming informed opinion about the
accounts under audit. Statistical sampling technique may be considered as a refined
application of the test check technique which has all the advantages of the latter with the
shortcomings removed. The greatest merit of statistical sampling technique lies in its being
based on the statistical theory of probability. It is however, not as simplistic as the test
checks.
On the basis of the audit carried out, an auditor is required to give a report containing his
opinion, about truth and fairness of the accounting statements. In expressing his opinion the
auditor never guarantees absolute accuracy of the accounting statements; but he takes a risk
of being challenged about the validity of his opinion. Even after a complete checking, he
cannot be sure that the accounts and the resulting accounting statements are absolutely free
from error, manipulation, fraud or mistake. However, the opinion that he expresses,
represents his overall assessment of the truth and fairness of the accounting statement based
on his satisfaction that he has applied all professional skill at his command to see that no
material error or fraud exists to distort the true and fair view of the accounting statements.
When he checks only a part of the total accounting data in lieu of checking of all the data, it is
obvious that the degree of satisfaction obtainable from the latter would not be available;
however, a small loss of the degree of satisfaction will be more than compensated by the
considerable savings in time and costs for having checked only a fraction of the total data. It
is again true that bigger the sample, the greater would be the satisfaction, but from a practical
consideration the minimum requisite sample size, if determined statistically will be adequate to
express an opinion about the overall truth and fairness of the total data within a reasonable
range of precision and with reasonable confidence.
It is important to recognize that certain testing procedures do not come within the definition of
sampling. Tests performed on 100% of the items within a population do not involve sampling.
Likewise the technique of selecting all items within a population which have a particular
significance (e.g., all items over a certain amount) does not qualify as sampling with respect to
the portion of the population examined nor with respect to the population as a whole, since the
items were not selected from the total population on a basis that was expected to be
representative. Such items might imply some characteristic of the remaining portion of the
population but would not be the basis for a valid conclusion about the remaining portion of the
population.
5.12 Advanced Auditing and Professional Ethics

5.2.1 Design of the sample and its evaluation - In designing an audit sample, the auditor has
to consider the following -
Audit objectives - The auditor should first consider the specific audit objectives to be
achieved to enable him to determine the audit procedure or combination of procedures which
is likely to be the best to achieve those objectives. In addition, when audit sampling is
appropriate, the nature of the audit evidence sought and possible error conditions or other
characteristics relating to that evidence will assist the auditor in defining what constitutes an
error and what population should be used for sampling. For example, when performing
compliance tests of a company’s purchasing procedures, the auditor will be concerned with
matters such as whether an invoice was clerically checked and properly approved. On the
other hand, when performing substantive tests of invoices processed during the period, the
auditor will be concerned with matters such as the proper reflection of the monetary amounts
of such invoices in the financial information.
Population - The population is the entire set of data from which the auditor wishes to sample
in order to reach a conclusion. The auditor determine that the population from which he draws
the sample is appropriate for the specific audit objective. For example, if the auditor’s
objective were to test for overstatement of accounts receivable, his population could be
defined as the accounts receivable trial balance. On the other hand, if he was testing for
understatement of accounts payable, his population would not be the accounts payable trial
balance but could be subsequent disbursements, unfair invoices, unmatched receiving reports
or other populations that would provide evidence of understatement of accounts payable. The
individual items that make up the population are known as sampling units. The population can
be divided into sampling units in a variety of ways. For example, if the auditor’s objective is to
test the validity of the entity’s accounts receivable, he could define the sampling unit for
confirmation purposes as either customer balances or individual customer invoices. The
auditor should define the sampling unit in order to obtain an efficient and effective sample to
achieve the particular audit objective. Further regarding population, it should be noted:
(a) ‘Population’, or ‘field’, or ‘universe’ (i.e. the total number of items potentially subject to
scrutiny within a defined area, must be sufficiently large.
(b) The system which produces the records to be tested must be sufficiently reliable.
(c) All items within a particular population must be homogeneous, i.e. they must all fall within
the same ‘category’.
(d) Items within the population must be both (i) identifiable; and (ii) accessible.
Such selection should therefore be entirely random, and for this purpose random number
tables are often used. The difficulty often arises, however, that the items within the population
are themselves not identifiable in a way which enables such random selection to take place.
Petty cash vouchers, for example, are rarely preprinted with a sequential numbering series
and randomness will thus have to be ensured in some other way; it will hardly be practical for
the auditor himself to set about entering the numbers on the vouchers.
Confidence level - The reliability referred to is usually termed the confidence level. More
precisely, in an auditing context, it is the mathematical probability that the error rate in the
Special Audit Techniques 5.13

sample will not differ from the error rate in the population by more than a stated amount.
Confidence level is conveniently expressed as a percentage. Thus, when we speak of a
confidence level of 90% we mean that there are 90 chances that the item would fall within the
confidence intervals of about 90 to 100, against 10 chances, i.e. the risk we take, that it will
not (once again, at a specified level of precision). The confidence level is therefore seen to be
complementary to risk.
Precision - The precision may be defined with which we can describe the attributes of a given
population. For example, our sample may be chosen such that the errors in the population can
be proved to be within 5 percent of the monetary value. But how precise do we require this
percentage to be? The bigger our sample, clearly the more precise we can be, but we can
never be completely precise for the same reasons as we can never be 100 percent confident.
The degree of precision required will depend on the materiality of the items in question. For
example, if Rs. 3,000 of errors in a sales ledger population of Rs. 100,000 would be
considered to be just not material, then 3 percent would be our precision limits. From this you
will deduce that confidence level and precision limits are essentially inter-related, and the two
combined would determine the quality of testing. The auditor’s assessment of the following
factors will primarily be responsible for selecting total limit:
(i) Evaluation of the functioning of the system of internal control in the area under
examination.
(ii) Materiality of the amounts involved.
5.2.2 Defining error - The auditor must determine the significance of potential error as it will
determine the way in which tests should be conducted. Tolerable error is the maximum error in
the population that the auditor would be willing to accept and still conclude that the result from
the sample has achieved his audit objective. Tolerable error is considered during the planning
stage and is related to the auditor’s preliminary judgement about materiality. The smaller the
tolerable error, the larger the sample size the auditor will require. Further, we must determine
the significance of potential errors, for this will in turn determine the way in which we conduct
our tests. For example, in compliance testing any error will be significant irrespective of its
monetary value, because any failure of internal control procedures reduces the reliance that
we can place on those procedures. Hence tests of detail will have to be extended. It is not the
size of the error that is significant in these circumstances, but its nature, (indeed there may be
no monetarily quantifiable misstatement at all e.g. a payroll may not have been check cast, but
it may still be correct). With substantive testing, on the other hand, we are interested in
discovering whether there is material misstatement, so in this situation it is purely the amount
of the error that is relevant.
5.2.3 Sample size - When determining the sample size, the auditor should consider sampling
risk, the tolerable error, and the expected error. Examples of some factors affecting sample
size are contained in Tables 1 and 2.
5.2.4 Sampling risk - Sampling risk arises from the possibility that the auditor’s conclusion,
based on a sample, may be different from the conclusion that would be reached if the entire
population were subjected to the same audit procedure. The auditor is faced with sampling
risk in both tests of control and substantive procedures as follows:
5.14 Advanced Auditing and Professional Ethics

(a) Tests of Control


(i) Risk of Under Reliance: the risk that, although the sample result does not support the
auditor’s assessment of control risk, the actual compliance rate would support such an
assessment.
(ii) Risk of Over Reliance: the risk that, although the sample result supports the auditor’s
assessment to control risk, the actual compliance rate would not support such an
assessment.
(b) Substantive Procedures
(i) Risk of Incorrect Rejection: the risk that, although the sample result support the
conclusion that a recorded account balance or class of transactions is materially mis-
stated, in fact it is not materially mis-stated.
(ii) Risk of Incorrect Acceptance: the risk that, although the sample result supports the
conclusion that a recorded account balance or class of transactions is not materially mis-
stated in fact it is materially mis-stated.
The risk of under reliance and the risk of incorrect rejection affect audit efficiency as they
would ordinarily lead to additional work being performed by the auditor, or the entity, which
would establish that the initial conclusions were incorrect. The risk of over reliance and the
risk of incorrect acceptance affect audit effectiveness and are more likely to lead to an
erroneous opinion on the financial statements than either the risk of under reliance or the risk
of incorrect rejection.
Sample size is affected by the level of sampling risk the auditor is willing to accept from the
results of the sample. The lower the risk the auditor is willing to accept, the greater the
sample size will need to be.
5.2.5 Tolerable error - Tolerable error is the maximum error in the population that the auditor
would be willing to accept and still conclude that the result from the sample has achieved the
audit objective. Tolerable error is considered during the planning stage and, for substantive
procedures, is related to the auditor’s judgement about materiality. The smaller the tolerable
error, the greater the sample size will need to be.
In tests of control, the tolerable error is the maximum rate of deviation from a prescribed
control procedure that at the auditor would be willing to accept, based on the preliminary
assessment of control risk, in substantive procedures, the tolerable error is the maximum
monetary error in an account balance or class of transactions that the auditor would be willing
to accept so that when the results of all audit procedures are considered, the auditor is able to
conclude, with reasonable assurance, that the financial statements are not materially mis-
stated.
5.2.6 Expected error - If the auditor expects error to be present in the population, a larger
sample than when no error is expected ordinarily needs to be examined to conclude that the
actual error in the population is not greater than the planned tolerable error. Smaller sample
size are justified when the population is expected to be error free. In determining the expected
error in a population, the auditor would consider such matter as error levels identified in
Special Audit Techniques 5.15

previous audits, changes in the entity’s procedures, and evidence available from other
procedures.
Statistical sampling procedures - There are many different types of statistical sampling
plans, but whatever type is used, procedures for conducting a test will be as follows:
(a) decide on the relevant confidence level and precision limits;
(b) calculate the sample size using an appropriate formula or tables designed for the
purpose;
(c) select the sample using random methods:
(d) carry out the necessary tests;
(e) appraise the results.
The most common types of plans adopted by auditors are: Acceptance sampling (with
discovery sampling a variation) or Estimation sampling, which may be used to determine:
(a) population variables, or
(b) population attributes.
Selection with the aid of the computer - The auditor may use a computer to render
considerable assistance in the performance of statistical sampling tests, employing the
following methods:
(a) Interval sampling - The computer is programmed to select every nth item stored on
magnetic tape, and the items so selected can be copied on to a separate tape and
printed out in the form required by the auditor.
(b) Random number selection - The technique of random number selection can be
computerised, the random numbers being stored on tape or generated by the computer
separately for each application.
(c) Random Interval selection - The dangers of selecting a biased example by the use of a
uniform interval can be avoided through the use of random variation of the interval
between successive items. Random intervals are selected from random number tables
maintained on magnetic tape, or produced by means of a random number generator
program.
While applying statistical sampling, it should be remembered that materiality is one of the
major considerations to decide whether or not a sample should be selected. For instance in
case of certain enterprises like real estate builders, agents, merchant houses, etc. the total
number of transactions may be relatively very small and hence are not appropriate for the
selection of a sample. Even in case of major enterprises, there are certain items which are so
significant that the records relating to them should be scrutinized by the auditor at new item by
item basis. For example, the year end closing entries in the journal may be manipulated and,
therefore, each entry must be carefully examined and authenticated by the auditor. In actual
practice many firms of Chartered Accountants have found limited use of statistical sampling
than anticipated by them. The various reasons which may be attributed to this state of affairs
5.16 Advanced Auditing and Professional Ethics

are as under:
(i) Audit has never been a mathematical discipline,
(ii) Designing and sampling schemes properly take unduly long time.
(iii) To draw valid conclusions on the basis of statistical sampling, all members of the audit
team should have an excellent grasp of the statistical principles involved,
5.2.7 Selection of the sample - The auditor should select sample items in such a way that the
sample can be expected to be representative of the population. This requires that all items in
the population have an opportunity of being selected. While there are a number of selection
methods, three methods commonly used are -
Random selection, ensures that all items in the population have an equal chance of selection,
for example by use of random number tables.
Systematic selection, involves selecting items using a constant interval between selections,
the first interval having a random start. The interval might be based on certain number of
items (for example, every 20th voucher number) or on monetary totals (for example, every
Rs.1,000 increase in the cumulative value of the population). When using systematic
selection, the auditor would need to determine that the population is not structured in such a
manner that the sampling interval corresponds with a particular pattern in the population. For
example, if in a population of branch sales, a particular branch’s sales occur only as every
100th item and the sampling interval selected is 50, the result would be that the auditor would
have selected all or none of the sales of that particular branch.
Haphazard selection, may be an acceptable alternative to random selection, provided the
auditor attempts to draw a representative sample from the entire population with no intention
to either include or exclude specific units. When the auditor uses this method, care needs to
be taken to guard against making a selection that is biased, for example, towards items which
are easily located, as they may not be representative.
5.2.8 Analysis of errors in the sample - In analysing the errors detected in the sample, the
auditor will first with a view to evaluating the sample results, the auditor should analyse any
errors detected, project such errors and reasons the sampling risk need to determine that an
item in question is in fact an error. In designing the sample, the auditor will have defined those
conditions that constitute an error by reference to the audit objectives. For example, in a
substantive procedure relating to the recording of accounts receivable, a mis-posting between
customer accounts does not affect the total accounts receivable. Therefore, it may be
inappropriate to consider this an error in evaluating the sample results of this particular
procedure, even though it may have an effect on other areas of the audit such as the
assessment of doubtful accounts.
When the expected audit evidence regarding a specific sample item cannot be obtained, the
auditor may be able to obtain sufficient appropriate audit evidence through performing
alternative procedures, For example, if a positive account receivable confirmation has been
requested and no reply was received, the auditor may be able to obtain sufficient appropriate
audit evidence that the receivables is valid by reviewing subsequent payments from the
Special Audit Techniques 5.17

customer. If the auditor does not, or is unable to, perform satisfactory alternative procedures,
or if the procedures performed do not enable the auditor to obtain sufficient appropriate audit
evidence the item would be treated as an error.
The auditor would also consider the qualitative aspects of the errors. These include the
nature and cause of the error and the possible effect of the error on other phases of the audit.
In analysing the errors discovered, the auditor may observe that many have a common
feature, for example, type of transaction, location, product line, or period of time. In such
circumstances, the auditor may decide to identify all items in the population which possess the
common feature, thereby producing a sub-population, and extent audit procedures in this
area. The auditor would then perform a separate analysis based on the items examined for
each sub-population.
5.2.9 Projection of errors - The auditor projects the error results of the sample to the
population from which the sample was selected. There are several acceptable methods of
projecting error results. However, in all the cases, the method of projection will need to be
consistent with the method used to select the sampling unit. When projecting error results, the
auditor needs to keep in mind the qualitative aspects of the errors found. When the population
has been divided into sub-population, the projection of errors is done separately for each sub-
population and the results are combined.
5.2.10 Reassessing Sampling Risk - The auditor needs to consider whether errors in the
population might exceed the tolerable error. To accomplish this, the auditor compares the
projected population error to the tolerable error taking into account the results of other audit
procedures relevant to the specific control or financial statement assertion. The projected
population error used for this comparison in the case of substantive procedures is net of
adjustments made by the entity. When the projected error exceeds tolerable error, the auditor
reassesses the sampling risk and if that risk is unacceptable, would consider extending the
audit procedure or performing alternative audit procedures.
Table 1: Examples of Factors influencing Sample Size for Tests of Control
Conditions leading to...
Factor Smaller Sample Size Larger Sample Size
Assessment of control risk Higher Preliminary Lower preliminary
assessment of control risk assessment of control risk
Tolerable error Higher acceptable rate of Lower acceptable rate of
deviation deviation
Allowable risk of over Higher risk of over reliance Lower risk of over reliance
reliance
Expected error or deviation Lower expected rate of Higher expected rate of
deviation in population deviation in population (1)
Number of items in Virtually no effect on sample
population size unless population is
small.
5.18 Advanced Auditing and Professional Ethics

(1) High expected deviation rates ordinarily warrant little, if any, reduction of control risk and
therefore, tests of controls might be omitted.

Table 2: Examples of Factor influencing Sample Size for Substantive Procedures


Conditions leading to …..
Factor Smaller Sample Size Larger Sample Size
Assessment of control risk Lower control risk Higher control risk
Reduction in detection risk Greater use of other Reduced use of other
because of other substantive substantive tests substantive tests
tests related to the same
financial statement
assertions
Tolerable error Smaller measure of Tolerable Large measure of tolerable
error error
Expected error Smaller errors or lower Large errors or higher
frequency frequency
Population value Smaller monetary Larger monetary significance
significance to the financial to the financial statements
statements.
Number of items in Virtually no effect on sample
population size unless population is
small
Acceptable level of detection Higher acceptable level of Lower acceptable level of
risk detection risk detection risk
Stratification Stratification of the No stratification of the
population, if appropriate population

Audit of Fixed Assets


5.3 The Guidance Note on Audit of Fixed Assets issued by the ICAI recommends that the
verification of fixed assets consists of examination of related records and physical verification.
The auditor should normally verify the records with reference to the documentary evidence
and by evaluation of internal controls.
The verification of records would include verifying the opening balances of the existing fixed
assets from records such as the Schedule of fixed assets, ledger or register balances to
acquisition of new fixed assets should be verified with reference to supporting documents such
as orders, invoices, receiving reports and title deeds. Self-constructed fixed assets and
capital work-in-progress should be verified with reference to the supporting documents such
as contractors’ bills, work orders and independent confirmation of the work performed from
Special Audit Techniques 5.19

other parties. When fixed assets have been written off or fully depreciated in the year of
acquisition, the auditor should examine whether these were recorded in the fixed assets
register before being written off or depreciated. In respect of retirement of fixed assets, the
auditor should examine whether retirements were properly authorised, whether depreciation
accounts have been properly adjusted, whether the sale proceeds, if any, have been
accounted for and the resulting gains or losses, if material, have been properly adjusted and
disclosed in the profit and loss account. In case the asset has impaired the auditor must
ensure that the asset has met the criteria as specified in AS 28, “impairment of Assets”.
Further, if conditions so warrants the reversal norms of impairment loss are duly complied
with.
The ownership of assets like land the buildings should be verified by examining title deeds. In
case the title deeds are held by other persons such as bankers or solicitors, independent
conformation should be obtained directly by the auditor through a request signed by the client.
Physical verification of fixed assets is primarily a responsibility of the management. The
management is required to carry out physical verification of fixed assets at appropriate
intervals in order to ensure that they are in existence. However, the auditor should satisfy
himself that such verification was done by the management wherever possible and by
examining the relevant working papers. The auditor should also examine whether the method
of verification was reasonable in the circumstances relating to each asset. The
reasonableness of the frequency of verification should also be examined by the auditor in the
circumstances of each case. The auditor should test check the books records of fixed assets
with the physical verification reports. He should examine whether discrepancies noticed on
physical verification have been properly dealt with.
The auditor should see that the fixed assets have been valued and disclosed as per the
requirements of law and generally accepted accounting principles. The auditor should test
check the calculations of depreciation and the total depreciation arrived at should be
compared with that of the preceding years to identify reasons for variations. He should
particularly examine whether the depreciation charge is adequate keeping in view the
generally accepted basis of accounting for depreciation. The Institute has also recommended
that the company should provide deprecation so as to write off the asset over its normal
working life. The company may provide depreciation at higher rate than the rates prescribed
under Schedule XIV to the Companies Act, 1956, if it feels that the normal working life of the
asset is low. However, if the company feels that the normal working life of the assets is much
higher, it cannot provide depreciation at the rates lower than the rate prescribed by the
Schedule XIV to the Companies Act, 1956. In such a case the rates given in Schedule XIV
should be followed.
Re-valuation of fixed assets implies re-statement of their books values on the basis of
systematic scientific appraisal which would include ascertainment of working condition of each
unit of fixed assets. It would also include making technical estimates of future working life and
the possibility of obsolescence. Such an appraisal is usually made by independent and
qualified persons such as engineers, architects, etc. To the extent possible, the auditor
should examine these appraisal. As long as the appraisal appears reasonable and based on
5.20 Advanced Auditing and Professional Ethics

adequate facts, he is entitled to accept the revaluation made by the experts.

Audit Risk
5.4 Students may recall that according to AAS-2, on “Objective and scope of Financial
Statements”, there is unavoidable risk that even some material misstatements may remain
undiscovered due to the test nature and other inherent limitations of any system of internal
control. AAS-5 on “Audit Evidence” also makes it clear that an auditor’s judgement as to what
is sufficient and appropriate audit evidence is affected by the degree of risk of misstatement.
Therefore, it becomes significant that an auditor is aware of risks which are inherent in any
audit with reference to materiality of transactions involved and accordingly test and evaluate
internal control systems so as to assess the extent of risk. In the following paragraphs, first of
all various facts of audit risks are discussed followed by relationship between materiality and
audit risk. Following this, the procedure to be adopted by an auditor to assess risk in the
internal control system is elaborated.
Low-risk areas are those which require the application of routine “nuts and bolts” audit
procedures in the ordinary course of vouching, casting, checking, etc., at both compliance and
substantive stages, usually occupying up to 80% of all audit effort. High-risk areas are those
which should be the primary concern of partners and senior managers, and will include such
matters as:
(a) adequacy of provisions;
(b) full disclosure of liabilities, including contingent liabilities;
(c) interpretation of AASs and company legislation;
(d) post–balance sheet review of subsequent events;
(e) analytical reviews on draft financial statements;
(f) implications of tax legislation;
(g) detecting overstatement of assets, e.g. by capitalising expenditure;
(h) identifying high-value items and ‘error-prone’ conditions, and
(i) drafting the audit report itself.
Concept of audit risk - Audit risk is the risk that an auditor may give an inappropriate opinion
on financial information that is materially misstated. For example, an auditor may give an
unqualified opinion on financial statements without knowing that they are materially misstated.
Such risk may exist at overall level or while verifying various transactions and balance-sheet
items.
1. Audit risk at the financial statement level - Audit risk is considered at the financial
statement level during the audit planning process. At this time, the auditor should
undertake an overall audit risk assessment based on his knowledge of the client’s
business, industry, management, control environment and operations. Such an
assessment provides preliminary information about the general approach to the
engagement, the auditor’s staffing needs and the framework within which materiality and
Special Audit Techniques 5.21

audit risk assessments can be made at the individual account balance or class of
transactions level. As part of this overall risk assessment, the auditor should consider
whether there is potential for pervasive problems, for example, liquidity or going concern
problems.
2. Audit risk at the account balance and class of transactions level - The majority of
audit procedures are directed to, and carried out at the account balance and class of
transactions level. Accordingly, audit risk should be considered by the auditor at this level
taking into account the results of the overall audit risk assessment made at the financial
statement level. To assess inherent risk, the auditor uses professional judgement to
evaluate numerous factors, examples of which are:
At the financial statement level:
♦ the integrity of management;
♦ management experience, knowledge and changes during the period (e.g. the in ex-
perience of management may affect the preparation of the financial statements of the
entity);
♦ unusual pressures on management (e.g. circumstances that might predispose
management to mis-state the financial statements, such as an entity in an industry
experiencing a large number of business failures or an entity that lacks sufficient capital to
continue operations);
♦ the nature of the entity’s business (e.g. its technological obsolescence of products and
services, complex capital structure, significance of related parties, and the number of
locations and geographical spread of its production facilities); factors affecting the
industry in which the entity operates (e.g. economic and competitive conditions, and
changes in technology, accounting practices common to the industry and, if available,
financial trends and ratios);
At the Account balance and class of transaction level:
♦ financial statement of accounts likely to be susceptible to misstatement (e.g. a financial
statement of account which required adjustment in the previous period);
♦ the complexity of underlying transactions which might require the use of the work of an
expert;
♦ the amount of judgement involved in determining account balances;
♦ susceptibility of assets to loss or misappropriation;
♦ the completion of unusual and complex transactions, particularly at or near year end; and
♦ transactions not subjected to the normal processing mode.
Assessment of audit risk by reference to its components - The paragraphs that follow
provide guidance directed to the assessment of audit risk at both the overall and the account
balance and class of transactions level. Three components of audit risk are:
♦ inherent risk (risk that material errors will occur);
5.22 Advanced Auditing and Professional Ethics

♦ control risk (risk that the client’s system of internal control will not prevent or correct such
errors); and
♦ detection risk (risk that any remaining material errors will not be detected by the auditor).
The nature of each of these types of risk and their interrelationship is discussed below:
Inherent risk - is the susceptibility of an account balance or class of transactions to
misstatement that could be material, individually or when aggregated with mis-statements in
other balances or classes, assuming that there were no related internal controls. It is a
function of the entity’s business and its environment and the nature of the account balance or
class of transactions. For example, accounts involving a high degree of management
judgement, or that are difficult to compute, such as a complex accounting estimate, or that
involve highly desirable and movable assets, such as jewellery, or that are particularly
susceptible to changes in consumer demand or technology that could affect their value, will
involve more inherent risk than other accounts.
Control risk - is the risk that misstatement that could occur in an account balance or class of
transactions and that could be material, individually or when aggregated with mis-statements
in other balances or classes, will not be prevented or detected on a timely basis by the system
of internal control. There will always be some control risk because of the intrinsic limitation of
any system of internal control. To assess control risk, the auditor should consider the
adequacy of control design, as well as test adherence to control procedures. In the absence
of such an assessment, the auditor should assume that control risk is high.
Detection risk - is the risk that an auditor’s procedures will not detect a misstatement that
exists in an account balance or class of transactions that could be material, individually or
when aggregated with misstatements in other balances or classes. The level of detection risk
relates directly to the auditor’s procedures. Some detection, risk would always be present
even if an auditor were to examine 100 percent of the account balance or class of transaction
because, for example, the auditor may select an inappropriate audit procedure, misapply an
appropriate audit procedure or misinterpret the audit results.
Interrelationship of the components of audit risk - Inherent and control risks differ from
detection risk in that they exist independently of an audit of financial information. Inherent and
control risks are functions of the entity’s business and its environment and the nature of the
account balances or classes of transactions, regardless of whether an audit is conducted.
Even though inherent and control risks cannot be controlled by the auditor, the auditor can
assess them and design his substantive procedures to produce an acceptable level of
detection risk, thereby reducing audit risk to an acceptably low level.

Risk-Based Audit
5.5 Audit should be risk-based or focused on areas of greatest risk to the achievement of the
audited entity’s objectives. Risk-based audit (RBA) is an approach to audit that analyzes audit
risks, sets materiality thresholds based on audit risk analysis and develops audit programmes
that allocate a larger portion of audit resources to high-risk areas.
The auditor does not normally need to perform specific audit procedures on all areas of audit.
Special Audit Techniques 5.23

He only needs to design audit programmes and procedures on areas earlier identified as
major risks that could result in the financial statements being materially misstated. RBA is an
essential element of financial audit- both in the attest audit of the financial statements and in
the audit of financial systems and transactions including evaluation of internal controls. It
focuses primarily on the identification and assessment of the financial statement misstatement
risks and provides a framework to reduce the impact to the financial statement of these
identified risks to an acceptable level before rendering an opinion on the financial statements.
It also provides indicators of risks as a basis of opportunity for improvement of auditee risk
management and control processes. This affords an opportunity to the auditee to improve its
operations from recommendations on risks that do not have a current impact on the financial
statements but impact the audited entity’s operational strategies and performance over the
longer term.
In the context of performance audit, it is the risk to delivery of an activity or scheme or
programme of the entity with economy, efficiency and effectiveness. Awareness of areas that
puts the programme or resources at risk from the point of view of economy, efficiency and
effectiveness helps focus audit attention on them. The risk analysis provides a framework for
assurance in performance auditing.
5.5.1 Audit risk analysis - The auditor should perform an analysis of the audit risks that impact
on the auditee before undertaking specific audit procedures. Risk assessment is a subjective
process. It is part of the professional judgment of the auditor and of the particular
circumstances. In Para 5.4 ‘audit risk’ has been explained in details. It is the risk that the
auditor may unknowingly fail to appropriately modify his opinion on financial statements that
are materially misstated.
Audit risks are brought about by error and fraud:
♦ Error is an unintentional mistake resulting from omission, as when legitimate transactions
and/or balances are excluded from the financial statements; or by commission, as when
erroneous transactions and/or balances are included in the financial statements.
♦ Fraud is an intentional misstatement in the accounting records or supporting documents
from which the financial statements are prepared. It is intended to deceive financial
statement users or to conceal misappropriations.
The auditor has the responsibility to plan and perform the audit to obtain reasonable
assurance about whether the financial statements are free of material misstatements, whether
caused by error or fraud.
An error risk may arise from an error in principle, estimate, critical information processing,
financial reporting process or disclosure.
Fraud risk involves manipulation, falsification of accounting records, or misrepresentation in
the financial statements of events, transactions or other significant information, or
misapplication of accounting principles or misappropriation of funds.
5.5.2 General Steps in the Conduct of RBA - RBA consists of four main phases starting with
the identification and prioritization of risks, to the determination of residual risk, reduction of
5.24 Advanced Auditing and Professional Ethics

residual risk to acceptable level and the reporting to auditee of audit results. These are
achieved through the following:
♦ Understand auditee operations to identify and prioritize risks
♦ Assess auditee management strategies and controls to determine residual audit risk
♦ Manage residual risk to reduce it to acceptable level
♦ Inform auditee of audit results through appropriate report
Understanding auditee operations involves processes for reviewing and understanding the
audited organization’s risk management processes for its strategies, framework of operations,
operational performance and information process framework, in order to identify and prioritize
the error and fraud risks that impact the audit of financial statements. The environment in
which the auditee operates, the information required to monitor changes in the environment,
and the process or activities integral to the audited entity’s success in meeting its objectives
are the key factors to an understanding of agency risks. Likewise, a performance review of the
audited entity’s delivery of service by comparing expectations against actual results may also
aid in understanding agency operations.
Assessment of management risk strategies and controls is the determination as to how
controls within the auditee are designed. The role of internal audit in promoting a sound
accounting system and internal control is recognized, thus the SAI should evaluate the
effectiveness of internal audit to determine the extent to which reliance can be placed upon it
in the conduct of substantive tests.
Management of residual risk requires the design and execution of a risk reduction approach
that is efficient and effective to bring down residual audit risk to an acceptable level. This
includes the design and execution of necessary audit procedures and substantive testing to
obtain evidence in support of transactions and balances. More resources should be allocated
to areas of high audit risks, which were earlier known through the analytical procedures
undertaken.
The results of audit shall be communicated by the auditor to the audited entity. The auditor
must immediately communicate to the auditee reportable conditions that have been observed
even before completion of the audit, such as weaknesses in the internal control system,
deficiencies in the design and operation of internal controls that affect the organization’s ability
to record, process, summarize and report financial data.
Materiality and Audit Risk
5.6 The concise Oxford Dictionary defines the term “material” as “important or essential.
Whatever is important or essential in a given auditing situation would automatically be
material. It is a relative term and what may be material in one set of circumstances may not
be so in another. The concept of materiality is fundamental to the process of aggregation,
classification and presentation of accounting information. Questions of materiality arise in
various circumstances. The Statement on Auditing Practices issued by the Institute of
Chartered Accountants of India states that the recommendations contained therein apply
primarily to items which are material and significant in relation to the affairs of a company.
Special Audit Techniques 5.25

Items of little or no significance may be dealt with as may be found expedient, as it is neither
desirable nor necessary that members should devote their time and energies in the pursuit of
matters of a trivial nature. However, freedom to deal expediently with non- material items
should not extend to a group of items whose cumulative effect on the accounts may be
material or significant.
The auditor has to keep this in view while examining the truth and fairness of the statements
of account. The auditor has to satisfy himself that the statements exhibit a true and fair state
of affairs having regard to all material aspects. At various places of Part II of Schedule VI to
the Companies Act reference is made to materiality and the same is also a matter of
importance in relation to items in the balance sheet.
It is clear from the above that the concept of materiality is fundamental to the accounting
process, right from the stage of aggregation to preparation of the annual accounts. The Profit
and Loss Account and the Balance Sheet of a company with a view to disclosing a true and
fair state of affairs, are to be drawn up in accordance with the form and disclosure
requirements prescribed in the Schedule VI to the Companies Act. The concept of materiality
has implicit as well as explicit recognition in the requirements contained in Schedule VI: As
regard implicit recognition, the very items which have been identified for a distinct disclosure
both in Part I and Part II of Schedule VI, are based on materiality consideration Viewed from
legislative angle, for example, disclosure of remuneration paid to the auditor. Explicit
reference to materiality exists at a number of places in Part II of Schedule VI and that requires
due consideration and judgement at the time of preparation of the profit and loss account by a
company. Clause 2 (b) of Part II of Schedule VI requires the disclosures of every material
feature including credits or receipts and debits or expenses in respect of non-recurring
transactions or transactions of an exceptional nature. Some more specific instances of
mention of the materiality consideration in Part II of Schedule VI are as follows:
(1) Aggregate if material, of any amounts set aside to reserves, aggregate, if material of any
amounts withdrawn from such reserves, aggregate, if material of the amount set aside to
provisions made for meeting specific liabilities and aggregate if material, of the amounts
withdrawn from such provisions are required to be disclosed.
(2) Profits or Losses in respect of transactions of a kind not usually undertaken by the
company, should be disclosed, if material in amount.
(3) Amount, if material, by which any items shown in the Profit and Loss Account are
affected by any change in the basis of accounting should be disclosed.
However, what is material has not been defined by the statute. Even though the statute has
not defined the concept of materiality, in a way, we can say that it has provided some sort of
guidance in this matter in specific circumstances. For example, Part II of Schedule VI requires
the following disclosures.
(1) Any item under which expenses exceed 1 per cent of the total revenue of the company or
Rs. 5,000 whichever is higher should be shown as a separate and distinct item.
(2) All those items of raw materials which in value individually account for 10 per cent or
more of the total value of the raw material consumed shall be shown as separate and
5.26 Advanced Auditing and Professional Ethics

distinct items with quantities thereof in the break-up. Likewise, in giving the break-up of
purchases. stocks and turnover, items like spare parts and accessories should be shown
as separate and distinct items if their value as individual items account for 10 percent or
more of the total value of purchases, stock or turn over.
The following are some of the specific requirements in the form of balance sheet based on
materiality consideration implicit in the very process of prescribing the format in Part I of
Schedule VI.
1. Loans from Directors should be shown separately.
2. Nature of interest, if any, of any director with the bankers or other officers of the company
at any time during the year should be disclosed by way of a note.
3. The maximum amount due by directors or other officers of the company at any time
during the year should be disclosed by way of a note.
Further, wherever there is a change in the basis of accounting, the effect thereof, even if it is
small, must be disclosed, it being a material factor for assessing the causes of the change in
the profitability of the company.
AAS-13 on “Audit Materiality” requires that the auditor should consider materiality and its
relationship with audit risk when conducting an audit. According to it, information is material if
its misstatement (i.e., omission or erroneous statement) could influence the economic
decisions of users taken on the basis of the financial information. Materiality depends on the
size and nature of the item, judged in the particular circumstances of its misstatement. Thus,
materiality provides a threshold or cut-off point rather than being a primary qualitative
characteristic which the information must have if it is to be useful. It stresses that the
assessment of what is material is a matter of professional judgement.
The concept of materiality recognises that some matters, either individually or in the
aggregate, are relatively important for true and fair presentation of financial information in
conformity with recognized accounting policies and practices. The auditor considers
materiality at both the overall financial information level and in relation to individual account
balances and classes of transactions. Materiality may also be influenced by other
considerations, such as the legal and regulatory requirements, non-compliance with which
may have a significant bearing on the financial information, and considerations relating to
individual account balances and relationships. This process may result in different levels of
materiality depending on the matter being audited. Although the auditor ordinarily establishes
an acceptable materiality level to detect quantitatively material misstatements, both the
amount (quantity) and nature (quality) of misstatements need to be considered. An example
of a qualitative misstatement would be the inadequate or improper description of an
accounting policy when it is likely that a user of the financial statements would be misled by
the description.
The auditor needs to consider the possibility of misstatements of relatively small amounts that,
cumulatively, could have a material effect on the financial information. For example, an error in
a month-end (or other periodic) procedure could be an indication of a potential material
misstatement if that error is repeated each month or each period, as the case may be.
Special Audit Techniques 5.27

5.6.1 Relationship between Materiality and Audit Risk - when planning the audit, the auditor
considers what would make the financial information materially misstated. The auditor’s
preliminary assessment of materiality, related to specific account balances and classes of
transactions, helps the auditor decide such questions as what items to examine and whether
to use sampling and analytical procedures. This enables the auditor to select audit procedures
that, in combination, can be expected to support the audit opinion at an acceptably low degree
of audit risk.
There is an inverse relationship between materiality and the degree of audit risk, that is, the
higher the materiality level, the lower the audit risk and vice versa. For example, the risk that a
particular account balance or class of transactions could be misstated by an extremely large
amount might be very low, but the risk that it could be misstated by an extremely small amount
might be very high. The auditor takes the inverse relationship between materiality and audit
risk into account when determining the nature, timing and extent of audit procedures. For
example, if, after planning for specific audit procedures, the auditor determines that the
acceptable materiality level is lower, audit risk is increased. The auditor would compensate for
this by either:
(a) reducing the assessed degree of control risk, where this is possible, and supporting the
reduced degree by carrying out extended or additional tests of control; or
(b) reducing detection risk by modifying the nature, timing and extent of planned substantive
procedures.
5.6.2 Materiality and Audit Risk in Evaluating Audit Evidence - The auditor’s assessment of
materiality and audit risk may be different at the time of initially planning the engagement from
that at the time of evaluating the results of his audit procedures. This could be because of a
change in circumstances or a change in the auditor’s knowledge as a result of the audit. For
example, if the audit is planned prior to period end, the auditor will anticipate the results of
operations and the financial position. If actual results of operations and financial position are
substantially different, the assessment of materiality and audit risk may also change.
Additionally, the auditor may, in planning the audit work, intentionally set the acceptable cut off
level for verifying individual transactions at a lower level than is intended to be used to
evaluate the results of the audit. This may be done to cover a larger number of items and
thereby reduce the likelihood of undiscovered misstatements and to provide the auditor with
the margin of safety when evaluating the effect of misstatements discovered during the audit.
In forming his opinion on the financial information, the auditor should consider whether the
effect of aggregate uncorrected misstatements on the financial information is material.
Qualitative considerations also influence an auditor in reaching a conclusion as to whether the
misstatements are material.
The aggregate of uncorrected misstatements comprises:
(a) specific misstatements identified by the auditor, including the net effect of uncorrected
misstatements identified during the audit of previous periods; and
(b) the auditor’s best estimate of other misstatements which cannot be specifically identified
(that is, projected errors).
5.28 Advanced Auditing and Professional Ethics

When the auditor tests an account balance or class of transactions by an analytical procedure,
he ordinarily would not specifically identify misstatements but would only obtain an indication
of whether misstatements might exist in the balance or class and possibly its approximate
magnitude. If the analytical procedure indicates that misstatements might exist, but not its
approximate amount, the auditor ordinarily would have to employ other procedures to enable
him to estimate the aggregate misstatement in the balance or class.
When an auditor uses audit sampling to test an account balance or class of transactions, he
projects the amount of known misstatements identified by him in his sample to the items in the
balance or class from which his sample was selected. That projected misstatement, along with
the results of other substantive tests, contributes to the auditor’s assessment of aggregate
misstatement in the balance or class.
If the aggregate of the uncorrected misstatements that the auditor has identified approaches
the materiality level, or if auditor determines that the aggregate of uncorrected misstatements
causes the financial information to be materially misstated, he should consider requesting the
management to adjust the financial information or extending his audit procedures. In any
event, the management may want to adjust the financial information for known misstatements.
The adjustment of financial information may involve, for example, application of appropriate
accounting principles, other adjustments in amounts, or the addition of appropriate disclosure
of inadequately disclosed matters. If the management refuses to adjust the financial
information and the results of extended audit procedures do not enable the auditor to conclude
that the aggregate of uncorrected misstatements is not material, the auditor should express a
qualified or adverse opinion, as appropriate.
5.6.3 Responsibility of Management - Management may decide to adjust the financial
statements for some, or all, of the mis-statements the auditor brings to its attention. In
evaluating whether the financial statements give a true and fair view (or “are presented fairly”),
the auditor should take into account the aggregate of all uncorrected misstatements, including
those involving estimates. The aggregation of mis-statements should include the auditor’s the
best estimate of the total misstatements in the account balances or classes of transactions
examined, not just the misstatements that he identified. If the aggregate uncorrected
misstatements exceed the final assessment of materiality for the financial information, account
balances or classes of transactions, the auditor should, after performing additional work if
needed, request management to correct the material mis-statement and, if management
refuses, issue a qualified or adverse opinion.
6
THE COMPANY AUDIT

Introduction
6.1 The shareholders of the company are the real owners of the Company. They invest their
money in the company. However the management of the company lies in the hands of the
directors. Generally the shareholders do not have the skills required to understand the financial
statements. Thus audit of account of company has been made compulsory in order to protect the
interest of the shareholders. Audit of accounts ensures that the statements of account are properly
drawn up and they disclose all the requisite information. Auditor must also ensure that the
company has not violated any of the provisions contained in the companies Act, 1956. Although
compliance with the relevant provisions of the companies Act, 1956 is the responsibility of the
directors and officers of the company, nevertheless the auditor must make a report to the
shareholders where non compliance results in affecting the accounts materially.
Appointment of Company Auditor
6.2 The following are the important considerations regarding the appointment of the company
auditor :
6.2.1 Who can be Auditor - Section 226 of the Companies Act, 1956 deals with the
qualification of company auditors. It intends to ensure that the auditors are independent of the
companies they audit. A body corporate can not be appointed as an auditor because it has a
limited liability. Clause (b) of sub-section (3) of Section 226 of the Act disqualifies an officer or
employee of the company from being appointed as its auditor. According to a clarification of
the Department of Company Affairs the legal position is as follows:
“Where the chartered accountant is employed whole-time, he is an employee of the
company. In other cases, generally speaking there would appear to be only a
contract for service and not a contract of service between the company and
chartered accountant, In Dhrangadhra Chemicals Works v. State of Saurashtra
(1957 S.CA, p. 216) the Supreme Court has laid down that the prima facie test for
determination of the relationship between master and servant is the existence of the
right in the master to supervise and control the work done by the servant not only in
matter of directing that work the servant is to do, but also the manner in which he
shall do his work, or to borrow the words of Lord Uthwatt, the proper test is whether
6.2 Advanced Auditing and Professional Ethics

or not the hirer had authority to control the manner of execution of the act in
question. Applying this test in any case, where the chartered accountant is
consulted only professionally on income tax matters by a company, he can not be
said to be an officer or employee of the company.
“A Chartered Accountant’s main business is to render professional service for
reward like a lawyer or a doctor. Where such service is rendered professionally and
not as an officer or employee of the company, a chartered accountant is not
disqualified under Section 226(3)(b) of the Companies act, 1956".
It is, however, clear that there is no prohibition on a relative of a director or a partner of such
relative to be appointed as an auditor. The provisions of Section 297(1) would also not apply
to the appointment of such a person as an auditor because an audit is in the nature of
rendering personal service obtained not on the basis of the lowest tender but on account of
professional expertise irrespective of cost involved. However, the appointment of an auditor
who is a relative of a director or a firm of auditors in which a director of the company or his
relative is a partner would be an office of profit under Section 314 requiring the consent of the
company by a special resolution, if the total monthly remuneration exceeds prescribed limits
(Section 314). Prior consent of the company and approval of Central Government (Company
Law Board) would also be required in appropriate cases. Moreover, a chartered accountant in
practice shall be deemed to be guilty of professional misconduct under the Chartered
Accountants Act, 1949 if he expresses his opinion on the financial statements of any
enterprise, in which he, his firm or a partner in his firm or any of his relatives have a
substantial interest, unless he discloses the interest also in his report. The term “relatives” is
to be construed with reference to Section 6 of the Companies Act. Similarly, the expression
“substantial interest” is to have the same meaning as is assigned thereto under Explanation 3
to Section 13 of the Income Tax Act, 1961. Further, clause (d) of sub-section (3) of Section
226 of the Act states that a person indebted to the company for an amount exceeding Rs.
1,000 or a person who, has given any guarantee or provide any security in connection with the
indebtedness of any third person to the company for an amount exceeding Rs. 1,000 is not
qualified for appointment as an auditor. Some special situations are discussed below:
(a) In this context, a question may come up as to whether such indebtedness would arise in
cases where, in accordance with the terms of appointment by a client, the auditor
recovers his fees on a progressive basis as and when a part of the work is done without
waiting for the completion of the whole job. According to the Research Committee of the
Institute “a question often arises as to whether indebtedness arises in cases where in
accordance with the terms of his engagement by a client (e.g. resolution passed by the
general meeting) the auditor recovers his fees on a progressive basis as and when a part
of work is done without waiting for the completion of the whole job. In these
circumstances, where in accordance with such terms, the auditor recovers his fees on a
progressive basis, he cannot be said to be indebted to the company at any stage.”
The Company Audit 6. 3

(b) A question of indebtedness may also be raised where an auditor of a company


purchases goods or services from the company audited by him. In such a case, if the
amount outstanding exceeds Rs. 1,000, irrespective of the nature of the purchase or
period of credit allowed to other customers, the provisions concerning disqualification of
auditors as contained in Section 226(3)(d) will be attracted.
(c) Another question which arises for consideration is whether a partner is disqualified from
appointment as auditor when the firm of which he is a partner is indebted to the company
in excess of the limit prescribed and whether the firm is disqualified from appointment as
auditor when a partner of the firm is indebted in excess of the prescribed limit. In both
cases disqualification will apply because when a firm is appointed as an auditor, each
partner is deemed to be so appointed and when a firm is indebted each partner is
deemed to be indebted.
(d) There may also be situations in which, though the appointment is made in the individual
name of a partner, the work is in fact carried out by the firm and the fees are credited to
the account of the firm. In such situations, the firm will be deemed to be acting as auditor
and the disqualification will be attracted in the case of indebtedness either of firm or a
partner.
Section 226(3) has been amended by the Companies (Amendment) Act, 2000 whereby a
person holding any security carrying voting rights after a period of one year from December
13, 2000 shall be disqualified from being appointed as auditor of the company. The aim of the
provision is to curb possible insider trading on the part of auditors.
6.2.2 Reappointment of Auditors - The Companies Act, 1956 stipulates that the office of an
auditor in a company is a continuing one and, therefore, has laid down that an auditor shall
hold office from the conclusion of the annual general meeting in which he is appointed till the
conclusion of the next annual general meeting. Except in cases of appointment of the first
auditor, appointment or filling of casual vacancies in the office of the auditor, companies are
required to appoint the auditor or auditors in the annual general meeting as a routine feature.
The appointment is subject to the following conditions:
(i) The auditor proposed to be appointed or re-appointed must possess the qualifications
prescribed under Section 226 of the Companies Act, i.e., he must be a Chartered
Accountant (holding Certificate of Practice) within the meaning of the Chartered
Accountants Act, 1949 or a Restricted State Auditor [Section 226(l) & (2)].
(ii) A firm of Chartered Accountants whereof all the partners practising in India are qualified
for appointment may also be appointed as the auditor in its firm name [Section 226(l)].
(iii) The proposed auditor does not suffer from the disqualifications enumerated in sub-
sections (3) and (4) of Section 226 of the Companies Act.
6.4 Advanced Auditing and Professional Ethics

(iv) In the case of re-appointment of the retiring auditor, it should be ensured that:
(a) he has not given notice to the company in writing of his unwillingness to be re-ap-
pointed;
(b) no resolution has been passed at the annual general meeting appointing somebody
else instead of the retiring auditor or providing expressly that the retiring auditor
shall not be reappointed;
(c) no notice of the intended resolution to appoint some other person or persons in
place of retiring auditor was received by the company that could not be proceeded
with due to death, incapacity or disqualification of other person or persons [Section
224(2)].
(d) a written certificate has been obtained from the proposed auditor to the effect that
the appointment or re-appointment, if made, will be in accordance with the limits
specified in sub-section (1B) of Section 224.
Appointment in a general meeting of the company means appointment by the shareholders of
the company. Upon an auditor being appointed in the annual general meeting, the company is
to give intimation thereof to the concerned auditor within seven days of the appointment,
whether it is a case of a new auditor being appointed or the retiring auditor being re-
appointed. The auditor, in his turn, upon receipt of the intimation from the company about his
‘appointment’ is required to send a written communication to the concerned Registrar of
Companies within 30 days of the receipt of the intimation stating whether he has accepted or
declined the appointment.
It should also be noted that the auditors shall hold office until conclusion of the next annual
general meeting meaning thereby that the non-holding of the next annual general meeting or
its adjournment without considering the business of appointment or re-appointment of
auditors, shall in no way affect the factual conclusion of the next annual general meeting of
the company. Notionally, it cannot be presumed that the auditor’s term expires on the date on
which the annual general meeting ought to have been held. A detailed clarification has been
issued by the Department of Company Affairs in this regard according to which:
“The tenure of an auditor is laid down in Section 224(l); it is from the conclusion of
the annual general meeting to the conclusion of the next annual general meeting
and cannot therefore, be for any particular year or financial year as such. The duty
of the auditor is laid down in Section 227(2), whereunder the auditor in office has to
audit every balance sheet and profit and loss account and every other document in
it or annexed to it which is laid before the general meeting held during his tenure of
office. In view of the provisions in Section 224(l), there can only be one annual
general meeting held during the tenure of office of any particular auditor. That also
shows that the auditor’s appointment is not related to any particular balance sheet
or profit and loss account or to any particular financial year.
The Company Audit 6. 5

“In the above context the Board decided that the tenure of an auditor appointed under
Section 224 of the Companies Act will continue upto the factual conclusion of the next
general meeting held by the company.”
6.2.3 Defective appointment - Where the appointment of a person as the auditor in the
annual general meeting is void ab initio, it appears that the provision of Section 224(3) will be
attracted and the appointment of the auditor can be made by the Central Government.
Filling of a casual vacancy - A casual vacancy in the office of the auditor can be filled by the
Board of Directors, provided such vacancy has not been caused by the resignation of the
auditor. In the case of a casual vacancy arising on account of resignation, only the company
in general meeting can fill the vacancy. The expression ‘casual vacancy’ has not been defined
in the Act. Taking its natural meaning, it stands for the vacancy created by the auditor ceasing
to act after he was validly appointed and the appointment was accepted. This may arise due
to a variety of reasons which include death, resignation, disqualification, dissolution of the firm
of auditors, etc. The provision to require filling of casual vacancy caused by the resignation of
the auditor by the annual general meeting is in consonance with the principle of auditor’s
independence. This process may bring out facts regarding the auditor’s resignation to the
notice and scrutiny of the shareholders. Any abuse of authority or financial impropriety by the
management, that might have contributed to the resignation, will be known. If the resigning
auditor could be found to be conscientious and honest the general meeting may even request
him to reconsider his decision and take appropriate steps to cure the evils, if any, in the
management. The auditor appointed to a casual vacancy shall hold office till the conclusion of
the next general meeting. However, it should be noted that a casual vacancy does not arise in
the office of auditors on the expiry of one year of their appointment if the annual general
meeting is not held in time. According to the Annual Report of the Institute of Chartered
Accountants of India for the year ended 31 March, 1971:
“A case of an alleged unjustified removal of auditors was reported to the Council where
the existing auditors were removed and new auditors were appointed by the board of
directors before holding the annual general meeting, on the footing that a casual vacancy
in the office of the auditors of the company had occurred on the expiry of the period of
one year, even though no annual general meeting was held. On a review of the facts
and circumstances of the case reported, it was held that the change of auditors sought to
be made in the circumstances was not justified and in the Council’s opinion the
appointment sought to be made of the new auditors was not valid, since no vacancy had
arisen in the office of the auditors. The Council felt that the existing auditor continued to
be the statutory auditor until the conclusion of the next annual general meeting. The
decision was communicated both to existing auditors and new auditors who were also
informed that accepting the appointment in such circumstances would not be proper.”
6.2.4 Appointment of Auditor by Central Government - Where, at the annual general
meeting, no auditors are appointed or re-appointed, the Central Government may appoint a
6.6 Advanced Auditing and Professional Ethics

person to fill the vacancy. It is the duty of the company to give notice of the fact that no
auditor was appointed in the annual general meeting to the Central Government within 7 days
of the annual general meeting. In case of any default to give notice to the Central
Government, the company and every officer in default shall be punishable with Fine that may
extend to Rs. 5000.
6.2.5 Ceiling on Audits - It has been mentioned earlier that before appointment is given to
any auditor, the company must obtain a certificate from him to the effect that the appointment,
if made, will not result in an excess holding of company audit assignments by the auditor
concerned over the limit laid down in Section 224(1B). Section 224(1B) of the Companies Act
as amended by Companies (Amendment) Act, 1988 provides that no company or its Board of
Directors shall appoint or re-appoint any person who is in full time employment elsewhere or
firm as its auditor if such firm or person is, at the date of such appointment or re-appointment,
holding appointment as auditor of the specified number of companies. Specified number has
been defined to mean 20 company audits subject to a further limit of 10 company audits in
respect of companies having paid up capital of Rs. 25 lakhs or more. Further it provides that in
the case of a firm of auditors, specified number of companies shall be construed as the
number of companies specified for every partner of the firm who is not in full-time employment
elsewhere.
(Note: It may be noted that the intention of the Central Government in amending this section
was to plug the loophole whereby chartered accountants in full-time employment could not be
considered for the purpose of conducting company audits. However, the amended section
tends to suggest that an individual chartered accountant in full time employment practising as
a sole proprietor can audit 20 companies while a chartered accountant practising as a sole-
proprietor not in full-time employment elsewhere can audit unlimited number of companies).
The limit of 20 company audits is per person. In the case of an auditing firm having 3 partners,
the overall ceiling will be 3 ×20 = 60 company audits of which not more than 30 should be in
companies having paid-up capital of Rs. 25 lakh or more. Sometimes a single chartered
accountant can be a partner or proprietor in a number of auditing firms. In such a case, all the
firms in which he is a partner or proprietor will be together entitled to 20 company audits on his
account, subject to the sub- ceiling of 10 large company audits. How they allocate the 20
audits between themselves is their affair. Explanation II after sub-section (1C) of Section 224
further amplifies the manner of identifying the audit units for calculating the specified number.
Under this explanation, when an auditor is appointed to audit even a part of company’s
accounts, the part will be considered as a unit of audit for the purpose of calculation of the
ceiling. Often one comes across what is known as joint audit when two or more auditors are
appointed to audit the accounts of a company. Each of the joint auditors is considered an
auditor for the purpose; any joint audit held by an auditor will be included as one audit unit for
the purpose of calculating ceiling. However, appointment as a branch auditor will not be
counted. The question arises whether the audits of branches of Indian companies and the
audits of Indian business accounts of foreign companies which have established their place of
business in India and are doing business in India are to be taken into account for computing
The Company Audit 6. 7

the limit of 20 companies as laid down in Explanation I of sub-section (1C) of Section 224 of
this Act. The Department of Company Affairs clarified that “the branch auditor of Indian
companies, appointed under Section 228 of the Act, audits the accounts of the particular
branch only for which he is appointed and forwards his report to the auditor appointed under
Section 224 of the Act and hence he cannot be equated with the company auditor appointed
under Section 224 who has to report to the annual general meeting on the, account of the
company as a whole including the branches audited by branch auditor. The words “any part of
which” appearing in Explanation II cannot have any reference to branch audit which as noted
above does not fit into the context of Section 224. The said words relate to the antecedent
number and not companies in so far as they are of any material significance to the context.
Hence, the branch audits are not to be included while calculating the specified number of 20
units.”
As regards the audit of the accounts of foreign companies, the Department is of the view that
they are outside the scope of Section 224 since the definition of company under Section 3 of
the Act does not include a foreign company. Hence the audit of the accounts of foreign
companies is also not to be included within the specified number of 20 as laid down in
explanation I to sub-section (1C) of Section 224 of the Act. A point has been raised as to
whether companies limited by guarantee are to be included in reckoning “specified” number of
auditors within the meaning of Explanation I to sub-section (1B) and (1C). This has been
examined and the Department is of the view that such companies as having no share capital
are to be excluded from the reckoning.
The Companies (Amendment) Act, 2000 has also amended Section 224(1B) dealing with
ceiling on company audits. Pursuant to this amendment, the private companies will be
excluded while computing the ceiling limit of 20 companies, as the case may be.
Consequently, the auditor can accept audit of any number of private companies subject to the
overall limits laid down by guidelines of the Institute. The guidelines finalised by the Council
are reproduced below:
“No.1-CA(7)/53/2001: In exercise of the powers conferred by clause (ii) of Part II of the
Second Schedule to the Chartered Accountants Act, 1949, the Council of the Institute of
Chartered Accountants of India hereby specifies that a member of the Institute in practice shall
be deemed to be guilty of professional misconduct, if he holds at any time appointment of
more than the “specified number of audit assignments of the companies under Section 224
and /or Section 228 of the Companies Act, 1956”.
Provided that in the case of a firm of chartered accountants in practice, the specified number
of audit assignments shall be construed as the specified number of audit assignments for
every partner of the firm.
Provided further that where any partner of the firm of chartered accountants in practice is also
a partner of any other firm or firms of chartered accountants in practice, the number of audit
assignments which may be taken for all the firms together in relation to such partner shall not
6.8 Advanced Auditing and Professional Ethics

exceed the specified number of audit assignments in the aggregate.


Provided further that where any partner of a firm or firms of chartered accountants in practice
accepts one or more audit assignments in his individual capacity, or in the name of his
proprietary firm, the total number of such assignment which may be accepted by all firms in
relation to such chartered accountant and by him shall not exceed the specified number of
audit assignments in the aggregate.
Explanation:
1. For the above purpose, the specified number of audit assignments means :
(a) in the case of a chartered accountant in practice or a proprietary firm of chartered
accountant, thirty audit assignments whether in respect of private companies or
other companies.
(b) in the case of a firm of chartered accountants in practice, thirty audit assignments
per partner in the firm, whether in respect of private companies or other companies.
Provided that out of such specified number of audit assignments, the number of audit
assignments of public companies each of which has a paid-up share capital of rupees
twenty-five lakhs or more, shall not exceed ten.
2. In computing the specified number of audit assignments:
(a) the number of such assignments, which he or any partner of his firm has accepted
whether singly or in combination with any other chartered accountant in practice or
firm of such chartered accountants, shall be taken into account.
(b) the audit of the head office and branch offices of a company by one chartered
accountant or firm of such chartered accountants in practice shall be regarded as
one audit assignment.
(c) the audit of one or more branches of the same company by one chartered
accountant in practice or by firm of chartered accountants in practice in which he is
a partner shall be construed as one audit assignment only.
(d) the number of partners of a firm on the date of acceptance of audit assignment shall
be taken into account.
(e) a chartered accountant in full time employment elsewhere shall not be taken into
account
3. This notification shall come into force from the date of its publication in the Official
Gazette.
4. A chartered accountant in practice as well as firm of chartered accountants in practice
shall maintain a record of the audit assignments accepted by him or by the firm of
chartered accountants, or by any of the partner of the firm in his individual name or as a
partner of any other firm as far as possible, in the following manner:
The Company Audit 6. 9

S.No Name of the Registration Date of Date of Date on which


company/Audit Number Appointment Acceptance Form 23-B
Assignment filled with
Registrar of
Companies
1 2 3 4 5 6

6.2.6 Auditor not to be appointed except with the approval of the company by a Special
Resolution - Section 224A provides for appointment of auditors in certain cases only by a
special resolution. It should be remembered that normally an auditor can be appointed or re-
appointed by an ordinary resolution. However, in terms of Section 224A, a company in which
not less than 25% of the subscribed capital is held by (i) a public financial institution or a
government company or the Central Government or any State Government, or (ii) any financial
or other institution established by any Provincial or State Act in which a State Government
holds not less than 51% of the subscribed share capital, or (iii) a nationalised bank or an
insurance company carrying on general insurance business, or (iv) any combination of the
above categories, shall appoint or re-appoint an auditor in the annual general meeting only by
passing a special resolution. In case the aforesaid company omits or fails to pass a special
resolution in the annual general meeting to appoint an auditor or auditors it shall be deemed
that no auditor or auditors have been appointed, and thereupon the Central Government’s
power to appoint the auditors pursuant to Section 224(3) will become exercisable. In
determining whether the appointment calls for a special resolution or not the measuring
yardstick is the proportion of the subscribed capital held by the various categories mentioned
above. If any of them singly or several of them jointly held 25% of the subscribed capital of
the company as on the day of the closing of the register of members before the annual general
meeting of the company will be covered by the provisions of Section 224A and, consequently,
the appointment of the auditor can only be made by passing a special resolution. It should be
noted that subscribed capital includes preference share capital also. In this case a doubt has
been expressed in some quarters about the material date for considering the 25% holding - as
to whether it should be the date of passing of the special resolution. The Department of
Company Affairs has clarified that “material date is the date of the annual general meeting at
which the resolution is required to be passed. Moreover, since generally articles of
association of companies provide for closure of the register of members before the general
meeting during a period not exceeding thirty days at any one time, it is unlikely that the
position regarding shareholding in the company will be different between the date of issue of
notice and date of the general meeting. In exceptional cases, however, where a change in the
shareholding pattern in the company has taken place between the date of issue of notice of
the general meeting and the date of actual passing of this resolution regarding appointment of
auditor, the company may either (i) adjourn the meeting to another date, and later issue the
required notice in accordance with law, and thereafter, pass a special resolution required to be
passed under Section 224A of the Act; or (ii) omit or pass over the item on the agenda
regarding appointment of auditor.
6.10 Advanced Auditing and Professional Ethics

In the event of the company adopting the procedure at (ii) above, the situation would then be
covered by Sub-section (2) of Section 224A of the Act. It has also been clarified by the
Department that irrespective of the circumstances in which a nationalised bank is holding
shares (whether beneficially or as security for loan advanced to constituents), if the name of
the bank is entered in the register of members of the company as holder of shares, such
holding of shares will have to be taken into account for the purposes of Section 224A of the
Act.
6.2.7 Appointment of Auditor of a Government Company - A Government company has been
defined in Section 617 of the Companies Act as “any company in which not less than 51% of
the paid-up share capital is held by the Central Government or by any State Government or
governments or partly by the Central Government and partly by one or more State
Governments, and includes a company which is a subsidiary of a Government company as
thus defined.” In respect of any Government company appointment of auditor is governed by
the provisions of Section 619 of the Companies Act, 1956. According to this Section, the
auditor of a Government company shall be appointed or re-appointed by the Comptroller and
Auditor General of India. However, the appointment will be subject to the ceiling discussed
above.
The aforesaid provisions applicable to the appointment of auditors of Government companies
also apply to another category of companies even though they are not Government
companies. This provision is contained in Section 619B of the Companies Act (in force on and
from 1.2.1975). If, in a company, not less than 51% of the paid up share capital is held by:
(a) the Central Government and one or more Government companies;
(b) any State Government, or Governments and one or more Government companies;
(c) the Central Government, and one or more State Governments and one or more
Government companies;
(d) the Central Government, one or more corporations owned or controlled by the Central
Government;
(e) the Central Government, one or more State Governments and one or more corporations
owned or controlled by the Central Government;
(f) one or more corporations owned or controlled by the Central Government or the State
Governments;
(g) more than one Government company or by combination of above.
The auditor of such a company shall be appointed by the Comptroller and Auditor General of
India.
According to the clarification issued by the Department, Nationalised Banks, General
Insurance Corporation of India and Industrial Development Bank of India are
corporations/institutions owned or controlled by the Central Government within the meaning of
Section 619B. But co-operative institutions, Industrial Credit and Investment Corporation of
The Company Audit 6. 11

India, Unit Trust of India and Industrial Finance Corporation are not covered under Section
619B. However, the aforesaid list of corporations is only illustrative and not exhaustive.
It should be noted that the provision of Section 224A which requires a special resolution for
the appointment of auditor and Section 619B have made the acceptance of the position of
auditor in a company somewhat difficult. Before acceptance of the appointment given by any
company on the strength of an ordinary resolution an auditor should specifically satisfy himself
that the company is not covered by either Section 224A or Section 619B which require
compliance with special procedure. Otherwise, he may find the appointment to be a nullity.
6.2.8 Auditor appointed at an Annual General Meeting failing to accept appointment - Can
the Board of Directors be authorised by the General Meeting to appoint auditors in the event
of auditors, appointed at annual general meeting, fail to accept the appointment? For knowing
the correct legal procedure that should be followed in such a case, the Research Committee of
the Institute had posed the following query to its Counsel:
(1) A company appointed auditors for the current year by a resolution passed in the Annual
General Meeting as under:
“Resolved that Shri X (Chartered Accountant) be re-appointed as auditor for the current
year on the overall remuneration of Rs...............only.”
“Resolved further that Shri Y (Chartered Accountant) be and hereby re-appointed as a
joint auditor for the current year on an overall remuneration of Rs......... only. Further
resolved that in the event of both or either of the auditors declining the assignments,
the Board may fill up the vacancy at their own discretion.”
(2) The Board of Directors, subsequently, passed a resolution as under:
“Resolved that in the event of any of the Auditors declining to accept the assignment,
Shri Z should be appointed as joint auditor.”
(3) The last para of the resolution of the General Meeting and the resolution itself of the
Board of Directors, were intended to meet a contingency of the appointments being
declined by any or both of the auditors appointed by the General Meeting, since the
remuneration fixed by the General Meeting was less than that proposed by the retiring
auditors, and as such there was a possibility of the appointments being rejected by the
auditors on that account.
(4) Y declined to accept the assignment and Z was called upon to intimate his willingness
or otherwise to accept the assignment pursuant to the resolution of the Board of
Directors.
The Counsel’s opinion was sought on the following points:
(a) Whether the vacancy caused by Y declining to accept the appointment constituted a
casual vacancy under Sub-section 6 (a) of Section 224 or due to resignation of an
6.12 Advanced Auditing and Professional Ethics

auditor; and
(b) Was the appointment of Z, made by the Board of Directors in place of Y, valid?
The Counsel was of the opinion that the Board of Directors could appoint an auditor only
under the circumstances completed under Sub-section 5 and under Sub-section 6(a) of
Section 224. Further that, in the specific case referred to him for opinion, the refusal of Y to
accept the appointment as joint auditor did not create a vacancy either casual or by
resignation since Y’s appointment had not become effective. Further, the appointment of
auditor having been made by shareholders, sub-section (3) could not be invoked. Thus, Z
could only be appointed by shareholders at a general meeting.
6.2.9 When appointment is made to fill up a vacancy caused by resignation of the previous
Auditor - An auditor, before accepting the appointment in place of an auditor or who has
resigned, should verify that the resolution appointing him as the auditor at the general meeting
was duly moved and approved by the share holders. In addition, he should refer to the
resignation submitted by the previous auditor and also communicate with him so as to
ascertain: (i) the circumstances which led up to his resignation; and (ii) whether there existed
any circumstances on account of which he should not accept the appointment. He should also
see whether the requirements of Section 224 (6) in respect of such an appointment have been
complied with.
[Notes: (1) Though there is no provision in the Act for an auditor ceasing to hold office on
becoming bankrupt or insane, it will not be possible for a person of unsound mind or an
undischarged insolvent to hold such office, as he will not under Sections 8 and 10 of the
Chartered Accountants Act, 1949 have his name on the Register of Chartered Accountants.
(2) In the case of appointment of an auditor to act jointly with an existing auditor, the
procedure would be similar to that where the existing auditor is being removed (as discussed
hereinafter). In practice, however, compliance with the formalities would not give rise to any
difficulties, since the existing auditor’s consent to the proposal, it is expected, will have been
secured in advance. (3) Students should also refer to the Guidance Note on Compliance with
provisions of Sections 224 and 225 of the Companies Act in the context of Clause 9 of Part I
of the First Schedule to the C.A. Act as reproduced in the Code of Ethics.]

Remuneration
6.3 Under Section 224(8) of the Act, it is fixed:
(a) in case of an auditor appointed by the Board or the Central Government, may be fixed by
the Board or the Central Government as the case may be; and
(b) subject to clause (a) above, shall be fixed by the company in General meeting or in such
manner as the company in general meeting may determine. For this purpose, the
expression “remuneration” should be deemed to include any sums paid by company in
respect of the auditor’s expenses.
The Company Audit 6. 13

Students may note that the Act does not require that the remuneration should be fixed at the
same meeting of the company at which the appointment is made. It may, therefore, be fixed
at a subsequent meeting. Where a retiring auditor has been re-appointed, his remuneration in
the absence of any resolution fixing a different remuneration, is considered to be the amount
already fixed, in respect of the previous appointment. Where, in addition to the normal audit,
the auditor is also required to undertake the writing up of the books, to prepare the annual
accounts of the company and do the income-tax or secretarial work, he is entitled to receive
remuneration in addition to the normal fee for the audit. Such additional remuneration is a
matter of arrangement with the directors. But any remuneration paid as fees, expenses or
otherwise for such service must be disclosed in the Profit & Loss Account. The remuneration
paid to the auditor is required to be shown in the Profit & Loss Account separately:
(a) as auditor;
(b) as adviser or in any other capacity in respect of:
(i) taxation;
(ii) company law matters;
(iii) management service; and
(c) in any other manner.
The Council of the Institute of Chartered Accountants of India in the ‘Statement on Payment to
Auditors for other Services’ has recommended that the fees paid to the auditors for other
services rendered should be disclosed in the profit and loss account of the companies under
the following heads in order to give precise and correct information to shareholders and others
who read the accounts:
(i) tax representation;
(ii) company law matters;
(iii) management services;
(iv) internal auditing;
(v) other services.
In case of joint audit, if other services were rendered by one of the joint auditors or in case of
a company having a branch, the other services were rendered by the branch auditor, a
disclosure should be made accordingly.
Section 224(8)(aa) has been inserted whereby it is provided that, in the case of an auditor
appointed under section 619 by the Comptroller and Auditor General of India, the
remuneration shall be fixed by the company in a general meeting or in such manner as the
company in general meeting may determine. Earlier this power was vested in the Central
Government.
6.14 Advanced Auditing and Professional Ethics

6.3.1 Rendering other services - One often finds that statutory auditors of the companies are
called upon to render other services to the client like tax consultancy, internal audit,
management consultancy, etc. The issues arising out of this practice have been considered
by the Institute of Chartered Accountants of India. The views of the Institute in this regard are
given below:
The payments for other services which are statutory required on the face of the published
accounts of a company represent perfectly legitimate payments for services rendered by the
auditors to the company which services the company needs and from which the benefit
derived by the company and the shareholders at large is more than commensurate with the
cost thereof. The very fact that the law requires specific disclosure of the payment for other
services shows that the Parliament did contemplate rendering of such services and did not
consider anything “prima facie” wrong about them. The other services which might be usefully
rendered by an auditor of a company against payment of additional fees may comprise the
following:
(a) Taxation Representations before the tax authorities and tax planning and advisory
services.
(b) Management Services which may include advice on the installation of a costing or
budgetary control system, management information system, selection of Senior Per-
sonnel in the Finance Department, etc.
(c) Company Law Services which include giving advice in relation to compliance with the
various provisions and procedures under the Companies Act.
(d) Investigation of accounts for various purposes, e.g., in case of purchase of business,
suspected fraud, etc.
(e) Advice in connection with amalgamation and merger, scheme of reconstruction and
reorganisation, etc.
(f) Valuation of shares of limited companies for various purposes.
(g) Issue of certificates as required by the Government and other authorities for various
specific purposes, for example,
(i) Certificates required by the Reserve Bank of India for exchange control purposes.
(ii) Certificates of gross profit and available surplus under the Payment of Bonus Act.
(iii) Certificate for consumption for raw materials, production, exports, etc. required by
the Joint Chief Controller of Imports,
(iv) Certificates at the specific request of lending institutions, both national and
international.
(v) Certificates based on verification of financial records to various Government, public
and other authorities.
The Company Audit 6. 15

(h) Special assignments required by a company for its own benefit, for example, a surplus
verification of cash or inventories or surprise visit to branches under special cir-
cumstances.
(i) Review of systems and procedures and of the internal controls, particularly, in relation to
cash transactions, purchases made by the company, inventories’ sale effected by the
company, etc. Such a review is followed by recommendation for internal control for the
benefit of the company.
(j) Audits of ancillary institutions of the company like the Employee’s provident fund, etc., in
respect of which usually the fees are paid by the company itself.
From the above illustrative list of the various services rendered by the auditors for which
additional fees are paid, it will be appreciated that it is only normal and natural for a company
to need such services and to pay for them. The next question is whether there is anything
wrong in such services rendered by the company’s auditors if they are competent to render
them. This question may be viewed from the angle of the benefit of the company and the
shareholders, on the one hand, and its effect on the independence of the auditor, on the other.
Sometimes, it may be desirable that the services are rendered by the company’s own auditor
who is expected to have overall knowledge of the accounts and the financial affairs of the
company and, also from the point of view of ensuring effectiveness of the work, fairness of the
opinion expressed on the certificate issued and also the benefit to the company as well as its
shareholders, this is desirable. It is emphasized that the other services rendered are also
those which are considered essential and beneficial to the company by the management and
they would normally have to be rendered by a professional accountant or other similar agency.
If the services are not rendered by the company’s own auditor, they will have to be rendered
by some other Chartered Accountant or by some other similar agency. The company’s auditor
with his overall knowledge of the affairs of the company would be in a much better position to
render such services compared to others. The cost of other services to the company when
rendered by its own auditor may also be comparatively less because he would need to expend
less direct time on the job than a person who has not audited the accounts. He can draw
upon the work already performed in the course of the audit where as another person may
need to follow certain procedures which have already been covered by the statutory auditor.
It is usually a matter of advantage to the company and the Income Tax Department if the tax
representation of the company is handled by its own auditor. The intimate knowledge which
the auditor possesses of the company’s business affairs and accounts is of material help in
the representation before the tax authorities. Chances of errors and accidental misstatements
or omissions are reduced and the tax officers are then able to complete the assessments more
expeditiously and with a greater degree of confidence. The work done by the auditor in
rendering other services may enable him to get a greater insight into the accounts and affairs
of the company, which would enable him to carry out a more effective and more purposeful
audit. For example, an auditor who has been engaged for rendering managements services to
6.16 Advanced Auditing and Professional Ethics

the company by way of a review of the systems and procedures and the internal control
systems of the company would acquire valuable additional knowledge which would certainly
help to perform a more efficient audit. It may also be clarified that there is no compulsion on
the company to engage its own auditors for rendering other services. If the company so
chooses it can engage the services of any other person. It is for the management of the
company to judge as to which course would be in the best interest of the company. If the
management, for valid reasons, concludes that it can have more efficient and less expensive
services from its own auditor, there seems to be no justifiable reason why it should be
deprived of such services. In recent time, there has been a growing appreciation in business
and industrial circles of the constructive and effective assistance that a chartered accountant
can render to the management in various fields. This has opened up new horizons particularly
for the young members in the profession who are in a very good position to develop these new
skills and to use them to the advantage of every one concerned. An analysis published in the
press suggested that it is the bigger firms who derive most benefit from rendering other
services. In fact, most young entrants to the profession who, in their early career, would have
comparatively fewer clients, do render varied services to their clients with mutual advantage
without sacrificing public interest. Many young and promising members of the profession are
trained to render management services, taxation and company law services, etc. to their
clients. Any unreasonable restriction on company auditors in the matter of rendering other
services would unjustifiably hit this young generation whom the Institute considers its pillars of
strength. Such a restriction would retard professional development and would at the same
time not be in the interests of the company and its shareholders nor in the public interest.
The Institute, of course, is quite mindful of the utmost necessity of ensuring high standard of
independence and integrity by its members in the performance of their duties as company
auditor. From time to time, the Council of the Institute has issued recommendations to its
members with this object in view. For Example, a Notification issued by the Council lays down
that a statutory auditor cannot act as a cost auditor. The Council has also advised its
members to refrain from expressing professional opinion on financial statements of a company
in which he or his relatives are substantially interested. The Council has also advised the
members to be always on guard and not to accept any professional assignment under such
circumstances that his independence may be affected. However, the Institute does not
consider that there is anything inherently improper in the auditor receiving an additional fee for
services rendered under such circumstances that his independence is not likely to be
adversely affected. It is not proper to suggest that mere receipt of fees for such services is
likely to taint the auditor’s conscience or that such payment of other fees which under
statutory requirements are disclosed on the face of the accounts are made with an untoward
or ulterior motive. There is no doubt that an auditor should not seek favour from his client
company nor should he has a financial interest in the company if he has to maintain his
independence and authority. However, the rendering of useful professional service in
consideration of a fees is not a matter of favour nor does it amount to have a financial interest
The Company Audit 6. 17

in the company. It would, therefore, be entirely incorrect to suggest that a company’s auditor
compromises his independence or obtains an undue advantage or interest in the company
merely by accepting an engagement for rendering other professional services to his client on
payment of specific fees for such services.
It may also be stated that the Institute has provided enough safeguard for ensuring proper
performance of duties by its members. A very strict disciplinary control is maintained by the
Institute and action is quickly taken by the Disciplinary Committee against erring members. In
disciplinary matters the standard maintained by the Institute is so high that there has been not
a single case where the High Court has enhanced the punishment suggested by the Institute
for an erring member. In most of the cases the High Court has reduced the punishment. It
may also be pointed out that a practising Chartered Accountant is precluded from engaging in
business or activities which are not directly within the scope of his profession. Thus, the other
services rendered by a company’s auditor are only such services which are directly within the
scope of the accountancy profession. Therefore, there is hardly any possibility of any misuse
or abuse if other professional services are rendered by the auditor.
The Council issued this note in the hope that it would clarify the matter with regard to the
payment of fees to auditors in ‘other capacity’. Such services and such payments are perfectly
legal and perfectly within the code of conduct and ethics of the professional. There need not
be any misgiving in this matter nor any apprehension that by such payments the public interest
of the generality of the shareholders is compromised. While the Council of the Institute will
continue to exercise the utmost vigilance in order to ensure the highest standards of
independence and discipline, it would be a mistake to stand in the way of normal professional
development, where such development does, not compromise the auditor’s independence or
authority. In fact, the Council actively encourages diversification in the professional services
rendered by the members of the profession so that new horizons and more avenues of useful
and constructive work may open up for the young entrants to the profession. This approach is
in keeping with the profession’s desire to play its proper role in the affairs of the nation by
contributing its utmost for developing the natural resources of the country, increasing the
national wealth and improving the standards of the millions of our countrymen.
6.3.2 Recommendations regarding disclosures for payments to auditors for other services -
By Notification No. 455 dated 27, April 1974, the Government amended the requirements of
Part II of Schedule VI to the Companies Act, 1956 as a result of which, the fees paid to
auditors, whether as fees, expenses or otherwise, for services rendered as auditor and adviser
or in any other capacity in respect of taxation matters, company law matters, management
service and in any other manner are required to be disclosed separately. Even prior to the
issuance of the aforesaid Notification, the Council had recommended disclosure of the break-
down of the fees paid to the auditor in other capacity under certain heads. Whilst the break-
down required by the aforesaid Notification is somewhat narrower than the break-down earlier
recommended by the Council, in the interest of better and fuller disclosure, the Council
6.18 Advanced Auditing and Professional Ethics

recommended that such disclosure, in respect of fees paid to the auditor in other capacity
should continue to be under the following head:
(i) for taxation matters;
(ii) for company law matters;
(iii) for management services;
(iv) for internal audit; and
(v) for other services.
It may happen that the fees paid to the auditor in other capacity may have been fixed or
settled in a composite manner in respect to more than one head. In such a case, it is
recommended that the composite amount may be disclosed describing that it was fixed as
such for the specified matters.
A question arises as to whether, if a company pays fee or remuneration to one of the partners
of a firm which is acting as its auditor, separate disclosure is required in respect of the fee or
remuneration so paid. The Council is of the view that the requirement as to the separate
disclosure of fees paid in other capacity should be more properly construed in the context of
the spirit behind such requirement and, accordingly, recommends that even in the aforesaid
case separate disclosure should be made in respect of fees paid by the company to the
partner of the firm which is its auditor.
Sometimes, the company may pay fees in other capacity to one out of several firms of joint
auditors. In such a case, in the interest of proper disclosure, it may be indicated that the fee is
paid to one of the joint auditors specifying the name of such auditor to whom the fee is paid.
Likewise a company may pay fee to its branch auditor appointed under Section 228 of the
Companies Act, 1956 for services rendered in other capacity. In such a case also while
disclosing the fee paid in other capacity the fact that it was paid to a branch auditor may be
specified. It may be noted that according to the Institute of Chartered Accountants of India,
there does not arise a situation of conflict, legal or ethical, when the statutory auditor renders
other services, e.g., tax advice, management consultancy etc. to the client at the same time.
6.3.3 Management Consultancy and Other Services - A member of the Institute in practice
shall be deemed to be guilty of professional misconduct, if he accepts the appointment as
statutory auditor of Public Sector Undertaking(s)/Government Company(ies)/Listed
Company(ies) and other Public Company(ies) having turnover of Rs. 50 crore or more in a
year and accepts any other work(s) or assignment(s) or service(s) ,in regard to the same
Undertaking(s)/Company(ies) on a remuneration which in total exceeds the fee payable for
carrying out the statutory audit of the same Undertaking/Company.
Provided that in case appointing authority(ies)/regulatory body(ies) specify(ies) more stringent
condition(s)/restriction(s), the same shall apply instead of the conditions/restrictions specified
in this Notification.
The Company Audit 6. 19

Explanation:
1. The above restrictions shall apply in respect of fees for other work(s) or service(s) or
assignment(s) payable to the statutory auditors and their associate concern(s) put
together;
2. For the above purpose,
♦ the term “other work(s)" or "service(s)" or "assignment(s)" shall include Management
Consultancy and all other professional services permitted by the Council pursuant to
Section 2(2)(iv) of the Chartered Accountants Act, 1949 but shall not include:
(i) audit under any other statute;
(ii) certification work required to be done by the statutory auditors; and
(iii) any representation before an authority
♦ the term "associate concern" means any corporate body or partnership firm which
renders the Management Consultancy and all other professional services permitted by
the Council wherein the proprietor and/ or partner(s) of the statutory auditor firm and/ or
their "relative(s)" is/are Director / s or partner / s and/or jointly or severally hold"
substantial interest" in the said corporate body or partnership;
♦ the terms "relative" and "substantial interest" shall have the same meaning as are
assigned under Appendix (10) to the Chartered Accountants Regulations, 1988.
3. In regard to taking up other work(s) or service(s) or assignment(s) of the
undertaking/company referred to above, it shall be open to such associate concern or
corporate body to render such work(s) or service(s) or assignment(s) so long as
aggregate remuneration for such other work(s) or service(s) or assignment(s) payable to
the statutory auditor I s together with fees payable to its associate concern(s) or
corporate body(ies) do/does not exceed the aggregate of fee payable for carrying out the
statutory audit.
4. This notification shall apply for any appointment(s) on or after 1st April, 2002.

Functions, Duties and Rights of Auditors


6.4 The following are the functions, duties and rights of auditors:
6.4.1 Functions of an Auditor under the Companies Act, 1956 - The primary function of an
auditor is to report on different types of financial statements prepared in a variety of situations
mentioned below:
(i) Reporting on Balance Sheet and Profit & Loss Account - It is the primary duty of the
auditor of a company to make a report to the shareholders on the accounts examined by him
and on every Balance Sheet and Profit & Loss Account as well as any other document
declared by the Act to be part of and annexed to the Balance Sheet or Profit & Loss Account,
6.20 Advanced Auditing and Professional Ethics

which are laid before the company in general meeting during his tenure of office. The report
should state whether, in his opinion and to the best of his information and according to the
explanations given to him, the said accounts give the information required by the Act in the
manner so required and give a true and fair view:
(a) in the case of balance sheet, of the state of the company’s affairs as at the end of its
financial year; and
(b) in the case of the profit and loss account the amount of profit or loss during the financial
year.
The matters which should be dealt with by the auditor in his report are set out in detail in sub-
section (3) of section 227. Also, the auditor is to inquire and, if necessary, to report on the
matters Specified in Section 227 (1A).
Power of Government to amplify the scope of audit - By the Companies (Amendment) Act
1965, sub-section (4A) has been added to section 227 empowering the Central Government to
direct, by a general or a special order, that in case of any class or description of companies,
as may be specified in the order, the auditor’s report should also include a statement on such
matters as may be specified therein. It is a general power which authorises the Government
to extend the scope of audit in case of a particular class of companies. Exercising this power
the Government of India issued the Manufacturing and other Companies (Auditor’s Report)
Order 1975. This Order was applicable to the following categories of companies:
(a) Manufacturing, mining or processing;
(b) Supplying and rendering services;
(c) Trading; and
(d) Financing, investment, chit fund, nidhi or mutual benefit companies.
The 1975 Order was replaced by the 1988 Order which came into force w.e.f. November 1,
1988. The 1988 Order has been further substituted by the Companies (Auditor’s Report)
Order, 2003.
(ii) Report to be set out in the Prospectus - Section 60 (3) of the Companies Act 1958,
contemplates three circumstances under which it is necessary for a Chartered Accountant to
report on the statements of account, operating results and assets and liabilities of a going
company which issues a prospectus. Part II or Schedule II to the set contains the reports to be
included in prospectus.
(iii) Certification of Statutory Report - Every public company limited by shares and every
company limited by guarantee and having share capital must prepare a statutory report for
being placed before the shareholders in accordance with section 165. It should be certified by
the auditor of the company, in so far as the report relates to the shares allotted by the
company, cash received in respect of such shares and payments of the company. A deemed
The Company Audit 6. 21

public company will not be required to hold statutory meeting or issue statutory report if a
period of 6 months has expired after incorporation at the time, it is so deemed.
(iv) “Special Audit” (Section 233 A) - It is an audit procedure alternative to investigation
when the Central Government is authorised to adopt in the under mentioned circumstances:
(a) when the affairs of the company are not being managed in accordance with sound
business principles or prudent commercial practices; or
(b) when it is being managed in a manner likely to cause serious injury or damage to the
interest of the trade, industry or business to which it pertains; or
(c) when the financial position of the company is such as would endanger its solvency.
The procedure is a short cut to an investigation and is simpler. It is therefore preferred in
cases where, instead of a detailed roving enquiry, information is required on certain specific
points. The Central Government is authorised to determine the scope of such an examination
so that it may be able to obtain such information as it may require to prove or disprove any
suspicion that it may have, either on the basis of any information in its possession or those
aroused from a perusal of the statements of account. To conduct such an audit, the Central
Government may appoint a person who is a Chartered Accountant, whether or not he is the
auditor of the company. The special auditor for purposes of carrying on the audit is invested
with the same powers and has the same duties as the statutory auditor except for the fact,
instead of making a report to the company; he has to report to the Central Government.
The Government on receipt of the report, may take such action on it as it considers necessary
but, if it fails to do so within a period of four months from the date of the receipt of the report,
the Government is required to send to the company either a copy or the relevant extract of the
report with its comments thereon and require the company either to circulate the copy or the
extract among the members or have them read before the members at the next General
Meeting.
(v) Report on the Accounts prepared on voluntarily winding-up - When, on company
being put to voluntary winding-up, the directors of the company make a declaration of
solvency, it should be accompanied by a copy of the report of the auditors of the company on
the Profit and Loss Account of the company for the period commencing from the date up to
which the last such account was prepared and ending on the latest practicable date,
immediately before the declaration is made, as well as, the Balance Sheet of the company on
last mentioned date embodying the statement of the company’s assets and liabilities as at that
date (section 488).
(vi) Report on the Accounts of Liquidators - When a company is being wound up by the
Court, its liquidator, at such times as may be prescribed by the Court, but not less than twice
at year, present to the Court an account of amounts received and paid by him. It is obligatory
for the Court to have the accounts audited (Section 462). Furthermore, in the case of a
6.22 Advanced Auditing and Professional Ethics

company, which is being wound voluntarily under the supervision of the Court or by the Court,
unless the liquidation is concluded within one year of its commencement, the liquidator must
file a statement of receipts and payments in the prescribed form, duly audited:
(a) in the case of a winding-up by or subject to the supervision of the Court, in the Court; and
(b) in the case of voluntary winding -up, with the Registrar (section 551).
But such an audit is not necessary in a case where the provisions of section 462 are
applicable.
(vii) Other Duties of the Company Auditor - The auditor can be called upon to carry out the
undermentioned duties:
(a) To assist the Inspector appointed by the Central Government either on the application of
the members or on a report by the Registrar of Companies under section 235 of the Act,
in the investigation of the affairs of the company. Such a duty extends to all persons who
were employed as auditors whether as statutory or as internal auditors [section 240 (1)
(b)].
(b) To assist Government in the prosecution of directors, provided the auditor is not himself
involved in pursuance of the Inspector’s report under section 241 of the Act, [section 242
(1)].
(c) To give such reasonable assistance as is necessary in cases where prosecution has
been instituted against delinquent officers and members of the company in the capacity
of an officer of the company [section 545 (7)].
(d) In the event of his being engaged in the formation of a company, to make a declaration
that all the requirements of the Act have been complied with [section 33 (2)].
6.4.2 Nature of duties of a Company Auditor - Though in sub-sections 1A, (2), (3), (4) and
4A of section 227, the duties of the auditor are set out in some detail, the Act does not
prescribe the procedures that should be followed for the examination of books of account or
verification of assets and liabilities included in the Balance Sheet of a company. Neither does
the Act define the scope of such an examination (except requiring verification of propriety of
certain transactions stated in sub-section (lA) of Section 227 or looking into the matters
specified in the Companies (Auditor’s Report) Order 2003, nor does it suggest the attitude of
mind with which the task should be approached. It is because these are matters in regard to
which members, it is expected, would be guided by informed opinion in the profession;
especially the statements issued by professional bodies, or by the pronouncements of learned
judges in cases concerning the duties and responsibilities of auditors, under different
conditions and circumstances.
Generally, it is the duty of the auditor to examine the company’s books of account to ascertain
that they do, in fact, truly and fairly record the transactions entered into by the company, and
to verify that the statements of account, drawn up on the basis of the books, truly and fairly
The Company Audit 6. 23

reflect the financial position disclosed by them. The scope and depth of checking of the entries
in the books for the verification of the statement of account is, to a large extent, a matter which
the auditor must determine himself on taking into account the conditions of the record in the
books, existence of the system of internal control and the character of the management. If the
books of account do not contain a complete record of the transactions, or are kept in a manner
that either the amount of the revenue receipts, or that of expenditure, or the values of assets
or the amounts of liabilities cannot be properly ascertained he must report the fact to the
shareholders. [Subsection (4) of Section 227]. However, the report should be qualified in this
regard only after the auditor has verified the condition of the records.
The directors are responsible for maintenance of accounts and for financial control of the
affairs of the company. Under section 209 of the Companies Act, they are responsible for
ensuring the maintenance of adequate records and the preparation of annual accounts
showing a true and fair view of the state of affairs of the company. They are also responsible
for safeguarding the assets of the company. If they fail to exercise the requisite degree of
supervision, they cannot plead in defence that the auditor had not drawn their attention to the
dangers to which the assets were exposed.
It is a primary duty of the auditor to verify the books of account presented to him for audit and
to report on the final statements of account. However, he does not guarantee or certify them
as a result, after the audit has been completed, if a fraud is discovered, the auditor would not
be liable for any breach of duty or negligence, for any failure to perform his duties
competently, provided he had conducted the audit with due care and skill in consonance with
professional standards.
It is expected, however, that the auditor would not accept the financial position of the company
as shown by books of account, before making a thorough enquiry so as to satisfy himself that
the books of account in fact show the true position and it is properly reflected in the
statements of account reported upon by him. The compliance with the accounting standards is
also required to be ensured by the auditor.
Often, a question is asked that if the internal check is found by the auditor to be inadequate,
should he extend his examination to trace down any fraud or would it be enough if he merely
reports that the internal check is inadequate. The informed opinion in the profession in this
regard is that, it being the duty of the auditor to report any loss or defalcation resulting from
the non-existence of internal check, he must extend his examination, if circumstances so
warrant, but he need not imagine the spectre of a loss which might have been suffered where
in fact, no loss has occurred.
Another duty of the auditor is to see that the Balance Sheet of the company is drawn up in the
form contained in the of Schedule VI to the Companies Act; also, that the Profit and Loss
Account contains all the information required to be disclosed according to the Part II of the
same Schedule.
6.24 Advanced Auditing and Professional Ethics

The Companies (Amendment) Act, 2000 has further amplified the duties of an auditor under
the Companies Act, 1956 by introducing additional reporting requirements under clauses (e)
and (f) of Section 227(3) of the Act where by the auditor shall state his observations having
adverse effects on functioning of company in thick type or italics [clause (e)] and ascertain
whether any Director of the Company suffers any disqualification under section 274 (1)(g)
[clause (f)]. The Institute has issued a Guidance Note on Section 227(3)(e) and (f) of the
Companies Act, 1956 explaining in detail the manner of reporting by the auditor.
The Companies (Second Amendment) Act, 2002 has added Clause (g) in section 227(3),
whereby the auditor’s report shall have to state whether the cess payable u/s 441A has been
paid and if not, the details of the amount of cess not so paid. Section 441A provides for levy
and collection of cess on turnover or gross receipt of companies.
Cess on Companies - A cess on companies will be levied for purpose of rehabilitation or
revival of sick industrial companies. The provisions are made in sections 441A to 441F, which
are placed in part relating to winding up of company by Tribunal.
Section 441A(1) provides that there shall be levied and collected, for the purposes of
rehabilitation or revival or protection of assets of the sick industrial company, a levy by way of
cess. It shall not be less than 0.005% and not more than 0.1% on the value of annual turnover
of every company or its annual gross receipt, whichever is more as the Central Government
may, from time to time, specify by notification in the Official Gazette.
Every company shall pay to the Central Government the cess referred to in section 441A(1)
within three months from the close of every financial year. [Section 441A(2)]. Every company
shall furnish, in such form as may be prescribed, to the Central Government and the Tribunal
the details of its turnover and gross receipts with payment of cess. [section 441A(3)]. The
Central Government may, be rules made in this behalf, specify the manner in which the cess
shall be paid u/s 441A(2) [section 441A(4)].
Can the scope of the audit be restricted - Though the scope of an audit cannot be restricted
(Newton v. Birmingham Small Arms & Co.) it has been held in Pendleburys Ltd. v. Ellis Green
and Co. that where the directors of a private company are its sole shareholders and the
auditor has reported to the directors that he has not been able to satisfactorily examine the
entries in the company’s cash book, in view of inadequacy of the system of recording entries,
he cannot be held guilty of negligence for not having qualified his report to the shareholders.
The decision, though good law at the time it was delivered, may not now provide protection to
auditors in similar circumstances, if a third party is aggrieved.
Auditor’s Report - An audit report should be clear, specific and complete, in order that
anyone who has an occasion to read it may know exactly what is wrong with the company. An
Auditor who gives the shareholders “the means of information” in respect of company’s
financial position, does so, at his peril and runs the serious risk of being held judicially to have
failed to discharge his duty (Lindley L.J in Re London and General Bank).
True and Fair - By the substitution of these words in the report which an auditor makes on the
statements of account of a company for the words “true and correct” by the Companies Act,
The Company Audit 6. 25

1956, the scope of the responsibility of the auditor has been widened. The statements of
account, as a result should not only correspond with the entries as contained in the books of
account but should also present a true and fair view of financial position of the company. This
demands:
(a) that the statements must disclose all material facts affecting the profits made, losses
incurred, the valuation of assets possessed or liabilities owned by the company. For
example, if there has been a loss of some stocks of raw-material by fire, which were not
insured, or certain amounts have had to be paid on account of losses suffered in the
past, in respect of which no provision existed in the books of account, these facts should
be disclosed separately and, if material, commented upon;
(b) that all unusual, exceptional or non-recurring items of income and expenditure must be
disclosed separately;
(c) that the propriety of transactions specified in sub-section (1A) of Section 227, where any
one of these has been entered into, should be examined;
(d) that the statements of account should neither over or understate the financial position of
the company;
(e) that events, subsequent to the close of the year, which enable the auditor to determine in
a better way the profits or the financial position of the company, as at the close of the
year, must be taken into account;
(f) that the statements of account should be drawn up in conformity with the accepted
standards of accounting principles consistently applied from year to year; and
(g) that the accounts should comply with the requirements as to the disclosure contained in
Schedule VI to the Companies Act, 1956.
In the context of ascertainment of true and fair view and drafting of the audit report, it is
necessary that students also acquaint themselves with the requirement of the Accounting
Standards issued by the Accounting Standards Board of the Institute of Chartered
Accountants of India. While discharging their attest functions it will be ‘the duty of the
members of the Institute to ensure that the Accounting Standards are implemented in the
presentation of financial statements covered by their audit reports. In the event of any
deviation from the standards, it will be also their duty to make adequate course in their reports
so that the users of such statements may be aware of such deviations. Now it is incumbent
upon the management of a company to ensure whether the financial statements have
complied with the accounting should are not in terms of section 211 of the Companies Act,
1956.
6.4.3 Rights of an Auditor - These are set out in detail in Sections 227(l) and 231.
The right of access to the “books of account” and “vouchers” must be construed as a right to
inspect all the books of account and records kept whether in compliance with the statutory
6.26 Advanced Auditing and Professional Ethics

provision or for financial purpose at a reasonable time, either with or without notice. Section
227 casts a duty specifically on the officers and other persons associated with the
management of the company to furnish any particulars or information required by the company
or auditor for being included in the Final Accounts or in any documents to be annexed thereto.
The auditor’s power to obtain information and explanation is indeed very wide and, in case any
information is refused, the auditor may report to the members that he has not been able to
obtain all the information or the explanations he required. It is the duty of the management to
balance and agree the books and prepare the final statements of account. Until this has been
done, the auditor normally should not start the audit. If a person other than the statutory
auditor has been appointed to audit the accounts of a branch or branches, it would be the duty
of the branch auditor to forward his report to the statutory auditor before he makes the
accounts of the company.
Audit of Accounts governed by Special Acts - The duties and responsibilities of an auditor
in case of companies which are governed by a special Act, is much the same as in case of
others except to the extent that these have been modified by the provisions contained in the
relevant special Act.
Accordingly, sub-section (6) of section 211 of the Companies Act provides that the final
accounts of companies governed by a special Act, and drawn up according to requirements
thereof, would not be considered as not disclosing a true and fair view on the ground that they
do not disclose information not requiring disclosure under the special Act.

Audit of Branches
6.5 The following are the points regarding audit of branches:
6.5.1 Relevant provisions of Companies Act, 1956 - In accordance with the principle of
independent professional audit of the company accounts, the Companies Act, 1956 in Section
228 has provided for the audit of accounts of branches. Section 2(9) of the Companies Act,
1956 defines a branch office as:
(i) any establishment described as a branch by the company;
(ii) any establishment carrying on either the same or substantially the same activity as that
carried on by the head office of the company; or
(iii) any establishment engaged in any production, processing or manufacturing but does not
include any establishment specified in any order made by the Central Government under
Section 8.
Under Section 8, the Central Government has the power to declare any establishment
falling under (i) or (ii) above as not a branch office in relation to the company owning it.
Section 228 of the Companies Act, 1956 provides that where a company has a branch
office, the accounts of that office shall be audited either by the company’s auditor
appointed under Section 224 or by another auditor possessing qualifications prescribed
The Company Audit 6. 27

under Section 226. In the case of a branch situated outside India, any of the above or an
accountant qualified to act as auditor in the country concerned can be appointed as the
branch auditor. The scheme of Section 228 presumes that normally the company auditor
shall be appointed as the branch auditor. However a company may decide to have the
branch accounts audited by a person other than the company auditor in a general meeting.
In such a situation, the company is required to appoint the branch auditor from out of the
eligible categories in the same meeting or it is to authorize the Board of Directors to
appoint one in consultation with the company’s auditor appointed under Section 224.
6.5.2 Branch Auditor Appointment and Powers - In the opinion of the Institute of Chartered
Accountants of India, the appointment of branch auditors in consultation with the company’s
statutory auditor should not be taken to mean that the statutory auditor is in any way taking
responsibility in respect of the work done by the branch auditor. The provision regarding
consultation with the statutory auditor only implies that the statutory auditor should be satisfied
that prima facie, he is not aware of any reason why the proposed auditor should not be
appointed as branch auditor. For example, where an auditor or a partner of his has been the
subject matter of adverse disciplinary proceedings under the Chartered Accountants Act and
the statutory auditor knows it, it may well be necessary for the statutory auditor to bring this to
the notice of the Board of Directors.
The branch auditor shall have the same powers and duties in respect of the audit of the
branch accounts as the company auditor has in relation to the company accounts. The
powers that the company auditor enjoys in relation to branch accounts are the rights (i) to
have access at all times to the books of accounts and vouchers of the branch, (ii) to visit the
branch, and (iii) to obtain information and explanation considered necessary for the audit of
the branch accounts. But the branch auditor, unlike the company auditor, will not have the
right to attend the general meeting of the company or to receive the notice and other related
communications in connection with the general meeting. The branch auditor is required to
prepare a report on the accounts of the branch office examined by him and forward the same
to the company’s auditor. It is obvious that when the company auditor himself is the auditor for
the branch accounts, there cannot be any question of any report being made on the branch
accounts audited. He as the auditor for the company, is under a duty to make a report on the
consolidated accounts in accordance with Section 227(2) of the Companies Act.
The branch auditor shall receive such remuneration as may be fixed for him by the general
meeting appointing him or by the Board of Directors, if so authorised by the general meeting.
Also, he is to hold office subject to the terms and conditions specified by the appointing body.
Naturally it is reasonable to presume that the branch auditor will not necessarily hold office for
the same statutory period as is held by the statutory auditor under Section 224.
6.5.3 Exemption of Branches from audit requirements in certain situations - Though
independent professional scrutiny of the branch accounts is the principle in providing audit,
the legislature, having regard to the element of materiality and other considerations, has
provided that under certain circumstances the accounts of the branch may not be audited
6.28 Advanced Auditing and Professional Ethics

[Section 228(4)]. The Companies (Branch Audit Exemption) Rules, 1961 have been issued to
provide for the exemptions; under the above Rules a branch of a company carrying on
manufacturing, processing or trading activity accounting for average quantum of activity not
exceeding higher of Rs. 2 lakhs or 2% of the average total turnover of the company shall be
exempt from the purview of compulsory audit of branch accounts. Quantum of activity means
the highest out of the following:
(i) the aggregate value of the goods or articles produced, manufactured or processed, or
(ii) the aggregate value of the goods or articles sold and of services rendered, or
(iii) the amount of the expenditure, whether of a revenue or a capital nature, incurred by a
branch office during a financial year.
The average of the quantum of activity is to be computed by including the activities for the
three years immediately preceding the year in respect of which the question of exemption is
to be determined. In case the company did not exist for all the three years referred to
above, the number of years in which the company actually existed will constitute the base of
computing the average. It should be noticed that the question of exemption is to be
considered every year by reference to the yardstick given above. The exemption discussed
above is mandatory in nature, if the condition about the quantum of activity is met. There
may be exemption also on other grounds. But these exemptions are discretionary, subject to
the satisfaction of the Central Government. The grounds on which exemption may be
granted by the Central Government are the following:
(i) If there are satisfactory arrangements for the scrutiny and check at regular intervals of
the accounts of the branch office of a company, not carrying on manufacturing or
processing or trading activities, by a person who is competent to scrutinise and check the
accounts.
(ii) If arrangements are made for the audit of the accounts of the branch office by a person
possessing the qualifications necessary for appointment as a branch auditor, even
though such person is an employee of the company.
(iii) If a branch auditor is not likely to be available at a reasonable cost, having regard to the
nature and quantum of activity carried on at the branch or having regard to any other
reason.
(iv) If for any other reason, the Central Government is satisfied that exemption may be
granted.
The company auditor in his report is to make a mention about exemption from audit granted to
any of the branches of the company under the Companies (Branch Audit Exemption) Rules,
1961.

Reliance on the Work and Report of the Other Auditor


6.6 Occasionally, an auditor may be called upon to report on financial statements, part of
The Company Audit 6. 29

which has been audited by other auditor or auditors. This phenomenon is particularly present
where the accounts of subsidiaries, audited by other auditors, are consolidated with the
holding company’s accounts also where branch accounts audited by other auditors are
merged in the head- office account, this problem arises. In our country, consolidation of the
subsidiaries accounts with the holding company’s accounts is not a legal requirement.
However, listed companies are required to get their accounts consolidated as per the SEBI’s
requirement. In that connection, companies are required to comply with the requirements of
AS-21. Under the Companies Act, 1956 branch accounts may be audited by auditor different
from the company auditor provided of course he holds the requisite qualification. The Institute
of Chartered Accountants of India has come out with an Auditing and Assurance Standard
(AAS) 10 - “Using the Work of another Auditor”.
6.6.1 Company’s Auditor in relation to Branch Accounts, Branch Audit and Branch Auditor -
When the company’s auditor himself is the auditor for the branch accounts, he treats the
whole company as an audit unit and ensures that the branch accounts have been properly
incorporated in the main office accounts. There remains no question of any separate report on
the branch accounts for consideration. Also there is no question of any separate and distinct
right to visit the branch or to have access to the books, accounts and vouchers. When the
branch accounts are audited by a person other than the company’s auditor it is necessary to
define the position of the company auditor in relation to branch accounts and branch auditor.
The Companies Act, under Section 228(2), has given a right to the company’s auditor to visit
the branch and to have access to the books, accounts and vouchers maintained at branch
even when the branch audit is conducted by a person other than the company’s auditor. Also,
the Companies (Branch Audit Exemption) Rules, 1961 has retained this right for the
company’s auditor in respect of branches granted exemption from audit this is a right given to
the company auditor and not a duty cast on him. If in his own assessment of the situation, he
considers it necessary for the proper audit of the accounts of the company, he may visit the
branch and may have access to the books, accounts and vouchers maintained there; but it is
not compulsory that he must visit the branch or branches.
As regards foreign branch of a banking company, however it is sufficient if the company’s
auditor is allowed access to the copies and extracts from the books and accounts of the
branch as have been transmitted to the principal office of India. Under Section 228(3)(c), the
company’s auditor is required to deal with the branch audit report received from the branch
auditor, in preparing his own report. The manner in which to deal with the report is left to him.
This requirement is supplemental to the main duty cast on him under Section 227(3)(c) to
state in his report whether the branch audit report has been forwarded to him and how he has
dealt with the same. It is clear that the law has left the question of how to deal with branch
audit report to the company auditor and only requires him to state in his report how he has
dealt with the same. In other words, full freedom of judgement has been given to the company
auditor to decide the prima facie relevance and impact of the branch audit report on the total
company accounts. Certain matters may appear material and important in the limited context
of the operations of the branch but may be considered not much significant in the setting of
6.30 Advanced Auditing and Professional Ethics

the total company accounts. He, therefore, may incorporate the points, if any, made in the
branch audit report if he considers the same relevant in making the consolidated accounts true
and fair. He, at his discretion may drop any or all the qualifications made in the branch audit
report. However, if the branch audit report contains qualifications on matters specially
required to be disclosed in the company accounts, pursuant to the Schedule VI requirements,
then it is obvious that the company auditor is left with no choice but to incorporate them in his
own report after confirming the accuracy of the report, if he so feels. For example, if the
branch audit report contains a qualification about non-disclosure of loans granted by the
branch to a firm of which a partner is the subsidiary of the company, the auditor has to include
it in his report unless he has reasons to doubt the veracity of the branch audit report itself.
It should be understood that this discretion allowed to the company auditor is highly sensible.
Since the company auditor is to report upon the combined accounts of the main office and the
branches, it is he who can judge the requirements of true and fair in an overall context, having
regard to materiality, accounting principles and the requirements of disclosure. For example, if
depreciation on the fixed assets of the branch has not been charged in the branch accounts,
no doubt the branch accounts will not show a true and fair view and it will be quite legitimate
for the branch auditor to qualify his report on that point. But if the company auditor can satisfy
himself that such charge of depreciation has been in fact made in the head office books, he
will not retain the branch auditor’s qualification in his report. It should also be understood that
discretion is simultaneously a very big responsibility on the company auditor. If he omits any of
the qualifications appearing in the branch audit report, without sufficient consideration, he and
not the branch auditor will be responsible for the omission.
It seems that in a situation where the branch audit is being conducted by a person other than
the company auditor the law has recognised a degree of overlapping responsibility. The legal
opinion obtained by the Institute of Chartered Accountants of India and published in the
“Opinion regarding certain provisions of the Companies Act, 1956”, in this context, holds the
view that the company’s auditor has a certain measure of responsibility in respect of the
accounts and papers of the branch. This is shown by the fact that he has a right to visit the
branch and has access to the papers and documents of the branch. He is in substance in
overall supervision as the company’s auditor and, in that capacity, he has to make disclosure
of anything in regard to the branch which he thinks is not in order and which has come to his
notice.
The Auditing and Assurance Standards Board of the Institute of Chartered Accountants of
India in their Auditing and Assurance Standard entitled “Using The Work of Another Auditor”
(AAS 10) has reviewed the relationship between the statutory auditor and the branch auditor
and has come to a conclusion that the statutory auditors would not be responsible for work
entrusted to branch auditors except in circumstances which should have aroused his
suspicion, about the achievability of work performed by the branch auditor.
The statutory auditor would normally be entitled to rely upon the work of the branch auditor
The Company Audit 6. 31

unless there are special circumstances to make it essential for him to visit the branch and / or
to examine the books of account and other records of the said branch. When using the work of
the branch auditor, the statutory auditor should ordinarily advise the branch auditor of the use
that is to be made of his work and report. He should make sufficient arrangements for the
coordination of their efforts at the planning stage of his audit. He should advise the branch
auditor of the significant accounting, auditing and reporting requirements and obtain
representation as to compliance with them. Ascertain from the other auditor any limitation on
the scope of his work imposed by the terms of engagement. The statutory auditor should also
consider the significant audit findings of the other auditor.
The statutory auditor is not required to evaluate the professional competence or independence
of the branch auditor, except in situations which create doubt about the professional
competence or independence of the other auditor. Where the statutory auditor’s report is other
than unqualified, the principal auditor should also document how he has dealt with the
qualifications or adverse remarks contained in the branch auditor’s report in framing his own
report. There should be sufficient liaison between the principal auditor and the branch auditor.
For this purpose, the principal auditor may find it necessary to issue a written communication
to the branch auditor.
The branch auditor, knowing the context in which his work is to be used by the principal
auditor, should cooperate with him and assist him actively, for example, by bringing to the
principal auditor’s immediate attention any significant findings requiring to be dealt with at
entity level, adhering to the time table for audit of the branches, etc. He should ensure
compliance with the relevant statutory requirements. Similarly, the principal auditor should
advise the other auditor of any matters that come to his attention that he thinks may have an
important bearing on the branch auditor’s work. If the branch auditor qualifies his report, the
principal auditor should consider whether the subject of the qualification is of such nature and
significance, in relation to the financial statements of the entity on which the principal auditor
is reporting, that it requires a qualification in his report.
The principal auditor would not be responsible in respect of the work entrusted to the branch
auditors, except in circumstances which should have aroused his suspicion about the
reliability of the work performed by the branch auditors. When the principal auditor has to base
his opinion on the financial statements of the entity as a whole relying upon the statements
and reports of the other auditors, his report should state clearly the division of responsibility
for the financial statements of the entity by indicating the extent to which the financial
statements of branches audited by the other auditors have been included in the financial
statements of the entity, e.g., the number of branches / divisions audited by other auditors.

Joint Audit
6.7 The practice of appointing Chartered Accountants as joint auditors is quite widespread
in big companies and corporations. With a view to providing a clear idea of the professional
6.32 Advanced Auditing and Professional Ethics

responsibility undertaken by the joint auditors, the Institute of Chartered Accountants of India
had issued a statement on the Responsibility of Joint Auditors which now stands withdrawn
with the issuance of AAS 12 on “Responsibility of Joint Auditors” w.e.f. April, 1996. Basic
principles laid down in AAS 12 are discussed in following paragraphs:
Division of Work - Where joint auditors are appointed, they should, by mutual discussion,
divide the audit work among themselves. The division of work would usually be in terms of
audit of identifiable units or specified areas. In some cases, due to the nature of the business
of the entity under audit, such a division of work may not be possible. In such situations, the
division of work may be with reference to items of assets or liabilities or income or expenditure
or with reference to periods of time. Certain areas of work, owing to their importance or owing
to the nature of the work involved, would often not be divided and would be covered by all the
joint auditors. The division of work among joint auditors as well as the areas of work to be
covered by all of them should be adequately documented and preferably communicated to the
entity.
Coordination - Where, in the course of his work, a joint auditor comes across matters which
are relevant to the areas of responsibility of other joint auditors and which deserve their
attention, or which require disclosure or require discussion with, or application of judgement
by, other joint auditors, he should communicate the same to all the other joint auditors in
writing. Thus should be done by the submission of a report or note prior to the finalisation of
the audit.
Relationship among joint auditors - In respect of audit work divided among the joint
auditors, each joint auditor is responsible only for the work allocated to him, whether or not he
has prepared as separate report on the work performed by him. On the other hand, all the
joint auditors are jointly and severally responsible:
(a) in respect of the audit work which is not divided among the joint auditors and is carried
out by all of them;
(b) in respect of decisions taken by all the joint auditors concerning the nature, timing or
extent of the audit procedures to be performed by any of the joint auditors. It may,
however, be clarified that all the joint auditors are responsible only in respect of the
appropriateness of the decisions concerning the nature, timing or extent of the audit
procedures agreed upon among them; proper execution of these audit procedures is the
separate and specific responsibility of the joint auditor concerned;
(c) in respect of matters which are brought to the notice of the joint auditors by any one of
them and on which there is an agreement among the joint auditors;
(d) for examining that the financial statements of the entity comply with the disclosure
requirements of the relevant statute; and
(e) for ensuring that the audit report complies with the requirements of the relevant statute.
The Company Audit 6. 33

If any matters of the nature referred above are brought to the attention of the entity or other
joint auditors by an auditor after the audit report has been submitted, the other joint auditors
would not be responsible for those matters. Subject to paragraph (b) above, it is the
responsibility of each joint auditor to determine the nature, timing and extent of audit
procedures to be applied in relation to the area of work allocated to him; The issues such as
appropriateness of using test checks or sampling should be decided by each joint auditor in
relation to his own area of work. This responsibility is not shared by the other joint auditors.
Thus, it is the separate and specific responsibility of each joint auditor to study and evaluate
the prevailing system of internal control relating to the work allocated to him. Similarly, the
nature, timing and extent of the enquiries to be made in the course of audit as well as the
other audit procedures to be applied are solely the responsibility of each joint auditor.
In the case of audit of a large entity with several branches, including those required to be
audited by branch auditors, the branch audit reports/returns may be required to be scrutinised
by different joint auditors in accordance with the allocation of work. In such cases, it is the
specific and separate responsibility of each joint auditor to review the audit reports/returns of
the divisions/branches allocated to him and to ensure that they are properly incorporated into
the accounts of the entity. In respect of the branches which do not fall within any divisions or
zones which are separately assigned to the various joint auditors, they may agree among
themselves as regards the division of work relating to the review of such branch returns. It is
also the separate and specific responsibility of each joint auditor to exercise his judgement
with regard to the necessity of visiting such divisions/branches in respect of which the work is
allocated to him.
A significant part of the audit work involves obtaining and evaluating information and
explanations from the management. This responsibility is shared by all the joint auditors
unless they agree upon a specific pattern of distribution of this responsibility. In cases where
specific responsibility of each joint auditor to obtain appropriate information and explanations
from the management in respect of such divisions/zones/units and to evaluate the information
and explanations so obtained by him. Each joint auditor is entitled to assume that the other
joint auditors have carried out their part of the audit work in accordance with the generally
accepted audit procedures. It is not necessary for a joint auditor to review the work performed
by other joint auditors or perform any tests in order to ascertain whether the work has actually
been performed in such a manner. Each joint auditor is entitled to rely upon the other joint
auditors for bringing to his notice accounting principles or any material error noticed in the
course of the audit. Where separate financial statements of a division/branch are audited by
one of the joint auditors, the other joint auditors are entitled to proceed on the basis that such
financial statements comply with all the legal and professional requirements regarding the
disclosures to be made and present a true and fair view of the state of affairs and of the
working results of the division/branch concerned, subject to such observations as may be
communicated by the joint auditor concerned.
6.34 Advanced Auditing and Professional Ethics

Reporting Responsibilities - Normally, the joint auditors are able to arrive at an agreed
report. However, where the joint auditors are in disagreement with regard to any matters to be
covered by the report, each one of them should express his own opinion through a separate
report. A joint auditor is not bound by the view of the majority of the joint auditors regarding
matters to be covered in the report and should express his opinion in a separate report in case
of a disagreement.
For the purpose of computation of the number of company audits held by an auditor pursuant
to the ceiling rule introduced in the Companies Act, 1956 each joint auditorship in a company
will be counted as one unit.

Gist of Important Circulars


6.8 A gist of some important circulars issued from time to time by the Company Law
Department is given below:
Another meeting to be held by directors for considering reservation, qualification,
etc., made in auditor’s report - In case the auditors’ remarks are not available to the board
at the time of its consideration and authentication of the balance-sheet and profit and loss
account under Section 215(3), the board has to meet once again to consider the
reservations, qualifications made in auditor’s report and give their explanations to the said
remarks in terms of Section 217(3) - Source: Letter No. 8/22(215)/76-CL-V, dated 16-8-
1978.
Need for appointment of independent auditors - Where due to near relationship of an
auditor with managing or a whole-time director, the independence of an auditor is likely to
be jeopardised, he shall use his good sense, and acting in the best traditions of the
profession, refrain from accepting the appointment - Source: The Chartered Accountant,
Vol. XII, Part XI, May, 1964 issue.
Statutory auditor cannot be internal auditor - If the statutory auditor of the company is
also the internal auditor, it will not be possible for him to give an independent and objective
report under-Section 227. As such a statutory auditor of a company cannot also be its
internal auditor - Source: Circular No. 29/76(1)/[76-CL-V], dated 27-8-1976 as corrected by
Circular No. 5/[77(1)/1/76-CL- V], dated 8-4-1977.
Statutory auditor cannot undertake work of writing books of account - The acceptance
of the book-keeping work by the statutory auditor is likely to place the statutory auditor in a
rather vulnerable position in the matter of free expression of his professional opinion as an
auditor on the annual accounts of the company. Such practice deserves to be discouraged -
Source: Extract from Seventh Annual Report on Working and administration of Companies
Act, 1956 - Year ended 31st March, 1963.
Retiring auditor can be deemed to be reappointed or automatically appointed at
annual general meeting- It is not correct to say that in the absence of the resolution to the
The Company Audit 6. 35

effect that that retiring auditors shall not be reappointed, the retiring auditors shall stand
reappointed as auditors of the company. Where auditors are not appointed or reappointed in
accordance with the provisions of the Act including section 224(2), as read with sections
225, 190 and 224(3) relating to the Government’s power to appoint auditors becomes
attracted in the matter - Source: Circular No. 5/72, dated 21-2-1972.
Continuation of tenure of auditor up to factual conclusion of next annual general
meeting - Where no annual general meeting is held, the tenure of an auditor appointed
under section 224 will continue up to the factual conclusion of the next annual general
meeting held by the company - Source: Clarification issued by Department of Company
Affairs.
Signing of Form 23B by auditors in firm’s name without disclosing identity of
signatory - The intimation in token of acceptance or refusal to accept the appointment is
only a ministerial act which can be performed by a duly authorised person on behalf of the
auditor’s firm. It is, however, necessary that the identity of person who signs Form No. 23B,
whether he be a partner or a clerk of the firm, must be disclosed as such, as it will not be
enough if the form is signed only in the firm’s name, without disclosing the identity of the
signatory since the firm has no locus standi of its own in the eye of law - Source: Letter No.
7/26/76-IGC, dated 31-10-1977.
Requirement of sending certificate by auditors to Registrar - The intimation for the
appointment or reappointment of a person or firm as the auditor under sub-section (1C) of
Section 224 does not provide for prescribing any form for furnishing the said intimation to
the Registrar - Source: Circular No. 20/75[35/3/75-CL-III], dated 22-9-1975.
Guarantee companies are not to be counted in reckoning specified number of audits -
Such companies as have no share capital, i.e. guarantee companies, are to be excluded
from the reckoning of ‘specified’ number of companies within the meaning of Explanation 1
to sub-sections (1B) and (1C) - Source: Letter No. 8/12(224)/74-CL.-V, dated 28-9-1974.
Branch audits of Indian companies and audit of Indian business accounts of foreign
companies not to be included while calculating specified number of audits - The
branch auditor of the Indian Companies appointed under section 228 audits the accounts of
the particular branch only for which he is appointed and forwards his report to the auditor
appointed under section 224 and, hence, he cannot be equated with the company’s auditors
appointed under section 224. Hence, the branch audits are not to be included while
calculating the specified number of 20 audits. The audit of the accounts of companies is
also not to be included within the specified number of 20 as laid down under Explanation I to
sub-section (1C) of Section 224 - Source: Circular No. 21/75(35/3/75-CL-III), dated
24- 9-1975.
Central Government’s power to appoint auditors exercisable only where auditors are
not appointed in annual general meeting - It is only where an auditor is not appointed at
6.36 Advanced Auditing and Professional Ethics

an annual general meeting that the Central Government can exercise the powers under
section 224(3) - Source: Letter No. 35/13/74-CL-III, dated 21-11-1974.
Material date for appointment or reappointment of auditor is date of annual general
meeting at which special resolution is required to be passed - The material date for the
appointment or reappointment of an auditor is the date of the annual general meeting at
which the special resolution is required to be passed. Moreover, since generally, articles of
association of companies provide for closure of the register of members before general
meeting during period not exceeding thirty days at any one time, it is unlikely that the
position regard shareholding in the company will be different between the date of issue of
notice and date of the general meeting.
In exceptional cases, however, where a change in the shareholding pattern in the company
has taken place, between the date of issue of notice of the general meeting and the actual
passing of this resolution regarding appointment of auditor, the company may either:
(i) adjourn the meeting to another date, and later issue the required notice in accordance
with the law and thereafter pass the special resolution required to be passed under
section 224A, or
(ii) omit or pass over the item on the agenda regarding appointment of auditor.
In the event of the company adopting the procedure at (ii) above, the situation would be
then covered by sub-section (2) of section 224A-Source: Circular No. 2/76(1/176-CL-V),
dated 5-6-1976.
Interpretation of expression “other than retiring” as occurring in section 225(1) -
Passing of a resolution in the annual general meeting appointing another person as an
auditor of the company without mentioning the words ‘instead of him is quite sufficient and
valid’ under Section 224(2)(c) and similarly a special notice proposing to move a resolution
to appoint a new person as an auditor of the company without mentioning the words ‘in
place of retiring auditor’ is sufficient compliance under section 225(l) - Source: Circular No.
22/76(35/4/76 - CL-III), dated 26- 7-1976.
Service of copy of special notice to retiring auditors to be effected by registered post-
The copy of the special notice under Section 225(2) should be sent to the retiring auditors
by the registered AD post-Source: Circular No. 2/81(1/1/81-CL- V), and 8/20(225)/81-CL-
(V), dated 17-10-1981.
Consequence of non-forwarding of notice to retiring auditors - The effect of non-
forwarding of notice under Section 225(2) to the retiring auditors will make the resolution for
appointing or removing auditors illegal and ineffective - Source: Circular No. 35/6/68-CL-III,
dated 18-11-1969.
Proprietary firm, whether qualifies for appointment as auditor - A company must
appoint the proprietor of the proprietary firm by his name in his individual capacity as its
The Company Audit 6. 37

auditor and the auditor’s report will have to be signed by the proprietor himself in his own
name - Source: Circular No. 8/1229/56-PR, dated 20-3-1957.
Where chartered accountant renders services professionally and not as an officer
company, he is not disqualified under section 226(3)(b) - A chartered accountant’s main
business is to render professional service for reward like a lawyer or a doctor. Where such
service is rendered professionally and not as an officer or employee of the company’ a
chartered accountant is not disqualified under section 226(3)(b) - Source: Circular Letter No.
8/1/57-PR, dated 11-7-1957.
Section 215 not contravened where audit of final accounts is completed before
approval of balance sheet by board of directors of company - The Company Law Board
does not consider that there is any contravention of section 215 in a case where the audit of
the final accounts is completed before the approval of the balance sheet by the board of
directors of the company - Source: Letter No. 8/13(215)/65-CL- V, dated 29-9-1996.
Instances of lapses on part of auditors - The auditors will not be fulfilling their duties if
they have given clean certificate on the company accounts audited by them without looking
into matters which were clearly relevant to a ‘true and fair’ view of the affairs of the
companies concerned. It would not be a proper discharge of their responsibilities of auditors
were not to disclose the infringements of the provisions of the Companies Act or those of
the other important laws, much less to draw company’s attention to inadequate depreciation,
to under- or over-valuation of current assets like stock-in-trade, to improper allocation of
reserves, to improper classification of debts and loans, etc. Source: Extract from Third
Annual Report on Working and Administration of Companies Act, 1956 Year ended
31-3-1959.
Statutory auditor is to refer to branch audit only when branch accounts are audited by
a person other than himself - The company’s auditor need refer in his report to the branch
audit only when the branch accounts are audited by a person other than himself - Source:
Letter No. 8/46(1)/61 -PR, dated 9-5-1961.
Followance of procedure of section 225 for appointment of branch auditor - The term
‘auditor’ mentioned in section 225 means statutory auditor. It would be preferable if
companies followed the procedure laid down in section 225, in all cases, including that for
appointment of branch auditor - Source: Extract from Minutes of Meeting of Bombay
Chambers’ Company Law Sub-Committee with Secretary, Department of Company Law
Administration, held on 2-6-1961.
Branch audit can be conducted at head office without visiting branches - For the
auditor of the branch accounts there is no compulsion to visit branches, but here again it is
a matter for the auditors to decide - Source: Letter No. 8/16(1)/61-PR, dated 9-5-1961.
Place of manufacture can be deemed to be branch office for purposes of carrying out
audit - The place of manufacture, for the purpose of carrying out an audit, shall be regarded
6.38 Advanced Auditing and Professional Ethics

as a branch office and should be audited as such under Section 228 unless it is exempted
from audit under the Companies (Branch Audit Exemption) Rules, 1961. As regards any
accounts or other papers relating to this branch office kept at the head office, it is for the
concerned auditor to decide about the procedure he should follow - Source: Letter No.
8/16(1)/61-PR, dated 9-5-1961.
Copy of branch audit report could be sent to the board of directors simultaneously
with transmission of original branch audit report to statutory auditor - There can be no
administrative objections to a copy of the branch audit report being sent to the board of
directors simultaneously with the direct transmission of the original branch audit report to
the statutory auditor - Source: Letter No. I0(1)-CL-VI/61, dated 27-4-1961.
Interpretation of definition of “accounts” as occurring in Section 228 (3)(c) - The
‘accounts’ maintained in the branch office would necessarily depend largely on type of
businesses carried on in branch. However, two requirements, in addition to the other
requirements of Section 227 that might be applicable to any particular branch that have to
be complied with, are namely, the auditors should certify that (a) proper books of account
have been kept a branch; and (b) that the accounts or returns of the branch show a true and
fair view of working of the branch - Source: Extract from Fifth Annual Report on Working and
Administration of Companies Act, 1956 - Year ended 31st March, 1961.
The revised guiding principles on which applications of banking companies for exemption
from branch audit be dealt with, were formulated keeping in view the fact that the accounts
of the branches of banking companies are generally inspected regularly by their trained
inspectors, and the further- fact that many banks have a large number of branch offices
spread throughout the country - Source: Extract from Sixth Annual Report on Working and
Administration of Companies Act, 1956 - Year ended 31st March, 1962.
Signing of auditors’ report in firm’s name - The partner concerned shall invariably sign in
his own hand for and on behalf of the firm appointed to audit a company’s accounts, and
this is what is required by the provisions of the Act - Source: Circular No. 26/72 (F. No.
14/12/72- CL- V), dated 29- 7-1972.
Appointment of a chartered accountant who is not in practice - There is no
inconsistency between the provisions of the Chartered Accountants Act and section 233A
whereby the Central Government has been empowered to appoint a chartered accountant
who is not in practice for the special audit of a company - Source: Letter No. 8/16(1)/1,
dated 9-5-1961.
Appointment of cost auditors in firm’s name - Whether cost audit report could be
signed by merely affixing firm’s name - In cases where a firm of cost auditors is approved
for appointment under sub-section (2) of section 233B, the cost audit report shall be signed
by any one of the partners of the firm responsible for the conduct of cost audit in his own
hand, for and on behalf of the firm, which has been approved for appointment as cost
The Company Audit 6. 39

auditors of the company. In any case, the report should not be signed by merely affixing the
firm’s name - Source: Letter No. 52/409/60-CLB, dated 24-8-1984.
Whether appointment of cost auditor as internal auditor permissible - The cost auditor
should not be the internal auditor of a company for the period for which he is conducting the
cost audit - Source: Circular No. 1/83, dated 20-1-1983.

Whether cost auditor is under legal obligation to make disclosure of full details in his
cost audit report - The duties of the cost accountants appointed to conduct an audit of cost
accounts of the company flow directly from the above provisions and as such they should in
strict compliance therewith ensure that full and complete details in respect of the accounts of
the company are furnished in their reports. Any request that certain details may not be
disclosed in the report (on any ground whatsoever) should be inconsistent with the object and
purpose of the Cost Audit Report Rules and the requirements there under. The cost auditors
should, if necessary, bring such instances to the notices of Government by a specific note in
their reports - Source: Circular No. 3/83, dated 18-3-1983.

Compliance with Relevant Provisions of the Companies Act, 1956


6.9 One of the fundamental duties of the auditor is to verify that the statements of account
are properly drawn up and they disclose all the required information. In the process, he must
also ascertain that the company has not violated any of the provisions contained in the
Companies Act, 1956. Since the auditor is not associated with day-to-day management of the
company, compliance with the relevant provisions of the Companies Act, 1956 is the
responsibility of the directors and officers of the company. Nevertheless, where non-
compliance results in affecting the accounts materially, the auditor must make a report to the
shareholders. He can properly discharge such onerous duty only if he is aware of the duties of
the management prescribed by the Companies Act, 1956.
The Companies Act, 1956 lays down detailed provisions regarding various matters and casts
an obligation upon directors and officers of the company to carry out the requirements of the
law. Generally speaking, it is the duty of the directors and the management to ensure that the
provisions of the Companies Act, 1956 have been complied with. However, where non-
compliance with the provisions of the Companies Act, 1956 has a bearing upon the accounts
and transactions of the company, the auditor would in the normal course of his inquiry become
aware of the breaches of the Act and may have an obligation to bring this to the attention of
the shareholders. A brief list of some of the important sections of the Companies Act, 1956 is
given below:
6.40 Advanced Auditing and Professional Ethics

Section
4. Explains the meaning of Holding Company and Subsidiary Company.
10FA. Dissolution of Company Law Board.
10FB-10FP Contribution of National Company Law Tribunal.
10FQ-10GF Appellate Tribunal.
13. This Section prescribes requirements with respect to the Memorandum of
Association.
31. Alteration of Articles of Association of a company; by special resolution.
43A. This Section described the circumstances under which a private company would
become a public company under the Act. This section has been amended by
Companies (Amendment) Act, 2000.
49. This Section requires that the investments of a company are held in its own
name, except as otherwise permitted by it and the auditor should see that its
provisions have been complied with.
58A. This Section read with Rules framed thereunder regulates acceptance and
renewal of deposits by certain classes of companies.
58AA. Small Depositors.
60A. Concept of Shelf Prospectus.
60B. Concept of information memorandum and red herring prospectus introduced.
62. Civil liabilities for misstatements in prospectus.
63. Criminal liabilities for misstatements in the prospectus.
68B. Initial offer of securities to be in dematerialised form in certain cases.
69. This Section prohibits any allotment of shares unless the minimum subscription
stated in the prospectus has been received in cash. It also provides that all
monies received from applicants for shares shall be kept deposited in a
scheduled bank for the period specified in sub-section (4).
71. Effect of irregular allotment.
73. This Section deals with allotment of shares and debentures to be dealt in on a
recognised stock exchange.
75. This Section deals with the return of allotment.
76. This Section deals with underwriting commission and brokerage. Attention is
invited to sub-section (4A) which prohibits the payment of commission in certain
circumstances.
The Company Audit 6. 41

77. This Section prohibits a company from purchasing its own shares or giving a
loan or guarantee in order to facilitate the purchase of its shares except under
certain circumstances and it should be seen that no loans are made in
contravention of its provisions.
77A,77AA These Sections deals with buy back of shares by the company.
& 77B.
78. This Section deals with the application of securities premium amounts received.
It should be seen that these provisions are complied with.
79. If a company has made an issue of shares at a discount it should be seen that
the provisions of this Section have been complied with.
79A. This Section deals with Issue of sweat equity shares by a company.
80. This Section deals with the terms and conditions on which redeemable
preference shares may be issued.
80A. Redemption of irredeemable preference shares.
81. This Section gives the existing equity shareholders of a public company the right
to be offered any shares subsequently issued subject to certain limitations and
conditions. Where any shares are issued by a company, it should be seen that
the provisions of Section 81 have been complied with
86. New issues of share capital to be only of two kinds: The concept of equity share
capital with differential voting rights introduced.
93. Deals with the payment of dividend in proportion to the amount paid up under
certain circumstances.
94. Deals with the alteration of share capital.
94A. This Section provides for the increase in share capital under orders of the
Central Government relating to conversion of debentures or loans into share
capital.
100 & 102. These Sections deal with the reduction of share capital under a court’s order.
108. Transfer not to be registered except on production of instrument of transfer.
109. Transfer by a legal representative.
109 A & Nomination of shares/Transmission of shares.
109 B.
6.42 Advanced Auditing and Professional Ethics

117A/117B Creation of Debenture Trust Deed, Appointment and duties of debenture


& 117C. trustees and liability of company to create security and debenture redemption
reserve.
143. Company’s Register of charges.
149. This Section lays down certain restrictions on public companies in regard to
commencement of business including new business.
152A. Register and Index of beneficial owners
165. Statutory Meeting and Statutory Report.
192A. Passing of resolutions by postal ballot.
197A. Company not to appoint more or employ certain different categories of
managerial personnel at the same time.
198. This Section deals with overall managerial remuneration and minimum
remuneration to managerial personnel. Any breach of this section should be
brought to the attention of the shareholders.
199. This Section provides that the commission or other remuneration payable to any
officer or employee of the company (other than a director, or manager) if fixed at
a percentage of the company’s net profits, should be calculated on the net profits
as set out in Sections 349, 350 & 351.
200. This Section prohibits payment by a company to its officers and employees
remuneration free of tax calculated with reference to the tax payable by the
employee.
204. This Section deals with restrictions on appointment of a firm or body corporate to
an office or place of profit under a company for a term exceeding five years at a
time.
205. This Section deals with payment of dividends only out of profits after providing
for depreciation, etc. The Section further requires compulsory transfer of profits
to reserve and regulates excess transfers in accordance with the Rules. Concept
of interim dividend introduced.
205A. This Section deals with transfer of unpaid dividends to a separate Unpaid
Dividend Account in a Scheduled Bank. Rules framed under this Section regulate
the utilisation of past reserves for declaration of dividends.
205C. Establishment of Investor Education and Protection Fund.
208. If a company has paid interest on its share capital it should be ascertained that
the provisions of this Section have been complied with.
The Company Audit 6. 43

209. This Section provides for the keeping of proper books of account by a company.
It should be noted that the auditor is specifically required to report if proper
books of account are not kept. Attention is invited to the provisions of Section
541, and in particular to sub-section (2)(b). Attention is also invited to the rules
issued from time to time by the Central Government under sub-section (1)(d) of
Section 209, which prescribe the requirements for maintenance of cost records
by certain classes of companies. Section 209(3) requires keeping books on
accrual basis of accounting.
210. This Section deals with annual accounts and balance sheet of a company. It
includes provisions regarding the accounts to be laid before the annual general
meeting of the company, definition of the term “financial year” etc.
210A. This Section requires constitution of National Advisory Committee on Accounting
Standards.
211. This Section, together with Schedule VI to the Act, deals with the form and
contents of the Balance Sheet and Profit and Loss Account. Compliance with
accounting standards has been made mandatory.
215. The auditor should ascertain that the account have been properly authenticated
as required by this Section before he signs the report on the accounts.
216. This Section requires Profit and Loss Account to be annexed and Auditor’s
Report to be attached to the Balance Sheet.
217(2AA). Board's Report to include Director's Responsibility Statement.
222. This Section provides that any document to be annexed or required to be
annexed to company’s account shall not include Board’s report.
224, 225
& 226 These Sections deal with the appointment, removal, remuneration, qualification,
etc. of the auditors. Before consenting to act as an auditor he should certify that
the number of companies of which he is the auditor is within the limits specified
in Section 224 (lB).
224A. Section 224A requires appointment of auditors by a special resolution under
certain circumstances.
227. It deals with power and duties of an auditor. The auditor is required to report to
the shareholders in the terms set out in this Section. Attention is invited to the
Statement on Section 227(lA) issued by the Institute. Attention is also invited to
the orders issued by the Government titled Companies (Auditor’s Report) Order
2003, pursuant to sub-section (4A) and the Statement issued by the Institute
under this order. Compliance with the accounting standards referred to in sub-
6.44 Advanced Auditing and Professional Ethics

section (3C) of Section 211, should be opined by the auditor. Clauses (e) and (f)
also added to sub-section (3) of section 227.
228. This Section deals with the audit of the accounts of a company. It should be
seen that the provisions of the Section read with the Companies (Branch Audit
Exemption) Rules 1961 have been complied with.
229. This Section deals with signing of audit report by the auditor.
233A. This Section deals with the power of the Central Government to direct special
audit in certain cases.
233B. This Section deals with the power of the Central Government to direct audit of
cost accounts in certain cases.
268& 269. These Sections deal with appointment, re-appointment and variation etc.,
relating to Managing Directors, and Wholetime Directors.
292A. Audit Committees.
293. Restriction on the Powers of a Board.
293A & These Sections prescribe certain limitations in respect of donation to charitable
293B. organisations, political parties, National Defence Fund etc.
295. This Section prohibits, except under certain conditions, loans to directors etc.,
and other persons connected with them. If any loans are given in contravention
of this Section, the auditor should report the matter.
296. This Section deals with application of Section 295 to book debts in certain cases.
297. This Section deals with contacts between a company and its director or his
relative, a firm in which the director or relative is a partner, any other partner in
such a firm or a private company of which the director is a member or director.
The auditor should see that the provisions of this Section have been complied
with where transactions with such parties have come to his attention. The
auditor should enquire whether the company has observed the terms and
conditions stipulated by the Central Government in its approval wherever
applicable.
299 & 301. These Sections deal with the Register of contracts, companies and firms in
which directors are interested.
309. 310 & These Sections deal with remuneration of directors. Wherever applicable, the
311. terms and conditions of the orders of the Central Government should be looked
into.
314. This Section requires a special resolution of the shareholders for the
appointment of a director and/or his relative to an office of profit under the
The Company Audit 6. 45

Company. In respect of monthly remuneration exceeding specified amount


approval of the Central Government is also necessary vide sub-section (1B). If
any such appointment has been made, it should be seen that the provisions of
this Section have been prima facie complied with. “Office or place of profit” is
defined in sub-section (3).
317. This Section deals with the terms of office of a managing director.
318 & 319. These Sections deal with compensation to directors for loss of office.
349. This Section deals with the manner of computing the profits for the purposes of
determining the remuneration of various classes of managerial personnel.
350. Ascertainment of depreciation.
372A. This Section deals with Inter-corporate loans and investments.
417 & 418. These Sections make provision regarding the treatment of security deposits of
employees and company’s provident fund schemes.
424A-424L Revival and Rehabilitation of Sick Industrial Companies (Second Amendment,
Companies Act)
591. This Section deals with foreign companies. Where prima facie the provisions of
sub-section (2) are attracted, the company should comply with the rules which
may be framed under this Section. The auditor should enquire into the
compliance with such of the Sections as have a bearing on his role as auditor.
594. This Section deals with the accounts of foreign companies.
619. This Section deals with special provisions relating to Government companies.
619B. This Section extends the applicability of Section 619 to non-government
companies under certain circumstances. The auditor shall enquire from the
company whether the conditions are prima facie attracted.

Auditor’s Duty Under Companies Act, 1956


6.10 The following are the duty of an auditor under companies act 1956:
(i) Register of mortgages and charges - Every company under Section 143 is required to
keep a Register of charges to enter therein all the charges specifically affecting the property of
the company as well as the floating charges on the undertaking or on the property of the
company. The particulars of each property charged that should be entered in the register are:
(a) a short description of the property; (b) the amount of charge: and (c) the names of the
persons entitled to exercise the charge. This register should be examined by the auditor to
ascertain whether any of the assets belonging to the company except bearer securities, is
subject to charge, and, if so, its nature. Section 143(2) of the Companies Act, 1956, lays down
that if any officer of a company knowingly omits, or willfully authorises or permits the
ommission of any entry required to be made in pursuance of Section 143(l), he may be
6.46 Advanced Auditing and Professional Ethics

punishable with fine which may extend to five hundred rupees.


(ii) Register of contracts with companies and firms in which the directors are
interested - This Register is maintained pursuant to sub-section (1) of Section 301. It contains
a record of particulars of contracts or arrangements that attract the provisions of Sections 297
and 299; dates of Board meetings at which contracts were approved and that of the names of
directors who voted for or against the proposal. The names of firms and bodies corporate in
which the Directors are interested, of which a notice has been given by the directors under
sub-section 297(2)(c) are also entered in it.
The provisions of Section 297 are not applicable to; (a) contracts or arrangements for the sale
or purchase or supply of goods, materials or services, if the value or cost thereof in any year
does not exceed Rs. 5000; and (b) contracts, etc., by banking companies for the collection of
bills in the ordinary course of business, and transactions of banking and insurance companies
in the ordinary course of business with any director, relative, partner, etc., referred to in
Section 297(2) (c).
It is the duty of the auditor to examine the Register to find out whether transactions of
purchase or sale of goods in which a director or directors were interested were entered into
under the sanction of the Board and the directors concerned had disclosed their interest.
(iii) Register of investment or loan made, guarantee given or security provided in
relation to any body corporate - In pursuance of sub-section (5) (a) of Section 372A, every
company shall keep a register showing the following particulars in respect of every investment
or loan made, guarantee given or security provided by it in relation to any body corporate
under sub-section (1), namely:
(i) the name of the body corporate; (ii) the amount, terms and purpose of the investment or
loan or security or guarantee; (iii) the date on which the investment or loan has been made;
and (iv) the date on which the guarantee has been given or security has been provided in
connection with a loan.
The particulars of investment, loan, guarantee or security referred to in clause (a) shall be
entered chronologically in the register aforesaid within seven days of the making of such
investment or loan, or the giving of such guarantee or the provision of such security.
The register referred to in sub-section (5) shall be kept at the registered office of the company
concerned shall be open to inspection at such office and extracts may be taken therefrom and
copies thereof may be required, by any member of the company to the same extent, in the
same manner on payment of the same fees as in the case of the register of members of the
company; and the provisions of Section 163 shall apply accordingly.
(iv) Register of investments held in the names of Nominees - Normally, a company is
expected to hold investments in its own name [Section 49]. But where under sub-sections (2),
(3), (4) and (5) of Section 49, investments have been made in the names of nominees, a
register must be kept and the following particulars recorded therein:
(a) the nature, value and such other particulars as may be necessary to identify the shares
The Company Audit 6. 47

or securities.
(b) the name of the person or the bank in whose name or custody the shares or securities
are standing.
The auditor should examine the register during the course of inspection of securities.
(v) Register of directors, managing director, manager and secretary - Under the
provisions of Section 303 of the Companies Act, it is obligatory for a company to maintain a
record, in a register, of the names and addresses and that of other particulars relevant for the
administration of the Act in respect of all the officers aforementioned. Under sub-section (2) of
the aforesaid Section, any change in the officers or any of the particulars of an officer must be
incorporated in the register and notified to the Registrar of Companies within 30 days of the
change taking place. Particulars of original appointment also should be notified to the
Registrar within 30 days of appointment.
The auditor should refer to this register to find out the names of persons who had held
different offices during the year under audit to confirm that various transactions entered into by
the company have been authorised by a competent person.
(vi) Register of shareholding of directors and manager - It contains a record of the
particulars of shares and debentures of the company, as well as those of similar securities in
the capital of any other body corporate, which is a subsidiary or holding company or subsidiary
of the company’s holding company held by a director or which lie in trust with him or of which
he has any right to become the holder whether on payment or not. This register is being
maintained pursuant to the requirement under Section 307.
Where the auditor carries out a share transfer audit, he should see that the purchase and sale
of shares by the directors are properly recorded in the register. But in the course of regular
audit, he is not expected to check the accuracy of entries in the register.
(vii) Managerial Remuneration - Disclosure in the accounts is made. Elaborate provisions
are contained under Clause (4) of Part II of Schedule VI to the Companies Act in the matter of
disclosure of remuneration paid during the financial year to the group of persons commonly
referred to as managerial personnel. The information required to be disclosed is:
(a) Remuneration paid or payable for the financial year to the directors (including managing
directors, or managers).
(b) Other allowances or commission including guarantee commission (details are to be
given).
(c) Any other perquisites or benefits in cash or kind (stating approximate money value where
practicable).
(d) Pensions, gratuities, payment from Provident Fund in excess of own contribution and
interest thereon, compensation for loss of office, consideration in connection with
retirement from office, separately.
6.48 Advanced Auditing and Professional Ethics

A note showing the computation of net profits in accordance with Section 349 of the Act with
relevant details of calculation of the commission payable by way of such profits the directors
(including managing directors or managers) should be given.
Personal expenses of directors - All payments to directors by way of remuneration or
perquisites whether in the case of a public or private company are required to be authorised
both in accordance with the provisions of the Companies Act and Articles of Association of the
company. In some cases, depending upon the provisions contained in the Articles, the
remuneration may require sanction of the shareholders either by an ordinary or special
resolution while, in other cases, it may require only approval of the Directors. In the case of
public companies and private companies which are subsidiaries of public companies, sanction
of the Government is also necessary. If the terms of appointment of a director include payment
of expenses of personal nature then such expenses can be incurred by the company. Where,
however, the contract with the director or the conditions of employment does not contain any
provision for payment of expenses of a personal nature, then there is no warrant for incurring
or reimbursement of such expenses by the company and if such expenses are paid the auditor
should disclose the fact in his report, as also in the accounts. Attention in this regard is invited
to Section 227(IA)(e) of the Companies Act.
(viii) Employees’ Securities (Section 417) - All moneys or securities deposited by the
employees of a company in pursuance to their contract of service must be kept deposited by
the company with a Scheduled Bank or in Post Office Saving Bank Account; or in the State
Bank of India within 15 days of receipt; also such moneys or securities must not be used for
any purpose except for purpose is agreed to in the contract of service.
(ix) Employees’ Provident Fund (Section 418) - All moneys contributed to a Provident Fund
constituted by a company for its employees, together with interest accrued thereon shall have
to be deposited in a:
(i) Post Office Saving Bank account, or
(ii) Special Account to be opened in the State Bank of India or a Scheduled Bank, or
(iii) shall be invested in the securities referred to in clauses (a) to (e) of Section 20 of the
Indian Trusts Act, 1882
The term contribution referred to above means contribution both by the employee and the
employer. The deposit is to be made within 45 days of the date of the contribution or of the
receipt of or accrual of the interest.
(x) Inter-Corporate Loans and Investments (Section 372A) - 372A (1) No company shall,
directly or indirectly:
(a) make any loan to any other body corporate;
(b) give any guarantee, or provide security, in connection with a loan made by any other
The Company Audit 6. 49

person to, or to any other person by, any body corporate; and
(c) acquire, by way of subscription, purchase or otherwise the securities of any other body
corporate, exceeding sixty per cent, of its paid-up share capital and free reserves, or
hundred per cent of its free reserves, whichever is more:
Provided that where the aggregate of the loans and investments so far made, the amounts for
which guarantee or security so far provided to or in all other bodies corporate, along with the
investment, loan, guarantee or security proposed to be made or given by the Board, exceeds
the aforesaid limits, no investment or loan shall be made or guarantee shall be given or
security shall be provided unless previously authorised by a special resolution passed in a
general meeting:
Provided further that the Board may give guarantee, without being previously authorised by a
special resolution, if,
(a) a resolution is passed in the meeting of the Board authorising to give guarantee in
accordance with the provisions of this section;
(b) there exists exceptional circumstances which prevent the company from obtaining
previous authorisation by a special resolution passed in a general meeting for giving a
guarantee; and
(c) the resolution of the Board under clause (a) is confirmed within twelve months, in a
general meeting of the company or the annual general meeting held immediately after
passing of the Board resolution, whichever is earlier:
Provided also that the notice of such resolution shall indicate clearly the specific limits,
the particulars of the body corporate in which the investment is proposed to be made or
loan or security or guarantee to be given, the purpose of the investment, loan or security
or guarantee, specific sources of funding and such other details.
(2) No loan or investment shall be made or guarantee or security given by the company
unless the resolution sanctioning it is passed at a meeting of the Board with the consent
of all the directors present at the meeting and the prior approval of the public financial
institution referred to in Section 4A, where any term loan is subsisting, is obtained:
Provided that prior approval of a public financial institution shall not be required where
the aggregate of the loans and investments so far made, the amounts for which
guarantee or security so far provided to or in all other bodies corporate, along with the
investments, loans, guarantee or security proposed to be made or given does not exceed
the limit of sixty per cent, specified in sub-section (1), if there is no default in repayment
of loan instalments or payment of interest thereon as per the terms and conditions of
such loan to the public financial institution.
(3) No loan to any body corporate shall be made at a rate of interest lower than the
prevailing bank rate, being the standard rate made public under Section 49 of the
6.50 Advanced Auditing and Professional Ethics

Reserve Bank of India Act, 1934.


(4) No company, which has defaulted in complying with the provision of Section 58A, shall,
directly or indirectly:
(a) make any loan to any body corporate; (b) give any guarantee, or provide security, in
connection with a loan made by any other person to, or to any other person by, any
body corporate; and (c) acquire, by way of subscription, purchase or otherwise the
securities of any other body corporate, till such default is subsisting.
(5) (a) Every company shall keep a register showing the following particulars in respect of
every investment or loan made, guarantee given or security provided by it in relation
to any body corporate under sub-section (1), namely :
(i) the name of the body corporate;
(ii) the amount, terms and purpose of the investment or loan or security or
guarantee;
(iii) the date on which the investment or loan has been made; and (iv) the date on
which the guarantee has been given or security has been provided in
connection with a loan.
(b) The particulars of investment, loan, guarantee or security referred to in clause (a)
shall be entered chronologically in the register aforesaid within seven days of the
making of such investment or loan, or the giving of such guarantee or the provision
of such security.
(6) The register referred to in sub-section (5) shall be kept at the registered office of the
company concerned and (a) shall be open to inspection at such office; and (b) extracts
may be taken therefrom and copies thereof may be required, by any member of the
company to the same extent, in the same manner, and on payment of the same fees as
in the case of the register of members of the company; and the provisions of Section 163
shall apply accordingly.
(7) The Central Government may prescribe guidelines for the purposes of this section.
(8) Nothing contained in this section shall apply
(a) to any loan made, any guarantee given or any security provided or any investment
made by,
(i) a banking company or an insurance company, or a housing finance company
in the ordinary course of its business, or a company established with the
object of financing industrial enterprises, or of providing infrastructural
facilities;
(ii) a company whose principle business is the acquisition of shares, stock,
debentures or other securities;
The Company Audit 6. 51

(iii) a private company, unless it is a subsidiary of a public company;


(b) to investment made in shares allotted in pursuance of clause (a) of sub-section (1)
of Section 81.
(c) to any loan made by a holding company to its wholly owned subsidiary;
(d) to any guarantee given or any security provided by a holding company in respect of
loan made to its wholly owned subsidiary; or
(e) to acquisition by a holding company, by way of subscription, purchases or
otherwise, the securities of its wholly owned subsidiary.
(9) If default is made in complying with the provisions of this section, other than sub -section
(5), the company and every officer of the company who is in default shall be punishable
with imprisonment which may extend to two years or with fine which may extend to fifty
thousand rupees:
Provided that where any such loan or any loan in connection with which any such
guarantee or security has been given, or provided by the company, has been repaid in
full, no punishment by way of imprisonment shall be imposed under this sub-section, and
where such loan has been repaid in part, the maximum punishment which may be
imposed under this sub-section by way of imprisonment shall be appropriately reduced:
Provided further that all persons who are knowingly parties to any such contravention
shall be liable, jointly and severally, to the company for the repayment of the loan or for
making good the same which the company may have been called upon to pay by virtue of
the guarantee given or the securities provided by such company.
(10) If default is made in complying with the provisions of sub-section (5), the company and
every officer of the company who is in default shall be punishable with fine which may
extend to five thousand rupees and also with a further fine which may extend to five
hundred rupees for every day after the first day during which the default continuous.
Explanation: For the purposes of this section, (a) “loan” includes debentures or any deposit of
money made by one company with another company, not being a banking company; (b) “free
reserves” means those reserves which, as per latest audited balance sheet of the company,
are free for distribution as dividend and shall include balance to the credit of the securities
premium account but shall not include share application money.

Final Accounts Preparation and Presentation


6.11 Statutory Requirements - Section 211 governs the form and contents of the Balance
Sheet and the Profit and Loss Account. The provisions thereunder, however, are not
applicable to an insurance or banking company or a company engaged in the generation or
supply of electricity or to any other class of companies for which a form of balance sheet and
profit and loss account has been specified in or under the Act governing such class of
6.52 Advanced Auditing and Professional Ethics

companies. The provisions that companies, other than those aforementioned, should comply
with are:
(a) That every balance sheet of a company should give a true and fair view of the state of
affairs of the company as at the lend of financial year and should be in the form set out in
Part I of Schedule VI or as near thereto as circumstances admit or such other form as
may be approved by the Central Government either generally or in any particular case;
while preparing the balance sheet, due regard should be had as far as may be to the
general instructions for the preparation of balance sheets under heading “Notes” at the
end of the Part I; and
(b) That every profit and loss account of a company should give a true and fair view of the
profit or loss of the company for the financial year and should comply with the
requirements of Part II of Schedule VI, so far as they are applicable thereto.
The Central Government is authorised under sub-section (3) to exempt, by a notification in the
Official Gazette, any class of companies from compliance with any of the requirements in
Schedule VI if, in its opinion, it is necessary to grant the exemption in the public interest. The
exemption may be granted unconditionally or subject to such conditions as may be specified in
the notification. The Central Government also may, on the application of or with the consent
of the Board of Directors of the company by order modify in relation to that company any of
the requirements of the Act as to the matters to be stated in the company’s balance sheet or
profit and loss account for the purpose of adopting them to the circumstances of the company.
Thus in order that the statements of account of a company may exhibit a true and fair view of
the state of affairs of a company, it is necessary:
(i) that the information required by law (as specified in Schedule VI to the Act) should be
disclosed; and
(ii) that the same to be displayed in the manner required.
The Companies (Amendment) Act, 1999 has inserted following sub-sections in Section 211
namely:
(3A) Every profit and loss account and balance sheet of the company shall comply with the
accounting standards.
(3B) Where the profit and loss account and the balance sheet of the company do not comply
with the accounting standards, such companies shall disclose in its profit and loss account
and balance sheet, the following, namely: (a) the deviation from the accounting standards; (b)
the reasons for such deviation; and (c) the financial effect, if any, arising due to such
deviation.
(3C) For the purposes of this section, the expression “accounting standards” means the
standards of accounting recommended by the Institute of Chartered Accountants of India
The Company Audit 6. 53

constituted under the Chartered Accountants Act, 1949, as may be prescribed by the Central
Government in consultation with the National Advisory Committee on Accounting Standards
established under sub-section (1) of Section 210A:
Provided that the Standards of accounting specified by the Institute of Chartered Accountants
of India shall be deemed to be the Accounting Standards until the Accounting Standards are
prescribed by the Central Government under this sub-section.
Constitution of National Advisory Committee on Accounting Standards - The Central
Government may, by notification in the official Gazettee, constitute an Advisory Committee to
be called the National Advisory Committee to be called the National Advisory Committee on
Accounting Standards (hereafter in this section referred to as the “Advisory Committee”) to
advise the Central Government on the formulation and laying down of accounting policies and
accounting standards for adoption by companies or class of companies under this Act.
Form of the Balance Sheet - Now a days, the shares in companies are held by a wide
variety of persons, a majority of whom are not conversant with the principles of accounting
or with the form in which the final statements of accounts are drawn up. As a result, there
have been complaints from several quarters that the traditional form in which the balance
sheet of a company is drawn up, known as the “T” form, is not satisfactory, for it does not
disclose clearly whether the value of the equity of the share holders has increased or
decreased and, if so, by what amount. On this ground, it has been suggested that instead,
the balance sheet should be drawn up in the columnar form. [Students are invited to see
the published accounts of any big company]. The Balance Sheet of a company shall be
either in horizontal form or vertical form. Some of the advantages of final statements of
account being drawn in a columnar form are as under:
(i) When the final accounts are drawn up in this form, the financial position of the company
can be readily comprehended by a layman.

(ii) The profit and loss account discloses clearly the amount of trading or non-trading profit
earned during the year,that brought forward from the previous year, and the
appropriations out of the total profits recommended by the Board of Directors.

(iii) The Balance Sheet discloses the amount of debt and shareholders’ equity. It further
discloses the position of assets held against them segregated into fixed assets and
working capital.

(iv) The form is capable of presenting together comparative figures of a number of years.

(v) The relationship between the various balances (ratios) can be easily worked out.
Schedule VI –
Part I of Schedule VI contains the form in which the Balance Sheet of a company should be
6.54 Advanced Auditing and Professional Ethics

drawn up, and states the information as regards different assets and liabilities which should be
disclosed therein. At the end of the form, there are general instructions which should be
followed in the preparation of the Balance Sheet. This part has again two sub-parts (IA) and
(IB). The former gives the form of balance sheet in traditional horizontal form while the latter
introduced in late 1978, provides the vertical form of the balance sheet. This vertical form can
be used by companies without the necessity of any permission.
Part II of the Schedu