Which aspects should the auditor's understanding of the entity and its environment cover?
(INCORPORATING ISA 200, 315, 330 and 402)
# 7.1 Risk Assessment
The engagement team should obtain an understanding of the entity and its environment, including its internal controls, sufficient to identify and assess the risk of material misstatement of the financial statements, whether due to fraud or error, and sufficient to design and perform further audit procedures. The audit procedures used to obtain an understanding of the entity and its environment, including its internal controls, are referred to as risk assessment procedures, as some of the information obtained by performing such procedures may be used by the engagement team as audit evidence to support the assessment of the risks of material misstatement. The extent of the understanding required is a matter of professional judgement, and is based primarily on whether it is sufficient to assess the risk of material misstatement of the financial statements and to design and perform further audit procedures. The level of understanding required is, however, less than that required by management in managing the entity. In addition, in performing risk assessment procedures, the engagement team may obtain audit evidence about classes of transactions, account balances, or disclosures and assertions, and about the operating effectiveness of controls, even though such audit procedures were not specifically planned as substantive procedures or tests of controls. The engagement team may choose to perform substantive procedures or tests of controls concurrently with risk assessment procedures because it is efficient to do so.

# 7.2 Audit Risk and Reasonable Assurance
In conducting an audit, the engagement team obtains reasonable assurance that the financial statements taken as a whole are free from material misstatement, whether due to fraud or error.
Reasonable assurance relates to the whole audit process, and is a concept relating to the accumulation of audit evidence necessary for the engagement team to conclude that there are no material misstatements in the financial statements taken as a whole. In the conduct of an audit, one cannot obtain absolute assurance because of inherent limitations in the audit process due to the following factors:
Based on the above, an audit is not a guarantee that the financial statements are free from material misstatement, because absolute assurance is not attainable. In addition, an audit opinion does not assure the future viability of the entity nor the efficiency or effectiveness with which management has conducted the affairs of the entity. Audit risk is the risk that the engagement team expresses an inappropriate audit opinion when the financial statements are materially misstated. This definition does not include the risk that the engagement team may erroneously express an opinion that the financial statements are materially misstated. The engagement team reduces audit risk by designing and performing audit procedures to obtain sufficient appropriate audit evidence to draw reasonable conclusions on which to base the audit opinion. Reasonable assurance is obtained when the audit risk is reduced to an acceptably low level. Audit risk is a function of the risk that the financial statements are materially misstated prior to the audit (the risk of material misstatement, made up of inherent risk and control risk) and the risk that the engagement team will not detect such misstatements (detection risk). Inherent risk is the susceptibility of an assertion (representations by management, explicit or otherwise, that are embodied in the financial statements) to a material misstatement if there were no internal controls. The assessment of inherent risk is a judgemental process. Appendix I: Inherent Risk Considerations provides a list of factors that the engagement team may consider when assessing inherent risk. Control risk is the risk that a material misstatement that could occur in an assertion will not be prevented, or detected and corrected, on a timely basis by the entity's accounting and internal control systems. Control risk can only be assessed as low if the controls have been tested.
Detection risk is the risk that the engagement team's procedures will not detect a material misstatement that exists in an assertion. A component of detection risk is analytical risk, which is the risk that analytical procedures, used as substantive procedures, will fail to detect a material misstatement. Analytical risk is covered in detail in Section 14.7 of the Manual. Whether or not the risk assessment is quantified, the engagement team has to assess how the estimated levels of risk affect the testing to be carried out:
The inverse relationship between inherent risk on the one hand and control and detection risks (including analytical risk as a component of detection risk) on the other, which must be maintained in order to achieve an acceptably low level of audit risk, is shown below. In the conduct of an audit in accordance with ISAs, and to obtain sufficient and reliable audit evidence to enable the engagement team to draw reasonable conclusions on which to base the audit opinion, the engagement team undertakes the following steps:
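The inverse relationship described above can be worked through numerically. The following script is an added illustration, not part of the manual; it uses the multiplicative form of the audit risk model (AR = IR x CR x DR) that ISA 200 describes. The numeric values assigned to "low", "medium" and "high", the thresholds for the extent of substantive testing, and the function names are constructed for this example and are not prescribed by any ISA. It also enforces the manual's rule that control risk can only be assessed as low if the controls have been tested.

```python
"""Audit risk model: how the tolerable detection risk falls as the assessed
risk of material misstatement rises. Added illustration, not the manual's own
table; the numbers below are constructed for the example."""

# Constructed mapping from a qualitative assessment to a numeric risk level.
RISK_LEVELS = {"low": 0.25, "medium": 0.5, "high": 1.0}


def required_detection_risk(target_audit_risk, inherent_risk, control_risk):
    """Return the detection risk (0..1) the engagement team can tolerate so that
    inherent_risk * control_risk * detection_risk does not exceed the target.

    A lower result means further audit procedures must be more extensive: this
    is the inverse relationship between the risk of material misstatement and
    detection risk.
    """
    if not 0 < target_audit_risk <= 1:
        raise ValueError("target audit risk must be in (0, 1]")
    risk_of_material_misstatement = inherent_risk * control_risk
    # Detection risk cannot exceed 1.0 (doing no substantive work at all).
    return min(1.0, target_audit_risk / risk_of_material_misstatement)


def substantive_testing_extent(detection_risk):
    """Map the tolerable detection risk to an extent of substantive testing.
    The thresholds are constructed for the example."""
    if detection_risk <= 0.10:
        return "extensive"
    if detection_risk <= 0.30:
        return "moderate"
    return "limited"


def plan_response(target_audit_risk, inherent, control, controls_tested):
    """Combine the assessments into a planning decision.

    Without tests of controls the team takes no credit for controls, so control
    risk is set to high (1.0) regardless of the preliminary assessment.
    """
    inherent_risk = RISK_LEVELS[inherent]
    control_risk = RISK_LEVELS[control] if controls_tested else RISK_LEVELS["high"]
    detection_risk = required_detection_risk(target_audit_risk, inherent_risk, control_risk)
    return {
        "inherent_risk": inherent_risk,
        "control_risk": control_risk,
        "detection_risk": round(detection_risk, 4),
        "substantive_testing": substantive_testing_extent(detection_risk),
    }


if __name__ == "__main__":
    # Scenarios at a 5% target audit risk: as inherent and control risk fall,
    # the tolerable detection risk rises and less substantive work is needed.
    scenarios = [("high", "high", False), ("high", "low", True),
                 ("low", "low", True), ("low", "low", False)]
    for inherent, control, tested in scenarios:
        print(inherent, control, "tested" if tested else "untested",
              plan_response(0.05, inherent, control, tested))
```

The last scenario shows the point the manual makes about control risk: a preliminary "low" control risk assessment that is not backed by tests of controls gives the same detection risk as a "high" assessment.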
# 7.3 Risk Assessment Procedures at the Planning Stage
ISA 315 requires the engagement team to identify and assess the risk of misstatement at the financial statement level, and at the assertion level for classes of transactions, account balances, and disclosures. Obtaining an understanding of the entity and its environment establishes a frame of reference within which the engagement team plans the audit and exercises professional judgement about assessing risks of material misstatement and responding to those risks throughout the audit. The engagement team is also required to assess the risks of material misstatement due to fraud. This is covered in Section 8 of the Manual. The engagement team at the planning stage should summarise the key risks attaching to the entity and factors that may minimise or eliminate those risks. The engagement team usually obtains an understanding of the entity and its environment, including internal control, through:
The table below summarises the type of information that could be obtained from inquiry:
Information Obtained in Prior Periods

Where the engagement team intends to use information obtained in prior periods, the team should determine whether changes have occurred that may affect the relevance of such information in the current audit, e.g. changes in the entity or its environment may render such information irrelevant. They should also make inquiry or perform other audit procedures such as walk-through tests to determine whether changes have occurred that may affect the relevance of such information.

Discussions Amongst the Engagement Team

The engagement team should discuss the susceptibility of the entity's financial statements to material misstatement to gain a better understanding of the potential misstatements arising from fraud or error in the specific area assigned to them, and to understand how the results of the audit procedures they perform may affect other aspects of the audit, including the decisions about the nature, timing and extent of further audit procedures. Ordinarily only the key members of the engagement team are involved in the discussion. In certain cases it may be necessary to involve experts, including professionals possessing specialist information technology or other skills required by the engagement team. The extent of the discussion is influenced by the roles, experience and information needs of the engagement team. In the case of very small partner-led audits, such discussions may not be necessary, as the partner will usually lead the team in the field.

Understanding the Entity and its Environment, Including its Internal Controls

The engagement team should obtain an understanding of the following:
Appendix II: Factors to Consider in Understanding the Entity and its Environment provides overall guidance on matters that one may consider in understanding the nature of the entity, the industry and the regulatory environment in which the entity operates, the objectives and strategies and related business risks of the entity, and the measurement and review of the entity's financial performance. Appendix III: Conditions and Events that may Indicate Risk of Material Misstatement provides guidance on potential indicators of material risk.

Assessing the Risk of Material Misstatement

The engagement team uses information gathered by performing risk assessment procedures, including the audit evidence obtained in evaluating the design of controls and determining whether they have been implemented, as audit evidence to support the risk assessment. The team uses the risk assessment to determine the nature, timing, and extent of further audit procedures to be performed. In making risk assessments, the engagement team may identify the controls that are likely to prevent, or detect and correct, material misstatement in specific assertions. Generally, the team gains an understanding of controls and relates them to assertions in the context of the processes and systems in which they exist. Doing so is useful because individual control activities often do not in themselves address a risk. Often only multiple control activities, together with other elements of internal control, will be sufficient to address a risk.

Significant Risks

As part of the risk assessment, the engagement team should determine which of the risks identified require special audit consideration. Such risks are defined as "significant risks". The determination of significant risks, which arise on most audits, is a matter for the engagement team's professional judgement. Significant risks often relate to non-routine transactions and judgemental matters.
Non-routine transactions are transactions that are unusual, either due to their size or nature, and therefore occur infrequently. In exercising this judgement, the engagement team excludes the effect of identified controls related to the risk to determine whether the nature of the risk, the likely magnitude of the potential misstatement including the possibility that the risk may give rise to multiple misstatements, and the likelihood of the risk occurring are such that they require special audit consideration. Routine, non-complex transactions that are subject to systematic processing are less likely to give rise to significant risks because they have lower inherent risks. On the other hand, significant risks are often derived from business risks that may result in a material misstatement. In considering the nature of the risks, the engagement team considers a number of matters, including the following:
For significant risks, the engagement team should evaluate the design of the entity's related controls, including relevant control activities, and determine whether they have been implemented. An understanding of the entity's controls related to significant risks is required to provide the team with adequate information to develop an effective audit approach. Management ought to be aware of significant risks; however, risks relating to significant non-routine or judgemental matters are often less likely to be subject to routine controls. Therefore, the team establishes whether the entity has designed and implemented controls for such significant risks.

Revision of Risk Assessment

The engagement team's assessment of the risks of material misstatement may change during the course of the audit as additional audit evidence is obtained. In particular, the risk assessment may be based on an expectation that controls are operating effectively. In performing tests of controls to obtain audit evidence about their operating effectiveness, the team may obtain audit evidence that controls are not operating effectively at relevant times during the audit. Similarly, in performing substantive procedures the team may detect misstatements in amounts or frequency greater than is consistent with their risk assessments. In circumstances where the engagement team obtains audit evidence from performing further audit procedures that tends to contradict the audit evidence on which the team originally based the assessment, the team should revise the assessment and modify the further planned audit procedures accordingly.

# 7.4 Internal Control
Internal control is the process designed and effected by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of the entity's objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.
Internal control consists of the following components:
The division of internal control into five components provides a useful framework for the engagement team to consider how different aspects of the entity's internal control may affect the audit. The engagement team's primary concern is whether, and how, a specific control prevents, or detects and corrects material misstatements in classes of transactions, account balances, or disclosures, and their related assertions. It also enables an engagement team to:
Appendix IV: Internal Control Components sets out detailed discussions of the internal control components as they relate to an audit of the financial statements.

# 7.4.1 Controls Relevant to an Audit
The entity's controls relate to financial reporting, operations and compliance controls. However, not all the controls are relevant to the engagement team's risk assessment. ISA 315 requires the team to evaluate, for significant risks, the design of the entity's related controls including relevant control activities, and determine whether they have been implemented. The engagement team should consider whether the control, individually or in combination with other controls, is capable of effectively preventing, or detecting and correcting, material misstatement. It also requires the engagement team to identify areas where controls cannot possibly or practicably reduce the risks of material misstatement at the assertion level to an acceptably low level, with the engagement team having to rely on substantive procedures to obtain the necessary audit evidence. Usually the controls relevant to an audit are those relating to the entity's objective of preparing financial statements for external purposes that give a true and fair view in accordance with the applicable financial reporting framework, and the management of risk that may give rise to a material misstatement. Of great importance will be boundary controls, which are controls designed to ensure that all exchanges with third parties are properly recorded; they provide assurance on the completeness and accuracy of the initial recording of transactions and guard against the possibility that transactions are not recorded at all or are duplicated.
The controls over completeness and accuracy of information may be relevant if the engagement team intends to make use of the information in designing and performing further audit procedures, while controls over safeguarding of assets against unauthorised acquisition, use or disposal may be relevant in relation to financial reporting. Controls relating to operations and compliance may only be relevant if they pertain to the data the engagement team evaluates and uses in applying audit procedures. Examples of such controls could include statistical data on production, which the engagement team plans to use in analytical procedures, or controls designed to detect non-compliance with laws and regulations, including tax legislation, which may have a material effect on the financial statements. The following are some of the types of control the engagement team may need to evaluate:

- Management controls
- Safeguarding of assets
- Segregation of duties
- Application controls. A review of application controls should start either with the transaction or the originating document; the identification of detailed controls will often not be straightforward.
- Maintenance controls
- General IT controls
# 7.4.2 The Depth of Understanding
Obtaining an understanding of an entity's controls is not sufficient to serve as a test of the operating effectiveness of controls, unless there is some automation that provides for the consistent application of the control. For example, obtaining audit evidence about the implementation of a manually operated control at a point in time does not provide audit evidence about the operating effectiveness of the control at other times during the period under audit. However, IT enables an entity to process large volumes of data consistently and enhances the entity's ability to monitor the performance of control activities and to achieve effective segregation of duties by implementing security controls in applications, databases, and operating systems. Therefore, because of the inherent consistency of IT processing, performing audit procedures to determine whether an automated control has been implemented may serve as a test of that control's operating effectiveness, depending on the engagement team's assessment and testing of controls such as those over program changes.

# 7.4.3 Manual Versus Automated Controls
The extent and nature of the risks of internal control vary depending on the nature and characteristics of the entity's information system. Therefore, in understanding internal control, the engagement team considers whether the entity has responded adequately to the risks arising from the use of IT or manual systems by establishing effective controls. An entity may use a combination of manual and automated controls. The use of manual or automated elements in internal control affects the manner in which transactions are initiated, recorded, processed, and reported. Controls in a manual system may include such procedures as approvals and reviews of activities, and reconciliations and follow-up of reconciling items.
Automated procedures to initiate, record, process, and report transactions make use of electronic formats which replace such paper documents as purchase orders, invoices, shipping documents, and related accounting records. Controls in IT systems consist of a combination of automated controls (i.e. those controls embedded in computer programs) and manual controls. Further, manual controls may be independent of IT, may use information produced by IT, or may be limited to monitoring the effective functioning of IT and of automated controls, and to handling exceptions. When IT is used to initiate, record, process or report transactions, or other financial data for inclusion in financial statements, the systems and programs may include controls related to the corresponding assertions for material accounts or may be critical to the effective functioning of manual controls that depend on IT. An entity's mix of manual and automated controls varies with the nature and complexity of the entity's use of IT. Automated controls provide potential benefits of effectiveness and efficiency for an entity's internal control because they enable an entity to:
Automated controls, however, pose specific risks to an entity's internal control, which include the following:
Manual controls are performed by people, and therefore pose specific risks to the entity's internal control. Manual controls may be less reliable than automated controls because they can be more easily bypassed, ignored, or overridden and they are also more prone to simple errors and mistakes. Consistency of application of a manual control element cannot therefore be assumed. Manual aspects of systems may be more suitable where judgement and discretion are required such as for the following circumstances:
Manual controls may be less suitable for the following:
# 7.4.4 Limitations of Internal Control
Internal control, no matter how well designed and operated, can provide an entity with only reasonable assurance about achieving the entity's financial reporting objectives. The likelihood of achievement is affected by limitations inherent to internal control due to human failures, simple errors or mistakes. Additionally, controls can be circumvented by the collusion of two or more people or by inappropriate management override of internal control. Small entities often have fewer employees, which may limit the extent to which segregation of duties is practicable. However, for key areas, even in a very small entity, it can be practicable to implement some degree of segregation of duties or other forms of unsophisticated but effective controls. The potential for override of controls by the owner-manager depends to a great extent on the control environment and, in particular, the owner-manager's attitude to the importance of internal control.

# 7.4.5 Control Environment
ISA 315 requires the engagement team to obtain an understanding of the control environment. The control environment includes the governance and management functions and the attitudes, awareness, and actions of those charged with governance and management concerning the entity's internal control and its importance in the entity. The control environment is the foundation for effective internal control, providing discipline and structure by setting the tone at the top and influencing the control consciousness of the entity's personnel. The engagement team is required to understand how management and those charged with governance have created and maintained a culture of honesty and ethical behaviour, and established appropriate controls to prevent and detect fraud within the entity. Appendix IV Part A sets out the elements that should be incorporated in the entity's control environment.
The engagement team also considers matters such as the independence of the directors and their ability to evaluate the actions of management. The engagement team also considers whether there is an audit committee which understands the entity's business transactions and evaluates whether the financial statements give a true and fair view. The control environment in itself does not prevent, or detect and correct, a material misstatement in classes of transactions, account balances, and disclosures and related assertions, and the engagement team should consider the control environment along with the effects of other internal control components when assessing the risk of material misstatement.

# 7.4.6 The Entity's Risk Assessment Process
ISA 315 requires the engagement team to obtain an understanding of the entity's process for identifying the business risks relevant to financial reporting objectives, and deciding about actions to address those risks and the results thereof. In evaluating the design and implementation of the entity's risk assessment process, the engagement team determines how management identifies the business risks relevant to financial reporting, estimates the significance of the risks, assesses the likelihood of their occurrence and decides upon actions to manage them. Appendix IV Part B provides additional guidance on what the engagement team should consider in evaluating the entity's risk assessment procedures.

# 7.4.7 Information System, Including the Related Business Processes, Relevant to Financial Reporting, and Communication
The information system relevant to financial reporting objectives, which includes the accounting system, consists of the procedures and records established to initiate, record, process, and report entity transactions and to maintain accountability for the related assets, liabilities, and equity.
ISA 315 requires the engagement team to obtain an understanding of the information system, including the related processes, relevant to financial reporting, including the following areas:
The engagement team should also understand how the entity communicates financial reporting roles and responsibilities and significant matters relating to financial reporting.

Information transfer

In obtaining this understanding, the engagement team considers the procedures used to transfer information from transaction processing systems to the general ledger or financial reporting systems. The engagement team also understands the entity's procedures to capture information relevant to financial reporting for events and conditions other than transactions, such as the depreciation and amortisation of assets and changes in the recoverability of accounts receivable. When IT is used to transfer information automatically, there may be little or no visible evidence of such intervention in the information systems.

Processing of transactions

The engagement team also understands how incorrect processing of transactions is resolved, e.g. whether there is an automated suspense file and how it is used by the entity to ensure that suspense items are cleared on a timely basis, and how system overrides or bypasses of controls are processed and accounted for. The engagement team also obtains an understanding of the entity's information system relevant to financial reporting in a manner that is appropriate to the entity's circumstances. This includes an understanding of how transactions originate within the entity's business processes. An entity's business processes are the activities designed to develop, purchase, produce, sell and distribute an entity's products and services, ensure compliance with laws and regulations, and record information, including accounting and financial reporting information.
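Where an automated interface passes subledger batches to the general ledger with little visible evidence, the engagement team can obtain its own evidence by re-performing the transfer reconciliation. The script below is an added illustration and not the manual's own procedure. All data in it is constructed: four daily sales batches in a subledger that an interface is supposed to post to the ledger, and the postings actually found there. The names of the source tags, users and functions are assumptions for the example. It flags the situations the text describes: an amount changed between subledger and ledger, a batch keyed manually instead of through the interface, a non-standard entry with no subledger support, a batch never transferred, and a duplicated posting.

```python
"""Reconcile an automated subledger-to-general-ledger transfer and flag
exceptions. Added illustration; all data below is constructed."""

# Constructed subledger: batch reference -> total the interface should post.
SUBLEDGER_BATCHES = {
    "SLS-0001": 12500.00,
    "SLS-0002": 8300.00,
    "SLS-0003": 4100.00,
    "SLS-0004": 900.00,
}

# Constructed general ledger postings to the sales account. "source" records
# whether the entry arrived via the automated interface or was keyed manually.
GL_POSTINGS = [
    {"id": "JE-101", "source": "INTERFACE", "ref": "SLS-0001", "amount": 12500.00, "user": "sysint"},
    {"id": "JE-102", "source": "INTERFACE", "ref": "SLS-0002", "amount": 8800.00, "user": "sysint"},
    {"id": "JE-103", "source": "MANUAL", "ref": "SLS-0003", "amount": 4100.00, "user": "jdoe"},
    {"id": "JE-104", "source": "MANUAL", "ref": "ADJ-17", "amount": 2500.00, "user": "cfo"},
    {"id": "JE-105", "source": "INTERFACE", "ref": "SLS-0001", "amount": 12500.00, "user": "sysint"},
]


def review_transfer(subledger, postings, tolerance=0.005):
    """Return the exceptions found and the net difference between what the
    ledger shows for the subledger batches and what the subledger holds.

    Each finding is a (reference, category) pair so the result can be filed
    as a list of items to follow up with the entity.
    """
    findings = []
    seen = set()
    for p in postings:
        ref = p["ref"]
        if ref not in subledger:
            # No supporting subledger batch: a non-standard entry that needs its
            # own support and a review of who posted it and why.
            findings.append((p["id"], "non_standard_entry"))
            continue
        if ref in seen:
            # The same batch reached the ledger twice (a boundary control failure).
            findings.append((p["id"], "duplicate_transfer"))
        seen.add(ref)
        if p["source"] != "INTERFACE":
            # Batch was keyed manually, bypassing the automated interface.
            findings.append((p["id"], "interface_bypassed"))
        if abs(p["amount"] - subledger[ref]) > tolerance:
            # The amount passed to the ledger no longer agrees with the subledger.
            findings.append((p["id"], "amount_changed_in_transfer"))
    for ref in subledger:
        if ref not in seen:
            # Completeness: a batch that never reached the ledger.
            findings.append((ref, "batch_not_transferred"))
    posted = sum(p["amount"] for p in postings if p["ref"] in subledger)
    difference = round(posted - sum(subledger.values()), 2)
    return {"findings": findings, "difference": difference}


if __name__ == "__main__":
    result = review_transfer(SUBLEDGER_BATCHES, GL_POSTINGS)
    for ref, category in result["findings"]:
        print(f"{ref}: {category}")
    print("net difference ledger vs subledger:", result["difference"])
```

On real data the subledger and ledger extracts would be read from the entity's systems rather than embedded, but the checks are the same; a clean run returns no findings and a zero difference, which is the evidence that the automated transfer operated completely and accurately for the period tested.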
Journal entries

An entity's information system typically includes the use of standard journal entries that are required on a recurring basis to record transactions such as sales, purchases, and cash disbursements in the general ledger, or to record accounting estimates that are periodically made by management, such as changes in the estimate of uncollectible accounts receivable. An entity's financial reporting process also includes the use of non-standard journal entries to record non-recurring, unusual transactions or adjustments; such entries include consolidating adjustments and entries for a business combination or disposal, or non-recurring estimates such as an asset impairment. In manual, paper-based general ledger systems, non-standard journal entries may be identified through inspection of ledgers, journals, and supporting documentation. However, when automated procedures are used to maintain the general ledger and prepare financial statements, such entries may exist only in electronic form and may be more easily identified through the use of computer-assisted audit techniques. In obtaining the understanding of the journal entries, the engagement team considers risks of material misstatement associated with inappropriate override of controls over journal entries and the controls surrounding non-standard journal entries. For example, automated processes and controls may reduce the risk of inadvertent error but do not overcome the risk that individuals may inappropriately override such automated processes, for example by changing the amounts being automatically passed to the general ledger or financial reporting system. Appendix IV Part C provides additional considerations in an IT environment.

# 7.4.8 Control Activities
ISA 315 requires the engagement team to obtain a sufficient understanding of control activities to assess the risks of material misstatement at the assertion level and to design audit procedures responsive to the assessed risks.
Appendix IV Part D provides examples of specific control activities. In obtaining an understanding of control activities, the engagement team's primary consideration is whether, and how, a specific control activity, individually or in combination with others, prevents, or detects and corrects, material misstatements in classes of transactions, account balances, or disclosures. Control activities relevant to the audit are those for which the engagement team considers it necessary to obtain an understanding in order to assess risks of material misstatement at the assertion level and to design and perform further audit procedures responsive to the assessed risks. An audit does not require an understanding of all the control activities related to each significant class of transactions, account balance, and disclosure in the financial statements or to every assertion relevant to them. The engagement team's emphasis is on identifying and obtaining an understanding of control activities that address the areas where the engagement team considers that material misstatements are more likely to occur. When multiple control activities achieve the same objective, it is unnecessary to obtain an understanding of each of the control activities related to such objective. The engagement team should obtain an understanding of how the entity has responded to risks arising from IT. The use of IT affects the way that control activities are implemented. The engagement team considers whether the entity has responded adequately to the risks arising from IT by establishing effective general IT-controls and application controls. From the engagement team's perspective, controls over IT systems are effective when they maintain the integrity of information and the security of the data such systems process. 
General IT-controls are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. General IT-controls that maintain the integrity of information and security of data commonly include controls over the following:
# 7.4.9 Monitoring of Controls
Monitoring of controls is a process to assess the effectiveness of internal control over time, and involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions, modified for changes in conditions. ISA 315 requires the engagement team to obtain an understanding of the major types of activities that the entity uses to monitor internal control over financial reporting, including those related to the control activities relevant to the audit, and how the entity initiates corrective actions to its controls. Appendix IV Part E provides considerations that the engagement team may use in obtaining an understanding of how the entity monitors internal control.

# 7.5 Recording and Assessment of the Accounting and Information Systems
Entities which are subject to statute are usually required by their governing law to keep proper accounting records which reflect all the business transactions. Entities which are subject to taxes on profits need to keep accounting records sufficient to enable periodic financial statements to be prepared. Engagement teams of such entities are required to report to the members if, in their opinion, governing legislation has not been complied with, and on whether proper accounting records have been kept. Part E - 04.03 of the Manual provides a checklist on compliance with the Kenyan Companies Act. The recording of the accounting system should identify the major transaction cycles, significant accounting records, the in-built controls and the financial reporting process. An understanding of the accounting system, together with the internal control built into the system, provides answers to the following questions:
Form 05.09 in Part E of the Manual provides a convenient way of summarising the reliance on the accounting system and the system of internal control. Appendix V: Guidance on Documenting the Accounting Systems provides guidance on documentation of the accounting systems.

Information Obtained in Prior Periods

Where the engagement team intends to use information obtained in prior periods, the engagement team should determine whether changes have occurred, through inquiry and by carrying out other audit procedures such as walk-through tests, and determine the relevance of such changes.

# 7.6 Inadequate Records or Systems
If the initial assessment indicates that the accounting records may be inadequate or the accounting systems may not be reliable, further audit assurance will be required from substantive procedures to support the audit opinion; e.g. if a business has no proper system for recording sales on a cash register, the record of cash sales is quite likely to be unreliable, unless there is alternative evidence, such as the aggregate selling value of goods purchased. If the audit opinion has to be qualified on the basis of inadequacies in the accounting system and records, the qualification will need to be as specific as possible, giving details of where there are deficiencies. See Section 25 of the Manual on the Auditor's Report. ISA 315 requires that the engagement team should make those charged with governance or management aware, as soon as practicable and at an appropriate level of responsibility, of material weaknesses in the design or implementation of internal controls which have come to the engagement team's attention. One of the avenues of communication is through a management letter. This is covered in detail in Section 27.5 of the Manual.
# 7.7 Engagement Team's Response to Assessed Risk
ISA 330 requires that, in order to reduce audit risk to an acceptably low level, the engagement team should determine the overall responses to assessed risks, including the risk of material misstatement due to fraud or error, at the financial statement level, and should design and perform further audit procedures whose nature, timing and extent are responsive to the assessed risk at the assertion level. In designing the audit approach, the engagement team should develop a clear linkage between the nature, timing and extent of further audit procedures and the risk assessment, taking into consideration:
The nature, timing and extent of the audit procedures are a matter of the engagement team's professional judgement. In some cases, the engagement team may determine that only by performing tests of controls can it achieve an effective response to the assessed risk of material misstatement for a particular assertion. In other cases, the engagement team may determine that performing only substantive procedures is appropriate for specific assertions and, therefore, the engagement team excludes the effect of controls from the relevant risk assessment. This may be because the engagement team's risk assessment procedures have not identified any effective controls relevant to the assertion, or because testing the operating effectiveness of controls would be inefficient. However, the engagement team needs to be satisfied that performing only substantive procedures for the relevant assertion would be effective in reducing the risk of material misstatement to an acceptably low level. Often the engagement team may determine that a combined approach, using both tests of the operating effectiveness of controls and substantive procedures, is an effective approach. Irrespective of the approach selected, the engagement team designs and performs substantive procedures for each material class of transactions, account balance and disclosure. In the case of very small entities, there may not be many control activities that could be identified by the engagement team, so the engagement team's further audit procedures are likely to be primarily substantive procedures. In such cases, the engagement team also considers whether, in the absence of controls, it is possible to obtain sufficient appropriate audit evidence.
## Nature
The nature of further audit procedures refers to their purpose (tests of controls or substantive procedures) and their type, that is, inspection, observation, inquiry, confirmation, recalculation, re-performance, or analytical procedures.
Certain audit procedures may be more appropriate for some assertions than others. The following are some examples of the audit procedures the engagement team may adopt in response to the assessed risk.
## Timing
Timing refers to when audit procedures are performed or the period or date to which the audit evidence applies. The engagement team may perform tests of controls or substantive procedures at an interim date or at period end. The higher the risk of material misstatement, the more likely it is that the engagement team may decide it is more effective to perform substantive procedures nearer to, or at, the period end rather than at an earlier date, or to perform audit procedures unannounced or at unpredictable times. Performing audit procedures before the period end may assist the engagement team in identifying significant matters at an early stage of the audit, and consequently resolving them with the assistance of management or developing an effective audit approach to address such matters. If the engagement team performs tests of controls or substantive procedures prior to period end, the engagement team should consider the additional evidence required for the remaining period. In considering when to perform audit procedures, the engagement team also considers such matters as:
## Extent
Extent includes the quantity of a specific audit procedure to be performed, for example, a sample size or the number of observations of a control activity. The extent of an audit procedure is determined by the judgement of the engagement team after considering the materiality, the assessed risk, and the degree of assurance the engagement team plans to obtain. In particular, the engagement team ordinarily increases the extent of audit procedures as the risk of material misstatement increases. However, increasing the extent of an audit procedure is effective only if the audit procedure itself is relevant to the specific risk; therefore, the nature of the audit procedure is the most important consideration. The use of computer-assisted audit techniques (CAATs) may enable more extensive testing of electronic transactions and account files. Valid conclusions may ordinarily be drawn using sampling approaches (this is covered in Section 16 of the Manual). However, if the quantity of selections made from a population is too small, the sampling approach selected may not be appropriate to achieve the specific audit objective, or if exceptions are not appropriately followed up, there will be an unacceptable risk that the engagement team's conclusion based on a sample may be different from the conclusion reached if the entire population was subjected to the same audit procedure.
# 7.8 Tests of Controls
ISA 330 requires the engagement team to perform tests of controls when the engagement team's risk assessment includes an expectation of the operating effectiveness of controls or when substantive procedures alone do not provide sufficient appropriate audit evidence at the assertion level. The engagement team is required to obtain sufficient and reliable audit evidence that the controls were operating effectively at all relevant times during the audit.
Testing the operating effectiveness of controls is performed only on those controls that the engagement team has determined are suitably designed to prevent, or detect and correct, a material misstatement in an assertion. In making the decision, the engagement team considers the following factors:
In practice, most small and medium-sized entities will not have any reliable system of internal control and therefore the engagement team may have to obtain audit evidence primarily from substantive procedures. Even where apparently reliable systems do exist, it will often not be cost effective for the engagement team to carry out tests on internal control in small to medium-sized entities. Where the engagement team has determined that it is not possible or practicable to reduce the risks of material misstatement at the assertion level to an acceptably low level with audit evidence obtained only from substantive procedures, the engagement team should perform tests of relevant controls to obtain audit evidence about their operating effectiveness. This may be the case where the engagement team finds it impossible to design effective substantive procedures that by themselves provide sufficient appropriate audit evidence at the assertion level, e.g. where an entity conducts its business using IT and no documentation of transactions is produced or maintained, other than through the IT system. Testing the operating effectiveness of controls is different from obtaining audit evidence that controls have been implemented. When obtaining audit evidence of implementation by performing risk assessment procedures, the engagement team determines that the relevant controls exist and that the entity is using them. When performing tests of the operating effectiveness of controls, the engagement team obtains audit evidence that controls operate effectively. This includes obtaining audit evidence about how controls were applied at relevant times during the period under audit, the consistency with which they were applied, and by whom or by what means they were applied. If substantially different controls were used at different times during the period under audit, the engagement team considers each separately.
The engagement team may determine that testing the operating effectiveness of controls at the same time as evaluating their design and obtaining audit evidence of their implementation is efficient.
## Framework for Assessing Controls
## Tests of Controls
Tests of controls can be grouped under the following headings:
These are covered in Section 12.4 of the Manual. Those controls subject to testing by enquiry combined with inspection or re-performance provide more assurance than those subject solely to enquiry and observation. When examining programmed procedures in an IT environment, the following factors should be considered:
## Nature of Tests of Controls
The engagement team selects audit procedures to obtain assurance about the operating effectiveness of controls. In circumstances where it is not possible or practicable to obtain sufficient appropriate audit evidence only from substantive procedures, or where the engagement team adopts an approach consisting primarily of tests of controls, the engagement team ordinarily performs tests of controls to obtain a higher level of assurance about their operating effectiveness. In testing the operating effectiveness of controls, the engagement team performs other audit procedures in combination with inquiry, since inquiry alone may not provide sufficient evidence. Those controls subject to testing by performing inquiry combined with inspection or re-performance ordinarily provide more assurance than those controls for which the audit evidence consists solely of inquiry and observation. The absence of misstatements detected by a substantive procedure does not provide audit evidence that controls related to the assertion being tested are effective. However, misstatements detected by the engagement team when performing substantive procedures are indicative of the existence of a material weakness in internal control.
## Timing of Tests of Controls
The timing of tests of controls depends on the engagement team's objectives and determines the period of reliance on those controls. If the engagement team tests controls at a particular time, the engagement team obtains audit evidence that the controls operated effectively at that time. If the engagement team wants to obtain evidence of the operating effectiveness of controls throughout the period, then the engagement team should obtain evidence of their effectiveness by testing them at appropriate intervals during the period.
Where the engagement team obtains evidence about the operating effectiveness of controls during an interim period, the engagement team should determine what additional audit evidence should be obtained for the remaining period taking into account any changes in the information systems, processes and personnel. In making this determination, the engagement team considers the:
Where the engagement team plans to rely on the operating effectiveness of controls obtained in the prior year, the engagement team should ascertain whether changes in those specific controls have taken place subsequently. However, in such cases the engagement team should test the operating effectiveness of controls at least once in every three audits. The required audit evidence is obtained by performing inquiry combined with observation or inspection. Where controls have changed, the engagement team should obtain audit evidence by testing the operating effectiveness of the controls.
## Extent of Tests of Controls
As a general rule, the more the engagement team plans to rely on the operating effectiveness of controls, the greater the extent of the engagement team's tests of controls. In considering the extent of tests, the engagement team considers the:
The higher the level of inherent and analytical risk, the greater assurance tests of control need to give, if they are to be worthwhile. The following is a guide to the minimum number of items to test a sample of transaction control, but levels may need to vary according to the particular circumstances. The sample selected should be chosen from the whole of the accounting period.
A control is considered effective only if no exceptions are noted from the sample selected. If one to three exceptions are noted, a new sample is selected and tested. If one exception is noted in the second sample, the control is concluded not to be operating satisfactorily. If more than four exceptions are noted in the initial sample selected, the control is also concluded not to be operating satisfactorily.
## Drawing Conclusions
If audit tests disclose no exceptions, reliance can be placed on the controls that have been tested. If audit tests reveal that the control was not operating properly, the reasons for not operating and the impact must be ascertained. Was the exception an isolated departure, or was it representative of other problems? If it is believed to be an isolated departure, the validity of the explanation should be confirmed by carrying out further tests. If these further tests fail, the control cannot be relied on and substantive tests may not be restricted unless alternative controls, that give sufficient comfort, can be identified. On completion of the tests relating to each key question, a conclusion should be drawn on whether the controls are reliable. The reliability of controls relating to each key question should be taken, together with any relevant overall controls, for the purpose of assessing whether control risk is high, medium or low in relation to substantive tests linked with that key question. If the controls are working, control risk will be low, and hence the amount of substantive testing can be limited. Before the conclusion of the audit, based on the results of substantive procedures and other audit evidence obtained by the engagement team, the engagement team should consider whether the assessment of control risk is confirmed.
# 7.9 Substantive Procedures
The substantive procedures, other than Analytical Procedures, are covered in Section 15 of the Manual. Analytical Procedures are covered in Section 14.
# 7.10 Audit Considerations Relating to Entities Using Service Organisations
ISA 402 requires the engagement team to consider how a service organisation affects the entity's accounting and internal control systems, so as to plan the audit and develop an effective audit approach accordingly. The entity may use a service organisation to process its accounting data, and certain records, procedures and policies maintained by the organisation may be relevant to the audit. If the services provided are limited to recording and processing data and the entity retains authorisation and maintenance of accountability, the entity could implement effective control procedures. If the service organisation maintains accountability, the entity may rely on control procedures in place at the service organisation. The engagement team therefore needs to assess the significance of the service organisation's activities and their relevance to the audit, for example, by assessing the services provided, the terms of reference, the controls exercised over processing and the extent to which the client's systems interact with those at the service organisation. The engagement team may conclude that the risk attaching to this area is low and does not present any audit problem. If the services provided are significant to the entity and relevant to the audit, the engagement team needs to obtain sufficient information to understand the systems at the service organisation, to properly assess the control risk involved. The team may ask the service organisation's engagement teams for assistance, for example, requesting a report on the operating effectiveness of the organisation's accounting and internal control systems for processing data relevant to the audit. The engagement team will have to consider the nature and content of any such report and make enquiries as to the professional competence of the service organisation's engagement team, before deciding whether to rely on it.
If the engagement team uses a report from the engagement team of a service organisation, no reference should be made to that report in the auditor's report.
# APPENDIX I: INHERENT RISK CONSIDERATIONS
Factors that normally indicate a high inherent risk:
1. Overall business factors
2. Individual audit areas
## Inherent Risk - Factors Affecting the Business as a Whole
1. General business environment
2. Position in the industry
3. Ownership of the business
4. Management of the business
5. Going concern
Other signs of going concern problems
## Inherent Risk - Factors Affecting Most Audit Areas
1. Previous history
2. The nature of account balances / classes of transactions
3. Assets susceptible to theft
4. Staff
## Inherent Risk - Factors Affecting Major Audit Areas
1. Property, plant and equipment
2. Investments
3. Inventories
4. Trade and Other Receivables
5. Bank and cash
6. Trade and other payables
7. Borrowings
8. Taxation
9. Equity
10. Salaries and wages
# APPENDIX II: FACTORS TO CONSIDER IN UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT
# APPENDIX III: CONDITIONS AND EVENTS THAT MAY INDICATE RISKS OF MATERIAL MISSTATEMENT
# APPENDIX IV: INTERNAL CONTROL COMPONENTS
## A. Control Environment
The control environment encompasses the following elements:
The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them. Integrity and ethical values are essential elements of the control environment which influence the effectiveness of the design, administration, and monitoring of other components of internal control. Integrity and ethical behaviour are the product of the entity's ethical and behavioural standards, how they are communicated, and how they are reinforced in practice. They include management's actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. They also include the communication of entity values and behavioural standards to personnel through policy statements and codes of conduct and by example.
Competence is the knowledge and skills necessary to accomplish tasks that define the individual's job. Commitment to competence includes management's consideration of the competence levels for particular jobs and how those levels translate into requisite skills and knowledge.
An entity's control consciousness is influenced significantly by those charged with governance. Attributes of those charged with governance include independence from management, their experience and stature, the extent of their involvement and scrutiny of activities, the appropriateness of their actions, the information they receive, the degree to which difficult questions are raised and pursued with management, and their interaction with internal and external engagement teams. The importance of responsibilities of those charged with governance is recognised in codes of practice and other regulations or guidance produced for the benefit of those charged with governance. Other responsibilities of those charged with governance include oversight of the design and effective operation of whistle blower procedures and the process for reviewing the effectiveness of the entity's internal control. The following additional points may be considered:
Management's philosophy and operating style encompass a broad range of characteristics. Such characteristics may include the following:
An entity's organisational structure provides the framework within which its activities for achieving entity-wide objectives are planned, executed, controlled, and reviewed. Establishing a relevant organisational structure includes considering key areas of authority and responsibility and appropriate lines of reporting. An entity develops an organisational structure suited to its needs. The appropriateness of an entity's organisational structure depends, in part, on its size and the nature of its activities. The following additional factors may be considered:
This factor includes how authority and responsibility for operating activities are assigned and how reporting relationships and authorisation hierarchies are established. It also includes policies relating to appropriate business practices, knowledge and experience of key personnel, and resources provided for carrying out duties. In addition, it includes policies and communications directed at ensuring that all personnel understand the entity's objectives, know how their individual actions interrelate and contribute to those objectives, and recognise how and for what they will be held accountable.
Human resource policies and practices relate to recruitment, orientation, training, evaluating, counselling, promoting, compensating, and remedial actions. For example, standards for recruiting the most qualified individuals - with emphasis on educational background, prior work experience, past accomplishments, and evidence of integrity and ethical behaviour - demonstrate an entity's commitment to competent and trustworthy people. Training policies that communicate prospective roles and responsibilities and include practices such as training schools and seminars illustrate expected levels of performance and behaviour. Promotions driven by periodic performance appraisals demonstrate the entity's commitment to the advancement of qualified personnel to higher levels of responsibility.
## Application to Small Entities
Small entities may implement the control environment elements differently than larger entities. For example, small entities might not have a written code of conduct but, instead, develop a culture that emphasises the importance of integrity and ethical behaviour through oral communication and by management example. Similarly, those charged with governance in small entities may not include an independent or outside member.
## B. Entity's Risk Assessment Process
The entity's risk assessment process for financial reporting includes how management identifies risks relevant to the preparation of financial statements that give a true and fair view in accordance with the entity's applicable financial reporting framework, estimates their significance, assesses the likelihood of their occurrence, and decides upon actions to manage them. For example, the entity's risk assessment process may address how the entity considers the possibility of unrecorded transactions or identifies and analyses significant estimates recorded in the financial statements. Risks relevant to reliable financial reporting also relate to specific events or transactions.
Risks relevant to financial reporting include external and internal events and circumstances that may occur and adversely affect an entity's ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements. Once risks are identified, management considers their significance, the likelihood of their occurrence, and how they should be managed. Management may initiate plans, programs, or actions to address specific risks or it may decide to accept a risk because of cost or other considerations. Risks can arise or change due to circumstances such as the following:
## Application to Small Entities
The basic concepts of the entity's risk assessment process are relevant to every entity, regardless of size, but the risk assessment process is likely to be less formal and less structured in small entities than in larger ones. All entities should have established financial reporting objectives, but they may be recognised implicitly rather than explicitly in small entities. Management may be aware of risks related to these objectives without the use of a formal process but through direct personal involvement with employees and outside parties.
An information system consists of infrastructure (physical and hardware components), software, people, procedures, and data. Infrastructure and software will be absent, or have less significance, in systems that are exclusively or primarily manual. Many information systems make extensive use of information technology (IT). The **information system relevant to financial reporting objectives**, which includes the financial reporting system, consists of the procedures and records established to initiate, record, process, and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets, liabilities, and equity. Transactions may be initiated manually or automatically by programmed procedures. Recording includes identifying and capturing the relevant information for transactions or events. Processing includes functions such as edit and validation, calculation, measurement, valuation, summarisation, and reconciliation, whether performed by automated or manual procedures. Reporting relates to the preparation of financial reports as well as other information, in electronic or printed format, that the entity uses in measuring and reviewing the entity's financial performance and in other functions. The quality of system-generated information affects management's ability to make appropriate decisions in managing and controlling the entity's activities and to prepare reliable financial reports. Accordingly, an information system encompasses methods and records that:
Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting. It includes the extent to which personnel understand how their activities in the financial reporting information system relate to the work of others and the means of reporting exceptions to an appropriate higher level within the entity. Open communication channels help ensure that exceptions are reported and acted on. Communication takes such forms as policy manuals, accounting and financial reporting manuals, and memoranda. Communication also can be made electronically, orally, and through the actions of management.
## Application to Small Entities
Information systems and related business processes relevant to financial reporting in small entities are likely to be less formal than in larger entities, but their role is just as significant. Small entities with active management involvement may not need extensive descriptions of accounting procedures, sophisticated accounting records, or written policies. Communication may be less formal and easier to achieve in a small entity than in a larger entity due to the small entity's size and fewer levels as well as management's greater visibility and availability.
## D. Control Activities
Control activities are the policies and procedures that help ensure that management directives are carried out, for example, that necessary actions are taken to address risks that threaten the achievement of the entity's objectives. Control activities, whether within IT or manual systems, have various objectives and are applied at various organisational and functional levels. Generally, control activities that may be relevant to an audit may be categorised as policies and procedures that pertain to the following:
Certain control activities may depend on the existence of appropriate higher level policies established by management or those charged with governance. For example, authorisation controls may be delegated under established guidelines, such as investment criteria set by those charged with governance; alternatively, non-routine transactions such as major acquisitions or divestments may require specific high level approval, including in some cases that of shareholders.
## Application to Small Entities
The concepts underlying control activities in small entities are likely to be similar to those in larger entities, but the formality with which they operate varies. Further, small entities may find that certain types of control activities are not relevant because of controls applied by management. For example, management's retention of authority for approving credit sales, significant purchases, and draw-downs on lines of credit can provide strong control over those activities, lessening or removing the need for more detailed control activities. An appropriate segregation of duties often appears to present difficulties in small entities. Even companies that have only a few employees may be able to assign their responsibilities to achieve appropriate segregation or, if that is not possible, to use management oversight of the incompatible activities to achieve control objectives.
## E. Monitoring of Controls
An important management responsibility is to establish and maintain internal control on an ongoing basis. Management's monitoring of controls includes considering whether they are operating as intended and that they are modified as appropriate for changes in conditions.
Monitoring of controls may include activities such as management's review of whether bank reconciliations are being prepared on a timely basis, internal engagement teams' evaluation of sales personnel's compliance with the entity's policies on terms of sales contracts, and a legal department's oversight of compliance with the entity's ethical or business practice policies. Monitoring of controls is a process to assess the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. Monitoring is done to ensure that controls continue to operate effectively. For example, if the timeliness and accuracy of bank reconciliations are not monitored, personnel are likely to stop preparing them. Monitoring of controls is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring activities are built into the normal recurring activities of an entity and include regular management and supervisory activities. Managers of sales, purchasing, and production at divisional and corporate levels are in touch with operations and may question reports that differ significantly from their knowledge of operations. In many entities, internal engagement teams or personnel performing similar functions contribute to the monitoring of an entity's controls through separate evaluations. They regularly provide information about the functioning of internal control, focusing considerable attention on evaluating the design and operation of internal control. They communicate information about strengths and weaknesses and recommendations for improving internal control. Monitoring activities may include using information from communications from external parties that may indicate problems or highlight areas in need of improvement. Customers implicitly corroborate billing data by paying their invoices or complaining about their charges. 
In addition, regulators may communicate with the entity concerning matters that affect the functioning of internal control, for example, communications concerning examinations by bank regulatory agencies. Also, management may consider communications relating to internal control from external engagement teams in performing monitoring activities.
## Application to Small Entities
Ongoing monitoring activities of small entities are more likely to be informal and are typically performed as a part of the overall management of the entity's operations. Management's close involvement in operations often will identify significant variances from expectations and inaccuracies in financial data leading to corrective action to the control.
# APPENDIX V: GUIDANCE ON DOCUMENTING THE ACCOUNTING SYSTEMS
## 1. Flowcharting
A flowchart is a method of recording the stages in an accounting procedure. Flowcharts can be a useful tool, particularly for larger clients. Advantages of flowcharting:
Disadvantages of flowcharting:
## Flowcharting Conventions
_______________________________ Document flow (vertical lines only).
---------------------------------------------------- Information flow (horizontal lines only).
(i) Detail both procedures on the main chart, if sufficiently simple; or
(ii) Draw a subsidiary chart.
## Preparing a Flowchart
## 2. Narrative Notes
In the case of smaller entities with less complicated transactions, narrative notes describing the process flows may be sufficient. Even in such cases it is important to carry out walk-through tests and confirm the recording with the person exercising overall responsibility, to ensure that the notes are correct.