Financial & Compliance

Audit Manual

Office of the Comptroller and Auditor General of Bangladesh

 Preface

The Supreme Audit Institution (SAI) of Bangladesh always keeps itself abreast of what is
happening in the contemporary audit world. The global platform of the Auditors General
(i.e., INTOSAI) issued International Standards of Supreme Audit Institutions, commonly
known as ISSAIs in 2010 for the guidance of government auditors across member nations. If
these professional standards are followed in the SAI of Bangladesh, it will enhance the
quality and efficiency of government auditors and help them in playing their entrusted role.
The present Manual is based on the ISSAIs.
This Financial and Compliance Audit Manual is a very important deliverable under the
present development initiative, i.e., Strengthening the Public Expenditure Management
Programme (SPEMP-B). International and national consultants and the members of the
evaluation team deserve special appreciation for contributing to this valuable product.
Meanwhile, pilot audits have been carried out in line with the Manual. From now on
financial and compliance audit will be conducted as per the Manual and other audit
standards and codes.
This Manual is relatively more comprehensive in scope than other existing Manuals in the
sense that it contains two major types of audit, namely, financial audit and compliance
audit. The Manual derives its authority from articles 128 and 132 of the Constitution of the
People’s Republic of Bangladesh and the Comptroller and Auditor General (Additional
Functions) Act, 1974 and subsequent amendments thereof.
This Manual is a living document. It will be updated periodically or as and when necessary.
Any suggestion to improve it will be most welcome. However, while applying the Manual if
any error or omission is noticed, it may please be brought to the notice of the Office of the
Comptroller and Auditor General of Bangladesh immediately for due rectification.

Masud Ahmed
Dated: Dhaka, May 2016 Comptroller and Auditor General of Bangladesh
Financial and Compliance Audit Manual
Table of Contents
Chapter 1: Introduction ..................................................................................... 1
Introduction ................................................................................................................................ 1
Ethics and Independence .............................................................................................................. 3
Quality Control .............................................................................................................................. 4
Engagement Team Management and Skills .................................................................................. 4
Due Professional Care ................................................................................................................... 5
Audit/Engagement Risk ................................................................................................................. 5
Materiality ..................................................................................................................................... 5
Professional Skepticism and Judgement ....................................................................................... 6
Documentation .............................................................................................................................. 6
Communication with Auditees and Other Stakeholders .............................................................. 6
Appendices and Annexes to this Manual ...................................................................................... 7
Chapter 2: Objective & Scope of Financial and Compliance Audit ...................... 8
Chapter 3: Audit Planning .................................................................................. 9
Audit Strategy and Audit Plan..................................................................................................... 9
Understanding the Entity and its Environment ...................................................................... 12
Understanding Entity’s Internal Control ................................................................................. 12
Risk Assessment......................................................................................................................... 15
Materiality (ISSAI 1320) ........................................................................................................... 21
Analytical Procedures (ISSAI 1520)......................................................................................... 22
Overall Audit Approach for Each Audit Area (ISSAI 1330) .................................................... 25
The Audit Assurance Model ........................................................................................................ 25
Audit Assertions .......................................................................................................................... 26
The Audit Assurance Model for significant Audit Areas ............................................................. 28
Testing Non-significant Audit Areas ............................................................................................ 31
Documenting the Audit Approach for Each Audit Area .............................................................. 32

Page | i
Decision Process for Planning Audit Approach to Audit Areas ................................................... 32
Computer Assisted Audit Techniques ......................................................................................... 33
Journal Entry Testing ................................................................................................. 35

Profiling .................................................................................................................. 36

Audit Programmes .................................................................................................... 36

Sampling (ISSAI 1530) ................................................................................................ 37

Quality Control Over Audit Fieldwork ........................................................................... 37

Chapter 4: Audit Fieldwork .............................................................................. 38

Use of Information Produced by the Entity ................................................................................ 41
Use of Information Prepared by Management’s Experts ........................................................... 42
Competence, Capability and Objectivity of Management’s Expert ............................................ 43
Obtaining an Understanding of the Work of the Management's Expert.................................... 45
Evaluating the Appropriateness of the Management's Expert's Work....................................... 45
Fieldwork for Audit Areas ......................................................................................................... 46
Nature .......................................................................................................................................... 46
Timing .......................................................................................................................................... 48
Extent........................................................................................................................................... 48
Decision Process for Approach to Testing an Assertion ......................................................... 48
Auditing from a Draft Account: Procedures for Agreeing Financial Statements and
Examining Journals and Other Adjustments ........................................................................... 50
Evaluate Presentation and Disclosures ....................................................................................... 51
Information Accompanying the Financial Statements ................................................................ 51
Testing Controls ........................................................................................................................... 52
Tests of Detail .............................................................................................................................. 52
Determining the Planned Audit Tests ......................................................................................... 58
Chapter 5: Audit Reporting .............................................................................. 64
Background ................................................................................................................................ 64
Objectives ................................................................................................................................... 64
Core Policies and Guidance ....................................................................................................... 65

Page | ii
Concluding on the Results of the Audit ....................................................................................... 65
Evaluating the Sufficiency and Appropriateness of Audit Evidence ........................................... 65
Concluding Analytical Procedures ............................................................................................... 67
Overall Review of the Financial Statements ............................................................................ 68
Consideration of Fraud Risk ..................................................................................................... 69
Inconsistency in, or Doubts Over Reliability of, Audit evidence ............................................ 70
Evaluation of Independence and Ethical Issues ...................................................................... 70
Forming an Audit Opinion......................................................................................................... 71
Types of Audit Opinion.............................................................................................................. 72
The Auditor’s Report ................................................................................................................. 74
Modi�ication to the Opinion in the Auditor’s Report (ISA 705) ............................................. 79
Qualified Opinion ........................................................................................................................ 80
Adverse Opinion .......................................................................................................................... 82
Disclaimer Opinion ...................................................................................................................... 82
Impact of a Prior Year Qualification ............................................................................................ 83
Opinion on Other Information Presented with the Accounts..................................................... 83
Negative Consistency Opinion..................................................................................................... 83
Impact on Audit Opinion ............................................................................................................. 84
Emphasis of Matter and Other Matter Paragraphs .................................................................... 85
CAG’s Reports............................................................................................................................. 87
Reports on Qualified Financial Statements ................................................................................. 88
Reports on Unqualified Financial Statements ............................................................................. 88
Report Content ............................................................................................................................ 89
Principal Accounting Officer’s Clearance .................................................................................... 89
Appendices..........................................................................................................................................91
Appendix 1 - Examples of Subject Matters, Subject Matter Information and Criteria in
Compliance Auditing ................................................................................................. 93
Appendix 2 – Examples of Sources to be used in Gaining an Understanding of the Audited
Entity and Identifying Suitable Criteria .......................................................................... 98

Page | iii
Appendix 3 – Examples of Factors Related to Assessing Risk in Compliance Auditing .......... 100

Appendix 4 - Examples of Risk Factors Related to a Particular Subject Matter ................... 103

Appendix 5 - Examples of Compliance Audit Procedures for Selected Subject Matters ........ 105

Appendix 6 - Examples of Compliance Deviations ......................................................... 108

Appendix 7- Forming an Audit Opinion on Financial Statements ..................................... 110

Annexures .......................................................................................................... 111

Annex A: Overall Audit Strategy................................................................................. 113

Annex A.1: Planning Checklist ................................................................................... 130

Annex A.2.1: Compliance Audit Letter of Engagement Template ..................................... 140

Annex A.2.2: Financial Audit Letter of Engagement Template ......................................... 147

Annex- B: Understanding the Entity and its Envirnment ................................................. 154

Annex-B.1: Notes Supporting Template and its Envirnment ........................................... 164

Annex-C: Understanding the Entity Internal Control...................................................... 173

Annex-D: IT Scope Assesment ................................................................................... 191

Annex-E: Fraud Risk Assesment ................................................................................. 199

Annex –F: Significant Risks Testing Plan ...................................................................... 210

Annex-G: Audit Area Testing Plan .............................................................................. 221

Annex- H: Materiality .............................................................................................. 241

Annex H.1: Materiality Determination Form ................................................................ 256

Annex. I: Analytical Procedures ................................................................................. 258

Annex- J: Inherent and Control Risks .......................................................................... 283

Annex- J.1: Example audit Programme-Payroll ............................................................ 296

Annex -J.2: : Example audit Programme-Funding ......................................................... 299

Annex-J.3: : Example audit Programme-Procurement ................................................... 303

Annex –J.4: : Example audit Programme-Training ........................................................ 309

Annex-J.5: : Example audit Programme-Stores and Sparesl ........................................... 313

Page | iv
Annex-J.6: : Example audit Programme- Energy Sales ................................................... 316

Annex -J.7: : Example audit Programme-Interest Income .............................................. 318

Annex -J .8: : Example audit Programme-Exchange reate fluctuations ............................. 321

Annex-J .9: : Example audit Programme-: Land and Buildings ........................................ 324

Annex-J .10: : Example audit Programme-Overall Financial Statements ........................... 326

Annex-K: Audit Sampling .......................................................................................... 332

Appendix K.1: Sample Size calculator.......................................................................... 376

Annex K.2: Sample Error evaluation Form ................................................................................ 377
Annex- L: Audit Area Lead Schudle Template ........................................................ 378

Annex-M: Control Testing ......................................................................................... 382

Annexure N.1: Audit Opinion Template for Compliance Audit......................................... 402

Annex N.2: Audit Opinion Template for Compliance Audit ............................................. 411

Page | v
 Chapter 1 Introduction
1.0 Introduction
1.1. The International Organisation of Supreme Audit Institutions (INTOSAI) has issued
“Fundamental Principles of Financial Auditing” as International Standards of Supreme
Audit Institutions (ISSAI) 200, and Financial Audit Guidelines (ISSAI 1000-1810) provide
guidance for conducting financial audits of public sector entities and include the
International Standards on Auditing (ISAs) issued by the International Auditing and
Assurance Standards Board (IAASB).
1.2. Practice Notes (PN), which are included in the INTOSAI Financial Audit Guidelines, provide
relevant guidance on applying each ISA in financial audits of public sector entities in
addition to that provided in the corresponding ISA.
1.3. INTOSAI has also issued Fundamental Principles in Compliance Auditing (ISSAI 400) to give
specific guidance on audit and reporting responsibilities relating to compliance with
authorities. This is supported by General Auditing Guidelines on Compliance Audit (ISSAI
4000, 4100 and 4200). ISSAI 4100 provides guidance for compliance audits performed
separately from the audit of financial statements whereas ISSAI 4200 provides compliance
audit guidelines related to audit of financial statement. They build upon INTOSAI’s
Fundamental Auditing Principles and have been designed to assist public sector auditors
having responsibilities related to compliance with authorities. ISSAI 4100 and 4200
supplement, should be read together with the Financial Audit Guidelines (ISSAI 1000-
2999), when having such broader responsibilities.
1.4. This OCAG Financial and Compliance Audit Manual draws on the guidance in ISSAI 1000-
2999 and 4000-4200 and interprets the way that this guidance is to be implemented by
the Office of the Comptroller and Auditor General in conducting both financial and
compliance audits in public sector entities of Bangladesh.
1.5. This Manual has been developed to provide OCAG auditors with a set of modern financial
and compliance auditing standards, concepts, techniques and quality assurance
arrangements that are consistent with the international standards as detailed above.
1.6. The purpose of this Audit Manual is to promote consistency and efficiency in the conduct
of audits, and to enhance the quality of audit work.
1.7. OCAG auditors are expected to exercise professional judgement in the application of the
principles detailed in this Manual.
1.8. This Manual is equally applicable to compliance and financial audits. Some of the text is
specifically applicable only to financial audits (e.g. paragraphs 4.69 to 4.82).
1.9. All OCAG auditors are required to familiarize themselves with the contents of the Manual
to use it as a reference for conducting audits.

Page | 1
1.10. To promote consistency in its approach to audit and in its operations, OCAG must have
an up to date Audit Manual giving guidance on policies and procedures for functions and
processes. This manual has to be revised or updated whenever there are changes in the
audit objectives, standards and techniques and any other laws, policies and applicable
directives given by the Government of Bangladesh.
1.11. The SAI Bangladesh published audit manuals under previous reform initiative known as
Reforms in Government Audit (RIGA) as per the then available standards. These manuals
continue to be used side by side with this currently available Audit Manual prepared
based on ISSAIs.
1.12. Audit staff who identify the need for revisions or have suggestions for improvement are
encouraged to communicate their observations to Deputy Comptroller and Auditor
General (Accounts and Reports) who will examine and then take suitable action.
1.13. Responsibility for keeping the Manual up-to- date is that of Deputy Comptroller and
Auditor General (Accounts and Reports) and the manual is to be reviewed every three
years. As required, these revisions will be issued to all holders of the auditing manual.
1.14. Deputy Comptroller and Auditor General (Accounts and Reports) is also responsible for
communicating the contents of the manual to staff and monitoring to ensure compliance
with the manual.
1.15. After brief details of the objective and scope of financial and compliance audit (Chapter
2), this manual covers the full audit cycle:
. Audit Planning (Chapter 3);
. Audit Fieldwork (Chapter 4); and
. Audit Reporting (Chapter 5).
1.16. More details on the general principles to be covered in an audit is given in Figure 1
below.

Page | 2
The General Principles
Figure 1: Principles to be applied in conducting an audit

Source: ISSAI 100 (Paragraph 34)

The above Figure deals with both general principles and principles related to the audit
process. Chapter 1 of this Manual gives more details of the general principles and the rest
of this manual gives more details on the principles related to the audit process.

Ethics and Independence

1.17. Auditors should comply with relevant ethical requirements and be independent. Ethic
principles should be embodied in an auditor’s behaviour. The SAIs ethical policies should
address ethical requirements and emphasise the need for compliance by each individual
auditor. Ethics ensure that the audit is conducted with a professional attitude. The key
principles of ethics are integrity, objectivity, professional competence and due care,
confidentiality and professional behaviour. Auditors should be honest, reliable and

Page | 3
 truthful when conducting an audit. Auditors should remain independent so that their
opinions/conclusions/findings will be impartial and be seen as such by third parties.
Independence is freedom from situations and relationships which could impair the
auditor’s objectivity. Independence is an attitude of mind and appearance. It safeguards
the ability to perform an audit without being affected by influences that might
compromise professional judgement. Auditors can find additional guidance in ISSAI 10-
Mexico Declaration on SAI Independence as well as ISSAI 11- INTOSAI Guidelines and
Good Practices related to SAI Independence and ISSAI 30 - Code of Ethics.

Quality Control
1.18. Auditors should perform the audit in accordance with professional standards on quality
control. The SAI’s quality control policies and procedures should comply with
professional standards. The aim is to ensure that audits are performed to a consistently
good quality. Quality control procedures should include matters such as the direction,
review, supervision of the audit process and consulting and reaching decisions on difficult
or contentious matters. Auditors can find additional guidance in ISSAI 40-Quality Control
for SAIs.

Engagement Team Management and Skills

1.19. Auditors should possess or have access to the necessary skills. The individuals in the
engagement team should collectively possess the knowledge, skills and expertise
necessary to successfully complete the audit. This includes an understanding of and
practical experience of the type of audit being undertaken; an understanding of the
applicable standards and legislation; an understanding of the entity’s operations; and the
ability and experience to exercise professional judgement. Consistent for all audits are
the needs for recruiting personnel with suitable qualifications, developing and training
employees, the preparation of manuals and other written guidance and instructions
concerning the conduct of audits, and the assignment of sufficient resources for the
audit. Auditors should maintain professional competence through continuous
professional development.
1.20. In circumstances where it is relevant or necessary and in line with its mandate, and
applicable legislation the auditor may use the work of internal auditors, other auditors or
experts. The auditor should perform procedures that provide a sufficient basis for using
the work of others and in all cases the auditor should obtain evidence concerning the
other auditor or expert’s competence and independence. However, the SAI has sole
responsibility for any audit opinion or report it might make on the subject matter and
that responsibility is not reduced by its use of the work of others.
1.21. The objectives of internal audit are different from those of the external audit. However,
both internal and external audit promote good governance through contributions to
transparency and accountability for the use of public resources as well as to promote

Page | 4
 efficient, effective, and economic public administration. This offers opportunities for
coordination and cooperation and the possibility of eliminating duplication of effort.
1.22. Some SAIs use the work of other auditors working at state, province, region, district or
parish level within the country, or in public accounting firms where they have completed
audit work related to the audit objective. These arrangements should be conducted
under agreements or contracts which include conditions to ensure work is done in
accordance with public sector auditing standards.
1.23. Auditors may require specialised techniques, methods or skills which are not available
within the SAI. Experts may be used in different ways e.g. to provide knowledge or
conduct specific work.

Due Professional Care

1.24. The auditor should plan and conduct the audit in an alert and diligent manner. Auditors
should avoid any conduct that might discredit the auditor’s work. Auditors should
perform their duties in accordance with technical and professional standards.
Supervision, coaching and review should be conducted throughout the audit process.
This includes ensuring that the audit team members understand the assignment;
ensuring that the work is carried out in accordance with the audit plan; addressing issues
that arise during the audit and monitoring the progress of the audit team members.

Audit/Engagement Risk
1.25. Auditors should manage the risk of providing incorrect opinions/ conclusions/
recommendations. The audit should be performed to reduce or manage the risk that the
auditor’s opinion/conclusion/findings/recommendations may be inappropriate or that
the audit may fail to add value, to an acceptable level. Audit risk may arise due to fraud
or error or due to the context, complexity and political sensitivity of the underlying
subject matter or the risk that audit objectives are not sufficiently focused or
penetrating.

Materiality
1.26. Auditors should consider materiality or significance throughout the audit process. In
performance audit, the term ‘significant’ is comparable to the term ‘material’ as used in
the context of financial and compliance audit. Determining materiality or significance is a
matter of professional judgement and is based on the auditor’s interpretation of
mandate and perception of the information needs of the users. Materiality or
significance considerations are relevant to all audit engagements and affect the
determination of the nature, timing and extent of audit procedures as well as evaluating
the results of the audit. In general terms, a matter may be judged material if knowledge
of it would be likely to influence the decisions of intended users. The concept of

Page | 5
 materiality recognises that some matters are important, either individually or in
aggregate, and others are not. Materiality is often considered in terms of value but the
inherent nature of characteristics of an item or a group of items may also render a
matter material. This also includes regulatory requirements. In addition to materiality by
value and by nature a matter may be material because of the context in which it occurs.
Significance can be seen as the relative importance of subject matter in relation to
policies, strategic plans, number of citizens, or stakeholders concerned, economic
magnitude, consequences for the society, etc.

Professional Skepticism and Judgement

1.27. Auditors should maintain objectivity and appropriate professional behaviour.
Professional skepticism and professional judgement are important throughout the audit
engagement. These principles are based on the interaction of professional and
behavioural characteristics that recognise the auditor’s responsibility to carry out
analyses and reach conclusions based on evidence collected whilst maintaining
professional distance, open-mindedness, receptiveness to views and arguments, and an
alert and questioning attitude. Professional judgement represents the application of
collective knowledge, skills and experience to the audit process.

Documentation

1.28. Auditors should prepare audit documentation in sufficient detail to provide a clear
understanding of work performed, evidence obtained and conclusions reached. Audit
documentation should include the audit strategy and plan and record of procedures
performed, and evidence obtained and should support the communicated results.
Documentation should be in sufficient detail to enable an experienced auditor, having no
previous connection to the audit, to understand from the audit documentation the
nature, timing and extent and the results of procedures performed; the audit evidence
obtained to support the auditor’s conclusions and recommendations; and to record
reasoning on all significant matters that required the exercise of professional judgement
and related conclusions.

Communication with Auditees and Other Stakeholders

1.29. Auditors should ensure good communication with the auditee. It is essential that the
auditee is well informed of the matters related to the audit. This is important in
developing a constructive working relationship. This communication includes the
responsibilities of the auditor for obtaining information relevant to the audit, the
responsibilities of the different parties for the audit, an overview of the scope and timing
of the audit, and providing management and those charged with governance with timely

Page | 6
 observations and findings throughout the audit. Determining the form, content and
frequency of communication is a matter of professional judgement.
1.30. Auditors should establish effective lines of communication with all relevant stakeholders.
The auditor should also establish effective communication with all relevant stakeholders
including management, those charged with governance, experts in the field and other
parties concerned as they may have information that could be useful in planning,
conducting or reporting on the audit.

Appendices and Annexes to this Manual

1.31. In addition to the basic guidance in the manual there is detailed practitioners guidance in
the Appendices and Annexes.

Page | 7
 Chapter 2 Objective & Scope of Financial and Compliance Audit

2.1. There should be a clear statement of the objective and scope of each audit assignment
carried out by or on behalf of OCAG.
2.2. One or more audit objectives (financial certification and/or compliance) should be
defined for each element of an audit assignment. This objective is a statement of what is
to be achieved by the audit.
2.3. ISSAI 100 provides standards and guidance for the following fields of public sector
auditing:
. Financial audit focusing on determining whether an entity’s financial information is
presented in accordance with an applicable financial reporting framework (Accounts
code/ forms prescribed by CAG). This is accomplished by obtaining sufficient
appropriate audit evidence to enable the auditor to express an opinion on whether
the financial information is free from material misstatement whether due to fraud
or error. ISSAI 200 elaborates on this further; and
. Compliance audit focuses on whether a particular subject matter is in compliance
with authorities identified as criteria. Compliance auditing is performed by assessing
whether activities, financial transactions and information are, in all material
respects, in compliance with the authorities which govern the audited entity. These
authorities may include rules, laws and regulations, budgetary resolutions, policy,
established codes, agreed terms or the general principles governing sound public-
sector financial management and the conduct of public officials. Examples are given
in Appendix 1 to this manual.
2.4. The audit scope is a statement of what areas will be examined by the audit, what work is
to be done and what methodology is to be used to achieve the audit objective(s). This
applies equally to financial and compliance audits.

Page | 8
 Chapter 3 Audit Planning

Audit Strategy and Audit Plan

3.1. The auditor is required to document the overall audit strategy and audit plan, as well as
significant changes to those documents made during the audit and the reasons for such
changes (Paragraph 9 of ISSAI 1300 and paragraph 12 of ISA 300).
3.2. Good planning is of great importance to the success of an audit. Without it there is a real
danger that auditors may fail to obtain sufficient, appropriate audit evidence to support
the opinions on financial statements and conclusions reached for compliance audits.
Inadequate planning may also result in less than efficient and timely audits.
3.3. Before planning commences, the auditor should prepare a client letter of engagement,
or if one exists already review it to see if revision is required (e.g. there are changes to
the audit scope). The new or revised letter of engagement should be sent to the client
for information and necessary actions. At a minimum the letter of engagement should
contain material under the following headings:
. Introduction;
. scope of the audit (mention ISSAIs);
. responsibilities of auditors - mention rights under Article 128(1) of the
Constitution of Bangladesh/other;
. the audit process;
. client responsibilities;
. audit arrangements; and
. other matters.
3.4. An example template letter of engagement is at Annex A.2. This will need to be
amended for the specific circumstances of an individual audit. For example in the case of
a compliance audit, the specific laws and regulations that the audit will be testing
compliance with should be detailed in the scope section.
3.5. The overall audit strategy as documented using the template at Annex A and audit plan
to be documented on the planning section of the electronic working papers package
should reflect the audit objectives (financial certification and/or compliance) and scope
set for the audit assignment (refer chapter 2).
3.6. In establishing the overall audit strategy and audit plan, the auditor shall:

(a) Identify the characteristics of the audit that define its scope;
(b) Ascertain the reporting objectives of the audit to plan the timing of the audit and
the nature of the communications required;

Page | 9
 (c) Consider the factors that, in the auditor’s professional judgement, are significant in
directing the auditor’s efforts;
(d) Consider the results of preliminary audit engagement activities and, where
applicable, whether knowledge gained on other audits performed by the Director
General for the entity is relevant; and
(e) Ascertain the nature, timing and extent of resources necessary to perform the
audit.
3.7. The process of establishing the overall audit strategy assists the auditor to determine,
subject to the completion of the auditor’s risk assessment procedures, such matters as:
. The resources to deploy for specific audit areas, such as the use of
appropriately experienced team members for high risk areas or the
involvement of experts on complex matters;
. The amount of resources to allocate to specific audit areas, such as the number
of team members assigned to observe the inventory count at material
locations, the extent of review of other auditors’ work in the case of group
audits, or the audit budget in hours to allocate to high risk areas;
. When these resources are to be deployed, such as whether at an interim audit
stage or at key cut-off dates; and
. How such resources are managed, directed and supervised, such as when team
briefing and debriefing meetings are expected to be held, how Director
General and manager reviews are expected to take place (for example, on-site
or off-site), and whether to complete audit quality control reviews.
3.8. The Overall Audit Strategy (for internal purposes) should be held within the electronic
working papers system. This will record the key decisions made in planning the audit and
facilitate communication of significant matters to the audit team.
3.9. The format of the Overall Audit Strategy will vary depending upon the size and
complexity of the audit and of the team structure. For simple audits, the Overall Audit
Strategy may be communicated in a team planning meeting and recorded in the minutes
of that meeting. For other audits, a memorandum setting out key decisions on scope,
timing and conduct of the audit may be appropriate.
3.10. The Overall Audit Strategy guides the audit planning process, and so it is important to
capture at this stage the Director General’s expectations and concerns for the audit so
that the audit can be planned to address them.
3.11. As part of developing the Overall Audit Strategy, the Director General will identify the
required Risk Assessment Procedures. The audit team should ensure that they follow this
planned approach, as the planning process will otherwise not have been effective or
efficient.

Page | 10
3.12. In planning the audit, the auditor should ensure that all points identified in the Overall
Audit Strategy flow through to the planned approach. Where detailed audit planning
provides additional information, for example indicating that a possible risk identified in
the Overall Audit Strategy is not relevant in the current year, the documentation should
be revised, clearly set out the basis for this conclusion and, where relevant, the
supporting audit evidence.
3.13. Any changes to the Overall Audit Strategy should be subject to the same level of review
and approval as the original Overall Audit Strategy. The changes should be clearly
documented in the electronic working papers. A formal consideration of the planning
assumptions should be undertaken at the end of the development of the Audit Plan and
at the end of the audit fieldwork stage.
3.14. To evidence that the necessary planning activities have occurred, the audit team should
complete the Audit Planning checklist as per Annex A.1.
[

Figure 2: The Audit Process (1) - Key stages of audit planning

Understanding the Understand the

Business Accounting and Internal
Control Systems

Determine
Materiality

Assess Material
Risks

Design Audit
Procedures
(For the Second stage of the audit process see Figure 5)

Page | 11
Understanding the Entity and its Environment
3.15. The auditor should gain adequate knowledge of the accountability framework and other
external factors impacting on the client entity and use Annex B to document this. When
completed electronically, Annex B should be loaded on to the Audit Management and
Monitoring System (AMMS), the automated working papers system developed by OCAG,
Bangladesh. Areas to document are:

1) Relevant industry, regulatory, and other external factors.(Ref: ISA 315 para A17-A22)

2) The nature of the entity and its operations (Ref: ISA 315 para A23-A27) - the purpose
is to enable an understanding of the classes of transactions, account balances and
disclosures to be expected in the financial statements.

3) The entity's financial reporting and accounting policies. (Ref: ISA 315 para A28)

4) The entity’s objectives and strategies, and related business risks. (Ref: ISA 315 para
A29-A35)

(5) The measurement and review of the entity’s financial performance. (Ref: ISA 315
para A36-A41)

(6) The nature and extent of the entity’s related party relationships. (Ref: ISA 550 para
A11-A14).

(Note: Further guidance on understanding the entity for compliance auditing is given in
Appendix 2 to this manual).

Understanding Entity’s Internal Control

3.16. The auditor should complete the relevant section of Annex C to assess the strength of
the Overall Control Environment, and use this form to evaluate the impact of any
identified weakness on the assessment of inherent risk for individual audit areas. When
completed electronically, Annex C should be loaded on to AMMS.
3.17. In documenting their understanding of internal control, the auditor should document the
following 5 areas:

1) Control Environment (Ref: ISA 315 para A69-A78)

3.18. The purpose of understanding the control environment is to understand whether:

(a) Management, with the oversight of those charged with governance, has created
and maintained a culture of honesty and ethical behaviour; and

Page | 12
 (b) The strengths in the control environment elements collectively provide an
appropriate foundation for the other components of internal control, and whether
those other components are not undermined by deficiencies in the control
environment.

2) The entity’s risk assessment process (Ref: ISA 315 para A79-A80)

3.19. Public sector bodies should have a risk assessment process, which should be appropriate
for the size and complexity of the entity. The risk assessment process is involved in:

(a) Identifying business risks relevant to financial reporting objectives;

(b) Estimating the significance of the risks;

(c) Assessing the likelihood of their occurrence; and

(d) Deciding about actions to address those risks.

3) Monitoring of controls (Ref: ISA 315 para A98-104)

3.20. Monitoring of controls is a process to assess the effectiveness of internal control

performance over time. It involves assessing the effectiveness of controls on a timely
basis and taking necessary remedial actions. Management accomplishes monitoring of
controls through ongoing activities, separate evaluations, or a combination of the two.
Ongoing monitoring activities are often built into the normal recurring activities of an
entity and include regular management and supervisory activities.
3.21. When completing this section of Annex C, the auditor should ensure that the following
are considered:

(a) Any additional reporting responsibilities regarding internal controls;

(b) Relevant controls that relate to compliance with authorities;

(c) Controls related to monitoring performance against the budget;

(d) Controls related to transferring budgetary funds to other entities;

(e) Controls of classified data related to national security and sensitive personal

data, such as tax and health information; and

Page | 13
 (f) Supervision and other controls performed by parties outside the entity and relate
to areas such as:

• Compliance with procurement regulations;

• Execution of the budget;
• Other areas as defined by legislation or audit mandate; and
• Management’s accountability.

4) Business controls (Ref: ISA 315 para A81-A87)

3.22. The standing information for the audit of each entity should include systems notes for
each class of transactions in the entity's operations that are significant to the financial
statements, and for monitoring controls. The system notes should include:

. the procedures, within both information technology (IT) and manual systems, by
which those transactions are initiated, recorded, processed, corrected as
necessary, transferred to the general ledger and reported in the financial
statements. This should include how regularity is ensured;

. the related accounting records, supporting information and specific accounts in

the financial statements that are used to initiate, record, process and report
transactions. This includes the correction of incorrect information and how
information is transferred to the general ledger. The records may be in either
manual or electronic form; and

. how the information system captures events and conditions, other than
transactions, that are significant to the financial statements.

3.23. System notes should clearly set out the flow of information within a business cycle, the IT
systems involved, and where control activities and data interfaces take place (including
controls over regularity). This can often be effectively documented using a system-flow
diagram. The client or their internal audit team may have already prepared systems
diagrams.
3.24. In addition to system notes on business cycles, the documentation should set out the
financial reporting process used to prepare the entity's financial statements, including
significant accounting estimates and disclosures, and the controls surrounding journal
entries, including non-standard journal entries used to record non-recurring, unusual
transactions or adjustments.

Page | 14
 5) The information system (Ref: ISA 315 para A81-A85)

3.25. The auditor should have sufficient understanding of the entity’s information systems and
their interaction with business controls (including controls over regularity) to be able to:

. identify any related risks of material misstatement or irregularity;

. identify where business controls are dependent upon general IT controls; and
. plan an effective and efficient audit.
3.26. Issues to consider when completing this section of Annex C are:
. Assessing the accounting systems
. Overall IT policy and strategy
. Development and maintenance
. Logical access security
. Physical control
. Computer Assisted Audit Techniques using IDEA software package.
3.27. The auditor should summarise the outcome of identification of IT risks and
identification of controls dependent upon IT in Annex D. When completed
electronically, Annex D should be loaded on to AMMS.

3.28. In completing Annex D, the Auditor should consider both impact and likelihood in
considering whether there are risks of material misstatement or irregularity.
[

Risk Assessment
3.29. The Fraud Risk Assessment form at Annex E is designed to assist auditors in the
evaluation of the potential risks of fraud in arriving at an assessment of the risk of
material misstatement due to fraud. When completed electronically, Annex E should be
loaded on to AMMS.
3.30. The auditor should evaluate whether the information obtained from the other risk
assessment procedures and related activities performed indicates that one or more
factors indicating potential risks are present. Whilst these factors may not necessarily
indicate the existence of fraud, they have often been present in circumstances where
frauds have occurred and, therefore, may indicate risks of material misstatement due to
fraud (ISA 240 para 24).
3.31. The auditor should identify and assess the risk of material misstatement due to fraud at
the financial statement level (pervasive risks) and at the assertion level (significant risks
and risk factors) for classes of transactions, account balances and disclosures (ISA 240
para 25).

Page | 15
3.32. For compliance audits, the auditor should assess whether there is a significant risk of
non-compliance. To do this, the auditor should use judgement to evaluate relevant
factors identified from the Risk Assessment Procedures including:
. the complexity of the regulations;
. the introduction of major new legislation or changes in existing regulations;
. services and programmes delivered through third parties; and
. payments and receipts made on the basis of claims or declarations.
3.33 Further guidance on assessing risk for compliance audits is given at Appendix 3.
3.34 The table below discusses further the features of Pervasive Risks, Specific Risks and Risk
Factors, and comments on their impact on the audit approach.

Table 1 – Identification of and audit response to Pervasive and Specific risks and risk factors

Pervasive Risk Specific Risk Risk Factor

Definition A Significant Risk at the A Significant Risk at the Risk Factors are either:
financial statement level assertion level (i.e. a . risks of material
misstatement / irregularity
that relates pervasively to Significant Risk which is
which are addressed
the financial statements as a not a Pervasive Risk). through a standard level of
whole and potentially affects A Specific Risk will be a planned testing over the
relevant assertions, and so
many assertions (for particular risk that can
do not require special
example the risk that a new give rise to a material audit consideration (for
accounting system does not misstatement. example the risk that
work). There may be multiple amount paid exceeds the
amount invoiced); or
related Specific Risks in . potential risks which have
relation to one audit been assessed as not
area or a series of audit representing a risk of
material misstatement /
areas. For example the
irregularity and so do not
risk that the Public require an audit response,
Procurement Rules are but may require
monitoring as the audit
not followed in letting
progresses (for example
large public expenditure inventory overstated
contracts – regularity where inventory is not
assertion. material).
Risk Factors may include risks
with an operational impact
but without a direct impact
on the financial statements.

Page | 16
 Pervasive Risk Specific Risk Risk Factor

Comments Pervasive Risks are risk that A Specific Risk means Where a potential risk is
do not directly relate to that there is a high risk identified through the
particular assertions for of material planning process or in the
course of the audit, the
individual audit areas. misstatement in auditor should clearly
Rather they represent relation to a particular conclude on whether it
circumstances that may audit area. requires special audit
increase the risk of material consideration, or whether it is
The auditor design audit a risk factor. Where it is a risk
misstatement across audit
procedures which are of material misstatement
areas, for example, through which is adequately
specifically responsive
management override of addressed through a standard
to the risk as this is the
internal control. level of testing, the audit
most effective and procedures which address the
Pervasive Risks are more efficient way to obtain risk must be specified.
likely to occur where there is assurance that the audit
a deficient control area is not misstated. If Where a potential risk has
environment (although the auditor did not been identified in the file and
these risks may also relate to design specifically assessed as a risk factor
other factors, such as responsive tests, he or (including a fraud risk factor),
declining economic the auditor should clearly
she would either fail to
document the basis of this
conditions). For example address the risk at all, judgement.
management’s lack of or need to perform
competence may have a substantially more
A business risk does not
pervasive effect on the testing to obtain require a response as part of
financial statements sufficient appropriate a financial audit unless it also
requiring an overall response audit evidence. involves a risk of material
by the auditor. misstatement of the financial
statements. A business risk
could impact upon the
financial statements by e.g.,
increasing costs through
inflation in the costs of
staffing, without this leading
to a risk of misstatement.

Audit The Audit Plan should The auditor should No additional audit
Response include procedures to assess the design and procedures above a standard
address the identified implementation of the level of audit testing are
Pervasive Risks on an audit.
These will typically consist of related controls and required on risk factors, as
overall responses to address plan their audit they either do not represent

Page | 17
 Pervasive Risk Specific Risk Risk Factor

the assessed risk of material approach to address a risk of material

misstatement at the this Significant Risk. misstatement/irregularity, or
financial statement level. are addressed by the
The auditor’s response
The auditor should assess standard level of planned
the design and to Specific Risks should
work to gain assurance over
implementation of the be to design and
related controls and plan perform further audit each assertion. However, the
their audit approach to procedures auditor will usually keep in
whose
address this Significant Risk. view the identified risk
nature, timing, and
Due to the nature of factors as part of maintaining
Pervasive Risks, there may extent are based on,
an attitude of professional
not be mitigating controls, in and are responsive to,
which case the extent of the the assessed risks of scepticism.
planned response should material misstatement In exceptional circumstances,
reflect the absence of the Director General or
at the assertion level.
controls assurance. Director may determine in
The planned audit their professional judgement
As Pervasive Risks do not
relate to specific Audit Areas approach should that it is appropriate to
or assertions, the audit consider the most perform procedures in
response will not typically be effective and efficient respect of a risk in order to:
in the form of substantive way to address the risk. - address concerns raised by
testing. Instead, overall
management or those
responses may include:
Where there are charged with governance;
- emphasizing to the audit adequately designed - provide insights in the
team the need to and implemented management letter as to
maintain professional controls, it may be most how this risk may be
scepticism;
efficient to test the addressed or identifying
- assigning more
experienced staff or those operating effectiveness weaknesses in
with special skills or using of the controls management’s response;
experts to the audit; mitigating the risk. or
- providing more
Substantive audit tests - identify whether there are
supervision;
- incorporating additional should be tailored to concerns that should be
elements of address the risk directly, passed to client leads.
unpredictability in the rather than simply
selection of further audit
increasing sample sizes
procedures to be
performed; using an Assurance
- where there are Factor of 3 without
deficiencies in the control further consideration of
environment responding the most appropriate
by making general

Page | 18
 Pervasive Risk Specific Risk Risk Factor

changes to the nature, audit response.

timing, or extent of audit
procedures. For example For example, the
conducting more audit auditor should consider
procedures as at the relying on controls that
period end rather than at ensure that the PPR are
an interim date, obtaining
followed in expenditure
more extensive audit
evidence from (if such controls exist
substantive procedures, and are evidenced). If
or increasing the number these controls are not in
of locations to be place or in place but not
included in the audit
properly functioning,
scope;
- independent review of the auditor would also
the audit by a quality need to carry out
assurer; additional testing of
- increased testing of expenditure
transactional controls as
transactions focussed at
well as higher level
controls; perceived areas of
- procedures to address greatest risk where the
pervasive risks of fraud or PPR are considered to
error in an entity. be most likely to be
For the example, Pervasive broken (above and
Risk that a new accounting beyond the basic level
system does not work, it of testing if compliance
would be appropriate for the
auditor to carry out with the PPR were not
additional testing to confirm considered to be a
that balances have been specific risk).
carried correctly from old to Refer for more detail to
new system, proper user the Procurement Audit
acceptance testing (UAT)
was successfully carried out Manual.
by the entity on the new
system in addition to the
normal work of checking
that the balances produced
by the accounting system
feed through correctly into
the draft financial
statements (which would be
carried out whether the

Page | 19
 Pervasive Risk Specific Risk Risk Factor

system was new or not).

3.35. Examples of risk factors for compliance audits are given at Appendix 4 to this Manual.

3.36. The following decision tree summarises how potential risks are to be classified.

Figure 3: Classification of Potential Risks

Could the risk lead to a material

misstatement or irregularity in the
financial statement?
(Consider both impact and likelihood)

Yes No

Does the risk, in the auditor’s

Risk factor
judgement, require special audit
(Including business risks with no
consideration?
financial statement impact)

Yes (significant risk)

No. It is covered through a
standard level of testing of
assertions or financial
Financial statement Assertion level
statements
level

Pervasive Risk Specific Risk

Risk factor-risk of material

misstatement which does not
require special audit consideration
Page | 20

Page | 20
3.37. The responses to Pervasive and Specific Risks should be clearly documented in the
Significant Risks Testing Plan at Annex F (which should be completed electronically).
3.38. The audit approach to obtaining assurance over assertions for Audit Areas and over the
financial statements should be documented in the Audit Area Testing Plan at Annex G
(which should be completed electronically).
3.39. When the auditor has identified Risk Factors that do not require an audit response, they
should document the reasons why they do not consider this to be a risk of material
misstatement. This can be done in the Audit Area Testing Plan.

Materiality (ISSAI 1320)

3.40. After gathering relevant information to gain knowledge of the audited entity, the auditor
needs to consider materiality, which is one of the key parameters that affect the audit
strategy. The auditor needs to ensure that the audit efforts are concentrated on those
areas and account components which are material.
3.41. Materiality is one of the basic and major concepts of auditing, central to planning and
performing the audit, evaluating the effect of identified misstatements on the financial
statements, and in forming the audit opinion. Materiality also provides preparers of
financial statements with a basis for determining how transactions and balances should
be disclosed and underlies professional standards on financial reporting. It is not possible
for the auditor to form an opinion on financial statements without considering
materiality.
3.42. Financial statements can rarely be absolutely correct and even if this were the case the
user is unlikely to require this level of precision. A degree of tolerance in their accuracy
is, therefore, accepted and this is recognized in the "properly presents", "presents fairly"
and "true and fair" opinions that the auditor gives on most of the financial statements
that he or she audits. Thus, materiality is defined as an expression of the relative
significance or importance of a particular matter in the context of the financial
statements as a whole. A matter is material if its omission would reasonably influence
the decisions of an addressee of the auditor's report; likewise a misstatement is material
if it would have a similar influence.
3.43. The meaning of materiality as per ISA 320’s general guidance :
. “misstatements, including omissions, are considered to be material if they,
individually or in the aggregate, could reasonably be expected to influence the
economic decisions of users taken on the basis of the financial statements;

Page | 21
 . judgements about materiality are made in light of surrounding circumstances,
and are affected by the size or nature of a misstatement, or a combination of
both; and
. judgements about matters that are material to users of the financial statements
are based on a consideration of the common financial information needs of users
as a group. The possible effect of misstatements on specific individual users,
whose needs may vary widely, is not considered.”
3.44. Materiality is a matter of professional judgement, and is affected by the perceived needs
of the users of the financial statements. In considering the financial information need of
users, the auditor can assume that users:
a) have a reasonable knowledge of business, accounting and economic activities
and a willingness to study the information in the financial statements with
reasonable diligence;
b) understand that financial statements are prepared, presented and audited to
the levels of materiality;
c) recognise the uncertainties inherent in the measurement of amounts based
on the use of estimates, judgement and the consideration of future events;
and
d) make reasonable economic decisions on the basis of the information in the
financial statements.
3.45. Three types of materiality are explained in more detail at Annex H. They are:
• Materiality by value
• Materiality by nature
• Materiality by context
3.46. Annex H also introduces the concepts of performance materiality and expected error.
3.47. The materiality adopted for the audit at planning stage should be documented in the
audit planning section of AMMS.

Analytical Procedures (ISSAI 1520)

3.48. Analytical procedures are the analysis of significant ratios and trends including the
resulting investigation of fluctuations and relationships that are inconsistent with other
relevant information or which deviate from predicted amounts.
3.49. Types of analytical procedure are explained in Annex I.
3.50. To carry out an effective audit the auditor must have a detailed knowledge of the
business. A structured approach to planning including the use of analytical procedures
helps to improve this knowledge. The auditor should apply analytical procedures at the
planning stage to assist in understanding the entity's business in identifying areas of

Page | 22
 potentially high inherent risk and control risk and in planning the nature, timing and
extent of other audit procedures.
3.51. Analytical procedures can be used in all audits at the planning stage to:
. confirm and improve their understanding of the organization's activities;
. identify areas of potentially high inherent risk and control risk;
. identify significant non-routine or unusual transactions and/or account balances;
. assist in planning the nature, timing and extent of substantive procedures
including substantive analytical procedures.
3.52. The knowledge which the auditor gains from analytical procedure at the planning stage
can be used to support the rest of the planning process and the development of the audit
approach for the examination of specific account balances. Where analytical procedures
used for planning reveal significant deviations from expectations the auditor will need to
develop specific procedures to discover the cause of these fluctuations.
3.53. Analytical procedures at the planning stage may also involve a preliminary analysis of the
available data in order to assist the auditor to decide whether substantive analytical
procedures could be used to provide the required audit evidence at a reasonable cost.
The auditor may, for example, carry out initial data analysis to assess the structure and
quality of data and investigate possible relationships between variables.
3.54. The auditor will usually consider information from various sources both internal and
external to the organization, when undertaking analytical procedures at the planning
stage and at later stages. Typically, the auditor may consider information such as:
• prior year financial statements;
• appropriate external reports (e.g. performance and statistical reports);
• relevant non-financial information (e.g. staff numbers, claims processed);
• interim financial statements, reports and other analysis by the organisation's
management comparing the current period results with prior periods and with
current period budgets and forecast; and
• data on significant ratios and achievements against performance targets.
3.55. In many cases, auditors should be able to obtain much of this information from the
organization's management.
3.56. The sophistication and extent of the analytical procedures applied at the planning stage
are matters for the auditor's judgement and will vary depending on the size of the
organization, its complexity and the availability of information. For some organizations
the procedures may be limited to reviewing changes in account balances between the
prior year and the current year. In other organizations the procedures might involve

Page | 23
 more extensive analysis of monthly financial statements and comparisons with non-
financial data.
3.57. Analytical procedures used in planning that result in a better understanding of the
transactions include:
• a review of the significant financial statement account balances and classes of
transactions;
• a review of organization's budget and forecasts;
• a discussion on performance and future plans with finance and operational
departments;
• an examination of statistics and other information about the organization's
activities; and
• a review of achievement against budgets and performance targets.
3.58. These procedures will help the auditor to identify change in the organization's activities
and operations which may affect its financial statements. They should also direct the
auditor’s attention to specific areas of the financial statements which require particular
consideration.
3.59. With respect to the last bullet in paragraph 3.55, the auditor may wish to compare the
actual amounts with the budgeted amounts. Analytical procedures, though, may not be
very good at comparing budgets to actual as management may simply alter the actual to
reflect the budget. Before placing too much reliance on this comparison, the auditor will
need to assess the organization's budget setting procedures. In particular, the auditor
should consider the pressures which may be placed on individual departments to
conform to the budgets and the risk that results may be manipulated, for example, by
the misallocation of expenditure between individual budget lines to ensure that budgets
are met and appropriations are not exceeded.
3.60. Other analytical procedures that the auditor may employ as part of planning are trend
and ratio analysis. For example, the auditor could plot the results from monthly
management accounts to identify non-routine transactions and unexpected fluctuations
which require explanation. Similarly, the auditor could perform ratio analysis such as:
. comparing commitments entered into as a percentage of total commitment
appropriations made available to check the level of execution of the budget; and/or
. comparing actual monthly budgetary expenditure to budget which may show that a
significant part of the expenditure is incurred during a holiday period, thereby
indicating the possible existence of a problem.
3.61. Analytical procedures carried out at the planning stages should be documented on the
planning section of AMMS.

Page | 24
Overall Audit Approach for Each Audit Area (ISSAI 1330)
The Audit Assurance Model

A. Background
3.62. In designing the audit plan, the overall objective is to obtain reasonable assurance about
whether the financial statements as a whole are free from material misstatement,
whether due to fraud or error, thereby enabling the auditor to express an opinion on
whether the financial statements are prepared, in all material respects, in accordance
with the applicable financial reporting framework.
3.63. The planned audit procedures should be designed to obtain sufficient appropriate audit
evidence through a combination of:
. Responding to Pervasive Risks to the financial statements;
. Responding to Specific Risks (relating to particular audit area assertions);
. Auditing Audit Areas (i.e. assertions not affected by Specific Risks); and
. Auditing the Financial Statements and reviewing other information.

B. Objectives
3.64. The objective of the auditor is to design and perform audit procedures in such a way as
to enable the auditor to obtain sufficient appropriate audit evidence to be able to draw
reasonable conclusions on which to base the auditor’s opinion.

C. Relevant ISSAI and ISA guidance

3.65. The basic requirements which should be adhered to in respect of OCAG audits are
contained in ISSAI 1330 and ISA 330 “The Auditor’s Response to Assessed Risks”, and
ISSAI 1500 and ISA 500 “Audit Evidence”.
3.66. All OCAG audits must comply with these standards. The guidance contained in this
section emphasises the requirements of these standards and interprets the requirements
in an OCAG context. Where relevant, the paragraphs cross-reference the application
guidance in the ISSAIs and ISAs.

D. Core policies and guidance

3.67. The theory underpinning the OCAG methodology for auditing audit areas is designed to
obtaining sufficient assurance to give a 95% confidence level that the financial
statements are not materially misstated, i.e., the audit methodology is intended to
reduce the audit risk (i.e. the risk of giving an incorrect audit opinion) to an acceptable
level of less than a 5% chance.

Page | 25
3.68. This risk is made up of:
. the risk of there being errors in the financial statements; and
. the risk that the planned audit procedures would not detect any error that
exists.
3.69. In order to keep the risk of an incorrect audit opinion to an acceptable level, the greater
the risk of errors in the financial statements, the higher the level of assurance required
from the planned audit procedures.
3.70. The required assurance is obtained by testing the assertions management have made
about each significant Audit Area. Given the nature of the OCAG’s role, the auditor’s
policy is also to obtain a minimum level of assurance over non-significant Audit Areas
which is discussed further below.

Audit Assertions
3.71. In presenting the financial statements, management is making assertions about the
information contained in them and the purpose of the audit is to test these assertions
(i.e. the audit objectives are to obtain assurance over each of these assertions). The audit
assertions which the auditor adopts are those included in Paragraph A11 of ISA 135.
These are:

(a) Assertions about classes of transactions and events for the period under audit:

. Occurrence- transactions and events that have been recorded have actually been
occurred and pertain to the entity. For example, for payroll an employee being
paid by the entity is a bona fide employee.
. Completeness- all transactions and events that should have been recorded have
been recorded. For example, for payroll that 12 months of transactions are posted
to the ledger in the year of account.
. Accuracy- amounts and other data relating to recorded transactions and events
have been recorded appropriately. For example:
 the amount paid agrees to the invoice;
 the correct amount was paid in accordance with the contract;
 the invoice was checked against the purchase order and once the
matching was satisfactory only then it was paid.
. Cut-off - transactions and events have been recorded in the correct accounting
period. For example, a payment made on 30 June 2015 charged to the financial
year ending 30 June 2015 and not the financial year ending 30 June 2016.
. Classification- transactions and events have been recorded in the proper accounts.
For example, an item of income or expenditure is charged to the correct
account/budget/economic code.

Page | 26
 (b) Assertions about account balances at the period end:

. Existence - assets, liabilities, and equity interests exist. For example, a creditor
balance is owed at the period end date and has not been paid before that date.
. Rights and obligations - the entity holds or controls the rights to assets, and
liabilities are the obligations of the entity. For example, the audited entity holds
title deeds for all tangible fixed assets included in land and buildings.
. Completeness - all assets, liabilities and equity interests that should have been
recorded have been recorded. For example, tangible fixed assets include all land
and buildings that the audited entity owns – none are excluded.
. Valuation and allocation - assets, liabilities, and equity interests are included in
the financial statements at appropriate amounts and any resulting valuation or
allocation adjustments are appropriately recorded. For example, the valuation of
the audited entity’s land and buildings has been revalued upwards to reflect the
rising value of office buildings in the area where the entity has its HQ. The
upwards valuation has resulted in a revaluation reserve.

(c) Assertions about presentation and disclosure:

. Occurrence, rights and obligations - disclosed events, transactions, and other
matters have occurred and pertain to the entity. For example, contingent
liabilities note includes only material cases that pertain to the entity.
. Completeness - all disclosures that should have been included in the financial
statements have been included. For example, a related party’s note should be
included if required.
. Classification and understandability- financial information is appropriately
presented and described, and disclosures are clearly expressed. For example, a
segmental note reflects the way the audited entity is structured and significant
allocation and apportionment methodologies are explained in the note.
. Accuracy and valuation - financial and other information are disclosed fairly and
at appropriate amounts. For example, a contingent liability is disclosed in an
account note on the basis that there is a high likelihood that a court case may be
lost within the next year that would result in a payment being made. The
estimated value is based on expert legal advice.
3.72. All the audit assertions listed at paragraph 3.69(a) above are relevant to the audit of
Government Appropriation Accounts as these are prepared on the cash basis of
accounting and only have expenditure. However, the Government Finance accounts
have cash balances and borrowings and thus the assertions about cash balances at

Page | 27
 paragraph 3.69(b) are also relevant for the audit of the Government Finance Accounts.
Assertions about presentation and disclosure at paragraph 3.69(c) are relevant for all
financial audits.
3.73. The compliance audits carried out by the OCAG also give assurance on the regularity of
transactions contained in the accounts. A transaction is considered to be regular if it is in
accordance with:
. authorising legislation;
. regulations issued under governing legislation;
. Parliamentary authorities; and
. Treasury authorities.
3.74. The OCAG compliance audits also consider the propriety of transactions. Propriety covers
the standards of conduct, behaviour and governance. It addresses issues such as fairness,
integrity, the avoidance of waste and extravagance and open competition in the letting
of contracts.
3.75. When determining the propriety of transactions the auditor should consider whether the
entity has complied with the standards of conduct and behaviour expected of those
charged with the management of public funds. This may be achieved by considering the
arrangements in place at the client against generally accepted practice in the public
sector or where necessary, drawing on precedents established following consideration of
incidents by the Public Accounts Committee and guidance issued by other entities.

3.76. Propriety is not readily susceptible to objective verification and it is not expressly covered
by the CAG's audit opinion. The auditor is not, therefore, required to undertake specific
work in support of propriety. However, if an issue of propriety is identified during the
course of audit work, the auditor must consider whether in their professional judgement
the issue is of such significance that it needs to be reported to Parliament. This
consideration should be documented in the electronic working papers.

The Audit Assurance Model for signi�icant Audit Areas

3.77. The planned audit procedures should provide assurance over each audit assertion for
every significant class of transactions, account balances, or disclosures in the financial
statements through a combination of inherent, controls and substantive assurance.
3.78. The statistical theory underpinning the OCAG audit methodology requires that to obtain
95% assurance, the sum of the Assurance Factors (AFs) from each source of assurance
should be 3.0. This will be made up of a combination of:

Page | 28
 . Inherent assurance: if a Specific Risk has been identified, then there is no inherent
assurance (and greater controls and substantive assurance will be required totalling
3.0). If no Specific Risks has been identified, then there is inherent assurance, giving
an AF of 1.0 (i.e. controls and substantive assurance only need to total an AF of 2.0).
. Controls assurance: audit procedures to test the operating effectiveness of controls
that would prevent or detect an error in an audit assertion can provide controls
assurance and reduce the substantive assurance required. Obtaining sufficient
assurance over the operating effectiveness of controls mitigating Significant Risks (i.e.
controls assurance of 2.3) requires more extensive controls testing than obtaining
controls assurance of 1.3 from tests of controls over other assertions.
. Substantive assurance: the extent of substantive audit procedures required to
obtain substantive assurance that an assertion is not materially misstated is affected
by whether there are other sources of assurance available.
3.79. The diagram in next page shows how the sources of assurance interact in obtaining
sufficient assurance.

Page | 29
 Figure 4: Build-up of audit assurance over each audit assertion are shown in the diagram

Note: Basic Substantive Procedures is the level of substantive procedures that should be planned if the auditor
plans to take controls assurance over the assertion.
Standard Substantive Procedures: This is the level of substantive procedures that should be performed by the
auditor if there are no Specific Risks over an assertion and a controls reliance approach has not been
adopted.
Focused Substantive Procedures: This is the level of substantive procedures that should be performed by the
auditor if they have identified a Specific Risk over an assertion, and either it is not planned to test controls
or reliance cannot be placed on the controls due to inadequate design or unsuccessful controls testing.

Page | 30
3.80. The auditor should plan whether to rely on controls and substantive procedures, or
substantive procedures alone, depending upon which approach is expected to be more
effective in obtaining sufficient appropriate audit evidence. In making this decision, the
auditor should also consider the efficiency of the planned approach (where effectiveness
would not be affected).
3.81. Irrespective of the assessed risks of material misstatement identified in planning, the
auditor should design and perform substantive procedures for each significant class of
transactions, account balance, and disclosure. (Ref: ISA 330 para A42-A47)
3.82. The auditor should consider where it would be appropriate to use external confirmations
as part of the substantive procedures, for example to request independent confirmations
of bank balances. (Ref: ISA 330 para A48-A51)
3.83. Where there is a Specific Risk, the auditor should design tests which are specifically
responsive to the risk, which is not necessarily achieved by simply increasing the scope of
testing.
3.84. Performing “standard” audit tests with an increased sample size is often neither effective
nor efficient to address Specific Risks – “increasing the extent of an audit procedure is
effective only if the audit procedure itself is relevant to the specific risk” (ISA 330 para
A15). Tailored audit tests and/or supplemental procedures are often more effective.

Example: Effective and ineffective responses to Specific Risks

The auditor has identified a Specific Risk of fraud through local finance staff maintaining “ghost
employees” on the system after staff leave, and changing bank details to match their own. Extending
standard audit tests would not necessarily provide assurance over this, as payments would appear to
have been correctly processed. Using Computer Assisted Audit Techniques (CAATs) to identify
examples of duplicate bank details or addresses among employees for follow-up, and using analytical
procedures to identify if there were any locations with unusually low staff turnover, would address the
Specific Risk directly.
[

Testing Non-signi�icant Audit Areas

3.85. The ISAs only require substantive audit procedures be performed for classes of
transactions, account balances, and disclosures that are material (i.e. significant Audit
Areas). However, the auditor should plan to do a minimum level of substantive
procedures on non-significant Audit Areas. This is below the level of testing that would
be required for a significant Audit Area.
3.86. The auditor should consider whether the nature of balance means that additional audit
procedures should be performed to gain assurance over any particular assertion.

Page | 31
3.87. If more complex tests are required to address an Audit Area, this may indicate that this is
in fact a significant Audit Area.
3.88. Substantive analytical procedures can, if considered appropriate by the auditor, be based
upon a comparison to prior year.
3.89. Tolerable error should be set at the lower of Performance Materiality or 25% of recorded
amount (unless a lower tolerable difference is considered appropriate).

Example: auditing a non-significant revenue audit area

Interest receipts are a non-significant element of income at a total of Tk. 1 lac (prior year Tk.
1.2 lac) made up of receipts of interest during the year being audited from a number of fixed
term bank deposits. The auditor has tested by agreeing the amount received to the trial
balance and assessing its reasonableness against the average amount of money on deposit
during the year and prevailing interest rates for fixed term deposits.

3.90. Tests of detail of non-significant Audit Areas do not have to cover all audit assertions
unless considered necessary by the auditor. The planned procedures can be either an
overstatement or understatement test i.e. either a sample of recorded items traced to
supporting evidence, or a sample of items which would be expected to be recorded
traced to the ledger (and so the test does not have to test for both occurrence and
existence). Overstatement tests would typically be appropriate for debit items, and
understatement tests for credit items.

Documenting the Audit Approach for Each Audit Area

[

3.91. The Audit Area Testing Plan at Annex G is to be used to provide a manageable means of
viewing the audit approach for audit areas and to provide a means of documenting the
sources of assurance. It is to be used in conjunction with the Significant Risks Testing Plan
at Annex F to document how the auditor plans to achieve the planned level of assurance
for each Audit Area. Both Annexes F and G should be completed electronically for each
audit and loaded on to the planning section of AMMS to support the planned audit
approach.

Decision Process for Planning Audit Approach to Audit Areas

[

3.92. The planned audit approach to each Audit Area should reflect the auditor’s consideration
of the most effective and efficient way of obtaining sufficient appropriate audit evidence
over each assertion through a combination of tests of controls and substantive
procedures, or substantive procedures alone.

Page | 32
3.93. Tests of controls are designed to evaluate the operating effectiveness of controls in
preventing, or detecting and correcting, material misstatements at the assertion level.
Designing tests of controls to obtain relevant audit evidence includes identifying
conditions (characteristics or attributes) that indicate performance of a control, and
deviation conditions which indicate departures from adequate performance. The auditor
can then test the presence or absence of those conditions to determine whether the
controls have operated effectively.

3.94. Substantive procedures are designed to detect material misstatements at the assertion
level. Designing substantive procedures includes identifying conditions relevant to the
purpose of the test that constitute a misstatement in the relevant assertion.
3.95. Substantive procedures can include substantive analytical procedures or tests of detail.
3.96. Selecting items to test through tests of detail may be done by a variety of methods,
including testing 100% of items, testing specific items, and audit sampling.

Computer Assisted Audit Techniques

3.97. Computer Assisted Audit Techniques (‘CAATs’) describes a variety of methods of using
information technology in audits, ranging from simple automation of checks such as
casting of totals through to sophisticated analyses which would not be practical without
using software.
3.98. The use of CAATs may enable 100% tests of electronic transactions and account files to
be performed efficiently. This may be particularly useful in responding to Significant
Risks.
3.99. CAATs can be used to select sample transactions from key electronic files, to sort
transactions with specific characteristics, to test an entire population or to select a
sample of transactions.
3.100. All OCAG auditors should have access to the main CAATs tool, IDEA. It is best practice to
use a number of simple CAATs during audit testing to increase the effectiveness and
efficiency of the work by the auditors e.g. replacing manual consistency checks.
3.101. Audit Team members should make use of IDEA where they judge it would be an
effective substitute for equivalent manual procedures.
3.102. The auditor may also design CAATs as risk assessment procedures or audit tests to
obtain assurance over assertions or address Significant Risks. CAATs can be used in risk
assessment procedures or audit tests.
3.103. Any use of CAATs is dependent upon handling electronic data produced by the entity. All
auditors should be aware of the need to respect and protect this data to hold it

Page | 33
 securely, only hold it for as long as is necessary, and dispose of it securely once it is no
longer needed.
3.104. When using CAATs, the auditor should evaluate whether the information is sufficiently
reliable for the purposes, including as necessary in the circumstances:
(a) obtaining audit evidence about the accuracy and completeness of the information;
(Ref: ISA 500 para A49-A50) and
(b) evaluating whether the information is sufficiently precise and detailed for the
auditor's purposes. (Ref: ISA 500 para A51)
3.105. Evidence about accuracy and completeness of information used in performing an audit
procedure can be obtained concurrently as an integral part of the audit procedure itself,
by testing controls over the preparation and maintenance of the information, or by
additional audit procedures. For example, the auditor might check that the listing being
used totals to the amount included in the trial balance, which, together with the tests
performed as part of the CAATs, would give assurance over this.
3.106. Where CAATs are relied upon for substantive assurance the testing will include vouching
back sample items selected to source documentation.
3.107. CAATs can be used to automate a number of audit procedures, such as:
. selection of statistically valid samples e.g. using Monetary Unit Sampling;
. reperforming calculations;
. reconciling the general ledger to sub-ledgers;
. recalculating totals or subtotals in files;
. analysing and summarising data (e.g. splitting into debits and credits);
. developing expectations for substantive analytical procedures;
. selection of items with particular characteristics in a balance.
3.108. CAATs can be effective as a tool for checking the accuracy and completeness of
information taken from data sets the auditor is already testing for other purposes. For
example, CAATs can be used to re-create the trial balance by performing summarisation
of account code totals.

Using Computer Assisted Audit Techniques (CAATs) as Risk Assessment Procedures or as

Audit Tests

3.109. As part of establishing the Overall Audit Strategy, the auditor should consider whether it
would be effective and efficient to use Computer Assisted Audit Techniques as risk
assessment procedures or as audit tests and document on the planning section of
AMMS.
3.110. Examples of uses of CAATs as risk assessment procedures include:

Page | 34
 . performing analyses to check what the client is telling us about the nature of
transactions;
. performing preliminary analytical procedures, such as comparisons of outturn
by location, or by types of expenditure; and
. summarising transactions with particular counterparties.

Common Examples of Using CAATs as an Audit Tests are in Journal Entry Testing and
Profiling
3.111. Other examples of possible uses of CAATs as audit tests include:
. identifying duplicate payments;
. checking numeric/date sequences such as order or invoice numbers for gaps;
. comparing addresses or other information to identify employees that are also
suppliers;
. comparing addresses or other information to identify possible ghost employees;
. identifying suppliers with only PO Boxes as addresses;
. sorting payments by value to identify transactions that fall just under
authorisation limits;
. identifying unusual items e.g.:
 employees working unusually high hours or at unusual rates;
 unusually high or frequent expense claims;
 unusual patterns in the level of usage of suppliers;
 large round-sum items;
. checking data logs for modifications to master files; and
. checking for slow-moving inventory.

Journal Entry Testing

3.112. The auditor is required to test journal entries as part of their response to the Pervasive
Risk of fraud through management override of controls.
3.113. When automated procedures are used to maintain the general ledger and prepare
financial statements, journal entries may exist only in electronic form. It may, therefore,
be most effective and efficient to use CAATs to test journal entries.
3.114. Where possible, IDEA should be used to identify journals of interest (in particular year-
end journals) and selecting some (or, if higher risk, all) of those journals for testing. For
example, IDEA can be used to identify:
. journals exceeding authorisation limits;

Page | 35
 . journals raised by individuals raising few journals in the year;
. journals containing key-words such as “correction”, “error”, “fraud”, “write-off”
etc; or
. journals posted to accounts of particular sensitivity.

Pro�iling

3.115. CAATs are usually necessary when the auditor uses profiling as a sampling technique for
tests of detail. Profiling is a sampling technique which can be used where it is possible to
identify characteristics of items within the population which would indicate whether or
not they are likely to be of audit interest. Profiling involves stratifying population into
items requiring differing levels of testing, focusing testing on the items most likely to be
of audit interest while reducing the overall extent of the procedures performed.
Examples:
a) Divide the population of the non-payroll expenditure population into expenditure
in each month of the year of account. This may indicate that there has been a
year end surge of expenditure to use up the available budget. Audit testing might
be focussed on the month when expenditure is maximum (presumably the last
month in the year of account) with a focus on finding whether expenditure was
bona fide and good value for money and not paid for in advance of need to use
up the budget;
b) Divide the population of the non-payroll expenditure population into expenditure
in each day of the week during the year of account. Extract the higher risk items
of expenditure on weekend days. If it is not normal to spend money on a
weekend, investigate a sample of weekend expenditure to confirm it is for bona
fide business purposes and not personal expenditure.

Audit Programmes
3.116. An audit programme should be written for each audit area setting out the risks specific
to the audit area (and potential consequences if the risk is realised), the objectives of
the testing, and the audit tests required to reflect the planned audit approach. Each
audit test in the audit programme should have the audit assertions that are being tested
and have a space for the auditor(s) who have carried out the audit to sign to indicate
that they have completed the test and a working paper reference for the details of the
testing carried out (working paper and/or matrix of test results).

Page | 36
3.117. Each completed audit programme should, once the audit plan has been approved, be
loaded on to AMMS to ensure that they are all completed as part of the audit.
3.118. Some examples of audit programmes are given at annexes J1 to J10.
3.119. Some examples of Compliance audit procedures for inclusion in audit programmes are
given in Appendix 5.

Sampling (ISSAI 1530)

3.120. More details on sampling methodology and the OCAG policy on using sampling for both
financial and compliance audits to extract samples for detailed testing are given at
Annex K

Quality Control Over Audit Fieldwork

3.121. All elements of planning completed by junior members of staff should be loaded on to
AMMS and reviewed by a senior member of audit staff (most usually the team leader).
The team leader is responsible for pulling together the planned audit approach,
discussing it and agreeing it with the audited entity and the responsible Director
General. The agreed audit approach should be summarised in a single document.

Page | 37
 Chapter 4: Audit Fieldwork

Figure 5: The Audit Process (2) – Audit Procedures, Concluding and Reporting

(Continues from Figure 2 which shows the first stage in the audit process)

Perform Audit
Procedures

Evaluate Results

Form an Opinion

4.1. The auditor should design and perform audit procedures that are appropriate in the
circumstances for the purpose of obtaining sufficient appropriate audit evidence (ref: ISA
500 Para A1-A25). These audit procedures should be collated by audit area and included
in audit programmes (see paragraphs 3.115 to 3.117) to ensure that all planned audit
procedures are carried out.
4.2. The auditor can obtain audit evidence to draw reasonable conclusions on which to base
the audit opinion (financial audit) or conclusions (for compliance audit) through
performing:
. Risk Assessment Procedures to identify the risks that need to be addressed
through the audit (see section in Audit Planning for more detail); and
. a combination of substantive and controls procedures.
4.3. Audit procedures to obtain audit evidence can include (individually or in combination):
. inspection;
. observation;
. confirmation;
. recalculation;
. reperformance; and
. analytical procedures (see Annex I).

Page | 38
4.4. These procedures are in addition to inquiry. Although inquiry may provide important
audit evidence, and may even produce evidence of a misstatement, inquiry alone
ordinarily does not provide sufficient audit evidence of the absence of a material
misstatement at the assertion level, nor of the operating effectiveness of controls.
4.5. The sufficiency and appropriateness of audit evidence are interrelated. Sufficiency is the
measure of the quantity of audit evidence. The quantity of audit evidence needed is
affected by the assessment of the risks of misstatement (the higher the assessed risks,
the more audit evidence is likely to be required) and also by the quality of such audit
evidence (the higher the quality, the less may be required). Obtaining more audit
evidence, however, may not compensate for its poor quality.
4.6. Appropriateness is the measure of the quality of audit evidence i.e. whether it is relevant
and reliable support for the conclusions on which the audit opinion (financial audit) or
conclusions (for compliance audit) is based. The reliability of evidence is influenced by its
source and by its nature, and is dependent on the individual circumstances under which
it is obtained. It is also important that audit evidence should be collected on a timely
basis.
Example: Inter-relationship between quality of audit evidence and sufficiency
4.7. An issue has been identified over the terms of a side-agreement to a contract and what
had been agreed with a supplier. A Specific Risk has been identified that management
may be deliberately understating a liability or contingent liability associated with the
contract. Inquiry of management and others involved in negotiating and managing the
contract could provide extensive evidence in respect of this issue. However, this evidence
may not be appropriate (given the nature of the risk identified) nor sufficient (as the
quality of the evidence is poor in addressing a risk of deliberate misstatement). Extending
the inquiries of more members of staff may not achieve sufficient assurance. A direct
confirmation from the supplier to the Engagement Team, as part of a properly controlled
confirmation process, would be high quality audit evidence that is appropriate in the
circumstances. Unless there is a risk of collusion between management and the
confirming supplier, a confirmation together with brief inquiry of a member of client staff
may constitute sufficient appropriate audit evidence in the circumstances.
4.8. The Engagement Team should consider the relevance and reliability of the information to
be used as audit evidence when designing and performing audit procedures. (Ref: ISA
500 para A26-A33)
4.9. Designing appropriate audit procedures involves identifying audit tests which provide
relevant evidence.

Page | 39
4.10. Tests of controls are designed to evaluate the operating effectiveness of controls in
preventing, or detecting and correcting material misstatements at the assertion level.
Designing tests of controls to obtain relevant audit evidence includes identifying
conditions (characteristics or attributes) that indicate performance of a control, and
deviation conditions which indicate departures from adequate performance. The auditor
can then test the presence or absence of those conditions to determine whether the
controls have operated effectively.
4.11. Substantive procedures are designed to detect material misstatements at the assertion
level. They comprise tests of detail and substantive analytical procedures. Designing
substantive procedures includes identifying conditions relevant to the purpose of the
test that constitute a misstatement in the relevant assertion.
4.12. Although it is difficult to generalise about what makes audit evidence more reliable, and
there will be exceptions (for example, information obtained from an independent
external source may not be reliable if the source is not knowledgeable, or a
management's expert may lack objectivity), para A31 of ISA 500 notes the following
general guidance on reliability of evidence:
. “The reliability of audit evidence is increased when it is obtained from
independent sources outside the entity (for example, obtain a letter directly from
the bank to confirm the audited entity’s bank balance at the end of the year of
account).
. The reliability of audit evidence that is generated internally is increased when the
related controls, including those over its preparation and maintenance, imposed
by the entity are effective (for example audit evidence supporting the accuracy of
expenditure by an organisation is increased when the auditor finds there are
effective internal controls over the expenditure e.g., separation of duties in the
procurement process, effective use of delegated financial authority limits, monthly
reporting of totals vs budget profile to those charged with governance).
. Audit evidence obtained directly by the auditor (for example, observation of the
application of a control) is more reliable than audit evidence obtained indirectly or
by inference (for example, inquiry about the application of a control).
. Audit evidence in documentary form, whether paper, electronic, or other medium,
is more reliable than evidence obtained orally (for example, a contemporaneously
written record of a meeting is more reliable than a subsequent oral representation
of the matters discussed).
. Audit evidence provided by original documents is more reliable than audit
evidence provided by photocopies or facsimiles, or documents that have been
filmed, digitised or otherwise transformed into electronic form, the reliability of

Page | 40
 which may depend on the controls over their preparation and maintenance. For
example, original invoices are better audit evidence than photocopies invoices as
changes made manually before photocopying may be difficult to identify.
4.13. When designing tests of controls and tests of detail, the auditor shall determine means
of selecting items for testing that are effective in meeting the purpose of the audit
procedure (Ref: ISA 500 para A52-A56). This may be by:
. selecting all items (100% examination);
. selecting specific items; or
. audit sampling.
4.14. Guidance on the appropriate means of selecting items to test is included in Annex K.
4.15. When designing and performing substantive analytical procedures the auditor should
determine the suitability of particular substantive analytical procedures for given
assertions, taking into account of the assessed risks of material misstatement and tests
of detail, if any, for these assertions. (Ref: ISA 520 para A6-A11)
4.16. If audit evidence obtained from different sources is inconsistent, or the auditor has
doubts over the reliability of information to be used as audit evidence, the auditor should
determine what modifications or additions to audit procedures are necessary to resolve
the matter and consider the effect of the matter, if any, on ot her aspects of the audit.
(Ref: ISA 500 para A57)
4.17. If, during audit testing or after reaching a conclusion, the auditor identifies information
that is inconsistent with the final conclusion which the auditor has reached regarding a
significant matter, the auditor should document how they have addressed the
inconsistency. (Ref: ISA 230 para A15)
4.18. Unless the auditor has reason to believe the contrary, the auditor may accept records
and documents as genuine. If conditions identified during the audit cause the auditor to
believe that a document may not be authentic or that terms in a document have been
modified but not disclosed to them, auditor should investigate further. (Ref: ISA 240 A9)
4.19. Possible procedures to investigate further may include:
. confirming directly with the third party; or
. using the work of an expert to assess the document's authenticity.

Use of Information Produced by the Entity

4.20. When using information produced by the entity, the auditor should evaluate whether the
information is sufficiently reliable for their purposes, including as necessary in the
circumstances:
a) obtaining audit evidence about the accuracy and completeness of the
information; and (Ref: ISA 500 para A49-A50)

Page | 41
 b) evaluating whether the information is sufficiently precise and detailed for the
auditor's purposes. (Ref: ISA 500 para A51)
4.21. Audit evidence about the accuracy and completeness of information used in testing is
necessary as the results of tests will be less reliable if they are based on inaccurate or
incomplete data.
4.22. Evidence about accuracy and completeness of information used in performing an audit
procedure can be obtained concurrently as an integral part of the audit procedure itself,
by testing controls over the preparation and maintenance of the information, or by
additional audit procedures.

Use of Information Prepared by Management’s Experts

4.23. The preparation of the financial statements may require expertise in fields other than
accounting or auditing, such as actuarial calculations, valuations or engineering data.
Management may employ or engage experts to provide the necessary expertise.
4.24. Where information used in the audit has been prepared using the work of an expert
employed or engaged by the entity, then the auditor should (Ref: ISA 500 para A34- A36):
 evaluate the competence, capabilities and objectivity of the expert; (Ref: ISA
500 para A37- A43)
 obtain an understanding of the work of the expert; (Ref: ISA 500 para A44-
A47) and
 evaluate the appropriateness of the expert’s work as audit evidence for the
relevant assertion .(Ref: ISA 500 para A48)
4.25. The extent of the work required depends on how significant management’s expert’s
work is in the context of the audit– i.e. the audit procedures should reflect the
materiality and risks of the balance or transaction being materially misstated.
4.26. Where the entity has used an expert because of a need for expertise in a field other than
accounting or auditing, the auditor should determine whether to use the work of an
OCAG expert. (Ref: ISA 620 para A4-A9)
4.27. The nature, timing and extent of the audit procedures required may be affected by such
matters as:
 the nature and complexity of the matter to which management's expert’s work
relates;
 the risks of material misstatement;
 the availability of alternative sources of audit evidence;
 the nature, scope and objectives of management's expert's work;

Page | 42
  whether the management's expert is employed by the entity, or is a party
engaged by it to provide relevant services;
 the extent to which management can exercise control or influence over the
work of management's expert;
 whether management's expert is subject to technical performance standards
or other professional or industry requirements;
 the nature and extent of any controls within the entity over management's
expert's work;
 the auditor’s knowledge and experience of management's expert's field of
expertise; and
 their previous experience of the work of that expert.

Competence, Capability and Objectivity of Management’s Expert

4.28. The competence, capabilities and objectivity of management’s expert should be
evaluated to assess the reliability of information produced by the expert. In assessing
this:
 competence relates to the nature and level of expertise of management's
expert;
 capability relates the ability of management's expert to exercise that
competence in the circumstances. Factors that influence capability may include,
for example, geographic location, and the availability of time and resources; and
 objectivity relates to the possible effects that bias, conflict of interest or the
influence of others may have on the professional or business judgement of
management's expert.
4.29. Information can come from:
 personal experience with previous work of that expert;
 discussions with that expert;
 discussions with others who are familiar with that expert's work;
 knowledge of that expert's qualifications, membership of a professional body
or industry association, license to practice, or other forms of external
recognition;
 published papers or books written by that expert; or
 an OCAG expert, if any, who assists the auditor in obtaining sufficient
appropriate audit evidence in respect to information produced by the
management's expert.

4.30. Relevant factors to consider include:

 whether the expert's work is subject to technical performance standards or
other professional or industry requirements, for example, ethical standards
Page | 43
 and other membership requirements of a professional body or industry
association, accreditation standards of a licensing body, or requirements
imposed by law or regulation;
 the relevance of management's expert's competence to the matter for which
that expert's work will be used, including any areas of specialty within that
expert's field;
 management's expert's competence with respect to relevant accounting
requirements, for example, knowledge of assumptions and methods, including
models where applicable, that are consistent with the financial reporting
framework; and
 whether unexpected events, changes in conditions, or the audit evidence
obtained from the results of audit procedures indicate that it may be necessary
to reconsider the initial evaluation of the competence, capabilities and
objectivity of management's expert as the audit progresses.

4.31. Threats to objectivity can arise from a variety of sources:

 self-interest threats;
 advocacy threats;
 familiarity threats;
 self-review threats; and
 intimidation threats.
4.32. Safeguards may reduce such threats, and may be created either by external structures
(for example, the management's expert's profession, legislation or regulation), or by the
management's expert's work environment (for example, quality control policies and
procedures).
4.33. Although safeguards cannot eliminate all threats to a management's expert's objectivity,
threats such as intimidation threats may be of less significance to an expert engaged by
the entity than to an expert employed by the entity, and the effectiveness of safeguards
such as quality control policies and procedures may be greater. Because the threat to
objectivity created by being an employee of the entity will always be present, an expert
employed by the entity cannot ordinarily be regarded as being more likely to be objective
than other employees.
4.34. When evaluating the objectivity of an expert engaged by the entity, it may be relevant to
discuss with management and that expert any interests and relationships that may
create threats to the expert's objectivity, and any applicable safeguards, including any
professional requirements that apply to the expert; and to evaluate whether the
safeguards are adequate. Interests and relationships creating threats may include:

Page | 44
  financial interests;
 business and personal relationships;
 provision of other services.

Obtaining an Understanding of the Work of the Management's Expert

4.35. Understanding the work of the management's expert includes obtaining an

understanding of the relevant field of expertise.
4.36. An understanding of the relevant field of expertise may be obtained in conjunction with
the determination of whether the auditors have the expertise to evaluate the work of
the management's expert, or whether they need to involve an OCAG expert in the audit
to be able to evaluate management’s expert’s work.
4.37. The auditor should obtain an understanding of:
 whether the expert's field has areas of specialty within it that are relevant to
the audit, and whether the expert is familiar with that speciality;
 whether any professional or other standards, and regulatory or legal
requirements apply to the experts work and whether these have been
followed;
 what assumptions and methods are used by the management's expert, and
whether they are generally accepted within the expert's field and appropriate
for financial reporting purposes;
 the nature of internal and external data or information the expert uses; and
 if the expert is engaged by the entity, the terms of the engagement letter or
other written agreement, including nature, scope and objectives of the work,
the respective roles and responsibilities of management and the expert, and
nature, timing and extent of communication between management and the
expert. If the expert is employed by the entity, it is less likely there will be a
written agreement of this kind. Inquiry of the expert and other members of
management may be the most appropriate way to obtain the necessary
understanding.

Evaluating the Appropriateness of the Management's Expert's Work

4.38. The auditor should evaluate the appropriateness of management’s expert’s work,
including consideration of:
 the relevance and reasonableness of that expert's findings or conclusions,
their consistency with other audit evidence, and whether they have been
appropriately reflected in the financial statements;

Page | 45
  if that expert's work involves use of significant assumptions and methods, the
relevance and reasonableness of those assumptions and methods; and
 if that expert's work involves significant use of source data the relevance,
completeness, and accuracy of that source data.

Fieldwork for Audit Areas

4.39. The overall audit objective in performing testing is to obtain sufficient appropriate audit
evidence to be able to draw reasonable conclusions on which to base the audit opinion.
Designing and implementing appropriate responses to testing the assertions,
management make about each Audit Area is a key element of obtaining this evidence.
4.40. As discussed in the Audit Assurance Model in section of Chapter 3, the overall OCAG
financial audit approach is to obtain assurance over each audit assertion for significant
classes of transactions, account balances, or disclosures in the financial statements
through a combination of inherent, controls and substantive assurance. A mix of
assurances may also be appropriate in a compliance audit, so the same sort of analysis
may be appropriate.
4.41. If, based on the audit Risk Assessment Procedures, the auditor has not identified a
Specific Risk over an assertion, then the auditor may have inherent assurance over that
assertion. The auditor, therefore, requires less assurance from controls and substantive
testing than they would if there were a Specific Risk over that assertion, as summarised
below.
4.42. Note that if one assertion in respect of an Audit Area is affected by a Specific Risk, the
auditor may still be able to take inherent assurance over other assertions i.e. a Specific
Risk does not necessarily increase the required assurance from controls and substantive
tests over all assertions in an Audit Area.
4.43. The nature, timing and extent of the planned audit procedures should be based on, and
responsive to, the assessed risks of material misstatement for the Audit Area, i.e. the
appropriate procedures to test a particular assertion will vary depending upon the nature
of the balance.

Nature
4.44. The planned audit approach to address each assertion in respect of an Audit Area should
reflect the Director General and Manager’s consideration of the most effective and
efficient way of obtaining sufficient appropriate audit evidence. This may be through a
combination of tests of controls and substantive procedures, or substantive procedures
alone.

Page | 46
4.45. The auditor should design and perform controls and/or substantive audit procedures
whose nature, timing, and extent are based on and are responsive to the assessed risks
of material misstatement at the assertion level. (Ref: ISA 330 para A4-A8)
4.46. In designing the nature, timing and extent of the audit procedures to be performed, the
auditor should consider what the risks are for the particular Audit Area which could lead
to an error in respect of a particular assertion. This consideration should reflect the
results of the Risk Assessment Procedures in respect of each assertion for the Audit
Area, including the likelihood of material misstatement due to the particular
characteristics of the relevant class of transactions, account balance, or disclosure. (Ref:
ISA 330 para A9-A18)
4.47. The auditor should obtain more persuasive audit evidence higher than their assessment
of risk. (Ref: ISA 330 para A19)
4.48. ISA 330 provides guidance on the meaning of nature, timing and extent of procedures,
and notes that the nature of the audit procedures is the most important element of
designing procedures which are responsive to the assessed risks of material
misstatement:
 the nature of an audit procedure refers to its purpose (i.e. test of controls or
substantive procedure) and its type (that is, inspection, observation, inquiry,
confirmation, recalculation, reperformance, or analytical procedure);
 timing of an audit procedure refers to when it is performed, or the period or
date to which the audit evidence applies;
 extent of an audit procedure refers to the quantity to be performed, for
example, a sample size or the number of observations of a control activity.
4.49. As well as affecting the nature, timing and extent of the planned procedures, the risks
identified may affect whether more than one procedure should be performed in
combination.
4.50. For assertions not affected by Specific Risks, the auditor can obtain assurance from:
 Controls procedures together with Tests of detail (including CAATs or reliance
on others);
 Controls procedures together with Substantive Analytic Procedures;
 Tests of detail alone (including CAATs or reliance on others); or
 Substantive Analytic Procedures alone.
4.51. The auditor should determine whether it is appropriate to plan to obtain assurance over
an assertion from the entity’s control activities.
4.52. If the auditor plans to rely on controls for assurance over particular assertions, then they
should evaluate the design and implementation of the relevant control activities, and
plan to test the operating effectiveness of the controls in the current period.

Page | 47
4.53. If auditor does not plan to rely on controls in respect of any assertions in an Audit Area,
then they do not need to evaluate the design and implementation of any controls over
that Audit Area or to perform any controls testing.
4.54. The auditor should consider whether external confirmation procedures are to be
performed as substantive audit procedures. (Ref: ISA 330 para A48-A51)
[

Timing
4.55. The auditor should consider whether it is effective and efficient to perform audit
procedures at an interim date, and perform “roll-forward” testing to the year-end.
4.56. The timing of audit procedures should reflect the nature of the risk affecting each
assertion.

Extent
4.57. The auditor should determine the extent of the controls and substantive procedures
required based upon the materiality, the assessed risk, and how much assurance they
plan to obtain from each of controls and substantive assurance. Detailed guidance on
how to determine the extent of testing is set out in the chapters on each testing
approach.

Decision Process for Approach to Testing an Assertion

4.58. Selecting an appropriate audit approach for each assertion is important both in terms of
delivering an effective audit, and also in terms of audit efficiency.
4.59. The nature of the planned procedures is the most important factor in ensuring that the
auditor obtains appropriate assurance over each assertion. Increasing the extent of an
audit procedure is effective only if the audit procedure itself is relevant to the risks over
an assertion.
4.60. Parliament and the public generally expect public bodies to have effective controls in
place to mitigate the risks that affect them. Therefore, the expectation should be that
there are appropriately designed and implemented controls in place over most Audit
Areas.
4.61. Where this is the case, it will usually be appropriate to test the operating effectiveness of
relevant controls, and then to perform a basic level of substantive procedures.
4.62. This may be carried out through substantive analytical procedures, CAATs, around
accounting estimates, or tests of detail:
 if using substantive analytical procedures, they should be predictive in nature
and performed with a tolerable error that is the lower of Performance Materiality

Page | 48
 and 10-25% of the recorded amount (with the percentage set by the team using
professional judgement).
 if using sample testing, the minimum sample size for tests of detail is 5 items, and
Monetary Unit Sampling (MUS) is typically an appropriate sample selection
method.
4.63. If appropriately designed and implemented controls are in place, but it is not effective
and efficient to test the operating effectiveness of controls, then the auditor will need to
perform a standard level of substantive procedures:
. if using sample testing, the minimum sample size for tests of detail is 5 items, and
Monetary Unit Sampling (MUS) is typically an appropriate sample selection
method; and
. if using substantive analytical procedures, the analytical procedures should be
predictive in nature and performed with a tolerable error of (Materiality x SqRt
(Recorded Amount/Materiality Base), capped at Performance Materiality.
4.64. The auditor should perform substantive procedures to obtain assurance over the
financial statements, including:
a) agreeing or reconciling the financial statements with the underlying accounting
records; and
b) examining material journal entries and other adjustments made during the
course of preparing the financial statements. (Ref: ISA 330 para A52)
4.65. The procedures around year-end journal entries will normally be combined with the
procedures performed in responding to the pervasive risk of management override of
controls. If there is a specific year-end journal process, the auditor should ensure that the
testing includes all material year-end journals.
4.66. In some accounting systems, year-end journals are reflected in an additional “Period 13”
accounting period, or otherwise segregated within the accounting system. In other
entities, adjustments may be posted directly in the preparation of the financial
statements, without adjustments necessarily being reflected in the underlying records.
4.67. The nature and extent of procedures on journal entries and other adjustments in
preparing the financial statements depends on the nature and complexity of the financial
reporting close down the process and any risks identified.
4.68. It is usually most efficient for the final audit to begin after management have prepared a
draft account. Example of procedures for agreeing financial statements to supporting
records and examining journals and other adjustments are discussed below.

Page | 49
Auditing from a Draft Account: Procedures for Agreeing Financial Statements and
Examining Journals and Other Adjustments

4.69. If the audit work on classes of transactions and account balances takes place after
management have prepared a draft account, typically agreeing or reconciling the
financial statements with the underlying accounting records will involve:
Before beginning testing as part of the year-end audit:
. obtaining management’s mapping from the trial balance to the financial
statements;
. checking that the mapping of individual lines to audit areas is appropriate;
. identifying adjustments between the trial balance and the draft account; and
. preparing lead schedules based upon the draft account.
In performing testing as part of the year-end audit:
. testing material journal entries in the preparation of the draft account (typically
as part of responding to the pervasive risk of management override of controls);
. testing material adjustments between the trial balance and the draft account;
and
. testing other journal entries and adjustments in the preparation of the draft
account where appropriate (typically most adjustments in preparing the draft
account will be tested)
In auditing the final financial statements:
. update lead schedules for adjustments between draft and final account;
. testing material journal entries between the draft and final account;
. testing material adjustments between the draft and final account; and
. testing other journal entries and adjustments in the preparation of the final
account where appropriate (typically most adjustments in preparing the final
account will be tested)
Assurance is, therefore, built up out of:
. audit of the draft account figures, including journal entries and other
adjustments between the trial balance and draft account; and
. audit of adjustments between draft account and final account.
4.70. Where it is not possible/ practicable to audit from a draft account, it may be necessary to
perform the audit work on classes of transactions and account balances from the trial
balance and later perform procedures on the financial statements. This approach may
also be appropriate in some circumstances when auditing components of groups to
facilitate the consolidation process.

Page | 50
Evaluate Presentation and Disclosures

4.71. The auditor should perform audit procedures to evaluate whether the overall
presentation of the financial statements, including the related disclosures, is in
accordance with the applicable financial reporting framework. (Ref: ISA 330 para A59)
4.72. This includes evaluating whether:
 the individual financial statements are presented in a manner that reflects the
appropriate classification and description of financial information in accordance
with the applicable financial reporting framework;
 the form, arrangement, and content of the financial statements and their
appended notes are in accordance with the applicable financial reporting
framework; and
 the terminologies used, the amount of detail given, the classification of items in
the statements, and the accounting bases used are in accordance with the
applicable financial reporting framework.

Information Accompanying the Financial Statements

4.73. The auditor should read information accompanying the financial statements that is not
included in the financial statements and ensure it is consistent with the financial
statements.
4.74. If, on reading the information, the auditor identifies a material inconsistency, the auditor
should determine whether the audited financial statements or the other information
needs to be revised.
4.75. If revision of the audited financial statements is necessary and management refuses to
make the revision, the auditor should modify the opinion in the audit report.
4.76. If revision of the information is necessary and management refuses to make the revision,
the auditor should:
a) include in the audit report an Other Matter(s) paragraph describing the material
inconsistency;
b) withhold the audit report; or
c) withdraw from the audit engagement where possible.
4.77. The Engagement Team should document in the electronic working paper file the work
performed in auditing the financial statements and disclosures. The Audit Area Testing
Plan (Annex G) includes space to document the planned procedures.
4.78. The electronic working paper file should demonstrate that the financial statements agree
or reconcile with the underlying accounting records.
4.79. The documentation on the electronic working paper file should include a referenced and
tied in version of the final financial statements.
Page | 51
4.80. A clear audit trail between initial audit work and the final account, including clear
documentation of how adjustments have been audited, is important in evidencing that
the audit opinion is appropriately supported.
4.81. The lead schedule adjustment columns provide a useful mechanism for documenting this
(see template lead schedule at Annex L).
4.82. The electronic working paper file documentation should include:
a) the results of those procedures performed to assess whether the information in the
material to be published with the financial statements is consistent with the
financial statements, including details of any material inconsistencies identified and
how they were resolved; and
b) the conclusion reached as to whether the information in the material to be
published with the financial statements is consistent with the financial statements.

Testing Controls

4.83. See Annex M for detailed guidance on how the testing of controls should be conducted
and documented, including guidance on sample sizes for different tests of control. For
both financial and compliance audits, controls testing carried out should be fully
documented on AMMS, along with recommendations for improvement in cases where
control were either found to be absent or found to be present but ineffective or not
documented properly.

Tests of Detail

Background
4.84. ‘Tests of detail’ are substantive audit procedures which do not involve analytical review.
4.85. Tests of detail can include:
 100% tests, covering every item in a population;
 Computer Assisted Audit Techniques, focussing testing on relevant items in the
population; or
 audit sampling.
4.86. The procedures performed may include:
 physical examination;
 vouching;
 recalculation;
 confirmation of individual items or transactions;
 observation; and
 inspection.

Page | 52
4.87. Appropriately designed tests of detail can provide sufficient appropriate audit evidence
to provide all of the assurance over an assertion, including when there is a Specific Risk.
4.88. Tests of detail may also be combined with tests of control or substantive analytic
procedures to provide the overall planned assurance.
4.89. Tests of detail and analytical procedures carried out should be documented in working
papers and/or matrices of test results and the completed working paper(s) should be
loaded on to AMMS.

Relevant ISA/ISSAIs and Other Guidance

4.90. The basic requirements which should be adhered to in respect of OCAG audits are
contained in International Standards on Auditing (ISAs). The main requirements and
guidance which impacts upon this area of the audit are contained in ISA 330 “The
Auditor’s Response to Assessed Risks”, ISA 500 “Audit Evidence”, and ISA 530 “Audit
Sampling”.
4.91. All OCAG audits must comply with these standards. The guidance contained here
emphasises the requirements of these standards and interprets the requirements in an
OCAG context. Where relevant, the paragraphs cross-reference the application guidance
in the ISAs.

Core Policies and Guidance

Uses for Tests of Detail
4.92. The planned audit approach to each Audit Area should reflect the auditor’s consideration
of the most effective and efficient way of obtaining sufficient appropriate audit evidence
over each assertion through a combination of tests of controls and substantive
procedures, or substantive procedures alone.
4.93. Where Tests of Detail are an effective and efficient source of substantive assurance, the
auditor should plan to use them as the substantive procedures required by ISA 330.
4.94. Depending upon the entity’s circumstances, appropriately designed Tests of Detail may
provide substantive assurance over any assertion or Audit Area.
4.95. Although it may be possible to obtain all assurance over an assertion from Tests of Detail,
the auditor should consider whether it is more effective and efficient to perform testing
in combination with Tests of Controls or Substantive Analytical Procedures.
4.96. Where there is a Specific Risk, although the auditor cannot obtain all assurance from
Substantive Analytical Procedures, it may be effective and effi cient to obtain the
assurance through a combination of Tests of Detail and Substantive Analytical
Procedures.

Page | 53
4.97. Where this is the case, the auditor may perform Tests of Detail with an Assurance Factor1
(AF) of 1.0 and Substantive Analytic Procedures with an AF of 2.0, or Tests of Detail with
an AF of 2.3 and Substantive Analytic Procedures with an AF of 0.7.
4.98. Although using both Substantive Analytical Procedures and tests of detail require teams
to perform two separate tests, this will often provide high quality audit evidence through
providing assurance from both analysis vs. appropriately generated expectations, and
tests of underlying transactions.
4.99. The planned approach should reflect the most effective and efficient approach to
obtaining the planned levels of assurance.
4.100. The appropriateness of testing an assertion through Tests of Detail (and through any
particular test) is dependent upon a number of factors including:
. the nature of the entity and its operations;
. the auditor’s knowledge of the client, gained from previous years' audits or
auditing similar entities;
. The assessment of the risks of material misstatement, including whether there is
a Specific Risk in respect of the assertion and the assessment of the risk of fraud;
. the reliability of the control environment;
. the risk of management override of controls;
. the extent to which assurance over multiple assurances can be obtained at the
same time;
. the need to incorporate an element of unpredictability into the testing;
. the availability of financial and non-financial data from internal and external
sources to enable testing including whether information is available to perform
CAATs; and
. the relative cost-effectiveness of undertaking tests of detail compared with
other means of obtaining evidence.

Planning and Performing Tests of Detail

Determine whether it is appropriate to use Tests of Detail
4.101. In planning whether to use Tests of Detail for an Audit Area, the auditor should
determine the suitability of particular Tests of Detail for each assertion, taking account
of the assessed risks of material misstatement and tests of controls, if any, for these
assertions. (Ref: ISA 520 para A6-A11)
4.102. Auditors should only plan to rely on Tests of Detail if they are an effective and efficient
means of obtaining audit evidence.

1
Assurance factors must add to 3.0 and show the planned balance between inherent assurance, controls
assurance and substantive assurance.

Page | 54
4.103. It may be appropriate to combine tests of detail with substantive analytical procedures
to obtain the overall planned level of assurance.
4.104. Substantive analytical procedures are in general an effective and efficient source of
audit evidence over large volumes of transactions which tend to be predictable over
time.
4.105. In particular, auditors should not assume that Tests of Detail based on large sample sizes
will automatically provide a high level of assurance as the assurance achieved depends
upon the nature and timing of the procedures performed, as well as their extent.

Determining how to Select Items for Testing

4.106. The auditor should determine means of selecting items for Tests of Detail that are
effective in meeting the purpose of the audit procedure. (Ref: ISA 500 para A52-A56)
4.107. There are three main selection methods available for Tests of Detail:
. 100% testing - where all transactions in the population or account balance are tested.
This may be appropriate where, for example:
 the population constitutes a small number of large value items, and so it is
time-efficient;
 there is a Specific Risk and other means do not provide sufficient appropriate
audit evidence; or
 the repetitive nature of a calculation or other process performed
automatically by an information system makes a 100% examination cost
effective.
. Selecting specific items - the auditor may decide that, based on their understanding of
the entity, assessed risks of material misstatement, and characteristics of the
population, the auditor wish to judgementally select specific items within the
population to obtain assurance. Specific items selected may include:
 High value or key items. Items where their high value, or with some other
characteristic, for example, items that are suspicious, unusual, particularly
risk-prone or that have a history of error, are selected.
 All items over a certain amount. The auditor may decide to examine items
whose recorded values exceed a certain amount so as to verify a large
proportion of the total amount of a class of transactions or account balance.
 Items to obtain information. The auditor may examine items to obtain
information about matters such as the nature of the entity or the nature of
transactions.
Selecting specific items for testing is a non-statistical sampling approach, and will
normally provide sufficient assurance over an assertion only where the auditor is able
to conclude and document that there is not a risk of material misstatement in respect

Page | 55
 of other items in the population, as it does not provide assurance over items which
have not been selected.
Selecting specific items may be appropriate for addressing a Specific Risk, where the
auditor can select all items with characteristics of interest.
. Audit Sampling - ISA 530 defines sampling as “The application of audit procedures to
less than 100% of items within a population of audit relevance such that all sampling
units have a chance of selection in order to provide the auditor with a reasonable basis
on which to draw conclusions about the entire population." Audit sampling usually
involves statistical sampling (although a non-statistical sample where all items have a
chance of selection would also enable us to draw conclusions about the whole
population).
If the auditor decides to use audit sampling as an approach, in designing the sample
approach, the auditor should consider the purpose of the audit procedure and the
characteristics of the population from which the sample will be drawn. (Ref: ISA 530
para A4-A9)
Methods of Sample Selection are:
Monetary Unit Sampling (MUS) - this is a method where the higher the value of a
transaction or balance, the more likely it is to be selected.
Judgemental Sampling - this is a method where the sample size is set judgementally,
rather than on statistical grounds. In order to provide assurance over an assertion,
the sampling method should give each item in the population a chance of selection.
Profiling - under this method the population is first divided into discrete sub-
populations with share characteristics which may be of audit interest. Sampling can
then be carried out in each sub-population. To use this method a good knowledge of
the account area is required.
Simple Random Sampling (for high error rate balances) - the main characteristic of this
method is that every transaction has the same chance of being included in the
sample.
4.108. Detailed guidance on when each approach is appropriate is set out in Annex K.
4.109. In planning Tests of Detail, the auditor should consider the appropriate direction(s) of
testing to obtain assurance over an assertion. For example, tests of detail related to the
completeness assertion may involve selecting from items that are expected to be
included in the relevant financial statement amount and investigating whether they are
included.
4.110. On the other hand, tests of detail related to the existence or occurrence assertion may
involve selecting from items contained in a financial statement amount and obtaining
the relevant audit evidence.

Page | 56
 not occur in reality/were falsified), so the auditor adds an ‘Overstatement test’ to the
audit programme. He or she will typically select a sample of transactions from a listing
of all recorded amounts, and the direction of the testing would be that he or she would
check from the recorded amounts for the sample of transactions to supporting
information.
4.113. By contrast, for the completeness assertion, the auditors require assurance that the
expenditure or receipts are not understated (as the list is not complete). Therefore, in
this case, the auditor would seek to select their sample from the source population, e.g.
for expenditure the source population might be all payments as detailed on the bank
statement or cash book, and the auditor might add a test in their audit programme to
check for a sample of payment transactions that the auditor select from the bank
statement that they are properly recorded in the listing of payments made that the
auditor is testing as part of the audit. Different tests are likely to be needed for
completeness of income, as there is a higher risk with cash receipts that all or part of the
receipt is misappropriated and never enters the bank account or the listing of receipts.

Determining the Planned Audit Tests

4.114. The appropriateness of a test to obtaining the planned level of assurance depends upon
the nature, timing and extent of the procedures performed.
4.115. The auditor should design appropriate procedures based upon:
(a) consideration of the reasons for the assessment given to the risk of material
misstatement for each assertion, including the likelihood of material misstatement
due to the particular characteristics of the Audit Area; and whether the auditor has
controls assurance; (Ref: ISA 330 para A9-A18)
(b) planning to obtain more persuasive audit evidence, the higher the Engagement
Team’s assessment of risk. (Ref: ISA 330 para A19)
4.116. The auditor may obtain more persuasive evidence by increasing the quantity of the
evidence through more extensive testing, or by obtaining evidence that is more relevant
or reliable, for example, by placing more emphasis on obtaining third party evidence.
4.117. The members of the audit team designing and performing the procedures should have a
clear understanding of what would constitute a misstatement so that the results of the
procedures can be appropriately evaluated.
4.118. If the auditor has identified a Specific Risk, he or she should plan and perform
procedures that are specifically responsive to that risk.

Nature
4.119. A test only provides assurance over an assertion if the nature of the test is appropriate.
For example:

Page | 58
 not occur in reality/were falsified), so the auditor adds an ‘Overstatement test’ to the
audit programme. He or she will typically select a sample of transactions from a listing
of all recorded amounts, and the direction of the testing would be that he or she would
check from the recorded amounts for the sample of transactions to supporting
information.
4.113. By contrast, for the completeness assertion, the auditors require assurance that the
expenditure or receipts are not understated (as the list is not complete). Therefore, in
this case, the auditor would seek to select their sample from the source population, e.g.
for expenditure the source population might be all payments as detailed on the bank
statement or cash book, and the auditor might add a test in their audit programme to
check for a sample of payment transactions that the auditor select from the bank
statement that they are properly recorded in the listing of payments made that the
auditor is testing as part of the audit. Different tests are likely to be needed for
completeness of income, as there is a higher risk with cash receipts that all or part of the
receipt is misappropriated and never enters the bank account or the listing of receipts.

Determining the Planned Audit Tests

4.114. The appropriateness of a test to obtaining the planned level of assurance depends upon
the nature, timing and extent of the procedures performed.
4.115. The auditor should design appropriate procedures based upon:
(a) consideration of the reasons for the assessment given to the risk of material
misstatement for each assertion, including the likelihood of material misstatement
due to the particular characteristics of the Audit Area; and whether the auditor has
controls assurance; (Ref: ISA 330 para A9-A18)
(b) planning to obtain more persuasive audit evidence, the higher the Engagement
Team’s assessment of risk. (Ref: ISA 330 para A19)
4.116. The auditor may obtain more persuasive evidence by increasing the quantity of the
evidence through more extensive testing, or by obtaining evidence that is more relevant
or reliable, for example, by placing more emphasis on obtaining third party evidence.
4.117. The members of the audit team designing and performing the procedures should have a
clear understanding of what would constitute a misstatement so that the results of the
procedures can be appropriately evaluated.
4.118. If the auditor has identified a Specific Risk, he or she should plan and perform
procedures that are specifically responsive to that risk.

Nature
4.119. A test only provides assurance over an assertion if the nature of the test is appropriate.
For example:

Page | 58
 . inspection of documents evidencing existence of an asset (such as a share
certificate) may not provide assurance over ownership or valuation.
. inspection of tangible assets may provide reliable audit evidence with respect to
their existence, but not necessarily about the entity's rights and obligations or
the valuation of the assets.
. evidence of post year-end receipt of payment on a debtor may evidence
valuation, but not that it was a debtor of the entity at the balance sheet date
(i.e. cut-off).
4.120. Possible tests of detail include:
. External Confirmation - This is a specific type of enquiry, where representation
of information is obtained directly from a third party. A bank certificate giving
details of a bank balance at a specific date is an example of confirmation
evidence.
. Recalculation - This involves checking the mathematical accuracy of documents
or records. Recalculation can be performed through the use of information
technology, for example, by obtaining an electronic file from the entity and
using CAATS to check the accuracy of the summarisation of the file.
. Inspection - Inspection involves examining records or documents, whether
internal or external, in paper form, electronic form, or other media, or a physical
examination of an asset. Inspection of records and documents provides audit
evidence of varying degrees of reliability, depending on their nature and source
and, in the case of internal records and documents, on the effectiveness of the
controls over their production.
4.121. Other means of obtaining audit evidence are reperformance, observation and enquiry.
In general, these are not appropriate for tests of detail:
. Re-performance - independently executing procedures that were originally
performed as, e.g., part of the client’s internal control. This may be done
manually or through the use of CAATS.
. Observation - looking at a process or procedure being performed by others.
Examples include the observation of the performance of control activities and
observation of the counting of inventory by the client staff. Observation
provides audit evidence about the performance of a process or procedure, but it
is limited to the point in time at which the observation takes place.
. Enquiry - seeking information from knowledgeable persons, both financial and
non-financial, within and outside the client’s organisation. Enquiry alone
ordinarily does not provide sufficient audit evidence and it should, therefore, be
supported with corroboration.

Page | 59
4.122. The ISAs specifically require the auditor to consider for each audit whether external
confirmation procedures should be performed. (Ref: ISA 330 para A48-A51)
4.123. Accordingly, in planning tests of detail the auditor should consider whether there are
any assertions which external confirmations would be particularly appropriate to test.
The auditor can confirm bank balances and other information relevant to banking
relationships, but it may be appropriate to obtain confirmations of:
. the terms of agreements, contracts, or transactions between an entity and
other parties, including the absence of certain conditions or side agreements;
. accounts receivable balances and terms;
. property title deeds held by lawyers for safe custody or as security;
. amounts due to lenders, including relevant terms of repayment and restrictive
covenants; or
 . accounts payable balances and terms.

Timing
4.124. Tests of detail may be performed at an interim date or at the period end.
4.125. The higher the risk of material misstatement, the more likely it is that the auditor may
decide it is more effective to perform substantive procedures nearer to, or at the
period end rather than at an earlier date, or to perform audit procedures unannounced
or at unpredictable times (for example, performing audit procedures at selected
locations on an unannounced basis). This is particularly relevant when considering the
response to the risks of fraud.

Example: Risk of fraud affecting timing of work

The auditor has identified a number of factors which indicate a Specific Risk of management
understating expenditure to avoid overspend against budget. The majority of testing had
historically been performed at an interim stage, with procedures at year-end to roll-forward
testing to year-end. However, due to the nature of the risk identified, the auditor concluded
that it would not be effective to rely on a roll-forward of completeness testing. All work on
completeness of liabilities was performed at year-end.

4.126. However, performing tests at an interim date may enable us to identify significant
matters at an early stage. This enables us to resolve them with the assistance of
management, or to develop an effective audit approach to address the issue.
4.127. Certain audit procedures can be performed only at or after the period end, for example:
. agreeing the financial statements to the accounting records;
. examining adjustments made during the course of preparing the financial
statements; and

Page | 60
 . procedures to respond to a risk that, at the period end, the entity may have
entered into improper payments in advance of need, or transactions may not
have been finalised.
4.128. Other factors that influence the auditor’s consideration of when to perform audit
procedures include:
. the control environment (as a strong control environment supports performing
work at an interim date);
. when relevant information is available (for example, electronic files may
subsequently be overwritten, or procedures to be observed may occur only at
certain times);
. the nature of the risk (for example, if there is a risk of manipulation of the
inventory balance, the auditor may wish to attend a year-end inventory count);
and
. the period or date to which the audit evidence being tested relates.

Extent
4.129. The extent of the procedures performed should reflect materiality, the assessed risk,
and the degree of assurance the auditor plans to obtain.
4.130. In general, the extent of audit procedures increases as the risk of material misstatement
increases. However, increasing the extent of an audit procedure is effective only if the
audit procedure itself is relevant to the specific risk.
4.131. The use of Computer Assisted Audit Techniques (CAATs) may enable more extensive
testing of electronic transactions and account files, which may be useful to enable more
extensive testing in response to a risk of fraud or material error. Such techniques can be
used to select sample transactions from key electronic files to sort transactions with
specific characteristics, or to test an entire population instead of a sample.

Documentation of Audit Fieldwork

4.132. All audit fieldwork carried out should be fully documented on working papers and/or
matrices of test results which should be loaded on to AMMS and cross referred to audit
programmes (referred to at paragraphs 3.115 to 3.117) with a statement as to whether
the planned assurance towards the audit assertion or assertions has been obtained, or if
not what additional work is to be carried out and/or reference to consequence for the
audit opinion. Any finding (e.g. error or control weakness) should be fully written up on
AMMS using template X noting observation, cause, effect and recommendation to
facilitate inclusion in the audit report. Also supporting documentation (e.g. photocopies
of supporting evidence should be retained).

Page | 61
4.133. Such documentation is necessary to ensure that all planned work has been properly
carried out and that sufficient evidence has been obtained to support the audit
conclusions and recommendations, and also to ensure that paragraphs in the audit
report are fully supported.
[

Concluding by Audit Area

4.134. When each individual audit programme has been completed, a conclusion should be
made for each audit area as to whether all planned work has been completed and
whether more work is needed. Any further work to that planned should be agreed with
the team leader. If no further audit work is considered necessary, then a conclusion
should be made for each audit area as to whether the planned assurance has been
obtained towards all relevant audit assertions. In cases where errors have been
identified, they should be extrapolated where appropriate to evaluate whether they are
material.
4.135. Also, for each audit area, audit findings of a similar nature should be grouped and
summarised and included in a list of all proposed findings, with observation, cause,
effect and recommendation for inclusion in the audit report.
Overall Conclusion
4.136. Conclusions for all audit areas should be brought together and summarised in order to
evaluate the total extent of error in the audit and decide the appropriate overall opinion
to give – see the next chapter for details. Further guidance on concluding is given at
paragraph 5.6.

Quality Control Over Audit Fieldwork

4.137. All working papers and matrices of test results loaded on to AMMS by junior members
of audit team should be reviewed by a senior member of audit team or team leader.
The reviewer should ensure that the working paper or matrix of test results has been
properly completed in order to evidence work done and that the appropriate test or
tests has/have been signed off on the audit programme. For each audit programme
test, the reviewer should ensure that there is a conclusion in terms of the extent to
which the results of the test give assurance towards the planned audit assertions.

Follow-up of the Recommendations of Past Audits

[

4.138. In each audit, as part of routine fieldwork, the auditor should follow-up on the
recommendations raised by previous audits where they have at that date seen no
evidence that the recommendation was implemented. The follow-up work should

Page | 62
document how the auditor has satisfied themselves that the recommendation has been
implemented. If the recommendation has not been implemented or has only been
partially implemented, then the recommendation should be once again raised in the
audit report under a section entitled ‘Follow-up of past audit recommendations’
specifying the date the recommendation was made and repeating the recommendation
and stating the circumstances/reasons for non-implementation. If the recommendation
has become unnecessary then the auditor should formally write up in their audit
findings why the recommendation should be dropped.

Page | 63
 Chapter 5 Audit Reporting
Background

5.1. The purpose of this chapter is to consider the procedures necessary to draw together the
results of the audit work and form an opinion on the financial statements (for financial
audits) and on regularity (for both financial and compliance audits), including where the
CAG qualifies or otherwise modifies his audit opinion. It provides guidance on the format
of the auditor’s report. It also sets out specific public sector aspects of reporting, including
the regularity opinion and the CAG’s reports to Parliament, as well as arrangements for
the delegation of the CAG’s responsibilities for signing the audit certificate.

Objectives

5.2. The objectives of the auditor are to:

a) design and perform analytical procedures near the end of the audit that assist the
auditor when forming an overall conclusion as to whether the financial statements
are consistent with the auditor’s understanding of the entity;
b) form an opinion on the financial statements based on an evaluation of the
conclusions drawn from the audit evidence obtained;
c) express clearly that opinion through a written report that also describes the basis for
the opinion;
d) express clearly an appropriately modified opinion on the financial statements that is
necessary when:
 the auditor concludes, based on the audit evidence obtained, that the
financial statements as a whole are not free from material misstatement; or
 the auditor is unable to obtain sufficient appropriate audit evidence to
conclude that the financial statements as a whole are free from material
misstatement; and
e) having formed an opinion on the financial statements, draw the users’ attention,
when in the auditor’s judgement is necessary to do so, by way of clear additional
communication in the auditor’s report, to:
 a matter, although appropriately presented or disclosed in the financial
statements, that is of such importance that it is fundamental to users’
understanding of the financial statements; or
 as appropriate, any other matter that is relevant to users’ understanding of
the audit, the auditor’s responsibilities or the auditor’s report.

Page | 64
5.3. In circumstances where the CAG is required under legislation to examine, certify and
report, the objectives of the auditor extend to reporting on significant matters which
should be brought to the attention of Parliament.

Relevant ISSAI and Other Guidance

5.4. The basic requirements which should be adhered to in respect of OCAG audits are
contained in International Standards of Supreme Audit Institutions (ISSAIs) and
International Standards on Auditing (ISAs). The main requirements and guidance which
impact on this area of the audit are contained in ISSAI 1700 and ISA 700 “The Auditor’s
Report on Financial Statements”, ISSAI 1705 and ISA 705 “Modifications to the Opinion in
the Auditor’s Report”, and ISSAI 1706 and ISA 706 “Emphasis of Matter Paragraphs and
Other Matter Paragraphs in the Independent Auditor’s Report”.
5.5. All OCAG audits must comply with these standards. The guidance contained in this
chapter emphasises the requirements of these standards and interprets the requirements
in an OCAG context. Where relevant, the paragraphs cross-reference the application
guidance in the ISSAIs or ISAs.

Core Policies and Guidance

Concluding on the Results of the Audit

5.6. In concluding on the results of the audit the auditor is required to perform certain
procedures which allow them to form an audit opinion. These comprise:
a) evaluating the sufficiency and appropriateness of the audit evidence obtained (ISA
330);
b) performing analytical procedures at the concluding stage of the audit (ISA 520);
c) completing an overall review of financial statements;
d) reconsidering the risk arising from fraud (ISA 240);
e) considering any inconsistency in, or doubts over the reliability of evidence (ISA 500);
and
f) reconsidering the independence and objectivity of the audit team (ISA 220).

Evaluating the Suf�iciency and Appropriateness of Audit Evidence

5.7. Based on the audit procedures performed and the audit evidence obtained, the Auditor
should evaluate before the conclusion of the audit whether the assessments of the risks
of material misstatement at the assertion level remain appropriate. (Ref: ISA 330 para
A60-A61)
5.8. An audit of financial statements is a cumulative and iterative process. As the auditor
performs the planned audit procedures, the audit evidence obtained may cause us to

Page | 65
 modify the nature, timing or extent of other planned audit procedures. Information may
come to their attention that differs significantly from the information on which the risk
assessment was based. For example:
. the extent of misstatements detected by performing substantive procedures may
alter their judgement about the risk assessments and may indicate a significant
deficiency in internal control;
. the auditor may become aware of discrepancies in accounting records, or conflicting
or missing evidence; or
. concluding analytical procedures may indicate a previously unrecognised risk of
material misstatement.
5.9. In such circumstances, the auditor may need to re-evaluate the planned audit procedures,
based on the revised consideration of assessed risks for all or some of the classes of
transactions, account balances, or disclosures and related assertions. ISA 315 contains
further guidance on revising the risk assessment.
5.10. The auditor cannot assume that an instance of fraud or error is an isolated occurrence.
Therefore, the consideration of how the detection of a misstatement affects the assessed
risks of material misstatement is important in determining whether the assessment
remains appropriate.
5.11. The auditor should conclude whether sufficient appropriate audit evidence has been
obtained. In forming an opinion, the auditor should consider all relevant audit evidence,
regardless of whether it appears to corroborate or to contradict the assertions in the
financial statements. (Ref: ISA 330 para A62)
5.12. If the auditor has not obtained sufficient appropriate audit evidence as to a material
financial statement assertion, they should attempt to obtain further audit evidence. If
the auditor is unable to obtain sufficient appropriate audit evidence, they shall express a
qualified opinion or disclaim an opinion on the financial statements.
5.13. The auditor’s judgement as to what constitutes sufficient appropriate audit evidence is
influenced by such factors as:
. the significance of the potential misstatement in the assertion and the likelihood
of its having a material effect, individually or aggregated with other potential
misstatements, on the financial statements;
. the effectiveness of management's responses and controls to address the risks;
. experience gained during previous audits with respect to similar potential
misstatements;
. the results of audit procedures performed, including whether such audit
procedures identified specific instances of fraud or error;
. the source and reliability of the available information;

Page | 66
 . persuasiveness of the audit evidence; and
. understanding of the entity and its environment, including the entity's internal
control.
5.14. The Team Leader or Director General should review and assess the audit evidence
obtained during the course of the audit and conclude whether this provides a suitable
basis for the audit opinion. This can be facilitated by on-going dialogue within the
auditors working on the audit during the course of the audit and the use of on-site or
'hot' review.

Concluding Analytical Procedures

5.15. The auditor should design and perform analytical procedures near the end of the audit to
assist in forming an overall conclusion as to whether the financial statements are
consistent with the understanding of the entity. (Ref: ISA 520 para A17-19)
5.16. Concluding Analytical Procedures are intended to corroborate conclusions formed during
the audit of individual components or elements of the financial statements. This enables
the team to draw reasonable conclusions on which to base the audit opinion.
5.17. The analytical procedures performed may be similar to those used for Preliminary
Analytical Procedures as a part of Risk Assessment Procedures, but will reflect the final
financial statement position.
5.18. Considerations when carrying out such procedures may include:
a) whether the financial statements adequately reflect the information and
explanations previously obtained and conclusions previously reached during the
course of the audit;
b) whether the procedures reveal any new factors which may affect the presentation
of or disclosures in the financial statements;
c) whether analytical procedures applied when completing the audit, such as
comparing the information in the financial statements with other pertinent data,
produce results which assist in arriving at the overall conclusion as to whether the
financial statements as a whole are consistent with their knowledge of the
entity's business;
d) whether the presentation adopted in the financial statements may have been
unduly influenced by the desire of those charged with governance to present
matters in a favourable or unfavourable light; and
e) the potential impact on the financial statements of the aggregate of uncorrected
misstatements (including those arising from bias in making accounting estimates)
identified during the course of the audit and the preceding period’s audit, if any.

Page | 67
5.19. The results of such analytical procedures may identify a previously unrecognised risk of
material misstatement. In such circumstances, ISSAI 1315 requires the auditor to revise
their assessment of the risks of material misstatement and may require the performance
of further controls and/or substantive procedures. This work should be documented on
AMMS and carried out by the team leader.

Example: Issues identified in concluding analytical procedures

The entity has a target to make efficiency savings of 2% on prior period. In the draft
account, efficiency savings of 2.5% had been made. A number of client and audit
adjustments were identified that reduced the saving. In performing the concluding
analytical procedures on the final account (i.e. after booked audit adjustments), the team
calculated the actual savings that had been made, which were 2.01%. Unadjusted audit
adjustments were equivalent to 0.02% of spend, and management had declined to adjust
them on the grounds that they were not material. The auditor considered that the
presentation adopted was unduly influenced by the desire of management to present
matters in a favourable light, and that the unadjusted misstatements were qualitatively
material.

Overall Review of the Financial Statements

[

5.20. Guidance on procedures to be performed in relation to the financial statements as a

whole is set out in Chapter 4 of the manual, Section on Auditing the Financial Statements
and Disclosures.
5.21. To the extent that they have not already done so in evaluation presentation and
disclosures, and performing analytical procedures at the concluding stage of the audit,
the Director General and Audit Manager should perform an overall review of the
financial statements and document this review on AMMS. The purpose of this review is
to determine whether:
. the financial statements have been prepared using the most appropriate
accounting policies and that such policies have been consistently applied;
. the results shown in the financial statements are consistent with their
knowledge of the business;
. all necessary disclosures are contained in the financial statements and are
appropriately presented and clearly expressed; and
. the uncorrected misstatements and disclosure deficiencies are immaterial to
the financial statements.

Page | 68
Consideration of Fraud Risk

5.22. ISA 240 'The Auditor's Responsibility Relating to Fraud in an Audit of Financial
Statements' provides detailed guidance on their responsibility to consider fraud at all
stages during the course of the audit.
5.23. The auditor should evaluate whether analytical procedures that are performed near the
end of the audit, when forming an overall conclusion as to whether the financial
statements are consistent with their understanding of the entity, indicate a previously
unrecognised risk of material misstatement due to fraud (Ref: ISA 240 para A50). This
evaluation should be documented on AMMS.
5.24. If the auditor identifies a misstatement, they should evaluate whether such a
misstatement is indicative of fraud. If there is such an indication, the auditor should
evaluate the implications of the misstatement in relation to other aspects of the audit,
particularly the reliability of management representations, recognizing that an instance
of fraud is unlikely to be an isolated occurrence. (Ref: ISA 240 para A51)
5.25. If the auditor identifies a misstatement, whether material or not, and they have reason
to believe that it is or may be the result of fraud and that management (in particular,
senior management) is involved, the auditor should re-evaluate the assessment of the
risks of material misstatement due to fraud and its resulting impact on the nature, timing
and extent of audit procedures to respond to the assessed risks. The auditor should also
consider whether circumstances or conditions indicate possible collusion involving
employees, management or third parties when reconsidering the reliability of evidence
previously obtained. (Ref: ISA 240 para A52)
5.26. If the auditor confirms that, or is unable to conclude whether, the financial statements
are materially misstated as a result of fraud the auditor should evaluate the implications
for the audit. (Ref: ISA 240 para A53)
5.27. If the auditor identifies the possible existence of fraud and consider that this fraud could
have a material impact on the financial statements the auditor must undertake
additional testing in order to confirm or dispel the suspicion of fraud. If the additional
testing undertaken does not confirm or dispel their suspicions, the auditor should discuss
the issue with the entity's management and consider whether the potential fraud has
been properly considered or corrected in the financial statements. If senior management
are involved in the fraudulent activity then to avoid the risk of tipping off, the auditor
should consider whether a report should be made to the Audit Committee (if one exists),
or if there is no Audit Committee to at least the next level of management above (as
appropriate).

Page | 69
5.28. Where the auditor confirms that the financial statements are materially misstated as a
result of fraud, or is unable to confirm otherwise, the General Director should consider
the implications for the audit opinion, in particular the audit opinion on regularity (or
overall conclusion on regularity for a Compliance audit). More detailed guidance on
modifications to the audit opinion is provided later in this chapter.

Inconsistency in, or Doubts Over Reliability of, Audit Evidence

5.29. If (a) audit evidence obtained from one source is inconsistent with that obtained from
another; or (b) the auditor has doubts over the reliability of information to be used as
audit evidence then the auditor should determine what modifications or additions to
audit procedures are necessary to resolve the matter, and should consider the effect of
the matter, if any, on other aspects of the audit. (Ref: ISA 500 para A57)
5.30. Obtaining audit evidence from different sources or of a different nature may indicate
that an individual item of audit evidence is not reliable, such as when audit evidence
obtained from one source is inconsistent with that obtained from another. This may be
the case when, for example, responses to inquiries of management, internal audit, and
others are inconsistent, or when responses to inquiries of those charged with
governance made to corroborate the responses to inquiries of management are
inconsistent with the response by management.
5.31. Forming an opinion where there is conflicting audit evidence requires careful audit
judgement. ISA 230 includes a specific documentation requirement if the auditor has
identified information that is inconsistent with final conclusion regarding a significant
matter, and the consideration of these issues, including any consultation, should be
reflected within the documentation accordingly.

Evaluation of Independence and Ethical Issues

5.32. The Director General should consider the independence and objectivity of the audit team
at the planning stage of the audit and document this consideration on AMMS.
5.33. In addition, the Director General must also consider any independence or ethical issues
which arise during the audit and evaluate the impact of any identified breaches of the
OCAG's policies and procedures to determine whether any such breaches represent a
threat to the independence and objectivity of the CAG, and if any such cases are
identified should detail consideration and relevant action on AMMS.

Page | 70
Forming an Audit Opinion
[

5.34. The auditor’s report on the financial statements shall contain a clear written expression
of opinion on the financial statements taken as a whole, based on their evaluation of the
conclusions drawn from the audit evidence obtained, including evaluating whether:
a) sufficient appropriate audit evidence as to whether the financial statements as a
whole are free from material misstatement;
b) obtain sufficient information as to whether the financial statement is free from
fraud or error;
c) uncorrected misstatements are material, individually or in aggregate. This
evaluation shall include consideration of the qualitative aspects of the entity’s
accounting practices, including indicators of possible bias in management’s
judgements; (Ref: ISA 700 para A1-A3)
d) in respect of a true and fair framework, the financial statements, including the
related notes, give a true and fair view; and
e) in respect of all frameworks the financial statements have been prepared in all
material respects in accordance with the framework, including the requirements
of applicable law.
5.35. In particular, the auditor should evaluate whether:
a) the financial statements adequately refer to or describe the relevant financial
reporting framework;
b) the financial statements adequately disclose the significant accounting policies
selected and applied;
c) the accounting policies selected and applied are consistent with the applicable
financial reporting framework, and are appropriate in the circumstances;
d) accounting estimates are reasonable;
e) the information presented in the financial statements is relevant, reliable,
comparable and understandable;
f) the financial statements provide adequate disclosures to enable the intended
users to understand the effect of material transactions and events on the
information conveyed in the financial statements; and
g) the terminologies used in the financial statements, including the title of each
financial statement, is appropriate.
5.36. For audits where an audit opinion is given on regularity, the auditor’s report shall also
contain a clear written expression, based on the auditor evaluating the conclusions
drawn from the audit evidence obtained, as to whether, in all material respects, the
resources have been applied to the purposes intended by Parliament and the financial
transactions conform to the authorities which govern them.

Page | 71
5.37. In forming a judgement on the regularity opinion, and when concluding on compliance
audits, the auditor should conclude on whether in all material respects, the transactions
presented in the financial statements have been made in accordance with:
. authorising legislation;
. regulations issued under governing legislation;
. Parliamentary authorities; and
. Treasury authorities.
5.38. Examples of compliance deviations are given in Appendix 6.
5.39. Where the auditor identifies instances of irregularity materiality considerations apply.
Their assessment of whether a failure to comply with any of the above is material to the
financial statements will depend upon the monetary value of the irregularity, the
circumstances in which it arose, the impact that it will have on the users of the account
and the level of parliamentary and public interest in the issue. A minute from the
Director General must be included on the audit file for all qualified audits.
5.40. The findings of the audit should be considered in the context of the materiality for the
audit - not merely in terms of materiality by value, but also in terms of materiality by
nature and by context. This consideration should be documented on AMMS. When
evaluating audit differences, the audit team should consider:
. the significance to the readers of the account of the uncorrected difference to the
financial statement either for individual line items or the financial statements as a
whole;
. the likelihood that the undetected misstatements (when considered with
uncorrected misstatements) may exceed materiality by value;
. the cause of the misstatement for example has it arisen as a result of fraudulent
activity; and
. whether the identified misstatement may indicate a pattern of activity. In such
circumstances the auditor must consider and document whether it is necessary to
undertake additional audit procedures to identify whether other similar audit
differences exist.
5.41. It is necessary to exercise a high degree of professional judgement in determining the
audit opinion. This judgement should be properly documented on AMMS and
reviewed/approved by team leader and Director General.

Types of Audit Opinion

5.42. ISSAI references:

• ISSAI 1700

Page | 72
 “Forming an Opinion and Reporting on Financial Statements”
• ISSAI 1705
“Modifications to the Opinion in the Independent Auditor’s Report”

5.43. The different types of ‘opinion’ are:

. Unqualified
. Qualified
. Adverse
. Disclaimer
5.44. Example of an unqualified audit opinion:
. Council of xxx
. An accruals IPSAS account
. Present fairly opinion
. Regularity paragraph
. Long form report on compliance audit work
5.45. Example of a qualified audit opinion:
. xxx- financial statements of xxx Revenue and Customs
. Qualification of regularity opinion for tax credits
. Financial statements get a true and fair opinion apart from this
. Note the opinion on other matters
. A separate report is referred to giving more details
5.46. Example of an adverse audit opinion:
. xxx -Commission’s Client Funds Account
. Adverse opinion on Note xxx “Outstanding Maintenance Arrears” which
does not give a true and fair view of the outstanding maintenance
balances as at xx June 20xx
. Report giving further details

5.47. Example of a disclaimer audit opinion:

. xxx Government 20xx
. Certain material weaknesses in internal control over financial reporting
and other limitations on the scope of the work resulted in conditions that
prevented the auditors from expressing an opinion on the fiscal years
20xx and 20xx accrual-based consolidated financial statements.
. Tests of compliance with selected provisions of laws and regulations for
fiscal year 20xx were limited by the material weaknesses and other scope
limitations discussed in the report.

Page | 73
The Auditor’s Report

5.48. It is important that the form and content of audit certificates and audit reports are
presented in a uniform fashion, as this promotes the reader’s understanding of the
certificate/report, and highlights unusual circumstances when they occur. The auditor’s
certificate/report will therefore include the following elements:
. Title;
. Addressee;
. Introductory paragraph identifying the statements to be audited;
. Respective responsibilities of those charged with governance and the auditor;
. Scope of the audit of the financial statements
. Opinion on the financial statements
. Opinion in respect of an additional financial reporting framework;
. Opinion on Other Matters
. Details of audit observations (should be included and discussion on this point
should be included between 5.74 and 5.75)
. Date of the report;
. Auditor's address; and
. Auditor's signature.
5.49. These elements, as appropriate, are considered in more detail below.

Title
5.50. The auditor’s report shall have an appropriate title. (Ref: ISA 700 para A4)
5.51. The title used for the auditor’s report should adopt the wording used in the legislation
appointing the CAG as auditor. Where there is a statutory requirement for his
examination to be certified, an audit report containing the opinion of the CAG on
financial statements is entitled ‘Audit Certificate’. Use of the word 'certificate' clearly
differentiates the audit report from any other report of the CAG. Where the CAG
undertakes the audit by statutory appointment, the terms of the statute may require him
to examine, certify and report on the financial statements. Where a separate substantive
report is not required the report will be included within the body of the audit certificate.
In such cases, the document will be entitled the 'Certificate and Report of the
Comptroller and Auditor General'.
5.52. Where the CAG is the appointed auditor in legislation, but there is no statutory
requirement to ‘certify’, the title of the audit report should be “Audit report of the
Comptroller and Auditor General to [addressee of audit report].”
5.53. For audits performed by agreement, the title used for the auditor’s report should be the
“Independent Auditor’s Report”.

Page | 74
Addressee
5.54. The auditor’s report should be appropriately addressed as required by the circumstances
of the engagement. (Ref: ISA 700 para A5).
5.55. The certificate should be appropriately addressed as required by the circumstances of
the engagement and any local regulations. The addressee would normally be the person
on whose behalf the audit was undertaken. For government entities, the audit is usually
undertaken on behalf of Parliament (as dictated by governing legislation). The legislation
appointing the CAG should be consulted to determine the appropriate addressee(s),
based on where the financial statements will be laid. The exceptions to this are where:
 legislation requires the appointment of the auditor and specifies the person
or persons to whom the auditor shall report; or
 the audited financial statements are not required to be laid before
Parliament. In such cases it is necessary to consider on whose behalf the
audit is being undertaken. Although this is normally the person, or persons,
making the appointment, the auditor may need to look behind this.

Introductory Paragraph
5.56. The auditor’s report should identify the financial statements of the entity that have been
audited, including the date of, and period covered by, the financial statements. Where
the financial statements being audited are those of a company, this section should
specify that the financial reporting framework that has been applied in their preparation
is applicable law and Bangladesh Financial Reporting Standards (BFRS)/IFRS.

Respective Responsibilities of Those Charged with Governance and the Auditor

5.57. The auditor’s report should include a statement that those charged with governance are
responsible for the preparation of the financial statements and a statement that the
responsibility of the auditor is to audit and express an opinion on the financial
statements in accordance with applicable legal requirements and International Standards
on Auditing. The report shall also state that those standards require the auditor to
comply with Ethical Standards for Auditors. (Ref: ISA 700 para A6 - A7)
5.58. Where there is a statutory requirement for the CAG to “examine, certify and report”, the
responsibility of the CAG in this paragraph of the certificate will be described as “audit,
certify and report on the financial statements”. Otherwise the description of the CAG’s
responsibilities will be “audit and express an opinion on the financial statements”.
5.59. Where the CAG is appointed by legislation to audit an entity which is not a company, the
applicable legal requirements are contained in the appointing legislation. Therefore, the
responsibility of the CAG will be described as being in accordance with the relevant Act,
rather than “applicable legal requirements and International Standards on Auditing”.

Page | 75
 Where there is no statutory basis for the audit, the equivalent sentence will end after
“on the financial statements”.
5.60. For non-company audits, the CAG chooses to audit in accordance with International
Standards on Auditing, so this section will state that “I have conducted my audit in
accordance with International Standards on Auditing”.

Scope of the Audit of the Financial Statements

5.61. The auditor’s report should include the following description of the scope of an audit:
“An audit involves obtaining evidence about the amounts and disclosures in the financial
statements sufficient to give reasonable assurance that the financial statements are free
from material misstatement, whether caused by fraud or error. This includes an
assessment of: whether the accounting policies are appropriate to the [describe nature
of entity] circumstances and have been consistently applied and adequately disclosed;
the reasonableness of significant accounting estimates made by responsible persons of
the audited entity [describe those charged with governance]; and the overall
presentation of the financial statements”. (Ref: ISA 700 para A8 – A9)
5.62. The scope section of the audit report/certificate should also identify the other
information that has been read by the auditor (in accordance with ISA 720A and ISA
720B) to identify material inconsistencies with the financial statements. This should
describe all the information the auditor expects to be published in the same document as
the financial statements and the audit report. Where the term ‘annual report’ is not an
accurate description of this information, the titles of the individual sections will need to
be specified.
5.63. Where a regularity opinion is provided, the following paragraph will be included within
the description of the scope of an audit:
“In addition, I am required to obtain evidence sufficient to give reasonable assurance
that the [income and expenditure/receipts and payments] reported in the financial
statements have been applied to the purposes intended by Parliament and the financial
transactions conform to the authorities which govern them.”

Opinion on the Financial Statements

5.64. The opinion paragraph of the auditor’s report should clearly state the auditor’s opinion
as required by the relevant financial reporting framework used to prepare the financial
statements, including applicable law.
5.65. When expressing an unqualified opinion on financial statements prepared in accordance
with a true and fair framework the opinion paragraph shall clearly state that the financial
statements give a true and fair view.

Page | 76
5.66. It is not sufficient for the auditor to conclude that the financial statements give a true
and fair view solely on the basis that the financial statements were prepared in
accordance with accounting standards and any other applicable legal requirements, as
additional disclosures or explanations may be required to give a true and fair view. (Ref:
ISA 700 para A10 – A12)
5.67. In public sector, these requirements are usually set out in an accounts direction issued by
Treasury, and the further primary statements required by accounting standards, the
auditor must refer to all such statements when expressing the audit opinion.
5.68. Public sector financial statements may include an opinion as to whether the financial
statements give a true and fair view, or the auditing framework may require an opinion
as to whether the financial statements present fairly or properly present the entity's
transactions or balances. Whichever wording is used for the opinion on the financial
statements, this will not have an impact on the extent to which the auditor observes the
requirements of Auditing Standards.

Opinion in Respect of an Additional Financial Reporting Framework

5.69. When the auditor is engaged to issue an opinion on the compliance of the financial
statements with an additional financial reporting framework the second opinion should
be clearly separated from the first opinion on the financial statements, by use of an
appropriate heading. (Ref: ISA 700 para A13)

Opinion on Other Matters

5.70. When the auditor also addresses other reporting responsibilities within the auditor’s
report on the financial statements, the opinion arising from such other responsibilities
should be set out in a separate section of the auditor’s report following the opinion(s) on
the financial statements or, where there is one, the opinion on regularity. (Ref: ISA 700
para A15 – A16)
5.71. If the auditor is required to report on certain matters by exception they should describe
the C&AG’s responsibilities under the heading “Matters on which they are required to
report by exception” and incorporate a suitable conclusion in respect of such matters.
(Ref: ISA 700 para A17 - A18)
5.72. The auditor reports by exception on whether:
. adequate accounting records have not been kept [or returns adequate for their
audit have not been received from branches not visited by their staff]; and
. the financial statements are not in agreement with the accounting records or
returns; and

Page | 77
 . all of the information and explanations required for the audit have not been
received.
5.73. For all audits on which the auditor qualifies their opinion on the basis of a limitation of
scope, they should also consider whether they need to state that proper accounting
records have not been kept.

Example: Details of Audit Observations

For each audit observation, there should firstly be a numbered title to the point in bold font
starting at 1, and size of the error should be included in the title. Below the title brief
details of the observation should be given with supporting data or reference with detailed
supporting Annexure. Below this point there should be a Cause section which should detail
the weakness or failure in internal control that allowed the observation to happen. Below
that is the effect section which should state if the point or error is material and
quantification should be given where possible (to agree with the value in the title). Below
that is the Recommendation section which will generally link to the effect section and
suggest the new or improved internal control that is needed to prevent a recurrence of the
point or error. Lastly there should be a section for management response which should be
left blank until the draft audit recommendation is sent to management for
comment/response, when they should be encouraged to say if the recommendation is
accepted and if so who will be responsible for implementing it and by when.
It is acceptable but not essential to have an interim management response for findings
raised with management at the time of the fieldwork, but space should always be left
below for the response to be confirmed in the formal clearance stage for the report.
[

Date of the Certi�icate

5.74. The date of an auditor’s report on a reporting entity’s financial statements should be the
date on which the CAG (or a delegate) signed the report expressing an opinion on those
financial statements. (Ref. ISA 700 para A19)
5.75. The auditor should not sign, and hence date, the report earlier than the date on which all
other information contained in a report of which the audited financial statements form a
part have been approved by those charged with governance and the auditor has
considered all necessary available evidence. (Ref. ISA 700 para A20 – A23)
5.76. If the certificate is signed at a date later than that on which the Accounting Officer
approved the financial statements, the Director General should obtain assurance that the
Accounting Officer would have approved the financial statements at the certification
date and ensure that the review of post balance sheet events covers the period up to the

Page | 78
 date of signature. Such assurance must be obtained from or directly on behalf of the
Accounting Officer.

Auditor's Address

5.77. The report should name the location of the office where the auditor is based.

Auditor's Signature

5.78. The auditor’s report should state the name of the auditor and be signed and dated. (Ref.
ISA 700 para A24)
5.79. For audits carried out by the OCAG, the audit certificate is signed by the CAG. Where
responsibility for signing the certificate is delegated by the CAG to the Director General,
the Director General should sign personally, with the words "for and on behalf of the
Comptroller and Auditor General" appearing below their name.
5.80. If the audit team fails to obtain all the information and explanations which, to the best
of their knowledge and belief, are necessary for the purposes of their audit, the CAG will
state this fact on his certificate. For all audits on which the auditors qualify their opinion
on the basis of a limitation of scope, the auditor should also consider whether they need
to state that proper accounting records have not been kept.

Modi�ication to the Opinion in the Auditor’s Report (ISA 705)

5.81. The auditor should modify the opinion in the auditor’s report when:
a) The auditor concludes that, based on the audit evidence obtained, the financial
statements as a whole are not free from material misstatement; (Ref: ISA 705
para A2-A7) or
b) The auditor is unable to obtain sufficient appropriate audit evidence to conclude
that the financial statements as a whole are free from material misstatement.
(Ref: ISA 705 para A8-A12)
5.82. ISA 700 establishes three types of modified opinions:
. Qualified opinion;
. Disclaimer opinion;
. Adverse opinion.
5.83. The auditor’s judgement of the nature of the matter giving rise to the opinion and the
pervasiveness of its effects on the financial statements affects the type of the opinion to
be expressed:

Page | 79
 Nature of Matter Giving Auditor’s Judgement about the pervasiveness of the
Rise to the Modification Effects or Possible Effects on the Financial Statement
Financial statements are Qualified opinion-except for Adverse opinion
materially misstated disagreement
Inability to obtain Qualified opinion- except for Disclaimer of opinion
sufficient appropriates limitation of scope
[
audit evidence

5.84. To ensure that modified certificates are clear and easy to understand, it is important to
maintain as much uniformity as possible in the content and style of the certificates.
Accordingly suggested wording has been given in ISA 705.
5.85. A flowchart outlining the steps to consider when forming an opinion on the financial
statements is set out in the Appendix 1 to this chapter.

Quali�ied Opinion

5.86. The auditor should issue a qualified opinion when:

a) Having obtained sufficient appropriate audit evidence, they conclude that
misstatements, individually or in the aggregate, are material, but not pervasive, to
the financial statements; or
b) They are unable to obtain sufficient appropriate audit evidence on which to base the
opinion, but they conclude that the possible effects on the financial statements of
undetected misstatements, if any, could be material but not pervasive. (Limitation of
scope)
5.87. Where a regularity opinion is provided as part of the audit engagement, they should
issue a qualified opinion on regularity when:
a) Having obtained sufficient appropriate audit evidence, the auditor concludes that
irregularities, individually or in the aggregate, are material to the financial
statements; or
b) They are unable to obtain sufficient appropriate audit evidence on which to base the
regularity opinion.
5.88. A material misstatement of the financial statements may arise in relation to:
. the appropriateness of the selected accounting policies;
. the application of the selected accounting policies; or
. the appropriateness or adequacy of disclosures in the financial statements.
5.89. A limitation of scope may arise from:
. circumstances beyond the control of the entity;
. circumstances relating to the nature and timing of the auditor’s work; or
. limitations imposed by management.

Page | 80
[[

[[
Limitations of Scope

5.90. Where a limitation is imposed by the entity prior to the acceptance of an audit
engagement, the auditor should consider whether it is appropriate to accept the
engagement. If a limitation is imposed by the entity after accepting the audit
engagement, and the entity will not remove the limitation, they should consider if it is
appropriate to resign from the engagement. In the public sector, where they are
appointed under statute, it is not possible to decline or withdraw from the engagement.
In these circumstances, the CAG has the statutory authority to report such matters to
Parliament.
5.91. If, after accepting the engagement, they become aware that management has imposed a
limitation on the scope of the audit that they consider likely to result in the need to
express a qualified opinion or to disclaim an opinion on the financial statements, they
should request that management remove the limitation.
5.92. If management refuses to remove the limitation, they should communicate the matter to
those charged with governance, unless all of those charged with governance are involved
in managing the entity, and determine whether it is possible to perform alternative
procedures to obtain sufficient appropriate audit evidence.
5.93. If the auditor is unable to obtain sufficient appropriate audit evidence, they should
determine the implications as follows:
. if the auditor conclude that the possible effects on the financial statements of
undetected misstatements, if any, could be material but not pervasive, the auditor
should qualify the opinion; or
. if the auditor conclude that the possible effects on the financial statements of
undetected misstatements, if any, could be both material and pervasive so that a
qualification of the opinion would be inadequate to communicate the gravity of the
situation, they should:
 withdraw from the audit, where practicable and possible under
applicable law or regulation; (Ref: ISA 705 Para A13-A14)
 if withdrawal from the audit before issuing the auditor's report is not
practicable or possible, disclaim an opinion on the financial statements.
5.94. Where the auditor is appointed under statute, it is not possible to decline or withdraw
from the engagement. In these circumstances, the CAG has the statutory authority to
report such matters to Parliament.
5.95. If the auditor is able to withdraw from an engagement, and determine they should do so,
before withdrawing they should communicate to those charged with governance any
matters regarding misstatements identified during the audit that would have given rise
to a modification of the opinion. (Ref: ISA 705 para A15)

Page | 81
Adverse Opinion

5.96. The auditor should express an adverse opinion when, having obtained sufficient
appropriate audit evidence, they conclude that misstatements, individually or in the
aggregate, are both material and pervasive to the financial statements.

5.97. The term pervasive is defined in the ISA:

Pervasive – A term used, in the context of misstatements, to describe the effects on the
financial statements of misstatements or the possible effects on the financial statements
of misstatements, if any, that are undetected due to an inability to obtain sufficient
appropriate audit evidence. Pervasive effects on the financial statements are those that,
in the auditor’s judgement:
(i) Are not confined to specific elements, accounts or items of the financial statements;
(ii) If so confined, represent or could represent a substantial proportion of the financial
statements; or
(iii) In relation to disclosures, are fundamental to users’ understanding of the financial
statements.
5.98. Reporting objectives for financial statements in the public sector, and the sensitivity of
users to misstatement, are not generally linked to single figure such as profit / loss or net
assets to the same extent as for private sector entities. Consequently, it is rarer that a
misstatement would be deemed to be pervasive to the financial statements as a whole.

Disclaimer Opinion

5.99. The auditor shall disclaim an opinion when the auditor is unable to obtain sufficient
appropriate audit evidence on which to base the opinion, and they conclude that the
possible effects on the financial statements of undetected misstatements, if any, could
be both material and pervasive.
5.100. The auditor should disclaim an opinion when, in extremely rare circumstances involving
multiple uncertainties, they conclude that, notwithstanding having obtained sufficient
appropriate audit evidence regarding each of the individual uncertainties, it is not
possible to form an opinion on the financial statements due to the potential interaction
of the uncertainties and their possible cumulative effect on the financial statements.
5.101. Reporting objectives for financial statements in the public sector, and the sensitivity of
users to misstatement, are not generally linked to single figure such as profit / loss or
net assets to the same extent as for private sector entities. Consequently, it is rarer that
a limitation in scope would be deemed to be pervasive to the financial statements as a
whole, and it would be more common to issue an opinion containing multiple
limitations in scope.

Page | 82
Impact of a Prior Year Qualification

5.102. If the auditor’s report on the prior period, as previously issued, included a qualified
opinion, a disclaimer of opinion, or an adverse opinion and the matter which give rise to
the modification is unresolved, they should modify the auditor’s opinion on the current
period’s financial statements.
5.103. In the basis for modification paragraph in the auditor’s report, they should either:
a) refer to both the current period’s figures and the corresponding figures in the
description of the matter giving rise to the modification when the effects or possible
effects of the matter on the current period’s figures are material; or
b) in other cases, explain that the audit opinion has been modified because of the
effects or possible effects of the unresolved matter on the comparability of the
current period’s figures and the corresponding figures. (Ref: ISA 710 para A3-A5)
5.104. If the matter that gave rise to the modified opinion has been resolved and properly
corrected in the prior year comparatives in the financial statements, the current
certificate does not need to refer to the previous modification. However, if the matter is
material to the current period, the auditor may want to include an emphasis of matter
paragraph to give further information about the situation.

Opinion on Other Information Presented with the Accounts

[

5.105. The auditor’s responsibilities extend to the other information disclosed in the annual
report and accounts, which they are not required to audit, but for which they are
required to consider the consistency with the accounts and with their knowledge of the
business.

Negative Consistency Opinion

5.106 ISA 720A requires the auditor to consider the consistency of all information reported
alongside the audited financial statements, including the Statement on Internal Control.

5.107. The auditor should read the other information to identify material inconsistencies, if
any, with the audited financial statements. (Ref: ISA 720 para A4-1 – A4-2)
5.108. If, on reading the other information, the auditor identifies a material inconsistency,
they shall determine whether the audited financial statements or the other
information needs to be revised.
5.109. If revision of the audited financial statements is necessary and management refuses to
make the revision, they should modify the opinion in the auditor’s report in accordance
with ISA 705.

Page | 83
5.110. If revision of the other information is necessary and management refuses to make the
revision, the auditor should communicate this matter to those charged with
governance, unless all of those charged with governance are involved in managing the
entity; and
a) include in the auditor’s report an Other Matter(s) paragraph describing the
material inconsistency in accordance with ISA 706; or
b) withhold the auditor’s report; or
c) withdraw from the engagements where withdrawal is possible under applicable
law or regulation. (Ref: ISA 720 para A6-A7, para A11-2 – A11-3)

Impact on Audit Opinion

5.111. Where the other information is consistent with the audited financial statements, no
further information is required by the auditor.
5.112. If, on reading the other information, the auditor identifies a material inconsistency or
misstatement, they should determine whether the audited financial statements or the
other information need to be amended.
5.113. Where material inconsistencies or misstatements are identified, they should try to
resolve them by discussions with those charged with governance. Where these issues
cannot be resolved through discussion, it may be appropriate for the auditor to
consider requesting those charged with governance to consult with a suitably qualified
third party, such as the entity’s lawyers, to obtain further advice.
5.114. If the auditor is still of the opinion that an amendment is required to either the audited
financial statements or the other information, but none is made, they should consider
appropriate action, including the implications for the audit opinion as follows:
. if amendments are necessary to the audited financial statements and the entity
refuses to make such amendments, they should express a qualified or adverse
opinion.
. if amendments are necessary to the other information and the entity refuses to
make such amendments, they should include an ‘Other Matter’ paragraph in the
audit certificate explaining the details of the material inconsistency. This does
not give rise to a qualified opinion in circumstances where there is no impact on
the truth and fairness of the financial statements.
5.115. The auditor should consider the nature and severity of the inconsistency or
misstatement that exists, and a distinction should be drawn between those issues that
are a matter of fact and those issues that are a matter of judgement. It is far more
difficult to disagree with a matter of judgement (such as a view on the likely outturn for
the following year) than a factual error.

Page | 84
5.116. There may be circumstances in which the auditor is aware that the expressed view of
those charged with governance is significantly at variance with the entity's internal
assessment of an issue, or is so unreasonable as not to be credible to someone with the
auditor’s knowledge. When determining what action should be taken, the auditor may
need to take legal advice, including advice on whether the auditor would be protected
by qualified privilege from a defamation claim if they were to refer to the matters in
their report or subsequently.

Emphasis of Matter and Other Matter Paragraphs

5.117. In some circumstances it may be necessary, without modifying the audit opinion, to
draw the users’ attention to a matter, disclosed or not disclosed in the financial
statements, that is relevant to the users’ understanding of the financial statements.
This may take the form of an Emphasis of Matter paragraph, or an Other Matter
paragraph. These are defined in ISA 706 as follows:
. Emphasis of Matter paragraph – A paragraph included in the auditor’s report
that refers to a matter appropriately presented or disclosed in the financial
statements that, in the auditor’s judgement, is of such importance that it is
fundamental to users’ understanding of the financial statements.
. Other Matter paragraph – A paragraph included in the auditor’s report that
refers to a matter other than those presented or disclosed in the financial
statements that, in the auditor’s judgement, is relevant to users’ understanding
of the audit, the auditor’s responsibilities or the auditor’s report.
5.118. If the auditor considers it necessary to draw users’ attention to a matter presented or
disclosed in the financial statements that, in the auditor’s judgement, is of such
importance that it is fundamental to users’ understanding of the financial statements,
the auditor should include an Emphasis of Matter paragraph in the auditor’s report
provided the auditor has obtained sufficient appropriate audit evidence that the matter
is not materially misstated in the financial statements. Such a paragraph shall refer only
to information presented or disclosed in the financial statements. (Ref: ISA 706 para A1-
A2)
5.119. An emphasis of matter paragraph would be included in the audit certificate directly
after the opinion paragraph to which it relates, and would refer to the fact that the
auditor’s opinion is not qualified in respect of the matter.
5.120. The use of an emphasis of matter paragraph should not be routine as this diminishes the
effectiveness of the communication of such matters. In addition, it should not be used
to compensate for inadequate disclosure by the reporting body – the absence of

Page | 85
 disclosures required to provide a true and fair view would lead to a qualified opinion.
We consider emphasis of matter paragraphs under four circumstances:
. there is a material uncertainty relating to the going concern assumption;
. the accounts are prepared on a basis other than going concern;
. there is a significant uncertainty relating to a future action or event which is
outside the reporting entity’s control and which, potentially, has a material
impact on the financial statements;
. where the prior year accounts were qualified and the matter giving rise to the
qualification has been resolved with appropriate disclosures or adjustments
made to the corresponding figures, but the prior period financial statements
have not been adjusted.
5.121. Uncertainties are regarded as significant when they involve a significant level of
concern about matters whose potential effect on the financial s tatements is unusually
great, or about the validity of the going concern basis. However, the opinion will be
unqualified where the auditor considers that appropriate estimates and disclosures
have been included in the financial statements. A common example of a significant
uncertainty is the outcome of ongoing major litigation.
5.122. Uncertainty contained within an accounting estimate, such as an actuarial valuation,
will not necessarily give rise to an emphasis of matter. Uncertainties inherent in
accounting estimates should be considered in accordance with ISA 540: Auditing
Accounting Estimates, including Fair Value Accounting Estimates and Related
Disclosures. Where the auditor considers that the accounting estimate is reasonable in
the circumstances, an emphasis of matter paragraph would not routinely be included in
the certificate.
5.123. The emphasis of matter paragraph should give details of the matter giving rise to the
significant uncertainty, and its possible effects on the financial statements, including
quantification if possible. Where it is not possible to quantify the effects on the
financial statements, a statement to this effect should be included. Clarity for the
reader is enhanced by using an appropriate sub-heading in the report to differentiate
the emphasis of matter paragraph from other paragraphs in the audit certificate.
5.124. In determining whether an uncertainty is significant, the Engagement Team should
consider:
. the risk that an estimate included in financial statements may be subject to
change;
. the range of possible outcomes; and
. the consequences of those outcomes on the view shown in the financial
statements.

Page | 86
5.125. An emphasis of matter paragraph may also be used to report on other matters that
affect the financial statements. An example of this is where an amendment is required
to the other information published with the audited financial statements and the entity
refuse to make the amendment – the auditor would consider referring to this in an
emphasis of matter paragraph.
5.126. If the auditor considers it necessary to communicate a matter other than those that are
presented or disclosed in the financial statements that, in their judgement, is relevant
to users’ understanding of the audit, the auditor’s responsibilities or the auditor’s
report and this is not prohibited by law or regulation, they should do so in a paragraph
in the auditor’s report, with the heading “Other Matter,” or other appropriate heading.

5.127. The following are examples of where it may be appropriate to include an Other Matter
paragraph:
. where the auditor is unable to withdraw from an engagement even though the
possible effect of an inability to obtain sufficient appropriate audit evidence due
to a limitation on the scope of the audit imposed by management is pervasive,
the auditor may consider it necessary to include an Other Matter paragraph in
the auditor’s report to explain why it is not possible for us to withdraw from the
engagement.
. where there is a material inconsistency between the financial statements and the
surrounding information arising from a misstatement in the surrounding
information; or
. where financial statements are prepared for a specific purpose in accordance
with a general purpose framework, because the intended users have determined
that such general purpose financial statements meet their financial information
needs, since the auditor’s report is intended for specific users, they may consider
it necessary in the circumstances to include an Other Matter paragraph, stating
that the auditor’s report is intended solely for the intended users, and should not
be distributed to or used by other parties.

CAG’s Reports

5.128. The CAG has wide ranging powers to report to Parliament. Such powers to report
should be used to draw to the attention of Parliament matters which are necessary for
the understanding of the financial statements or the entity's stewardship of public
funds. It may also be used where there are other significant matters associated with
the financial statements which he believes should be brought to Parliament's attention,
even in circumstances where his opinion has not been qualified.

Page | 87
Reports on Qualified Financial Statements

5.129. Where the opinion on the financial statements is qualified, a CAG's Report will normally
be presented. A separate report will always be required where:
. a limitation of scope is so pervasive as to necessitate a disclaimer of opinion;
. a disagreement is so fundamental as to lead to an adverse opinion; or
. the qualification is in respect of another material irregularity.
5.130. The first two circumstances above suggest either a fundamental breakdown in control
or disagreement on a matter which could render the financial statements totally
misleading. In either case Parliament would expect a detailed explanation beyond that
which could be given in the certificate and which could form the basis of a hearing by
the Committee of Public Accounts.
5.131. In the final circumstance outlined there have been a breach of Parliamentary control
and Parliament will wish to be informed as to the nature of the breach, the reasons for
this and the action taken by the entity to prevent such re-occurrence. The principles
underlying the irregularity may also have a wider impact on public sector.
5.132. Where the CAG issues a qualified opinion for reasons other than those stated above,
the Director General will make recommendations to the CAG on whether a separate
report is necessary or not.

Reports on Unqualified Financial Statements

5.133. The CAG may also issue reports with financial statements when the opinion is not
qualified. The Director General will be concerned with matters which have arisen
during the course of the audit which although not material to the opinion are of
sufficient importance to draw to the attention of Parliament.
5.134. These will normally fall into one of three categories:
. Improprieties - although propriety is not expressly covered in the audit opinion
Parliament has clear expectations as to the way in which public business should be
conducted. Significant improprieties which could be covered in a separate report
might include matters such as a failure to make a proper distinction between
private and public business, failure to demonstrate fair competition in the
appointment of staff or the letting of contracts, and extravagant hospitality or
expenses.
. Inadequate financial control - the CAG is not required to give an opinion on
financial control but would be expected to draw to the attention of Parliament
control weaknesses which placed public funds at significant risk either through
fraud or error.

Page | 88
 . Other matters of interest - the CAG may identify other matters which may be of
interest to the addressee of the auditor’s opinion arising from their audit.

Report Content

5.135. Each CAG’s report will need to be tailored to the circumstances of each case, and so a
standard pro-forma is not given. Nevertheless each report should make clear:
. the scope of the examination that has led to the report;
. why the CAG has considered it necessary to report;
. the precise nature of the irregularity, propriety or control weakness reported
on;
. management’s response to the issue and action taken or planned to prevent a
reoccurrence;
. whether or not the opinion on the financial statements has been qualified in
respect of the matter reported on; and
. whether the matter will have any future effect on the accounts.

Principal Accounting Officer’s Clearance

5.136. All audit reports should be approved by the CAG. Before that it should be cleared by
the Director General from the concerned the Principal Accounting Officer of the entity
the auditor is reporting on. This will ensure that:
. all material and relevant facts have been included;
. the facts are not in dispute;
. the presentation and conclusions drawn from the facts are fair;
. the report distinguishes clearly between the facts and the conclusions drawn
from them; and
. any disagreement with the conclusions on the part of the Accounting Officer
are properly presented.
5.137. Draft reports that refer to third parties should be cleared at an appropriate level with
the organisation or person concerned.
5.138. When the CAG will issue a report with the financial statements, the auditor should allow
sufficient time within certification schedule.

Page | 89
Page | 90
Appendices

Page | 91
Page | 92
Appendix 1- Examples of Subject Matters, Subject Matter Information
and Criteria in Compliance Auditing

The follow table is intended to give examples of subject matters, subject matter information
and relevant criteria. The list is not intended to be an exhaustive overview. The particular
subject matter, subject matter information and criteria will vary depending on a variety of
matters such as the mandate of the SAI and the objective of the particular audit.

Sl. Subject matter Subject matter information Criteria

No.

1 Financial performance Financial information such as . Relevant budget legislation

and use of appropriated financial statements such as an appropriations
funds. act
. Approved budget
This may involve budget
execution, including
testing that funds have
been used in accordance
with the purposes and
intentions as decided by
the legislature. In many
SAIs this type of
compliance audit may be
related to regularity
audit, including the audit
of financial statements.

More specific guidance

on this particular topic is
included in ISSAI 4200 -
Appendix 1-A.

2 Financial performance, Project financial information . Relevant legislation

for example revenues in / project accounts relating to use of
the form of: government funds (eg a
• project funds from 'single audit act')
donor agencies
• funds from . The mandated activities of
governments the audited entity
. other similar types of . The terms of the funding
funds and how they Agreement
have been used

Page | 93
Sl. Subject matter Subject matter information Criteria
No.

3 Financial performance, Financial information related to . The mandated activities of

for example revenues in the use of the grant the audited entity
the form of grants, and . The terms of the grant
how the revenues agreement
have been used
4 Financial performance, Financial information related to The terms of the contract or
for example revenues or the contract or loan agreement loan agreement
expenditures in
accordance with a
contract or loan
agreement, and how
they have been used

5 Procurement Financial information . Relevant procurement

legislation and regulations
(national and international)

. The terms of a contract

with a supplier

6 Expenditures .  Financial information . Relevant budget legislation

such as an appropriations
. Statement of compliance act
. Other relevant legislation
. Relevant ministerial
directives, government
policy requirements and
resolutions of the
legislature
. The terms of a contract

7 Program activities Activity indicators or reports Relevant agreed levels of

performance such as those set
out in laws and regulations,
ministerial directives, goals
agreed by the legislature or
the entity, international
treaties, protocols,
conventions or agreements, a
service level agreement, the
terms of a contract, generally
established industry

Page | 94
Sl. Subject matter Subject matter information Criteria
No.

standards, or reasonable
public expectations.
For example:
. number of kindergarten
places related to number
of eligible children
. number of qualified
nurses and doctors per
number of citizens
. number of miles of road
paved
. number of months
required to process
benefit payments or
building permits
. frequency and quality of
accounting information to
be provided by a service
organisation
. number of building
inspections to be
performed within a
particular time period
. measures of results
related to water quality,
etc.
8 Service delivery . A statement of service delivery Relevant legislation or
directives
. Publicly reported information

9 Probity of a public . Citizen complaints register Relevant legislation or

administrative decision directives
. Publicly reported information

10 Corporate Social A statement of compliance with Relevant legislation or

Responsibility (CSR), for CSR (or lack thereof) directives in areas such as
example the audit of human and civil rights, gender
publicly funded projects equality, workplace,
in developing countries environment, etc.

11 Behaviour / Propriety . A statement of compliance, for . Relevant legislation or

example a statement of directives covering
independence (legal behaviour of public sector
competence). officials.

Page | 95
Sl. Subject matter Subject matter information Criteria
No.

. In the public sector this . A code of ethics or internally

'statement' may sometimes be developed code of conduct
implicit and related to the
concepts of probity and . Stated values or leadership
propriety (see section on principles
criteria above). . Internal policies, manuals
and guidelines

. The terms of reference of

the organisation, the
bylaws or similar

. The terms of a contract

(e.g. agreed confidentiality
or quarantine
arrangements subsequent
to certain employment
situations)
12 Membership obligations A statement of compliance Agreed terms of membership

13 Processes related to . A statement of compliance . Relevant occupational

health and safety health and safety
. Financial transactions legislation, for example,
related to handicap access

. Policies, processes,
manuals, guidelines etc
14 Processes related to . A statement of compliance . Relevant environmental
environmental legislation, for example,
protection . Financial transactions related to water quality,
waste disposal or carbon
emissions levels

. The terms of international

environmental treaties,
protocols, conventions or
agreements

. Policies, processes,
manuals, guidelines etc
15 Internal control . A statement of compliance . An internal control
processes

Page | 96
Sl. Subject matter Subject matter information Criteria
No.

. Financial transactions framework, for example

COSO2, CoCo or similar, or
internal control
requirements set out in
relevant legislation or
generally accepted within a
jurisdiction
. Policies, processes,
manuals, guidelines etc
16 Processes particular to . A statement of compliance . Relevant legislation or
the entity's activities and directives
operations, such as . Financial transactions . Policies, processes, manuals,
payment of pensions or guidelines etc
social benefits, processing
passport or citizenship
applications, assessing
fines or other forms of
penal sentences

17 Physical characteristics A specifications document or the . A building code (size,

physical object itself height, purpose, density
measures for a particular
zoned area, etc)

. The terms of a construction

contract, or other type of
contract

18 Tax revenues, taxpayer . Individual or corporate tax . Relevant legislation or

obligations or other    returns industry specific codes
obligations involving
reporting to regulatory . Other tax forms submitted to . A tax code, revenue code or
authorities regulatory authorities (such as similar
VAT forms, reporting forms for
agencies operating within
regulated industries such as
banking and finance,
pharmaceuticals, etc)

2
COSO – Committee of Sponsoring Organisations of the Treadway Commission. CoCo = Criteria of Control Board, The Canadian Institute of
Chartered Accountants.

Page | 97
Appendix 2 – Examples of Sources to be used in Gaining an
Understanding of the Audited Entity and Identifying
Suitable Criteria
The following is an illustrative, but not exhaustive list of sources that public sector auditors may use in
identifying suitable audit criteria:

a) Laws and regulations, including the documented intentions and premises for
establishing such legislation
b) Budgetary legislation / approved budget or appropriations
c) Documents of the legislature related to budgetary laws or resolutions, and to the
premises or particular provisions for use of approved appropriations, or for
financial transactions, funds and balances
d) Legislative or ministerial directives
e) Information from regulatory authorities
f) Official records of meetings of the legislature, public accounts committee or
similar committee of the legislature, or other public bodies
g) Principles of law
h) Legal precedent
i) Codes of practice or codes of conduct
j) Internal descriptions of policies, strategic and operational plans and procedures
k) Manuals or written guidelines
l) Formal agreements, such as contracts
m) Loan or grant agreements
n) Industry standards
o) Well established theory (for example theory for which there is general consensus.
Such theory may be obtained, for example, from published information such as
technical literature and methods, professional journals, etc, or through inquiry with
knowledgeable sources such as experts in a particular field)

p) Generally accepted standards for a particular area (such standards are normally
clearly identifiable standards that have their source in some form of legislation and
that are a result of established practice and legal precedent, for example 'generally
accepted accounting principles' in a particular country)

q) For audits of propriety: Principles for sound public sector financial management and
conduct of public sector officials. Principles of conduct may arise from the

Page | 98
 legislature's or public expectations regarding the behaviour of public sector officials.
In some cases, these principles may be documented in only fragmentary ways. They
may, in some cases, only be defined as a result of their breach.

Additional sources which public sector auditors may use to obtain an understanding about the audited
entity, its environment and relevant program areas may include:

a) The entity's annual report

b) Legislative propositions and speeches

c) Websites

d) Published reports, articles in newspapers or journals, other media sources, etc

e) Knowledge obtained from previous audits

f) Information gathered through meetings and other communication

g) Minutes of Board or other management meetings

h) Internal audit reports

i) Official statistics

Page | 99
Appendix 3– Examples of Factors Related to Assessing Risk in
Compliance Auditing
The following are examples of factors that may be considered in assessing risk in a compliance audit.
The list is not intended to be exhaustive, and the factors will depend on the particular audit
circumstances.

The Audited Entity's Objective and Mandate

1. Are the audited entity's objective, mandate and legal capacity clearly stated and
readily available?
2. Have there been recent changes in mandate, objectives or program areas?
3. Are program areas or relevant subject matters clearly identifiable?
4. Do program areas overlap considerably with other entities such that there is a risk of
duplication or of fragmentation?

Organisational Structure

1. What is the legal basis of the entity (ministry, directorate, agency etc) and from
where does it derive its authority?
2. Does the audited entity have clearly defined roles and responsibilities, and related
authority attaching to these?
3. Are these roles, responsibilities and authorities clearly communicated and
understood throughout the entity?
4. If the entity is part of a hierarchic structure, and another entity is responsible for
supervision of the audited entity, how does such supervision take place?
5. Does the organisation focus on risk assessment and risk management, including risks
of non-compliance, in its operations?
6. Have there been recent organisational changes?
7. Are any activities outsourced to other entities?
8. If activities are outsourced, how is compliance and performance monitored?
9. Are there other potential risks associated with outsourcing?
10. Do personnel have adequate competence and ethical behaviour?
11. Do personnel seek relevant information and is relevant information easily accessible?
12. Is information communicated on a timely basis in the organisation?
13. Are there any aspects of organisational structure that could give rise to greater risk of
fraud?

Political Considerations

1. To which level of government does the particular entity belong and does it have
relations to other levels of government?

Page | 100
 2. What are the responsibilities (constitutional or other) of the relevant minister, or of
entity management?
3. What is experience in dealing with the entity's political vs. administrative
management?
4. Is there political consensus, or are differing views freely expressed?
5. How is the political management comprised?
6. What are program areas of political focus, visibility and sensitivity?
7. How does the working relationship between political and administrative
management function?
8. Are there any areas of particular public interest?
9. What is experience in relation to one entity exercising unfavourable influence on
other related entities in the public sector hierarchy?
10. Are there any political considerations that could give rise to greater risk of fraud?
11. Do laws and regulations contain requirements for political neutrality related to the
use of resources and funds, and what is past experience in this area?

Laws, Regulations and Other Relevant Authorities

1. Is it clear which laws, regulations and authorities apply to the audited entity and the
particular subject matter?
2. Are there overlaps or inconsistencies between different sets of legislation?
3. Is the entity a law making body, and if so what impact can the law making process
have on the rights of individuals?
4. If the entity is a law making body, has it delegated any authority to other entities,
such as regulatory authorities or private sector entities?
5. Is relevant legislation relatively new, or is it well established?
6. If new, is it clear in terms of form and content such that it may be clearly understood
and applied?
7. If well established, has legal precedent been consistent such that the legislation is
clearly understood and applied?
8. Is the relevant program area subject to significant application of judgement in its
operations?
9. If a significant amount of judgement is applied, is this done in accordance with the
intentions behind the laws and regulations?
10. If a significant amount of judgement is applied, is it applied consistently?
11. Are other bodies involved in interpreting or supplementing the relevant legislation?
12. Has the entity carried out its duties on a timely basis such that individual rights have
not been compromised, and there have not been significant negative financial
consequences due to passiveness?
13. Have channels for complaints and appeals for affected parties been used
appropriately?
14. Have any individual's / organisation's rights been compromised in any way through
the entity's interpretation and application of particular legislation or regulations?

Page | 101
 15. Are there any aspects of laws, regulations or other authorities that could give rise to
greater risk of fraud?

Significant Events and Transactions

1. Are there any significant events or transactions that may give rise to significant risks
or fraud risks (e.g. significant procurement contracts, long term construction
contracts, dealings in financial instruments such as foreign exchange contracts,
significant loans or financial speculation, privatisation etc)?
2. Does the entity possess the necessary authority and competence to enter into and
carry out significant events and transactions?
3. Have experts been engaged in connection with significant events and transactions?
4. If experts have been engaged, what precautions have been taken to ensure their
competence and objectivity?
5. How is the work of experts monitored?

Management

1. Is there stability in the management team or have there been changes in key
personnel?

2. How are members of management recruited (open and transparent processes with
real competition, or token process)?

3. Is management actively involved in assessing risk on a continual basis?

4. Has management considered the consequences of changes in the entity's

environment and the impact this may have on the audited entity?

5. Is management conservative in its approach or more willing to take risks (e.g. what is
the 'risk appetite')?

6. What initiatives has management taken to identify and avoid significant risks that
could have an adverse impact on the entity?

7. Are risk evaluations that are performed throughout the entity effectively
communicated to management at the appropriate levels?

8. Does management actively monitor and evaluate the consequences of their decisions
and actions?

9. Have previous audits identified instances of non-compliance, fraud, unlawful acts,

unethical behaviour, management bias, etc?

10. How does management balance the achievement of program objectives with the
need to manage risk, and ensure compliance with laws and regulations etc?

Page | 102
Appendix 4 Examples
- of Risk Factors Related to a Particular Subject
Matter

Procurement is a typical subject matter for compliance audits. The following table gives some
examples of risk factors relating to a compliance audit of procurement. The list is not intended to be
exhaustive. The relevant risks and risk factors will vary depending on the subject matter and the
circumstances of the particular audit.

Examples of Risk Factors Related to the Audit of Procurement

Inherent risk
1 Lack of relevant procurement legislation

2 Recent changes to the procurement legislation (eg to conform to international legislation)

3 Complex or unclear legislation, or legislation open for interpretation

4 Significant monetary amounts are involved such as defence procurement

5 Audit findings from the prior year revealed compliance deviations in regard to procurement
legislation and directives

6 Previous suspicions or instances of fraud and corruption involving management and key staff

7 Inspections by regulatory authorities (eg competition authorities)

8 Complaints received from potential suppliers about unfair practices related to awarding
tenders

9 Potential conflicts of interest

Control risk
1 Lack of good internal guidelines, including lack of clear and objective criteria

2 Recent changes in general or application controls related to procurement IT systems

3 Poor quality-control or weak monitoring activities related to suppliers

Page | 103
4 Weak or non-existent controls regarding suppliers' compliance with ethical guidelines

5 Non-existent or poor quality monitoring activities related to compliance with relevant

legislation
Detection risk
1 Audit procedures are ineffectively designed (eg performing procedures that only involve
checking transactions that are recorded, and not checking for completeness; or making
inquiries only of staff in the procurement department and not of others such as administration
or facilities management staff, suppliers or agencies that register complaints)

2 Incentives may lead management to intentionally withhold or conceal evidence (for example,
suppliers may make bribes or give kickbacks)

3 Possible management collusion or override of controls

Page | 104
Appendix 5 Examples
- of Compliance Audit Procedures for Selected
Subject Matters

This table shows illustrative examples of possible compliance audit procedures in the areas of
environmental legislation and project funds from donor organisations. It is not intended to be an
exhaustive list of procedures. Audit procedures must be designed for the particular audit
circumstances and objectives.

Sample audit procedures

Subject matter: Environmental legislation

1 Obtain an overview of relevant environmental legislation to which the entity is required

to adhere.

2 Inquire with management, and internal audit as applicable, as to the processes and
routines in place to ensure compliance with relevant environmental legislation.

3 Review manuals and systems descriptions to understand the processes and relevant
controls. Document the process and identify key controls. Test key controls as necessary.

4 Perform a media search, and other databases as applicable, to identify previous instances
of non-compliance by the entity.

5 Review any inspection reports, including those of internal audit as applicable. Follow up
any areas that may indicate significant risks of non-compliance with environmental
legislation.

6 Confirm that the audited entity has necessary permits and registration certificates as
appropriate. Evaluate procedures to ensure that these remain valid and up to date.

7 Review minutes of meetings of environmental, or health and safety committees. Follow

up as necessary.

8 Interview selected staff as to their understanding of relevant policies and procedures in

place, including training, and how these procedures operate in practice.

Page | 105
9 Inquire with management, and legal counsel as appropriate, as to any previous, existing
or potential environmental liability claims. Consider the causes and effects/impacts of any
such claims.

10 Observe processes and routines in practice (eg waste disposal – properly stored and
disposed of, etc) and document appropriately (eg photo or video evidence may be
relevant)

Sample audit procedures

Subject matter: Project funds received from a donor organisation

1 Obtain an overview of the funding agreement and any relevant legislation, directives,
mandates, etc to which the entity is required to adhere.

2 Inquire with management, and internal audit as applicable, as to the processes and routines
in place to ensure compliance with the terms of the funding agreement and relevant
legislation, directives, mandates, etc. Inquire as to routines to ensure appropriate accounting
and disclosure.

3 Review manuals and systems descriptions to understand the processes and relevant controls
related to compliance with such funding agreements. Document the process and identify key
controls. Test key controls as necessary.

4 Perform analytical procedures for assessing risks, and substantive procedures as considered
necessary. For example, compare any financial information, including project accounts, with
budget and prior year(s). Follow up suspected deviations as necessary in the circumstances.
Review project accounts for unusual or significant transactions. Follow up as necessary.

5 Select a sample of transactions related to project funds. For each transaction selected, test
compliance with the terms of the funding agreement and any relevant legislation, for
example:
. requirements related to use of funds
. proper approval and authorization
. reporting requirements
. proper accounting and disclosure, including appropriate accounting policies and
recording transactions in the appropriate periods, etc.

Page | 106
6 Where project funds have been used for specific purposes, assess the need to perform
physical inspections. Follow up as appropriate.

7 Review related correspondence, minutes of meetings etc to identify any relevant matters.
Follow up as necessary.

8 Consider the need to obtain any written confirmations from third parties and follow up as
appropriate.

9 Consider the need to obtain specific written representations from management in regard to
the funding agreement.

10 Perform cut-off testing and review after the period end as necessary to ensure funds are
accounted for in the appropriate period.

Page | 107
Appendix 6 Examples
- of Compliance Deviations

The following table provides some examples of compliance deviations and includes considerations
related to materiality and forming conclusions. The comments related to materiality and forming
conclusions are not intended to be definitive assessments of whether the particular example
constitutes a material compliance deviation or not, but rather to highlight relevant considerations.
The determination of materiality will depend on the particular circumstances and the professional
judgement of the public sector auditor.

Example of Compliance Deviation Considerations Related to Materiality and

Forming Conclusions

1 During the year, a government Based on the legislation governing the government
agency received budget agency, the agency did not have the power to make
appropriations through the Ministry grants to overseas bodies. The non-compliance may be
of Education for national material because the grant expenditure was paid out
educational purposes. The agency's to overseas bodies and was therefore not in
grant expenditure for the year compliance with relevant authorities, nor was it
included TK. 1 Crore to overseas applied to the purposes intended by the legislature.
high tech manufacturers.

2 During the year, a government In this case, actual expenditures were in excess of
agency incurred expenditures of amounts authorised through the approved budget.
TK. 100 in excess of the total This non-compliance may be material because it was a
expenditure of TK. 5000 authorised clear violation of clearly established authorities.
by the budget approved by the Depending on the circumstances, including the type of
legislature. expenditures, it may also be very sensitive in nature.

3 A citizen is entitled to a monthly Although the monetary amounts involved may not be
pension of TK. 1000. The material to the financial statements of the government
government agency has only been agency, the consequences of the noncompliance are
paying out TK. 900 per month. The likely to be very significant to the individual pensioner
payments were also made after the living on a fixed income. If the non-compliance is due
dates stipulated in the legislation. to a system weakness, the non-compliance may also
affect many other citizens. The non-compliance may
therefore be material in terms of the impact on citizens
and society in general.

4 A single mother is entitled to While this compliance deviation may have been
monthly child benefits for each child positive for the recipient, it is not in accordance with
under age 18. The government the legislation and its intentions, and may therefore be
agency has paid out unfair to other beneficiaries. If the

Page | 108
Example of Compliance Deviation Considerations Related to Materiality and
Forming Conclusions

child benefits for a 19 year old child. non-compliance is due to a system weakness, the non-
compliance may also affect many other citizens. The
non-compliance may therefore be material in terms of
the impact on citizens and society in general.

5 The terms of a building code require The non-compliance may be significant due to
annual inspections to be performed. qualitative aspects such as safety implications.
The government agency has not Although no particular monetary amounts are
performed inspections for the past involved, the non-compliance may be material due to
five years. the potential consequences it may have on the safety
of the building occupants. In the event of a disaster,
there is also a risk that the noncompliance may result
in significant liability claims which could have material
financial implications for the government agency as
well.

6 The terms of a funding agreement The non-compliance may or may not be material
state that the recipient of the funds depending on whether or not the financial statements
must prepare financial statements were subsequently prepared and sent, the extent of
and send them to the donor the delay, the reasons for the delay, any consequences
organisation by a certain date. The that may arise as a result of the non-compliance, etc.
financial statements have not been
prepared and sent by this date.

7 Significant system weaknesses were This type of compliance deviation relates to the due
identified in relation to revenues process rights of individual citizens. Certain citizens
collected in accordance with a tax were being assessed too much tax, while others were
code. The weaknesses were due to not being assessed at all. Depending on the
incorrect interpretation of the tax circumstances, and because it involves a system
code by the audited entity. Numerous weakness, the deviation may be material.
instances of taxpayers being assessed
more than they were obligated to pay
were identified.

Page | 109
 Appendix 7 -

1. This diagram is adapted for our purposes from the version contained in ISA 700

Page | 110
Annexures

Page | 111
 Annex A -

Overall Audit Strategy

This document is intended as a stand-alone document which sets our overarching audit strategy. It is
used to frame an agenda of questions for the initial planning meeting between the Director General or
Director, Manager and any other invited audit team members, to set the high level strategy. It is also
used to record the decisions reached about the scope, timing and direction of the audit and how the
more detailed audit plan should be developed.5
The Overall Audit Strategy should identify from our existing understanding the Significant Risks for the
audit, and the risk assessment procedures required refreshing, extending or confirming our existing
understanding and identifying any further risks for our audit. A Significant Risk is defined in the ISAs as
“an identified and assessed risk of material misstatement that, in the auditor's judgement, requires
special audit consideration.”
The significant risks section is at the start of this document for ease of reference throughout the audit.
However, teams must ensure that the factors contained in all sections of this document are given
proper consideration in identifying and assessing risks.
The form should not be used to replicate information from detailed planning documentation – it should
be focused on only the key information and issues for the audit.

A. What are the Significant Risks for our audit and how will we respond to them?

In planning our response to Significant Risks, consider:

 identifying the classes of transactions, account balance, or disclosures as precisely as possible
(e.g. payments during particular periods, transactions with certain counterparties, assets held
in particular locations, etc);
 identifying how management get comfort over the risk and test related controls or plan
procedures to earn the right to rely on the output of their procedures as part of our overall
assurance;
 testing transactional level controls that mitigate the specific risk;
 using external confirmations (including to confirm contractual terms or the absence of side-
agreements as part of our assurance);
 using Computer Assisted Audit Techniques to identify items potentially affected by the risk; and

5
Considerations for establishing the Overall Audit Strategy are included in the Appendix to ISA 300, (and examples
of fraud risk factors which may be relevant to consider are included in the Appendices to ISA 240.)

Page | 113
  using specialist or more experienced staff to carry out the audit procedures addressing Specific
Risks or the audit as a whole in the case of Pervasive Risks.

What are Pervasive Risks, including risks of fraud, which affect our approach at an overall financial
statement level? (e.g. significant reorganisation of the entity’s finance function, implementation of a
new financial system, issues over going concern) What are our planned responses?


Parent risk
(P), group Controls which address the
risk (G) or risk and planned extent of
Pervasive risk Planned overall responses
both? (N/A controls work (at minimum
if not a D&I)
group audit)
Fraudulent
Financial
Reporting

Are there additional risks of management override of control beyond those included in ISA
240? Are there any specific considerations for how we should perform the required
responses? Are there any additional responses required?

Controls which address the

Risk of
risk and planned extent of Planned overall responses?
management
controls work (at minimum
override through
D&I)
Journals

Significant unusual
transactions

Bias in accounting
estimates

Page | 114
What are the Specific Risks, including risks of fraud, affecting specific classes of transactions,
account balances and disclosures? Which assertions are affected, and what is our planned
response?


Controls which
Parent risk
address the Planned
(P), group Audit area(s)
risk and substantive
Specific risk (G) or and Assertion(s)
planned extent procedures (and
Risk both? (N/A component(s) affected
of controls other responses
if not a group affected
work (at as appropriate)
audit)
minimum D&I)

If we have not identified a Specific Risk of fraud in revenue recognition, how will we rebut the
presumption of this risk in ISA 240?

THE ENGAGEMENT TEAM SHOULD TRANSFER THE SIGNIFICANT RISKS IDENTIFIED TO THE
SIGNIFICANT RISKS TESTING PLAN. THIS LIST SHOULD BE UDPATED IF ANY ADDITIONAL
SIGNIFICANT RISKS ARE IDENTIFIED, AND THE APPROACH AGREED WITH THE DIRECTOR
GENERAL OR DIRECTOR AND MANAGER. ANY RISKS WHICH ARE NOT SIGNIFICANT (AND ARE
ADEQUATELY COVERED BY STANDARD AUDIT PRODECURES) BUT WHICH THE ENGAGEMENT
TEAM CONSIDERS NECESSARY TO DOCUMENT AT THIS STAGE SHOULD BE ENTERED AS RISK
FACTORS IN SECTION H.

Page | 115
B. What do we understand about the reporting entity6?
What is the nature of the entity?
ACCOUNT TYPE

What are the statutory objectives and remit of the organisation?



What are the entity’s associated organisational objectives and strategies?



What are the key elements of the general framework of authorities for the entity? Is there a
risk of irregular or novel and contentious transactions?


What are the key elements of the statutory framework on specific benefits, grants, services
and income?
.

Have there been any significant changes in the period, including any new statutory activities
(e.g. new grant schemes, statutory functions)?


What are the key performance measures which might indicate a risk to the manipulation of
financial reporting (including financial KPIs)?


What issues were identified in the prior year management letter, and are we aware of any
progress in resolving these issues?


What else do we understand from other audit work relevant to the entity?

6
Group auditors should complete this form in respect of both the group and parent/core department, and also
complete Appendix A, Group Audits.

Page | 116
C. What do we understand about the entity’s internal controls?
What are the key features of our understanding of the entity’s internal control?
(This may cover: the “tone from the top” and quality of the overall control environment; the entity’s risk
assessment processes and the output of these processes; the entity’s information systems and processes
including the financial reporting process; and how the entity monitors its internal control systems)

Are there any concerns about the processes and controls in place to ensure the regularity of
transactions? Are there any concerns about propriety of transactions?


Does the entity’s internal control support the reliable processing of financial information?
 .

Are there areas where we need both controls and substantive assurance to obtain sufficient
appropriate audit evidence (e.g. high volume automated transactions, regularity in complex
frameworks of authorities)?

Do we plan to rely on tests of controls as part of our audit approach?

If we are planning on relying on high level controls for assurance, what procedures will we
perform to evidence that the controls are sufficiently precise to mitigate the risk of material
misstatement in each area we plan to rely upon?

Are we planning to rely on controls which are dependent upon the IT systems? If so, how will
we gain assurance over the design, implementation and operation of IT controls?


Page | 117
What is our understanding about internal audit’s role in the organisation and its relevance to
the financial audit?


Do we plan to rely on the work of internal audit? What procedures do we need to perform to
earn the right to rely on their work?


D. What is our understanding of the entity’s �inancial reporting?

What is the entity’s financial reporting framework?
Accounting framework

Will we issue a regularity opinion?

Are there any complex or specialised accounting issues for the entity?


What is our understanding of the quality of the entity’s financial reporting and close process,
including associated controls?


What is the historical level of errors identified through our audit?



Are there any issues relating to the appropriateness of the entity’s selection and application of
accounting policies, including changes to these policies?


Page | 118
Are there any issues relating to the appropriateness of the entity’s selection and application of
methods of making accounting estimates, including changes to these methods?


Are there any issues relating to non-standard disclosures? (Not in conformity with Generally
Accepted Accounting Procedures)


What is our understanding of the quality of the entity’s controls over the regularity of
transactions?


What is the historical level of irregularities identified through our audit?

E. What is material to the entity’s �inancial statements?

What are appropriate bases to consider in setting materiality?


What qualitative factors should affect our assessment of materiality?



What is the level of total anticipated error for the accounts which should be used in setting
Performance Materiality?


Are there items which we would expect to be material by nature or context and for which we
intend to set a lower materiality and Performance Materiality?


Page | 119
USE THE MATERIALITY ASSESSMENT FORM TO ESTABLISH PLANNING MATERIALITY AND
PERFORMANCE MATERAILITY AS PART OF ESTABLISHING THE OVERALL AUDIT STRATEGY

F. Other issues
Are there any significant accounting estimates?


Do we plan to rely on the work of management’s experts? What procedures do we need to

perform to earn the right to rely on their work?


Do we plan to rely on the work of our own experts? What procedures do we need to perform
to earn the right to rely on their work?


Do we plan to use any assistance from our framework partners (other than use of experts)?


What are the factors affecting the going concern assessment? What procedures do we need
to perform in respect of this?


Are there any concerns with respect to commitments and contingencies? What procedures do
we need to perform in respect of this?


Are there any concerns with respect to laws and regulations? What procedures do we need to
perform in respect of this?


Page | 120
Are there any concerns with respect to related party transactions and disclosures? What
procedures do we need to perform in respect of this?


Are there any particular considerations around handling personal data that the engagement
team should be aware of? In particular, will we need to handle high volume or high sensitivity
personal data?


Are there any issues around our independence which should be considered in planning the
engagement?


Are there any other issues which should be considered in planning or performing the
engagement?
(e.g. security clearances, audit protocols, client liaison contacts, etc)

Page | 121
G. What are the key issues from the client’s perspective?
Understanding the client’s key concerns can assist in identifying Significant Risks to the audit
which we were otherwise unaware of. It may also identify ways, in the context of an efficient
audit approach, of adding value by providing more detailed reporting of our findings or
through reasonable extensions of our procedures to address their concerns. In addition,
promoting improvements in internal control may produce audit efficiencies going forward
(or in the current year).

Who are the key client personnel, and what relationship do we have with them?

Name Role Comments

What concerns the Accounting Officer, the Finance Director and the Audit Committee Chair?

(In particular, what concerns the Accounting Officer about delivering the entity’s objectives, the Finance
Director about financial reporting and controls, and the Audit Committee Chair about the entity’s
governance? What is their view of the key risks facing the entity? How do they get comfortable over
the risks with financial statement impact?)

What concerns the entity’s key stakeholders?

Page | 122
What are the expectations of key client personnel from the audit and the OC&AG generally?

What actions, if any, in our audit approach would address client or stakeholder concerns and
expectations, or otherwise add value? How can we promote beneficial change in the entity’s
financial management and reporting, conduct and provision of services?

Action Allocated to

H. What other risk factors have we identi�ied?

(Risk Factors are either:

. risks of material misstatement or irregularity which are addressed through standard

planned testing over the relevant assertions, and so do not require any additional specific
audit response; or

. potential risks which have been assessed as not representing a risk of material
misstatement/irregularity, and so do not require an audit response.

Risk Factors may include business risks with an operational impact but without a direct impact
on the financial statements.)

What other risk factors have we identified that the engagement team should consider as the
audit progresses?
This consideration will normally not involve additional procedures, but represents part of
maintaining an attitude of professional skepticism. The list should include fraud risk factors (ISA
240 para 11 “events or conditions that indicate an incentive or pressure to commit fraud or

Page | 123
provide an opportunity to commit fraud.”). However, any risks of material misstatement due
to fraud should be treated as Significant Risks.

Additional Procedures
Comments on why required (if any beyond
Pervasive /
Risk Factor considered only a Risk consideration by the team
Assertions affected
Factor of its potential impact as
the audit progresses)

THE ENGAGEMENT TEAM SHOULD TRANSFER THE OTHER RISK FACTORS IDENTIFIED TO THE
AUDIT AREA TESTING PLAN. THIS LIST SHOULD BE UDPATED IF ANY ADDITIONAL RISK FACTORS
ARE IDENTIFIED DURING THE AUDIT, AND THEIR ASSESSMENT AS A RISK FACTOR RATHER
THAN SIGNIFICANT RISK AGREED WITH THE DIRECTOR AND MANAGER.

I. What risk assessment procedures are required?

This section would be expected to be completed on a “by exception” basis

ISA 315 requires the performance of risk assessment procedures to identify and assess the risks
of material misstatement. Where we are familiar with the entity, we may be able to use
information obtained from our previous experience with the entity and from previous audits,
subject to the requirement in ISA 315 para 9 to “determine whether changes have occurred
since the previous audit that may affect its relevance to the current audit.” This may be by
inquiry alone, or, where appropriate, by performance of other appropriate audit procedures.

Page | 124
Step in the Risk Assessment Procedures Planned approach (be as specific as
possible)

Preliminary Analytical Procedures

Understanding the Entity and its Environment

Relevant industry, regulatory, and other external

factors

The nature of the entity and its activities

The entity's financial reporting and accounting policies

The entity's objectives and strategies, and related

business risks.

The measurement and review of the entity's financial

performance.

The nature and extent of the entity’s related party

relationships

Understanding the Entity’s Internal Control

Control Environment

The entity’s risk assessment process

Monitoring of controls

Business controls

The information system

Communication

Controls relevant to the audit (evaluation of design and implementation required each year)

 Controls addressing Significant Risks

Page | 125
Step in the Risk Assessment Procedures Planned approach (be as specific as
possible)

 Controls we intend to rely on in our audit

 General IT controls (where we plan to test

their operating effectiveness)
 Financial reporting process controls

 Governance Statement controls

 Overall regularity controls

 Other controls – detail any required

Required planning inquiries

Management

Those Charged with Governance

Internal Audit

Others e.g. in-house legal council, operational staff

Identify significant classes of transactions, account balances and disclosures

Identification process

IT Scope assessment

Identify any IT risks

Identify any controls we plan to rely on dependent

upon general-IT controls

Fraud Risk assessment

Identify any fraud risk from our planning not already

identified

Page | 126
J. What else should we consider in planning our audit approach?

(excluding our responses to Significant Risks, which are discussed above)

This section would be expected to be completed on a “by exception” basis

Will the client perform a hard close? What work should we perform on the hard close?
[

(A “hard close” is a month-end close performed with the same rigour as a year-end close, which enables
balance sheet and income testing at an interim date, with e.g. substantive analytic procedures used to
provide assurance over the year-end balance sheet position)

If the client will not be performing a hard close, is it still appropriate to perform testing at an interim
date? What work should be performed at interim?

(Any planned work should reflect the quality of the close process – e.g. we may not be able to get
assurance over accruals or accrued expenditure at interim)

Which classes of transactions, account balances and disclosures do we plan to obtain controls
assurance over? Which controls are suitably precise to provide the assurance required?


Are there Audit Areas where it would be appropriate to use external confirmations?

(Other than bank circularisation of cash at bank, overdrafts, and bank loans – these are required for all
accounts other than Government Banking Service accounts)

Are there Audit Areas where Computer Assisted Audit Techniques can provide either
additional or more efficient assurance over the balance?
 IDEA transaction sampling

Page | 127
Are there other aspects to our approach to testing Audit Areas that should be specified as part
of the Overall Audit Strategy?

(Comment by exception where the Director General or Director wishes to specify an approach
– e.g. specific tests over regularity of grants, areas where substantive analytic procedures
would be more appropriate than tests of details, etc)


K. What engagement team do we need?

Do we need to involve specialists in any areas of the engagement


Who are the key members of the engagement team?

Name Role Relevant skills knowledge Years on engagement

and experience

Assignment Director

Audit Manager

Overall Team Lead

Page | 128
L. What is the reporting timetable?
Date Key stage of the audit

Central planning meeting

Mission Planning

Field work

Receipt of first draft accounts

Receipt of signed accounts

Audit opinion to be signed

Draft Report/Management letter to be sent

Page | 129
 Annex A.1 -
[

Financial and Compliance Audit Planning Checklist

Instructions
This checklist is for recording the progress and completion of the audit plan. The only element of
planning which will need to be completed subsequently in the electronic working paper system is the
importing of standard testing work programmes and addition of any customised tests.

In the table below, document the date each planning activity task has been completed, name of the
audit team member who has completed it, any relevant notes (including conclusions) and attach any
relevant papers which are necessary.

Page | 130
 Date
Activity Initials Notes Link/
completed
attachment
or N/A
A1: Preliminary Engagement Activities
Perform procedures to ensure that we can perform the audit.

For all new audits ensure that:

1) Engagement
. the Director or Director General's
Activities: New consideration of whether the audit should
clients be accepted is documented; and
. the C&AG has approved acceptance of the
engagement.

Consider whether delegated signature of the

2) Delegated certificate/audit report is appropriate for the
Authority audit, and if so consider whether the relevant
C&AG approval has been granted.

3) Engagement For all continuing clients update the

Activities: Engagement Risk Management Checklist.
[
Continuing
clients

Issue a revised letter of engagement/

4) Letter of
understanding.
Engagement/
Ensure a signed copy of the letter of
Understanding
engagement / understanding is held on file.
5) EQCR Consider whether the audit requires an External EQCR required
Quality Control Review and request that one is where:
appointed if necessary.

Page | 131
 . the Director or
Director
General expects
to remove a
long standing
qualification,
i.e. where the
accounts have
been qualified
in respect of
more than one
period for a
recurring
reason;
. the largest and
most complex
accounts; or
. where there
are unusual
circumstances
or risks in an
audit.

A2: Overall Audit Strategy

The Engagement Director must establish an Overall Audit Strategy
6) Client Planning Make enquiries of the key client contact(s)
Enquiries relevant to the forthcoming audit.

[[
Perform preliminary analytical procedures as
7) Preliminary
determined in the Overall Audit Strategy,

Page | 132
 Analytical including at least one the following items:
[[[[[

Procedures  Identification of new revenue and

expenditure streams;
 the performance measures against which
the entity is assessed and the impact
that these may have on the reported
results of the organisation; and
[

 a comparison of the draft financial

statements (or projected figures) against
the prior year’s figures, including
examination of trends.
Determine whether the findings indicate any
additional significant risks to the audit.
8) Materiality Materiality
Determine materiality and performance
Determination Form
materiality (Financial and Compliance Audit
Annex H.1
Annex H and H.1)
MANDATORY

Hold an overall audit strategy meeting, which

9) Overall Audit must be attended by the Director General or
Strategy Director and Manager (others at the invitation OAS Annex A
of the Director General or Director). This
MANDATORY
meeting may be led by a facilitator but if not,
will be led by the Director or General Director.

Record the Overall Audit Strategy and record

here the Director’s approval of the Overall
Audit Strategy.

Page | 133
10) Risk Assessment As part of the Overall Audit Strategy, determine OAS
Procedures and document what further Risk Assessment
MANDATORY
Procedures are required.

A3: Risk Assessment Procedures

11) Inquiries Perform required inquiries of:

1. Management
2. Internal audit; and
3. Others as appropriate.

12) Evaluate the Understand the work that Internal Audit plans
work of Internal to perform, and any findings to date, to identify
Auditor whether there are opportunities to use their
work, or whether they are indicative of further
significant risks:
1. Review the Internal Audit Plan for the
year and any relevant reports currently
available.
2. Document our consideration of the
plan and the reports issued so far.

Page | 134
13) Understanding Update our understanding of the entity and its Annex B
the Entity and environment, sufficiently to inform our risk MANDATORY
its Environment assessment.

14) Understanding Update our understanding of the entity’s Annex C

the Entity's internal control, sufficiently to inform our risk
MANDATORY
Internal Control assessment.
This may include updating the system notes of
the client’s key financial reporting and related
systems.

15) IT Risks Consider whether there are any further IT Scope Assessor
indications of significant risks related to IT. Annex D
MANDATORY
Consider whether there are any further Fraud Risk
16) Fraud Risks
indications of significant risks of fraud. Assessment form
Annex E
MANDATORY
Consider whether there are any historic
17) Brought forward accounting judgements which will have a
accounting significant impact on the current year financial
judgements statements. Ensure that any relevant
documentation supporting these judgements is
brought forward as standing information to be
assessed and updated later in the audit process
(this may include technical papers, evidence of
liaison with clients).
Conclude as to whether our risk assessment
18) Conclude on procedures have identified any further

Page | 135
new risks significant risks or changed our assessment of
risks identified in the Overall Audit Strategy.

If any changes are required to the Overall Audit

Strategy, these should be included and a
revised version filed following discussion and
approval by the Director or Director General.
This may be done by updating the original form
and highlighting changes on that document.

However if there are many changes, a separate

document may be required to log each
amendment to the Overall Audit Strategy and
ensure it is approved by the Director or Director
General.

A4: The Audit Plan

Document and agree the planned responses to significant risks and the planned responses to areas not affected by
significant risks.
Produce an audit plan to
19) Audit Plan respond to the significant risks SRTP Annex F &
(in the SRTP) and the audit AATP Annex G - both
areas not affected by MANDATORY
significant risks (in the AATP)
using standard testing
programmes from the Testing
Options Support Tool
wherever possible.
20) Director’s Confirm the Director’s Step in Electronic
approval of the planned Working papers

Page | 136
 Approval of Plan procedures which are system
included in the SRTP and
AATP.

21) EQCR Review of Confirm External Quality

the Audit Plan Control Review of the audit
plan, attach a copy of the
EQCR’s comments and their
approval of the plan.

22) Audit Planning Produce and submit an Audit

Report Planning Report to the client.

23) Project Planning Agree relevant details of how

with Client the audit will be performed
with the client. This should
not include the detail of our
planned testing approach, but
should normally cover:

. the audit timetable;

. information request
lists;
. personal data requests;
and
. any other aspects of the
audit plan dependent
upon co-ordination with
the client.

Page | 137
 A5: Administrative Matters
Complete the following
administrative tasks:
24) Admin
. Establish a budget.
. Where relevant agree a
fee with the client.
. Complete the planning
section of a personal data
processing form.
. Ensure that the client is
aware of the OCAG policy
on personal data
handling.
. A privacy impact
assessment has been
completed where
appropriate.
. Document the
declarations of team
members’ independence.

Hold a team briefing for all

25) Team Briefing team members who did not
attend the Overall Audit
Strategy meeting. The
briefing should include
discussion of the risk of
material misstatement
including those due to fraud.
If not all team members are

Page | 138
able to attend (including
specialists in the engagement
team), document how the
Director General or Director
has determined the matters
discussed should be
communicated to those not
attending.

Page | 139
 Annex A.2.1-

Compliance Audit Letter of Engagement Template

Government of The people’s Republic of Bangladesh
[Insert Address of Auditor]

[Insert Address of Auditee]

Subject: Letter of engagement regarding the compliance audit of [Insert Name of Entity]

Reference:

Sir,

1. INTRODUCTION
1.1 The purpose of this letter is to set out the basis on which the Comptroller and Auditor
General (C&AG) audits the [Insert details of activities being audited] of the [Insert
Name of Entity] and the respective responsibilities of the Secretary of the [Insert Name
of Entity] as Accounting Officer and the OCAG, acting on behalf of the C&AG. This
engagement will be conducted with the sole objective of our expressing an opinion on
[Insert Name of Entity]’s compliance with [Insert details of legislation or other
regulations that govern the activities being audited].

The terms of the audit engagement are set out below. This letter will remain effective
until a new audit engagement letter is issued.

2. SCOPE OF THE AUDIT

2.1 The compliance audit will be conducted in accordance with the International Standards
for Supreme Audit Institutions (ISSAIs) and will cover the [Insert details of activities
being audited] for the [Insert Name of Entity] for the financial year [Insert Financial
Year].

3. Responsibilities of auditors

3.1 The C&AG audits the [Insert details of activities being audited] under Article 128(1) of
the Constitution of Bangladesh which states that the public accounts of the Republic and
of all courts of law and all authorities and officers of the Government shall be audited
and reported on by the Auditor-General and for that purpose he or any person
authorized by him in that behalf shall have access to all records, books, vouchers,
documents, cash, stamps, securities, stores or other government property in the
possession of any person in the service of the Republic, and section 5(1) the Comptroller
and Auditor General (Additional Functions Act) 1974 which states that the Auditor-

Page | 140
 General may audit the accounts of any Statutory Public Authority (public enterprise) or
local authority and shall submit his report on such audit to the President for laying it
before Parliament. [PLEASE ALSO INCLUDE DETAILS OF ANY OTHER RULES, LAWS AND
REGULATIONS APPLICABLE TO THE SCOPE OF THE COMPLIANCE AUDIT]

3.2 Consequently, the C&AG is responsible for reporting whether in his opinion the [Insert
details of activities being audited] of [insert name of entity] are, in all material
respects, in compliance with the authorities which govern them. This responsibility
includes performing procedures to obtain audit evidence about whether the
expenditure and income have been applied to the purposes intended by the legislature.
Such procedures include the assessment of the risks of material non-compliance.

4. The compliance audit process

4.1 The audit will be conducted in accordance with the International Standards of Supreme
Audit Institutions (ISSAIs). These Standards require that we comply with ethical
requirements and plan and perform our audit to obtain reasonable assurance of
detecting errors, irregularities and illegal acts.
4.2 We shall obtain an understanding of the accounting and internal control systems to
assess their adequacy as a basis for the preparation of the [Insert details of activities
being audited] and to establish whether proper accounting records have been
maintained by the [name of entity]. We shall expect to obtain such appropriate
evidence as we consider sufficient to enable us to draw reasonable conclusions
therefrom.
4.3 The nature and extent of our procedures will vary according to our assessment of the
[Insert name of entity] and, where we wish to place reliance on it, the internal control
system, and may cover any aspect of the operations that we consider appropriate.

4.4 Limitations of a compliance audit

4.4.1We will plan our audit so that we have a reasonable expectation of detecting material
instances of non compliance with relevant rules, laws and regulations in relation to the
[Insert details of activities being audited] including those resulting from fraud, error or
non-compliance with laws or regulations, but our examination should not be relied
upon to disclose all areas of non compliance as may exist. Due to the test nature and
other inherent limitations of compliance audit there is an unavoidable risk that some
material misstatement may remain undiscovered.

4.4.2 Our work on internal control will not be sufficient to enable us to express any
assurance on whether or not the [Insert name of entity] internal controls are
effective. Our audit of the [Insert details of activities being audited] cannot be relied

Page | 141
 upon to draw to your attention all matters that may be relevant to your consideration
as to whether or not the system of internal control is effective.

4.5 Management representations

As part of our audit process we will request from management written

representations on matters material to the [Insert details of activities being audited]
where other sufficient appropriate evidence cannot reasonably be expected to exist,
and where management may have made certain oral representations (Letter of
Representation).

4.6 Reliance on third parties

4.6.1 Use of Experts

Where we judge that it is appropriate to use the work of an expert we will-

. obtain sufficient appropriate audit evidence that such work is adequate for the
purposes of the audit;
. evaluate the professional competence of the expert;
. evaluate the objectivity of the expert;
. ensure that the scope of the work of the expert is adequate for our purposes;
and
. evaluate the appropriateness of the expert’s work as audit evidence regarding
the assertions being considered.

4.7 Communications

4.7.1 At the start of our audit, we may issue an Audit Plan, containing details of identified
risks and planned audit work on the [Insert name of entity] for the coming year. This
will detail where the audit team intends to make use of other auditors or experts.

4.8.2 At the end of each audit we will report formally to you on:

. Any significant weaknesses in, or observations on, the accounting and internal
control system including areas of non compliance with applicable authorities;
. Errors and instances of non compliance with relevant rules, laws and
regulations identified in the course of the audit (unless deemed clearly trivial);
. Uncorrected misstatements;
. Expected modifications to the audit report; and
. Any other matters of interest.

5. CLIENT RESPONSIBILITIES

5.1 Our audit will be conducted on the basis that the Secretary [Insert name of entity] and
those charged with governance acknowledge and understand that they have
responsibility for:

Page | 142
 (a) For such internal control as the Secretary[Insert name of entity] and those
charged with governance determines is necessary to enable compliance with
applicable rules, laws and regulations; and
(b) To provide us with:
. Access to all information of which the Secretary [Insert name of entity] and
those charged with governance are aware that is relevant to our audit such
as records, documentation and other matters;
. Additional information that we may request for the purpose of the audit;
and
. Unrestricted access to persons within the entity from whom we determine it
necessary to obtain audit evidence.

6. AUDIT ARRANGEMENTS

6.1 Access to Data and Personal Data

As part of our audit work we may need access to personal data which the [Insert name
of entity] holds. We will manage any personal data in accordance with the Statement
on the Management of Personal Data at the OCAG (Annex 1).

6.2 Health and Safety

Members of the audit team will be in touch with relevant [Insert name of entity] to
discuss practical arrangements and the timing of audit visits. However, we would
appreciate your co-operation in relation to the provision of support for our employees
covering health, safety and emergency arrangements applicable to your premises.

6.3.2 The [Insert name of entity] is also responsible for the controls over, and the security
of their website. The examination of the controls over the maintenance and integrity of
the [Insert name of entity]’s website is beyond the scope of our audit.

7. OTHER MATTERS

7.1 Use of Report & Confidentiality

Any formal report or other unpublished reports from us may not be provided to third
parties. Such consent will be granted only on the basis that such reports are not
prepared with the interests of anyone other than the [Insert name of entity] in mind
and that we accept no duty or responsibility to any other party as concerns the reports.

7.2 Quality of service

We would like to provide you at all times with a high quality service to meet your needs.
If at any time you would like to discuss with us how our service to you could be
improved, please raise the matter immediately with me.

Page | 143
ACCEPTANCE:
8.1 Once agreed, this arrangement will remain effective for future years unless it is
terminated, amended or superseded. Should you wish to discuss any aspects of this
before signing at the foot of this letter and returning a copy, please do not hesitate to
contact me.

Yours Sincerely,

Date:

Director General

For and on behalf of

The Office of the Comptroller and Auditor General

Page | 144
ANNEX- A.2.1.1: Statement on the Management of Personal Data at the
OCAG

1. The CAG and the OCAG have privileged and wide-ranging access to data and
information to support the discharge of the audit function and ensure that the OCAG’s
reports to Parliament are factual, accurate and complete. This data relates both to
public servants and individual citizens. We have a duty to respect this privileged access
and to ensure that the personal information entrusted to us is safeguarded properly.
[

2. We take our obligations for data protection seriously. We have a body of data policies
and IT standards, guidelines and procedures designed to ensure data protection. We
keep our requests for personal data to the minimum necessary to complete our work
and retain any personal information we obtain only for as long as we need it. We take
appropriate measures to safeguard the integrity and confidentiality of data we hold from
unauthorised access. All of our staff and contractors have an obligation to comply with
our data protection policies.

3. Our definition of sensitive personal data includes data which, when held alone or in
combination, could cause embarrassment, harm or financial loss to the data subject if
disclosed to or tampered with by an unauthorised third party. We have separate
arrangements in place for classified data.

4. To help you understand our commitment, we have developed a series of Personal Data
Statements, which all our staffs subscribe to:

. We will only request personal data for use in discharging our statutory and other
audit functions and for lawful purposes. These requests are kept to the minimum
necessary to carry out our work.

. Our requests for personal data will be authorised by a senior employee. Each of
our audits is led by a Director or Director General who is personally responsible
for authorising any request for personal data in connection with that audit;
maintaining records of the data held; ensuring it is securely and appropriately
processed; ensuring it is securely and appropriately retained; and for certifying its
destruction.
. We will agree with you in advance how we will use, secure, destroy and account
for the personal data you provide to us. We have a series of protocols which
specify the measures for protecting personal data during transfer from the
information provider, whilst we retain the information for audit purposes, for secure
destruction of the data and for long term storage where this is required by
professional standards.

Page | 145
. We will notify you when we destroy personal data you have provided to us.

. We ensure our contractors operate suitable procedures for personal data protection
before we pass such data to them. From time to time we contract with third
parties who support us in discharging our responsibilities. Access to personal
information will only be given to organisations which can show that they are
capable of maintaining the standards defined in these statements.
. We audit our compliance with our data protection policies, in order to be assured
that protection is in accordance with the terms of this Statement. These include
checks on compliance carried out independently of the OCAG Directors responsible
for the security of data on their audits.

Page | 146
 Annex- A.2.2

Financial Audits Letter of Engagement

Government of The people’s Republic of Bangladesh
[Insert Address of Auditor]

[Insert Address of Auditee]

Subject: Letter of engagement regarding the financial audit of [Insert Name of Entity]

Reference:

Sir,
1. INTRODUCTION
1.1 The purpose of this letter is to set out the basis on which the Comptroller and Auditor General
(CAG) audits the [Insert details of statements being audited] of the [Insert Name of Entity] and
the respective responsibilities of the Secretary of the [Insert Name of Entity] as Accounting
Officer and the OCAG, acting on behalf of the CAG. This engagement will be conducted with the
sole objective of our expressing an opinion on the [Insert details of statements being audited].

The terms of the audit engagement are set out below. This letter will remain effective until a
new audit engagement letter is issued.

2. SCOPE OF THE AUDIT

2.1 The financial audit will be conducted in accordance with the International Standards for
Supreme Audit Institutions (ISSAIs) and will cover the[Insert details of statements being
audited] for the[Insert Name of Entity] for the financial year[Insert Financial Year].

3. Responsibilities of auditors

3.1 The CAG audits the [Insert details of statements being audited] under Article 128(1)of the
Constitution of Bangladesh which states that the public accounts of the Republic and of all
courts of law and all authorities and officers of the Government shall be audited and reported on
by the Auditor-General and for that purpose he or any person authorized by him in that behalf
shall have access to all records, books, vouchers, documents, cash, stamps, securities, stores or
other government property in the possession of any person in the service of the Republic, and
section 5(1) the Comptroller and Auditor General (Additional Functions Act) 1974 which states
that the Auditor-General may audit the accounts of any Statutory Public Authority (public
enterprise) or local authority and shall submit his report on such audit to the President for laying
it before Parliament.

3.2 Consequently, the CAG is responsible for reporting whether in his opinion the [Insert details of
statements being audited] give a true and fair view and whether the activities, financial
transactions and information reflected in the financial statements are, in all material respects, in
compliance with the authorities which govern them. This responsibility includes performing
procedures to obtain audit evidence about whether the agency's expenditure and income have

Page | 147
 been applied to the purposes intended by the legislature. Such procedures include the
assessment of the risks of material non-compliance.

4. The financial audit process

4.1 The audit will be conducted in accordance with the International Standards of Supreme Audit
Institutions (ISSAIs). These Standards require that we comply with ethical requirements and
plan and perform the audit to obtain reasonable assurance over whether the [Insert details of
statements being audited] are free from material misstatement.

4.2 We shall obtain an understanding of the accounting and internal control systems to assess their
adequacy as a basis for the preparation of the [Insert details of statements being audited] and
to establish whether proper accounting records have been maintained by the [name of entity].
We shall expect to obtain such appropriate evidence as we consider sufficient to enable us to
draw reasonable conclusions there from.

4.3 The nature and extent of our procedures will vary according to our assessment of the [Insert
name of entity] and, where we wish to place reliance on it, the internal control system, and may
cover any aspect of the operations that we consider appropriate.

4.4 Limitations of a financial audit

4.4.1We will plan our audit so that we have a reasonable expectation of detecting material
misstatements in the[Insert details of statements being audited] or accounting records
(including those resulting from fraud, error or non-compliance with laws or regulations), but
our examination should not be relied upon to disclose all such material misstatements as may
exist. Due to the test nature and other inherent limitations of a financial audit there is an
unavoidable risk that some material misstatement may remain undiscovered.

4.4.2Our work on internal control will not be sufficient to enable us to express any assurance on
whether or not the [Insert name of entity] internal controls are effective. Our audit of the
[Insert details of statements being audited] cannot be relied upon to draw to your attention all
matters that may be relevant to your consideration as to whether or not the system of internal
control is effective.

4.5 Management representations

As part of our audit process we will request from management written representations on
matters material to the [Insert details of statements being audited] where other sufficient
appropriate evidence cannot reasonably be expected to exist, and where management may
have made certain oral representations (Letter of Representation).

4.6 Reliance on third parties

4.6.1 Another auditor
Where we place reliance on another auditor, we will consider how the work of the other
auditor will affect the audit. We shall consider the professional competence of the other

Page | 148
 auditor in the context of this engagement and perform procedures to obtain sufficient evidence
that the work of the other auditor is adequate for our purposes.

4.6.2 Use of Experts

Where we judge that it is appropriate to use the work of an expert we will:

. obtain sufficient appropriate audit evidence that such work is adequate for the
purposes of the audit;
. evaluate the professional competence of the expert;
. evaluate the objectivity of the expert;
. ensure that the scope of the work of the expert is adequate for our purposes; and
. evaluate the appropriateness of the expert’s work as audit evidence regarding the
assertions being considered.

4.7 Communications

4.7.1At the start of our audit, we may issue an Audit Plan, containing details of identified risks and
planned financial audit work on the [Insert name of entity] for the coming year. This will detail
where the audit team intends to make use of other auditors or experts.

4.8.2 At the end of each audit we will report formally to you on:

. Any significant weaknesses in, or observations on, the accounting and internal control
system including areas of non compliance with applicable authorities;
. Errors identified in the course of the audit (unless deemed clearly trivial);
. Uncorrected misstatements;
. Expected modifications to the audit report; and
. Any other matters of interest.

5. CLIENT RESPONSIBILITIES

5.1 Our audit will be conducted on the basis that the Secretary [Insert name of entity] and those
charged with governance acknowledge and understand that they have responsibility for:

(a) The preparation of financial statements that show a true and fair view in accordance
with International Financial Reporting Standards;
(b) For such internal control as the Secretary[Insert name of entity] and those charged
with governance determines is necessary to enable the preparation of financial
statements that are free from material misstatement, whether due to fraud or error;
and
(c) To provide us with:
 Access to all information of which the Secretary [Insert name of entity] and
those charged with governance are aware that is relevant to the preparation of
the financial statements such as records, documentation and other matters;
 Additional information that we may request for the purpose of the audit; and

Page | 149
  Unrestricted access to persons within the entity from whom we determine it
necessary to obtain audit evidence.
5.2 In addition to the responsibility for the preparation and presentation of the financial statements
described above, management is also responsible for ensuring that the activities, financial
transactions and information reflected in the financial statements are in compliance with the
authorities which govern them.

6. AUDIT ARRANGEMENTS

6.1 Access to Data and Personal Data

As part of our audit work we may need access to personal data which the [Insert name of entity]
holds. We will manage any personal data in accordance with the Statement on the Management
of Personal Data at the OCAG (Annex 1).

6.2 Health and Safety

Members of the audit team will be in touch with relevant [Insert name of entity] to discuss
practical arrangements and the timing of audit visits. However, we would appreciate your co-
operation in relation to the provision of support for our employees covering health, safety and
emergency arrangements applicable to your premises.

6.3.2The [Insert name of entity] is also responsible for the controls over, and the security of their
website. The examination of the controls over the maintenance and integrity of the [Insert
name of entity]’s website is beyond the scope of our audit.

7. OTHER MATTERS

7.1 Use of Report & Confidentiality

Any formal report or other unpublished reports from us may not be provided to third parties.
Such consent will be granted only on the basis that such reports are not prepared with the
interests of anyone other than the [Insert name of entity] in mind and that we accept no duty
or responsibility to any other party as concerns the reports.

7.2 Quality of service

We would like to provide you at all times with a high quality service to meet your needs. If at
any time you would like to discuss with us how our service to you could be improved, please
raise the matter immediately with me

Page | 150
ACCEPTANCE:

8.1 Once agreed, this arrangement will remain effective for future years unless it is terminated,
amended or superseded. Should you wish to discuss any aspects of this before signing at the
foot of this letter and returning a copy, please do not hesitate to contact me.

Yours Sincerely,

Date:

Director General
For and on behalf of
The Office of the Comptroller and Auditor General

Page | 151
ANNEX-A.2.2.1: Statement on the Management of Personal Data at the
OCAG

1. The CAG and the OCAG have privileged and wide-ranging access to data and
information to support the discharge of the audit function and ensure that the OCAG’s
reports to Parliament are factual, accurate and complete. This data relates both to
public servants and individual citizens. We have a duty to respect this privileged
access and to ensure that the personal information entrusted to us is safeguarded
properly.

2. We take our obligations for data protection seriously. We have a body of data policies
and IT standards, guidelines and procedures designed to ensure data protection. We
keep our requests for personal data to the minimum necessary to complete our work
and retain any personal information we obtain only for as long as we need it. We
take appropriate measures to safeguard the integrity and confidentiality of data we hold
from unauthorised access. All of our staff and contractors have an obligation to
comply with our data protection policies.
3. Our definition of sensitive personal data includes data which, when held alone or in
combination, could cause embarrassment, harm or financial loss to the data subject if
disclosed to or tampered with by an unauthorised third party. We have separate
arrangements in place for classified data.
[

4. To help you understand our commitment, we have developed a series of Personal

Data Statements, which all our staffs subscribe to:

. We will only request personal data for use in discharging our statutory and other
audit functions and for lawful purposes. These requests are kept to the minimum
necessary to carry out our work.

. Our requests for personal data will be authorised by a senior employee. Each of
our audits is led by a Director or Director General who is personally responsible
for authorising any request for personal data in connection with that audit;
maintaining records of the data held; ensuring it is securely and appropriately
processed; ensuring it is securely and appropriately retained; and for certifying its
destruction.

. We will agree with you in advance how we will use, secure, destroy and
account for the personal data you provide to us. We have a series of protocols
which specify the measures for protecting personal data during transfer from the
information provider, whilst we retain the information for audit purposes, for
secure destruction of the data and for long term storage where this is required
by professional standards.

. We will notify you when we destroy personal data you have provided to us.

Page | 152
. We ensure our contractors operate suitable procedures for personal data
protection before we pass such data to them. From time to time we contract
with third parties who support us in discharging our responsibilities. Access to
personal information will only be given to organisations which can show that they
are capable of maintaining the standards defined in these statements.
. We audit our compliance with our data protection policies, in order to be
assured that protection is in accordance with the terms of this Statement. These
include checks on compliance carried out independently of the OCAG Directors
responsible for the security of data on their audits.

Page | 153
 Annex- B
UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT
The purpose of this form is to document our understanding of the entity and its environment.
Where appropriate, we should reference to supporting documents included in standing information
in the file.

The questions within the form cover the areas where we typically need an understanding to be able
to identify and assess risks of material misstatement or irregularity, and so plan and perform an
effective audit.

This understanding is part of the standing information on the file. Each year we should perform
appropriate Risk Assessment Procedures, as set out in the Overall Audit Strategy, to confirm or
update our understanding. Where the director expects the standing information will remain
current, we will perform procedures to determine that this information remains relevant. These
procedures should consist of inquiry and, where appropriate, observation and inspection.

Where changes are needed to the standing information, we should obtain appropriate evidence for
the changes and document what that evidence is. Depending upon what the update is, this may be
through inquiry, examination of documentation, observation, or other means.

The areas where we should have an understanding of the entity and its environment are listed in the
table below. Suggested points of focus that may be useful to consider for each element are available
by reading the comments attached to each heading. These can be seen by opening the Reviewing
Pane (using the Reviewing toolbar and Show -> Reviewing Pane). If the comments appear as
“balloons” next to the text, these can be hidden using the Reviewing toolbar and Show-> Options,
and uncheck “Use balloons in Print and Web layout”.

If, having confirmed/updated our understanding of the entity and its environment, we have
identified a potential risk of material misstatement/irregularity or information which will affect
whether there is a risk, this should be discussed with the Engagement Manager and Engagement
Director and clearly concluded upon.

Click on the underlined links to jump directly to the relevant factors.

(1) Relevant industry, regulatory, and other external factors (Ref: ISA 315 A17-A22, ISA 250 A7, ISA
540 A13-A15)

(2) The nature of the entity and its activities (Ref: ISA 315 para A23-A27)

(3) The entity's financial reporting and accounting policies (Ref: ISA 315 para A28)

(4) The entity's objectives and strategies, and related business risks (Ref: ISA 315 para A29-A35)

(5) The measurement and review of the entity's financial performance (Ref: ISA 315 para A36-A41)

(6) The nature and extent of the entity’s related party relationships (Ref: ISA 550 para A11-A14)

Page | 154
 CONCLUSION ON UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT
[

(1) Relevant industry, regulatory, and other external factors (Ref: ISA 315 para A17-A22)

Relevant industry, regulatory and other external factors

Description of Risk
Assessment
Procedures
performed in
current year to
Standing information
determine whether
Including: (Update as required based on Risk Standing
Assessment Procedures performed) Information
remains relevant

(As set out in

Overall Audit
Strategy)

a) What is the Authorising Legislation

for the entity? What activities
does it authorise?
b) What are the Regulations issued
under Authorising Legislation?
How do they affect the entity’s
operations?

c) What activities of the entity is there

Parliamentary Authority for?

Note: Though this directly relates to

resource accounts, the principles apply to
all central government bodies.

d) What does the client need Treasury

approval for? What does the client
have delegated authority from
Treasury for?

Note: Though this directly relates to

resource accounts, the principles apply to
all central government bodies.

Page | 155
e)Are there other elements of the
legal and regulatory framework
applicable to the entity which
affects its operations? How does it
comply with that framework?

f) What is the nature of the entity’s

relationship with its sponsoring
Department?

g) What aspects of the Political

Environment affect the entity’s
operations?

h) What aspects of the Business

Environment affect the entity’s
operations?

i) How might future events affect the

entity?

j) Are there any other factors to

consider?

Consider any other external factors that

may influence the business, operations or
financial reporting of the client.

Page | 156
(2) The nature of the entity and its operations (Ref: ISA 315 para A23-A27)

The purpose of understanding the nature of the entity and its operations is to enable an understanding
of the classes of transactions, account balances and disclosures to be expected in the financial
statements.

The nature of the entity [[

Description of Risk
Assessment
Standing information Procedures performed
in current year to
Including: (Update as required based on Risk determine whether
Assessment Procedures performed) Standing Information
remains relevant
(As set out in Overall
Audit Strategy)
a) What is the nature of the entity’s
operations?

Where not obvious, consider indicating

how significant audit areas relate to the
entity’s operations.

b) What are the entity’s ownership

and governance structures?

c) What types of investments is the

entity making or planning to
make (including investments in
special-purpose entities)?

d) How is the entity structured and

how is it financed?

e) What factors might affect

whether the entity is a going
concern?

Page | 157
(3) The entity's financial reporting and accounting policies (Ref: ISA 315 para A28)

The entity’s financial reporting and accounting policies

Description of Risk
Assessment
Procedures
performed in current
Standing information
year to determine
Including: (Update as required based on Risk whether Standing
Assessment Procedures performed) Information remains
relevant

(As set out in Overall

Audit Strategy)

a) What financial reporting framework

does the entity use for financial
reporting? Are there any specific
considerations that should be
noted?

b) Are there any historic judgements on

accounting treatments to keep in
view?

c) How does the entity select and apply

accounting policies?
This should include estimation techniques
used in applying accounting policies.

d) What changes have there been to the

entity’s accounting policies in the
period? What are the reasons for
any changes?

e) Are there any financial reporting

standards and laws and regulations
that are new to the entity? When
and how will the entity adopt such
requirements)?

f) What are the principal accounting

estimates in the entity’s financial

Page | 158
 statements required by the financial
reporting framework (including
disclosures)?

g) How do management identify the

need for new accounting estimates
(including disclosures)? How do
management make those
accounting estimates?

h) Are the entity’s accounting policies

and estimation techniques used
appropriate given:
. the nature of its operations?
. the requirements of the
financial reporting
framework?
. accounting policies used
elsewhere in government, or,
where relevant, in relevant
industries?

Page | 159
(4) The entity’s objectives and strategies, and related business risks (Ref: ISA 315 para A29-
A35)

The entity’s objectives and strategies and related business risks

Description of Risk
Assessment
procedures performed
Standing information in current year to
Including: determine whether
(Update as required based on Risk Standing Information
Assessment Procedures performed) remains relevant

(As set out in Overall

Audit Strategy)

What are the entity’s

objectives and strategies?

What business risks are

associated with the objectives
and strategies and how might
they impact the entity?

Page | 160
(5) The measurement and review of the entity’s financial performance (Ref: ISA 315 para
A36-A41)

The measurement and review of the entity’s financial performance

Description of Risk
Assessment
Procedures performed
Standing information in current year to
Including: determine whether
(Update as required based on Risk Standing Information
Assessment Procedures performed) remains relevant

(As set out in Overall

Audit Strategy)

a) How is the entity’s financial

performance measured and
reviewed?

b) What are the entity’s Financial

and Performance Reporting
Requirements?

c) Are there any relevant external

measures of financial
performance available?

Page | 161
(6) The nature and extent of the entity’s related party relationships (Ref: ISA 550 para A11-
A14)

(Note: It is usually effective to cross reference to standing documentation listing related parties.)

The nature and extent of the entity’s related party relationships

Description of Risk
Assessment
Procedures performed
Standing information in current year to
Including: determine whether
(Update as required based on Risk Standing Information
Assessment Procedures performed) remains relevant

(As set out in Overall

Audit Strategy)

a) What processes does the entity

have in place to identify, account
for, and disclose related party
relationships and transactions?

b) What is the authorisation and

approval process for significant
transactions and arrangements
with related parties?

c) How does the entity authorise and

approve significant transactions
and arrangements outside the
normal course of business?

d) What is the identity of the entity’s

related parties, including changes
from the prior period?

The client should supply a full listing

of related parties each year.

e) What is the nature of the

relationships between the entity
and these related parties?

Page | 162
 For on-going simple relationships
this can be a link to the description
in the financial statements. For
complex, unusual or new
relationships provide details as
relevant.

f) Has the entity entered into any

transactions with these related
parties during the period? If so,
what is the nature and purpose of
the transactions?

Page | 163
 Annex-B.1
Notes to assist Completion of Annex B
1) Relevant industry, regulatory, and other external factors (Ref: ISA 315 para
A17-A22)
a) What is the Authorising Legislation for the entity? What activities does it authorise?

Authorising legislation includes primary sources of authority which govern the way in which
an activity is performed, and the objectives pursued. Factors to consider may include:
. Acts of Parliament (express authorisation or prohibiting of specific activities, defined
duties and limitations of Ministers and Officers, discretion permitted, authority to
raise fees / collect receipts and rules thereof). Where expenditure is made (or
revenue raised) under legislative authority, payments (or receipts) must comply with
all relevant provisions. Strict compliance with the terms of enabling legislation is
necessary for the regularity of income and expenditure.
. International Treaties and Agreements (the provisions of relevant treaties binding on
the client, including subscription or other liabilities). There are specific requirements
for notifying Parliament of proposals to create non-statutory liabilities, including
liabilities to pay subscriptions or any other commitments, contingent or otherwise,
under international treaties.

b) What are the Regulations issued under Authorising Legislation? How do they affect the
entity’s operations?
Delegated legislation takes a variety of forms, including rules, regulations and orders. Delegated
legislation must always be intra vires, i.e. within the scope of the enabling power in the relevant
Act. Factors to consider may include:
. Statutory Instruments such as detailed regulations for payment of grants or subsidies or
performance targets set under statutory provisions
. Effect of delegated legislation on the client’s financial statements
. The client’s mechanisms for monitoring compliance with specific conditions attached to
delegated legislation (own compliance or that of others)
. Ministerial Directions made under the authority of an Act of Parliament (detailed grant
memorandum, compliance with a management statement, financial memorandum).
Activities or transactions which are in breach of Ministerial direction under the authority of
an Act of Parliament are irregular.

Page | 164
c) What activities of the entity is there Parliamentary Authority for?

Principles of Appropriation: A sum appropriated to a particular service cannot be used for

another service, the appropriation may not be exceeded, and the sum is available only in the
financial year for which it was appropriated. Consider the purposes for which Parliamentary
provision is made as described in the ambit of the Estimate and the specific sums authorised for
those purposes. Factors to consider may include:
. Regularity of expenditure in respect of ambit of services and correct financial year and
the history of any previous irregularities. The ambit is the formal description of services
to be financed from the Budget. Expenditure can, therefore, be legally incurred only on
services which are covered by the ambit of the Budget.

The history of budgets being exceeded in the past. An Excess Spend (over budget) is taken very
seriously since it represents a failure by a department/public body to keep its expenditure
within the limits approved by Parliament.

d) What does the client need Ministry of Finance approval for? What does the client have delegated
authority from the Ministry of Finance for?

The majority of Public Bodies require Ministry of Finance approval for all expenditure, including that
authorised by statute. In practice delegated authority takes the form of a standing authorisation
setting out the levels, programmes, objects and the time period. Consider the nature and extent of
standing Ministry of Finance delegations and any requirements for the client to seek specific
Treasury approval for particular expenditures or write-offs. Any expenditure which falls outside the
department's delegated authority and which is not approved by Treasury is irregular. The same
applies to any expenditure incurred in breach of a condition attached to a Ministry of Finance
approval. Factors to consider may include:
. Ministry of Finance delegations applied to the client (powers of write-off, expenditure
levels, authorities for letting major projects, authorities to participate in joint ventures,
personnel policies, receipts and sources of finance). A delegation does not remove the
obligation on Departments to submit any novel or contentious spending proposals to
Ministry of Finance. The Accounting Officer is responsible for ensuring that prior Ministry of
Finance approval is obtained in writing in all cases where required.
. Authorities governing personnel policies (remuneration, pensions)
. Authorities governing fees, charges and miscellaneous income
. Utilisation of savings on individual Budget lines and subheads to offset excess expenditure in
other Appropriation areas, Ministry of Finance authorisation of virement requests).

Page | 165
e) Are there other elements of the legal and regulatory framework applicable to the entity which
affects its operations? How does it comply with that framework?

For example anything set out in the authorising legislation that is applicable to the running of
companies, Codes of Conduct, General Financial Rules.

f) What is the nature of the entity’s relationship with its sponsors?

Consider the extent to which the client is subject to detailed oversight from its sponsoring
ministry/department and the Ministry of Finance. Factors to consider may include:
. The approval of senior appointments to the client
. Sponsor department representation on the client’s Board
. The sponsor department’s role in setting business objectives and reviewing corporate
and annual business plans
. Sponsoring department monitoring of client performance (consider the impact on
potential results manipulation)
. Degree of sponsoring department influence on key client decisions
. Requirements for management control set out in the management statement / financial
memorandum/or any other agreements between the audited entity and sponsor.

g) What aspects of the Political Environment affect the entity’s operations?

In most areas of our work we are auditing on behalf of Parliament and through them the wider
public. A high level of such interest may put pressure on the client and increase audit risk. It will also
raise the profile of the audit. Consider any interest of the Government, Parliament, media and
pressure groups in the client’s activities and any specific factors that may influence the conduct of
business or the reporting of its results. We should also consider whether the level of interest is likely
to increase during the course of the audit, for example due to a forthcoming change in status or
review of activities. Factors to consider may include:
. Government initiatives (quality improvements, major investments, changes to services, PFI,
PPP, contracting out, Modernising Government)
. Public Accounts Committee interest
. Other Select Committee/Inquiry interest
. Funding from foreign donors (programme oversight, actions against the client, funding
implications)
. Influence / interest of general press and specialist trade press
. Relationships with Ministry of Finance (Comprehensive Spending Review, Departmental
Investment Strategy, Public Service Agreements).

Page | 166
 h) What aspects of the Business Environment affect the entity’s operations?

Financial statements are reports on the state of a business and its performance, whether the
business is commercial or non-commercial. To understand, interpret and audit the financial
statements we need to understand the business. Consider the client’s business environment and
those factors that may impact on the achievement of its objectives. Factors to consider may include:
. The entity’s strategy or objectives and related business risks (ISA 315 para A30)
. Location (single or multi-site)
. Competitors and alternative suppliers
. External regulation or review of activities
. Relationship and circumstances of any suppliers or others upon which the client is reliant for
the provision of service
. Dependence upon labour (skilled requirements, union activity)
. Method of funding
. Reliance upon fee and income generation
. Sensitivity of activities and results to general external economic factors (inflation, exchange
and interest rates, unemployment).

i) How might future events affect the entity?

Consider any planned or potential future events, including changes in legislation, new programmes
/ services, known developments and changes in technology that may affect the client. Factors to
consider may include:
. Proposals to change programmes and services administered by the client. Change of funding
arrangements
. Proposals to reorganise the client in terms of geographical location, structure, early
retirement and redundancy programmes
. New legislation (new Regulations and Directives)
. Major changes in technological and operational methods (this could include a move to the
provision of on-line services to the public and the adoption of e-Procurement)
. Structural or business model changes.
[

j) Are there any other factors to consider?

Consider any other external factors that may influence the business, operations or financial
reporting of the client.

Page | 167
(2) The nature of the entity and its operations (Ref: ISA 315 para A23-A27)

a) What is the nature of the entity’s operations?

Where not obvious, consider indicating how significant audit areas relate to the entity’s
operations.

b) What are the entity’s ownership and governance structures?

c) What types of investments is the entity making or planning to make (including investments in
special-purpose entities)?
d) How is the entity structured and how is it financed?
e) What factors might affect whether the entity is a going concern?
Consider factors which could impact on our evaluation of the entity’s going concern assessment.
Factors to consider may include:
. whether the management and those charged with governance have performed a
preliminary assessment of the entity’s ability to continue as a going concern
. whether there are events or conditions that individually or collectively may cast significant
doubt upon the entity’s ability to continue as a going concern
. management’s plans to address going concern issues.

(3)The entity's financial reporting and accounting policies (Ref: ISA 315 para
A28)
This section will only be relevant to entities or activities (e.g. fund management) of an entity
audited that have a financial reporting framework. It might not be relevant to all compliance
audits undertaken.

(a) What financial reporting framework does the entity use for financial reporting? Are there any
specific considerations that should be noted?

The financial reporting frameworks that could be relevant to Bangladesh include those for the
Finance Accounts, Appropriation Accounts for individual departments, Financial Statements
required under the terms of Donor Funding Agreements such as PEDP 3, Frameworks required for
reporting Fund Management, Management Reports prepared by Chief Accounts Officers of
Ministries, Project reports submitted by Project Directors and BAS compliant Financial Statements
that are required to be prepared by Government Owned Limited Companies.

(b) Are there any historic judgements on accounting treatments to keep in view?

For example, a judgement over which standard applies to a particular class of transactions, or over
the appropriate presentation of a recurring transaction stream.

Page | 168
 This will only be relevant for audits of financial statements that are prepared under a recognised
framework like International Standards of Accounting [Note that the pilot audits of Government
owned Companies carried out under Round 2 revealed that the Financial Accounts audited by
external firms of Chartered Accountants did not comply fully with International Accounting
Standards despite their having been given a clean audit opinion].
[

(c) How does the entity select and apply accounting policies?

Points to consider include:

. the methods the entity uses to account for significant and unusual transactions
. whether there is an established process for selecting and approving accounting policies and
estimation techniques
. the effect of significant accounting policies in controversial or emerging areas for which there is
a lack of authoritative guidance or consensus. This should include estimation techniques used in
applying accounting policies.

See comments on 3 (b) above. Only applicable for audits of financial statements prepared under a
recognised framework like International Accounting Standards.

(d) What changes have there been to the entity’s accounting policies in the period? What are the
reasons for any changes?

See comments on 3 (b) and 3 (c) above.

(e) Are there any financial reporting standards and laws and regulations that are new to the entity?
When and how will the entity adopt such requirements)?

For example changes in donor reporting requirements or changes to the required format for
appropriation accounts.

(f) What are the principal accounting estimates in the entity’s financial statements required by the
financial reporting framework (including disclosures)?

For example, provisions, revaluations and impairment estimates [Will only be applicable for
accounts prepared under a recognised framework like IAS].

(g) How do management identify the need for new accounting estimates (including disclosures)?
How do management make those accounting estimates?

Consider:

. the method, including models, used in making accounting estimates

. relevant controls
. whether management uses experts

Page | 169
 . the assumptions used
. changes in circumstances affecting accounting estimates
  . the extent of uncertainty in estimates

Will only be applicable for accounts prepared under a recognised framework like IAS.

(h) Are the entity’s accounting policies and estimation techniques used appropriate given?

. the nature of its operations?

. the requirements of the financial reporting framework?
. accounting policies used elsewhere in government, or, where relevant, in relevant
industries?

Will only be applicable for accounts prepared under a recognised framework like IAS.

(4) The entity’s objectives and strategies, and related business risks (Ref: ISA
315 A29-A35)
What are the entity’s objectives and strategies?

What business risks are associated with the objectives and strategies and how might they impact
the entity?

Points to consider include:

. Industry developments (a potential related business risk might be, for example, that the
entity does not have the personnel or expertise to deal with the changes in the industry)
. New products and services (a potential related business risk might be, for example, that
there are exposures to new types of liabilities or regulations)
. Expansion of the business (a potential related business risk might be, for example, that the
demand has not been accurately estimated)
. New accounting requirements (a potential related business risk might be, for example,
incomplete or improper implementation, or increased costs)
. Regulatory requirements (a potential related business risk might be, for example, that
there is increased legal exposure)
. Current and prospective financing requirements (a potential related business risk might
be, for example, the loss of financing due to the entity's inability to meet requirements)
. Use of IT (a potential related business risk might be, for example, that systems and
processes are incompatible)

Page | 170
 . The effects of implementing a strategy, particularly any effects that will lead to new
accounting requirements (a potential related business risk might be, for example,
incomplete or improper implementation.

* It is unlikely that any of the entities audited in Bangladesh would have a formal risk
management policy or risk registers, but they should be encouraged to do so. The bullets above
can act as a prompt for the audit teams to identify risks for the Significant Risk Testing Plan in
the meantime.
[

(5) The measurement and review of the entity’s financial performance (Ref: ISA
315 para A36-A41)
a) How is the entity’s financial performance measured and reviewed?

This section will only be relevant to entities or activities of an entity audited that have a financial
reporting framework. It might not be relevant to all compliance audits undertaken.

Points to consider include:

. key performance indicators (financial and non-financial)

. key ratios, trends and operating statistics
. period-on-period financial performance analyses
. budgets, forecasts, variance analyses, segment information and divisional
departmental or other level performance reports
. employee performance measures and incentive compensation policies
. comparison of the entity’s performance with that of others

Unlikely to be relevant within the Bangladesh Accounting Framework apart from any variances
against budgets reported to the Boards of entities audited.

(6) The nature and extent of the entity’s related party relationships (Ref: ISA
550 para A11-A14)
Disclosure requirements will only be applicable if the Accounting Framework applicable to the
entity being audited requires it.

a) What processes does the entity have in place to identify, account for, and disclose related party
relationships and transactions?
Examples of related party relationships include:

. sponsoring bodies / departments

. subsidiary bodies
. other public sector bodies
. defined benefit pension schemes for employees

Page | 171
 . board members / trustees
. key management staff
. for departments, their Ministers
. the families and connected businesses of each of the above.
 
b) What is the authorisation and approval process for significant transactions and
arrangements with related parties?

c) How does the entity authorise and approve significant transactions and arrangements
outside the normal course of business?

d) What is the identity of the entity’s related parties, including changes from the prior
period? The client should supply a full listing of related parties each year?

e) What is the nature of the relationships between the entity and these related parties?
For on-going simple relationships this can be a link to the description in the financial
statements. For complex, unusual or new relationships, provide details as relevant.

f) Has the entity entered into any transactions with these related parties during the
period? If so, what is the nature and purpose of the transactions?

None of the Entities audited under the Government Framework are likely to have procedures
for identifying related party transactions. However complying with the relevant procedures are
part of the ISSAI requirements. Also, this is a key aspect of fraud prevention for example in
relation to the awarding of large contracts.

Page | 172
 Annex-C
UNDERSTANDING THE ENTITY’S INTERNAL CONTROL
We should confirm/update our understanding each year as part of our risk assessment procedures. The
purpose of this form is to summarise our understanding of the entity’s internal control. This form
should:
. document our understanding of the overall control environment;
. link to our systems notes of control cycles; and
. link to where we have evaluated the design and implementation of controls (or, if this will be
done later in the audit, where this will be documented).

Where appropriate, we should reference to supporting documents included in the file.

This understanding is part of the standing information on the file. Each year we should perform
appropriate Risk Assessment Procedures, as set out in the Overall Audit Strategy, to confirm or update
our understanding.

Where the director expects the standing information will remain current, we will perform procedures
to determine that this information remains relevant. These procedures should consist of inquiry and,
where appropriate, observation and inspection.

Where we plan to evaluate the design and implementation of a control, we will do so each year, which
will involve evaluating:
. the design of a control requires a team to assess whether, if it operates as designed, it would
reliably prevent or detect and correct material misstatement or irregularity.
. the implementation of a control requires a team to obtain evidence that it is implemented as
designed (by walking through the relevant process, sighting evidence of the operation of a
control, observation of the operation of the control, or other audit evidence).

Where changes are needed to the standing information, we should obtain appropriate evidence for the
changes and document what that evidence is. Depending upon what the update is, this may be
through inquiry, examination of documentation, observation, or other means.

The areas where we should have an understanding of the entity’s internal control are listed in the table
below. Suggested points of focus that may be useful to consider for each element are available by
reading the comments attached to each heading. These can be seen by opening the Reviewing Pane
(using the Reviewing toolbar and Show -> Reviewing Pane). If the comments appear as “balloons” next
to the text, these can be hidden using the Reviewing toolbar and Show-> Options, and uncheck “Use
balloons in Print and Web layout”.

If, having confirmed/updated our understanding of the entity’s internal control and its environment,
we have identified a potential risk of material misstatement/irregularity or information which will
affect whether there is a risk, this should be discussed with the Engagement Manager and Engagement
Director and clearly concluded upon.
Page | 173
Click on the underlined links to jump directly to the relevant factors.
1) Control Environment (Ref: ISA 315 para A69-A78)

2) The entity’s risk assessment process (Ref: ISA 315 para A79-A80)

3) Monitoring of controls (Ref: ISA 315 para A98-104)

4) Business controls (Ref: ISA 315 para A81-A87)

5) The information system (Ref: ISA 315 para A81-A85) and, if considered necessary:
Annex A – Access Security
Annex B – Change Management
6) Communication (Ref: ISA 315 para A86-A87)

7) Controls relevant to the audit (Ref: Para para A66-A68, A88-97)

Page | 174
Click on the underlined links to jump directly to the relevant factors.
1) Control Environment (Ref: ISA 315 para A69-A78)

2) The entity’s risk assessment process (Ref: ISA 315 para A79-A80)

3) Monitoring of controls (Ref: ISA 315 para A98-104)

4) Business controls (Ref: ISA 315 para A81-A87)

5) The information system (Ref: ISA 315 para A81-A85) and, if considered necessary:
Annex A – Access Security
Annex B – Change Management
6) Communication (Ref: ISA 315 para A86-A87)

7) Controls relevant to the audit (Ref: Para para A66-A68, A88-97)

Page | 174
 Control environment

Description of Risk
Assessment Procedures
Standing information performed in current year
(Update as required based to determine whether
Including:
on Risk Assessment Standing Information
Procedures performed) remains relevant
(As set out in Overall Audit
Strategy)
d) How does the entity’s
organisational structure and
assignment of authority and
responsibility contribute to
maintaining an appropriate
control environment?

e) How do the entity’s Human

Resources policies and procedures
contribute to maintaining an
appropriate control environment?

f) What impact do any other relevant

factors have upon the effectiveness
of the control environment?

2) The entity’s risk assessment process (Ref: ISA 315 para A79-A80

Public sector bodies should have a risk assessment process, which should be appropriate for
the size and complexity of the entity. The risk assessment process is involved in:
(a) Identifying business risks relevant to financial reporting objectives;

(b) Estimating the significance of the risks;

(c) Assessing the likelihood of their occurrence; and

(d) Deciding about actions to address those risks.

Page | 176
 The entity’s risk assessment process

Description of Risk
Assessment
Standing information Procedures performed
in current year to
Including: (Update as required based on Risk determine whether
Assessment Procedures performed) Standing Information
remains relevant
(As set out in Overall
Audit Strategy)
a) Does management have an
effective Risk Assessment
Process?
b) Does management use the
Risk Assessment Process to
effectively identify and respond
to risks of fraud or
irregularity?
c) What are the results of
management’s Risk
Assessment Process?
Cross-reference to a copy of
the results of management’s
process. Read and summarise
any results of the client’s risk
assessment process that indicate
potential risks of material
misstatement or irregularity.

Page | 177
3) Monitoring of controls (Ref: ISA 315 A98-104)

Public sector bodies should have a risk assessment process, which should be appropriate for the size
and complexity of the entity. The risk assessment process is involved in:

(a) identifying business risks relevant to financial reporting objectives;

(b) estimating the significance of the risks;

(c) assessing the likelihood of their occurrence; and

(d) deciding about actions to address those risks.

Monitoring of controls

Description of Risk
Assessment
Procedures performed
Standing information in current year to
Including: (Update as required based on Risk determine whether
Assessment Procedures performed) Standing Information
remains relevant
(As set out in Overall
Audit Strategy)
a) How does management
monitor the effectiveness of
the entity’s internal control?

What sources of information

about the operation of
controls are used in
monitoring and how reliable
are they?

b) How reliable is the entity’s

Overall Financial Reporting
and Budgetary Control?

c) How effective is Internal

Audit as part of the entity’s

Page | 178
 Monitoring of controls

Description of Risk
Assessment
Procedures performed
Standing information in current year to
Including: (Update as required based on Risk determine whether
Assessment Procedures performed) Standing Information
remains relevant
(As set out in Overall
Audit Strategy)
monitoring of controls?

d) What impact do any other

relevant factors have upon
the entity’s monitoring of
controls?

Page | 179
4) Business controls (Ref: ISA 315 para A81-A87)

The standing information in the file should include systems notes for each class of
transactions in the entity's operations that are significant to the financial statements and for
monitoring controls. The system notes should include:

. the procedures, within both information technology (IT) and manual systems, by
which those transactions are initiated, recorded, processed, corrected as necessary,
transferred to the general ledger and reported in the financial statements. This
should include how regularity is ensured;
. the related accounting records, supporting information and specific accounts in the
financial statements that are used to initiate, record, process and report transactions.
This includes the correction of incorrect information and how information is transferred
to the general ledger. The records may be in either manual or electronic form; and
. how the information system captures events and conditions, other than transactions,
that are significant to the financial statements.

System notes should clearly set out the flow of information within a business cycle, the IT
systems involved, and where control activities and data interfaces take place (including
controls over regularity). This can often be effectively documented using a system-flow
diagram. The client or their internal audit team may have pre-prepared systems diagrams.
In addition to system notes on business cycles, our documentation should set out the
financial reporting process used to prepare the entity's financial statements, including significant
accounting estimates and disclosures, and the controls surrounding journal entries, including
non-standard journal entries used to record non-recurring, unusual transactions or
adjustments.

Page | 180
 Description of Risk
Assessment Procedures
Link to systems note
Control cycle performed in current year to
(Update as required based on
(Amend as appropriate to the determine whether Standing
Risk Assessment Procedures
entity) Information remains relevant
performed)
(As set out in Overall Audit
Strategy)
Receipts

Payments

Cash

5) The information system (Ref: ISA 315 para A81-A85)

We should have sufficient understanding of the entity’s information systems and their interaction with
business controls (including controls over regularity) to be able to:
. identify any related risks of material misstatement or irregularity;
. identify where business controls are dependent upon general IT controls; and
. plan an effective and efficient audit.

Completing this section of the form

This section of the form documents our general understanding of the entity’s information systems.
Where appropriate, teams should link to detailed documentation of general IT controls held as
standing information in the file. If the client has a document which sets out how they comply with the
GSI security requirements, this may be an appropriate form of documentation (but this does not
provide assurance that IT controls have been implemented or are operating effectively).

Based upon our general understanding we should identify whether there are any IT related risks or we
will need to test general IT controls. This assessment can be performed in the IT Scope Assessment
form.

We should complete Annex A of this form if we plan to rely on controls dependent upon general IT
controls, or if the Engagement Director considers appropriate due to the complexity and significant of
the entity’s IT environment (as set out in the Overall Audit Strategy).

Page | 181
We should complete Annex B of this form if there have been significant changes in the IT system in the
year, or if the Engagement Director considers appropriate due to the complexity and significant of the
entity’s IT environment (as set out in the Overall Audit Strategy).

Description of Risk
Assessment Procedures
Standing information performed in current
year to determine
Issue (Update as required based on Risk whether Standing
Assessment Procedures performed) Information remains
relevant
(As set out in Overall
Audit Strategy)
What is/are the entity’s IT
system(s) involved in financial
reporting?

To what extent does the entity

use the automated controls
and checks within the IT
system?

How is the entity’s IT system

managed?

What is the in-house IT

team’s structure/what is the
structure of the relationship
with outsourced suppliers?

Is there any internal or

external assurance over the
operation of the IT system
(e.g. internal audit, or attack
and penetration testing)?

Is there an IT strategy, how

is it set, and how does it
align to the business strategy?

Page | 182
 Description of Risk
Assessment Procedures
Standing information performed in current
year to determine
Issue (Update as required based on Risk whether Standing
Assessment Procedures performed) Information remains
relevant
(As set out in Overall
Audit Strategy)
Is an IT Risk Assessment
performed? What are the
findings of the risk
assessment?

Data centre and network

operations:

If the entity uses data centres

or networks in financial
reporting, how is appropriate
security maintained over the
data?

Access Security:

What is the high level

approach to systems security,
including physical security of
servers?

Where we consider we need

to perform work on general IT
controls per the IT scope
assessment form, please
complete Annex A.

Change management:

How does the entity manage

changes to IT systems
involved in financial reporting

Page | 183
 Description of Risk
Assessment Procedures
Standing information performed in current
year to determine
Issue (Update as required based on Risk whether Standing
Assessment Procedures performed) Information remains
relevant
(As set out in Overall
Audit Strategy)
or in controls over regularity
of transactions?

Have there been significant

changes to the information
systems environment during the
year?

If there have been significant

changes, please complete
Annex B.

Other general aspects of the

IT environment relevant to the
audit

Complete the IT Scope Assessment form based upon this understanding and, if necessary,
complete Annex A and/or Annex B.

Page | 184
6) Communication (Ref: ISA 315 para A86-87)

Communication
Description of Risk
Assessment
Procedures performed
Standing information in current year to
Including:
(Update as required based on Risk determine whether
Assessment Procedures performed) Standing Information
remains relevant
(As set out in Overall
Audit Strategy)
a)How does the entity
communicate financial
reporting matters
internally?

b)How does the entity

communicate to
employees policies on
business practices and
ethical behaviour?

c) How does the entity

communicate financial
reporting matters
externally?

Page | 185
(7) Controls relevant to the audit (Ref: ISA 315 para A66-A68, A88-97)

We are required to evaluate the design and implementation of controls relevant to the audit in order
to develop a sufficient understanding to plan and perform our audit, including, where relevant, IT
controls. Depending on the timing of planning and of when these controls operate, we may perform
this evaluation at the planning stage or later in our audit.
Where we plan to evaluate the design and implementation of a control, we will do so each year, which
will involve evaluating:
. the design of a control requires a team to assess whether, if it operates as designed, it
would reliably prevent or detect and correct material misstatement or irregularity.
. the implementation of a control requires a team to obtain evidence that it is implemented
as designed (by walking through the relevant process, sighting evidence of the operation
of a control, observation of the operation of the control, or other audit evidence).

Link in the table below to where our work on the evaluation of the design and implementation of
controls has been performed.

Issues relevant to D&I of

Link to summary of D&I
Nature of control controls not already noted
work above
(Update by exception)
Controls that address Significant Risks

(including where we plan to test their

operating effectiveness)

Other business cycle controls where

we plan to test the operating
effectiveness of controls (including
application controls)
(including where we need to test controls
because we consider we cannot get
sufficient assurance from only performing
substantive testing)
General IT controls where we plan to
test their operating effectiveness

(The IT scope assessor indicates whether

we need to do so)

Page | 186
 Issues relevant to D&I of
Link to summary of D&I
Nature of control controls not already noted
work above
(Update by exception)
Month and year-end close process

Accounting policies and financial

statement production

Monitoring

Journals

Overall regularity controls

Other controls requiring Design &

Implementation work7 per the Overall
Audit Strategy (provide details)

7
work to confirm the control is designed properly and implemented in a way that makes it auditable
(i.e. there is evidence of its operation)

Page | 187
 Annex C.1.A - Access Security

This annex should be completed if we plan to rely on controls dependent upon general IT controls, or if
the Engagement Director considers appropriate due to the complexity and significance of the entity’s IT
environment (as set out in the Overall Audit Strategy).

Description of Risk
Standing information Assessment Procedures
performed in current year to
Issue (Update as required based
determine whether Standing
on Risk Assessment
Information remains relevant
Procedures performed)
(As set out in Overall Audit
Strategy)

What is the high level approach

to systems security including
physical security of servers?

Has the entity achieved any IT

Quality standard accreditation?

What is the policy regarding

passwords?

What are the policies regarding

user profiles and access?

How are joiners’ access

privileges set?

What happens to leavers’

access privileges?

(When staffs leave, what is the

process for disabling their accounts
and access privileges, and how
long does it take?)

How are administrator rights

Page | 188
 Description of Risk
Standing information Assessment Procedures
performed in current year to
Issue (Update as required based
determine whether Standing
on Risk Assessment
Information remains relevant
Procedures performed)
(As set out in Overall Audit
Strategy)

controlled?

What Physical Access

mechanisms are in place?

How are remote third party

systems accesses, including
Electronic Data Interchange
transactions) controlled?

How is the Firewall used and

controlled?

Page | 189
 Annex C.1. B – Change management

This annex should be completed if there have been significant changes in the IT system in the year, or if
the concerned Director considers it appropriate due to the complexity and significant of the entity’s IT
environment (as set out in the Overall Audit Strategy).

This includes programme changes, system software acquisition, change and maintenance and
application system acquisition, development and maintenance.

Description of Risk
Assessment Procedures
Standing information
performed in current year
Issue (Update as required based on to determine whether
Risk Assessment Procedures Standing Information
performed) remains relevant
(As set out in Overall
Audit Strategy)
Is there an Overall
Development Approach to IT
systems?

How do projects get approved?

Is there a separate
development environment?

How are new systems

accredited?

How are new systems tested

before being placed in the live
environment?

How are systems / changes

migrated into the live
environment?

Page | 190
 Annex-D
IT SCOPE ASSESSMENT

Summarise below the outcome of identification of IT risks and identification of controls

dependent upon IT.

Consider both impact and likelihood in considering whether there are risks of material
misstatement or irregularity.

Audit
Summary Question Answer Link Comments
response

Identification of IT risks

Have any potential risks of material

1 misstatement or irregularity relating to IT
been identified?

Do any of these represent Pervasive

2
Risks?

Do any of these represent Specific

3
Risks?

Do any of these require other testing to

4 be performed (i.e. there is a risk of
material misstatement or irregularity)?

Do any of these represent Risk Factors,

which should be kept in view through
5
the audit but do not require any
additional specific audit response?

Identification of controls dependent upon

IT

Do we plan to obtain assurance from

6
the operating effectiveness of controls
(e.g. controls over regularity of grants,
payroll controls, expenditure controls)?

Page | 191
 Are any of the controls which we plan
to rely on dependent upon general IT
7 controls (including operational systems)
(e.g. application controls calculating grant
payments in line with scheme rules)?

Page | 192
 Based upon our understanding of the entity's information systems, consider whether there
are any Significant Risks, other issues requiring a response or Risk Factors relating to IT.

(Expand for examples of risks)

Consider both impact and likelihood in considering whether there are risks of material
misstatement or irregularity.

Does this
represent a
Significant
Risk,
require
Explanation of
other
classification of
testing, or
whether a risk /
Question (expand grouped cells for represent a
Answer other comments
examples) Risk Factor
(Link if
which does
transferred to
not require
AASF)
any
additional
specific
audit
response?

IT system and staffing

Have there been significant new

IT systems related to financial
1
reporting or regularity of
transactions in the year?

Have there been other significant

2 changes in the IT environment in
the year?

Are there any inconsistencies

3 between the entity’s IT strategy
and its business strategies?

Page | 193
 Is there an insufficient level of
staffing of the IT department with
4
sufficient skills to mitigate the
risks to the business?

Have there been changes in key

5
IT personnel in the period?

Is the management of the IT

system outsourced? (Note -
6 even if this does not represent a
Significant Risk, this may affect
our audit approach)

Operation of IT system

From our understanding of the

information systems, are there any
indications that the financial
accounting systems (or systems
involved in the regularity of
transactions) are inaccurately
7
processing data (in particular are
there IT-related instances of past
misstatements, irregular
transactions, history of errors or a
significant amount of adjustments
at period end?)?

From our understanding of controls

around journals, are there
inappropriate access controls over
8
entries to the financial accounting
system or systems involved in
regularity of transactions?

Page | 194
 From our understanding of the
information systems, is there
inappropriate segregation of duties
9 within the financial reporting
system, systems involved in the
regularity of transactions or the IT
system?

Are management aware of any

breakdowns in the operation of IT
controls around the financial
10
accounting system or systems
involved in the regularity of
transactions?

Application controls

Are there IT application controls

which do not appear to be
11 appropriately designed or
implemented (without mitigating
controls)?

Are there changing circumstances

for the entity which may require a
12
control response outside the scope
of existing automated controls?

Other
Are spreadsheets used to
generate figures for inclusion in
13
the financial statements, or in
ensuring the regularity of
transactions, (without appropriate

Page | 195
 controls to check the design of
the spreadsheets and control
changes to them)?

Are there any other factors that

indicate one or more actual or
14
potential risks related to IT
controls or environment?

Page | 196
 Based upon our understanding of the entity's internal control and in particular of the
entity's information systems, consider whether any of the controls we plan to rely on are
dependent upon general IT controls.

Expand for examples of issues.

Expand to comment by transaction cycle or other disaggregated basis.

Comments on
transaction
cycles / audit
areas where we

Question Answer Impact on audit plan to rely on

controls

Comments/
details of
assessment

Automated controls

Are any of the controls which

we plan to rely on automated
controls (e.g. controls which
directly affect or control the
1 processing of a transaction or
event through the operation of
controls within application
software, automated controls
over regularity of transactions)?

Manual controls

The purpose of considering how

general IT controls support
manual controls is to identify
whether the effective operation
of the manual control is

Page | 197
 dependent upon general IT
controls. If a general IT control
needs to operate effectively to
enable a manual control to
work, we would need to test
the general IT control as well.

If the information systems

processed data incorrectly, would
2 this impact upon the operation
of any of the controls that we
plan to rely upon?

If access controls to the

information systems did not
operate effectively, could
3 inappropriate access to the
system prevent the effective
operation of any of the controls
that we plan to rely on?

If the information system did not

enforce segregation of duties,
4 would this prevent the effective
operation of any of the controls
that we plan to rely on?

If changes have been made to

the information systems in the
year, could inappropriate
5 changes or unforeseen effects of
changes prevent the effective
operation of any of the controls
that we plan to rely on?

Page | 198
 Annex-E
Fraud Risk Assessment
Introduction

The Fraud Risk Assessment form is designed to assist auditors in the evaluation of the potential
risks of fraud in arriving at an assessment of the risk of material misstatement due to fraud.

The Engagement Team should evaluate whether the information obtained from the other risk
assessment procedures and related activities performed indicates that one or more factors
indicating potential risks are present. Whilst these factors may not necessarily indicate the
existence of fraud, they have often been present in circumstances where frauds have occurred
and, therefore, may indicate risks of material misstatement due to fraud. (ISA 240 para 24)

The Engagement Team should identify and assess the risk of material misstatement due to fraud at
the financial statement level and at the assertion level for classes of transactions, account balances
and disclosures. (ISA 240 para 25)

Identification of potential risks of fraud

Three conditions are generally present when fraud exists:

- an incentive or pressure to commit fraud;

- a perceived opportunity to commit fraud; and

- an ability to rationalise the fraudulent actions.

In assessing potential risks of fraud the Engagement Team should have mind to the existence of
these conditions.

ISA 240 provides examples of factors to consider in assessing the risk of material misstatement due
to fraud. Although these cover a broad range of circumstances, they are only examples and other
indicators may exist.

Use of this form

This form consists of four tabs:

- "Financial Reporting" which considers the factors listed in the ISA which may give rise to a
significant risk of material misstatement arising from fraudulent financial reporting;

Page | 199
 - "Misappropriation" which considers the factors listed in the ISA which may give rise to a
significant risk of material misstatement arising from misappropriation of assets;

- "Misappropriation External" which considers possible indicators of risks of misappropriation

by individuals not employed by the entity which may give rise to a risk of irregularity (while
not being a fraud risk under ISA 240) arising from misappropriation of assets; and

- "Summary of assessment" which draws together the results of our consideration of potential
risks and documents our conclusion as to whether the results of that consideration indicate a
risk of material misstatement arising from fraud (which would be a Significant Risk) or are
otherwise indicative of a risk of material irregularity.

Each tab contains a series of high level questions addressing the presence of indicators of a risk of
material misstatement due to fraud. Where relevant detailed indicators to consider when
assessing whether the factor is present are listed. The questions and indicators are drawn from the
annexes to ISA 240. Whilst these cover a broad range of circumstances they are only examples and
teams should consider whether other potential risks exist as indicated by the risk assessment
procedures performed.

Engagement Teams should consider whether, as a result of the evidence obtained from the
performance of risk assessment procedures, they have any evidence to indicate that there are
indications of a risk of material misstatement.

In assessing the indicators identified, the Engagement Team should consider whether individually
or in aggregate they indicate a risk of material misstatement due to fraud, taking account of
existence of the conditions generally present when fraud exists.

If any risks of material misstatement are identified, they should be classified as a Pervasive or
Specific Risk in accordance with para 27 of ISA 240 and the engagement teams should plan and
perform appropriate responses as per any other Significant Risk.

If any risks of material irregularity are identified, we should consider whether they represent a
Significant Risk. We should plan and perform responses as per a Significant Risk or other risk of
material misstatement as appropriate.

Page | 200
 Annex-E.1

Fraud Risk Assessment

Summarise below the considerations of potential risks identified through our risk
assessment procedures.
Consider both impact and likelihood in considering whether there are risks of material
misstatement or irregularity.

Do these
individually or
in aggregate
Comments
indicate
(including any
- a risk of
explanation
material
required of
misstatement Is this a
Potential why we
(which, as a Pervasive
risks consider
Summary Questions fraud risk, is a or a Response
identified for potential risks
Significant Specific
the entity identified do
Risk); or Risk?
not give rise
- or a risk of
to risks of
material
material
irregularity
misstatement)
(including
Significant
Risks)?

Fraudulent financial reporting

Do incentives or pressures
exist which increase the risk of
fraudulent financial reporting?
Does the existence of
opportunity indicate an
increased risk of fraudulent
financial reporting?

Page | 201
Do the attitudes of staff, or
other conditions, exist which
would enable staff to
rationalize their actions,
indicate an increase risk of
fraudulent financial reporting?

Is there a risk of material

misstatement relating to
fraudulent financial reporting?

Misappropriation of assets by
employees or management

Do incentives or pressures
exist which increase the risk of
fraudulent misappropriation of
assets?

Does the existence of

opportunity indicate an
increased risk of fraudulent
misappropriation of assets?

Do the attitudes of staff, or do

conditions exist which would
enable staff to rationalize their
actions, indicate an increased
risk of fraudulent
misappropriation of assets?

Is there a risk of material

misstatement relating to
misappropriation of assets?

As a result of the work performed considering potential risks relating to fraudulent financial
reporting or misappropriation of assets by employees or management, have we identified any risks
of material irregularity, including Significant Risks, to be addressed through the audit?*

Page | 202
Misappropriation of assets by
individuals or groups external
to the organisation

Does the existence of

opportunity indicate an
increased risk of
misappropriation of assets by
individuals or groups external
to the entity?

Do incentives exist which

increase the risk of
misappropriation of assets by
individuals or groups external
to the entity?

Is there a history or
expectation of
misappropriation of assets by
individuals or groups external
to the entity?

As a result of the work performed considering potential risk relating to misappropriation of assets by
individuals or groups external to the entity, have we identified any risks of material irregularity,
including Significant Risks, to be addressed through the audit?

* misappropriation of assets is irregular and risk of material misappropriation of assets due to fraud is
considered, which places an emphasis on misappropriation by management or employees.

Page | 203
Consider potential risks relating to misstatements arising from fraudulent financial
reporting.

Potential
Question (expand grouped cells for
Indicators Answer risk(s)
examples)
identified

Do incentives or pressures exist which increase

the risk of fraudulent financial reporting?

Is financial stability or profitability is threatened - High vulnerability to

by economic, industry, or entity operating rapid changes, such as
conditions? changes in technology,
product obsolescence,
or interest rates.
- New accounting,
statutory, or regulatory
requirements.
- High degree of
competition or market
saturation, accompanied
by declining margins.
Significant declines in
customer demand and
increasing business
failures in either the
industry or overall
economy.
- Operating losses making
the threat of bankruptcy,
foreclosure, or hostile
takeover imminent.
- Recurring negative cash
flows from operations or
an inability to generate
cash flows from
operations while
reporting earnings and
earnings growth.

Page | 204
 - Rapid growth or unusual
profitability especially
compared to that of
other companies in the
same industry.
Do excessive pressures exist for management to - Profitability or trend level
meet the requirements or expectations of third expectations of
parties? investment analysts,
institutional investors,
significant creditors, or
other external parties
(particularly expectations
that are unduly
aggressive or unrealistic),
including expectations
created by management
in, for example, overly
optimistic press releases
or annual report
messages.
- Need to obtain additional
debt or equity financing
to stay competitive –
including financing of
major research and
development or capital
expenditures.
- Marginal ability to meet
exchange listing
requirements or debt
repayment or other debt
covenant requirements.
-Perceived or real adverse
effects of reporting poor
financial results on
significant pending
transactions, such as
business combinations or
contract awards.

Page | 205
Does the information available indicate that the - Significant financial
personal financial situation of management is interests in the entity.
threatened by the entity’s financial performance? - Significant portions of
their compensation (for
example, bonuses, stock
options, and earn-out
arrangements) being
contingent upon
achieving aggressive
targets for stock price,
operating results,
financial position, or
cash flow.
- Personal guarantees of
debts of the entity.
Is there excessive pressure on management
or operating personnel to meet financial
targets established (by sponsors), including
sales or profitability incentive goals?
Do other incentives or pressures exist?

Does the existence of opportunity indicate

an increased risk of fraudulent financial
reporting?

Do the attitudes of staff, or other conditions,

exist which would enable staff to rationalize
their actions, indicate an increase risk of
fraudulent financial reporting?

Page | 206
Consider potential risks relating to misstatements arising from misappropriation of assets
by employees or management.

Potential risk(s)
Question (expand grouped cells for examples) Answer
identified

Do incentives or pressures exist which increase the risk of

fraudulent misappropriation of assets?

Does the existence of opportunity indicate an increased risk

of fraudulent misappropriation of assets?

Do the attitudes of staff, or do conditions exist which would

enable staff to rationalize their actions, indicate an increase
risk of fraudulent misappropriation of assets?

Page | 207
Consider potential risks of irregularities arising from misappropriation of assets by
individuals or groups external to the entity.

Question (expand grouped Potential risk(s)

Indicators Answer
cells for examples) identified

Does the existence of

opportunity indicate an
increased risk of
misappropriation of assets
by individuals or groups
external to the entity?

Are we aware of any - Complex legislative framework or

characteristics or requirements including those
circumstances that may covering taxes and benefits.
increase the susceptibility of - The entity administer a complex series
assets to misappropriation? of schemes or processes which could
be subject to manipulation or
misunderstanding.

Is the internal control over - The entity's processing caseload has

designed to prevent or been subject to significant increase in
detect the misappropriation the levels of business.
of assets inadequate? - As part of the controls system the
entity is required to operate a pre-
screening or eligibility checks, e.g.
credit referencing, Companies House
checks, financial standing / track
record enquiries.
- Service delivery systems have been
changed to facilitate improved
service delivery speeds.

- Functions performing control activities

have been cut back, e.g. due to
budget constraints.

Are there other factors

indicating that opportunities
exist?

Page | 208
Do incentives exist which - The entity is involved in delivering
increase the risk of services or benefits directly to
misappropriation of assets individuals who derive a personal
benefit from it.
by individuals or groups
- Entitlement to a benefit or credit
external to the entity?
scheme also provide the individual
with passported entitlements to other
benefits.
Is there a history or - The entity's estimates of losses arising
expectation of from external fraud are high or have
increased.
misappropriation of
- The C&AG's audit opinion on regularity
assets by individuals or has been qualified in the past in
groups external to the respect of external fraud and
entity? misappropriation
- There has been a substantial increase
in caseload services or benefits
delivered by the entity which is not
consistent with changes in the
external environment.

Page | 209
 Annex F -
Significant Risks Testing Plan (SRTP)
Introduction

The Significant Risks Testing Plan is intended as the key form of summarising the audit plan for
addressing the Pervasive Risks and Specific Risks in the audit. The approach for other areas of
the audit is summarised in the Audit Area Testing Plan. The aims of the Testing Plans are to
provide a manageable means of viewing the overall audit approach and to facilitate discussion
of the approach at the planning meeting.

The form also provides a method by which additional members of the audit team can view the
overall audit approach resulting from the risk and controls assessment and to enable managers
and directors to easily review the planned approach.

The form does not document the results of testing which will be documented in the Pervasive
and Specific Risks folders in AMMS.

The form should be completed electronically if possible.

Format of the form and instructions on use

Auditors are required to first populate the Significant Risks Testing Plan with the Pervasive
Risks and Specific Risks arrived at as part of the planning process.

On the Pervasive Risks sheet auditors should document what the Pervasive Risk is, any
mitigating management controls, and the steps taken to address the risk.

On the Presumed Fraud Risks sheet auditors should document the responses to the risk of
Management Override, and whether there is a risk of fraud in revenue recognition for the
entity and related responses.

On the Specific Risks sheet auditors should document what the risk is, the audit area and
assertion affected, any mitigating management controls, and the steps taken to address the
risk.

The information included in this form should be consistent with the documentation of the
approach in the Overall Audit Strategy (updated to reflect issues identified during the Risk
Assessment Procedures)

Page | 210
 Annex- F.1

Controls
Control design Summary of overall responses to
mitigating the
and Pervasive Risk (including controls
risks identified pervasive
implementation tests and/or substantive procedures
risks
assessment if appropriate)
identified
cells will
expand to fit
one line if (Adequate /
Link Link
se Alt+Enter to Not adequate)
w line to start
ame cell)

ancial Reporting

Page | 211
 Annex F -1.1

Do the
planned
procedure
s provide
all of the
assurance
No. needed
over the

of controls

assessment
IT controls?
relevant

minimum D&I)
step reference

assertion(
Controls assurance

Audit area(s) affected

Substantive assurance

s) for the

summary / step reference

Audit assertion(s) affected

Audit

Description of the Specific Risk

Control effectiveness assessment

planned extent of controls work (at

Control design and implementation
Area(s)

Is the control dependent upon general

Planned to test operating effectiveness

Substantive test to address the specific
identified risks - procedure summary /

Controls test description and procedure

(Note - Note - (Adequat (Controls (Yes / (Effective (i.e. will
(Planned
cells will if more e / Not should No) / Not more
procedures
automatic than adequate
address effective) should be work be
ally one )
each (include tailored to needed
expand assertion
assertion link) address the on the
to fit affected,
if control L assertion
more these Li risk itself
(Yes / assurance i for the
than one will n and the Link
line if need to No) is to be n Audit
k assertion it
required. be taken k Area)
relates to,
Use typed in over that (add
rather than
Alt+Enter
assertion being general comment
to force
) procedures. as
a new
required)
line to
start Procedures

Page | 212
 within the may include
same CAATs or
cell)
work to
place
reliance upon
the work of
management.
Procedures
should not
consist solely
of
substantive
analytical
procedures
unless
controls
assurance
obtained)

Page | 213
 Annex-F.2

Planned responses

Control design (including those

Considerations Controls required by ISA 240,
and
Presumed Fraud Risk particular to the mitigating the and any other overall
implementation
client risk responses, tests of
assessment
control or substantive
procedures considered
appropriate)
(Adequate / Not
Link
adequate) Link

Revenue recognition

ISA 240 has a rebuttable presumption of

fraud in revenue recognition.
Complete as applicable:

The risk of fraud in revenue recognition

for income has/has not been rebutted and
has/has not been raised as a specific
risk.

Page | 214

Page | 214
 Management override of controls.
Note - this risk cannot be rebutted, and
there are required responses in respect of
journal entries, accounting estimates, and
significant or unusual transactions. These
responses should be tailored to the
circumstances of the entity. If there are
additional risks of management override of
controls, these should also be reflected
below or as Pervasive or Specific Risks

Journal testing

Para 32 of ISA 240 requires the

engagement team to test the appropriateness
of journal entries recorded in the general
ledger and other adjustments made in the
preparation of the financial statements. In
designing and performing audit procedures for
such tests, the auditor shall:

(i) Make inquiries of individuals involved in

the financial reporting process about
inappropriate or unusual activity relating to
the processing of journal entries and
other adjustments;
(ii) Select journal entries and other
adjustments made at the end of a
reporting period; and

Page | 215
(iii) Consider the need to test journal entries
and other adjustments throughout the
period.
Bias in accounting estimates
Para 32 of ISA 240 requires engagement
teams to review accounting estimates for
biases and evaluate whether the
circumstances producing the bias, if any,
represent a risk of material misstatement due
to fraud. In performing this review, the
auditor shall:
(i) Evaluate whether the judgements and
decisions made by management in
making the accounting estimates included
in the financial statements, even if they
are individually reasonable, indicate a
possible bias on the part of the entity's
management that may represent a risk
of material misstatement due to fraud. If
so, the auditor shall reevaluate the
accounting estimates taken as a whole;
and
(ii) Perform a retrospective review of
management judgements and assumptions
related to significant accounting estimates
reflected in the financial statements of
the prior year. (Ref: ISA 240 Para
A45-A47)

Page | 216
Significant or unusual transactions

Para 32 of ISA 240 requires for significant

transactions that are outside the normal
course of business for the entity, or that
otherwise appear to be unusual given the
auditor's understanding of the entity and its
environment and other information obtained
during the audit, the auditor shall evaluate
whether the business rationale (or the lack
thereof) of the transactions suggests that
they may have been entered into to engage
in fraudulent financial reporting or to conceal
misappropriation of assets. (Ref: ISA 240
Para A48)

Page | 217
 Assertions about classes of transactions and events for the period under audi

All transactions and events that should have been recor

Completeness C
have been recorded.

Transactions and events that have been recordedh

Occurrence O
occurred and pertain to the entity.

Amounts and other data relating to recorded transactions

Accuracy A
events have been recorded appropriately.

Transactions and events have been recorded in the cor

Cut Off Cu
accounting period.

Financial transactions are in accordance with the legisla

authorising them, regulations issued by a body with the po
Regularity R
to do so under governing legislation, Parliamentary autho
and HM Treasury authority.

Transactions and events have been recorded in the pro

Classification Cl
accounts.

Page |218
 Assertions about account balances at the period end

All assets, liabilities and equity interests that should have been
Completeness C
recorded have been recorded.

Existence E Assets, liabilities, and equity interests exist.

Assets, liabilities and equity interest are included in the financial

Valuation and allocation V statements at appropriate amounts and any resulting valuation
or allocation adjustments are appropriately recorded.

The entity holds or controls the rights to assets, and liabilities

Rights and obligations R&O
are the obligations of the entity.

Page | 219
 Assertions about presentation and disclosure

All disclosures that should have been included in the

Completeness C
financial statements have been included

Disclosed events, transactions and other matters have

Occurrence O
occurred

Financial and other information is disclosed fairly and at

Accuracy and Valuation A&V
appropriate amounts

Disclosed events, transactions and other matters pertain to

Rights and obligations R&O
the entity

Classification and Financial information is appropriately presented and

Cl&U
Understandability described, and disclosures are clearly expressed

Page | 220
 Annex-G

Audit Area Testing Plan

Introduction

The aims of the Audit Area Testing Plan is to provide a manageable means of viewing the
audit approach for audit areas and to provide a means of documenting the sources of
assurance.

The form also provides a method by which additional members of the audit team can
view the planned audit approach and to enable managers and directors to easily review
the planned approach.

The form does not document the results of testing, which should be recorded on the
Audit Area Lead Schedule together with confirmation that the testing plan has been
completed as planned, or that changes have been made to the plan.

If our evaluation of the design and implementation of controls we planned to rely on, or
tests of the operating effectiveness of those controls, indicate that we cannot rely on
them, this testing plan should be updated and changes made documented on the Lead
Schedule.
The form can be used to satisfy the requirements of the Audit Area Testing Approach test
in each audit area. The planned approach for each audit area should reflect the Overall
Audit Strategy (e.g. whether to rely on controls and any other issues identified in the
OAS). If any changes are made to the planned approach, this should be agreed with the
Director and updated on the OAS. The planned Procedure Steps should reflect this
Testing Plan.

Format of the form and instructions on use

Auditors are required to first populate the Testing Plan for Audit Areas with the
Pervasive Risks and Specific Risks and audit areas arrived at as part of the planning
process, and highlighted on Part 2 of the Understanding the Business Form and the
Entity Level Management Controls Form.

The "Financial Statements" tab should be used to document planned tests to address
risks that could affect any audit area or the financial statements as a whole, including
related parties, overall regularity issues, going concern, or laws and regulations. Where
these issues give rise to a Significant Risk, this should be documented on the Significant

Page | 221
Risk Testing Plan.

The "Audit Areas" tab(s) should be used to document the approach to testing each
assertion for Audit Areas. Audit Areas should be identified at a sufficient level of
granularity to enable us to plan our testing approach, and so should consist of items with
a similar nature, risks and controls. A financial statement note item may be made up of
several separate Audit Areas.

Auditors should indicate whether each audit area is significant or not, and the planned
control approach.

If a Specific Risk has been identified affecting an assertion, auditors should indicate
whether either:

- the Specific Risk will be extending the testing documented on this Testing Plan
(e.g. performing substantive testing with an AF of 3.0, rather than 2.0); or
- the tests addressing the Specific Risk will be in addition to the testing documented
on this Testing Plan
In either instance, auditors should cross-reference the link to the relevant Specific Risk on
the Significant Risks Testing Plan.

The form indicates the required level of substantive assurance given the planned audit
approach.

The final columns of the plan are the summarised substantive procedures that will be
carried out in each audit area. The summary of procedures shows the procedures on
assertions which are not Specific Risks: procedures to address Specific Risks are dealt with
on the Audit Approach Summary Form. Hyperlinks should be used to indicate where
additional information can be found.

Auditors can record any risk factors identified to keep in view during testing on the "Risk
Factors" tab. These are either:

- risks of material misstatement or irregularity which are addressed through standard

planned testing over the relevant assertions, and so do not require any additional
specific audit response; or
- potential risks which have been assessed as not representing a risk of material
misstatement/irregularity, and so do not require an audit response.

Page | 222
 Annex-G.1

RISK FACTORS IDENTIFIED

Summarise below any risk factors identified in planning (i.e. either:

- risks of material misstatement or irregularity which are addressed through standard

planned testing over the relevant assertions, and so do not require any additional
specific audit response; or

- potential risks which have been assessed as not representing a risk of material
misstatement/irregularity, and so do not require an audit response).

The below risk factors should be considered through the audit as part of maintaining an
attitude of professional skepticism and, if necessary due to changes in circumstance or
our understanding of the risk factors, additional procedures performed.

Pervasive / Audit Comments on

Procedures required (if any -
area(s) and why
typically not required, but may
Risk factor assertion(s) considered
be performed to reassess
potentially only a risk
whether a risk at year-end)
affected factor

Page | 223
 Audit Areas- Financial Statements Annex- G.2

Do we plan
Are there any related Other comments on
Area to rely on
Significant Risks? planned procedures
controls?

(Add others as Test in Details Link to (By exception as

Requirement
required, e.g. Teammate SRTP required, e.g. where
Opening balances need to specify what
for initial audit is done beyond the
engagements) standard
procedures)

Confirm that the

audited figures for last
TB: Trial
year's accounts have
Trial balance balance
been correctly posted as
opening figures
the opening balances in
the general ledger.

Ensure that the Trial

Balance has been
TB: General
correctly drawn from
ledger to TB
the General Ledger.

Demonstrate that the

TB:
audit area totals
Reconciliation
reconcile to the trial
to audited
balance and or draft
figures
account.

Page | 224
 Page | 225
Annex-G.3 Substantive tests description and procedure summary / step

reference

Planned substantive assurance

Planned controls assurance

Planned inherent assurance

ve any Specific Risks been identified for this assertion, and will they be

addressed by this testing?

Is the control dependent upon general IT controls?

planned work to

effectiveness if
implementation

planned test of
of the control,
Description of the

designed and
appropriately

implemented
evaluate the

design and

operating
AND the
Audit Areas- Income

Description of the control which addresses the assertion

Do we plan to rely on the operating effectiveness of controls?

Audit assertion

Significant or non-significant audit area

Value used in assessing significance of audit area

Audit area
 Link

Page | 226
Where assertions are not covered by controls assurance
(which is typically the case for classification), additional
procedures will need to be set out herein.

Link to the related Specific Risk on the

Significant Risks Testing Plan

Link to planned IT controls work

(Yes / No)

Link to planned controls work

Documentation

assertions are
should clearly
balance as a
address each

assurance is
to be taken

state which

covered by
assertion if

controls.)
(Controls

over the
control

whole.
should

(Only required if we plan to test the operating

effectiveness of the control)

(Evaluation of D&I for Specific Risks where we

do not plan to test OE is on the SRTP)

Occurrence Completeness Accuracy Cut Off

(Significant / Non-Significant)

[Specify source - e.g. PY, budget, P9, draft

accounts]

(Note - cells will automatically expand to fit more Income

than one line if required. Use Alt+Enter to force
a new line to start within the same cell.) Type 1
 Page | 227

Classification Regularity Occurrence Completeness Accuracy Cut Off Classification

Income
Type 2
 Page | 228

Regularity Occurrence Completeness Accuracy Cut Off Classification Regularity

Income Type 3
 and procedure summary / step

Page | 229
Substantive tests description
Annex-G.4 Link

reference

assurance (which
Where assertions
are not covered

need to be set
procedures will
is typically the

classification),
by controls

out herein.
additional
case for
substantive
assurance
controls
assurance
inherent
assurance
identified for
Link to the related Specific Risk on
this assertion,
the Significant Risks Testing Plan
and will they
Audit Areas-Expenditure

be addressed
Is the control
Link to planned IT controls work
dependent
upon general
IT controls? (Yes / No)
g
implementatio Link to planned controls work
n of the
control, AND
assertion if control assurance is to be
the planned
taken over the balance as a whole.
test of
Documentation should clearly state
operating
which assertions are covered by
effectiveness
the control controls.)
(Only required if we plan to test the
which
operating effectiveness of the control)
addresses the

rely on the (Evaluation of D&I for Specific Risks

operating where we do not plan to test OE is
effectiveness on the SRTP)
of controls?
Audit
Occurrence
assertion
g
non-
(Significant / Non-Significant)
significant
audit area
assessing [Specify source - e.g. PY, budget,
significance P9, draft accounts]
of audit area
(Note - cells will automatically expand
to fit more than one line if required.
Audit area Expenditure
Use Alt+Enter to force a new line to
start within the same cell.)
 Page | 230

Completeness Accuracy Cut Off Classification

 Page | 231

Regularity
 Audit Areas-Payroll Annex-G.5
Description of the
planned work to Substantive
Description
evaluate the design and tests
Do we plan of the
implementation of the Have any Specific Risks description
to rely on control
control, AND the been identified for this and
Audit the operating which
planned test of assertion, and will they be procedure

audit area
area effectiveness addresses
operating effectiveness addressed by this testing? summary /

Audit assertion
of controls? the

general IT controls?
if appropriately step

Value used in assessing

significance of audit area
assertion

Planned controls assurance

Planned inherent assurance

Significant or non-significant
designed and reference

Is the control dependent upon

Planned substantive assurance

implemented
(Note -
cells will
Where
automatic
assertions
ally
are not
expand (Controls should Link to
covered by
to fit address each the
(Evaluation (Only controls
more assertion if control related
[Specify of D&I for required if assurance
than one assurance is to be Specific
source - Specific Risks we plan to Link to (which is
line if taken over the (Yes Risk on
e.g. PY, where we do test the planned typically the
required. balance as a whole. / the Link
budget, not plan to operating controls case for
Use Documentation should No) Signific
P9, draft test OE is effectivenes work classification
Alt+Enter clearly state which ant
accounts] on the s of the ),
to force assertions are Risks
SRTP) control) additional

(Significant / Non-Significant)
a new covered by Testing
Link to planned IT controls work

procedures
line to controls.) Plan
will need
start
to be set
within the
out herein.
same
cell.)

Payroll
Occurrence
Page | 232
 Page | 233

Completeness Accuracy Cut Off Classification Regularity

 Link

need to be set
not covered by

procedures will
classification),
assertions are

typically the

out herein.
(which is
assurance

additional
case for
controls

Page | 234
Substantive tests description and procedure summary / step

Where
reference
Annex-G.6

Planned substantive assurance

Planned controls assurance

Planned inherent assurance

Have any Specific Risks been identified for this assertion, and will Link to the related Specific Risk on the
they be addressed by this testing? Significant Risks Testing Plan

Link to planned IT controls work

Is the control dependent upon general IT controls?
(Yes / No)

Link to planned controls work

Description of the planned work to evaluate the design and (Controls should address each assertion if
implementation of the control, AND the planned test of operating control assurance is to be taken over the
effectiveness if appropriately designed and implemented balance as a whole. Documentation should
Audit Areas-Receivables

clearly state which assertions are covered by

controls.)

(Only required if we plan to test the

Description of the control which addresses the assertion
operating effectiveness of the control)

(Evaluation of D&I for Specific Risks where

Do we plan to rely on the operating effectiveness of controls?
we do not plan to test OE is on the SRTP)

Audit assertion

Significant or non-significant audit area (Significant / Non-Significant)

[Specify source - e.g. PY, budget, P9, draft

Value used in assessing significance of audit area
accounts]

(Note - cells will automatically expand to fit

more than one line if required. Use
Audit area

Alt+Enter to force a new line to start within

the same cell.)
 Page | 235
Rights and Valuation and
Existence Completeness Existence
obligations allocation

Receivables
Cash
 Page | 236
Rights and
Completeness
obligations
 Link
Substantive tests
description and
Annex-G.7

Page | 237
covered by

out herein.
classificatio

procedures
(which is
assurance

to be set
assertions

additional

will need
the case
typically
are not

controls
Where
procedure summary /

n),
for
step reference

Planned substantive
assurance

Planned controls
assurance
Planned inherent
assurance

Have any Specific Link to the related Specific Risk on the Significant Risks Testing Plan
Risks been identified
for this assertion, and
will they be addressed Link to planned IT controls work
by this testing?

(Yes / No)
Is the control
dependent upon
Link to planned controls work
Audit Areas-Accounts Payable

general IT controls?
control, AND the planned test
of operating effectiveness if
work to evaluate the design

appropriately designed and

Description of the planned

and implementation of the

(Controls should address each assertion if control assurance is to be taken over

implemented

the balance as a whole. Documentation should clearly state which assertions are
covered by controls.)

Description of the
control which (Only required if we plan to test the operating effectiveness of the control)
addresses the
assertion
Do we plan to rely on
the operating (Evaluation of D&I for Specific Risks where we do not plan to test OE is on the
effectiveness of SRTP)
controls?
Existe

Audit assertion
nce

Significant or non-
(Significant / Non-Significant)
significant audit area

Value used in
assessing significance [Specify source - e.g. PY, budget, P9, draft accounts]
of audit area
automaticall

to fit more

to force a
Audit area

Accounts
within the
y expand

than one

Alt+Enter
(Note -
cells will

new line
required.

to start

payable
line if

cell.)
same
Use
 Page | 238

Rights and
Completeness and
obligations
allocation
Assertions about classes of transactions and events for the period under audit

Transactions and events that have been recorded have

Occurrence O
occurred and pertain to the entity.

All transactions and events that should have been recorded

Completeness C
have been recorded.

Amounts and other data relating to recorded transactions and

Accuracy A
events have been recorded appropriately.

Transactions and events have been recorded in the correct

Cut Off Cu
accounting period.

Transactions and events have been recorded in the proper

Classification Cl
accounts.

Financial transactions are in accordance with the legislation

authorising them, regulations issued by a body with the power
Regularity R
to do so under governing legislation, Parliamentary authority
and HM Treasury authority.

Assertions about account balances at the period end

Existence E Assets, liabilities, and equity interests exist.

The entity holds or controls the rights to assets, and liabilities

Rights and obligations R&O
are the obligations of the entity.

All assets, liabilities and equity interests that should have been
Completeness C
recorded have been recorded.

Assets, liabilities and equity interest are included in the

Valuation and allocation V financial statements at appropriate amounts and any resulting
valuation or allocation adjustments are appropriately recorded.

Page | 239
Assertions about presentation and disclosure

Disclosed events, transactions and other matters have

Occurrence O
occurred

Disclosed events, transactions and other matters pertain to the

Rights and obligations R&O
entity

All disclosures that should have been included in the financial

Completeness C
statements have been included

Classification and Financial information is appropriately presented and described,

Cl&U
Understandability and disclosures are clearly expressed

Financial and other information is disclosed fairly and at

Accuracy and Valuation A&V
appropriate amounts

Page | 240
 Annex- H

Materiality, Performance Materiality and expected error

Application of Materiality in the Audit Process

1. There are three main factors which have to be considered when determining whether a
matter is material: value, nature, and context. Thus it may not always be the value of an
item which primarily determines what is material; but the very nature of the item or the
context in which it occurs. Items may be material individually, or in total and certain parts
of an account may be of more interest than others to the user(s).

2. Materiality plays an important part at two key stages of the audit process. The aspects of
value, nature, and context will influence the role of materiality at these stages in different
ways.

Materiality at the Planning Stage

3. The auditor's aim should be to have a reasonable expectation of detecting material errors,
omissions, or misstatements in the account, should they exist. Setting an appropriate
planning materiality (coupled with the appropriate risk analysis) should satisfy that
expectation. At the planning stage, materiality by value is likely to be the main
determinant; materiality by nature and context normally are not considered, except in
very general terms. To set materiality by value, the auditor should attempt to determine
the highest level of error or misstatement that might be tolerated by the perceived users
of the accounts. The level set is a matter of judgement. Guidelines in the form of
percentage range limits can be used to assist in the judgement process and to achieve a
level of consistency.

Sensitivity

4. Sensitivity deals with the consequences of errors on loss of future revenue, the level of
public interest in the accounts, etc. Sensitivity is normally not a factor that is taken into
account when setting materiality. Rather, it is a factor that is taken into account when
assessing audit risk and potentially inherent risk as well. Also taking sensitivity into
account when assessing materiality would be erroneously double-count the factor.
5. As discussed further below, there may be exceptional circumstances where a matter is so
sensitive that it would affect the user’s perception of what is material. In that case, the

Page | 241
 auditor would need to take sensitivity into account when determining the materiality
amount.

Setting Planning Materiality

6. The auditor normally selects one overall amount for planning materiality. This recognizes
that the audit opinion relates to the financial statement as a whole and the results in each
area need to be given the appropriate level of attention relative to its significance to the
account as a whole.

7. Auditors also normally select one overall amount for a very practical reason. It is normally
not possible to audit one component to a different materiality amount than another
component, for several reasons:
• Components are inter-related. Revenues and cash receipts, for example, come from
the same transaction cycles, as do purchases, payables and payments. One cannot
use one amount to audit revenues and other cash.
• There may be misclassifications in the accounts. For example, an expenditure may
be recorded as a reduction in revenue, or an operating expenditure may be included
in capital expenditures. Given these possibilities, it is not possible to audit
expenditures and revenues (or various classes of expenditures) to different
materiality amounts.
8. There may be instances where one part of the financial statement that is considered to be
so sensitive that it will affect the users’ perception of materiality. In such cases, given the
fact that components are interrelated and the auditor needs to worry about
misclassifications, the auditor would normally need to audit the entire financial statement
to the lower materiality amount. In exceptional circumstances, though, the auditor may be
able to isolate the relevant balances and transactions and audit just them to a lower
materiality amount.
9. In determining materiality by value we attempt to assess the highest level of error across
the financial statements as a whole that we would expect the user to tolerate. In doing this
we need to take into account the particular characteristics of the entity we are auditing and
the interest shown in them by parliament or concerned ones. We do not, therefore,
prescribe a fixed level of materiality in either absolute or relative terms which must be
applied in all cases. Nevertheless, in line with most audit organizations, we offer range
limits to help inform judgement and achieve a level of consistency across all the financial
statements we audit.
10. In all cases the audit working paper should clearly demonstrate the reasons for setting
materiality at any given level. The ranges need to be applied intelligently and are no
substitute for potential judgement based on a thorough understanding of the entity’s

Page | 242
 activities and the interest shown in them by parliament. In applying them we should
always begin by asking ourselves two questions:
. What are the users (such as Parliament) most likely to be concerned about?
. What level of accuracy could the users reasonably expect?
11. Based on the above, when setting materiality, the auditor often uses the following
process:
a) Identify probable users of the financial statements.
b) Identifying the classes of users with the most exacting standards of precisions
which are most significantly affected by the financial statements.
c) Identify the information in the financial statements that is most important to these
users (e.g., cash flow, revenue or expenditure, etc). One or more of these amounts
may serve as the base for computing the measures of auditing materiality.
d) Determine the highest percentage of the base amounts that could be in error
without significantly affecting the decisions of the users of financial statements.
e) Apply that percentage, or lower one, to the base amount to compute the
measures of planning materiality.
12. The main users for most national accounts audited by the OCAG will be the national
elected body, or central authority, and the extent to which they may be interested in, or
influenced by, the information contained in the accounts will often be the major factor
affecting the calculation of materiality for the account or its component parts. There may
be other significant users, such as the general public, and the auditor should consider
whether their interests also affect the materiality decisions for other accounts and the
prime users will generally be the governing body.
13. It should be noted that the materiality amount that is determined at this step of the
general planning phase is used for the audit of all components, all financial statement
assertions and related compliance with authority objectives, etc. There is no need to
allocate the amount to the various financial statement components, etc. or to use a lower
‘test materiality’ amount.
14. The materiality level and the basis for determining it should be documented and approved
by the appropriate department head.
15. Our determination in the planning process of the tolerable level of error (i.e. the level of
misstatements which would be considered material) provides a basis for:
a) determining the nature, timing and extent of risk assessment procedures;
b) identifying and assessing the risks of material misstatement; and
c) determining the nature, timing and extent of further audit procedures.

Guidelines

Page | 243
16. Determining the materiality level is always relative and always requires judgement;
therefore, it is usually not possible to lay down specific rules or absolute numerical
measurements that will be valid in every case. Despite this, though, various guidelines
have been developed that can be used to assist in the exercise of professional judgement.
These guidelines can be used as a way of arriving at the one overall planning materiality
amount to be used on the audit.
Determining Materiality and Performance Materiality for the financial statements as a
whole
17. The appropriate level of materiality for an audit is a matter of professional judgement. The
materiality for the financial statements as a whole may be set using as a starting point a
percentage of one or more benchmarks in the financial statements, such as:
. total costs
. net costs (expenses less revenues or expenditure less receipts)
. total assets
. net assets
. total equity
18. This is sometimes referred to as quantitative materiality, as it is largely based on
quantitative factors while taking into account broader considerations through the
selection of the appropriate benchmark and percentages to apply.
19. The appropriate benchmark or benchmarks to use will be affected by a number of factors,
including (Ref: ISA 320 para A4):
. the elements of the financial statements (for example, assets, liabilities,
equity, revenue, expenses);
. whether there are items on which the attention of the users of the
particular entity's financial statements tends to be focused;
. the nature of the entity, where the entity is in its life cycle, and the
industry and economic environment in which the entity operates; and
. the relative volatility of the benchmark.
20. Public bodies audited by the OCAG are generally expenditure-driven meaning gross
expenditure is often the most appropriate benchmark for setting materiality. Audits of
Ministry financial statements should have materiality set on the basis of gross
expenditure, rather than on cash funding figures.
21. If one-off items give rise to an exceptional increase or decrease in a benchmark in the
current period, it may be appropriate to use a normalised figure for the purposes of
assessing materiality. Accordingly, we would normally consider current period, prior
period, and budget or forecast financial results and position in assessing materiality.

Page | 244
22. The OCAG considers materiality in the context of a series of ranges of percentages of
benchmarks. The ranges we normally apply in the OCAG are 0.5 per cent to 1 per cent of
gross expenditure/turnover or gross assets and 5 percent to 10 percent of average surplus
or profit with a presumption towards lower levels of materiality in large accounts. This is
summarised in the table below:

Range 0.5% 1% 2% 5% 10%

Base
Gross expenditure Increased Sensitivity
Turnover/income Consider
Gross Assets Consider
Average Surplus Consider

23. Other measures such as net expenditure (after income) or net assets may be appropriate
for particular entities.
24. The auditor should select materiality on the basis of a consideration of the different bases
available and the particular circumstances of the entity.
25. ISA 450 requires the reassessment of materiality prior to the evaluation of errors. It is
usually preferable to set materiality based upon taking account of a range of bases, rather
than based upon a fixed percentage of a single base, to reduce the risk of materiality no
longer being appropriate if an adjustment is required to the current year figures. Example:
setting materiality on a range of bases of budgeted expenditure is Tk. 9,50,00,000 (prior
year actual Tk.9,80,00,000). Budgeted gross assets are Tk. 7,00,00,000 (prior year
Tk.7,50,00,000). Materiality was assessed at the planning stage as Tk.9, 00,000 considering
the benchmarks together (rather than taking 1% of expenditure). At year-end, actual out
turn was Tk. 8,90,00,000 and gross assets Tk.7,20,00,000. Planning materiality was
assessed as continuing to be appropriate.
26. Usually a single materiality figure is set for all primary statements. However, it may be that
where an entity is primarily intended to hold public assets, the interest of the users of the
accounts are primarily in relation to the balance sheet (or the income and expenditure
statement) in which case it may be appropriate to use a single materiality figure.
27. If two materiality figures are to be used then audit tests should be carefully planned to take
account of the impact of balance sheet items on the income and expenditure statement.

Performance Materiality
28. In addition, the auditor should determine the Performance Materiality which will be used
for the purposes of assessing the risks of material misstatement and planning the nature,
timing and extent of our audit procedures.

Page | 245
29. “Performance Materiality” is equivalent to planning precision, and the terms are used
interchangeably herein.
30. We plan the audit based upon Performance Materiality in order to leave a margin for
undetected misstatements. The appropriate level to adopt involves professional
judgement, and should reflect our understanding of the entity (including any additional
information obtained during our risk assessment procedures), prior period misstatements,
and our expectations of current period misstatements. (Ref: ISA 320 para A12)
31. Performance Materiality is normally set at 90% of (materiality less expected error). This
ensures that sufficient evidence is obtained in support of the audit opinion.
32. The expected level of error in the financial statements is a matter of professional
judgement, which is influenced by a number of factors including:
. the level of errors identified by the prior year audit (including both adjusted and
unadjusted errors);
. whether we expect the client to have corrected unadjusted prior year
misstatements;
. the quality of the entity’s control environment; and
. whether we expect the entity to adjust for identified misstatements in the current
year financial statements.
33. In the absence of other indications of the likely level of error in the financial statements, it
may be appropriate to use the prior year level of errors identified in the income and
expenditure statement as the expected level of errors.
34. In some circumstances, misstatements below the materiality for the financial statements
as a whole may be reasonably expected to influence users of the accounts. If this is the
case, the auditor should also determine a lower materiality level or levels to be applied to
the particular classes of transactions, account balances or disclosures affected. (Ref: ISA
320 pA2-A11)
[

(a) Example: Calculation of Performance Materiality

. Materiality is TK 5,00,000
. The expected error for the financial statements as a whole is Tk. 1,50,000
. Performance Materiality might therefore be set at (Tk. 5,00,000 – Tk.
1,50,000) X 90% = Tk.3,15,000.
(b) Example: Calculation of Performance Materiality where difficult to revise
Materiality
The entity has a number of accounting locations around the country which are
material to the financial statements. In practice, any testing needs to be performed
at local locations due to the entity’s accounting and document management

Page | 246
 systems. The auditor, therefore, considered that it was appropriate to increase the
extent of work to reduce the possibility that testing might need to be extended due
to identification of errors from testing. Performance Materiality was, therefore, set
at 80% of Materiality less expected error:
. Materiality is Tk. 5,00,000
. The expected error for the financial statements as a whole is Tk. 1,50,000
. Performance Materiality might, therefore, be set at (Tk. 5,00,000–Tk.
1,50,000) X 80% = Tk. 2,80,000.
35. A higher Performance Materiality reduces the planned scope of work, but increases the
risk that actual errors will exceed the expected error rate and thus require additional
testing to be performed when the results of testing are assessed. Performance Materiality
should not be set at a level higher than 90% of Materiality.
36. Setting a lower Performance Materiality increases the planned scope of work. However,
this may be appropriate if it would be particularly costly or impractical to extend testing if
issues are identified (for example, due to an entity having a tight reporting timeframe, or
many locations). When this is the case, the auditor may consider it appropriate to set a
lower Performance Materiality. Performance Materiality would not normally be set below
80% of Materiality less Expected Error.
37. It is usually more efficient to be prudent in the level of expected error used in setting
Performance Materiality rather than risking having to extend testing if actual errors
exceed expected errors.

38. If a lower materiality is set for certain audit areas, a lower Performance Materiality should
also be established for those areas. Factors indicating a lower materiality for certain audit
areas may be appropriate. Para A10 of ISA 320 states, “Whether law, regulation or the
applicable financial reporting framework affect users' expectations regarding the
measurement or disclosure of certain items (for example, related party transactions, and
the remuneration of management and those charged with governance)”.

39. The key disclosures in relation to the industry in which the entity operates (for example,
research and development costs for a pharmaceutical company).
40. Whether attention is focused on a particular aspect of the entity's business that is
separately disclosed in the financial statements (for example, a newly acquired business).”
41. There may be disclosures in financial statements which are effectively tested on a 100%
basis with an expectation that the amount disclosed will be precise. These are typically:
. senior staff or board members’ remuneration;
Page | 247
 . particulars of losses that require separate disclosure;
. audit fee;
. prior year figures;
. details of special payments, write-offs and losses;
. specific legal settlements; and
. amounts which should be agreed to other accounts.

Impact of Materiality on Extent of Testing

42. The lower the materiality, the greater the amount of work. Lowering the materiality
amount normally results in:
. Larger sample sizes for both tests of controls and for substantive tests of
details;
. More items become high value transactions needing to be audited 100%;
. Lower amounts being used for determining which fluctuations found during
analytical procedures need to be followed up.
43. Lowering the materiality amount can also increase the chances of the auditor having to
issue a reservation of opinion. The maximum error that the auditor can tolerate at the
evaluation phase (the Upper Error Limit – UEL) cannot exceed the materiality amount.

Trivial misstatements
44. ISA 450 requires the auditor to accumulate identified misstatements unless they are
clearly trivial and so the accumulation of such amounts clearly would not have a material
effect on the financial statements. The guidance as to what is clearly trivial is given in para
A2 of ISA 450 as :
"Clearly trivial" is not another expression for "not material”. Matters that are clearly trivial
will be of a wholly different (smaller) order of magnitude than materiality determined in
accordance with ISA 320, and will be matters that are clearly inconsequential, whether
taken individually or in aggregate and whether judged by any criteria of size, nature or
circumstances. When there is any uncertainty about whether one or more items are clearly
trivial, the matter is considered not to be clearly trivial.
45. We should establish and include in our documentation the level below which
misstatements, unless qualitatively more significant, would be regarded as clearly trivial.
The level at which misstatements would be regarded as clearly trivial would normally be in
the range 1-2% of materiality. The minimum level for clearly trivial would normally be the
level of rounding in the account.
46. The level selected is a matter of professional judgement.

Page | 248
47. When we identify misstatements in the audit, if they are greater than the threshold set
they should be accumulated and evaluated.
48. If they are less than the threshold, we should still accumulate and evaluate items which
are qualitatively of interest. In particular, misstatements indicative of fraud should be
accumulated and evaluated regardless of size.

49. If an item is less than the threshold, we do not need to accumulate or evaluate the
misstatement or report it to management or those charged with governance.

Materiality at the Reporting Stage

50. At the reporting stage materiality serves as a condition for evaluating the errors or
misstatements uncovered and considering the need for qualification to the audit
certificate. It also helps with determining the need to insist on separate disclosure for
certain items within the accounts as required by statute or regulations.
[

51. Throughout the audit and its conclusions, the auditor is required to evaluate the results of
his/her tests. Normally, all errors will be aggregated, and extrapolated if appropriate, to
give the best estimate of most likely errors in the account. To this should be added an
allowance for further possible errors to arrive at the maximum possible error (called the
upper error limit in ACL) which could exist in the account, to enable the auditor to
establish the degree of assurance necessary for the audit opinion.

Factors Affecting Reporting of Materiality

52. If information comes to light during the audit which would have caused us to have
established a different materiality level for the financial statements as whole or individual
account areas, we should revise our materiality figure accordingly. (Ref: ISA 320 para A13)

Example: Reductions in materiality for changes in circumstances

We set materiality based upon budgets. An increased need for the entity’s services
was then identified, leading to approved increased spending in the second half of the
year. We, therefore, reassessed materiality to reflect the increased level of activity of
the entity. We re-set materiality higher. Then, a machinery of government change was
announced which significantly reduced the size of the entity and was implemented
before the year-end. We, therefore, reduced materiality to reflect the revised scope
of the entity.

Page | 249
53. If materiality is revised to a lower level, the auditor should determine whether it is also
necessary to revise Performance Materiality, and whether the nature, timing and extent
of the audit procedures remain appropriate.

54. When we evaluate the uncorrected misstatements we have identified, it is possible that
misstatements individually or in aggregate below materiality will be assessed as material
to the financial statements on qualitative grounds or are indicative of the possibility of
other misstatements. Accordingly, when evaluating misstatements, we evaluate the size,
nature and cause of misstatements.
55. The quantitative considerations are discussed above. As for qualitative aspect, these are
sometimes referred to as "materiality by nature and materiality by context".

Materiality by Nature

56. As the term implies, materiality by nature is concerned with the inherent characteristics of
a balance or group of balances rather than just their value. A matter may be material by
nature because either:
a) there are specific disclosure requirements that demand a higher degree of
accuracy than would normally be expected;
b) they are sensitive;
c) they are expenditures required to be authorized in advance by the Ministry of
Finance or any responsible body but have failed to be so authorized;
57. Auditors need to remember that materiality needs to be assessed from the users’ point of
view. Just because an account balance can be audited to a very exacting amount does not
mean that the auditor should do so, or that errors larger than what could reasonably have
been expected should be considered to be material errors. For example:
a) Some items are capable of precise determination (e.g., cash at bank and on
hand, bank overdrafts and loans). While any departure from the exact figure
would call for justification, this does not mean that the departure is material.
b) Some items are such that precision is both desirable and achievable (e.g.,
salaries and wages). Again, though, departures from these amounts do not mean
that a material error exists.
58. Similarly, the auditor should not confuse potential misstatements with materiality. For
example, the entity may be reporting revenues from customs or excise duties that are
approximately the same amount as the previous year, but where it is known that the
tariffs had been raised. This is an indication of a potential misstatement, as opposed to
something that affects the determination of materiality.

Page | 250
59. Similarly, a change in an accounting policy that might affect the financial statements
materially is not something to consider when determining the materiality amount itself –
the auditor determines materiality, considers the impact of the change in accounting
policy, and then determines if the impact is material. If so, the auditor then ensures that
there is appropriate disclosure of the change.
60. Auditors must also not confuse materiality and risk. For example, there may be:
. significant transactions which are subject to high degree of management
involvement;
. transactions or balances not in the ordinary course of business;
. suspicious or unusual items, etc;
. significant accounts or items where there is known to be a high probability of
material error;
. a large number of year-end adjustments.
61. These are areas where there may be a high probability of material error, but are not
factors to take into account when setting the materiality amount itself.

Compliance Audit interpretation

62. Compliance Auditors should note that irregular transactions are not automatically
material by nature, and the risk of transactions being irregular should be considered in the
same way as other considerations of materiality by nature of a balance.
63. The financial information needs of legislators and the public as users of public sector
accounts should be considered, with typical considerations being:
. the need for openness and transparency, for example if there are particular
disclosure requirements for senior staff remuneration;
. public expectations and public interest which might deem separate disclosure of
special payments, write offs and losses necessary; and
. the context in which a matter appears, for example if the matter is also subject to
compliance with authorities, legislation or regulations. For example situations
where a loss is turned into a deficit or where expenditure limits are exceeded.

Materiality by Context

64. An error, omission or misstatement may not be material by value or by nature but may be
important because of the circumstances in which it arises and/or the context in which it
occurs. The auditor should also be aware that certain misstatements may be material by
context because they affect critical points in the accounts and have the effect of changing
the meaning of the account. Here are two aspects of materiality by context.

Page | 251
 a) Materiality in the General Context

65. To a large degree what matters most is whether an item is material or not in the general
context, that is, in its effect on the view portrayed by the accounts as a whole. This view
of materiality accords best with overall definition of materiality, that is, a matter would be
regarded as material only if it is likely to distort the general picture revealed by the
financial statements. Thus it would be an inexcusable waste of audit time to pursue
individual errors of Tk. 5 and Tk. 10 in a batch of payment vouchers of large amounts
unless the total of such errors runs into hundreds or thousands of Taka or fraud is
suspected.

b) Materiality in the Particular Context

66. The particular context relates to the total of which an item forms part or should form part,
e.g. the total of sundry debtors comprising a series of individual debtor balances. Even
though an item is not material in the general context, it may nevertheless be material in
the particular context and vice versa. Much depends on the nature of the item concerned
and its significance in its own right.
67. From the audit organizations point of view the question of materiality may be focused
essentially on:
a) matters which are material regardless of the amount involved, and
b) matters which are material because of the amounts involved.
68. In the former class fall such matters as items which are material by virtue of their nature,
by virtue of statutory requirements, or which are material in principle. In regard to the
second category, materiality can only be judged in relative terms depending on the
circumstances of each individual case.
Technical Consideration

69. The materiality threshold (standard) should be set at the lowest level of misstatements
that users might find unacceptable.
70. The materiality threshold should take account of the requirement of the budgetary
authorities and the general public.

71. It may be necessary to revise the planned materiality threshold for an audit because, for
example, the overall total value of the financial statements is significantly different from
that assumed when setting the materiality threshold at planning stage. The auditor must
be properly aware of the need for such revision.

Page | 252
72. The determination of materiality threshold is normally a matter of audit organization
policy either as to the precise way in which the threshold is determined and approved as a
basic element in audit planning or as to the actual threshold amount for a particular audit.
73. The materiality threshold is used to evaluate the importance of the impact of
misstatements uncovered by the audit. The auditor should determine the overall most
likely error in the financial statements, adding an allowance for further possible error to
get a maximum possible error (called the upper error limit), and comparing this total to
the materiality threshold.
74. If the estimate of the upper error limit exceeds the materiality threshold the auditor has
several choices which are discussed later in the ‘evaluation’ phase. These include carefully
re-examining all his/her evidence, including the possible range of error in statistical
estimation procedures and extrapolation, with a view to qualifying his opinion on the
financial statements covered by the audit.
75. As the auditor’s judgements in relation to materiality threshold, both prior to and
throughout the audit are fundamental to the conduct of the audit and to the final
interpretation of its results, such judgements should be thoroughly documented in the
working paper and subjected to careful management review and approved.

Summary

76. To summarize, setting materiality is, therefore, a decision which requires the auditor to
exercise his judgement about the importance of errors to the user of the accounts. There
is no prescriptive rule to fit all cases. The audit is planned in totality to provide reasonable
assurance that errors or misstatements do not remain in the account above the level
which the auditor considers acceptable, but within this overall position there may be
misstatements which, because of their particular significance, will need to be considered
separately. Apart from statutory and other specific requirements the overriding
consideration will usually be their importance to the primary users of the accounts.

Documentation requirements

77. The Engagement Team should document the values used for, and the factors considered
in determining:
. materiality for the financial statements as a whole;
. if applicable, the materiality level or levels for particular classes of
transactions, account balances or disclosures;
. performance materiality; and
. any revision of [the above] as the audit progresses.

Page | 253
78. We should also document the amount below which misstatements would be regarded as
clearly trivial, and how we have communicated this to those charged with governance.
79. The Materiality Determination Form at Annex H1 is designed to enable the Engagement
Team to document the above.

Page | 254
Expected Total Errors
80. Before leaving the subject of materiality, there is one other matter that the auditor needs
to consider at this stage of the audit – total expected errors. To illustrate, assume that the
auditor selects a sample and concludes that the most likely error (MLE) in the sample is Tk.
15,00,000. If materiality is Tk. 30,00,000, does the auditor have an acceptable result? The
answer is “it depends”. Because the auditor has only selected a sample, there is a chance
that the actual error in the population is larger than Tk. 30,00,000. What the auditor
needs to do is to ensure that he/she has sufficient assurance that the maximum possible
error (called the upper error limit) in the population is less than the Tk. 30,00,000
materiality amount.
81. To do this, when planning and performing many analytical procedures and substantive
test of details, the auditor reduces the materiality amount by his/her estimate of the most
likely error that will exist in the financial statements as a whole. This estimate is referred
to as the “expected total errors.”
82. To determine the expected total errors, the auditor should consider:

• The errors found in previous years;

• The strength of the control environment and the internal control systems, and
changes that the entity has made to them to prevent these errors from recurring or
to detect and correct them; and
• Other changes to the entity’s business or its internal control structure that could
affect the size of the errors.
83. Earlier we noted that the materiality amount that is determined at this step of the general
planning phase is used for the audit of all components. There is no need to allocate the
amount to the various financial statement components. Consistent with this approach, the
expected total errors being used for a particular test must be the expected total errors in
the financial statements as a whole, and not just the expected error in the population
being audited. When auditing the completeness of income tax receipts, for example, the
auditor would need to allow for errors not only in that test, but for errors found in other
tests of income tax receipts and for errors found in other financial statement component.

Page | 255
 Annex-H.1
MATERIALITY DETERMINATION FORM

Data should be entered in cells shaded yellow. Hyperlinks to detailed documents should be provided where relevant.

Quantitative considerations

At the planning stage use expected full year position

Current
Materiality base 0.5% 1% 5% 10%
year (Taka)
Gross expenditure - -
Turnover/ income - -
Net expenditure (after income) (if relevant) - -
Assets - -
Surplus - -
Other (specify if required)) - - - -

Rationale for materiality selected including for the benchmark or benchmarks used

Chosen materiality -
Anticipated Most Likely Error for account -
(typically the additional safety margin would set Performance Materiality at 90% of
-
Additional safety margin Materiality less Anticipated MLE for the account - amend as appropriate)
Memo - total anticipated error -
Chosen level of Performance Materiality -

Page | 256
Rationale behind expected level of error and percentage used in setting Performance Materiality

Percentage of materiality considered

clearly trivial (normally 1-2% materiality)
Clearly trivial -

Comments on level of misstatement considered clearly trivial

Qualitative considerations
Detail below any considerations of materiality by context or nature:

Account Areas with lower level of materiality and Performance Materiality

The following areas have been determined by the auditor to be appropriate to test to a lower level of materiality and Performance Materiality
Performance materiality is set pro-rata to the reduction in materiality for the balance - amend manually if a different level is appropriate

Materiality Performance
Account area (and assertion if relevant) Rationale for level selected
(Taka) Materiality (TK.)

None

-
-

Page | 257
 Annex. I
Analytical Procedures
Introduction

1. Substantive analytical procedures consist of evaluations of financial information through

analysis of plausible relationships between both financial and non-financial data.
Substantive analytical procedures also involve any investigation necessary into identified
fluctuations or relationships that are inconsistent with other relevant information or that
differ from expected values by a significant amount. (Ref: ISA 520 para A1-A3).

Nature of Analytical Procedures

2. Analytical procedures include a variety of techniques used by the auditor to study

relationships between data and to test their plausibility. The data may be on financial as
well as non-financial and may arise from internal and external sources. In broad terms,
analytical procedures involve looking at figures in the financial statements to see if they
are consistent with each other and with the auditor's knowledge of the organization and
its activities.
3. The auditor can employ analytical procedures where it can be assumed that there are
relationships between items in the financial statements and between items in the account
and non-financial data. Analytical procedures include a range of specific techniques:
• The study of changes in account balances over prior periods leading to a prediction
for the current period (e.g., the regular repayment of a loan over XX years);
• the comparison of financial information with anticipated results (e.g. examining
performance variances against budgets and forecasts);
• the study of relationships between account balances over time;
• the computations that give a prediction of a given account balance (e.g., using
independent data on staff numbers and average pay rates to predict the total staff
costs for the period, and using farm data to predict per hectare payments to
farmers);
• the study of relationships between financial and non-financial information, which
may confirm the auditor's understanding of the financial information or direct
his/her attention towards unusual or unexpected account figures (e.g., license

Page | 258
 income against the number of licenses, or agricultural storage costs against
records of physical stocks).

4. Various methods may be used in performing the above procedures. These range from
simple comparison to complex analysis using advanced statistical techniques. Analytical
procedures may be applied on consolidated financial statements, components of financial
statements and individual elements of financial information. The auditor's choice of
procedures, methods and level of application is a matter of professional judgement.

5. Analytical procedures assist the auditor to:

. understand the entity's business, including current year transactions and
events
. identify account balances or transaction that may have high inherent or control
risks;
. identify and understand the significant accounting policies; and
. determine the nature, timing and extent of other audit procedures to be
performed.

6. Where we are able to develop a reliable expectation to compare the recorded amounts
against, Substantive Analytical Procedures can provide sufficient appropriate audit
evidence to provide assurance:
. on their own for assertions not affected by Specific Risks; or
. in combination with tests of controls or tests of detail for Specific Risks.
7. Substantive Analytical Procedures involve developing an expectation of the value of an
income stream, type of expenditure, year-end balance, or disclosure, based upon an
understanding of plausible relationships between financial and non-financial data. (Ref:
ISA 520 para A1-A3)
8. Where a suitable expectation has been developed and actual results are within a tolerable
amount of the expectation, this provides the planned level of substantive assurance.
9. Where fluctuations or relationships are identified that are inconsistent with other relevant
information or that differ from expected values by a significant amount, we investigate
the reasons for these and either:
. obtain the planned level of assurance by identifying appropriate evidence to
support the explanations received;
. identify misstatements in the recorded amounts; or
. (unusually) identify evidence that the identified relationship is not an
appropriate basis for Substantive Analytical Procedures and revise our planned
approach.

Page | 259
10. We may develop an expectation based upon:
. comparable information for prior periods;
. anticipated results of the entity, such as budgets or forecasts, or expectations
of the auditor, such as an estimation of depreciation;
. similar entity information, such as a comparison of cost levels to similar
entities;
. relationships that would be expected to conform to a predictable pattern
based on the entity's experience, such as National Insurance as a proportion of
salary costs; or
. relationships between financial information and relevant non-financial
information, such as payroll costs to number of employees, number of
individuals eligible for a grant, etc.
11. The planned audit approach to each Audit Area should reflect the Engagement Director
and Engagement Manager’s consideration of the most effective and efficient way of
obtaining sufficient appropriate audit evidence over each assertion through a combination
of tests of controls and substantive procedures, or substantive procedures alone.
12. Where Substantive Analytical Procedures are an effective and efficient source of
substantive assurance, the auditor should plan to use them as the substantive procedures
required by ISA 330.
13. Depending upon the entity’s circumstances, an appropriately designed Substantive
Analytical Procedure may provide assurance over any assertion or Audit Area, either on its
own or in combination with Tests of detail.
14. However, we should not rely upon Substantive Analytical Procedures alone to obtain
assurance over Specific Risks – some assurance should come from controls or from Tests
of detail.
[

15. Substantive Analytical Procedures may be an efficient way to obtain assurance over
completeness of expenditure or income (and so also completeness of liabilities and
receivables).
16. Substantive Analytical Procedures are unlikely on their own to provide sufficient
appropriate evidence for compliance audits. However, this depends upon the
circumstances of the entity and the nature of the balance being considered.
For example, an analytical procedure may not provide sufficient assurance over regularity
of grant expenditure, however:
. a substantive analytical procedure may provide sufficient appropriate audit
evidence that payroll expenditure has been within the pay remit for the
organisation;

Page | 260
 . for an organisation with limited requirements over regularity from authorities,
undertaking similar activities to the prior period, substantive analytical procedures
over expenditure, combined with an overall review for new types of expenditure
and consideration of their regularity, may provide sufficient appropriate audit
evidence.
17. When auditing Specific Risks through substantive procedures alone, the extent of tests of
detail and Substantive Analytical Procedures may vary to obtain the planned level of
assurance. Teams may either:
. perform Substantive Analytical Procedures with an Assurance factor (AF) of 2.0, and
Tests of detail with an AF of 1.0; or
. perform Substantive Analytical Procedures with an AF of 0.7, and Tests of detail
with an AF of 2.3.
18. Although using both Substantive Analytical Procedures and tests of detail require teams to
perform two separate tests, this will often provide high quality audit evidence through
providing assurance from both analysis compared to appropriately generated
expectations, and tests of underlying transactions.
19. The planned approach should reflect the most effective and efficient approach to
obtaining the planned levels of assurance.

Viability of Analytical Procedures

20. The extent to which the auditor can use analytical procedures will depend on a number of
factors including:

• The nature of the organization and its operations. Some organizations are very
stable and hence comparisons to the previous year, etc. are relatively easy to
perform. As such, the current year’s account balances and transactions can be
predicted with reasonable accuracy.
• The knowledge of the organization gained from previous audits. Analytical
procedures require knowledge of then entity – often more than is required to
perform sampling procedures.
• The availability of appropriate financial and non-financial information from internal
and external sources. If the necessary information is not available, then the
procedures cannot be performed.
• The relevance, level of detail and reliability of the various forms of information
available. If the available information is not reliable, then the procedures cannot
be performed.

Page | 261
• the extent to which the account or the items to be examined can be predicted with
reasonable accuracy;
• the comparability and independence of information from different sources. If the
data in the accounts being compared are coming from the same source, then the
comparison will have limited value.
• Audit team attributes. In order to properly plan, perform and evaluate the results
of an analytical procedure, one must have a sound understanding of the entity, the
industry and the data being analysed. Should the audit team not possess a
sufficient understanding to perform a particular analytical procedure, then the
procedure should not be performed.
• The inherent risk and the control risk. The higher these risks, the greater the
possibility that the data to be used in the analytical procedure is unreliable. In
particular, should management officials be able to override specific internal
controls and manipulate the data, they may be able to alter the data so as to hide
significant fluctuations, over-expended appropriations, etc.
• The component and the specific financial audit assertion for which audit evidence
is required. Analytical procedures are generally more useful in providing assurance
for revenue and expenditure accounts than for balance sheet accounts. For
example, analytical procedures may be very useful in providing assurance as to the
completeness and measurement of many revenue and expenditure accounts.
However, they are usually not very good at testing the validity or ownership of
assets.
• Related compliance with authority objective for which audit evidence is required.
Analytical procedures are often not particularly good at obtaining assurance with
respect to most compliance with authority objectives. For example analytical
procedures will not be very good at determining if:
o The services were actually performed or the goods were actually received;
o The expenditures are consistent with the nature of the appropriation to
which they were charged;
o The expenditures, borrowings or cash received are in accordance with the
applicable legislation; or
o The cash received was for an approved tax or other approved revenue
source.

For all of these, a detailed examination of specific expenditure transactions,

borrowing transactions, or revenue transactions is normally the best way to obtain
assurance with respect to these compliance with authority objectives.

Page | 262
 • Analytical procedures are often not particularly good at determining if there are
appropriations that have been exceeded but have not been so disclosed. This is
because entity officials may simply adjust the books or defer the recording of
expenditures to hide such situations. A detailed examination of journal vouchers
and the coding on specific transactions, and a detailed review of the year-end cut-
off, are normally the best way to obtain assurance with respect to this particular
compliance with authority objective
• Costs and benefits of obtaining assurance from analytical procedures. Generally,
analytical procedures take less time to apply than a test of details and, therefore,
have the potential to be a more efficient source of audit evidence. Cost and benefit
considerations include:
o The ease and cost of obtaining and assessing the reliability of the data to be
used in the analytical procedure;
o The ease and cost of applying the analytical procedure, including obtaining
appropriate explanations for all significant fluctuations; and
o The ease and cost of obtaining assurance from other sources of audit
assurance.

Trend Analysis and Ratio Analysis

21. Analytical procedures often are categorized as either trend analysis or ratio analysis.

Trend Analysis

22. Trend analysis looks at changes in a given account balance or financial statement line over
past accounting periods.
23. As discussed in more detail below, trend analysis can be performed with various degrees
of sophistication/complexity. For example, a simple diagnostic approach may be used
where the auditor compares the actual current year value with the past trend to
determine if it appears to be out of line. Conversely, a predictive approach may be used
where the auditor adjusts the previous years’ trend amounts for known changes in order
to predict the current year’s amount.

24. The more complex techniques are capable of giving more accurate predictions and
therefore will provide more substantive assurance than the less complex procedures.
However, as techniques increase in complexity; more audit effort is usually required to
perform them. A balance has to be struck between the costs and benefits of each
technique.

Page | 263
25. Trend analysis techniques include:
• graphical methods;
• period to period comparisons;
• weighted averages;
• moving averages;
• statistical time series analysis.
26. Graphical methods and period-to-period comparisons are often appropriate at the
planning and review stages of the audit to identify the area of focus.

Ratio Analysis

27. Ratio analysis is a method that involves comparing relevant relationships between
financial statement figures. This isolates stable, common or irregular relationships
between account balances over a period of time. Ratio analysis is particularly useful
where the ratios can be calculated for a sufficient number of years to allow trends to be
properly recognized and evaluated.
28. The most commonly used ratio analysis method is financial ratio analysis.

Financial Ratio Analysis

29. Financial ratio analysis involves balances within financial statements to understand the
relationship between those balances and help identify changes in the relationship over
time. Investigating the relationships between account balances can help auditors to
understand the information contained in financial statements.

30. A wide range of financial ratios should be employed by the auditor depending on the
nature of the organization and its financial statements. Gross profit margin (operating
profit against sales), stock turnover (cost of sales against stock values, and debtor days
(trade debtors against total credit sales) are three important ratios commonly examined in
a trading organization. Certain financial ratios which involve the measurement of an
entity's current assets against its current liabilities can provide a useful measure of its
ability to meet its short-term obligations and may direct attention to liquidity problems.
31. Ratio analysis can be an effective technique provided the following conditions apply:
• the ratios to be compared must be calculated using the same methodology;
• the account figures in the ratio to be compared are calculated using the same
accounting policies;
• the ratio is expected to be relatively stable between periods.

Page | 264
Categories of Analytical Procedures

32. Analytical procedures can be grouped into five general categories. Each category can
involve the use of either trend analysis or ratio analysis.
33. As a general rule, each category can provide a greater amount of assurance than the
previous category. However, there are numerous factors, other than the type of analytical
procedure being performed, that affects the amount of assurance that can be obtained
from a particular procedure. These other factors are discussed below.

Category 1: General reviews for reasonableness

34. This category of analytical procedures involves a high level comparison of current
information with that of previous periods, with budgets or with statistics available from
the entity. No pre-determined threshold amount is specified for identifying significant
fluctuations. The process is sometimes referred to as “eyeballing” the financial statements
– the auditor looks for accounts that appear to be unusual in amount, in volume of
activity, etc.
35. The objective of this type of analysis is generally attention directing as opposed to
obtaining audit assurance.

36. Although this type of analytical procedure normally does not provide any assurance, it can
contribute immensely to an understanding of how the entity operates, how different
components should interrelate, and how the financial statements should present the
underlying events.
37. As a result, general reviews for reasonableness should be conducted during the general
planning phase and the evaluation phase of the audit.

Category 2: Comparative analysis

38. This category of analytical procedures involves comparing the current year's reported
amounts (or ratios) with those of the prior year (or years). The data from the previous
year(s) are not adjusted for known changes in the factors affecting the data. Comparative
analysis assumes that the prior year's data provide a sufficiently accurate estimate of the
current year's amount and, therefore, can be used to identify any significant fluctuations
from the current year's recorded amount. A pre-determined threshold amount is specified
for identifying significant fluctuations.
39. For example, the auditor may decide to compare the employee related expenses (pay,
allowances, etc.), operating expenses (fees, communications, utilities, etc.) and income
tax receipts to the equivalent amounts for the previous year. The auditor would then
follow up differences greater than the threshold amount.

Page | 265
40. This type of analytical procedure can provide a low level of substantive assurance.

Category 3: Predictive analysis

41. Predictive analysis involves comparing the current year's reported amounts (or ratios)
with a prediction of what the current year's amounts (or ratios) should be based upon the
trend of the amounts (or ratios) from the previous year (or years). The data from the
previous year(s) are adjusted for all known changes in the factors affecting the data. A
pre-determined threshold amount is specified for identifying significant fluctuations.
[

42. For example, before making a comparison of the employee related expenses for the
current year to the equivalent expenses for the previous year, the auditor could adjust the
previous year’s amounts for known changes in the average pay scales and in the number
of staff within the specific entity for which the comparison is being made.
43. Similarly, before making a comparison of income tax receipts for the current year to the
equivalent amounts for the previous year, the auditor could adjust the previous year’s
amounts for known changes in income tax rates.
44. Because the prior year’s amounts are adjusted for known changes before the comparison
is made, this type of analytical procedure can produce a more precise estimate than
would be the case with comparative analysis. As a result, it can provide a higher level of
substantive assurance than comparative analysis.

Category 4: Statistical analysis

45. This category of analytical procedures involves analyzing the known behaviour of variables
and developing an equation (model) that explains the relationship between these
variables. A pre-determined threshold amount is specified for identifying significant
fluctuations.
46. For example, the auditor may have reliable monthly payroll expenditure, together with
corresponding monthly figures for average numbers of staff in post, for the past few
years. It would then be possible to develop a statistical model for the prediction of payroll
expenditures in terms of staff numbers and time, and to use this model to predict
expenditure in the current period from the corresponding staff numbers. The auditor
would input data on employee related expenses for the previous several years into the
software package. The software package would then estimate the amount of employee
related expenses for the current year.
47. Although this category is similar to predictive analysis, statistical analysis provides more
accurate predictions and objectively measures the confidence level and the achieved level
of precision of the prediction. As a result, it can provide an even higher level of
substantive assurance than predictive analysis.

Page | 266
Category 5: Overall verification procedures

48. This category of analytical procedures involves building up an estimate of an account

balance from known and verified (as opposed to analysed) data. For example, the auditor
could verify the number of rental units by type of unit, the average rent by type of unit,
and the vacancy rate by type of unit. For each type of unit the auditor could then multiply
the number of units times the average rent times the vacancy rate and compare the result
to the revenue received from the rents.
49. As another example, the auditor could verify the monthly salary for each employee on the
payroll and use that data to estimate the total payroll expenditure for salaried employees.
50. A pre-determined threshold amount is specified for identifying significant fluctuations.
51. Overall verification procedures usually result in a very accurate estimate of the account.
For this reason, and because the inputs are verified (as opposed to analysed), this
category of analytical procedures generally produces a very high level of substantive
assurance.

Factors Affecting the Assurance that can be derived from Analytical Procedures
52. The degree of assurance derivable from a particular type of analytical procedure depends
on many factors that must be considered by the auditor. Outlined below are the key
factors affecting the effectiveness of an analytical procedure.
Category to which the procedure belongs

53. The quality of an analytical procedure depends on the category to which it belongs. As we
move from general reviews for reasonableness through to overall verification procedures,
a more comprehensive analysis of the underlying relationships is usually performed. This,
in turn, results in a greater amount of substantive assurance.
54. While guidelines should not replace the use of professional judgement, the following may
be useful for determining the amount of assurance that is usually achievable from each
category of analytical procedures:

Type of Analytical Procedure Assurance

General reviews for reasonableness Nil

Comparative analysis A = 0.7

Predictive analysis Up to A = 2.3

Statistical analysis Up to A = 2.3

Overall verification procedures Up to A = 2.3

Page | 267
Threshold amount used to determine significant fluctuations

55. If the auditor sets a low threshold amount he/she will have more fluctuations to follow up
than if the auditor selected a high threshold amount. As a result, the lower the threshold
amounts, the higher the assurance that can be achieved.
56. In setting the amount to be used for identifying significant fluctuations, the auditor should
consider the planned precision determined for the audit. The threshold amount to be
used for identifying significant fluctuations should be directly related to this planned
precision amount.
57. With a statistical analysis software package, the planned precision and the desired level of
assurance are keyed in and the software package automatically calculates the amount to
be used. For other types of analytical procedures, the auditor must set the threshold
amount subjectively using his/her professional judgement.
58. Items comprising an account balance can be analysed using a number of different data
profiles. For example, when analysing payroll expenditures for the government, the
auditor could analyse the expenditures:
• For the government as a whole;
• By ministry, department, and/or agency, etc;
• By division or by staff classification; and/or
• For the year as a whole or for each month.

59. Data used can be entity-wide data (e.g., payroll related expenses for the ministry as a
whole), disaggregated by one level (e.g., payroll expenditures for each division or by
staff category), or disaggregated by two levels (e.g., payroll expenditures for each staff
category within each division).

Quality of the relationship

60. The quality of an analytical procedure is only as good as the quality of the underlying
relationship upon which it is built. In seeking to identify the quality of a relationship, the
factors described in the following paragraphs should be considered.
61. Simplicity of the relationship: The fewer the factors that could cause changes in an
account over time, the easier it should be to estimate the current year’s balance and
follow up significant fluctuations. As more factors are added, it becomes increasingly
difficult to design an analytical procedure that will adequately capture each factor's
impact on the account.

62. Plausibility of the relationship: A plausible relationship is one that the auditor may
reasonably expect to exist based on an understanding of the business and the accounting

Page | 268
 Grade Staff Pay Rate Predicated Actual Difference
Number Total Total

No. Tk. Tk. Tk. %

Secretary 1.0 69,818 69,818 70,234 416 0.60
Additional Secretary 4.0 59,127 236,508 245,510 9,002 3.81
Directors 3.0 48,461 145,383 154,079 8,696 5.98
Assistant Secretary 26.0 44,631 1,160,406 1,198,541 38,135 3.29
Principal 118.5 31,602 3,744,837 3,755,146 10,309 0.28
Staff Officer 376.5 18,450 6,946,452 6,905,384 -41,041 -0.59
Executive Officer 571.5 15,839 9,051,988 9,020,459 -31,529 -0.35
Admin Officer 847.0 10,396 8,805,412 8,952,468 147,056 1.67
Support Grade Band 1 35.0 10,021 350,735 365,946 15,211 4.34
Support Grade Band 2 259.0 8,870 2,297,330 2,304,846 7,516 0.33
Administrative 1624.0 7,755 12,594,120 12,661,752 67,632 0.54
Assistant
Etc. Etc. Etc. Etc. Etc. Etc.
Total for all grades 7777.5 969,867,127 97,605,433 738,306 0.76

Comparisons against the actual amount and the predicted amount can be seen in the
table above. Differences were calculated for each grade as well as the overall
difference for all grades combined. Payroll expenditure was predicted at Tk.9,68,67,127
in comparison to an outturn of Tk.9,76,05,433. The outturn was Tk.7,38,306 (0.76%)
more than the prediction. This difference was within the tolerable difference of
Tk.17,02,610 (1.74%). No material fluctuations were found.
However, there were some significant fluctuations for particular grades. Significant
fluctuations for each grade were defined as differences greater than +/-1.75% (the
tolerable difference). The highlighted fluctuations were investigated to ensure they
were not material by context or nature. Possible discrepancies could also be due to the
use of contract staff at a higher or lower level, or a small minority of staff not covered
by the main grading structure.

Step 6: Evaluation
The expected value was well within the tolerable range and hence substantive
assurance was achieved from the analytical procedure. Fluctuations within grades
greater than +/- 2.5% were invested and no material error was found.

Example 2
Step 1: Determine whether it is appropriate to use Substantive Analytical Procedures
Testing the accuracy and completeness of income generated during the year from

Page | 279
b) Independence of the data

71. For data to be independent, each item being used in the analysis should come from a
source that is different than the source of the amount being analysed. This ensures a
stronger test, as it is unlikely that errors will occur in both sets of data simultaneously.
72. If the items are not coming from an independent source, the auditor would need to verify
the completeness and accuracy of the items being used in the analysis.
73. The most independent internal sources are records maintained by different people.
Examples would include shipping records, production records, personnel records and
similar records that are not part of the basic accounting records.
74. If external data are available and used in the analysis, it would ordinarily satisfy the
independence criteria. However, care must still be exercised in determining whether the
data is relevant. For example, industry statistics are often several years out of date.

c) Level of data aggregation

75. In general, the less aggregated the data, the better the analysis that will result, and the
greater the amount of assurance that can be obtained. This is because the less aggregated
the data, the less chance there is that errors in one specific account will be hidden by
appropriate fluctuations in other accounts.
For example, the auditor may decide to simply compare revenues by major category
(direct taxes and indirect taxes) to the equivalent amounts for the previous year. A better
test would be to do the comparison at a less aggregated level – personal income taxes,
corporate income taxes, property taxes, etc.
As another example, the auditor may attempt to do an overall verification procedure on
the total payroll expenditure. The auditor may get data about staff numbers and grades
from personnel systems which are maintained independently of data on pay. As a first
approximation, the auditor may try to predict total payroll costs in the period by
multiplying numbers in each grade by the mid-point of the pay scale for the grade.
However, such a method fails to take account of the numbers of staff in each grade at
different points on the pay scale. The auditor may be able to use data on lengths of time
in the grade to refine the procedures by using a weighted average pay rate for each grade,
rather than simply the mid-point of each scale. Even further refinements might take
account of other variables, such as annual performance bonuses.

d) Measurement frequency and number of periods of data used

76. Generally, the greater the number of data observations used in the analysis, the stronger
the evidence provided through the analytical procedure. The more frequently one can

Page | 270
 observe a particular relationship, the more one can be assured of the consistency of the
relationship. For example:
• Monthly observations generally provide more useful information (and
assurance) than annual observations; and
• Using several years’ data in the analysis generally provides more assurance than
only using the most recent year’s data.

Documentation

77. As with all audit work the auditor should ensure that his working papers adequately
document the planning performance and results of and conclusions from analytical review
work.
78. Working papers should consist of:
a) an outline programme of the review work; e.g. account areas to be considered;
overall review work on account figures, allocations of time;
b) a summary of significant figures and relationships;
c) details of all significant variations considered;
d) details of the results of investigations into such variations including explanations
obtained from management and the steps taken to verify them;
e) the audit conclusion reached; and
f) Information considered necessary for assisting with the planning of subsequent
audit.
79. The sources and dates of the acquisition of figures used should be clearly indicated. A
record of the dates and ratios used for analytical review purposes for each accounts
should be kept on audit files.

Planning and Performing Substantive Analytical Procedures

80. Planning and performing Substantive Analytical Procedures requires the Engagement
Team to use professional judgement in:
. determining whether it is appropriate to use Substantive Analytical Procedures;
. determining whether the data used to develop an expectation is reliable;
. developing the expectation based upon an identified relationship in the data;
. determining the tolerable difference;
. investigating results of Substantive Analytical Procedures; and
. concluding upon the Substantive Analytical Procedure.

81. Achieving the planned level of assurance is dependent upon the quality of the design of
the Substantive Analytical Procedure.

Page | 271
82. The steps involved are discussed further below.

Determine whether it is appropriate to use Substantive Analytical Procedures

83. In planning whether to use Substantive Analytical Procedures to test an Audit Area, the
auditor should determine the suitability of particular Substantive Analytical Procedures for
each assertion, taking account of the assessed risks of material misstatement and tests of
detail, if any, for these assertions. (Ref: ISA 520 para A6-A11)
84. Engagement Teams should only plan to rely on Substantive Analytical Procedures if they
give a comparable quality of audit evidence to a test of detail.
85. In general, Substantive Analytical Procedures based upon a predictive model provide
higher quality audit evidence than comparative analytical procedures. For example, a
Substantive Analytical Procedure using an expectation based upon approved salary
bandings for various grades in the organisation multiplied by an audited head-count for
each grade provides higher quality audit evidence than one using an expectation based
upon total salary expense for the prior year.
86. However, depending upon the circumstances, relatively simple predictive models (such as
the above expectation of payroll) or comparative analyses (e.g. vs. prior year adjusted for
inflation when level of activity and cost of work performed are validly both expected to
remain the same) may be appropriate.

87. The appropriateness of Substantive Analytical Procedures will depend upon the nature of
the assertion and our assessment of the risk of material misstatement. For example, if
controls over processing of payments are deficient, we may decide to use tests of detail
for expenditure rather than substantive analytical procedures.
88. Substantive Analytical Procedures may also be appropriate to perform in combination
with tests of detail. For example, when obtaining audit evidence regarding the valuation
of accounts receivable balances, we may apply analytical procedures to an ageing of
customers' accounts in addition to performing tests of detail on subsequent cash receipts
to determine the collectability of the receivables.

Determining whether the data used to develop the expectation is reliable

89. The auditor should evaluate the reliability of data used to develop our expectation, taking
account of source, comparability, and nature and relevance of information available, and
controls over preparation. (Ref: ISA 520 para A12-A14)
90. The auditor should confirm with management that they consider the relationship used to
be a plausible basis for developing an expectation.

Page | 272
91. Factors to consider include:
• source of the information available - for example, information may be more
reliable when it is obtained from independent sources outside the entity;
• comparability of the information available - for example, broad economic data
such as the overall inflation rate may not be appropriate for a department with
particular cost pressures;
• nature and relevance of the information available - for example, whether budgets
have been established as results to be expected rather than as goals to be
achieved;
• controls over the preparation of the information that are designed to ensure its
completeness, accuracy and validity - for example, controls over the preparation,
review and maintenance of budgets; and
• prior year knowledge and understanding – e.g. knowledge that there have been
issues in prior years with the accuracy of a data source.
92. We may consider it appropriate to test the operating effectiveness of controls over the
entity's preparation of information used by the auditor in performing substantive
analytical procedures – if they are operating effectively, this would give greater
confidence in the Substantive Analytical Procedures. The operating effectiveness of
controls over non-financial information may often be tested in conjunction with other
tests of controls (e.g. controls over payroll may also give assurance over data on
headcounts).

Developing the expectation

93. The Engagement Team should develop an expectation of recorded amounts or ratios and
evaluate whether the expectation is sufficiently precise to identify a misstatement that,
individually or when aggregated with other misstatements, may cause the financial
statements to be materially misstated. (Ref: ISA 520 para A15)
94. The precision of a Substantive Analytical Procedure is affected by considerations such as:
• the accuracy with which the expected results of substantive analytical procedures
can be predicted - for example, we may expect greater accuracy when predicting
payroll costs than when comparing discretionary expenses, such as advertising, to
prior periods;
• the degree to which information can be disaggregated - for example, substantive
analytical procedures may be more effective when considering an expectation of
salary costs by grade, or by different divisions, rather than the overall salary cost;
and

Page | 273
 • the availability of the information, both financial and non-financial - for example, we
may consider whether financial information, such as budgets or forecasts, and non-
financial information is available to design substantive analytical procedures. If the
information is available, we should consider its reliability as discussed above.
95. It is unrealistic to expect analytical procedures to predict financial amounts or ratios
exactly. Hence expected values, or the range within which they are likely to lie, need to be
estimated. To help ensure that any bias that might be introduced by the auditor is limited,
the expected values (and/or their range) should be estimated before the analytical
procedure is performed.
96. The expected value or its range should be determined using professional judgement. In
some cases, where a statistically-based analytical procedure is used, (for example
regression analysis), the range can be set to the confidence limits for that expected value.
If the estimated range or the uncertainty associated with the expected value is very wide,
the Substantive Analytical Procedure may not be able to provide adequate assurance that
the actual amount is not materially misstated.
97. A more complex procedure, with accurate and detailed input data, and a more complex
model will usually provide higher precision and hence a higher level of assurance.

Determining the tolerable difference

98. The auditor should determine the amount of any difference of recorded amounts from
expected values that is acceptable without further investigation. This is termed as the
‘tolerable difference’. (Ref: ISA 520 para A16)
99. The tolerable difference should be determined before comparing the expectation to the
recorded amount.

100.The level of assurance that is to be obtained from any Substantive Analytical Procedure is
dependent upon the amount of assurance needed from that procedure to reduce audit
risk to a specified level. The risk assessment performed at the planning stage, as well as
results of other audit procedures, should be used to determine the level of assurance
required from the analytical procedure. As the level of assurance increases, the
corresponding level of precision required for the analytical procedure should also
increase.
101.It is not possible to use Substantive Analytical Procedures on their own to obtain
assurance over Specific Risks (i.e. Substantive Analytical Procedures cannot be performed
with an AF of 3.0).

Page | 274
Substantive Analytical Procedures with AF of 2.0

102.If performing Substantive Analytical Procedures to obtain an Assurance Factor of 2.0, the
tolerable difference is given by:

where

Materiality = the materiality level of the whole account

Actual Amount = the recorded amount that is being audited (i.e. the figure recorded in
the accounts)

Materiality Base = the value used to calculate materiality, e.g. Gross Expenditure

The tolerable difference is capped at 90% of Performance Materiality. For example, in

cases where the account area value can exceed the materiality base (for example,
where the surplus generated by an entity is adopted as the most appropriate
materiality base) the tolerable difference should be set at 90% Performance
Materiality.

Substantive Analytical Procedures with AF of 0.7

103.If performing Substantive Analytical Procedures to obtain an Assurance Factor of 0.7, the
tolerable difference is given by setting a percentage of 10-25% of the recorded amount,
capped at Performance Materiality. The auditor should use professional judgement in the
context of the circumstances in the audit to determine what an appropriate threshold
percentage is.

Substantive Analytical Procedures for non-significant balances

104.If performing Substantive Analytical Procedures over non-significant balances, the auditor
should set tolerable error at the lower of Performance Materiality or 25% of the recorded
amount. The Substantive Analytical Procedure may be based upon a simple comparison to
prior year if the auditor considers this to be effective and efficient. Example: auditing a
non-significant other payables balance. Other payables is a non-significant balance of TK.
10,00,000 (prior year TK. 12,00,000) made up of deposits on a number of leases which
mostly have several years to run. One lease expired in the year and the client exited the
premises. The auditor has tested with a comparative substantive analytical procedure
comparing to prior year less the lease expiring in the year, with a tolerable difference of
Tk. 2,50,000 (25% of recorded amount).

Page | 275
Investigating Results of Substantive Analytical Procedures

105.The auditor should compare the recorded amount to the expectation that they have
developed.
If:
. the variance between recorded amount and expectation is within the tolerable
difference; and
. there are no fluctuations or relationships apparent from the analysis which are
inconsistent with other audit evidence or expectations;

then the Substantive Analytical Procedure has provided the planned assurance.

If:
. the variance between recorded amount and expectation is greater than the
tolerable difference; or
. the auditor identifies fluctuations or relationships apparent from the analysis
which are inconsistent with other audit evidence or expectations,

then the auditor should investigate the differences.

106.The auditor should:

a) Inquire of management as to the reasons for the differences, and obtain appropriate
audit evidence relevant to management's responses; and
b) Perform other audit procedures as necessary in the circumstances. (Ref: ISA 520
para A20-A21)
107.The auditor may be able to evaluate management’s responses in the context of his/her
understanding of the entity and other audit evidence obtained, or he/she may need to
obtain additional audit evidence to support their explanations.
108.If management’s explanations indicate that there are additional factors that should have
been considered in establishing his expectation, he will usually revise the expectation and
evaluate whether the revised expectation and recorded amount are within tolerable
difference.
109.The evidence supporting revised expectation should be of equivalent quality to initial
expectation.
110.On occasion auditor may go through more than one cycle of this process before arriving at
an audit conclusion.

Page | 276
Concluding on Substantive Analytical Procedures

111.If management is unable to provide an explanation, or the explanation, together with the
audit evidence obtained relevant to management's response, is not considered adequate,
the auditor should consider whether a misstatement has been identified.
112.If auditor do not consider there to have been a misstatement identified, he may conclude
that the identified relationship is not an appropriate basis for Substantive Analytical
Procedures and revise his planned approach to include alternative substantive
procedures.
113.Auditor should not automatically adopt an alternative approach without understanding
why the relationship identified was inappropriate.
Consideration of misstatements

114.If auditor identified a misstatement, he should consider whether he has achieved the
planned level of assurance or whether additional procedures are required. If the
misstatement identified exceeds the expected error rate assessed at the planning phase
(i.e. is greater than Materiality – Performance Materiality), he should clearly document his
rationale for conclusion on the adequacy of the scope of work performed.
115.As substantive analytical procedures are effectively 100% tests of an assertion, auditors
will usually provide the planned level of assurance even if they detect a misstatement
which exceeds the expected error rate for the audit identified at planning stage (i.e. a
misstatement greater than the difference between Materiality and Performance
Materiality).
116.Auditors should understand the nature and cause of the misstatement and determine
whether they indicate that other misstatements may exist.
117.This may be due to a previously unidentified Significant Risk.
118.Indications that other misstatements may exist include if a misstatement arose from a
breakdown in internal control, or from inappropriate assumptions or valuation methods
that have been widely applied by the entity.
119.If there is a risk that other misstatements may exist that, aggregated with identified
misstatements, may be material, then the auditor should revise the Overall Audit Strategy
and the Audit Plan.

Example 1
Step 1: Determine whether it is appropriate to use Substantive Analytical Procedures
Confirming the accuracy and completeness of payroll expenditure, during the interim
stage of the audit to obtain substantive assurance. Reasonableness testing using
modelling techniques to predict payroll would achieve the required level of assurance.

Page | 277
Step 2: Determine whether the data used to develop the expectation is reliable
Independent personnel records relating to payroll were available from Human
Resources within a computerised format, allowing the data to be obtained and
manipulated efficiently. It would be reasonable to use this data to predict a
relationship with payroll, and auditor usually checked a small sample of 5 items for
accuracy.
Step 3 Develop the expectation
Independent data obtained included; 1) staff numbers by grade, 2) pay scale for each
grade, 3) length of time in each grade. The same rates of pay were applied throughout
the year. A weighted average pay rate was calculated for each member of staff, using
the length of time spent in that grade. This produced an estimate of the average
position on the relevant pay scale according to grade for each member of staff. The
addition of the individual averages by grade produced the estimated aggregated
payroll profile.
Step 4: Determine the tolerable difference
The planned level of precision specified using the tolerable difference formula is given
below .

Figures from the account displayed the following; Actual Amount = Tk. 9,76,05,453, Materiality
Base = Tk. 29,70,00,000 and Materiality = Tk. 29,70,000. Therefore:

Tolerable = Tk. 29,70,000 ×

Tk. 9,76,05,453
Difference
Tk. 29,70,00,000
=Tk. 77,02,610 or 1.74%

Step 5: Investigate results of analytical procedures (including significant fluctuations)

An extract of the results for a selection of grades, together with summary data for all
grades are given in the table below.

Page | 278
 Grade Staff Pay Rate Predicated Actual Difference
Number Total Total

No. Tk. Tk. Tk. %

Secretary 1.0 69,818 69,818 70,234 416 0.60
Additional Secretary 4.0 59,127 236,508 245,510 9,002 3.81
Directors 3.0 48,461 145,383 154,079 8,696 5.98
Assistant Secretary 26.0 44,631 1,160,406 1,198,541 38,135 3.29
Principal 118.5 31,602 3,744,837 3,755,146 10,309 0.28
Staff Officer 376.5 18,450 6,946,452 6,905,384 -41,041 -0.59
Executive Officer 571.5 15,839 9,051,988 9,020,459 -31,529 -0.35
Admin Officer 847.0 10,396 8,805,412 8,952,468 147,056 1.67
Support Grade Band 1 35.0 10,021 350,735 365,946 15,211 4.34
Support Grade Band 2 259.0 8,870 2,297,330 2,304,846 7,516 0.33
Administrative 1624.0 7,755 12,594,120 12,661,752 67,632 0.54
Assistant
Etc. Etc. Etc. Etc. Etc. Etc.
Total for all grades 7777.5 969,867,127 97,605,433 738,306 0.76

Comparisons against the actual amount and the predicted amount can be seen in the
table above. Differences were calculated for each grade as well as the overall
difference for all grades combined. Payroll expenditure was predicted at Tk.9,68,67,127
in comparison to an outturn of Tk.9,76,05,433. The outturn was Tk.7,38,306 (0.76%)
more than the prediction. This difference was within the tolerable difference of
Tk.17,02,610 (1.74%). No material fluctuations were found.
However, there were some significant fluctuations for particular grades. Significant
fluctuations for each grade were defined as differences greater than +/-1.75% (the
tolerable difference). The highlighted fluctuations were investigated to ensure they
were not material by context or nature. Possible discrepancies could also be due to the
use of contract staff at a higher or lower level, or a small minority of staff not covered
by the main grading structure.

Step 6: Evaluation
The expected value was well within the tolerable range and hence substantive
assurance was achieved from the analytical procedure. Fluctuations within grades
greater than +/- 2.5% were invested and no material error was found.

Example 2
Step 1: Determine whether it is appropriate to use Substantive Analytical Procedures
Testing the accuracy and completeness of income generated during the year from

Page | 279
 tickets issued for an exhibition held within a museum. Modelling techniques accounting
for variations in ticket type and price would produce an estimate for income to achieve
the required level of assurance.

Step 2: Determine whether the data used to develop the expectation is reliable
Independent data on the number of tickets issued by type were available from a
computer system that sequentially numbered each ticket. Simple manipulation of the
system would determine the exact number of issued tickets and hence it would be
reasonable to use this data source.
Step 3: Develop the expectation
Independent data obtained included (1) number of tickets issued by type for each
month, (2) the price of each ticket by type. The same charges of each ticket were
applied throughout the year. The numbers of tickets sold were multiplied by the price
of the ticket to give an income amount for each month. The addition of the individual
monthly estimates produced the aggregated income total.

Step 4: Determine tolerable difference

Figures from the account displayed the following: Actual Amount = Tk. 53,239
Materiality Base = Tk.8,66,489 and Materiality = Tk.8,665. Hence

Tolerable = Tk. 8,665 ×

Difference Tk. 53,239

Tk. 866,489
=Tk. 2,148 or 4.03%

Step 5: Investigate results (including significant fluctuations)

The results from the prediction for each month and ticket type are given in the table
below.

Page | 280
 Predicated
Ticket Sales by Type Price (TK.) Income
Month (TK.)
1 Day 4 Day 1 Day 4 day

1,264
January 32 16 22 35
35 2,788
February 44 52 22
35 2,876
March 48 52 22
35 4,188
April 44 92 22
35 4,476
May 108 60 22
35 4,644
June 52 100 22
35 10,112
July 116 216 22
35 4,912
August 96 80 22
35 3,772
September 76 60 22
35 2,756
October 68 36 22
35 2,368
November 44 40 22
35 3,280
December 60 56 22
47,436
Total 788 860
Comparisons against the outturn annual income of Tk. 53,239 and the predicted
income of Tk. 47,436 showed there was a difference of Tk. 5,803 or 10.90%. This
significant difference was larger than the tolerable difference of Tk. 2,148 or 4.03%.
Hence a material fluctuation was found and needed to be investigated.
Further examination of the records showed that the prices for both a 1 day and a 4 day
pass were increased from July that year and the initial estimate did not reflect this. The
results from the adjusted predictions are given in the table below.

Page | 281
 Ticket Sales by Type Price (TK.) Predicated
Income (TK.)
Month 1 Day 4 Day 1 Day 4 day
22 1,264
January 32 16 35
22 35 2,788
February 44 52
22 35 2,876
March 48 52
22 35 4,188
April 44 92
22 35 4,476
May 108 60
22 35 4,644
June 52 100
25 40 11,540
July 116 216
25 40 5,600
August 96 80
25 40 4,300
September 76 60
25 40 3,140
October 68 36
25 40 2,700
November 44 40
25 40 3,740
December 60 56
51,256
Total 788 860
A comparison of the outturn income against the adjusted prediction showed a
difference of Tk.1,983 or 3.72%. This difference is now within the required tolerable
difference.
Step 6: Evaluation
The adjusted predicted value was within the tolerable range and hence substantive
assurance was achieved from the analytical procedure.

Page | 282
 Annex- J
Inherent and Control Risk

Inherent Risk (IR)

1. Inherent risk is the susceptibility of an account balance or class of transactions to

misstatement that could be material, individually or when aggregated with misstatements
in other balances or classes, assuming there were no related internal controls.

2. The auditor needs to assess inherent risk at the component and at the financial statement
assertion/related compliance with authority objective level. This is because inherent risk
can differ by component and, within each component, by financial statement
assertion/related compliance with authority objective. For example, the inherent risk of
the recorded cash amount actually existing may be much higher than the inherent risk
that is not properly valued.

3. The auditor usually assesses inherent risk for all components and assertions/objectives.
The auditor assesses inherent risk on the significant components to ensure that the audit
is effective (i.e., the auditor does not under-audit the high risk areas). The auditor assesses
inherent risk on the less significant components to ensure that the audit is efficient (i.e.,
to avoid over-auditing the low risk areas).

4. Inherent risk needs to be assessed in a hypothetical environment – the auditor needs to

assume that there are no internal controls in place.

Factors Affecting Inherent Risk

5. Inherent risk factors incorporate characteristics of an entity, a transaction, or account that

exist due to:

. the nature of the entity's programmes; and/or

. the nature of material transactions and accounts.

a) Nature of the Entity's Programmes

6. The mission of an entity includes the implementation of various programs or services. The
characteristics of these programmes or services affect the entity's susceptibility to errors
and irregularities and sensitivity to changes in economic conditions. In this regard the
following specific conditions may indicate the presence of inherent risk:

Page | 283
 . Programmes are significantly affected by new/changing governmental regulations,
economic factors, and/or environmental factors.
. Difficult accounting issues are associated with the administration of a significant
programme(s).
. Major uncertainties or contingences, including long-term commitments, related to
a particular programme(s).
. New (in existence less than 2 years) or changing (undergoing substantial
modification or reorganization) programmes lack written policies or procedures,
lack adequate resources, have inexperienced managers, lack adequate systems to
measure performance, and generally have considerable confusion associated with
them.
. Programmes that are phasing out (to be eliminated within 1 or 2 years) lack
adequate resources, lack personnel motivation and interest, or involve close out
activities for which controls have not been developed.
. Significant programmes have a history of improper administration, affecting
operating activities.
b) Nature of material transactions and accounts

7. The nature of an entity's transactions and accounts has a direct relation to the risk of
errors or irregularities. For example, accounts involving subjective management
judgement (that is, loss allowance) are usually of higher risk than those involving objective
determinations. Specific inherent risk conditions in this regard will include:
• New types of transactions exist;
• Significant related and/or third party transaction exist;
• Classes of transactions or accounts have one or more of the following characteristics:
i) difficult to audit;
ii) subject to significant management judgement;
iii) susceptible to manipulation, loss or misappropriation;
iv) susceptible to inappropriate application of an accounting policy; and
v) susceptible to problems with realization or valuation.
• Accounts have complex underlying calculations or accounting principles;
• Accounts in which the underlying activities, transactions, or events are operating
under severe time constraints; and

Page | 284
 • Accounts in which activities, transactions, or events involve the handling of unusually
large cash receipts, cash payments, or wire transfers.
Control Risk (CR)

8. Control risk is the risk that internal control may fail to prevent, or detect in time, material
error or irregularity in account balance or class of transactions, when combined with error
in other balances or classes. Some control risk is always bound to exist because of the
inherent limitations of any system of internal control, whether in the system itself or in
the method of its day-to-day operation and application.
9. Control risk is a function of the strength of the entity's preventive and detective internal
controls. This risk is conversely related to the quality of these controls because good
detective controls will help discover and lead to the correction of any errors that occur.
The better the controls, the more it is possible for auditors to rely on them, with a
corresponding reduction in the extent of, and/or alteration of the nature and timing of
substantive audit procedures.
Factors Affecting Control Risk

10. In the planning chapter of this Manual, the concept of the control environment has been
discussed. In this section, specific conditions that may indicate a weak control
environment, and hence a high control risk are being discussed. The same analysis could
be done for control procedures also. [

a) Management's Philosophy and Operating Style

11. Management's philosophy and operating style encompass a broad range of beliefs,
concepts, and attitudes. Such characteristics may include management's approach to take
and monitor operational/programme risks, attitudes and actions towards financial
reporting, and emphasis on meeting financial and operating goals. The specific factors in
this regard include:

. Management lacks concern about internal controls and the environment in which
specific controls function.
. Management demonstrates an aggressive approach to risk taking.
. Management demonstrates an aggressive approach to accounting policies.
. Management has a history of completing significant or unusual transactions near
the year's end, including transactions with related parties.

Page | 285
 . Management is reluctant to consult auditors/consultants on accounting issues,
adjust the financial statements for misstatements, or make appropriate
disclosures.
. Top-level management lacks the financial experience/background necessary for
the positions held.
. Management is slow to respond to crisis situations in both operating and financial
areas.
. Management uses unreliable and inaccurate information to make business
decisions.
. Unexpected reorganization or replacement of management staff or consultants
occurs frequently.
. Management personnel have a high turnover.
. Individual members of top management are unusually closely identified with
specific major projects.
. Obtaining adequate audit evidence is difficult due to a lack of documentation and
evasive or unreasonable responses to inquiries.
. Financial arrangements/transactions are unduly complex.
. Financial arrangements/transactions are accounted for in a way that does not
appear to reflect the substance of the transaction.

b) The Entity's Organizational Structure

12. An entity's organizational structure provides the overall framework for planning, directing,
and controlling operations. The organizational structure should appropriately assign
authority and responsibility within the entity. An organizational structure includes the
form and nature of an entity's organizational units. Concerning this part, the specific
factors include:

. The organizational structure is inappropriate for the entity's size and complexity.
. The structure inhibits segregation of duties for initiating transactions, recording
transactions, and maintaining custody over assets.
. Recent changes in management structure disrupt the organization.
. Operational responsibilities do not coincide with the divisional structure.
. Delegation of responsibility and authority is inappropriate.

Page | 286
 . A lack of definition and understanding of delegated authority and responsibility
exists at all levels of the organization.
. Inexperienced and/or incompetent accounting personnel are responsible for
transaction processing.
. The number of supervisors is inadequate or supervisors are inaccessible.
. Key financial staffs have excessive workloads.
. Policies and procedures are established at inappropriate levels.
. The system for communicating policies and procedures is ineffective.
. Activities are dominated and controlled by a single person or a small group.

c) Methods of Assigning Authority and Responsibility

13. An entity's policies or procedures for assigning authority for operating activities and for
delegating responsibility affect the understanding of established reporting relationships
and responsibilities. The specific factor may include:
. The entity's policies are inadequate regarding the assignment of responsibility
and the delegation of authority for such matters as organizational goals and
objectives, operating functions, and regulatory requirements.
. Employee job descriptions do not adequately delineate specific duties,
responsibilities, reporting relationships, and constraints.

d) Management's Control Methods for Monitoring and Following up on Performance

14. These control methods affect managements direct control over the exercise of authority
delegated to others and ability to supervise overall entity activities. The specific factor
may include:
. Management is not sufficiently involved in reviewing the entity's performance.
. Management control methods are inadequate to investigate unusual or
exceptional situations and to take appropriate and timely corrective action.
. Management lacks concern for and does not effectively, establish and monitor
policies for developing and modifying accounting systems and control techniques.

Page | 287
f) The Effectiveness of Internal Audit
15. The following may indicate the presence of control risk:
. The audit staff is responsible for making operational decisions or for controlling
other original accounting work subject to audit.
. Management personnel are inexperienced for the tasks assigned.
. Training activities are minimal including little or no participation in formal courses
and seminars and inadequate on-the-job training.
. Resources to effectively conduct audits and investigations are inadequate.
. Audits are not focused on areas of highest exposure to the entity.
. Standards against which the auditor's work is measured are minimal or non-
existent.
. Performance reviews are non-existent or irregular.
. The audit planning process is non-existent or inadequate, including little or no
concentration on significant matters and little or no consideration of the results
of prior audits and current developments.
. Supervision and review procedures are non-existent or inadequate.
. Working paper documentation (audit programmes, evidence of work performed,
and support for audit findings) is incomplete.

f) Personnel Policies and Practices

16. Personnel policies and practices affect an entity's ability to employ sufficient competent
personnel to accomplish its goals and objectives. Such policies and practices include
hiring, training, evaluating, promoting, compensating, and assisting employees in the
performance of their assigned responsibilities by giving them the necessary resources.

17. The following indicate specific conditions of weak control environment:

. Personnel policies for hiring and retaining capable people are inadequate.
. Standards and procedures for hiring, promoting, transferring, retiring, and
terminating personnel are insufficient.
. Training programmes do not adequately offer employees the opportunity to
improve their performance or encourage their advancement.
. Written job descriptions and reference manuals are inadequately maintained.

Page | 288
 . Communication of personnel policies and procedures at field locations is
inadequate.
. The channels of communication for personnel reporting suspected improprieties
are inappropriate.
. Policies on employee supervision are inappropriate or obsolete.

g) Influences External to the Entity

18. Influences outside an entity's authority may affect its operations and practices. Such
influences include monitoring and compliance requirements imposed by legislative
bodies, general business conditions, and other economic factors. The specific factors
include:
. The functioning of oversight bodies (including Parliamentary Committees).
. Estimates are sensitive to economic conditions affecting the entity or related
entities.
. The media has exhibited special interest in the entity or one of its programs.
. Management's follow-up action in response to communications from legislative
or regulatory bodies is not timely or appropriate.

19. When assessing the functioning of oversight bodies, the following would normally indicate
that these bodies would not have a positive influence on internal control:

. Oversight bodies demonstrate little concern toward controls and the speed with
which internal and external auditors' recommendations are addressed.
. Oversight bodies have little involvement in and scrutiny of activities.
. Little interaction occurs between oversight bodies and the internal auditor and
external auditors.
. Oversight bodies demonstrate little concern for compliance with applicable laws,
regulations, and contractual requirements.

h) Management's Control Methods over Budget Formulation and Execution

20. Management's budget control methods affect the authorized use of appropriated funds.
The specific factors which indicate control weakness may include:

Page | 289
 . Little or no guidance material and instructions are available to provide direction
to those preparing the budget information.
. Management demonstrates little concern for reliable budget information.
. Management participation in directing, and reviewing the budget process is
inadequate or limited.
. Management is not involved in determining when, how much and for what
purpose expenditures can be made.

i) Management's Control Methods over Compliance with Laws and Regulations

21. The followings are the factors that indicate control weakness:
. Management is unaware of the applicable laws and regulation and potential
problems.
. A mechanism to inform management of the existence of illegal acts does not
exist.
. Management neglects to react to identify instances of noncompliance with laws
and regulations.
. Management is reluctant to provide evidential matter necessary to evaluate
whether noncompliance with laws and regulations has occurred.
. Management is not responsive to changes in legislative or regulatory bodies'
requirements.
. Policies and procedures for complying with laws and regulation are weak or non-
existent.
. Policies on such matters as acceptable business practices, conflicts of interest,
and codes of conduct are weak or non-existent.

j) Management's Ability to Promptly Identify and React to Changing Conditions

22. Since conditions external to and within an entity will continue to change, management's
ability to identify and react to such changes can affect achievement of the entity's
objectives. The extent to which such changes require management's attention depends on
the effect they may have in the particular circumstances. Specific factors concerning this
may include:

. The mechanisms for identifying and communicating events, activities, and

conditions that affect operation or financial reporting objectives are insufficient.
. Accounting and/or information systems are not modified in response to changing
conditions.
. No consideration is given to designing new or alternative controls in response to
changing conditions.
. Management is unresponsive to changing conditions.

Page | 290
Assessing Inherent Risk and Control Risk

23. The assessment of Inherent Risk (IR) and Control Risk (CR) is clearly a subjective process
requiring the exercise of professional judgement.
24. When assessing IR and CR in the planning stage, the auditor must consider each
component and each financial statement assertion/related compliance with authority
objective separately. This is because the risk often differs among components and
assertions/objectives.
25. Because the auditor must ensure that the inherent risk and control risk are low enough to
support the desired inherent assurance and control assurance for all significant error
conditions, he or she must usually assess the risk for each of the significant error
conditions on which assurance is being planned. This will be necessary even when the
auditor subsequently decides to develop an audit strategy solely by assertion, related
authority objective or by components.
26. While assessing IR and CR, the auditor should identify conditions that significantly increase
inherent and control risk. When considering control risk, the auditor would consider,
among other matters, identified control environment weakness.
27. The auditor identifies specific inherent risks and control risks based on information
obtained earlier in the planning phase, primarily from understanding the entity's
operations and preliminary analytical procedures.
28. The auditor can also consider misstatements found in previous years. If there were
significant audit adjustments, the auditor may not know if the misstatements were due to
there being a high inherent risk or a high control risk, but the auditor would know that the
combined risk was high. Similarly, if there have been no misstatements found in previous
years, the auditor would have an indication that the combined risk was low.
29. After considering his/her knowledge of the entity and factors affecting these risks, the
auditor should identify and document any significant inherent and control risk in the risk
analysis forms (see the risk analysis forms at Annexes D and E).
30. For each inherent and control risk identified, the auditor should document the nature and
extent of the risk; the conditions that gave rise to that risk and the specific accounts, line,
items and related assertions affected.
31. Finally, based on the information gathered and the factors identified, the auditor should
determine the assessment of each of inherent and control risk as low or high.

. Low risk: based on the evaluation of inherent risk and control risk, but prior to
the application of substantive audit procedures, the auditor believes that any
aggregate misstatements do not exceed planning materiality; or

Page | 291
 . High risk: based on the evaluation of inherent risk and control risk, but prior to
the application of substantive procedures, the auditor believes that it is likely that
any aggregate misstatements exceed planning materiality. As a result, the
auditor will need to obtain most, if not all, audit reliance from substantive tests.

Detection Risk
32. Detection risk is the risk that an auditor's substantive procedures will not detect a
misstatement that exists in an account balance or class of transactions that could be
material, individually or when aggregated with misstatements in other balances or classes
of transactions.
33. This figure is used to determine the extent of substantive testing required to ensure that
we have sufficient evidence to support the audit opinion.
34. Detection risk is usually grouped into two categories – analytical procedures and
substantive tests of details. The latter includes 100% examinations of individually
significant transactions (high value and key items), and sampling.
35. Detection risk arises partly from uncertainties that exist when the auditor does not
examine 100% of transactions and balances, and partly from uncertainties that exist even
if he were to carry out a 100% examination.
36. The auditor should consider the assessed level of inherent risk and control risk in
determining the nature, timing and extent of substantive procedures required to reduce
the assessed level of audit risk to an acceptable level. In this regard, the auditor would
consider:

. The nature of substantive procedures, for example, using tests directed towards
independent parties outside the entity rather than tests directed towards parties
or documentation within the entity or using tests of details for particular audit
objective in addition to analytical procedures.
. The timing of substantive procedures, for example, performing at end of period
rather than at an earlier date; and
. The extent of substantive procedures, for example, using a larger sample size.

37. For a given audit risk, there is a converse relationship between detection risk and the
combined level of inherent and control risks. When inherent and control risks are high,
acceptable detection risk needs to be low to reduce audit risk to an acceptably low level.
On the other hand, when inherent and control risks are low (and when the auditor does
sufficient tests of controls to support his/her assessment of control risk), an auditor can
accept a higher detection risk and still reduce audit risk to an acceptably low level.

Page | 292
38. The assessed level of inherent and control risks cannot be sufficiently low to eliminate the
need for the auditor to perform substantive procedures. Regardless of the assessed levels
of inherent and control risks, the auditor should perform some substantive procedures on
material account balances and classes of transactions.
39. The auditor's assessment of the components of audit risk may change during the course of
an audit. For example, information may come to the auditor's attention when he/she
performing substantive procedures that differ significantly from information on which the
auditor originally assessed inherent and control risks. In such cases the auditor would
modify the planned substantive procedures based on a revision of the assessed levels of
inherent and control risks.
40. The higher the assessment of inherent and control risks the more audit evidence the
auditor should obtain from the performance of substantive procedures. When both
inherent and control risks are assessed as high the auditor needs to consider whether or
not substantive procedures can provide sufficient appropriate audit evidence to reduce
detection risk and, therefore, audit risk to an acceptably low level.

Illustration of the Interrelationship of the Components of Audit Risk

41. The following table shows how the acceptably level of detection risk may vary based on
assessment of inherent and control risks:

Auditor's Assessment of control risk

High Low
Auditor’s Assessment of High Low Medium
inherent risk Low Medium High

42. There is a converse relationship between detection risk and the combined level of
inherent risk and control risk.

Sampling Risk
43. Sampling risk arises from the obvious fact that only a sample is selected for the audit tests,
so that items in a population falling outside the selected sample may or may not contain
material error. In other words, conclusions might be reached which could have been
different had the whole population been examined. That is, a particular sample may
contain proportionately more or fewer monetary errors, internal control deviations or
compliance with authority deviations than exist in the population. Sampling risk increases
from zero as the sample size decreases from 100% of the audited population.
44. The auditor is concerned with two aspects of sampling risk when performing substantive
tests of details:

Page | 293
 . Risk of incorrect acceptance is the risk that the sample supports the conclusions that
the population is not materially misstated even though, in fact, the population is
materially misstated; and
. Risk of incorrect rejection is the risk that the sample supports the conclusion that the
population is materially misstated even though it is not. In other words, the risk those
unfavourable conclusions might be reached on the basis of a sample where as a 100%
examination might have revealed no material error.
45. The latter risk is usually assumed to be negligible. Entity officials will normally not accept a
qualified opinion without insisting on more work being done. This additional work will
normally lead the auditor to the correct conclusion.

46. The auditor is also concerned with two aspects of sampling risk in performing tests of
internal control:

. Risk of over-reliance on internal control is the risk that the sample supports the
auditor's planned degree of reliance on the control even though the true deviation rate
does not justify such reliance; and
. Risk of under-reliance on internal control is the risk that the sample does not support
the auditor's planned degree of reliance on the control even though the true deviation
rate supports such reliance.
47. As with substantive testing and the risk of incorrect rejection, the risk of under-reliance on
internal control is normally assumed to be minimal. If the auditor wanted to report the
weaknesses/deviations in internal control, entity officials would often insist on more work
being done. The additional work would normally lead to the correct conclusion.

Non-Sampling Risk

48. Non-sampling risk is the risk that, even if the auditor carries out a 100% examination of all
transactions and balances, material error or irregularity may yet remain undetected owing
to human error in audit. It exists owing to factors such as inadequately trained audit staff,
failure to exercise due care and diligence, inappropriate audit procedures, inadequate
audit supervision etc. Given factors such as these, a much better term for ‘non-sampling
risk’ is ‘audit performance risk’.
Because non-sampling risk is not subject to measurement and, unlike sampling risk,
cannot be controlled through changes in sample size, the following precautions should be
taken:
. Test objectives and descriptions of procedures to be performed and errors or
deviations to be found should be stated unambiguously.

Page | 294
 . Auditors should be properly instructed and supervised to ensure that errors or
deviations are recognized and correctly dealt with.
. Audit working papers should be carefully reviewed.

49. The auditor normally assumes that non-sampling risk (audit performance risk) is nil when
the auditor complies with the Bangladesh Government Auditing Standards.

Analytical Procedures Risk

50. As noted above, auditors often divide detection risk into two components – analytical
procedures and substantive tests of details. The auditor must consider the nature and
effectiveness of his/her analytical procedures. As the auditor performs analytical
reviews of the ratios and trends and/or additional detailed audit procedures, reliance on
substantive tests of details can be reduced from what would be required in the absence
of these other procedures. The auditor, therefore, can use a lower reliance level for the
substantive tests of details, with a corresponding reduction in the size of sample.
51. When auditors increase reliance on analytical procedures, they should very carefully
evaluate any unusual conditions revealed by any of the tests performed. The auditor
cannot find an unusual condition in one test and then ignore it because the other tests
fail to reveal it. The failure of any single test to reveal a condition of interest does not
positively indicate that it does not exist; therefore, unusual circumstances revealed in
any test require further investigation, regardless of the outcome of other tests.

Page | 295
 Annex- J.1

Audit Programme: Records and Accounting entries of ‘Payroll’ of the Ministry

of Fisheries and Livestock
The payments of ‘pay-roll’ of the Ministry of Fisheries and Livestock should be done with
compliance of the existing rules and regulations and directives of the Ministry of Finance. The
benefits and other facilities provided to the employees should not be inflated or undermined.
Arrear claims should be paid as per regulations.
System Objective
To ensure that the payments have been made according to the existing rules and regulations
and arrear claims and other benefits are duly paid off. The budget estimation for payroll has to
be justified as well.

Details of Risks Potential Consequences

Payment of inflated amounts (due to wrong Irregular payment made, possibility of
1 pay fixation). fraud
2 Pay roll records are not maintained properly. possibility of fraud
Payments are made to the employees with no
3 assigned activities.
possibility of fraud
Cause financial loss to government,
4 Improper appointment/ ghost employees.
possibility of fraud
Cause financial loss to government,
5 Payment of undue higher scale.
possibility of fraud
Cause financial loss to government,
6 Inaccurate pension payment.
possibility of fraud

Audit Objectives
Evaluate the main controls over the ‘payroll’ payment entries to ensure that:
 All the payments are made with compliance to the existing rules and regulations and
the directives of the Ministry of Finance.
 Payments are approved by the competent authorities.
 All the documents and vouchers are properly kept and correctly recorded.
 Proper compilation of Accounts.
 Physical employees are paid rather than ghost employees.

Page | 296
‘Pay roll’ entries of the Ministry of Fisheries and Livestock

Auditee: Ministry of Fisheries and Livestock. WP Ref

Period YF 2011-12 Prepared Date
Under by
Review:
Audit Test Audit Signed/date WP
assertions Ref
Collect a detail list of pay-roll in the FY 2011 – 12 of the
concerned departments and sort the list in three
categories according to nature (pay-fixation, last pay
certificates, arrear payments). Select random samples of
size 5 from each lot ( for field offices size 3) and examine
the following:

1. Determine whether payrolls are calculated Regularity,

accurately.
Accuracy
2. Match gross pay with pay fixation data.
Regularity,

3. Determine whether allowances are calculated as Accuracy

per government rules. Regularity
Accuracy,

4. Match gross pay with audit register. Occurrence

Accuracy
Regularity
Regularity
Accuracy,
5. Determine whether all deductions are correctly
calculated as per rules. Accuracy,

6. Determine whether gross pay and net pay are Classification,

correctly calculated. Accuracy, Cut off

7. Verify whether there are evidences that arithmetic Accuracy,

calculations have been checked.

8. Verify that an LPC is available for all cases Cut off,

selected.

9. Ensure that total deductions are not greater than

basic pay. Classification,

Page | 297
10. Re-calculate the pay fixation for each member of Cut off,
the sample and assess if the pay fixations have
been correctly calculated, in accordance with
Government Orders.
11. Select a sample of pay-bills and check the net Completeness,
amount of the pay-bill against the cheque amount
credited against the bank in proper time.
Regularity,
12. Select a sample of employees and physically verify
their presence/existence.
13. Payments are booked in exact code and in proper
period, the total payment does not exceed Accuracy
budgeted amount.

Page | 298
 Annex J.2 -
Example Audit Programme – Funding

Funding is received from the donors and paid into the Consolidated Fund. Funding from the Centre is
then sent to the field offices where it is spent.

System Objective

Funding by the donors is received in a timely manner and allocated to the correct
classification/financial year and is spent in conformity with the donor wishes.

Details of Risks Potential Consequences

Disclosure error on face of financial statements

Funding received from a donor and (one donor’s figure too high and another’s too
1
allocated to a different donor low). The donors are likely to spot this
(embarrassing if OCAG doesn’t spot it)

As above but for one donor, illegal act, damage

Funding received from a donor and
2 to reputation for GOB, donor would be
misappropriated
reluctant to release more funds

Funding received and recorded at a lower

3 As per 2 above
amount

Funding received and not recorded in a

As per 1 above (can be for just one donor, or
4 timely manner/ recorded in the wrong
more)
financial year

Contribution of different donors not

5 Donors’ demand not met
separately shown in FS

Discrepancy between field office statements

6 Accounts inaccurate, 2, 3 or 4 above
and central records (mismatch)

Closing balance and Opening balance

7 Accounts inaccurate
mismatch

Discrepancy between the total resources

8 Accounts inaccurate
and the total expenditure

9 Misleading /False disclosures Accounts inaccurate

10 Financial Statement overstated/misstated Accounts inaccurate

Page | 299
 Details of Risks Potential Consequences

11 Arithmetic errors Accounts inaccurate

Untraceable expenditure / Significant

12 Accounts incomplete
amounts remain unauditable

Weakness in accounts keeping & inaccurate

13 Reconciliation of accounts not confirmed
accounts, 2 , 3, 4 above

Funds are allocated and accounted for on

15 Classification of accounts not followed
the wrong accounts head and code

Disbursement Link Indicators (DLIs) not

16 Donors cease to provide funding
achieved

17 Re-appropriation made but not authorized Accounts inaccurate

Audit Objectives for funding

The main controls over funding are to ensure that:

 Amounts disclosed in the financial statements are true and fair;

 Fund received is allocated to the correct donor and at the correct amount and in the correct
financial year.
 Fund is not completely or partially misappropriated;
 Fund is spent in accordance with donor wishes;
 Fund received at the centre and all funds timely disbursed to the field offices.
 Expenditure statements from the field are timely collected and reconciled to the central
accounts.

Audit Objective Definition

Completeness All funds relevant to the period have been recorded.

Occurrence All amounts of funds actually occurred during the financial period.

Accuracy All receipts of funds have been recorded at the correct value during the period.

Classification Funds have been properly classified in the government accounts to the correct
heads and codes.

Page | 300
Audit Objective Definition

Cut-off Funds have been recorded in the correct accounting period.

Regularity Funds are treated and accounted for in line with GOB regulations and donor
guidelines.

Funding

Auditee: Directorate of Primary WP Ref

Education

Period Under Review: Year ending 30 June 2013 Prepared by Date

Reviewed by Date

Audit Test Audit assertions Signed/ WP

date Ref

1. Obtain a listing of all funds received from each

donor (directly from each donor) – obtain source of
funding, amounts and dates:

a) Check total and individual amounts and dates Completeness,

agree to the Appropriation Accounts;
Occurrence, Accuracy,
Cut-off

b) Check total and individual amounts and dates Completeness,

agree to draft account disclosure (including
Occurrence, Accuracy,
quarterly figures).
Classification
Cut-off

2. Obtain a listing of projects funded from the

Consolidated Fund – obtain amounts and dates:
Completeness,
a) Check total and individual amounts and dates Occurrence, Accuracy,
agree to the Appropriation Accounts; Regularity
Cut-off

Completeness,

Page | 301
 b) Check total and individual amounts and dates Occurrence, Accuracy,
agree to draft accounts disclosure (including Regularity
quarterly figures). Classification
Cut-off

3. Obtain central records of funding amounts and Completeness,

dates send to field offices. Check total and Occurrence, Accuracy,
individual amounts and dates agree to the Field Regularity,
Office statements; Cut-off

4. Obtain details of all re-appropriations. For each, Regularity

check that there was appropriate level of Classification,
authorisation in conformity with delegated Cut-off
authority limits

5. Look for evidence of appropriate internal control in

the area of funding, e.g.

a) reconciliations of amounts of funding received

Completeness,
from donors and GOB to accounts disclosure.
Occurrence, Accuracy,
b) accuracy of quarterly reporting – for one quarter Regularity,
selected at random check for evidence of
internal control to confirm accuracy of the Classification,
figures reported. Cut-off

Page | 302
 Annex-J.3
Example Audit Programme: – Capital Expenditure, Supplies and services &
Repairs and maintenance
Capital Expenditure, supplies and services and repairs and maintenance are made by the Director
General (Programme Director) of Primary Education for the procurement of assets and equipment,
supplies and services and repairs and maintenance.

System Objective

Procurement of bona fide assets and equipment, supplies and services and repairs and maintenance for
which there is a genuine need and the amount is spent in conformity with the Public Procurement
Rules and in a timely manner.

Details of Risks Potential Consequences

Expenditure for which there was no genuine Overstatement of capital expenditure in the
1
need financial statements and irregular expenditure

Fraud / Irregular expenditure / Loss of Overstatement of capital expenditure in the

2
fund/Misuse financial statements and irregular expenditure

Without approval/ Beyond DPP provision Overstatement of capital expenditure in the

3
/Questionable expenditure financial statements and irregular expenditure

Failure to fully apply the Public Procurement Overstatement of capital expenditure in the
4
Rules/Violation of PPR financial statements and irregular expenditure

Expenditure charged to the wrong year of Under or overstatement of capital expenditure

5
account in the financial statements

Expenditure authorised by an individual in

6 Violation of delegation of financial powers
excess of his delegated authority limit

Expenditure charged to the wrong ledger Misclassification of expenditure in the financial

7
code/in the incorrect account figure statements

For capital expenditure, stock entry &

8 distribution report of capital assets and Fraud, violation of Government rule
equipment not confirmed

For capital expenditure, quality of assets and

9 Misuse of money
equipment was low

Page | 303
 Details of Risks Potential Consequences

10 VAT/other taxes are paid where appropriate Government deprived from revenue

For repairs and maintenance, payments in

11 respect of non-project vehicles or overly Irregular expenditure
frequent repairs in excess of need

Risk that goods received are not of an

12 appropriate quality and so represent bad Poor value for money
value for money

Audit Objectives for capital expenditure, supplies and services and repairs and maintenance

The main controls over capital expenditure, supplies and services and repairs and maintenance are to
ensure that:

 There was a genuine need for the item/service;

 The item/service was bona fide and non-fraudulent.

 The procurement was in consistency with the Public Procurement Rules;

 The amount is charged to the correct year of account;

 The individual who authorises does so at an amount within their delegated authority limit;

 The amount is charged to the correct ledger code/account figure; and

 Taxes are paid as appropriate.

 Quality of capital assets and equipment was ensured

 Stock register and distribution reports were maintained

 Payments are not made for non-project vehicles.

Audit Objective Definition

Completeness All capital expenditure, supplies and services and repairs and maintenance relevant
to the period has been recorded.

Occurrence All amounts of capital expenditure, supplies and services and repairs and
maintenance actually occurred during the financial period.

Accuracy All capital expenditure, supplies and services and repairs and maintenance have

Page | 304
Audit Objective Definition

been recorded at the correct value during the period.

Classification Capital expenditure, supplies and services and repairs and maintenance have been
properly classified in the government accounts to the correct heads and codes.

Cut-off Capital expenditure, supplies and services and repairs and maintenance have been
recorded in the correct accounting period.

Regularity Capital expenditure, supplies and services and repairs and maintenance are treated
and accounted for in line with GOB regulations and donor guidelines.

Auditee: Directorate of Primary WP Ref

Education

Period Under Review: Year ending 30 June 2013 Prepared by Date

Reviewed by Date

WP
Audit Test Audit assertions Signed/
date Ref

1. Obtain a listing of all capital expenditure, supplies

and services and repairs and maintenance in the
financial year (including payee, amounts, dates
and tax paid):

a) Check total agrees to the Appropriation Completeness,

Accounts; Cut-off

b) Check quarterly and annual totals agree to Completeness,

draft account disclosure (including quarterly Classification,
figures). Cut-off

2. Evaluate what assurance for the capital Controls

expenditure, supplies and services and repairs To be determined
and maintenance account area can be taken
from the high level review of quarterly outturn
against budget by the Principal Accounting
Officer in reports submitted to the donors.

Page | 305
 3. Obtain the monthly cheque reconciliation. Check 5 Controls,
months including the year-end month (June). For Accuracy, Occurrence,
each, check that they give assurance on whether Cut-off,
the payments have been made accurately by the Completeness,
payments offices and in the correct year of
account.

4. Obtain minutes of the Ministry’s monthly review Controls

meeting regarding projects. Review these To be identified
minutes for anything of concern regarding capital
expenditure, supplies and services and repairs and
maintenance (and in such cases, if any, investigate
further)

5. For a sample of transactions from the listing used

for test & check that:

a) there is evidence that tender opening was

done in conformity with the PPR; Regularity
b) check the evaluation report was done in Regularity
conformity with the PPR;
c) there was a submission of a performance Regularity
guarantee by the awarded bidder (where Accuracy
appropriate);
d) the contract was made in conformity with the Regularity
terms of the tender documents and the
conditions of the approving authority;
e) payment was within the authoriser’s Regularity
delegated authority limit;
f) review the contract execution to ensure that
the goods were received at the right Regularity
amount/quality/specification and in the Occurrence, Accuracy
correct financial year (etc) by checking Cut-off
amount received agrees to stock and issue
register, distribution register, invoice,
purchase order, requisition slip (signed by
authorised officer);
g) check to accounting documents eg. cash book Cut-off
to confirm that the amount was charged to Classification
the correct year of account and charged to
the correct accounts code.
h) If the payment is for repairs and maintenance Occurrence,

Page | 306
 to a vehicle, check to the log book that this is Regularity
a genuine project vehicle and the amount
spent agrees.
i) check the bills/vouchers are Accuracy
genuine/authentic

6. Reconcile the figures of the Ministry/DPE with Completeness

those of the Chief Accounts Office (single test of Classification
relevance to all audit areas). Accuracy
Cut-off

7. Look for evidence of appropriate internal

control in the area of capital expenditure,
supplies and services and repairs and
maintenance, e.g.

a) accuracy of quarterly reporting – for one

Completeness,
quarter selected at random check for
evidence of internal control to confirm
accuracy of the figures reported
Occurrence,
b) there is a evidenced system of delegation
of financial authority which is observed in
practice;
c) there is periodic review of outturn in Accuracy,
comparison to budget and explanations for Regularity
variance are given as appropriate.
d) there is good evidence of segregation of
duties throughout the procurement process
Classification
(e.g. different officers initiate, receipt,
and authorise payment)
e) there is control over changes to supplier
details (e.g. change in address details)
– all such changes should be properly Cut-off
evidenced, initiated by one officer and
authorised by a different officer.
f) there is appropriate review and checking
by higher authorities in compliance with

Page | 307
 the PPR.

NB: there should be evidence that all internal

controls were in place throughout the financial
year being tested.

Page | 308
 Annex –J.4

Example of Audit Programme: Training

Total expenditure: 8,55,51,109

Training Expenditure is made by NAPE, PTI, RPATC.

System objective

There is a genuine need of training and it contributes to the skill development.

Details of Risks Potential Consequences

1 Participants list was not proper Training objectives were not confirmed

2 Training subjects were not relevant Training objectives were not achieved

Participants attendance sheet was not

3 Loss of money, fraud
confirmed

Training objectives were frustrated,

4 Procurement of training materials was not ok
misappropriation

Distribution of training materials was not

5 Loss of money, fraud
confirmed

Training honorarium/allowance was not

6 Violation of govt. rules
appropriate

VAT/other taxes are not paid where

7 Govt. deprived of revenue
appropriate

Training module was not prepared and

8 Improper training
followed

Audit Objectives for training expenditure

The main controls over training expenditure are to ensure that:

 There was a genuine need for the training;

 Training was effective and result based.

 Training materials procurement was consistent with the Public Procurement Rules;

 The amount is accounted for to the correct head of account;

Page | 309
  The individual who authorises does so at an amount within their delegated authority limit;

 The amount is charged to the correct ledger code/account figure; and

 Taxes are paid as appropriate.

Audit Objective Definition

Completeness All training expenditure relevant to the period has been recorded.

Occurrence All amounts of training expenditure actually occurred during the financial period.

Accuracy All training expenditure has been recorded at the correct value during the period.

Classification Training expenditure has been properly classified in the government accounts to the
correct fund.

Cut-off Training expenditure has been recorded in the correct accounting period.

Regularity Training expenditure is treated and accounted for in line with GOB regulations and
donor regulations.

Page | 310
Auditee: Directorate of Primary WP Ref
Education

Period Under Review: Year ending 30 June 2013 Prepared by Date

Reviewed by Date

Audit Test Audit assertions Signed/date WP

Ref

1. Obtain a listing of all training expenditure in the

financial year (including payee, amounts, dates and
tax paid):

a) Check total agrees to the allocation; Accuracy,

Regularity
b) Check quarterly and annual totals agree to draft
account disclosure (including quarterly figures). Completeness,
Accuracy,
Cut-off,
Classification
2. Evaluate what assurance for the training expenditure Controls
account area can be taken from the high level
monitoring.

3. Obtain the monthly cheque reconciliation. Check 5 Accuracy

months including the year-end month (June). For Occurrence Cut-
each, check that they give assurance on whether the off
payments have been made accurately by the
payments offices. Completeness

4. Obtain minutes of the Ministry’s monthly review To be identified

meeting regarding projects. Review these minutes
for anything of concern regarding training
expenditure (and in such cases, if any, investigate
further).

5. For a sample of transactions from the listing used for

test check that:
a) there is evidence that procurement was done in Regularity
conformity with the PPR;
b) the procurement was made in conformity with Regularity
the terms of the tender documents and the
conditions of the approving authority;
c) Training carried out was in conformity with the

Page | 311
 training module guideline Occurrence,
d) the payment was within the authoriser’s Regularity,
delegated authority limit; Accuracy
e) amount was accounted for to the correct head of
Regularity
account;
f) amount was accounted for to the correct ledger Classification
code.
Classification

6. Reconcile the figures of the Ministry/DPE with those of Completeness

the Chief Accounts Office (single test of relevance to all Classification
audit areas). Accuracy
Cut-off
7. Look for evidence of appropriate internal control in the
area of civil works, e.g.

a) accuracy of quarterly reporting – for one quarter

selected at random check for evidence of internal Completeness,
control to confirm accuracy of the figures Occurrence,
reported. Accuracy,
b) there is a evidenced system of delegation of Regularity
financial authority which is observed in practice .
c) there is periodic review of outturn in comparison Classification
to budget and explanations for variance are given
Cut-off
as appropriate.
d) there is good evidence of segregation of duties
throughout the procurement process (eg
different officers initiate, receipt , and authorise
payment).
e) there is control over changes to supplier details
(e.g. change in address details) – all such changes
should be properly evidenced, initiated by one
officer and authorised by a different officer.
f) there is appropriate review and checking by
higher authorities in compliance with the PPR.

NB: There should be evidence that all internal controls

were in place throughout the financial year being
tested.

Page | 312
 Annex-J.5

Example Audit Programme: STORES AND SPARES

Stores and spares include operating stocks of cables, pole and pole fittings, meters, tools, equipment
and others.

This work is documented in working paper Ref: CWE001

Audit Objective Definition

Completeness Stores and spares reported in the accounts is complete.

Existence Stores and spares reported in the statement of financial position at 30 June xxxx,
existed.

Rights and DESCO have rights and obligations over the Stores and spares – i.e. that they own
Obligations them.

Valuation and Stores and spares are valued and allocated correctly in the statement of financial
allocation position at 30 June xxxx.

Presentation and Stores have been properly disclosed and presented in the financial statements.
Disclosure

Page | 313
Auditee: DESCO WP Ref

Period Under Review: Year ending 30 June xxxx Prepared by Date

Reviewed by Date

Test Assertion Completed Date

by

Select a sample of stock from the stock register- Existence

. Physically inspect the stock. Valuation and

allocation
. Inspect the condition of the stock.

. If the stock has been issued since 30 June xxxx

and is no longer in stock at the date of the
inspection, inspect documents to prove that it
was issued after 30 June xxxx.

. If DESCO has a LIFO/ FIFO policy, check that this

is being followed.

Select a sample of stock purchased during the year:

Perform the following tests:

1. Obtain a copy of stock requisition order. Existence

2. Check that there was proper approval from Rights and obligations,
management for the purchase of this stock. Valuation and
allocation
3. Inspect a copy of the stock delivery report to
check when the stock was received.

Completeness testing of stores can be linked to the Completeness

results of the testing of Operating Expenditure and
Administrative Expenditure.

Were any items identified in admin or operating

expenses testing purchases of stores and spares? If yes,
then make sure they are also included in the Stores and
spares register at 30 June xxxx.

Visit the main warehouse and physically select and note

Page | 314
down any 30 different lines of stores and spares. Then
ask management to show these stock lines in Tally (this
is to make sure that they have been included in Tally Completeness
and to give the auditor assurance that Stock reported is
complete). Document this work.

Complete the disclosure checklist to ensure that the Presentation and

amounts have been disclosed correctly. Disclosure

Page | 315
 Annex-J.6

Example Audit Programme - ENERGY SALES

Energy Sales represents revenue received from the billing of energy consumption, demand charges,
service charge and, meter and transformer rent.

This work is documented in working paper Ref: ES001

Audit Objective Definition

Completeness All sales relevant to the period have been recorded

Occurrence All sales reported occurred during the financial period

Accuracy Sales have been recorded using the correct tariff rate and are reported net of VAT

Classification Sales revenue has been classified in the accounts and account heads

Cut-off Sales have been recorded in the correct fiscal year

Regularity Sales have been generated and reported in accordance with the relevant rules and
regulations

Presentation and Sales have been properly disclosed and presented in the financial statements.
Disclosure

Page | 316
Auditee: DESCO WP Ref

Period Under Review: Year ending 30 June 2013 Prepared Date

by

Reviewe Date
d by

Audit Test Audit Signed/ WP

assertions date Ref

1. Obtain a listing of all sales generated during the year.

From the monthly summary of bills that DESCO has
provided, select September xxxx, December xxxx,
March xxxx and June xxxx for further testing. Obtain
the report that supports this month.
Perform the following tests:
a) Check that the total of the monthly report agrees Occurrence
to the amount recorded in Tally for the months. Accuracy
b) Within each month, select one bill from each of Regularity
the S&D for testing. Cut-off
Classification
c) For each bill check the following:
Partial
(i) Agree the total figure for the month selected completeness
to the monthly report;

(ii) Make sure the monthly report is prepared

correctly from the Monthly Operation Data;
(iii) Recalculate the bill to make sure it is
calculated correctly;
(iv) Confirm that the bill being tested complies
with necessary rules and regulations;
(v) Check whether the bill has been recorded in
the correct Fiscal Year; and
(vi) Check that the bill has been classified
correctly as energy sales.
2. Perform a sample test from new connections and ensure Completeness
that these amounts have also been included in Tally for
FY 30 June xxxx.
3. Complete the disclosure checklist to ensure that the Disclosure
amounts have been disclosed correctly.

Page | 317
 Annex J.7 -
INTERESTMENT INCOME
Total Value: Tk.xxxxx

Interest income is interest from Short Term deposits, Fixed Deposit receipts and interest on late
payment of penalties.

This work is documented in working paper Ref: I001

Audit Objective Definition

Completeness All interest income relevant to the period has been recorded.

Occurrence All interest income reported occurred during the financial period.

Accuracy Interest income has been calculated correctly.

Classification Interest income has been classified in the accounts and account heads.

Cut-off Interest income has been recorded in the correct fiscal year.

Regularity Interest income has been generated and reported in accordance with the relevant
rules and regulations.

Presentation and Interest Income has been properly disclosed and presented in the financial
Disclosure statements.

Page | 318
Auditee: DESCO WP Ref

Period Under Review: Year ending 30 June xxxx Prepared by Date

Reviewed by Date

Test Assertion Performed by Date

1. Perform a sample test from a sample of FDR/ SDR/

late payment penalties in the FY 30 June xxxx and
recalculate the interest income, to make sure the FDR/
STD is authorised correctly, classified correctly and is
accurate.
Occurrence
Perform the following tests:
Accuracy
(i) Inspect supporting evidence to prove that this
Regularity
transaction occurred.
(ii) Agree the details on the supporting documents Cut-off
to tally.
(iii) Check that the interest has been calculated Classification
correctly.
(iv) Ensure that this transaction accords to rules
and regulations.
(v) Check that the transaction is recorded in the
correct fiscal year in Tally .
(vi) Check that this transaction is posted to the
correct ledger code in Tally.
2. Audit team to check that where a deposit has been Completeness
placed each month, that 12 months of Fixed Deposit
and Short Term Deposit have indeed been recognised
in tally for the year. The auditor is to do any work
necessary to be satisfied that all the late penalty
interest that should have been included in the fiscal
year, have indeed been included.

3. Complete the disclosure checklist to ensure that the Disclosure

amounts have been disclosed correctly.

Page | 319
Miscellaneous Income: Occurrence

9. Compare the current year figure to last year and check Accuracy
whether the variance is within 10%. If the variance is
with 10% do no more work If it is more than 10% Regularity
obtain explanations for any significant variance. Cut-off

Classification

Completeness

Disclosure

Page | 320
 Annex J .8 -

EXCHANGE RATE FLUCTUATIONS

Total Value: Tk. xxxxxx

Exchange rate is the gain or loss resulting from the translation of DESCOs transactions that are
denominated in foreign currency.

This work is documented in working paper Ref: FE001

Audit Objective Definition

Completeness All exchange gains and losses relevant to the period has been recorded.

Occurrence Exchange gains and losses reported occurred during the financial period.

Accuracy Exchange gains and losses have been calculated correctly.

Classification Exchange gains and losses have been classified in the accounts and account heads.

Cut-off Exchange gains and losses have been recorded in the correct fiscal year.

Regularity Exchange gains and losses have been generated and reported in accordance with
the relevant rules and regulations.

Presentation and Exchange gains have been properly disclosed and presented in the financial
Disclosure statements.

Page | 321
Auditee: DESCO WP Ref:

Period Under Review: Year ending 30 June Prepared by Date

2013

Reviewed by Date

Audit Test Audit Assertion Test performed Date

by

Select a sample of exchange transactions in the

financial year ending 30 June xxxx and ensure the
transaction occurred, is accurate, is classified
correctly and is regular.

Perform the following tests:

1. Inspect supporting evidence to prove

that this transaction occurred.
Occurrence
2. Agree the details on the supporting
documents to tally. Accuracy

3. Check that the loan was translated at Regularity

the correct exchange rate. Cut-off
4. Are all the other amounts in the Classification
calculation correct?

5. Ensure that this transaction accords to

rules and regulations.

6. Check that the transaction is recorded

in the correct fiscal year in Tally.

7. Check that this transaction is posted to

the correct ledger code in Tally.

8. The auditor should inspect the exchange loss Completeness

calculations and consider whether there are
any other foreign loans or transactions
denominated in foreign currency that should

Page | 322
 also be included, and make sure that they
have been.

9. Complete the disclosure checklist to ensure Disclosure

that the amounts have been disclosed
correctly.

Page | 323
 Annex-J .9
ASSETS
PROPERTY, PLANT AND EQUIPMENT

Total Value: Tk. xxxxxx

PPE includes land and buildings, sub-stations transformers, distribution lines and vehicles.

This work is documented in working paper Ref: PPE001

Audit Objective Definition

Completeness PPE reported in the accounts is complete.

Existence PPE reported in the statement of financial position at 30 June 2013, existed.

Rights and BTCL have rights and obligations over PPE – i.e. that they own the assets.
Obligations

Valuation and PPE is valued and allocated correctly in the statement of financial position at 30 June
allocation 2013.

Page | 324
Auditee: BTCL WP Ref

Period Under Review: Year ending 30 June xxxx Prepared by Date

Reviewed by Date

Audit Test Audit Assertion Performed by Date

1. Select a sample of assets from the Fixed Asset

Register.
Existence
Perform the following tests:
(i) Physically inspect the asset to make sure the Rights and obligations
assets exist (Note: if the asset has been Valuation and
disposed of since 30 June xxxx, inspect the allocation
disposal documents to prove it was in
existence at 30 June xxxx).
(ii) Check the condition of the asset. Rights and obligations
(iii) Inspect the title deeds / ownership documents
to confirm that BTCL owns the asset.
Regularity
(iv) Select a sample from the listing of Property
Plant and Equipment additions (PPE purchased Valuation and
during the financial year ending 30 June xxxx) allocation
and make sure the procurement process has
been followed properly for each. Also check to
supporting documentation to confirm that the
purchase price is accurate.

(v) Completeness testing of PPE can be linked to

the results of the testing of Operating Completeness
Expenditure and Administrative Expenditure.
(vi) Were any items identified in admin or
operating expenses testing that should be
fixed assets? If yes, then make sure they are
included in the Fixed Assets register at 30 June Completeness
xxxx.

2. Complete the disclosure checklist to ensure that Disclosure

the amounts have been disclosed correctly.

Page | 325
 Annex-J .10
Example Audit Programme
OVERALL FINANCIAL STATEMENTS TESTING

This work is documented in working paper:

Audit Objective:

To ensure that the reporting requirements for the preparation of financial statements have been
followed.

To ensure all the risks that were identified at the planning stage have been addressed. To document
what the overall impact of the risks have been on the audit and whether there remains any impact at
the completion stage.

Auditee: DESCO WP Ref

Period Under Review: Year ending 30 June 2013 Prepared Date

by

Reviewed Date
by

Audit Test Audit Assertion Performed Date

by

Significant Risks

1. Complete the tests in the Significant Risks Testing To be specified by the

Plan (SRTP) that the audit team has written and auditor
planned to complete during field work to address
the Presumed Risk of Fraud (ISSAI 240). These
tests related to (i) Revenue Recognition, (ii)
Journals testing, and (iii) Bias in accounting
estimates.
2. Have any new significant risks been identified
To be specified by the
during the audit? If so, what is the risk and what
auditor
has the auditor done to mitigate and control this
risk?

Page | 326
Risk Factors

3. The risk factors were noted in the Audit Area To be specified by the
Testing Plan (AATP). For some of them no further auditor
work was required. For others the audit team
agreed to perform further work during field work
stage. The audit team must refer back to the AATP
and make sure that all the additional work they
planned to complete during field work to address
these risk factors has been completed. Make sure
To be specified by the
the work is properly documented and referenced.
auditor
4. For each risk factor identified at the planning stage,
the audit team must write an update on whether
the risk factor has become a significant risk. The
audit team must explain whether the risk has any
significant impact on the audit.
Overall regularity work
Regularity
5. Review each transaction stream for new activities
and obtain evidence that the activities are regular.
Regularity
6. Consider whether there is evidence that the entity
has breached its pay and allowances limits set by
the Finance Ministry. Regularity

Laws and regulations

Regularity
7. Consider whether unusual transaction streams are
within the entity's remit (i.e. is an activity that it is
allowed and authorised to be engaged in).
8. Test compliance with laws and regulations that
directly affect the financial statements.
Regularity
For other laws and regulations

9. Inquire of management and, where appropriate,

Regularity
those charged with governance, as to whether the
entity is in compliance with such laws and Presentation and
regulations; and Disclosure,
10. Inspect correspondence, if any, with the relevant Classification and
licensing or regulatory authorities. Understandability
Going concern
Presentation and
11. Evaluate management's assessment of the entity's Disclosure,
ability to continue as a going concern. Classification and

Page | 327
12. Consider whether management's assessment Understandability
includes all relevant information of which the
auditor is aware as a result of the audit.
13. Inquire of management as to its knowledge of Presentation and
events or conditions beyond the period of Disclosure,
management's assessment that may cast Classification and
significant doubt on the entity's ability to continue Understandability
as a going concern.

Related Parties Presentation and

Disclosure,
14. Ensure that all the related parties that we have
Classification and
identified are included in management's
Understandability
consideration of related parties.

15. Evaluate whether the identified related party

relationships and transactions have been
appropriately accounted for in accordance with
the applicable financial reporting framework.

16. Review the related parties disclosures against the

disclosure checklist to confirm that the
disclosures are complete. Where the correct
disclosures have been made audit any figures
considered to be material to supporting
documentation.

Comparative information

17. Consider whether the results of current year Presentation and

testing indicate a possible material misstatement Disclosure,
in the comparative information. Classification and
Understandability
Trial balance

18. Confirm that the audited figures for last year's

accounts have been correctly posted as the
opening balances in the general ledger.
Presentation and
Disclosure,
Classification and
19. Ensure that the Trial Balance has been correctly Understandability
drawn from the General Ledger.
Accuracy

Page | 328
 Accuracy
20. Demonstrate that the audit area totals reconcile to
the trial balance and or draft account.

Tie through of the Financial Statements

21. Review the financial statements, including

completing disclosure checklist, to ensure all Disclosure
required disclosures are included.

22. Examine material journal entries and other Accuracy

adjustments made during the course of preparing
the financial statements.

23. Check that the accounting policies disclosed are Presentation and
complete, accurate and comply with the relevant Disclosure,
standards. Classification and
Understandability
24. Confirm that all prior year comparative figures are
correctly brought forward from the previous year Accuracy
into the draft account.

25. Cast and cross cast all figures in the draft accounts
Accuracy
and related notes.
Accuracy
26. Cross reference all lines in the accounts to
supporting audit working papers. Accuracy,
Presentation and
27. Ensure the Statement of Cash Flows and
Disclosure,
supporting notes agree to supporting
Classification and
documentation and have been correctly prepared.
Understandability

Accuracy,
28. Ensure the Statement of Changes in Taxpayers' Presentation and
Equity agrees to supporting documentation, Disclosure,
corresponds to our understanding of the entity's Classification and
activities in year and has been correctly prepared. Understandability

Page | 329
Audit of non-audit area disclosures Accuracy,
Presentation and
29. Agree disclosure of auditor's remuneration to fee Disclosure,
assessment on plan and in fee file. For Classification and
consolidated accounts, ensure this includes Understandability
confirming that audit fees for consolidated
entities' auditors are accurate and correctly
disclosed.
Completeness,
30. Ensure the capital commitment note is complete Accuracy,
and accurate. Presentation and
Disclosure,
Classification and
31. Ensure that disclosures are complete and Understandability
appropriate for the audited body."

Completeness,
32. Review the analyses of receivables and payables,
Accuracy,
and assess the client's methodology for
Presentation and
identifying the categories of balances. Ensure
Disclosure,
those balances are accurate and categorised in
Classification and
line with BAS requirements.
Understandability
33. Review the entity's segmental analysis, ensure that
it is properly prepared and any allocation between Completeness,
segments has been reasonably performed. Accuracy,
Presentation and
Disclosure,
34. Confirm that new leases have been appropriately Classification and
categorised and correctly disclosed in the financial Understandability
statements.
Completeness,
Accuracy,
Presentation and
Subsequent events Disclosure,
Classification and
35. Obtain evidence that all events occurring between
Understandability
the balance sheet date and the date of the audit
report requiring adjustment or disclosure have
been appropriately reflected in the financial Completeness,
statements. Accuracy,
Presentation and
Disclosure,

Page | 330
Review of other information Classification and
Understandability
36. Review the annual report to ensure that it is
consistent with the financial statements. Completeness,
Accuracy,
Presentation and
Disclosure,
Classification and
Understandability

Page | 331
 Annex-K
AUDIT SAMPLING
INTRODUCTION

At the early developmental stage of auditing detailed examination of all items was common.
As auditees grew in size, the detailed work required increased to a level where a 100%
examination became neither necessary nor practicable, nor can it guarantee 100% accuracy
anyway.
A financial audit consists of obtaining evidence to form an opinion about an account. The
evidence has to be sufficient, relevant and reliable. Sufficient evidence is the quantity of
evidence necessary to provide the auditor with reasonable assurance that the account is not
materially misstated.
The auditor has the following options open to him when deciding how much testing of a
population to do. He/she will probably use a combination of all of these options while carrying
out his/her audit of the whole account. The options could be to:
1. Examine all the transactions or items in a population (100% testing). 100% testing of an
entire account is normally unnecessary and usually it would be impracticable anyway.
However, in carrying out any test as part of the overall audit, the auditor may
sometimes decide that a particular population requires 100% examination. For
example, the auditor might test all the items making up a balance if the amounts were
individually material.
2. Examine less than 100% of the transactions or items. Whenever the auditor tests less
than 100% of the population, he/she has to select in some way the transactions or items
to be examined. Selective testing procedure falls into two categories:
a) High value and key item selection. These collectively are often referred to as
individually significant transactions, and the auditor normally audits 100% of
them.
High value items are those which individually could have a significant effect on
the auditor’s opinion because of their monetary value.
To arrive at the cut-off amount above which items are considered to be high
value, the auditor should use a percentage of planned precision (planning
materiality less the expected total errors). If monetary-unit sampling is being
used, the high value amount can be set equal to the sampling interval. If MUS is

Page | 332
 not being used, the auditor could set the cut-off amount conservatively at one-
quarter planned precision or less.

Key items are items that the auditor usually also wishes to examine 100% based
on his/her knowledge and experience. There may, for example, be unusual items
revealed by his/her scrutiny of the accounting records and statements. They may
be considered especially worthy of interest because of their nature (for example,
year-end adjustments).

How the auditor goes about testing key items depends on their number and
materiality. As noted, he/she normally examines 100% of them but, if there a
large number of similar transactions, the auditor may examine the items which
are most important in his/her judgement. If those do not reveal any significant
errors, the auditor may decide to sample the remainder of them.
Examining 100% of high value items and key items does not constitute audit
sampling because the auditor can reach a conclusion only on the items he/she
has examined and not on the whole population from which the items have been
drawn. However, if the total of the remaining is insignificant, the auditor might
feel justified in forming an opinion on an account balance by examining only the
high value items and key items.

b) Sampling. Here the auditor employs a sampling method with the aim of drawing a
conclusion about the whole population by auditing a representative sample of the
transactions. The sample would be drawn from the whole population, less the
individually significant items that have been examined 100%.
Thus sampling is defined as the application of an audit procedure to less then 100
percent of the item within an account balance or class of transactions for the
purpose of evaluating audit evidence about some characteristics of the items
(balances or class of transactions) selected in order to form or assist in forming a
conclusion concerning the population from which the sample was drawn.
Clearly the auditor wants his/her conclusion, based on examining only a sample,
to be the conclusion he/she would have reached if he/she had examined the
whole population. To achieve this, the auditor’s sample needs to have the same
characteristics as the whole population. In other words, the sample needs to be
representative of the population from which it has been drawn. In fact, it is

Page | 333
 impossible to be sure that a sample is truly representative of its population and
there is always a risk (known as the sampling risk) that the auditor will come to
the wrong conclusion about the whole population simply because he/she has
examined only part of it. The auditor must therefore try to control the sampling
risk through careful planning and selection of the sample. But there will always
be some uncertainty which he/she must take into account when evaluating the
results of testing the sample. This is true whatever sampling method the auditor
adopts.
Objective of Sampling
Sampling is only one source of audit assurance. To obtain assurance with respect
to the internal control system to support his/her assessment of control risk, the
auditor uses review, inquiry, observation and walk-through procedures, as well as
sampling. For substantive tests, the auditor also uses analytical procedures and
the testing of individually significant transactions.

These other audit procedures are often more cost-effective than sampling.
Therefore, on a lot of audits the auditor will first consider the assurance that
he/she can obtain from these other sources of assurance, and then look to
sampling to provide the required remaining amount of assurance. With this
approach, the objective of sampling is to reduce detailed checking to the
minimum consistent with the required level of overall audit assurance.
The auditor, of course, must not do less than is required. The portion of the
population to be examined in detail must be determined and selected so that the
risk of not detecting material errors, omissions and irregularities is minimized to
the level that would not seriously affect the accuracy of the audit opinion.

STATISTICAL AND NON-STATISTICAL SAMPLING

Sampling methods can be broadly categorized as statistical or non-statistical. However,
both statistical and non-statistical methods have the following features in common.
(a) They both require the exercise of audit judgement in planning, selecting and
evaluating the sample. (The use of the term “judgemental sampling” as the
opposite of statistical sampling is therefore misleading).
(b) The auditor must make sure that he/she samples from the whole population and
that the population is complete.

Page | 334
 (c) Before beginning his/her examination of the sample, the auditor should consider
the audit objective of the test and define what will constitute an error.
(d) The sample should be selected without bias towards any particular items.
(e) The sample must be large enough to ensure that the risk of it being untypical of the
whole population is reduced to the level that the auditor has determined to be
necessary to achieve the desired level of overall audit assurance.
(f) The results of the sample test must be evaluated in relation to the whole
population.

There are two basic sample selection rules:

(i) The sample conclusion only applies to the population from which it is selected; and
(ii) The sample should be representative of the population from which it is selected.

The rule in (i) applies to both statistical and non-statistical sampling and is the primary
reason for what is written in (b) above – since the sample conclusion only applies to the
population from which it was selected, the auditor must ensure that he/she samples
from the entire population. If, for example, the auditor wants to conclude on the
expenditures for the entire year, the auditor should select his/her sample from the entire
year. If the sample is selected from only one or two months, say, the sample results can
only be projected over those one or two months, and the sample conclusion only relates
to those one or two months.

The rule in (ii) relates directly to (d) above – in order to ensure that the sample is
representative of the population from which it was selected, it should be selected
without any bias towards any particular item.

The auditor has a better chance of achieving (ii) (and (d)) with a statistical sample than
he/she does with a non-statistical sample. When using a non-statistical sample, though,
the auditor should still strive to ensure that his/her sample is as representative of the
population as is possible.

Whether the auditor uses statistical or non-statistical sampling, the auditor considers the
same factors when determining the required sample size, and performs the same sample
evaluation. In effect, only difference between statistical and non-statistical sampling is
the way in which the sample items are selected. With statistical sampling, the sample
items are selected in a way that is designed to produce a sample that is representative of

Page | 335
the population. With non-statistical sampling, the auditor does not use as rigorous a
selection method as he/she does with statistical sampling.
Given the above, the main advantages of statistical sampling over non-statistical
sampling are:

. Because each sampling unit has an equal and known chance of selection, there is
a better chance that the sample will be representative of the population than is
the case with a non-statistical sample. When expressing an opinion on financial
statements, having a representative sample is very important.
. Because there is a better chance that the sample will be representative of the
population, the sample results are more objective and defensible, as are the
projections of those results to the population as a whole.
. It provides a direct estimate of the maximum possible error (referred to as the
upper error limit (UEL).
When not using statistical sampling, the auditor normally compensates for the less
rigorous selection techniques by increasing the size of the statistical sample. The auditor
could, for example:
. Increase the sample size by 20% if he/she thinks that the sample is a very good
approximation of a statistical sample;
. Increase the sample size by 50% if he/she thinks that the sample is a good
approximation of a statistical sample; and
. Increase the sample size by 100% (double it) if he/she thinks the sample is a
reasonable approximation of a statistical sample.

As noted above, when using a non-statistical sample the auditor should still strive to
ensure that his/her sample is as representative of the population as is possible. To
illustrate, assume that the auditor:

(i) Determines the required statistical sample size to be 40; and

(ii) Doubles it because he/she is not taking a statistical sample.

It would not be appropriate for the auditor to then select the first 80 items from the
population, select the largest 80 items, etc. The auditor must still make a reasonable
attempt at selecting a sample that is representative of the population from which it was
selected.

Page | 336
BASIC CONCEPTS AND DEFINITIONS

Sampling

Sampling is the selection of a sub-set of a population. The auditor takes a sample to reach a
conclusion about the population as a whole. As such, it is important that the sample be
representative of the population from which it was selected

Statistical sampling

Quite simply, statistical sampling is the selection of a sub-set of a population in such a way that
each sampling unit has an equal and known chance of selection.

Statistical Sampling can also be defined as an audit sampling that uses the laws of probability
for selecting and evaluating a sample from a population for the purpose of reaching at a
conclusion about the population.

Sampling unit

The sampling unit is the specific item of which the population is assumed to be composed for
sampling purposes.

As an example, consider a population of purchases for the year. Let’s assume that the
purchases are recorded by cash disbursement, that each disbursement may relate to several
supplier invoices, and that each supplier invoice may relate to several purchases. In this
example, the sampling unit could be:

. Each cash disbursement;

. Each supplier invoice within each cash disbursement;
. Each purchase within each supplier invoice; or
. Each Tk. within each purchase.
If the auditor set individual cash disbursement as the sampling unit, the sample selection
process would be much simpler than if the auditor set an individual purchase within a supplier
invoice as the sampling unit. However, by setting each cash disbursement as the sampling unit,
the auditor would have to audit all supplier invoices and all purchases within each selected
cash disbursement.
[

Page | 337
Physical unit

The physical unit is the specific document (cash disbursement, individual supplier invoice or
individual purchase, for example) to which the sampling unit is assumed to relate.

The physical unit is normally the same as the sampling unit. The primary exception is monetary
unit sampling where the sampling unit is each individual monetary unit (Tk.).

Population size

The population size is the number of sampling units (cash disbursements, supplier invoices,
purchases or Tk.) in the population.

The population size will vary depending on the sampling unit being used. For example, our
population of purchases for the year may be composed of 16,000 cash disbursements, 30,000
supplier invoices, 70,000 purchases, and 100,000,000 Tk. Depending on which sampling unit
was selected, any of these amounts could constitute the population size.

Population value

The population value is the monetary amount of the population being sampled. In the above
example, it would be Tk. 100,000,000.

As discussed above, there could be individually significant transactions that the auditor wants
to examine. These could be very large transactions or high risk transactions. What auditors
often do is audit 100% of these transactions, and takes a sample of the remaining transactions.

To arrive at the population value for sampling purposes, the auditor needs to subtract the total
value of the individually significant transactions from the total population value. For example,
if the auditor decides to audit all transactions greater than Tk. 500,000 and to take a sample of
the remaining transactions, the total value of the items greater than Tk. 500,000 would be
removed from the population value when determining the required sample size.

Sometimes the auditor does not know the population value at the time he/she wishes to
determine the sample size. For example, the auditor may wish to select a sample of supplier
invoices for the year, and may wish to start auditing the transactions well before the end of
the year. In this case, the auditor will have to make an estimate of the population value at the
planning stage. However, should one of the “normal” sample selection approaches for MUS be

Page | 338
used, the sample size will automatically be adjusted for any over or underestimations of the
population value.

Sampling risk

Sampling risk is the chance that a sample is not representative of the population from which it
was selected.

Sampling risk can result in the auditor reaching an incorrect conclusion about the population
from which the sample was selected. The auditor could either incorrectly conclude that:

. The population is not materially misstated when, in fact, it is materially misstated; or

. The population is materially misstated when, in fact, it is not materially misstated.
When planning an audit, auditors normally try to control the first risk and normally do not
concern themselves with the second risk. This is because, should an auditor conclude that a
population is materially misstated, entity officials will normally conduct an investigation to
determine if the auditor is correct. This follow-up work would normally lead the auditor to the
correct conclusion.

Confidence level

The confidence level is the degree of assurance that the auditor has that the sample is
representative of the population from which it was selected. This is the converse of the
sampling risk.

If the auditor uses a 95% confidence level, this means that there is a 95% chance that the
sample will be representative of the population from which it was selected, and that the audit
results will be correct. Put another way, there is a 5% chance that the sample is not
representative of the population, and therefore the auditor may not reach a correct conclusion
from the results of the work.
[

Precision gap widening and basic precision

Planned precision is the materiality amount less the expected total errors for the financial
statements as a whole.

Page | 339
For example:

Materiality Tk. 30,00,000

Expected total errors in financial statements TK. 8,16,500

Planned precision Tk. 21,83,500

When planning a statistical sample, though, there is one other factor that needs to be taken
into account – precision gap widening.

The reason why we need to consider precision gap widening is because, for each additional Tk.
1 in the most likely error, the upper errors limit (maximum possible error) increases by more
than Tk. 1. Simply subtracting the expected total errors from materiality does not deal with
this effect. Therefore, planned precision needs to be reduced by a further amount. This further
amount is referred to as precision gap widening.

Planned precision less precision gap widening is referred to as “basic precision”. It is equal to
the error that could exist in the population even if no errors were found in the sample. It
therefore represents the upper error limit when the most likely error is nil.

FACTORS AFFECTING SAMPLE SIZE

Many of the factors discussed above will affect the sample size, as is illustrated in the following
table:

Impact on
Sample Size if
Factor Comments
Factor Increases

Population value Increase If population value increases with all other factors remaining
the same, materiality and planned precision become smaller
percentages of the population value. Hence, the auditor would
need a more precise estimate of the error in the population.
This would require a larger sample size.

Population size Nil, except for very For populations with less than 10,000 sampling units, the
small populations sample size may be slightly less than would otherwise be the
case.

Variability of Nil for all types of Variability is only a factor for those types of sampling plans

Page | 340
 Impact on
Sample Size if
Factor Comments
Factor Increases

sampling units sampling illustrated based on a standard deviation. ACL does not support these
in this section. types of sampling plans, and they are rarely used in practice.

Materiality Decrease If materiality increases with all other factors remaining the
same, materiality and planned precision become larger
percentages of the population value. Hence the auditor would
not need to have as precise an estimate of the error in the
population. The auditor could then decrease the required
sample size.

Planned Decrease Same discussion as materiality.

precision

Expected total Increase The expected total errors are subtracted from the materiality
errors amount to arrive at planned precision. Increasing expected
total errors decreases planned precision, which increases the
sample size.

Confidence level Increase Increasing the confidence level means that the auditor wants
to be more certain about the results of his/her procedure. The
auditor will need to take a larger sample to do this.

Sampling risk Decrease Increasing the sampling risk is the same as decreasing the
confidence level. The auditor is willing to be less certain about
the results of his/her procedure, and can therefore take a
smaller sample.

METHODS OF SAMPLING
Methods of sampling may vary according to whether the auditor is working in a computerized
or non-computerized environment. Statistical sampling is well suited to a computerized
environment, but both statistical and non-statistical can be used in a non-computerized
environment.

Page | 341
Statistical Sampling

Non-computerized Environment
The statistical methods most applicable to a non-computerized environment are:
i) Monetary unit sampling: (MUS)
ii) Simple Random Sampling (SRS)

i) Monetary Unit Sampling (MUS)

Monetary unit sampling is the preferred method of statistical sampling for substantive
tests where the auditor wishes to determine the monetary effect of the errors found. It
involves considering the total value of the population as individual monetary units (e.g. Tk.)
treating them as the population (e.g. total expenditure of Tk. 30,000 equals a population of
30,000 units); taking a sample from them and examining each payment which contains an
element of the sample.

The main advantage of MUS is that non-statisticians find it relatively easy to use after the
minimum of training. The one possible disadvantage is that, to obtain a truly statistical
sample, the process requires the values of all items to be totaled cumulatively before
selection is made. In manual accounting systems this could be time consuming although
most systems probably include some totaling (for example totaling of individual ledger
pages) which will enable manual selection to be undertaken.

Monetary unit sampling gives a higher chance or probability of selection to high valued
item (units with high recorded values) and a comparatively lower chance of selection to
small valued items or selection is based on the size of the units in the population.

Selecting sample items with probabilities proportional to the recorded amounts is an

alternative to ‘stratifying’ the population by recorded amounts. This method is simpler
than stratified sampling. This has made the selection technique increasingly popular in
auditing practice.

Merits of MUS
1. MUS satisfies the objectives of accepted auditing standards and can easily be used
within the conceptual framework of audit sampling.
2. MUS solves the problem of detecting a very small number of large misstatements by
giving the larger items a much greater chance of being included in the audit sample.

Page | 342
 This is achieved by breaking up the big, but infrequent physical units into small but
frequent monetary units.
3. MUS can be applied to a combination of several account balances. Accounts can be
tested together because the sampling units (individual Tk. amounts) are homogeneous.
4. The sample size is much smaller than is normally required by the variable sampling
methods (those that involve the determination of a standard deviation), and should
generally be smaller than that required when stratified sampling is used.

Demerits of MUS
1. Physical units that are understated have a lower probability of selection because they
contain a smaller number of Tk. to be selected for sampling. Further, MUS cannot find
misstatements in physical units with a book value of zero.
2. It may overstate the “true” upper error limit when a LOT of misstatements are found
and cause the auditor to reject a correct client book value.
With respect to the first demerit, auditors rarely test populations to find
understatements or missing transactions/amounts; rather, they examine reciprocal
populations. For example, to find understatements of year-end payables, auditors
would not test the year-end payable balance; rather, auditors would look at supplier
invoices processed after the year-end, cash disbursements made after the year-end
date, etc.
As for the second demerit, if there are a lot of errors in the sample, it is likely that the
“true” upper error limit will exceed the materiality amount anyway.

Selecting an MUS Sample:

To illustrate the use of MUS, suppose the auditor is sampling a population of Tk.
100,000 expenditure balance that is contained on 500 individual payment vouchers.
Instead of viewing the population as 500 different physical units from which to draw a
sample, the auditor would think of the population as TK. 100,000 individual monetary
units (single Tk. units) from which to draw a sample.
When an individual Tk. is selected for examination, the Tk. is not tested by itself.
Instead the auditor audits the physical unit (the corresponding voucher, etc.) within
which it belongs.
In applying monetary unit sampling, auditors may use a random number table or
computer generated random numbers to select a random Tk. from the population.

Page | 343
However, systemic selection with a random start is usually recommended for its
procedural simplicity. Its steps are:
1. Calculate the average sampling interval by dividing the total number of Tk. in the
population by the sample size.
Average Sampling Interval (ASI)= Total recorded amount of the population
Sample size
Note: There is another formula that allows the auditor to determine the sampling
interval without knowing the population value. See Annex B.
2. Select a starting point from one Tk. to the amount of the sampling interval (may use
the attached random number table, Annex-Ran).

3. Set the starting point on the calculator at minus the random start.
4. Start adding the book values of each voucher until the total exceeds zero. That gets
you the first sample item.
5. From the total in (4), subtract the sampling interval to produce a negative
amount. Then start adding the book values of the subsequent vouchers. When
the total goes positive, that is your next sample item.
6. Again subtract the sampling interval to again get a negative total. (Note: The
auditor may need to do this more than once if the sample item selected is more
than two times the sampling interval.) Then again start adding the physical units.
Continue until you have counted through the population and have the sample.
(Detailed illustration for MUS is presented below)

Another sample selection method is cell selection. It combines both the

systematic and the random methods. The population is divided into cells, each
with Tk. equal to the sampling interval. The auditor then selects a random Tk.
amount from each cell.
This method would be very time-consuming to apply manually, but is available on
IDEA.

Page | 344
ii) Simple Random Sampling
Simple random sampling uses random numbers to identify the sample transactions.
The size of the sample is determined in the same way as for MUS. Each item in the
population is given an equal chance of selection by allocating a consecutive number
(for example if the total number of transaction is 1500 then each transaction can be
given a number between 1 and 1500) then the required sample size is selected using
random numbers.

The main advantage of this method is that it is suitable for selecting transactions which
are pre-numbered and accessible in numerical order, e.g. cheques from check book
stubs, and invoices filed and numbered on receipt. Its disadvantage is that it selects
transactions irrespective of their value so where the transactions in the population vary
in value the sample might concentrate on low value high volume transactions. For this
reason it is best used for populations where the items do not vary widely in value, for
example pay and pensions.
Computerized Environment
Statistical sampling may be carried out more cost effectively in a computerized
environment. Both MUS and SRS are well suited to computerized environments and
the comments on the methodologies described above apply.

Attributes Sampling
Introduction
Attribute sampling is used in practice to refer to three different sampling plans that
are generally used by auditors to test the operating effectiveness of internal control
policies and procedures by estimating the rate of deviation from proper
performance. These sampling plans include:

Monetary-Unit Sampling
Monetary unit sampling is, in effect, a form of attribute sampling. (Another name
given to monetary unit sampling is monetary attribute sampling.)

As noted above, monetary unit sampling produces a sample where the larger
transactions have a greater chance of selection. Seeing as auditors are usually
interested in monetary errors, they would usually be more concerned about internal

Page | 345
control deviations (unapproved supplier invoices, for example) in larger transactions
than in smaller ones.
The same sample selection techniques as are noted above (random, systematic and
cell) can be used for MUS for tests of controls.

Physical attribute sampling

Physical attribute sampling is a sampling plan that is used to estimate the rate of
(percentage) of occurrence of a specific quality (attribute) in a population. It answers
the question “How many?” It is a common statistical sampling plan in auditing. An
attribute sampling plan might for example be used to estimate the number of
invoices paid twice. Attribute sampling would also help the auditor answer the
question “How often”. The auditor using attribute sampling might conclude “there is
only a 5% risk that the true rate of double payment in the population exceeds 6% of
the total population (6%x1,000) or we are 95 percent confident that, from say a
population of 1,000 payments the risk of double payment would not exceed 60
(6%X1,000).”

Discovery Sampling
This is essentially the same as attribute sampling with one difference – the auditor
assumes a nil deviation rate. The auditor selects the sample and, if he/she finds no
deviations, then the auditor might conclude; “Since I did not observe an occurrence
in the sample there is only a 5 percent risk that a payroll sheet exists in the
population at a rate greater than 2 percent”.

All three attribute sampling plans deal with qualitative characteristics of the
population. They are used primarily by internal and independent external auditors in
tests of controls when the auditor wants to estimate the extent to which prescribed
internal control procedures are being followed.
These plans might be used in the following areas.

Cash Disbursement Tests: This is for occurrences where discount are not taken,
invoices not properly approved, invoices are not checked for clerical accuracy, and
other failure on sales posting and misstatements.

Page | 346
Payroll Tests: Apply where misstatements in hours, rates, extensions, deductions,
lack of appropriate approvals or excessive vacation time occur.

Inventory Tests: Inventory items not properly priced, and misstatements in perpetual
inventory records.

Cash Receipts Tests: Erroneous discounts allowed, and entries posted to incorrect
accounts.
Attribute Sampling and Tests of Internal Control
In executing a test of controls, the auditor is generally concerned with the frequency
of deviations from prescribed control procedures. When using attribute sampling,
items being tested or evaluated must be either indicative of deviation from proper
performance or not a deviation in performance. The objective of attributes sampling
as it is used for test of controls or special purpose studies is to obtain a reasonable
level of confidence that the population deviation rate is not beyond a certain level.
Acceptable auditing Standards require the auditor to obtain a sufficient
understanding of the auditee’s internal control structure to plan the audit and assess
control risk. The auditor's understanding of the procedures obtained through inquiry
or reference to written instructions, and an understanding of their function and
limitations is based on the auditor’s training, experience and judgement. The
auditor’s understanding of the internal control structure is documented using a flow
chart, internal control questionnaire, or written narrative. Based on this information
the auditor makes a preliminary assessment of the effectiveness of the prescribed
internal control structures assuming that internal controls are operating effectively.
At this point, the auditor may decide that it is not efficient to perform additional
internal control work. Then he/she will assess control risk based solely on the
evidence obtained while obtaining an understanding of the internal control structure.
If the auditor decides that it is efficient to obtain additional evidence about internal
control, he/she will make a judgement about the planned assessed level of control
risk, and the planned tests of controls needed to support that level of control risk.
Implicit in this judgement is a consideration of the cost and benefits of the test of
controls. A particular internal control will only be tested if the cost of testing the
control is less than the benefit obtained from reduced substantive testing.

Page | 347
 A judgement has to be made by the auditor about the determination of which test of
controls may be performed using audit sampling. If a control is of a type that does
not leave evidence of performance, audit sampling cannot be used to test its
operating effectiveness.

Non-statistical Sampling

Non-statistical sampling can be defined as an audit sampling in which auditors do not

utilize statistical techniques to select the sample.
As noted above, when using a non-statistical sample the auditor should still strive to
ensure that his/her sample is as representative of the population as is possible. The
sample selection technique should, therefore, be an approximation of a random
selection, a systematic selection, etc.

As also noted above, the way in which the sample is selected is the only real
difference between statistical and non-statistical sampling. In both cases, the auditor
considers the same factors when determining the sample size, and when evaluating
the sample results. To apply this method, auditors are expected to have sufficient
knowledge about the population to justify a basis for a non-statistical sample to
reach a reasonable conclusion about the population.

Merits of Non-statistical Sampling

Non-statistical sampling may be of use when the extra time required to select a
statistical sample would exceed the time required to audit the extra sample items
that are selected to compensate for not having a statistical sample. This could occur
when, for example, selecting a statistical sample would be very costly and/or
impractical.

Page | 348
The following table illustrates some of the factors to consider when deciding on a
statistical or a non-statistical sample:
Favours

Statistical Non-statistical
Factors Sampling Sampling

a. Set-up time

high X

low X

b. Computerization

Yes X

No X

c. Volume of data

large X

small X

There are circumstances where a purely non-statistical method of selection for

representative testing is appropriate, for example, where the audited entity
maintains unnumbered manual records which are not cumulatively totaled in some
form. In these circumstances the auditor can apply an approximation of, say, an MUS
sample using his/her judgement. In doing so, the auditor should weigh his/her
sample towards high value items but ensuring that a few lower value items are
selected. This can be done in several ways but two methods are:
. Quota Sampling
. Simulated MUS
Using Quota sampling, the auditor selects the sample transactions in proportion to
certain characteristics in the population. For example, if 30% of the total monetary
amount for all grants is in the items over Tk. 10,000 and 70% of the total monetary

Page | 349
 amount is in the items under Tk. 10,000, then in a sample size of 100, 30 transactions
would be over Tk. 10,000 and 70 under TK. 10,000.
Using simulated MUS the auditor selects the sample transactions by identifying
judgmentally the higher value items in the population. If the sample is selected from
entries in the ledger then the auditor should select a number of ledger pages equal to
the sample size (this can be done using random numbers or the higher value
transaction from each pages) and take one of the higher value transactions from each
page.
[

When sampling accounts consisting of a small number of transactions or with a small

monetary value (and hence the resulting sample size would be small) the costs of
applying statistical sampling may be out of proportion to the objectivity provided. In
these circumstances the auditor can:
(a) calculate the required sample size for a statistical sample and increase it (as
detailed below);
(b) Select a few high value transactions which amount to a large percentage of value
of the account or account area; and
(c) Select the rest of the sample from the remainder of the items.

Whatever the sampling method used the auditor should document:

(a) the size of the sample and the factors which determined the size;
(b) the method by which the items were selected;
(c) the results of the tests and the most likely error for the whole population; and
(d) a conclusion about the maximum level of possible error in the whole population
based upon his/her judgement and the degree of assurance with which the
conclusion is formed.

Summary
The auditor designing a non-statistical sampling plan considers the same factors as the auditor
designing, a statistical plan. In both cases, the auditor defines test objectives, population,
sampling unit, materiality, expected total error, and confidence level. The auditor then
performs the desired audit procedures on the sample and evaluates the sample results.

Page | 350
STAGES IN SAMPLING
1. Planning Stage (Problem Recognition Phase)
In order to plan the sample properly, the following matters need to be carefully
considered:
a) Audit Objective: In planning the sample, the auditor should first identify the purpose
of the audit procedures he/she wishes to perform on the sample. This would involve
a consideration of the financial statement assertions and the related compliance with
authority objectives and the specific error conditions, and whether a substantive test
or a test of controls was being performed.
b) Population and Sampling Unit: A population is a collection of items from which a
sample is drawn and about which the sample provides information. The population
should be precisely defined because a conclusion based on a sample cannot be
extended beyond the population to which the sample relates.
The audit objective also should be considered when defining the population. For
example, if the characteristic being tested is a specific accuracy control over inventory
purchases, it would not be efficient to define the population as all voucher register
(purchase journal) transactions, because that population would include many items
unrelated to inventory.
Because an item that has been erroneously excluded from a population to be sampled
cannot be selected for testing, the auditor should perform supplementary procedures to
assure that the sampled population is complete. Procedures in other phases of the audit
will often provide assurance about population completeness.
Defining Physical Unit: As noted above, the physical unit is the element in the population
for which characteristics are to be measured to estimate those characteristics for the
whole population. In a substantive test, the sampling unit may be any element, provided
that the value of all such elements equals the total value to be audited. If, for example,
the auditor wishes to verify the total balance of accounts receivable by confirmation, any
of the following could be specified as the sampling unit.
- Branch (selected branches should then be verified in total);
- Total customer balances (the usual method when using confirmation;
- Open invoices- outstanding invoices (may be more productive if customers are
unable to confirm total balances and may be more efficient than total customer
balances because increases in sample size may be offset by reduction in the time

Page | 351
 required to perform alternative procedures on accounts for which confirmations
have not been received, that is, non-responding accounts);
- Line items on open invoices (may be appropriate in the case of very complex
invoicing procedures).

Selection of the physical unit for a substantive test should be based on considerations of
convenience, economy and effectiveness, because sampling results do not depend on
the level of detail (or aggregation) in the sampling unit.
Planned Precision and Basic Precision: These terms are discussed above. Planned
precision represents the materially amount for the financial statements as a whole, less
the expected total errors for the financial statements as a whole.
Basic precision is also discussed above. As noted in that discussion, if the auditor uses a
statistical sampling software package, the software will automatically calculate this
amount for the auditor.
A critical component in determining planned precision is the anticipated amount of
monetary error in the financial statements. The number and magnitude of errors
expected influence sample sizes because, as the number and Tk. value of errors increase,
larger sample sizes are required to obtain the desired precision.
It should be stressed that, since materiality is predetermined and fixed, an over-
estimation of the most likely error in the financial statements will result in a lower
planned precision and a need to test more extensively in order to achieve a more tighter
precision. On the other hand, under-estimation of the most likely error, while reducing
the extent of testing, will normally lead to unacceptable results – the upper error limit will
exceed materiality.
[

Error and deviations: During the design of a sample, the auditor should specify what
constitutes an error or deviation, and each selected item should be evaluated according
to the specifications. A representative sample provides an estimate of the characteristics
in the entire population. Thus, errors or deviations in a sample should be projected to
the population or stratum from which the sample was selected in order to draw an audit
conclusion.

Sampling risk: Sampling risk arises from the possibility that a test applied to a sample will
result in a conclusion that may be different from the conclusion that the auditor should
reach if the test (audit) were applied in the same way to all sampling unit in the

Page | 352
 population. That is, a particular sample may contain proportionately more or fewer
monetary errors or compliance deviations than exist in the population. Sampling risk
increases from zero as the sample size decreases from 100% of the audited population.
Non-sampling Risk: Non sampling risk includes such factors as selecting audit procedures
that are not appropriate for the audit objective, failing to recognize errors or deviations in
documents examined, etc.

2. Execution Stage (Evidence Collection)

Determining Sample Size
The auditor should use the Sample size calculator form and Annex K.1 to determine the
MUS or non-MUS sample size. However, in completing this for, the auditor should
consider the additional guidance given below.

The knowledge, experience and sound judgement of the auditor is very important in
determining the amount of work to be carried out during the process of the audit no
matter which sampling procedure is adopted.
If the auditor decides to test items from a population, he/she needs to select the items in
a logical fashion. This normally involves testing the following:
a) Those items which in his/her judgement should be examined 100%. These should
include:
i) High value items: Selection is based on the premise that if errors are to occur
in the large value items, then these items should be looked at as they will be
of a material nature.
ii) Key items: These are items which require particular attention. These key
items may be unusual or suspicious items revealed by scrutiny of
transactions and statements or they may be considered particularly worthy
of interest because of their type or may have been identified by the auditor
as a weak area where transactions appear prone to error. These items will
be selected entirely based on the auditor’s understanding of the inherent
and control risks and the auditor’s professional judgement.

b) A representative selection of the remaining items. The auditor wants a

representative selection because, if a sample is to be relied on to conclude on
the population then that sample should be a good representation of the
population on the whole.

Page | 353
The sample size when using Monetary Unit Sampling is based upon:
. the monetary value of the population;
. Performance Materiality;
. the Assurance Factor required from substantive testing; and
. whether there are any items in the population larger than Performance
Materiality/Assurance Factor.

The process for testing an assertion through Monetary Unit Sampling consists of:
. determining whether it is appropriate to use Monetary Unit Sampling;
. calculating the sample size and sampling interval;
. selecting sampled items;
. performing tests of detail; and
. evaluating the results of procedures performed.

In using Monetary Unit Sampling, the expected level of error in the account as a whole,
including in the balance being tested, is reflected in the Performance Materiality figure
used (as this is Materiality less the anticipated level of errors).
MUS sample sizes are 50% larger for Specific Risks than for other assertions if we do not
have controls assurance. It therefore may not be efficient and effective to rely upon MUS
testing alone to obtain assurance over Specific Risks. Teams should consider:
. testing the operating effectiveness of controls to reduce the extent of
substantive testing required;
. using Computer Assisted Audit Techniques to address the Specific Risk
more precisely; or
. performing procedures to earn the right to rely upon work performed by
the entity to obtain assurance over the Specific Risk.

The process for testing an assertion through Monetary Unit Sampling consists of:
. determining whether it is appropriate to use Monetary Unit Sampling;
. calculating the sample size and sampling interval;
. selecting sampled items;
. performing tests of detail; and
. evaluating the results of procedures performed.

Page | 354
Note - a multi-location sampling approach is generally required if transactions are processed
or accounting records are held at a number of locations in such a way that a sample
cannot be extracted from across the entire population. In most cases, the locations
are too numerous for it to be practicable to visit them all. The sample therefore needs
to be drawn in two stages ~ the number of locations to be visited, and the number of
items to test at those locations. When evaluating the results the auditor needs to
extrapolate the error at each location and across all locations.

Calculate the Sample Size and Sampling Interval:

The auditor should calculate the sampling interval (“SI”) using the following formula:

Where:

Assurance factor (“AF”) = a factor reflecting the level of assurance required from
substantive testing. As discussed in the Manual section on the Audit Assurance
Model, the AF required from substantive testing reflects whether there is a
Specific Risk and whether we have assurance over the operating effectiveness of
controls in respect of the assertion being tested. This is a reliability factor
calculated from the cumulative Poisson distribution. The value of the factor is
linked to the assurance level being taken from the work:

Page | 355
Performance Materiality =as discussed the manual section on Materiality and
Performance Materiality, this is the level of precision that we are planning to
achieve around the estimate of any error identified in the population.
It is usually possible, using IDEA, to identify items greater than the sampling interval and
then to select the remainder of the sample from the residual population. Where
this is the case, the auditor should calculate the sample size using the following
formula

Where:
Residual population value = the value of the set of data from which a sample is selected
and about which we wish to draw conclusions, less items which are greater than
the sampling interval.
Note that the sample size calculation for the residual population is equivalent to
((Residual population value X Assurance Factor)/Performance Materiality)
Excluding items greater than the sampling interval from the calculation reduces the
sample size required of smaller items. If it is not practical to separate out items

Page | 356
 greater than the sampling interval, the sample size can alternatively be calculated
as:

Sample Size = Population Value

Sampling Interval

Where:
Population value = the value of the entire set of data from which a sample is selected and
about which we wish to draw conclusions, including any items which are greater than the
sampling interval.
If we identify any additional items for testing which we consider should be included in our
sample (“key items”) these should also be excluded from the residual population.

Example: MUS sample size and sampling interval calculations

Population value = Tk.70,00,000
Materiality = Tk.5,00,000
Performance Materiality = Tk.3,50,000
Assurance Factor = 2.0
Sampling interval = Tk.3,50,000/2.0 = Tk.1,75,000
There are no items greater than the sampling interval, and so:
Sample size = Tk.70,00,000/Tk.1,75,000 = (Tk. 70,00,000 x 2.0)/Tk.3,50,000 = 40

Monetary Unit Sampling can result in statistically small sample sizes. This is due to the
way in which the materiality is based on a consideration of the financial statements as a
whole, with samples for individual balances effectively part of a wider sampling exercise
for the whole account. Thus several small samples can in fact be part of a larger robust
exercise across the whole account.

Statistically small sample sizes can reduce the quality of the assurance achieved, as the
sampled items may not be representative of the population. To address this risk, the
minimum sample size for any MUS sample is 5 items, with a minimum of 10 items when
testing Specific Risks, including items greater than the sampling interval.

Page | 357
As noted below, if we are unable to select the sample in a systematic way, the sample size
should be increased to the greater of 30 items or 125% of the original sample size.
Select Sampled items
Sampling is reliant upon the quality of the data from which the sample is selected, the
sample source. The auditor should check that the sample source is suitable and that the
source is a complete and accurate record of the total population to be audited.
The sample source should be tied to the trial balance and any reconciling items tested.
The use of computer assisted techniques is usually an effective way to agree the general
ledger to the trial balance and identify potential duplicate entries.
It is important to note that any items excluded from the sample source cannot be said to
be represented in the results of the sample. Such exclusions bring bias to the sample
results and this bias should be considered in the evaluation of the results of testing.
When selecting the sampled items, the auditor should ensure that where possible bias is
avoided. The sample source should be examined to check for patterns in the way in which
the data is stored. It may be that the records are arranged by size or that certain
transaction sizes repeat on a regular basis. The auditor needs to be aware of these
patterns so that the selection method remains representative of the population.
When selecting items for testing, the auditor should take into account the purpose and
objectives of the audit test and should not be drawn by easily available items, interesting
looking files or allow the audited body to select the samples on their behalf. The best way
to ensure a statistical sample is to use a random technique, random samples can be
drawn using this web link http://www.randomizer.org/form.htm, IDEA, EXCEL or random
number tables.

Auditors should not attempt to guess random numbers.

If there are items which appear to be potentially of audit interest, we would usually
extend the sample to include these additional “key items”, documenting why we have
done so. Key items should be excluded from the residual population.
It is usually possible, using IDEA, to identify items greater than the sampling interval and
then to select the remainder of the sample from the residual population on a random
basis within each “cell”.

Page | 358
Where this is the case, the auditor should:
. select all high-value items (i.e. those larger than the sampling interval) for
testing;
. divide the residual population up into “cells” using the sampling interval; and
. select an item at random from each “cell” based upon the value of the item.

An acceptable approximation to this approach can be achieved by selecting items at

random within the cell without consideration of their value.

Example: Selection of items from the residual population

The residual population consists of 9 items with a total recorded value of Tk.3,300.
The sampling interval is Tk.1,100.
The residual population is divided into three cells of Tk.1,100 each and a sample of three
items is selected, one from each cell.
If it is not practical to use IDEA, we may not be able to separate out the items greater than
the sampling interval and select the remainder of the sample from the residual
population.

However, even if “manually” picking the sample, it will usually still be practical to select
the sample in the systematic way by:
. randomly generating a start-point less than or equal to the sampling
interval;
. working out a cumulative total for each item within the population
. selecting items to pick by taking the start point (as a negative number),
and adding the sampling interval; and
. picking items in the ledger breakdown at each of the points indicated
by this calculation.

i.e. rather than picking items at random within each cell, picking the overall sample so that
the items selected are randomly determined.

If using this approach, the auditor should consider particularly carefully whether there are
any systematic patterns in the data set which may mean that this is approach does not
generate a representative sample.

Items which are greater than the sampling interval may be “picked” more than once using
this method of selecting the sample. We do not need to select additional items, but

Page | 359
should document that this is why number of sampled items is below the sample
calculation.
Example: Selection of items using a manual MUS sample
It is not possible to obtain an electronic breakdown of the balance, and so the MUS
sample has been picked from a print-out. The population consists of 9 items, with a total
recorded value of Tk. 3,300.
The sampling interval is Tk. 1,100, and the random start-point is Tk. 450.
Items are selected at:
-Tk.450+Tk.1,100 = Tk.650
Tk.650+Tk.1,100 = Tk.1,750
Tk. 1,750+Tk.1,100 = Tk.2,850
The next sampling interval would select an item higher than the remainder of the
population, and so three items are selected for testing.
Where, due to practical reasons, it is not possible to carry out the selection using either of
these methods, the sample can be selected at random within the population. However, to
take account of the additional risk involved that bias may be introduced in the sample, the
sample size should be uprated either to a minimum sample size of 30 or if the original
sample size is greater than this by 25 per cent.

Perform tests of detail

The auditor should plan and perform appropriate tests of detail on each item selected to
obtain assurance over the relevant assertions.
If a planned procedure is not applicable to a selected item, the auditor should perform the
procedure on a replacement item. This item would normally be selected at random from
within the same sampling interval. (Ref: ISA 530 A14)
If we are unable to apply the planned procedure, or suitable alternative procedures, to a
selected item, we should treat that item as a misstatement. (Ref: ISA 530 A15-A16)
In designing the procedures to be performed, we should be clear what would count as a
misstatement.
For example, in testing completeness of liabilities, a misposting between the accounts for
two creditors would not represent a misstatement (although we may need to consider
whether this affects other areas of our audit, including our reliance on controls).
If the selected items are not tested appropriately, this will invalidate the tests being
performed. The auditor should:

Page | 360
 . make sure that the audit test complies with the audit plan so that the
responses to the tests provide the required evidence;
. test the sample item against the evidence;
. verify any discrepancies between the book value and audit value;
. gain explanations and evidence for those explanations - these must
be credible and from an appropriate source; and
. record results accurately.
Evaluate results of procedures performed
The auditor should use the Error evaluation form at Annex K.2 to evaluate the errors
found in the sample testing. However, the auditor should also consider the more detailed
guidance given below.

The auditor should evaluate:

(a) the results of the sample testing; and (Ref: ISA 530 A21-A22)
(b) whether the test has provided a reasonable basis for conclusions
about the population that has been tested. (Ref: ISA 530 A23)

For MUS sampling, this should be done by:

. assessing the impact of the nature and cause of misstatements
identified;
. calculating the Most Likely Error (“MLE”) and upper and lower error
limits from the tests performed; and
. assessing whether the results of tests of detail provide the planned
level of assurance through a quantitative assessment of the
misstatements.
If we have not identified any errors in our testing, the planned assurance will have been
achieved unless we have identified any other issues for consideration.

Qualitative assessment of misstatements

We should understand the nature and cause of the misstatements identified and
determine whether they indicate that other misstatements may exist, including whether
they impact upon other areas of the audit (Ref: ISA 530 A17).
This may be due to a previously unidentified Significant Risk.

Page | 361
Indications that other misstatements may exist include if a misstatement arose from a
breakdown in internal control, or from inappropriate assumptions or valuation methods
that have been widely applied by the entity.
If there is a risk that other misstatements may exist that, aggregated with identified
misstatements, may be material, then the auditor should revise the Overall Audit
Strategy and the Audit Plan.
In understanding the nature and cause of misstatements, we may identify that many have
a common feature, for example, type of transaction, location, or time period. In such
circumstances, we may decide to identify all items in the population that possess the
common feature, and extend audit procedures to those items.

In addition, such misstatements may be intentional, and may indicate the possibility of
fraud. The auditor should consider whether it is necessary to revaluate the assessed risks
of material misstatement and to revise the Overall Audit Strategy and the Audit Plan.
Quantitative assessment of misstatements
If we have identified misstatements using a sample selected through Monetary Unit
Sampling then we should evaluate the results of procedures by assessing whether the
Upper Error Limit (“UEL”) is greater than Materiality (i.e. whether the most likely error,
plus additional precision, is greater than the expected error rate).

The auditor should evaluate whether we have achieved the planned level of assurance
from an MUS test by comparison of the Most Likely Error + Performance Materiality +
Additional Precision to Materiality.
This calculation gives us the Upper Error Limit of the misstatements identified (In other
words, we have obtained reasonable assurance that the misstatements identified do not
exceed the Upper Error Limit). If the Upper Error Limit is less than materiality, we
accordingly have reasonable assurance that the balance is not materially misstated.

If the Upper Error Limit is above Materiality, then we may not have obtained sufficient
assurance from the work performed. We should evaluate the impact on our audit and
whether any additional procedures are required, as discussed below.
In addition to evaluating the impact of the misstatements identified upon the testing
performed on each balance, the errors identified should be included in the Accumulation
of Misstatements form for evaluation on an overall basis.

Page | 362
To determine the Most Likely Error, we should project misstatements found in sampled
populations.
In the extremely rare circumstances we consider a misstatement discovered in a sample
to be an anomaly, we should perform additional procedures to obtain sufficient
appropriate audit evidence to obtain a high degree of certainty that the misstatement
identified does not affect the remainder of the population.

The Most Likely Error should be calculated as:

o Most Likely Error = Known Errors + Projected Errors
o Where:
o Known errors are those from 100 per cent testing such as high value
items and key items, plus any anomalous errors (i.e. those we have
evidence it is inappropriate to project over the population); and
o Projected errors are the extrapolated impact of errors found by
sampling. (Ref: ISA 530 A18-A20)

The Projected Errors should be calculated as:

o Projected error = sum of sample taints x sampling interval.
The sample taint is the proportion of the item in error:
o Sample taint = (Book value - audited value) ÷ book value.
For example if a Tk.14,000invoice should have been Tk 8,500, then the taint is
(14,000-8,500) ÷ 14,000 = 39%.
If we have identified any errors in the testing, we should calculate the Additional Precision
using by calculating the Error taints for each identified error. The table for calculating the
Error taints is included in the Appendix to this Chapter. The calculation of Additional
Precision is therefore:
. Additional Precision = sum of (error taint for each error x sample taint
for that error) x sampling interval
Where we are testing non-significant balances, it is not necessary to calculate error taints.
However, if errors are identified we should consider whether the balance is in fact non-
significant.
Example: MUS evaluation of misstatements
Population being tested = Tk.10 Crore
Materiality = Tk.70 Lac

Page | 363
Performance Materiality = Tk.50 lac
Assurance Factor = 2.0
Sampling interval = Tk. 50 Lac/2.0 = Tk.25 Lac
There are no high value items (items greater than the sampling interval) or key items.
Sample size = Tk. 10 Croe/Tk.25 Lac = 40
Three errors were identified:
. book value of Tk. 10,000 and actual amount of Tk. 8,000, an error of
Tk.2,000;
. book value of Tk.6,000 and actual amount of Tk.a 5,000, an error of
Tk.600; and
. book value of Tk.5,000 and actual amount of Tk. 5,500, an error of
Tk.(500).
The sample taints for these items are:
. Tk. 2,000/Tk.10,000 = 20%;
. Tk. 600/Tk.6,000 = 10%; and
. Tk.(500)/Tk.5,000 = (10%).

The sum of the sample taints is therefore 20%.

Projected error = sum of taints x SI = 20% x Tk. 2.5m = Tk.500,000
There are no high value items, key items, or anomalies so no known errors, so:
MLE = Projected Errors + Known Errors = Tk. 500,000 + Tk. nil = Tk.500,000
Additional precision for overstatements is calculated from the sum of the error taints:
. 1st error: error taint factor x sample taint = 0.75 x 20% = 0.1125
. 2nd error: error taint factor x sample taint = 0.55 x 10% = 0.0550
(Note: see appendix below for error taint factors)

Total additional precision is therefore 0.1675 x SI = 0.1675 x Tk. 25 Lac = Tk.418,750 for
overstatements.
Additional precision for understatements is calculated from the error taint

. 1st error: error taint factor x sample taint = 0.75 x (10%) = 0.0750.
(Note: see appendix below for error taint factor)
The additional precision is therefore 0.0750 x SI = 0.0750 x Tk.25 Lac = Tk. 187,500 for
understatements.

Page | 364
The Upper Error Limit for overstatements is therefore:

MLE + Performance Materiality + Additional Precision = Tk. 5,00,000 + Tk. 50 Lac + Tk.
418,750 = Tk.59,18,750.

This is below Materiality of Tk. 70 Lac, and so we have reasonable assurance (i.e. 95%
confidence) that the balance is not materially overstated.
The Upper Error Limit for understatements is therefore:
. MLE + Performance Materiality + Additional Precision = Tk. 5,00,000 + Tk.
50 Lac + Tk. 1,87,500 = Tk.56,87,500.

This is below Materiality of Tk.70 Lac, and so we have reasonable assurance (i.e. 95%
confidence) that the balance is not materially understated.

Responding to quantitative assessment of misstatements

If the UEL exceeds Materiality, the auditor should follow the process set out in the below
flow-chart to evaluate the scope of work performed.

Page | 365
The process is as follows:

. Teams should consider whether their planning assumptions remain appropriate. In

particular, teams should consider:
. whether the expected error rate remain appropriate, and revisit the assessment of
Performance Materiality if required; and
. if we have concluded controls are operating effectively, whether this conclusion
remains appropriate.

If we increase the expected error rate and reduce Performance Materiality, we should reflect
the revised approach throughout the file.

. Teams should then consider whether the misstatements identified appear to be

due to a systematic error, or random (non-systematic).
. For systematic errors, teams should attempt to obtain evidence enabling them to
quantify the total error:

If we are able to quantify the error, then we would conclude that we have achieved the
planned assurance from the test and the scope of work is adequate.

If we are not able to quantify the error, then this indicates a scope limitation to our audit.

. For random (non-systematic) errors, teams should first recheck the calculation of
the error and additional precision.

If this indicates the UEL is below materiality, then we would conclude that we have achieved
the planned assurance from the test and the scope of work is adequate.

Otherwise, we should perform additional testing to obtain adequate assurance.

. The auditor should assess a lower Performance Materiality for this Audit Area, and
increase the extent of testing to reflect this (i.e. increase the extent of testing to
that which would have been performed if we had assumed a higher error rate).
. The additional sample should be calculated as: ((Population x Assurance
Factor)/(90% x (Materiality – Actual error rate)) – Original Sample.

If the additional testing reduces the UEL below materiality, then we would conclude that we
have achieved the planned assurance from the test and the scope of work is adequate.

Page | 366
If the additional testing does not reduce the UEL below materiality (due to additional errors
being identified), then this indicates a scope limitation to our audit.

Compliance Audit

Monetary Unit Sampling can be used in testing compliance with authorities (the regularity
assertion).

Although it is often appropriate to test a number of assertions including regularity through

MUS testing, auditors should consider whether there are more effective and efficient ways to
obtain assurance over each assertion.

In particular, if Substantive Analytical Procedures would provide sufficient appropriate audit

evidence over other audit assertions, but not over regularity, it may be appropriate to design
an alternative approach to obtaining regularity assurance rather than testing several assertions
through MUS testing.

Example: obtaining assurance over regularity and other assertions separately

Due to the nature of the entity’s staffing and pay arrangements, substantive analytical
procedures are an effective basis for obtaining assurance over occurrence, completeness and
accuracy of payroll expenditure (with partial assurance over cut-off, with additional comfort
from a direct test of the year-end cut-off of timesheets).

Regularity assurance is obtained by checking that:

. the pay awards agreed as part of the pay round were in line with the pay remit; and
. no irregular types of activity by the entity have been noted.

IT considerations

It will usually be most efficient to obtain an electronic listing of the population in order to
perform MUS testing. Before selecting sample items to be tested, auditors should first ensure
that this listing is reconciled to the amount(s) included in the draft account or trial balance,
and test any reconciling items.

Documentation of MUS
There are no specific documentation requirements for Monetary Unit Sampling. The work
performed should be documented in sufficient detail to enable an experienced auditor, having

Page | 367
no previous connection with the audit, to understand the nature, timing and extent of the
procedures performed and their results.

Documentation should usually include:

. the total value of the population;
. the source of the listing used to generate the sample;
. the calculation of sample sizes, including sampling interval;
. the random start point used to generate the sample;
. any further details relevant to understanding how sampled items were selected;
. the tests performed on sampled items and how these address each assertion;
. the results of the tests performed; and
. our investigation of the nature and cause of misstatements or irregularities and
evaluation of their impact.

Quality and reviewing guidance

MUS testing can be a simple and effective way of obtaining assurance over assertions.
However, this is dependent upon the tests performed addressing the risk we want assurance
over.
If we do not perform tests on each sampled item to address an assertion, we do not obtain
assurance over that assertion.

Example: Obtaining assurance over freehold property through MUS tests

The client has a large number of premises, and we are testing freehold land (which is not
depreciated) using MUS sampling to obtain assurance over existence, rights and obligations,
and valuation and allocation. In order to obtain assurance over each of these assertions, the
items selected each need to be tested in order to check:

. for existence, that the land in question in fact exists by visiting the site (or other
checks);
. for rights and obligations, that the land belongs to the client by checking the title
deeds; and
. for valuation and allocation, that there are not indicators of impairment, that the
revaluation has been appropriately calculated, and that the item is appropriately
categorised.
Other procedures will be performed to obtain assurance over completeness.

Page | 368
Without performing each test, we would not obtain assurance over each assertion. E.g.
without checking the title deeds (or another relevant test) we would not get assurance over
rights and obligations.

Representative Sample selection Methods

After determining the sample size the auditor should select a representative sample from the
population (i.e. the characteristics of the sample should not be expected to differ from those
of the population except for the impact of sampling risk).

Among the possible sample selection methods the auditor can use are:
a) Simple Random sampling
A selection method whereby sampling units in the population are consecutively
numbered and the sample to be audited is determined by random number table,
lottery or computer (i.e. is a sample in which each sampling unit has an equal, non-
zero probability of selection each draw.)
The most widely used method of simple random sampling is the random number
table. The random number table can be identified by referring to the name of the
table, the page number, row number and column number.
Steps in using random number table:
i. determine the range of vouchers or monetary value to be sampled in
order to obtain the number of digits required.
ii) find starting point in the table; open a page and place your pencil
somewhere on the table, use the digit nearest the pencil point as starting
digit.
iii) proceed in a predetermined order down the column or across the column
select numbers of sufficient digits unit required sample size have been
drawn.
b) Haphazard Sampling
Haphazard Sampling is a sample consisting of sampling units selected by the auditor
without any reason for including or omitting particular items. It is, in effect, an
approximation of a random sample.

Page | 369
c) Systematic Sampling
Systematic sampling involves the sequential numbering and arrangement of all items
in the population in serial order, and subsequent selection of the number of items
required for the sample by drawing every ‘K’ item from the population. It is a
method by which every ‘K’ sampling unit is selected after a random start.
Systematic selection for MUS is illustrated above. For physical attribute sampling, it
can be done as follows:

i) determine the sample interval

Sample interval = Population = K
Sample size
ii) determine the starting point between 1 and K (the sampling interval). This
is often done selecting a random number between 1 and K.
iii) add K on the starting number to get the second item to be included in the
sample
Ex. suppose a sample of 300 items from a record containing 18,000 items
is going to be drawn.
sample interval = K = 18000 = 60
300
If the random starting point is 48, the sampling units to be included in the
sample are 48, 108, 168, 228, and 288.

Remark
1. In case K is not an integer, we round it down. For instance if K=60.5, it
will be taken as K = 60.
2. The actual sample size may differ from the designed by one or a little
more, depending on the value of K and the element selected first, but
this difference is negligible when the sample size is reasonably large.
For instance, if we want to select 3 items from 20, we get K=6.6 6. If
the random number between 1 and 6 is 5 then the 5th, 11th, and 17th
are the ones to be selected. If the selected random number is 1 we
might have selected the 1st, 7th, 13th and 19th or four items.
3. Even though the application procedures are easy, there is a slight risk
that it may produce a biased (unrepresentative) sample. This could
occur, for example, if the population itself has some order to it, and

Page | 370
 the sampling interval matches that order. For example, let’s say that
we are auditing payroll and the division is structured as follows:
a) Each supervisor has a staff of 6 reporting to him/her;
b) The payroll records list the supervisor first, followed by
his/her staff, followed by the next supervisor and his/her
staff, etc.
If the sampling interval was “7”, the auditor would have a sample that
contained only supervisors (if the random start was 1) or no
supervisors (if the random start was 2 to 7).

The risk of this happening is, of course, very small – the sampling
interval would need to exactly match the pattern in the population.
Furthermore, if MUS was used, the risk of this happening would be
virtually zero because, in the above example, the total payroll for each
division would need to match the sampling interval. If, though, the
auditor was concerned about it, he/she could use more than one
random start.
4. Do not substitute one sample item for another (unselected)
population item. (In general, population items that are not selected
should not be substituted for sample items that are difficult to audit or
locate.) Instead, the auditor will normally try to find other ways to
verify the existence, measurement, etc. of the unlocatable item and, if
he/she is unable to do so, the auditor normally assumes that the item
is in error by 100% of its recorded (book) value.

d) Block sampling
This method involves selection of items in a given block or sequence. Thus, the
auditor may decide that he/she will examine all debtors whose names begin with the
letter ‘D’ or he/she may decide that he/she will select all transactions of a particular
month.
This is actually not a sampling method at all. The reasoning is as follows:
. As noted above, a sample conclusion only applies to the population from
which it is selected. In our first example above, the population not all
debtors; it is only the debtors whose names begin with the letter ‘D’ – there
is no chance for debtors with names beginning with any other letter to be

Page | 371
 selected. Similarly, in the second example, the population is not the whole
year; it is only the one month – there is no chance for transactions in other
months to be selected.
. We have not “sampled” from the populations from which the transactions
were selected – we’ve selected 100% of the transactions.

In addition to being defective because the sample is virtually never selected from the
population on which the auditor wishes to reach a conclusion (all debtors or the
entire year in the above examples), it also may not be efficient because it may result
in more transactions being selected than would be required under a representative
sample. For example, if all transactions in one month are selected, the auditor will
likely have selected somewhere around one-twelfth of the transactions for the year. A
“typical” statistical sample size would be much smaller.

Given the above, block sampling is not recommended for routine use. The only times
when its use should be considered are when, for example:
. It would be extremely difficult or time-consuming to select a representative
sample from the entire population on which the auditor wishes to reach a
conclusion; and
. The auditor can, through procedures other than his/her sample, reach a
conclusion with respect to the rest of the population on which he/she wishes to
reach a conclusion. These other procedures could include, for example, analytical
procedures.
e) Stratified Random Sampling
A stratified random sample is obtained by drawing simple random samples from
separate strata in the population. The primary purpose of stratification is to bias the
sample towards the larger monetary amounts.
Given this primary purpose, stratification is not necessary when MUS is used.
That is because MUS automatically biases the sample size the larger monetary
units. MUS is, in effect, an infinite form of stratification.

When physical attribute sampling is used, there is no bias towards the larger
monetary amounts. Therefore, stratification may be used with physical attribute
sampling in order to so bias the sample items.

Page | 372
Stratification may also be used to:
. Achieve some efficiency by grouping sampling units with similar
characteristics into separate strata.
. Get estimates of the parameters of each stratum (separate estimate)
instead of a population estimate at large.
The first step in carrying out a stratified sample is to divide the population into
strata that are mutually exclusive sub-populations.

These strata have to be:

. Non-overlapping (that is, every element must belong to one and only
one stratum).
. Different from each other but relatively homogeneous within a
stratum with regard to the measurement of interest (the logic behind
to this is that, if we know the population items are virtually
homogenous, we need only a small sample to describe them).
. Such that the exact number of elements in each stratum must be
known.
In stratified sampling, we stratify the population and draw samples from each.
We then derive the estimates from them separately, then combine these
estimates to cover the whole population provided the above conditions are
fulfilled. The basis for stratifying the sampling units must be among the items of
information on the record, such as recorded amounts, type of item, storage
location (for goods) or volume of activity based on time and cost.

In choosing among these possibilities, the auditor considers the following:

 What basis will be most efficient?
 what basis will be least expensive to implement?

Stratification
When stratifying the sampling units the auditor must choose:
The number of strata
The location of stratum boundaries
The method of allocating the total sample to the strata.

Page | 373
Number of Strata
There are no restrictions on the numbers of strata in the sample design. However,
as a practical matter, unless the strata are clearly distinct from one another, little
gain is made after a division into six strata.
Stratum Boundaries and Formations
The auditor can select the stratum boundaries as desired. If logical division exist
in the population, they can be used (e.g., product line, type of item, location, and
geographic areas).
In stratifying population, the first step is to decide on the non-sampled stratum
(i.e., those to be examined 100%). Some auditors, as a rule of thumb, take those
transaction items whose monetary value exceed one quarter of planned
precision, or use what would be the sampling interval if MUS was used.
One useful approach is to select stratum boundaries so that each stratum
contains approximately the same total Tk. (monetary) amount (except the 100
percent checked or non sampled stratum). To use monetary stratification, the
total population amount is reduced by the 100 percent stratum amount and the
remainder amount is divided by the desired numbers of strata. This yields the
target total Tk. amount for a single stratum. The stratum boundaries are then
selected so that each stratum has nearly the desired monetary amount. Usually
four to six strata, including the 100 percent stratum is reasonable.
In defining strata and their boundaries, consideration must be given to the cost
(implementation expense) and benefit (effectiveness of the test). From a cost
perspective, recorded book amounts are widely used as a basis for population
stratification. If possible, manual stratification of a very large population should
be avoided, because it is time consuming and expensive.

Page | 374
Page | 375
 Appendix K.1

Sample size calculator form Instructions

MUS Planning Put the relevant account
Form information into the yellow
Account
cells, the remaining cells are
Account area
Population Value automaticallyAnnex-K.1
calculated.
Assurance factor 3.0
Materiality Average Sampling Interval
Anticipated error (ASI) - is used to equally
Safety percentage 90% divide the population to
Performance materiality -
allow the selection of one
Estimated sample size Number Value (TK.) item from each interval

Total population value - Warning - A warning will

appear if the ASI is above
Less: High value items
materiality as this would
Less: Key items
mean that any 100% errors
Represented population -
MUS sample size -
would breach materiality.
Total sample size -
Average sampling
interval -

Uplift to sample size when not picked

using MUS
In some circumstances, it may not be possible or practicable to use
MUS sampling to select a sample of recorded amounts. If that is the
case, expand by clicking on the + symbol and complete the below to
calculate the sample size.
Uplift to sample size 25%

High value items -

Key items -

Uplifted sample size -

Revised total sample size -

Page | 376
 Annex K.2

Sample error evaluation form

Audit area
Total Population Value (TK.)
Total Population Size
High Value and Key Items Value (TK.)
Number of High Value and Key Items
Represented Population Value (TK.)
Represented Population Size
Materiality
Anticipated Error
Performance Materiality
ASI
Assurance Factor 3.0
Confidence Level
Total Sample Size
Random Sample Size

Instructions

1. Input account information into

the yellow cells only.

2. Proceed to the Data sheet.

Warning - A warning will appear if

the ASI is above materiality as this
will mean that any 100% errors
will breach materiality.

Information- If additional testing

has been carried out, both
performance materiality and the
ASI should be recalculated to
reflect this.

Page | 377
 Annex- L

LEAD SCHEDULE TEMPLATE

Instructions

The Significant Risks Testing Plan and Audit Area Testing Plan sets out the risks and testing
approach for each audit area.

This form is designed to summarise our understanding of the nature of and movements in the
audit areas for the year, that the testing plan has been completed, any audit adjustments
identified, the final accounts figures, and any management letter points identified.

The form can be used to satisfy the requirements of the Audit Conclusions Tests in each audit
area.

Also included is an issue log sheet, on which all of the individual issues for the audit area in
question.

Auditors may find this useful to keep track of all of the errors that are found on each audit
area.

Page | 378
 Page | 379
Management Letter
Points (Hyperlink)

Unadjusted Errors Calculated from Issues Log

Link to Final Accounts Hyperlink to Final Accounts

Final Account Figure TK. '000s

Total Adjustments Calculated from Issues Log

extrapolate
testing and
completed

quantified
assessed,
Have we

planned

errors?
d any
and
Lead Schedule

our

identification

update Audit

Risks Testing
Area Testing
changes and

Plan and/or

appropriate
reasons for

Significant
document
(Including

Specific

Plan as
of new

If yes,
Risks)

Have there been any

changes to Testing Plan?
Link to Testing
Plan for Audit

Comments on current
Areas:

year balance and

movements

% movement on prior
year

Movement on prior year

Prior year final account
figure TK. '000s

Link to Trial Balance Hyperlink to TB

Draft Account Figure TK. '000s

Insert Audit Area(s)

Audit Areas
SCHEDULE

(items with similar nature, risks and

controls)
LEAD

(should match list in Audit Area

for:

Testing Plan)
Totals - - - - - - -
Ok Ok

Overall Assessment Please add

Have we obtained sufficient assurance to support the true and fair opinion? comments/explanation below,
if appropriate.
Is the audit area free from material misstatement (either through error or irregularity)?

Have all unadjusted errors been assessed and extrapolated?

Have we obtained sufficient assurance to support the regularity opinion?

Disclosure Notes
Provide details of associated disclosure notes eg note reference
and hyperlink to testing.

Page | 380
 Issues Log

ISSUES LOG
for: Income & Contributions in Kind

Financial Statement Issue Other Adjusted or Total of Total of

Audit Area Note Line (narrative + Financial unadjusted adjusted unadjusted
link to Statement items items

Disclosure
exception) Note Line

Financial Error/
Correcting Entry
and Audit
Area

Enter the
Audit Area
Enter the and related
necessary Financial
correcting Statement
journal for Note Line for
Provide details Select error Enter status
Insert Note line this account the other side
of the issue type of the error
area (Enter of the
Dr's as +ve correcting
and Cr's as - entry - this
ve) could be more
than one
area.

- -
- -
- -
- -
- -
- -
Total - - -

Page | 381
 Annex-M
Controls Testing
1. If we are able to obtain assurance over the operating effectiveness of appropriately
designed and implemented controls, this reduces the extent of our substantive
procedures. Controls tests are audit procedures designed to evaluate the operating
effectiveness of controls in preventing, or detecting and correcting, material
misstatements.

2. Using controls testing is often the most effective way to obtain sufficient appropriate audit
evidence regarding the assessed risks of material misstatement. Controls are never
completely infallible and hence we are always required to perform substantive testing in
addition to tests of controls.

3. Although we are not responsible for the system of internal control, we are able to play a
valuable role in advising on improvements to the existing system of internal control
identified through our tests or from comparison with other entities.

4. As controls testing reduces the scope of substantive procedures, it is important that we are
clear how the controls being tested provide assurance over each assertion that we are
relying on them for, and that we have appropriate evidence to support our conclusion that
the control would prevent or detect a material misstatement.

5. As has been explained in the section on Audit Planning, in the course of the planning
process, we should identify the controls which we plan to rely on in our testing, and obtain
an understanding of them by evaluating their design and implementation. (Ref: ISA 315
A66-A68)
6. The auditor's assessment of the risks of material misstatement is informed by our
understanding of the control environment. An effective control environment may allow the
auditor to place more reliance on internal controls and upon the reliability of audit
evidence generated within the entity itself. If there are weaknesses in the control
environment which management cannot overcome the auditor would normally seek more
extensive evidence from substantive testing.
7. The process of understanding the entity’s internal control and planning where to rely on
controls may be an iterative process, with our conclusions about the wider control
environment leading us to re-evaluate our approach to controls. E.g.:

Page | 382
 • we planned to rely on controls over accruals, and evaluated their design and
implementation. However, we concluded that weaknesses in the general control
environment indicated that we should not plan to rely on any controls in this
organisation;

• we may plan to test a Specific Risk substantively, evaluate the design and
implementation of relevant controls, determine that they are adequately designed to
prevent or detect material misstatement, and decide to plan to rely on their
operating effectiveness; or

• we may not initially plan to rely on controls to test expenditure, but from our general
understanding of the entity’s internal control may determine it would be appropriate
to do so, and evaluate the design and implementation of expenditure controls before
going on to test their operating effectiveness.

8. At the audit assertion level, the auditor should ensure that the proposed audit procedures
are responsive to the assessed risks of material misstatement or material irregularity. In
designing the audit procedures, including deciding whether to rely upon the operating
effectiveness of controls, the auditor must have regard to:
. the significance of each risk;
. the likelihood that a material misstatement or material irregularity will occur;
. the characteristics of the transactions and balances; and
. the nature of the specific internal controls (in particular, whether they are manual
or automated).

Evaluation of design and implementation of controls

9. Where we are planning on relying on the operating effectiveness of a control, we should:

• identify the Audit Areas and assertions which we are seeking to rely upon controls
over;

• for each assertion, identify the control activity or control activities that we are
planning to test;

• understand what the policies and procedures involved in the control activity are,
including:

 the individuals involved in the process

 how exceptions, misstatements or unusual items should be handled, and
whether any have arisen in the year

Page | 383
  if the control is dependent upon underlying IT controls (e.g. depends upon
a system generated report) and how this relates to IT controls;
 whether there are instances where the control activity has operated
inappropriately; and
 whether there have been any modifications to the control activity in the
period.

• evaluate whether the control appears to be appropriately designed, including

whether it is sufficiently precise to prevent or detect material misstatements;

• identify what characteristics would indicate adequate performance of the control,

and what conditions would indicate deviations from adequate performance of the
control;

• test an item to see that the control has been implemented as designed; and

• evaluate the implementation of the control.

10. We should also consider whether the control is dependent upon other controls (indirect
controls), and, if so, whether it is necessary to obtain audit evidence that the indirect
controls are appropriately designed and implemented (and then test their operating
effectiveness). (Ref: ISA 330 A30-A31)

Example: Precision of a management control

11. The entity has a monthly management accounts process. The results for the year to date
are compared to budget, and variances of over 5% are investigated and reported upon to
the board, which reviews the management accounts. As only variances over 5% year-to-
date in aggregated data are investigated or reported upon, the Engagement Team
concluded that this is not sufficiently precise to prevent or detect material misstatements
12. If the control is adequately designed and implemented, we may continue with the
planned approach of testing its operating effectiveness.

13. A control is appropriately designed if, possibly in combination with other controls we have
assessed, it is capable of either preventing or detecting and correcting material
misstatements effectively.

14. A control is appropriately implemented if it exists and it is being used by the entity.

15. If the entity has used substantially different controls at different points in the period, we
should evaluate each of them separately if we are seeking to rely on the operating
effectiveness of controls throughout the period.

Page | 384
16. We can evaluate the implementation of controls through similar types of procedures to
tests of the operating effectiveness of controls, or through walkthroughs. The types of
procedures performed may include:

• inquiry of entity personnel (coupled with other procedures);

• walkthroughs;
• observing the operation of a specific control; or
• inspecting documents and reports.
17. Walkthroughs involve following one or more transactions through the accounting system
and its controls to confirm the auditor's understanding of the controls, to help them to
document the accounting process and provide an indication of how the controls operate
in practice. Walkthroughs are particularly useful where the auditor is concerned with
controls over individual transactions.
18. Depending upon the reasons, if the control is not adequately designed and implemented,
we may conclude that we need assurance over the operation of a complementary or
alternative control to achieve assurance over the assertion, in which case we should
evaluate the design and implementation of the other control as well.
19. Alternatively, we may conclude that a controls approach is inappropriate to testing that
assertion.
20. If we identify controls which are not adequately designed or implemented, including
where a control that we would expect is absent, we should consider whether this has an
impact upon our assessment of the risks of material misstatement. We should also report
the control deficiency to management.

21. For example, if we evaluated the design and implementation of controls over purchasing
and identified that there was no segregation of duties between creating suppliers on the
system, inputting orders, or processing payments, in addition to assessing the design of
controls as inadequate, we may identify a Specific Risk of fraud.
22. Control procedures may be classified as:

• preventative controls, which aim to prevent misstatements arising; or

• detective controls, which aim to identify misstatements and correct them.

23. Controls may also be classified as:

• transaction level controls, which operate around the initiation and processing of
transactions; or

Page | 385
 • monitoring controls, which operate by considering e.g. reports of results, or by
monitoring that transactional level controls have operated as expected.

24. Monitoring controls are generally detective in nature, and transactional controls are
generally preventative in nature.

Example: Types of controls

25. The following are examples of controls falling into the different classifications:

• All invoices must be approved by a department head prior to payment. The

invoices are signed off by the department head and checked by the AP clerk prior
to processing. This is a preventative transactional control.

• Prior to the processing of the payment run, the Financial Controller reviews a
sample of items in the batch to see that the sign-off has occurred. This is a (low-
level) preventative monitoring control which checks that the transactional control
has operated effectively.

• Central finance check a sample of transactions for proper authorisation throughout

the purchase to pay cycle each month. This is a detective monitoring control.

26. Where there are multiple controls which address a control objective or risk, we would
normally evaluate detective or monitoring controls in preference to preventative or
transactional controls, provided that they address the control objective or risk with
sufficient precision to detect and correct a material misstatement.
27. Examples of types of control include:

• High level monitoring controls, such as a regular critical review of management

accounts against an appropriately detailed budget, risk based reviews of
operations by management, the use of directors' statements on the state of their
risks/controls and other performance data.

• Organisational controls, which derive from the way in which the organisation is
structured and can be both detective and preventive. They will normally include
well-defined responsibilities and the segregation of incompatible functions such as
the initiation, processing and recording of transactions.

• Authorisation controls, which will normally operate at the individual transaction

level and will be preventive in nature. Their purpose will be to stop a transaction
being processed if it has not been approved at an appropriate level. Good

Page | 386
 authorisation controls will be specific about who can approve what, the extent of
checking required before approval and how the check should be evidenced.

• Operational controls, which are concerned with the completeness and accuracy of
processing and may be either preventive or detective. They may include
comparison of one set of documents to another (e.g. purchase orders to invoices);
and the use of control totals and reconciliations.

• Physical controls, which are usually designed to be preventative and include

controls over access to assets and accounting records through simple physical
measures such as passes and safes but also logical controls such as password
access to computer files.

28. Further examples of the types of controls we would expect to see in respect of particular
risks are set out below:

• Transactions governed by complex regulations. Mitigating controls might be based

on the use of procedural manuals and management re-performance or review of
transactions to check compliance;

• Functions carried out at a number of different locations. Mitigating controls could

address risks of weakened management control or of inconsistencies between the
locations. Controls might include budgets and outturn comparisons within each
location and between locations and checks to ensure that procedural manuals and
supervisory arrangements are followed;

• Transactions based on claims or certificates from external parties. Mitigating

controls could include established criteria for claims, standard requirements for
evidence to support claims and independent verification;

• Transactions not in the normal course of business. Mitigating controls might be the
production of exception reports and documented follow-up actions, and senior
management/board authorisation;

• Accounting estimates. Mitigating controls might include management or

independent reviews of the basis of the estimates and checks on supporting
documentation; and

• Period-end adjustments. It is possible to introduce a material error with an

accounting adjustment, even though the control procedures have operated
effectively up to that point. Mitigating controls might include detailed checking

Page | 387
 and management review of supporting documentation for accounting
adjustments.

29. Where controls we plan to rely upon are dependent upon general IT controls, we should
consider the procedures we need to perform over IT controls, as discussed further below.

The effect of testing internal controls on our audit approach

30. If the entity has strong internal controls, tests of controls may provide assurance over any
assertion or Audit Area.
31. However, the most effective and efficient approach to testing will depend on the relative
difficulty of testing controls and performing substantive tests, which is affected by:

• whether a limited number of controls provide assurance over multiple assertions

and Audit Areas; and

• the size of particular balances and so sample sizes if performing tests of detail.

32. We should obtain more persuasive audit evidence the greater the reliance we are placing
on the operating effectiveness of the control. (Ref: ISA 330 A25)

33. Accordingly, where we are planning to rely on controls that address Specific Risks, we
should obtain more persuasive evidence by varying the nature, timing and extent of our
procedures.

34. No control system can guarantee proper administration and the completeness and
accuracy of transactions. We cannot, therefore, obtain all audit evidence solely from
controls. In evaluating and testing controls, the Engagement Team should be aware of
these limitations and the factors that may diminish the effectiveness of control systems,
such as:

• the precision with which the control may be expected to operate (i.e. if comparing
to a budget, how much volatility would be expected anyway, and so how small a
misstatement may be identified);

• the potential for controls to be overridden by those responsible for them;

• improper application of controls due to human error as a result of mistaken

judgement or interpretation, carelessness or distraction;

• the inability of standardised control systems to deal with non-routine transactions;

and

Page | 388
 • control breakdown due to changes in processing transactions and the
development of non-standard procedures.

35. We should only perform tests of controls on controls that are suitably designed to
prevent, or detect and correct, a material misstatement in an assertion. If the entity has
used substantially different controls at different times during the period under audit, we
should consider each separately considered separately.

Overview of tests of operating effectiveness of controls

36. A test of operating effectiveness of controls consists of a combination of inquiry and other
audit procedures.
37. The procedures performed should be designed to obtain audit evidence over:

• how the controls were applied at relevant times during the period under audit;

• whether they operated consistently throughout the period; and

• who operated the controls (or, if automated, how they were applied). (Ref: ISA 330
A26-29)

38. Inquiry alone is not sufficient to provide evidence of the operating effectiveness of
controls.
39. The nature of the procedures performed will depend upon the nature of the control.
For example, if operating effectiveness is evidenced by documentation, we may inspect
it to obtain audit evidence about operating effectiveness. For other controls, however,
documentation may not be available or relevant, such as segregation of duties or
control activities performed by a computer. We may obtain evidence about these
controls through procedures such as observation or the use of CAATs.

40. Where we are testing the operating effectiveness of controls, as part of testing their
design and implementation, we will have understood how the control is intended to
operate, and determined that it is adequately designed to prevent or detect material
misstatements.
41. We will also have identified what characteristics would indicate adequate performance
of the control, and what conditions would indicate deviations from adequate
performance of the control.
42. In our test of the operating effectiveness of the controls, we should:

• calculate the required sample size for the control test;

Page | 389
 • select instances of the control to test;

• perform the planned procedures to test the selected instances; and

• evaluate whether the control has been performed as expected in each instance,
or whether there were deviations from adequate performance of the control.

43. In planning the tests of the operating effectiveness of controls we should also consider
whether the control is dependent upon other controls (indirect controls), including
general IT controls, and, if so, whether it is necessary to obtain audit evidence that the
indirect controls are appropriately designed and implemented and are operating
effectively. (Ref: ISA 330 A30-A31)

Example: Controls dependent upon indirect controls

44. The auditor planned to test the effectiveness of a user review of exception reports of
purchases in excess of authorisation. The user review and related follow-up is the control
being tested. However, this is dependent upon controls over the accuracy and
completeness of the information in the reports (e.g. the general IT-controls) which are
indirect controls supporting the control objective.

Timing of tests of operating effectiveness

45. Tests of the operating effectiveness of controls are more extensive than the procedures
performed in evaluating their implementation, although this will involve similar types of
procedures.
46. The auditor may therefore decide as part of establishing the Overall Audit Strategy that it
is efficient to test the operating effectiveness of controls at the same time as evaluating
their design and determining that they have been implemented.
47. Alternatively, we may plan to test controls alongside substantive tests on the same
transactions. Although the purpose of a test of controls is different from the purpose of a
test of detail, both may be accomplished concurrently by performing a test of controls and
tests of detail on the same transaction, also known as a dual-purpose test.

48. For example, we may design, and evaluate the results of, a test to examine an invoice to
determine whether it has been approved and to provide substantive audit evidence of a
transaction.

49. A dual-purpose test is designed and evaluated by considering each purpose of the test
separately. The documentation in the audit file should be clear as to which elements of
testing are used for which tests.

Page | 390
50. We may perform controls tests during and/or at the end of the period being audited.
Some tests of controls can be best performed after a period end, for example, controls
over year-end provisions. Where possible, though, the auditor should seek to conduct
controls testing before the period end, to identify significant matters at an early stage so
that they may be resolved before the year-end.

Period covered by tests of operating effectiveness of controls

51. We should test the controls which operated at the time, or throughout the period, for
which we plan to rely on those controls. I.e.:

• if we are relying on controls over assertions in respect of balance sheet amounts,

we should test the operating effectiveness of year-end controls; and

• if we are relying on controls over assertions in respect of income statement or

cash-flow amounts, we should test the operating effectiveness of the controls
throughout the year. (Ref: ISA 330 A32)

52. In practice, we typically will use tests of controls to provide assurance over both the
income statement and the balance sheet, and so will test throughout the period including
at the year-end.

53. If we test the operating effectiveness of controls during an interim period, at year-end the
Engagement Team should obtain audit evidence about significant changes to those
controls subsequent to the interim period.

54. Depending upon circumstances, we may obtain evidence about whether or not controls
have changed significantly through one or more of:

• inquiry of management;

• walking through a transaction to check that the controls are still implemented in
the way we had understood;

• examining process manuals or other documentation; or

• other procedures appropriate to the control being tested.

55. If there have been significant changes in the controls after our testing, we should either:

• evaluate the design and implementation of the new control and test its operating
effectiveness; or

Page | 391
 • not take controls assurance for the remainder of the year, and increase the
extent of our substantive procedures on transactions in the stub period to the
year-end.

56. If there have not been significant changes in the controls, the auditor should determine
the additional audit evidence to be obtained for the remaining period. (Ref: ISA 315 A33-
A34)
57. The assessment of the extent of the procedures required to obtain additional evidence
should take account of the significance of the identified risks at the assertion level, the
degree of assurance obtained to date and the length of the remaining period.
58. In most cases, the auditor will need to extend the controls testing to cover the entire
period or confirm that the control remained in place and review the entity’s monitoring of
that control over the remaining period.
59. If we plan to test controls for the stub period, we will usually split our controls sample
between the interim period and the stub period. For example, if we are testing a daily
control to obtain AF 1.3 of assurance three quarters of the way through the accounting
period, we might test 11 items at interim and 4 items from the stub period (the last
quarter of the accounting period) at year-end to achieve the total sample size of 15 items.

60. OCAG policy is not to rely on evidence of the operating effectiveness of controls from
controls tests performed during previous audits. All controls should be tested in full in the
period being audited.

Extent of tests of operating effectiveness of controls

61. Obtaining controls assurance reduces the extent of our substantive audit testing.
Accordingly, where we are seeking more assurance from tests of controls, such as when
testing controls over a Specific Risk, we increase the extent of our tests of controls.

62. In determining the extent of tests of controls, we should also consider:

• the frequency of the control;

• the expected rate of deviation from a control;

• the relevance and reliability of the audit evidence to be obtained regarding the
operating effectiveness of the control at the assertion level;

• the length of time during the period that we are relying on the operating
effectiveness of the control (typically, this will be the full period); and

Page | 392
 • the extent to which audit evidence is obtained from tests of other controls related
to the assertion (typically, we will only need to test one control to obtain
assurance over an assertion).

63. The table below summarises the expected level of tests of controls, depending upon:

• the frequency of the operation of the control;

• the level of assurance expected from the test;

• whether a control deviation would be expected in the operation of the control,

and

• whether the control relates to individual transactions or batches of

transactions/transactions within a particular period.

64. If we are only relying upon the operation of a control for part of the year, the sample sizes
should be reduced on a pro-rata basis.

65. If we are going to take assurance from the operation of a control, we would normally not
expect any deviations in its operation. However, for controls which operate many times a
day we may plan to accept a certain level of control deviations. If so, we would plan to
test a larger sample of items to obtain assurance that the control is operating sufficiently
reliably to provide assurance over the tested assertions.

Example: Sample size for testing a control that operates many times a day

66. We are testing the operating effectiveness of a transactional control over occurrence and
valuation of invoices being processed in accounts payable:

• the control does not address a Specific Risk;

• this control is performed many times a day;

• we would expect there to be one deviation in the operation of the control from
our sample.

• The sample size required is 65 items.

Page | 393
Example: Sample size for testing a control over a year-end accounting estimate

67. We are testing the operating effectiveness of a control over completeness of a provision.
The control operates through a detailed review of items which might be included in the
provision and checking that they have been appropriately treated:

. the control addresses a Specific Risk;

. the control is performed only at the year-end;
. we would not expect there to be a deviation in the operation of the control – if this
had occurred this would mean that the control had not operated effectively due to
the low frequency of operation of the control. The sample size required is one item.

Nature of tests of operating effectiveness of controls

Selecting items for testing

68. The auditor should select items for testing that is an effective means of obtaining evidence
to obtain the planned level of assurance. (Ref: ISA 500 A52-A56) In general, this will be
through selecting a representative sample, i.e. selecting items for the sample in such a
way that each “sampling unit” in the population has a chance of selection. (Ref: ISA 530
A12-A13)

69. For tests of controls, the nature of the “sampling units” we are picking between will vary
depending upon the nature of the control and the detail of how it operates.
70. For example testing a control based upon month-end reconciliation reviews, the sampling
unit may be months (if there is a single review carried out of a file of reconciliations), or
may be individual reconciliations (if many different individuals prepare and review
particular reconciliations at different stages in the month end process)

71. Depending upon the details of the control, this may increase how frequently the control
has operated during the year and so the required extent of testing.
72. The auditor should perform the planned audit tests on each selected item, which should
reflect the nature of the control and of the assurance that we are seeking to obtain from
the testing.
73. If the planned test is not applicable to the selected item, the auditor should perform the
procedure on a replacement item. (Ref: ISA 530 A14)

Page | 394
Example: Selecting Replacement Items

74. The planned test is a check of the authorisation of invoices over Tk. 5,000 for payment by
the financial controller. (A report of invoices paid under Tk. 5,000 is produced and
reviewed at month-end – as these are in aggregate immaterial for the year, we do not
plan to test this control). We selected a sample of payments at random from a listing of
payments. One of the items selected was for Tk. 2,000. This payment should not have
been subject to the control we are testing, and we selected a replacement item to
complete our sample.

75. If the auditor is unable to perform the planned tests, or a suitable alternative test, upon a
selected item, we should treat that item as a deviation from the prescribed control. (Ref:
ISA 530 A15-A16)
76. For example, if we are unable to find a selected reconciliation to see whether it has been
prepared, or are unable to obtain evidence that it was prepared and reviewed on a timely
basis, this should be treated as a deviation in the operation of the control.

Types of tests to perform

77. We may obtain evidence of the operating effectiveness of controls in a number of ways,
depending on the nature of the control that is being tested. We would ordinarily use some
combination of the following techniques:

• Observation and Enquiry - watching what people do, how they do it and asking
questions. It is unlikely that the Engagement Team will be able to cover the entire
period with this technique, so it will not usually provide sufficient evidence on its
own for manual controls. In addition, individuals may perform controls differently
when observed than at other times.

• Examination - reviewing documentary evidence of how controls have operated at

other times, for example, showing that transactions have been properly
authorised, or records of management reviews. This will give us more assurance
about the continuous operation of controls. Examination may include
walkthroughs or re-performing the control.

• Re-performance - where a control operates over individual transactions, it will

usually be necessary to examine a sample that was subject to the control to check
that the control has been applied. The Engagement Team may, for example, check
a sample of invoices to evidence that the goods/services were received.

Page | 395
Evaluating the results of tests of controls

78. The key part to this level of control testing is to check that the controls are fit for purpose.
This means that a detective control is detecting errors and corrective action is
implemented and followed up, and that a preventative control is preventing the errors
with appropriate follow up action to ensure repetition does not happen.

79. In principle, the evaluation of results is simple. If the control operates, we may take the
planned level of assurance from controls. If it does not, the auditor will undertake
alternative substantive procedures. It is, however, important that the auditor uses their
judgement in evaluating the results and consider in all cases of apparent control
deviations:

• The nature and cause of the deviation. This will help the auditor to identify the
potential impact of the deviation and therefore the additional procedures that
they will need to complete. For example, it may be that the deviation can be
isolated to a particular location, time or other set of circumstances. In such cases,
provided the auditor can satisfy themselves that they can identify all similar
circumstances - the auditor can target their testing in these areas and may be able
to take assurance from controls in others;

• The possibility of compensating controls. The auditor may have identified a control
as key where there are, in fact, higher levels or compensating controls that operate
in the event of a deviation. For example, the auditor may identify a failure to check
and authorise an invoice for payment at a supervisory level but then find that all
such "unauthorised" invoices are identified during processing and subject to
checking at a higher management level; and

• The impact of the deviation on the initial risk assessment and other sources of
audit evidence. Where the auditor finds significant breakdowns in the general
system of control they should consider the implications for the entire audit
approach and in particular the reliability of management representations on the
effectiveness of internal controls.

Evaluating Control Deviations

80. If we detect deviations in the operation of controls on which we plan to rely, the auditor
should make specific inquiries to understand these matters and their potential
consequences, and should determine whether: (Ref: ISA 330 A41)

Page | 396
 a) the tests of controls that have been performed provide an appropriate basis for
reliance on the controls;

b) additional tests of controls are necessary; or

c) the potential risks of misstatement need to be addressed using substantive

procedures.

81. The auditor investigate the nature and cause of any deviations identified in the operation
of controls, and evaluate their possible effect on the purpose of the audit procedure and
on other areas of the audit. (Ref: ISA 530 A17) Where necessary, we should obtain
evidence to support our understanding of the impact of the deviation and any mitigating
factors.
82. The auditor needs to exercise judgement in evaluating the impact of control deviations.
Apparently minor deviations in how a control has operated may indicate that it is not
operating to prevent or detect misstatements, whereas in other circumstances these may
not be significant.

Example: evaluation of control deviations

83. We are testing the operating effectiveness of a monthly balance sheet reconciliation
control. The preparer and reviewer of each reconciliation are required to sign and date
the reconciliation when complete. In testing, we have identified that a number of the
balance sheet reconciliation templates have been set up with the relevant sign-offs on
electronically, with the date automatically updating to the current date through a formula.
Depending upon the information obtained when investigating this deviation, this may or
may not prevent us relying upon the operating effectiveness of the control.
84. For example:

• on investigation, individuals involved in the reconciliation process advised that

there was also a monthly control sheet that preparers and reviewers sign and
date. If this has been appropriately signed-off for each tested reconciliation, we
may conclude that this deviation does not affect our ability to place assurance
upon the control; or

• on investigation, individuals involved in the reconciliation process advised that

they just left their sign-off on the cover sheet. In some circumstances, the sign-off
was by individuals who had left the entity at the date in question, and there was
not evidence available showing follow-up of the selected reconciliations.

Page | 397
 Accordingly we may conclude that it is not possible to evidence that the control
has operated effectively, and so cannot place reliance upon it.

85. When the auditor considers a deviation discovered in a sample to be an anomaly, the
auditor should obtain a high degree of certainty that the deviation is not representative
of how the control has operated through the period considered. The auditor should
obtain this degree of certainty by performing additional audit procedures to obtain
sufficient appropriate audit evidence that the deviation does not affect the remainder of
the population.
86. When we are testing controls which operate daily or less frequently, then failures or
inappropriate use of the controls will usually prevent us from being able to take
assurance from the operating effectiveness of controls.
87. For monthly or quarterly controls which are based on cumulative information that is
prepared on a regular basis and the control failure is not at the end of the financial
period, the auditor may assess that the effective operation of the control towards the
period end still gives the controls assurance that they planned to obtain. If a control
ceases to operate in the period, the auditor cannot take the planned assurance for the
entire financial period but may be able to take some limited assurance and reduce the
level of substantive testing for the period when the control operated effectively. These
are matters of judgement, which should be clearly documented.
88. When seeking to rely on controls which operate many times a day, we may expect a
deviation in the operation of the control. If we expect this at the planning phase, we
would set our sample size accordingly as discussed above. If we did not anticipate a
deviation at the planning stage, or more than one deviation is detected during testing,
then this would usually prevent us from being able to take assurance from the operating
effectiveness of controls.
89. Auditors should consider whether a failure in controls testing indicates a wider control
environment weakness and, in particular, whether the original assessment of the risk of
material misstatement, of fraud and of irregularity remains valid. This judgement should
be documented.

Overall evaluation of the results of controls testing

90. The auditor should evaluate whether the tests performed have provided a reasonable
basis for conclusions about the operating effectiveness of the control being tested, and
to obtain the planned assurance. (Ref: ISA 530 A23)
91. When evaluating the operating effectiveness of relevant controls, the auditor should
evaluate whether misstatements that have been detected by substantive procedures

Page | 398
 indicate that controls are not operating effectively. The absence of misstatements
detected by substantive procedures, however, does not provide audit evidence that
controls related to the assertion being tested are effective. (Ref: ISA 330 A40)

92. A material misstatement detected by our procedures is a strong indicator of the

existence of a significant deficiency in internal control.
93. When the auditor assesses that they cannot take the planned level of audit assurance
from controls testing, they must revisit the planning assumptions and resubmit the Audit
Plan for review and approval of a revised audit approach by the Director or General
Director.

Controls testing for Compliance Audit

94. We may rely on the operating effectiveness of controls over compliance with laws and
regulations (the regularity assertion) in the same way as from tests of controls over
other audit assertions.
95. When we are planning to rely on a control which provides assurance over multiple
assertions, we should consider carefully whether this will provide assurance on
regularity.

Example: Review of payroll costs against budget

96. Management perform a detailed monthly review of payroll expenditure against budget,
monitoring closely the impact of changes in headcount etc.
97. However, this does not necessarily provide assurance over regularity – for example, if
the budget was based upon salary increases in excess of the pay remit.

IT considerations

98. Information Technology controls should be considered as an integral part of the

financial audit. It is important that all members of the auditor understands IT concepts,
appreciates the technical risks and is able to understand the impact of unmanaged IT
risk on the business.
99. Public sector organisations may make extensive use of information technology (IT) to
process financial transactions and to produce their financial statements. These systems
should be considered when we are planning the tests of the operating effectiveness of
internal controls.
100. Where we are planning to test the operating effectiveness of controls which are
dependent upon general IT controls (indirect controls), we should consider whether it

Page | 399
 is necessary to obtain audit evidence that general IT controls are appropriately
designed and implemented and are operating effectively. (Ref: ISA 330 A30-A31)
101. For example, if we plan to test the effectiveness of a user review of exception reports
detailing sales in excess of authorised credit limits, the user review and related follow up
is the control that is directly being tested. Controls over the accuracy of the information
in the reports, including the general IT-controls, are described as " indirect" controls.
102. Where it is necessary to test general IT controls, the auditor should determine which
general IT controls it is necessary to test to obtain the required assurance.
103. This should reflect the risks that the IT system presents to the effective operation of the
business controls which we plan to rely on. The rationale for the approach adopted
should be clearly documented.
104. When we are planning to test the operating effectiveness of IT application control, we
should also test the operating effectiveness of general IT controls.
105. Because of the inherent consistency of IT processing, it will usually only be necessary to
test a single instance of the operation of an automated application control.
106. An automated control can be expected to function consistently unless the program
(including the tables, files, or other permanent data used by the program) is changed.
Once we have determined that an automated control is functioning as intended (which
could be done at the time the control is initially implemented or at some other date), we
will usually plan to perform tests to determine that the control continues to function
effectively. Such tests might include determining that:

• changes to the program are not made without being subject to the
appropriate program change controls;

• the authorised version of the program is used for processing transactions; and

• other relevant general controls are effective.

107. Such tests also might include determining that changes to the programs have not been
made, as may be the case when the entity uses packaged software applications without
modifying or maintaining them. For example, we may inspect the record of the
administration of IT security to obtain audit evidence that unauthorised access has not
occurred during the period.

Documentation of controls testing

108. The results of all controls testing should be clearly documented showing:

Page | 400
 • how the planned tests of controls address the assertions tested;

• what work was carried out when and by whom;

• which documents were examined, which procedures were observed and which
staff were interviewed;

• what control failings were identified, how these were investigated and the impact
of these on the planned level of assurance;

• where appropriate, the additional procedures undertaken as a result of the control

failings;

• any recommendations to management resulting from the auditors’ work; and

• our conclusions on the extent of reliance to be drawn from our tests of controls.

109. We should clearly document our assessment of whether control deviations indicate a
wider control environment weakness and whether the original assessment of the risk of
material misstatement, of fraud and of irregularity remains valid.
110. If we plan to use audit evidence about the operating effectiveness of controls obtained
in previous audits, the auditor should include in the audit documentation the
conclusions reached about relying on such controls that were tested in a previous audit.

Page | 401
INSERT NAME OF DIRECTORATE Office of the Comptroller and Auditor General

Executive Summary

Annexure N.1

Audit Opinion Template for Compliance Audit

AUDIT REPORT

Comptroller and Auditor

General of Bangladesh

Audit of [insert details of activities being audited] for the year [insert year]

[INSERT NAME OF RELEVANT DIRECTORATE]

Page | 402
INSERT NAME OF DIRECTORATE Office of the Comptroller and Auditor General

Executive Summary

Handling
This document and the copyright comprised therein is and remains the property of the Office of the Comptroller and Auditor General. It contains
information which has been obtained by the Office of the Comptroller and Auditor General under statutory powers solely to discharge statutory functions
and has been prepared as the basis for an official document. Except as expressly permitted by law, neither the document nor any of its content may be
reproduced, stored in a retrieval system and/or transmitted in any form or by any means, or disclosed to any person other than the original recipient
without the prior written permission of the Office of the Comptroller and Auditor General. It must be safeguarded at all times to prevent publication or
other improper use of its content. Unauthorised use or disclosure may result in legal proceedings.

Audit Timetable Audit carried out by: Distribution:

[insert name] Secretary,

(Deputy Director and Team Leader, [insert name] Division Ministry of [insert
[insert name] name]

audit directorate) Deputy Controller and Auditor General,

Audit and reporting
Field audit [insert date] Team members:
to [insert date]
1 [Insert name]
Assistant Director
3 [Insert name]
Audit &Accounts Officer
4 [Insert name]
S A S Superintendent
5 [Insert name]
Auditor

Page | 403
INSERT NAME OF DIRECTORATE Office of the Comptroller and Auditor General

Executive Summary

Draft report issued [insert date] [Job titles are examples only]

Management response [insert date] Work supervised by:

Final report issued [insert date] [insert name], Director General.

[insert name]

Audit

Directorate

Purpose & Background Audit Scope

Purpose The objective of this audit was to form an opinion on the [insert name of
The CAG conducts audits under Article 128(1)of the entity and activities being audited]’s compliance with [insert details of the
Constitution of Bangladesh which states that the public underlying rules, laws and regulations applicable to the scope of the
accounts of the Republic and of all courts of law and all compliance audit] for the [insert period covered] and conclude if:
authorities and officers of the Government shall be audited
and reported on by the Auditor-General and for that purpose . in all material respects, [insert name of entity being audited]
he or any person authorized by him in that behalf shall have complies with applicable laws, rules and regulations.
access to all records, books, vouchers, documents, cash, *INSERT IF RELEVANT The scope of the audit did not include [insert details,
stamps, securities, stores or other government property in the
for example, review of controls relevant to IT systems.]
possession of any person in the service of the Republic.
Additionally, section 5(1) of the CAG (Additional Functions)
Act, 1974 empowers the C&AG to audit the revenue and
expenditure of statutory public authorities, public enterprises
and local authorities

Page | 404
INSERT NAME OF DIRECTORATE Office of the Comptroller and Auditor General

Executive Summary

Consequently, the CAG is responsible for reporting whether in

his opinion the financial statements give a true and fair view
and whether they have been properly prepared in accordance
with the relevant regulations.
Background
[Insert brief details of organisation, activities and legislative
details being audited]

Page | 405
INSERT NAME OF DIRECTORATE Office of the Comptroller and Auditor General

Executive Summary

Overall Conclusion – Meaning of Overall Conclusion

COMPLIANCE
[Insert details of activities being audited, for example, use of project -funds by an entity] is in compliance, in
Green : Unqualified
 opinion all material respects, with

[insert details of the underlying rules, laws and regulations applicable to the scope of the compliance audit,
for example :the terms of the funding agreement dated xx.xx.20XX].

Except for the instance of non-compliance noted in the Basis for the Qualified Conclusion paragraph above,
Amber : Qualified
 opinion -Disagreement [insert name and activities of entity being audited] is in compliance, in all material respects, with [insert
details of the underlying rules, laws and regulations applicable to the scope of the compliance audit].

Except for the possible effect of the instance of non-compliance noted in the Basis for the Qualified
Amber : Qualified
 opinion -Scope Conclusion paragraph above, [insert name of entity and activities being audited] is in compliance, in all
limitation material respects, with [insert details of the underlying rules, laws and regulations applicable to the scope of
the compliance audit].

Because of the significance of the matter noted in the Basis for the Adverse Conclusion paragraph above,
Red : Adverse opinion
 [insert name and activities of entity being audited] is not in compliance, in all material respects, with the
terms of [insert details of the underlying rules, laws and regulations applicable to the scope of the
compliance audit].

Because of the significance of the matter noted in the Basis for the Disclaimer paragraph above, I am unable
Red : Disclaimer of
 opinion to, and therefore do not express a conclusion on[insert name and activities of entity being audited] 's
compliance with of [insert details of the underlying rules, laws and regulations applicable to the scope of the
compliance audit].

Page | 406
INSERT NAME OF DIRECTORATE Office of the Comptroller and Auditor General

Executive Summary

The People’s Republic of Bangladesh

[Insert name of entity being audited]

Audit Certificate [insert period end date]

REPORT ON [INSERT DETAILS OF ENTITY BEING AUDITED]’s COMPLIANCE WITH THE TERMS OF [INSERT DETAILS
OF UNDERLYING RULES, LAWS AND REGULATIONS APPLICABLE TO THE SCOPE OF THE COMPLIANCE AUDIT]

I have audited [insert name of entity being audited]'s compliance with the [insert details of the underlying rules, laws and regulations applicable
to the scope of the compliance audit] as set out in the [insert details of any accounting framework, for example project accounts, and period end
date only if applicable.] under Article 128(1) of the constitution of Bangladesh, and section 5(1) of the Comptroller and Auditor General
(Additional Functions Act) 1974.

Management’s responsibility
According to [insert details of the underlying rules, laws and regulations applicable to the scope of the compliance audit], the management of
[insert name of entity being audited] is responsible for [insert details of management responsibilities, for example, maintaining internal controls
that are adequate to ensure compliance with underlying rules, laws and regulations ].

Page | 407
INSERT NAME OF DIRECTORATE Office of the Comptroller and Auditor General

Executive Summary
Auditor’s Responsibility
My responsibility is to express a conclusion on [insert name of entity being audited]’s compliance with [insert details of the underlying rules,
laws and regulations applicable to the scope of the compliance audit] based on my audit. My work was conducted in accordance with
International Standards of the Supreme Audit Institutions (ISSAIs).Those standards require that I comply with ethical requirements and plan and
perform the audit so as to obtain reasonable assurance

as to whether [insert name of entity being audited] is in compliance with [insert details of the underlying rules, laws and regulations applicable
to the scope of the compliance audit].

Scope of the audit

An audit involves performing procedures to obtain sufficient appropriate evidence to support my conclusion. The procedures performed depend
on the auditor's professional judgement, including assessing the risk of material non-compliance, whether due to fraud or error. The audit
procedures performed are those I believe are appropriate in the circumstances. I believe that the audit evidence gathered is sufficient and
appropriate to provide the basis for my conclusion.

Basis for opinion

Qualified opinion –Disagreement [Include description and quantification of the disagreement for example not being in compliance with terms of
a rental agreement – effect of this for example, fines and penalties arising, can be quantified but are not material]

Qualified opinion -Scope limitation [Include description and quantification of the disagreement for example making grants to bodies outside the
entities remit – amounts cannot be quantified]

Page | 408
INSERT NAME OF DIRECTORATE Office of the Comptroller and Auditor General

Executive Summary

Adverse opinion [Include description and quantification of the matter that led to the adverse opinion for example, not being in compliance with
terms of a rental agreement – effect of this for example, fines and penalties arising, can be quantified but are material]

Disclaimer of opinion [Include description and quantification of the matter that led to the disclaimer of opinion for example, inability to obtain
any evidence regarding compliance with a building code to not being able to enter unsafe buildings for a material proportion of buildings in the
scope.]

Opinion
Based on the audit work performed, I found that [insert name of entity being audited] is in compliance, in all material respects, with [insert
details of the underlying rules, laws and regulations applicable to the scope of the compliance audit].

[See narrative in the traffic light table above for opinions to be included when the report is modified.

[Insert name of Director General]

Director General, [Insert name of Audit Directorate]

[Insert date]

Page | 409
INSERT NAME OF DIRECTORATE Office of the Comptroller and Auditor General

Executive Summary

DETAILED FINDINGS AND RECOMMENDATIONS

FINDING 1.

Observation

Cause

Effect

Recommendation 1

Client response to Recommendation 1

Page | 410
INSERT NAME OF DIRECTORATE Office of the Comptroller and Auditor General

Executive Summary
Annex N.2

Audit Opinion Template for Financial Audit

AUDIT REPORT

Comptroller and Auditor

General of Bangladesh

[INSERT NAME OF CLIENT]

Audit of Financial Statements Year end [insert year end]

Page | 411
INSERT NAME OF DIRECTORATE Office of the Comptroller and Auditor General

Executive Summary
Handling
This document and the copyright comprised therein is and remains the property of the Office of the Comptroller and Auditor General. It contains
information which has been obtained by the Office of the Comptroller and Auditor General under statutory powers solely to discharge statutory functions
and has been prepared as the basis for an official document. Except as expressly permitted by law, neither the document nor any of its content may be
reproduced, stored in a retrieval system and/or transmitted in any form or by any means, or disclosed to any person other than the original recipient without
the prior written permission of the Office of the Comptroller and Auditor General. It must be safeguarded at all times to prevent publication or other
improper use of its content. Unauthorised use or disclosure may result in legal proceedings.

Audit Timetable Audit carried out by: Distribution:

[insert name] Secretary,

(Deputy Director and Team Leader, [insert name] Division Ministry of [insert name]
[insert name]
Deputy Controller and Auditor General,
audit directorate) Audit and reporting

Field audit [insert date] Team members:

to [insert date]
1 [Insert name]
Assistant Director
3 [Insert name]
Audit &Accounts Officer
4 [Insert name]
S A S Superintendent
5 [Insert name]
Auditor

Draft report issued [insert date] [Job titles are examples only]

Page | 412
INSERT NAME OF DIRECTORATE Office of the Comptroller and Auditor General

Executive Summary

Management response [insert date] Work supervised by:

Final report issued [insert date] [insert name], Director General. [insert
name]

Audit

Directorate

Page | 413
INSERT NAME OF DIRECTORATE Office of the Comptroller and Auditor General

Executive Summary

Purpose & Background Audit Scope

Purpose The objective of this audit was to form an opinion on the [insert details of
The C&AG conducts audits under Article 128(1)of the statements being audited] of [insert name of entity being audited] for [insert
Constitution of Bangladesh which states that the public year] and conclude if:
accounts of the Republic and of all courts of law and all
the statement was free from material misstatement whether due to
authorities and officers of the Government shall be audited
and reported on by the Auditor-General and for that purpose fraud or error and;
he or any person authorized by him in that behalf shall have in all material respects, [insert name of entity being audited]
access to all records, books, vouchers, documents, cash,
comply with applicable rules and regulations [except for the matter
stamps, securities, stores or other government property in
detailed below*].
the possession of any person in the service of the Republic.
Additionally, section 5(1) of the C&AG (Additional Functions) This includes an assessment of: whether the accounting policies are
Act, 1974 empowers the C&AG to audit the revenue and appropriate to the circumstances of [insert name of entity being audited]
expenditure of statutory public authorities, public enterprises and have been consistently applied and adequately disclosed; the
and local authorities reasonableness of significant accounting estimates made by [insert name of
Consequently, the C&AG is responsible for reporting whether entity being audited]; and the overall presentation of the financial
in his opinion the financial statements give a true and fair statements.
view and whether they have been properly prepared in
accordance with the relevant regulations. *INSERT IF RELEVANT The scope of the audit did not include [insert details,
for example, review of compliance with Securities and Exchange Rules
Background
1987, review of controls relevant to IT systems.]
[Insert brief details of historical and legislative background
and governance structure]

Page | 414
INSERT NAME OF DIRECTORATE Office of the Comptroller and Auditor General

Executive Summary

Overall Conclusion – Meaning of Overall Conclusion

FINANCIAL STATEMENTS
The financial statements give a true and fair view of the financial position of [insert name of entity being
Green : Unqualified
 opinion audited] as at [insert period end date] and of its financial performance and its cash flows for the period then
ended in accordance with [insert details of accounting framework].

Amber : Qualified Except for the effects of the matter described in the Basis for Qualified Opinion paragraph, the financial
 opinion -Disagreement statements give a true and fair view of the financial position of [insert name of entity being audited] as at
[insert period end date] and of its financial performance and its cash flows for the period then ended in
accordance with [insert details of accounting framework].
Except for the possible effects of the matter described in the Basis for Qualified Opinion paragraph, the
Amber : Qualified
 opinion -Scope financial statements give a true and fair view of the financial position of [insert name of entity being audited]
limitation as at [insert period end date] and of its financial performance and its cash flows for the period then ended in
accordance with [insert details of accounting framework].

Red : Adverse opinion Because of the significance of the matter discussed in the Basis for Adverse Opinion paragraph, the financial
 statements do no give a true and fair view of) the financial position of [insert name of entity being audited]
as at [insert period end date].

Red : Disclaimer of Because of the significance of the matters described in the Basis for Disclaimer of Opinion section below, I
 opinion have not been able to obtain sufficient appropriate audit evidence to provide a basis for an audit opinion.
Accordingly, I do not express an opinion on the financial statements.

Page | 415
INSERT NAME OF DIRECTORATE Office of the Comptroller and Auditor General

Executive Summary

Overall Conclusion – Meaning of Overall Conclusion

COMPLIANCE
The activities, financial transactions and information reflected in the financial statements are in compliance
Green : Unqualified
 opinion with the authorities which govern them.

Except for the matters described in the Basis for Qualified Opinion on Compliance above, in all material
Amber : Qualified
 opinion -Disagreement respects the activities, financial transactions and information reflected in the financial statements are in
compliance with the authorities which govern them.

Except for the possible effects of matters described in the Basis for Qualified Opinion on Compliance above,
Amber : Qualified
 opinion -Scope in all material respects the activities, financial transactions and information reflected in the financial
limitation statements are in compliance with the authorities which govern them.

Because of the significance of the matter discussed in the Basis for Adverse Opinion on Compliance
Red : Adverse opinion
 paragraph above, the activities, financial transactions and information reflected in the financial statements
are not in compliance with the authorities which govern them.

Because of the scope limitation described in the Basis for Disclaimer on Compliance paragraph above, I am
Red : Disclaimer of
 opinion unable to form an opinion as to whether the activities, financial transactions and information reflected in the
financial statements are in compliance with the

authorities which govern them.

Page | 416
INSERT NAME OF DIRECTORATE Office of the Comptroller and Auditor General

Executive Summary

The People’s Republic of Bangladesh

[Insert name of entity being audited]

Audit Certificate [insert period end date]

THE CERTIFICATE AND REPORT OF THE COMPTROLLER AND AUDITOR GENERAL TO PARLIAMENT

I have audited the Financial Statements of [insert name of entity being audited] under Article 128(1) of the constitution of Bangladesh, and
section 5(1) of the Comptroller and Auditor General (Additional Functions Act) 1974.The Financial Statements comprise [insert details of
statements being audited] for the financial year ended [insert period end date].

These financial statements have been prepared under the accounting policies set out within them.

Management’s responsibility for the financial statements

Management is responsible for preparing Financial Statements that give a true and fair view in accordance with Bangladesh Accounting
Standards (BAS) and [insert details of any other applicable accounting framework, eg Bangladesh Companies Act] and for such internal control as
management determines is necessary to enable the preparation of financial statements that are free from material misstatement, whether due
to fraud or error.

Page | 417
INSERT NAME OF DIRECTORATE Office of the Comptroller and Auditor General

Executive Summary
Auditor’s Responsibility

My responsibility is to express an opinion on these financial statements based on conducting the audit in accordance with International
Standards of the Supreme Audit Institutions (ISSAIs). Those standards require that I comply with ethical requirements and plan and perform the
audit to obtain reasonable assurance about whether the financial statements are free from material misstatement.

I believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for my opinion. [Please delete this sentence
for adverse and disclaimers of opinion.]
[

Scope of the audit of the Financial Statements

An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements. The
procedures selected depend on the auditor’s judgement, including the assessment of the risks of material misstatement of the financial
statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity’s
preparation of the financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of
expressing an opinion on the effectiveness of the entity’s internal control. An audit also includes evaluating the appropriateness of accounting
policies used and the reasonableness of accounting estimates made by management, as well as evaluating the overall presentation of the
financial statements.

We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for my audit opinion.

Basis for opinion

Qualified opinion –Disagreement [Include description and quantification of the disagreement for example stock was not stated at the lower of
cost and net realisable value and the effect on the financial statements is xx]
Page | 418
INSERT NAME OF DIRECTORATE Office of the Comptroller and Auditor General

Executive Summary
Qualified opinion -Scope limitation [Include description of the area where it was not possible to obtain evidence, for example in relation to the
valuation of an investment]

Adverse opinion [Include description and quantification of the matter that led to the adverse opinion for example, the non consolidation of a
subsidiary, and the effects on the financial statements]

Disclaimer of opinion [Include description and quantification of the matter that led to the disclaimer of opinion for example, inability to obtain
access to the working papers of an outgoing auditor to review opening balances and comparatives]

Opinion
In my opinion, the financial statements, in all material respects, give a true and fair view of the financial position of [insert name of entity being
audited] as at [insert period end date] , and (of) its financial performance and its cash flows for the year then ended in accordance with
International Financial Reporting Standards.

[See narrative in the traffic light table above for opinions to be included when the report is modified.]

Report on Compliance

Management's Responsibility for Compliance

In addition to the responsibility for the preparation and presentation of the financial statements described above, management is also
responsible for ensuring that the activities, financial transactions and information reflected in the financial statements are in compliance with
the authorities which govern them.

Page | 419
INSERT NAME OF DIRECTORATE Office of the Comptroller and Auditor General

Executive Summary
Auditor's Responsibility
In addition to the responsibility to express an opinion on the financial statements described above, my responsibility includes expressing an
opinion on whether the activities, financial transactions and information reflected in the financial statements are, in all material respects, in
compliance with the authorities which govern them. This responsibility includes performing procedures to obtain audit evidence about whether
the agency's expenditure and income have been applied to the purposes intended by the legislature. Such procedures include the assessment of
the risks of material non-compliance.

We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for my opinion.

Opinion on Compliance
In my opinion, in all material respects, the activities, financial transactions and information reflected in the financial statements are in
compliance with the authorities which govern them.

Basis for opinion

Qualified opinion –Disagreement [Include description and quantification of the disagreement for example making grants to bodies outside the
entities remit – amounts can be quantified]

Qualified opinion -Scope limitation [Include description and quantification of the disagreement for example making grants to bodies outside the
entities remit – amounts cannot be quantified]

Adverse opinion [Include description and quantification of the matter that led to the adverse opinion for example, pension payments not being
made on a timely basis to pensioners in contravention of the applicable legislation, amounts can be quantified and are pervasive to the areas
being reviewed]
Page | 420
INSERT NAME OF DIRECTORATE Office of the Comptroller and Auditor General

Executive Summary

Disclaimer of opinion [Include description and quantification of the matter that led to the disclaimer of opinion for example, inability to obtain
any backing documentation regarding compliance with laws and regulations in relation to a significant proportion of expenditure reviewed]

[Insert name of Director General]

Director General, [Insert name of Audit Directorate]

[Insert date]

Page | 421
INSERT NAME OF DIRECTORATE Office of the Comptroller and Auditor General

Executive Summary

DETAILED FINDINGS AND RECOMMENDATIONS

FINDING 1.

Observation

Cause

Effect

Recommendation 1

Client response to Recommendation 1

Page | 422