INTERNATIONAL STANDARD ON AUDITING 315


IDENTIFYING AND ASSESSING THE RISKS OF MATERIAL
MISSTATEMENT THROUGH UNDERSTANDING THE
ENTITY AND ITS ENVIRONMENT

Scope of this ISA
This International Standard on Auditing (ISA) deals with the auditor's responsibility to identify and
assess the risks of material misstatement in the financial statements, through understanding the entity
and its environment, including the entity's internal control.

Definitions
4. For purposes of the ISAs, the following terms have the meanings attributed below:
(a) Assertions: Representations by management, explicit or otherwise, that are embodied in the
financial statements, as used by the auditor to consider the different types of potential misstatements
that may occur.
(b) Business risk: A risk resulting from significant conditions, events, circumstances, actions or
inactions that could adversely affect an entity's ability to achieve its objectives and execute its
strategies, or from the setting of inappropriate objectives and strategies.
(c) Internal control: The process designed, implemented and maintained by those charged with
governance, management and other personnel to provide reasonable assurance about the achievement
of an entity's objectives with regard to reliability of financial reporting, effectiveness and efficiency
of operations, and compliance with applicable laws and regulations. The term "controls" refers to any
aspects of one or more of the components of internal control.
(d) Risk assessment procedures: The audit procedures performed to obtain an understanding of the
entity and its environment, including the entity's internal control, to identify and assess the risks of
material misstatement, whether due to fraud or error, at the financial statement and assertion levels.
(e) Significant risk: An identified and assessed risk of material misstatement that, in the auditor's
judgment, requires special audit consideration.

Requirements
Risk Assessment Procedures and Related Activities
The auditor shall perform risk assessment procedures to provide a basis for the identification and
assessment of risks of material misstatement at the financial statement and assertion levels. Risk
assessment procedures by themselves, however, do not provide sufficient appropriate audit evidence
on which to base the audit opinion.
The risk assessment procedures shall include the following:
(a) Inquiries of management and of others within the entity who in the auditor's judgment may have
information that is likely to assist in identifying risks of material misstatement due to fraud or error.
(b) Analytical procedures.
(c) Observation and inspection.

The Required Understanding of the Entity and Its Environment, Including the
Entity's Internal Control
The Entity and Its Environment
Examples of matters that the auditor may consider when obtaining an understanding of the nature of the entity
include:
Business operations such as:
Nature of revenue sources, products or services, and markets, including involvement in electronic
commerce such as Internet sales and marketing activities.
Conduct of operations (for example, stages and methods of production, or activities exposed to
environmental risks).
Alliances, joint ventures, and outsourcing activities.
Geographic dispersion and industry segmentation.
Location of production facilities, warehouses, and offices, and location and quantities of inventories.
Key customers and important suppliers of goods and services, employment arrangements (including the
existence of union contracts, pension and other post employment benefits, stock option or incentive bonus
arrangements, and government regulation related to employment matters).

The Entity's Internal Control
The auditor shall obtain an understanding of internal control relevant to the audit. Although most
controls relevant to the audit are likely to relate to financial reporting, not all controls that relate to
financial reporting are relevant to the audit. It is a matter of the auditor's professional judgment
whether a control, individually or in combination with others, is relevant to the audit.

Nature and Extent of the Understanding of Relevant Controls
When obtaining an understanding of controls that are relevant to the audit, the auditor shall evaluate
the design of those controls and determine whether they have been implemented, by performing
procedures in addition to inquiry of the entity's personnel.
Components of Internal Control
Control environment
The auditor shall obtain an understanding of the control environment. As part of obtaining this
understanding, the auditor shall evaluate whether:
(a) Management, with the oversight of those charged with governance, has created and maintained a
culture of honesty and ethical behavior; and
(b) The strengths in the control environment elements collectively provide an appropriate foundation
for the other components of internal control, and whether those other components are not undermined
by deficiencies in the control environment.

The entity's risk assessment process
15. The auditor shall obtain an understanding of whether the entity has a process for:
(a) Identifying business risks relevant to financial reporting objectives;
(b) Estimating the significance of the risks;
(c) Assessing the likelihood of their occurrence; and
(d) Deciding about actions to address those risks.

The auditor shall obtain an understanding of the information system, including the related business
processes, relevant to financial reporting, including the following areas:
(a) The classes of transactions in the entity's operations that are significant to the financial statements;
(b) The procedures, within both information technology (IT) and manual systems, by which those
transactions are initiated, recorded, processed, corrected as necessary, transferred to the general ledger
and reported in the financial statements;
(c) The related accounting records, supporting information and specific accounts in the financial
statements that are used to initiate, record, process and report transactions; this includes the correction
of incorrect information and how information is transferred to the general ledger. The records may be
in either manual or electronic form;
(d) How the information system captures events and conditions, other than transactions, that are
significant to the financial statements;
(e) The financial reporting process used to prepare the entity's financial statements, including
significant accounting estimates and disclosures; and
(f) Controls surrounding journal entries, including non-standard journal entries used to record
non-recurring, unusual transactions or adjustments.

Monitoring of controls
The auditor shall obtain an understanding of the major activities that the entity uses to monitor
internal control over financial reporting, including those related to those control activities relevant to
the audit, and how the entity initiates remedial actions to deficiencies in its controls. (Ref: Para. A98-A100)
If the entity has an internal audit function, the auditor shall obtain an understanding of the following
in order to determine whether the internal audit function is likely to be relevant to the audit:
(a) The nature of the internal audit function's responsibilities and how the internal audit function fits
in the entity's organizational structure; and
(b) The activities performed, or to be performed, by the internal audit function.
The auditor shall obtain an understanding of the sources of the information used in the entity's
monitoring activities, and the basis upon which management considers the information to be
sufficiently reliable for the purpose.
Risks That Require Special Audit Consideration
As part of the risk assessment, the auditor shall determine whether any of the risks identified are, in
the auditor's judgment, a significant risk. In exercising this judgment, the auditor shall exclude the
effects of identified controls related to the risk.
In exercising judgment as to which risks are significant risks, the auditor shall consider at least the
following:
(a) Whether the risk is a risk of fraud;
(b) Whether the risk is related to recent significant economic, accounting or other developments and,
therefore, requires specific attention;
(c) The complexity of transactions;
(d) Whether the risk involves significant transactions with related parties;
(e) The degree of subjectivity in the measurement of financial information related to the risk,
especially those measurements involving a wide range of measurement uncertainty; and
(f) Whether the risk involves significant transactions that are outside the normal course of business
for the entity, or that otherwise appear to be unusual.

Documentation
32. The auditor shall include in the audit documentation:
(a) The discussion among the engagement team and the significant decisions reached;
(b) Key elements of the understanding obtained regarding each of the aspects of the entity and its
environment and of each of the internal control components specified in paragraphs 14-
The sources of information from which the understanding was obtained; and the risk assessment
procedures performed;
(c) The identified and assessed risks of material misstatement at the financial statement level and at
the assertion level and
(d) The risks identified, and related controls about which the auditor has obtained an understanding, as
a result of the requirements in paragraphs



Past examination papers
Spring 2002
(c) What is the relationship between detection risk and combined level of inherent and control
risk?
Q.8 Distinguish the following between control environment and control procedures:
(a) Reporting, reviewing and approving reconciliation;
(b) The function of the board of directors and its committees;
(c) Checking the arithmetical accuracy of the records;
(d) Maintaining and reviewing control accounts and trial balances;
(e) Management's control system including the internal audit function and personnel policies
and procedures and segregation of duties;
(f) Defined and documented code of ethics. (06)
Autumn 2003
Q.2 (a) It is said that without proper understanding and evaluation of internal controls the auditor
cannot properly determine the extent of substantive procedures. Do you agree? Give two
examples in support of your answer.
(08)
(b) It is generally stated that internal controls have certain inherent limitations.
Why is it so? Give at least four reasons. (05)
Spring 2003
Q.3 (a) The most significant risks in case of payroll and personnel cycles are the existence of
fictitious employees and falsification of hours worked. These risks are normally mitigated
through segregation of duties. Discuss various internal controls regarding segregation of
duties to achieve these objectives. (05)
(b) Describe the specific risks involved in the audit of a small business. (05)
Q.4 (a) What do you understand by control environment and control procedures? (02)
(b) It is said that during an audit, evaluation of control environment in most of the cases is more
important than the evaluation of the control procedures. What is the logic behind this?
(c) Materiality and risk are two important concepts in an audit. Describe the relationship between
the two giving some example. (05)
Spring 2004
(b) Describe some of the preventive and detective internal control procedures in connection with
duplicate payments to parties. (05)
(c) Describe the effects of a computer information system (CIS) environment on an audit. (05)
Autumn 2005
Q.2 (a) The following issues were highlighted in a meeting of the audit committee of
XYZ Limited with regard to financial statements of one of its subsidiaries on which
auditors had issued an unmodified audit report:
(i) The audit procedures were unable to detect a material error in inventory valuation,
because it occurred under exceptional circumstances and the internal controls established
by the management could not prevent and detect the same.
(ii) The provision for bad debt was insufficient and the impact was material. It was also
evident from the subsequent events, which came into the knowledge of the auditors
before they issued their report.
You are one of the independent members of the audit committee and are considered an
expert on financial reporting issues. The chairman of the audit committee has asked your
comments with regard to the responsibilities of management and auditors of the above
mentioned subsidiary. Give your comments on each of the above matters. (06)
Q.4 (a) You had assisted management in strengthening the internal control system for a medium
size limited company about a year ago. The management has recently pointed out that the
occurrences of frauds and errors have reduced significantly, but could not be eliminated
altogether. You are required to offer your comments on the above situation with reference
to limitations of any system of internal control. (04)
(b) N, a member of external audit team of a consumer goods manufacturing company, was
assigned to verify trade debts by the audit in-charge. What are the internal control
activities, which are expected to be in place? (08)
Spring 2005
Q.8 Briefly discuss the following risks in a Computer information system environment:
Risks of lack of transaction trails.
Risk associated with lack of segregation of functions.
Risk of automatic initiation or execution of transactions. (06)
Spring 2006
Q.5 Give four examples of the circumstances when manual controls are given preference over the
automated controls. (04)
Autumn 2006
Q.2 Briefly describe the following:
(a) Entity's risk assessment process (05)
(b) Monitoring of controls (05)
Autumn 2007
Q.5 (b) The auditor performs risk assessment procedures to obtain an understanding of the
entity and its environment, including its internal controls. Briefly discuss all such procedures.
(09)
Spring 2008
Q.5 (a) If the auditor plans to rely on controls that have not changed since they were last tested,
the auditor should test the operating effectiveness of such controls at least once in every
third audit. Identify the situations in which the auditor may decide to test the controls
again, in the very next audit. (04)
(b) Briefly describe the components of internal control. (10)
Autumn 2008
(b) Briefly describe the components of internal control. (10)
Autumn 2010
Q.5 Al-Madad Foundation (AMF) is a charitable organization. It receives donations which are utilized
to help the destitute persons in accordance with the rules and regulations prescribed by the AMF's
Trust Deed.
The donations are received from the following sources:
(i) Cash collected from the general public through charity boxes placed at key points in hospitals,
airports, superstores etc.,
(ii) Cash and cheques received from individuals and institutions at AMF's office; and
(iii) Cash from generous individuals who prefer to remain anonymous.
Donations received in case of (ii) and (iii) above, often contain specific instructions for utilization of
the donated amount for specific purposes e.g. for education of orphan children.
Required:
(a) Identify the inherent risks in the operations of AMF. (03 marks)
(b) Briefly discuss the effect of each of these risks on the audit of AMF. (03 marks)
