AUDIT DOCUMENTATION

The auditor shall include in the audit documentation:

a. The overall audit strategy;
b. The audit plan; and
c. Any significant changes made during the audit engagement to the overall audit
strategy or the audit plan, and the reasons for such changes.

The documentation of the overall audit strategy is a record of the key decisions
considered necessary to properly plan the audit and to communicate significant
matters to the engagement team. For example, the auditor may summarize the
overall audit strategy in the form of a memorandum that contains key decisions
regarding the overall scope, timing and conduct of the audit.
The documentation of the audit -plan is a record of the planned nature, timing and
extent of risk assessment procedures and further audit procedures at the assertion
level in response to the assessed risks. It also serves as a record of the proper
planning of the audit procedures that can be reviewed and approved prior-to their
performance. The auditor may use standard audit programs or audit completion
checklists, tailored as needed to reflect the particular engagement circumstances.
A record of the significant changes to the overall audit strategy and the audit plan,
and resulting changes to the planned nature, timing and extent of audit procedures,
explains why the significant changes were made, and the overall strategy and audit
plan finally adopted for the audit. It also reflects the appropriate response to the
significant changes occurring during the audit.
The auditor must record or document all the information gathered as audit evidence
in forming an opinion on the financial statements. The evidence is recorded in the
form of working papers which are prepared by the auditor or obtained during the
audit. The working papers are retained by the auditors in connection with the
performance of an audit. Audit working papers should always be sufficiently
complete and detailed to enable an inexperienced auditor having no previous
connection to the audit to ascertain work that was performed to support the
conclusion reached.
The auditor should record all relevant information known to him at the time, the
conclusion reached based on that information and the views of management.

The need for good working papers

- The reporting partner needs to satisfy himself that the work delegated
by him has been properly performed. This is only possible by
 reviewing detailed working papers prepared by the audit staff that
performs the work. This also aids in supervision and review of work
done by audit assistants. Working papers provide details of problems
encountered together with evidence of work performed and conclusion
reached. They can also serve as a good reference point for future
audit.
- Preparation of working papers enables to auditor to adopt a methodical
approach to his work.
- Working papers assist in planning and performance of audit in future financial
periods.
- If sued for negligence, the auditor can use the working papers as
evidence for work done.
- Working papers can be used for training of audit staff. They contain audit
programme and specimen schedules which audit assistants can refer to
when conducting the audit.

Auditing guidelines do not define precisely, the form of working papers but it
indicates what might typically be contained therein.
- Information of continuing importance to the audit such as letter of engagement
and memorandum of association.
- Planned audit approach as contained in the planning memorandum.
- Auditor's assessment of client's accounting system, his review and evaluation of
internal controls. Details of work carried out, not as of errors or exceptions noted
and action taken together with conclusion drawn by audit staff.
- Evidence that the work of staff has been properly reviewed.
- Record of relevant balances and other financial info that is subject to the audit
- Analysis of significant ration and trends
- Copies of communications with other auditors, expects and other third parties.
- Letters of representation received form management.
- Working papers are divided into the current audit file (CAF) and the permanent
audit file (PAF)

The permanent audit file

This contains documents and matters of continuing importance which are required for
more than one financial period.
It contains:
Statutory material governing the conduct of the audit e.g. for companies, the
companies Act Cap 486 and for quoted companies in Nairobi Stock Exchange, the
NSE booklet of regulation are required.
- Rules and regulations of the entity e.g. articles of association or a partnership
 deed.
- Copies of documents of continuing importance and relation to the auditors e.g.
minutes of meetings that recorded the appointment of the auditor, guarantees and
indemnities entered into. Address of registered office and all other premises with a
short description of the work carried at each of those premises.
- Organizational chart showing the principal departments and subdivision thereof
and names of officials and their responsibilities showing clearly the lines of
authority.
- A list of directors, their shareholding and service contracts.
- A list of company’s advisors, bankers, lawyers, stock brokers and valuers
- An outline of history of the organization reserves and share capital.
- Accounting policies used on material areas such as stock and depreciation.

The current audit file

This file contains matters pertinent to the current year's audit and contains:
- A copy of the accounts being audited which must be signed by the directors.
- A file index showing contents of the file.
- A detailed description of internal control system in form of flow charts,
questionnaires or any other form of suitable documentation.
- Audit programme showing the audit objective and planned audit procedures for
each of the areas to be audited.
- A schedule of each item in the balance sheet showing the balance at beginning of
the year, changes during the year and balance at the end of the year. The schedule
also shows details of work performed on each balance, the result and conclusion
made.
- A schedule_ of the items in the profit and loss account. It will show the
details of work performed on each balance the result and conclusion
reached.
- A check list for compliance with statutory disclosure requirements and
accounting standards. A record of questions raised during the audit and those
raised in the previous audit.
- A schedule of important statistics such as net profit margin, liquidity ratios and
composition of sales
- A record or an abstract form minutes of all director's meetings and of any internal
committee whose deliberations are important to the auditor.
- The management letter setting out weakness of the internal control system.
- Letters of representation obtained from client's management.

Standardized working papers

This refers to a predetermined format of presenting and documenting audit findings
formulated by individual audit firms e.g. check lists and specimen letters which are
filled with standard wording and .gaps_ left to fill in the relevant details of the
client.

Advantages of standardized Working Papers

- This improves the efficiency with which working papers are prepared because
they will be used for many clients.
- They act on guidelines for instructions to audit staff and facilitate delegation of
work.
- They provide a means to control the quality of audit work by ensuring that
minimum quality standards are maintained.
- Ensures that all relevant issues in the audit are addressed.

Disadvantages
- It is not appropriate to follow mechanically, a standardized approach to the
conduct and documentation of audit work as the auditor in some cases will need
to exercise his own judgment.
- The initiative of auditor staff may be restricted because the need to exercise
judgment in preparing working papers is eliminated.
- The client staff may become familiar with the method and perpetuate
fraud in areas not covered by the standard working papers.
- The audit work becomes very mechanical with use of standardized working
papers.
ASSESSING AUDIT RISK

Audit risks (ISA 320)

Audit risk refers to the risk that the auditors will express an inappropriate audit
opinion when the financial statements are materially misstated.
Audit risk therefore could be defined as the chance of damage to the audit firm as a
result of giving an opinion that is wrong in some particular. Or put another way, it
could be explained as the possibility that financial statements contain material miss-
statements which had escaped detection by both an internal control on which the
auditor has relied and on the auditor's own substantive tests and other work.
It could be looked at also as: the possibility that the auditor may be required to pay
damages to the client or other persons as a consequence of:
1. The financial statements containing a miss-statement;
2. The complaining party suffering a loss as a direct consequence of relying on the
financial statement and
3. Negligence by the auditor in not detecting any reporting on the miss-
statement which can be demonstrated.

Damage to the audit firm or the auditor may be in the form of monetary damages
paid to the complainant as compensation or simply damage to their reputation with a
client or the business community.
All audits involve an element of risk such that however strong the audit evidence
and however careful the auditor, there is always a possibility of an error or a fraud
going undetected. It is generally known that the auditor who organises his office and
staff in a competent manner an follows auditing standards and guidelines is unlikely
to be found negligent and to pay damages as a consequence of fraud or error not
being discovered by him.
Audit risks facing the auditor when material assets are stated at fair values
instead of historical costs include:
 Inherent risk is the susceptibility of an assertion to a misstatement that could be
material, either individually or when aggregated with other misstatements,
assuming that there are no related controls.
 Control risk is the risk that a misstatement that could occur in an assertion and
that could be material either individually or when aggregated with other
misstatements, will not be prevented or detected and corrected on a timely basis
by the entity's internal control. Control risk is a function of the effectiveness of
the design and operation of internal control in achieving the entity's objectives
relevant to the preparation of the entity's financial statements.
 Detection risk is the risk that the auditor will not detect a material misstatement
that exists in an assertion that could be material either individually or when
aggregated with other misstatements. Detection risk is a function of the
effectiveness of an audit procedure and its application by the auditor.

Key audit risks may include

1. The management should install an internal control system to detect material errors
and correct them. In this case management should implement controls around
receivables, work in progress and inventory to ensure that any materials errors are
detected before they make it to the financial statements.
2. Some material errors may fail to be detected by the controls and others may
completely by-pass the controls. The value of inventory depends on the valuation
by the chief engineer of the firm, who despite all the controls may under or
overstate the value of inventory to suit the management intentions.
3. The auditor is expected to carry out audit procedures to provide reasonable
assurance that material errors will be detected and removed from the financial
 statements. Despite the audit. Procedures and the controls, there will be the-
possibility that some misstatements will be undetected. The management makes
provisions for warranties based on estimates of the costs incurred in repairing the
machines.

Audit risk can be either normal or higher than normal.

Normal audit risk

Indications that an audit is a normal risk audit are:
a) The client having management and staff who are competent and have integrity;
b) Where the client has an accounting system that is well designed, works and is
subject
c) to strong internal controls;
d) Where the client has no special financial problems;
e) The auditor's past experience;
f) Where the client is old, well established and the business of the entity is not
subject to
g) rapid change;
h) If the client's board of directors are actively engaged in the company and they
provide
i) control and leadership of a good quality;
j) If the board of directors has competent non-executive directors:
k) If the organization has an audit committee....

When the auditor is faced with the normal audit risk, the audit approach adopted is
usually one of reliance on key controls supported by substantive tests, compliance
tests and analytical review.

Higher than normal risk

Several audit assignments involve high audit risk and usually in any client there will
always be at least one high risk area. Indications that an audit has an element of
higher than normal audit risk include:
a. Poor management with lack of control and poor book-keeping;
b. Liquidity problems and high gearing;
c. The opposite of all the factors mentioned in the normal risk above;
d. Recent changes in ownership, control or key staff;
e. Changes in accounting policies or procedures;
f. Future plans to seek quotation on the Nairobi Stock Exchange;
g. Over-reliance on a few products, customers, suppliers and investments in new
 ventures or products;
h. Problems inherent in the nature of the business for example difficulties in stock
counting or valuation, difficulties in determining the extent of claims and
i. The existence of put upon enquiry situations, dominance by the single person and
lack of involvement of directors or proprietors. In such a situation, the auditor
approaches his audit in a manner that is:
 Collection of audit evidence in each area from a wide range of sources
 Taking extreme care in the preparation of audit working papers
 Investigating thoroughly high risk and problematic areas
 Exercising extreme care in drafting the audit report

In addition to normal risk and higher than normal risk discussed above, the auditor
can also be exposed by sub-standard work such as:
 His failure to recognise put upon enquiry situation
 His failure to draw correct inferences from audit evidence and the analytical
review
 His use of wrong procedures in a particular situation
 His failure to perform necessary audit work because of time and cost
consideration
 His failure to detect errors or fraud because of poor sampling methods or the
selection of inadequate sample sizes

It is essential that an audit firm should organize itself in such a way that it can
minimise the risk of suffering any damage. We can look at these measures from two
points of view. Broad measures taken by the profession as a whole and measures to
be taken by the individual auditor in minimising this audit risk.
This approach requires the auditor to determine what are the very important business
risks which the client faces. This line of approach both helps the client and also
enables the auditor to appreciate and understand his clients business and appreciate
all aspects of the business activities. It is then for the auditor to determine where the
risks are likely or unlikely and whether the risks are likely to produce serious
consequences. This enable the audit to be focused on those matters where there is a
possibility of misstatement. This is the basis of revised auditing standards. The big
firms have largely adopted this approach within their audit methodology.
The history of auditing shows a gradual change over time as detailed testing of
transactions moved to system audits. The next development was the audit risk model
which focuses the audit and the extent of audit procedures on to the areas of an audit
where the auditor was most at risk of giving an inappropriate opinion.
ISA 220, Quality Control for an Audit of Financial Statements,
 Environmental requirements affecting the industry and the entity's business.

 ISA 250 includes some specific requirements related to the legal and regulatory
framework applicable to the entity and the industry or sector in which the entity
operates.

Other External Factors

Examples of other external factors affecting the entity that the auditor
may consider include the general economic conditions, interest rates and
availability of financing, and inflation or currency revaluation.
Nature of the Entity
An understanding of the nature of an entity enables the auditor to understand such
matters as:
 Whether the entity has a complex structure, for example, with subsidiaries or other
components in multiple locations. Complex structures often introduce issues that
may give rise to risks of material misstatement. Such issues may include whether
goodwill, joint ventures, investments, or special-purpose entities are accounted for
appropriately.
 The ownership, and relations between owners and other people or entities. This
understanding assists in determining whether related party transactions have been
identified and accounted for appropriately:
 ISA 550 establishes requirements and provides guidance on the auditor's
considerations relevant to related parties.
Examples of matters that the auditor may consider when obtaining an understanding
of the nature of the entity include:
 Business operations such as:
- Nature of revenue sources, products or services, and markets, including
involvement in electronic commerce such as Internet sales and marketing
activities.
- Conduct of operations (for example, stages and methods of production, or
activities exposed to environmental risks).
- Alliances, joint ventures, and outsourcing activities.
- Geographic dispersion and industry segmentation.
- Location of production facilities, warehouses, and offices, and location and
quantities of inventories.
- Key customers and important suppliers of goods and services, employment
arrangements (including the existence of union contracts, pension and other
post- employment benefits, stock option or incentive bonus arrangements, and
government regulation related to employment matters).
 - Research and development activities and expenditures.
- Transactions with related parties.
 Investments and investment activities such as:
- Planned or recently executed acquisitions or divestitures:
- Investments and dispositions of securities and loans
- Capital investment activities
- Investments in non-consolidated entities, including partnerships, joint
ventures and special-purpose entities
 Financing and financing activities such as:

- Major subsidiaries and associated entities, including consolidated and non-

consolidated structures.
- Debt structure and related terms, including off-balance-sheet financing
arrangements and leasing arrangements.
- Beneficial owners (local, foreign, business reputation and experience) and related
parties.
- Use of derivative financial instruments.
 Financial reporting such as:
- Accounting principles and industry-specific practices, including industry-specific
significant categories (for example, loans and investments for banks, or research
and development for pharmaceuticals).
- Revenue recognition practices.
- Accounting for fair values.
- Foreign currency assets, liabilities and transactions.
- Accounting for unusual or complex transactions including those in controversial
or emerging areas (for example, accounting for stock-based compensation).

Significant changes in the entity from prior periods may give rise to, or change,
risks of material misstatement.
Nature of Special-Purpose Entities
A special-purpose entity (sometimes referred to as a special-purpose vehicle) is an
entity that is generally established for a narrow and well defined purpose, such as to
effect a lease or a securitization of financial assets, or to carry out research and
development activities. It may take the form of a corporation, trust, partnership or
unincorporated entity. The entity on behalf of which the special-purpose entity has
been created may often transfer assets to the latter (for example, as part of a de-
recognition transaction involving financial assets), obtain the right to use the latter's
assets, or perform services for the latter, while other parties may provide the funding
to the latter. As ISA 550 indicates, in some circumstances, a special purpose entity
 may be a related party of the entity.
Financial reporting frameworks often specify detailed conditions that are deemed to
amount to control, or circumstances under which the special purpose entity should
be considered for consolidation. The interpretation of the requirements of such
frameworks often demands a detailed knowledge of the relevant agreements
involving the special-purpose entity.

The Entity's Selection and Application of Accounting Policies

An understanding of the entity's selection and application of
accounting policies may encompass such matters as:
 The methods the entity uses-to account for significant and unusual transactions.
 The effect of significant accounting policies in controversial or emerging areas
for which there is a lack of authoritative guidance or consensus.
 Changes in the entity's accounting policies.
 Financial reporting standards and laws and regulations that are new to the entity
and when and how the entity will adopt such requirements.
The Business Risk Approach to Auditing
Business risk is the threat that an event or action will adversely affect a business's
ability to achieve its ongoing objective. It can be split between external and internal
factors.
The business risk approach to auditing involves examining the business in it's
entirely and evaluating the various risks to which it is exposed. The business risks
are factors which affect the company's ability to meet its goals. The risks may be
controllable (to some extent) or uncontrollable (for example, external factors). It
may be possible to trade-off some risks (e.g. insurance). The auditor is concerned
about those risks which may impact upon the financial statements and therefore
needs a full understanding of the business and its risks in order to do this. The
auditor will then plan the audit strategy with these business risks clearly focused in
mind.
The Effects of the Business Risk Approach
There are some general points which can be made about the business
risk approach and the effect it has had on the auditing process.
i. This 'top down' approach to the audit, beginning with business risk and ending
with the financial statements
ii. There is still a lack of clarity in the relationship between business risk and audit
risk
iii. The ideas of inherent risk and control risk have tended to merge into the larger
concept of business risk.
iv. The ideas of inherent risk and control risk can be called residual risk
which has to be minimized by audit action. An audit action carries
with it detection risk.
v. The approach is very much a high level approach and should include
consideration of all .matters which are critical to the business. For example,
'could the client lose the
vi. XYZ franchise and what would be the possible consequences for the company
and its financial statements?'
vii. Because of the high level of understanding required of a client's business it is
possible to use analytical procedures more frequently as a procedure for
verification of financial statement assertions
viii. It is an aid to the firm's acceptance and continuation procedures for clients (do
we want this client?)
ix. Business failure risk is an important aspect of overall business risk. The
assessment of business failure risk will assist the auditor when considering the
going concern status of the clients business.
x. The audit needs to be tailor made and a generalized approach to audits is neither
productive nor economical
xi. Auditors need more understanding of business and to that end the larger firms
set up larger databases of information about the economy and the business
world
The concept implies a continuing relationship with the client rather than a one off
view with each year being separate.
As should be evident from this summary the business risk approach is a more
holistic approach to the audit. The business risk approach starts at a stage back from
the traditional audit risk model and offers more benefit to auditors and clients alike.

Business Risk results from significant conditions, events, circumstances or actions

that could adversely affect the entity's ability to achieve its objectives and execute its
strategies. Even though such risks are likely to eventually have an impact on an
entity's financial statements, not every business risk will translate directly in a risk of
a material misstatement in the financial statements, which is often referred to as audit
risks. There are 3 categories of business risk.

 Financial risk- this is the risk that the firm will not be able to meet its short term
maturing obligations as a when they fall due.
 Operational risk- these are risks arising with regard to operations for instance,
the risk that a major supplier will lay longer be able to supply the company with
 the key raw materials.
 Compliance risk- Risk that arises from non-compliance with laws and
regulations under which the business operates for example, environmental issues.

Objectives and Strategies and Related Business Risks

The entity conducts its business in the context of industry, regulatory and other
internal and external factors. To respond to these factors, the entity's management or
those charged with governance define objectives, which are the overall plans for the
entity. Strategies are the approaches by which management intends to achieve its
objectives. The entity's objectives and strategies may change over time.
Business risk is broader than the risk of material misstatement of the financial
statements, though it includes the latter. Business risk may arise from change or
complexity. A failure to recognize the need for change may also give rise to business
risk. Business risk may arise, for example, from
 The development of new products or services that may fail;
 A market which, even if successfully developed, is inadequate to support a
product or service; Or
 Flaws in a product or service that may result in liabilities and reputational risk.

An understanding of the business risks facing the entity increases the

likelihood of identifying risks of material misstatement, since most
business risks will eventually have financial consequences and, therefore,
an effect on the financial statements. However, the auditor does not have a
responsibility to identify or assess all business risks because not all
business risks give rise to risks of material misstatement.
Examples of matters that the auditor may consider when obtaining an
understanding of the entity's objectives, strategies and related business
risks that may result in a risk of material misstatement of the financial
statements include:
• Industry developments (a potential related business risk might be, for example,
that the entity does not have the personnel or expertise to deal with the changes in
theindustry).
• New products and services (a potential related business risk might be, for
example, that there is increased product liability).

• Expansion of the business (a potential related business risk might be, for example,
that
the demand has not been accurately estimated).
• New accounting requirements (a potential related business risk might be, for
 example, incomplete or improper implementation, or increased costs).
• Regulatory requirements (a potential related business risk might be, for example,
that there is increased legal exposure).
• Current and prospective financing requirements (a potential related business risk
might be, for example, the loss of financing due to the entity's inability to meet
requirements).
• Use of IT (a potential related business risk might be, for example, that systems
and processes are incompatible).
• The effects of implementing a strategy, particularly any effects that will lead to
new accounting requirements (a potential related business risk might be, for
example, incomplete or improper implementation).
A business risk may have an immediate consequence for the risk of material
misstatement for classes of transactions, account balances, and disclosures at the
assertion level or the financial statement level. For example, the business risk arising
from a contracting customer base may increase the risk of material misstatement
associated with the valuation of receivables.
However, the same risk, particularly in combination with a contracting economy,
may also have a longer-term consequence, which the auditor considers when
assessing the appropriateness of the going concern assumption. Whether a business
risk may result in -a risk of material misstatement is, therefore, considered in light of
the entity's circumstances.
Usually, management identifies business risks and develops approaches to address
them. Such a risk assessment process is part of internal control.
Peer review and its objectives
Peer review helps to monitor a CPA firm’s accounting and auditing practice
(practice monitoring). The goal of the practice monitoring, and the program itself, is
to promote quality in the accounting and auditing services provided by the CPA
firms. This goal serves the public interest and enhances the significance of CPA
membership.

 Ensure high quality services are provided to clients

 Review and optimize internal processes
 Provides firms with insights and recommendations for efficiency improvements

Automated Working Papers System

This is a new electronic system for the collection of audit and other review
information. It is designed to provide greater efficiency, flexibility and ease of
information access and does not change the nature of the information collected,
which is audit/review specific, or the reason we collect it.
Provide an overview of the system or collection and indicate the legislation
authorizing this activity.

The Automated Working Papers System is a distributed information system the

system is maintained to increase the efficiency and productivity of the audit/review
process by automating working paper preparation, internal review and retention. The
system utilizes the commercial software product, to manage and integrate working
papers prepared with various standard office automation products.

2. Describe the information the agency will collect and how the agency will use
the collected information.

The system is used in conducting audit/review work.It is a vertical application that

documents the audit process – planning preparation, review and storage – in an
electronic format. The nature and scope of the information is determined by the
objectives of the audit/review. Therefore, the information pertaining to a specific
audit may or may not contain personally identifiable information. To the extent that
personally identifiable information is collected, it is generally maintained in the
audit/review work papers and not disseminated to the public or readers of the related
reports. The information is not retrievable by personally identifying information. The
information may be used as part of the basis for developing the results of the
audit/review and related recommendations.

3. Explain why the information is being collected.

Conducting audits and other reviews and the issuance of related reports are integral
to mission. This includes supporting audit management activities and day-to-day
administrative management needs.

4. Identify with whom the agency will share the collected information.

Only authorized staff conducting or reviewing audits/reviews use system. Access to

information for individual audits is limited to staff assigned to the audit/review.
Other offices within may have a need on a case-by-case basis to review audits.Other
law enforcement agencies may be provided the information based on the scope and
findings of an audit/review; information may also be shared with auditees and other
third parties when necessary to obtain information relevant to the audit/review.

5. Describe how the information will be obtained, from whom it will be

collected. Describe any opportunities for individuals to decline to provide
information or to consent to particular uses of the information and how
individuals can grant consent.
We generally obtain information from the examination of the books and records and
interviews of the auditee/reviewee and parties acting on behalf of such persons or
entities. We collect information only where we have specific authority to do so and
this information is collected primarily to meet our responsibilities

Such information is generally peripheral to the audit/review. An audit/review start

notice is provided to the auditee containing the description and objectives of the
audit/review. Sufficient background is included to inform the reader of the
audit/review process. In addition to the audit/review start notice, auditors send a
notification letter to the auditee on all audits

6. Describe security measures in place to protect the information.

Access to the automated working papers is restricted by physical and computer-based

access controls. Technological controls include multi-layer firewall architectures on
LAN components. We will safeguard the security of information by requiring the use
of access codes to enter the computer systems that will maintain the data and will
store computerized records in secured areas that are accessible only to employees
who require the information to perform their official duties. All computer files and
printed listings are safeguarded.

7. Describe plans for retention and destruction of data collected.

working papers and associated electronic media are retained for a minimum of 8
years from the end of the fiscal year in which the audit/review report is closed and
the findings resolved. There may be certain factors, such as a subsequent
investigation, which would necessitate holding working papers for longer periods.

8. Identify whether a system of records is being created