Scope of this ISA
This International Standard on Auditing (ISA) deals with the auditor’s responsibility to identify and assess the risks of material misstatement in the financial statements, through understanding the entity and its environment, including the entity’s internal control.
For purposes of the ISAs, the following terms have the meanings attributed below:
Assertions – Representations by management, explicit or otherwise, that are embodied in the financial statements, as used by the auditor to consider the different types of potential misstatements that may occur.
Business risk – A risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies.
Internal control – The process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or more of the components of internal control.
Risk assessment procedures – The audit procedures performed to obtain an understanding of the entity and its environment, including the entity’s internal control, to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels.
Significant risk – An identified and assessed risk of material misstatement that, in the auditor’s judgment, requires special audit consideration.
Requirements
Risk Assessment Procedures and Related Activities
The auditor shall perform risk assessment procedures to provide a basis for the identification and assessment of risks of material misstatement at the financial statement and assertion levels. Risk assessment procedures by themselves, however, do not provide sufficient appropriate audit evidence on which to base the audit opinion. The risk assessment procedures shall include the following:
(a) Inquiries of management and of others within the entity who in the auditor’s judgment may have information that is likely to assist in identifying risks of material misstatement due to fraud or error.
(b) Analytical procedures.
(c) Observation and inspection.
The Required Understanding of the Entity and Its Environment, Including the Entity’s Internal Control
The Entity and Its Environment
Examples of matters that the auditor may consider when obtaining an understanding of the nature of the entity include:
• Business operations such as:
Nature of revenue sources, products or services, and markets, including involvement in electronic commerce such as Internet sales and marketing activities.
Conduct of operations (for example, stages and methods of production, or activities exposed to environmental risks).
Alliances, joint ventures, and outsourcing activities.
Geographic dispersion and industry segmentation.
Location of production facilities, warehouses, and offices, and location and quantities of inventories.
Key customers and important suppliers of goods and services, employment arrangements (including the existence of union contracts, pension and other post-employment benefits, stock option or incentive bonus arrangements, and government regulation related to employment matters).
The Entity’s Internal Control
The auditor shall obtain an understanding of internal control relevant to the audit. Although most controls relevant to the audit are likely to relate to financial reporting, not all controls that relate to financial reporting are relevant to the audit. It is a matter of the auditor’s professional judgment whether a control, individually or in combination with others, is relevant to the audit.
Nature and Extent of the Understanding of Relevant Controls
When obtaining an understanding of controls that are relevant to the audit, the auditor shall evaluate the design of those controls and determine whether they have been implemented, by performing procedures in addition to inquiry of the entity’s personnel.
Components of Internal Control
The auditor shall obtain an understanding of the control environment. As part of obtaining this understanding, the auditor shall evaluate whether:
(a) Management, with the oversight of those charged with governance, has created and maintained a culture of honesty and ethical behavior; and
(b) The strengths in the control environment elements collectively provide an appropriate foundation for the other components of internal control, and whether those other components are not undermined by deficiencies in the control environment.
The entity’s risk assessment process
The auditor shall obtain an understanding of whether the entity has a process for:
(a) Identifying business risks relevant to financial reporting objectives;
(b) Estimating the significance of the risks;
(c) Assessing the likelihood of their occurrence; and
(d) Deciding about actions to address those risks.
The auditor shall obtain an understanding of the information system, including the related business processes, relevant to financial reporting, including the following areas:
(a) The classes of transactions in the entity’s operations that are significant to the financial statements;
(b) The procedures, within both information technology (IT) and manual systems, by which those transactions are initiated, recorded, processed, corrected as necessary, transferred to the general ledger and reported in the financial statements;
(c) The related accounting records, supporting information and specific accounts in the financial statements that are used to initiate, record, process and report transactions; this includes the correction of incorrect information and how information is transferred to the general ledger. The records may be in either manual or electronic form;
(d) How the information system captures events and conditions, other than transactions, that are significant to the financial statements;
(e) The financial reporting process used to prepare the entity’s financial statements, including significant accounting estimates and disclosures; and
(f) Controls surrounding journal entries, including non-standard journal entries used to record non-recurring, unusual transactions or adjustments.
Monitoring of controls
The auditor shall obtain an understanding of the major activities that the entity uses to monitor internal control over financial reporting, including those related to those control activities relevant to the audit, and how the entity initiates remedial actions to deficiencies in its controls.
If the entity has an internal audit function, the auditor shall obtain an understanding of the following in order to determine whether the internal audit function is likely to be relevant to the audit:
(a) The nature of the internal audit function’s responsibilities and how the internal audit function fits in the entity’s organizational structure; and
(b) The activities performed, or to be performed, by the internal audit function.
The auditor shall obtain an understanding of the sources of the information used in the entity’s monitoring activities, and the basis upon which management considers the information to be sufficiently reliable for the purpose.
Risks That Require Special Audit Consideration
As part of the risk assessment, the auditor shall determine whether any of the risks identified are, in the auditor’s judgment, a significant risk. In exercising this judgment, the auditor shall exclude the effects of identified controls related to the risk.
In exercising judgment as to which risks are significant risks, the auditor shall consider at least the following:
(a) Whether the risk is a risk of fraud;
(b) Whether the risk is related to recent significant economic, accounting or other developments and, therefore, requires specific attention;
(c) The complexity of transactions;
(d) Whether the risk involves significant transactions with related parties;
(e) The degree of subjectivity in the measurement of financial information related to the risk, especially those measurements involving a wide range of measurement uncertainty; and
(f) Whether the risk involves significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual.
The auditor shall include in the audit documentation:
(a) The discussion among the engagement team and the significant decisions reached;
(b) Key elements of the understanding obtained regarding each of the aspects of the entity and its environment and of each of the internal control components; the sources of information from which the understanding was obtained; and the risk assessment procedures performed;
(c) The identified and assessed risks of material misstatement at the financial statement level and at the assertion level; and
(d) The risks identified, and related controls about which the auditor has obtained an understanding, as a result of the requirements in paragraphs