
Compiled Auditing Standard

ASA 315
(June 2011)
Auditing Standard ASA 315
Identifying and Assessing the
Risks of Material
Misstatement through
Understanding the Entity and
Its Environment
This compilation was prepared on 27 June 2011 taking into account
amendments made by ASA 2011-1
Prepared by the Auditing and Assurance Standards Board
Obtaining a Copy of this Auditing Standard
The most recently compiled versions of Auditing Standards, original
Standards and amending Standards (see Compilation Details) are available on
the AUASB website: www.auasb.gov.au
Contact Details
Auditing and Assurance Standards Board
Level 7, 600 Bourke Street
Melbourne Victoria 3000
AUSTRALIA
Phone: (03) 8080 7400
Fax: (03) 8080 7450
Email: enquiries@auasb.gov.au
Postal Address:
PO Box 204
Collins Street West
Melbourne Victoria 8007
AUSTRALIA
COPYRIGHT
© 2011 Auditing and Assurance Standards Board. The text, graphics and
layout of this compiled Auditing Standard are protected by Australian
copyright law and the comparable law of other countries. Reproduction
within Australia in unaltered form (retaining this notice) is permitted for
personal and non-commercial use subject to the inclusion of an
acknowledgment of the source. Requests and enquiries concerning
reproduction and rights for commercial purposes within Australia should be
addressed to the Executive Director, Auditing and Assurance Standards
Board, PO Box 204, Collins Street West, Melbourne Victoria 8007.
Otherwise, no part of the compiled Auditing Standard may be reproduced,
stored or transmitted in any form or by any means without the prior written
permission of the AUASB except as permitted by law.
ISSN 1833-4393
CONTENTS
COMPILATION DETAILS
AUTHORITY STATEMENT
Paragraphs
Application .......... Aus 0.1-Aus 0.2
Operative Date .......... Aus 0.3
Introduction
Scope of this Auditing Standard .......... 1
Effective Date .......... 2
Objective .......... 3
Definitions .......... 4
Requirements
Risk Assessment Procedures and Related Activities .......... 5-10
The Required Understanding of the Entity and its Environment, Including the Entity's Internal Control .......... 11-24
Identifying and Assessing the Risks of Material Misstatement .......... 25-31
Documentation .......... 32
Application and Other Explanatory Material
Risk Assessment Procedures and Related Activities .......... A1-A16
The Required Understanding of the Entity and Its Environment, Including the Entity's Internal Control .......... A17-A104
Identifying and Assessing the Risks of Material Misstatement .......... A105-A130
Documentation .......... A131-A134
Conformity with International Standards on Auditing
Appendix 1: Internal Control Components
Appendix 2: Conditions and Events That May Indicate Risks of Material Misstatement
COMPILATION DETAILS
Auditing Standard ASA 315 Identifying and
Assessing the Risks of Material Misstatement
through Understanding the Entity and Its
Environment as Amended
This compilation takes into account amendments made up to and including
27 June 2011 and was prepared on 27 June 2011 by the Auditing and
Assurance Standards Board (AUASB).
This compilation is not a separate Auditing Standard made by the AUASB.
Instead, it is a representation of ASA 315 (October 2009) as amended by
another Auditing Standard which is listed in the Table below.
Table of Standards
Standard      Date made          Operative date
ASA 315       27 October 2009    1 January 2010
ASA 2011-1    27 June 2011       1 July 2011
Table of Amendments
Paragraph affected                     How affected    By … [paragraph]
A86                                    Amended         ASA 2011-1 [28]
Appendix 1 Para. 3                     Amended         ASA 2011-1 [29]
Appendix 1 Subheading above Para. 5    Amended         ASA 2011-1 [30]
AUTHORITY STATEMENT
Auditing Standard ASA 315 Identifying and Assessing the Risks of
Material Misstatement through Understanding the Entity and Its
Environment (as amended at 27 June 2011) is set out in paragraphs
1 to A134 and Appendices 1 and 2.
This Auditing Standard is to be read in conjunction with ASA 101
Preamble to Australian Auditing Standards, which sets out the
intentions of the AUASB on how the Australian Auditing Standards,
operative for financial reporting periods commencing on or after
1 January 2010, are to be understood, interpreted and applied. This
Auditing Standard is to be read also in conjunction with ASA 200
Overall Objectives of the Independent Auditor and the Conduct of an
Audit in Accordance with Australian Auditing Standards.
Dated: 27 June 2011 M H Kelsall
Chairman AUASB
AUDITING STANDARD ASA 315
Identifying and Assessing the Risks of Material
Misstatement through Understanding the
Entity and Its Environment
Application
Aus 0.1 This Auditing Standard applies to:
(a) an audit of a financial report for a financial year, or
an audit of a financial report for a half-year, in
accordance with the Corporations Act 2001; and
(b) an audit of a financial report, or a complete set of
financial statements, for any other purpose.
Aus 0.2 This Auditing Standard also applies, as appropriate, to an
audit of other historical financial information.
Operative Date
Aus 0.3 This Auditing Standard is operative for financial reporting
periods commencing on or after 1 January 2010. [Note: For
operative dates of paragraphs changed or added by an amending Standard,
see Compilation Details.]
Introduction
Scope of this Auditing Standard
1. This Auditing Standard deals with the auditor's responsibility to
identify and assess the risks of material misstatement in the financial
report, through understanding the entity and its environment,
including the entity's internal control.
Effective Date
2. [Deleted by the AUASB. Refer Aus 0.3]
AUDITING STANDARD ASA 315
The Auditing and Assurance Standards Board (AUASB) made Auditing
Standard ASA 315 Identifying and Assessing the Risks of Material
Misstatement through Understanding the Entity and Its Environment,
pursuant to section 227B of the Australian Securities and Investments
Commission Act 2001 and section 336 of the Corporations Act 2001, on
27 October 2009.
This compiled version of ASA 315 incorporates subsequent amendments
contained in another Auditing Standard made by the AUASB up to and
including 27 June 2011 (see Compilation Details).
Objective
3. The objective of the auditor is to identify and assess the risks of
material misstatement, whether due to fraud or error, at the financial
report and assertion levels, through understanding the entity and its
environment, including the entity's internal control, thereby
providing a basis for designing and implementing responses to the
assessed risks of material misstatement.
Definitions
4. For purposes of the Australian Auditing Standards, the following
terms have the meanings attributed below:
(a) Assertions means representations by management and
those charged with governance, explicit or otherwise, that
are embodied in the financial report, as used by the auditor
to consider the different types of potential misstatements
that may occur.
(b) Business risk means a risk resulting from significant
conditions, events, circumstances, actions or inactions that
could adversely affect an entity's ability to achieve its
objectives and execute its strategies, or from the setting of
inappropriate objectives and strategies.
(c) Internal control means the process designed, implemented
and maintained by those charged with governance,
management and other personnel to provide reasonable
assurance about the achievement of an entity's objectives
with regard to reliability of financial reporting,
effectiveness and efficiency of operations, and compliance
with applicable laws and regulations. The term "controls"
refers to any aspects of one or more of the components of
internal control.
(d) Risk assessment procedures means the audit procedures
performed to obtain an understanding of the entity and its
environment, including the entity's internal control, to
identify and assess the risks of material misstatement,
whether due to fraud or error, at the financial report and
assertion levels.
(e) Significant risk means an identified and assessed risk of
material misstatement that, in the auditor's judgement,
requires special audit consideration.
Requirements
Risk Assessment Procedures and Related Activities
5. The auditor shall perform risk assessment procedures to provide a
basis for the identification and assessment of risks of material
misstatement at the financial report and assertion levels. Risk
assessment procedures by themselves, however, do not provide
sufficient appropriate audit evidence on which to base the audit
opinion. (Ref: Para. A1-A5)
6. The risk assessment procedures shall include the following:
(a) Enquiries of management, and of others within the entity
who in the auditor's judgement may have information that
is likely to assist in identifying risks of material
misstatement due to fraud or error. (Ref: Para. A6)
(b) Analytical procedures. (Ref: Para. A7-A10)
(c) Observation and inspection. (Ref: Para. A11)
7. The auditor shall consider whether information obtained from the
auditor's client acceptance or continuance process is relevant to
identifying risks of material misstatement.
8. If the engagement partner has performed other engagements for the
entity, the engagement partner shall consider whether information
obtained is relevant to identifying risks of material misstatement.
9. Where the auditor intends to use information obtained from the
auditor's previous experience with the entity and from audit
procedures performed in previous audits, the auditor shall determine
whether changes have occurred since the previous audit that may
affect its relevance to the current audit. (Ref: Para. A12-A13)
10. The engagement partner and other key engagement team members
shall discuss the susceptibility of the entity's financial report to
material misstatement, and the application of the applicable financial
reporting framework to the entity's facts and circumstances. The
engagement partner shall determine which matters are to be
communicated to engagement team members not involved in the
discussion. (Ref: Para. A14-A16)
The Required Understanding of the Entity and its Environment,
Including the Entity's Internal Control
The Entity and Its Environment
11. The auditor shall obtain an understanding of the following:
(a) Relevant industry, regulatory, and other external factors
and the applicable financial reporting framework.
(Ref: Para. A17-A22)
(b) The nature of the entity, including:
(i) its operations;
(ii) its ownership and governance structures;
(iii) the types of investments that the entity is making
and plans to make, including investments in
special-purpose entities; and
(iv) the way that the entity is structured and how it is
financed
to enable the auditor to understand the classes of
transactions, account balances, and disclosures to be
expected in the financial report. (Ref: Para. A23-A27)
(c) The entity's selection and application of accounting
policies, including the reasons for changes thereto. The
auditor shall evaluate whether the entity's accounting
policies are appropriate for its business and consistent with
the applicable financial reporting framework and
accounting policies used in the relevant industry.
(Ref: Para. A28)
(d) The entity's objectives and strategies, and those related
business risks that may result in risks of material
misstatement. (Ref: Para. A29-A35)
(e) The measurement and review of the entity's financial
performance. (Ref: Para. A36-A41)
The Entity's Internal Control
12. The auditor shall obtain an understanding of internal control relevant
to the audit. Although most controls relevant to the audit are likely
to relate to financial reporting, not all controls that relate to financial
reporting are relevant to the audit. It is a matter of the auditor's
professional judgement whether a control, individually or in
combination with others, is relevant to the audit. (Ref: Para. A42-A65)
Nature and Extent of the Understanding of Relevant Controls
13. When obtaining an understanding of controls that are relevant to the
audit, the auditor shall evaluate the design of those controls and
determine whether they have been implemented, by performing
procedures in addition to enquiry of the entity's personnel.
(Ref: Para. A66-A68)
Components of Internal Control
Control environment
14. The auditor shall obtain an understanding of the control
environment. As part of obtaining this understanding, the auditor
shall evaluate whether:
(a) Management, with the oversight of those charged with
governance, has created and maintained a culture of honesty
and ethical behaviour; and
(b) The strengths in the control environment elements
collectively provide an appropriate foundation for the other
components of internal control, and whether those other
components are not undermined by control environment
weaknesses. (Ref: Para. A69-A78)
The entity's risk assessment process
15. The auditor shall obtain an understanding of whether the entity has a
process for:
(a) Identifying business risks relevant to financial reporting
objectives;
(b) Estimating the significance of the risks;
(c) Assessing the likelihood of their occurrence; and
(d) Deciding about actions to address those risks. (Ref: Para.
A79)
16. If the entity has established such a process (referred to hereafter as
the "entity's risk assessment process"), the auditor shall obtain an
understanding of it, and the results thereof. If the auditor identifies
risks of material misstatement that management failed to identify,
the auditor shall evaluate whether there was an underlying risk of a
kind that the auditor expects would have been identified by the
entity's risk assessment process. If there is such a risk, the auditor
shall obtain an understanding of why that process failed to identify
it, and evaluate whether the process is appropriate to its
circumstances or determine if there is a significant deficiency in
internal control with regard to the entity's risk assessment process.
17. If the entity has not established such a process or has an ad hoc
undocumented process, the auditor shall discuss with management
whether business risks relevant to financial reporting objectives have
been identified and how they have been addressed. The auditor shall
evaluate whether the absence of a documented risk assessment
process is appropriate in the circumstances, or determine whether it
represents a significant deficiency in internal control. (Ref: Para. A80)
The information system, including the related business processes, relevant to
financial reporting, and communication
18. The auditor shall obtain an understanding of the information system,
including the related business processes, relevant to financial
reporting, including the following areas:
(a) The classes of transactions in the entity's operations that
are significant to the financial report;
(b) The procedures, within both information technology (IT)
and manual systems, by which those transactions are
initiated, recorded, processed, corrected as necessary,
transferred to the general ledger and reported in the
financial report;
(c) The related accounting records, supporting information
and specific accounts in the financial report that are used to
initiate, record, process and report transactions; this
includes the correction of incorrect information and how
information is transferred to the general ledger. The records
may be in either manual or electronic form;
(d) How the information system captures events and
conditions, other than transactions, that are significant to the
financial report;
(e) The financial reporting process used to prepare the entity's
financial report, including significant accounting estimates
and disclosures; and
(f) Controls surrounding journal entries, including
non-standard journal entries used to record non-recurring,
unusual transactions or adjustments. (Ref: Para. A81-A85)
19. The auditor shall obtain an understanding of how the entity
communicates financial reporting roles and responsibilities and
significant matters relating to financial reporting, including:
(Ref: Para. A86-A87)
(a) Communications between management and those charged
with governance; and
(b) External communications, such as those with regulatory
authorities.
Control activities relevant to the audit
20. The auditor shall obtain an understanding of control activities
relevant to the audit, being those the auditor judges it necessary to
understand in order to assess the risks of material misstatement at
the assertion level and design further audit procedures responsive to
assessed risks. An audit does not require an understanding of all the
control activities related to each significant class of transactions,
account balance, and disclosure in the financial report or to every
assertion relevant to them. (Ref: Para. A88-A94)
21. In understanding the entity's control activities, the auditor shall
obtain an understanding of how the entity has responded to risks
arising from IT. (Ref: Para. A95-A97)
Monitoring of controls
22. The auditor shall obtain an understanding of the major activities that
the entity uses to monitor internal control over financial reporting,
including those related to those control activities relevant to the
audit, and how the entity initiates remedial actions to address
deficiencies in its controls. (Ref: Para. A98-A100)
23. If the entity has an internal audit function,[1] the auditor shall obtain
an understanding of the following in order to determine whether the
internal audit function is likely to be relevant to the audit:
(a) The nature of the internal audit function's responsibilities
and how the internal audit function fits in the entity's
organisational structure; and
(b) The activities performed, or to be performed, by the
internal audit function. (Ref: Para. A101-A103)
[1] See ASA 610 Using the Work of Internal Auditors, paragraph 7(a).
24. The auditor shall obtain an understanding of the sources of the
information used in the entity's monitoring activities, and the basis
upon which management considers the information to be sufficiently
reliable for the purpose. (Ref: Para. A104)
Identifying and Assessing the Risks of Material Misstatement
25. The auditor shall identify and assess the risks of material
misstatement at:
(a) the financial report level; and (Ref: Para. A105-A108)
(b) the assertion level for classes of transactions, account
balances, and disclosures (Ref: Para. A109-A113)
to provide a basis for designing and performing further audit
procedures.
26. For this purpose, the auditor shall:
(a) Identify risks throughout the process of obtaining an
understanding of the entity and its environment, including
relevant controls that relate to the risks, and by considering
the classes of transactions, account balances, and
disclosures in the financial report; (Ref: Para. A114-A115)
(b) Assess the identified risks, and evaluate whether they
relate more pervasively to the financial report as a whole
and potentially affect many assertions;
(c) Relate the identified risks to what can go wrong at the
assertion level, taking account of relevant controls that the
auditor intends to test; and (Ref: Para. A116-A118)
(d) Consider the likelihood of misstatement, including the
possibility of multiple misstatements, and whether the
potential misstatement is of a magnitude that could result in
a material misstatement.
Risks that Require Special Audit Consideration
27. As part of the risk assessment as described in paragraph 25 of this
Auditing Standard, the auditor shall determine whether any of the
risks identified are, in the auditor's judgement, a significant risk. In
exercising this judgement, the auditor shall exclude the effects of
identified controls related to the risk.
28. In exercising judgement as to which risks are significant risks, the
auditor shall consider at least the following:
(a) Whether the risk is a risk of fraud;
(b) Whether the risk is related to recent significant economic,
accounting or other developments and, therefore, requires
specific attention;
(c) The complexity of transactions;
(d) Whether the risk involves significant transactions with
related parties;
(e) The degree of subjectivity in the measurement of financial
information related to the risk, especially those
measurements involving a wide range of measurement
uncertainty; and
(f) Whether the risk involves significant transactions that are
outside the normal course of business for the entity, or that
otherwise appear to be unusual. (Ref: Para. A119-A123)
29. If the auditor has determined that a significant risk exists, the auditor
shall obtain an understanding of the entity's controls, including
control activities, relevant to that risk. (Ref: Para. A124-A126)
Risks for Which Substantive Procedures Alone Do Not Provide Sufficient
Appropriate Audit Evidence
30. In respect of some risks, the auditor may judge that it is not possible
or practicable to obtain sufficient appropriate audit evidence only
from substantive procedures. Such risks may relate to the inaccurate
or incomplete recording of routine and significant classes of
transactions or account balances, the characteristics of which often
permit highly automated processing with little or no manual
intervention. In such cases, the entity's controls over such risks are
relevant to the audit and the auditor shall obtain an understanding of
them. (Ref: Para. A127-A129)
Revision of Risk Assessment
31. The auditor's assessment of the risks of material misstatement at the
assertion level may change during the course of the audit as
additional audit evidence is obtained. In circumstances where the
auditor obtains audit evidence from performing further audit
procedures, or if new information is obtained, either of which is
inconsistent with the audit evidence on which the auditor originally
based the assessment, the auditor shall revise the assessment and
modify the further planned audit procedures accordingly.
(Ref: Para. A130)
Documentation
32. The auditor shall include in the audit documentation:[1]
(a) The discussion among the engagement team where
required by paragraph 10 of this Auditing Standard, and the
significant decisions reached;
(b) Key elements of the understanding obtained regarding
each of the aspects of the entity and its environment
specified in paragraph 11 of this Auditing Standard and of
each of the internal control components specified in
paragraphs 14-24 of this Auditing Standard; the sources of
information from which the understanding was obtained;
and the risk assessment procedures performed;
(c) The identified and assessed risks of material misstatement
at the financial report level and at the assertion level as
required by paragraph 25 of this Auditing Standard; and
(d) The risks identified, and related controls about which the
auditor has obtained an understanding, as a result of the
requirements in paragraphs 27-30 of this Auditing Standard.
(Ref: Para. A131-A134)
[1] See ASA 230 Audit Documentation, paragraphs 8-11 and paragraph A6.
* * *
Application and Other Explanatory Material
Risk Assessment Procedures and Related Activities (Ref: Para. 5)
A1. Obtaining an understanding of the entity and its environment,
including the entity's internal control (referred to hereafter as an
"understanding of the entity"), is a continuous, dynamic process of
gathering, updating and analysing information throughout the audit.
The understanding establishes a frame of reference within which the
auditor plans the audit and exercises professional judgement
throughout the audit, for example, when:
• Assessing risks of material misstatement of the financial
report;
• Determining materiality in accordance with ASA 320;[2]
• Considering the appropriateness of the selection and
application of accounting policies, and the adequacy of
financial report disclosures;
• Identifying areas where special audit consideration may be
necessary, for example, related party transactions, the
appropriateness of management's use of the going concern
assumption, or considering the business purpose of
transactions;
• Developing expectations for use when performing
analytical procedures;
• Responding to the assessed risks of material misstatement,
including designing and performing further audit
procedures to obtain sufficient appropriate audit evidence;
and
• Evaluating the sufficiency and appropriateness of audit
evidence obtained, such as the appropriateness of
assumptions and of management's oral and written
representations.
[2] See ASA 320 Materiality in Planning and Performing an Audit.
A2. Information obtained by performing risk assessment procedures and
related activities may be used by the auditor as audit evidence to
support assessments of the risks of material misstatement. In
addition, the auditor may obtain audit evidence about classes of
transactions, account balances, or disclosures and related assertions
and about the operating effectiveness of controls, even though such
procedures were not specifically planned as substantive procedures
or as tests of controls. The auditor also may choose to perform
substantive procedures or tests of controls concurrently with risk
assessment procedures because it is efficient to do so.
A3. The auditor uses professional judgement to determine the extent of
the understanding required. The auditor's primary consideration is
whether the understanding that has been obtained is sufficient to
meet the objective stated in this Auditing Standard. The depth of the
overall understanding that is required by the auditor is less than that
possessed by management in managing the entity.
A4. The risks to be assessed include both those due to error and those
due to fraud, and both are covered by this Auditing Standard.
However, the significance of fraud is such that further requirements
and guidance are included in ASA 240, in relation to risk assessment
procedures and related activities to obtain information that is used to
identify the risks of material misstatement due to fraud.[3]
[3] See ASA 240 The Auditor's Responsibilities Relating to Fraud in an Audit of a
Financial Report, paragraphs 12-24.
A5. Although the auditor is required to perform all the risk assessment
procedures described in paragraph 6 in the course of obtaining the
required understanding of the entity (see paragraphs 11-24), the
auditor is not required to perform all of them for each aspect of that
understanding. Other procedures may be performed where the
information to be obtained therefrom may be helpful in identifying
risks of material misstatement. Examples of such procedures
include:
• Reviewing information obtained from external sources such
as trade and economic journals; reports by analysts, banks,
or rating agencies; or regulatory or financial publications.
• Making enquiries of the entity's external legal counsel or of
valuation experts that the entity has used.
Enquiries of Management and Others within the Entity (Ref: Para. 6(a))
A6. Much of the information obtained by the auditor's enquiries is
obtained from management and those responsible for financial
reporting. However, the auditor may also obtain information, or a
different perspective in identifying risks of material misstatement,
through enquiries of others within the entity and other employees
with different levels of authority. For example:
• Enquiries directed towards those charged with governance
may help the auditor understand the environment in which
the financial report is prepared.
• Enquiries directed toward internal audit personnel may
provide information about internal audit procedures
performed during the year relating to the design and
effectiveness of the entity's internal control and whether
management has satisfactorily responded to findings from
those procedures.
• Enquiries of employees involved in initiating, processing,
or recording complex or unusual transactions may help the
auditor to evaluate the appropriateness of the selection and
application of certain accounting policies.
• Enquiries directed toward in-house legal counsel may
provide information about such matters as litigation,
compliance with laws and regulations, knowledge of fraud
or suspected fraud affecting the entity, warranties,
post-sales obligations, arrangements (such as joint ventures)
with business partners and the meaning of contract terms.
• Enquiries directed towards marketing or sales personnel
may provide information about changes in the entity's
marketing strategies, sales trends, or contractual
arrangements with its customers.
Analytical Procedures (Ref: Para. 6(b))
A7. Analytical procedures performed as risk assessment procedures may
identify aspects of the entity of which the auditor was unaware and
may assist in assessing the risks of material misstatement in order to
provide a basis for designing and implementing responses to the
assessed risks. Analytical procedures performed as risk assessment
procedures may include both financial and non-financial
information, for example, the relationship between sales and square
footage of selling space or volume of goods sold.
A8. Analytical procedures may help identify the existence of unusual
transactions or events, and amounts, ratios, and trends that might
indicate matters that have audit implications. Unusual or
unexpected relationships that are identified may assist the auditor in
identifying risks of material misstatement, especially risks of
material misstatement due to fraud.
A9. However, when such analytical procedures use data aggregated at a
high level (which may be the situation with analytical procedures
performed as risk assessment procedures), the results of those
analytical procedures only provide a broad initial indication about
whether a material misstatement may exist. Accordingly, in such
cases, consideration of other information that has been gathered
when identifying the risks of material misstatement together with the
results of such analytical procedures may assist the auditor in
understanding and evaluating the results of the analytical
procedures.
Considerations Specific to Smaller Entities
A10. Some smaller entities may not have interim or monthly financial
information that can be used for purposes of analytical procedures.
In these circumstances, although the auditor may be able to perform
limited analytical procedures for purposes of planning the audit or
obtain some information through enquiry, the auditor may need to
plan to perform analytical procedures to identify and assess the risks
of material misstatement when an early draft of the entity's financial
report is available.
Observation and Inspection (Ref: Para. 6(c))
A11. Observation and inspection may support enquiries of management
and others, and may also provide information about the entity and its
environment. Examples of such audit procedures include
observation or inspection of the following:
• The entity's operations.
• Documents (such as business plans and strategies), records,
  and internal control manuals.
• Reports prepared by management (such as quarterly
  management reports and interim financial reports) and
  those charged with governance (such as minutes of board of
  directors' meetings).
• The entity's premises and plant facilities.
Information Obtained in Prior Periods (Ref: Para. 9)
A12. The auditor's previous experience with the entity and audit
procedures performed in previous audits may provide the auditor
with information about such matters as:
• Past misstatements and whether they were corrected on a
  timely basis.
• The nature of the entity and its environment, and the
  entity's internal control (including deficiencies in internal
  control).
• Significant changes that the entity or its operations may
  have undergone since the prior financial period, which may
  assist the auditor in gaining a sufficient understanding of
  the entity to identify and assess risks of material
  misstatement.
A13. The auditor is required to determine whether information obtained in
prior periods remains relevant, if the auditor intends to use that
information for the purposes of the current audit. This is because
changes in the control environment, for example, may affect the
relevance of information obtained in the prior year. To determine
whether changes have occurred that may affect the relevance of such
information, the auditor may make enquiries and perform other
appropriate audit procedures, such as walk-throughs of relevant
systems.
Discussion among the Engagement Team (Ref: Para. 10)
A14. The discussion among the engagement team about the susceptibility
of the entity's financial report to material misstatement:
• Provides an opportunity for more experienced engagement
  team members, including the engagement partner, to share
  their insights based on their knowledge of the entity.
• Allows the engagement team members to exchange
  information about the business risks to which the entity is
  subject and about how and where the financial report might
  be susceptible to material misstatement due to fraud or
  error.
• Assists the engagement team members to gain a better
  understanding of the potential for material misstatement of
  the financial report in the specific areas assigned to them,
  and to understand how the results of the audit procedures
  that they perform may affect other aspects of the audit
  including the decisions about the nature, timing, and extent
  of further audit procedures.
• Provides a basis upon which engagement team members
  communicate and share new information obtained
  throughout the audit that may affect the assessment of risks
  of material misstatement or the audit procedures performed
  to address these risks.
ASA 240 provides further requirements and guidance in relation to
the discussion among the engagement team about the risks of fraud.[4]
A15. It is not always necessary or practical for the discussion to include
all members in a single discussion (as, for example, in a
multi-location audit), nor is it necessary for all of the members of the
engagement team to be informed of all of the decisions reached in
the discussion. The engagement partner may discuss matters with
key members of the engagement team including, if considered
appropriate, specialists and those responsible for the audits of
components, while delegating discussion with others, taking account
of the extent of communication considered necessary throughout the
engagement team. A communications plan, agreed by the
engagement partner, may be useful.
Considerations Specific to Smaller Entities
A16. Many small audits are carried out entirely by the engagement partner
(who may be a sole practitioner). In such situations, it is the
engagement partner who, having personally conducted the planning
of the audit, would be responsible for considering the susceptibility
of the entity's financial report to material misstatement due to fraud
or error.
[4] See ASA 240, paragraph 15.
The Required Understanding of the Entity and Its Environment,
Including the Entity's Internal Control
The Entity and Its Environment
Industry, Regulatory and Other External Factors (Ref: Para. (a))
Industry Factors
A17. Relevant industry factors include industry conditions such as the
competitive environment, supplier and customer relationships, and
technological developments. Examples of matters the auditor may
consider include:
• The market and competition, including demand, capacity,
  and price competition.
• Cyclical or seasonal activity.
• Product technology relating to the entity's products.
• Energy supply and cost.
A18. The industry in which the entity operates may give rise to specific
risks of material misstatement arising from the nature of the business
or the degree of regulation. For example, long-term contracts may
involve significant estimates of revenues and expenses that give rise
to risks of material misstatement. In such cases, it is important that
the engagement team include members with sufficient relevant
knowledge and experience, as required by ASA 220.[5]
Regulatory Factors
A19. Relevant regulatory factors include the regulatory environment. The
regulatory environment encompasses, among other matters, the
applicable financial reporting framework and the legal and political
environment. Examples of matters the auditor may consider
include:
• Accounting principles and industry-specific practices.
• Regulatory framework for a regulated industry.
• Legislation and regulation that significantly affect the
  entity's operations, including direct supervisory activities.
• Taxation (corporate and other).
• Government policies currently affecting the conduct of the
  entity's business, such as monetary, including foreign
  exchange controls, fiscal, financial incentives (for example,
  government aid programs), and tariffs or trade restrictions
  policies.
• Environmental requirements affecting the industry and the
  entity's business.
[5] See ASA 220 Quality Control for an Audit of a Financial Report and Other
Historical Financial Information, paragraph 14.
A20. ASA 250 includes some specific requirements related to the legal
and regulatory framework applicable to the entity and the industry or
sector in which the entity operates.[6]
Considerations specific to public sector entities
A21. For the audits of public sector entities, law, regulation or other
authority may affect the entity's operations. Such elements are
essential to consider when obtaining an understanding of the entity
and its environment.
Other External Factors
A22. Examples of other external factors affecting the entity that the
auditor may consider include the general economic conditions,
interest rates and availability of financing, and inflation or currency
revaluation.
Nature of the Entity (Ref: Para. (b))
A23. An understanding of the nature of an entity enables the auditor to
understand such matters as:
• Whether the entity has a complex structure, for example
  with subsidiaries or other components in multiple locations.
  Complex structures often introduce issues that may give
  rise to risks of material misstatement. Such issues may
  include whether goodwill, joint ventures, investments, or
  special-purpose entities are accounted for appropriately.
• The ownership, and relations between owners and other
  people or entities. This understanding assists in
  determining whether related party transactions have been
  identified and accounted for appropriately. ASA 550[7]
  establishes requirements and provides guidance on the
  auditor's considerations relevant to related parties.
[6] See ASA 250 Consideration of Laws and Regulations in the Audit of a Financial
Report, paragraph 12.
A24. Examples of matters that the auditor may consider when obtaining
an understanding of the nature of the entity include:
• Business operations such as:
  - Nature of revenue sources, products or
    services, and markets, including involvement in
    electronic commerce such as Internet sales and
    marketing activities.
  - Conduct of operations (for example,
    stages and methods of production, or activities
    exposed to environmental risks).
  - Alliances, joint ventures, and outsourcing
    activities.
  - Geographic dispersion and industry
    segmentation.
  - Location of production facilities,
    warehouses, and offices, and location and
    quantities of inventories.
  - Key customers and important suppliers of
    goods and services, employment arrangements
    (including the existence of union contracts,
    superannuation and other post-employment
    benefits, share option or incentive bonus
    arrangements, and government regulation related to
    employment matters).
  - Research and development activities and
    expenditures.
  - Transactions with related parties.
• Investments and investment activities such as:
  - Planned or recently executed acquisitions
    or divestitures.
  - Investments and dispositions of securities
    and loans.
  - Capital investment activities.
  - Investments in non-consolidated entities,
    including partnerships, joint ventures and
    special-purpose entities.
• Financing and financing activities such as:
  - Major subsidiaries and associated entities,
    including consolidated and non-consolidated
    structures.
  - Debt structure and related terms,
    including off-balance-sheet financing
    arrangements and leasing arrangements.
  - Beneficial owners (local, foreign,
    business reputation and experience) and related
    parties.
  - Use of derivative financial instruments.
• Financial reporting such as:
  - Accounting principles and industry-specific
    practices, including industry-specific
    significant categories (for example, loans and
    investments for banks, or research and
    development for pharmaceuticals).
  - Revenue recognition practices.
  - Accounting for fair values.
  - Foreign currency assets, liabilities and
    transactions.
  - Accounting for unusual or complex
    transactions including those in controversial or
    emerging areas (for example, accounting for
    share-based compensation).
[7] See ASA 550 Related Parties.
Aus A24.1 Ownership and Governance arrangements such as:
  - The role of the board of directors and
    those charged with governance in
    determining policies for the levels of risk
    that the entity is willing to accept in its
    daily operations.
  - The role of senior management in
    designing, implementing, and monitoring
    effective risk management systems to
    implement the policies prescribed by the
    board of directors.
  - The presence of non-executive directors
    on the board and an independent
    compensation committee that reviews
    incentive plans, including commissions,
    discretionary bonuses, directors' service
    contracts, and profit-sharing plans.
  - The role of line management in carrying
    out the prescribed procedures and control
    activities.
  - The strength of the internal audit function
    and the audit committee and their role as
    an independent appraisal function.
  - The strength of other significant
    committees, for example, risk
    management committee, asset and
    liability management committee, or
    general management committee.
  - The adequacy of segregation of duties.
  - Prior period financial reporting
    disclosures include the form,
    classification, terminology, basis of
    amounts and level of detail provided.
A25. Significant changes in the entity from prior periods may give rise to,
or change, risks of material misstatement.
Nature of Special-Purpose Entities
A26. A special-purpose entity (sometimes referred to as a special purpose
vehicle) is an entity that is generally established for a narrow and
well-defined purpose, such as to effect a lease or a securitisation of
financial assets, or to carry out research and development activities.
It may take the form of a corporation, trust, partnership, or
unincorporated entity. The entity on behalf of which the
special-purpose entity has been created may often transfer assets to
the latter (for example, as part of a derecognition transaction
involving financial assets), obtain the right to use the latter's assets,
or perform services for the latter, while other parties may provide the
funding to the latter. As ASA 550 indicates, in some circumstances,
a special-purpose entity may be a related party of the entity.[8]
A27. Financial reporting frameworks often specify detailed conditions
that are deemed to amount to control, or circumstances under which
the special-purpose entity should be considered for consolidation.
The interpretation of the requirements of such frameworks often
demands a detailed knowledge of the relevant agreements involving
the special-purpose entity.
The Entity's Selection and Application of Accounting Policies (Ref: Para. (c))
A28. An understanding of the entity's selection and application of
accounting policies may encompass such matters as:
• The methods the entity uses to account for significant and
  unusual transactions.
• The effect of significant accounting policies in
  controversial or emerging areas for which there is a lack of
  authoritative guidance or consensus.
• Changes in the entity's accounting policies.
• Financial reporting standards and laws and regulations that
  are new to the entity and when and how the entity will
  adopt such requirements.
[8] See ASA 550, paragraph A7.
Objectives and Strategies and Related Business Risks (Ref: Para. (d))
A29. The entity conducts its business in the context of industry, regulatory
and other internal and external factors. To respond to these factors,
the entity's management or those charged with governance define
objectives, which are the overall plans for the entity. Strategies are
the approaches by which management intends to achieve its
objectives. The entity's objectives and strategies may change over
time.
A30. Business risk is broader than the risk of material misstatement of the
financial report, though it includes the latter. Business risk may
arise from change or complexity. A failure to recognise the need for
change may also give rise to business risk. Business risk may arise,
for example, from:
• The development of new products or services that may fail;
• A market which, even if successfully developed, is
  inadequate to support a product or service; or
• Flaws in a product or service that may result in liabilities
  and reputational risk.
A31. An understanding of the business risks facing the entity increases the
likelihood of identifying risks of material misstatement, since most
business risks will eventually have financial consequences and,
therefore, an effect on the financial report. However, the auditor
does not have a responsibility to identify or assess all business risks
because not all business risks give rise to risks of material
misstatement.
A32. Examples of matters that the auditor may consider when obtaining
an understanding of the entity's objectives, strategies and related
business risks that may result in a risk of material misstatement of
the financial report include:
• Industry developments (a potential related business risk
  might be, for example, that the entity does not have the
  personnel or expertise to deal with the changes in the
  industry).
• New products and services (a potential related business risk
  might be, for example, that there is increased product
  liability).
• Expansion of the business (a potential related business risk
  might be, for example, that the demand has not been
  accurately estimated).
• New accounting requirements (a potential related business
  risk might be, for example, incomplete or improper
  implementation, or increased costs).
• Regulatory requirements (a potential related business risk
  might be, for example, that there is increased legal
  exposure).
• Current and prospective financing requirements (a potential
  related business risk might be, for example, the loss of
  financing due to the entity's inability to meet requirements).
• Use of IT (a potential related business risk might be, for
  example, that systems and processes are incompatible).
• The effects of implementing a strategy, particularly any
  effects that will lead to new accounting requirements (a
  potential related business risk might be, for example,
  incomplete or improper implementation).
A33. A business risk may have an immediate consequence for the risk of
material misstatement for classes of transactions, account balances,
and disclosures at the assertion level or the financial report level.
For example, the business risk arising from a contracting customer
base may increase the risk of material misstatement associated with
the valuation of receivables. However, the same risk, particularly in
combination with a contracting economy, may also have a
longer-term consequence, which the auditor considers when
assessing the appropriateness of the going concern assumption.
Whether a business risk may result in a risk of material misstatement
is, therefore, considered in light of the entity's circumstances.
Examples of conditions and events that may indicate risks of
material misstatement are indicated in Appendix 2.
A34. Usually, management identifies business risks and develops
approaches to address them. Such a risk assessment process is part
of internal control and is discussed in paragraph 15 and paragraphs
A79-A80.
Considerations Specific to Public Sector Entities
A35. For the audits of public sector entities, "management objectives"
may be influenced by concerns regarding public accountability and
may include objectives which have their source in law, regulation, or
other authority.
Measurement and Review of the Entity's Financial Performance
(Ref: Para. (e))
A36. Management and others will measure and review those things they
regard as important. Performance measures, whether external or
internal, create pressures on the entity. These pressures, in turn, may
motivate management to take action to improve the business
performance or to misstate the financial report. Accordingly, an
understanding of the entity's performance measures assists the
auditor in considering whether pressures to achieve performance
targets may result in management actions that increase the risks of
material misstatement, including those due to fraud. See ASA 240
for requirements and guidance in relation to the risks of fraud.
A37. The measurement and review of financial performance is not the
same as the monitoring of controls (discussed as a component of
internal control in paragraphs A98-A104), though their purposes
may overlap:
• The measurement and review of performance is directed at
  whether business performance is meeting the objectives set
  by management (or third parties).
• Monitoring of controls is specifically concerned with the
  effective operation of internal control.
In some cases, however, performance indicators also provide
information that enables management to identify deficiencies in
internal control.
A38. Examples of internally-generated information used by management
for measuring and reviewing financial performance, and which the
auditor may consider, include:
• Key performance indicators (financial and non-financial)
  and key ratios, trends and operating statistics.
• Period-on-period financial performance analyses.
• Budgets, forecasts, variance analyses, segment information
  and divisional, departmental or other level performance
  reports.
• Employee performance measures and incentive
  compensation policies.
• Comparisons of an entity's performance with that of
  competitors.
A39. External parties may also measure and review the entity's financial
performance. For example, external information such as analysts'
reports and credit rating agency reports may represent useful
information for the auditor. Such reports can often be obtained from
the entity being audited.
A40. Internal measures may highlight unexpected results or trends
requiring management to determine their cause and take corrective
action (including, in some cases, the detection and correction of
misstatements on a timely basis). Performance measures may also
indicate to the auditor that risks of misstatement of related financial
report information do exist. For example, performance measures
may indicate that the entity has unusually rapid growth or
profitability when compared to that of other entities in the same
industry. Such information, particularly if combined with other
factors such as performance-based bonus or incentive remuneration,
may indicate the potential risk of management bias in the
preparation of the financial report.
Considerations Specific to Smaller Entities
A41. Smaller entities often do not have processes to measure and review
financial performance. Enquiry of management may reveal that it
relies on certain key indicators for evaluating financial performance
and taking appropriate action. If such enquiry indicates an absence
of performance measurement or review, there may be an increased
risk of misstatements not being detected and corrected.
The Entity's Internal Control (Ref: Para. 12)
A42. An understanding of internal control assists the auditor in identifying
types of potential misstatements and factors that affect the risks of
material misstatement, and in designing the nature, timing, and
extent of further audit procedures.
A43. The following application material on internal control is presented in
four sections, as follows:
• General Nature and Characteristics of Internal Control.
• Controls Relevant to the Audit.
• Nature and Extent of the Understanding of Relevant
  Controls.
• Components of Internal Control.
General Nature and Characteristics of Internal Control
Purpose of Internal Control
A44. Internal control is designed, implemented and maintained to address
identified business risks that threaten the achievement of any of the
entity's objectives that concern:
• The reliability of the entity's financial reporting;
• The effectiveness and efficiency of its operations; and
• Its compliance with applicable laws and regulations.
The way in which internal control is designed, implemented and
maintained varies with an entity's size and complexity.
Considerations specific to smaller entities
A45. Smaller entities may use less structured means and simpler processes
and procedures to achieve their objectives.
Limitations of Internal Control
A46. Internal control, no matter how effective, can provide an entity with
only reasonable assurance about achieving the entity's financial
reporting objectives. The likelihood of their achievement is affected
by the inherent limitations of internal control. These include the
realities that human judgement in decision-making can be faulty and
that breakdowns in internal control can occur because of human
error. For example, there may be an error in the design of, or in the
change to, a control. Equally, the operation of a control may not be
effective, such as where information produced for the purposes of
internal control (for example, an exception report) is not effectively
used because the individual responsible for reviewing the
information does not understand its purpose or fails to take
appropriate action.
A47. Additionally, controls can be circumvented by the collusion of two
or more people or inappropriate management override of internal
control. For example, management may enter into side agreements
with customers that alter the terms and conditions of the entity's
standard sales contracts, which may result in improper revenue
recognition. Also, edit checks in a software program that are
designed to identify and report transactions that exceed specified
credit limits may be overridden or disabled.
A48. Further, in designing and implementing controls, management may
make judgements on the nature and extent of the controls it chooses
to implement, and the nature and extent of the risks it chooses to
assume.
Considerations specific to smaller entities
A49. Smaller entities often have fewer employees which may limit the
extent to which segregation of duties is practicable. However, in a
small owner-managed entity, the owner-manager may be able to
exercise more effective oversight than in a larger entity. This
oversight may compensate for the generally more limited
opportunities for segregation of duties.
A50. On the other hand, the owner-manager may be more able to override
controls because the system of internal control is less structured.
This is taken into account by the auditor when identifying the risks
of material misstatement due to fraud.
Division of Internal Control into Components
A51. The division of internal control into the following five components,
for purposes of Australian Auditing Standards, provides a useful
framework for auditors to consider how different aspects of an
entity's internal control may affect the audit:
(a) The control environment;
(b) The entity's risk assessment process;
(c) The information system, including the related business
    processes, relevant to financial reporting, and
    communication;
(d) Control activities; and
(e) Monitoring of controls.
The division does not necessarily reflect how an entity designs,
implements and maintains internal control, or how it may classify
any particular component. Auditors may use different terminology
or frameworks to describe the various aspects of internal control,
and their effect on the audit than those used in this Auditing
Standard, provided all the components described in this Auditing
Standard are addressed.
A52. Application material relating to the five components of internal
control as they relate to a financial report audit is set out in
paragraphs A69-A104 below. Appendix 1 provides further
explanation of these components of internal control.
Characteristics of Manual and Automated Elements of Internal Control
Relevant to the Auditor's Risk Assessment
A53. An entity's system of internal control contains manual elements and
often contains automated elements. The characteristics of manual or
automated elements are relevant to the auditor's risk assessment and
further audit procedures based thereon.
A54. The use of manual or automated elements in internal control also
affects the manner in which transactions are initiated, recorded,
processed, and reported:
• Controls in a manual system may include such procedures
  as approvals and reviews of transactions, and
  reconciliations and follow-up of reconciling items.
  Alternatively, an entity may use automated procedures to
  initiate, record, process, and report transactions, in which
  case records in electronic format replace paper documents.
• Controls in IT systems consist of a combination of
  automated controls (for example, controls embedded in
  computer programs) and manual controls. Further, manual
  controls may be independent of IT, may use information
  produced by IT, or may be limited to monitoring the
  effective functioning of IT and of automated controls, and
  to handling exceptions. When IT is used to initiate, record,
  process or report transactions, or other financial data for
  inclusion in the financial report, the systems and programs
  may include controls related to the corresponding assertions
  for material accounts or may be critical to the effective
  functioning of manual controls that depend on IT.
An entity's mix of manual and automated elements in internal
control varies with the nature and complexity of the entity's use
of IT.
A55. Generally, IT benefits an entity's internal control by enabling an
entity to:
• Consistently apply predefined business rules and perform
  complex calculations in processing large volumes of
  transactions or data;
• Enhance the timeliness, availability, and accuracy of
  information;
• Facilitate the additional analysis of information;
• Enhance the ability to monitor the performance of the
  entity's activities and its policies and procedures;
• Reduce the risk that controls will be circumvented; and
• Enhance the ability to achieve effective segregation of
  duties by implementing security controls in applications,
  databases, and operating systems.
A56. IT also poses specific risks to an entity's internal control, including,
for example:
• Reliance on systems or programs that are inaccurately
processing data, processing inaccurate data, or both.
• Unauthorised access to data that may result in destruction
of data or improper changes to data, including the recording
of unauthorised or non-existent transactions, or inaccurate
recording of transactions. Particular risks may arise where
multiple users access a common database.
• The possibility of IT personnel gaining access privileges
beyond those necessary to perform their assigned duties
thereby breaking down segregation of duties.
• Unauthorised changes to data in master files.
• Unauthorised changes to systems or programs.
• Failure to make necessary changes to systems or programs.
• Inappropriate manual intervention.
• Potential loss of data or inability to access data as required.
A57. Manual elements in internal control may be more suitable where
judgement and discretion are required such as for the following
circumstances:
• Large, unusual or non-recurring transactions.
• Circumstances where errors are difficult to define,
anticipate or predict.
• In changing circumstances that require a control response
outside the scope of an existing automated control.
• In monitoring the effectiveness of automated controls.
A58. Manual elements in internal control may be less reliable than
automated elements because they can be more easily bypassed,
ignored, or overridden and they are also more prone to simple errors
and mistakes. Consistency of application of a manual control
element cannot therefore be assumed. Manual control elements may
be less suitable for the following circumstances:
• High volume or recurring transactions, or in situations
where errors that can be anticipated or predicted can be
prevented, or detected and corrected, by control parameters
that are automated.
• Control activities where the specific ways to perform the
control can be adequately designed and automated.
A59. The extent and nature of the risks to internal control vary depending
on the nature and characteristics of the entity's information system.
The entity responds to the risks arising from the use of IT or from
use of manual elements in internal control by establishing effective
controls in light of the characteristics of the entity's information
system.
Controls Relevant to the Audit
A60. There is a direct relationship between an entity's objectives and the
controls it implements to provide reasonable assurance about their
achievement. The entity's objectives, and therefore controls, relate
to financial reporting, operations and compliance; however, not all
of these objectives and controls are relevant to the auditor's risk
assessment.
A61. Factors relevant to the auditor's judgement about whether a control,
individually or in combination with others, is relevant to the audit
may include such matters as the following:
• Materiality.
• The significance of the related risk.
• The size of the entity.
• The nature of the entity's business, including its
organisation and ownership characteristics.
• The diversity and complexity of the entity's operations.
• Applicable legal and regulatory requirements.
• The circumstances and the applicable component of internal
control.
• The nature and complexity of the systems that are part of
the entity's internal control, including the use of service
organisations.
• Whether, and how, a specific control, individually or in
combination with others, prevents, or detects and corrects,
material misstatement.
A62. Controls over the completeness and accuracy of information
produced by the entity may be relevant to the audit if the auditor
intends to make use of the information in designing and performing
further audit procedures. Controls relating to operations and
compliance objectives may also be relevant to an audit if they relate
to data the auditor evaluates or uses in applying audit procedures.
A63. Internal control over safeguarding of assets against unauthorised
acquisition, use, or disposition may include controls relating to both
financial reporting and operations objectives. The auditor's
consideration of such controls is generally limited to those relevant
to the reliability of financial reporting.
A64. An entity generally has controls relating to objectives that are not
relevant to an audit and therefore need not be considered. For
example, an entity may rely on a sophisticated system of automated
controls to provide efficient and effective operations (such as an
airline's system of automated controls to maintain flight schedules),
but these controls ordinarily would not be relevant to the audit.
Further, although internal control applies to the entire entity or to
any of its operating units or business processes, an understanding of
internal control relating to each of the entity's operating units and
business processes may not be relevant to the audit.
Considerations Specific to Public Sector Entities
A65. Public sector auditors often have additional responsibilities with
respect to internal control, for example to report on compliance with
an established Code of Practice. Public sector auditors can also have
responsibilities to report on the compliance with law, regulation or
other authority. As a result, their review of internal control may be
broader and more detailed.
Nature and Extent of the Understanding of Relevant Controls (Ref: Para. 13)
A66. Evaluating the design of a control involves considering whether the
control, individually or in combination with other controls, is
capable of effectively preventing, or detecting and correcting,
material misstatements. Implementation of a control means that the
control exists and that the entity is using it. There is little point in
assessing the implementation of a control that is not effective, and so
the design of a control is considered first. An improperly designed
control may represent a significant deficiency in internal control.
A67. Risk assessment procedures to obtain audit evidence about the
design and implementation of relevant controls may include:
• Enquiring of entity personnel.
• Observing the application of specific controls.
• Inspecting documents and reports.
• Tracing transactions through the information system
relevant to financial reporting.
Enquiry alone, however, is not sufficient for such purposes.
A68. Obtaining an understanding of an entity's controls is not sufficient to
test their operating effectiveness, unless there is some automation
that provides for the consistent operation of the controls. For
example, obtaining audit evidence about the implementation of a
manual control at a point in time does not provide audit evidence
about the operating effectiveness of the control at other times during
the period under audit. However, because of the inherent
consistency of IT processing (see paragraph A55), performing audit
procedures to determine whether an automated control has been
implemented may serve as a test of that control's operating
effectiveness, depending on the auditor's assessment and testing of
controls such as those over program changes. Tests of the operating
effectiveness of controls are further described in ASA 330.[9]
[9] See ASA 330 The Auditor's Responses to Assessed Risks.
Components of Internal Control – Control Environment (Ref: Para. 14)
A69. The control environment includes the governance and management
functions and the attitudes, awareness, and actions of those charged
with governance and management concerning the entity's internal
control and its importance in the entity. The control environment
sets the tone of an organisation, influencing the control
consciousness of its people.
A70. Elements of the control environment that may be relevant when
obtaining an understanding of the control environment include the
following:
(a) Communication and enforcement of integrity and ethical
values – These are essential elements that influence the
effectiveness of the design, administration and monitoring
of controls.
(b) Commitment to competence – Matters such as
management's consideration of the competence levels for
particular jobs and how those levels translate into requisite
skills and knowledge.
(c) Participation by those charged with governance
– Attributes of those charged with governance such as:
• Their independence from management.
• Their experience and stature.
• The extent of their involvement and the
information they receive, and the scrutiny of
activities.
• The appropriateness of their actions, including the
degree to which difficult questions are raised and
pursued with management, and their interaction
with internal and external auditors.
(d) Management's philosophy and operating style
– Characteristics such as management's:
• Approach to taking and managing business risks.
• Attitudes and actions toward financial reporting.
• Attitudes toward information processing and
accounting functions and personnel.
(e) Organisational structure – The framework within which an
entity's activities for achieving its objectives are planned,
executed, controlled, and reviewed.
(f) Assignment of authority and responsibility – Matters such
as how authority and responsibility for operating activities
are assigned and how reporting relationships and
authorisation hierarchies are established.
(g) Human resource policies and practices – Policies and
practices that relate to, for example, recruitment,
orientation, training, evaluation, counselling, promotion,
compensation, and remedial actions.
Audit Evidence for Elements of the Control Environment
A71. Relevant audit evidence may be obtained through a combination of
enquiries and other risk assessment procedures such as corroborating
enquiries through observation or inspection of documents. For
example, through enquiries of management and employees, the
auditor may obtain an understanding of how management
communicates to employees its views on business practices and
ethical behaviour. The auditor may then determine whether relevant
controls have been implemented by considering, for example,
whether management has a written code of conduct and whether it
acts in a manner that supports the code.
Effect of the Control Environment on the Assessment of the Risks of Material
Misstatement
A72. Some elements of an entity's control environment have a pervasive
effect on assessing the risks of material misstatement. For example,
an entity's control consciousness is influenced significantly by those
charged with governance, because one of their roles is to
counterbalance pressures on management in relation to financial
reporting that may arise from market demands or remuneration
schemes. The effectiveness of the design of the control environment
in relation to participation by those charged with governance is
therefore influenced by such matters as:
• Their independence from management and their ability to
evaluate the actions of management.
• Whether they understand the entity's business transactions.
• The extent to which they evaluate whether the financial
report is prepared in accordance with the applicable
financial reporting framework.
A73. An active and independent board of directors may influence the
philosophy and operating style of senior management. However,
other elements may be more limited in their effect. For example,
although human resource policies and practices directed toward
hiring competent financial, accounting, and IT personnel may reduce
the risk of errors in processing financial information, they may not
mitigate a strong bias by top management to overstate earnings.
A74. The existence of a satisfactory control environment can be a positive
factor when the auditor assesses the risks of material misstatement.
However, although it may help reduce the risk of fraud, a
satisfactory control environment is not an absolute deterrent to
fraud. Conversely, deficiencies in the control environment may
undermine the effectiveness of controls, in particular in relation to
fraud. For example, management's failure to commit sufficient
resources to address IT security risks may adversely affect internal
control by allowing improper changes to be made to computer
programs or to data, or unauthorised transactions to be processed.
As explained in ASA 330, the control environment also influences
the nature, timing, and extent of the auditor's further procedures.[10]
[10] See ASA 330, paragraphs A2-A3.
A75. The control environment in itself does not prevent, or detect and
correct, a material misstatement. It may, however, influence the
auditor's evaluation of the effectiveness of other controls (for
example, the monitoring of controls and the operation of specific
control activities) and thereby, the auditor's assessment of the risks
of material misstatement.
Considerations Specific to Smaller Entities
A76. The control environment within small entities is likely to differ from
larger entities. For example, those charged with governance in small
entities may not include an independent or outside member, and the
role of governance may be undertaken directly by the
owner-manager where there are no other owners. The nature of the
control environment may also influence the significance of other
controls, or their absence. For example, the active involvement of
an owner-manager may mitigate certain of the risks arising from a
lack of segregation of duties in a small business; it may, however,
increase other risks, for example, the risk of override of controls.
A77. In addition, audit evidence for elements of the control environment
in smaller entities may not be available in documentary form, in
particular where communication between management and other
personnel may be informal, yet effective. For example, small
entities might not have a written code of conduct but, instead,
develop a culture that emphasises the importance of integrity and
ethical behaviour through oral communication and by management
example.
A78. Consequently, the attitudes, awareness and actions of management
or the owner-manager are of particular importance to the auditor's
understanding of a smaller entity's control environment.
Components of Internal Control – The Entity's Risk Assessment Process
(Ref: Para. 15)
A79. The entity's risk assessment process forms the basis for how
management determines the risks to be managed. If that process is
appropriate to the circumstances, including the nature, size and
complexity of the entity, it assists the auditor in identifying risks of
material misstatement. Whether the entity's risk assessment process
is appropriate to the circumstances is a matter of judgement.
Considerations Specific to Smaller Entities (Ref: Para. 17)
A80. There is unlikely to be an established risk assessment process in a
small entity. In such cases, it is likely that management will identify
risks through direct personal involvement in the business.
Irrespective of the circumstances, however, enquiry about identified
risks and how they are addressed by management is still necessary.
Components of Internal Control – The Information System, Including the
Related Business Processes, Relevant to Financial
Reporting, and Communication
The Information System, Including Related Business Processes, Relevant to
Financial Reporting (Ref: Para. 18)
A81. The information system relevant to financial reporting objectives,
which includes the accounting system, consists of the procedures
and records designed and established to:
• Initiate, record, process, and report entity transactions (as
well as events and conditions) and to maintain
accountability for the related assets, liabilities, and equity;
• Resolve incorrect processing of transactions, for example,
automated suspense files and procedures followed to clear
suspense items out on a timely basis;
• Process and account for system overrides or bypasses to
controls;
• Transfer information from transaction processing systems
to the general ledger;
• Capture information relevant to financial reporting for
events and conditions other than transactions, such as the
depreciation and amortisation of assets and changes in the
recoverability of accounts receivables; and
• Ensure information required to be disclosed by the
applicable financial reporting framework is accumulated,
recorded, processed, summarised and appropriately
reported in the financial report.
Journal entries
A82. An entity's information system typically includes the use of standard
journal entries that are required on a recurring basis to record
transactions. Examples might be journal entries to record sales,
purchases, and cash disbursements in the general ledger, or to record
accounting estimates that are periodically made by management,
such as changes in the estimate of uncollectible accounts receivable.
A83. An entity's financial reporting process also includes the use of
non-standard journal entries to record non-recurring, unusual
transactions or adjustments. Examples of such entries include
consolidating adjustments and entries for a business combination or
disposal or non-recurring estimates such as the impairment of an
asset. In manual general ledger systems, non-standard journal
entries may be identified through inspection of ledgers, journals, and
supporting documentation. When automated procedures are used to
maintain the general ledger and prepare a financial report, such
entries may exist only in electronic form and may therefore be more
easily identified through the use of computer-assisted audit
techniques.
Related business processes
A84. An entity's business processes are the activities designed to:
• Develop, purchase, produce, sell and distribute an entity's
products and services;
• Ensure compliance with laws and regulations; and
• Record information, including accounting and financial
reporting information.
Business processes result in the transactions that are recorded,
processed and reported by the information system. Obtaining an
understanding of the entity's business processes, which include how
transactions are originated, assists the auditor obtain an
understanding of the entity's information system relevant to
financial reporting in a manner that is appropriate to the entity's
circumstances.
Considerations specific to smaller entities
A85. Information systems and related business processes relevant to
financial reporting in small entities are likely to be less sophisticated
than in larger entities, but their role is just as significant. Small
entities with active management involvement may not need
extensive descriptions of accounting procedures, sophisticated
accounting records, or written policies. Understanding the entity's
systems and processes may therefore be easier in an audit of smaller
entities, and may be more dependent on enquiry than on review of
documentation. The need to obtain an understanding, however,
remains important.
Communication (Ref: Para. 19)
A86. Communication by the entity of the financial reporting roles and
responsibilities and of significant matters relating to financial
reporting involves providing an understanding of individual roles
and responsibilities pertaining to internal control over financial
reporting. It includes such matters as the extent to which personnel
understand how their activities in the financial reporting information
system relate to the work of others and the means of reporting
exceptions to an appropriate higher level within the entity.
Communication may take such forms as policy manuals and
financial reporting manuals. Open communication channels help
ensure that exceptions are reported and acted on.
Considerations specific to smaller entities
A87. Communication may be less structured and easier to achieve in a
small entity than in a larger entity due to fewer levels of
responsibility and management's greater visibility and availability.
Components of Internal Control – Control Activities (Ref: Para. 20)
A88. Control activities are the policies and procedures that help ensure
that management directives are carried out. Control activities,
whether within IT or manual systems, have various objectives and
are applied at various organisational and functional levels.
Examples of specific control activities include those relating to the
following:
• Authorisation.
• Performance reviews.
• Information processing.
• Physical controls.
• Segregation of duties.
A89. Control activities that are relevant to the audit are:
• Those that are required to be treated as such, being control
activities that relate to significant risks and those that relate
to risks for which substantive procedures alone do not
provide sufficient appropriate audit evidence, as required by
paragraphs 29 and 30, respectively; or
• Those that are considered to be relevant in the judgement of
the auditor.
A90. The auditor's judgement about whether a control activity is relevant
to the audit is influenced by the risk that the auditor has identified
that may give rise to a material misstatement and whether the auditor
thinks it is likely to be appropriate to test the operating effectiveness
of the control in determining the extent of substantive testing.
A91. The auditor's emphasis may be on identifying and obtaining an
understanding of control activities that address the areas where the
auditor considers that risks of material misstatement are likely to be
higher. When multiple control activities each achieve the same
objective, it is unnecessary to obtain an understanding of each of the
control activities related to such objective.
A92. The auditor's knowledge about the presence or absence of control
activities obtained from the understanding of the other components
of internal control assists the auditor in determining whether it is
necessary to devote additional attention to obtaining an
understanding of control activities.
Considerations Specific to Smaller Entities
A93. The concepts underlying control activities in small entities are likely
to be similar to those in larger entities, but the formality with which
they operate may vary. Further, small entities may find that certain
types of control activities are not relevant because of controls
applied by management. For example, management's sole authority
for granting credit to customers and approving significant purchases
can provide strong control over important account balances and
transactions, lessening or removing the need for more detailed
control activities.
A94. Control activities relevant to the audit of a smaller entity are likely
to relate to the main transaction cycles such as revenues, purchases
and employment expenses.
Risks Arising From IT (Ref: Para. 21)
A95. The use of IT affects the way that control activities are implemented.
From the auditor's perspective, controls over IT systems are
effective when they maintain the integrity of information and the
security of the data such systems process, and include effective
general IT-controls and application controls.
A96. General IT-controls are policies and procedures that relate to many
applications and support the effective functioning of application
controls. They apply to mainframe, miniframe, and end-user
environments. General IT-controls that maintain the integrity of
information and security of data commonly include controls over the
following:
• Data centre and network operations.
• System software acquisition, change and maintenance.
• Program change.
• Access security.
• Application system acquisition, development, and
maintenance.
They are generally implemented to deal with the risks referred to in
paragraph A56 above.
A97. Application controls are manual or automated procedures that
typically operate at a business process level and apply to the
processing of transactions by individual applications. Application
controls can be preventive or detective in nature and are designed to
ensure the integrity of the accounting records. Accordingly,
application controls relate to procedures used to initiate, record,
process and report transactions or other financial data. These
controls help ensure that transactions occurred, are authorised, and
are completely and accurately recorded and processed. Examples
include edit checks of input data, and numerical sequence checks
with manual follow-up of exception reports or correction at the point
of data entry.
Components of Internal Control – Monitoring of Controls (Ref: Para. 22)
A98. Monitoring of controls is a process to assess the effectiveness of
internal control performance over time. It involves assessing the
effectiveness of controls on a timely basis and taking necessary
remedial actions. Management accomplishes monitoring of controls
through ongoing activities, separate evaluations, or a combination of
the two. Ongoing monitoring activities are often built into the
normal recurring activities of an entity and include regular
management and supervisory activities.
A99. Management's monitoring activities may also include using
information from communications from external parties such as
customer complaints and regulator comments that may indicate
problems or highlight areas in need of improvement.
Considerations Specific to Smaller Entities
A100. Management's monitoring of control is often accomplished by
management's or the owner-manager's close involvement in
operations. This involvement often will identify significant
variances from expectations and inaccuracies in financial data
leading to remedial action to the control.
Internal Audit Functions (Ref: Para. 23)
A101. The entity's internal audit function is likely to be relevant to the
audit if the nature of the internal audit function's responsibilities and
activities are related to the entity's financial reporting, and the
auditor expects to use the work of the internal auditors to modify the
nature or timing, or reduce the extent, of audit procedures to be
performed. If the auditor determines that the internal audit function
is likely to be relevant to the audit, ASA 610 applies.
A102. The objectives of an internal audit function, and therefore the nature
of its responsibilities and its status within the organisation, vary
widely and depend on the size and structure of the entity and the
requirements of management and, where applicable, those charged
with governance. The responsibilities of an internal audit function
may include, for example, monitoring of internal control, risk
management, and review of compliance with laws and regulations.
On the other hand, the responsibilities of the internal audit function
may be limited to the review of the economy, efficiency and
effectiveness of operations, for example, and accordingly, may not
relate to the entity's financial reporting.
A103. If the nature of the internal audit function's responsibilities are
related to the entity's financial reporting, the external auditor's
consideration of the activities performed, or to be performed by, the
internal audit function may include review of the internal audit
function's audit plan for the period, if any, and discussion of that
plan with the internal auditors.
Sources of Information (Ref: Para. 24)
A104. Much of the information used in monitoring may be produced by the
entity's information system. If management assumes that data used
for monitoring are accurate without having a basis for that
assumption, errors that may exist in the information could
potentially lead management to incorrect conclusions from its
monitoring activities. Accordingly, an understanding of:
• the sources of the information related to the entity's
monitoring activities; and
• the basis upon which management considers the
information to be sufficiently reliable for the purpose
is required as part of the auditor's understanding of the entity's
monitoring activities as a component of internal control.
Identifying and Assessing the Risks of Material Misstatement
Assessment of Risks of Material Misstatement at the Financial Report Level
(Ref: Para. 25(a))
A105. Risks of material misstatement at the financial report level refer to
risks that relate pervasively to the financial report as a whole and
potentially affect many assertions. Risks of this nature are not
necessarily risks identifiable with specific assertions at the class of
transactions, account balance, or disclosure level. Rather, they
represent circumstances that may increase the risks of material
misstatement at the assertion level, for example, through
management override of internal control. Financial report level risks
may be especially relevant to the auditor's consideration of the risks
of material misstatement arising from fraud.
A106. Risks at the financial report level may derive in particular from a
deficient control environment (although these risks may also relate
to other factors, such as declining economic conditions). For
example, deficiencies such as management's lack of competence
may have a more pervasive effect on the financial report and may
require an overall response by the auditor.
A107. The auditor's understanding of internal control may raise doubts
about the auditability of an entity's financial report. For example:
• Concerns about the integrity of the entity's management
may be so serious as to cause the auditor to conclude that
the risk of management misrepresentation in the financial
report is such that an audit cannot be conducted.
• Concerns about the condition and reliability of an entity's
records may cause the auditor to conclude that it is unlikely
that sufficient appropriate audit evidence will be available
to support an unqualified opinion on the financial report.
A108. ASA 705[11] establishes requirements and provides guidance in
determining whether there is a need for the auditor to express a
qualified opinion or disclaim an opinion or, as may be required in
some cases, to withdraw from the engagement where withdrawal is
possible under applicable law or regulation.
[11] See ASA 705 Modifications to the Opinion in the Independent Auditor's Report.
Assessment of Risks of Material Misstatement at the Assertion Level
(Ref: Para. 25(b))
A109. Risks of material misstatement at the assertion level for classes of
transactions, account balances, and disclosures need to be
considered because such consideration directly assists in
determining the nature, timing, and extent of further audit
procedures at the assertion level necessary to obtain sufficient
appropriate audit evidence. In identifying and assessing risks of
material misstatement at the assertion level, the auditor may
conclude that the identified risks relate more pervasively to the
financial report as a whole and potentially affect many assertions.
The Use of Assertions
A110. In representing that the financial report is in accordance with the
applicable financial reporting framework, management or where
appropriate those charged with governance implicitly or explicitly
makes assertions regarding the recognition, measurement,
presentation and disclosure of the various elements of the financial
report and related disclosures.
A111* Assertions used by the auditor to consider the di##erent types o#
potential misstatements that may occur #all into the #ollowing three
categories and may take the #ollowing #orms)
(a) Assertions about classes o# transactions and e"ents #or the
period under audit)
(i) :ccurrenceNtransactions and e"ents that ha"e
been recorded ha"e occurred and pertain to the
entity*
(ii) %ompletenessNall transactions and e"ents that
should ha"e been recorded ha"e been recorded*
(iii) AccuracyNamounts and other data relating to
recorded transactions and e"ents ha"e been
recorded appropriately*
(i") %uto##Ntransactions and e"ents ha"e been
recorded in the correct accounting period*
(") %lassi#icationNtransactions and e"ents ha"e been
recorded in the proper accounts*
(b) Assertions about account balances at the period end:
(i) Existence – assets, liabilities, and equity interests
exist.
(ii) Rights and obligations – the entity holds or
controls the rights to assets, and liabilities are the
obligations of the entity.
(iii) Completeness – all assets, liabilities and equity
interests that should have been recorded have been
recorded.
(iv) Valuation and allocation – assets, liabilities, and
equity interests are included in the financial report
at appropriate amounts and any resulting valuation
or allocation adjustments are appropriately
recorded.
(c) Assertions about presentation and disclosure:
(i) Occurrence and rights and obligations – disclosed
events, transactions, and other matters have
occurred and pertain to the entity.
(ii) Completeness – all disclosures that should have
been included in the financial report have been
included.
(iii) Classification and understandability – financial
information is appropriately presented and
described, and disclosures are clearly expressed.
(iv) Accuracy and valuation – financial and other
information are disclosed fairly and at appropriate
amounts.
A112. The auditor may use the assertions as described above or may
express them differently provided all aspects described above have
been covered. For example, the auditor may choose to combine the
assertions about transactions and events with the assertions about
account balances.
Considerations specific to public sector entities
A113. When making assertions about the financial report of public sector
entities, in addition to those assertions set out in paragraph A111,
management or those charged with governance may often assert that
transactions and events have been carried out in accordance with
law, regulation or other authority. Such assertions may fall within
the scope of the financial report audit.
Process of Identifying Risks of Material Misstatement (Ref: Para. 26(a))
A114. Information gathered by performing risk assessment procedures,
including the audit evidence obtained in evaluating the design of
controls and determining whether they have been implemented, is
used as audit evidence to support the risk assessment. The risk
assessment determines the nature, timing, and extent of further audit
procedures to be performed.
A115. Appendix 2 provides examples of conditions and events that may
indicate the existence of risks of material misstatement.
Relating Controls to Assertions (Ref: Para. 26(c))
A116. In making risk assessments, the auditor may identify the controls
that are likely to prevent, or detect and correct, material
misstatement in specific assertions. Generally, it is useful to obtain
an understanding of controls and relate them to assertions in the
context of processes and systems in which they exist because
individual control activities often do not in themselves address a
risk. Often, only multiple control activities, together with other
components of internal control, will be sufficient to address a risk.
A117. Conversely, some control activities may have a specific effect on an
individual assertion embodied in a particular class of transactions or
account balance. For example, the control activities that an entity
established to ensure that its personnel are properly counting and
recording the annual physical inventory relate directly to the
existence and completeness assertions for the inventory account
balance.
A118. Controls can be either directly or indirectly related to an assertion.
The more indirect the relationship, the less effective that control may
be in preventing, or detecting and correcting, misstatements in that
assertion. For example, a sales manager's review of a summary of
sales activity for specific stores by region ordinarily is only
indirectly related to the completeness assertion for sales revenue.
Accordingly, it may be less effective in reducing risk for that
assertion than controls more directly related to that assertion, such as
matching shipping documents with billing documents.
Significant Risks
Identifying Significant Risks (Ref: Para. 28)
A119. Significant risks often relate to significant non-routine transactions
or judgemental matters. Non-routine transactions are transactions
that are unusual, due to either size or nature, and that therefore occur
infrequently. Judgemental matters may include the development of
accounting estimates for which there is significant measurement
uncertainty. Routine, non-complex transactions that are subject to
systematic processing are less likely to give rise to significant risks.
A120. Risks of material misstatement may be greater for significant
non-routine transactions arising from matters such as the following:
• Greater management intervention to specify the accounting
treatment.
• Greater manual intervention for data collection and
processing.
• Complex calculations or accounting principles.
• The nature of non-routine transactions, which may make it
difficult for the entity to implement effective controls over
the risks.
A121. Risks of material misstatement may be greater for significant
judgemental matters that require the development of accounting
estimates, arising from matters such as the following:
• Accounting principles for accounting estimates or revenue
recognition may be subject to differing interpretation.
• Required judgement may be subjective or complex, or
require assumptions about the effects of future events, for
example, judgement about fair value.
A122. ASA 330 describes the consequences for further audit procedures of
identifying a risk as significant.[12]
Significant risks relating to the risks of material misstatement due to fraud
A123. ASA 240 provides further requirements and guidance in relation to
the identification and assessment of the risks of material
misstatement due to fraud.[13]
Understanding Controls Related to Significant Risks (Ref: Para. 29)
A124. Although risks relating to significant non-routine or judgemental
matters are often less likely to be subject to routine controls,
management may have other responses intended to deal with such
risks. Accordingly, the auditor's understanding of whether the entity
has designed and implemented controls for significant risks arising
from non-routine or judgemental matters includes whether and how
management responds to the risks. Such responses might include:
• Control activities such as a review of assumptions by senior
management or experts.
• Documented processes for estimations.
• Approval by those charged with governance.
A125. For example, where there are one-off events such as the receipt of
notice of a significant lawsuit, consideration of the entity's response
may include such matters as whether it has been referred to
appropriate experts (such as internal or external legal counsel),
whether an assessment has been made of the potential effect, and
how it is proposed that the circumstances are to be disclosed in the
financial report.
A126. In some cases, management may not have appropriately responded
to significant risks of material misstatement by implementing
controls over these significant risks. Failure by management to
implement such controls is an indicator of a significant deficiency in
internal control.[14]
[12] See ASA 330, paragraphs 15 and 21.
[13] See ASA 240, paragraphs 25-27.
[14] See ASA 265 Communicating Deficiencies in Internal Control to Those Charged with
Governance and Management, paragraph A7.
Risks for Which Substantive Procedures Alone Do Not Provide Sufficient
Appropriate Audit Evidence (Ref: Para. 30)
A127. Risks of material misstatement may relate directly to the recording
of routine classes of transactions or account balances, and the
preparation of a reliable financial report. Such risks may include
risks of inaccurate or incomplete processing for routine and
significant classes of transactions such as an entity's revenue,
purchases, and cash receipts or cash payments.
A128. Where such routine business transactions are subject to highly
automated processing with little or no manual intervention, it may
not be possible to perform only substantive procedures in relation to
the risk. For example, the auditor may consider this to be the case in
circumstances where a significant amount of an entity's information
is initiated, recorded, processed, or reported only in electronic form
such as in an integrated system. In such cases:
• Audit evidence may be available only in electronic form,
and its sufficiency and appropriateness usually depend on
the effectiveness of controls over its accuracy and
completeness.
• The potential for improper initiation or alteration of
information to occur and not be detected may be greater if
appropriate controls are not operating effectively.
A129. The consequences for further audit procedures of identifying such
risks are described in ASA 330.[15]
Revision of Risk Assessment (Ref: Para. 31)
A130. During the audit, information may come to the auditor's attention
that differs significantly from the information on which the risk
assessment was based. For example, the risk assessment may be
based on an expectation that certain controls are operating
effectively. In performing tests of those controls, the auditor may
obtain audit evidence that they were not operating effectively at
relevant times during the audit. Similarly, in performing substantive
procedures the auditor may detect misstatements in amounts or
frequency greater than is consistent with the auditor's risk
assessments. In such circumstances, the risk assessment may not
appropriately reflect the true circumstances of the entity and the
further planned audit procedures may not be effective in detecting
material misstatements. See ASA 330 for further guidance.
[15] See ASA 330, paragraph 8.
Documentation (Ref: Para. 32)
A131. The manner in which the requirements of paragraph 32 are
documented is for the auditor to determine using professional
judgement. For example, in audits of small entities the
documentation may be incorporated in the auditor's documentation
of the overall strategy and audit plan.[16] Similarly, for example, the
results of the risk assessment may be documented separately, or may
be documented as part of the auditor's documentation of further
procedures.[17] The form and extent of the documentation is
influenced by the nature, size and complexity of the entity and its
internal control, availability of information from the entity and the
audit methodology and technology used in the course of the audit.
A132. For entities that have uncomplicated businesses and processes
relevant to financial reporting, the documentation may be simple in
form and relatively brief. It is not necessary to document the
entirety of the auditor's understanding of the entity and matters
related to it. Key elements of understanding documented by the
auditor include those on which the auditor based the assessment of
the risks of material misstatement.
A133. The extent of documentation may also reflect the experience and
capabilities of the members of the audit engagement team. Provided
the requirements of ASA 230 are always met, an audit undertaken by
an engagement team comprising less experienced individuals may
require more detailed documentation to assist them to obtain an
appropriate understanding of the entity than one that includes
experienced individuals.
A134. For recurring audits, certain documentation may be carried forward,
updated as necessary to reflect changes in the entity's business or
processes.
[16] See ASA 300 Planning an Audit of a Financial Report, paragraphs 7 and 9.
[17] See ASA 330, paragraph 28.
Conformity with International Standards on Auditing
This Auditing Standard conforms with International Standard on Auditing
ISA 315 Identifying and Assessing the Risks of Material Misstatement
through Understanding the Entity and its Environment, issued by the
International Auditing and Assurance Standards Board (IAASB), an
independent standard-setting board of the International Federation of
Accountants (IFAC).
Paragraphs that have been added to this Auditing Standard (and do not appear
in the text of the equivalent ISA) are identified with the prefix "Aus".
Compliance with this Auditing Standard enables compliance with ISA 315.
Compiled Auditing Standard ASA 315
Identifying and Assessing the Risks of Material Misstatement through
Understanding the Entity and Its Environment
Appendix 1
(Ref: Para. 4(c), 14-24 and A69-A104)
Internal Control Components
1. This appendix further explains the components of internal control, as
set out in paragraphs 4(c), 14-24 and A69-A104 as they relate to a
financial report audit.
Control Environment
2. The control environment encompasses the following elements:
(a) Communication and enforcement of integrity and ethical
values. The effectiveness of controls cannot rise above the
integrity and ethical values of the people who create,
administer, and monitor them. Integrity and ethical
behaviour are the product of the entity's ethical and
behavioural standards, how they are communicated, and
how they are reinforced in practice. The enforcement of
integrity and ethical values includes, for example,
management actions to eliminate or mitigate incentives or
temptations that might prompt personnel to engage in
dishonest, illegal, or unethical acts. The communication of
entity policies on integrity and ethical values may include
the communication of behavioural standards to personnel
through policy statements and codes of conduct and by
example.
(b) Commitment to competence. Competence is the
knowledge and skills necessary to accomplish tasks that
define the individual's job.
(c) Participation by those charged with governance. An
entity's control consciousness is influenced significantly by
those charged with governance. The importance of the
responsibilities of those charged with governance is
recognised in codes of practice and other laws and
regulations or guidance produced for the benefit of those
charged with governance. Other responsibilities of those
charged with governance include oversight of the design
and effective operation of whistle blower procedures and
the process for reviewing the effectiveness of the entity's
internal control.
(d) Management's philosophy and operating style.
Management's philosophy and operating style encompass a
broad range of characteristics. For example, management's
attitudes and actions toward financial reporting may
manifest themselves through conservative or aggressive
selection from available alternative accounting principles,
or conscientiousness and conservatism with which
accounting estimates are developed.
(e) Organisational structure. Establishing a relevant
organisational structure includes considering key areas of
authority and responsibility and appropriate lines of
reporting. The appropriateness of an entity's organisational
structure depends, in part, on its size and the nature of its
activities.
(f) Assignment of authority and responsibility. The
assignment of authority and responsibility may include
policies relating to appropriate business practices,
knowledge and experience of key personnel, and resources
provided for carrying out duties. In addition, it may include
policies and communications directed at ensuring that all
personnel understand the entity's objectives, know how
their individual actions interrelate and contribute to those
objectives, and recognise how and for what they will be
held accountable.
(g) Human resource policies and practices. Human resource
policies and practices often demonstrate important matters
in relation to the control consciousness of an entity. For
example, standards for recruiting the most qualified
individuals – with emphasis on educational background,
prior work experience, past accomplishments, and evidence
of integrity and ethical behaviour – demonstrate an entity's
commitment to competent and trustworthy people. Training
policies that communicate prospective roles and
responsibilities and include practices such as training
schools and seminars illustrate expected levels of
performance and behaviour. Promotions driven by periodic
performance appraisals demonstrate the entity's
commitment to the advancement of qualified personnel to
higher levels of responsibility.
Entity's Risk Assessment Process
3. For financial reporting purposes, the entity's risk assessment process
includes how management identifies business risks relevant to the
preparation of the financial report in accordance with the entity's
applicable financial reporting framework, estimates their
significance, assesses the likelihood of their occurrence, and decides
upon actions to respond to and manage them and the results thereof.
For example, the entity's risk assessment process may address how
the entity considers the possibility of unrecorded transactions or
identifies and analyses significant estimates recorded in the financial
report.
4. Risks relevant to reliable financial reporting include external and
internal events, transactions or circumstances that may occur and
adversely affect an entity's ability to initiate, record, process, and
report financial data consistent with the assertions of management in
the financial report. Management may initiate plans, programs, or
actions to address specific risks or it may decide to accept a risk
because of cost or other considerations. Risks can arise or change
due to circumstances such as the following:
• Changes in operating environment. Changes in the
regulatory or operating environment can result in changes
in competitive pressures and significantly different risks.
• New personnel. New personnel may have a different focus
on or understanding of internal control.
• New or revamped information systems. Significant and
rapid changes in information systems can change the risk
relating to internal control.
• Rapid growth. Significant and rapid expansion of
operations can strain controls and increase the risk of a
breakdown in controls.
• New technology. Incorporating new technologies into
production processes or information systems may change
the risk associated with internal control.
• New business models, products, or activities. Entering into
business areas or transactions with which an entity has little
experience may introduce new risks associated with internal
control.
• Corporate restructurings. Restructurings may be
accompanied by staff reductions and changes in supervision
and segregation of duties that may change the risk
associated with internal control.
• Expanded foreign operations. The expansion or acquisition
of foreign operations carries new and often unique risks that
may affect internal control, for example, additional or
changed risks from foreign currency transactions.
• New accounting pronouncements. Adoption of new
accounting principles or changing accounting principles
may affect risks in preparing the financial report.
Information System, Including the Related Business Processes, Relevant
to Financial Reporting, and Communication
5. An information system consists of infrastructure (physical and
hardware components), software, people, procedures, and data.
Many information systems make extensive use of information
technology (IT).
6. The information system relevant to financial reporting objectives,
which includes the financial reporting system, encompasses methods
and records that:
• Identify and record all valid transactions.
• Describe on a timely basis the transactions in sufficient
detail to permit proper classification of transactions for
financial reporting.
• Measure the value of transactions in a manner that permits
recording their proper monetary value in the financial
report.
• Determine the time period in which transactions occurred to
permit recording of transactions in the proper accounting
period.
• Present properly the transactions and related disclosures in
the financial report.
7. The quality of system-generated information affects management's
ability to make appropriate decisions in managing and controlling
the entity's activities and to prepare reliable financial reports.
8. Communication, which involves providing an understanding of
individual roles and responsibilities pertaining to internal control
over financial reporting, may take such forms as policy manuals,
accounting and financial reporting manuals, and memoranda.
Communication also can be made electronically, orally, and through
the actions of management.
Control Activities
9. Generally, control activities that may be relevant to an audit may be
categorised as policies and procedures that pertain to the following:
• Performance reviews. These control activities include
reviews and analyses of actual performance versus budgets,
forecasts, and prior period performance; relating different
sets of data – operating or financial – to one another,
together with analyses of the relationships and investigative
and corrective actions; comparing internal data with
external sources of information; and review of functional or
activity performance.
• Information processing. The two broad groupings of
information systems control activities are application
controls, which apply to the processing of individual
applications, and general IT-controls, which are policies
and procedures that relate to many applications and support
the effective functioning of application controls by helping
to ensure the continued proper operation of information
systems. Examples of application controls include
checking the arithmetical accuracy of records, maintaining
and reviewing accounts and trial balances, automated
controls such as edit checks of input data and numerical
sequence checks, and manual follow-up of exception
reports. Examples of general IT-controls are program
change controls, controls that restrict access to programs or
data, controls over the implementation of new releases of
packaged software applications, and controls over system
software that restrict access to or monitor the use of system
utilities that could change financial data or records without
leaving an audit trail.
• Physical controls. Controls that encompass:
◦ The physical security of assets, including
adequate safeguards such as secured facilities over
access to assets and records.
◦ The authorisation for access to computer
programs and data files.
◦ The periodic counting and comparison
with amounts shown on control records (for
example comparing the results of cash, security
and inventory counts with accounting records).
The extent to which physical controls intended to prevent
theft of assets are relevant to the reliability of financial
report preparation, and therefore the audit, depends on
circumstances such as when assets are highly susceptible to
misappropriation.
• Segregation of duties. Assigning different people the
responsibilities of authorising transactions, recording
transactions, and maintaining custody of assets.
Segregation of duties is intended to reduce the opportunities
to allow any person to be in a position to both perpetrate
and conceal errors or fraud in the normal course of the
person's duties.
10. Certain control activities may depend on the existence of appropriate
higher level policies established by management or those charged
with governance. For example, authorisation controls may be
delegated under established guidelines, such as investment criteria
set by those charged with governance; alternatively, non-routine
transactions such as major acquisitions or divestments may require
specific high level approval, including in some cases that of
shareholders.
Monitoring of Controls
11. An important management responsibility is to establish and maintain
internal control on an ongoing basis. Management's monitoring of
controls includes considering whether they are operating as intended
and that they are modified as appropriate for changes in conditions.
Monitoring of controls may include activities such as management's
review of whether bank reconciliations are being prepared on a
timely basis, internal auditors' evaluation of sales personnel's
compliance with the entity's policies on terms of sales contracts, and
a legal department's oversight of compliance with the entity's ethical
or business practice policies. Monitoring is done also to ensure that
controls continue to operate effectively over time. For example, if
the timeliness and accuracy of bank reconciliations are not
monitored, personnel are likely to stop preparing them.
12. Internal auditors or personnel performing similar functions may
contribute to the monitoring of an entity's controls through separate
evaluations. Ordinarily, they regularly provide information about
the functioning of internal control, focusing considerable attention
on evaluating the effectiveness of internal control, and communicate
information about strengths and deficiencies in internal control and
recommendations for improving internal control.
13. Monitoring activities may include using information from
communications from external parties that may indicate problems or
highlight areas in need of improvement. Customers implicitly
corroborate billing data by paying their invoices or complaining
about their charges. In addition, regulators may communicate with
the entity concerning matters that affect the functioning of internal
control, for example, communications concerning examinations by
bank regulatory agencies. Also, management may consider
communications relating to internal control from external auditors in
performing monitoring activities.
Appendix 2
(Ref: Para. A33 and A115)
Conditions and Events That May Indicate Risks of Material
Misstatement
The following are examples of conditions and events that may indicate the
existence of risks of material misstatement. The examples provided cover a
broad range of conditions and events; however, not all conditions and events
are relevant to every audit engagement and the list of examples is not
necessarily complete.
• Operations in regions that are economically unstable, for
example, countries with significant currency devaluation or highly
inflationary economies.
• Operations exposed to volatile markets, for example,
futures trading.
• Operations that are subject to a high degree of complex
regulation.
• Going concern and liquidity issues including loss of
significant customers.
• Constraints on the availability of capital and credit.
• Changes in the industry in which the entity operates.
• Changes in the supply chain.
• Developing or offering new products or services, or moving
into new lines of business.
• Expanding into new locations.
• Changes in the entity such as large acquisitions or
reorganisations or other unusual events.
• Entities or business segments likely to be sold.
• The existence of complex alliances and joint ventures.
• Use of off-balance-sheet finance, special-purpose entities,
and other complex financing arrangements.
• Significant transactions with related parties.
• Lack of personnel with appropriate accounting and
financial reporting skills.
• Changes in key personnel including departure of key
executives.
• Deficiencies in internal control, especially those not
addressed by management.
• Inconsistencies between the entity's IT strategy and its
business strategies.
• Changes in the IT environment.
• Installation of significant new IT systems related to
financial reporting.
• Enquiries into the entity's operations or financial results by
regulatory or government bodies.
• Past misstatements, history of errors or a significant amount
of adjustments at period end.
• Significant amount of non-routine or non-systematic
transactions including intercompany transactions and large revenue
transactions at period end.
• Transactions that are recorded based on management's
intent, for example, debt refinancing, assets to be sold and
classification of marketable securities.
• Application of new accounting pronouncements.
• Accounting measurements that involve complex processes.
• Events or transactions that involve significant measurement
uncertainty, including accounting estimates.
• Pending litigation and contingent liabilities, for example,
sales warranties, financial guarantees and environmental
remediation.