Risk assessment procedures are performed to obtain an understanding of the entity and
its environment, including the entity’s internal control, to identify and assess the risks of
material misstatement, whether due to fraud or error, at the financial statement and
assertion levels.
1. Inquiries of management and of others within the entity who in the auditor’s
judgment may have information that is likely to
assist in identifying risks of material misstatement due to fraud or error.
2. Analytical procedures
As defined in PSA 315, business risk is “a risk resulting from significant conditions,
events, circumstances, actions or inactions that could adversely affect an entity’s ability
to achieve its objectives and execute its strategies, or from the setting of inappropriate
objectives and strategies.”
The auditor does not have a responsibility to identify or assess all business risks facing
the entity because not all business risks give rise to risks of material misstatement.
2. “Control risk” is the risk that a misstatement that could occur in an account
balance or class of transactions that could be
material, individually or when aggregated with other misstatements in other
balances or classes, will not be prevented, or
detected and corrected, on a timely basis, by the accounting and internal control
systems.
3. “Detection risk” is the risk that an auditor’s substantive procedures will not detect
a misstatement that exists in an account
balance or class of transactions that could be material, individually or when
aggregated with misstatements in other balances or classes.
The acceptable level of detection risk is a function of the desired level of overall audit
risk and the assessed levels of inherent risk and control risk. Hence, detection risk can
be changed at the discretion of the auditor. However, it should be emphasized that the
auditor’s preliminary assessments of inherent risk and control risk may change as the
audit work continues.
An audit conducted in accordance with PSAs provides only reasonable, not absolute,
assurance that the financial statements are free of material misstatement, whether
caused by error or fraud.
An auditor assesses control risk by considering internal control. There exists an inverse
relationship between control risk and detection risk – that is, the greater (lower) the
assessed level of control risk, the lower (greater) the acceptable level of detection risk.
The acceptable level of detection risk, in turn, affects substantive testing. As the
acceptable level of detection risk decreases, the auditor changes the nature, timing, and
extent of substantive tests to increase the assurance they provide. Therefore, there is
an inverse relationship between the acceptable level of detection risk and substantive
testing.
According to the standard, the auditor should consider the assessed levels of inherent
and control risks in determining the nature, timing, and extent of substantive procedures
required to reduce audit risk to an acceptable level.
The opinion paragraph of the auditor’s report explicitly refers to materiality. By stating
that the financial statements are presented fairly, in all material respects, in conformity
with an applicable financial reporting framework, the auditor is of the opinion that the
financial statements are not materially misstated.
The standard states that regardless of the assessed levels of inherent and control risks,
the auditor should perform some substantive procedures for material account balances
and classes of transactions.
PSA 315 states that internal control is designed and implemented to achieve the entity’s
objectives with regard to:
Control activities
Monitoring of controls
b. Commitment to competence
e. Organizational structure
Controls that are relevant to a financial statement audit pertain to the entity’s objective
of preparing financial statements for external purposes and the management of risk that
may give rise to a material misstatement in those financial statements.
PSA 315 states that the entity’s risk assessment process forms the basis for how
management determines the risks to be managed.
It is important to note that for financial reporting purposes, an entity’s risk assessment
process includes how management identifies risks relevant to the preparation of
financial statements, estimates their significance, assesses the likelihood of their
occurrence, and decides upon actions to manage them.
General IT controls are policies and procedures that relate to many applications and
support the effective functioning of application controls. General IT controls commonly
include controls over the following:
c. Program change
Process
Application controls relate to procedures used to initiate, record, process and report
transactions or other financial data. Manual follow-up of exception reports is an example
of application controls.
According to the standard, ongoing monitoring activities are built into the normal recurring
activities of an entity and include regular management supervisory activities, such as
reviewing the purchasing function.
Control activities are the policies and procedures that help ensure management
directives are carried out. They are intended to ensure that necessary actions are taken
to address risks that threaten the achievement of the entity’s objectives. Control
activities have various objectives and are applied at various organizational and
functional levels. Specific control activities include those that relate to:
Authorization
Performance reviews
Information processing
Physical controls
Segregation of duties
An internal audit function is part of the monitoring component of internal control.
According to PSA 315, “Internal control is the process designed, implemented
and maintained by those charged with governance, management and other
personnel to provide reasonable assurance about the achievement of the entity’s
objectives with regard to reliability of financial reporting, effectiveness and
efficiency of operations, and compliance with applicable laws and regulations.”
An effective internal control system reduces the need for management to spend
time reviewing exception reports on a day-to-day basis. An entity’s internal
control system, if working effectively, should prevent as well as detect and correct
exceptions.
Controls that are relevant to an audit pertain to the entity’s objective of preparing
financial statements for external purposes that are fairly presented in accordance
with an applicable financial reporting framework.
Because of inherent limitations of any system of internal control, even the most
effective internal control cannot guarantee the elimination of employee fraud.
Internal controls should be designed to prevent, or detect and correct, material
errors or fraud within a timely period by employees in the normal course of their
assigned duties.
The cost-benefit relationship is a primary criterion in designing internal control –
that is, the cost of a control should not exceed its benefits. Because it is
impossible to precisely measure the costs and benefits of internal control, both
quantitative and qualitative estimates and judgments are used by management to
evaluate the relationship.
A proper segregation of duties requires that one person should not be
responsible for all phases of a transaction: authorization, recording, and
custodianship of the related assets. Separate individuals should perform these
incompatible duties to reduce the opportunity for any person to be in a position to
both perpetrate and conceal errors or fraud in the normal course of his/her
duties.
The performance of incompatible functions is not an inherent limitation of internal
control but a failure to segregate functional responsibilities properly.
d. How the information system captures events and conditions, other than classes
of transactions, that are significant to the
financial statements
e. The financial reporting process used to prepare the entity’s financial statements,
including significant accounting estimates and
disclosures.
Understanding the entity’s internal control system is a matter that should be considered
by an auditor in developing the overall audit strategy.
PSA 315 states that the auditor’s understanding of internal control may raise doubts
about the auditability of an entity’s financial statements.
Concerns about the integrity of the entity’s management may be so serious as to cause
the auditor to conclude that the risk of management misrepresentation in the financial
statements is such that an audit cannot be conducted.
Also, concerns about the condition and reliability of an entity’s records may cause the
auditor to conclude that it is unlikely that sufficient appropriate audit evidence will be
available to support an unqualified opinion on the financial statements. In such
circumstances, the auditor considers a qualification or disclaimer of opinion, but in some
cases, the auditor’s only recourse may be to withdraw from the engagement.
The auditor should obtain a sufficient understanding of internal control to assess the
risks of material misstatement. The understanding includes knowledge about the design
of relevant controls and whether they have been implemented, i.e., whether they have
been placed in operation. Though the auditor may become aware of material
weaknesses in internal control, he/she is not required to search for such internal control
weaknesses or deficiencies. A financial statement audit is not designed to determine the
adequacy of internal control for management purposes.
Under PSA 330 (The Auditor’s Responses to Assessed Risks), the auditor should
perform tests of controls when his/her assessment of risks of material misstatement at
the assertion level includes an expectation that controls are operating effectively or
when substantive procedures alone do not provide sufficient appropriate evidence to
reduce the risks of material misstatement at the assertion level.
The auditor performs tests of controls to obtain assurance about the operating
effectiveness of controls. Testing the operating effectiveness of controls includes
obtaining audit evidence about:
1. How controls were applied at relevant times during the period under audit,
The auditor is required to document in the audit working papers the understanding
obtained of the entity’s internal control and the assessment of control risk. When control
risk is assessed at less than maximum, the auditor should also document the basis for
the conclusion.
“If you want something you’ve never had before, then you’ve got to do
something you’ve never done before.”