Requirements
Risk Assessment Procedures and Related Activities
5
The auditor shall perform risk assessment procedures to provide a basis for the identification and assessment of risks of material misstatement at the financial report and assertion levels. Risk assessment procedures by themselves, however, do not provide sufficient appropriate audit evidence on which to base the audit opinion. (Ref: Para. A1-A5)
6
The risk assessment procedures shall include the following:
- Enquiries of management, of appropriate individuals within the internal audit function (if the function exists) and of others within the entity who in the auditor’s judgement may have information that is likely to assist in identifying risks of material misstatement due to fraud or error. (Ref: Para. A6-A13)
- Analytical procedures. (Ref: Para. A14-A17)
- Observation and inspection. (Ref: Para. A18)
7
The auditor shall consider whether information obtained from the auditor’s client acceptance or continuance process is relevant to identifying risks of material misstatement.
8
If the engagement partner has performed other engagements for the entity, the engagement partner shall consider whether information obtained is relevant to identifying risks of material misstatement.
9
Where the auditor intends to use information obtained from the auditor’s previous experience with the entity and from audit procedures performed in previous audits, the auditor shall determine whether changes have occurred since the previous audit that may affect its relevance to the current audit. (Ref: Para. A19-A20)
10
The engagement partner and other key engagement team members shall discuss the susceptibility of the entity’s financial report to material misstatement, and the application of the applicable financial reporting framework to the entity’s facts and circumstances. The engagement partner shall determine which matters are to be communicated to engagement team members not involved in the discussion. (Ref: Para. A21-A24)
The Required Understanding of the Entity and its Environment, Including the Entity’s Internal Control
The Entity and Its Environment
11
The auditor shall obtain an understanding of the following:
- Relevant industry, regulatory, and other external factors and the applicable financial reporting framework. (Ref: Para. A25-A30)
- The nature of the entity, including:
- its operations;
- its ownership and governance structures;
- the types of investments that the entity is making and plans to make, including investments in special purpose entities; and
- the way that the entity is structured and how it is financed
to enable the auditor to understand the classes of transactions, account balances, and disclosures to be expected in the financial report. (Ref: Para. A31-A35)
- The entity’s selection and application of accounting policies, including the reasons for changes thereto. The auditor shall evaluate whether the entity’s accounting policies are appropriate for its business and consistent with the applicable financial reporting framework and accounting policies used in the relevant industry. (Ref: Para. A36)
- The entity’s objectives and strategies, and those related business risks that may result in risks of material misstatement. (Ref: Para. A37-A43)
- The measurement and review of the entity’s financial performance. (Ref: Para. A44-A49)
The Entity’s Internal Control
12
The auditor shall obtain an understanding of internal control relevant to the audit. Although most controls relevant to the audit are likely to relate to financial reporting, not all controls that relate to financial reporting are relevant to the audit. It is a matter of the auditor’s professional judgement whether a control, individually or in combination with others, is relevant to the audit. (Ref: Para. A50-A73)
Nature and Extent of the Understanding of Relevant Controls
13
When obtaining an understanding of controls that are relevant to the audit, the auditor shall evaluate the design of those controls and determine whether they have been implemented, by performing procedures in addition to enquiry of the entity’s personnel. (Ref: Para. A74-A76)
Components of Internal Control
Control environment
14
The auditor shall obtain an understanding of the control environment. As part of obtaining this understanding, the auditor shall evaluate whether:
- Management, with the oversight of those charged with governance, has created and maintained a culture of honesty and ethical behaviour; and
- The strengths in the control environment elements collectively provide an appropriate foundation for the other components of internal control, and whether those other components are not undermined by control environment weaknesses. (Ref: Para. A77-A87)
The entity’s risk assessment process
15
The auditor shall obtain an understanding of whether the entity has a process for:
- Identifying business risks relevant to financial reporting objectives;
- Estimating the significance of the risks;
- Assessing the likelihood of their occurrence; and
- Deciding about actions to address those risks. (Ref: Para. A88)
16
If the entity has established such a process (referred to hereafter as the “entity’s risk assessment process”), the auditor shall obtain an understanding of it, and the results thereof. If the auditor identifies risks of material misstatement that management failed to identify, the auditor shall evaluate whether there was an underlying risk of a kind that the auditor expects would have been identified by the entity’s risk assessment process. If there is such a risk, the auditor shall obtain an understanding of why that process failed to identify it, and evaluate whether the process is appropriate to its circumstances or determine if there is a significant deficiency in internal control with regard to the entity’s risk assessment process.
17
If the entity has not established such a process or has an ad hoc undocumented process, the auditor shall discuss with management whether business risks relevant to financial reporting objectives have been identified and how they have been addressed. The auditor shall evaluate whether the absence of a documented risk assessment process is appropriate in the circumstances, or determine whether it represents a significant deficiency in internal control. (Ref: Para. A89)
The information system, including the related business processes, relevant to financial reporting, and communication
18
The auditor shall obtain an understanding of the information system, including the related business processes, relevant to financial reporting, including the following areas: (Ref: Para. A90–A92)
- The classes of transactions in the entity’s operations that are significant to the financial report;
- The procedures, within both information technology (IT) and manual systems, by which those transactions are initiated, recorded, processed, corrected as necessary, transferred to the general ledger and reported in the financial report;
- The related accounting records, supporting information and specific accounts in the financial report that are used to initiate, record, process and report transactions; this includes the correction of incorrect information and how information is transferred to the general ledger. The records may be in either manual or electronic form;
- How the information system captures events and conditions, other than transactions, that are significant to the financial report;
- The financial reporting process used to prepare the entity’s financial report, including significant accounting estimates and disclosures; and
- Controls surrounding journal entries, including non standard journal entries used to record non recurring, unusual transactions or adjustments. (Ref: Para. A93-A94)
This understanding of the information system relevant to financial reporting shall include relevant aspects of that system relating to information disclosed in the financial report that is obtained from within or outside of the general and subsidiary ledgers.
19
The auditor shall obtain an understanding of how the entity communicates financial reporting roles and responsibilities and significant matters relating to financial reporting, including: (Ref: Para. A97-A98)
- Communications between management and those charged with governance; and
- External communications, such as those with regulatory authorities.
Control activities relevant to the audit
20
The auditor shall obtain an understanding of control activities relevant to the audit, being those the auditor judges it necessary to understand in order to assess the risks of material misstatement at the assertion level and design further audit procedures responsive to assessed risks. An audit does not require an understanding of all the control activities related to each significant class of transactions, account balance, and disclosure in the financial report or to every assertion relevant to them. (Ref: Para. A93-A106)
21
In understanding the entity’s control activities, the auditor shall obtain an understanding of how the entity has responded to risks arising from IT. (Ref: Para. A107-A109)
Monitoring of controls
22
The auditor shall obtain an understanding of the major activities that the entity uses to monitor internal control relevant to financial reporting, including those related to those control activities relevant to the audit, and how the entity initiates remedial actions to address deficiencies in its controls. (Ref: Para. A110-A112)
23
If the entity has an internal audit function,[1] the auditor shall obtain an understanding of the nature of the internal audit function’s responsibilities, its organisational status, and the activities performed, or to be performed. (Ref: Para. A113-A120)
See ASA 610 Using the Work of Internal Auditors, paragraph 14(a).
24
The auditor shall obtain an understanding of the sources of the information used in the entity’s monitoring activities, and the basis upon which management considers the information to be sufficiently reliable for the purpose. (Ref: Para. A121)
Identifying and Assessing the Risks of Material Misstatement
25
The auditor shall identify and assess the risks of material misstatement at:
- the financial report level; and (Ref: Para. A122-A125)
- the assertion level for classes of transactions, account balances, and disclosures (Ref: Para. A126-A131)
to provide a basis for designing and performing further audit procedures.
26
For this purpose, the auditor shall:
- Identify risks throughout the process of obtaining an understanding of the entity and its environment, including relevant controls that relate to the risks, and by considering the classes of transactions, account balances, and disclosures (including the quantitative or qualitative aspects of such disclosures) in the financial report; (Ref: Para. A132-A137)
- Assess the identified risks, and evaluate whether they relate more pervasively to the financial report as a whole and potentially affect many assertions;
- Relate the identified risks to what can go wrong at the assertion level, taking account of relevant controls that the auditor intends to test; and (Ref: Para. A138-A140)
- Consider the likelihood of misstatement, including the possibility of multiple misstatements, and whether the potential misstatement could result in a material misstatement. (Ref: Para. A137)
Risks that Require Special Audit Consideration
27
As part of the risk assessment as described in paragraph 25 of this Auditing Standard, the auditor shall determine whether any of the risks identified are, in the auditor’s judgement, a significant risk. In exercising this judgement, the auditor shall exclude the effects of identified controls related to the risk.
28
In exercising judgement as to which risks are significant risks, the auditor shall consider at least the following:
- Whether the risk is a risk of fraud;
- Whether the risk is related to recent significant economic, accounting or other developments and, therefore, requires specific attention;
- The complexity of transactions;
- Whether the risk involves significant transactions with related parties;
- The degree of subjectivity in the measurement of financial information related to the risk, especially those measurements involving a wide range of measurement uncertainty; and
- Whether the risk involves significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual. (Ref: Para. A141-A145)
29
If the auditor has determined that a significant risk exists, the auditor shall obtain an understanding of the entity’s controls, including control activities, relevant to that risk. (Ref: Para. A146-A148)
Risks for Which Substantive Procedures Alone Do Not Provide Sufficient Appropriate Audit Evidence
30
In respect of some risks, the auditor may judge that it is not possible or practicable to obtain sufficient appropriate audit evidence only from substantive procedures. Such risks may relate to the inaccurate or incomplete recording of routine and significant classes of transactions or account balances, the characteristics of which often permit highly automated processing with little or no manual intervention. In such cases, the entity’s controls over such risks are relevant to the audit and the auditor shall obtain an understanding of them. (Ref: Para. A149-A151)
Revision of Risk Assessment
31
The auditor’s assessment of the risks of material misstatement at the assertion level may change during the course of the audit as additional audit evidence is obtained. In circumstances where the auditor obtains audit evidence from performing further audit procedures, or if new information is obtained, either of which is inconsistent with the audit evidence on which the auditor originally based the assessment, the auditor shall revise the assessment and modify the further planned audit procedures accordingly. (Ref: Para. A152)
Documentation
32
The auditor shall include in the audit documentation:[2]
- The discussion among the engagement team where required by paragraph 10 of this Auditing Standard, and the significant decisions reached;
- Key elements of the understanding obtained regarding each of the aspects of the entity and its environment specified in paragraph 11 of this Auditing Standard and of each of the internal control components specified in paragraphs 14-24 of this Auditing Standard; the sources of information from which the understanding was obtained; and the risk assessment procedures performed;
- The identified and assessed risks of material misstatement at the financial report level and at the assertion level as required by paragraph 25 of this Auditing Standard; and
- The risks identified, and related controls about which the auditor has obtained an understanding, as a result of the requirements in paragraphs 27-30 of this Auditing Standard. (Ref: Para. A153-A156)
See ASA 230 Audit Documentation, paragraphs 8-11 and paragraph A6.