5
AUDIT REPORT
Question 1
Write a short note on - Summary Written Report. (4 marks) (Final May 2000)
Answer
Summary written reports: These are known as flash reports. They are significant highlights
for immediate attention of top management. Generally suspected defalcations are reported
briefly to the appropriate management official on the 'flash' basis, often ending up in referral
for criminal investigation and legal action. It is common practice in number of companies of
issuing a report quite frequently summarising the various individual reports issued and
describing the range of their contents in a very brief and comprehensive manner where only
important points are highlighted. Such reports are primarily issued for audit committees of
Board of Directors and for other top level managers who do not have sufficient time to go
through the elaborate reports and matters which are required to be brought to their notice for
immediate action.
Question 2
(a) H.W.P. Private Ltd. is having only two members H and W. During the audit of accounts
for the year ended 31st March, 2000, you as auditor find that:
(i) H, who is incharge of purchases has introduced fictitious purchase bills of Rs.50
lakhs.
(ii) W, who is incharge of sales has sold goods worth Rs.1 crore without bringing the
same in the books of account.
You raise the matter with H and W in their capacity as directors. They contest that as
this is a position known to them and within their own fold, you should not report the same
under the Companies Act, 1956.
Discuss whether the above arguments are acceptable under the Companies Act, 1956 for
non-reporting. If not, state the reasons and the manner of reporting. (6 marks)
(b) Under the Manufacturing and Other Companies (Auditor’s Report) Order, 1988, an
auditor is required to report on the regularity of payment of Provident Fund and
Employees’ State Insurance dues.
Give alternative drafts of the report on this clause mentioning the circumstances of
reporting. (6 marks) (Final Nov 2000)
Advanced Auditing
106
Answer
(a) The arguments put forth by H and W, directors of H.W.P. Pvt. Ltd., for non-reporting of
fictitious purchases of Rs.50 lakhs and omission of recording of sales of Rs. 1 crore
under the Companies Act, 1956 are not acceptable in view of the following reasons:
(i) The scope of audit of a company is determined by provisions of the Companies Act,
1956. Even the terms of the engagement cannot restrict the scope of audit in
relation to matters which are prescribed by legislation. Corresponding to scope of
audit, even the rights of an auditor available under statute cannot be restricted. In
the case of Newton v. Birmingham Small Arms Co. (1895), it was held that any
regulation which precludes the auditors from availing themselves of all the
information to which they are entitled under the Companies Act are inconsistent with
the Act.
(ii) Section 227(2) provides that the duty of an auditor is to make a report to the
members of the company. In his report, the auditor has to state whether “in his
opinion and to the best of his information and according to the explanations given to
him”, the accounts “give a true and fair view in the case of the balance sheet, of the
state of the company’s affairs as at the end of its financial year and in the case of
the profit and loss account, of the profit or loss for its financial year”. Thus, the
primary duty of the auditor is to determine whether the balance sheet shows a true
and fair view of the state of the company’s affairs as at the end of the financial year
and whether the profit and loss account shows a true and fair view of the working
results of the company for the year.
(iii) The Companies Act, 1956 does not make any distinction between a private limited
company and a public limited company. Therefore, the fact that there are only two
members and they are fully aware of such transactions would not have any impact
as far as scope of audit is concerned. The decision in Pendleburys Ltd. vs. Ellis
Green and Co. (1936) holding the auditors not liable for not reporting separately to
the shareholders as the report had been given to the directors who are the sole
shareholders, will not hold good at present.
Therefore, in view of the above mentioned reasons, inflation of purchases (which in
this case is of Rs.50 lakhs) and omission of sales (which in this case is of Rs.1
crore) is bound to affect the true and fair view of the financial statements of the
company. It would, therefore, be obligatory on the part of auditor to report these
aspects in the audit report.
The following paragraph in the audit report under section 227 of the Companies Act,
1956 should be included:
“The purchases of Rs………. as reflected in the profit and loss account are
overstated by Rs.50 lakhs and sales of Rs………as reflected in the Profit and Loss
Account are understated by Rs.1 crore. This has had the effect of understating the
profits of the company by Rs.1.50 crores. On account of these discrepancies, the
Audit Report
107
current liabilities are overstated by Rs.50 lakhs, the current assets are understated
by Rs.1 crore and reserves are understated (before tax) by Rs.1.50 crores.”
Subject to the above, in our opinion and to the best of our information, the accounts
do not portray a true and fair view.
Notes:
(i) Having regard to materiality aspects, the auditor may qualify the audit report
instead of an adverse report which would involve usage of words “subject to
the above” as a prefix to qualification paragraph followed by the statement that
the accounts show a true and fair view.
(ii) The action of H and W in inflating purchases and deflating sales may have
effect on the stock positions reflected in the stock ledgers and on the physical
inventory. If it be so, it may also be essential to include appropriate remarks in
the report required to be issued under Manufacturing and Other Companies
(Auditor’s Report) Order, 1988.
(b) CARO 2003 issued under section 227(4A) of the Companies Act, 1956, requires the
auditor to report whether the company is regular in depositing Provident Fund or
Employees’ State Insurance (ESI) dues with the appropriate authority. The clause further
requires the auditor to indicate the extent of arrears if the same have not been deposited
regularly. The auditor has to report on the regularity of deposit of provident fund and
Employees’ State Insurance dues irrespective of the fact whether or not there are any
arrears on the balance sheet date. This is because there may be situations where a
company has deposited the relevant dues before the end of the year while it has been in
default in the matter for a significant part of the year. Statement on CARO issued by the
Institute states that, “while the auditor has to report upon the regularity of the deposit, he
is not required to specify in detail each instance where there has been a delay or the
extent of the delay. It should be sufficient if he indicates whether generally the deposits
have been regular or otherwise”. The following are examples of the wording which may
be used:
“Provident Fund/Employees’ State Insurance dues have generally been regularly
deposited with the appropriate authorities in all cases during the year”.
“Provident Fund/Employees’ State Insurance dues have generally been regularly
deposited with the appropriate authorities though there has been a slight delay in a few
cases”.
“Provident Fund/Employees’ State Insurance dues have not generally been regularly
deposited with the appropriate authorities though the delays in deposit have not been
serious”.
“Provident Fund/Employees’ State Insurance dues have not been regularly deposited
with the appropriate authorities and there have been serious delays in a large number of
cases”.
In case, where there are arrears, the following wording may be used:
Advanced Auditing
108
“Provident Fund/Employees’ State Insurance dues relating to the period …… and
aggregating to Rs…….. which had fallen due for deposit with the appropriate authorities
had not been so deposited as at …….. Out of these, Rs…….. have been deposited
subsequently”.
Question 3
Is the auditor of a company supposed to refer any paragraph in Director’s report in his own
report to the shareholders of the company? State your views in this regard.
(8 marks) (Final Nov 2000)
Answer
Section 217 of the Companies Act, 1956 specifies the contents to be included in the Board of
Directors’ report and states that there shall be attached to every balance sheet laid before a
company in general meeting, a report by its Board of Directors, with respect to:
(i) the state of the company’s affairs;
(ii) the amounts, if any, which it proposes to carry to any reserves in such balance sheet;
(iii) the amount, if any, which it recommends should be paid by way of dividend;
(iv) material changes and commitments, if any, affecting the financial position of the company
which have occurred between the end of the financial year of the company to which the
balance sheet relates and the date of the report;
(v) conservation of energy, technology absorption, foreign exchange earnings and outgo, in
such manner as may be prescribed.
The Board’s report shall also contain the material aspects relating to appreciation of the state
of company’s affairs and deal with important changes. The Board shall also be bound to give
the fullest information and explanation in its report aforesaid, or in case falling under the
proviso to Section 222, in an addendum to that report, on every reservation, qualification or
adverse remark in the auditors’ report.
Section 227 of the Act states that it is the duty of an auditor to make a report to the members
of the company on the accounts examined by him on every balance sheet and profit and loss
account, and every other document declared by this Act to be part of annexed to the balance
sheet or profit or loss account which are laid before the company in general meeting during his
tenure of office. Thus, as per section 227, the auditor is required to report only on those
documents which are part of or annexed to the Balance Sheet and Profit and Loss Account.
The subject matter of the auditor’s report is the books of account and the financial statements
including notes thereon and any other documents annexed thereto and not the Board’s Report
which as per section 217 is attached to balance sheet.
Section 222 of the Act dealing with construction of reference to documents annexed to
accounts also makes it clear that Board’s report is attached to the annual accounts.
Therefore, normally the auditors’ report does not cover authentication of various matters
contained in the Board’s report. This is despite the fact that the Board’s report contains many
matters as stated above, having a bearing on accounts and financial position of the company.
Audit Report
109
For example, the amount of proposed dividend, amount of depreciation, the net profit before
tax and net profit after tax are common items that are contained in the Board’s report.
However, proviso to section 222 requires that if any information which is required by this Act to
be given in the accounts, and is allowed by it to be given in a statement annexed to the
accounts, may be given in the Board’s report instead of in the accounts; and if any such
information is so given, the report shall be annexed to the accounts and this Act shall apply in
relation thereto accordingly, except that the auditors shall report thereon only in so far as it
gives the said information.
Question 4
On 30th September, 2000 a company’s issued and paid up capital was Rs.25 crores
comprising of fully paid equity shares of Rs.10 each. This included Rs.50,00,000 capital
issued for cash; Rs.4,50,00,000 capital issued for purchase of a business; Rs.20 crores on
issue of bonus shares from time to time by capitalising various reserves including Rs.5 crores
by capitalising capital redemption reserve.
The company had fixed assets costing Rs.2 crores on which depreciation provision was
Rs.1.95 crores, which was equal to the full cost of depreciable assets. The balance Rs.5
lakhs represented the cost of land. It has discontinued its operations for last many years.
The company had made investments in various companies to the tune of Rs.30 crores.
Unfortunately all these investee companies have turned out to be BIFR cases. Nothing is
expected to be realised on such investments. The company has dues from customers totalling
to Rs.4.95 crores of which Rs.4.90 crores are due from business which have become defunct.
The balance Rs.5 lakhs are due for over 3 years. The accumulated losses are Rs.10 crores.
The amounts due to suppliers are Rs.3 crores and they are overdue. The balancing figure in
the Balance Sheet refers to loan from Financial Institutions.
Workers who had put in long years of service have lodged claims for termination benefits of
Rs.10 crores, which have been decreed in their favour. No accounting entry has been passed
for the same since the decree on 1.1.1997. In the light of Statement on Auditing and
Assurance Standard – SA 570, relating to Going Concern, you are asked to write appropriate
paragraph of audit report.
Give reason for supporting your report. (8 marks) (Final Nov 2000)
Answer
SA 570 on “Going Concern” requires the auditor to consider the appropriateness of the going
concern assumption underlying the preparation of the financial statements which may no
longer be appropriate. The following indications inter alia have to be taken into consideration
in determining the appropriateness of the going concern assumption:
(i) Financial indications such as negative net worth, adverse key financial ratios, substantial
operating losses, inability to pay creditors on due dates, etc.
(ii) Operating indications such as labour difficulties, loss of major market, etc.
Advanced Auditing
110
(iii) Other indications include pending legal proceedings which may affect the concern
adversely, sickness of entity under statutory definition, etc.
Having regard to aforesaid indicators and as per the facts of the case, the company is
not a going concern as on September 30, 2000 on account of following reasons:
(i) The company has discontinued its operations for last many years. Its productive
fixed assets are fully depreciated. The only productive asset left is land worth of
Rs.5 lakhs.
(ii) The claim of workers for termination benefits amounting to Rs.10 crores though
decreed on January 1, 1997 has not been provided for in the books of account.
(iii) The amounts recoverable from customers totalling Rs.4.95 crores of which Rs.4.90
crores are due from businesses which are totally defunct are doubtful of recovery in
its entirety. Even the balance amount is due for more than three years. Hence, the
entire amount is doubtful of recovery.
(iv) The company has not been able to pay to its suppliers amounting to Rs.3 crores
which are overdue.
(v) The company’s investment to the tune of Rs.30 crores are not realisable and are
worthless in view of the fact that all investor companies have turned sick.
(vi) The balance figure for term loan from financial institutions works out to be Rs.17
crores as per records even which the company is unable to pay.
Thus, in view of the aforesaid financial, operating and other indicators, the assumption of
going concern is not appropriate.
Paragraph in the Audit Report: “The company as at September 30, 2000 has an
accumulated loss of Rs.10 crores, has irrecoverable debts of Rs.4.95 crores as at that
date, the diminution in value of its investments is of Rs.30 crores as at that date and a
non-provision of decreed obligations in favour of employees of Rs.10 crores. The
company has discontinued its operations for last many of years and has not been able to
honour its obligation to creditors and financial institutions for quite some time. Thus, total
accumulated losses are Rs.54.9 crores (and not as……… reported).
After taking into account the above factors we are of the opinion that the company is not
a going concern as at September 30, 2000 and, thus, the usage of going concern
assumption in the preparation of financial statements is inappropriate.
In our opinion, subject to the information given in preceding paragraph, the financial
statements do not give a true and fair view of the financial position of the company at
September 30, 2000 and the results of its operations for the year then ended”.
Note:The Companies (Amendment) Act, 2000 also requires that the auditor’s report shall
also state in thick type or in italics the observation or comments of the auditors which
have any adverse effect on the functioning of the company.
Audit Report
111
Question 5
As an auditor, state your view on the following:
The Statutory Auditors of a Government Company have issued a qualified Audit Report on the
accounts of the company. In his supplementary audit, the Comptroller and Auditor General of
India (C and AG) has also made further qualifications on the accounts of the company.
But the report of the Board of Directors of the Company is silent on the comments of statutory
auditors and those of C and AG. (5 marks) (Final May 2002)
Answer
Board’s Report and Qualifications in the Auditor’s Report: Section 217(3) of the
Companies Act, 1956 imposes a duty on the Board of directors of a company to give the
fullest information and explanations in the Directors’ report regarding every reservation,
qualification or adverse remarks contained in the auditor’s report. The remarks of the Board
on the auditor’s report are to be given as addendum to the report and are to form part of the
main body of the report as per section 217(3). Hence there is failure on the part of the Board
of directors in not having offered its explanation on the reservations, qualifications or adverse
remarks made in the auditor’s report.
However in the absence of similar provisions in section 217(3) of the Companies Act, 1956
requiring the company to give their reply on the reservations, qualifications etc. contained in
the supplementary audit report made by the C&AG, the Board of Directors of such a company
is not bound to give information or explanation in respect of such comments. Therefore, in the
absence of any legal provision, the Board, has not committed any default by not giving any
explanation on comment of the C&AG.
Question 6
Write short notes on the following:
(a) Propriety elements in MAOCARO, 1988
(b) Audit Certificate as distinguished from Audit Report (Final May 2002)
(c) Disclosure under “Basis of Issue Price” in prospectus. (4x3=12 marks)(Final May 2006)
Answer
(a) Propriety Elements in MAOCARO, 1988: Propriety audit stands for verification of
transactions on the tests of public interest, commonly accepted customs and standards
of conduct. Instead of too much dependence on documents, vouchers and evidence, it
shifts the emphasis to the substance of transactions and looks into the appropriateness
thereof on a consideration of financial prudence, public interest and prevention of
wasteful expenditure. Normally speaking, the company audit under section 227 of the
Companies Act, 1956 does not contain an element of propriety. However, with the
passage to time, the legislature has incorporated several clauses which involve an
element of propriety. MAOCARO, 1988 issued under Section 227(4A) of the Companies
Act, 1956 contains following clauses involving propriety element:
Advanced Auditing
112
(a) If the company has taken any loan, secured or unsecured, from other companies, or
other parties listed in the registers maintained under sections 301 and 370 (1C) of
the Companies Act, whether the rate of interest and the terms and conditions of
such loans are prima facie prejudicial to the interests of the company. In this case,
the auditor will have to look into the reasonableness of the rate of interest and the
terms and conditions of such loans. In other words, he will have to see whether the
terms and conditions, including the rates of interest are apparently adverse to the
interests of the company, having regard to the circumstances of the company at the
time of taking the loans and the terms normally available. He is to exercise his
judgement based on commercial considerations like urgency, security offered, etc.
[Note: Students may note that the MAOCARO, 1988 has been superceded by the
Companies (Auditor’s Report), Order, 2003. The above answer is based on
MAOCARO, 1988]
(b) If the company has granted any loans, secured or unsecured, to companies, firms
or other parties listed in the register(s) maintained under section 301 and/or to the
companies under the same management as defined under sub-section (1B) of
Section 370 of the Companies Act, 1956 (1 of 1956), whether the rate of interest
and other terms and conditions of such loans are prima facie prejudicial to the
interests of the company
(c) Whether the transactions of purchase of goods and materials and sale of goods,
materials and service, made in pursuance of contracts or arrangements entered in
the register(s) maintained under section 301 of the Companies Act, 1956 (1 of
1956) aggregating during the year to Rs.50,000 (Rupees fifty thousand) or more in
respect of each party, have been made at prices which are reasonable having
regard to prevailing market prices for such goods, materials, or services or the
prices at which transactions for similar goods or service have been made with other
parties.
(d) Is the company regular in depositing Provident Fund and Employees’ State
Insurance dues with the appropriate authority and if not, the extent of arrears of
Provident Fund an employees' State Insurance dues shall be indicated by the
auditor. [Paragraph 4(A) (vii)].
(e) Whether personal expenses have been charged to revenue account; if so, the detail
thereof should be reported.
(b) Audit Certificate as distinguished from Audit Report: A certificate is a written
confirmation of the accuracy of the facts stated therein and does not involve any estimate
or opinion. The term ‘certificate’ is, therefore, used where the auditor verifies the
accuracy of facts. An auditor may thus, certify the circulation figures of a newspaper or
the value of imports or exports of a company. An auditor’s certificate represents that he
has verified certain figures and is in a position to vouchsafe their accuracy as per his
examination of documents and books of account. A report, on the other hand, is a formal
statement usually made after an enquiry, examination or review of specified matters
under report and includes the reporting auditor’s opinion thereon. Thus, when a reporting
Audit Report
113
auditor issues a certificate, he is responsible for the factual accuracy of what is stated
therein. On the other hand, when a reporting auditor gives a report, he is responsible for
ensuring that the report is based on factual data, that his opinion is in due accordance
with facts, and that it is arrived at by the application of due care and skill. The ‘report’
involves expression of opinion which may differ from one professional to another. There
is no question of exactitude in case of a report since the information contained therein is
based on estimates and involves judgement element.
(c) Disclosures under ‘Basis of Issue Price’: Under this heading, the following information
is to be disclosed:
(i) (a) Earnings per share, i.e., EPS pre-issue for the last three years (as adjusted for
changes in capital);
(b) P/E pre-issue and comparison thereof with industry P/E where available (giving
the source from which industry P/E has been taken);
(c) Average return on net worth in the last three years;
(d) Minimum return on the increased net worth required to maintain pre-issue
EPS;
(e) Net Asset Value per share based on last balance sheet;
(f) Net Asset Value per share after issue and comparison thereof with the issue
price.
Provided that projective earnings shall not be used as a justification for the issue
price in the offer document.
(ii) The accounting ratios disclosed in the offer document in support of basis of the
issue price shall be calculated after giving effect to the consequent increase of
capital on account of compulsory conversions outstanding, as well as on the
assumption that the options outstanding, if any, to subscribe for additional capital
will be exercised.
Question 7
Answer the following:
(a) Mention the difference between ‘report’ and ‘certificate.’ (4 marks)
(b) What are the contents of reports and certificates for special purposes? (6 marks)
(c) What are the reporting requirements for closing stocks in the Manufacturing and other
Companies (Auditors Report) Order, 1988? (6 marks) (Final Nov 2002)
Answer
(a) Difference Between Report and Certificate: A certificate is written confirmation of the
accuracy of the facts stated therein and does not involve any estimate or opinion. A
report on the other hand, is a formal statement usually made after an enquiry,
examination or review of specified matters under report and includes the reporting
Advanced Auditing
114
auditor’s opinion thereon. These words are fundamentally distinct from each other.
Etymologically, the word ‘certificate’ is derived from Latin words certus (Certain) and
facere (to make). So, the certificate connotes verification of certain and exact facts.
However, the rendition of this type of statement is an impossible task and the auditor’s
duty indeed becomes onerous. The dictionary meaning of the word ‘report’ refers to
formal account of results after an enquiry, examination or review given by an authorised
person or group of reasons.
In other words, when a certificate is issued, the auditor is responsible for the factual
accuracy of what is contained therein. However, when a report is given, the auditor is
responsible for ensuring that the report is based on factual data, that his opinion is in due
accordance with facts and that it is arrived at by the application of due care and skill.
(b) Contents of Reports and Certificates for Special Purposes: The contents of reports
and certificates for special purposes in many cases are specified by statute and cannot
be changed. However, in cases where no format has been specified, the reporting
auditor can choose the form and contents. In such cases, where a reporting auditor is
free to draft his report or certificate, he should consider the following:
(i) Specific elements, accounts or items covered by the report or certificate should be
clearly identified and indicated.
(ii) The report or certificate should indicate the manner in which the audit was
conducted, e.g., by the application of generally accepted auditing practices, or any
other specific tests.
(iii) If the report or certificate is subject to any limitations in scope, such limitations
should be clearly mentioned.
(iv) Assumptions on which the special purpose statement is based should be clearly
indicated if they are fundamental to the appreciation of the statement.
(v) Reference to the information and explanations obtained should be included in the
report or certificate. In certain cases apart from a general reference to information
and explanations obtained, a reporting auditor may also find it necessary to refer in
his report or certificate to specific information or explanations on which he has
relied.
(vi) The title of the report or certificate should clearly indicate its nature, i.e., whether it
is a report or a certificate. Similarly, the language should be unambiguous, i.e., it
should clearly bring out whether the reporting auditor is expressing an opinion (as in
the case of a report) or whether he is only confirming the accuracy of certain facts
(as in the case of a certificate). For this, the choice of appropriate words and
phrases is important.
(vii) If the special purpose statement is based on general purpose financial statements,
the report or certificate should contain a reference to such statements. However, the
report or certificate should not contain a reference to any other statement unless the
same is attached therewith. It should be clearly indicated whether or not the
Audit Report
115
statutory audit of the general purpose financial statements has been completed and
also, whether such audit has been conducted by the reporting auditor or by another
auditor. In case the general purpose financial statements have been audited by
another auditor, the reporting auditor should specify the extent to which he has
relied on them. He may communicate with the statutory auditor for securing his
cooperation and in appropriate circumstances, discuss relevant matters with him, if
possible.
(viii) Where a report requires the interpretation of a statute, the reporting auditor should
clearly indicate the fact that he is merely expressing his opinion in the matter. He
should take sufficient care to ensure that in respect of matters which are capable of
more than one interpretation, his report is not misconstrued as representing a
settled legal position.
(ix) An audit report or certificate should ordinarily be a self-contained document. It
should not confine itself to a mere reference to another report or certificate issued
by the reporting auditor but should include all relevant information contained in such
report or certificate.
(x) The reporting auditor should clearly indicate in his report or certificate, the extent of
responsibility which he assumes. Where the statement on which he is required to
give his report or certificate, includes some information which has not been audited,
he should clearly indicate in his report or certificate the particulars of such
information.
In certain cases, the form and/or contents of the report or certificate, as prescribed
by a statute or a notification, may not be appropriate or adequate. In such
situations, the reporting auditor may consider modifying the report or certificate on
the basis of the aforesaid parameters, to the extent applicable. In case this is not
possible, he should clearly indicate the limitations in his report or certificate itself.
(c) Reporting Requirements for Closing Stocks Under MAOCARO, 1988: The auditor
has to make four specific statements on verification and valuation of closing stocks under
MAOCARO, 1988 issued under section 227(4A) of the Companies Act, 1956. The order
requires the auditor to state “whether physical verification has been conducted by the
management at reasonable intervals in respect of finished goods, stores, spare parts and
raw materials”. Secondly, the auditor has to state, “Are the procedures of physical
verification of stocks followed by the management reasonable and adequate in relation to
the size of the company and the nature of its business? If not, the inadequacies in such
procedures should be reported”. Further, “whether any material discrepancies have been
noticed on such verification as compared to book records, and if so, whether the same
have been properly, dealt with in the books of account”. Finally, “whether the auditor is
satisfied on the basis of his examination of stocks that such valuation is fair and proper in
accordance with the normally accepted accounting principles. Is the basis of valuation of
stocks same as in the preceding year? If there is any deviation in the basis of valuation,
the effect of such deviation, if material, should be reported”.
Advanced Auditing
116
The comment on the reasonableness and adequacy of the stock verification procedures
requires that the auditor should examine the methods and procedures of such verification
and may if considered appropriate by him, be also present at the time of stock-taking.
He should, in any case, examine the instructions given by the management to the stocktaking
personnel (which should preferably be in writing). Where stocks are material and
the auditor is placing reliance on the physical verification by the management, it may be
appropriate for the auditor to attend stocktaking and perform test counts. He should
ascertain whether the cut-off procedures are adequate. The original physical verification
sheets should be reviewed and selected items traced into final inventories, which in turn
should be compared with stock records and other evidence such as stock statements
submitted to banks. The procedures for identifying damaged and obsolete items of
inventory should be reviewed. While commenting on this clause, the auditor should point
out the specific areas where the procedures are not reasonable or adequate.
The auditor should look carefully into all material discrepancies between the book stocks
and physical and physical inventories to examine whether the same have been properly
adjusted in the books of account.
The auditor has also state whether the valuation of stocks is fair and proper in
accordance with the normally accepted accounting principles. To determine what
constitute the normally accepted accounting principles regarding valuation of stock, one
may refer to Accounting Standard 2. This standard provides that, in general, inventories
should be valued at the lower of historical cost and net realisable value.
[Note: Students may note that the MAOCARO, 1988 has been superceded by the
Companies (Auditor’s Report), Order, 2003. The above answer is based on
MAOCARO, 1988]
Question 8
What is your understanding of the term “true and fair view” in a statutory audit report of a
company? (8 marks) (Final May 2003)
Answer
Meaning of Expression “True and Fair View”: The requirements of the Companies Act,
1956 are that the auditor should specifically express an opinion whether the published
accounts give a true and fair view of the company's state of affairs and of the profit and loss
for the financial year. What constitutes a ‘true and fair view’ has not been defined in the Act.
Sub-sections (1) and (2) of section 211 merely require that every balance sheet and profit and
loss account of a company shall give a true and fair view of the state of affairs and profit or
loss of the company and shall comply with the requirements of Schedule VI to the Companies
Act, 1956 so far as they are applicable. Sub-section (5) of this section implies that the
balance sheet and the profit and loss account of a company shall be deemed as not showing a
true and fair view, if they do not disclose any matters which are required to be disclosed by
virtue of the provisions of Schedule VI or by virtue of a notification or an order of the central
government modifying the disclosure requirements. It is clear that the auditor will have to
examine whether the financial statements are drawn up in conformity with the provisions of
Audit Report
117
Schedule VI and whether they contain the matters required to be disclosed therein. Thus, one
of the tests for determining whether or not the financial statements show a true and fair view is
to check whether all relevant disclosures as required be the governing Act have been properly
made.
The phrase ‘true and fair’ in the auditor’s report signifies that the auditor gives an opinion as to
whether the financial statements represent fairly the actual financial position as at the end of
the accounting period and profit or loss for that period. SA 200A, “Objective and Scope of the
Audit of Financial Statements” states that, “in forming his opinion on the financial statements,
the auditor follows procedures designed to satisfy himself that the financial statements reflect
a true and fair view of the financial position and operating results of the enterprise. The auditor
recognises that because of the test nature and other inherent limitations of an audit, together
with the inherent limitations of any system of internal control, there is an unavoidable risk that
some material misstatement may remain undiscovered. While in many situations the discovery
of a material misstatement by management may often arise during the conduct of the audit,
such discovery is not the main objective of audit nor is the auditor’s programme of work
specifically designed for such discovery. The audit cannot, therefore, be relied upon to ensure
the discovery of all frauds or errors but where the auditor has any indication that some fraud or
error may have occurred which could result in material misstatement, the auditor should
extend his procedures to confirm or dispel his suspicions.” What constitutes a true and fair
view is, thus, a matter of an auditor’s judgement in the particular circumstances of a case.
However, the following general guidelines may be laid down in this regard.
(a) The balance sheet and the profit and loss account should be drawn up in conformity with
the requirements of the Companies Act or those of the specific Acts governing certain
classes of companies.
(b) Relevant information should be so disclosed in the balance sheet and the profit and loss
account that the financial position and the working results are shown as they are, i.e.
there is neither an overstatement nor an understatement. There should be no windowdressing;
the balance sheet and the profit and loss account should not attempt to show a
better picture than what it is in reality. Similarly, there should be no secret reserves
(unless the statute specifically permits the creation of such reserves).
(c) All material facts regarding expenses, revenues, assets and liabilities of the company
should be disclosed. There should be no misstatement.
(d) All unusual, exceptional, or non-recurring items should be disclosed separately.
(e) The balance sheet and the profit and loss account should be prepared and presented in
conformity with the generally accepted principles of accounting. Such principles should
be consistently applied. The effect of a change in these principles should be suitably
disclosed.
(f) The auditor should examine the situation as it exists at the end of the accounting period.
If certain subsequent events help the auditor in making a better assessment of the
position as at the date of the balance sheet, the auditor should take such events into
account.
Advanced Auditing
118
(g) The financial statements should convey the required information clearly. As has been
held in many legal cases, information and means of information are by no means
equivalent terms. A person whose duty it is to convey information to others does not
discharge that duty by simply giving them so much of information as is calculated to
induce them, or some of them, to ask for more.
Question 9
Distinguish with suitable examples - Between a case where an auditor is obliged to state in his
report to the members of a company that the accounts do not show a true and fair view, and a
case where he states that he is unable to form an opinion as to whether or not the accounts
give a true and fair view. (8 mark) (Final Nov 2003)
Answer
Adverse Report and Disclaimer of Opinion: SA 200 “ Basic Principles Governing an Audit”
states that the audit report should contain a clear written expression of opinion on the financial
information. In order to express such an opinion, the auditor should review and assess the
conclusions drawn from the audit evidence obtained by him. This review and assessment
involves forming an overall conclusion as to whether:
(a) the financial information has been prepared using acceptable accounting policies, which
have been consistently applied;
(b) the financial information complies with relevant regulations and statutory requirements;
(c) the view presented by the financial information as a whole is consistent with the auditor’s
knowledge of business environment; and
(d) there is adequate disclosure of all matters relevant to the proper presentation of financial
information.
The opinion expressed by an auditor may be unqualified, adverse, qualified or a
disclaimer of opinion depending upon the degree of satisfaction of the auditor about the
overall truth and fairness of the financial statements.
An adverse opinion should be expressed when the effect of a disagreement is so
material and pervasive to the financial statements that the auditor concludes that a
qualification of the report is not adequate to disclose the misleading or incomplete nature
of the financial statements. Such an opinion is issued when the effect of disagreement is
so material and pervasive to financial statements that the auditor concludes that a
qualification of his report is not adequate to disclose the misleading or incomplete picture
of the financial statements. This conclusion can be reached by the auditor in an extreme
case where there had been flagrant violation of the accounting principles or evidence is
not available for material transactions or within the knowledge of the auditor there exists
material concealment or misstatement about financial affairs. He must have strong and
convincing evidence in favour of his conclusion. It should be appreciated that this opinion
is also an overall opinion and owes direct relationship to the portrayal of the financial
position in the accounting statements. If one or two illegal transactions of not much
significance have taken place and they have been fairly presented and disclosed in the
Audit Report
119
accounting statements, it can not be held that the accounting statements are not true and
fair. They are true and fair subject to the illegality already disclosed. The audit report
stating that the accounts do not show a true and fair view is indeed an extreme and rare
case. In case an auditor has to report to that effect, there must exist reservations on the
accounts affecting materially the accounts taken as a whole. The reservation should not
be such that it only partially affects the accounts. Also, mere reservation in the mind of
the auditor is not enough, he must have convincing and definite evidence to state that the
accounts are so materially irregular that they do not show a true and fair view.
SA 700, “The Auditor’s Report on Financial Statements” requires that a disclaimer of
opinion should be expressed when the possible effect of a limitation on scope is so
material and pervasive that the auditor has not been able to obtain sufficient appropriate
audit evidence and is, accordingly, unable to express an opinion on the financial
statements. A limitation may be imposed by circumstances, for example, when the timing
of the auditor’s appointment is such that the auditor is unable to observe the counting of
physical inventories. It may also arise when, in the opinion of the auditor, the entity’s
accounting records are inadequate or when the auditor is unable to carry out an audit
procedure believed to be desirable. In these circumstances, the auditor would attempt to
carry out reasonable alternative procedures to obtain sufficient appropriate audit
evidence to support an unqualified opinion. This would also be the case when internal
control is so weak as to prevent the auditor from putting any reliance on the accounts.
Therefore, to be fair and just, he should state that he is unable to form an opinion as to
whether or not accounts give a true and fair view, for example, when the auditor was not
able to examine a substantial part of the books of accounts because they were in police
custody. In both the situations, the auditor should give also his reasons for the report he
makes. Instances in which the auditor faces limitations on the scope of his work, it is
appropriate for him to state that he has not been able to form an opinion.
Question 10
Write a short note on - Reporting on the compilation engagement. (4 marks) (Final Nov 2003)
Answer
Reporting on the Compilation Engagement: The objective of a compilation engagement is
to use accounting expertise, as opposed to auditing expertise, to collect, classify and
summarise financial information, This ordinarily entails reducing detailed data to a
manageable and understandable form without the requirement to test the assertions
underlying that information. The procedures employed are not designed and do not enable the
member to express any opinion on the financial information. Therefore, it is essential that the
member clearly brings out the nature of association with the financial statement and the nature
of the work performed by him. The following may be noted in this regard.
i. The title of the report should be “Accountant’s Report on Unaudited Financial Statement
and not An Auditor’s Report”.
ii. The report should be addressed to the appointing authority.
Advanced Auditing
120
iii. The report should identify the financial information compiled, also stating that it is based
on the information provided by the management.
iv. The report should clearly state that the financial statements are not audited.
v. In describing the engagement, ambiguous terms such as review, general review, check,
etc. should not be based.
vi Date of the report should be mentioned.
vii Name and address of the firm of the member appointed for carrying out the compilation
engagement should be mentioned.
viii Signature and the designation (sole proprietor/ partner) and membership number should
appear in the report.
Question 11
As Chartered Accountant you are required to give your reports on various financial statements
under Companies Act, 1956 which are as under:
(i) Report to the shareholders under Section 227;
(ii) Report to be set out in prospectus under Section 60(3);
(iii) Report to be given to the Central Government as special auditor under Section 233A;
(iv) Report to be given on voluntary winding up under Section 488(1).
Explain the significance of each of these reports and your functional approach very briefly.
(8 marks) (Final May 2004)
Answer
Auditor’s report on the Companies Act, 1956 (the Act)
(i) Report to Shareholders U/s 227: Section 227 of the Act lays down powers and duties of
the auditor. Sub-sections (2), (3), (4) and (4A) of Section 227 deal with reporting
requirements. Sub-section (2) states that the auditor of a company shall make a report to
the members on the accounts examined by him and on every balance sheet and profit
and loss account which are laid before company in general meeting during the tenure of
his office. The significance of the report lies in the fact that it requires that the report
shall state whether in his opinion and to the best of his information and according to the
explanations given to him the said accounts give the information required by the Act in
the manner so required and give a true and fair view.
The functional approach by the auditor for making a report u/s 227 of the Act, requires
him to perform compliance and substantive audit procedures to verify the information
contained in the financial statements. Having regard to the materiality of the items
involved, the auditor also determines whether the relevant information is properly
disclosed in the financial statements.
(ii) Report to be set out in the prospectus u/s 60(3): Section 60(3) of the Act provides that
a prospectus should be accompanied inter alia by the consent in writing of the person
Audit Report
121
named therein as the auditor of the company or intended company, to act in that
capacity. Part II of Schedule II to the Act prescribes the reports to be set out in a
prospectus. The report contains particulars about profit and losses of the company for
five preceding year, assets and liabilities, rates of dividend, etc. The significance of the
report lies in the fact that a prospectus is issued by a company when it seeks to raise
funds from the public and gives detailed information about the company to enable
prospective investors to take a well-informed decision. The functional approach on the
part of auditor involves obtaining information from the management, particularly, in
respect of estimation of current and future profits. He has to also ensure that all
adjustments have been made properly.
(iii) Special Audit Report U/s 233A: Under section 233A of the Act, the Central Government
has a power to order a special audit of the accounts of a company for a specified period.
An order to conduct special audit of the accounts of a company may be made where the
Central Government is of the opinion that:
(a) the affairs of the company are not being managed in accordance with sound
business principles or prudent commercial practices; or
(b) the company is being managed in a manner likely to cause serious injury or damage
to the interests of the trade, industry or business to which it pertains; or
(c) the financial position of the company is such as to endanger its solvency.
The main objective of such an audit is to provide a critical review of the company’s
working and state of affairs to the government. Special audit should be distinguished
from ‘investigation’ into the affairs of a company under section 235 of the Act. The
special auditor has the same powers and duties which a company auditor has under
section 227 of the Act, with the difference, however, the instead of making his report to
the members of the company, the special auditor makes the report to the central
government. The special audit report should, as far as possible, include all the
information required to be included in an audit report under section 227 of the Act.
However, the central government may direct that the special audit report shall also
include a statement on any other matter referred to the special auditor by the
government.
(iv) Report on the accounts prepared on voluntarily winding up u/s 488 (1): Section
488(1) of the Act requires that where it is proposed to wind up a company voluntarily, its
directors, or in case the company has more than two directors, the majority of the
directors, may at a meeting of the Board, make a declaration verified by an affidavit, to
the effect that they have made a full inquiry into the affairs of the company, and that,
having done so, they have formed the opinion that the company has no debts, or that it
will be able to pay its debts in full within such period not exceeding three years from the
commencement of the winding up as may be specified in the declaration. Such
declaration has to be accompanied by a copy of the report of the auditors of the company
(prepared, as far as circumstances admit, in accordance with the provisions of this Act)
on the profit and loss account of the company for the period commencing from the date
up to which the last such account was prepared and ending with the latest practicable
Advanced Auditing
122
date immediately before the making of the declaration and the balance sheet of the
company made out as on the last mentioned date and also embodies a statement of the
company’s assets and liabilities as at the date.
Question 12
Bring out the significance of the following two illustrative paragraphs found in the statutory
auditor’s report in recent days.
(i) Opening Paragraph:
“We have audited the attached Balance Sheet of …….. as at 31st March, 2xxx and also
the Profit and Loss Account for the year ended on that date annexed thereto. These
financial statements are the responsibility of the company’s management. Our
responsibility is to express an opinion on these financial statements”. (4 marks)
(ii) Scope Paragraph:
“We conducted our audit in accordance with the auditing standards generally accepted
in India. Those standards require that we plan and perform the audit to obtain
reasonable assurance whether the financial statements are free of material statement.
An audit includes examining, on a test basis, evidence supporting the amounts and
disclosures in financial statements. An audit also includes assessing the accounting
principles used and significant estimates made by management, as well as evaluating
the overall financial presentation. We believe that our audit provides a reasonable basis
for our opinion.” (4 marks) (Final Nov 2004)
Answer
(i) Opening Paragraph: The opening or introductory paragraph identifies the financial
statements of the entity that have been audited, including the date of and period covered
by the financial statements. Further, the significance of ‘opening paragraph’ is to bring to
the notice of the users of financial statements that preparation of the accounts is the
responsibility of the management of the enterprise, whereas the responsibility of the
auditor is to express an opinion on the said accounts based on audit carried out by him.
The preparation of such statements requires management to make significant accounting
estimates and judgements, as well as to determine the appropriate accounting principles
and methods used in preparation of the said statements.
(ii) Scope Paragraph: The significance of ‘scope paragraph’ is to inform the users about the
practices and procedures followed in conduct of audit by the auditor. The auditor states
in this paragraph that the audit was planned and performed in accordance with generally
auditing standards generally accepted in India. The auditor also states that the audit
provides a reasonable basis for his opinion. The significance of this paragraph lies in
the fact that auditor wishes to convey to readers about the scope of audit by highlighting
the nature and process of audit. The test check approach of audit adopted by the auditor
in performing his work as also the significant aspect of evaluation of accounting
principles and accounting estimates is also clarified. The basic objective of auditing that
Audit Report
123
the auditor provides only “reasonable assurance” is emphasised in this paragraph. In a
way, such a statement signifies inherent limitations of audit.
Question 13
Write a short note on - Certificate for Special Purpose vs. Audit Report. .
(4 marks) (Final Nov 2004)
Answer
Certificate for Special Purpose vs. Audit Report: A certificate is a written confirmation of
the accuracy of the facts stated therein and does not involve any estimate or opinion.
Government authorities may under various statutes or notifications, require reports or
certificates from auditors in support of statements or other information prepared by an
enterprise. Reports or certificates on specific matters may also be required from auditors by
an enterprise, for its own special purposes. These reports or certificates to specific
requirements of the individual users is unlike a ‘general purposes report’ e.g. an auditor’s
report on financial statements which is intended for general use. A report, on the other hand,
is a formal statement usually made after an enquiry, examination or review of specified
matters under report and includes the reporting auditor’s opinion thereon. Thus, when a
reporting auditor issues a certificate, he is responsible for the factual accuracy of what is
stated therein, e.g., certification of export turnover, etc. On the other hand, when the reporting
auditor gives the report, he is responsible for ensuring that the report is based on factual data,
that his opinion is in due accordance with facts, and that it is arrived at by the application of
due care and skill.
Question 14
(a) A Pvt. Ltd. is incorporated on 1st July, 2004. During the year ended 31st March, 2005, it
had issued shares (fully paid up) of Rs. 40 lakhs, had borrowed Rs. 7.5 lakhs each from
2 financial institutions and its turnover (Net of excise Rs. 50 lakhs which is credited to a
separate account) is Rs.475 lakhs. Will Companies Auditors Report Order, 2003 (CARO)
be applicable to A Pvt. Ltd.? (4 marks)
(b) As the statutory auditor of B Ltd. to whom CARO, 2003 is applicable, how would you
report in the following situations?
(i) The company has stood guarantee to its sister concern, whose financial condition
was not healthy for a sum of Rs. 20 lakhs borrowed from a bank.
(ii) Physical verification of only 50% (in value) of items of inventory has been conducted
by the company. The balance 50% will be conducted in next year due to lack of
time and resources.
(iii) Accumulated losses of the company are 50.9% of its net worth and it is incurring
continuous cash losses since last 2 years. (4 × 3 = 12 marks) (Final May 2005)
Advanced Auditing
124
Answer
(a) The Companies (Auditor’s Report) Order (CARO), 2003, exempts private limited
companies from its application which fulfils all the following conditions:
(i) the paid up capital and reserves are Rs.50 lakhs or less;
(ii) it has not accepted any public deposits;
(iii) it has no outstanding loan of Rs.10 lakhs or more from any bank or financial
institution; and
(iv) its turnover does not exceed Rs.5 crores.
In the case of M/s A Pvt. Ltd., its paid-up capital is less than Rs.50 lakhs, turnover is less
than Rs. 5 crores since excise duty is not taken into account if it is credited separately to
excise duty account; and, it is also implied from the facts that it has not accepted any
public deposits. However, it fails to fulfil condition relating to outstanding loan because
as per the statement on CARO, 2003, issued by the Institute requires that the amount of
outstanding loan taken from bank/financial institution have to be considered on a
cumulative basis. M/s A Pvt. Ltd. has total borrowings of Rs. 15 lakhs and thus fails to
satisfy all conditions and accordingly CARO, 2003 will be applicable.
(b) (i) Para 4(xv) of CARO, 2003 requires the auditor to state in his report whether the
company has given any guarantee for loans taken by others from bank or financial
institutions, the terms and condition whereof are prejudicial to the interests of the
company. The auditor should examine the Memorandum of Association to
determine whether the company has the power to give guarantee. The auditor
should also examine the minute book and register of guarantee to ascertain whether
guarantee has been issued under the sanction of competent authority. The auditor
should also verify compliance with requirements of sections 295 and 372A of the
Companies Act, 1956. It should also be ensured that the guarantee given is shown
as contingent liability.
In determining whether the guarantee is prejudicial to the interest of the company,
the auditor should consider financial standing of the party, nature of security
offered, etc. In this case, since financial condition of the company on behalf of
whom guarantee is given is not so good, the auditor may consider expressing an
opinion that the terms and conditions on which the company has given guarantees
for loans taken by the sister concern, i.e., M/s B Ltd., is prejudicial to the interests of
the company.
(ii) Para 4(ii)(a) of CARO, 2003 requires the auditor to state in his report whether
physical verification of inventory has been conducted at reasonable interval by the
management. Physical verification of inventory is the responsibility of the
management which should verify all material items at least once in a year and more
often in appropriate cases. The auditor in order to satisfy himself about verification
at reasonable intervals should examine the adequacy of evidence and record of
verification. In the given case, the above requirement of CARO, 2003 has not been
Audit Report
125
fulfilled as such and the auditor should point out the specific areas where he
believes the procedure of inventory verification is not reasonable. He may consider
the impact on financial statement and report accordingly.
(iii) Para 4(x) of CARO, 2003 requires the auditor to state in his report in respect of a
company which is in existence for more than 5 years from the date of registration:
(a) whether the accumulated losses at the end of the year are more than 50% of
its net worth; and
(b) whether it has incurred cash losses during the current year and the
immediately preceding financial year.
In the instant case, since the company is covered by the above requirements, there
are symptoms of potential sickness and, thus, auditor should report the same. It is,
however, to be assumed that the company is in existence for more than 5 years.
(Note: Students may note that the CARO, 2003 has been amended by the
Companies (Auditor’s Report) (Amendment) Order, 2004 which is effective for all
audit reports issued on or after November 25, 2004. While answering this question,
the position as contained in the original CARO, 2003 has been considered.)
Question 15
Answer the following:
(a) What are the statements of facts that an auditor has to report u/s 227 of the Companies
Act, 1956? (4 marks)
(b) Illustrate, as a statutory auditor, how would you give a report where all qualifications are
not quantifiable. (4 marks)
(c) Under CARO, 2003 how, as a statutory auditor would you comment on the following:
(i) Fixed assets comprising 1/3rd of the total assets have been disposed off during the
year. (4 marks)
(ii) A Term Loan was obtained from a bank for Rs.75 lakhs for acquiring R&D
equipment, out of which Rs.12 lakhs was used to buy a car for use of the concerned
director, who was overlooking the R&D activities. (4 marks)(Final Nov 2005)
Answer
(a) Statements of facts u/s 227 of the Companies Act, 1956: Section 227 of the Companies
Act, 1956, deals with contents of the audit report. Some of these aspects on which the
auditor is required to report which constitute statements of fact are as under:
(i) Whether he has obtained all the information and explanations which to the best of
his knowledge and belief were necessary for the purpose of his audit.
(ii) Whether the report on the accounts of any branch office audited u/s 228 has been
forwarded to him and how has he dealt with the same in preparing the auditor’s
report.
Advanced Auditing
126
(iii) Whether the company’s balance sheet and profit and loss account dealt with by his
report are in agreement with the books of account.
(iv) Whether any director is disqualified from being appointed u/s 274(1)(g) of the
Companies Act, 1956.
(v) Whether cess payable u/s 441A has been paid and if not, the details of amount not
paid. (This clause has not yet became operative).
(b) An illustrative Format of Audit Report: SA 700 “The Auditor’s Report on Financial
Statements”, states that there may be circumstances when it is not practicable to quantify
the effect of modification in the audit report accurately, the auditor may do so on the
basis of estimates made by the management after carrying out such audit tests as are
possible and clearly indicate the fact that the figures are based on management
estimates. Ordinarily, this information would be set out in a separate paragraph
preceding the opinion or disclaimer of opinion and may include a reference to a more
extensive discussion, if any, in a note to the financial statements.
The following illustration of a qualification where quantification was not possible will
explain the point:
“(2) No provision has been made in respect of product warranties outstanding at the year
end. The amount of provision required in this behalf could not be ascertained.”
In the above situation, the overall paragraph would appear as follows:
“We further report that, without considering item mentioned in paragraph (2) above, the
effect of which could not be determined, had the observations made by us in paragraph
(1) (not reproduced) and (2) above been considered, the profit for the year would have
been Rs.500.41 lacs (as against the reported figure of Rs.596.07 lacs), reserves and
surplus would have been Rs.685.43 lacs (as against the reported figure of Rs.781.09
lacs) and total fixed assets would have been Rs.200.00 lacs (as against the reported
figure of Rs.229.05 lacs)”
Subject to the above in our opinion………………..
(c) (i) Disposal of Fixed Assets: Under CARO, 2003, an auditor is required to state if
substantial part of the fixed assets have been disposed off during the year, whether
it has affected the going concern. This clause requires the auditor to carry out
adequate audit procedures to satisfy himself that the company shall be able to
continue as going concern for the foreseeable future despite the sale of substantial
part of the fixed assets.
Accordingly, in the instant case, the auditor should satisfy himself as to whether
disposal off of 1/3rd of fixed assets during the year had any effect on the going
concern assumption on account of such sale of fixed assets. The auditor is required
to exercise his professional judgement to determine whether disposal off of onethird
of total assets constitutes substantial part or not. Depending upon the
judgement arrived at by the auditor, he shall report whether substantial part of fixed
assets have been disposed off or not during the year and it has affected or not
Audit Report
127
affected the going concern status of the company. Alternatively, in case the auditor
is of the opinion that it constitutes substantial sale but the going concern
assumption is appropriate because of mitigating factors then he has to ensure that
the same are disclosed in the financial statements or else he shall have to modify
the auditor report. The manner of reporting shall also be modified appropriately in
case the going concern assumption is resolved or not.
(ii) Utilisation of Term Loans: Under CARO, 2003, an auditor is required to comment
whether term loans were applied for the purpose for which the loans were obtained.
The auditor should examine the terms and conditions of the term loan with the
actual utilisation of the loans. If the auditor finds that the fund has not been utilized
for the purpose for which they were obtained, the report should state the fact.
In the instant case, since term loan taken for the purpose of R&D equipment has
been utilized for purchase of car which has no relation with R&D equipment.
Therefore, car though used for R&D Director cannot be considered as R&D
equipment. The auditor should state the fact in his report that the out of term loan
of R&D lack, Rs.12 lakhs was not utilised for the purpose of acquiring the R & D
equipment.
Question 16
Answer the following:
(a) Discuss the various aspects to be considered by the Statutory Auditor before qualifying
his report. (4 marks)
(b) As a Statutory Auditor, how would you report on the following under CARO:
(i) O Pvt. Ltd. Is a dealer in Shares and Securities.
(ii) ABC Pvt. Ltd. Is an Manufacturer of jewellery. A senior employee of the Company
informed you that the Company does not properly disclose the purity of gold used
on the jewellery. (4 marks)(Final May 2006)
Answer
(a) Aspects to be Considered Before Qualifying the Audit Report: SA 700, “The
Auditor’s Report on Financial Statements”, specifies that auditor’s report may need
modification on account of certain matters which may or may not affect the auditor’s
opinion. There may be certain circumstances when an auditor may not be able to
express an unqualified opinion because the effort of such circumstances in the auditor’s
judgment, is or may be material to the financial statements:
(i) there is a limitation on the scope of the auditor’s work; or
(ii) there is a disagreement with management regarding the acceptability of the
accounting policies selected, the method of their application or the adequacy of
financial statement disclosures.
Advanced Auditing
128
Further, while qualifying a report, it is important to appreciate as to which of the various
items of statement of fact or statement of opinion require a qualification in respect of
audits under the Companies Act, 1956, the auditor may also see whether the matters
constituting the qualification involve a material contravention of any requirements of the
Companies Act, 1956 which have a bearing on the accounts.
Finally, whenever the auditor expresses an opinion that is other than unqualified, a clear
description of all the substantive reasons should be included in the report and, unless
impracticable, a quantification of the possible effect(s), individually and in aggregate, on
the financial statements should be mentioned in the auditor’s report. A quantified opinion
should be expressed as being “subject to” or “except for” the effects of the matter to
which qualification related.
(b) Reporting under CARO, 2003
(i) O Pvt. Ltd. is a dealer in shares and securities. Clause (xiv) of CARO, 2003 is
applicable to a company in case it is dealing or trading in shares, securities,
debentures and other investments. The requirements applicable to O Pvt. Ltd.
would be as under:
• whether proper records are maintained for transactions and contracts;
• whether timely entries are made in such records; and
• whether shares, securities, debentures and other investments have been held
by the company in its own name except to the extent of exemption, if any
granted under section 49 of the Companies Act, 1956.
In case auditor is satisfied in respect of aforesaid matters, after making
examination, the auditor may report as under:
“In our opinion, and according to information and explanation given to us,
the company has been maintained proper records in respect of
transactions and contracts in securities during the year and timely entries
have been made therein. Further, all shares and certificates are held by
the company in its own name.”
(ii) In the case of ABC Pvt. Ltd. If purity of gold is not properly disclosed on the
jewellery it amounts to defrauding the customers. That means the management is
deceiving customers to obtain an illegal advantage. However, the auditor is
concerned with fraudulent acts that cause a material misstatement in financial
statements. As long as books of account are not falsified arising out of difference in
the purity of gold, i.e., actual cost of the gold and the sale price of gold, it has no
implication for the auditor. Further, under CARO, 2003, the auditor may examine
this from the view point of maintaining proper records of inventory. But even the
requirement of maintaining proper records does not necessitate that purity as such
should be mentioned on the gold itself. However, the purity of gold would have
implication on the valuation of inventory. But this aspect is not required to be
reported under CARO, 2003.
Audit Report
129
Thus, from the view point of reporting on frauds under CARO, 2003, there is no
implication for misstatement in the financial statements. Hence, no reporting is
necessary for non-proper disclosure of purity of gold on the jewelry.
Question 17
Draft audit report u/s 227(3)(f) of the Companies Act, 1956 on the following three situations in
respect XYZ Ltd. as on 31.3.2006:
(i) Where all directors have given written representations that they have not defaulted u/s
274(1)(g) of the Companies Act, 1956. (2 marks)
(ii) Where one of the directors, Mr. Flexible has failed to produce written representation that
he has not defaulted u/s 274(1)(g) of the Companies Act, 1956. (3 marks)
(iii) Where on the basis of written representations received from the directors it is noticed
that one of the directors, Mr. Rigid has defaulted in terms of Section 274(1)(g) of the
Companies Act, 1956. (3 marks)(Final Nov 2006)
Answer
Draft audit report u/s 227 (3) (f):
(i) Where the directors have not defaulted :
“On the basis of the written representations received from the directors and taken on
record by the Board of Directors, we report that none of the directors is disqualified as on
31 March, 2006 from being appointed as a directors in terms of Section 274(1)(g) of the
Companies Act, 1956
(ii) Where one of the directors failed to produce written representation.
“Mr. Flexible who is also a director of XYZ Ltd. has not produced any written
representation to the company as to whether XYZ Ltd. as at 31.03.06 had not defaulted
in terms of Section 274(1)(g) of the Companies Act. In the absence of the representation
we are unable to comment whether Mr. Flexible is disqualified from being appointed as
director in terms of section 274(1)(g). As far as other directors are concerned on the
basis of the written representation received from such directors and taken on record by
the Board, we report that none of the remaining directors is disqualified as on 31.3.2006
from being appointed as a director in terms of Section 274(1) (g) of the Companies Act,
1956”.
(iii) Where a director is found to be disqualified
“On the basis of the written representation received from Mr. Rigid who is a director of
XYZ Ltd. as on 31.3.2006 and taken on record by the board, we report that Mr. Rigid is
disqualified from being appointed as a director in terms of Section 274(1) (g) of the
Companies Act, 1956. As far as other directors are concerned, on the basis of written
representations received and taken on record by the board we report that none of the
remaining directors is disqualified as on 31.3.2006 from being appointed as director in
terms of Section 274 (1) (g) of the Companies Act.”
Advanced Auditing
130
Question 18
Explain the propriety elements in the Companies (Auditors) Report Order, 2003.
(8 marks)(Final Nov 2006)
Answer
Propriety elements in CARO 2003
(i) If a company has given or taken loans, secured or unsecured to/ from companies, Firms
or other parties listed in the register maintained u/s 301 of the Companies Act, whether
the rate of Interest and other terms and conditions of such Loans are prima facie
prejudicial to the interest of the company.
(ii) If overdue amount of loan given to or taken from companies, firms or other parties listed
in the register maintained u/s 301 of the Companies Act is more than one Lakh, what
reasonable steps have been taken by the company for recovery/ payment of the principal
and interest.
(iii) Whether the particulars of contracts or arrangements referred to in section 301 of the Act
have been entered in the register required to be maintained. To ensure the transactions
entered in the register maintained u/s 301 have been made at prices which are
reasonable at the relevant time.
(iv) Whether the company is regular in depositing undisputed statutory dues including PF,
income tax, sales tax, customs, excise duties and other statutory dues and if not , the
arrears outstanding for more than 6 months from the date they became payable shall be
indicated.
(v) Whether the company has made any preferential allotment of shares to parties covered
in the register maintained u/s 301 and if so, whether the price at which they were issued
is prejudicial to the interests of the company.
Question 19
As an auditor, how would you deal with the following?
(a) L Private Ltd., which has outstanding loan of Rs. 50 lakhs from Financial Institution
defaulted in repayment thereof to the extent of 50%. The company holds that it being a
private limited company, the Companies Auditors Report Order (CARO) is not applicable.
(5 marks)
(b) ABC Limited to whom CARO is applicable made a public issue of 7% debentures of Rs. 3
crores, redeemable after 5 years and used the proceeds of issue for payment of Sundry
creditors and other Current liabilities to the tune of 3 crores. (4 marks) (Final May 2007)
Answer
(a) Applicability of CARO to a Private Ltd. Co.: A Private Ltd. Co., in order to be exempt
from the applicability of CARO must satisfy all the following conditions cumulatively :
(i) its paid-up capital and reserves are Rs. 50 lacs or less;
Audit Report
131
(ii) it has no outstanding loan exceeding Rs. 25 lacs from any bank or financial
institutions; and
(iii) its turnover does not exceed Rs. 5 crores during the financial year.
Since condition (ii), above, is violated, the order is applicable to L Pvt. Ltd.
The period and amount of default be reported by the auditor as per Para 4(xi) of the
CARO.
(b) End use of issue proceeds of a public issue: Para 4(xx) of CARO deals with end use
of issue proceeds of a public issue. Public issue may relate to equity shares, preference
shares, debentures and other securities. The auditor is expected to verify and report
whether the end use of moneys raised by way of public issue have been properly
disclosed in the financial statements.
The auditor must see whether the terms of issue of debentures contain any specific
purpose/project for which the funds raised will be utilized.
It the terms of issue of debentures is for liquidating sundry creditors and other current
liabilities, it would be in order for the company to do so. Auditor should verify that the
amount of end use of money disclosed in the financial statements by the management is
adequate and is not significantly different from the proposed and actual use. If either end
use is not for the purpose for which a public issue is made or the disclosure is not
adequate, the auditor should state the fact in his report.
Question 20
What are the features of a qualified Audit Report? (8 marks) (Final Nov 2007))
Answer
The features of a qualified report are
1 Clarity: The auditor must express the nature of qualification, in a clear and unambiguous
manner.
2 Explanation: Where the auditor answers any of the statutory affirmations in the negative
or with a qualification his report shall state the reasons for such answer.
3 Placement: All qualifications should be contained in the Auditor’s Report. When there
are notes which are subject matter of a qualification, the same should preferably be
annexed to the Auditors’ Report. However a reference to the notes to Accounts in the
Auditors’ Report does not automatically become a qualification.
4. Subject to: The words’ subject to are essential to state any qualification. The
qualification should be preceded by words such as ‘subject to’ or except that’ to make it
clear that he is making an exception.
5. Quantification: It is also necessary that the auditor should quantify, wherever possible,
the effect of individual as well as the total effect of all qualifications on profit or loss
and/or state of affairs these qualifications on the financial statements in a clear and
unambiguous manner. In circumstances where it is not possible to quantify the effect of
Advanced Auditing
132
the qualifications accurately the auditor may do so on the estimates made by the
management after carrying out such audit tests as are possible and clearly indicate that
the figures given are based on the estimates of the management.
6. Nature of qualification: Vague statements the effect of which on accounts cannot be
ascertained like ‘the debtors balances are subject to confirmation’, ‘no provision for
taxation has been made in view of the loss during the year’ etc., should be avoided.
7. Violation of law: Where the company has committed an irregularity resulting in a breach
of law, the auditor should bring the same to the notice of the shareholders by properly
qualifying his report.
8. Notes – Report Relationship – Where notes of a qualificatory nature appear in the
accounts the auditors should state all qualifications independently in their report so that
the user can assess the significance of these qualifications.
9. Draft Report: The auditor may discuss matters of qualification with the management of
the company to acquire their views. It is not necessary that the auditor should accept the
managements view and modify his opinion. But it would enable the auditor to accurately
draft the qualifications in his final report.
Question 21
List the matters to be included in the ‘Auditors’ report’ in the case of Non Banking Financial
Companies (NBFCs) accepting or holding public deposits. (8 marks) (Final Nov 2007)
Answer
The auditors are required to make a separate report to the Board of Directors and the RBI for
every financial year as per the Non Banking Companies Auditors’ Report (RBI) Direction 1998,
in addition to the reporting obligations u/s 227 of the Companies Act 1956.
(1) Reporting Requirements: The auditor shall make –a statement on the following matters,
together with reasons in case of any unfavourable or qualified statement:
(a) Registration: Whether the NBFC has obtained certificate of Registration or applied
for registration.
(b) Communication from RBI: Whether the NBFC has received any communication
from RBI refusing grant of Certificate of Registration.
(2) NBFCs accepting/holding public deposits
(i) Limit on Public Deposits: Whether the public deposits and the following
borrowings are within the permissible limits
(a) Borrowing from public by issue of unsecured non-convertible
Debentures/Bonds.
(b) Borrowing from its share holders by a public limited company and
(c) Other deposits within the definition of “Public Deposit” in the NBFC (Reserve
Bank) Direction, 1998.
Audit Report
133
(ii) Credit Rating: Whether Credit rating for fixed Deposits, assigned by the credit
rating agency is in force.
(iii) Limit on Fixed Deposits: Whether aggregate amount of Deposit outstanding at
any point during the year has exceeded the limit specified by the Credit Rating
Agency.
(iv) Default: Whether the NBFC has defaulted in paying to its Depositors the interest
and/or principal amount of the deposits after such interest and/or principal became
due.
(v) Prudential Norms: Whether the NBFC has complied with NBFC Prudential Norms
(Reserve Bank) Direction, 1998 in relation to Income Recognition. According
standards, classification, Provisioning for bad and doubtful debts and concentration
of Credit/Investment.
(vi) Capital Adequacy: Whether the capital Adequacy Ratio disclosed in the return
submitted to the RBI is correctly determined and whether such ratio is in compliance
with the minimum capital to Risk Asset Ratio prescribed by the RBI.
(vii) Liquidity: Whether the NBFC has complied with the prescribed liquidity requirement
and kept the approved securities with designated Bank.
(viii) Return of Deposits: Whether the NBFC has furnished the return of deposits to the
RBI within the stipulated period as required under First Schedule to NBFC
Prudential Norms (Reserve Bank) Directions, 1998.
Question 22
T Pvt. Ltd.’s paid up Capital & Reserves are less than Rs. 50 lakhs and it has no outstanding
loan exceeding Rs. 25 lakhs from any bank or financial institution. Its sales are Rs. 6 crores
before deducting Trade discount Rs. 10 lakhs and Sales returns Rs.95 lakhs. The services
rendered by the company amounted to Rs. 10 lakhs. The company contends that reporting
under Companies Auditor’s Reports Order (CARO) is not applicable. Discuss.
(4 marks) (Final Nov 2007)
Answer
Since paid up capital and reserves of T Pvt. Ltd. is less than Rs. 50 lakhs and has no loan
outstanding exceeding rupees 25 lakhs from any bank or financial institution, the only other
condition is whether turnover exceeds rupees five crores. Turnover is not defined in the
CARO. Part II of Schedule VI defines the term "turnover" as the aggregate amount for which
sales are affected by the company. "Sales affected" would include sale of goods as well as
services rendered by the company.
For ascertaining turnover though trade discount and sales returns should be deducted, the
inclusion of services rendered would result in a turnover of Rs. 5.05 crores (i.e. 6 - 0.10 - 0.95
+ 0.10 crore) Hence CARO will apply to T. Pvt. Ltd.
Advanced Auditing
134
Question 23
Write a short note on- Emphasis of matter paragraph in Audit Reports.
(4 marks) (Final May 2008)
Answer
Emphasis of matter paragraph in audit reports: An auditor’s report can be modified for
matters that do not affect the auditor’s opinion. An “emphasis of matter” paragraph is such a
type of notification in an audit report. In certain circumstances, such a paragraph is added to
highlight a matter affecting the financial statements which is included in a note to the financial
statements that more extensively discusses the matter. The addition of such a paragraph
does not affect the auditor’s opinion. Such a paragraph is preferably included preceding the
opinion paragraph and would ordinarily refer to fact that the auditor’s opinion is not quantified
in this respect. (Refer SA 700).
An illustration of an emphasis of matter paragraph for a significant uncertainty in an auditor
report is as follows :
“Without qualifying our opinion, we draw attention to note X of schedule to the financial
statements. The entity is the defendant in a lawsuit alleging infringement of certain patent right
and claiming royalties and punitive damages. The entity has filed a counter action, and
preliminary hearings and discovery proceedings on both actions are in progress. The ultimate
of the matter can not presently be determined, and no provision for any liability, that may
result, has been made in the financial statements.”
Question 24
Discuss the reporting requirements under the Companies (Auditor’s report) Order, 2003 where
a company has defaulted in compliance of Section 58AA of the Companies Act, 1956 with
regard to public deposits. (8 marks) (Final Nov 2008)
Answer
Under paragraph 4(VI) of Companies (Auditor’s) Report Order 2003 as amended by
Companies (Auditor’s) Report (Amendment) Order, 2004, the audit report should include
following matters:
In case company has accepted any deposits from public whether directives issued by the
Reserve Bank of India and the provisions of sections 58 A and 58 AA or any other relevant
provisions of the Act and the rules framed there under, where ever applicable, have been
complied with. If not the nature of contraventions should be stated. If an order has been
passed by Company Law Board or National Law Tribunal or Reserve Bank of India or any
court or any other tribunal whether the same has been complied with or not ?
Section 58 AA deals with small depositors. As per this, a small depositor means a depositor
who has deposited during a financial year a sum not exceeding rupees twenty thousand this
section requires compliance of certain matters by the company.
Audit Report
135
Non compliance of section 58 AA occurs where company fails to intimate company law board,
any default in repayment of deposit by small depositors or part there of or any interest
thereupon. The auditor has therefore, to first determine whether there is any default in
repayment of such deposits, when number of depositors are large, it may not be possible for
an auditor to verify each repayment. In such situation, he should examine internal control
system. He should obtain schedule of repayment to small depositors, and should make
reasonable test checks of repayments made by the company. If during test check, default in
repayment is noticed, he should see whether the same has been intimated to Company Law
Board.
Over and above this, auditor should also examine regarding non compliance of Section 58 AA
or rules made there under he should enquire, about any order passed by Company Law Board
for contravention of section 58 AA
The auditor should obtain management representation to the effect whether:
(a) Company has complied with directives issued by Reserve Bank of India and provision of
Section 58 AA or relevant rules. and
(b) Where an order has been passed by Company Law Board, the company has complied
with requirements of the order
Question 25
Answer the following:
Comment whether the following Companies can be classified as a Small and Medium Sized
Company (SMC) as per the Companies (Accounting Standards) Rules, 2006:
(i) A Pvt. Ltd., a subsidiary of a multinational company listed on London Stock Exchange. It
has a turnover of Rs.12 crores and borrowings of Rs.5 crores.
(ii) B Pvt. Ltd. has a turnover of Rs.45 crores, other income of Rs.7 crores and bank
borrowings of Rs.9 crores.
(iii) C Ltd. has appointed Merchant bankers to prepare a Red-herring prospectus for the
purpose of filing the same with Securities and Exchange Board of India.
(12 Marks) (Final Nov 2008)
Answer
As per the Companies (Accounting Standards) Rules, 2006, “Small and Medium Sized
Company” (SMC) means a company –
(i) Whose equity or debt securities are not listed or are not in the process of listing on any
stock exchange, whether in India or outside India;
(ii) Which is not a bank, financial institution or an insurance company;
(iii) Whose turnover (excluding other income) does not exceed Rs. 50 crores in the
immediately preceding accounting year;
Advanced Auditing
136
(iv) Which does not have borrowings (including public deposits) in excess of Rs. 10 crores at
any time during the immediately preceding accounting year; and
(v) Which is not a holding or subsidiary company of a company which is not a small and
medium-sized company.
Explanation: For the purposes of clause (f), a company shall qualify as a small and
medium sized company, if the conditions mentioned therein are satisfied as at the end of the
relevant accounting period.
(a) As per the definition of SMC, point (v), a company will be a SMC if it is not a holding or
subsidiary company of another company which is not a SMC. Since A Pvt. Ltd. is a
subsidiary of another company which is listed on London Stock Exchange (and is
therefore not a SMC), A Pvt. Ltd., cannot be a SMC. The turnover and borrowings are
not relevant in this case.
(b) As per the definition of SMC, point (iii), a company will be a SMC if it’s turnover does not
exceed Rs.50 crores or borrowings do not exceed Rs.10 crores. For calculating this
turnover, other income is not to be included. Since B Pvt. Ltd., has a turnover of Rs.45
crores and borrowings of Rs.9 crores, it will satisfy the definition and can be classified as
a SMC.
(c) As per the definition of SMC, point (i), a company will be a SMC if it is not listed or in the
process of listing. Since C Pvt. Ltd., has appointed merchant bankers to prepare a Red-
Herring Prospectus for the purpose of filing the same with SEBI, it is in the process of
listing on a Stock Exchange. Hence, C Pvt. Ltd., cannot be classified as a SMC.
6
EDP AUDIT
Question 1
"Where the financial Accounting System has not been computerised, the auditor need not
verify Computerised Management System ". (8 Marks) (Final May 2000)
Answer
Any typical organisation structure would involve different kinds of systems having regard to its
nature of operational activities. Apart from the accounting information flow, there may be
various other operational departments such as production, purchase, sales, computer
department, maintenance, research and development, corporate services, etc. It is quite likely
that certain aspects of the organisation have been inter-connected through computers and a
central computerised management system is functional in the organisation. On the other hand,
merely because the financial accounting system has not been computerised would not mean
that the information generated in other sections of the organisation has no effect on manually
maintained accounting records. The auditor's field of interest covers most of the business's
activities. For although primarily he will be concerned with the financial accounting department
activities, accounting information will be generated by many departments. And it is the
auditor's task to see that all this information is reliable. It may be noted that AAS 6 (SA 400)
on "Study and Evaluation of the Accounting System and Related Internal Controls in
Connection with an Audit" makes it clear that the system of internal control extends beyond
those matters which relate directly to the functions of the accounting system. Thus,
operational controls such as quality control, work standards, budgetary control, quantitative
control, etc. also acquire significance. This is where administrative controls also become
important. The auditor should familiarise himself with the tasks being undertaken, the systems
that have been developed and the reports generated from such applications. This would
provide information which could improve the quality of his own work and enable him to judge
better the quality of the accounting systems and internal checks which come within his
preview. It would also assist him in making a qualitative judgement as to the state of affairs of
the company and give an opportunity to review his audit programme to reduce routine work
and improve quality by assuring that more time is spent by his assistants in other areas to
improve quality and offer constructive suggestions. It is very important that the auditor must
evaluate such control system also, which have bearing on reliability of financial information.
(NOTE: SA 315 issued in December, 2007. The date this Standard (along with SA 330) becomes
effective, the existing Standard on Auditing (SA) 400, “Risk Assessments and Internal Control”, SA
Advanced Auditing
138
310, “Knowledge of the Business”, and SA 401, “Auditing in a Computer Information Systems
Environment”, issued in June 2002, April 2000 and January 2003, respectively, would stand
withdrawn).
Question 2
(a) Describe the role of Computer-assisted Audit Techniques in EDP Environment.
(10 marks)
(b) Briefly explain the uses of test packs while conducting examination of accounts in the
absence of audit trail. (6 marks) (Final May 2000)
Answer
(a) Role of Computer Assisted Audit Techniques in EDP Environment
Computer Assisted Audit Techniques (CAATs) refer to those auditing techniques that
take assistance of a computer for being applied to an audit in a computer environment.
The use of computer-assisted audit techniques may be required because:
(i) the absence of input documents (e.g. order entry in on-line systems), or the
generation of accounting transactions by computer program (e.g. automatic
calculation of discounts) may preclude the auditor from examining documentary
evidence;
(ii) the lack of a visible audit trail will preclude the auditor from visually following
transactions through the computerised accounting system; and
(iii) the lack of visible output may necessitate access to data retained on files readable
only by the computer.
The auditor may however, decide to take advantage of the fact that much of the
information is available in a form, which can be tested electronically. Alternatively, the
auditor could be forced to abandon manual tests because there is no visible audit trail. In
either case, the auditor must use either software or specially prepared audit data to test
the inner workings of the company's system. This is known as auditing 'through the
machine'. The methods by which this is done are known as 'computer assisted audit
techniques' (CAATs).
CAATs enable the auditor to save time by examining data stored on computer media
rather than on print-outs or other documents and, in some cases, to conduct tests which
cannot be done manually because there is no visible evidence or audit trail. CAATs can
be used for both compliance and substantive testing.
CAATs may be used in performing various auditing procedures, including:
(i) Tests of details of transactions and balances for example, the use of audit software
to test all (or a sample) of the transactions in a computer file.
(ii) Analytical review procedures - for example, the use of audit software to identify
unusual fluctuations of items.
EDP Audit
139
(iii) Compliance test of general EDP controls - for example, the use of test data to test
access procedures to the program libraries.
(iv) Compliance tests of EDP application controls - for example, the use of test data to
test the functioning of a program procedure.
The most common types of CAATs used for audit purposes are discussed below:
(a) Audit Software: Audit software consists of computer program used by the auditor
as a part of his auditing procedure to process data of audit significance. It may
consist of:
(i) Package programs: These are generalised computer programs designed to
perform data processing which includes reading computer files, selecting
information, performing calculations, creating data files and printing reports in
a format as specified by the auditor.
(ii) Purpose written programs: These are computer programs designed to
perform audit tasks is specific circumstances. These programs may be
prepared by the auditor, by the organisation or by an outside programmer
engaged by the auditor. In some cases, the programs existing in the
organisation may be used by the auditor in their original or in a modified state
because it may be more economical and effective than developing
independent program.
(iii) Utility programs: These are used by the organisation to perform common
data processing functions, such as sorting, creating and printing files. These
programs are generally not designed for audit purposes and therefore may not
contain such features as automatic record counts or control totals.
(b) Test Data: Test data techniques are used in conducting audit procedures by
entering data into the computer system of the organisation and comparing the
results obtained with pre-determined results. For example:
(i) Test data used to test specific controls in computer programs, such as, on line
password and data access controls.
(ii) Test transactions selected from previously processed transactions preferably
historical data or data treated by the auditor to test specific processing
characteristics of the organisation's computer system. Such transactions are
generally processed separately from the entity's normal processing.
(iii) Test transactions used in an integrated test facility where a 'dummy' unit is
established and to which test transactions are posted during the normal processing.
When test data is processed with the organisation's normal processing the auditor
should ensure that the test transactions are subsequently eliminated from
accounting records of the organisations.
Advanced Auditing
140
(b) Use of Test Packs
"Test Packs" contain simulated transactions of all sorts of error conditions which can be
used to test all the program controls. It consists of test data which will be processed in
the same way as actual or live data. The data may either be fictitious as invented by the
auditor or genuine data selected prior to processing. The essence of a test pack is that
data will be chosen to test the workings of each control upon which reliance is to be
placed. Data will include both that which falls outside the control parameters (and
therefore should be printed out as an error or exception), and that which falls within the
parameters (and therefore should be processed normally). For example:, assume that
stock numbers range from 0 to 8,000, and that any stock movements with a number
outside this range should be printed out as an error. So test data with numbers of 7,999
and 8,001 might be chosen. The latter should be printed out as an error, the former
should be processed normally. Assume further that all debts over 60 days old should be
printed out as exceptions on account of their being overdue. So a debt at 59 days, and
one at 61 days might be chosen as the test data. The latter should be printed out as a
exception, whereas the former should not appear on the exception report.
The results of the test data can be predetermined, and these anticipated results can then
be compared with the error or exception reports produced by the computer. If this
compliance testing reveals that the program controls can be relied upon, then it means
that the resulting error and exception reports can be regarded as reliable. For, if a
program control can be proved to work properly, it may be assumed that it will continue
to work, unless fraudulently interfered with. And the chances of this will have been
assessed during the examination of administrative controls.
The auditor will then have to satisfy himself that the appropriate action is taken on all
error and exception reports. This would be determined by appropriate compliance testing,
such as the review of a sample of error reports, to ensure that all errors have been
removed, and, if necessary, reprocessed. If the results of this compliance testing are
satisfactory, the auditor may then be satisfied that the chances of material error existing
in the system are small, and may accordingly reduce the quantity of substantive testing
for error, on the basis of reliable internal control.
The exception reports will be an important part of management controls over assets and
liabilities, especially, in relation to concealed defalcations. And as such, the auditor will
want to ensure that they are reliable. But they can also be of considerable audit benefit in
substantive testing, particularly at the verification stage. For the exceptions are often
exactly those items which the auditor himself would wish to examine. And he would
otherwise have to extract such figures by hand. For example, a list of overdue debts
would be of value in assessing the provision for doubtful debts.
Question 3
What is an Audit Trail? Briefly describe the special audit techniques using the computer as an
audit tool. (8 marks) (Final Nov 2000)
EDP Audit
141
Answer
Audit Trail: Changes in hardware and software of data processing system have significantly
changed the approach to auditing. The work of an auditor would be hardly affected if “audit
trail” is maintained i.e. if it were still possible to relate, on a ‘one-to-one’ basis, the original
input with the final output. In a manual accounting system, it is possible to relate the recording
of a transaction at each successive stage enabling an auditor to locate and identify all
documents from beginning to end for the purposes of examining documents, totalling and
cross-referencing.
In first and early second-generation computer systems, a complete audit trail was generally
available. However, with the advent of modern machines, the EDP environment has become
more complex. This led to use of exception reporting by the management which effectively
eliminated the audit trail between input and output. The lack of visible evidence may occur at
different stages in the accounting process, for example:
(i) Input documents may be non-existent where sales orders are entered online. In addition,
accounting transactions, such as discounts and interest calculations, may be generated
by computer programmes with no visible authorisation of individual transactions.
(ii) The system may not produce a visible audit trail of transactions processed through the
computer. Delivery notes and suppliers’ invoices may be matched by a computer
programme. In addition, programmed control procedures, such as checking customer
credit limits, may provide visible evidence only on an exception basis. In such cases,
there may be no visible evidence that all transactions have been processed.
(iii) Output reports may not be produced by the system. In addition, a printed report may
only contain summary totals while supporting details are retained in computer files.
Special Audit Techniques: In the absence of audit trail, the auditor needs the assurance
that the programmes are functioning correctly in respect of specific items by using special
audit techniques. The absence of input documents or the lack of visible audit trail may require
the use of Computer Assisted Audit Techniques (CAATs) i.e. using the computer as an audit
tool. The effectiveness and efficiency of auditing procedures may be enhanced through the
use of CAATs. Popularly, two common types of CAATs are in vogue, viz., test packs or test
data and audit software or computer audit programmes. Normally speaking, special audit
techniques may be used under the following circumstances:
(i) to ensure the correct functioning of important programme controls;
(ii) to overcome losses of audit trail;
(iii) to reduce audit costs or increase the efficiency of the audit.
Audit Software: Audit software consists of computer programmes used by the auditor, as part
of his auditing procedures, to process data of audit significance from the entity’s accounting
system. It may consist of package programmes, purpose-written programmes, and utility
programmes. Regardless of the source of the programmes, the auditor should substantiate
their validity for audit purposes prior to use.
Advanced Auditing
142
(i) Package programmes are generalised computer programmes designed to perform data
processing functions which include reading computer files, selecting information,
performing calculations, creating data files and printing reports in a format specified by
the auditor.
(ii) Purpose-written programmes are computer programmes designed to perform audit tasks
in specific circumstances. These programmes may be prepared by the auditor, by the
entity or by an outside programmer engaged by the auditor. In some cases, existing
entity programmes may be used by the auditor in their original or in a modified state
because it may be more efficient than developing independent programmes.
(iii) Utility programmes are used by the entity to perform common data processing functions,
such as sorting, creating, and printing files. These programmes are generally not
designed for audit purposes and, therefore, may not contain such features as automatic
record counts or control totals.
Test Data: Test data techniques are used in conducting audit procedures by entering data
(e.g., a sample of transactions) into an entity’s computer system, and comparing the results
obtained with predetermined results. This enables to ascertain whether the controls residing
in the hardware and in the programmes are operating correctly. Test data is used to test
specific controls in computer programmes, such as online password and data access controls.
Examples of such uses are:
(i) Test transactions selected from previously processed transactions or created by the
auditor to test specific processing characteristics of an entity’s computer system. Such
transactions are generally processed separately from the entity’s normal processing.
(ii) Test transactions in an integrated test facility where a “dummy” unit (e.g., a department
or employee) is established and to which test transactions are posted during the normal
processing cycle.
When test data is processed with the entity’s normal processing, the auditor should ensure
that the test transactions are subsequently eliminated from the entity’s accounting records.
Question 4
Write short notes on the following:
(i) Decision Tree
(ii) Utility Routine (4 × 2 = 8 marks) (Final Nov 2000)
(iii) Test Packs (4 marks) (Final May 2006)
Answer
(i) Decision Tree: A decision tree is a graphic display of the relationship between the
present position and future events; future events and their consequences. The sequence
of events is mapped out over time in a format similar to the branches of a tree. The
decision tree approach gets its name because of the resemblance with a tree having
number of branches. A decision tree represents a decision problem as a series of
EDP Audit
143
decisions to be taken under conditions of uncertainty. A present decision depends upon
the past decision and their outcomes. The decision trees are the diagrams that permit
the various decision alternatives, their outcomes and probabilities of their occurrences to
be mapped in a clear fashion.
In a typical decision tree, therefore, the project is broken down into clearly defined
stages, and the possible outcomes at each stage are listed along with the probabilities
and cash flows effect of each outcome. Important steps while constructing a decision
tree in respect of an investment proposal are: definition of the investment proposal,
identification of decision alternatives, identification of decision points, chance of events
and other data, location on the decisions tree branches of the relevant data such as
projected cash flow, expected present value, and selection of the best alternatives. This
approach is extremely useful in handling sequential investments and working backwards,
eliminating unprofitable branches and determination of optimum decision at various
decision points.
The major advantage of a decision tree is that it brings out the implicit assumptions and
calculations for all to see, raise questions and revise. It also allows a decision maker to
visualise assumptions and alternatives in the graphic form which are easy to understand.
The disadvantages, however, are that the diagram becomes complicated and
cumbersome as more and more variables are added. The addition of interdependent
alternatives and variables does not only present a queer picture but also makes
calculation time consuming.
(ii) Utility Routines: Utility Routines are generally supplied by the computer manufacturer
and are available for call up by the operating system. These routines play a key role in
an electronic data processing. These are generalised programmes that perform
necessary but routine jobs in a computer installation. These routines are sufficiently
flexible to handle needs of all users. They are controlled by parameters to indicate the
particular characteristics of the data or the requirements. Generally, three types of utility
routines are made available by computer vendors.
Data set utilities are used to manipulate files of stored data. One data set utility
programme might merge or combine data from more than one file of stored data.
Another might copy a file of data to another file. A third might instruct the computer to
print selected portions of a set of data. A fourth might sort file records into a desired
sequence.
System utilities are used to simplify the task of knowing where data are stored in a
computer file. One utility routine might add data to a file, name the set of data, and
catalogue the data set to distinguish it from other data sets. Another utility routine might
list the catalogue of data sets, showing where particular data is stored in a file. A third
might label magnetic tapes. A fourth might accumulate and report errors incurred during
the processing of magnetic disk and tape.
Independent utilities perform such housekeeping functions as preparing a back up copy
of the contents stored on a magnetic disk file or analysing a magnetic disk for defective
tracks. This type of a utility routine performs the needed diagnostic tests.
Advanced Auditing
144
(iii) Test Packs: Test pack is a technique to determine the correctness of the computer
programming used to record transactions through the computer. Preparation of test pack
requires a great deal of expertise. It may be prepared by the auditor himself with the
help of the entity’s staff or by the Internal Control department of the entity. Normally test
packs are used where:
(i) a significant part of the control system is embodied in the programme;
(ii) there are gaps in audit trail making it difficult to trace output from input and to verify
intermediate calculation; and
(iii) the volume of records is large, so that it may be more economical and more
effective to use test packs rather than to trace the transactions manually.
The operations of a test pack involve following steps:
(i) The auditor or the Internal Audit Department prepares a set of special data covering
different types of transactions containing valid and invalid conditions.
(ii) Data will include both that falling outside the control parameters (and printed out as
an error or conception) and that falling within the parameters (and hence should be
processed normally).
(iii) The test data are seen on the clients’ computer with the client’s programme but
under audit supervision.
(iv) The results of the test data are also prepared separately, independent of the
computer/programme, and are compared with the results obtained by running the
programme through the computer.
(v) If the results are identical, reliability of the computer programme is proved.
Question 5
A limited company having turnover of approximately Rs.50 crores uses a tailor made
accounting software package. In the said package, all transactions are recorded, processed
and the final accounts generated from the system. The management tells you that in view of
the voluminous nature of day books, there is no need to print them and that audit can be
conducted on the computer itself. The management further assures you that any 'query based
reports' as required can be generated and printed. As a statutory auditor of the company,
enumerate the procedures you would adopt to conduct the audit. (16 marks) (Final May 2001)
Answer
A key feature of the accounting software package used by the company definitely involves the
absence of a clear audit trail. In other words, transactions cannot be easily traced or co-related
from the individual supporting documents of those transactions. Moreover, the management does
not wish to print the daybooks in view of the voluminous nature since it may involve extensive
costs. This has naturally led to extensive dependence by management upon the "exception
reporting" principle.
EDP Audit
145
From the auditor's point of view, it must also be conceded, the exception reports in the form of
'query-based reports' which isolate the above data provide him with the very material that he
requires for most of his verification work. The only problem which it raises, and it is a serious one,
is that he cannot simply assume that the programmes which produce the exception reports are
reliable in respect of the following factors:
(i) operating accurately;
(ii) printing out all the exceptions which exist; and
(iii) bound by programmed control parameters which meet the company's genuine internal
control requirements.
In view of the above, whether management relies upon exception reports, it effectively eliminated
the audit trail between input and output and the auditor is forced to test the invisible processes
which purport to embody the controls, and produce the output such as it is. These tests, which
invariably involve the use by the auditor of the computer itself, are known as tests through the
machine. In the 'through the machine' approach, the auditor starts by proving the accuracy of the
input data, and then thoroughly examines (by applying tests) the processing procedures with a
view to establishing the following that:
(i) all input is actually entered into the computer.
(ii) neither the computer nor the operators can cause undetected irregularities in the final
reports.
(iii) the programmes appear, on the evidence of rejection and exception routines, to be
functioning correctly.
(iv) all operator intervention during processing is logged and scrutinised by the DP manager.
The auditor in such circumstances will have to first evaluate the existing controls. For the same, he
has to do the following:
(i) Evaluate the internal control system especially the controls and checks existing for
recording the transactions, i.e., he has to verify at what level transactions can be entered
into the system and what checks are available to prevent any unauthorised data entry
and for rectifying errors/omissions in the transactions entered.
(ii) Evaluate at what level there is authority given for modification of transactions already
entered. Is there any authority given only to a senior employee to carry out
modifications? Or is it that once transactions are entered and validated no further
modifications are possible thereto.
(iii) Whether there is a provision in the software for carrying out an on line audit of
transactions, i.e. whether there a separate module in the package, where a separate
password given to the auditor and once he has seen and approved a particular
transaction/set of transactions, the same would be locked and no modifications would be
possible by anyone (including the senior most employee) in the company.
(iv) Whether there are proper procedures for backup of data on a regular basis and whether
the said procedures are being strictly followed.
Advanced Auditing
146
(v) In case of any loss of data whether there is a clear defined recovery procedure to
minimise the loss of data due to power failures or any human errors.
(vi) The auditor may introduce some dummy data into the system and see the results
obtained.
After the auditor has evaluated the above procedures, he has to prepare an audit plan depending
on the results obtained from his earlier evaluation. Since the daybooks are not being printed, the
plan can contain procedures wherein data is verified directly on the computer from the
vouchers/invoices, etc. The audit plan will also require a lot of analytical procedures to be
performed. Depending on the importance of various expense heads and other important account
heads, the auditor will also obtain various reports from the system depending on various queries
that he would have to identify. Some illustrative reports can be:
(i) To check whether proper classification is done for revenue/capital - a report can be
obtained of all purchases (not being raw materials or other routine purchases) exceeding
Rs. one lakh.
(ii) To check whether all freight outward bills are accounted for a report containing a monthwise
co-relation between goods despatched and freight amount paid. The same can be
further co-related with the freight rates obtained from the bills.
Once the auditor has performed the above procedures, he would be able to form an opinion
whether reliance can be placed on the accounting systems and the data recorded. If the auditor
finds that reliance cannot be placed on the systems he can inform the management about the fact
and also that the daybooks, etc., will need to printed to allow him to conduct the audit. The
finalisation procedures to be followed even under this system would remain more or less similar to
other accounting systems. The auditor can obtain reports of depreciation on fixed assets,
inventory valuation and using the normal procedures find out whether reliance can be placed on
them, e.g., if while valuing stocks the system is using the LIFO method, the same would not be
acceptable and will need to be modified. Similarly depreciation calculations will have to verified on
a random basis to find out its reliability.
Question 6
“On-line real time processing system and batch processing system have their inherent
strengths and weaknesses.” Please comment. (8 marks) (Final Nov 2001)
Answer
On-line Real Time Processing System vs. Batch Processing System: On-line computer
systems are computer systems that enable users to access data and programmes directly
through terminal devices. Such systems may comprise mainframe computers, minicomputers
or a network of connected PCs. When the entity uses an on-line computer system, the
technology is likely to be complex and linked with the entity’s strategic business plans. Online
computer systems may be classified according to how information is entered into the
system, how it is processed and when the results are available to the user. In an on-line realtime
processing system, individual transactions are entered at terminal devices, validated and
used to update related computer files immediately. An example is the application of cash
EDP Audit
147
receipts directly to customers’ accounts. The results of such processing are then available
immediately for inquiries or reports. In an on-line real-time (OLRT) processing system,
transactions are entered as they occur, and are processed as they are entered. These
systems form the heart of management information systems. Given the continuous updating of
the database as transactions are entered, the status of such files as accounts receivable,
accounts payable, and inventory may be determined at any time.
In a system with on-line batch processing, individual transactions are entered at a terminal
device, subjected to certain validation checks and added to a transaction file that contains
other transactions entered during the period. Later, during a subsequent processing cycle, the
transaction file may be validated further and then used to update the relevant master-file. For
example, journal entries may be entered and validated on-line and kept on a transaction file,
with the general ledger master-file being updated on a monthly basis. Inquiries of, or reports
generated from, the master-file will not include transactions entered after the last master-file
update. In a batch processing system which is not on-line, transactions are accumulated and
processed in group sales orders for the day, invoices to be recorded, and daily cash receipts
might each be viewed as a “batch” of transactions, to be processed as a group. Batch
processing systems are distinguished by their relative simplicity and reliability. They do not
process transactions as quickly as the more advanced systems, nor do they possess the
potential for providing timely information concerning the files updated by transactions
processing. Given these limitations, the use of networked PCs terminals has become
widespread, even among small entities. Batch processing systems are rarely found in today’s
systems environment.
Although powerful in terms of information capability, OLRT systems are more complex than
batch processing systems. Moreover, they ordinarily do not provide the extent of audit trail
documentation produced by batch system and for this they are more difficult to audit in terms
of obtaining satisfaction concerning the existence of necessary controls, and of designing
substantive testing procedures.
Conversely, in a batch processing system, the transaction are accumulated and processed in
batches or groups. Control totals, both monetary and documentary, are also available for
review to ensure completeness and accuracy of data being processed. The system is simple
and reliable. However, its deficiency lies in the MIS is not updated on a concurrent basis and,
therefore, information is not available on a timely basis.
Accordingly, it is a question of cost-benefit analysis as to which system will be more preferable
to an entity.
Question 7
Indicate the control procedures which the auditor should adopt in applying CAAT (Computer
Assisted Audit Technique) in an audit under EDP environment. (16 marks) (Final May 2002)
Answer
Computer Assisted Auditing Techniques (CAATs) involve performing audit procedures while
conducting audit through the computer. Audit software and Test Data are two common type of
Advanced Auditing
148
CAATs. Using CAATs involves taking various measures including monitoring so that the use of
CAATs by the auditor provides reasonable assurance that the audit objectives and detailed
specifications of CAATs have been met. It is to be seen that CAATs are not manipulated by staff
of the entity. The specific procedures necessary to control the use of a CAATs will depend on the
particular application. In establishing control, the auditor should consider the necessity to:
(a) Approve technical specifications and carry out a technical review of work pertaining to
CAAT application.
(b) Review the General EDP controls operating in the organisation which might contribute to
the integrity of the CAAT. For example, control over program changes and access to
computer files. When such controls cannot be relied upon to ensure the integrity of the
CAAT, the auditor may consider processing the CAAT application at another suitable
computer facility.
(c) Ensure appropriate integration of the output into the audit process.
Procedure to control audit software applications are as follows:
(i) Participation in the design and testing of computer programmes.
(ii) Checking the coding of the programme to see that it conforms to programming
specifications.
(iii) Running the audit software on small test files before running the same on main data
files.
(iv) Ensuring that correct files are used in the programme by cross-checking with
external evidence.
(v) Review output and control information to ensure that audit software functioned as
planned.
(vi) Existence of appropriate security measures to guard against manipulation.
Apart from the above control procedures for audit software, the auditor should carry out
certain control procedures for Test Data on the following lines:
(a) Controlling the sequence of submissions of test data where it spans several
processing cycles.
(b) Performing test runs containing small amounts of test data before submitting the
main audit test data.
(c) Predicting the results of the test data and comparing it with the actual test data
output, for the individual transactions and in total.
(d) Confirming that the current version of the programs was used to process the test
data.
(e) Obtaining reasonable assurance that the programs used to process the test data
were used by the entity throughout the applicable audit period.
EDP Audit
149
When using a CAAT, the auditor may require the cooperation of the entity’s staff who
have extensive knowledge of the computer installation. In such circumstances, the
auditor should have reasonable assurance that the entity’s staff did not improperly
influence the results of the CAAT.
Question 8
Answer the following:
Discuss some problems that will be encountered in an EDP system in implementation of
internal control. (10 marks) (Final Nov 2002)
Answer
Problems in Implementation of Internal Control in EDP System: The internal controls over
computer processing, which help to achieve the overall objectives of internal control, include
both manual procedures and procedures designed into computer programs. Such manual and
computer control procedures comprise the overall controls affecting the EDP environment
(general EDP controls) and the specific controls over the accounting applications (EDP
application controls). The following problems normally arise in implementation of internal
control in an EDP system:
(i) Separation of duties: In a manual system, separate individuals are responsible for
initiating transactions, recording them and the custody of the assets. This separation of
duties helps in preventing or detecting errors and other irregularities. In the EDP
environment, this traditional segregation of duties may not always apply. For example, a
program may reconcile a vendor invoice against a receiving document and print a cheque
for the amount owed to a creditor. Thus, the program is performing functions that in a
manual systems would be considered incompatible.
(ii) Delegation of authority and responsibility: Normally a clear line of authority and
responsibility is essential aspect of control in any system. In a computer system,
however, delegating authority and responsibility may prove difficult because some
resources are shared among multiple users. When multiple users have access to the
same data, it is not always easy to trace or find out who is responsible for any corruption
of the data and for identifying and correcting errors. Some organizations have attempted
to overcome these problems by designating a single user as the owner of data. This
user assumes ultimate responsibility for the integrity of the data.
(iii) Competent and trustworthy personnel: A good EDP system requires competent and
trustworthy personnel for its flawless operation. Highly skilled personnel are needed to
develop, modify, maintain and operate the computer systems. Getting competent and
trustworthy personnel for working in the EDP environment is, however, difficult as welltrained
and experienced people in this field are normally in short supply.
(iv) System of authorizations: Any good system of internal control has a system of
authorizations at various levels. General authorizations establish policies for the
organization to follow; for example, a fixed price list is issued for personnel to use when
products are sold. Specific authorisations apply to individual transactions; for example,
Advanced Auditing
150
acquisitions of major capital assets may have to be approved by the board of directors.
In a manual system, auditors can evaluate the adequacy of procedures for authorisation
by examining the work of employees. In a computer system, however, the procedures
are often embedded within a computer program. In such a case when evaluating the
adequacy of authorisation procedures, auditors will not only have to examine the work of
the employees but also find out the veracity of program processing.
(v) Adequate documents and records: In a manual system, adequate documents and
records are necessary to provide an audit trail of the various activities within the system.
In a computer system, however, documents may not be used to support the initiation,
execution and recording of some transactions. There would be therefore no visible audit
trail to trace a transaction. This absence of a visible audit trail will not hinder the
auditor’s work if systems are designed to maintain a record of all events and there is a
means of accessing these records. The auditor therefore needs to find out whether the
computer system environment provides for such a record of the events and also enables
access to the records.
(vi) Physical control over assets and records: Physical control over access to their assets
and records is critical in both manual systems as well as computer systems. In computer
systems, however, there is a concentration of the data processing assets and records of
an organisation. This means that in such an environment, if any fraud is to be
perpetrated, the person does not have to go to long distances but only have access to
the computer systems. Hence it is important that a good EDP environment restricts
access to the data processing assets and records.
(vii) Adequate management supervision: In a manual system, the management supervision
of employee activities is relatively simple because the managers and employees are
often at the same physical location. In computer systems, however, the employees
handling the data processing may be remotely located. Supervisory controls must
therefore be built into the computer system to compensate for the controls that usually
can be exercised through observation and inquiry.
(viii) Comparing recorded accountability with assets: In any good system, the data and
their assets that the data purports to represent should be compared to determine the
completeness and accuracy of the data. In a manual system, there is normally an
independent staff to prepare the basic data for such comparison. In a computer system,
however, programmes are used to prepare this data. Therefore, care must be taken that
there are no unauthorised modifications to this programs or to any of the data files
database programs use otherwise the irregularity may not be discovered.
Question 9
Discuss the control procedures which the auditor should adopt in applying CAAT (Computer
Assisted Audit Technique) in an audit under EDP environment (8 marks) (Final Nov 2003)
EDP Audit
151
Answer
Control Procedures and Computer-Assisted Audit Techniques (CAATs): The common
types of CAATs are audit software and test data. Audit software consists of computer
programmes used by the auditor to process data of audit significance from the entity’s
accounting systems. It may consist of package programmes, purpose-written programmes
and utility programmes. Regardless of the source of programme, the auditor should
substantiate their validity for audit purposes prior to use. Test Data techniques on the other
hand are used in conducting audit procedures by entering data (a sample transactions) into an
entity’s computer systems and comparing the results obtained with the predetermined results.
Test data is used to test specific controls in computer programmes, such as, on line password
and data access.
Controlling the CAAT Application: The use of a CAAT should be controlled by the auditor to
provide reasonable detailed specifications of the CAAT have been met and that the CAAT is
not improperly manipulated by the entity’s staff. The specific procedures necessary to control
the use of a CAAT will depend on the particular application in establishing audit control which
require the auditor should consider the need to –
(a) Approve the technical specifications and carry out a technical review of the work
involving the use of the CAAT.
(b) Review the entity’s general IT controls which may contribute to the integrity of the CAAT,
e.g., control over programme changes and access to computer files. When such controls
cannot be relied upon to ensure the integrity of the CAAT, the auditor may consider
processing the CAAT applications at another suitable computer facility.
(c) Ensure appropriate integration of the output by the auditor into the audit process.
Procedures carried out by the Auditor to control Audit Software Application
(a) Participating in the design and testing of the computer programmes.
(b) Checking the coding of the programme to ensure that it conforms with detailed
programme specifications.
(c) Requesting the entity’s computer staff to review the operating system instructions to
ensure that the software will run in the entity’s computer installation.
(d) Running the audit software on small test files before running on the main data files.
(e) Ensuring that the correct files were used, e.g. by checking with external evidence, such
as control totals maintained by the user.
(f) Obtaining evidence that the audit software functioned as planned, for example, returning
output and control information.
(g) Establishing appropriate security measures to safeguard against manipulations of the
entity’s data files.
The presence of the auditor is not necessarily required at the computer facility during the
running of a CAAT to ensure appropriate control procedures. However, it may provide
Advanced Auditing
152
practical advantages, such as being able to control distribution of the output and ensuring the
timely corrections of errors.
Procedures carried out by the Auditor to Control Test Data Applications
(a) Controlling the sequence of submissions of test data where it spans several processing
cycles.
(b) Performing test runs containing small amounts of test data before submitting the main
audit test data.
(c) Predicting the results of the test data and comparing it with the actual test data output,
for the individual transactions and in total.
(d) Confirming that the answered version of the programmes was used to process the test
data.
(e) Obtaining reasonable assurance that the programmes used to process the test data were
used by the entity throughout the applicable audit period.
When using a CAAT, the auditor may require the co-operation of the entity’s staff who have
extensive knowledge of the computer installation. In such circumstances, the auditor should
have reasonable assurance that the entity’s staff did not improperly influence the results of the
CAAT. Finally, the standard of working papers and retention procedures for a CAAT should be
consistent with that on the audit as a whole. It may be convenient to keep the technical
papers relating to the use of the CAAT separate from the other audit working papers. The
working papers should contain sufficient documentation to describe the CAAT application.
Question 10
State the important characteristics of an effective computer audit programme System
(8 marks) (Final May 2004)
Answer
Characteristics of an effective computer audit program system: Normally, the computer
audit program developed for general purposes shall have to customised according to needs of
the organisation. However, an examination of following features is necessary to ensure that it
is effective:
1. Simplicity: The system should be simple to use and eliminate the need for remembering
countless details normally required in writing or revising computer programs.
2. Understandability: The system should be readily understandable by members of the
audit staff, even those with little computer expertise. The capabilities of the system
should be known and it should be easy to use. Coding forms provided should not be
difficult to understand.
3. Adaptability: The system should be capable of writing computer audit programs for the
various types of computers used in the company or expected to be acquired. Thus the
package will be usable if the equipment is changed in the future.
EDP Audit
153
4. Vendor technical support: In considering the types of package to be acquired, it is
important that the vendor provides adequate support. This includes assisting in the initial
installation and providing adequate documentation. In addition, training provided for the
audit staff is important. Also, maintenance service should be furnished, and provision
made for future revisions in the programs.
5. Statistical sampling capability: Since statistical sampling is an important application in
auditing, the package should be able to perform the various statistical routines. This
should include the selection of items on a random basis, determination of sample size,
and evaluation of results at different confidence levels. In addition to simple random
sampling and stratified sampling, it should have routines for more complex sampling such
as cluster and multistage sampling.
6. Acceptability: The system should be acceptable to both the auditors and to computer
centres. For the auditors the programs should be easily carried to the site and practical
to use. For the computer centre the programs should be compatible with the system and
be capable of minimum interference with normal routines.
7. Processing Capabilities: The package should be able to process many different types
of applications. For example, it should accept all common file media and process multiple
file input. It should have the capability for extended data selection and stratification. It
should have the ability to operate under multiprogramming situations. It should have
powerful, generalized audit commands.
8. Report Writing: The package should have a strong report writing function. This should
include the ability to prepare multiple reports in a single program run and to generate
flexible output report formats.
Question 11
(a) State the specific problems, which may arise in the implementation of internal control in
an EDP system. (8 marks)
(b) What are the characteristics of ‘On-line Computer System’? (4 marks)
(c) Explain : Tagging and Tracing (4 marks) (Final Nov 2004)
Answer
(a) Specific problems of EDP relating to Internal Control: In an EDP system, the
following specific problems arise in the implementation of internal control:
(i) Separation of duties: In a manual system, separate individuals are responsible for
initiating transactions, recording transactions, and custody of assets. As a basic
control, separation of duties prevents or detects errors and irregularities. In a
computer system, however, the traditional notion of separation of duties does not
always apply. For example, a program may reconcile a vendor invoice against a
receiving document and print a cheque for the amount owed to a creditor. Thus, the
program is performing functions that in a manual systems would be considered
incompatible. In minicomputer and PC environments, separation of incompatible
Advanced Auditing
154
functions may be even more difficult to achieve. Some minicomputers and PCs
allow users to change programs and data easily; furthermore, they provide no
record of these changes. If the minicomputer or PC does not have an inbuilt
capability to provide a secure record of changes, it may be difficult to determine
whether incompatible functions have been performed by systems users.
(ii) Delegation of authority and responsibility: A clear line of authority and
responsibility is an essential control in both manual and computer systems. In a
computer system, however, delegating authority and responsibility in an
unambiguous way may be difficult because some resources are shared among
multiple users. For example, one of the objectives of using a database
management system is to provide multiple users with access to the same data,
thereby reducing the control problems that arise with maintaining redundant data.
When multiple users have access to the same data and integrity of the data is
somehow violated, it is not always easy to trace who is responsible for corrupting
the data and who is responsible for identifying and correcting the error. Some
organizations have attempted to overcome these problems by designating a single
user as the owner of data. This user assumes ultimate responsibility for the
integrity of the data.
(iii) Competent and trustworthy personnel: The technology of data processing is now
exceedingly complex-much more complex than in the days of manual systems.
Highly skilled personnel are needed to develop, modify, maintain, and operate
today’s computer systems. Thus, the existence of competent and trustworthy
personnel becomes even more important when computer systems are used to
process an organization’s data, since a relatively small number of individuals
assume major responsibility for the integrity of the data.
(iv) System of authorizations: Management issues two types of authorizations to
execute transactions. General authorizations establish policies for the organization
to follow: for example, a fixed price list is issued for personnel to use when products
are sold. Specific authorisations apply to individual transactions: for example,
acquisitions of major capital assets may have to be approved by the board of
directors. In a manual system, auditors evaluate the adequacy of procedures for
authorisation by examining the work of employees. In a computer system
authorisation procedures often are embedded within a computer program. For
example, the order entry module in a sales system may determine the price to be
charged to a customer. Thus, when evaluating the adequacy of authorisation
procedures, auditors have to examine not only the work of employees but also the
veracity of program processing.
(v) Adequate documents and records: In a manual system, adequate documents and
records are necessary to provide an audit trail of activities within the system. In
computer systems, documents may not be used to support the initiation, execution
and recording of some transactions. For example, in an on line order entry system
customers orders received by telephone may be entered directly into the system.
EDP Audit
155
Similarly, some transactions may be activated automatically by a computer system:
For example, an inventory replenishment program may initiate purchase orders
when stock levels fall below a set amount. Thus, no visible audit or management
trail may be available to trace the transaction. The absence of a visible audit trail is
not a problem for the auditor provided that systems have been designed to maintain
a record of all events and there is a means of accessing these records. In welldesigned
computer systems, audit trails are often more extensive than those
maintained in manual systems.
(vi) Physical control over assets and records: Physical control over access to assets
and records is critical in both manual systems and computer systems. Computer
systems differ from manual systems, however, in the way they concentrate the data
processing assets and records of an organization. For example, in a manual
system, a person wishing to perpetrate a fraud may be maintained at a single sitethe
data processing installation. Thus, the perpetrator does not have to go to
physically distance locations to execute the fraud.
(vii) Adequate management supervision: In a manual system management
supervision of employee activities is relatively straight forward because managers
and employees are often at the same physical location. In computer systems,
however, data communications may be used to enable employees to be closer to
the customers they service. Thus, supervision of employees may have to be carried
out remotely. Supervisory controls must be built into the computer system to
compensate for the controls that usually can be exercised through observation and
inquiry.
(viii) Comparing recorded accountability with assets: Periodically, data and the
assets that the data purports to represent should be compared to determine
whether incompleteness or inaccuracies in the data exist or shortages in the assets
have occurred. In a manual system, independent staff prepares the basic data used
for comparison purposes. In a computer system, however, programs are used to
prepare this data. For example, programs may sort an inventory file by warehouse
location and prepare counts by inventory item at different warehouses. If
unauthorized modifications occur to the programs or data files that the programs
use, an irregularity may not be discovered.
(b) Characteristics of ‘On-line Computer System’
(i) Validation Checks: When data are entered on-line, they are usually subject to
immediate validation checks. Data failing this validation would not be accepted and
a message may be displayed on the terminal screen, providing the user with the
ability to correct the data and re-enter the valid data immediately. For example, if
the user enters an invalid inventory part number, an error message will be displayed
enabling the user to re-enter a valid part number.
(ii) On-Line Access: Users may have on-line access to the system that enables them
to perform various functions, e.g., to enter transactions and to read, change or
delete programs and data files through the terminal devices. Unlimited access to all
Advanced Auditing
156
of these functions in a particular application is undesirable because it provides the
user with the potential ability to make unauthorised changes to the data and
programs. The extent of this access will depend upon such things as the design of
the particular application and the implementation of software designed to control
access to the system.
(iii) Transaction Trail: An on-line computer system may be designed in a way that does
not provide supporting documents for all transactions entered into the system.
However, the system may provide details of the transactions on request or through
the use of transaction logs or other means. Illustrations of these types of systems
include orders received by a telephone operator who enters them on-line without
written purchase orders, and cash withdrawals through the use of automated teller
machines.
(iv) Programmer Access: Programmers may have on-line access to the system that
enables them to develop new programs and modify existing programs. Unrestricted
acess provides the programmer with the potential to make unauthorised changes to
programs and obtain unauthorised access to other parts of the system. The extent
of this access depends on the requirements of the system. For example, in some
systems, programmers may have access only to programs maintained in a separate
program development and maintenance library; whereas, in emergency situations
which require changes to programs that are maintained on-line, programmers may
be authorised to change the operational programs. In such cases, formal control
procedurs would be followed subsequent to the emergency situation to ensure
appropriate authorisation and documentation of the changes.
(c) Tagging and Tracing: It is a technique better than Integrated Test Data Facility. It
involves tagging the client’s input data in such a way that relevant information is
displayed at key points. It uses the actual data, and so the question of elimination of
‘special entries’ test data designed under Integrated Test Data Facility does not arise.
The hard copy, so produced is available only to the auditor and may describe such inputs
as hours worked in a pay period in excess of 50; or sales orders processed in excess of
Rs.1,00,000. This enables the auditor to examine transactions at the intermediate steps
in processing. The advantage of the tagging and tracing approach lies in the use of
actual data and elimination of the need for reversing journal entries. The disadvantage is
that the erroneous data will not necessary be tagged. An effective combination approach
may be to use the ITF approach (integrated test facility) for a few hypothetical
transactions and the tagging and tracing approach to follow line data through a complex
system.
Question 12
Answer the following:
In determining whether to use Computer Assisted Auditing Techniques (CAATs), what are the
factors that a statutory auditor has to consider? (6 marks) (Final May 2005)
EDP Audit
157
Answer
Consideration of Factors in Use of CAATs: In determining whether to use CAATs, the
auditor should consider the following factors:
(i) Availability of sufficient IT knowledge and expertise: It is essential that members of
the audit team should possess sufficient knowledge and experience to plan, execute and
use the results of CAAT. The audit team should have sufficient knowledge to plan,
execute and use the results of the particular CAAT adopted.
(ii) Availability of CAATs and suitable computer facilities and data in suitable format:
The auditor may plan to use other computer facilities when the use of CAATs on an
entity’s computer is uneconomical or impractical, for example, because of an
incompatibility between the auditor’s package programme and entity’s computer.
(iii) Impracticability of manual tests due to lack of evidence: Some audit procedures may
not be possible to perform manually because they rely on complex processing (for
example, advanced statistical analysis) or involve, amounts of data that would overwhelm
any manual procedure.
(iv) Impact on effectiveness and efficiency in extracting a data: It includes selection of
samples, applying analytical procedures, time involved in application of CAAT, etc.
(v) Time constraints in certain data, such as transaction details, are often kept for a short
time and may not be available in machine-readable form by the time auditor wants them.
Thus, the auditor will need to make arrangements for the retention of data required, or
may need to alter the timing of the work that requires such data.
Question 13
State the important characteristics of an effective system of Computer Audit Programme.
(8 marks)(Final Nov 2006)
Answer
Important characteristics of an effective system of computer audit program
(i) The system has to be simple to use and eliminate the need to remember countless
details normally required in writing or revising computer programs.
(ii) It has to be easily understandable even by those with little computer expertise and easy
to use.
(iii) It has to be capable of being used with different configuration of computers.
(iv) The package has to include adequate support at the time of installation, provide
adequate training to the staff and to provide documentation. There should be a provision
for future revision of the program.
(v) The package should have statistical sampling capability.
(vi) The system has to be acceptable to all users in terms of easy execution and compatible
with the existing system.
Advanced Auditing
158
(vii) The program has to be capable of processing different types of applications.
(viii) The program should have strong report writing function including the ability to prepare
multiple reports in a single program run and to generate flexible output report formats.
Question 14
Write a short notes on - Factors to consider in determining the use of Computer Assisted Audit
Techniques (CAATs). (4 marks) (Final May 2007)
Answer
Factors to consider in determining the use of Computer Assisted Audit Techniques
(i) The IT knowledge, expertise and experience of the audit team.
(ii) The availability of CAATs and suitable computer facilities and data.
(iii) The impracticability of manual tests due to complex processing needed.
(iv) Effectiveness and efficiency in evaluating evidence involving large population.
(v) Time constraints.
The above is in consonance with the guidance note on Computer Assisted Audit Techniques.
Question 15
“The method of collecting Audit evidence and evaluating the same changes drastically under EDP
Auditing”. Comment on the above. (8 marks) (Final Nov 2007)
Answer
Effects of EDP Auditing: Auditor must provide a competent, independent opinion as to whether
the financial statements records and report a true and fair view of the state of affairs of an entity.
However, computer systems have affected how auditors need to collect and evaluate evidence.
These aspects are discussed below:
(1) Changes to Evidence Collection - Collecting evidence on the reliability of a computer
system is often more complex than collecting evidence on the reliability of a manual
system. Auditors have to face a diverse and complex range of internal control technology
that did not exist in manual system, like:
(a) accurate and complete operations of a disk drive may require a set of hardware
controls not required in manual system,
(b) system development control include procedures for testing programs that again are
not necessary in manual control.
Since, Hardware and Software develop quite rapidly, understanding the control
technology is not easy. With increasing use of data communication for data transfer,
research is focused an cryptographic controls to project the privacy of data. Unless
auditor's keep up with these developments, it will become difficult to evaluate the
reliability of communication network competently.
EDP Audit
159
The continuing and rapid development of control technology also makes it more difficult
for auditors to collect evidence on the reliability of controls. Even collection of audit
evidence through manual means is not possible. Hence, auditors have to run through
computer system themselves if they are to collect the necessary evidence. Though
generalized audit software are available the development of these tools cannot be relied
upon due to lack of information. Often auditors are forced to compromise in some way
when performing the evidence collection.
(2) Changes to Evidence Evaluation - With increasing complexity of computer systems and
control technology, it is becoming more and more difficult for the auditors to evaluate the
consequences of strength and weaknesses of control mechanism for placing overall
reliability on the system.
Auditors need to understand:
(a) whether a control is functioning reliably or multi functioning,
(b) traceability of control strength and weakness through the system. In a shared data
environment a single input transaction may update multiple data item used by
diverse, physically disparate user, which may be difficult to understand.
Consequence of errors in a computer system is a serious matter as errors in computer
system tend to be deterministic, i.e., an erroneous program will always execute data
incorrectly. Moreover, the errors are generated at high speed and the cost and effort to
correct and rerun program may be high. Errors in computer program can involve
extensive redesign and reprogramming. Thus, internal controls that ensure high quality
computer systems should be designed implemented and operated upon. The auditors
must ensure that these control are sufficient to maintain assets safeguarding, data
integrity, system effectiveness and system efficiency and that they are in position and
functioning.
Question 16
"Use of Audit Software would increase the probability of detecting frauds". Comment.
(6 marks) (Final May 2008)
Answer
Use of Audit Software: CAATs allow the auditor to give access to data without dependence on
the client, test the reliability of client software and perform audit tests more efficiently. CAATs are
used to perform various audit procedures like;
(i) Tests of details of transactions and balances e.g. use of audits software to test all or a
few transactions in a computer file.
(ii) Analytical review procedures e.g. use of audit software to identify unusual fluctuations or
items.
(iii) Compliance tests of IT application controls e.g. use of test data to test the functioning of
a programmed procedure.
Advanced Auditing
160
However, the methods of applying audit procedures to gather evidence may be influenced by the
methods of computer processing. Sometimes, in some accounting systems that use of computer
for processing significant applications, it may difficult or impossible for an auditor to obtain certain
data for inspection, inquiry or confirmation without computer assistance.
CAAT in fraud Detection: In an EDP environment, the Auditor is required to plan his work by
exercising reasonable care and skill in such a manner that there is reasonable expectation of
detecting material misstatements in the financial information resulting from fraud or error.
Use of the CAAT/ audit software systems will help the auditor to identify errors and frauds in the
accounting and internal control system.
Conclusion: Frauds are intentional Auditing through the computer with adequate knowledge of
computer systems may highlight some frauds, but there is no empirical evidence to prove the
assertion that the use of audit software systems has unearthed well concealed frauds.
Thus, it cannot be conclusively said that use of audit software systems increases the probability of
detection of fraud.