A key risk facing any audit firm is that the business will fail.  In this respect an audit firm is no different from any other business venture.


Risks specific to audit firms:


  • Litigation against the firm
  • Client loss (changes in auditors!!)
  • Disciplinary action by the professional body
  • Loss of key audit personnel


Risk Management


As part of managing their own business effectively, auditors should have a system of risk management in place.


They should identify the risks and take steps to mitigate them.  For example, an auditor can mitigate business risks by taking out key person (keyman) insurance and putting in place client care procedures.


In general, the risk of business failure for audit firms can be mitigated by observing regulatory or professional requirements.  Such requirements can be found within the International Standards on Auditing and the code of ethics.  The standards give a good framework within which auditors can operate.


This framework ensures that there is a standard level of quality and consistency between all audit firms.  If the International Standards on Auditing are not followed by auditors, they run the risk of disciplinary action by their respective professional bodies.  In addition, where there is negligence, there is also the risk of litigation and thus the risk of business failure.




Auditing standards stress the importance of quality control, both at the audit firm level and the audit engagement level.


ISQC1, "Quality Control for firms that perform audits and reviews of historical financial information, and other assurance and related services engagements", helps audit firms establish quality standards for their own business, while ISA 220, "Quality Control for audits of historical financial information", requires firms to implement quality control procedures over individual audit assignments.


Quality control at firm level


ISQC1(11) states that the firm should establish a system of quality control designed to provide it with reasonable assurance that the firm and its personnel comply with professional standards and regulatory and legal requirements, and that reports issued by the firm or engagement partners are appropriate in the circumstances.


A system of quality control consists of policies designed to achieve the objectives and the procedures necessary to implement and monitor compliance with those policies.


All quality control policies and procedures should be documented and communicated to the firm’s personnel (ISQC1(17)).


Elements of a system of quality control:

  • Leadership responsibilities for quality within the firm
  • Ethical requirements
  • Acceptance and continuance of client relationships and specific engagements
  • Human resources
  • Engagement performance
  • Monitoring




The aim is to instil policies and procedures such that the internal culture of the firm is one where quality is essential and is considered to be the norm.  Leadership must come from the top down and, with that in mind, the standard recommends that a senior management person should assume the overall responsibility.


ISQC1(19) sets out that any person assigned the overall responsibility for a firm’s quality control system should have sufficient and appropriate experience and ability and the necessary authority to assume that responsibility.



The firm should establish policies and procedures designed to provide it with reasonable assurance that the firm and its personnel comply with relevant ethical requirements.  Such ethical requirements include the fundamental principles of integrity, objectivity, professional competence & due care, confidentiality and professional behaviour.


Acceptance and continuance of client relationships and specific engagements

A firm should establish policies and procedures for the acceptance and continuance of client relationships and specific engagements.  They should be designed to provide it with reasonable assurance that it will only undertake or continue relationships and engagements where it (1) has considered the integrity of the client and does not have information that would lead it to conclude that the client lacks integrity, (2) is competent to perform the engagement, (3) has the capabilities, time and resources to do so and (4) can comply with ethical requirements.


Human Resources

An audit firm’s desire for quality will require policies and procedures on ensuring excellence in its staff.  It should have sufficient personnel with the experience, competence and ethical principles necessary to perform audits in accordance with the professional standards and regulatory and legal requirements.


Such policies and procedures will address the following issues:

  • Recruitment
  • Performance evaluation
  • Capabilities
  • Competence
  • Career development
  • Compensation
  • Estimation of personnel needs



Capabilities and competence can be developed through:

  • Professional education
  • Continuing professional development and training
  • Work experience
  • On the job training


Engagement performance

ISQC1(32-47) states that the firm should establish policies and procedures designed to provide it with reasonable assurance that engagements are performed in accordance with professional standards and regulatory and legal requirements, and that the firm or the engagement partner issues reports that are appropriate in the circumstances.


Through its policies and procedures, the firm seeks to establish consistency in the quality of engagement performance.  This is often accomplished through written or electronic manuals, software tools or other forms of standardized documentation.


Ensuring good engagement performance involves a number of issues:

  • Direction
  • Supervision
  • Review
  • Consultation
  • Resolution of disputes



Under ISQC1.34, the firm should establish policies and procedures designed to provide it with reasonable assurance that:

  • Appropriate consultation takes place on difficult or contentious matters
  • Sufficient resources are available to enable appropriate consultation
  • The nature and scope of such consultations are documented
  • Conclusions resulting from consultations are documented and implemented


Where an audit firm is small, this may necessitate external consulting.


Resolution of disputes

A firm should establish policies and procedures for dealing with and resolving differences of opinion.


Quality control review

A firm should establish policies and procedures requiring, for appropriate engagements, a quality control review that provides an objective evaluation of significant judgments made on an assignment and the conclusions reached in forming an opinion on a set of accounts.


An audit firm must have standards as to what constitutes a suitable quality control review.

These standards should cover:

  • The nature, timing and extent of such a review

This could be discussions with an engagement partner, a review of financial statements and consideration of whether reporting is appropriate.  It may involve some selective review of working papers, particularly where significant judgment was applied.

  • The criteria of eligibility of the reviewer

The individual selected should have sufficient technical expertise and should be objective.

  • The documentation required

It should show that the review was completed before the audit report is signed off.


In respect of a listed company, a quality control review must be carried out before the audit report is signed off.


In respect of a listed company, a review should consider:

  • The engagement team’s evaluation of independence
  • Significant risks identified and the responses to those risks
  • Judgments with respect to materiality and significant risks
  • Whether appropriate consultation has taken place
  • Significance of misstatements identified, both amended and un-amended
  • Matters to be communicated to management
  • Whether selected working papers support conclusions reached
  • Whether report to be issued is appropriate



Firms must have policies and procedures in place to ensure that their quality control system is:

  • Relevant
  • Adequate
  • Operating effectively
  • Complied with in practice


In order to achieve the objectives, a firm must monitor the quality control system.  This should be reported to the management of the firm on an annual basis.


Types of monitoring activities:

  • Ongoing evaluation and/or
  • Periodic inspection of selected audits


Deficiencies found may be one-offs, but systematic or repetitive deficiencies will require corrective action such as:

  • Taking appropriate remedial action relating to an individual
  • Changes to the quality control system
  • Pointers to the training dept.
  • Disciplinary action against those who fail to comply with the policies and procedures


Quality control at audit engagement level


ISA 220.2 states that the engagement team should implement quality control procedures that are applicable to the individual audit engagement.  This standard applies the principles laid down in the ISQC1.


The engagement partner should:

  • Take responsibility for the overall quality on each audit engagement to which the partner is assigned.
  • Consider whether members of the engagement team have complied with ethical requirements.
  • Form a conclusion on compliance with independence requirements that apply to the audit engagement.
  • Be satisfied that appropriate procedures regarding the acceptance and continuance of client relationships and specific audit engagements have been followed, and that conclusions reached in this regard are appropriate and have been documented.
  • Be satisfied that the engagement team has the appropriate capabilities, competence and time to perform the audit engagement in accordance with professional standards and regulatory and legal requirements, and to enable an auditor’s report that is appropriate in the circumstances to be issued.
  • Take responsibility for the direction, supervision and performance of the audit engagement in compliance with professional standards and regulatory and legal requirements.


Engagement performance


ISA 220.21 states that the engagement partner should take responsibility for the direction, supervision and performance of the audit engagement in compliance with professional standards and regulatory and legal requirements, and for the auditor’s report that is issued to be appropriate in the circumstances.


The audit engagement can be directed by informing members of the team of:

  • Their responsibilities such as maintaining an objective state of mind, an appropriate level of professional scepticism and performing the work in accordance with due care.
  • The nature of the entity’s business
  • Risk related issues
  • Problems that may arise
  • The detailed approach to the performance of the engagement.


Supervision includes:

  • Tracking the progress of the engagement
  • Considering the capabilities and competence of members of the team, whether they have sufficient time, whether they understand their instructions, and whether the work is being carried out in accordance with the planned approach.
  • Addressing significant issues as they arise, considering their significance and modifying the planned approach appropriately.
  • Identifying matters for consultation by more experienced engagement team members during the engagement.


Review responsibilities are determined on the basis that the more experienced members of the audit engagement team review work performed by less experienced persons.  The reviewers consider whether:

  • The work has been performed in accordance with professional standards
  • Significant matters have been raised for further consultation.
  • Appropriate consultations have taken place and the consultations have been documented and implemented.
  • There is a need to revise the nature, timing and extent of the work performed.
  • The work performed supports the conclusions reached and is appropriately documented.
  • The evidence obtained is sufficient and appropriate to support the auditor’s report.
  • The objectives of the audit engagement procedures have been achieved.


Before the auditor’s report is issued, the engagement partner, through review of the audit documentation and discussion with the engagement team, should be satisfied that sufficient appropriate audit evidence has been obtained to support the conclusions reached and for the audit report to be issued.


When difficult or contentious issues arise, the team should consult on the matters and document the conclusions.

If differences arise between partner and audit team, or partner and quality control reviewer, the differences should be resolved in accordance with the firm’s policies.

In some circumstances, it may be appropriate for the engagement team to consult outside the firm, for example, where the firm lacks the internal resources.


Quality control review

For audits of financial statements of listed companies, the engagement partner should:

  • Appoint a quality control reviewer.
  • Discuss with the reviewer significant matters which have arisen during the audit.
  • Not issue the audit report until completion of the review.



The engagement partner should consider:

  • Whether deficiencies noted from the results of the firm’s monitoring process may affect the audit engagement.
  • Whether the measures the firm took to rectify the situation are sufficient in the context of the audit.


A deficiency in the firm’s system of quality control does not indicate that a particular audit engagement was not performed in accordance with professional standards.




There are three distinct types of audit firms.

  • Big four[1]
  • Medium sized
  • Small


Their size is classified by fee income earned.



There is merger activity at all levels as firms attempt to consolidate their position or attempt to move up the ladder.


The merger activity among the big four raises issues about monopolies.  This can result in reduced choices for larger clients.  Also, conflicts of interest may arise.


The current debate about the audit exemption limits under certain jurisdictions' regulations, and the fact that they are going to rise substantially, could have a significant impact on the client base of small audit firms.  They may be forced to merge to compete for the larger audit clients.



This concerns the big four and the larger of the medium sized firms.


There are two approaches to globalization:


  • Affiliation

Mainly affects the big four.  It allows a brand name to develop.


  • Co-operation

Mainly affects the medium firms.  It is international co-operation through a network of sister companies.


The benefits of globalization are that audit firms can now meet the needs of international companies.

However, there can be dramatic knock-on effects for international firms, e.g. Andersen (Enron’s auditors).


Divesting Services

Consultancy is one of the key services which have been divested from the audit firms.  The independence ethics are certainly fuelling this.


Quality Control Regulations

These regulations impact differently on large and small firms.  Small firms may need to hire external experts.





In the previous sections we looked at frameworks within which audit firms operated.  Now, we will look at frameworks, for client companies, to ensure that they deal fairly with their members.


A string of high-profile scandals and frauds in the 1980s and the 1990s forced, for example, the UK government to set up voluntary codes of best practice to enforce good practice by directors and to communicate management's adherence to good practice to the shareholders.

It was vital that companies were managed well i.e. there was good corporate governance.


For example: The Cadbury report (in the UK) defines Corporate Governance as: “The system by which companies are directed and controlled”.


Why is good corporate governance important?

Shareholders and managers are usually separate in a company and it is important that the management of a company deals fairly with the investment made by the owners.


In smaller companies, shareholders are fully informed about the management of the business as they are often the directors themselves.  However, in large companies the day to day running of a company is the responsibility of the directors.  Shareholders only get a look-in at the Annual Meeting.

In addition, auditors only report on the truth and fairness of financial statements.  They do not report on how the shareholders’ investment is being managed and whether their investment is subject to fraud.


Codes of best practice


Two prominent codes have been formed and are considered best practice in modern times.


  1. The Cadbury report
  2. The Combined code


The Cadbury Report


The Cadbury report was issued in 1992. Its terms of reference considered:

  • The responsibilities of executive and non-executive directors and the frequency, clarity and form in which information should be provided to shareholders.
  • The case for audit committees, their composition and role.
  • The responsibilities of auditors and the extent and value of the audit.
  • The links between auditors, shareholders and the directors.


The Cadbury report was aimed at directors of all UK PLCs, but directors of all companies are encouraged to apply the code.  Directors should state in the financial statements, normally through the directors’ report, whether they comply with the code and must give any reasons for non-compliance.


The Cadbury report covered a number of areas including the board of directors, non-executive directors, executive directors and the audit function.  Some of the provisions include:


Board of Directors

  • They should meet on a regular basis.
  • They should have clearly accepted divisions of responsibilities, so no one person has complete power.
  • The posts of chairman and CEO should be separate.
  • Decisions which require a single signature or several signatures need to be laid out in a formal schedule and procedures must be put in place to ensure that the schedule is followed. It will probably include material acquisitions and disposals of company assets, investments, capital projects, borrowings and foreign currency transactions.


Non-executive directors

  • They are not involved in the day to day running of the company and should bring their independent judgment to bear in the affairs of the company. Such affairs may include key appointments and standards of conduct.
  • There should be no business or financial connection between the company and the non-executive directors other than fees and a shareholding.
  • Their fees should reflect the time they spend on the business.
  • They should not participate in share option schemes or pension schemes.
  • Appointments of non-executive directors should be for a specific term and automatic re-appointment is discouraged.
  • Procedures should exist whereby they may take independent advice.
  • A remuneration committee consisting of non-executive directors should decide on the level of pay for executive directors.


Executive directors

  • They run the company on a day to day basis and should have service contracts in place of not more than three years in length, unless approved by the shareholders.
  • Directors’ emoluments should be fully disclosed in the accounts and should be analysed between salary and performance based pay.



  • The code states that the audit is the cornerstone of corporate governance. It is an objective and external check on the stewardship of management.
  • Some flaws exist in the framework for auditing, such as choices in accounting treatments, poor links between shareholders and auditors, price competition between audit firms and the “expectations gap” between auditors and the public.
  • Disclosing fees for audit in the financial statements should safeguard against the threat to objectivity where auditors offer other services to their audit clients.
  • Formal guidelines concerning audit rotation should be drawn up by the accounting profession.
  • The accountancy profession should be involved in setting criteria for the evaluation of internal control.
  • There is a need for auditors to report on going concern. This is now reflected in auditing standards.


The Cadbury code is quite detailed and could be cumbersome for small companies.  With this in mind a special version was formed for small listed companies (Cisco code).  The main differences are a reduction in the required number of non-executive directors and no requirement to split the roles of CEO and chairman.


The Combined Code


For example, the UK stock exchange issues guidance on a regular basis.  In 1998, it issued the combined code.  This combined key guidance from various reports, including the Cadbury report, into one code.


Some of its principles included:

  • Every company should have an effective board.
  • There should be clear divisions of responsibilities at board level.
  • There should be an appropriate balance of executive and non-executive directors.
  • A formal procedure for appointments to the board should exist.
  • The board should receive timely information in order to discharge its duties.
  • All directors should maintain and upgrade their skills and knowledge.
  • There should be an annual evaluation of its own performance.
  • All directors should be submitted to re-election at appropriate time intervals.
  • There should be appropriate levels of remuneration that are sufficient to attract, retain and motivate individuals of the necessary quality.
  • A significant portion of pay should be performance related.
  • A formal procedure for the fixing of pay levels should exist and no director should have a hand in fixing his/her own pay.
  • The board should present a balanced assessment of the company’s performance.
  • The board should implement a good system of internal control.
  • The board should have meaningful communication with the shareholders and should use the Annual Meeting to communicate with investors.


For example, the UK stock exchange rules require that the annual report includes a statement of how a company has applied the principles of the combined code and discloses whether there has been compliance with those principles.  Auditors should review this statement.


Although the stock exchange rules require the code to be complied with, there is no statutory duty for companies to do so.  It is in fact a voluntary code.

This allows for flexibility in its application although shareholders will be aware of the position due to the disclosure requirements.  There is a view though that the disclosure of non-compliance is insufficient as the Annual Meeting is not sufficient protection for shareholders.


In addition, being a voluntary code allows companies to opt out to the detriment of their shareholders and there are companies which, while unlisted, should be encouraged to apply the codes.

Making the code obligatory may create an excessive burden of requirement especially for smaller companies.


Audit Committees


Audit committees are generally made up of non-executive directors.  They are perceived to increase confidence in financial reports.


Recommendations contained in the combined code include:

  • Audit committee should comprise at least three non-executive directors (two for smaller companies).
  • Its main role and responsibilities should be clearly set out in written terms of reference.
  • The committee should be provided with sufficient resources to undertake its duties.


Role and responsibilities

  • To monitor the integrity of the financial statements and other formal announcements.
  • To review the internal financial controls and the company’s control and risk management systems.
  • To monitor and review the effectiveness of the internal audit function.
  • To make recommendations regarding the appointment of external auditors and their remuneration.
  • To monitor and review the external auditor’s independence and objectivity.
  • To develop and implement policy on the engagement of the external auditor in other non-audit services.


Advantages of an audit committee

  • Provides an independent point of contact for the external auditor, particularly in the event of disagreements.
  • Can create a climate of discipline and control.
  • Increased confidence in the credibility and objectivity of financial reports, by increasing the quality of the financial reporting and enabling the non-executive directors to contribute an independent judgment.
  • Internal auditors can report directly to the committee thereby providing a greater degree of independence from management.
  • The existence of such a committee should make the executive directors more aware of their duties and responsibilities.
  • Can act as a deterrent to fraud or illegal acts by executive directors.


Disadvantages of an audit committee

  • Can be difficult to source sufficient non-executive directors with the necessary competence to be effective.
  • Auditors may not raise issues of judgment where there are formalised reporting procedures.
  • Costs may increase.
  • Findings are generally not made public, so it is not always clear what they actually do.


Internal control effectiveness


Internal control is an essential tool in having good corporate governance.


The directors of a company are responsible for putting in place an effective system of internal control.  An effective system of internal control will help management safeguard the assets of a company, prevent and detect fraud and therefore, safeguard the shareholders’ investment.


In addition, it helps ensure reliability of reporting and compliance with laws.  The use of the word "help" denotes the fact that there are inherent limitations in any system of internal controls and as such there can be no such thing as absolute assurance.


The directors need to set up internal control procedures and need to monitor these to ensure that they are operating effectively.


The system of internal control will reflect the control environment which depends a lot on the attitude of the directors towards risk.


A company may decide to set up an internal audit function to monitor and assess the system of internal control.


The combined code recommends that the board of directors reports on the review of internal controls.  This assessment should cover the changes in risks which the company faces and its ability to respond to these changes, the scope and quality of management’s monitoring of risk and internal control and the extent and frequency of reports to the board.  It should also assess the significant controls, failings and weaknesses that might have a material impact on the accounts.


[1] Being PricewaterhouseCoopers (PwC), Deloittes, KPMG and Ernst & Young.  All are in Rwanda

Auditors should assess the review carried out by the directors.  They should assess whether the company’s summary of the process of review is supported by documentation prepared by the directors and that it reflects that process.


This review is not as defined as an audit.  Therefore, it is only possible to give limited assurance.  For this reason, the auditors are not expected to assess whether the directors’ review covers all risks and controls and whether the risks are satisfactorily addressed by the internal controls.


In order to avoid any misunderstandings, a paragraph is inserted into the audit report setting out the scope of the auditor’s role.


Auditors should bring to the attention of directors any material weaknesses they find in the system of internal control.


Auditors may report by exception if problems arise such as:

  • The auditor’s understanding of the review process differs somewhat from what the board says.
  • The processes that deal with material internal control aspects do not reflect what the auditor believes.
  • The board failing to make appropriate disclosures, failing to conduct a review or making disclosures which are not consistent with what the auditor already knows.




The previous sections referred to codes which, by and large, are voluntary codes.  Companies, however, are statutorily bound to comply with laws and regulations.


Some of the laws and regulations affecting companies are:

  • Company law
  • Health and safety regulations
  • Employment law
  • Civil law, both tort and contract
  • Environmental law and regulation
  • Customary law where not covered by statute


ISA 250, "Consideration of laws and regulations in an audit of financial statements", establishes standards and guidance on the auditor’s responsibilities to consider laws and regulations in an audit of financial statements.


ISA 250.2 states that when designing and performing audit procedures and in evaluating and reporting the results thereof, the auditor should recognise that non-compliance by the entity with laws and regulations may materially affect the financial statements.


As with the system of internal control, an audit cannot be expected to detect non-compliance with all the laws and regulations applicable to a company.  Detection, regardless of materiality, requires consideration of the implications for the integrity of management or employees and the possible effect on other aspects of the audit.


Non-compliance can be intentional or unintentional acts of omission or inclusion by the entity.


Non-compliance is a legal determination and is beyond the auditor’s professional competence.  While an auditor’s experience and training may well provide a basis for recognition, ultimately it can only be determined by a court of law.


The further removed the non-compliance is from the events and transactions normally reflected in the financial statements, the less likely the auditor is to become aware of it or recognise non-compliance.


Responsibility of Management

It is management’s responsibility to ensure that the entity’s operations are conducted in accordance with laws and regulations.  The responsibility for the prevention and detection of non-compliance rests with management.


The following policies and procedures may assist management in discharging its responsibilities:

  • Monitoring legal requirements and ensuring that operating procedures are designed to meet these requirements.
  • Instituting and operating appropriate internal control.
  • Developing, publicising and following a code of conduct.
  • Ensuring employees are properly trained and understand the code of conduct.
  • Monitoring compliance with the code of conduct and acting appropriately to discipline employees who fail to comply with it.
  • Engaging legal advisors to assist in monitoring legal requirements
  • Maintaining a register of significant laws with which the entity has to comply within its particular industry and a record of complaints.


In larger companies, these policies and procedures may be supplemented by an internal audit function and an audit committee possibly split between a legal dept. and a compliance function.


Directors of the company have responsibility to provide information required by the auditor, to which they have a legal right of access.  Such legislation also provides that it is a criminal offence to give the auditor information or explanations which are misleading, false or deceptive.


The auditor’s consideration

The auditor cannot be held responsible for preventing non-compliance, although an annual audit may act as a deterrent.


Even though an audit is properly planned and performed in accordance with standards, there is the unavoidable risk that some material misstatements will not be detected in the financial statements.  The risk is higher with regard to material misstatements resulting from non-compliance with laws and regulations due to factors such as:

  • There are many laws and regulations that typically do not have a material effect on the financial statements (mainly operational aspects) and are not captured by the entity’s information systems.
  • The effectiveness of audit procedures is affected by the inherent limitations of internal control and the use of testing.
  • Much of the audit evidence obtained is persuasive rather than conclusive.
  • Non-compliance may involve conduct designed to conceal it, such as collusion, forgery, omission, senior management override of controls or intentional misrepresentations made to the auditor.


ISA 250 (12-17) states that auditors should plan and perform the audit with an attitude of professional scepticism, recognising that the audit may reveal conditions or events that would lead to questioning whether an entity is complying with laws and regulations.


The auditor would test for compliance with specific laws and regulations only if engaged to do so.


In order to plan the audit, the auditor should obtain a general understanding of the legal and regulatory framework applicable to the entity and the industry and how the entity is complying with that framework.  The auditor should recognise that some laws may give rise to business risks that have a fundamental effect on the operations of the entity.  For example, non-compliance with the licensing laws relating to a bank could force it out of business.


One of the most difficult distinctions in practice is deciding which laws are central to which businesses and when.


To obtain a general understanding of laws and regulations, an auditor would ordinarily:

  • Use the existing understanding of the entity’s industry, regulatory and other external factors.
  • Inquire of management concerning their policies and procedures regarding compliance and as to the laws and regulations that may be expected to have a fundamental effect on the operations of the entity.
  • Discuss with management the policies or procedures adopted for identifying, evaluating and accounting for litigation claims and assessments.
  • Discuss the legal and regulatory framework with auditors of subsidiaries.


ISA 250 (18-29) lays out that, after obtaining the general understanding, the auditor should design procedures to help identify possible or actual instances of non-compliance with the laws and regulations which are central to the entity’s ability to conduct its business and hence to its financial statements.


Further, the auditor should obtain sufficient, appropriate audit evidence about compliance with those laws and regulations, which the auditor recognises as having an effect on the determination of material amounts and disclosures in the financial statements.

Some of these laws and regulations include ones which prohibit a company from making distributions except out of distributable profits, and laws which require the auditor to expressly report on non-compliance, such as maintenance of proper books of account or disclosures of directors’ remuneration.


Other than those mentioned above, the auditor does not perform other audit procedures on the entity’s compliance since this would be outside the scope of the audit.


The auditor should be alert to the fact that audit procedures applied for the purposes of forming an opinion on the financial statements, such as reading of minutes, may highlight possible instances of non-compliance.  In addition, non-compliance issues might incur obligations for audit firms to report money laundering offences.


It should be noted though that there is a distinction between checking systems of compliance and checking actual compliance.


The auditor should obtain written representations from management that they have disclosed to the auditor all known actual or possible non-compliance with laws and regulations whose effects should be considered when preparing the financial statements.  In addition, where applicable, the written representations should include the actual or contingent consequences which may arise from the non-compliance.


In the absence of audit evidence to the contrary, the auditor is entitled to assume the entity is compliant with these laws and regulations.


The auditor’s responsibility in expressing an opinion on financial statements does not extend to determining whether the entity has complied in every respect with tax legislation.  The auditor only needs sufficient audit evidence to give a reasonable assurance that the tax amounts in the financial statements are not materially misstated.


ISA 250 A1 – A21 gives a number of examples where non-compliance may have occurred.


What to do when non-compliance is discovered

When the auditor becomes aware of non-compliance, the auditor should obtain an understanding of the nature of the act and the circumstances in which it has occurred, and sufficient other information to evaluate the possible effect on the financial statements.


The auditor must consider:

  • The potential financial consequences such as fines, penalties and/or litigation.
  • Whether the potential financial consequences require disclosure.
  • Whether these consequences are so serious they call into question the truth and fairness of the accounts.


When the auditor believes there is non-compliance, he must document the findings and discuss them with management.  Bear in mind that the discussions with management should be subject to compliance with legislation relating to “tipping off”, particularly with any requirement to report findings direct to a third party.


When adequate information about suspected non-compliance cannot be obtained, the auditor should consider the effect of the lack of sufficient appropriate audit evidence on the audit report.  He should consider the implications in relation to the reliability of management representations.


Reporting of non-compliance

As soon as possible, the auditor should communicate with management, or obtain audit evidence that management are appropriately informed, regarding non-compliance that comes to the auditor’s attention.  If, in the auditor’s judgment, the non-compliance is intentional and/or material, the auditor should communicate without delay.


If the auditor suspects senior management, then he should communicate to the next higher level, such as the audit committee.  Failing that, he should seek legal advice.


In the case of money laundering it may be appropriate to report the matter direct to the appropriate authority.


Audit report implications

  • If the auditor concludes that the non-compliance has a material effect on the accounts and has not been properly reflected, he should express a qualified or adverse opinion.
  • If the auditor has not been able to obtain sufficient evidence to evaluate whether a material non-compliance has occurred, he should qualify his report or issue a disclaimer of opinion on the basis of a scope limitation.


Third party reporting

Although the auditor has a duty of confidentiality, where non-compliance gives rise to a statutory duty to report, the auditor should do so without undue delay.


Withdrawal from the engagement

The auditor may conclude that withdrawal is necessary when remedial action is not taken, even when the non-compliance is not material.  Resignation is a step of last resort.


Money Laundering

Money laundering has been a very hot topic in recent times.


Money laundering is the process by which criminals attempt to conceal the true origin and ownership of the proceeds of their criminal activity, allowing them to maintain control over the proceeds and ultimately, providing a legitimate cover for the source of their income.


Anti-money laundering legislation imposes a duty to report money laundering in respect of the proceeds of all crime.  Audit firms are required to report suspicions that a criminal offence has been committed, regardless of whether the offence has been committed by a client or by a third party.  In addition, they need to be alert to the danger of making disclosures that are likely to tip off a money launderer, as this is a criminal offence.


There is no legal right not to make a report and the auditor is not constrained by his professional duty of confidence, although in all cases any such reporting must be made in good faith.  In this case, he is protected by law from having the client take a civil case against him.  However, if he did not have reasonable grounds on which to make a report to a third party, he may be sued by his client for breach of confidentiality.


Under legislation, all businesses (including audit firms) are required to set up systems to prevent money laundering such as:

  • Appointing a money laundering reporting officer, who reports direct to the Police.
  • Undertaking customer due diligence, mandatory verification of identification.
  • Reporting suspicions of money laundering.
  • Maintaining specific records, for a minimum period of five years.
  • Putting in place internal controls to ensure continued compliance with the legislation.
  • Training staff in all of these issues.


Failure to do these is a criminal offence.


Problems for auditors

The duty of confidentiality, which will probably require further ethical guidance, is a problem for the auditor, although firms should not risk breaking the law by not reporting.


Normal reporting requirements may conflict with money laundering offences.

For example, reporting a suspicion may have a material impact on the accounts which should be disclosed to the shareholders in an audit report.  However, this may be considered to be tipping off.  Even resigning your position could be seen as tipping off.


Question 5.1 


There has been an increase in the size of audit firms and this has been a source of concern to regulators and clients.  Some audit firms feel that mergers between the largest firms of auditors are necessary in order to meet the global demand for their services.  However, clients are concerned that such mergers will create a monopolistic market for audit services which will not be in anyone’s best interests.


You are required to explain why:

  1. The larger audit firms might wish to merge.
  2. These mergers have the potential to create problems.


Question 5.2


A key risk facing audit firms is that their business will fail.  What factors cause this risk?


Question 5.3


Explain how an audit can be lost due to its size.


Question 5.4


Read Ltd carries on a wholesale book operation.  To the end of 2010 the growth in turnover to RWF25m has continued to match the rate of inflation.  Costs have been contained by reducing staff numbers from 96 to 90.  The asset turnover is holding at five times.  The accountant has prepared draft accounts and has included a directors’ responsibilities statement.

“The directors are required by company law to prepare financial statements for each financial period which give a true and fair view of the state of affairs of the group as at the end of the financial period and of the profit and loss for that period.  In preparing the financial statements, suitable accounting policies have been used and applied consistently, and reasonable and prudent judgment and estimates have been made, applicable accounting standards have been followed.  The directors are also responsible for maintaining adequate accounting records, for safeguarding the assets of the group and for preventing and detecting fraud and other irregularities.”

On reading the statement, a director comments that the statement included aspects he had always assumed were the responsibility of the auditor and complained about all these irrelevant new rules.


He requested that the accountant should prepare a memo for the board of directors explaining what is going on.


Assume you are the accountant and draft a memo for the board explaining:

  1. The background to the directors’ responsibilities statement and its inclusion in the annual report
  2. What is meant by a true and fair view and how the board can assess whether the financial statements give a true and fair view and recommend adequate steps for safeguarding the assets and preventing and detecting fraud.