Audit Manual

Cowater File No. 00.
622
Project for Improvement of Financial Reporting and Auditing (PIFRA)

Audit Component - Credit #2921 PAK
AUDIT COMPONENT No. 100
Financial Audit Manual
Prepared for:
The Department of the Auditor-General of Pakistan
Prepared by:
Cowater International Inc., Ottawa, Canada
April 2005
1. ORGANISATION AND PURPOSE OF THE MANUAL
1.1 Purpose of the Audit Manual

The purpose of this Audit Manual is to provide DAGP auditors with a set of modem auditing
standards, concepts, techniques, and quality assurance arrangements that are consistent with
international standards, for auditing entities in the Government of Pakistan. The Manual
covers the entire audit cycle from planning to follow up.
This Audit Manual lays out what is expected of the auditors of the Department of the Auditor-
General of Pakistan (DAGP). It provides the standards by which the audits are to be
conducted. It provides guidance with regard to the methods and approaches to audit that can
be applied by the auditors in carrying out their duties.
1.2 Types of audits dealt with

This Manual focuses on regulatory audit, as defined by INTOSAI Auditing Standards, which
have been adopted by the Department of the Office of the Auditor-General of Pakistan.
Regulatory audit embraces:

• Attestation of financial accountability of accountable entities, involving examination of
financial records and expression of opinions on financial statements;
• Attestation of financial accountability of the government administration as a whole;
• Audit of financial systems and transactions, including an evaluation of compliance with
applicable statutes and regulations;
• Audit of internal controls and internal audit functions;
• Audit of the probity and propriety of administrative decisions taken within the audited
entity; and,
• Reporting of any other matters arising from or relating to the audit that DAGP considers
should be disclosed.
1.3 Audit entities dealt with

DAGP’s mandate includes the audit of federal, provincial and district government accounts
which encompass government ministries, departments and agencies, self-accounting entities
and exempt entities. The types of entities being audited include financial institutions,
commercial entities, public utilities, and tax-collecting entities.
1.4 Accounting Responsibility Structure of the Government of

Pakistan
The following is a brief summary of the accounting structure of the Pakistan government.
Federal government. The Controller General of Accounts (CGA) has primary responsibility
for the completeness and accuracy of the Federation’s financial statements. Reporting to the
CGA, the Accountant General Pakistan Revenues (AGPR) is responsible for the centralised
Audit Manual - Chapter 1 1-1

accounting and reporting of federal transactions. Additionally the AGPR is responsible for the
consolidation of summarised financial information prepared by federal self-accounting entities.
The AGPR receives accounts and reports from the sub-offices of the AGPR, district accounts
officers, principal accounting officers of self accounting entities, federal treasuries and the
State Bank of Pakistan/National Bank of Pakistan. The AGPR, in turn, provides annual
accounts to the CGA.
There are AGPR sub-offices in each of the provinces that act as the district accounts officers
in respect of federal government transactions.
Provincial governments. The CGA also has primary responsibility for the completeness and
accuracy of the financial statements of the provincial governments.
Reporting to the CGA, the accountant general of each province is responsible for the
centralised accounting and reporting functions within his/her respective province.
District governments. Each province is divided into districts. The district coordination officer
of each district is the principal accounting officer of that district. The district coordination
officer is supported by executive district officers who, in turn, supervise offices headed by
drawing and disbursing officers.
Principal Accounting Officers (PAOs). Each ministry and department has a PAO. For the self
accounting entities, the PAOs have been delegated authority to maintain their own accounts.
They provide monthly accounting data to the AGPR and to the accountant generals.
District Accounts Officers (DAOs). The DAOs are responsible for the accounting functions of
the districts. They have authority to pre-audit bills, issue payments, and record government
transactions at the district level. They receive reports from the drawing and disbursing officers
and bank scrolls from the State Bank of Pakistan/National Bank of Pakistan. They report
district and provincial transactions to the Accountant General responsible for the province in
which their districts are located. They also report federal transactions to the AGPR.
Departmental treasuries. Departmental treasuries are established to record specific accounting

transactions such as income and sales taxes and customs duties.
Drawing and Disbursing Officers (DDOs) . The DDOs are responsible for the accounting, cash
and personnel functions of specific entities. They submit bills for pre-audit to the district
accounts officers, and report to the district coordination officer of each district. They also
report to the principal accounting officer of their entity.
DAGP’s mandate includes the audit of the entire process described above.
1.5 Stages of audit work dealt with

This Manual covers the entire audit cycle for both the financial attestation and compliance
with controls aspects of regulatory audits, including planning, fieldwork, evaluation of
findings, reporting and follow up. While many of the same procedures apply to both
attestation and compliance audit activities, sometimes different approaches are required to
meet specific audit objectives. Where this is the case, the different approaches are described.
This Manual also deals with such quality assurance techniques as supervision and review.
1-2 Audit Manual - Chapter 1

1.6 Organisation of the manual
The Manual begins with several Chapters that provide background material on audits in
general, DAGP’s mandate, and the auditing standards adopted by DAGP.
This is followed by a discussion of DAGP’s management structure and the annual planning
process by which DAGP establishes its departmental goals and resource needs.
The auditors’ responsibilities through the complete audit cycle - the planning, fieldwork,
evaluation, reporting and follow-up of individual audits - are presented using a framework
adopted, in one form or another, by many SAIs and private sector audit firms around the world.
This framework integrates the auditing concepts for all phases of the audit.
Throughout the manual, various quality assurance procedures are introduced. The Manual
concludes with a summary of these procedures.
The Manual also contains a number of annexes that provide additional details and guidance
material on specific matters, as well as a glossary of the terms used.
1.7 Links to other guidance material

This manual is supported by a standard audit working paper kit and a set of tailored audit
guidelines. This Manual also makes reference to other DAGP documentation in existence at
the time that this Manual was produced.
1.8 Standard audit working paper kit

The kit includes standard audit programme guides, checklists and forms, and a table of
contents that follows a suggested standard working paper indexing scheme.
The kit also includes samples of the various supervision instruments used in DAGP.
1.8.1 Audit guidelines for specialised areas
This Manual and the standard audit working paper kit are applicable to the regulatory audits of
all audit areas. These documents are complemented by tailored audit guidelines that show how
the concepts in the manual, and the programmes, checklists, forms and supervision
instruments in the working paper kit, are applied to perform financial audits in certain specific
audit areas.
1.9 Need for professional judgment

Despite the detailed guidance presented in this Manual, professional judgment is always
required. It is not possible to present guidance material in sufficient detail to eliminate the
need for professional judgment and general knowledge of auditing theory. Nor is it possible to
select one audit approach and mandate its use in all circumstances.
There are many possible approaches to obtaining the required level of audit assurance, each
appropriate in certain circumstances. The auditor must be prepared to consider the
circumstances of each audit and determine the best approach.

1.10 Updating the Audit Manual
DAGP’s work, like the work of any SAI, continues to evolve. Consequently, this Manual
should be periodically up-dated to ensure that it reflects the current policies and procedures of
the office and to provide the most appropriate assistance to the auditors. Each auditor is
therefore encouraged to identify areas in which the Manual requires updating or enhancement.
With appropriate up-dating, this Manual will continue to provide a clear statement of the
authorities, responsibilities and policies of DAGP and a practical guide to auditors as they
carry out their responsibilities in a professional and conscientious manner.

2. ROLE OF THE AUDITOR-GENERAL
2.1 Parliamentary Control and Public Accountability

Accountability of elected officials and the public servants that implement their policies is a
cornerstone of democratic government. In Pakistan, the government is formed of elected
representatives of the people, and is required by the Constitution to seek a fresh mandate every
five years.
To ensure the administrative machinery of the government performs its functions in

accordance with the aspirations of the people, the National Assembly (lower house of the
Parliament) and the four Provincial Assemblies constitute Standing Committees on Public
Accounts (PACs). The PACs are mandated to oversee the implementation of government
policies and programmes.
The Government departments and agencies are held accountable for any major departure from
the approved budget and for significant violations of rules and regulations. The Auditor-
General of Pakistan reviews the financial statements submitted by each Government
department and agency and reports findings to the President and Provincial Governors who
submit them to the National and Provincial Assemblies respectively. The legislatures assign
these reports to the PACs for detailed scrutiny. Each PAC holds hearings at which secretaries
of the ministry, divisions and departments submit their responses to the Auditor-General’s
observations. Based on this testimony, each PAC then makes its recommendations to the
National Assembly. This process ensures that departments and agencies are accountable to
government for implementation of policies in accordance with regulations.
2.2 Introduction to Auditing

Auditing is the process by which the Auditor-General of Pakistan (or such officer of the
department as may be authorised in this regard by general or special order) evaluates the
financial statements that have been submitted for audit by the ministries, departments and
agencies, against the government’s accounting and financial administration policies to enable
them to prepare a report or state an opinion on the financial statements.
Section 3.4 of DAGP’s Auditing Standards requires that a financial audit will include a test of
compliance with applicable laws and regulations.
To ensure that an audit has value, it should be conducted in accordance with generally
accepted auditing standards (GAAS). These standards have developed over many generations
of auditors around the world to provide the basis for ensuring complete, accurate, honest and
transparent reporting of financial operations.
2.3 Legislative Basis

The authority under which the Auditor-General of Pakistan conducts audits is given by Article
169 of the Constitution of the Islamic Republic of Pakistan. In addition, Articles 168 to 171
also relate to the work of the Auditor-General.
Until 1 July 2001, most of DAGP’s audit work was performed under Articles 168 to 171 of the
Constitution, and the Pakistan (Audit and Accounts) Order, 1973.

Effective 1 July 2001, the Pakistan (Audit and Accounts) Order, 1973 was replaced by the
following two ordinances:
• Auditor-General’s (Functions, Powers and Terms and Conditions of Service) Ordinance,
2001 (Auditor-General Ordinance); and
• Controller General of Accounts (Appointment, Functions and Powers) Ordinance, 2001
(Controller General Ordinance).
Among other things, these ordinances elaborate on the functions, powers and responsibilities
of the Auditor-General of Pakistan in line with the provisions of Article 169 of the
Constitution.
Section 7 of the Auditor-General’s (Functions, Powers and Terms and Conditions of Service)
Ordinance, 2001 (Auditor-General Ordinance) states that “The Auditor-General shall, on the
basis o f such audit as he may consider appropriate and necessary, certify the accounts ” ... “o f
the Federation, o f each Province and o f each district”. A financial attestation audit leads to
the certifications called for in Section 7 of the Auditor-General Ordinance.
In addition, Section 8 of the Auditor-General Ordinance mandates an audit of expenditures of

the Federation and of each province and Section 12 of the Auditor-General Ordinance
mandates an audit of the receipts of the Federal Government and of each Province and each
district.
2.4 Vision, Mission and Values

DAGP has developed a set of guiding principles for the exercise of its mandate. These
principles - the Vision, Mission and Values - are as follows:
The Vision of DAGP is to add value to public resources.
The Mission of DAGP is to develop our auditing and accounting capabilities to establish
ourselves as a credible professional institution that promotes good governance and public
accountability.
The Values held by DAGP are:
Accountability. DAGP holds itself accountable for the achievement of its vision, mission, and
these stated values.
Professionalism. DAGP conducts all of its activities in an open, transparent, disciplined and
highly ethical manner that is worthy of professional respect and trust.
Integrity. DAGP takes an objective, fair, honest and balanced approach to all of its activities.
Excellence. DAGP strives for excellence in all of its activities.
Reliability. DAGP produces high quality products that are timely, accurate, useful, clear and
candid.

Cooperative and constructive spirit. DAGP works with parliamentarians and with its audit
entities, staff, suppliers, consultants and other parties with whom it deals in a professional,
cooperative and constructive manner.
Innovative spirit. DAGP constantly looks for ways to improve its audit practices, operations
and other activities.
Making a difference. DAGP constantly looks for ways to improve the operations of the entities
that it audits.
Risk managers. DAGP managers and staff are encouraged to accept challenges, and to take
and manage the risks required for DAGP to achieve its vision, mission and stated values.
Open communications. DAGP maintains open and timely communications with

parliamentarians and with its audit entities, staff, suppliers, consultants and other parties with
whom it deals.
A respectful workplace. DAGP provides a workplace in which a diverse workforce can strive
for excellence and professional competence, and where individuals can realise their full career
potential.

3. THE JOB OF THE AUDITOR
The auditor is a professional with a special role to play in ensuring the integrity of the
operations of the Government of Pakistan and safeguarding its assets. As such the auditor
must fulfil certain expectations with respect to performance of duties and ethical conduct. The
auditor is employed pursuant to a set of formal conditions and should expect appropriate
protection in the fulfilment of his or her responsibilities. These issues are outlined below.
3.1 Expectations
Auditors work in teams. Audit teams perform their work in accordance with DAGP’s
Auditing Standards, which are described in detail in Chapter 4. The audit teams should fulfil a
number of general expectations in performing their duties:
• At least one auditor within the audit team should be fully conversant with the rules and
regulations concerning the accounts to be audited.
• The audit team should subject the audit entity to a complete and thorough check according
to the audit programme within the constraints of the time available. Any failure to
complete the prescribed audit programme must be reported clearly and fully to the Audit
Manager.
• Each auditor is expected to use professional judgment in carrying out all aspects of an
audit programme.
• Although it is not the responsibility of the auditor to detect fraud, every auditor is expected
to take appropriate action wherever a situation of fraud is suspected.
3.2 Conditions of Employment

The conditions of employment of auditors within DAGP have been formally and extensively
documented in the Auditor-General’s Manual of Standing Orders. Please refer to the Manual
of Standing Orders for details.
3.3 Code of Ethics

Introduction
Concept, Background and Purpose of the Code of Ethics
1. The Auditor General of Pakistan (AGP) has deemed it essential to establish a Code of
Ethics for auditors in the public sector.
2. This Code of Ethics is a comprehensive statement of the values and principles which
should guide the daily work of auditors. The independence, powers and responsibilities of
the public sector auditor place high ethical demands on the Department of the Auditor
General of Pakistan and the staff deployed on audit work. This code of ethics for auditors
in the public sector outlines the ethical precepts of civil servants in general and the
particular requirement of auditors, including the latter’s professional obligations.
3. With the Lima Declaration of Guidelines on Auditing Precepts as its foundation, this Code
of Ethics should be seen as a necessary complement, reinforcing the Auditing Standards

issued by the Auditor General of Pakistan in June 2002 in line with INTOSAI Code of
Ethics and Auditing Standards.
4. The Code Ethics is directed at the individual auditor, the Auditor-General of Pakistan,
executive officers and all individuals working for or on behalf of the AGP who are
involved in audit work.
It is the responsibility of the AGP to ensure that all its auditors acquaint themselves with
the values and principles contained in this Code of Ethics and act accordingly.
5. The conduct of auditors should be beyond reproach at all times and in all circumstances.
Any deficiency in their professional conduct or any improper conduct in their personal life
places the integrity of auditors, The Department of AGP that they represent, and the
quality and validity of their audit work, in an unfavourable light, and may raise doubts
about the reliability and competence of the Department of the AGP itself. This code of
ethics for auditors should promote trust and confidence in the auditors and their work.
6. It is of fundamental importance that the Department of the AGP is looked upon with trust,
confidence and credibility. The auditor promotes this by adopting and applying the ethical
requirements of the concepts embodied in the key words Integrity, Independence and
Objectivity, Confidentiality and Competence.
Trust, Confidence and Credibility
7. The legislative and/or executive authority, the general public and the audited entities are
entitled to expect the conduct and approach of the officers and the staff of the Department
of the AGP to be above suspicion and reproach and worthy of respect and trust.
8. Auditors should conduct themselves in a manner which promotes co-operation and good
relations among themselves and within the profession. The support of the profession by its
members and their co-operation with one another are essential elements of professional
character. The public confidence and respect that an auditor enjoys is largely the result of
the cumulative accomplishments of all auditors, past and present. It is therefore in the
interest of auditors, and the public, for auditors to conduct themselves in a fair and
balanced way.
9. The legislative and/or executive authority, the general public and the audited entities
should be fully assured of the fairness and impartiality of all the work the Department of
the AGP.
10. In all parts of society there is a need for credibility. It is therefore essential that the reports
and opinions of the Department of the AGP are considered to be thoroughly accurate and
reliable by knowledgeable third parties.
11. All work performed by the Department of the AGP must stand the test of legislative and
executive scrutiny, public judgments on propriety, and examination against this Code of
Ethics.
Integrity
12. Integrity is the core value of this Code of Ethics. Auditors have a duty to adhere to high
standards of behaviour (e.g. honesty and candidness) in the course of their work and in

their relationships with the staff of audited entities. In order to sustain public confidence,
the conduct of auditors should be above suspicion and reproach.
13. Integrity, including financial, moral, and intellectual integrity, can be measured in terms of
what is right and just. Integrity requires auditors to observe both the form and the spirit of
auditing and ethical standards. Integrity also requires auditors to observe the principles of
independence and objectivity, maintain irreproachable standards professional conduct,
make decisions with the public interest in mind, and apply absolute honesty in carrying out
their work and in handling the resources of the Department of the AGP.
Independence, Objectivity and Impartiality
14. Independence from the audited entity and other outside interest groups is indispensable for
auditors. This implies that auditors should behave in a way that increases, or in no way
diminishes, their independence.
15. Auditors should strive not only to be independent of audited entities and other interested
groups, but also to be objective in dealing with the issues and topics under review.
16. It is essential that auditors are independent and impartial, not only in fact but also in
appearance.
17. In all matters relating to the audit work, the independence of auditors should not be
impaired by personal or external influence. Independence may be impaired, for example,
by external pressure or influence on auditors; prejudices held by auditors about
individuals, audited entities, projects or programmes; recent previous employment with the
audited entity; or personal or financial dealings which might cause conflicts of loyalties or
of interests. Auditors have an obligation to refrain from becoming involved in all matters
in which they have a vested interest.
18. There is need for objectivity and impartiality in all work conducted by auditors,
particularly in their reports, which should be accurate and objective. Conclusions in
opinions and reports should, therefore, be based exclusively on evidence obtained and
assembled in accordance with the auditing standards of the Department of the AGP.
19. Auditors should make use of information brought forward by the audited entity and other
parties. This information is to be taken into account in the opinions expressed by the
auditors in an impartial way. The auditor should also gather information about the views
of the audited entity and other parties. However, the auditor’s own conclusions should not
be affected by such views.
Political neutrality
20. It is important to maintain both the actual and perceived political neutrality of the
Department of the AGP. Therefore, it is important that auditors maintain their
independence from political influence in order to discharge their audit responsibilities in
an impartial way. This is relevant for auditors since Department of the AGP works closely
with the legislative authorities, which is empowered by law to consider the reports of the
AGP.

Conflicts of interest
21. When auditors are permitted to provide advice or services other than audit to an audited
entity, care should be taken that these services do not lead to a conflict of interest. In
particular, auditors should ensure that such advice or services do not include management
responsibilities or powers, which must remain firmly with the management of the audited
entity.
22. Auditors should protect their independence and avoid any possible conflict of interest by
refusing gifts or gratuities that could influence or be perceived as influencing their
independence and integrity. Government servants, Conduct Rules, 1964 shall also apply in
this regard.
23. Auditors should avoid all relationships with managers and staff in the audited entity and
other parties that may influence, compromise or threaten the ability of auditors to act and
be seen to be acting independently.
24. Auditors should not use their official position for private purposes and should avoid
relationships that involve the risk of corruption or may raise doubts about their objectivity
and independence.
25. Auditors should not use information received in the performance of their duties as a means
of securing personal benefit for themselves or for others. Neither should they divulge
information that would provide unfair or unreasonable advantage to other individuals or
organisations, nor should they use such information as means for harming others.
Professional Secrecy
26. Auditors should not disclose information obtained in the auditing process to third parties,
either orally or in writing, except for the purposes of meeting the statutory or other
identified responsibilities of the Department of the AGP as part of its normal procedures or
in accordance with relevant laws.
Competence
27. Auditors have a duty to conduct themselves in a professional manner at all times and to
apply high professional standards in carrying out their work to enable them to perform
their duties competently and with impartiality.
28. Auditors must not undertake work they are not competent to perform.
29. Auditors should know and follow applicable auditing, accounting, and financial
management standards, policies, procedures and practices. Likewise, they must possess a
good understanding of the constitutional, legal and institutional principles and standards
governing the operations of the audited entity.
Professional Development
30. Auditors should exercise due professional care in conducting and supervising the audit and
in preparing related reports.

31. Auditors should use methods and practices of the highest possible quality in their audits.
In the conduct of the audit and the issue of reports, auditors have a duty to adhere to basic
principles and generally accepted auditing standards.
32. The Department of the AGP has a continuous obligation to update and improve the skills
of officers and staff in the discharge of their professional responsibilities.
Glossary
The terms used in this Code of Ethics have the same interpretation or definition as those used
in the Auditing Standards.
3.4 Protection of the Auditor

Auditors must have the freedom to carry out audits in a conscientious and thorough manner.
There is an onus on the auditor to carry out the audits in a fair, objective and courteous manner
(and comply with the Code of Ethics presented in the Section above). In turn, the auditor
expects to receive cooperation and courtesy from those being audited.
Any serious attempts to hinder or impede the conduct of the audit should be brought to the
attention of the Audit Manager. Any concern of possible intimidation or threat to the auditor
must be taken seriously both by the auditor and the management of DAGP. A formal process
should be followed wherever the auditor, or the conduct of the audit, is threatened, or a risk of
impedance is perceived. This process involves the following steps:
• Whenever the auditor senses any problems in the conduct of the audit, he/she should
ensure that all meetings are held with at least two auditors present and that notes of these
meetings are clearly documented;
• The auditor should inform his/her supervisor or Audit Manager in writing of any serious
incidents or concerns with specific details of what transpired;
• A course of action is proposed by the Audit Manager, if necessary, in consultation with
senior management within DAGP;
• Depending on the seriousness of the situation, and the nature of the problem, one or more
of the following courses of action should be implemented:
* The Audit Manager raises the issue with the Principal Accounting Officer, or equivalent;
* A letter, signed by the Auditor-General or Deputy Auditor-General, is submitted to the
Principal Accounting Officer, or equivalent, and/or sent to the Controller General;
* The composition of the audit team is changed;
* If necessary, after consultation with the Auditor-General, seek a legal opinion or other
course of action; and
• Whenever an individual auditor is not satisfied with the action taken, they have the right to
report their concern to the Assistant Auditor-General, Personnel, a Deputy Auditor-
General or the Auditor-General.

4. DAGP AUDIT STANDARDS
4.1 Basic Principles in Government Auditing
4.1.1 The general framework of the auditing standards of the Auditor General of Pakistan is
based on the principles of the latest INTOSAI Auditing Standards.
4.1.2 The INTOSAI auditing standards consist of four parts.

a) Basic principles
b) General standards
c) Field standards
d) Reporting standards
These standards have been developed to provide a framework for the establishment of
procedures and practices to be followed in the conduct of an audit, including audits of
computer-based systems. They should be viewed in the context of the particular
constitutional and legal provisions applicable to the Department of the Auditor General of
Pakistan.
4.1.3 The basic principles for auditing standards are basic assumptions, consistent premises,
logical principles and requirements which help in developing auditing standards and
serve the auditors in forming their opinions and reports, particularly in cases where no
specific standards apply.
4.1.4 Auditing standards should be consistent with the principles of auditing: They also
provide guidance for the auditor that helps determine the extent of auditing steps and
procedures that should be applied in the audit. Auditing Standards constitute the
criteria or yardsticks against which the quality of the audit results are evaluated.
4.1.5 Interpretations, explanation and amendments of these standards are the prerogative and
responsibility of the AGP.
4.1.6 The basic principles are:
a) The Department of the AGP will ensure compliance with the auditing standards in all
matters that are deemed material. These standards will be applied to ensure that the
work is of consistently high quality.
b) The Department of the AGP shall apply its own judgment to the diverse situations that
arise in the course of government auditing (see paragraph 4.1.14)
c) With increased public consciousness, the demand for public accountability of persons
or entities managing public resources has become increasingly evident so that there is
a need for the accountability process to be in place and operating effectively (see
paragraph 4.1.19)
d) Development of adequate information, control, evaluation and reporting systems

within the government will facilitate the accountability process. Management is
responsible for correctness and sufficiency of the form and content of the financial
reports and other information (see paragraph 4.1.21)

e) Appropriate authorities should ensure the promulgation of acceptable accounting
standards for financial reporting and disclosure relevant to the need of the government,
and audited entities should develop specific and measurable objectives and
performance targets (see paragraph 4.1.23)
f) Consistent application of acceptable accounting standards should result in the fair

presentation of the financial position and the results of operations (see paragraph
4.1.26)
g) The existence of an adequate system of internal control minimises the risk of errors
and irregularities (see paragraph 4.1.28)
h) Legislative enactments would facilitate the co-operation of audited entities in

maintaining and providing access to all relevant data necessary for a comprehensive
assessment of the activities under audit (see paragraph 4.1.30)
i) All audit activities should be within the audit mandate of the Auditor General of
Pakistan (see paragraph 4.1.32)
j) The Department of the AGP shall work towards improving techniques for auditing the
validity of performance measures (see paragraph 4.1.41)
4.1.7 The following paragraphs discuss the importance of the basic principles for auditing.
4.1.8 The basic auditing principles stipulate that:
The Department of the AGP shall ensure compliance with the auditing standards in all
matters that are defined as material. These standards will be applied to ensure that the
work is of consistently high quality.
4.1.9 In general terms, a matter may be judged material if knowledge of it would be likely to
influence the user of the financial statements or the performance audit report.
4.1.10 Materiality is often considered in terms of value but the inherent nature or
characteristics of an item or group of items may also render a matter material—for
example, where the law or regulation requires it to be disclosed separately regardless
of the amount involved.
4.1.11 In addition to materiality by value and by nature, a matter may be material because of
the context in which it occurs. For example, considering an item in relation to:
a) The overall view given to the financial information;
b) The total of which it forms a part;
c) Associated terms and issues;
d) The corresponding amount in previous years.
4.1.12 Sometimes the Department of the AGP carries out activities that by strict definition do
not qualify as audits, but which contribute to better government, e.g., (a) gathering

data without conducting substantial analysis, (b) legal work, (c) an assistance mission
for members of the elected Assemblies as regards investigations and consultations of
files of the Department of the AGP. These non-audit activities provide valuable
information to decision-makers and should be of consistently high quality.
4.1.13 To ensure that high quality work is done, appropriate standards must be followed. The
objectives of the particular type of work or the particular assignment should dictate the
specific standards that are followed. The Department of the AGP shall establish a
policy for implementing these standards to ensure that the work and products are of
high quality.
The Department of the AGP shall apply its own judgment to the diverse situations that
arise in the course of government auditing (see paragraph 4.1.6b)
4.1.15 Audit evidence plays an important part in the auditor’s decision concerning the
selection of issues and areas for the audit and the nature, timing and extent of audit
tests and procedures.
4.1.16 The terms of the audit mandate with which the Department of the AGP is endowed
override any accounting or auditing conventions with which they conflict, and hence
have a crucial bearing on the auditing standards that the Department applies.
4.1.17 The Department of the AGP must judge the extent to which external auditing
standards are compatible with the fulfilment of its mandate.
4.1.18 For some elements of the mandate of the AGP, particularly in regard to the audit of
financial statements, the audit objectives may be akin to the objectives of audits in the
private sector. Correspondingly, private sector standards for the financial statements
auditing which are promulgated by official regulatory bodies might be applicable to
the government auditor.
With increased public consciousness, the demand for the public accountability of persons
or entities managing resources has become increasingly evident so that there is a greater
need for the accountability process to be in place and operating effectively (see
paragraph 4.1.6c)
4.1.20 Public enterprises are also required to fulfil public accountability obligations. Public
enterprises may include commercial undertakings, e.g. entities established by statute or
executive order or in which the Government has a controlling interest. Irrespective of
the manner in which they are constituted, their functions, degree of autonomy or
funding arrangements, such entities are ultimately accountable to the respective
legislature.
Development of adequate information, control, evaluation and reporting systems within

the government will facilitate the accountability process. Management is responsible for

correctness and sufficiency of the form and content of the financial reports and other
information (see paragraph 4.1.6d)
4.1.22 The correctness and sufficiency of the financial reports and statements are the entity’s
expression of the financial position and the results of operations. It is also the entity’s
obligation to design a practical system which will provide relevant and reliable
information.
Appropriate authorities should ensure the promulgation of acceptable accounting

standards for financial reporting and disclosure relevant to the needs of the government,
and audited entities should develop specific and measurable objectives and performance
targets (see paragraph 4.1.6e)
4.1.24 The Department of the AGP shall work with the accounting standards setting
organisations to help ensure that proper accounting standards are issued for the
government.
4.1.25 The Department of the AGP shall also recommend to the audited entities that
measurable and clearly stated objectives be established and that performance targets be
set for these objectives.
Consistent application of acceptable accounting standards should result in the fair

presentation of the financial position and the results of operations (see paragraph 4.1.6f)
4.1.27 The assumption that consistency in application of accounting standards is a

prerequisite of fairness means that an audited entity must comply with accounting
standards appropriate in the circumstances, as well as the requirements of applying
such accounting standards in a consistent manner. An auditor should not consider
compliance with accounting standards in a consistent manner as a definitive proof of
presenting fairly the various financial reports. Fairness is an expression of an auditor’s
opinion that goes beyond the limits of consistent application of accounting standards.
Such an assumption emphasises that the auditing standards are no more than the
minimum requirements for an auditor’s obligation. Going beyond that minimum is for
the auditor’s judgment.
The existence of an adequate system of internal control minimises the risk of errors or
irregularities (see paragraph 4.1.6g)
4.1.29 It is the responsibility of the audited entity to develop adequate internal control
systems to protect its resources. It is not the auditor’s responsibility. It is also the
obligation of the audited entity to ensure that controls are in place and functioning to
help ensure that applicable statutes and regulations are complied with, and that probity
and propriety are observed in decision making. However, this does not relieve the
auditor from submitting proposals and recommendations to the audited entity where
controls are found to be inadequate or missing.

4.1.30 The Basic auditing principles stipulate that:
Legislative enactments would facilitate the co-operation of audited entities in

maintaining and providing access to all relevant data necessary for a comprehensive
assessment of the activities under audit (see paragraph 4.1.6h)
4.1.31 The Department of the AGP must have access to the sources of information and data
as well as access to officials and employees of the audited entity in order to carry out
properly its audit responsibilities. Enactment of legislative requirements for access by
the auditor to such information and personnel will help minimise future problems in
this area.
All audit activities should be within the audit mandate of the AGP (see paragraph 4.1.6i)
4.1.33 The essential function of the department of the AGP is to uphold and promote public
accountability. This jurisdictional function requires the Department to make sure that
whoever is charged with dealing with public funds is accountable to it and is in this
regard subject to its jurisdiction.
4.1.34 There exists an important complementarity between this jurisdictional authority and
the other characteristics of audit. This characteristic should be viewed as a part of the
logic of the general objective pursued by external audit and more particularly those
which relate to accounting management.
4.1.35 The full scope of government auditing includes regularity and performance audit.
4.1.36 Regularity audit embraces:
a) Attestation of financial accountability of accountable entities, involving examination

and evaluation of financial records and expression of opinions of financial statements;
b) Attestation of financial accountability of the government administration as a whole;
c) Audit of financial systems and transactions including an evaluation of compliance with

applicable statutes and regulations;
d) Audit of internal control and audit functions;
e) Audit of the probity of administrative decisions taken within the audited entity; and
f) Reporting of any other matters arising from or relating to the audit that the Department
of the AGP considers should be disclosed.
4.1.37 Performance audit is concerned with the audit of economy, efficiency and
effectiveness and embraces:
a) Audit of the economy of administrative activities in accordance with sound

administrative principle and practices, and management policies;

b) Audit of the efficiency of utilisation of human, financial and other resources, including
examination of information systems, performance measures and monitoring
arrangements, and procedures followed by audited entities for remedying identified
deficiencies; and
c) Audit of the effectiveness of performance in relation to the achievement of the

objectives of the audited entity, and audit of the actual impact of activities compared
with the intended impact.
4.1.38 In practice there can be an overlap between regularity and performance auditing, and
in such cases classification of a particular audit will depend on the primary purpose of
that audit.
4.1.39 The mandate of the Department of the AGP shall clearly delineate its powers and
responsibilities in relation to performance auditing in all areas of government activity,
among other things to facilitate the application of appropriate auditing standards.
4.1.40 Public accountability will be more effectively promoted where the mandate enables
the Department of the AGP to conduct, or direct the conduct of, regularity and
performance auditing of all public enterprises.
4.1.41 The general auditing principles stipulate that
The Department of the AGP shall work towards improving techniques for auditing the
validity of performance measures (see paragraph 4.1.6j)
4.1.42 The expanding audit role of the auditors will require them to improve and develop new
techniques and methodologies to assess whether reasonable and valid performance
measures are used by the audited entity. The auditors should avail themselves of
techniques and methodologies of other disciplines.
4.1.43 The scope of the audit mandate will determine the scope of the standards to be applied
by the Department of the AGP.
4.2 General standards in Government Auditing
4.2.1 This section deals with general standards in government auditing. The general
auditing standards describe the qualifications of the auditor and/or the auditing
institution so that they may carry out the tasks related to field and reporting
standards in a competent and effective manner.
4.2.2 The general auditing standards are that the Department of the AGP shall adopt
policies and procedures to:
a) Recruit personnel with suitable qualifications (see paragraph 4.2.3)
b) Develop and train employees of the Department of the AGP to enable them to perform
their tasks effectively, and to define the basis for the advancement of auditors and
other staff (see paragraph 4.2.5)
c) Prepare manual and other written guidance and instructions concerning the conduct of
audit (see paragraph 4.2.13).

d) Support the skills and experience available within the Department of the AGP and
identify the skills which are absent; provide a good distribution of skills to auditing
tasks and assign a sufficient number of persons for the audit; and have proper planning
and supervision to achieve its goals at the required level of due care and concern (see
paragraph 4.2.15)
e) Review the efficiency and effectiveness of the Department internal standards and
procedures (see paragraph 4.2.25)
4.2.3 The general standards for Department of the AGP include:
The Department shall frame policies and develop procedures to recruit personnel with
suitable qualifications (see paragraph 4.2.2a)
The following paragraph explains recruitment as an auditing standard.
4.2.4 Personnel of the Department of the AGP shall possess suitable academic qualifications
and be equipped with appropriate training and experience. The Department shall
establish, and regularly review, minimum educational requirements for the
appointment of auditors.
4.2.5 The general standards include:
The Department shall frame policies and procedures to develop and train its employees
to enable them to perform their tasks effectively and to define the basis for the
advancement of auditors and other staff (see paragraph 4.2.2b)
The following paragraphs explain training and development as an auditing standard.
4.2.6 The Department shall take adequate steps to provide for continuing professional
development of its personnel, including, as appropriate, provision of in-house training
and encouragement of attendance at external courses.
4.2.7 The Department shall maintain an inventory of skills of personnel to assist in the
planning of audits as well as to identify professional development needs.
4.2.8 The Department shall establish and regularly review criteria, including educational
requirements, for the advancement of auditors and other staff of the SAI.
4.2.9 The Department shall also establish and maintain policies and procedures for the
professional development of audit staff regarding the audit techniques and
methodologies applicable to the range of audits it undertakes.
4.2.10 Personnel of the Department of the AGP shall have a good understanding of the
government environment, including such aspects as the role of the legislature, the legal
and institutional arrangements governing the operations of the executive and the
charters of the public enterprises. Likewise, trained audit staff must possess an
adequate knowledge of the Department’s auditing standards, policies, procedures and
practices.

4.2.11 Audit of financial systems, accounting records and financial statements requires
training in accounting and related disciplines as well as a knowledge of applicable
legislation and executive orders affecting the accountability of the audited entity.
Further, the conduct of performance audits may require, in addition to the above,
training in such areas as administration, management, economics and the social
sciences.
4.2.12 The Department shall encourage its personnel to become members of a professional
body relevant to their work and to participate in that body’s activities.
The Department shall adopt policies and develop procedures to prepare manuals and
other written guidance and instructions concerning the conduct of audits (see paragraph
4.2.2c)
The following paragraph explains written guidance as an auditing standard.
4.2.14 Communication to staff of the Department of the AGP by means of circulars

containing guidance, and the maintenance of an up-to-date audit manual setting out its
policies, standards and practices, is important in maintaining the quality of audits.
The Department shall frame policies and develop procedures to support the skills and
experience available within the Department and identify those skills which are absent;
provide a good distribution of skills to auditing tasks and a sufficient number of persons
for the audit and have proper planning and supervision to achieve its goals at the
required level of due care and concern (see paragraph 4.2.2d)
The following paragraphs explain the use o f skills as an auditing standard.
4.2.16 Resources required to undertake each audit need to be assessed so that suitably skilled
staff may be assigned to the work and a control placed on staff resources to be applied
to the audit.
4.2.17 The extent to which academic attainment should be related specifically to the audit
task varies with the type of auditing undertaken. It is not necessary that each auditor
possess competence in all aspects of the audit mandate. However, policies and
procedures governing the assignment of personnel to audit tasks should aim at
deploying personnel who have the auditing skills required by the nature of the audit
task so that the team involved on a particular audit collectively possesses the necessary
skills and expertise.
4.2.18 It shall be open to the Department of the AGP to acquire specialised skills from
external sources if the successful conduct of an audit so requires in order that the audit
findings, conclusions and recommendations are perceptive and soundly based and
reflect an adequate understanding of the subject area of the audit. It is for the
Department of the AGP to judge, in its particular circumstances, to what extent its
requirements are best met by in-house expertise as against employment of outside
experts.

4.2.19 Policies and procedures governing supervision of audits are important factors in the
performance of the SAI’s role at an appropriate level of competence. The Department
of the AGP shall ensure that audits are planned and supervised by auditors who are
competent, knowledgeable in the standards and methodologies, and equipped with an
understanding of the specialities and peculiarities of the environment.
4.2.20 For the audit of financial statements which cover the executive branch of government
as a whole, the audit teams deployed shall be equipped to undertake a co-ordinated
evaluation of departmental accounting systems, as well as of central agency co
ordination arrangement and control mechanisms. Teams will require a knowledge of
the relevant government accounting and control systems, and an adequate expertise in
the auditing techniques applied by the Department to this type of audit.
4.2.21 Unless the Department is equipped to undertake, within a reasonable time-scale, all
relevant audits, including performance audits covering the whole of every audited
entity’s operations, criteria shall be needed for determining the range of audit activities
which, within the audit period or cycle, will give the maximum practicable assurance
regarding performance of public accountability obligations by each audited entity.
4.2.22 In determining the allocation of its resources among different audit activities, the
Department shall give priority to any audit tasks which must, by law, be completed
within a specified time frame. Careful attention shall be given to strategic planning so
as to identify an appropriate order of priority for discretionary audits to be undertaken.
4.2.23 Assignment of priorities compatible with maintaining the quality of performance

across the mandate involve the exercise of judgment by the Department of the AGP in
the light of available information. Maintenance of a portfolio of data pertaining to the
structure, functions and operations of audited entities will assist the department in
identifying areas of materiality and vulnerability and areas holding potential for
improvements in administration.
4.2.24 Before each audit is undertaken proper authorisation for its commencement shall be
given by designated personnel within the Department of the AGP. This authorisation
shall include a clear statement of the objectives of the audit, its scope and focus,
resources to be applied to the audit in terms of skills and quantum, arrangements for
reviews of progress at appropriate points, and the dates by which fieldwork is to be
completed and a report on the audit is to be provided.
The Department of the AGP shall frame polices and develop procedures to review the
efficiency and effectiveness of its internal standards and procedures (see paragraph
4.2.2e)
The following paragraphs explain quality assurance reviews as an auditing standard.
4.2.26 Because of the importance of ensuring a high standard of work by the Department of
the AGP it shall pay particular attention to quality assurance programmes in order to
improve audit performance and results. The benefits to be derived from such
programmes make it essential for appropriate resources to be available for this purpose.
It is important that the use of these resources be matched against the benefits to be
obtained.

4.2.27 The Department of the AGP shall establish systems and procedures to:
a) Confirm that integral quality assurance processes have operated satisfactorily.
b) Ensure the quality of the audit report; and
c) Secure improvements and avoid repetition of weaknesses.
4.2.28 As a further means of ensuring quality of performance, additional to the review of

audit activity by personnel having line responsibility for the audits concerned, the
Department shall establish its own quality assurance arrangements. That is, planning,
conduct and reporting in relation to a sample of audits may be reviewed in depth by
suitably qualified personnel of the Department not involved in those audits, in
consultation with the relevant audit line management regarding the outcome of the
internal quality assurance arrangements and periodic reporting to the top management
of the Department.
4.2.29 It is appropriate for the Department of the AGP to institute their own internal audit
function with a wide charter to assist it to achieve effective management of its own
operations and sustain the quality of its performance.
4.2.30 The quality of the work of the Department shall be enhanced by strengthening internal
review and by independent appraisal of its work.
4.2.31 The Department shall ensure that applicable standards are followed on all audits and
that deviations from the standards which are determined to be appropriate are
documented.
4.3 Standards with Ethical Significance

4.3.1 The general auditing standards include
a) The auditor and the Department of the AGP must be independent (see paragraph 4.3.2)
b) The Department of the AGP shall avoid conflict of interest between the auditor and the
entity under audit (see paragraph 4.3.28)
c) The auditor and the Department of the AGP must possess the required competence
(see paragraph 4.3.30)
d) The auditor and the department of the AGP must exercise due care and concern in
complying with these auditing standards. This embraces due care in planning,
specifying, gathering and evaluating evidence, and in reporting findings, conclusions
and recommendations (see paragraph 4.3.36)
4.3.1 Independence
4.3.2 The general standards for the auditor and the Department of the AGP include:
The auditor and the Department must be independent (see paragraph 4.3.1a)

4.3.3 Whatever the form of government, the need for independence and objectivity in audits
is vital. An adequate degree of independence from both the legislature and the
executive branch of government is essential to the conduct of audit and to the
credibility of its results.
4.3.4 The legislature is one of the main users of the services of the Department of the
Auditor General of Pakistan. It is from the Constitution and the legislation that the SAI
derives its mandate, and a frequent feature of the Department’s function is its reporting
to the legislature. The SAI can be expected to work closely with the legislature,
including with any committees empowered by the legislature to consider its reports.
Such liaison can contribute to effective follow-up of the Department’s work.
4.3.5 The important results of audits of the carrying-out of the budget and of administration
and disputes and disagreements with audited administrations shall be brought to the
attention of the legislative body by way of report or special communication.
4.3.6 Special committees created within the legislative body may be charged with
examining, in the presence of delegates from the audited services and other
representatives, the comments in the reports and special communications of the
Department of the AGP.
4.3.7 The Department of the AGP may give members of the legislature factual briefings on
audit reports, but it is important that it maintains its independence from political
influence, in order to preserve an impartial approach to its audit responsibilities. This
implies that the Department of the AGP shall not be responsive, nor give the
appearance of being responsive, to the wishes of particular political interests.
4.3.8 While the Department of the AGP observes the laws enacted by the legislature,
adequate independence requires that it not otherwise be subject to direction by the
legislature in the programming, planning and conduct of its work in accordance with
its mandate and adopt methodologies appropriate to audits. The Department of the
AGP needs freedom to set priorities and programme the audits to be undertaken.
4.3.9 In cases where the legislature requests the AGP to undertake any audit, the
Department of the AGP shall be free to determine the manner in which it conducts its
work, including those tasks requested by the legislature.
4.3.10 It is appropriate for the legislation to specify minimum reporting requirements,

including the matters to be subject to an audit opinion and a reasonable time within
which reports should be made. Apart from that, flexible arrangements for the
Department’s reporting to the legislature, without restriction on content or timing of
reports, would support the maintenance of independence.
4.3.11 It is necessary that the Department of the AGP is provided with sufficient resources,
for the effective exercise of its mandate.
4.3.12 The executive branch of the government and the SAI do have common interests in the
promotion of public accountability. But the essential relationship with the executive is
that of external auditor. As such the reports of the AGP are expected to assist the
executive by drawing attention to deficiencies in administration and recommending
improvements. Care should be taken to avoid participation in the executive’s functions
of the kind that would militate against the independence and objectivity of the
Department of the AGP in the discharge of its mandate.

4.3.13 It is important for the independence of the Department of the AGP that there be no
power of direction by the executive in relation to the Department’s performance of its
mandate. The Department shall not be obliged to carry out, modify or refrain from
carrying out, an audit or suppress or modify audit findings, conclusions and
recommendations.
4.3.14 A degree of co-operation between the Department of the AGP and the executive is
desirable in some areas. The SAI shall be ready to advise the executive in such matters
as accounting standards and policies and the form of financial statements. The
Department must ensure that in giving such advice it avoids any explicit or implied
commitment that would impair the independent exercise of its audit mandate.
4.3.15 Maintenance of the independence of the Department of the AGP does not preclude
requests by the executive proposing matters for audits. But to enjoy adequate
independence, the Department shall have the discretion to decline any such request. It
is fundamental to the concept of SAI independence that decisions as to the audit tasks
comprising the programme shall rest finally with the Department of the AGP.
4.3.16 A sensitive area in relationships between the Department of the AGP and the executive
concerns provision of resources to the Department. In varying degrees, reflecting
constitutional and institutional differences, arrangements for the SAI’s resource
provision may be related to the executive branch of government’s financial situation
and general expenditure policies. As against that, effective promotion of public
accountability requires that the Department of the AGP be provided with sufficient
resources to enable it to discharge its responsibilities in a reasonable manner.
4.3.17 Any imposition of resource or other restriction by the executive which would constrain
the exercise of its mandate by the Department of the AGP would be an appropriate
matter for report by the Department to the legislature.
4.3.18 The legal mandate should provide for full and free access by the Department of the
AGP to all premises and records relevant to audited entities and their operations and
should provide adequate powers for the Department to obtain relevant information
from persons or entities possessing it.
4.3.19 Unless specifically prevented by law, the executive shall permit access by the
Department of the AGP to sensitive information which is necessary and relevant to the
discharge of the responsibilities of the Department.
4.3.20 The Department of the AGP shall ensure that its mandate and its independent status is
well understood in the community. The Department shall, as appropriate opportunities
arise, undertake an educational role in that regard.
4.3.21 Functional independence of the Department of the AGP need not preclude
arrangements with executive entities in regard to its administration in matters such as
personnel management, property management or common purchasing of equipment
and stores, though executive entities shall not be in a position to take decisions that
would jeopardise the independence of the Department in discharging its mandate.
4.3.22 The Department of the AGP must remain independent from audited entities. It shall,
however, seek to create among audited entities an understanding of its role and
function, with a view to maintaining amicable relationships with them. Good
relationships can help the department to obtain information freely and frankly and to

conduct discussions in an atmosphere of mutual respect and understanding. In this
spirit, the Department while retaining its independence, can agree to be associated
with reforms which are planned by the Administration in areas such as public accounts
or financial legislation or agree to be consulted about the preparation of draft laws or
rules affecting its competence or its authority. In these cases it is not, however, a
matter of the Department interfering in administrative management but a matter of co
operating with certain administrative services by giving them technical assistance or
by putting financial management experience of the Department at their disposition.
4.3.23 In contrast to private sector audit, where the auditor’s agreed task is specified in an
engagement letter, the audited entity is not in a client relationship with the Department
of the AGP. The Department has to discharge its mandate freely and impartially,
taking management views into consideration in forming audit opinions, conclusions
and recommendations, but owing no responsibility to the management of the audited
entity for the scope or nature of the audits undertaken.
4.3.24 The Department of the AGP shall not participate in the management or operations of
an audited entity. Audit personnel should not become members of management
committees and, if audit advice is to be given, it shall be conveyed as audit advice or
recommendation and acknowledged clearly as such.
4.3.25 Any personnel of the Department of the AGP having close affiliations with the
management of an audited entity, such as social, kinship or other relationship
conducive to a lessening of objectivity, shall not be assigned to audit that entity.
4.3.26 Personnel of the Department of the AGP should not become involved in instructing
personnel of an audited entity as to their duties. In those instances where the
Department decides to establish a resident office at the audited entity with the purpose
of facilitating the ongoing review of its operations, programmes and activities,
personnel of the Department of the AGP shall not engage in any decision making or
approval process which is considered the auditee’s management responsibilities.
4.3.27 The Department of the AGP may co-operate with academic institutions and enter
formal relationships with professional bodies, provided the relationships do not inhibit
its independence and objectivity, in order to avail itself of the advice of experienced
members of the profession at large.
4.3.2 Conflict of interest
4.3.28 The Department of the AGP shall avoid conflict of interest between the auditor and the
entity under audit (see paragraph 4.3.1b)
4.3.29 The Department of the AGP performs its role by carrying out audits of the accountable
entities and reporting the results. To fulfil this role, the Department needs to maintain
its independence and objectivity. The application of appropriate general auditing
standards assists the Department to satisfy these requirements.

4.3.3 Competence
4.3.30 The general standards for the auditor and the Department of the AGP include:
The auditor and the Department must possess the required competence (see paragraph
4.3.1c)
The following paragraphs explain competence as an auditing standard.
4.3.31 The mandate of the Department of the AGP generally imposes a duty of forming and
reporting audit opinions, conclusions and recommendations. This duty shall remain
that of the heads of the Audit offices.
4.3.32 Discussions within the SAI promote the objectivity and authority of opinions and
decisions. Decision and opinions as such relating to conclusions, findings and
recommendations in the Audit reports are taken in the name of the AGP.
4.3.33 Since the duties and responsibilities thus borne by the Department of the AGP are
crucial to the concept of public accountability, the Department must apply to its audits,
methodologies and practices of the highest quality. It is incumbent upon it to formulate
procedures to secure effective exercise of its responsibilities for audit reports,
unimpaired by less than full adherence by personnel or external experts to its standards,
planning procedures methodologies and supervision.
4.3.34 The Department of the AGP needs to command the range of skills and experience
necessary for effective discharge of the audit mandate. Whatever the nature of the
audits to be undertaken under that mandate, the audit work shall be carried out by
persons whose education and experience is commensurate with the nature, scope and
complexities of the audit task. The department shall equip itself with the full range of
up-to-date audit methodologies, including systems-based techniques, analytical review
methods, statistical sampling and audit of automated information systems.
4.3.35 In view of the wide and discretionary nature of mandate of the Department of the AGP,
the task of the ensuring quality of performance across the whole mandate becomes
more complex. The Department shall, therefore, ensure, within itself, a high standard
of management.
4.3.4 Due care
4.3.36 The general standards for the auditor and the Department of the AGP include
The auditor and the Department must exercise due care and concern in complying with
the auditing standards. This embraces due care in specifying, gathering and evaluating
evidence, and in reporting findings, conclusions and recommendations (see paragraph
4.3.1d)
The following paragraphs explain due care as an auditing standard.
4.3.37 The Department of the AGP must be, and be seen to be, objective in its audit of
entities and public enterprises. It should be fair in its evaluations and in its reporting of
the outcome of audits.

4.3.38 Performance and exercise of technical skill should be of a quality appropriate to the
complexities of a particular audit. Auditors need to be alert for situations, control
weaknesses, inadequacies in record keeping, errors and unusual transactions or results
which could be indicative of fraud, improper or unlawful expenditure, unauthorised
operations, waste, inefficiency or lack of probity.
4.3.39 Where an authorised or recognised entity sets standards or guidelines for accounting
and reporting by public enterprises, the Department of the AGP may use such
guidelines in the course of its examination.
4.3.40 If the department of the AGP employs external experts as consultants it must exercise
due care to assure itself of the consultants’ competence and aptitude for the particular
tasks involved. This standard applies also where outside auditors are engaged on
contract with the Department. In addition care must be taken to ensure that audit
contracts include adequate provision for the SAI to determine the planning, the audit
scope, the performing, and the reporting on the audit.
4.3.41 Should the Department of the AGP, in the performance of its functions, need to seek
advice from specialists external to the Department, the standards for exercise of due
care in such arrangements have a bearing also on the maintenance of quality of
performance. Obtaining advice from an external expert does not relieve the
Department of responsibility for the opinions formed or conclusions reached on the
audit task.
4.3.42 When the Department of the AGP uses the work of another auditor(s), it must apply
adequate procedures to provide assurance that the other auditor(s) has exercised due
care and complied with relevant auditing standards, and may review the work of the
other auditor(s) to satisfy itself as to the quality of that work.
4.3.43 Information about an audited entity acquired in course of the auditor’s work must not
be used for purposes outside the scope of an audit and the formation of an opinion or
in reporting in accordance with the auditor’s responsibilities. It is essential that the
Department of the AGP maintain confidentiality regarding audit matters and
information arising from its audit task. However, the Department must be entitled to
report offences against the law to proper prosecuting authorities.
4.4 Field Standards in Government Auditing

4.4.1 The purpose of field standards is to establish the criteria or overall framework for the
purposeful, systematic and balanced steps or actions that the auditor has to follow.
These steps and actions represent the rules of research that the auditor, as a seeker of
audit evidence, implements to achieve a specific result.
4.4.2 The field standards establish the framework for conducting and managing audit work.
They are related to the general auditing standards, which set out the basic requirements
for undertaking the tasks covered by the field standards. They are also related to the
reporting standards, which cover the communication aspect of auditing, as the result of
carrying out the field standards constitute the main source for the contents of the
opinion or report.

4.4.3 The field standards applicable to all types of audit are:
a) The auditor shall plan the audit in a manner which ensures that an audit of high
quality is carried out in an economic, efficient and effective way and in a timely
manner
b) The work of the audit staff at each level and audit phase shall be properly supervised
during the audit; and documented work shall be reviewed by a senior member of the
audit staff
c) The auditor, in determining the extent and scope of the audit, shall study and evaluate
the reliability of internal control
d) In conducting regularity (financial) audits, a test should be made of compliance with

applicable laws and regulations. The auditor should design audit steps and procedures
to provide reasonable assurance of detecting errors, irregularities, and illegal acts that
could have a direct and material effect on the financial statement amounts or the
results of regularity audits. The auditor also should be aware of the possibility of
illegal acts that could have an indirect and material effect on the financial statements
or results of regularity audits.
In conducting performance audits, an assessment should be made of compliance with

applicable laws and regulations when necessary to satisfy the audit objectives. The
auditor should design the audit to provide reasonable assurance of detecting illegal
acts that could significantly affect audit objectives. The auditor also should be alert to
situations or transactions that could be indicative of illegal acts that may have an
indirect effect on the audit results.
Any indications that an irregularity, illegal act, fraud or error may have occurred
which could have a material effect on the audit should cause the auditor to extend
procedures to confirm or dispel such suspicions.
The regularity audit is an essential aspect of government auditing. One important

objective which this type of audit assigns to the Department of the AGP is to make
sure, by all the means put at its disposal, that the Government budget and accounts are
complete and valid. This will provide legislature and other users of the audit report
with assurance about the size and development of the financial obligations of the
Government. To achieve this objective the Department will examine the accounts and
financial statements of the administration with a view to assuring that all operations
have been correctly undertaken, completed, passed, paid and registered. The audit
procedure normally results, in the absence of irregularity, in the granting of an
unqualified certificate
e) Competent, reliable, relevant and reasonable evidence should be obtained to

support the auditor’s judgment and conclusion regarding the organisation, programme,
activity or function under audit
f) In regularity (financial) audit, and in other types of audit when applicable, auditors
should analyse the financial statements to establish whether acceptable accounting
standards for financial reporting and disclosure are complied with. Analysis of
financial statements should be performed to such a degree that a rational basis is
obtained to express an opinion on financial statements

4.4.1 Planning
4.4.4 The field standards include:
The auditor should plan the audit in a manner which ensures that an audit of high
quality is carried out in an economic, efficient and effective way and in a timely manner
The following paragraphs explain planning as an auditing standard.
4.4.5 The Department of the AGP shall give priority to any audit tasks which must be
undertaken by law and assess priorities for discretionary areas within mandate of the
AGP.
4.4.6 In planning an audit, the auditor should:
a) Identify important aspects of the environment in which the audited entity operates;
b) Develop an understanding of the accountability relationships;
c) Consider the form, content and users of audit opinions, conclusions or reports;
d) Specify the audit objectives and the tests necessary to meet them;
e) Identify key management systems and controls and carry out a preliminary
assessment to identify both their strengths and weakness;
f) Determine the materiality of matters to be considered;
g) Review the internal audit of the audited entity and its work programme;
h) Assess the extent of the reliance that might be placed on other auditors, for
example, internal audit;
i) Determine the most efficient and effective audit approach;
j) Provide for a review to determine whether appropriate action has been taken on
previously reported audit findings and recommendations; and
k) Provide for appropriate documentation of the audit plan and for the proposed
fieldwork.
4.4.7 The following planning steps are normally included in an audit;
a) Collect information about the audited entity and its organisation in order to assess
risk and to determine materiality;
b) Define the objective and scope of the audit;
c) Undertake preliminary analysis to determine the approach to be adopted and the

nature and extent of enquiries to be made later;
d) Highlight special problems foreseen when planning the audit;

e) Prepare a budget and a schedule for the audit;
f) Identify staff requirements and a team for the audit; and
g) Familiarise the audited entity about the scope, objectives and the assessment
criteria of the audit and discuss with them as necessary.
The SAI may revise the plan during the audit when necessary.
4.4.2 Supervision and Review
The work of the audit staff at each level and audit phase should be properly supervised
during the audit, and documented work should be reviewed by a senior member of the
audit staff
The following paragraphs explain supervision and review as an auditing standard.
4.4.9 Supervision is essential to ensure the fulfilment of audit objectives and the
maintenance of the quality of the audit work. Proper supervision and control is
therefore necessary in all cases, regardless of the competence of the individual auditors.
4.4.10 Supervision should be directed both to the substance and to the method of auditing. It
involves ensuring that:
a) The members of the audit team have a clear and consistent understanding of the audit
plan;
b) The audit is carried out in accordance with the auditing standards and practices of the
Department of the AGP.
c) The audit plan and action steps specified in that plan are followed unless a variation is
authorised;
d) Working papers contain evidence adequately supporting all conclusions,

recommendations and opinions;
e) The auditor achieves the stated audit objectives; and
f) The audit report includes the audit conclusions, recommendations and opinions, as
appropriate.
4.4.11 All audit work should be reviewed by a senior member of the audit staff before the
audit opinions or reports are finalised. It should be carried out as each part of the audit
progresses. Review brings more than one level of experience and judgment to the audit
task and should ensure that:
a) All evaluations and conclusions are soundly based and are supported by competent,
reliable, relevant and reasonable audit evidence as the foundation for the final audit
opinion or report;

b) all errors, deficiencies and unusual matters have been properly identified, documented
and either satisfactorily resolved or brought to the attention of the more senior
officer(s) of the department; and
c) changes and improvements necessary to the conduct of future audits are identified,
recorded and taken into account in later audit plans and in staff development activities
4.4.3 Study and Evaluation of Internal Control
4.4.12 The field standards include
The auditor, in determining the extent and scope of the audit, should study and evaluate
the reliability of the internal control
The following paragraphs explain internal control as an auditing standard.
4.4.13 The study and evaluation of internal control should be carried out according to the
type of audit undertaken. In the case of a regularity (financial) audit, study and
evaluation are made mainly on controls that assist in safeguarding assets and resources,
and assure the accuracy and completeness of accounting records. In the case of
regularity (compliance) audit, study and evaluation are made mainly on controls that
assist management in complying with laws and regulations. In the case of performance
audit, they are made on controls that assist in conducting the business of the audited
entity in an economic, efficient and effective manner, ensuring adherence to
management policies, and producing timely and reliable financial and management
information.
4.4.14 The extent of the study and evaluation of internal control depends on the objectives of
the audit and on the degree of reliance intended.
4.4.15 Where accounting or other information systems are computerised, the auditor should
determine whether internal controls are functioning properly to ensure the integrity,
reliability and completeness of the data, and the information system.
4.4.4 Compliance With Applicable Laws and Regulations
In conducting regularity (financial) audits, a test should be made of compliance with

applicable laws and regulations. The auditor should design audit steps and procedures to
provide reasonable assurance of detecting errors, irregularities, and illegal acts that
could have a direct and material effect on the financial statement amounts or the results
of regularity audits. The auditor also should be aware of the possibility of illegal acts that
could have an indirect and material effect on the financial statements or results of
regularity audits.
In conducting performance audits, an assessment should be made of compliance with

applicable laws and regulations when necessary to satisfy the audit objectives. The
auditor should design the audit to provide reasonable assurance of detecting illegal acts
that could significantly affect audit objectives. The auditor should also be alert to
situations or transactions that could be indicative of illegal acts that may have an indirect
effect on audit results.

The regularity audit is an essential aspect of government auditing. One important
objective which this type of audit assigns to the Department of the AGP is to make sure,
by all the means put at its disposal, that the Government budget and accounts are
complete and valid. This will provide legislatures and other users of the audit report with
assurance about the size and development of the financial obligations of the Government.
To achieve this objective the Department will examine the accounts and financial
statements of the administration with a view to assuring that all operations have been
correctly undertaken, completed, passed, paid and registered. The audit procedure
normally results, in the absence of irregularity, in the granting of an unqualified
certificate
The following paragraphs explain compliance as an auditing standard.
4.4.17 Reviewing compliance with laws and regulations is especially important when
auditing government programmes because decision makers need to know if the laws
and regulations are being followed, whether they are having the desired results, and, if
not, what revisions are necessary. Additionally government organisation, programmes,
services, activities, and functions are created by laws and are subject to more specific
rules and regulations.
4.4.18 Those planning the audit need to be knowledgeable of the compliance requirements
that apply to the entity being audited. Because the laws and regulations that may apply
to a specific audit are often numerous, the auditors need to exercise professional
judgment in determining those laws and regulations that might have a significant
impact on the audit objectives.
4.4.19 The auditor should also be alert to situations or transactions that could be indicative of
illegal acts that may indirectly impact the results of the audit. When audit steps and
procedures indicate that illegal acts have or may have occurred, the auditor shall
determine the extent to which these acts affect the audit results.
4.4.20 In conducting audits in accordance with this standard, the auditors should choose and
perform audit steps and procedures that, in their professional judgment, are appropriate
in the circumstances. These audit steps and procedures should be designed to obtain
sufficient, competent, reliable, and relevant evidence that will provide a reasonable
basis for their judgments and conclusions.
4.4.21 Generally, management is responsible for establishing an effective system of internal

controls to ensure compliance with laws and regulations. In designing steps and
procedures to test or assess compliance, auditors should evaluate the entity’s internal
controls and assess the risk that the control structure might not prevent or detect non
compliance.
4.4.22 Without affecting the independence of the Department of the AGP, the auditors should
exercise due professional care and caution in extending audit steps and procedures
relative to illegal acts so as not to interfere with potential future investigations or legal
proceedings. Due care would include consulting appropriate legal counsel and the
applicable law enforcement organisation/agencies to determine the audit steps and
procedures to be followed.

4.4.5 Audit Evidence
Competent, reliable, relevant and reasonable evidence should be obtained to support

the auditor’s judgment and conclusions regarding the organisation, programme,
activity or function under audit
The following paragraphs explain the audit evidence as an auditing standard.
4.4.24 The audit findings, conclusions and recommendations must be based on evidence.
Since auditors seldom have the opportunity of considering all information about the
audited entity, it is crucial that the data collection and sampling techniques are
carefully chosen. When computer-based system data are an important part of the audit
and the data reliability is crucial to accomplishing the audit objective, auditors need to
satisfy themselves that the data are reliable and relevant.
4.4.25 Auditors should have a sound understanding of techniques and procedures such as
inspection, observation, enquiry and confirmation, to collect audit evidence. The
Department o f the AGP shall ensure that the techniques employed are sufficient to
reasonably detect all quantitatively material errors and irregularities.
4.4.26 In choosing approaches and procedures, consideration should be given to the quality of
evidence, i.e., the evidence should be competent, reliable, relevant and reasonable.
4.4.27 Auditors should adequately document the audit evidence in working papers, including
the basis and extent o f the planning, work performed and the findings o f the audit.
4.4.28 Adequate documentation is important for several reasons. It will:
a) Confirm and support the auditor’s opinions and reports;
b) Increase the efficiency and effectiveness o f the audit;
c) Serve as a source of information for preparing reports or answering any enquiries

from the audited entity, legislature and its committees or from any other party;
d) Serve as evidence of the auditor’s compliance with Auditing Standards;
e) Facilitate planning and supervision;
f) Help the auditor’s professional development;
g) Help to ensure that delegated work has been satisfactorily performed; and
h) Provide evidence o f work done for future reference.
4.4.29 The auditor should bear in mind that the content and arrangement of the working
papers reflect the degree of the auditor’s proficiency, experience and knowledge.
Working papers should be sufficiently complete and detailed to enable an experienced
auditor having no previous connection with the audit subsequently to ascertain from
them what work was performed to support the conclusions.

4.4.6 Analysis of Financial Statements
In regularity (financial) audit, and in other types of audit when applicable, auditors
should analyse the financial statements to establish whether acceptable accounting
standards for financial reporting and disclosure are complied with. Analysis of financial
statements shall be performed to such a degree that a rational basis is obtained to
express an opinion on financial statements
The following paragraphs explain analysis offinancial statements as an auditing standard.
4.4.31 Financial statement analysis aims at ascertaining the existence of the expected
relationship within and between the various elements of the financial statements,
identifying any unexpected relationships and any unusual trends. The auditor should
therefore thoroughly analyse the financial statements and ascertain whether:
a) Financial statements are prepared in accordance with acceptable accounting

standards;
b) Financial statements are presented with due consideration to the circumstances of

the audited entity;
c) Sufficient disclosures are presented about various elements of financial statements;

and
d) The various elements of financial statements are properly evaluated, measured and
presented.
4.4.32 The methods and techniques of financial analysis depend to a large degree on the
nature, scope and objective of the audit, and on the knowledge and judgment of the
auditor.
4.4.33 If required to report on the execution of budgetary laws, audit by the Department of
the AGP shall include:
a) For revenue accounts, ascertaining whether forecasts are those of the initial budget,
and whether the audits of taxes and duties recorded, and imputed receipts, can be
carried out by comparison with the annual financial statements of the audited
activity;
b) For expenditure accounts, verifying credits to assist budgets, adjustment laws and,
for carryovers, the previous year’s financial statements.
4.5 Reporting Standards in Government Auditing

4.5.1 It is not practical to lay down a rule for reporting on every special situation. This
standard is to assist and not to supersede the prudent judgment of the auditor in
making an opinion or report.

4.5.2 The expression “reporting” embraces both the auditor’s opinion and other remarks on
a set of financial statements as a result of a regularity (financial) audit and the
auditor’s report on completion of a performance audit.
4.5.3 The auditor’s opinion on a set of financial statements shall generally be in concise,
standardised format to reflect the results of a wide range of tests and other audit work.
There is a requirement to report as to the compliance of transactions with laws and
regulations and to report on matters such as inadequate systems of control, illegal acts
and fraud. The constitutional or statutory obligations require the AGP to report
specifically on the execution of budgetary laws, reconciling budgetary estimates and
authorisation to the results set out in the financial statements.
4.5.4 In a performance audit, the auditor reports on the economy and efficiency with which
resources are required and used, and the effectiveness with which objectives are met.
Such reports may vary considerably in scope and nature, for example, covering
whether resources have been applied in a sound manner, commenting on the impact of
policies and programmes and recommending changes designed to result in
improvements.
4.5.5 In order to recognise reasonable user needs, the auditor’s report in both regularity and
performance auditing may need to have regard to expanded reporting periods or cycles
and relevant and appropriate disclosure requirements.
4.5.6 For ease of reference in this chapter, the word “opinion” is used to mean the auditor’s
conclusions as a result of a regularity (financial) audit, and may embrace the matters
described in paragraph 4.4.3; the word “report” is used to mean the auditor’s
conclusions following a performance audit, as described in paragraph 4.4.4
4.5.7 The reporting standards are:
a) At the end of each audit the auditor shall prepare a written opinion or report, as
appropriate, setting out the findings in an appropriate form; its content should be easy
to understand and free from vagueness or ambiguity, include only information which
is supported by competent, reliable, and relevant audit evidence, and be independent,
objective, fair and constructive.
b) It is for the Department of the AGP to decide finally on the action to be taken in
relation to fraudulent practices or serious irregularities discovered by the auditors.
With regards to regularity audits, the auditor shall prepare a written report, which may
either be a part of the report on the financial statements or a separate report, on the test
of compliance with applicable laws and regulations. The report shall contain a
statement of positive assurance on those tested for compliance and negative assurance
on those items not tested.
With regard to performance audits, the report shall include all significant instances of
non-compliance that are pertinent to the audit objectives.
4.5.8 The form and content of all audit opinions and reports are founded on the following
general principles.

a) Title. The opinion or report shall be preceded by a suitable title or heading,
helping the reader to distinguish it from statements and information issued by
others.
b) Signature and date. The opinion or reports shall be properly signed. The
inclusion of a date informs the reader that consideration has been given to the
effect of events or transactions about which the auditor became aware up to that
date (which, in the case of regularity (financial) audits, may be beyond the period
of the financial statements).
c) Objectives and scope. The opinion or report shall include reference to the
objectives and scope of the audit. This information establishes the purpose and
boundaries of the audit.
d) Completeness. Opinions shall be appended to and published with the financial

statements to which they relate, but performance reports may be free standing. The
auditor’s opinions and reports shall be presented as prepared by the auditor. In
exercising its independence the Department shall be able to include whatever it
sees fit, but it may acquire information from time to time which in the national
interest cannot be freely disclosed. This can affect the completeness of the audit
report. In this situation the auditor retains a responsibility for considering the need
to make a report, possibly including confidential or sensitive material in a separate,
unpublished report.
e) Addressee. The opinion or report shall be addressed as per requirements of

applicable laws and procedures.
f) Identification of subject matter. The opinion or report shall identify the

financial statements (in the case of regularity (financial) audits) or area (in the case
of performance audits) to which it relates. This includes information such as the
name of the audited entity, the date and period covered by the financial statements
and the subject matter that has been audited.
g) Legal basis. Audited opinions and reports shall identify the legislation or other
authority providing for the audit.
h) Compliance with standards: Audit opinions and reports shall indicate the
auditing standards or practices followed in conducting the audits, thus providing
the reader with an assurance the audit has been carried out in accordance with
generally accepted procedures.
i) Timelines: The audit opinion or report shall be available promptly to be of

greatest use to readers and users, particularly those who have to take necessary
action.
4.5.9 An audit opinion is normally in a standard format, relating to the financial statements
as a whole, thus avoiding the need to state at length what lies behind it but conveying
by its nature a general understanding among readers as to its meaning. The nature of
these words will be influenced by the legal framework for the audit, but the content of
the opinion shall indicate unambiguously whether it is unqualified or qualified and, if
the latter, whether it is qualified in certain respects or is adverse or a disclaimer of
opinion.

4.5.10 An unqualified opinion is given when the auditor is satisfied in all material respects
that:
a) The financial statements have been prepared using acceptable accounting bases and
policies which have been consistently applied;
b) The statements comply with statutory requirements and relevant regulations;
c) The view presented by the financial statements is consistent with the auditor’s
knowledge of the audited entity; and
d) There is adequate disclosure of all material matters relevant to the financial statements
4.5.11 Emphasis of Matter. In certain circumstances the auditor may consider that the
reader will not obtain a proper understanding of the financial statements unless
attention is drawn to unusual or important matters. As a general principle the auditor
issuing an unqualified opinion does not make reference to specific aspects of financial
statements in the opinion in case this should be misconstrued as being a qualification.
In order to avoid giving that impression, references which are meant as “emphasis of
matter” are contained in a separate paragraph from the opinion. However, the auditor
shall not make use of an emphasis of matter to rectify a lack of appropriate disclosure
in the financial statements, nor as an alternative to, or a substitute for, qualifying the
opinion.
4.5.12 An auditor may not be able to express an unqualified opinion when any of the
following circumstances exist and, in the auditor’s judgment, their effect is or may be
material to the financial statements:
a) There has been limitation on the scope of the audit:
b) The auditor considers that the statements are incomplete or misleading or there is an
unjustified departure from acceptable accounting standards; or
c) There is uncertainty affecting the financial statements.
4.5.13 Qualified Opinion. Where the auditor disagrees with or is uncertain about one or
more particular items in the financial statements which are material but not
fundamental to an understanding of the statements, a qualified opinion should be given.
The wording of the opinion normally indicates a satisfactory outcome to the audit
subject to a clear and concise statement of the matters of disagreement or uncertainty
giving rise to the qualified opinion. It helps the users of the statements if the financial
effect of the uncertainty or disagreement is quantified by the auditor although this is
not always practicable or relevant.
4.5.14 Adverse Opinion. Where the auditor is unable to form an opinion on the financial
statements taken as a whole due to disagreement which is so fundamental that it
undermines the position presented to the extent that an opinion which is qualified in
certain respects would not be adequate, an adverse opinion is given. The wording of
such an opinion makes clear that the financial statements are not fairly stated,
specifying clearly and concisely all the matters of disagreement. Again, it is helpful if

the financial effect on the financial statements is quantified where relevant and
practicable.
4.5.15 Disclaimer of Opinion. Where the auditor is unable to arrive at an opinion regarding
the financial statements taken as a whole due to an uncertainty or scope restriction
which is so fundamental that an opinion which is qualified in certain respects would
not be adequate, a disclaimer is given. The wording of such a disclaimer makes clear
that an opinion cannot be given, specifying clearly and concisely all matters of
uncertainty.
4.5.16 The auditor shall provide a detailed report amplifying the opinion in circumstances in
which it has been unable to give an unqualified opinion.
4.5.17 In addition, regularity audits often require that reports are made where weaknesses
exist in systems of financial control or accounting (as distinct from performance audit
aspects). This may occur not only where weaknesses affect the audited entity’s own
procedures but also where they relate to its control over the activities of others. The
auditor shall also report on significant irregularities, whether perceived or potential, on
inconsistency of application of regulations or on fraud and corrupt practices.
4.5.18 In reporting on irregularities or instances of non-compliance with laws or regulations,

the auditors should be careful to place their findings in the proper perspective. The
extent of non-compliance can be related to the number of cases examined or quantified
monetarily.
4.5.19 Reports on irregularities shall be prepared irrespective of a qualification of the

auditor’s opinion. By their nature they tend to contain significant criticisms, but in
order to be constructive they shall also address future remedial action by incorporating
statements by the audited entity or by the auditor, including conclusions or
recommendations.
4.5.20 In contrast to regularity audit, which is subject to fairly specific requirements and
expectations, performance audit is wide-ranging in nature and is more open to
judgment and interpretation; coverage is also more selective and may be carried out
over a cycle of several years, rather than in one financial period; and it does not
normally relate to particular financial or other statements. As a consequence
performance audit reports are varied and contain more decisions and reasoned
argument.
4.5.21 The performance audit report should state clearly the objectives and scope of the audit.
Reports may include criticism (for example where, in the public interest or on grounds
of public accountability, matters of serious waste, extravagance or inefficiency are
drawn to attention) or may make no significant criticism but give independent
information, advice or assurance as to whether and to what extent economy, efficiency
and effectiveness are being or have been achieved.
4.5.22 The auditor is not normally expected to provide an overall opinion on the achievement
of economy, efficiency and effectiveness by an audited entity in the same way as the
opinion on financial statements. Where the nature of the audit allows this to be done in
relation to specific areas of entity’s activities, the auditor shall provide a report which
describes the circumstances and arrives at a specific conclusion rather than a
standardised statement. Where the audit is confined to consideration of whether

sufficient controls exist to secure economy, efficiency or effectiveness, the auditor
shall provide a more general opinion.
4.5.23 Auditors should recognise that their judgments are being applied to actions resulting
from past management decisions. Care should therefore be exercised in making such
judgments, and the report should indicate the nature and extent of information
reasonably available (or which ought to have been available) to the audited entity at
the time the decisions were taken. By stating clearly the scope, objectives and findings
of the audit, the report demonstrates to the reader that the auditor is being fair. Fairness
also implies the presentation of weaknesses or critical findings in such a way as to
encourage correction, and to improve systems and guidance within the audited entity.
Accordingly the facts are generally agreed with the audited entity in order to ensure
that they are complete, accurate and fairly presented in the audit report. There may
also be a need to include the audited entity’s responses to the matters raised, either
verbatim or in summary, especially where the Department of the AGP presents its own
views or recommendations.
4.5.24 Performance reports should not concentrate solely on criticism of the past but should
be constructive. The auditor’s conclusion and recommendations are an important
aspect of the audit and, where appropriate, are written as a guide for action. Generally
these recommendations suggest what improvements are needed rather than how to
achieve them, though circumstances sometimes arise which warrant a specific
recommendation, for example to correct a defect in the law in order to bring about an
administrative improvement.
4.5.25 In formulating and following up recommendations, the auditor shall maintain

objectivity and independence and thus focus on whether identified weaknesses are
corrected rather than on whether specific recommendations are adopted.
4.5.26 In formulating the audit opinion or report, the auditor shall have regard to the
materiality of the matter in the context of the financial statements (regularity (financial)
audit) or the nature of the audited entity or activity (performance audit).
4.5.27 For regularity (financial) audits, if the auditor concludes that, judged against the
criteria most appropriate in the circumstances, the matter does not materially affect the
view given by the financial statements, the opinion should not be qualified. Where the
auditor decides that a matter is material the opinion should be qualified, having
determined the type of qualification (paragraphs 4.4.12 - 4.4.15)
4.5.28 In the case of performance audits that judgment will be more subjective as the report
does not relate so directly to financial or other statements. Consequently the auditor
may find materiality by nature or by context is a more important consideration than
materiality by amount.

5. DAGP’S ANNUAL PLANNING PROCESS
5.1 DAGP Strategic Audit Objectives
The Auditor-General’s mandate is established by legislation - Auditor-General’s (Functions,
Powers and Terms and Conditions of Service) Ordinance, 2001 (Auditor General’s
Ordinance). Two key sections are:
Section 7 of Auditor-General’s (Functions, Powers and Terms and Conditions of Service)

Ordinance, 2001 (Auditor General’s Ordinance) states that “The Auditor-General shall, on the
basis o f such audit as he may consider appropriate and necessary, certify the accounts ” ... “o f
the Federation, o f each Province and o f each District ”.
Section 8 of the Auditor-General Ordinance mandates an audit of expenditures of the

Federation and of each Province, and Section 12 of the Auditor-General Ordinance mandates
an audit of the receipts of the Federal Government and of each Province and District.
These sections establish the two primary objectives of DAGP audits: financial
attest/certification audits and compliance with authority audits to ensure entities within all
three levels of government properly comply with all rules and regulations pertaining to
expenses and revenues.
Note that all attest/certification audits will include a compliance component in accordance
with international auditing standards and that DAGP may also perform independent
compliance with authority audits in any areas which the Auditor-General considers it
important to review. Accordingly compliance audit activities will be a major aspect of DAGP
plans for any given time period.
5.2 DAGP Audit Scope

In determining the scope of audit work the Auditor-General has wide discretion.
For certification audits required under Section 7 of the Auditor-General Ordinance, the entity
to be audited will be defined by the applicable accounting policies of the government. For
example, to certify the financial statements of the Federation, the entity to be audited is the
aggregate of all of the ministries, departments, agencies, etc. that the accounting policies
require to be included in the financial statements of the Federation. Whether to perform audit
activities in every single entity within the federation is a matter for the Auditor-General to
decide. At a minimum, audit activities should cover all entities whose operations are material
in the context of the financial statements of the Federation. In addition, the Auditor-General
may plan to extend the audit activities to any other entities he considers significant.
In the case of compliance with authority audits, the Auditor-General has complete discretion
as to which entities (whether organisational entities, such as agencies, DAOs, DDOs etc.,
functional entities, such as the payroll function or the purchasing function; or accounting
entities, such as objects of expenditure, grants or appropriations) will be subject to audit and
how often audits will be conducted.

5.3 DAGP Strategic Audit Plans
The Auditor-General is responsible for deciding what audit work is necessary to fulfil his
mandate. Under his direction, DAGP produces a multi-year strategic plan for DAGP audit
activities. The audits included in the strategic plan will include:
Mandatory and centrally led. These are audits required by DAGP’s mandate to be
performed each year, where the work performed by an individual directorate is part of a
larger audit. An example of such an audit is the annual audit of the financial statements of
the Federation.
Not mandatory and centrally led. These are audits where DAGP’s mandate does not
require that they be performed each year, and the work performed by the directorate is part
of a larger audit exercise. An example of this type of audit could be a government-wide
audit of contracting.
Mandatory and not centrally led. Those audits that are required by DAGP’s mandate to be
performed each year, where the work is not part of a larger audit. An example of such an
audit is the annual audit of the financial statements of a specific commercial entity or a
foreign-aided project for which the directorate is required to issue an audit opinion.
In these cases, the Auditor-General schedules the activities and delegates audit work to the
audit directorates.
Consolidating the plans for all these audits produces the DAGP strategic audit programme.
5.4 The annual planning process
Each audit directorate is responsible for the audit of a pre-determined group of entities. The
scheduling of this work is at the discretion of the audit directorates:
Not mandatory and not centrally led. These are audits that are not required by DAGP’s
mandate to be performed each year, and which are not part of a larger audit. An example
of such an audit is the compliance with authority work being performed by the directorate
on the entities for which it is responsible.
Each directorate prepares an annual audit plan for its audit activities which includes the audit
activities required by the Auditor-General, plus the discretionary audits planned by the
directorate, and submits it to the Auditor-General for approval. Once approved, the annual
plans from all directorates are consolidated into DAGP’s annual Corporate Audit Plan.
The annual audit plans contain:

(a) A summary of the directorate’s mandate.
(b) A status report on the current year indicating the extent to which the planned coverage for
the current year is being achieved.
(c) A summary of the audits that the directorate intends to perform in the following year,
categorised by:
• Financial audits (including related compliance with authority audit);
• Compliance with authority audits (where additional compliance with authority work is
planned);
• Audits of internal controls;
• Audits of foreign-aided projects;

• Performance audits;
• Other functional, systems, programme and fraud audits; and
• Special assignments.
(e) Details with respect to each of the planned audits for the following year. These details
include, for each audit:
• The revenue and expenditure to be audited;
• The person days required;
• The staff members to be assigned to the audit (and any shortfall in the staffing);
• The travel and daily allowances that are required;
• A time schedule showing the dates by which each audit will be planned, executed,
reported, etc.
(f) A summary of the unallocated resources available within the directorate or the audit work
for which staff is not available.
Audit management software is useful for developing this plan.
With respect to centrally led audits, each directorate will estimate the number of hours
required to perform the work, the staff to be assigned to the work, and the timing of the work,
and provide this information to the responsible central team. The central team, in turn, will be
responsible for the overall budget of the audit.
This process is discussed further in Section 5.6 below.
As noted, some audits are not required each year. This provides the audit teams with some
flexibility in scheduling work, so work loads can be balanced to reflect the number of
resources available after taking into account resource assignments to mandatory audit work.
For example, the nature, extent and timing of the work that DAGP performs on its compliance
with authority audits is somewhat discretionary. DAGP auditors can decide to perform
extensive tests of compliance with authorities or more limited tests. As such, the budget for a
given compliance with authority audit can be increased or decreased as required to match the
available resources.
When deciding on the nature, extent and timing of the work that each directorate performs on
compliance with authority audits, audits of internal controls and performance audits, the
directorate should take into consideration the annually required work that it is performing, and
integrate the audits to the extent possible. This is discussed in more detail in below.
Each directorate should ensure that it has sufficient staff with necessary skills to accomplish
the work required by the Auditor-General Ordinance to be performed each year. Only plans
for the work that is not required to be performed each year may reflect staff shortfalls.
Where staffing shortages are evident, senior management within DAGP will attempt to match
one directorate’s staff shortfall with unallocated staff in another directorate. Overall, though,
the planned workload cannot exceed the available resources. Should the sum of the required
resources exceed the available resources, the discretionary audit work must be decreased.

5.5 Integration of audit work
Under DAGP’s annual planning approach, each directorate has discretion over work that is not
required by the Auditor-General Ordinance to be performed annually. The directorate can
decide, for example, which entities it wishes to audit, and the types of audits it wishes to
perform (compliance with authority, internal controls, performance, etc.). However, to
improve the efficiency and effectiveness of the work, DAGP recommends that each
directorate integrate its compliance with authority, internal control and performance audit
work that is not required to be performed each year with the work being performed on the
mandated annual audits, such as the annual audits of financial statements. This integration
could include:
• Performing the work at the same time; and
• Re-using the sample items selected for the financial audit work when performing the
compliance with authority, internal controls and performance audit work. (Additional
items could be selected if considered necessary.)
Synchronising the timing of compliance with authority work and other discretionary work to
better match the timing of financial audit work, would create the following benefits:
• Samples for financial audit and compliance with authority purposes could be integrated,
reducing the total amount of audit work being performed.
• When doing the financial audit work, the auditors could rely on the normally larger
amount of work done for compliance with authority purposes. When the compliance with
authority audit work is done several years later, this reliance is not possible.
• With auditors performing compliance with authority audit work on Year 1 transactions in
Year 4, there is a risk that the auditors could discover, in Year 4, significant errors with
respect to the accounts for Year 1. DAGP could then be in the embarrassing position of
having to amend and reissue its certificate on the Year 1 financial statements. Doing all of
the work in Year 1 would eliminate this problem.
In addition to these benefits, doing the compliance with authority work more frequently, and
covering fewer years during each audit, could benefit the compliance with authority work
itself, as follows:
• There would be more timely identification of deficiencies, which could lead to a quicker
improvement of the related controls. This, in turn, should significantly reduce compliance
with authority violations in subsequent years;
• Having auditors on the premises provides a deterrence factor - entity officials are less
likely to commit frauds or perform sloppy work when auditors are present. More frequent
visits will multiply this effect.
• Entity officials would no longer be required to find vouchers and other documents that are
several years old. This could make it easier for them to find the required documents.
There are some disadvantages to amending the rotational audit approach for compliance with
authorities. The most significant one is that auditors will spend less time at each location
during each visit. This could increase the coordination effort, travel time, start-up time, etc.
Because of these disadvantages, and because directorates may have other very valid reasons
for not following the recommended approach, that DAGP has chosen not to mandate any one
approach. However, directorates not following the recommended approach may be asked to
justify the reasons for not doing so.

5.6 Approval process for the budget of centrally-led audits
As noted above, the first two categories of audits are centrally led. Each directorate will need
to discuss the number of hours required to perform the work, the staff to be assigned to the
work, and the timing of the work, with the responsible central team. The central team, in turn,
will be responsible for the overall budget of the audit.
One of the responsibilities of the central team is to set the budget (both person days and costs)
and the deadline dates for this audit. To do so, the central team will adhere to the following
process:
• first estimate the number of hours and costs required to perform the audit, and the
approximate timing of the work.
• then allocate the estimated hours of work to the central team, and each audit directorate.
• meet with each directorate to ensure that the directorate can perform the work within the
proposed budgets and by the required deadline dates. Obtain the list of staff members from
the audit directorate who will perform the work, and the proposed scheduling for each of
those staff members.
• following the discussions with each directorate, update the budget for each directorate, and
the overall budget for the audit.
• obtain the approval of the Auditor General for this budget.
• once the central team has received the required approval, each directorate will set aside the
agreed-upon person days, dates, and staff members for the performance of the audit.

6. THE AUDIT CYCLE
6.1 Introduction
Every audit assignment must be properly planned. The auditor has a professional duty to
undertake each audit in a manner that ensures reliable and meaningful conclusions, which in
turn lead to practical and useful audit recommendations. The auditor must therefore collect
appropriate and sufficient evidence to arrive at such conclusions and recommendations. The
efficient and effective collection of evidence depends on a clear audit plan. This audit plan
should include a well-developed audit programme.
The audit plan should include:

• A clear statement of the audit objective(s);
• Statement of the magnitude of operations (expenditures, revenues, assets, personnel) and
for an attest audit, the significant line items and accounts in the financial statements and
significant financial statement assertions;
• Summary of significant issues and results of an initial risk assessment;
• Proposed audit scope, including:
- Type(s) of audit activity (attest, compliance, effectiveness of internal controls,
safeguarding of assets, fraud investigation, value-for-money, IT systems, or some
combination thereof);
- locations to be visited;
- functions, activities, systems and procedures to be examined;
- aspects of performance to be covered;
- audit methods and tests; and
- samples selected or methods of selecting samples;
• Budget and schedule;
• Audit steps; and
• Assigned audit responsibilities.
DAGP audit teams should plan to perform audits that encompass both financial attest and
compliance components. These two audit components have much in common. Each requires
the auditor to:
• Understand the audit entity;
• Conduct a risk assessment;
• Define audit objectives and scope;
• Develop an audit programme
• Test the controls;
• Determine sample size (for statistical or non-statistical);
• Conduct substantive tests;
• Report; and
• Follow up.

The audit cycle for an individual audit involves planning the audit, conducting the work,
evaluating the results of the work, reporting the results of the work, and following up to see
what the entity has done as a result of the work. (Sometimes the follow up is conducted as the
first phase of the next audit of the entity, where the auditor determines what changes have
occurred since the previous audit).
This Chapter describes the audit cycle for an individual audit performed in accordance with
DAGP’s auditing standards. This Chapter also summarises the work that is performed at each
phase of the cycle. This material is expanded upon in subsequent Chapters of this Manual.
The audit cycle is shown in Figure 6.1. It contains six basic phases:
1. General audit planning;
2. Detailed activity and resource planning;
3. Fieldwork;
4. Evaluation;
5. Reporting; and
6. Follow-up.
These phases are discussed in more detail below.
Because many financial statement audits are performed every year, much of the general and
detailed planning for these audit activities will be limited to updating the planning decisions
made in the previous year to reflect changes to the entity or desired changes to the audit
approach. There will rarely be a need to start from scratch.
Changes to the audit approach will normally have been identified at the end of the previous
year’s audit. The auditors will have identified significant issues that need to be revisited in the
next audit, as well as areas requiring less audit effort, such as where the internal controls were
found to be strong, allowing more reliance to be placed upon them. At that time, the auditors
would have assessed the overall efficiency and effectiveness of their audit, and identified
possible ways in which the efficiency and effectiveness could be improved. This process could
include analysing the feedback obtained from entity officials, the PAC, and the media.
Audit management (providing advice, supervising, reviewing, approving, etc.) is not listed as
a separate step in the audit cycle. This is because these activities need to occur throughout
each phase of the process.
Creating good relations with entity officials is key to achieving an effective and efficient audit.
The progress and outcomes of an audit will be enhanced if the audit team can obtain the
cooperation of management and foster confidence by maintaining a fully professional
approach during the course of the audit.
It is important for the auditor to avoid creating an adversarial relationship with entity officials.
To facilitate good relations the auditor should:
• Be fully aware of all other audit activities being undertaken;
• Plan to minimise impact on the audit entity; and,
• Ensure that all discussions with entity officials take place at an appropriate and reasonable
level, and at an appropriate and reasonable time.

Figure 6.1: Audit Cycle for Individual Audits

6.2 General audit planning
The general audit planning phase is where most key planning decisions are made. It involves:
Step 1 Establish audit objectives and scope;
Step 2 Understand the entity’s business;
Step 3 Assess materiality, planned precision and audit risk;
Step 4 Understand the entity’s internal control structure;
Step 5 Determine components;
Step 6 Determine financial audit and compliance with authority objectives, and
error/irregularity conditions;
Step 7 Assess inherent risk and control risk; and
Step 8 Determine mix of tests of internal control, analytical procedures and substantive tests
of details.
These steps are introduced below, and are discussed in more detail in the next Chapter.
Step 1 - Establish overall audit objectives and scope
The audit objective should be a clear statement of what the auditor intends to examine and
what is to be achieved by the audit. There should be clear audit objectives for every assertion,
for each financial statement component and for each audit area to be examined.
One or more audit objectives should be defined for each component o f a financial audit and
for each line of inquiry. The audit objective is a statement of what is to be achieved by the
audit.
The audit scope is a statement of what areas will be looked at, what work must be done and
what will not be done and the methodology to be used to achieve the audit objectives(s).
The auditor should update the audit plan to reflect the mix of financial certification and control
and compliance objectives established for the current year.
The scope of the audit will reflect the audit entity. For audits that are required under Section 7
of the Auditor-General Ordinance, the entity to be audited will be defined by the applicable
accounting policies of the government. For example, for an audit of the financial statements of
the Federation, the entity to be audited would be all of the ministries, departments, agencies,
etc. that the accounting policies require to be included in the financial statements of the
Federation.
Step 2 - Understand entity’s business
The auditor should assemble and review material that will enable the team to gain a sufficient
knowledge of the business to assess materiality, determine components, identify error
conditions, etc.

Step 3 - Assess materiality, planned precision, and audit risk
Materiality, planned precision and audit risk are key concepts when conducting an audit that
will result in the Auditor-General expressing an opinion on the financial statements of an audit
entity. The opinion paragraph of a standard unqualified auditor’s report commences, “In my
opinion, these financial statements properly present, in all material respects, the financial
position of [the entity] ...”
Materiality. When the Auditor-General states that the financial statements “properly present,
in all material respects”, he/she is stating that the financial statements are not materially
misstated. An error (or the sum of the errors) is material if the error (or the sum of the errors)
is big enough to influence the users of the financial statements. Therefore the auditor must
determine what amount is considered material.
Planned precision. Planned precision is the auditor’s planned allowance for further possible
errors. To determine it, the auditor first estimates the most likely error that will exist in the
financial statements as a whole. This estimate is referred to as the “expected aggregate error.”
The auditor then subtracts the expected aggregate error from the materiality amount to arrive
at planned precision.
Audit risk. The opinion paragraph of the standard unqualified auditor’s report begins “In my
opinion . ” This means that the auditor is not stating that he/she is absolutely certain that the
financial statements “properly present in all material respects” (i.e., are not materially
misstated). Rather, the auditor is stating that he/she has some degree of assurance that is less
than 100% that the financial statements are not materially misstated. GAAS refers to this
degree of assurance as “reasonable assurance”.
The auditor should determine what level of confidence is required. If the auditor wants to be
95% confident that the financial statements are not materially misstated, this means that the
auditor is prepared to take a 5% risk that he/she will fail to detect errors summing to more than
the materiality amount. Audit risk in this case is therefore 5%.
Using a 5% audit risk and a Rs. 3,000,000 materiality amount, when the auditor states, “In my
opinion, these financial statements present fairly, in all material respects . ”, the auditor is
stating, “I have 95% assurance that the financial statements are not misstated by more than Rs.
3,000,000”.
Step 4 - Understand entity’s internal control structure
GAAS require the auditor to have an up-to-date understanding of the entity’s internal control
structure.
The required level of understanding depends on the extent to which the auditor intends to rely
on the internal controls to reduce his/her substantive tests. Even when no reliance is intended,
some knowledge is still required.
Step 5 - Determine components
Auditors normally do not plan audits for the financial statements as a whole. Rather, they
divide the financial statements into parts and plan each part separately.

For an audit of financial statements, the most logical way of dividing up the financial
statements is to consider each line item in the financial statements to be a separate component.
Sometimes the financial statements include several different groupings of the same total
amount. For example, expenditures may be grouped by:
• Organizational unit (the ministries, departments, agencies, etc. making up the reporting
entity)
• Appropriation account;
• Economic function (general public services, defence affairs and services, etc.); and/or
• Object element (payroll expenditures, operating expenditures, civil works, etc.).
The auditor normally selects the grouping that makes it the easiest to plan, perform and
evaluate the audit work.
If the financial statements group the expenditures by object element, the auditor might then
plan the audit of each object element to obtain the desired assurance that errors in each object
element do not sum to more than the materiality amount.
Step 6 - Determine financial audit and compliance with authority objectives,

and error/irregularity conditions
Having divided the audit into components, the auditor needs to define attest and compliance
objectives, as applicable, and define what is considered to be an error or irregularity.
Specific financial audit objectives. For a financial statement audit, a component is considered
to be in error if:
• It is not valid (the asset or liability does not exist or the revenue or expenditure has not
occurred) - the existence objective; or
• The statement of the asset, liability, revenue or expenditure is not complete - the
completeness objective; or
• The asset is not owned by the entity, or the liability is not owed by the entity - the
regularity objective; or
• The asset or liability is not properly valued or is misclassified, or the revenue or
expenditure is not properly measured or is misclassified - the valuation or measurement
objective; or
• The financial statement presentation is not proper - the presentation objective.
Related compliance with authority objectives. Section 3.4 of DAGP’s auditing standards
states, “In conducting regularity (financial) audits, a test should be made o f compliance with
applicable laws and regulations.”
To comply with this standard, the auditor should test for compliance with those laws and
regulations that are related to the audit of the financial statements.
The following compliance with authority objectives are considered to be applicable:

(a) Spend:
The services were performed or the goods received;

The expenditure was consistent with the nature of the appropriation to which it was
charged;
The expenditure is in accordance with applicable legislation and the rules and regulations
issued by such legislation; and
The expenditure does not result in the total approved expenditure being exceeded.
(b) Borrow:
The amount and debt terms (period, interest rates, repayment schedule, etc.) are in
accordance with applicable legislation, and related rules and regulations.
(c) Raise revenue:
The cash received was for an approved tax or other approved source;
The cash received is in accordance with applicable legislation and associated rules and
regulations.
Error conditions. The last part to this step is to consider error conditions. The idea here is to
consider possible ways in which an asset, liability, revenue or expenditure might not be valid,
complete, compliant with applicable authorities etc. Put another way, the idea is to think of
possible ways in which a monetary error can occur in the financial statements and the ways in
which monetary amounts may not be in accordance with applicable authorities.
For example, to apply the validity and measurement objectives to the component “payroll
expenditures”, the auditor should consider how payroll expenditures might not be complete.
There are many possible reasons why payroll expenditures might not be valid or properly
measured. However the chance of some of them occurring might be negligible. Similarly, the
maximum possible error that could result from some of them might be insignificant. The idea
is to identify the errors that have a real chance of occurring, and that could be relatively large
in relation to the materiality amount.
For the validity and measurement objectives, the auditor may identify four error conditions, as
follows:
(a) Services paid for are not performed;
(b) Employees are being paid more or less than they should be paid;
(c) Payroll expenditures are being charged to an incorrect account or appropriation; and
(d) The amounts in the payroll register are not included in the financial statements at the
correct amount.
In addition, the auditor might also identify the following compliance with authority matters:
(a) the work being performed was not properly approved;
(b) the payments were not properly approved.
The auditor should then develop audit procedures to determine whether any of the possible
errors or deviations have occurred.
Step 7 - Assess inherent risk and control risk
Inherent risk. Inherent risk is the chance of material error occurring in the first place assuming
that there are no internal controls in place. “Material error” may be a single error or the sum of
multiple smaller errors.

Inherent risk is assessed at this stage as it determines how much testing of internal controls
and substantive testing (analytical procedures and substantive tests of details) the auditor
needs to perform in total to achieve his/her desired level of reasonable assurance (95% in our
illustration).
Control risk. Control risk is the chance that the entity’s internal controls will not prevent or
detect material error. Again, “material error” may be one error or the sum of multiple smaller
errors.
Control risk is assessed at this stage as it determines the amount of assurance that the auditor
can obtain from his/her tests of internal control.
Step 8 - Determine mix of tests of internal control, analytical procedures

and substantive tests of details
The auditor needs to select a combination of tests of internal control, analytical procedures and
substantive tests of details that, in total, will provide the desired level of assurance that payroll
expenditures are not incomplete by an amount greater than the materiality amount.
The auditor can obtain this assurance in a number of ways, for example by:
• reviewing the internal controls that the entity has in place to ensure the completeness of,
using our payroll example, payroll expenditures, and then performing tests of internal
control to ensure that the controls are functioning properly;
• performing such analytical procedures as comparing the payroll expenditures by month to
each other and to the equivalent amounts in the previous year; and/or
• selecting a sample of payroll transactions and performing various substantive tests of
details on those transactions.
These methods can be used in different combinations. For example the auditor can:
• Place a lot of reliance on the internal controls. Under this option, the auditor would
perform a lot of tests of internal control, supplemented by only limited analytical
procedures, and select a very small sample of payroll transactions for substantive tests of
details; or,
• Place very little reliance on the internal controls. Under this option, the auditor would do
fewer tests of internal control than in the first option, but would perform more rigorous
analytical procedures or select a larger sample of payroll transactions for substantive tests
of details.
When deciding which combination to use, the auditor should consider the cost of each
combination in terms of audit resources.
6.3 Activity and Resource Planning

This phase primarily involves taking the decisions made during the general planning phase
and using them to build the audit programmes that will be used during the fieldwork phase. It
also involves establishing budgets, staffing requirements, the timing of the audit work, and the
information to be obtained from the entity.
These steps are introduced below, and are discussed in more detail later.

Develop audit programmes
The audit programmes provide the auditor with a list of all the procedures to perform.
The auditor can use the error conditions identified during the general planning phase, or a
previous audit programme for the entity, as a starting point for the development of the audit
programmes.
The auditor should also determine what information the entity management are required to
make available for the audit work.
Establish resource requirements and timing considerations
For each audit determine:
• the number of auditors with required level of seniority and skill sets;
• related out-of-pocket expense budgets; and,
• timing of the work.
The resource requirements are based on the audit programmes. Resource allocations from
previous audits of the entity may provide a helpful starting point.
6.3.1 Fieldwork
During the fieldwork phase, the auditors complete the procedures that are contained in the
audit programmes. The required evidence is gathered, and the work performed is documented
in the working paper files.
Chapter 8 contains detailed guidance on this phase of the audit cycle.
6.3.2 Evaluation
During the evaluation phase, the results of the audit are summarised and conclusions are
reached.
The auditor first concludes on the results of each test. The auditor then reaches a conclusion
on each component. Finally, the auditor reaches a conclusion on the financial statements as a
whole, or identifies specific irregularities and general systemic weaknesses based on
compliance with authority tests.
6.3.3 Reporting
The reporting phase involves performing some final clearance procedures and issuing an audit
certificate (opinion) on the financial statements. In this certificate, the auditor expresses an
opinion as to whether:
(a) the financial statements properly present in all material respects, the entity’s financial
position, the results of its operations, its cash flows and its expenditure and receipts by
appropriation; and,

(b) the sums expended have been applied, in all material respects, for the purposes authorised
by Parliament, and have, in all material respects, been booked to the relevant grants and
appropriations.
Often, the reporting phase also involves issuing other reports dealing with internal controls,
compliance with authorities, and performance matters that were identified as part of a financial
audit, or in separate audits. These matters can be reported in a management report or in one of
the Auditor-General’s reports to Parliament and the Public Accounts Committee.
6.3.4 Follow up
The follow-up phase involves returning to the entity at a later date to determine if entity
management has:
• Corrected errors identified during the audit; and
• Implemented recommendations made by the auditors or by the Public Accounts
Committee.
6.4 Roles and responsibilities

6.4.1 General roles and responsibilities
The general planning phase is where most of the key planning decisions are made. Many of
these decisions have a significant impact on the nature, extent and timing of the work that is
performed during the fieldwork phase. Because of this, general planning decisions should be
made by the more senior and experienced members of the audit directorate.
Similarly, conclusions reached during the evaluation phase may have a significant impact on
the type of audit report that is issued. The more senior and experienced members of the audit
directorate also need to be directly involved in the evaluation process, and in the finalisation of
the report.
It is not possible to lay down specific roles and responsibilities for all audits. Each audit is
different - some are quite complex and difficult to plan and perform; others are relatively
small and straightforward. In addition, there may be differences in the knowledge of the entity
and audit skills possessed by different staff members within each directorate.
To encourage consistency, Figure 6.2 contains a chart that shows the suggested roles and
responsibilities of individuals at each level, for the general tasks to be performed during the
audit.
6.4.2 Centrally led audits
These are audits where a central team is responsible for the overall planning, performance,
evaluation, reporting and follow up. An example of such an audit is the annual audit of the
financial statements of the Federation.

With a centrally led audit, there will be a division of responsibilities between the central team
and each directorate. For example, for the annual audit of the financial statements of the
Federation, the central team is responsible for:
• Setting the basic planning parameters (materiality, planned precision, audit risk,
components, etc.);
• Setting inherent risk, control risk, other substantive procedures risk and substantive test of
details risk for each component and each specific financial audit objective and compliance
with authority objective and error condition;
• Determining the optimum mix of tests of internal control, analytical procedures and
substantive tests of details for each component and for each specific financial audit
objective and related compliance with authority objective and error condition;
• Drafting the audit programmes, forms and checklists to be used by the audit teams
performing the work;
• Performing the overall error evaluation; and
• Reporting the results of the audit.
The auditors from each of the directorates are, in turn, responsible for:
• Providing advice to assist the central team to plan the audit;
• Reviewing the material received from the central team to ensure audit programmes, forms
and checklists reflect the optimum mix of tests for that particular directorate, and contain
all the work required to obtain the required amount of overall assurance;
• Performing the audit work; and
• Reporting the results of the work, including individual errors and other matters of note, to
the central team.
Regarding the above, the central team will likely not have the same detailed level of
knowledge of a particular entity as the auditors from the applicable audit directorate. For
example the central team may not be aware that the internal controls are weak and that the
planned level of reliance on them is not possible. The auditors from the audit directorate must
bring these matters to the attention of the central team and ensure necessary adjustments are
made to the audit plan.
With a centrally led audit, some of the roles and responsibilities that, according to Figure 6.2,
are to be performed by the Director General will be performed by the Director General
responsible for the central team, while other roles and responsibilities will be performed by the
Director General in charge of each directorate. The same applies to the other levels of staff
shown in Figure 6.2.
To ensure that everyone is aware of their roles and responsibilities, the central team will
provide a schedule similar to Figure 6.2 that clearly lays out the roles and responsibilities of
individuals within the central team, and within each audit directorate.

Figure 6.2: Roles and Responsibilities
Deputy
DAG
Auditor- Director Director Audit
S tep (Senior) Director
General General or Asst. Officer
or DAG
Director
General Planning
Update overall audit A(1) R(1) P

objectives and audit
scope
Update A(1) R(1) P

understanding of
entity’s business
Update assessment of A(1) R(1) P

materiality, planned
precision, and audit
risk
Update A(1) R(1) P

understanding of the
entity’s internal
control structure
Update determination A(1) R(1) P

of components
A = Approve R = Review S = Supervise

P = Responsible for performance of.
(1) The review and approval would be done through a review and approval of the permanent file, planning
file, audit planning memorandum, audit programmes, etc. produced at the end of the planning process.

Deputy
DAG
or DAG
Director
Update A(1) R(1) P

determination of
specific financial
audit objectives,
compliance with
authority objectives
and error
conditions
Update assessment A(1) R(1) P

of inherent risk and
control risk
Update optimum A(1) R(1) P

combination of
procedures
Detailed Planning
Update audit A(1) R(1) S P

programmes
Update budgets, A(1) R(1) S P

staffing
requirements,
timing
considerations, etc.
Fieldwork
Complete audit
R S P
programmes

(1) The review and approval would be done through a review and approval of the permanent file, planning file,
audit planning memorandum, audit programmes, etc. produced at the end of the planning process.

Deputy
DAG
or DAG
Director
Evaluation
Conclude on results R S P
of work
Reporting
• Audit a (2) a (2) R P

Opinions
• Audit Reports a (2) a (2) R P
• Management A P
reports
Follow up
(3) (3) (3) (3) (3) (3)
Follow up matters
in reports

(2) It is expected that the audit opinions and audit reports on the major entities would be approved by the
Auditor-General; the other audit opinions and audit reports would be approved by the Deputy Auditor
General (Senior) or a Deputy Auditor General.
(3) The roles and responsibilities would match those for the equivalent work performed during the audit
itself.

7. PLANNING THE AUDIT
Individual audits must be properly planned to ensure:
• Appropriate and sufficient evidence is obtained to support the auditor’s opinion;
• DAGP’s auditing standards are complied with; and
• Only necessary work is performed.
This chapter contains guidelines that the auditor can use to plan the audit. These guidelines do
not replace the use of professional judgment.
7.1 Step 1 - Establish audit objectives and scope

It is a general principle of DAGP’s audit activities that no audit entity should be subject to
more than one audit in a given year. Accordingly, any individual audit may have to fulfil
multiple audit objectives, so it is important that the audit is well-planned in terms of audit
objectives and audit scope.
The step also involves communicating with the entity to ensure management is fully aware of
the audit objectives and audit scope.
7.1.1 Overall audit objectives
Each audit will be designed to address one or more of the following objectives:
• Expressing an opinion on financial statements;
• Expressing an opinion regarding compliance with authorities;
• Testing compliance with authority or controls on selected transactions with no opinion
being expressed; and
• Evaluating operational performance.
To express an opinion on financial statements the auditor needs to design audit procedures to
obtain a reasonable level of assurance that the financial statements are not materially
misstated. This means reaching a conclusion as to whether the account balances are valid, are
complete, are properly valued, etc.
For compliance with authority work where an opinion is being expressed, the auditor will
design audit procedures to obtain a reasonable level of assurance that the selected transactions
in a given period are in compliance with applicable statutes and regulations. The types of
irregularities that the auditor should look for will reflect the objectives of the compliance
audit.
For compliance with authority audit work where there is no expression of an opinion the
auditor need not plan the audit to obtain a specified minimum level of overall audit assurance.
Where the audit is to evaluate operational performance the auditor is concerned with economy,
efficiency and effectiveness the auditor will develop specific audit objectives and conclude on
the management framework and/or level of performance.

In summary, the nature and extent of the work that the auditor needs to perform will vary
according to the objectives of the audit. Therefore, a first step in the planning process is to
determine the objectives for the year.
7.1.2 Audit Scope
The auditor also needs to determine the overall audit scope - the total population on which to
express an opinion, from which to select transactions, etc. For financial audit purpose, this
total population is referred to as the “audit entity”. The audit entity determines the scope of
the audit, and is generally defined by the audit mandate. For financial statement audits that are
required under Section 7 of the Auditor-General Ordinance (see Chapter 2), the entity to be
audited will be defined by the applicable accounting policies of the government.
For example, the accounting policies for the Federation state, “The financial statements have
been prepared by consolidating the accounts o f all Centralised and Self Accounting Entities
.... Commercial entities owned or controlled by the Government prepare their own financial
statements, which are not included in these financial statements.” Based on this accounting
policy, the audit entity would include all centralised and self-accounting entities, but would
exclude the commercial entities.
For other financial audits, the entity to be audited may need to be carefully determined. For
example, a ministry may make use of a special operating agency to perform some of its
functions. In this situation, the auditor will need to determine whether or not the agency falls
under the scope of the audit.
In some cases, the scope of the audit can be at the auditor’s discretion, or can be negotiated
with entity management. For example, DAGP may have planned to audit a particular civil
works project. If the internal audit unit in that entity is planning to do a detailed audit of the
project one year later, it may suggest that DAGP defer its audit by a year so the two audits
could be coordinated. DAGP might decide to do so.
The first consideration in defining the scope of audit is to ensure that the work required to
complete the financial attest audit is covered. In determining what else should be audited, it is
important that scarce audit resources be focused on the most important aspects of the
operations of the government. The first step in deciding what to examine is to identify matters
of significance, both within the government as a whole and within the audit entity under
examination.
Matters of significance can include one or more of the following:

• Large expenditures or large revenues;
• Areas of high risk (significant control weaknesses, potential for large losses/negative
impacts);
• Matters of propriety, or probity (even if not of high materiality or risk);
• Important aspects of the programme’s performance;
• Politically sensitive areas, where the reputation of the government could be adversely
affected;
• Substantial errors or misrepresentations in financial and other management reports;
• Serious problems of compliance, especially regarding laws and regulations; and

• Areas where the audit is likely to identify opportunities for significant improvement.
The auditor may decide to address one or more of these or to limit audit coverage to financial
attest requirements together with the more critical aspects of compliance with key laws and
regulations. Ultimately the decision as to what sub-entities are significant and should be
included in a particular audit is a matter for DAGP management. As noted in Chapter 5, there
are various entities that DAGP may decide to include in any specific audit. Entities may be
organisational units, such as agencies, DAOs, DDOs etc., functional areas, such as the payroll
function or the purchasing function, or accounting entities, such as objects of expenditure,
grants or appropriations. DAGP may determine that all entities should be reviewed in a
particular audit, for example ensuring complete coverage of all DDOs or grants and
appropriations, and the planning phase for individual audits will be guided by this direction
from management.
In determining what areas are significant, an understanding of the audit entity and its business
is important. In selecting matters of significance for performance audits, the auditor should
not focus only on the potential of negative findings. It is also important that key aspects of the
programme are examined even if they are well managed. Providing the Legislature, the public,
and also management, with assurances that programmes are well administered can be of value.
When providing an assurance, the auditor must obtain sufficient evidence to conclude that
there is a low risk that any significant problem has gone undetected. This usually requires
much more audit effort than is required for finding weaknesses.
7.1.3 Entity communication letters
DAGP has a legal mandate to perform its audit work. This mandate permits it to determine the
nature, extent and timing of its work. As such, DAGP does not need to negotiate the scope of
its work with the entity, or to make use of formal engagement letters.
Nevertheless, there are benefits to discussing the nature, extent and timing of the work with
entity officials. These benefits include:
• The introduction of annual financial audit work has changed the nature of the audit work
that the auditors are performing. Entity communication letters can be used to help the audit
entities to better understand the nature of the work that is being performed, and the types
of reports that may be issued at the completion of the work.
• While much of the financial audit work will be performed annually, other work that
DAGP performs will continue to be performed on a rotational basis. Entity communication
letters can be used to advise the entity of the nature, extent and timing of the rotational
audit work that will be performed in the coming year.
• Input from entity management may help improve the planned scope of the audit and the
rotational audit plan. For example, the auditors may discover that the entity’s internal audit
unit is planning a detailed review of the entity’s internal control structure. DAGP and
internal auditors could then coordinate their work, and the DAGP auditors may be able to
rely on the work performed by the internal auditors.
• Input from entity management may also improve the efficiency of the audit work. For
example, the auditors could advise entity officials of the planned start and completion
dates of each audit, and the information that the auditors will require to perform their
audit. Entity officials would then be able to locate the required information, arrange for
suitable office space, etc. prior to the start of the audit.

An entity communication letter is a useful way to document the nature, extent and timing of
the audit work that will be performed in the following year. A sample letter is included in the
Standard Audit Working Paper Kit.
7.2 Step 2 - Understand the entity’s business

7.2.1 Information Requirements
Audit objectives are developed on the basis of an understanding of the entity’s business.
However, the auditor does not need to have a complete understanding of all of the entity’s
activities. The auditor only needs to have a detailed knowledge of those aspects of the entity’s
business that relate to the audit.
For example, when performing a financial statement audit, the auditor may not need to have a
detailed understanding of all of the entity’s human resource policies. However, should the
auditor be performing a compliance with authority or a performance audit on the staffing and
promotion processes, a more detailed understanding of the human resource policies may be
required.
The auditor should assemble the following information for most audits:
• government’s plans and priorities;
• entity’s strategic plans;
• users of the entity’s services;
• legislative authorities affecting the entity’s operations;
• industry in which the entity operates, including any specialised accounting practices
followed by that industry;
• activities in which the entity engages (constructing buildings, providing grants and
contributions, collecting taxes, etc.);
• size of the entity (its total assets, liabilities, revenue and expenditure);
• types of transactions and documents that the entity processes;
• entity’s internal control structure; and
• economic trends that can affect the valuation of significant assets and liabilities (those held
in foreign currencies, for example).
The Standard Audit Working Paper Kit includes forms to help the auditor update his/her
understanding of each of these knowledge areas.
Sufficient knowledge of these matters is required by the auditor to:

• assess materiality, planned precision and audit risk;
• understand the internal control structure;
• determine components and understand how the various components and activities fit
together;
• identify error conditions;
• assess inherent risk and control risk;

• understand the substance of transactions, as opposed to their form;
• identify the nature and sources of audit evidence that are available;
• update audit programmes;
• assess whether sufficient appropriate audit evidence has been obtained;
• assess the appropriateness of the accounting policies being used; and
• evaluate the presentation of financial statements and the reasonableness of the overall
results.
There is a link between these knowledge areas and the tasks to be performed, as follows:
• an understanding of the users of the entity’s services and the size of the entity is needed to
assess materiality;
• an understanding of the legislative authorities affecting the entity’s operations, the
activities in which the entity engages, and the types of transactions and documents that the
entity processes is needed to determine what components to audit;
• an understanding of the industry in which the entity operates, the activities in which the
entity engages, the size of the entity, the types of transactions and documents that the
entity processes, and economic trends are needed to assess inherent risk.
7.2.2 Level of Effort
Building an understanding of the entity’s business can be a significant undertaking especiall y

where the audit scope is large, like the audit of the Federal Government. The level of effort in
collecting and documenting the understanding will be high, especially when this is being done
for the first time. Practically, DAGP will probably have to approach this effort incrementally
over the course of the first few audit cycles. However, this should be done according to a plan
that will ensure adequate depth of understanding of priority issues to provide a foundation
upon which subsequent audit cycles can build.
There are a number of factors that can legitimately reduce the effort required:
• Much of the required knowledge will have already been gathered during prior
compliance with authority work. This can be used when planning the audit.
• With a financial audit, the depth of knowledge required of each ministry, department
etc. is relative to the materiality of that organisational unit to the overall audit scope.
Therefore, the knowledge required will be small for less material agencies and will be
of lower priority, so it can be deferred until more priority units have been covered.
• The depth of knowledge required also reflects the extent of intended reliance on
internal controls as a source of audit assurance. If the auditor intends to place little
reliance upon internal controls, then a lower level of knowledge is required than when
significant reliance is to be placed on controls.
These factors can reduce the level of knowledge needed, and can render the data gathering
exercise more manageable.
Once the required level of knowledge has been reached, over the course of several audit
cycles, subsequent audits need only be concerned with confirming the knowledge is current
and updating specific issues where necessary.

Clearly, knowledge of the business is important to all phases of the audit. The auditor should
therefore be sure to update his/her knowledge of the entity’s business throughout the audit.
Analytical procedures are often used at the general planning phase to identify large
fluctuations in the accounts from the previous year. These fluctuations, in turn, may indicate
changes in the entity’s operations.
Analytical procedures are discussed in more detail below.
7.3 Step 3 - Assess materiality, planned precision, and audit

risk
7.3.1 Materiality
Definition o f materiality: When the auditor states that the financial statements “properly
present, in all material respects”, he/she is stating that the financial statements are not
materially misstated. This introduces the concept of materiality.
Materiality can be defined as follows: “An error (or the sum of the errors) is material if the
error (or the sum of the errors) is big enough to influence the users of the financial
statements”.
Materiality is important in the context of the auditor’s report on the financial statements. The
opinion paragraph of a standard unqualified auditor’s report commences, “In my opinion,
these financial statements properly present, in all material respects, the financial position of
[the entity] ...”
Guidelines: To determine materiality the auditor should perform the following steps:
1. Identify the probable users of the financial statements.
2. Identify the information in the financial statements that is expected to be the most
important to each of these users (e.g., total expenditures, total assets or the annual
surplus or deficit). One or more of these amounts may serve as the base amount(s) for
computing materiality.
3. Estimate the highest percentage(s) by which the base amount(s) could be misstated
without significantly affecting the decisions of the users of the financial statements.
4. Multiply the percentage(s) times the base amount(s).
5. Select the lowest amount - this is the materiality amount. Errors exceeding this value
are material.
The auditor normally selects the lowest amount that results from each of these guidelines, and
uses that amount for the audit of the financial statements as a whole. This is because errors
often affect more than one component. For example, an error in cash may also represent an
error in expenditures. As a result, the auditor cannot use a higher materiality amount to audit
cash than he/she uses to audit expenditures.
Note that the materiality amount determined at this step in the general planning phase is used
for the audit of all components. There is no need to allocate the amount to the various
financial statement components. If materiality is set at Rs. 3,000,000 for the financial
statements as a whole, the same Rs. 3,000,000 can be used for each financial statement
component, and for each specific financial audit objective, related compliance with authority
objective, and error condition.

There are some guidelines that can be used to determine the base amount(s) and the
appropriate percentage(s). While guidelines should not replace the use of professional
judgment, the following may be useful, depending on the nature of the entity being audited:
Percentage of total expenditures.
This method is the most widely used method for not-for-profit public sector entities.
The percentages used generally range from 2% for "small" entities to 0.5% for "large"
entities.
Percentage of normalised pre-tax income.
This method is the most used method for profit-oriented public sector entities (e.g.,
state-owned enterprises with a mandate to earn a return on their investments). The
percentages used generally range from 5% for entities with "large" pre-tax incomes to
10% for entities with "small" pre-tax incomes.
Percentage of total revenue.
The same 2% to 0.5% range that is generally used for expenditures (see above) is often
recommended.
Percentage of equity.
Usually 1% is suggested. This method would be appropriate only for entities following
full accrual accounting and hence recording such assets as receivables, stocks and
fixed assets. Without these assets, the entity would most likely be in an accumulated
deficit position, and the equity amount might not be meaningful to the users.
Percentage of assets.
Usually 0.5% is suggested, which achieves the same materiality amount as the amount
in Percentage of Equity if the debt-to-equity ratio is 1 to 1.
Percentage of the annual surplus or deficit.
For public sector entities, the most often quoted amount in the media is the annual
surplus or deficit. It would therefore seem logical to base materiality on a percentage
of the entity’s annual surplus or deficit.
However, there are weaknesses in the latter approach. The main weakness with basing
materiality on a percentage of the annual surplus or deficit is the fact that the amount
may not represent the "true" size of the entity. An entity with an extremely small
annual deficit relative to its total expenditures and revenues would have an extremely
small materiality amount, and an entity with a very large annual deficit would have a
very large materiality amount. In fact, basing materiality on the annual surplus or
deficit could result in the materiality amount decreasing year after year even though
the size of the entity being audited is increasing.
Because of these problems, a percentage of the annual surplus or deficit is normally
only used as a reasonableness check on the materiality amount determined by a
percentage of total expenditures or revenues.
Again, it is not necessary to use a percentage of total expenditures or revenue to audit the
statement of expenditures and revenues, a percentage of total assets when auditing the balance
sheet, etc. Instead, the auditor selects the lowest amount that results from each of these
guidelines and uses that amount for the audit of the financial statements as a whole. That is
because errors often affect more than one component.

Also note that available audit resources should not be a factor in setting materiality.
Materiality is determined with the users in mind, and it is up to the auditor to ensure that
sufficient audit resources are available that are required to perform the required work.
The Standard Audit Working Paper Kit contains a form that can be used to assess the
materiality amount.
Ultimately, the establishment of an appropriate materiality amount is a matter for the auditor’s
professional judgment. For this reason, it is normally not appropriate to use the same
materiality amount for the audit of different entities (i.e. the materiality calculated for the
Federal Government as one entity, will be different from the materiality for a self-accounting
commercial enterprise), and materiality should be calculated separately for each audit. In
addition if, based on the knowledge of the entity and an understanding of the circumstances,
the auditor believes that the monetary amount determined by the above process appears
unreasonable, additional relevant factors should be considered and the materiality amount
revised accordingly.
Qualitative aspects. In addition to the quantitative aspects of materiality discussed above,

there is also a qualitative aspect. The inherent nature or a characteristic of an error may render
the error material, even if its value is not. For example, a small error that is designed to
conceal the over-expenditure of a government appropriation could be considered to be
material by the users.
Auditors are not expected to plan financial audits to detect all of these qualitative errors. The
cost of such an audit would be too high. Consequently, auditors normally ignore the
qualitative aspects of errors when planning their audits. However, when reporting on the
results of the audit work, they should take into account the qualitative aspects of the errors that
they have found when assessing whether the financial statements taken as a whole are
presented fairly.
7.3.2 Planned precision
Planned precision is the auditor’s planned allowance for further possible errors.
By testing a sample, the auditor can determine the Most Likely Error (MLE) in the population.
However, because the auditor has only selected a sample, there is a chance that the actual error
in the population is larger than that. The auditor needs to ensure there is sufficient assurance
that the maximum possible error in the population is less than the materiality amount.
To do this, when planning and performing many analytical procedures and substantive tests of
details, the auditor reduces the materiality amount by his/her estimate of the most likely error
that will exist in the financial statements as a whole. This estimate is referred to as the
“expected aggregate error.” Planned precision is equal to materiality less the expected
aggregate error.
To determine the expected aggregate error, the auditor should consider:

• The errors found in previous years;
• Changes the entity has made to the internal control structure to prevent these errors from
recurring; and
• Other changes to the entity’s business or its internal control structure that could affect the
size of the errors.

If the auditor’s estimate of the expected aggregate error had been set at the planning stage at
Rs. 816,500, the auditor would have calculated planned precision as follows:
Materiality Rs. 3,000,000
Expected aggregate error in financial statements 816,500
Planned precision Rs. 2,183,500
As noted in the discussion on materiality, the materiality amount determined at this step of the
general planning phase is used for the audit of all components within the same audit. There is
no need to allocate the amount to the various financial statement components. Consistent with
this approach, the expected aggregate error being used for a particular test is the expected
aggregate error in the financial statements as a whole, and not just the expected error in the
population being audited. When auditing the completeness of income tax receipts, for
example, the auditor would need to allow for errors not only in that test, but for errors found in
other income tax receipts tests and for errors found in other financial statement components.
7.3.3 Audit risk
Definition: The opinion paragraph of the standard unqualified auditor’s report begins “In my
opinion ...” This means that the auditor is not stating that he/she is absolutely certain that the
financial statements properly present the results of operations (i.e. they are not materially
misstated). Rather, the auditor is stating that he/she has some degree of assurance that is less
than 100% that the financial statements are not materially misstated. Generally accepted
auditing standards (GAAS) refer to this degree of assurance as “reasonable assurance”.
Stated another way, the auditor is taking some risk of issuing an unqualified opinion on
financial statements that are materially misstated. This risk is referred to as “audit risk”.
For example, if the auditor wants to be 95% confident that the financial statements are not
materially misstated, this means that the auditor is prepared to take a 5% risk that he/she will
fail to detect errors summing to more than the materiality amount. Audit risk is therefore 5%.
Using the audit risk and the materiality amount, when the auditor states, “In my opinion, these
financial statements present fairly, in all material respects . ”, the auditor is stating, “I have
x% assurance that the financial statements are not misstated by more than the materiality
amount”.
7.3.4 Risk Assessment
The audit should focus on the areas of greatest materiality, significance and risk. An
understanding of the risk associated with each audit entity is therefore critical to the
development of an audit plan. The auditor should develop this understanding by conducting a
risk assessment as part of planning an audit assignment.
In the case of a financial attest audit, the auditor is concerned with the risk that material
misstatements exist in the financial statements that will not be detected, either by management
or by audit procedures.
In the case of compliance audits, the auditor is concerned with the risk that certain material,
or significant, transactions have occurred in a manner that contravene the laws, regulations
and management procedures applying to the area of audit.

In considering audit risk, there are three categories of risk that are normally considered:
Inherent Risk, Control Risk, and Detection Risk. These are discussed below.
1. Inherent risk
This is the susceptibility to material/significant error or loss unrelated to any internal control
system. Assessing inherent risk requires the evaluation of numerous judgmental factors,
relating to the nature of the entity and its business environment taken as a whole.
This is done by asking what could go wrong and what would be the likely consequences. If the
likelihood of occurrence is low and the significance of the error is low, the auditor need not be
concerned. Where the likelihood is high and the significance is high, then inherent risk is high.
In this situation, the auditor must be assured that either the internal controls are strong enough
to detect and prevent such occurrences or the substantive audit coverage is sufficient to detect
such occurrences with a high level of assurance.
2. Control risk
This is the risk that material/significant error or loss is not prevented or detected on a timely
basis by the internal control structure. Control risk is a function of the effectiveness of the
design and operation of the internal controls. In order to assess control risk, the auditor should
obtain evidence to support the effectiveness of internal control policies and procedures in
preventing or detecting material error or loss. The auditor should recognise that there are risks
of error or loss that cannot be detected or prevented in a timely manner whatever the controls
in place. Further, the auditor should recognise that the costs of certain controls cannot be
justified when compared to the potential losses they are guarding against.
The auditor should identify and evaluate both the control environment and the effectiveness of
the individual internal controls that are in place. Indicators of a positive control environment
include:
• policies and procedures relating to internal controls and to the need for maintaining a
proper control environment exist and are documented;
• an appropriate organisational structure with clearly identified roles and responsibilities
relating to the administration of internal controls exists;
• staff are selected and trained to ensure their competence and dedication in key control
positions;
• senior management is involved in identifying control risks and monitoring performance;
• actions are taken to correct any identified control deficiencies with an appropriate level of
priority; and
• management displays positive attitudes towards the maintenance of sound internal
controls, such as: recognising dedicated effort; positively responding to audits and reviews
of controls; and taking disciplinary action in response to poor performance.
The auditor is referred to the Control Environment Worksheet in the Standard Audit Working
Paper Kit.
To review the effectiveness of controls the auditor should make use of the Internal Control
Questionnaires which are presented in the audit programme guides as part of the Standard
Audit Working Paper Kit. The auditor should expect stronger controls where risks are highest.
For example, there should be strong controls in place to ensure contracts involving large

expenditures are well managed: for the selection of the contractor, for drawing up the contract;
and for the control of performance under the contract. On the other hand, there should be
minimal effort applied to controlling small items of inventory where the risk of loss, damage
or theft is low.
The auditor should determine how the controls are applied, assess their adequacy, and identify
significant control gaps.
The trend in modem government is to “let the managers manage” and take reasonable risks in
order to achieve results with reduced resources. Consequently, the auditor should be conscious
of the need for reasonable, but not excessive, internal controls. The cost of controls should not
exceed the potential losses that could occur without those controls.
3. Detection risk
This is the risk of material/significant error or loss going undetected by the auditor’s
substantive audit procedures. It is a function of the effectiveness of the substantive audit
procedures and audit effort.
Also, less experienced or less knowledgeable auditors are more likely to miss detecting errors
than the experienced auditor. Therefore, without careful supervision, the employment of less
experienced auditors increases detection risk.
Audit risk is a composite of these three risks. When planning an audit there is a trade off
between the overall risk that the auditor will accept and the cost of the audit - the lower the
overall risk that the auditor is prepared to take, the more extensive the required work and the
more costly the audit becomes. Thus the risk assessment process is particularly important in
determining the extent to which the audit will examine the systems, procedures, practices and
transactions that govern matters at the lower end of the objective and control hierarchy.
7.3.5 Identification of Risk
The auditor needs to develop the ability to identify risks. This requires an understanding of
what constitutes risk and how to recognise it. There is a set of steps that the auditor can take,
but experience, imagination and judgment are also critical.
The steps to follow are:

1 List the programme objectives, assets to be safeguarded and other results that
management need to achieve;
2 Identify threats which could prevent achievement of these objectives;
3 Rate the risks, with the probability of occurrence, assuming no management controls (the
inherent risks);
4. List controls and assurances which exist within the systems and practices in place
(environment controls and internal controls);
5. Identify missing controls and assurances;
6. Identify risks that could occur even with the existing controls in place (control risk); and
7. Recommend improved controls and assurances (based on an assessment of the trade-off
of the cost of the controls against the potential savings of lost and waste without the new
controls in place).

This activity should be documented on the audit file.
7.3.6 Indicators of Risk
There are certain indicators that can alert the auditor to potential risk situations. Analysis of
data may produce information that does not look right. Managers are often aware of high-risk
situations and will assist the auditor to identify areas needing examination. This is more likely
if the manager sees the auditor as an ally rather than a critic and feels comfortable confiding
with the auditor.
Some examples of risk that can be encountered are:

• Processing risk;
• Programme risk;
• Regulatory risk; or
• Risk of fraud.
Processing risk. Errors can occur inadvertently, especially in situations such as the following:
• A new government programme where there is little experience in administering it, or the
entity has taken over responsibilities for a new function and the previous administrators
are no longer involved.
• New systems or procedures are introduced, especially a new computerised system.
• There have been recent changes in management or there is a high turnover of staff (in
other words, there is a poor corporate memory), particularly if administrative procedures
are poorly documented.
• There are unclear responsibilities.
If the process involves large transactions, the risk of inadvertent loss or waste can be serious.
Programme risk. Certain government programmes are particularly susceptible to significant

losses, either intended (fraud) or unintended (the result of poor administration).
Examples of programmes that should be given a careful assessment of risk are:

• Loans or guarantees, which, by their very nature, usually place the government at risk.
• Programmes delivered by means of contracts, especially where there are unclear terms and
conditions, insufficient specifications / performance requirements.
• Research and development projects, where often the results are difficult to predict
(especially non-standard software development).
• Programmes with vague outputs or outcomes, where in return for the government’s
expenditures, the benefits are difficult to identify.
Large expenditures in programmes of such nature should be a high priority for the auditor to
examine.
Another aspect of risk relating to programme performance is the risk that adverse publicity can
arise. The danger of criticism of a programme can be out of proportion with the potential or

actual loss occurring due to some weakness in the administration of the programme. There is
often a trade-off between the economic and efficient management of a programme and the
cautious avoidance or mistakes that can lead to embarrassment. The auditor should be
sensitive to this and be able to judge what are appropriate levels of control.
Regulatory risk. One means of implementing government policy is through regulatory

activities. The usual purpose of regulations is to protect the public - whether this is health
protection, ensuring fair trade practices, transportation safety, or other law enforcement.
Failures in a government’s regulatory programme can occur at various points within the
regulatory system. For example, regulatory risk can derive from:
• inadequate laws;
• inadequate inspection/detection (insufficient resources available; untrained inspectors;
poor supervision of the inspectors);
• inadequate penalties or other deterrents;
• poor records and inadequate statistics; and/or
• environmental factors outside of the regulatory process that impact on the effectiveness of
the regulatory programme.
The impact of regulatory weaknesses on government operations can be significant, although

not as obvious as misappropriations of funds, waste or loss of monies. For example, the non
collection of taxes can represent a huge loss to the government. Therefore the auditor must
focus on regulatory activities just as much as on expenditures.
R isk o f fraud. There are many classical indicators of weaknesses that can contribute to fraud.
Some of these are:
• Insufficient separation of duties;
• Only one person with access to financial information, particularly if this person exhibits
defensive or guarded behaviour;
• Weak controls;
• Inadequate management supervision, inspection, challenge or review;
• Inadequate or untimely reports; and,
• Late or non-existent reconciliations.
It is often beneficial to provide all auditors with some training in fraud awareness and
investigation, and to provide extensive Forensic Audit training to one or a few auditors. Then
one of those who have had extensive training and experience can be consulted wherever any
serious case of fraud has been identified or is suspected.
7.3.7 Factors affecting audit risk
To determine how much risk the auditor should accept that an unqualified opinion may be
issued on financial statements that are materially misstated, the auditor would consider such
matters as professional exposure, reporting considerations and ease of audit.

Professional exposure
This is the risk of loss or injury to the auditor's reputation from litigation, adverse publicity or
other events arising in connection with the financial statements reported upon.
Professional exposure risk is often considered to be highest when there is a good chance that
the financial statements and the audit report thereon will undergo a lot of scrutiny. This could
occur in special situations such as when an entity is:
• Receiving a lot of bad publicity for an authority violation or other matter;
• Being privatised, transferred to another level of government, or turned into a special
operating agency;
• Issuing new debt; and/or
• Experiencing financial difficulty.
For audit entities such as these, the auditor may elect to reduce their audit risk to reduce their
professional exposure risk.
Reporting considerations
These considerations usually include the number of users and the extent to which they rely on
the entity's financial statements and audit report.
Ease of auditing
Factors to be considered here could include the practical availability of audit evidence and the
existence of an audit trail.
7.3.8 Determining audit risk
Even though the determination of audit risk is the auditor's responsibility and not the financial
statement users, it may be prudent to discuss the factors affecting audit risk and the assessed
level directly with the users. There are several reasons for this:
• One of the factors affecting the required level of audit risk is the extent to which the users
rely on the entity's financial statements and audit report. If the users are placing extensive
reliance on the financial statements, the auditor may wish to use a lower level of audit risk
(i.e., obtain a higher level of overall assurance) than if the users are placing very little
reliance on the financial statements. Discussing the level of audit risk with the users will
provide the auditor with direct evidence with respect to this factor.
• Some of the users, such as government planners and managers as well as legislators, may
be aware of special circumstances that could increase the auditor’s professional exposure
risk. These may include circumstances of which the auditor is not aware.
Guidelines: As for materiality, the assessment of audit risk is a subjective process requiring
the use of professional judgment. While guidelines should not replace the use of professional
judgment, the following may be useful:

Overall
Situation Audit Risk Assurance
Entities perceived to be high risk (and 3 97

therefore the auditor wants to achieve a high
level of overall assurance and set a low level
of audit risk)
All other entities 5 95
The Standard Audit Working Paper Kit contains a form that can be used to assess audit risk.
As is evident from the above guidelines, the lower the audit risk being taken, the more
assurance is required. This is because audit risk and overall assurance are converses of each
other. Reducing audit risk from 5% to 3% increases the desired level of overall assurance from
95% to 97%.
Increasing the overall assurance will increase the required amount of audit work. Going from
95% assurance to 97% assurance could, for example, add 20% to the total required amount of
audit work.
7.3.9 Auditor’s responsibility to detect error and fraud
Because the auditor designs audit procedures to detect errors in the financial statements that in
total exceed the selected level of materiality, an audit most likely will not detect all immaterial
errors. In fact, because the auditor is providing reasonable and not absolute assurance, there is
a chance that an audit performed in accordance with GAAS will fail to detect some material
errors. Some of these errors may be due to fraud.
Fraud is the intentional act by one or more individuals to deceive others. For example, an
employee may steal cash and cover up the theft by recording fictitious expenditures. Or the
employee may not record an expenditure that would cause the ministry to exceed its allowable
expenditures.
The most difficult type of fraud to detect is fraud committed by management. This is because
management may be able to override internal controls.
Not all frauds will result in errors in the financial statements. For example, under the
accounting principles contained in the New Accounting Model (NAM), consumable stocks are
not recorded in the financial statements. Therefore, the theft of inventory would not affect
financial statements prepared using NAM.
When planning an audit, auditors normally start by assuming good faith on the part of
management, meaning that management officials are honest and have done their best to ensure
that the financial statements do not contain any errors.
However, the assumption of management’s good faith cannot be blind faith. As noted in
paragraph 3.0.3 of DAGP’s auditing standards, “The auditor should design audit steps and
procedures to provide reasonable assurance o f detecting errors, irregularities, and illegal
acts that could have a direct and material effect on the financial statement amounts or the

results o f regularity audits. The auditor also should be aware o f the possibility o f illegal acts
that could have an indirect and material effect on the financial statements or results o f
regularity audits.”
While the auditor is not required to actively seek out evidence of lack of good faith by
management, the auditor complies with the above standard by planning and performing the
audit with an attitude of professional scepticism. This means that the auditor uses a
questioning mind and keeps alert for evidence that brings into question the reliability of
documents or management’s representations. Should evidence come to light that indicates
fraud may have occurred or the assumption of management’s good faith is not appropr iate, the
auditor should design specific audit procedures to deal with the matter.
Analytical procedures are a good technique to identify areas where further investigations are
required. These procedures are discussed in Section 7.8 below.
Procedures to investigate possible fraud normally include a detailed review of specific

projects, disbursements, etc. in which the fraud could have occurred. Sampling would
normally not be used to detect or investigate fraud, because it involves selecting a
representative sample, as opposed to zeroing in on the specific areas where further
investigation is required.
7.4 Step 4 - Understand the entity’s internal control structure

7.4.1 Definition and concepts of internal control
INTOSAI defines the internal control structure as the plans and actions of an organisation,
including management's attitude, methods, procedures, and other measures that provide
reasonable assurance that the following general objectives are achieved:
• Assets are safeguarded against loss due to waste, abuse, mismanagement, errors, fraud and
other irregularities;
• Laws, regulations, and management directives are complied with; and
• Reliable financial and management data are developed, maintained and fairly disclosed in
timely reports.
The internal control structure of an audit entity is therefore very important to the auditor.
Furthermore, an understanding of internal controls, and the weaknesses in internal controls, is

often critical for the auditor to make recommendations for improvements. If the audit focuses
only on individual transactions, the auditor can only conclude, when errors are observed, that
these errors should be corrected. By examining the controls over these transactions, the
auditor can identify the reasons that the errors occurred. Then the auditor can recommend that
the weaknesses in the controls be corrected.
Hence, it is critical that the auditor examines controls not just transactions.

7.4.2 General standards for an internal control structure
INTOSAI describes five general standards that entity management and employees should
follow:
• Reasonable assurance. Internal control structures are to provide reasonable assurance that
the general objectives of the entity will be accomplished.
• Supportive attitude. Managers and employees are to maintain and demonstrate a positive
and supportive attitude toward internal controls at all times.
• Integrity and competence. Managers and employees are to have personal and professional
integrity and are to maintain a level of competence that allows them to understand the
importance of developing, implementing and maintaining good internal controls, and to
accomplish the general objectives noted in paragraph 7.4.1.
• Control objectives. Specific control objectives are to be identified or developed for each
activity of the organisation and are to be appropriate, comprehensive, reasonable, and
integrated into the overall organisational objectives.
• Monitoring controls. Managers are to continually monitor their operations and take
prompt, responsive action on all findings of irregular, uneconomical, inefficient, and
ineffective operations.
7.4.3 Detailed standards for an internal control structure
In addition, INTOSAI describes six detailed standards that entity management and employees
should follow:
• Documentation. The internal control structure and all transactions and significant events
are to be clearly documented, and the documentation is to be readily available for
examination.
• Prompt and proper recording of transactions and events. Transactions and significant
events should be promptly recorded and properly classified.
• Authorisation and execution of transactions and events. Transactions and significant
events are authorised and executed only by persons acting within the scope of their
authority.
• Separation o f duties. Key duties and responsibilities in authorising, processing, recording,
and reviewing transactions and events should be separated among individuals.
• Supervision. Competent supervision is to be provided to ensure that internal control
objectives are achieved.
• Access to and accountability fo r resources and records. Access to resources and records is
to be limited to authorised individuals who are accountable for their custody or use. To
ensure accountability, the resources are to be periodically compared with the recorded
amounts to determine whether the two agree. The asset's vulnerability should determine
the frequency of the comparison.
The extent to which these standards can be met depends to some degree on the nature of the
entity. Small organisations are not always in a position to maintain comprehensive separation
of duties. The auditor should take such matters into account when assessing the sufficiency of
the internal control structure.

7.4.4 Responsibility for maintaining internal controls
Entity management is responsible for ensuring that a proper internal control structure is
instituted, reviewed, and updated to keep it effective.
It is then the responsibility of everyone in the entity to ensure that the internal control structure
functions as it should.
In addition, the Controller General of Accounts has some responsibility for maintaining an
environment which promotes adequate internal control. Section 5(d) of the Controller General
Ordinance states that one of the functions of the Controller General shall be “to lay down the
principles governing the internal financial control fo r Government departments in
consultation with the Ministry o f Finance and the Provincial Finance departments as the case
may be ”.
7.4.5 The Elements of Control
There are five basic elements that make up a control structure:

• Control environment;
• Risk assessment;
• Control activities;
• Information and communication; and
• Monitoring.
Control environment. The control environment sets the tone for an organisation, influencing
the control consciousness of the staff. It relates to:
• Management’s philosophy and operating style, including the specific way in which staff
are supervised and controlled;
• The organisation structure;
• Methods of assigning authority and responsibility;
• Human resource policies and practices;
• Management’s and staff s integrity and ethical values;
• Management’s and staff s commitment to competence;
• Management’s reaction to change and outside influences; and
• Existence of an internal audit unit.
Risk assessment. Risk assessment is the identification and analysis of relevant risks to the
achievement of objectives. Management needs to identify these risks in order to know the
areas in which the internal control structure needs to be particularly strong. Conversely, risk
assessment may indicate areas where risks are low, and therefore where the entity does not
need to design elaborate internal control structures.
Control activities. Control activities are the policies and procedures that help ensure
management directives are carried out. They help ensure that necessary actions are taken to
address the identified risks.

Control activities occur throughout the organisation, at all levels and in all functions. They
include a range of activities such as:
• Proper authorisation of transactions and activities;
• Physical control over assets and records;
• Independent checks on performance; and
• Adequate segregation of duties.
Information and communication. Pertinent information must be identified, captured and

communicated in a form that enables people to carry out their responsibilities.
To have pertinent information for accounting purposes, the entity needs to have adequate
documents and records. It also needs to have prompt and proper recording of transactions and
activities. This, in turn, requires a good accounting system, and a good system of
communication within the organisation and with customers, suppliers, and other government
entities.
Monitoring. Monitoring by management involves the ongoing and periodic assessment of

internal control performance to determine if controls are operating as intended, and are
modified when needed. Summary information should be monitored and spot checks made on
the quality and timeliness of the information on selected transactions.
7.4.6 The role of internal audit
Internal audit is in itself an internal control. It acts as an independent check on performance. It

can be very effective in helping management fulfil its monitoring role.
To be most effective, internal audit must not become part of the operational controls. The
internal audit unit should not be performing checks on an ongoing basis. It should audit and
review after the fact, or as a separate, independent and additional check, to ensure that the
management and staff have been carrying out their duties properly.
7.4.7 Categories of Controls
Controls can take different forms and serve different purposes. Different ways of categorising
controls are:
• Input vs. output;
• Independent vs. interrelated;
• Manual vs. electronic;
• General vs. application;
• Documented vs. undocumented;
• Preventive vs. detective; and
• Compensating.
Input vs. output
Input controls are controls over the initial input of data. They include password controls to
prevent unauthorised personnel from inputting transactions. Output controls are controls over

the output from systems. They include comparing cheques (output of payment system) to
supplier invoices and other supporting documentation, and reviewing printouts of cash
disbursements to ensure that all pre-numbered cheques have been recorded.
Independent vs. interrelated
A control may work on its own or may need to be part of a series of controls. For example, a
reconciliation may be a powerful control in its own right, but an input control will really only
be effective if the entity also has adequate controls over data processing and output.
M anual vs. electronic
Manual controls, given the fact that they are operated by staff, can be affected by human errors
of judgment, misinterpretation, carelessness, fatigue, and distractions.
In contrast, electronic controls are built into computer programmes and, assuming that the
systems are properly designed, installed and tested, are inherently more reliable. Any
problems with the software, however, might be difficult to detect and often expensive to
correct.
General vs. application
General controls are applicable to the accounting system as a whole, such as passwords
restricting access to a computer network. Application controls relate specifically to a particular
processing function to ensure transactions are authorised, complete and accurate.
Documented vs. undocumented
Documented controls result in evidence that the control has been performed (e.g., signatures
and initials). Undocumented controls are controls where there is no evidence that the control
has been performed. These would include, for example, many electronic controls where there
is no evidence that the appropriate person approved the transaction. The existence of these
controls can often be established through observation, inquiry and testing/replication.
Another example is when management and staff of an entity follow sound control principles
based on experience. Sound controls may be in place but not documented. This presents a
control exposure since the control procedures may be lost when staff turnover occurs.
Preventive vs. detective
Preventive controls prevent errors from occurring. Most data entry controls are preventive
controls. In contrast, detective controls detect errors that have occurred. Most output controls
and reconciliation controls are detective controls.
Preventive controls are usually less costly to use than detective controls. It is generally less
costly to prevent an error than it is to detect and correct it after the fact. It is possible, however,
to find systems that are so strict in preventing errors that a lot of valid data can be rejected
because of minor errors or missing data elements. This can cause serious delays and expense
in processing data.

Compensating controls
These are controls that detect errors that occur at earlier control points.
As a general rule, a control over output can act as a compensating control for a weak input
control. For example, a control to review the list of cash disbursements to ensure that there are
no missing cheque numbers can compensate for a weak control over the input of the
disbursements. Similarly, if a cheque is recorded for an incorrect amount, the error will show
up when the organisation performs the bank reconciliation. (This assumes that the cheque has
been cleared).
7.4.8 Limitations of internal control structures
Internal control can help an entity to:

• achieve its objectives;
• comply with laws and regulations;
• ensure reliable financial reporting; and
• prevent loss of resources.
No matter how well conceived and operated, an internal control structure can only provide
reasonable - not absolute - assurance to management regarding the achievement of its
objectives, etc. There are limitations inherent in all internal control structures. These include
the realities that judgments in decision-making can be faulty, and that breakdowns can occur
because of simple errors or mistakes.
Additionally, controls can be circumvented by the collusion of two or more people, and
management has the ability to override the system. In addition, the design of an internal
control structure must reflect the fact that there are resource constraints, and the benefits of
controls must be considered relative to their costs.
7.4.9 Multiple sub-entities and locations
In the case of government-wide audits there will be multiple ministries, departments, etc.
making up the reporting entity. Each of these may have multiple locations.
There is no requirement for the auditor to take the same approach with respect to each ministry
and so on. The auditor may decide to place no reliance on the internal control structure at
some Drawing and Disbursing Offices, but place a lot of reliance on some specific controls at
the District Accounts Offices. In this case:
• For the DDOs, the auditor would only need an overview level understanding of
controls and a general understanding of the systems to collect, record and process data
and report on the results.
• For the District Accounts Offices, the auditor would need a more detailed
understanding of the control environment and systems, to justify placing reliance on
them.

In terms of level of effort, the auditor should already have a good understanding of the internal
control structure through prior compliance with authority work. Where a given sub-entity is
small compared to the materiality amount, a deep level of understanding is not required.
7.4.10 Understanding and Examining Internal Controls
The auditor is expected to review the internal controls as part of the audit.
First, the auditor should review and document the systems and procedures in place to carry out
the transactions and other activities of the operations. Normally, a description of the major
systems and procedures should be maintained on the permanent audit file. In which case, the
auditor should review the description of the system and identify whether there have been any
changes to the system.
Next, the auditor should identify points in the accounting system, and in other systems being
audited, where he/she would expect to find controls.
Then the auditor should identify and document the controls at these points and determine that
the controls have been operating.
Finally, the auditor should assess the adequacy of the controls and conclude whether any
controls are missing or ineffective. The auditor should make recommendations to management
where, in the opinion of the auditor, the controls should be strengthened. These
recommendations should be based on an appreciation of the risk of reduced performance, loss,
damage or waste compared to the additional costs, if any, of implementing improved controls.
A Control Environment Worksheet is provided in the Standard Audit Working Paper Kit.
7.4.11 Documenting Our Understanding of Controls
The auditor should document the internal controls as part o f the audit. A clearly documented
description of the controls enhances the auditor’s ability to assess the controls. Also, the
documentation aids supervision of the audit and improves communications between members
of the team. The documentation should form part of the working papers and should be
included on the permanent file.
Methods of understanding the system and application of controls include:

• Narrative;
• Flowchart;
• Internal Control Questionnaire (ICQ); and
• Walk-through.
Narrative. This is a written description of an entity’s internal controls. Narrative of an

accounting system and related controls includes four characteristics:
• Information on the origin of every document and record in the system;
• Description of all processing that takes place;
• The disposition of every document and record in the system; and

• An indication of the controls relevant to the assessment of control risk - these typically
include separation of duties, authorisation and approvals and internal verification.
Flowchart. This is a time-consuming exercise and is generally applied only when the effort
can be justified, such as when there is some uncertainty about the processes or the complexity
and importance of the procedures indicate a need for clear representation.
The flowchart is a diagrammatic representation of the entity’s documents and their sequential
flow in the organisation and can be a valuable component of the working paper file. It includes
the same four characteristics identified above for narratives.
The advantages of a flowchart are that it:

• provides a concise overview of the entity’s system;
• helps identify inadequacies by showing how the system operates;
• shows clearly the separation of duties allowing the auditor to judge whether they are
adequate; and
• is easier to follow a diagram than to read a description.
Internal Control Questionnaire. The ICQ is a common tool of the auditor. It contains a series
of questions about the controls in each audit area. There is usually a pre-developed ICQ that
may, or may not be tailored for the particular area under examination by the auditor. It is
designed to require a “yes” or a “no” response, with a “no” response indicating potential
internal control deficiencies.
The advantage of using the ICQ is it allows the auditor to thoroughly cover each audit area
reasonably quickly at the beginning of the audit.
The disadvantages are:

• The individual parts of the entity’s systems are examined without providing an overall
view;
• A standard questionnaire may not apply to all audit entities; and
• There is a danger of taking a mechanical approach rather than thinking through the control
needs of the particular operations under examination.
Walk-Through (Cradle to Grave Test). The walk-through is conducted to confirm that the
system and controls are operating in accordance with the auditor’s understanding. It is used to
verify that identified controls have been put into operation.
To conduct a walk through test the auditor selects a few transactions (generally between 3 and
6), pertaining to each significant transaction cycle, and traces them through the cycle
beginning with initiation of the transaction, through processing until it is ultimately
summarised and included in a general ledger or management report.
The auditor should document the transactions selected for walk-through, the controls that were
observed and describe any enquiries made of client personnel.

7.5 Step 5 - Determine components
7.5.1 Definition
Auditors normally do not plan audits for the financial statements as a whole. Rather, they
divide the financial statements into parts and plan each part separately.
A component is a discrete item in the financial statements.
7.5.2 How to determine the components to be used
For a financial statement audit, the most logical way of dividing up the financial statements is
to consider each line item in the financial statements to be a separate component.
“Line items” are each of the amounts reported in the financial statements, including amounts
disclosed in the notes thereto.
Sometimes the financial statements include several different groupings of the same total
amount. For example, expenditures may be grouped by:
• Organizational units (the ministries, departments, agencies, etc. making up the reporting
entity)
• appropriation account;
• economic function (general public services, defence affairs and services, etc.); or
• object element (payroll expenditures, operating expenditures, civil works, etc.).
The auditor selects the grouping that makes it the easiest to plan, perform and evaluate the
audit work. The auditor will also perform some additional procedures to ensure that the
amounts reported in the other groupings are also presented fairly.
To illustrate, assume that the financial statements group expenditures by both ministry and by
object element. In this case, the auditor could either plan the audit of expenditures using each
ministry as a component, or using each object element as a component. If the auditor chooses
“object element”, the auditor would then plan the audit to obtain reasonable assurance that
payroll expenditures are not materially misstated, that operating expenditures are not
materially misstated, etc. The auditor would then develop additional audit procedures to
ensure that the total expenditures reported for each ministry are also not materially misstated.
For financial certification audits, it is unlikely that the financial statements will contain details
with respect to expenditures, etc. by district accounts officer or by drawing and disbursing
officer. However, DAGP may wish to extend the audit to include these organisational units as
components to be reviewed, based on DAGP’s assessment of their risk or significance.
For compliance audits, it might be decided that individual DAOs or DDOs should be subject
to review. This is at DAGP’s discretion and will be reflected in the individual audit plans.
7.5.3 Individually significant transactions and events
Individual significant transactions and events include:

• Very large transactions and events; and
• High risk transactions and events.

The auditor should audit 100% of these transactions and events.
Very large transactions and events are usually audited 100% because they are large enough
that, should they be in error, the error could be significant. The auditor therefore does not want
to risk failing to find an error in these transactions and events.
High risk transactions and events are those which, because of their nature, contain a high risk
of being in error. They are often audited 100% because, while the error in each one of these
transactions and events may not be significant, the high likely error rate in these transactions
and events could result in a significant error in total.
Very large transactions are normally easy to find - the auditor should look for transactions and
events exceeding a pre-determined amount.
High risk transactions can be more difficult to detect. The auditor should use his/her
knowledge of the entity’s business to identify these transactions and events.
These transactions and events are normally not treated as separate components. Rather, they
are audited as part of the work performed on other components. However, there may be some
cases where it is advantageous to consider them to be a separate component. This could occur
when the inherent risk or control risk associated with these transactions are significantly
different from the risks associated with the other transactions contained in the component.
7.5.4 Using sub-components
There may be cases where the inherent risk and control risk for part of a component are
significantly different than for the rest of a component. In these cases, the auditor may decide
to split the component into sub-components - the one(s) with the higher risks and the rest of
the component. Higher-risk sub-components will receive a higher level of audit examination
than lower risk ones.
Should the inherent risks or control risks for a particular DAO be significantly higher than for
other DAOs, and if the amounts involved are substantial, the auditor should consider breaking
out the single high risk office and planning its audit separately.
7.5.5 Related components and transaction cycles
Some components are related to other components. For example, an understatement of

expenditures may also result in an understatement of liabilities and/or an overstatement of
cash. Therefore, the audit of each of these components will provide the auditor with some
assurance as to the fairness of the related components. To avoid doing more work than
necessary, the auditor should take the assurance achieved from auditing the related
components into account.
One way to do this is to consider transaction cycles - the flow of the transactions. For
example, the purchase of a medical supply will result in a stock item that will either be in
expenses for the year or in the year-end stock balance. The purchase will also result in a cash
disbursement or a payable at year end.
The internal control questionnaire and audit programmes contained in the Standard Audit
Working Paper Kit and Audit Guides contain the “standard” components for the entities being

covered, and use a transaction cycle approach for the tests of internal control. It must be
stressed that the auditor needs to assess inherent risk and control risk for each component and
specific financial audit or compliance with authority objective, as opposed to each transaction
cycle and specific financial/compliance audit objective.
7.6 Step 6 - Determine financial audit and compliance with

authority objectives, and error/irregularity conditions
7.6.1 Specific financial audit objectives
Having divided the audit into components, the next step is to define what we mean by
“properly presents” in the audit certificate. To do so, the auditor needs to consider what
he/she would consider to be an error.
For a financial statement audit, a component is considered to be in error if:

• it is not valid (the asset or liability does not exist or the revenue or expenditure has not
occurred);
• the asset, liability, revenue or expenditure is not complete;
• the transactions have not been carried out in proper compliance with relevant laws,
regulations and administrative rules;
• the asset or liability is not properly valued or is misclassified, or the revenue or
expenditure is not properly measured or is misclassified; or
• the financial statement presentation is not proper.
The Standard Audit Working Paper Kit and Audit Guides make use of these specific financial
audit objectives.
To illustrate, payroll expenditures may be materially misstated if:

• the costs are not valid. This could be due to, among other things, ghost workers on the
payroll.
• the costs are not complete. For example, employees have not been paid, or the payments
have not been recorded.
• the costs are not properly measured. This could be due to paying employees more or less
than they should be paid, or the amounts being recorded being more or less than the actual
payments.
• the financial statement presentation is not proper. This could be due to the failure to
disclose all of the information called for in the New Accounting Model.
7.6.2 Related compliance with authority objectives
Reviewing compliance with laws and regulations is very important. Decision makers need to
know if the laws and regulations are being followed, whether they are having the desired
results and, if not, what revisions are necessary.
Section 3.4 of DAGP’s auditing standards states, “In conducting [financial] audits, a test
should be made o f compliance with applicable laws and regulations.”

To comply with this standard, the auditor need not test for compliance with all laws,
regulations, rules, policies, etc. As noted in paragraph 3.4.3 of DAGP’s auditing standards,
“Because the laws and regulations that may apply to a specific audit are often numerous, the
auditors need to exercise professional judgement in determining those laws and regulations
that might have a significant impact on the audit objectives.”
For financial audits, Section 3.4 of DAGP’s auditing standards requires the auditor to “design
audit steps and procedures to detect errors, irregularities, and illegal acts that could have a
direct and material effect on the financial statement amounts or the results o f regularity
audits. The auditor also should be aware o f the possibility o f illegal acts that could have an
indirect and material effect on the financial statements or results o f regularity audits.”
In deciding which laws and regulations should be examined as part of a financial audit, the
auditor should deal with those laws and regulations that might have a significant impact on the
financial audit objectives.
In addition to compliance audit work performed as part of a financial audit, DAGP also
conducts extensive compliance tests to identify deviations and validate controls at
organisational units across the Government of Pakistan.
Departments, ministries, etc. are not permitted to spend, borrow or raise revenue without the
approval of Parliament. Therefore, audits of compliance with authority should focus on
compliance with authority to spend, borrow and raise revenue, as follows:
Spend
Determine that:
• the services were actually performed or the goods were actually received;
• the expenditure is consistent with the nature of the appropriation to which it was charged;
• the expenditure does not result in the total approved expenditure being exceeded; and,
• the expenditure is in accordance with the applicable legislation and the rules and
regulations issued by such legislation have been complied with.
Borrow
• Determine that the amount and debt terms (period, interest rates, repayment schedule, etc.)
are in accordance with the appropriate law.
Raise revenue
Determine that the cash received is:
• for an approved tax or other approved revenue source; and,
• is received in accordance with the applicable legislation and the rules and regulations
issued by such legislation have been complied with.

The compliance with the authorities tests noted above apply to organisational, functional or
accounting units for different types of government body as follows:
Federal and provincial governments. All the authorities described in the preceding section
would usually be considered part of the audit of federal and provincial governments.
District governments. District governments are not permitted to borrow. Therefore only
authorities to spend and to raise revenues would normally be considered part of the audit of a
district.
State-owned enterprises. These enterprises are usually created by separate acts. These acts and
the supporting regulations usually specify the operations that the enterprise is permitted to
carry out. Compliance with the spending, borrowing and revenue-raising authorities in these
acts and regulations is therefore usually the principal focus of the compliance with authority
work for these audits.
7.6.3 Potential Error conditions
The last part to this step is to consider error conditions. The idea here is to consider ways in
which an asset, liability, revenue or expenditure item might not be valid, might not be
complete, etc. Put another way, the auditor’s objective is to identify ways in which a monetary
error can occur in the financial statements, or an applicable authority may not be complied
with.
There are probably numerous reasons why a component might not be valid, might not be
complete, etc. However the chance of some of them occurring might be negligible. Similarly,
the maximum possible error that could result from some of them might be insignificant. The
auditor’s objective is to identify the errors that have a real chance of occurring, and that could
be relatively large in relation to the materiality amount. For this reason, error conditions are
sometimes referred to as “potentially big errors”.
Note that conditions that constitute an error will be affected by the accounting policies being
used. For example, if the accounting policies do not call for the recording of accounts payable,
then the failure to record a payable would not constitute an error. However, there should be a
system to track unsettled payables in the form of commitments against appropriations.
The process of determining which error conditions or compliance deviations should be audited
will help to ensure that the audit plan is complete. The process will also help to ensure that the
audit plan does not include unnecessary work. The process therefore helps to ensure that
auditors spend their time dealing with matters of real importance, and do not waste their time
on insignificant matters.
For example, consider the component “payroll expenditures”.
For the completeness of payroll expenditures, the auditor considers how payroll expenditure
figures might not be complete and may identify the following three error conditions:
• Services performed have not been paid for;
• Payments made have not been recorded in the payroll register; and
• The amounts in the payroll register have not been included in the financial statement
amounts.

In addition, the auditor needs to consider whether there are any related compliance with
authority objectives. In this case, because compliance objectives relate to controlling what has
been spent, as opposed to ensuring that the spending is complete, there are no related
compliance objectives.
Consider the validity and measurement objectives for payroll expenditure. The auditor may
identify four additional error conditions, as follows:
• Services paid for were not performed (because, for example, there are ghost workers on
the payroll);
• Employees have been paid more or less than they should be paid;
• Payroll expenditures are recorded in the Payroll Register at the wrong amount;
• Payroll expenditures have been charged to an incorrect account or appropriation; and
• Amounts in the payroll register have not been included in the financial statements at the
correct amount.
In this case, the auditor may also identify the following compliance with authority matters:
• The work being performed was not properly approved;
• Pay rates/employee levels were not properly approved in accordance with regulations; and
• The payments were not properly approved.
The same approach can be applied to receipts. For example, for the completeness o f income
tax receipts, the auditor may identify three error conditions, as follows:
• Income tax receipts are not deposited in the bank;
• Income tax receipts are not recorded in the cash receipts register; and
• The amounts in the cash receipts register are not included in the financial statement
amounts.
In addition, the auditor needs to consider whether there are any related compliance with
authority objectives. In this case, there probably is one - that the receipts were deposited
within the time period required by government policy.
For the validity and measurement objectives for income tax receipts, the auditor may identify
two other error conditions, as follows:
• The income tax receipts are being charged to an incorrect account; and
• The amounts in the cash receipts register are not included in the financial statements at the
correct amount.
In addition, the auditor may also identify one compliance with authority matter - the
government did not remit any overpayments by the taxpayer back to the taxpayer on a timely
basis.

7.6.4 How error conditions and compliance irregularities are used to
develop audit programmes
The error conditions/compliance deviations provide the auditor with guidance as to which
audit procedures should be included in the audit programme. Using the errors/irregularities
identified above, for regularity and measurement of payroll expenditures for example, the
auditor can develop audit procedures to determine if:
• Services paid for were actually performed;
• Employees were paid correct amounts;
• Payments are being recorded in the payroll register at the correct amount
• Payments are recorded in the correct account and appropriation at the correct amount;
• Amounts in the payroll register are included in the financial statements at the correct
amount;
• The work performed was properly approved;
• Payments made were properly approved.
Similarly for the regularity and measurement of income tax receipts the auditor could develop
procedures to determine if:
• Receipts are posted to the correct account;

• Amounts in cash receipts register are included in the financial statements at the correct
amount;
• Government is remitting overpayments back to taxpayers on a timely basis.
7.7 Step 7 - Assess inherent risk and control risk

Inherent risk and control risk may differ by component and audit/compliance objective. As a
result, the auditor may have a large number of different inherent and control risk valuations to
deal with.
It is tempting to combine different risks by using a weighted approach. However, this

approach is not recommended as it fails to meet the standards for generally accepted auditing
standards.
7.7.1 Inherent risk
Inherent risk is the chance of material error occurring assuming that there are no internal
controls in place. “Material error” may be one error or the sum of multiple smaller errors.
Inherent risk is evaluated at this stage to determine how much testing of internal controls and
substantive testing (analytical procedures and substantive tests of details) the auditor needs to
perform to achieve the desired level of assurance. In general, the greater the inherent risk, the
greater the audit effort required.
Inherent risk is assessed assuming that there are no internal controls in place. As such, it is
assessed in a hypothetical environment.

Factors affecting inherent risk include:
The nature o f the component. Components such as cash are more susceptible to
manipulation or loss than, say, fixed assets.
The extent to which the items making up the component are similar in size and
composition. If the population is composed of relatively homogeneous items, it would be
easier for management (and the auditor) to detect anomalous transactions and amounts.
The volume o f activity. If there are a lot of transactions being processed, the chances of an
error occurring may be higher than if only a few transactions are being processed.
Competence o f the staff processing the transactions. If staff are experienced and take their
jobs seriously, there is probably a lower inherent risk than if they are inexperienced or
careless.
The number o f locations. Entities operating out of a single location with a centralised
accounting system may have a lower inherent risk than those operating out of many
locations, each with its own accounting system.
The accounting policies being used. Many components have a lower risk of error when the
cash basis of accounting is being used than when the accrual basis of accounting is being
used.
Factors that could affect the risk o f fraud. An error could be an intentional one. The
auditor should use a questioning mind and be alert for evidence that contradicts or brings
into question the reliability of documents or management’s representations.
It can be seen from the above that evaluation of inherent risk is based primarily on the
auditor’s knowledge of the entity and its environment. This knowledge would have been
acquired primarily in Step 2 of the process - updating the understanding of the entity’s
business.
The assessment of inherent risk will be subjective, and will require the use of professional
judgment. It would therefore be appropriate to have the most experienced and knowledgeable
individuals on the audit team make the assessment of inherent risk. These should be the
individuals with the greatest knowledge of the entity being audited.
Inherent risk may differ by component and by specific financial audit objective. For example,
the risk of cash being improperly valued is low, but the risk of cash not being complete may
be quite high.
Inherent risk needs to be assessed throughout the audit. For example, if inherent risk is
assessed as “low” at the general planning phase but numerous errors are found during the
fieldwork phase, then the assessment of inherent risk may need to be revised.

While guidelines should not replace the use of professional judgment, the following may be
useful when assessing inherent risk:
Resulting
Level of Inherent Risk Risk Assurance
High inherent risk 60% 40%
Moderate inherent risk 50% 50%
Low inherent risk 40% 60%
Risk assessment is a matter for DAGP and will reflect ground realities within the entity being
audited. It is recommended that a conservative approach be considered until DAGP gains
experience with this methodology, to recognise the danger of using an incorrectly low risk
factor. Assume the auditor sets inherent risk at a low 20%. At this level, the auditor could
eliminate all or most substantive sampling, and little work would be required on the
component. Given this low level of planned effort, if there are significant monetary errors or
compliance irregularities they are likely not to be detected, and in the worst case, the auditor
might issue an unqualified report when there were actually material errors present.
Accordingly, an inherent risk factor of not less than 40% is recommended unless there is
convincing evidence such as prior compliance with authority audit work that detected a high
level of compliance or few monetary errors.
The Standard Audit Working Paper Kit includes an Inherent Risk Assessment Form that can
be used to assess inherent risk.
7.7.2 Control risk
Control risk is the chance that the entity’s internal controls will not prevent or detect material
error and is directly related to the effectiveness of the internal control structure.
Control risk is evaluated at this stage as it establishes a limit on the amount of assurance that
the auditor can obtain from tests of internal control.
Much of the work required to assess control risk would have been performed as part of
updating the understanding of the entity’s internal control structure.
Control risk is also affected by the factors that could affect the risk of fraud - particularly
management fraud. This is because management can often override the internal controls that
have been put in place. As discussed above, the auditor needs to use a questioning mind and
stay alert for evidence that contradicts or brings into question the reliability of documents or
management’s representations.
Control risk may differ by component and by specific audit objective and related compliance
with authority objective. For example, entity management may have devised very good
controls over the payment process to ensure the validity and measurement of expenditures, but
may have paid less attention to the completeness of those expenditures.

In general, the control environment and the controls that collect, record, process and report
often have a pervasive effect on many components, financial audit objectives and related
compliance with authority objectives. The controls that enhance reliability are the ones that are
most likely to differ by component and by specific audit objective.
Control risk needs to be assessed throughout the audit. For example, if control risk is assessed
as “low” at the general planning phase but numerous internal control deviations (improperly
approved supplier invoices, for example) are found during the fieldwork phase, then the
assessment of control risk may need to be revised.
While guidelines should not replace the use of professional judgment, the following may be
useful when assessing control risk:
Resulting
Level of Control Risk Risk Assurance
High (poor internal controls) 80% Up to 20%
Moderate (moderate internal controls) 50% Up to 50%
Low (strong internal controls) 20% Up to 80%
The reason for presenting “Resulting Assurance” as an amount “up to” a percentage limit is
that, unlike inherent assurance, control assurance must be earned. The auditor should not rely
on the internal controls unless tests demonstrate that the controls are not only in place, but are
also working.
To illustrate, the auditor may have concluded that the internal controls over the validity and
measurement of payroll expenditures were moderate. The auditor may therefore have assessed
control risk as “moderate” (50%). This means that, for this component and these specific
financial audit objectives, the auditor can place moderate reliance (50%) on the internal
control structure.
To place moderate reliance on the internal controls the auditor must do a fair amount of testing
of internal controls. The auditor may decide that it is more efficient to place only limited
reliance on the internal control structure and instead do extensive analytical procedures and
use a large sample for substantive tests. In this case, even though the auditor may have been
able to obtain a control assurance of 50%, the auditor may decide to do only enough tests of
internal control to support a 20% level of assurance. The auditor would then set control risk at
80%.
It has been noted that control risk is assessed at this stage as it limits the amount of assurance
the auditor can obtain from his/her tests of internal control. Assume that, in the above
illustration, the auditor wants to place a lot of reliance on the internal control structure.
Because control risk was assessed at 50%, it is not possible for the auditor to obtain more than
a moderate level of assurance from the internal controls.
Put more simply, it is not possible to place a lot of reliance on a poor internal control structure.
To provide some practical guidance, consider the following questions:

Question 1:
Should the control environment in all DDOs be documented, or should only the controlling
offices be taken into account?
Answer:
This answer refers back to a basic auditing concept - the auditor should document and test any
controls on which reliance is to be placed. Therefore, any controls, in any DDOs, on which
the auditor intends to rely should be documented.
Question 2:
If the controls in one department are not reliable, should it affect the auditors view of the
overall control environment?
Answer:
If the controls in one department are not reliable, but in other departments they are, the auditor
can assess control risk as “high” where they are not reliable, and “low” in the other
departments. The auditor should not attempt to come up with an “average” risk assessment.
Question 3:
What would be the relative weightings of authorisation and accounting controls? That is to
say, how would the auditor’s assessment be affected if the authorisation controls are working
and the accounting controls fail more often than not?
Answer:
As for the response to Question 2, the auditor should not attempt to derive an aggregate risk
assessment. In this case, the auditor may decide to rely on the authorisation controls, but
cannot rely on the accounting controls.
Since the auditor would need to take a substantive approach with respect to transactions
flowing through the system because of the poor accounting controls, relying on the
authorisation controls would not likely reduce the amount of the required substantive testing.
Therefore, the most cost effective approach would likely be to assess control risk for the
particular transaction cycle as high and audit accordingly.
Question 4:
What aggregation and consolidation mechanism should be used to develop an overall

assessment of the control environment prevailing in the Federal Government.
Answer:
Because the Federal Government is made up of many sub-entities, each of which has its own
risk profile, it is not appropriate to try to derive an aggregate risk assessment. Separate control
risk assessments are made for each financial audit and compliance with authority audit
objective for each component, within each sub-entity.

Question 5:
Suppose in all but two of the sub-offices of a ministry, controls can be relied on, but they
cannot be relied upon for the remaining two sub-offices. Suppose also that the control
environment in the DDOs is poor. How should the auditor proceed?
Answer:
The auditor could assess control risk as “low” in all but the two sub-offices and plan to rely on
the related controls, while not relying on controls in the “high” risk sub-offices. Since the
control environment in the DDOs is poor, the auditor may be forced to a substantive approach
with respect to the transactions flowing through the system. Relying on the controls in the
sub-offices may therefore not reduce the amount of required substantive testing. If that is the
case, the most cost effective approach would probably be to assess control risk for the
particular transaction cycle as high.
Question 6:
If the auditor does not aggregate the risk assessments of individual sub-entities, components
and objectives, won’t the auditor end up with hundreds of different assessments of control
risk? And won’t it take an auditor considerable time to come up with all those different
assessments?
Answer:
Theoretically, it is possible that the auditor will end up with hundreds of different assessments
of control risk. However, in practice this is not generally the case and the auditor often winds
up taking approximately the same approach for many different components, specific financial
audit objectives and related compliance with authority objectives. There are several reasons
for this:
The control environment often applies quite widely across components in each sub
entity. As a result, if it is possible to place a lot of reliance on the internal controls for
one component, it is normally possible to place a lot of reliance on internal controls for
many of the other components in the same sub-entity.
Also, as noted previously, components may be inter-related. For example, an

understatement of cost of sales may also result in an overstatement of the year-end
stock balance and/or an understatement of the year-end accounts payable balance
and/or an overstatement of cash. One particular audit procedure, such as testing the
validity and measurement of cost of sales, may also provide assurance as to the
validity and valuation of the year-end stock and accounts payable balances. It therefore
often makes sense to use approximately the same sources of assurance for these related
components.
Regarding the amount of time required to perform multiple assessments, it is true that the level
of effort will be greatest when first assessing each control risk. Once the various controls have
been assessed, the auditor would only need to consider the impact of changes in the nature of
the entity, the results of the previous year’s audit, and so on, as opposed to repeating the entire
exercise from scratch.

Recognising the challenge of establishing initial risk assessments across large audit entities, it
is suggested that DAGP consider a phased approach to risk assessments, and accepts that
audits for the initial years will not cover all aspects of risk assessment because of resource and
time constraints. This is not intended to provide a justification for weak execution of audit
procedures, but recognises that it may take a number of audit cycles for rigorous audit
procedures to be applied across all aspects of each audit. It is suggested that DAGP strategic
audit plans for the first few years of implementing these new audit procedures should
accommodate this phased approach.
The Standard Audit Working Paper Kit contains a Control Risk Assessment Form that can be
used to assess control risk.
7.8 Step 8 - Determine mix of tests of internal controls,

analytical procedures and substantive tests of details
7.8.1 Introduction
Financial audit procedures are usually broken down between tests of internal control and
substantive tests supplemented with compliance with authority tests. DAGP also conducts
audit activities which focus exclusively on compliance with authority testing.
Tests of internal control are used to gain assurance that specific controls within the entity’s
internal control structure are operating effectively, and are therefore helping to reduce the
chance of material error existing in the accounting information.
Substantive tests are procedures used to gain direct assurance as to the completeness and
accuracy of the data produced by the accounting systems. They are often broken down
between analytical procedures and substantive tests of details.
Audit procedures that provide both assurance with respect to internal controls and substantive
assurance are often referred to as “dual purpose” tests.
Compliance with authority procedures are used to determine whether entity staff have fulfilled
the administrative requirements of all applicable rules, regulations and legislation.
7.8.2 Tests of internal control
Tests of internal control include:

• Inquiries of appropriate entity personnel;
• Observation of policies and procedures in use;
• Walk-through procedures; and
• Selecting a sample of transactions and verifying that the appropriate control procedures
were followed.
The first three procedures are the same as were used to update the understanding of the
internal control structure. The work done at that stage will have already provided some
assurance with respect to the internal control structure.
With respect to sampling, if the auditor wishes to place high reliance on a specific internal
control, it is normally necessary to test the control throughout the entire year. If, on the other

hand, the auditor only wishes to place moderate reliance on the control, it may be sufficient to
select a sample of transactions to an interim date (say, the first 8 months of the year), and then
to use inquiries, observations and walk-through procedures to ensure that there have been no
changes made to the internal control structure between the interim date and the year-end date.
If the auditor only wishes to obtain limited reliance on a particular internal control, then
sampling is often not required at all -inquiries, observations and walk-through procedures may
provide all of the required assurance.
GAAS do not permit the auditor to obtain all of his/her assurance through tests of internal
control - some substantive testing must always be performed. This is because the ability of the
internal control structure to prevent or detect material error is subject to practical limitations,
such as:
• Members of management may be in a position to override specific internal controls.
• Collusion can circumvent internal controls that depend on good segregation of duties to be
effective.
• Inexperienced entity officials may not perform their control procedures properly. There is
always a possibility of human error.
• Internal controls are often designed to address transactions arising from the normal course
of the entity’s activities. They may not cover transactions of an unusual nature, or arising
from new activities.
• Management may not be prepared to devote the resources that would be required to
prevent or detect all errors. Rather, management normally requires that the internal
controls be cost-effective. This means that the benefits of having the controls must exceed
their costs.
7.8.3 Analytical procedures
Analytical procedures are techniques used by the auditor to:

• Form expectations as to what the recorded amounts should be by studying the
relationships among elements of financial and non-financial information;
• Compare those expectations with the recorded amounts; and,
• Draw conclusions about entity operations, inherent risk and control risk, and the
completeness and accuracy of the recorded amount.
Analytical procedures are an efficient and effective way to obtain audit assurance. As a result,
they should be performed on every audit.
Analytical procedures may be used in all phases of the audit to achieve various objectives, for
example:
Planning phase:
• To obtain knowledge of the entity’s business operations;
• To identify unusual items and explore areas of potential high inherent risk; and
• To obtain some degree of audit assurance.
Fieldwork phase:
• To obtain the planned degree of audit assurance.

Evaluation phase:
• To assess the internal consistency and overall reasonableness of the financial
statements using the auditor's knowledge of the entity; and
• To obtain some degree of audit assurance.
The auditor can derive various levels of assurance from analytical procedures depending on
how rigorously the analytical procedures are designed and performed.
There are several different types of analytical procedures, as follows:

General reviews for reasonableness.
These analytical procedures involve a high level comparison of current information with
previous periods, budgets or statistics from the entity. No pre-determined threshold amount is
specified for identifying significant fluctuations. The process is sometimes referred to as
“eyeballing” the financial statements - looking for accounts that appear to be unusual in
amount, in volume of activity, etc. The objective of this type of analysis is generally to decide
where to focus audit attention.
Comparative analysis.
This involves comparing the current year's reported amounts (or ratios) with those of the prior
years. Comparative analysis assumes that the prior year's amount is a sufficiently accurate
estimate of the current year's amount and, therefore, can be used to identify any significant
fluctuations from the current year's recorded amount. A pre-determined threshold amount is
specified for identifying significant fluctuations.
Predictive analysis.
Predictive analysis compares the current year's reported amounts (or ratios) with a prediction
of what the current year's amount (or ratio) should be, based upon the trend of the prior years’
amounts (or ratios). The prior years’ data used in making the prediction is adjusted for all
known changes in the factors affecting the data. This usually results in a more precise estimate
than comparative analysis. A pre-determined threshold amount is specified for identifying
significant fluctuations.
Statistical analysis.
This category of analytical procedures involves analysing the known behaviour of variables
and developing an equation (model) that explains the relationship between these variables.
Although this category is similar to "predictive analysis", the distinguishing characteristics of
statistical analysis is that it uses more rigorous methods, such as regression analysis, to
provide more accurate predictions and objectively measures the confidence level and the
achieved level of precision.
Overall verification procedures.
This category of analytical procedures involves building up an estimate of an account balance
from known and verified data. For example, the auditor could verify the number of rental units
by type of unit, the average rent by type of unit, and the vacancy rate. The auditor could then
compare the product to the revenue received from the rents. Overall verification procedures
usually result in an accurate estimate of the account. A pre-determined threshold amount is
specified for identifying significant fluctuations for the auditor to investigate.
Care is required with this type of analysis. The auditor must not assume that the data are more
accurate than the financial information. For example, the actual vacancy rate may be lower
than the recorded vacancy rate, with the difference being due to fraud. Thus the analytical

data might substantiate the financial data, while income being received is less than income
due. The auditor should therefore test whether sources of information are independent or
might be subject to the same potential errors.
Appendix B discusses each of these types of analytical procedures in detail. The discussion
includes a description of how the auditor normally determines the pre-determined threshold
amount.
The following table provides guidance as to the amount of assurance that each category of
analytical procedure can provide. While guidelines should not replace the use of professional
judgment, the following is typical:
Type of Analytical Procedure Risk Assurance
Overall reviews for reasonableness 100% 0%
Comparative analysis 70% or more Up to 30%
Predictive analysis 50% or more Up to 50%
Statistical analysis 30% or more Up to 70%
Overall verification procedures 10% or more Up to 90%
The Standard Audit Working Paper Kit contains an Analytical Procedures Assessment Form
that can be used to assess the amount of assurance that the auditor can derive from the
different categories of analytical procedures.
Appendix B also discusses the fact that computer-assisted auditing techniques (CAATs) are a
very useful tool for performing analytical procedures. With the use of a CAAT, the auditor can
perform numerous analyses instantaneously. If performed manually, the equivalent work could
consume extensive audit effort.
CAATs are discussed in more detail in Appendix C.
7.8.4 Substantive tests of details
Substantive tests of details include such procedures as physically inspecting an asset, checking
transactions recorded in the books and records to supporting documentation, and confirming
amounts with third parties.
The auditor usually tests a sample of transactions as opposed to verifying 100% of them.
Appendix B contains a detailed description of sampling.
Substantive tests of details can involve more than sampling. There are often specific
transactions and events that the auditor wants to examine. These could be:
• Very large transactions and events; or
• High risk transactions and events.

These transactions and events are often referred to as “individually significant transactions and
events”. They are often audited 100% because they are large enough that, should they be in
error, the error could be significant. The auditor therefore does not want to risk failing to find
an error in these transactions or events.
Auditors often audit 100% of the individually significant transactions and events, and audit a
sample of the remaining transactions.
7.8.5 Compliance with authority tests
The first step for the auditor is to work with entity management to identify the rules and
regulations that apply to the entity. O f these, the auditor will determine which authorities are
most significant and will design tests to check compliance. The auditor will also determine
what sampling approach is appropriate. Sampling is discussed at length in Appendix B.
The auditor will then plan to extract the samples as determined, and apply the compliance
tests.
7.8.6 The audit risk model
The audit risk model is a useful way to tie together all of the various sources of audit
assurance.
The basic theory behind the audit risk model is that, for errors adding up to more than
materiality to remain in the accounts at the end of the audit (audit risk - AR), all of the
following must have happened:
• The errors must have occurred in first place (inherent risk - IR);
• The internal controls must have failed to prevent or detect the errors (control risk - CR);
and
• The auditor’s substantive procedures (analytical procedures and substantive tests of
details) must have failed to detect the errors (detection risk - DR).
Basic probability theory states that, if two events are mutually exclusive (the occurrence of
one is not affected by the occurrence or non-occurrence of the other), then the probability of
both events occurring is the probability of the first event occurring times the probability of the
second event occurring.
All of the events in paragraph, as defined, are mutually exclusive, and all must occur before
errors adding up to more than materiality remain in the accounts at the end of the audit. We
therefore have the following formula:
AR = IR x CR x DR; where:
AR = Audit risk;
IR = Inherent risk;
CR = Control risk (achieved); and
DR = Detection risk.
The reason for qualifying the control risk as being “achieved” is because the auditor needs to
validate his/her control assurance. What goes in the risk model is the converse of the achieved
assurance.

The audit risk model is often expanded upon to split detection risk (DR) into two parts. This is
done for two reasons:
1. Analytical procedures are often effective and efficient at obtaining audit assurance. As
a result, they should normally be performed on every audit. The assurance to be
achieved from these procedures needs to be reflected in the risk model;
2. The auditor often performs more than one substantive test of detail to obtain the
required assurance with respect to each specific financial audit objective and related
compliance with authority objective. To link the risk model to the confidence level to
be used for one key substantive test of details, these other substantive tests of details
need to be considered separately.
It is done as follows:
AR = IR x CR x DR
IR x CR x OSPR x STDR; where:
AR = Audit risk;
IR = Inherent risk;
CR = Control risk (achieved);
OSPR = Other substantive procedures risk, being the
risk that the auditor’s analytical procedures,
and all substantive tests of details expect one
key substantive test of details, will fail to detect
material error; and
STDR = Substantive test of details risk, being the risk
that one key substantive test of details will fail
to detect material error.
The reason for splitting out one key substantive test of details in this manner is that the
formula can be rearranged as follows:
STDR = AR .
IR x CR x OSPR
The resulting STDR is the converse of the confidence level that the auditor will use for his/her
substantive sample. For example, if STDR is determined to be 15%, the auditor will use an
85% confidence level for his/her sampling procedures.
7.8.7 Considering the assurance achievable from each audit step
Auditors are not required to develop the detailed audit programmes during the Planning Phase.
However, the auditor should give some consideration to the types of procedures, and the
assurance that can be derived from each procedure, in order to make a reasonable
determination of the optimum combination of sources of audit assurance.
The amount of assurance that can be derived from each procedure depends on the nature of the
test and the evidence that will be collected. The auditor should have a sound understanding of:
• The nature of evidence;
• What constitutes appropriate quality and quantity of evidence; and
• The most appropriate methods of collecting evidence.

7.8.8 Considering staffing, budgeting and timing of the audit
The staffing, budgeting and timing of the audit are all matters to be dealt with in detail at the
detailed planning stage. They are discussed in detail in Chapter 8.
However, the auditor should give these matters some consideration during the general
planning phase. There is no point coming up with an optimum combination of tests of internal
control, analytical procedures and substantive tests of details unless adequate time or resources
are available.
Staffing. Unless an audit is appropriately staffed, the benefits of good audit planning can be
lost. Persons involved in the general planning phase need to make sure that there are staff
members available who have the audit skills required to perform the work efficiently and
effectively.
For example, the auditor may determine that the most efficient audit approach would be to
place high reliance on internal controls and to use regression analysis. However, unless the
audit can be staffed with people capable of doing a detailed evaluation of an internal control
structure and using a regression analysis software package, this approach is not practicable.
Budgeting the work. DAGP has finite resources, so it is important to estimate the time required
to perform the audit under each combination of tests.
Each financial audit will require a minimum amount of resources. DAGP needs to ensure that
the required resources are allocated. Since the resources required for compliance with
authority work can be more flexible than those required for financial certification, the Director
may have some scope for reallocating resources in response to certification audit demands.
Timing o f the work. Most government entities have the same year-end date (30 June). To keep
audit staff busy throughout the year, and complete the audit of the financial statements on a
timely basis after the year-end date, it is often appropriate to perform some of the work in
advance of the year-end date. This should be taken into account when scheduling audit
activities.
Supporting software. Audit management software can be used to assist in the staffing,
budgeting and timing of the audit work.
7.8.9 Re-assessing the general planning decisions for individual audits
Before completing the general planning phase, the auditor should consider whether decisions
made in later steps in the phase indicate that changes are needed to decisions made earlier in
the phase. For example, the assessment of inherent risk and control risk may result in the
auditor re-estimating the amount required for the expected aggregate error. Similarly, staffing
and timing issues may affect the auditor’s ability to use the optimum mix of tests of internal
control, analytical procedures and substantive tests of details.
In addition, audits cannot be planned in isolation. Each audit directorate needs to consider how
best to utilise all of its staff members on all of its audits in the most efficient and effective
manner. Planning decisions should also be re-assessed in later stages of the audit.

7.9 Reliance on other auditors
A key factor to consider in the general planning phase is the extent to which the auditor can
rely on the work of internal auditors.
Reliance on internal auditors can affect the work required to update the understanding of the
internal control structure. It will also likely affect the assessment of control risk.
In addition, the ability to rely on internal auditors will likely affect the optimum mix of tests of
internal control, analytical procedures and substantive tests of details.
7.9.1 Internal auditors
Internal auditors have an independent appraisal function within their organisations. As such,
they are part of the entity’s internal control structure.
In general, the relationship between DAGP and the internal audit community should be one of
cooperation and professional reliance. Coordination of work can ensure adequate audit
coverage, while at the same time minimising duplicate efforts.
The coordination and cooperation between DAGP and each internal audit organisation can be
enhanced by:
• DAGP and the internal audit unit coordinating their audit effort, which in turn requires
each:
• To have knowledge of the planned audit coverage of the other; and
• To the extent possible, to amend its plans to better coordinate the effort.
• Having access to each other’s audit programmes and internal control questionnaires;
• DAGP having access to the working papers of the internal audit organisation;
• Having an exchange of audit reports and management letters;
• Having a common understanding of audit techniques, methods, and terminology; and
• DAGP relying, to the extent possible, on the audit work of the internal auditors, and thus
reducing the amount of additional testing required by the DAGP auditors.
Coordination of effort requires that DAGP and the internal audit staff meet well before the
commencement of specific audits to jointly plan their work for the following year. During
these meetings, DAGP could, for example:
• Discuss areas where it would like to rely on the work of internal audit;
• Provide the internal auditors with its basic planning parameters - materiality, audit risk,
sources of audit assurance, etc.;
• Provide the internal auditors with an audit programme, summary of unadjusted differences
and other forms and checklists for the internal auditors to complete; and
• Discuss the timing of the work and any required deadline dates.
One of the roles of internal audit is to provide management with an assessment of the
adequacy and effectiveness of the internal control structure and the extent to which it can be
relied upon. Auditors from DAGP should consult with the head of the internal audit

organisation to determine how much audit work internal audit has performed on the internal
controls. Wherever possible, the DAGP auditors should rely on the work of internal audit.
Just like any other control, the unit’s work needs to be tested before it can be relied upon.
DAGP auditors should consider examining the systems and procedures that the internal audit
unit has in place to ensure that its work is performed to the required standards. These systems
and procedures would include the unit’s quality assurance procedures, hiring policies and
training programme. The DAGP auditors may also wish to re-perform some of the work
performed by internal audit.
Sometimes the external auditors use internal auditors to perform some of the external audit
work. In cases such as this, the internal auditors are effectively acting as members of the
external audit team. Their work should be supervised and their files reviewed just like the
work of any other member of the team.
7.10 Documenting strategic planning decisions

7.10.1 The need to document planning decisions
The auditor’s documentation, in the form of audit files, is collectively referred to as the
“working papers”.
Paragraph 3.5.5 of DAGP’s auditing standards states, “Auditors should adequately document
the audit evidence in working papers, including the basis and extent o f the planning, work
performed and the findings o f the audit.”
Documentation of the planning decisions is discussed in detail in Chapter 8. At the end of the
detailed planning stage, all steps in the planning process should be complete and adequately
documented.
It should be noted that the documentation of the audit planning phase should not wait until the
detailed planning steps are complete. The work done in each step of the audit planning phase
should be fully documented as soon as the work has been completed.
At the end of the audit planning phase there should be documentation in the planning file and
in the permanent file of all of the decisions made during the general planning phase. In
addition, the relevant sections in the audit planning memorandum should be completed. The
individuals completing the detailed planning phase can then make use of all of this material.
7.11 Application to Government-wide Audits

7.11.1 Sample selection
As noted earlier, the auditor uses one overall materiality amount for the audit, and does not
need to allocate it to each grant, component, location, etc. In addition, this one overall
materiality amount is used when determining minimum sample sizes for the audit of each
component, and each specific financial audit objective and related compliance with authority
objective. (Note: this is not to limit the discretion of DAGP to perform more rigorous
sampling as it sees fit, especially for compliance with authority audit work).
For government-wide audits, the materiality amount will be established by a central DAGP
team that is responsible for the overall planning, performance, evaluation, reporting and

follow up of the audit. For the audit of the financial statements of an individual government
agency, the materiality amount will usually be set by the audit director or a more senior staff
person.
Each ministry, department etc. performs accounting functions at different locations - the
Account General Pakistan Revenues, principal accounting officers in the ministry or
department, DAOs, DDOs, etc.
Using one overall materiality amount ensures that every grant that is greater than the
materiality amount, and every location with assets, liabilities, revenues or expenditures greater
than the materiality amount will be virtually certain to have at least one transaction selected
for audit. Similarly, each grant and each location with assets, liabilities, revenues or
expenditures greater than one half of the materiality amount will also be likely to have at least
one transaction selected for audit. It is possible that sampling techniques will not select items
from all DDOs, DAOs etc. (DAGP has full discretion to extend sample selection to include
items from every DDO and DAO if it is considered necessary).
In addition, for the audit of the Federal Government, a province or a district, the auditor is
again using a single materiality amount for each audit entity, and that amount is based on the
assets, liabilities, revenues or expenditures of that entity as a whole, not each of the sub
entities, such as ministry or department, within the audit entity. Therefore it is possible that
sampling techniques will not select audit items from some of the smaller sub-entities. This is
logical, since sub-entities that are small relative to materiality are not significant from a
financial audit perspective.
However, with direction from DAGP, auditors have the freedom to extend the scope of their
audit to extend audit coverage to as many sub-entities as deemed appropriate, and the
coverage within each sub-entity, even 100% sampling, is also discretionary. Auditors often
accomplish this by developing a list of minimum procedures to be applied at specified sub
entities that is applied over and above the samples determined by sampling techniques.
Procedures that can help identify additional areas where coverage would be useful include:
1. Updating knowledge of the business by looking for new legislation, reviewing minutes
etc.,
2. Reviewing the basic control environment;
3. Performing analytical procedures on each line item in the financial statements
(including statement of appropriations); and,
4. Exploring for significant events and transactions after the year-end cut-off date.
The auditor could also select additional transactions at random and perform various tests on
those items. Bear in mind that the most useful test, given the small size of some sub-entities
relative to materiality, is to look for unrecorded transactions rather than errors in recorded
transactions. In particular, the auditor would look for unrecorded expenditures that could be
hiding over-expended appropriations.
The choice of which grants, locations, ministries or other sub-entities on which to perform
these discretionary procedures is based primarily on the auditor’s professional judgement and
knowledge of the entity. The auditor should consider the following:
• The grants, locations, ministries, etc. suspected of significant inherent and control risk;
• Sub-entity headquarters where records are kept and where management likely exerts
the most influence over transactions;

• All individually significant events, transactions or sub-entities.
In addition to extending the coverage of planned financial audit procedures, the auditor may
also decide to conduct additional audit work to review compliance with authority, internal
controls, performance and so on.
7.11.2 Coordination
It is not feasible for each audit directorate to plan its portion of the audit of the Federal
Government, province or district in isolation. The materiality amount and planned precision
value need to be set and the audit work on each component (e.g. line item in the financial
statements) should be coordinated across ministries, departments, agencies, etc.
A single grant may be spread across a number of departments, and one DAO may manage
more than one grant. It is essential that each grant is subject to an appropriate level of
investigation. DAGP has created a central team responsible for audit planning, performance,
evaluation, reporting and follow up of each government wide audit. For the annual audit of
the financial statements of the Federation, the central team is responsible for:
• Setting basic planning parameters (materiality, audit risk, planned precision,

components to audit, etc.);
• Setting inherent risk, control risk, other substantive procedures risk and substantive
test of details risk for each component and audit objective, compliance objective, error
and irregularity;
• Determining optimum mix of tests of internal control, analytical procedures, and
substantive tests of detail for each component and audit objective, compliance
objective, error and irregularity;
• Drafting audit programmes, forms and checklists to be used by audit teams;
• Performing overall error evaluation; and
• Reporting the results of the audit.

8. A C T IV IT Y A N D R E S O U R C E P L A N N IN G FO R
IN D IV ID U A L A U D IT S
This phase primarily involves using the decisions made during the audit planning phase to
update the audit programmes that will be used in the fieldwork phase. It is also concerned with
updating budgets, staffing requirements, the timing of the audit work, and the information to
be obtained from the entity.
8.1 Formulate/update Audit Programmes

The audit programmes provide the auditors with a list of all the procedures to perform.
As discussed in Section 3.5 of DAGP’s auditing standards, the audit findings, conclusions and
recommendations must be based on evidence. The audit programme must contain all of the
procedures necessary for the auditor to obtain sufficient, relevant, timely, reliable and
objective evidence to support his/her audit findings.
The Standard Audit Working Paper Kit and the Audit Programme Guides for specialised audit
areas provide a good starting point for the audit programmes to be used on any entity. The kit
and guides contain the following components:
• Internal control questionnaires (ICQs) and tests of internal control;
• Analytical procedures; and
• Substantive tests of details.
The kit and guides also contain various planning documents, checklists, forms and supervision
instruments.
This material cannot be used blindly, even on those audits where the auditor has extensive
material. All entities are different, and each entity can change over time. Therefore, there is
always a need to use professional judgment. For example:
• If limited reliance is being placed on the internal control structure, then some of the
procedures in the Internal Control Questionnaires can often be deleted, or the work
required for specific procedures can be reduced.
• If a lot of reliance is being placed on the internal control structure, then some of the
substantive tests of details may not be necessary, or the extent of the work required in
some of the procedures could be reduced.
When developing an audit programme, or tailoring one that is already in existence, it is

important to ensure that the programme will provide sufficient, relevant, timely, reliable and
objective evidence for each specific audit objective, related compliance with authority
objective, and error condition.
As a starting point to assist in this process, the audit programme guides contained in the
Standard Audit Working paper Kit and the Audit Guidelines contain a column that indicates
for which objective the procedure is designed to provide assurance. Once the auditor has
completed tailoring the programme for the specific entity, the auditor should then ensure that
each specific objective contains an adequate, but not excessive number of procedures to test it.

Nature. Some procedures, by their nature, will provide more assurance than other procedures.
They may be more relevant, more reliable, more objective, etc. To assess the amount of
assurance that the auditor can derive from a particular audit procedure, the auditor needs to
have a sound understanding of:
• The nature of evidence;
• What constitutes an appropriate quantity and quality of evidence; and
• The most appropriate methods of collecting evidence.
Extent. The extent of testing relates to how much work the auditor performs - the size of the
sample, the number of observations he/she makes, the threshold amount selected for following
up significant fluctuations from an analytical procedure, etc. The audit risk model and the
guidance provided in Annexes B and D may be useful for this purpose.
Timing. Timing relates to the period covered by the test. Generally, the longer the period of
time being covered by the test, the more assurance the auditor can derive from it. For example,
a test of internal control that covers transactions for the entire year is better than a test of
internal control that covers only a few months. This is why, if high reliance is placed on
internal controls, the auditor normally samples transactions from the entire year. Similarly, a
cut-off test that covers the transactions for a month after the year end would be a better test
than one that only covers the transactions for a few days after the year end.
The requirement to consider the nature, extent and timing of each procedure applies to entity
audit teams who are completing audit programmes developed by a central team. For the audit
of the financial statements of the Federation, for example, entity teams will be provided with
audit programmes prepared by a central team. However, these audit programmes cannot be
used blindly. It is the responsibility of each entity team to review the programmes to ensure
that:
• They contain all of the necessary audit procedures and that the required assurance will be
achieved; and
• They do not include unnecessary audit procedures or involve more work than is required.
However, audit programmes for each specific financial audit objective and compliance with
authority objective are not developed in isolation, for several reasons:
• Many internal controls, such as those that are part of the control environment, will be
common to many components, specific financial audit objectives, related compliance with
authority objectives and error conditions. The tests of internal control performed on these
controls can be used to provide assurance for all of these components, specific financial
audit objectives, etc.
• Some components are related to other components. For example, an understatement of
expenditures may also result in an understatement of liabilities and/or an overstatement of
cash. Therefore, the audit of each of these components will provide the auditor with some
assurance as to the completeness and accuracy of the related components. To avoid doing
more work than necessary, the auditor needs to take the assurance achieved from auditing
the related components into account. Professional judgment is required.
8.2 Updating staffing requirements and allocating resources

The audit must be appropriately staffed to achieve its objectives.

Audit planners should ensure that the staff members assigned to the audit have the audit skills
required to perform the work efficiently and effectively.
Changes to the nature, extent and timing of the audit work may affect the levels of staff
required to perform the work, and the assignment of specific staff members to the audit.
Staffing requirements need to be updated at this time.
For example, if the auditor wishes to reduce the size of substantive samples and increase
reliance on internal controls and analytical procedures, and also intends to introduce CAATs,
then the staff members assigned to the audit should have the required training to carry out the
tests of internal control, the analytical procedures, and the CAATs.
For the audit of the financial statements of the Federation and other audits where a central
team makes the initial planning decisions, the central team will often be making its planning
decisions on the assumption that each entity team will be able to provide the staff members
with the required technical and supervisory skills to perform the audit as planned. It is the
responsibility of each entity team to review the proposed audit plan and to discuss any
potential staffing problems with the central team before commencing the work.
8.2.1 Factors to consider
When assigning specific staff to audits consider the following:

• The required skill mix for each specific audit. Ensure that each audit team is composed of
staff members with the technical and supervisory skills that are required to complete the
audit.
• The needs of all the audits in the directorate. Better auditors should be assigned to the
more difficult and risky assignments.
• The audit deadline. Should the deadline date for an audit be moved forward, the auditors
may have less time after the year end to complete their audit. This may necessitate adding
extra staff to the audit to complete it in a shorter period of time.
• Audit continuity. Having at least some of the audit staff members return to perform work
on the entity the next year will help to ensure that the audit team has the required
knowledge of the entity.
• Rotation. Changing audit staff every few years can add new ideas to the planning and
performance of the audit. It can also help to ensure that the auditors remain independent of
the entity being audited.
• Learning and advancement. While it is beneficial for some staff to return to an entity, it’s
also advantageous to give them more challenging work each year. At the same time, they
could provide advice and assistance to the more junior auditors who are performing the
work that they performed in the previous year.
Audit management software will assist in making these staffing decisions.
8.2.2 Allocating resources
The specific audits planned for the period may have to be changed if certain audit skills or
experience within the Audit Directorate (or supplied from elsewhere within DAGP) are
overextended. The Audit Director should ensure that not only can the proposed set of audits
be conducted within available resources but also that there are specific resources with required

skills available to conduct the audits. For example, if there is only one person capable of
conducting audits of IT systems under development, the Director should ensure the total audit
workload of this type across several audits does not exceed the time available.
This can be managed by drawing up a matrix assigning audit resources against audit tasks to
enable the manager to balance workload with available resources.
8.3 Updating budget requirements

Any changes made to the nature, extent and timing of the audit procedures will most likely
affect the budgets for the work. The auditor should update the budgets at this time.
The audit budget should include a projection of:

• costs of travel, accommodation and subsistence while visiting audit sites;
• cost of any purchases;
• level of effort of audit team members.
The biggest aspect of budgeting is the budgeting of time - estimating the amount of time
required to:
• Plan the audit;
• Perform the audit of each specific component, and in total;
• Evaluate the audit results;
• Report the results of the audit;
• Follow up the results of previous audits (if being done at this time); and
• Manage the audit, including the supervision of lower level staff and a review of their
work.
Good budgeting is very important for audits where an opinion is being expressed. In these
cases, the auditor needs to complete all the activities that have been deemed necessary to form
an opinion, and so needs to ensure adequate resources (people, time, and money) are available.
Where no opinion is being expressed, the auditor has discretion over the scope of work
performed and can adjust the audit plan to best use the resources that are available.
For the audit of the financial statements of the Federation and other audits where a central
team makes the initial planning decisions, the central team will also be providing the entity
teams with a budget to perform the work. It is the responsibility of each entity team to review
the budget that it has been given and to discuss any problems with the central team before
commencing the work.
8.3.1 Factors to consider
The following factors should be considered when setting the budgets:

• size of the entity;
• complexity of the entity and its transactions;
• audit risk;
• inherent risk;

• quality of the internal control structure; and
• experience of the staff performing the audit.
Each of these is discussed below.
Size o f the entity. The size of the entity may only have a limited effect on the required budget.
This is because, as the entity being audited gets bigger, the materiality amount may increase
proportionately. The sample size required to audit the expenditures in a small entity may be
just as large as the sample size required to audit the expenditures in a large entity.
The complexity o f the entity and its transactions. This will likely have a considerable impact
on the budget. Some entities are inherently complex, and the substance of their transactions
may be difficult to determine. Entities such as these could require a much larger budget than
entities that are straightforward.
Audit risk. The lower the audit risk being taken, the more assurance is required. Reducing
audit risk from 5% to 3%, for example, could add 20% to the total required audit work.
Inherent risk. The higher the assessed inherent risk, the more assurance the auditor needs in
total from tests of internal control, analytical procedures and substantive tests of details. Also,
the auditor may need to use a higher expected aggregate error when determining planned
precision, further increasing the required amount of work.
The quality o f the internal control structure. It is more efficient to place a lot of reliance on the
internal control structure and reduce the substantive tests of details. Should this not be possible
because the internal controls are poor (control risk is high), the auditor may need to increase
the budget. Also, the auditor may need to use a higher expected aggregate error when
determining planned precision, further increasing the required amount of work.
The experience o f the staff assigned to the audit. More experienced staff should be able to
complete the work in a fewer number of hours.
8.3.2 Reviewing and approving the budget
The budget for each audit should be reviewed by the Director General responsible for the
audit, and approved by the Deputy Auditor General responsible for the audit.
Each audit directorate should review the budgets set for each individual audit within the
directorate to ensure that they look reasonable in relation to each other. Senior DAGP officials
could carry out the same review across all directorates.
Team members should record the time that they spend auditing each component. Explanations
for any deviations from the budget should be obtained, and the auditor should conclude
whether or not the factor causing the increase or decrease in time is expected to recur in the
next year. This information can be used as a starting point for the following year’s budget.
8.4 Updating timing considerations

All government entities have a 30 June year end. If DAGP were to wait until after the financial
statements of all of these entities were completed before commencing work, the audit reports
would not be timely and DAGP may not be able to meet required deadline dates.

To improve the timeliness of the audit reports, and to achieve other benefits, DAGP should
commence work on the audits before the year end (i.e., at an interim date).
This approach will be essential for the audit of the financial statements of the Federation and
the provinces since the New Accounting Model calls for the Auditor-General to issue a report
on the financial statements on or before 30 October.
For the audit of the financial statements of the Federation and other centrally-planned audits,
the central team will request each entity team to report to it by a certain deadline date. It is the
responsibility of each entity team to discuss, with the central team, any potential problems that
it may have meeting the deadline date before commencing the work.
8.4.1 The use of interim audits
An “interim date” is a date in advance of the year-end date. An “interim audit” is an audit
performed at an interim date.
To illustrate, the auditors could decide to perform an audit of the transactions for the first six
months of the year (1 July to 31 December) in the following February and March. They could
then return to the entity in May to do the next three months (1 January to 31 March). They
could then return again after 30 June to complete their audit.
The work performed at an interim date could include:

• Auditing a sample of revenue and expenditure transactions up to the interim date. A
sample of the transactions for the rest of the year could then be audited at a later interim
date, or after the year-end.
• Reviewing and testing the entity’s internal control structure. Enquiries, observations and
walk-through procedures could then be performed at the year-end date to ensure that the
internal controls had not deteriorated.
Note: When high reliance is being placed on the internal controls, the auditor would
normally to also sample the transaction between the interim date and the year-end date.
• Discussing accounting policies, the form and content of the financial statements,
contentious authority matters, etc. with entity officials. This could avoid having to deal
with these matters at the end of the audit.
8.4.2 Factors to consider when determining the optimum timing
The key benefit of using interim dates is to improve the timeliness of the audit reports.
Another benefit of using an interim audit is that it can provide the auditor with an earlier
indication that the planning decisions may need changing. For example, the auditor may have
intended to place a lot of reliance on the internal controls, but may find at an interim date that
the controls are not reliable. The auditor would then be able to amend the audit plan well
before the year-end date.
A further benefit of performing an interim audit is that it may solve staffing problems. The
required staff may not be available to do all of the audit work after the year-end date. Also,
there may be a need to do some of the work before the year-end to keep all of the staff fully
occupied.

The major drawback of doing some work at an interim date is that it may add to the cost of the
audit. If, for example, the bank reconciliations were verified before the year end, the auditor
would normally need to review the transactions that took place between the date of the in term
work and the year end.
8.5 Updating information required from the entity

It is entity management’s job to ensure that the financial statements, and the supporting books
and records, are complete and accurate. Management should be preparing its own analyses of
the account balances, reconciling accounts, preparing lists of specific assets and liabilities
making up various account balances, checking the year-end cut-off, doing searches for
unrecorded transactions, etc.
The auditor could make use of the above work to reduce the audit effort. To do so, the auditor
should prepare a list of all of entity management’s analyses, reconciliations, schedules, lists,
etc. that would be useful for the audit, and submit the list, with a request for copies, to entity
management well in advance of the commencement of the audit.
This process will not only help to improve the efficiency of the audit, but will also be a good
test of the extent to which entity management has fulfilled its own responsibilities.
The Standard Audit Working Paper Kit includes a list of forms, schedules, reconciliations,
analyses, documents, etc. that are typicallyoften requested from entity officials.
8.6 Re-assessing the general and detailed planning decisions

for individual audits
8.6.1 The need for re-assessments
Decisions made in the detailed planning phase may require changes to decisions made during
the general planning phase. For example, staffing and timing issues may affect the auditor’s
ability to use the optimum mix of tests of internal control, analytical procedures and
substantive tests of details.
In addition, audits cannot be planned in isolation. Each audit directorate needs to consider how
best to utilise its entire staff on all of its audits in the most efficient and effective manner. This
could result in some individual audits not being done in the most efficient and effective
manner.
As we will see in later chapters, the general and detailed planning decisions should also be re
assessed in later stages of the audit.
8.7 Documenting the detailed planning decisions

8.7.1 The need for documentation
Paragraph 3.5.5 of DAGP’s auditing standards requires: “Auditors should adequately

document the audit evidence in working papers, including the basis and extent o f the planning,
work performed and the findings o f the audit.”
The general and detailed planning decisions are documented primarily through:

An updated permanent file;
• An updated planning file;
• An updated audit planning memorandum; and
• Updated audit programmes.
8.7.2 Updated permanent file
The permanent file contains information that can be useful to the auditor for several
assignments. A sample index for a permanent file is contained in the Standard Audit Working
Paper Kit.
As is illustrated in the working paper kit, the information that is often found in the permanent
file includes:
• The role of the entity, its vision and mission statements, and its most recent corporate plan;
• Copies of relevant government legislation, regulations, guidelines and other rules affecting
operations;
• Organisation charts;
• Chart of accounts;
• Summary of accounting principles used by the organisation;
• Copies of long-term contracts/leases;
• Copies of loan agreements, schedules of amortisation for debts and special assets;
• Extracts of minutes;
• Special remuneration conditions for senior officers; and
• Reports to management and management’s response.
Policies and procedures manuals may be in the permanent file if they are brief or,
alternatively, a copy should be kept on the auditor’s premises.
8.8 Updated planning file
The planning file contains support for all of the planning decisions that have been made. The
usual content of these files is illustrated in the Standard Audit Working Paper Kit.
As is illustrated in these guidance materials, the information that is often found in the planning
file includes:
- Support for the work performed and the decisions made at each step of the general and
detailed planning processes. This would include the work performed to update the
planning decisions made in previous years
- An updated audit planning memorandum. See below.
- Updated budgets, staffing requirements, timing considerations, information required
from the entity, etc. resulting from the detailed planning process.

8.8.1 Updated audit planning memorandum
This document is usually included in the planning file. It summarises the key planning
decisions that have been made, with emphasis on the changes that have been made to the
previous year’s plan.
The usual content of an audit planning memorandum is illustrated in the Standard Audit
Working Paper Kit.
8.8.2 Updated audit programmes
Audit programmes contain the specific audit procedures that the auditor needs to complete
during the fieldwork phase.
Standard audit programmes are included in the Standard Audit Working Paper Kit. Audit
programmes for the 13 specialised areas are included in the Audit Guides for those areas.
8.9 Approval of the general and detailed planning decisions

All planning decisions should be approved before the fieldwork commences. This is to ensure
that:
• Appropriate and sufficient evidence is obtained to support the opinion;
• All of DAGP’s auditing standards are complied with; and
• Only necessary work is performed.
Since the work performed will form the basis for the conclusions reached and the form and
content of the reports being issued, it is important that the general and detailed planning
decisions be reviewed and approved by senior DAGP officials. It is suggested that the
planning decisions be reviewed by the responsible Director General and approved by the
responsible Deputy Auditor General.

9. CONDUCTING THE AUDIT
9.1 Introduction
By the end of the planning phase and after completing the detailed activity and resource
planning work, the auditors will have updated the:
• Permanent file;
• Planning file;
• Audit planning memorandum;
• Audit programmes;
• Staffing requirements, and the staff to be assigned to each component of the audit;
• Budget requirements;
• Timing considerations; and
• List of information to be obtained from entity officials.
The auditors will use this information during the fieldwork stage to perform the audit work. In
particular, the set of updated audit programmes selected for the audit will guide the detailed
activities of the auditor. The following sections of this Chapter introduce the conceptual basis
for the auditors’ work of testing and sampling transactions, collecting and evaluating evidence,
and maintaining working paper files.
9.2 Compliance Testing

In conducting the audit, the first step is to evaluate the effectiveness of internal controls. This
is done through compliance testing. During the planning phase, the auditor will have assessed
the appropriateness of internal controls and made an initial judgment as to the extent to which
the auditor can rely on the internal controls when deciding on the sample sizes to take for
detailed testing of transactions.
To determine how well internal controls are being applied, the auditor should test the controls
with a sample of transactions. The sample taken for compliance testing will usually be part of
the sample required for substantive testing (see later).
Generally, for compliance testing, basing the assumptions on a zero deviation (or error) rate
and a tolerable rate of 5%, the auditor would take a sample size of between 30 and 60. Thus,
with a sample size of, say, 45 items, if the auditor finds no errors, then the controls can be
assessed as having a low control risk. If in this sample, one error is found, then the auditor can
determine control risk is moderate. If, however, more than one error is found in the sample,
the auditor cannot place much reliance on the controls (and therefore would increase the
amount of substantive testing).
Compliance tests are designed to determine whether the controls are effective. Any significant
misstatements or instances of non-compliance should lead the auditor to identify weaknesses
in controls, report the specific weaknesses in the controls, consider the implications on the
financial statements and reconsider the extent of reliance on the controls (and therefore the
size of sample needed for direct testing of transactions).

A similar approach is taken to sampling and testing compliance with authorities, authorities
being one specific type of internal control over the entity’s operations.
9.3 Substantive Testing

For financial audit purposes, substantive testing is required to determine how much assurance
can be placed on financial assertions. Some testing is by analysis and other procedures but
most assurance is provided through detailed testing of sampled transactions.
9.3.1 Substantive Analysis
Substantive analysis is a means o f deciding whether financial data appear reasonable and
acceptable and therefore may allow the auditor to conduct less detailed testing of transactions.
The extent o f reliance on substantive analysis procedures depends on the following factors:
• Materiality of items involved in relation to the financial information taken as a whole (if
the amount is high, the auditor does not rely on analytical procedures alone in forming an
opinion);
• Other audit procedures relating to the same audit objectives;
• The likely level of precision and reliability that can be obtained from the analysis (for
example, if the construction of a road is through uniform terrain, a unit cost per kilometre
can be applied to provide a reasonable estimate o f expected cost; however, such an
analysis would not likely provide a reliable figure if the road is constructed through
variable terrain o f mountains and plains);
• Results of the evaluation of internal controls. If the internal controls are assessed as weak,
more reliance should be placed on tests o f detailed transactions than on analytical
procedures.
9.3.2 Tests of Details
Tests o f details are the application o f one or more o f the following audit techniques to
individual transactions that make up an account balance:
• Recomputation;
• Confirmation;
• Inspection; and
• Cut-off tests.
Recomputation provides strong evidence of the arithmetical accuracy of the tested operations.
It cannot, however, by itself provide evidence as to the existence, completeness, accuracy or
authorisation o f components o f the computation and should therefore be supplemented by
other procedures directed to those assertions.
Confirmation generally provides strong and documented evidence from an external source.
Confirmation procedures are used for example to confirm cash at banks or amounts owing by
creditors. DAGP should maintain control over the confirmation letters, mailing procedures
and any exceptions throughout the process in order to minimise any interference by the
entity’s management.

Inspection procedures are applied both to assets (to obtain evidence about existence) and to
documentation (vouching as to the accuracy of a recorded transaction, such as the date, party,
quantity, unit price, description, total amount and signature of authorisation). Inspection of
assets provides evidence of physical existence but does not normally provide evidence as to
ownership, completeness or valuation of the inspected assets. The collection of further
evidence relating to these can often be designed to be tied into the physical inspection
procedures.
Cut-off procedures are tests of transactions occurring close to the cut-off date to ensure that
the transactions are recorded in the correct accounting period.
Selecting items for tests of details. Normally only a proportion of the items within an
account is tested even though the auditor wants to conclude about the account as a whole.
This is done by:

• Selecting key and high value items; or
• Taking a representative sample; or
• A combination of both.
Key items are normally selected when:

• There is reliance on internal controls and there is substantive audit evidence from
analytical procedures (and therefore require relatively little substantive audit evidence
from tests of details); or,
• A small number of high value items form a large proportion of the account (therefore
testing these items will include a high proportion of the total value of the account); or
• The population consists largely of non-routine transactions and therefore the account is
unlikely to consist of similar items that could be sampled.
As well as having a high value, key items can be other unusual or suspicious items, such as:
• multiple transactions with very similar values/dates/suppliers;
• apparently duplicate transactions;
• items which are unmatched; or,
• items with other specific characteristics that catch the auditors’ attention.
Representative sampling is likely to be most effective when:

• There is little or no evidence from analytical procedures so the auditor has to rely on
substantive audit evidence from tests of details;
• The population contains a large number of individually insignificant items; and/or
• The population contains routine transactions and therefore the account is likely to consist
mostly of similar items (i.e. a homogeneous population).

9.3.3 Substantive Sampling
It is important to ensure that whatever sampling is chosen, an estimate of the total level of
errors in the population can be deduced from the sample on a scientific basis. Without having
a scientifically selected sample that is sufficient and representative, no assurance on the
financial statements can be concluded and no projection of other quantitative concerns can be
concluded.
In implementing a substantive sampling plan, the following need to be considered:

• Decide what is to be tested;
• Define the sample and select the sample;
• Audit the sample items; and
• Evaluate and interpret the results.
Decide what is to be tested. First, the auditor needs to define the objective of the test. This
includes defining what assertions are being tested, what constitutes an error, the acceptable
risk of material error, the population from which a sample is to be selected, the sampling
technique and the definition of a sampling unit (the physical unit to be selected). The
population is the collection of items from which a sample is drawn and about which the
sample is to provide information.
Note that the completeness of the population cannot be tested using a sample because omitted
items have no chance of selection. Therefore, completeness should be tested separately to
ensure that substantially all items are included in the recorded population and will have a
chance of selection.
Define the sample and select the sample. To obtain reliable conclusions about the population
as a whole, a representative sample should be taken. For the sample to be representative, each
item in the population should have an equal chance of being selected (i.e. the sample is
random) or, if the sample is stratified (for example, large transactions are treated differently
from the rest of the population), the sample from each stratified component is representative of
that component and thus conclusions can be determined for each stratified selection. For a
guide to sample selection, see Appendix B.
The sample size is determined by what is considered an acceptable level of materiality

(compared to the value of the population as a whole), the level of confidence that the auditor
wishes to have about the conclusions (for example a 95% level of confidence - that is the
conclusion arrived at is correct 19 times out of 20) and the assumed level of error in the
population (which is not normally known until the sample has been taken and analysed). The
method of determining the sample size is provided in Appendix B.
The preferred method of selecting a sample is the monetary unit sampling (MUS) method.
Standard CAATs software can provide the auditor with the sample size and the sample items.
The auditor can sometimes reduce the sample size by using a stratified sample (for example,
testing 100% of the large transaction values and then taking a sample from the remainder of
the population - where the sample of the remainder of the population represents a relatively
small part of the total population value).
Audit the sample items. To enable the auditor to draw conclusions on the whole population,
all items in the sample need to be examined. The audit effort can be reduced where a pattern

can be identified. For example, the errors in the sampled items may be grouped together
where of the observed errors have a common cause.
The first use of the sampled items is to determine whether the level of errors, when projected
to the population as a whole suggests that the acceptable level of materiality has been
exceeded in which case, the auditor may not be prepared to accept the reliability of the
financial statements.
As well as determining the extent of inaccuracies discovered in the sample, the auditor needs
to determine the causes of the errors. There are two reasons to follow up on identified errors:
1) To assess the internal controls (and where necessary, adjust the level of reliance on the
controls as a result of the substantive testing) which will assist the auditor in concluding
whether reliance can be placed on the financial statements; and
2) To conduct a compliance audit on any errors that suggest that the transactions were not
carried out in compliance with relevant and applicable laws, regulations and internal
controls. Also, following up on errors should help the auditor identify the underlying
cause of the errors and thus be able to provide practical recommendations on corrective
action.
Where the compliance with authority work is being performed as part of a financial
certification audit, the auditor should only be concerned with compliance where the impact of
non-compliance is significant. Minor cases of non-compliance should be picked up by the
internal audit function. Where the potential impact of lack of compliance, or mismanagement,
or misallocation of funds is serious, it is very important that the audit work is completed.
Where appropriate, the sample should be expanded to follow up on other suspected situations
of serious mismanagement of funds.
For other compliance with authority work, the audit objectives will determine what is
significant.
Evaluate and interpret the results. Especially for reporting purposes, the auditor must be
able to conclude on the population as a whole, based on the findings from the sample items. If
the sample size is 1,000 and the population size is 100,000 (and provided the sample is
representative of the population) the most likely errors in the population as a whole would be
estimated at one hundred times as great as the errors discovered in the sample. Say for
example, errors in the sample amounted to 50,000 Rupees, the errors in the population as a
whole would be a hundred times as large, which would be approximately 5 million Rupees.
Whereas the errors in the sample may not be large enough to include in the Auditor-General’s
Annual Report, the estimated errors in the population as a whole become a much more serious
concern.
The audit work should be sufficient to conclude on the nature of the errors detected and the
underlying causes of the errors. An understanding of the causes of the errors allows the
auditor to form judgments on the seriousness of the observations. For example, the errors may
have occurred only in a particular month when an inexperienced clerk was handling the
transactions. If so, and there is sufficient evidence to be assured that for the rest of the year
the problem did not occur, then the errors can be assumed to have occurred only during a
small part of the year’s transactions. Thus, conclusions on the population as a whole are not
necessarily a simple projection based on the sample. The explanation of the errors found is
critical for forming reliable inferences on the evidence obtained.

9.3.4 Management of Sample
The Director o f Audit should personally ensure the proper selection o f the required
sample and follow up to check that this sample was the one used in the field.
Reliable audit results depend on having an unbiased and representative sample. Any
changes to that sample can possibly invalidate the conclusions to be derived from the
sample.
In practice, the auditor may not be able to utilize all items in the selected sample. This can
be due to a wrong identification of the item (an item from a different office or location was
inadvertently included in the sample); the transaction was later reversed; or due to a whole
host of possible reasons. A frequent problem is that the supporting documentation for the
transaction cannot be found. Although the auditor must be careful to determine why the
documentation is missing since this could well indicate irregular activities, in certain
circumstances, other items might have to be substituted. Also, the auditor should be
encouraged to use initiative and include other items, especially when conducting the
regularity component of the audit. Although substitution o f other items during the fie ld
audit can be appropriate, the auditor M UST inform the Director o f Audit o f the
intended substitution or addition o f items in the sample and ONLY include these items
(and/or drop other items) after obtaining the approval o f the Director o f Audit. It is the
responsibility of the Director of Audit to be assured that any substitutions are fully
justified and after the field work has been completed, to review the file to be assured that
the items audited were consistent with the original sample and/or with the approved
changes.
It is the role of quality assurance to pay particular attention to the proper selection of audit
sample and ensure that that sample was indeed the one followed up during the field work.
9.3.5 Sampling for Regulatory Audit Purposes (Compliance with Authorities)
Regulatory Audit Combined with Certification Audit. In general, the sample taken for
certification purposes is also appropriate for regulatory audit purposes. Although it has
often been the custom of auditors to take large samples for regulatory audit purposes, in
most cases this is not necessary. In fact the converse is usually the case. The sample for
certification audit purposes has to be sufficiently large to conclude whether the financial
information (e.g. line-item) is sufficiently accurate to be relied upon. The regulatory audit
on the other hand only has to determine whether there are control problems and does NOT
have to estimate the error rates in the irregularity occurring. The audit evidence only has
to be sufficiently convincing to point out to management that there needs to be improved
controls and better administrative performance.
The exception to this is where the irregularity occurs only infrequently (say at one
particular location, or only on the last day of the month) and the sample cannot be
designed to focus in on this problem, then a larger sample is required to make sure of
including some of these irregularities. Yet, since it is infrequent, it is not material. It is an
audit judgement whether to exert considerable audit effort to try to catch these infrequent
irregularities. Wherever possible, the use of other methods, than using a large sample,
such as analytical techniques and examining internal controls would be a more cost-
effective means of detecting and zeroing-in on the problem area.

Regulatory Audit Not Part of Certification Audit. In some cases, the regulatory audit is
carried out without performing certification audit, such as conducting regulatory audit
work where the organization has an auditor from the private sector performing the
certification audit work. Wherever possible, the use of a CAAT for analysing the patterns
of transactions and/or for obtaining a random selection of transactions is preferable to a
manual selection of the sample.
The sample size, in this case, is not defined by the needs of the certification audit, so some
other means has to be used. Regulatory audit is not normally concerned with estimating
the financial value of the transactions that have been carried out in an irregular manner.
Nevertheless, the auditor would prefer to ensure that the majority of transactions examined
were significant transactions not very small transactions. Thus for regulatory purposes as
well as for certification purposes, the auditor would like to be assured that the larger
transactions were given greater emphasis in the sample than small ones. Thus, a 100%
sample, or high proportion sample, of the largest transactions combined with a random
sample from the rest is one approach. Alternatively, there is no reason why a MUS cannot
be used to select a sample solely for regulatory audit purposes.
Appropriate Sample Size For Regulatory Audit. Whether the sample used for
regulatory audit is taken from the sample selected for certification audit purposes (the full
sample or a sub-set of the sample) or is generated separately, the same question arises:
how to determine an appropriate sample size.
It is better to do a thorough examination of all aspects of a transaction (including digging

down to discover what caused the irregularity) than examine a large number of
transactions at a superficial level (e.g. checking for a signature).
As with most sampling situations, the decision on the size of sample is first based on the
assumption of a homogenious population (i.e. any item in the sample is just as likely as
another to have the particular characteristics of the typical member of the population).
Secondly, the appropriate sample size is dependent on the characteristics of the population
(which usually is not known until the sample is taken). So the sample size calculation
needs to make an assumption about the error rate (in the case of attribution sampling1).
There are formulae that the auditor can use to calculate the desired sample size, based on
certain assumptions. Alternatively it is practical in most cases to take a sample size of
between 50 and 100 for regulatory purposes. Or, as discussed above a much larger sample
if attempting to find an irregularity that occurs infrequently in the population as a whole.
The best way to illustrate this is to discuss what conclusions can be derived from the
sample. After taking a particular sample, the error rate for the population as a whole can
be estimated based on the results obtained from the sample.
For example, if the auditor has taken a sample size of 60 and finds no errors, then it can be
said with 95% level of confidence2 that the population as a whole contains less than 5%
1 Attribute Sampling. A type of statistical sampling used for compliance testing whereby sample items are
evaluated for compliance or attributes. Items either are or are not (yes or no) in compliance. This type of
sampling reaches a conclusion on the frequency of occurrence of a particular attribute in a universe.
2 That is to say that the statement will be a correct statement 19 times out of 20.

level of errors. If the auditor found 10% of the transactions had errors, then it can be said
with 95% confidence that the errors in the population as a whole were somewhere between
5% and 20% level of error (approximately). This is true for a population of more than 500
transactions from which the 60 was a representative sample3.
If the auditor wants to be sure that there was less than 1% level of error in the population
(with 95% level of confidence), a sample size of 300 would be needed and no errors
found. This statement would be correct if the population size was over 1,000.
Interpretation of Regulatory Errors. It is not the job of the regulatory auditor to find
every error. What the auditor needs to know is:
• Is there a problem with irregularities and if so how serious is the problem; and
• What is the cause (or set of causes) that has led to the problem.
In addition, the auditor would like to be able to recommend a way of correcting the
problem(s) observed.
A rule in quality control is that usually only one or two, or perhaps a few more, causes can
explain almost all of the observed errors. Thus as soon as the auditor discovers the
underlying causes of the errors found, and as long as it can be concluded that there is a
serious problem, the auditors have done their job. No additional auditing is really that
useful. From a regulatory perspective, it is not all that important to determine the precise
level of error rate.
Finally, the auditor must be able to communicate the findings relating to regulatory
concerns in a manner that management can understand and accept as important. The
auditor is referred to the Chapter on Reporting in this Manual.
3 This formula is affected by the size of the population as a whole. If the population (i.e. all transactions
from which the sample has been taken) is small compared to the size of the sample, then the results are
slightly different.

9.4 Evidence
The auditor requires evidence to support all information presented in the audit report. Even the
background description of the entity and generalised statements about the organisation must be
supported by appropriate evidence. The final audit report must be able to withstand all
challenges and the auditor must be able to demonstrate his/her professionalism in the way the
audit is carried out and in the presentation and contents of the final report.
9.4.1 Attributes of Evidence
To support the auditors’ findings, conclusions and recommendations the evidence must be:
• Sufficient;
• Relevant;
• Reliable; and
• Objective.
Sufficient. Evidence should be sufficient to lead a reasonable person to the same conclusions
as the auditor. The sufficiency of evidence will be influenced by a wide variety of matters
including:
• The auditor’s knowledge of the entity and its environment;
• The materiality/significance of the matter in hand;
• Whether the report is addressing only a limited area of coverage or whether it
encompasses all activities and transactions within a large area of management
responsibilities;
• Whether the audit is providing assurance or just identifying particular weaknesses in need
of correction;
• The degree of risk that insufficient evidence will lead to a misleading statement or
conclusion or produce an inappropriate recommendation;
• The quality and persuasiveness of the evidence; and
• The degree of acceptance of the evidence by management.
The auditor should take care that the evidence is strong enough to support statements in the
report.
If the audit report simply lists a series of negative findings, the evidence required applies only
to those particular projects/activities/transactions examined. If however, the auditor wishes to
generalise about all projects/activities/transactions, the audit evidence has to be sufficient to
demonstrate, usually on the basis of a statistically valid sample, that the majority of such
projects/activities/transactions have the same characteristics of satisfactory performance
(assurance) or suffer from the same negative findings.
Relevant. The relevance of audit evidence refers to the relationship of the evidence to its use
and applicability. The auditor should have a clear audit programme with distinct audit
objectives. The auditor is expected to collect relevant evidence to conclude against those audit
objectives to complete the audit satisfactorily.

In practice, the auditor is likely to encounter situations not anticipated in the audit plan. The
auditor should not be blind to evidence outside of the audit objective(s). If the auditor obtains
evidence of a significant issue outside of the defined scope and objectives of the audit, the
auditor should discuss the situation with his/her superior or other appropriate person in DAGP.
If the auditor pursues an area of investigation substantially outside of the audit objectives, it
would be appropriate to brief the entity’s management on the change of scope.
Evidence must support audit statements directly. Evidence should not take the form of an
implication. For example, statements that the manager is often absent does not necessarily
imply that there is insufficient supervision. The linkage must be established by the auditor by
obtaining sufficient relevant evidence to support the conclusion.
Evidence to support audit conclusions should, as far as possible, be timely. The relevance of
audit findings generally diminishes over time. The auditor needs to focus as far as possible on
current situations so that management can receive useful feedback and take corrective actions.
For example, major capital projects may proceed through the planning stage, contracting and
construction over many years. If the auditor identifies a weakness in the planning stage of a
project now complete, the finding may not be applicable to other projects. The managers, or
the systems, procedures and practices may have changed. Wherever possible, the auditor
should review the current systems, procedures and practices and determine whether the
weaknesses of the past still exist or have been corrected.
Reliable. The auditor has a professional responsibility to ensure that, as far as possible, the
evidence obtained is reliable. That is to say, the evidence is:
• based on fact, not opinion;
• an accurate reflection of reality;
• from a reliable source;
• consistent with other evidence; and
• remains true for all situations within the audit domain.
Interviews are a source of useful evidence but the auditor should appreciate that often
statements are based on opinions, are not necessarily accurate and may on occasion be
intentionally false. Wherever possible, a statement from an interview should be checked
against documented evidence. For example, if the auditor is informed that a particular
transaction was delayed for some time, the documentation of the transaction should be sought
to confirm what was said in the interview.
Occasionally, even documented evidence can be unreliable. The auditor should be continually
reviewing, questioning and deciding on the reliability of the evidence. Where the auditor is not
satisfied with the reliability of the evidence, and has not been able to resolve the problems, the
best approach is to include statements to this effect in the draft report and seek management’s
assistance in getting the most reliable evidence.
Where there is a good system of internal control, the auditor can be more confident of the
reliability of information produced by the entity than where the internal controls are weak.
A particular type of evidence is the non-existence of something - the lack of an anticipated

event or expectation (a control, a study or some other matter that the auditor is expecting to
see). The best the auditor can do is document on file the efforts made to find the evidence of
what the auditor would expect to see in the particular circumstances. If the auditor does not

make the appropriate efforts to find what is considered missing, he/she can be criticised by
management for not making reasonable effort. One approach is to use the “audit query” to
seek management’s assistance. Alternatively, through interviews, briefing and, if necessary,
within the draft report, the auditor should draw attention to the fact that no evidence has been
found of what the auditor was looking for.
Objective. To be admissible, evidence should be objective and free from bias. The auditor
should always maintain an open mind with regard to the evidence collected. The auditor
should guard against assuming that the initial findings or assumptions are the only
interpretation of the situation. If not, there is the danger that the auditor, most likely
inadvertently, seeks evidence that supports the original perception. Whenever there are
contradictions in the evidence collected, the auditor should not reject certain evidence, but
rather seek further evidence to determine which information is correct, or to obtain an
explanation as to why the evidence is not consistent.
Evidence should be evaluated objectively; alternative interpretations of the same evidence

should be considered and inconsistencies in the evidence resolved before reaching final
conclusions. Wherever possible, the auditor should focus on the results and systems, not on
the individuals involved. The auditor should endeavour to avoid being influenced by
personalities.
9.4.2 Types of Evidence
Evidence can take the form of observation, documentation, analysis, interview responses, and
confirmation through interview or written response.
Evidence can be classified according to the following:

• Documentary;
• Observational;
• Physical;
• Oral; or,
• Analytical.
Documentary. Although the auditor may rely on interviews for determining where to look
and what to look for, the main source of audit evidence is usually documentary, in either
physical or electronic form. Documentary evidence can be further broken down into internal
or external. Internal documentary evidence originates within the entity and may include
accounting records, copies of correspondence, budgets, internal reports and memoranda,
personnel documents, appraisals, organisational charts, and internal policies. External
documentary evidence may include letters or memoranda received by the entity, suppliers’
invoices, leases, contracts and other reports, and third party confirmations.
Auditors should be wary of possible errors or misstatements in documentary evidence. Their

reliability depends on how the source data are collected and manipulated. Although electronic
processing is far less prone to error, and errors that are generated are likely to be systematic,
the data input to the electronic systems are frequently manual and therefore prone to human
error. Various analytical tests can be made to confirm consistency and increase the auditor’s
assurance of their reliability.

Observational. Observational evidence is obtained by observing people and events or by
examining property. All observations obtained by the auditor should be recorded, either in the
form of notes to file, photographs, or other pictorial representations. The evidence is
strengthened if it is obtained by two auditors, if the observation takes place several times as
opposed to only once, or is discussed at the time of observation with a representative of the
entity, preferably someone responsible for the activities or properties being audited.
An important form of evidence is the confirmation of information contained in records

through a physical count of the actual amount or number of items (such as cash, pieces of
equipment, inventory). Inspection of equipment should include spot checks to ensure that the
equipment is complete and in good working order.
Physical. The main physical evidence that would be used by an auditor would be a
photograph, for example showing the condition of a building or piece of equipment.
Generally, physical evidence, except of course documents, is not collected by auditors. In the
case of documents, some standards require that the auditor examine an original rather than a
copy, but in most cases, the evidence collected is a copy of a document, or part of a document.
The auditor must clearly identify the source of the document.
Oral. Oral evidence takes the form of statements usually made in response to enquiries or
interviews. Interviews can provide important leads not always obtainable through other forms
of audit work. There are many sources of oral evidence:
• Various levels of management;
• Personnel directly involved in operations;
• Suppliers and contractors;
• Recipients of government services;
• Members of the general public;
• Other ministries/departments/agencies; and
• Experts and consultants.
The auditor must take care to follow appropriate protocol and procedures when approaching
individuals from inside and outside the entity. Generally, the management in charge of a
particular part of the entity should be notified before the auditor approaches staff within their
area. It is appropriate in most cases to clear with management of the entity before approaching
personnel outside of the entity to discuss matters pertaining to the entity. When approaching
experts or consultants to discuss aspects of the entity, care should be taken to avoid placing
them in a position of conflict.
The auditor should always prepare a written summary of the interview. Interviews must be
well documented. The auditor should not normally “quote” a specific individual nor indicate
the source of oral information in a report or briefing. If, for any reason, a person is to be
quoted, then the auditor should obtain that person’s agreement. Wherever possible, the auditor
should obtain corroborating oral information from more than one source. The reason for this is
that:
• This increases the reliability of the information, particularly where the sources are
independent;
• The source of the information is less likely to be traceable to one particular individual;

• A stronger statement can be made, such as “the majority of those interviewed commented
that ...”, or “x% of managers responded ...”; and
• The auditor cannot be accused of placing too much emphasis on a source that could be
biased.
One way of strengthening oral evidence, and confirming other forms of evidence, is to
produce a list of observations to discuss at an exit interview with the person responsible for the
area. The auditor does not need to divulge the source of the information; only confirmation of
its correctness is discussed during the exit interview. If further documentation of these
findings is required, then minutes of this meeting can be sent for confirmation.
Analytical. Analysis of data can provide conclusions that are not necessarily directly available
from lists of data, reports, studies or other sources. An auditor with strong analytical skills can
uncover information that may not be known already to managers of the entity.
There are many uses for evidence derived from analysis. These can include:
• Checking that data from different sources are consistent, and conducting reconciliations;
• Calculating variability in levels of efficiency;
• Calculating averages to compare performance;
• Ensuring interest payments are properly calculated;
• Confirming payroll and other expenditures are accurate, and comply with regulations,
agreements and other controls on payments; and
• In general, confirming written and oral statements.
Analysis can be time-consuming but the results can prove valuable. Wherever possible, the
auditor should start with a quick approximation rather than conduct detailed analyses. If the
quick approximations suggest that there are problems or potentially important findings, then
the auditor should design a detailed process for obtaining accurate evidence.
9.4.3 Procedures for Gathering Audit Evidence
Broad Approach. At the start of an audit, usually during the planning stage, the auditor takes
a broad approach to the collection of evidence. Interviews are often of a more general nature
and questions are more open-ended than specific. The auditor takes the approach of scanning
at this stage. Materials are scanned quickly to obtain a general understanding. The auditor
searches for significant events or transactions that may require further review.
It is usually more efficient to obtain explanations through inquiry, and then later seek to
validate these explanations, than for the auditor to try to find explanations directly by sifting
through quantities of detailed evidence. Sometimes, managers are happy to direct the auditor
to those areas in greatest need of examination while others will evade or even misdirect the
auditor in hope that weaknesses will not be discovered.
Specific Approach. Before the main examination phase of the audit, the auditor will have
developed a detailed audit programme. Here the audit objectives have been defined, and the
standards or audit criteria against which the observations are compared have been structured.
A set of specific questions may be identified, either in the form of a modified internal control
questionnaire or audit guide, or by an analysis of what information is required to answer the
audit objectives and confirm compliance or lack of compliance with the standards/criteria.

Expanded Approach. As the evidence is collected, however, further questions arise and new
areas for enquiry are often discovered. The auditor needs to apply judgement as to what
evidence to collect and what to ignore. Cause-and-effect analysis (see below) will usually raise
questions about further evidence.
Experience will guide the auditor in deciding whether the evidence obtained to a certain point
can stand on its own or further support is required to confirm the validity of the evidence. This
further support could include:
• Corroborating evidence with independent third parties;
• Physical checks to verify that an asset or liability exists;
• Analysis to ensure that the evidence is reliable; and
• Verifying that procedures actually operate as claimed by management.
9.5 Matters to deal with during fieldwork

Auditors need to obtain and record relevant, reliable, sufficient and convincing audit evidence
to support their audit findings, conclusions and recommendations.
In the process of obtaining this evidence, auditors often need to deal with matters that require
the use of professional judgment. These matters are discussed in this section.
9.5.1 Unanticipated matters
Although the audit programmes are approved at the detailed planning stage, the auditor
performing the work should not assume that the programmes cannot be changed. The auditor
is likely to encounter matters not anticipated in the audit plan. For example, the entity may
have new assets, liabilities, receipts or expenditures that were not known at the planning stage,
or may be operating under new legislation. Similarly, the entity may have entered into
significant contracts since the audit was planned.
The auditor should also be alert for matters arising during the fieldwork phase that indicate
changes may be required to the general planning parameters. For example, the audit approach
may call for high reliance on the internal control structure. However, if the auditor’s tests of
internal control reveal a larger than expected number of internal control deviations, then the
sources of assurance, and the nature, extent and timing of the auditor’s substantive tests, may
need reconsideration.
To detect matters such as these, the auditor should not be blind to evidence beyond the audit
programme. The auditor needs to be on the lookout for these unanticipated matters, and to
consider their implications for the audit.
If audit work is performed at an interim date, this can alert the auditor to unanticipated matters
at an earlier date. The auditor could then make the required changes to the audit planning
memorandum, audit programmes, etc.
Should an unanticipated matter be relatively minor, requiring the addition of only one or two
audit procedures to an existing audit programme, the auditor should be able to make the
change without going through a formal approval process. However, if the matter is more
significant, such as one that calls for developing new audit programmes or re-considering the

sources of audit assurance, the auditor should discuss the situation with the audit supervisor.
The auditor should then prepare an addendum to the audit planning memorandum. This
addendum should follow the same review and approval process as is used for the audit
planning memorandum itself.
In addition, if the matter requires the auditor to pursue an area of investigation substantially
outside of the initial audit scope, it would be appropriate to brief entity officials on the change
of scope. This could be done through an addendum to the entity communication letter.
9.5.2 The substance of the transaction
Auditors should be satisfied with the nature, adequacy and relevance of audit evidence before
placing reliance upon it. One aspect of this is to consider the substance of a particular
transaction that is being supported by the documentary evidence.
There may be a significant difference between the form of the transaction and its substance.
For example, a bribe may be disguised as a commission, or a purchase may be disguised as a
long-term lease. The auditor needs to ensure that the documentary evidence is clear enough to
determine the real substance of the transaction.
If the auditor suspects that the substance of a transaction is different from its form, the auditor
should consider what the real substance is. The auditor should discuss his/her findings and
conclusions with entity officials. Should the auditor still believe that the substance of the
transaction is different from its form, the auditor should record the most likely error that arises
from the difference on the Summary of Unadjusted Differences.
9.5.3 Inadequately supported transactions
Inadequately supported transactions often reflect missing documents. They may also indicate
the entity’s accounting or control system does not call for the documentation that the auditor
would consider appropriate.
When a document is missing, the auditor should make a reasonable effort to locate it. If the
auditor does not make the appropriate efforts, entity officials could criticise the auditor,
particularly if the officials found the document at a later date.
If the document cannot be found, the auditor should consider if other evidence exists to
support the transaction. For example, assume the entity has paid for a particular piece of
equipment. Assume also that the auditor can find the supplier invoice and purchase order, but
not the receiving report or other documentation indicating that the item was received. In this
case, the auditor may be able to physically examine the piece of equipment, and query its
operator as to when it was received. These procedures may provide the auditor with sufficient
assurance as to the validity of the purchase transaction.
Sometimes the auditor will not be able to find relevant, reliable, sufficient and convincing
audit evidence to compensate for the missing documentation. Using the above example, the
auditor may not be able to identify the particular piece of equipment that has been delivered,
or to obtain independent evidence as to its delivery date. In such cases, the transaction should
be considered to be in error, and the most likely error should be recorded on the Summary of
Unadjusted Differences.

In addition, the auditor should document the efforts to locate the missing receiving report, and
to otherwise support the validity of the transaction. This documentation should include
discussions with entity officials, and the steps that the officials were to have taken. This will
reduce the risk of the auditor being criticised should the missing document be found at a later
date.
9.5.4 Conflicting audit evidence
Conflicting audit evidence occurs when the auditor receives evidence regarding a particular
balance, transaction or event that is not consistent with other evidence. Examples of
conflicting audit evidence are when:
• The auditor’s analytical procedures indicate that material error exists in a particular
component, while substantive tests of details indicate that there are no errors in the
component.
• One entity official provides the auditor with information or an explanation that is
inconsistent with the information provided by another entity official.
• The auditor identifies what appears to be a material error and asks entity officials to
investigate. The officials respond with an analysis or explanation indicating that no error
exists.
The first step the auditor should take is to re-evaluate the evidence received. The auditor
should maintain an open mind, and guard against assuming that the initial findings are the only
interpretation of the situation. Evidence should be evaluated objectively, and alternative
interpretations of the evidence should be considered.
It is not appropriate for the auditor to disregard some of the evidence received. For example, in
the first illustration it would not be appropriate for the auditor to ignore the results of
analytical procedures. The auditor should seek further evidence to determine whether the
results of the analytical procedures or the results of the substantive tests of details are correct.
Input from entity officials is often helpful. For example, entity officials may be able to provide
the auditor with additional information that helps to explain the fluctuation identified by
analytical procedures.
Where the auditor receives conflicting information from officials, the auditor should determine
whether:
• there are legitimate reasons why the two officials would have provided different
information or explanations; and
• the information or explanations received from each individual are reliable.
It may be appropriate for the auditor to seek corroborating information or explanation from a
third or even a fourth individual to determine which of the two original providers of the
information or explanation appears to be incorrect.
Where subsequent analysis by the entity management does not support the auditor’s estimate
of error, the auditor should audit the entity’s analysis and supporting documentation to
determine if the further analysis:
• deals directly with the matter at hand;
• was sufficient and appropriate, and done correctly; and

• explains why the auditor’s original estimation of the error was not correct.
Until the conflicting audit evidence is satisfactorily resolved, the auditor should not take any
assurance from any of the affected audit procedures.
9.6 Cause and Effect Analysis

Wherever possible, the auditor should determine the underlying cause(s) of an observed
weaknesses or error. Normally, there is at least one major underlying cause for the weakness
or error, such as:
• Inexperienced individual carrying out the transaction;
• Insufficient training of that individual;
• Lack of proper systems and procedures;
• Insufficient management involvement / scrutiny; or
• Unclear accountability.
It is usually a matter of judgment as to which factor, or combination of factors, is generally

regarded as the underlying cause(s).
These underlying causes need to be addressed by entity management to obtain long-term

improvement of the operations. The auditors’ recommendations for improvement should
address these items.
The auditor needs to identify the actual, or potential, effect of the observation. Wherever
possible, the auditor should seek examples of the effects resulting from a weakness observed.
However, such evidence may not be readily available. If this is the case, the auditor should be
able to demonstrate the risk associated with the continuation of the current situation. The risk
should be plausible and convincing to management. If not, the auditor will likely find it
difficult to get management support for recommended changes to reduce or eliminate the
weaknesses observed.
Cause and effect analysis can be difficult. Sometimes clear relationships between observations
and the underlying causes cannot be proved. This is where the auditor’s knowledge,
experience and communication skills are important. Management needs to have confidence in
the auditor to accept the recommendations for change.
If the underlying causes of weaknesses are not addressed, the auditor can expect to note the
same problems each time the area is audited. Except to the extent required as part of a follow
up audit, there is no point in repeating audits and coming up with the same observations.
Either the weaknesses are too small to matter, in which case the auditor should not be
concerned with the issues, or there is need to correct the problems.
Cause and effect analysis ensures that we direct our effort towards the areas that matter and
produce meaningful and significant audit observations. This analysis also ensures that we
understand the underlying causes, so that we can develop recommendations that address the
most important areas. These need to be addressed in the audit report - see Chapter 12.
Cause and effect analysis requires the auditor to:

• identify the fundamental cause(s) of the deficiency. This is important in developing a basis
for recommending remedial actions. Often there is more than one cause and the auditor’s
challenge is to determine which ones are the most relevant.
• assess and quantify the effect, or the potential effect, of the deficiency. Quantifying the
effect of a problem is an important step in determining the significance of the deficiency.
In many cases, the effects can only be described in terms of risks as opposed to actual
losses, or other negative effects, that have occurred.
9.7 Developing Conclusions and Recommendations

In theory, the auditor compares an actual finding with an expected finding (the accounting
standard or audit criterion) and identifies any deviations.
Reality is generally more complex. In collecting evidence, the auditor frequently discovers
unanticipated findings. The structure of the audit may not have fully anticipated the
complexity of the activities and transactions. When the auditor discovers an unanticipated
weakness in a particular transaction, he/she should determine whether this is a single
occurrence or part of a pattern.
Conversely, one or more of the standards or criteria may not be applicable to the operations
being examined. If this part of the audit is addressing a control or activity that is not
significant, there is no need for any assurance in this area. Audit effort should be directed to
more significant issues.
Conclusions should focus on significant issues. These are generally concerned with:
• Inefficient or ineffective operations, or examples of not achieving intended results; and,
• Failures to measure and report on the efficiency of operations and the effectiveness of the
programmes.
Performance audits are also concerned with:

• Failures to acquire resources economically and to safeguard assets;
• Lack of accountability;
• Inadequate controls and excessive risks to the entity; and
• Inefficiencies, errors, waste, and misuse.
Issues relating to these concerns should have been identified during the planning stage of the
audit.
The auditor should avoid any implication of deceit in dealing with the management of the
entity. If the audit objective(s) state one thing and the auditor focuses on issues that are
unrelated, entity management has reason to be concerned. As far as possible, the auditor
should have identified during the planning stage what needs to be examined. A well-planned
audit should not require the auditor to stray far beyond the plan. On the other hand, the auditor
should be careful not to conduct the audit in a mechanical manner, ignoring anything that does
not fit within the precise structure of the audit programme.

9.7.1 Significant Findings and Conclusions
The auditor should ensure that the audit report provides a few key messages rather than a long
list of relatively small matters. Good managers are used to focusing on key areas and may not
have the time or inclination to get into details that do not appear significant. In developing
conclusions, the auditor must be able to identify the key matters for management attention.
Details of the findings should be used only to support these key conclusions. These details
may need to be communicated to lower levels of management to help them address the errors.
The auditor may discover many findings that at first glance do not seem to be related or
significant. With experience, the auditor will recognise patterns of findings that are indicative
of a serious or general weakness. Thus the auditor is able to take clusters of small findings to
form significant observations.
In developing findings, the auditor needs to:

• Determine the frequency of the identified weakness. This is important in assessing
whether the deficiency is an isolated instance or represents a systemic or general
weakness;
• Assess the significance of the weakness, in terms of frequency and impact;
• Develop one or more examples, for inclusion in the report, to clearly illustrate the nature
of the deficiency;
• Clearly communicate the actual or potential impact of the identified deficiencies; and
• Determine whether management is aware of the deficiency and if corrective action is
underway. A deficiency that is being corrected is less significant for reporting purposes
than a previously unknown and unresolved deficiency.
These steps are necessary to determine reporting strategy and to ensure fairness and balance of
the report.
Development of Recommendations. As the auditors clear findings with the different levels of
management within the entity, they should explore potential recommendations.
Recommendations that are supported by management are much more likely to get
implemented than those that are simply the opinions of the auditor.
Recommendations should address the underlying causes of errors or deficiencies. The auditor
must focus on the underlying weaknesses in controls, or other causes of the errors, to increase
the likelihood that management will take steps to prevent further errors from occurring.
When developing recommendations, the auditor should consider:

• The most significant causes of the weaknesses observed (through cause and effect
analysis) and what needs to be done to strengthen the management framework to correct
the underlying cause(s);
• The feasibility and cost of adopting a recommendation (i.e., the benefits of a
recommendation should outweigh the cost of implementing it);
• Alternative courses for remedial action; and
• Effects, both positive and negative, that may arise if the recommendations are adopted.

9.8 Keeping entity officials informed
To successfully complete the fieldwork, the auditor should:
• Have effective communication skills, both oral and written; and
• Establish and maintain good working relationships with entity officials.
Good working relationships are highly dependent on good communications. Entity officials
must have complete confidence in the integrity, independence and capability of the auditors.
Auditors must be, and be seen to be, honest, fair, discreet and tactful.
Entity management and staff should be kept informed of the progress of the audit. Conflicts
between an audit team and entity officials can be avoided by timely intervention.
Except in the case of a fraud, or suspected fraud, the auditor should strive to conduct a “no -
surprises audit”. This means honest communications and keeping entity officials aware of the
progress of the audit and the findings to date. The auditor should ensure that the findings about
an area of audit are not reported to a more senior manager before the manager at the lower
level has been informed of the findings and given an opportunity to rebut, correct or explain.
It is good practice, at the end of the fieldwork at a particular location, to arrange a meeting to
discuss the findings with the senior manager of the area being audited. This meeting is an
opportunity to confirm the audit findings and explore possible recommendations with the
manager. Minutes of the meeting can form useful audit evidence.
The auditors should also seek, where appropriate, to have regular communications with the
internal audit unit within the entity. As discussed in earlier sections, coordination of the
external and internal audit work can ensure adequate audit coverage, while at the same time
minimising duplicate efforts.
9.9 Documenting the work performed

Paragraph 3.5.5 of DAGP’s Auditing Standards requires: “Auditors should adequately
document the audit evidence in working papers, including the basis and extent o f the planning,
work performed and the findings o f the audit.”
The content and arrangement of the working papers reflect the auditor's proficiency,
experience and knowledge.
Adequate documentation is important for several reasons. It will:

• serve as evidence of the auditor's compliance with DAGP’s Auditing Standards;
• help to ensure that delegated work has been satisfactorily performed;
• increase the efficiency and effectiveness of the audit;
• help the auditor's professional development;
• serve as a source of information for preparing reports;
• provide information to answer enquiries from entity officials, the Legislature and its
committees, or from any other party;
• assist in the planning of the audit for the following year; and

• help auditors in the following year to perform their work.
9.9.1 Documentation standards
The auditor should diligently document all the work that has been performed. The working
papers should provide a record of the nature, extent and timing of the audit procedures
performed, and the results of those procedures.
Working papers should be sufficiently complete and detailed to enable an experienced auditor
having no previous connection with the audit to subsequently ascertain what work was
performed to support the conclusions.
To achieve this objective, the fieldwork, evaluation and reporting files should include:
• evidence that all of the planned audit work was performed;
• an indication as to who performed the audit procedures and when they were performed;
• evidence that the work performed by lower level staff was supervised and reviewed;
• copies of communication with experts and other third parties;
• copies of letters or notes concerning audit matters communicated to or discussed with the
entity; and
• copies of the auditor’s reports.
To illustrate, assume that:

• the auditor selected a sample of 20 supplier invoices and performed numerous procedures
on them;
• one of the procedures was to trace the supplier invoices to receiving reports or to other
evidence that the goods were received or the services were performed;
• in one case there was no receiving report; and
• the auditor was unable to find other evidence to support the validity of the expenditure.
In this illustration, as a minimum the audit working papers would need to include:
• a description of the sampling procedure used - the population from which the sample was
selected, the parameters used to determine the sample size, etc.;
• sufficient information with respect to the 20 supplier invoices for the auditor to be able to
find the 20 invoices again if he/she had to;
• sufficient additional information with respect to the one supplier invoice whose validity
could not be adequately verified to support the amount being recorded on the Summary of
Unadjusted Differences;
• description of the efforts made by the auditor to locate the missing receiving report, and to
otherwise support the validity of the transaction; and
• an indication, through a signed audit programme and/or a completed sample control
schedule, that all of the work called for in the audit programme has been completed.
The Standard Audit Working Paper Kit includes a sample control schedule that the auditor can
use.

The minimum documentation called for above does not call for photocopies of the 20 supplier
invoices and the supporting documentation. However, the auditor may be asked to include this
additional information in the working papers if:
• the auditor is very inexperienced, and his/her supervisor believes that it is necessary to
duplicate the auditor’s work to check the auditor’s conclusions with respect to the other 19
sample items; or
• on-the-job supervision has been very limited, and the supervisor believes that it is
necessary to duplicate the auditor’s work to make up for this lack of supervision.
9.9.2 Standards for working paper files
Every working paper should clearly show:

• the name of the audit entity and audit area;
• the period covered by the audit;
• the date the work was performed;
• initials of the preparer;
• the source from which information or explanations were obtained;
• cross-references to schedules, notes and other documents that support the working papers;
• cross-references of all amounts and other information in the audit report to the working
papers supporting the amounts and information;
• evidence that the audit procedures were performed;
• an explanation of any pencilled in notations that appear on the working paper; and
• the date and initials of the reviewer.
Working papers should be organised in a logical fashion. To assist in this process, the
Standard Audit Working Paper Kit contains a file index that can be used on most financial
audits.
Working papers should be neat and easily readable. The auditor should:
• write or print legibly or type up the notes;
• avoid crowding on a page;
• write on one side of the working paper;
• use correct grammar, spelling and punctuation;
• spell the names of individuals or organisations correctly;
• when appropriate, identify the titles of persons referred to; and
• remove all non-evidential matter from the working papers on the completion of the
assignment (rough notes in the margins, etc.).

9.10 Custody and maintenance of working paper files
Working paper files are confidential and are the property of DAGP. They are not for general
disclosure. However, they should be shared with other auditors as appropriate and be available
for any independent review.
Access to the working paper files should be controlled and secure. Material should not be
removed from the files without the specific authority of the responsible Director General.
Audit files should be kept for the length of time specified by DAGP’s file retention policy.
9.11 Quality assurance during fieldwork

Paragraph 3.2.1 of DAGP’s Auditing Standards requires, “The work o f the audit staff at each
level and audit phase should be properly supervised during the audit, and documented work
should be reviewed by a senior member o f the audit staff.”
This section discusses the role of supervision and review. It also discusses the need for
effective time reporting.
9.11.1 Supervision
As noted in paragraph 3.2.2 of DAGP’s Auditing Standards, “Supervision is essential to

ensure the fulfilment o f audit objectives and the maintenance o f the quality o f the audit work.
Proper supervision and control is therefore necessary in all cases, regardless o f the
competence o f individual auditors.”
The Directors and Directors General must ensure that the audit is carried out efficiently,
effectively, and with a high standard of professional competence. This requires auditors to be
properly supervised during each audit assignment.
The extent of the required supervision will vary from situation to situation. In general:
• Junior staff should be supervised more closely than senior staff;
• Auditors who are not familiar with the entity or the audit procedures being performed
should be supervised more closely than auditors who are familiar with the entity and the
specific audit procedures; and
• Auditors performing procedures that require a great deal of experience and professional
judgment should be supervised more closely than auditors performing simple, routine
audit procedures.
Supervision involves ensuring that:

• The members of the audit team fully understand all of the planning decisions before
commencing the fieldwork;
• The fieldwork is performed in accordance with DAGP’s Auditing Standards;
• The audit programmes are completed as planned, unless changes are required;
• If changes are required to the audit plan, the additional areas that require examination, or
the areas that require additional examination, are properly planned and the work is
properly performed;

• Only essential work is performed;
• Sufficient evidence will have been obtained when the work is completed;
• Audit findings and conclusions are being adequately supported by evidence in the working
papers;
• The audit is performed within the time budget and by the deadline dates set; and
• The work is being done in a strong team environment, which promotes the success of the
audit and the development of audit skills within the team.
It is difficult to supervise staff from a distance. Supervision is most effective when the
supervisor is on the job with the audit team.
While each audit situation is different, it would normally be appropriate for the supervisors of
the lowest level staff to be on the job on a full-time basis. Supervisors of more senior staff
could be on the job less frequently.
9.11.2 Review of working paper files
At the completion of each section of the audit work, the supervisor should review the work
performed.
This should include a thorough review of the working paper files to provide further assurance
that the matters noted above are adequately dealt with. In addition, the review o f the working
paper files helps to ensure that:
• all evaluations and conclusions are soundly based and are supported by competent,
reliable, relevant and reasonable audit evidence;
• all errors, deficiencies and unusual matters have been properly identified, documented and
evaluated; and
• changes and improvements necessary to the conduct of future audits are identified,
recorded and taken into account in later audit plans and in staff development activities.
While the working paper files need to be reviewed at the completion of the audit work, there is
no need for the reviewer to wait until then before commencing a review. A preliminary review
at an interim date could detect problems with the work at an earlier date, allowing for speedier
correction and saving valuable audit hours.
To improve the learning experience, the reviewer should provide the auditor with feedback on
his/her performance shortly after the file review, as opposed to waiting until after the reporting
phase.
9.11.3 Time reporting and monitoring
The purpose of supervision and review is not only to ensure that the work is being done to the
required standards. It is also to ensure that the work is being performed efficiently, within
budget, and will be completed by the required deadline date.
To assist in this process, auditors should be required to complete a daily time schedule,
indicating the number of hours that they spend each day on each component of the work. The

Standard Audit Working Paper Kit includes a daily time schedule that is applicable to most
audits.
At regular intervals, the supervisor should review the daily time schedule and request the
auditors to provide an estimate of the number of hours required to complete the work. This
process will help to ensure that the audit is on schedule and in budget.
If the audit is not on track, remedial action is necessary. Existing staff may need to be
assigned to the audit for longer periods of time than originally planned, or additional staff may
need to be assigned to the audit to complete it on schedule. In either case, the planning for
other audits in the directorate may be affected. As a result, it is good practice for the directors
on all audits to report their progress to the Director General on a regular basis.
Audit management software can be used for this purpose.
All variances from the audit budget should be explained. This process will not only help the
supervisor to evaluate the auditor’s work during the current year, but could also help the
auditor to:
• Set the budget for the following year; and
• Refine the optimum combination of tests of internal control, analytical procedures and
substantive tests of details.
To illustrate, assume that the auditor has used more resources than planned on tests of internal
control of purchases and payments, and that the cause of this is a change to the internal control
structure that will permanently increase the time required to perform the tests of internal
control. In this case, the auditor could decide, when planning the audit for the following year,
to increase the budget for the tests of internal control, or to reduce the reliance on the internal
control structure and increase work on substantive tests.

10. EVALUATING AUDIT RESULTS
10.1 Evaluating Financial Audit Results
By the end of the fieldwork stage the auditors will have completed their audit programmes and
documented the results of their work. Part of this work will have involved the identification of
monetary errors, compliance with authority violations, internal control deviations, etc. These
errors and deviations need to be dealt with during the evaluation phase.
Error evaluation is done in stages. First the auditor reaches a conclusion on the results of each
test. Next, the auditor reaches a conclusion on each component. Finally, the auditor reaches a
conclusion on the financial statements as a whole.
As described earlier in this Manual, the optimum mix of tests of internal control, analytical
procedures and substantive tests of details for one specific financial audit or compliance
objective for one component may be totally different than for a different objective or
component. Appendix B provides a non-technical discussion on the theory behind the overall
error evaluation process - how the auditor can combine different sources of assurance to reach
an overall conclusion on the financial statements.
10.1.1 Use of CAATS
Evaluation of fieldwork results hinges on the application of a number of error-based

calculations, as described in the following section.
Computer-assisted auditing techniques (CAATs) are useful in determining the most likely
error and the upper error limit for individual substantive tests of details, or the most likely
deviation rate and the maximum possible deviation rate for individual tests of internal control.
This is because the easiest way to perform and document these calculations is to use the error
evaluation function of a CAATs product.
Advantages of CAATs over manual evaluation of errors are:

• Calculations are much quicker using computer power;
• Manual calculations are complex and prone to error - computers produce much more
accurate and reliable results;
Auditors are therefore strongly encouraged to use CAATs. DAGP is establishing a capability
to provide access to auditors across the department.
There may be circumstances in which manual calculations are judged to be appropriate. For
this reason, the Standard Audit Working Paper Kit contains standard forms that can be used.
10.2 Known errors, most likely errors, further possible errors

and maximum possible errors
Error evaluations are performed by projecting the findings from a representative sample to the
population as a whole. The rest of this Chapter illustrates the process based on sampling from
a population of supplier invoices.

Some key terms used in this chapter are Known Error (KE), Most Likely Error (MLE), Further
Possible Error (FPE), Maximum Possible Error (MPE) and Upper Error Limit (UEL). They
are illustrated in the figure below for reference when reviewing later sections of this Chapter.
Figure 10.1: Known Error, Most Likely Error, Further Possible Error and Upper Error Limit -
Overstatement Errors
Precision Gap Upper

3,500,000 error
Widening limit
(3,584,850)
3.000. 000
Basic Precision
Further
(1,644,040)
possible
2,500,000 error
(2,044,700)
2 .0 0 0 . 0 0 0
.4 ---- Most
1,500,000 likely
Most Likely error
Error (1,540,150) (1,540,150)
,
1 0 0 0 ,0 0 0
500,000 Known
4 — ' error
0
(4,000)
10.2.1 Known error
The known error is the sum of the errors that the auditor actually finds during the audit.
If for example, the auditor tests a sample of 181 supplier invoices out of a population of
30,000 and finds 5 overstatement errors totalling Rs. 4,000, then the known error is Rs. 4,000.
10.2.2 Most likely error (MLE)
The most likely error (MLE) represents the auditor’s best estimate of the error in the
population.
In the example, the auditor has only selected a sample of 181 supplier invoices out of a
population of 30,000. There are likely to be more overstatement errors than just the Rs. 4,000
found in the sample. The auditor needs to estimate the most likely error in the population
based on the results of the sample.

Using the approach illustrated in Appendix B, the auditor determines the MLE in the
population to be Rs. 1,540,150.
10.2.3 Upper error limit (UEL)
The auditor has only taken a sample of 181 supplier invoices out of 30,000 supplier invoices.
Therefore, it is very likely that the actual error in the population will not be exactly Rs.
1.540.150. The actual error could be larger or smaller than Rs. 1,540,150.
The upper error limit (UEL) represents the maximum possible error that could exist in the
population at a given confidence level.
The reason for the phrase “at a given confidence level” is because the upper error limit will be
different depending on the confidence level the auditor wishes to achieve. With a MLE of Rs.
1.540.150, the auditor would be very confident that the actual error in the population is less
than Rs. 10,000,000, but would have less confidence that the actual error in the population is
less than Rs. 2,000,000.
As discussed in detail in Appendix B, the auditor normally does two error evaluations - one
for overstatement errors and one for understatement errors. The auditor then combines the
results of the two evaluations.
Using the techniques illustrated in Appendix B, the auditor is able to conclude that:
(1) The population is not overstated by more than Rs. 3,584,850; and
(2) the population is not understated by more than Rs. 103,890.
10.2.4 Further possible error
The further possible error is the difference between the UEL and the MLE. It has two
components - basic precision and precision gap widening.
In our example, the further possible error for overstatements is Rs. 2,044,700, being the
difference between the UEL of Rs. 3,584,850 and the MLE of Rs. 1,540,150.
10.2.5 Basic precision
Basic precision is the possible error that could exist in the population even if no errors are
found in the sample. It therefore represents the upper error limit when the most likely error is
nil.
Assume the audit fieldwork uncovers no understatement errors. Therefore, the most likely
understatement error is Rs. nil. However, it is difficult to believe that there isn’t a single
understatement error in any of the 30,000 supplier invoices.
In fact, with a desired 95% confidence level, the auditor determines basic precision to be Rs.
1,644,040. The auditor can therefore conclude with 95% confidence that the understatement
errors in the population sum to a maximum of Rs. 1,644,040.
When the basic precision value, Rs. 1,644,040, is netted against the MLE for overstatements
of Rs. 1,540,150, the auditor gets the UEL for understatements of Rs. 103,890.

Note that basic precision is the same amount for both overstatement errors and for
understatement errors. The same Rs. 1,644,040 is also used for the evaluation of overstatement
errors.
10.2.6 Precision gap widening
Basic precision does not represent the total amount of the further possible error. The reason is
that, for each additional Rs. 1 in the MLE, the UEL increases by more than Rs. 1. Precision
gap widening is the additional further possible error that results from finding errors in the
population.
In the above illustration, the precision gap widening for overstatement errors is Rs. 400,660.
(There is no precision gap widening for understatement errors as no understatement errors
were found in the sample.)
The sum of the Rs. 400,660 precision gap widening amount and the Rs. 1,644,040 basic
precision amount is Rs. 2,044,700 - the further possible overstatement error.
10.2.7 Compliance with authority violations and internal control deviations
The above illustration has been based on a monetary error. The same terminology and process
are used for compliance with authority violations and internal control deviations.
For example, assume the auditor tests 184 supplier invoices out of a population of 30,000 and
finds 5 invoices that have not been approved. The auditor could then calculate the most likely
amount of the unapproved expenditures, and the maximum possible amount of the unapproved
expenditures. The only difference in the process is that, since we are dealing with approvals,
all errors will be 100% errors i.e. the full amount of the invoice. An invoice cannot be 50%
approved.
10.3 Determining the cause of errors, violations and deviations

In the illustration discussed above, the auditor is projecting the results of the sample onto the
entire population. The auditor is assuming that the sample is representative of the population,
and that the monetary errors, compliance with authority violations and internal control
deviations found are therefore representative of the errors and deviations that exist in the
population as a whole.
This is normally the appropriate assumption to make. The auditor selects the sample from the
population in a way that is designed to produce a representative sample. Therefore, the auditor
can conclude that the sample results are representative of the population. If the auditor
concluded that the results were not representative of the population, the auditor would be
effectively concluding that the sample itself was not representative of the population. The
auditor would then need to select another sample and repeat all the audit procedures.
As a result, it is normally not acceptable to conclude that a monetary error, a compliance with
authority violation or an internal control deviation found in a sample is an “isolated incident”
and therefore does not need to be projected over the population.
However, there may be rare cases where a particular monetary error, compliance with
authority violation or internal control deviation is clearly not representative of the entire
population. These would include cases where the cause of the error, violation or deviation was

so unique that it is safe to assume that there could not be too many other similar items in the
entire population.
One case where this can happen is where the auditor selects one sample of transactions from a
population made up of numerous ministries and finds an error that clearly could only relate to
one ministry. In this case, the auditor could divide the ministries into two populations - those
to which the error could potentially relate and those to which the error could not possibly
relate. The auditor would then divide the sample on the same basis and perform two separate
error evaluations.
Therefore, the auditor needs to consider the cause of each monetary error, compliance with
authority violation and internal control deviation found in his/her sample to determine if there
is any reason why the sample results should not be projected over the entire population.
There are several other reasons for the auditor to determine the cause of each monetary error,
compliance with authority violation and internal control deviation uncovered:
(a) In the case of a test of internal control, the auditor may need to reduce reliance on a
specific control and replace that reliance with additional assurance from substantive
tests of details. Unless the auditor can determine the cause of the internal control
deviation, the auditor may not be able to determine the substantive tests to perform.
The auditor could wind up performing substantive tests that do not deal directly with
the same error conditions, and do not provide the required amount of compensating
assurance.
(b) Also in the case of a test of internal control, the auditor needs to determine the cause
of the deviation to develop an appropriate recommendation to help prevent the
deviation from occurring in the future.
(c) In the case of a substantive test, as illustrated below, errors that affect a closing
balance carried forward in one year may affect the opening balance brought forward in
the following year. The auditor needs to determine the cause of the error to determine
which errors could affect opening balances for the following year.
(d) Further to (c), the same type of monetary error, compliance with authority violation or
internal control deviation may recur in the following year. Investigating the cause of
the error, violation or deviation found in the first year might help the auditor to arrive
at a more accurate estimate of the most likely amount in the following year. It should
also help the auditor to better plan the following year’s audit.
(e) Also in the case of a substantive test, the auditor needs to determine the cause of the
monetary error or the compliance with authority violation to identify the particular
internal control(s) that may need to be re-evaluated. And, as above, the auditor needs
to determine the cause of the error to develop an appropriate recommendation to help
prevent the error from occurring in the future.
10.4 Concluding on the results of each test

This process is somewhat different depending on whether the auditor is performing a test of
internal control, an analytical procedure or a substantive test of details. Each is discussed in
turn below. This section starts, though, with a discussion on determining known monetary
errors, compliance with authority violations and internal control deviations.

10.4.1 Determining known monetary errors, compliance with authority
violations and internal control deviations
Determining known monetary errors, compliance with authority violations and internal control
deviations is normally quite straightforward. At the planning stage, the auditor updates the
financial audit objectives and related compliance with authority objectives and error
conditions. He or she then designs audit procedures to obtain the required amount of assurance
for each error condition.
Sometimes, though, the determination of a monetary error, a compliance with authority

violation or an internal control deviation is not all that straightforward. For example, the
auditor may be confronted with:
(a) Some doubt as to the substance of the transaction.
(b) Some doubt as to whether a particular transaction is adequately supported.
(c) Conflicting audit evidence affecting the transaction being audited or the test being
performed. For example, one entity official may provide the auditor with information
that is inconsistent with information provided by another entity official.
(d) Some doubt as to whether the entity’s explanation for a significant fluctuation
identified in an analytical procedure adequately explains the fluctuation.
(e) Vaguely worded legislation or other authorities that make it difficult to determine
precisely what is required.
(f) Errors that are subsequently detected by entity officials.
As an example of (f), consider an overpayment to a supplier. Entity officials may have

identified the error and requested a reimbursement from the supplier. In this case, there may or
may not be a monetary error in the accounts, depending on the whether:
• The overpayment had been reimbursed by year-end; or
• The accounting policies being followed would not consider this to be a
monetary error even if the overpayment had not been reimbursed.
Similarly, while the internal controls over the original payment may have failed to prevent the
overpayment from occurring, the entity may have had other controls that ultimately detected
the overpayment. If that was the case, the auditor may conclude that there is no weakness in
the overall internal control structure. On the other hand, if the overpayment has been brought
to light by the supplier notifying the entity of the overpayment, then the auditor would
conclude that there is a weakness in the internal control structure.
Such matters should be resolved by discussing all potential errors and deviations with entity
officials. In fact, given the impact that a monetary error in one small transaction can have on
the most likely error and the upper error limit, it is prudent to discuss all errors and deviations
with entity officials no matter how clear cut they are from the auditor’s perspective.
10.4.2 Concluding on the results of each test of internal control
The auditor should reach a conclusion on a test of an internal control sample by determining
the number of internal control deviations (violations of specific internal controls) in the
sample, and the maximum possible deviation rate, and then comparing the maximum possible
deviation rate to the tolerable deviation rate.

Should the maximum possible deviation rate be less than or equal to the tolerable deviation
rate, the auditor can place the desired level of reliance on the control.
Should the maximum possible deviation rate exceed the tolerable deviation rate, the auditor
reduces reliance on the internal control, and obtains additional assurance through other
procedures. The auditor may also have other options, as discussed below.
Suppose the auditor selects a sample of 42 supplier invoices and finds 2 internal control
deviations - 2 supplier invoices that are not properly approved. The auditor can use a CAATs
to arrive at a maximum possible deviation rate of 12.18%. Since the tolerable deviation rate
was 9%, this is an unacceptable result. The process for doing this is described in Appendix B.
10.4.3 Analytical procedures
The auditor should investigate significant fluctuations identified by analytical procedures and
evaluates the results. Appendix E provides details of the process.
If the investigation is completed successfully, the auditor will have obtained the desired
amount of assurance from the analytical procedure.
If the investigation is not completed successfully, the auditor will normally not have obtained
the desired amount of assurance from the analytical procedure, and will need to obtain
additional assurance through other procedures. The auditor may have other options as
discussed below.
10.4.4 Substantive tests of details
As described above, the auditor should determine the known error, the most likely error and
the upper error limit, and then compares the upper error limit to the materiality amount to
determine if there is the required amount of assurance.
Should the upper error limit be less than or equal to the materiality amount, the auditor can
obtain the desired amount of assurance from the procedure.
Should the upper error limit exceed the materiality amount, the auditor’s results are not
acceptable. In this case, the auditor has several options, all of which are discussed below.
It should also be noted that, as discussed in Appendix B, the auditor can follow the same
procedures to determine a most likely error and an upper error limit whether using statistical
or non-statistical sampling. GAAS in many countries requires the auditor to determine an
upper error limit regardless of the sources of audit assurance.
10.5 Concluding on the results of each component

Having concluded on the results of each individual test of internal control, analytical
procedure and substantive test of details, the auditor must combine these results to reach a
conclusion on the component being audited.
If the auditor is faced with numerous monetary errors, compliance with authority violations
and/or internal control deviations, the auditor may first wish to reach a conclusion on each

specific financial audit objective and compliance with authority objective within each
component, as opposed to reaching a conclusion on the whole component.
Note that the same terminology and process is used for compliance with authority violations,
internal control deviations and monetary errors.
10.5.1 Determining the most likely error and upper error limit
The auditor should consider the results of all tests of internal control, analytical procedures
and substantive tests of details and use professional judgment to estimate the most likely error
and the maximum possible error in the component.
If the results of all of the auditor’s procedures are consistent with each other, this may not be
difficult. For example, assume the auditor has:
(a) concluded that the applicable internal controls are functioning well enough to
prevent and detect material error;
(b) not found any significant fluctuations through analytical procedures; and
(c) has an upper error limit from substantive tests of details that is less than the materiality
amount.
In this case, the auditor may conclude that the most likely error and the upper error limit
determined from his substantive tests of details are the best estimates of the most likely error
and the upper error limit in the component as a whole.
Sometimes, though, the auditor is faced with conflicting audit evidence. Suppose the auditor’s
analytical procedures indicate that material error exists in a particular component, while the
auditor’s substantive tests of details indicate that there are no errors in the component.
In this case, it is not appropriate for the auditor to ignore the results of his/her analytical
procedures and to conclude that the most likely error in the component is Rs. nil. The auditor
should seek further evidence to determine whether the results of the analytical procedures or
the results of the substantive tests of details are correct.
One way to resolve conflicting audit evidence is to seek input from entity officials. Entity
officials may be able to provide the auditor with additional information that helps to explain
the fluctuation identified by the analytical procedures.
As a second example, consider the reverse situation - the auditor’s analytical procedures
indicate that material error does not exist in a particular component, while the auditor’s
substantive tests of details indicate that material error does exist in the component.
Again, it is not appropriate for the auditor to ignore the results of analytical procedures. The
auditor may, in fact, have a substantive sample that is not representative of the population.
To resolve the conflicting audit evidence the auditor could ask entity officials to perform a
detailed investigation of the specific errors identified by the auditor, or of the entire
component to determine the actual error in the component.
The auditor should not take any assurance from the affected audit procedures until such time
as the conflicting audit evidence is satisfactorily resolved. To do so would be to ignore

evidence that indicates that the results of at least one of the procedures is not correct, or that
there are causes of the errors that are yet to be identified.
10.5.2 Reaching the conclusion
The comparison that the auditor performs at the end of this stage of the evaluation process is
essentially the same as the comparison that the auditor makes when evaluating the results of
an individual substantive test of details. If the upper error limit is less than or equal to the
materiality amount, the results are acceptable. If the upper error limit exceeds the materiality
amount, the results are unacceptable.
If the most likely error in the component is larger than the expected aggregate error that was
allowed for when planning the audit then, as a general rule, the upper error limit will exceed
the materiality amount.
The auditor can follow the same procedures to determine a most likely error and an upper
error limit when using statistical or non-statistical sampling.
10.5.3 Case study
The process followed by the auditor in evaluating the audit results of a financial attest audit
can be explained by the use of an example.
Consider a small independent power production plant (with separate financial statements)
within the overall operation of WAPDA.
Revenue is obtained from the sale of electricity. The expenditures on diesel fuel, equipment
and other production expenses are recorded separately from other expenditures such as
administration. The storage of diesel fuel is the main component of year-end inventory.
Auditors have identified overstatements of the production expenditure amount and the
accounts payable amount, but have found the year-end inventory amount to be correct.
Assume no other monetary errors are found in the cost of sales amount, and that there is no
conflicting audit evidence that needs to be resolved.
Following the approach described above, the auditor would conclude that the most likely error
and the upper error limit determined from the substantive test of details are the best estimates
of the most likely error and the upper error limit in the cost of sales.
The auditor would have the results shown below.
Figure 10.2: Error evaluation for Production Expenditure

Overstatements Understatements
Most likely error (MLE) 1,540,150 nil
Basic precision (BP) 1,644,040 1,644,040
Precision gap widening 400,660 nil

(PGW)

Total of MLE, BP and 3,584,850 1,644,040
PGW
(Less): “Opposing” MLE ( nil) (1,540,150)
Net UEL in 3,584,850 103,890

component
As materiality is Rs. 3,000,000, this is an unacceptable result for this component, which
must be taken into consideration when concluding on the financial statements as a
whole.
10.6 Concluding on the financial statements as a whole

Once the auditor has drawn conclusions from the results on each individual component, he or
she must now combine the results to reach a conclusion on the financial statements as a whole.
As with reaching a conclusion on each component, conflicting audit evidence may arise. For
example, the auditor may have concluded that the most likely errors in several expenditure
components were negligible but that the most likely error in another expenditure component
was close to materiality. If all of the expenditure components are subject to the same basic
internal control structure, the auditor should investigate why the most likely error in the one
component is so significantly different than the most likely errors in the other components.
10.6.1 Determining the most likely error and upper error limit
The basic rules are as follows:

(a) For most likely errors - Net all overstatements and understatements;
(b) For basic precisions - Use the largest basic precision for each of overstatements and
understatements; and
(c) For precision gap widenings - Add all precision gap widenings for each of
overstatements and understatements.
The above process results in a very conservative overall error evaluation. This is because the
largest basic precision for each of overstatements and understatements is being used, and
because the sum of the precision gap widenings will almost always be much higher than if the
entire financial statements were treated as one population and one overall sample had been
taken.
To illustrate, assume the auditor has obtained the results shown below.

Figure 10.3: Error Evaluation for Financial Statements - Results for
Revenue and Expenditure Components
MLE BP PGW UEL
Audit Area
Revenue
Overstatements 180,000 920,000 90,000 1,190,000
Understatements 20,000 920,000 10,000 950,000
Production
Expenditures
Overstatements 1,540,150 1,644,040 400,660 3,584,850
Understatements Nil 1,644,040 nil 1,644,040
Other expenditures
Overstatements Nil 1,280,000 nil 1,280,000
Understatements 700,000 1,280,000 220,000 2,200,000
When performing the evaluation on the financial statements as a whole, the auditor needs to
ensure that a common base is used when adding overstatements and understatements. The
common base normally used in a Government context is a percentage of total expenditures.
When using these bases, overstatements of revenues and understatements of expenditures
would be added together as they would both overstate net income and residual equity.
Following the basic rules in paragraph, we would obtain the results in Figure 10.5 for the
Statement of Revenue and Expenditure:
Figure 10.4: Error Evaluation for Financial Statements - Overall

Results for Statement of Revenue and Expenditure
Understatements in Overstatements in
Audit Area
Net Income Net Income
Most likely error (MLE):
Revenue 20,000 180,000
Production Purchases 1,540,150 nil
Other expenditures 700,000

Nil
Total MLE 1.560.150 880.000
Basic precision (BP) (largest) 1.644.040 1.644.040

Precision gap widening (PGW):
Revenue 10,000 90,000
Production purchases 400,660 nil
All other expenditures Nil 220,000
Total PGW 410,660 310,000
Total of MLE, BP and PGW 3,614,850 2,834,040
(Less): “Opposing” MLE ( 880.000) (1,560,150)
Net UEL in net income 2,734,850 1,273,890
As materiality is Rs. 3,000,000 we would appear to have acceptable results. However, this is
not the case. We still need to deal with the unacceptable results for production expenditures.
This is why the auditor needs to reach a conclusion on each component before doing an
evaluation of the financial statements of a whole. Potentially material errors in one component
may be “hidden” by offsetting errors in other components.
The same schedule as above would also be prepared for errors in the asset and liability
accounts to come up with an overall error evaluation for the balance sheet and for the financial
statements as a whole.
10.6.2 Evaluating the overall financial statement presentation and the

reasonableness of the overall results
At the end of the evaluation phase, the auditor needs to step away from the mathematical
calculations, the theory and the detail, and establish whether:
(a) The overall financial statement presentation - both the amounts and the disclosures -
properly present, in all material respects, the government’s financial position, the
results of its operations, its cash flows and its expenditures and receipts by
appropriation; and
(b) The sums expended have been applied, in all material respects, for the purposes
authorised by Parliament and have, in all material respects, been booked to the
relevant grants and appropriations.
Where the auditor believes that they do not, he/she would need to estimate what changes are
required to the recorded amounts and/or to the financial statement disclosures to deal with
his/her concerns.
10.6.3 Assessing the achieved level of assurance
At the end of evaluation phase, the auditor also needs to determine whether the audit supports
the desired level of overall audit assurance.

If, for example, control risk is assessed as “low” at the general planning phase but numerous
internal control deviations or monetary errors are found during the fieldwork phase, then the
assessment of control risk may need to be revised.
Similarly, the auditor may need to reconsider the assessment of inherent risk. If, for example,
inherent risk is assessed as “low” but numerous monetary errors are found during the
fieldwork phase, then the assessment of inherent risk may also need to be revised.
The Standard Audit Working Paper Kit contains an “Achieved Level of Assurance Form” that
can be used to assist the auditor in this process.
10.7 Dealing with unacceptable results

Where the evaluation of audit work provides unacceptable or ambiguous results, the auditor
must determine a course of action. Actions to be taken in different circumstances are
described below.
10.7.1 Most likely error less than materiality; upper error limit greater than
materiality
In this case, the auditor has four potential options:

1. Increase the materiality amount;
2. Increase the sample size;
3. Request entity officials to record a correcting entry; or
4. Request entity officials to perform a detailed investigation and then re-audit.
Each is discussed in turn.
Increase the materiality amount. In our case study, materiality was set at Rs. 3,000,000.
However, determination of materiality is not an exact science, but instead depends on the
auditor’s professional judgment. As such, setting materiality at Rs. 3,000,000 does not
necessarily mean that an upper limit of Rs. 2,999,000 (or somewhat less) is always acceptable,
or that an upper error limit of Rs. 3,001,000 (or somewhat more) is always unacceptable.
The margin of variance around the materiality amount is a matter of judgment. As a rule of
thumb increasing the materiality amount by 25% would normally be considered acceptable,
and increasing the amount by as much as 50% may be acceptable in some cases.
In our case study, our upper error limit for overstatement errors in cost of sales was Rs.
3,584,850 - only 19.5% more than the Rs. 3,000,000 materiality amount. In this case, the
auditor may decide that the Rs. 3,584,850 really is not material, and that the results are
acceptable.
Increase the sample size. Assuming that the original sample is representative of the
population, it is unlikely that increasing the sample size will change the auditor’s estimate of
the most likely error. However, increasing the sample size will normally decrease both basic
precision and precision gap widening.

Increasing the sample size can result in the auditor performing a lot more work and still having
unacceptable results. Therefore, the auditor should only use this option when:
(a) The most likely error is significantly less than the materiality amount; and
(b) The upper error limit is only slightly higher than the materiality amount.
In the example, the most likely error is more than 50% of the materiality amount. Therefore, it
is unlikely that this approach would work.
At the same time, the upper error limit is 33.7% higher than the materiality amount. Therefore
it is unlikely that increasing the sample size would work. This leads to a third option.
Request entity officials to record a correcting entry. The most likely error and the upper error
limit can be decreased by the amount of any corrections made by entity officials. Should the
adjustment be large enough, it may result in the upper error limit dropping below the
materiality amount. Care must be taken when choosing this option. If the correction is made
across the whole population and not just for the case within the sample (where the type of
error can be recognised and corrected everywhere) then this is acceptable. Otherwise, even
where the sample has been corrected there is no assurance that the same problem does not
persist elsewhere. As a minimum, the auditor should take another sample and repeat the test.
In our example, if entity officials were to make a correcting entry to decrease the production
costs by Rs. 1,540,150 - the amount of the most likely error - the upper error limit would be
reduced to Rs. 2,044,700. This is much less than the Rs. 3,000,000 materiality amount.
Entity officials will rarely make an adjustment based on a most likely error. They will usually
only be prepared to adjust for known errors. In our example, this would only reduce the upper
error limit from Rs. 3,584,850 to Rs 3,580,850 - a negligible change. In this event, the next
option is appropriate.
Request entity officials to perform a detailed investigation, and then re-audit. As noted above,
entity officials will usually only be prepared to adjust for known errors. Therefore the auditor
needs to get entity officials to perform a detailed investigation of the transactions in the
population in order to arrive at a more accurate estimate of the error in the component. The
auditor should then re-audit the component and request entity officials to record a correcting
entry for the known error.
In our example, entity officials might perform a detailed investigation and conclude that cost
of sales were overstated by Rs. 1,400,000, and make a correcting entry for that amount. The
auditor would then audit the work done by the officials and reach his/her own conclusions as
to the most likely error and upper error limit remaining in the component.
10.7.2 Most likely error greater than materiality
Where MLE exceeds materiality, increasing the materiality amount and increasing the sample
size would normally not result in acceptable results. Only two of the options listed above are
available to the auditor. They are:
1. Request entity officials to record a correcting entry; and

2. Request entity officials to perform a detailed investigation and then re-audit.
If neither of these options is possible, the auditor should qualify the audit opinion.

10.7.3 Unacceptable results for tests of internal control
Assume the auditor selects a sample of 44 supplier invoices and finds 2 internal control
deviations - 2 supplier invoices have not been properly approved. This gives a most likely
deviation rate of 4.55% (2 divided by 44). The auditor then uses CAATs to arrive at an upper
error limit frequency (maximum possible deviation rate of 12.11%. If the upper error limit
(tolerable deviation rate) selected is 9%, this is an unacceptable result.
In this case, the auditor normally needs to reduce reliance on the internal control structure.
There are three other potential options the auditor can consider:
1. Increase the upper error limit;
2. Increase the sample size; or
3. Request entity officials to perform the “missing” controls, adjust the books for all
identified errors, and audit the work performed.
Each is discussed below.
Increase the upper error limit. This is equivalent to increasing the materiality amount in the
case of monetary errors, and the preceding discussion relating to increasing the materiality
amount also applies here to increasing the tolerable deviation rate.
Increase the sample size. Assuming the original sample was representative of the population,
it is unlikely that increasing the sample size would change the auditor’s estimate of the most
likely deviation rate, but could decrease the maximum possible deviation rate.
Increasing the sample size could result in the auditor performing a lot more work and still
having unacceptable results. Therefore, the auditor should normally only make use of this
option when:
(a) The most likely deviation rate is significantly less than the upper error limit; and
(b) The maximum possible deviation rate is only slightly higher than the upper error limit.
In our example, the most likely deviation rate is more than 50% of the tolerable deviation rate,
and maximum possible deviation rate is 34.6% higher than the upper error limit. Therefore,
increasing the sample size would most likely not lead to acceptable results.
Request entity officials to perform the “missing ” controls, adjust the books fo r all identified
errors, and audit the work performed.
The deviation rate can be decreased by the amount of any corrections made by entity officials.
Should the adjustment be large enough, it may result in the deviation dropping below the
tolerable deviation rate.
Entity officials will usually only be prepared to adjust for known errors. Therefore the auditor
should re-audit the component and request entity officials to record a correcting entry for the
known error. Nevertheless, correction of internal controls does not alter the fact that the
transactions throughout the population as a whole are likely to have been subject to inadequate
controls prior to the correction resulting in both identified and unidentified errors.

10.7.4 Unacceptable results for analytical procedures
The auditor should perform and evaluate analytical procedures to:

(a) Determine the threshold amount (the amount above which a difference is considered to
be significant);
(b) Identify significant fluctuations;
(c) Investigate the significant fluctuations found; and
(d) Conclude as to whether entity officials have adequately explained all significant
fluctuations.
Appendix B provides details of the process.
The threshold amount in (a) is normally set at a percentage of planned precision. Fluctuations
are normally considered to be adequately explained when the unexplained portion is less than
one-half the threshold amount.
If the amount cannot be adequately explained, or the auditor cannot obtain audit evidence to
substantiate the explanation, the auditor must reduce his/her reliance on the analytical
procedure. There are, though, two other options, as follows:
(a) Increase the threshold amount; and/or
(b) Request entity officials to perform further follow up, adjust the books for all identified
errors, and audit the work performed.
Each is discussed in turn.
Increase the threshold amount. This could be done by increasing the materiality amount (and
hence planned precision) or by increasing the percentage of planned precision used to
determine a significant fluctuation. This could result in some unexplained differences
becoming immaterial fluctuations, or inadequate explanations now being sufficient.
This option is equivalent to increasing the materiality amount. The arguments for increasing
the materiality amount can also be used to increase the threshold amount.
Request entity officials to perform further follow up, adjust the books fo r all identified errors,
and audit the work performed. In the case of analytical procedures, this option will rarely
work. This is because entity officials should already have attempted to explain all significant
fluctuations, and attempted to substantiate their explanations.
10.8 Dealing with acceptable results

Given the impact that a monetary error in one small transaction can have on the most likely
error and the upper error limit, it is prudent to discuss all errors and deviations with entity
officials no matter how clear cut they are from the auditor’s perspective.
The auditor has another reason for discussing all errors with entity officials - getting entity
officials to investigate and correct for all monetary errors found by the auditor. This should not
only include investigating and correcting the known errors, but also investigating the accuracy
of the auditor’s most likely error, and making a correction for the determined amount.

This investigation should be done even when the results are acceptable. There are two reasons
for this:
1. Entity officials should be interested in having their accounts as accurate as possible.
Investigating and correcting for all errors will help to achieve this.
2. Errors that affect a closing balance in one year may affect the related opening balance
for the following year. When combined with errors found in the subsequent year, the
result may be a material error in the following year’s financial statements.
To illustrate point (2) assume:
A Rs. 1,540,150 overstatement error in costs is caused by recording some of the following
year’s expenditures in the current year. This will result in an understatement of the purchases
in the following year.
When doing the following year’s audit, the auditor identifies other understatement errors in
costs, and estimates the most likely error of these other errors to be Rs. 1,100,000.
In this case, if the Rs. 1,540,150 is not adjusted for in the first year, the most likely
understatement error in the second year will be Rs. 2,640,150 (Rs. 1,540,150plus Rs.
1,100,000). This will likely result in an upper error limit significantly larger than the Rs.
3,000,000 materiality amount.
On the other hand, if the Rs. 1,540,150 had been adjusted for in the first year, the most likely
understatement error in the second year would be Rs. 1,100,000, which would probably result
in an upper error limit less than the materiality amount.
10.9 Documenting the evaluation process

The Standard Audit Working Paper Kit includes a Summary of Unadjusted Differences. This
is a series of forms that can be used to:
• Document individual monetary errors and compliance with authority violations;
• Calculate errors in each component and in the financial statements as a whole; and
• Determine the amount of such compliance with authority violations as:
o Errors in the amount reported for authority available;
o Errors in the amount reported for excess or saving;
o Vote over-expended but not so reported; and
o Spending for purposes not authorised.
The Summary of Unadjusted Differences does not include a component to show the
determination of the most likely error and the upper error limit for individual substantive tests
of details, or the most likely deviation rate and the maximum possible deviation rate for
individual tests of internal control. This is because the easiest way to document these
calculations is to print out the error evaluation forms produced by CAATs.
However, to prepare for circumstances where manual calculations are required, the Standard
Audit Working Paper Kit contains standard forms that can be used for this purpose.

10.10 Evaluating Regularity Audit Results
The auditor does not need an accurate prediction of the extent of irregularities, but wants to
know:
(a) whether the occurrence of irregularities is low enough to be ignored, is sufficiently
serious to be brought to the attention of management and Parliament or is so
serious that immediate corrective actions are required;
(b) what factors have contributed to the irregularities, particularly internal control
weaknesses that have to be corrected; and
(c) the impact of the irregularities (these may be (i) minimal where the rules that have
been broken are of a preventive nature but no consequences occurred; (ii) serious
wastage and misappropriation of funds; and in the most serious case, (iii) loss of
Parliamentary control).
Thus the auditor needs to be able to judge how the irregularities occurred and what impact
they have had on propriety and the financial and operational performance of the entity.
A series of minor infractions in themselves are not worthy of reporting. However, if a pattern
can be detected, individual minor findings may indicate a more serious problem at a higher
level. For example many minor miscalculations in payroll may not amount to very much
money. The fact that there are errors in the way payroll is calculated can indicate a lack of
proper supervision of the payroll section, thus putting the controls over payroll in a situation of
high risk. In that situation, the audit finding is not miscalculations of pay but inadequate
internal controls over the management of the payroll section.
The audit of individual transactions is not an end in itself. The auditor must identify the
underlying causes of the irregularities identified. Determining the causes is not always easy.
Often a combination of weaknesses contributes to the breakdown of proper procedures. A
high turnover of staff combined with a lack of documented procedures could result in
inadequate controls although the lack of one or the other in itself might not be problem. The
experience and the judgment of the auditor is critical in getting to the underlying causes of the
observed irregularities. Hence, it can be seen that just observing and documenting the
irregularities is not the end of the audit process.
Sometimes the audit programme has to be adjusted during or at the end of the audit to follow
up on control weaknesses not anticipated at the start of the audit. Further audit work to
identify the causes and impact of the irregularities discovered is far more important than
increasing the sample size to determine the extent of the weaknesses. In fact, it is
management’s responsibility to determine the extent of the problem. The auditor’s
responsibility is to draw management’s attention to the need to improve the internal controls.
To identify the impact of the problem, the auditor may decide to take a larger sample to
identify the seriousness of the problem. This decision is up to the judgment of the auditor.
Senior management within the DAGP may request further work in order that the Auditor-
General is able to comment on the extent of the problem discovered. In some cases, other
audit teams involved in auditing other parts of the government may be asked to conduct the
same type of audit to determine how widespread is the practice of irregularities discovered
within one department or entity.

10.11 Quality assurance during the evaluation phase
Considerable professional judgment is required during the evaluation phase. Every step, from
the identification of what is a monetary error, a compliance with authority violation, or an
internal control deviation, through to the evaluation of the financial statements as a whole and
the resolution of unacceptable results, requires this judgment. If the judgment is not
appropriate, the auditor could issue an incorrect opinion on the financial statements.
Therefore, it is critical that there is a detailed review and approval of:

(a) All monetary errors, compliance with authority violations and internal control
deviations found, and the assessment of their causes;
(b) The calculation of the most likely error and the upper error limit for each test;
(c) The calculation of the most likely error and the upper error limit for each component;
(d) The calculation of the most likely error and the upper error limit for the financial
statements as a whole;
(e) The assessment of the overall financial statement presentation and the reasonableness
of the overall results;
(f) The assessment of the achieved level of assurance;
(g) The documentation supporting the discussion of the results of the error evaluation with
entity officials;
(h) The follow-up work performed by entity officials; and
(i) How unacceptable results were dealt with.
Given the importance of this phase, the Director or Director General responsible for the audit
should perform this review and approval.

11. THE REPORTING PROCESS
11.1 Introduction
There are different reports that may result from a completed audit.
Reports for Certification purposes are generally brief and follow a standard format for the type
of opinion to be delivered.
Reports on management controls (identifying control weaknesses), compliance with laws,

regulations and administrative procedures, and on the performance of the organisation require
more developed writing and reporting skills.
Irrespective of the type of audit report, the main measure of the performance of the DAGP is
the quality and usefulness of the reports produced by the Office. The reports bring together
the professional knowledge and judgment of the auditors. Therefore, audit reports must be
well written and substantiated, and developed in accordance with a formal process, as
described in this Chapter.
Prior to reporting, during the evaluation phase of the audit, the auditor should have sought the
agreement of entity officials with respect to:
a) The extent and cause of each monetary error; and
b) The extent and cause of each compliance with authority violation and internal control
deviation.
The auditor will also have reached a conclusion on the results of each test, on each component,
and on the financial statements as a whole, and dealt with any unacceptable results.
In the reporting phase, the auditor performs some final quality assurance procedures,
concludes on the type of audit opinion to issue, and then drafts and issues the opinion. The
auditor may also issue audit reports and management reports.
DAGP’s Auditing Standards use the term “opinion” to refer to the auditor’s conclusions as to
whether:
a) the financial statements properly present, in all material respects, the government’s
financial position, the results of its operations, its cash flows and its expenditures and
receipts by appropriation; and
b) the sums expended have been applied, in all material respects, for the purposes
authorised by parliament and have, in all material respects, been booked to the relevant
grants and appropriations.
The word “report” refers to DAGP’s other products.
DAGP’s reporting standards are contained in paragraph 4.0.7 of DAGP’s Auditing Standards.
They are:
• A t the end o f each audit the auditor shall prepare a written opinion or report, as
appropriate, setting out the findings in an appropriate form; its content should be
easy to understand and free from vagueness or ambiguity, include only

information which is supported by competent, reliable, and relevant audit
evidence, and be independent, objective, fa ir and constructive.
• It is fo r the Department o f the AGP to decide finally on the action to be taken in
relation to fraudulent practices or serious irregularities discovered by the
auditors.
An audit report (a report that is made public or that is presented to the appropriate public
accounts committee or other external party) will be signed by the Auditor-General, the Deputy
Auditor General (Senior) or the responsible Deputy Auditor General.
Management reports (reports addressed to entity officials) will be signed by the responsible
Director General.
11.2 Focus on the Reporting Process

The reporting stage of the audit often takes longer than estimated. The process of writing the
report, cross referencing to the working paper files and finalising the working paper files, is
time consuming. The auditor has to allow time for managers to review the draft report. There
should also be an extensive review process within the DAGP to ensure:
• a high quality report, with clear, unambiguous messages; and
• the existence of sufficient evidence to support the wording contained within the report.
One way of completing the audit report as quickly as possible is to start writing the report as
early as possible during the audit. The effort of putting down the points to be reported also
helps to focus the analysis and identify whether sufficient evidence has been collected or
whether more evidence is required.
Preparation for a mid-point review meeting, or for other review meetings, can help to focus
the message that will eventually be contained in the report.
At the end of the reporting process, it is important that the audit is finalised with completed
working papers. At the end of the audit, an Audit Completion Checklist should be completed.
11.3 Clearing Observations, Conclusions and Recommendations

Before the auditor can publish a report on findings or an opinion on financial statements, the
audit observations, conclusions and recommendations must be cleared with entity
management.
This is accomplished by briefing entity management on audit findings and documenting their
responses, which can also provide additional audit evidence. This process can be based on
formal written statements or verbal briefings.
The auditor should make best efforts to obtain a sound understanding of the operations and to
obtain sufficient evidence to support findings. Nevertheless, at the initial stages of clearing
observations, not all observations may be complete or accurate. Where findings are refuted, or
modified by the manager’s response further evidence may be sought to substantiate the
manager’s assertions.

It is normal to clear the observations up the management chain, briefing lower level managers
and confirming the auditor’s understanding before briefing more senior managers. When
visiting an entity’s local office, it is usual to brief the senior manager before leaving the site.
The auditor should take detailed minutes of these briefing meetings. The auditor may send a
copy of these notes to the manager for confirmation.
When there is a significant difference between what the auditor would expect to see and what
was found, the auditor should discuss this with management to determine the reasons and then
decide whether the expectations are still appropriate in the particular circumstances. The
auditor should conclude whether management has fallen short or whether the expectations
were unreasonable in the context.
In developing recommendations, the auditor can explore options with management through
this process before including them in the draft report. The auditor should ensure it is clear that
the conclusions and recommendations are preliminary at this time.
The effectiveness of the communication of the contents of an audit report is influenced by:
• Facts;
• Opinions; and
• Wording.
In clearing the report, the auditor should first ensure there is agreement on the facts. The
auditor should recognise that in addition to the facts, there are opinions. For example, a fact
may be that there is no control in place. Whether there should be a control in place is an
opinion, even if it is a generally accepted accounting practice. Where conflict arises between
the entity management and the auditor it is after over wording. The auditor should be careful
when making generalised statements or using adjectives that could be considered to
exaggerate a finding.
11.4 Obtaining Management Responses

When clearing audit queries, or getting management responses to the draft report, the auditor
needs a timely response.
To encourage this, the auditor should establish a date for discussing the material or indicate by
what date the auditor would like to receive the response. Management should be given a
reasonable amount of time to respond.
When management of the entity fails to provide a response as requested, the auditor should
consult with senior DAGP management and draft a letter for the signature of the AG,
informing the management of the entity that if a response is not provided by a given date,
usually two weeks from the date of the letter, the DAGP assumes that the management of the
entity have no disagreements with the contents of the report and that the DAGP will proceed
to publish the report.
There are often multiple briefings to entity management, clearing each area with the respective
manager(s) and then briefing the most senior manager on the total audit. If there are no
briefings to lower managers or if all involved managers are going to meet together, it is
advisable to make sure that managers are aware of the findings in their area before other

managers hear about them. Even a briefing by phone is preferable to no briefing at all. This is
consistent with a “no surprises” style of audit.
11.5 Management representation letter

Entity officials in each ministry, department, agency, etc. are responsible for the completeness
and accuracy of the financial statements or, in the case of the financial statements of the
Federation, the provinces and the districts, their portion of the financial statements. In
addition, entity officials have often provided the auditors with numerous pieces of information
- both verbally and in writing - during the course of the audit.
The auditor prepares the management representation letter to have entity officials
acknowledge, in writing, that they are responsible for the completeness and accuracy of the
financial statements (or their portion thereof) and for the representations they made during the
audit.
Section 7(b) of the Controller General Ordinance requires the Controller General of Accounts
to “prepare and submit to the Auditor-General fo r each financial year a Consolidated and
General Financial Statement incorporating the summary o f the accounts o f the Federation, all
provinces and district authorities ”.
Section 5(d) of the Controller General Ordinance states that one of the functions of the
Controller General shall be “to lay down the principles governing the internal financial
control fo r Government departments in consultation with the Ministry o f Finance and the
Provincial Finance departments as the case may be”.
Since the Controller General of Accounts is responsible for the preparation and submission of
the financial statements for the Federation, all provinces and district authorities, and for laying
down the principles governing the internal control structures, the auditors should normally
obtain a representation from the Office of the Controller General on the financial statements of
the Federation, each province and each district. The auditors should also normally obtain a
representation from the Office of the Controller General on other relevant financial statements.
This representation is in addition to obtaining a representation from officials in the specific
entity that they are auditing.
For audits that are coordinated by a central team, the central team could obtain the
representation letter from the Office of the Controller General on behalf of all the other audit
teams.
11.5.1 Standard content
A sample management representation letter is included in the Standard Audit Working Paper
Kit. In this letter entity officials are asked to acknowledge their responsibility for the proper
presentation of the entity’s financial position, results of operations, etc., and confirm, to the
best of their knowledge and belief, that:
• all relevant information has been made available to the auditors;
• they are not aware of any irregularities involving management or employees, or any
violations of statutes or regulations whose effect should be recorded or disclosed in the
financial statements;
• specifically listed asset, liability, revenue and expenditure items are valid, complete,
properly valued, etc.;

• all required disclosures have been made;
• there are no significant subsequent events that require recording or disclosure in the
financial statements; and
• there are no other matters of significance that require recording or disclosure in the
financial statements.
The letter should normally be addressed to the person within DAGP who will be signing the
audit opinion (the Auditor-General, the Deputy Auditor General (Senior) or the responsible
Deputy Auditor General).
The letter should normally be signed by the:

• Head o f the Organisation;
• Principal Accounting Officer;
• Financial Advisor; and
• Finance and Accounts Officer.
For exempt entities, officials performing the equivalent functions would sign the
representation letter.
It is possible that more than one letter will be required on each audit. First, as discussed above,
for the audits of the financial statements for the Federation, the provinces and the districts, the
auditors should normally seek a representation from the Office of the Controller General in
addition to officials in the specific entity that they are auditing.
Furthermore, separate representations may also be required from entity officials at several
different locations within the entity.
The auditor needs to ensure that, if multiple representations are being used, all significant
matters are covered off in the representations, and that at least one senior official is taking
responsibility for each representation.
11.5.2 Preparation and clearance of the letter
The auditor should review the letter of representation contained in the Standard Audit
Working Paper Kit to ensure that it is appropriate for the entity. The auditor should make
whatever changes are considered necessary, including adding any representations that he/she
believes should be added.
The auditor should then discuss the draft letter with entity officials. This should be done well
in advance of the deadline date for the letter to ensure that there will be no difficulties
obtaining the required representations.
When the response is received from the officials, the auditor should ensure that any alterations
made by the officials are acceptable to the auditor.
The Standard Audit Working Paper Kit includes a checklist that the auditor can use to assist in
the preparation and clearance of the representation letter.

11.6 Audit completion checklist
The primary purpose of the checklist is to give assurance to the person signing the audit
opinion (the Auditor-General, the Deputy Auditor General (Senior) or the responsible Deputy
Auditor General) that:
• the Director and the Director General have reviewed the working paper files;
• the audit work is complete;
• sufficient appropriate audit evidence has been obtained to support the auditor’s opinion;
• all matters that should be reported are included in the opinion;
• Either:
(a) An unqualified opinion can be issued; or
(b) The auditor’s opinion contains all of the required reservations; and
• The auditor’s opinion can be signed and released.
A secondary purpose of the audit completion checklist is to act as final review document
(supervision instrument) that the Director and the Director General can use to assure
themselves that all of the critical planning, fieldwork, evaluation and reporting procedures
have been completed satisfactorily.
A sample audit completion checklist is included in the Standard Audit Working Paper Kit.
The checklist contains a series of questions concerning the entire audit process - planning,
fieldwork, evaluation and reporting as well as the certification referred to above.
The checklist should be completed after all of the audit procedures have been performed. The
Director and the Director General responsible for the conduct of the audit should complete it
and sign it. The responsible Deputy Audit or General should then approve it.
11.6.2 Memorandum supporting signature
The audit completion checklist assures the person signing the audit opinion was properly
completed that the audit process noted above. However, the checklist does not provide any
details concerning the contents of the financial statements or the audit process itself.
The memorandum supporting signature provides the person signing the audit opinion with this
additional information.
The Standard Audit Working Paper Kit contains a table of contents for a typical memorandum
supporting signature.
As indicated from the table of contents, the memorandum normally contains a discussion of:
• Any reservations being expressed in the auditor’s opinion;
• Contentious matters on which DAGP decided not to express a reservation;
• Significant changes made to the form and content of the financial statements;

• Significant changes made to the accounting policies used to prepare the financial
statements, and their impact on the financial statement amounts and disclosures;
• Explanations for the more significant fluctuations in each asset, liability, revenue and
expenditure account;
• Significant changes to the basic planning parameters (materiality, audit risk, etc.);
• Significant changes to the audit approach (for example, significantly increasing or
decreasing reliance on the internal control structure for a particular component);
• Any difficulties encountered during the conduct of the audit, and how they were resolved;
and
• A summary of the amounts contained on the Summary of Unadjusted Differences.
11.7 Producing the Audit Report

The auditor should prepare a draft opinion and audit report. The auditor will first brief entity
management and then issue the audit report to them.
If there are any controversial, or matters with broad policy implications, it may be appropriate
to brief the AG prior to issuing the draft report.
There will likely be a greater reaction to the draft report than was raised during the briefing.
Much of the concern may be in response to specific wording and a desire for a different
balance in the presentation of the findings. If the clearing process was well conducted, there
should not be much debate regarding the facts unless the managers involved had not been
forthcoming or had not taken the process seriously.
Entity management may have taken corrective actions by the time the observations are
reported. In this case the auditor has two options. Either the comments of management may be
acknowledged and included in the report (with or without verifying the accuracy of the
statements) or after verifying that the corrective action has been taken, the observation may be
dropped.
The auditor also has to prepare a report or audit note for the Annual Report. This is usually
much briefer than the full report to management. Alternatively, the auditor may prepare a
brief audit report and use a management letter to convey the supporting details.
Details of the various opinions and reports that may be published by DAGP are provided in
the next Chapter.
11.8 Review of reports by others

Once DAGP publishes an opinion and audit report, it becomes available for review by certain
other parties.
11.8.1 Public Accounts Committees
A PAC may conduct a hearing on the matters contained in a particular audit report, after
which the PAC might issue its own report and recommendations on the subject.

In preparation for a meeting of the PAC to discuss a particular report, the auditor should
prepare a “Briefing Book”, or briefing file. The briefing book is described in the next
Chapter, and should contain:
• A copy of the report (cross referenced back to the key pieces of supporting evidence)
• The key evidence (including extracts of important documents with source of the
documents, etc.) which should be copied from the working papers; and
• Anticipated questions with suggested answers.
11.8.2 Police, National Accountability Bureau and other similar

organisations
During the course of the audit, the auditor may have discovered fraudulent practices or serious
irregularities that should be brought to the attention of these organisations.
The auditor may be required to provide these organisations with considerable detail regarding
the irregularities and the audit work already performed, to permit the organisation to conduct
an efficient and effective investigation.
11.8.3 Other external parties
The contents of specific audit reports may be reported by the media, reviewed directly by the
general public, etc.
Readers of the report will often have very little knowledge of the matter other than what is
contained in the report itself. This makes it important that the matters dealt with in the report
are very clearly described so that the readers can appreciate the significance of the matters
raised, and the importance of the auditor’s recommendations.
If the auditor wishes to attract the attention of the media and the general public, it is also
important that the audit report is clear and concise. The use of press releases, videos, and
media briefing sessions could also be beneficial.

12. THE AUDIT REPORT
12.1 Introduction
DAGP produces three main types of report:
1. Financial certification report expressing an audit opinion (on the government as a
whole, on an audit entity or on a major project);
2. Individual reports on audit work focused on investigations, compliance or performance
(although often these may be included as part of the certification report); and
3. Annual Report.
The Auditor General’s Annual Report is a key document. Every audit team has to ensure that
its input for the Annual Report is produced in a timely manner; is clear and concise; and is free
of any errors.
Much of the impact of the audits and the reputation of DAGP rests on the quality of the
Annual Report and, to a lesser degree, the individual audit reports produced. Thus, the report
is not only an integral part of the audit but the key to audit success.
In an attest audit, the major concern is the reliability and fairness of the presentation of the
financial facts in the financial statements. Only inappropriate accounting methods, material
risks and significant misrepresentations are normally commented on. Audit observations of
minor inaccuracies and errors should not be included in an audit report. A large volume of
small inaccuracies or errors should be summarised as an error percentage.
In compliance auditing, the report should focus much more on the controls in place and the
reliance that can be placed on them than on individual findings. The audit report should not
list all the minor non-compliance or errors observed.
In the case of performance audits, a much higher proportion of the audit work gets included
within the report. Further, in performance audit reports, much more explanation of the
business of the entity and description of the areas examined is usually included than in the
other types of audit. The auditor’s expectation, or performance criteria, is often included to
place the observations and conclusions in context.
Whatever the audit type, the same considerations apply:

• Audit reports should be easy for entity management to read (brief, clear and in the case of
performance audits, pertinent);
• The Annual Report will be read by Parliamentarians, the media and the public and so
should be written with a minimal technical terminology and not assume an understanding
of the detailed business of the entity;
• The contents of the report should focus only on material and significant matters;
• Any assurances, conclusions and recommendations should be useful; and
• All statements should be fully supported by reliable and sufficient evidence.
Audit reports take a very different form according to whether they are presenting:
• An opinion on a set of financial statements; or

• The results of reviewing compliance and performance.
These are discussed in the following sections.
12.2 The Certification Report and Types of Opinion

The Certification Report is the product of the financial attestation audit work. It follows very
specific standards, modified as necessary to reflect different qualifications that the auditor may
wish to express.
12.2.1 Unqualified auditor’s opinion on financial statements
The auditor’s report on a set of financial statements is referred to as the “auditor’s opinion”,
even though the report is often entitled “Auditor’s Report”. This differentiates the report from
other audit reports, such as reports dealing with compliance with authority and performance
matters. These other reports are discussed in a subsequent section.
Paragraph 4.0.9 of DAGP’s Auditing Standards states, “An audit opinion is normally in a
standard format, relating to the financial statements as a whole, thus avoiding the need to
state at length what lies behind it but conveying by its nature a general understanding among
readers as to its meaning. The nature o f these words will be influenced by the legal framework
fo r the audit, but the content o f the opinion shall indicate unambiguously whether it is
unqualified or qualified and, i f the latter, whether it is qualified in certain respects or is
adverse (paragraph 4.0.14) or a disclaimer (paragraph 4.0.15) o f opinion. ”
This Auditing Standard contains several important messages. First, the auditor expresses one
opinion on all of the financial statements, as opposed to having a separate opinion on each
financial statement. Second, and probably more important, it is critical that the readers receive
an unambiguous message.
For the readers to receive an unambiguous message from what is normally a very short report,
it is important that:
• The auditor adopts a standard wording for an unqualified opinion, and only deviates from
that standard wording when a reservation of opinion is being expressed; and
• Any reservations of opinion is very clearly expressed.
When expressing a reservation of opinion the auditor should not issue an opinion that deviates
only slightly from the standard wording, as the message could be ambiguous. There is a
danger that casual readers will read it as an unqualified opinion. Even readers who are familiar
with the standard content of an audit opinion might not be able to determine whether or not the
deviation is intended to be a reservation of opinion.
12.2.2 When to give an unqualified opinion
As discussed in Paragraph 4.0.10 of DAGP’s Auditing Standards, “an unqualified opinion is

given when the auditor is satisfied in all material respects that:
• the financial statements have been prepared using acceptable accounting bases and
policies which have been consistently applied;
• the statements comply with statutory requirements and relevant regulations;

• the view presented by the financial statements is consistent with the auditor's knowledge o f
the audited entity; and
• there is adequate disclosure o f all material matters relevant to the financial statements.”
12.2.3 Standard wording
An example of a standard unqualified auditor’s opinion is contained in the Standard Audit

Working Paper Kit.
To fully comply with paragraph 4.0.8 of DAGP’s Auditing Standards, the unqualified opinion
should contain:
• A title;
• An addressee;
• A signature and a date; and
• Three standard paragraphs - an introductory paragraph, a scope paragraph and an opinion
paragraph - which contain material that satisfies the other disclosure requirements of
paragraph 4.0.8 of DAGP’s Auditing Standards. Each of these paragraphs is discussed
below.
The introductory paragraph. The introductory paragraph identifies the financial statements
covered by the auditor's opinion and distinguishes the responsibilities of management and the
responsibilities of the auditor.
The scope paragraph. In this paragraph the auditor informs the reader that the audit was
planned and performed in accordance with professional standards, and that the auditor has
made judgments in applying these standards. It also provides the reader with some explanation
of the nature and extent of an audit and the degree of assurance it provides.
The opinion paragraph. In this paragraph the auditor expresses his/her opinion as to the
whether:
a) the financial statements properly present, in all material respects, the government’s
receipts by appropriation; and
b) the sums expended have been applied, in all material respects, for the purposes authorised
by parliament and have, in all material respects, been booked to the relevant grants and
appropriations.
The opinion paragraph may also state whether, in the auditor’s opinion, certain statutes and
regulations have been complied with. (The statutes and regulations should be spelled out in the
opinion).
Sometimes the auditor wants to insert a reference in the opinion to an unusual or important
matter that is properly disclosed in the financial statements. Since the auditor does not intend
to express a reservation of opinion on the financial statements, this reference should be
included in a fourth paragraph, after the opinion paragraph.
The auditor should not use this additional paragraph to rectify a lack of appropriate disclosure
in the financial statements. It is also not an alternative to, or a substitute for, expressing a
reservation of opinion.

Even when a matter is placed after the opinion paragraph, there is still a danger that some
readers may think that a reservation of opinion is intended. As a result, this paragraph should
only be used in very rare cases.
A better way to provide additional information or recommendations is to use a separate report,

such as an audit report. The fourth paragraph of the auditor’s opinion could then contain a
reference to the audit report. Audit reports are discussed later.
12.2.4 Reservations in the auditor’s opinion
There are three general types of reservations that the auditor may express - qualified, adverse,
and disclaimer. Each is discussed in turn in this section. Examples of qualified, adverse and
disclaimers of opinion are included in the Standard Audit Working Paper Kit.
In accordance with paragraph 4.0.12 of DAGP’s Auditing Standards, reservations are issued
when any of the following circumstances occur, and when the auditor believes that the effect
is or may be material:
• a scope limitation;
• a departure from the government’s accounting principles; or
• uncertainty affecting the financial statements.
Each is discussed below.
Scope limitation. A scope limitation has occurred when the auditor has not been able to apply
all the tests and procedures considered necessary in the circumstances and, as a result does not
have sufficient appropriate audit evidence to form an opinion as to whether the financial
statements give a true and fair view, in all material respects, in accordance with the
government’s accounting principles.
Scope limitations may arise in a number of situations, including:

• circumstances beyond the control of the entity or the auditor, such as the destruction of
accounting records in a fire;
• a limitation imposed by the entity, such as refusing to allow the auditor to perform certain
audit procedures; and
• a limitation created by the entity, such as or a failure to maintain adequate accounting
records or internal control structures.
When the auditor has a scope limitation, the reporting objective is to inform the reader that the
auditor:
• has been unable to perform specific tests and procedures and obtain certain audit evidence;
and, as a result,
• is unable to determine whether or not there has been a departure from the government’s
accounting principles that materially affects the financial statements.
Departure from government's accounting principles. A departure from the government’s

accounting principles occurs when there is:
• An inappropriate accounting treatment, such as the failure to record certain assets or
liabilities that are required to be disclosed by the government’s stated accounting policies;

• An inappropriate valuation of an item in the financial statements, such as recording fixed
assets at an appraised value;
• A failure to disclose all of the information required, such as not segregating expenditures
into all the categories that are called for by the government’s accounting principles.
In any of these circumstances, the auditor's reporting objective is to inform the reader about
the departure from the accounting principles.
Uncertainty. An uncertainty normally involves a significant contingency or other event that is

primarily dependent on future developments or future decisions by parties other than entity
officials.
For example, the government may have guaranteed loans to third parties who are now
experiencing financial difficulties. In these circumstances, the auditor (and entity officials)
might not have sufficient information to determine what amount, if any, the government may
ultimately be required to pay.
When the auditor has an uncertainty, the reporting objective is to inform the reader that he/she
has been unable to determine what adjustments, if any, might be needed to the financial
statements.
12.2.5 Qualified opinion
A qualified opinion is issued where the auditor is faced with a scope limitation, a departure
from the government’s accounting principles, or an uncertainty, but the matter at hand:
• is not critical to an understanding of the financial statements; and
• can be explained clearly and concisely.
To explain a matter clearly and concisely, it helps if the auditor can quantify the financial
effect. Of course, in the case of a scope limitation, this would not be possible.
The use of a paragraph (called the reservation paragraph) between the scope paragraph and the
opinion paragraph is the usual way of alerting the reader to the fact that there is a qualified
opinion. To be most effective the paragraph needs to explain the matter as clearly and
concisely as possible. It is not sufficient to provide only a general indication of a problem so
that the reader is merely warned that further questions should be asked.
To be clear and concise, the auditor should:

a) state the financial effect of the matter. If it cannot be quantified, the auditor should so
state.
b) In the case of an audit involving more than one Ministry, identify the specific Ministry
(or Ministries) in which the monetary errors or compliance with authority violations
occurred. This is particularly important if the reservation in the auditor’s opinion was
the result of significant errors in only one or two Ministries.
Note: where material monetary errors or compliance with authority violations have occurred,
the auditors should request Ministry officials to investigate the matter and make necessary
adjustments to the financial statements. If Ministry officials refuse, the auditors could request
the Controller General of Accounts to make the necessary adjustment. This is consistent with
Sections 5(a) and 5 (i) of the Controller General Ordinance. Once the necessary adjustments

have been made, the financial statements can be considered accurate, and the Auditor-General
can issue an unqualified opinion.
In addition to adding the reservation paragraph, other changes are made to the standard
wording of the auditor’s opinion, as follows:
The opinion paragraph is amended to insert:
(a) In the case of a scope limitation or a departure from the government’s accounting
principles, an “except for”, “except that” or “except as”, followed by a brief summary of
the matter and a reference to the reservation paragraph; or
(b) In the case of an uncertainty, a “subject to”, followed by a brief summary of the matter and
a reference to the reservation paragraph.
In the case o f a scope limitation or an uncertainty, the scope paragraph would also contain an
“except as” clause. This is done by inserting “Except as explained in the following paragraph,
... ” at the start of the scope paragraph.
The Standard Audit Working Paper Kit contains three examples of qualified opinions - a
scope limitation, a departure from the government’s accounting principles, and an uncertainty.
12.2.6 Adverse opinion
An adverse opinion is issued when there is a departure from the government’s accounting
principles that is:
• so pervasive and fundamental that the auditor is unable to describe clearly how the
financial statements are affected; or
• so significant that it overshadows a clear description of how the financial statements are
affected.
In these circumstances, a qualified opinion would not be adequate. The wording of an adverse
opinion makes it clear that:
(a) the financial statements do not properly present, in all material respects, the
government’s financial position, the results of its operations, its cash flows and its
expenditures and receipts by appropriation; or,
(b) the sums expended have not been applied, in all material respects, for the purposes
authorised by parliament and have not been booked to the relevant grants and
appropriations.
As with a qualified opinion, a reservation paragraph should be inserted between the scope
paragraph and the opinion paragraph. The reservation paragraph should clearly and concisely
describe all the matters of disagreement, and the financial effect should be quantified where
relevant and practicable.
The opinion paragraph would be amended to state something to the effect that, “In my
opinion, because [brief description of matter] described in the preceding paragraph:
• these financial statements do not properly present, in all material respects, the
government’s financial position, the results of its operations, its cash flows and its
expenditures and receipts by appropriation; or,

• the sums expended have not been applied, in all material respects, for the purposes
authorised by parliament and have not been booked to the relevant grants and
appropriations....”
The Standard Audit Working Paper Kit contains an example of an adverse opinion.
12.2.7 Disclaimer of opinion
Where the auditor is unable to arrive at an opinion regarding the financial statements taken as
a whole due to a scope limitation or uncertainty that is so fundamental, pervasive or significant
that a qualified opinion would not be adequate, a disclaimer is given. The wording of the
disclaimer makes it clear that an opinion cannot be given.
As with a qualified and an adverse opinion, a reservation paragraph should be inserted

between the scope paragraph and the opinion paragraph. The reservation paragraph should
clearly and concisely describe the reason for the disclaimer.
In this case the opinion paragraph would be amended to state something to the effect that, “In
view of the possible material effects on the financial statements of the matter described in the
preceding paragraph, I am unable to express an opinion whether .
• these financial statements properly present, in all material respects, the government’s
receipts by appropriation; or,
• the sums expended have been applied, in all material respects, for the purposes authorised
by parliament and have been booked to the relevant grants and appropriations.
The scope paragraph should be amended by inserting “Except as explained in the following
paragraph” at the start.
The Standard Audit Working Paper Kit contains an example of a disclaimer of opinion.
12.3 Audit reports other than opinions on financial statements

12.3.1 Nature and content of reports
This section covers two general types of reports - audit reports and management reports.
Audit reports are reports that are made public and/or that are presented to the appropriate
public accounts committee (PAC) or other external party. These reports would deal with
matters of such significance that they require the attention of Members of the National
Assembly, a Provincial Assembly, or a District Assembly.
Audit reports may also deal with matters that require the attention of the police, the National
Accountability Bureau and/or other similar organisations. Matters to be reported to these
organisations include fraudulent practices or serious irregularities.
Management reports are reports addressed to entity officials. They contain matters of a lesser
significance.
Both audit reports and management reports may deal with:

(a) Reservations being expressed in the auditor’s opinion;

(b) Contentious matters on which DAGP decided not to express a reservation;
(c) Comments on the form and content of the financial statements;
(d) Comments on the accounting policies used to prepare the financial statements;
(e) Compliance with authority violations;
(f) Internal control weaknesses; and
(g) Performance (value-for-money) matters.
With respect to item (a), because the standard audit opinion is usually very short, the auditor
normally does not have an opportunity to provide a detailed discussion on the reservations that
he/she has expressed. Such a discussion could be included in a separate report.
With respect to items (b), (c) and (d), the inclusion of additional matters in the auditor’s report
could result in some readers thinking that a reservation of opinion is intended. As a result, it is
preferable for the auditor to use a separate audit report to make comments about the financial
statements and his/her audit thereof.
Items (e), (f) and (g) would be matters that were identified during the conduct o f the audit.
The decision to include a particular matter in the audit report or in a management report may
change during the audit and even during the reporting phase itself. The auditor needs to keep
in perspective the message and the most important conclusions expected to result from the
audit.
For example, the auditor may have initially concluded that a particular matter was significant
enough to be brought to the attention of the appropriate PAC. However, during the clearance
process entity officials may have agreed to deal promptly with the matter. In this case, the
auditor may decide to report the matter in his/her management report.
On the other hand, the auditor may have initially included a matter in a management report
because entity officials had agreed to deal with the matter promptly. I f the matter was still
outstanding the following year, the auditor may decide to include it in his/her audit report for
that year.
12.4 Reporting style and format

A good audit report needs to present a clear message. However well the audit has been
conducted and however strong the findings, the audit will not be successful and useful to
Parliament, a Public Accounts Committee (PAC), the public, and the management o f the entity
unless the report is well written.
Whatever the audit type, the following basic reporting principles apply.
The report should be easy for entity officials, PAC members, etc. to read. This means that it
should:
• be brief, interesting and clear;

• be written in a style that maintains the reader’s interest; and
• avoid, as far as possible, details that distract from the message that is to be conveyed.

If extensive definitions, detailed calculations, and other distracting details are required, they
could be inserted as a footnote or as an appendix.
Particularly in the case of audit reports (reports intended for Parliamentarians and the general
public), the report should be written with the minimum amount of technical terms. The report
should not assume that the reader is familiar with these terms, or with the entity’s business.
The report should clearly explain the significance of each matter being raised. For example,
reporting that certain bank accounts have not been reconciled for several months may not be
meaningful on its own. Reporting that there may be unauthorised or unrecorded payments,
missing receipts, stolen funds and so would ensure the point is understood.
Matters should be grouped by the nature of the issue at hand, or by recommendation. This
helps readers to better appreciate the overall extent of a particular matter.
Conclusions and recommendations should be presented. These help the reader to obtain an
overall understanding of the auditor’s position, and to understand the actions that are expected
to be taken as a result of the matter.
One possible exception to these principles is reports to the police, the National Accountability
Bureau and/or other similar organisations where the auditor is recommending that the
organisation perform an additional investigation. In this case, the auditor may be required to
provide a great deal of detail with respect to the matter at hand, and the audit work already
performed, to permit the organisation to conduct an efficient and effective investigation.
A useful structure for each matter dealt with in the report is:
• Background material - a description of the area audited, etc.;
• A description of the work that was performed;
• A description of what entity officials should have been doing, and why;
• A description of what was found, and the cause;
• What can be concluded;
• The auditor’s recommendation to deal with the matter; and
• The entity’s response (if shown in a separate section).
Each of these is discussed below.
The Standard Audit Working Paper Kit includes an example of an observation that follows
this format.
Where the report is more than, say, 10 or 15 pages there should also be an Executive Summary
at the front of the report. It is common to include a list of the major recommendations at the
end of the Executive Summary.
Background material. The amount of background material required will depend on the
intended reader of the report. For reports to be made public, more material is often required
than if the report is only to be sent to entity officials who are responsible for the applicable
component.
Whoever is the intended reader, background material should be kept as brief as possible.

Description o f work performed. As for the background material, the amount of detail required
will depend on the intended reader of the report. In general, though, it should also be kept as
brief as possible.
Description o f what entity officials should have been doing, and why. It is important for the
auditor to ensure that readers of the report appreciate the implications of the compliance with
authority violation, the internal control deviations, etc. Simply stating that several supplier
invoices were not properly approved may not get the readers’ attention if the significance of
this issue is not explained. The auditor needs to state why the violation or deviation is
significant. In the case of proper approval of supplier invoices - to prevent payment being
made for fictitious goods, services not performed, for excessive amounts or for corrupt
purposes and so on.
Description o f what was found and the cause. In this section the auditor should describe what
his/her findings were. To help the reader appreciate the matter at hand, the findings should be
worded in a way that clearly shows the difference between what entity officials should have
been doing, and what they were (or were not) doing.
The description should also include the cause of the matter, if it is known. This would make it
easier for the reader to understand the nature of the problem, and the reasoning behind the
recommendation.
As noted in paragraph, matters should be grouped by the nature of the issue at hand, or by
recommendation. Where there is a large volume of small inaccuracies or errors, they should be
grouped.
It is normally not necessary to list all of the specific internal control weaknesses or compliance
with authority matters. For example, the auditor could simply note that, in a sample of 200
supplier invoices, 8 lacked proper approval. There is usually no need to list the 8 invoices in
the report.
The auditor’s conclusion. The conclusion section summarises the matter being discussed, and
puts the findings in context.
The tone of the conclusion should be consistent with the significance of the matter being
raised. If, for example, the matter has been presented as a relatively minor internal control
violation, the conclusion should not imply that material frauds could occur if the matter is not
fixed immediately.
The auditor’s recommendation. The recommendation should describe specific actions that the
entity should take to deal with the matter raised in the observation and/or to prevent similar
matters from recurring in the future. Unless the auditor can identity a specific and useful
recommendation, the auditor should question the value of reporting the matter in the first
place.
Assume the auditor detected that several suppliers had been overpaid. A simple
recommendation that the auditor could make in this case is that the entity should recover the
amounts of the overpayments from the suppliers. This recommendation, though, will not
necessarily help to prevent a repeat of the error or fraud that led to the overpayments. It would
be more useful to the entity for the auditor to identify the internal control weakness that led to
the overpayments, followed up with a recommendation to prevent similar error or fraud from
occurring in the future.

To further improve the effectiveness of the recommendation, the recommendation should:
• be as specific as possible. This helps the reader to know exactly what is expected to be
done, and helps the auditor to assess at a later date whether the recommendation was
implemented. Recommendations such as “The internal controls should be improved” are
too general and do not describe for the reader what needs to be done.
• be addressed to a specific person or group of individuals. This helps to fix accountability
for the implementation of the recommendation, which in turn should improve the chances
that it will be implemented. Recommendations such as the “The government should ...”
do not fix accountability.
• contain a date by which the auditor would like the recommendation to be implemented.
This will help to prevent unreasonable delays in implementing the recommendation.
Entity response. Entity officials will often want auditors to include, in the report, a description
of the context in which the matter occurred, and corrective actions taken by the time the
matters are reported. Entity officials may also wish to indicate whether they agree with the
recommendation, or, if not, why they disagree.
There are two ways in which the entity’s position can be reflected in the report. The auditor
could amend the wording of the observation, or the auditor could permit the entity to insert an
“entity response” directly into the report. If the latter option is taken, the response would
normally be inserted at the end of the material on the specific observation.
12.5 Compliance and Performance Reports

A report on a compliance audit or a performance audit should draw attention to the key issues
and concerns raised by the audit. The reader should be able to understand the significant
issues, the underlying causes of any weaknesses observed and any recommended actions to
improve the management of the area covered in the audit.
Traditionally, reports of compliance audits have not presented the big picture and have simply
listed cases of non-compliance, often drawing attention to small or minor errors or waste. If
the auditor wants to initiate change, the focus should be redirected onto controls rather than
individual cases of non-compliance. If not, the auditor can expect to find similar problems
being reported every year.
Except when expressing a financial opinion, all reports should adhere to the structure outlined
below. Their focus should be towards encouraging improvements in internal controls and
more effective management in the public service.
12.5.1 Structure of the Report
The audit report should normally state:

• The context (background and description of area audited);
• What was done (audit objective and audit scope);
• What was expected to be found (audit criteria and/or laws and regulations);
• What was found (findings and observations);
• What can be concluded (including what is or can be the impact of what was observed);

• What should be done to improve the management of the area (recommendations); and
• In some cases, but not necessarily always, management comments.
There are commonly two options for structuring the report to include the content mentioned
above. One is to structure the main chapters according to Introduction and Background,
Observations, Conclusions, and Recommendations and, within these, address the different
lines of enquiry, or audit topics. The other is to structure the main chapters according to the
lines of enquiry, or audit topics and, within these, address Background, etc. The latter
approach is often better because that structure is normally easier for the reader to follow.
Where the report is structured around the audit topics, the statement of scope can either be in
an introductory chapter or stated for each audit topic.
Where the report is more than say 10 or 15 pages, there should also be an Executive Summary
at the front of the report. It is common to include a list of the major recommendations at the
end of the Executive Summary.
There are different styles with regard to taking note of management views and responses to the
report. In most cases, the report should be changed in response to management comments if
inaccuracies or insufficient information are rectified during the process of clearing the report.
When management is asked to comment on the conclusions and recommendations contained
in the report it is common practice to include these responses in the report.
12.5.2 Determining the Message
From the beginning of the audit cycle, the auditor needs to keep in mind the significant issues
to be addressed. As evidence is gathered, the auditor may find:
• some issues relating to suspected weaknesses will disappear as it is found that there are no
significant management weaknesses;
• new issues will be discovered that had not been identified or anticipated previously; and
• other issues will remain because of their importance to the programme, irrespective of
whether the area is well managed or not.
Focusing on important issues from the start of the audit will ensure the auditor has a
meaningful report at its completion. This means keeping the most important conclusions
expected to result from the audit in perspective at all times.
The final audit report must present a clear message. A clear structure also helps the auditor
complete the report much faster. Sometimes it is helpful to develop a summary of the main
message prior to writing rather than the other way around.
12.5.3 Developing Conclusions and Recommendations of the Report
The report should convey the message that the auditor developed during the examination
phase of the audit. The report should place the findings in context, indicate the impact of what
has been observed, and indicate to management the corrective actions required to prevent
similar weaknesses occurring in the future.
The report should provide a general assessment of the strengths and weaknesses in the area
examined whilst avoiding exaggerated or unsubstantiated conclusions. Reports should be
based on facts and avoid including assumptions that cannot be substantiated.

Sometimes, it is worth dropping some audit findings if they are of much less significance than
the others, especially if they are controversial, or poorly substantiated, and of minor
importance in comparison with the main issues and concerns. Consideration should be given
to excluding minor findings where their inclusion might distract from the main messages to be
conveyed to entity management, Parliament and the public.
Conversely, where the auditor has an important message to convey, there need to be sufficient
supporting evidence and examples to strengthen the message.
12.5.4 Report Style
Reports should be written in a style that maintains the reader’s interest. The auditor should
avoid as far as possible including details in the body of the report that distract from the
message that is to be conveyed. Extensive definitions, detailed calculations, large numbers
given to the last dollar (“over 35 million rupees” is easier to read, and gets the message across
better, than “35,301,472 rupees”) and other distracting details can be placed as a footnote or
added as an appendix.
The use of active rather than the passive tense (“we found” rather than “it was found”) is
normally considered better writing style.
Report writing is not easy and auditors will often benefit from training and practice. Good
report writing capabilities and strong editing skills are a prerequisite for promotion to higher
positions within the DAGP.

Audit Manual

Uploaded by

Copyright:

Available Formats

Audit Manual

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Audit Manual

Uploaded by

Copyright:

Available Formats

Cowater File No. 00.

Project for Improvement of Financial Reporting and Auditing (PIFRA)

AUDIT COMPONENT No. 100

Financial Audit Manual

The Department of the Auditor-General of Pakistan

Cowater International Inc., Ottawa, Canada

1.1 Purpose of the Audit Manual

1.2 Types of audits dealt with

Regulatory audit embraces:

1.3 Audit entities dealt with

1.4 Accounting Responsibility Structure of the Government of

Audit Manual - Chapter 1 1-1

Departmental treasuries. Departmental treasuries are established to record specific accounting

1.5 Stages of audit work dealt with

1-2 Audit Manual - Chapter 1

1.7 Links to other guidance material

1.8 Standard audit working paper kit

1.8.1 Audit guidelines for specialised areas

1.9 Need for professional judgment

Audit Manual - Chapter 1 1-3

1-4 Audit Manual - Chapter 1

2.1 Parliamentary Control and Public Accountability

To ensure the administrative machinery of the government performs its functions in

2.2 Introduction to Auditing

2.3 Legislative Basis

Audit Manual - Chapter 2 2-1

In addition, Section 8 of the Auditor-General Ordinance mandates an audit of expenditures of

2.4 Vision, Mission and Values

The Vision of DAGP is to add value to public resources.

The Values held by DAGP are:

Excellence. DAGP strives for excellence in all of its activities.

2-2 Audit Manual - Chapter 2

Open communications. DAGP maintains open and timely communications with

Audit Manual - Chapter 2 2-3

3.2 Conditions of Employment

3.3 Code of Ethics

Concept, Background and Purpose of the Code of Ethics

Audit Manual - Chapter 3 3-1

Trust, Confidence and Credibility

3-2 Audit Manual - Chapter 3

Independence, Objectivity and Impartiality

Audit Manual - Chapter 3 3-3

3-4 Audit Manual - Chapter 3

3.4 Protection of the Auditor

Audit Manual - Chapter 3 3-5

4.1.2 The INTOSAI auditing standards consist of four parts.

4.1.6 The basic principles are:

d) Development of adequate information, control, evaluation and reporting systems

Audit Manual - Chapter 4 4-1

f) Consistent application of acceptable accounting standards should result in the fair

h) Legislative enactments would facilitate the co-operation of audited entities in

4.1.8 The basic auditing principles stipulate that:

a) The overall view given to the financial information;

b) The total of which it forms a part;

c) Associated terms and issues;

d) The corresponding amount in previous years.

4-2 Audit Manual - Chapter 4

4.1.14 The basic auditing principles stipulate that:

4.1.19 The basic auditing principles stipulate that: