risk and understanding of entity Flashcards
ISA 315
-Identifying and Assessing the Risks of Material Misstatement
assertions
auditor needs to obtain SAE to support assertions and disclosures in FS made by management
assertions are used by auditor when assessing risks of MM on an engagement
objective of the audit and the assessment of risk
objective of auditor is to identify and assess ROMM, whether due to fraud or error, at the FS and assertion level, providing a basis for designing and implementing responses to the assessed risks of MM.
audit risk
the risk that the auditor expresses an inappropriate opinion when the financial statements are materiality misstated.
risk of material misstatement comprises of
Audit risk = inherent risk * control risk * detection risk
latest requirement of how to evaluate risks
understand the audit risk of the client by obtaining an understanding of the entity and its environment, the applicable financial reporting standards (inherent risk) and the entity’s system of internal control. (control risk)
define inherent risk
the susceptibility of an assertion about a class of transaction, balance or disclosure to a misstatement that could be material, either individually or in aggregation, before consideration of any related controls
qualitative and quantitave inherent risk factors are
-complexity
-subjectivity
-change
-uncertainty
-management bias or fraud risk factors
IR is considered before any controls
IR and CR are both at assertion level
understanding the financial reporting framework
-consider accounting policies, FR requirements, industry requirements
-some accounting standards can be misapplied either by error or deliberately, for eg. IFRS 15, IAS 37, and FOREX.
-new issues like crypto and environment are also subjective to management
evaluating financial reporting is part of overall assessment of inherent risk
after risks have been identified auditor must
do a separate assessment of inherent and control risk
-inherent risk will be higher for some A,B,C,D (assertions, balances, classes, disclosures) than others and will require exercise of professional judgement
the degree to which inherent risk varies is called spectrum of inherent risk
purpose of spectrum of inherent risk
helps determine if identified risk is significant or not
significance depends on likelihood and magnitude of potential misstatement
risks need to be prioritised so we can plan procedures accordingly
The higher on the spectrum of inherent risk a risk is assessed, the more persuasive the audit evidence needs to be.
what is control risk
Control risk is the risk that the entity’s system of internal control will not prevent or detect and correct a misstatement on a timely basis. This can be due to weak or absent internal controls.
components of the entity’s system of internal control
indirect controls: (affects risk of MM at financial statement level)
-control environment
-entity’s risk assessment process
-entity’s process to monitor the system of internal control
direct controls: auditor’s understanding affects risk of MM at assertion level
-information system and communication
-control activities
If the auditor does not plan to test the operating effectiveness of the entity’s internal controls,
the risk of material misstatement is the same as the assessment of inherent risk. In other words, if the auditor is not planning on testing the controls, they assume there are no controls present in their risk assessment.
planning stage
-consider whether the audit procedures will include planned reliance on the operating effectiveness of controls.
-Reliance on an entity’s system of internal control can reduce the level of substantive procedures the auditor performs.
-the auditor’s assessment of the risks is affected by their understanding of each of the components of the entity’s system of internal control.
direct and indirect controls
Direct controls are designed to address the ROMM at the assertion level. eg. monthly bank acc reconciliation, ensuring all discrepancies are resolved, verifies the existence and accuracy of the bank balance at period end.
Indirect controls, like general IT controls, lack the precision to directly prevent, detect, or correct material misstatements at the assertion level. However, they can indirectly support direct controls, potentially enhancing the overall ability to detect or prevent misstatements.
audit considerations relating to IT
he auditor needs to understand how the entity processes information, and how this data is used throughout the business. There should be an understanding of the accounting records, how the information is captured and controlled and how these flow into the accounts in the financial statements.
how does IT benefit control ssytem of entity
Applying consistent business rules
Performing complex or repetitive bulk calculations
Facilitating analysis of information
Improving timeliness, availability and accuracy of information
Reducing the risk that controls can be avoided and enhancing the segregation of duties.
why are automated controls better than manual controls?
-reliable
-not easilly overriden
detection risk
risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will fail to detect a misstatement which exists that could be material.
detection risk is not part of risk of material misstatement
what is the stand back requirement
-after obtaining understanding
-stand back and evalyate the evidence arising from risk assessment procedures
-apply professional skepticim in the evidence
-ISA 315 (Revised) ensures auditors confirm all material risks are identified, focusing on initially overlooked areas.
