ISA 315 Flashcards
Risk Assessment Procedures and Related Activities:
Auditor shall perform risk assessment procedures to obtain understanding of Entity, and Internal control to
identify and assess the risk of material misstatement, at assertion level and financial statement level.
Benefits of obtaining understanding of entity and its internal control:
o To assess Inherent Risk and Control Risk (i.e. Risk of material misstatement)
o To identify Significant Risks (i.e. risks which require special audit considerations)
o To determine materiality
o To determine nature, timing and extent of further audit procedures
o To determine appropriateness of accounting policies and estimates
Extent and Depth of understanding required:
Extent and depth of understanding to be obtained depends on professional judgment of auditor. It may be
less than that possessed by management but should be sufficient enough to identify and assess the risk of
material misstatement.
Extent and Depth of understanding required:
Extent and depth of understanding to be obtained depends on professional judgment of auditor. It may be
less than that possessed by management but should be sufficient enough to identify and assess the risk of
material misstatement.
Risk Assessment Procedures:
o Inquiries of management, internal audit function and others within the entity
o Observation, and Inspection
o Analytical procedures
Related Activities:
o Information obtained from client acceptance and continuance process
o Information obtained from other engagement for the entity
o Information obtained from previous audits
o Discussion among engagement team
Inquiry of management
Much of the information obtained by the auditor’s inquiries is obtained from management and those
responsible for preparation of financial statements.
Inquiry of Internal audit function:
Auditor may inquire of chief internal audit executive or others within internal audit function to obtain
information about entity’s risk assessment process, control deficiencies, and matters raised with TCWG.
Auditor may also consider to reading reports of internal audit function.
TCWG
To understand environment in which financial statements are prepared.
Employees
To understand process of initiation and recording of transactions
Marketing /Sales Personnel
To understand sales trends and contractual agreements with customers
In-House Legal Counsel
To understand compliance with laws/regulations, litigation and fraud
Production Department
To understand operations and productions
Risk management function
To obtain information about operational and regulatory risks affecting financial
statements.
Information system personnel
To obtain information about system changes, system or control failures or other
risks
Observation and Inspection
Observation and Inspection support inquiries and also provides further information about entity. Examples
include:
Observation of Entity’s Premises and Plant facilities
Observation of Entity’s operations
Inspection of documents (e.g. Business Plans, Strategies, SOPs, Internal Controls, etc.)
Inspection of Reports by Management (e.g. Interim financial statements and minutes of meetings)
Analytical Procedures:
Analytical procedures performed as risk assessment procedures identify Unusual or Unexpected
relationships and amounts which may indicate existence of error/fraud. Analytical procedures performed as
risk assessment procedures may include both financial and non-financial information
Information Obtained in Prior Periods:
nformation obtained in prior periods may also be relevant and may be used by auditor in current period e.g.
information about following matters:
Use of risk assessment procedures performed last year
Use of tests of controls performed last year
Use of substantive procedures performed last year
ISA – 330 provides guidance on use of information obtained in prior periods.
Discussion among the Engagement Team:
Objectives/Benefits:
1. More experienced members share their insights based on their knowledge of the entity.
2. Team members exchange information about the business risks of entity and how financial
statements may be misstated.
3. Team members gain a better understanding of audit risk in specific areas assigned to them, and how
the results of their work can affect other aspects of audit.
4. Team members communicate and share new information obtained throughout the audit that may
affect the audit risk or audit procedures
What is discussed among engagement team
Business Risks, Audit Risks, Professional Skepticism, Fraud consideration, application of AFRF on entity, New
information during audit affecting risk and audit procedures
When is discussed among engagement team
It also depends on professional judgment. Usually this discussion starts from planning phase and there may
be further discussions throughout the audit to exchange ongoing information.
Who is involved in discussion among Engagement Team
It is a matter of professional judgment as to which members to include. Usually Key members of engagement
teams are included. All members are not necessary. Involvement of Expert and auditors of components is also
considered.
The Entity and Its Environment:
Auditor is required to obtain understanding of entity. This understanding shall cover following:
1) Entity’s Environment
2) Nature of entity
3) Entity’s Selection and Application of Accounting Policies
4) Objectives, Strategies and related Business Risks
5) Measurement and Review of entity’s Financial Performance
Industry, Regulatory and Other External Factors:
Auditor shall consider following factors in obtaining understanding of entity’s environment:
Industry Factors
*Market and Competition
*Seasonal activity
*Product technology
*Energy supply and cost
Regulatory Factors
*Applicable legislation and regulation
*Taxation laws
*AFRF
*Industry specific practices
*Government policies (monetary
policy, fiscal policy, foreign
exchange policy)
Other External Factors
*General economic conditions
*Interest rates
*Inflation rates
*Availability of financing
*Currency revaluation
Nature of the Entity:
Examples of matters that the auditor may consider when obtaining an understanding of the nature of the
entity include:
IDENTIFYING AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT:
There are two levels of risk of material misstatement i.e. at Financial Statement Level and at Assertion Level.
Assessment of Risks of Material Misstatement at the Financial Statement Level
Risks at the financial statement level refer to risks that affect financial statements pervasively and potentially
affect many assertions.
Consideration of Risk at Financial Statement Level assists an auditor to:
Determine overall Audit Strategy
Assessment of Risks of Material Misstatement at the Assertion Level
Risk at assertion level refers to risks that do not affect financial statements pervasively and affect only
specific identifiable assertions.
Consideration of Risk at Assertion Level assists an auditor to:
Determine Audit Plan/Audit Program/Audit Procedures
Examples At Financial Statements Level
Due to
Inherent
Risk
-Adverse economic and competitive conditions
-Hi-tech, complex industry
-Liquidity or Going concern problem
Due to
Control Risk
-Weak control environment.
- High turnover of senior finance team members
Examples at Assertion level
Due to
Inherent
Risk
-Complex transactions and calculations
-Estimates, judgments, uncertainties in
account balance or classes of transactions
Due to
Control Risk
-Not preparing BRS
-Not sending monthly statements to
debtors
Examples at Assertion level
Due to
Inherent
Risk
-Complex transactions and calculations
-Estimates, judgments, uncertainties in
account balance or classes of transactions
Due to
Control Risk
-Not preparing BRS
-Not sending monthly statements to
debtors
- Existence i.e. recorded assets, liabilities, and equity actually exist.
- Rights and obligations i.e. entity holds or controls the rights to assets, and liabilities are obligations
of entity. - Accuracy, Valuation and allocation i.e. assets, liabilities, and equity are included in the financial
statements at appropriate amounts; and adjustments relating to valuation/allocation have been
recorded. - Completeness i.e. all assets, liabilities and equity that should have been recorded, have been
recorded. - Classification i.e. assets, liabilities and equity have been recorded in the proper accounts.
- Presentation i.e. assets, liabilities and equity are appropriately aggregated or disaggregated, and
disclosures are according to AFRF.
Assertions about classes of transactions and events for the period:
- Occurrence i.e. all transactions and events, that have been recorded, have actually occurred and
pertain to the entity (i.e. there is no overstatement). - Accuracy i.e. amounts and other data relating to transactions and events have been recorded
appropriately. - Cutoff i.e. transactions and events have been recorded in correct accounting period.
- Completeness i.e. all transactions and events, that should have been recorded, have been recorded
(i.e. there is no understatement). - Classification i.e. transactions and events have been recorded in the proper accounts.
- Presentation i.e. transactions and events are appropriately aggregated or disaggregated, and
disclosures are according to AFRF.
Identifying Significant Risks:
“An identified and assessed risk of material misstatement that, in the auditor’s judgment, requires special
audit consideration.”
Factors to consider in exercising judgment as to which risks are significant risks:
Significant non-routine transactions
Judgmental Matters
Risk of material misstatement due to fraud
Risk related to recent economic, accounting or other development
Complexity of transactions
Significant related parties’ Transactions
Significant risks are assessed before consideration of any mitigating controls so they are based on the
inherent risk only
Understanding Controls Related to Significant Risks:
Understanding Controls Related to Significant Risks:
Risks for Which Substantive Procedures Alone Do Not Provide Sufficient Appropriate Audit
Evidence:
Example:
When there are numerous and significant transactions, with highly automated processing and little or no
manual intervention.
Auditor’s Procedures:
If substantive procedures alone do not provide sufficient appropriate audit evidence, auditor is also required
to test the entity’s controls over the completeness and accuracy of the recording.
Revision of Risk Assessment:
During the audit, information may come to the auditor’s attention that differs significantly from the
information on which the risk assessment was based.
The auditor shall revise his assessment of risks of material misstatement, and shall modify the audit
procedures if there is additional evidence from further audit procedures which is inconsistent with the
evidence on which auditor based his original assessment e.g.
In performing tests of those controls, the auditor may obtain audit evidence that they were not
operating effectively at relevant times during the audit.
In performing substantive procedures, the auditor may detect misstatements in amounts or
frequency greater than original assessment
DOCUMENTATION
Auditor shall document following:
The discussion among the engagement team, and the significant decisions reached;
Risk assessment procedures performed, and key elements of the understanding obtained regarding
each of the aspects of the entity and of each of the internal control components
The identified risks at the financial statement level and at the assertion level.
Significant risks and risks for which substantive procedures alone do not provide sufficient
appropriate audit evidence, and related controls.
Occurrence of Sales:
Circumstances which increases risk:
Unusual growth of sales
Bonus on achievement of sale target
Evaluation of Risk
Revenue may be overstated to meet
expectations or targets.
Key Audit Procedures
Perform tests of controls over recording of revenue.
Checked sales recorded at year end and credit notes issued after the year
end, to assess whether these have been recorded in appropriate periods.
For sales recorded during the year, select a sample of significant sales
recorded, and inspect sales orders, sales invoices, GDN and other underlying
documents.
Completeness of Sales:
Circumstances which increases risk:
Unusual decrease in sales
Evaluation of Risk
There is a risk that some of the goods
despatched may not have been
recorded.
Key Audit Procedures
Select a sample of Goods Desptach Notes and check their recording in sales
account.
Perform cut-off test on sales.
Send confirmation letters to major debtors with low balance.
Completeness of Sales:
Circumstances which increases risk:
Unusual decrease in sales
Evaluation of Risk
There is a risk that some of the goods
despatched may not have been
recorded.
Key Audit Procedures
Select a sample of Goods Desptach Notes and check their recording in sales
account.
Perform cut-off test on sales.
Send confirmation letters to major debtors with low balance.
Accuracy of sales:
Income is received (or expense is paid) in advance:
Evaluation of Risk
Income may be recorded when cash is
received, instead of when risk and
rewards are transferred.
Key Audit Procedures:
Perform tests of controls to ensure that cash received is recorded as
deferred revenue, and subsequently recorded as sales when risks and
rewards are transferred.
Perform cut-off tests on sales.
Valuation of inventory:
Circumstances which increases risk:
Decrease in sales/demand (due to change in fashion/technology or launch of new products)
Long-standing inventory/increase in inventory turnover ratio
Defective goods in inventory
Cost of production increases, or Sale price decreases.
If product is malfunctioning,
New products are launched by company or competitor.
Contract of specialized inventory is cancelled or customer goes bankrupt.
Defective goods returned by customers.
Evaluation of Risk
Due to ______, there is risk that NRV of
inventory may be lower than its cost.
Key Audit Procedures
Inquire client about calculation of NRV of inventory, and check
reasonableness of the basis of calculations (e.g. subsequent sale price of
inventory).
Obtain the aging analysis of inventory. Test its accuracy and identify any
slow-moving/obsolete inventory which needs to be written down to its
NRV.
Compare NRV of each inventory item to its cost.
Physical verification for damaged items.
Existence of Inventory:
Circumstances which increases risk:
Inventory is held at various locations or
Inventory is held with third party or
Evaluation of Risk
It is difficult to verify existence and
completeness of inventory if ……………
Key Audit Procedures
Select a sample of locations to be physically inspected by auditor.
Conduct simultaneous stock checking for selected locations.
For locations not selected for stock-count, compare inventory level
with previous periods. Obtain working papers of internal auditors, if
relevant.
Additions to fixed assets:
Circumstances which increases risk:
Major fixed assets purchased during the year.
Significant capital expenditures incurred during the year.
Evaluation of Risk
There may be misclassification
between capital and revenue
expenditure. Further, there may also be
implications on depreciation expense
because of this misclassification.
Key Audit Procedures
Check approval of fixed assets acquired purchased or capital
expenditure incurred during the year.
Perform tests of details on additions to PPE, and perform physical
verification of PPE acquired.
Select a sample of cost incurred, and check with supporting
documents to ensure expense has been properly classified.
Inspected supporting documents to ensure it has been capitalized
from date when asset was ready for intended use.
Assessed reasonableness of useful life of fixed asset.
Tested calculation of depreciation expense.
Revaluation of PPE:
Circumstances which increases risk:
Revaluation policy adapted by management.
Evaluation of Risk
Process of valuation is a highly
complex and judgmental process which
involves assumptions and methods
affected by future economic and
market conditions.
Key Audit Procedures
Assessed competence, capability and objectivity of expert.
Obtained revaluation report from valuer and check source data,
assumptions and methodologies used, and conclusions.
Ensured that revaluation is properly accounted for and disclosed in
financial statements
Impairment of Machinery:
Circumstances which increases risk:
Decrease in sales/demand of inventory
Faults in production process (e.g. increase in scrap/wastage of inventory during production)
Destroyed or Unused or Under-utilized Fixed Assets.
Evaluation of Risk
Due to ____, Value in use of asset may
have decreased which is an indication
of impairment.
Key Audit Procedures
Ask management to carry out impairment review.
Obtain working of client relating to impairment and review source data and
assumptions to check their reasonableness.
Consider involving use of expert to verify working of impairment loss.
Classification as Non-current assets held for sale under IFRS – 5:
Circumstances which increases risk:
Closure of a factory
Evaluation of Risk
Due to closure of a factory, there may
be non-current assets held for sale.
This is a non-routine transaction,
involving significant management
judgments. Further, there are also
requirements regarding determination
of fair value, presentation and
disclosures relating to assets held for
sale.
Key Audit Procedures
Read minutes of board meeting to check approval to sell assets.
Review steps taken by management to sell the assets e.g. any
correspondence or agreement with prospective buyer.
Check whether non-current assets held for sale are
o Measured at lower of carrying amount and fair value less costs to sell.
o Presented separately in balance sheet under Current Assets.
o No more depreciated.
Obtain valuation report of expert to confirm fair value of assets.
Check that discontinued operations are separately presented, and disclosed.
Valuation of debtors:
Circumstances which increases risk:
Increase in Debtors’ turnover ratio
Increase in Debtors/Receivables
Dispute with debtors
Evaluation of Risk
Receivables have become doubtful and
full recovery is not expected.
Key Audit Procedures
Obtain understanding and test internal controls over debtors (e.g. approval
and review of credit limit, receivables’ aging report, and credit period).
Checked subsequent receipts of cash.
Assess appropriateness of provision for bad debts by comparing it with
previous years, with industry and with subsequent status.
Valuation of Foreign Currency Receivables/Payables:
Circumstances which increases risk:
Imports and Exports
Evaluation of Risk
Changes in rates of FCY at year end
may not be recorded, or may be
wrongly recorded in Purchases/Sales
instead of charging as income/expense
in P & L.
Key Audit Procedures
If there are goods in transit at year end, inspect their respective purchase
orders and ensure that rights and rewards have been transferred in respect
of inventory.
Perform tests of controls to ensure that appropriate exchange rates are used
in translation of foreign currency.
Ensure that any gain/loss on closing balances of foreign currency are
correctly recognized as per IFRS.
Review the insurance policies at year end to ensure they Goods-in-transit are
adequately covered.
Completeness of creditors:
Circumstances which increases risk:
Decrease in creditors’ ratio.
Decrease in creditors
Evaluation of Risk
Decrease indicates understatement of
creditors.
Key Audit Procedures
Send confirmation letters to major creditors having low balance.
Perform cut-off test on purchases.
Review pending Goods Received Note, to identify any purchase not
recorded.
Review significant payments made after the year to identify if any payment
relates to current year.
Provision for warranty:
Circumstances which increases risk:
Company provides warranty to its customers.
Increase in warranty period/complains.
Malfunctioning of products
Not in alignment with sales
Evaluation of Risk
Estimated expense for provision of
warranty may not be reasonable
considering warranty period, level of
sales, or complains by customers.
Key Audit Procedures
Review warranty claims after the year.
Review client’s working for warranty provision, and check appropriateness
of assumptions in the current situations.
Consider need to engage an expert to calculate warranty provision
Provision for restructuring/ staff termination:
Circumstances which increases risk:
Closure of a factory.
Evaluation of Risk Key Audit Procedures
Due to announcement of closure of a
factory before year-end, there is a risk
that restructuring provision is not
appropriately recorded in respect of
employees who were made redundant.
Obtain working papers prepared by client for restructuring provision.
Obtain list of redundant employees and ensure all of them are included in
calculation.
Inquire from terminated employees/labour union regarding agreed
termination payments.
Inspect appointment letters
Provision for Onerous contracts:
Circumstances which increases risk:
Loss making non-cancellable contracts
Evaluation of Risk
Management may not have recorded
appropriate amount of loss on noncancellable contract.
Key Audit Procedures
Review the sale agreement to confirm sale price.
Review purchase agreement and other components of cost to confirm the
purchase price.
Ensure cost exceeds sale price.
Review sale agreement to confirm if there is any right to cancel the
agreement and any penalty clause.
Provision for Legal cases:
Circumstances which increases risk:
unfair dismissal of staff
serious accident damaging environment or injuring people
malfunctioning of product
Evaluation of Risk
There is judgment involved to assess
the outcome (i.e. level of provisions
and disclosures) of pending litigations.
Complete provision or disclosure may
not have been recorded by client.
Key Audit Procedures
Circularize confirmation to company’s external legal consultants for their
views on pending litigations, and discussed the rationale and justification of
their views.
Use our own legal expert to consider the level of provision required
considering nature of case, legal precedents, and company’s
correspondence with opponents.
Analyze significant changes from prior period.
Assess the adequacy of disclosures related to pending litigations in notes to
the accounts.
Existence and Valuation of Goodwill:
Circumstances which increases risk:
Business purchased during the year.Circumstances which increases risk:
Business purchased during the year.
Evaluation of Risk
Goodwill may not have been
recognized and measured at
appropriate amount.
Further, annual testing of impairment
of goodwill is a highly complex and
judgmental process
For recognition:
Key Audit Procedures
Inspect the sale agreement and agree cost of acquisition paid to cash book
and bank statement, and
Inspect due-diligence report for the acquisition, and ensure that all
identifiable assets have been included and are reasonably valued.
For impairment testing:
Evaluate appropriateness of assumptions (e.g. sales volume, prices,
operating cost, growth rates) by comparing with our own assessment based
on our knowledge of client and industry.
Evaluation of Risk Key Audit Procedures
Goodwill may not have been
recognized and measured at
appropriate amount.
Further, annual testing of impairment
of goodwill is a highly complex and
judgmental process
For recognition:
Inspect the sale agreement and agree cost of acquisition paid to cash book
and bank statement, and
Inspect due-diligence report for the acquisition, and ensure that all
identifiable assets have been included and are reasonably valued.
For impairment testing:
Evaluate appropriateness of assumptions (e.g. sales volume, prices,
operating cost, growth rates) by comparing with our own assessment based
on our knowledge of client and industry.
Recognition of Development Cost:
Circumstances which increases risk:
Product developed/launched during the year.
Evaluation of Risk
There may be misclassification
between Research and Development
costs. Further, development cost may
not have met recognition criteria.
Key Audit Procedures
Ensure that development cost is recognized only if criteria is met as
required by IAS – 38.
Discuss the project with management to assess the feasibility of the project,
and obtain representation from management regarding intention to
complete the project.
For a sample of costs, inspect supporting documents e.g. development
contracts, billing and timesheets
Review development cost to verify that cost is appropriately classified and
does not include research expenses.
YOU ARE APPOINTED THIS YEAR (FIRST YEAR OF AUDIT)
Risk (What) and Explanation (Why)
Opening Balances:
There may be misstatements in
opening balances, and balances may
not be correctly brought forward.
Further, accounting policies may not be
consistently applied.
Key Audit Procedures (How)
Review predecessor auditor’s working papers (if applicable).
Evaluate whether audit procedures performed in current year provide
evidence about opening balances.
Perform specific procedures to verify opening balances (e.g. review of
previous period’s accounting records).
Going Concern Uncertainty:
Circumstances which increases risk:
Loss during the year,
Bankruptcy of major customer.
Adverse key financial ratios (e.g. Current ratio, Quick-asset ratio, Debt-equity ratio)
Ceased substantial manufacturing activities
Serious accident damaging environment or injuring people
Evaluation of Risk
There is a risk that entity may not be
able to continue as a going concern.
Key Audit Procedures
Inquire management about its plan to resolve the liquidity issues.
Review management’s plan and analyze the assumptions used by
management to ensure their reasonableness.
Ensure proper disclosure in management regarding material
uncertainty.
RISK OF FRAUD
Risk of Overstatement of Revenue/ Understatement of expenses:
Circumstances which increases risk:
Issue of Shares is planned.
Sale of business is planned.
Contingent remuneration of CFO/CEO.
Other fraud risk factors
Evaluation of Risk
Company may be inclined to show
better results to ………….
Key Audit Procedures
Perform analytical review of income and expenses.
Perform cut-off test to ensure transactions have been recorded in correct
period.
Review accounting estimates for reasonableness.
Evaluate selection and application of accounting policies, particularly those
related to subjective measurements..
Check transactions outside the normal course of business.
Tax litigation/Contingencies:
Risk (What) and Explanation (Why)
There are judgments involved to assess
the outcome (i.e. level of provisions
and disclosures) of tax litigations.
Key Audit Procedures (How)
Circularize confirmation to company’s external tax consultants for their
views on tax assessment, and discussed the rationale and justification of
their views.
Use our own tax specialist to consider the level of provision required
considering nature of case, legal precedents, and company’s
correspondence with the tax authorities.
Analyze significant changes from prior period.
Assess the adequacy of disclosures related to tax contingencies in notes to
the accounts.
Review calculation.
Deferred tax assets:
Circumstances which increases risk:
Deferred tax recognized.
Evaluation of Risk
Recognition of deferred tax is a highly
complex and judgmental area which
involves assumptions about future.
Further, it may be difficult for to
generate future taxable profits to
utilize deferred tax asset.
Key Audit Procedures
Performed substantive procedures on calculation of deferred tax balances,
based on tax regulations.
Performed analysis of recoverability of deferred tax assets, and evaluated
company’s assumptions and estimates in generating sufficient future
taxable profits.
Used an internal tax specialist to support us in these procedures
CUSTOMER LOYALTY PROGRAMS
Risk (What) and Explanation (Why)
Improper recognition and
measurement of Revenue &
Provision:
Due to customer loyalty points, there is
risk that provision for loyalty points
may not be estimated and recorded
correctly as per IFRS 15.
Key Audit Procedures (How)
Obtain understanding of management’s process to record revenue and
related liability.
Evaluate reasonableness of management assumption regarding redemption
of points.
Obtain valuation report of expert to confirm amount of liability relating to loyalty points.
Risk of Non-compliance with laws and regulations:
Circumstances which increases risk:
New accounting or legal regulations/guidelines.
Implementation of new IT system)
Change in accounting policies
Risk (What) and Explanation (Why)
Changes in reporting and legal
requirements may not be appropriately
met by financial reporting system.
Further, non-compliance may result in
misstatement or penalties.
Key Audit Procedures (How)
Review the accounting and reporting requirements according to
new/changed accounting policy or regulatory requirements.
Ensured appropriateness of accounting treatment and disclosures made.
Risk of Non-compliance with laws and regulations:
Risk (What) and Explanation (Why)
Ineffective Governance Structure:
Management decisions are not
overseen by directors, therefore,
governance structure is likely to be
ineffective.
Key Audit Procedures (How)
Obtain minutes of BOD meeting and audit committee meetings to evaluate
their involvement and role in decision making process.
Inquire about the competencies, skills, knowledge and experience of the
board of directors.
BANK LOAN
Evaluation of Risk
There may be misclassification of loan,
incorrect recording of interest or
inadequate disclosures.
Further, there may be breaches of debtcovenants requirements.
Key Audit Procedures
Ensure proper classification of borrowings between current and noncurrent portion by reviewing loan agreement.
Send confirmation letter to confirm outstanding amounts and other
terms and conditions.
Test calculation of markup.
Assess adequacy of compliance with debt-covenant requirements.
Assess adequacy of disclosures in financial statements.
RELATED PARTY TRANSACTIONS
Evaluation of Risk
There is inherent risk in related party
transactions due to its nature and
significance.
Key Audit Procedures
Obtained understanding of controls over identification, recording and
disclosure of related party transactions. Also, tested such controls.
Inspected minutes of BOD meetings and shareholders’ meetings to
understand nature and approval of transactions.
On a sample basis, compared transactions with related parties with
underlying supporting documents and agreements.
Obtained confirmation (on sample basis) from related parties for
transactions and balances.
Assessed the adequacy of disclosures related to related parties in notes to
the accounts.
Risk of incorrect recording of transactions:
Circumstances which increases risk:
Few/overburdened staff in accounting and finance department.
Finance department is working without financial controller (or IT department working without IT manager).
Introduction of new IT system.
Evaluation of Risk Key Audit Procedures
There is a risk of errors due to lack of
segregation of duties/supervision, or
due to inexperienced staff.
Auditor shall place less reliance on internal controls and shall
increase substantive testing.
OTHER RISKS
Circumstances which increases risk:
Company deals in large number of products (Segment Reporting)
Recording contingent asset as receivable.
Weak internal controls: e.g. Reconciliations not being prepared (in bank, debtors, creditors, inventory)
Predecessor auditor did not wish to be reappointed (This is an indication of disagreement and/or inappropriate
scope limitation.)
Restricted time schedule for audit (Audit team may not have time to obtain sufficient appropriate audit
evidence.)
Predecessor auditor expressed modified opinion.
Tips:
One information may lead to many risks
Monitoring of Controls
Monitoring of controls is a process to assess the effectiveness of internal control performance and taking
necessary remedial actions.
The auditor shall obtain an understanding of the major activities used by entity to monitor internal control
over financial reporting and how the entity initiates remedial actions to deficiencies in its controls.
If the entity has an internal audit function, auditor shall obtain an understanding of:
Objectivity of Internal Audit Function (evaluating its organizational status)
Nature (i.e. objectives and scope) of the work of internal audit function
Activities performed by internal audit function
IT General Controls:
General Controls are those controls that operate at financial statement level and relate to all or many
applications. General Controls help to ensure the effective functioning of application controls.
Application controls:
Application controls are those controls that operate at assertion level and relate to the processing of
transactions in individual applications. Application controls help to ensure that transactions are
properly authorized, accurately processed and timely distributed.
Controls in these Control Activities could be:
- Preventative (e.g. Authorization for stock issue)
- Detective (e.g. physical verification of stock)
- Corrective (e.g. follow up of exceptions)
Control Activities Relevant to the Audit
Control activities are the policies and procedures that help ensure that management directives are carried
out. Auditor shall obtain an understanding of control activities/procedures relevant to audit (including
control activities on risks arising from I.T.) to assess risk at assertion level.
Controls Activities/Procedures may be categorized as follows:
Authorization (e.g. Authorization of Expenses)
Physical controls (e.g. physical security measures for assets and periodic verification)
Performance Reviews (e.g. Variance Analysis with budget/last year)
Information Processing Controls (e.g. IT General Controls and IT Application Controls)
Segregation of duties (e.g. separating receiving, recording and custodian functions)
The Information System, Including Related Business Processes, Relevant to Financial Reporting, and
Communication
Relevant Information system means methods and processes by which entity obtains, record and presents
transactions. This system could be manual as well as IT.
Relevant Information system means methods and processes by which entity obtains, record and presents
transactions. This system could be manual as well as IT.
The Entity’s Risk Assessment Process
Entities identify business risks by following risk assessment process:
a) Identifying business risks;
b) Determine significance of risks;
c) Determine likelihood of their occurrence; and
d) Determine whether any action should be taken to address those risks.
Auditor shall obtain an understanding of whether or not entity has a Business/Entity Risk Assessment
Process:
If entity has no Risk Assessment Process or there is ad-hoc process, auditor shall:
o discuss how management identifies and address business risks.
o determine whether absence of process is appropriate or not.
If entity has a Risk Assessment Process, auditor shall obtain understanding of it. If auditor identifies a
risk which was not identified by entity’s risk assessment process, auditor shall consider whether
entity’s process is appropriate or deficient.
Control Environment
Control environment includes awareness and actions of TCWG and management regarding entity’s
internal control and its importance in the entity. It provides an atmosphere in which people conduct their
activities and carry out their control responsibilities
Elements of Control Environment and how they can be evaluated:
refer notes
Nature and Extent of the Understanding of Relevant Controls:
In obtaining understanding of controls, auditor shall evaluate whether controls have been DESIGNED and
IMPLEMENTED.
Understanding of Internal Control means evaluating design (i.e. whether it is able to prevent/detect/correct
misstatements) and implementation (i.e. whether control exists and entity is using it) of internal control.
Evaluating operating effectiveness is NOT part of understanding controls. It is called Test of Controls
Controls Relevant to the Audit:
Following are general rules used by auditors in determining which controls are relevant:
1) Usually controls related to financial reporting are relevant to audit, however not all controls related
to financial reporting are relevant.
2) Controls relating to operations and compliance objectives may be relevant when they relate to the
data which auditor uses in audit procedures (e.g. in Analytical Procedures)
3) Controls related to completeness and accuracy of information produced by entity may be relevant if
auditor intends to use them in further audit procedures (e.g. related parties information)
The Entity’s Internal Control:
Auditor is required to obtain understanding of Internal Control (relevant to audit).
Purpose of Internal Control:
“Internal Control means policies and procedures designed, implemented and operated by management
and TCWG (to address business risks) to provide reasonable assurance about achievement of entity’s
objectives with regard to:
o Reliability of the entity’s financial reporting
o Effectiveness and efficiency of its operations
o Compliance with applicable laws and regulation
Limitations of Internal Control
Internal control cannot provide absolute assurance because of following inherent limitations:
o Breakdowns caused by human errors
o Cost-benefit trade off may not justify a control
o Segregation of duties in smaller entities not possible.
o Often Judgments are involved in risk assessment, and implementation of control which can be
faulty
o Management may also override the controls
o Circumvented intentionally through collusion
Benefits in IT system:
An IT system can have many benefits (e.g. Performing complex calculation, Accuracy and Timeliness of
information, Facilitates additional analysis, Handles large volume of transactions, Facilitates monitoring).
Risks in IT system:
However there are specific risks which IT poses to system (e.g. Failure to make changes when required,
Unauthorized changes to data or programs, IT personnel gaining more than necessary privileges and
breaking segregation of duties, Potential loss of data, Inability to access data, Unauthorized access to data,
Inaccurate processing in system).
Controls in IT system:
Controls in an IT system could be classified into Manual Controls and Automated Controls. A programmed
control is performed by computer software (e.g. validation checks). A manual control is performed by
people (e.g. Authorization, Review, Reconciliations).
Manual system is better in following circumstances:
Large, unusual or non-recurring transactions
When errors are difficult to define and anticipate
Changing circumstances requiring extra controls
In monitoring the effectiveness of automated controls
Automated system is better in following circumstances:
High volume or Recurring transactions
Where automation of controls is possible
Controls in an IT system could be classified into General Controls, and Application Controls (to be
explained in component of control activities).
Measurement and Review of the Entity’s Financial Performance:
Following are different ways used to measure and review entity’s performance by management and external
parties (e.g. analysts and credit rating agencies):
i. Key Performance Indicators (e.g. Sales, Profit, Assets, Number of branches/customers)
ii. Ratios (e.g. EPS, G.P. ratio, N.P. ratio etc.)
iii. Performance/Variance Analysis (prior year, with budget, with industry average)
Reason of understanding:
Performance measures create pressure on management and in turn management may be motivated to
improve the performance or misstate the financial performance particularly when there is some
pressure/incentive to meet such unrealistic targets e.g. an unusual growth/profitability indicate a risk of
misstatement in financial statements particularly when there are contingent compensations or requirements
of a debt-covenant
The Entity’s Selection and Application of Accounting Policies:
It is auditor’s responsibility to evaluate that selection and application of accounting policies is in accordance
with AFRF and Industry.
Particular focus should be on:
Accounting policies for significant, controversial or unusual areas e.g. for derivative securities
Change in accounting policies
Newly adopted or to-be-adopted accounting standards, laws and regulations
Objectives and Strategies and Related Business Risks:
Objectives and Strategies and Related Business Risks: