CPA Advanced Audit and Assurance (AAA) Study Notes:
Module 1 – The Auditing and Assurance Framework
1.1: Assurance Environment (p.4):
• Assurance services are independent professional services that aim to improve the quality,
relevance and reliability of information necessary for decision making.
• An audit is a specific type of assurance engagement focusing on historical financial
information.
• Assurance services are divided between:
o Audits of historical financial information
o Reviews of historical financial information
o Assurance engagements other than audits and reviews of historical financial
information
• Auditing and assurance are governed by 2 separate but related sets of standards: auditing
standards (International Standards on Auditing – ISA) that are concerned with audits of
historical financial information; and assurance standards (International Standards on Review
Engagements – ISRE) that are concerned with all other types of assurance engagements.
The Internationalisation of Auditing (p.5)
, • Regulatory agencies implement and enforce laws and regulations and they want greater
consistency in the delivery of quality audit services globally
• The International Framework for Assurance Engagements (ISAEs) developed by the IAASB
distinguishes assurance engagements from other engagements and provides a hierarchy of
standards applicable to different engagements.
• The International Code of Ethics for Professional Accountants developed by the IESBA is the
fundamental pronouncement for assurance practitioners and was developed with a view to
enhancing ease of navigation, use and enforcement.
• The main regulatory agencies that have an impact on auditing and assurance engagements
in a global setting include:
o International Federation of Accountants (IFAC)
o International Forum of Independent Audit Regulators (IFIAR)
o International Ethics Standards Board for Accountants (IESBA)
o International Auditing and Assurance Standards Board (IAASB).
Regulation of Auditing in Australia (p.7):
• There are a number of regulators and institutions that have an impact on the audit process,
either directly or indirectly which include:
o Financial Reporting Council (FRC)
o Australian Securities and Investments Commission (ASIC)
o Accounting Professional and Ethical Standards Board (APESB)
, o Auditing and Assurance Standards Board (AUASB)
o Companies Auditors and Liquidators Disciplinary Board (CALDB)
o Australian Securities Exchange (ASX)
o Professional accounting bodies:
Þ CPA Australia
Þ Chartered Accountants Australia and New Zealand (CAANZ)
Þ Institute of Public Accountants (IPA).
1.2: Assurance Engagement Framework (p.11)
• The International Framework for Assurance Engagements (the Framework) issued by the
IAASB applies to all assurance engagements and helps in understanding the engagements to
which ISAs, ISREs and ISAEs apply.
, • Engagements for non-assurance and related services including consulting engagements are
outside the scope of this Framework, but accountants undertaking such engagements must
also adhere to the IESBA Code of Ethics for Professional Accountants (the Code).
• An assurance engagement is when a practitioner expresses a conclusion designed to
enhance the degree of confidence of the intended users other than the responsible party
about the outcome of the evaluation or measurement of a subject matter against criteria.
• An assurance engagement doesn’t include reporting to management (the responsible party)
and a conclusion must be provided as only identifying gaps and providing recommendations
on how to fix them is not relevant
• Matters contained in the Framework include:
o Ethical principles
o Quality control standards
o Description of assurance engagements
o Attestation and direct engagements
o Reasonable and limited assurance engagements
o Scope of the Framework
• Elements of an assurance engagement:
1. 3 party relationship
2. Underlying subject matter
3. Criteria
4. Evidence
5. Assurance report.
Ethical Principles (p.12):
• The Framework specifies that firms that perform assurance engagements must comply with
the fundamental ethical principles outlined in IESBA’s Code.
• The Code’s conceptual framework (the Code, s. 120) outlines circumstances in which threats
to compliance with the fundamental principles may occur and also specifies how
accountants may identify, evaluate and address these threats by eliminating them or
reducing them to an acceptable level.
The Code (p.12):
• IFAC established the IESBA Code to develop ethical principles for accountants.
• The Code is divided into 4 parts:
1. Part 1 introduces and describes the fundamental principles and conceptual
framework
2. Part 2 applies to professional accountants in business.
3. Part 3 applies to professional accountants in public practice.
4. Part 4 covers independence standards for:
a. 4A audits and review engagements
b. 4B other assurance and non-assurance engagements.
Fundamental Principles (The Code, s.110) (p.12):
• The Code begins by establishing the fundamental principles of professional conduct and
outlining the requirements and application of the conceptual framework to identify,
evaluate and address the threats to compliance with the fundamental principles.
• The fundamental principles according to APES 110 are integrity, objectivity, professional
competences and due care, confidentiality and professional behaviour
Integrity:
, • The principle of integrity imposes an obligation on professional accountants to be
straightforward and honest (the Code, para. R111.1).
Objectivity:
• Accountants, and in particular auditors, may be exposed to numerous situations that could
reduce objectivity in their professional judgments.
• Therefore, they have a duty to avoid relationships or situations that allow prejudice, bias,
conflict of interest or the undue influence of others, which might compromise their
professional and business judgments (the Code, para. R112.1).
Professional Competence and Due Care:
• The principle of professional competence and due care (the Code, para. R113.1) is an
obligation that has 2 distinct parts:
1. Attaining and maintaining professional knowledge and skills necessary to provide
competent professional service to the client.
2. To act ‘diligently and in accordance with applicable technical and professional
standards’ (the Code, para. R113.1(b)).
• This obligation requires continuing awareness of relevant technical, professional and
business developments, which can be obtained through continuing professional
development (the Code, para. 113.1 A2).
• The Code explains that ‘diligence encompasses the responsibility to act in accordance with
the requirements of an assignment, carefully, thoroughly and on a timely basis’ (the Code,
para. 113.1 A3).
Confidentiality
• A professional accountant must respect the confidentiality of information acquired as a
result of professional and business relationships.
• They must not:
o Use the information for the personal advantage of themselves or third parties
o Disclose any such information to third parties without proper and specific authority,
unless there are responsibilities under law, regulation or relevant ethical
requirements to disclose (the Code, para. R114.1)
• Circumstances where disclosure of confidential information may be required or appropriate
(the Code, para. 114.1 A1) include:
a. Disclosure is required by law, for example:
i. Production of documents or other provision of evidence in the course of
legal proceedings; or
ii. Disclosure to the appropriate public authorities of infringements of the law
that come to light;
b. Disclosure is permitted by law and is authorized by the client or the employing
organization;
c. There is a professional duty or right to disclose, when not prohibited by law:
i. To comply with the quality review of a professional body;
ii. To respond to an inquiry or investigation by a professional or regulatory
body;
iii. To protect the professional interests of a professional accountant in legal
proceedings; or
iii. To comply with technical and professional standards, including ethics
requirements (the Code, para. 114.1 A1).
Professional Behaviour
, • An accountant must demonstrate professional behaviour by complying with relevant laws
and regulations and avoid conduct that discredits the profession (the Code, para. R115.1)
• E.g. Not comparing the quality of their audit work with other accountants in the area
Threats and Safeguards
• Using the conceptual framework approach recommended by the Code, members must
identify any threats to compliance with the fundamental principles, evaluate those threats
and address threats to compliance with the fundamental principles in section 110.
• Where the threats are significant, members must apply safeguards to eliminate them or
reduce them to an acceptable level (i.e. so that compliance with the fundamental principles
is no longer compromised).
• If members cannot implement appropriate safeguards, they must either decline the specific
professional service, or consider resigning from the client or employer.
• Compliance with fundamental ethical principles can be jeopardised by a range of threats:
o Self-interest threat may occur as a result of the financial or other interests of a
professional accountant
o Self-review threat may occur when the assurance team needs to form an opinion on
their work or work performed by others in their firm.
o Advocacy may occur when an auditor is asked to promote or represent their client in
some particular way (E.g. When a client asks the auditor to promote their shares on
the stock exchange, argue their client’s position on a proposed accounting
disclosure or represent them in a court case) The auditor’s objectivity may be
impaired. Further, the auditor’s independence of mind and in appearance could be
compromised.
o Familiarity may occur when, because of a long or close relationship with a client, a
professional accountant becomes too sympathetic to their interests or too accepting
of their work (E.g. The wife of the audit partner is the CEO of the client)
o Intimidation may occur when a professional accountant is deterred from acting
objectively because of actual or perceived threats (the Code, para. 120.6 A3).
• Many of the safeguards that eliminate or reduce threats may be created by the:
o The profession, legislation or regulation:
Þ The issue of quality standards, member education, establishment of a code
of ethics, and the enactment of legislation such as the Corporations Act and
the ASIC Act.
o In the work environment of the assurance client:
Þ When the client’s management appoints the auditor, people other than
management ratifying or approving the appointment
Þ The client having competent employees to make managerial decisions
Þ Policies and procedures emphasising the client’s commitment to fair
financial reporting
Þ Internal procedures ensuring objective choices in commissioning non-audit
work
Þ Strong corporate governance, including an effective audit committee.
o In the work environment of the audit firm:
Þ Systems and procedures to ensure compliance with ethical standards (e.g.
rules on share ownership, relationship with clients, client acceptance
procedures)
Þ Partner rotation policies to enhance audit partner independence
Þ Peer review policies to provide other partners with feedback
, • In exercising judgment on the significance of threats and safeguards, accountants must
consider what a reasonable and informed 3rd party would likely conclude on whether
compliance with the fundamental principles has been compromised.
Professional Accountants in Public Practice
• Part 3 of the Code, ‘Professional accountants in public practice’, provides guidance on
applying the conceptual framework from Part 1.
Conflicts of Interest
• ‘A conflict of interest creates threats to compliance with the principle of objectivity and
create threats to compliance with other fundamental principles’ (the Code, para. 310.2).
• Such threats may be created, for example, when the interests of the client and the
professional accountant conflict or when a professional accountant in public practice
performs services for 2 or more clients whose interests are in conflict.
• In these circumstances, it is the responsibility of the professional accountant to notify the
relevant parties that they are acting for two or more parties whose respective interests are
in conflict and obtain their consent to so act.
• Safeguards to address threats created by a conflict of interest include:
1. Having separate engagement teams who are provided with clear policies and
procedures on maintaining confidentiality.
2. Having an appropriate reviewer, who is not involved in providing the service or
otherwise affected by the conflict, review the work performed to assess whether the
key judgments and conclusions are appropriate (the Code, para. 310.8 A3).
Professional Appointments
• Before accepting a new client, a professional accountant must determine whether
acceptance would create any threats to compliance with the fundamental principles.
o A threat to integrity or professional behaviour may be created from behaviours of
the ‘client (its owners, management or activities)’, such as ‘illegal activities,
dishonesty, questionable financial reporting practices or unethical behaviour’ (the
Code, para. 320.3 A1). The professional accountant can safeguard against this threat
by obtaining knowledge and understanding of the client or securing the client’s
commitment to address the questionable behaviours.
o A threat to professional competence and due care arises if the engagement team
does not possess the competencies necessary to properly carry out the engagement.
In these circumstances, an obvious safeguard would be for the practitioner to
acquire knowledge of the relevant industry and its regulatory requirements.
• In Australia, there are additional requirements that apply to the appointment of auditors
(E.g. If the auditor has been an officer or audit-critical employee of the proposed client
within the 12 months immediately before the proposed audit period, accepting an
appointment is not permitted (Corporations Act, s. 324))
• In respect of a change of auditor, an accountant who is asked to replace an existing auditor
will generally need to obtain the prospective client’s permission to communicate with the
existing auditor.
• If permission is not granted, the accountant must take reasonable steps to obtain
information by other means about the circumstances of the change of appointment and any
possible threats (E.g. Enquiries of 3rd parties or background investigations of senior
management or those charged with governance of the prospective client) (the Code, paras
320.4–320.5 A1).
Second Opinions
, • An intimidation threat which compromises objectivity arises when a client succeeds in
obtaining a 2nd opinion favourable to their position (E.g. An opinion on the use of particular
accounting policies) and uses this to apply pressure on the existing accountant.
• Safeguards include the accountant who is asked to provide the 2nd opinion seeking client
permission to contact the existing accountant, as well as providing the existing accountant
with a copy of the second opinion (the Code, para. 321.3 A3).
Fees and Other Types of Remuneration
• Even though auditors, may quote whatever fee they consider as appropriate, quoting fees
that are too low may make it difficult for the auditor to perform the assurance engagement
in accordance with the applicable technical and professional standards which will impact the
principle of professional competence and due care.
• Safeguards to address this type of self-interest threat include:
o Adjusting the level of fees or the scope of the engagement
o Having an appropriate reviewer review the work (the Code, para. 330.3 A4).
• Having an appropriate reviewer review the work performed or obtaining a written
agreement with the client on the basis of remuneration prior to commencement of work
may address such self-interest risks (the Code, para. 330.4 A3).
• A self-interest threat ‘with the principles of objectivity and professional competence and
due care is created if a professional accountant pays or receives a referral fee or commission
relating to a client’ (the Code, para. 330.5 A1).
• Such self-interest threats can be addressed by having the client outline commission
arrangements prior to commencing work or ‘disclosing to clients any referral fees or
commission arrangements’ with other professional accountants (the Code, para. 330.5 A2).
Inducements — Gifts and Hospitality
• Professional accountants may find themselves in situations where they, or their immediate
or close family members, are offered inducements to influence their behaviour, such as gifts,
hospitality, entertainment, political or charitable donations, appeals to friendship and
loyalty, employment or other commercial opportunities or preferential treatment, rights or
privileges (the Code, para. 340.4 A1).
• Offers of inducements may create self-interest, familiarity or intimidation threats to the
principles of integrity, objectivity or professional behaviour (the Code, para. 340.2).
Custody of Client Assets
• A professional accountant should not take ‘custody of client money or other assets unless
permitted to do so by law’ because doing so may create a self-interest threat to the
principles of professional behaviour and objectivity and check whether the assets as they
may be derived from illegal activities such as money laundering. (the Code, para. R350.3).
• After taking custody of client money or other assets, a professional accountant must comply
with the relevant laws and regulations, keep the assets separate from personal or firm
assets, use them only for the intended purpose and be ready to account for them at all times
(the Code, para. R350.5).
Responding to Non-Compliance with Laws and Regulations (NOCLAR)
• The Code incorporates the IESBA’s standard, Responding to Non-Compliance with Laws and
Regulations (NOCLAR), which sets out an approach to guide professional accountants who
encounter or become aware of a potential NOCLAR committed by a client (the Code, s. 360).
• If they encounter, or are made aware of NOCLAR, their objectives are:
a. To comply with the principles of integrity and professional behaviour
, b. By alerting management or, where appropriate, those charged with governance of
the client, to seek to:
i. Enable them to rectify, remediate or mitigate the consequences of identified
or suspected non- compliance; or
ii. Deter the commission of the non-compliance where it has not yet occurred;
and
c. To take such further action as appropriate in the public interest (the Code, para.
360.4).
Independence
• The definition of independence in the Code stresses that the accountant must be
independent both of mind and in appearance (refer also Glossary, APES 110)
• To be independent, the accountant must act with integrity, and exercise objectivity,
professional judgment and professional scepticism.
• Therefore, the greater the independence of the auditor, the greater the quality of the
assurance that they can provide on the audit
• In addition, the accountant must remain alert for new information, changes in facts and
circumstances and avoid circumstances that a reasonable and informed 3rd party might
think indicate that a member’s integrity, objectivity or professional scepticism has been
compromised.
• As a result, the Code establishes a conceptual framework that requires a member to
identify, evaluate and address threats to compliance with the fundamental principles (the
Code, para. 120.2).
• One of the major features of the Code is the independence requirements in relation to long
association of personnel with an audit client, in particular the audit partner rotation
requirements (the Code, s.540).
• Under the Corporations Act, ASIC has responsibility for the surveillance, investigation and
enforcement of auditor independence.
Quality Management Standards (p.18):
• The Framework outlines ISQC 1 Quality Control for Firms that Perform Audits and Reviews of
Financial Statements, and Other Assurance and Related Services Engagements establishes
basic principles and essential procedures for firms to establish and maintain a system of QC
for assurance engagements.
• Whereas an auditing standard ISA 220 Quality Control for an Audit of Financial Statements
discusses specific engagement matters.
• Quality management is being addressed to:
o More proactively manage quality to address stakeholder expectations and concerns
o Improve the scalability of the standards
o Modernise the standards and keep them fit for purpose.
Elements of Quality Control (p.19):
• There are 6 areas where firms should have QC policies in place:
1. Leadership responsibilities for quality within the firm
2. Relevant ethical requirements
3. Acceptance and continuance of client relationships and specific engagements
4. Human resources
5. Engagement performance:
a) Engagement support materials
b) Supervision and review
c) Consultation
, d) An engagement QC review
6. Monitoring (ISCQ 1, para. 16)
1. Leadership Responsibility (Read ISQC 1, para 18-19 and A4-A6)
• Leadership culture underpins all other elements of QC, so it is important for a firm to have a
strong QC culture established by the leadership of the firm and the examples it sets.
• Operational responsibility for the firm’s QC system must rest with a person with appropriate
experience and ability, as well as the necessary authority which will be one of the senior
partners.
• An assurance firm should develop, document and implement appropriate QC procedures
and a formal code of conduct.
• This means that the work done in an QC assurance engagement cannot be limited by the
budget or by the fee, but must be determined by the assessed risk and the procedures
thought necessary to address that risk.
2. Ethical Requirements (Read ISQC 1, para 20-25)
• The assurance firm should develop, document and implement policies and procedures to
guide and reinforce ethical behaviour.
• These include independence policies describing permitted and prohibited behaviour
reflecting the advice in the Code, and independence consultations that allow staff and
partners to refer independence threats to relevant partners so timely action can be taken.
• Systems that support ethical behaviour include databases to match staff disclosures with a
prohibited securities list, and tracking the firm’s management of the auditor rotation
requirements of the Corporations Act.
• In ISA 220, the engagement partner shall consider whether members of the engagement
team have complied with relevant ethical requirements relating to audit engagements and
must remain alert for evidence of non-compliance with the ethical requirements relating to
the audit engagement.
• With respect to independence, it is mandatory that the engagement partner:
a. Obtain relevant information from the firm and, where applicable, network firms, to
identify and evaluate circumstances and relationships that create threats to
independence;
b. Evaluate information on identified breaches, if any, of the firm’s independence
policies and procedures to determine whether they create a threat to independence
for the audit engagement; and
c. Take appropriate action to eliminate such threats or reduce them to an acceptable
level by applying safeguards ... The engagement partner shall promptly report to the
firm any inability to resolve the matter for appropriate action (ISA 220, para. 11).
• Non-compliance can be at the firm level looked after by senior partners (E.g. the control
system to monitor employee ownership of shares in listed companies is not adequate) or at
the individual client level looked after by more junior partners (E.g. the audit manager and
the CFO are related).
