Appendices

Includes: Considerations for Understanding the Entity and its Business Model, Understanding Inherent Risk Factors, Understanding the Entity’s System of Internal Control, Considerations for Understanding an Entity’s Internal Audit Function, Considerations for Understanding Information Technology (IT), Considerations for Understanding General IT Controls

Considerations for Understanding the Entity and its Business Model

Appendix 1

This appendix explains the objectives and scope of the entity’s business model and provides examples of matters that the auditor may consider in understanding the activities of the entity that may be included in the business model. The auditor’s understanding of the entity’s business model, and how it is affected by its business strategy and business objectives, may assist the auditor in identifying business risks that may have an effect on the financial report. In addition, this may assist the auditor in identifying risks of material misstatement.

Objectives and Scope of an Entity’s Business Model

  1. An entity’s business model describes how an entity considers, for example, its organisational structure, operations or scope of activities, business lines (including competitors and customers thereof), processes, growth opportunities, globalization, regulatory requirements and technologies. The entity’s business model describes how the entity creates, preserves and captures financial or broader value, for its stakeholders.
  2. Strategies are the approaches by which management plans to achieve the entity’s objectives, including how the entity plans to address the risks and opportunities that it faces. An entity’s strategies are changed over time by management, to respond to changes in its objectives and in the internal and external circumstances in which it operates.
  3. A description of a business model typically includes:
    • The scope of the entity’s activities, and why it does them.
    • The entity’s structure and scale of its operations.
    • The markets or geographical or demographic spheres, and parts of the value chain, in which it operates, how it engages with those markets or spheres (main products, customer segments and distribution methods), and the basis on which it competes.
    • The entity’s business or operating processes (e.g., investment, financing and operating processes) employed in performing its activities, focusing on those parts of the business processes that are important in creating, preserving or capturing value.
    • The resources (e.g., financial, human, intellectual, environmental and technological) and other inputs and relationships (e.g., customers, competitors, suppliers and employees) that are necessary or important to its success.
    • How the entity’s business model integrates the use of IT in its interactions with customers, suppliers, lenders and other stakeholders through IT interfaces and other technologies.
  4.  A business risk may have an immediate consequence for the risk of material misstatement for classes of transactions, account balances, and disclosures at the assertion level or the financial report level. For example, the business risk arising from a significant fall in real estate market values may increase the risk of material misstatement associated with the valuation assertion for a lender of medium-term real estate backed loans. However, the same risk, particularly in combination with a severe economic downturn that concurrently increases the underlying risk of lifetime credit losses on its loans, may also have a longer-term consequence. The resulting net exposure to credit losses may cast significant doubt on the entity’s ability to continue as a going concern. If so, this could have implications for management’s, and the auditor’s, conclusion as to the appropriateness of the entity’s use of the going concern basis of accounting, and determination as to whether a material uncertainty exists. Whether a business risk may result in a risk of material misstatement is, therefore, considered in light of the entity’s circumstances. Examples of events and conditions that may give rise to the existence of risks of material misstatement are indicated in Appendix 2.

Activities of the Entity

  1. Examples of matters that the auditor may consider when obtaining an understanding of the activities of the entity (included in the entity’s business model) include:
  • Business operations such as:
    • Nature of revenue sources, products or services, and markets, including involvement in electronic commerce such as Internet sales and marketing activities.
    • Conduct of operations (for example, stages and methods of production, or activities exposed to environmental risks).
    • Alliances, joint ventures, and outsourcing activities.
    • Geographic dispersion and industry segmentation.
    • Location of production facilities, warehouses, and offices, and location and quantities of inventories.
    • Key customers and important suppliers of goods and services, employment arrangements (including the existence of union contracts, superannuation and other post-employment benefits, stock option or incentive bonus arrangements, and government regulation related to employment matters).
    • Research and development activities and expenditures.
    • Transactions with related parties.
  • Investments and investment activities such as:
    • Planned or recently executed acquisitions or divestitures.
    • Investments and dispositions of securities and loans.
    • Capital investment activities.
    • Investments in non-consolidated entities, including non-controlled partnerships, joint ventures and non-controlled special-purpose entities.
  • Financing and financing activities such as:
    • Ownership structure of major subsidiaries and associated entities, including consolidated and non-consolidated structures.
    • Debt structure and related terms, including off-balance-sheet financing arrangements and leasing arrangements.
    • Beneficial owners (for example, local, foreign, business reputation and experience) and related parties.
    • Use of derivative financial instruments.

Nature of Special-Purpose Entities

  1. A special-purpose entity (sometimes referred to as a special-purpose vehicle) is an entity that is generally established for a narrow and well-defined purpose, such as to effect a lease or a securitisation of financial assets, or to carry out research and development activities. It may take the form of a corporation, trust, partnership or unincorporated entity. The entity on behalf of which the special-purpose entity has been created may often transfer assets to the latter (for example, as part of a derecognition transaction involving financial assets), obtain the right to use the latter’s assets, or perform services for the latter, while other parties may provide the funding to the latter. As ASA 550 indicates, in some circumstances, a special-purpose entity may be a related party of the entity.[70]
  2. Financial reporting frameworks often specify detailed conditions that are deemed to amount to control, or circumstances under which the special-purpose entity should be considered for consolidation. The interpretation of the requirements of such frameworks often demands a detailed knowledge of the relevant agreements involving the special-purpose entity.

Understanding Inherent Risk Factors

Appendix 2

This appendix provides further explanation about the inherent risk factors, as well as matters that the auditor may consider in understanding and applying the inherent risk factors in identifying and assessing the risks of material misstatement at the assertion level.

The Inherent Risk Factors

  1. Inherent risk factors are characteristics of events or conditions that affect susceptibility of an assertion about a class of transactions, account balance or disclosure, to misstatement, whether due to fraud or error, and before consideration of controls. Such factors may be qualitative or quantitative, and include complexity, subjectivity, change, uncertainty or susceptibility to misstatement due to management bias or other fraud risk factors[71] insofar as they affect inherent risk. In obtaining the understanding of the entity and its environment, and the applicable financial reporting framework and the entity’s accounting policies, in accordance with paragraphs 19(a)‒(b), the auditor also understands how inherent risk factors affect susceptibility of assertions to misstatement in the preparation of the financial report.
  2. Inherent risk factors relating to the preparation of information required by the applicable financial reporting framework (referred to in this paragraph as “required information”) include:
    • Complexity―arises either from the nature of the information or in the way that the required information is prepared, including when such preparation processes are more inherently difficult to apply. For example, complexity may arise:
      • In calculating supplier rebate provisions because it may be necessary to take into account different commercial terms with many different suppliers, or many interrelated commercial terms that are all relevant in calculating the rebates due; or
      • When there are many potential data sources, with different characteristics used in making an accounting estimate, the processing of that data involves many inter-related steps, and the data is therefore inherently more difficult to identify, capture, access, understand or process.
    • Subjectivity―arises from inherent limitations in the ability to prepare required information in an objective manner, due to limitations in the availability of knowledge or information, such that management may need to make an election or subjective judgement about the appropriate approach to take and about the resulting information to include in the financial report. Because of different approaches to preparing the required information, different outcomes could result from appropriately applying the requirements of the applicable financial reporting framework. As limitations in knowledge or data increase, the subjectivity in the judgements that could be made by reasonably knowledgeable and independent individuals, and the diversity in possible outcomes of those judgements, will also increase.
    • Change―results from events or conditions that, over time, affect the entity’s business or the economic, accounting, regulatory, industry or other aspects of the environment in which it operates, when the effects of those events or conditions are reflected in the required information. Such events or conditions may occur during, or between, financial reporting periods. For example, change may result from developments in the requirements of the applicable financial reporting framework, or in the entity and its business model, or in the environment in which the entity operates. Such change may affect management’s assumptions and judgements, including as they relate to management’s selection of accounting policies or how accounting estimates are made or related disclosures are determined.
    • Uncertainty―arises when the required information cannot be prepared based only on sufficiently precise and comprehensive data that is verifiable through direct observation. In these circumstances, an approach may need to be taken that applies the available knowledge to prepare the information using sufficiently precise and comprehensive observable data, to the extent available, and reasonable assumptions supported by the most appropriate available data, when it is not. Constraints on the availability of knowledge or data, which are not within the control of management (subject to cost constraints where applicable) are sources of uncertainty and their effect on the preparation of the required information cannot be eliminated. For example, estimation uncertainty arises when the required monetary amount cannot be determined with precision and the outcome of the estimate is not known before the date the financial report is finalised.
    • Susceptibility to misstatement due to management bias or other fraud risk factors insofar as they affect inherent risk―susceptibility to management bias results from conditions that create susceptibility to intentional or unintentional failure by management to maintain neutrality in preparing the information. Management bias is often associated with certain conditions that have the potential to give rise to management not maintaining neutrality in exercising judgement (indicators of potential management bias), which could lead to a material misstatement of the information that would be fraudulent if intentional. Such indicators include incentives or pressures insofar as they affect inherent risk (for example, as a result of motivation to achieve a desired result, such as a desired profit target or capital ratio), and opportunity, not to maintain neutrality. Factors relevant to the susceptibility to misstatement due to fraud in the form of fraudulent financial reporting or misappropriation of assets are described in paragraphs A1 to A5 of ASA 240.
  3. When complexity is an inherent risk factor, there may be an inherent need for more complex processes in preparing the information, and such processes may be inherently more difficult to apply. As a result, applying them may require specialised skills or knowledge, and may require the use of a management’s expert.
  4. When management judgement is more subjective, the susceptibility to misstatement due to management bias, whether unintentional or intentional, may also increase. For example, significant management judgement may be involved in making accounting estimates that have been identified as having high estimation uncertainty, and conclusions regarding methods, data and assumptions may reflect unintentional or intentional management bias.

Examples of Events or Conditions that May Give Rise to the Existence of Risks of Material Misstatement

  1. The following are examples of events (including transactions) and conditions that may indicate the existence of risks of material misstatement in the financial report, at the financial report level or the assertion level. The examples provided by inherent risk factor cover a broad range of events and conditions; however, not all events and conditions are relevant to every audit engagement and the list of examples is not necessarily complete. The events and conditions have been categorised by the inherent risk factor that may have the greatest effect in the circumstances. Importantly, due to the interrelationships among inherent risk factors, the example events and conditions also are likely to be subject to, or affected by, other inherent risk factors to varying degrees.

Relevant Inherent Risk Factor: Examples of Events or Conditions That May Indicate the Existence of Risks of Material Misstatement at the Assertion Level

Complexity

Regulatory:

  • Operations that are subject to a high degree of complex regulation.

Business model:

  • The existence of complex alliances and joint ventures.

Applicable financial reporting framework:

  • Accounting measurements that involve complex processes.

Transactions:

  • Use of off-balance sheet finance, special-purpose entities, and other complex financing arrangements.

Subjectivity

Applicable financial reporting framework:

  • A wide range of possible measurement criteria of an accounting estimate. For example, management’s recognition of depreciation or construction income and expenses.
  • Management’s selection of a valuation technique or model for a noncurrent asset, such as investment properties.

Change

Economic conditions:

  • Operations in regions that are economically unstable, for example, countries with significant currency devaluation or highly inflationary economies.

Markets:

  • Operations exposed to volatile markets, for example, futures trading.

Customer loss:

  • Going concern and liquidity issues including loss of significant customers.

Industry model:

  • Changes in the industry in which the entity operates.

Business model:

  • Changes in the supply chain.
  • Developing or offering new products or services, or moving into new lines of business.

Geography:

  • Expanding into new locations.

Entity structure:

  • Changes in the entity such as large acquisitions or reorganisations or other unusual events.
  • Entities or business segments likely to be sold.

Human resources competence:

  • Changes in key personnel including departure of key executives.

IT:

  • Changes in the IT environment.
  • Installation of significant new IT systems related to financial reporting.

Applicable financial reporting framework:

  • Application of new accounting pronouncements.

Capital:

  • New constraints on the availability of capital and credit.

Regulatory:

  • Inception of investigations into the entity’s operations or financial results by regulatory or government bodies.
  • Impact of new legislation related to environmental protection.

Uncertainty

Reporting:

  • Events or transactions that involve significant measurement uncertainty, including accounting estimates, and related disclosures.
  • Pending litigation and contingent liabilities, for example, sales warranties, financial guarantees and environmental remediation.

Susceptibility to misstatement due to management bias or other fraud risk factors insofar as they affect inherent risk

Reporting:

  • Opportunities for management and employees to engage in fraudulent financial reporting, including omission, or obscuring, of significant information in disclosures.

Transactions:

  • Significant transactions with related parties.
  • Significant amount of non-routine or non-systematic transactions including intercompany transactions and large revenue transactions at period end.
  • Transactions that are recorded based on management’s intent, for example, debt refinancing, assets to be sold and classification of marketable securities.

Other events or conditions that may indicate risks of material misstatement at the financial report level:

  • Lack of personnel with appropriate accounting and financial reporting skills.
  • Control deficiencies – particularly in the control environment, risk assessment process and process for monitoring, and especially those not addressed by management.
  • Past misstatements, history of errors or a significant amount of adjustments at period end.

Understanding the Entity’s System of Internal Control

Appendix 3

  1. The entity’s system of internal control may be reflected in policy and procedures manuals, systems and forms, and the information embedded therein, and is effected by people. The entity’s system of internal control is implemented by management, those charged with governance, and other personnel based on the structure of the entity. The entity’s system of internal control can be applied, based on the decisions of management, those charged with governance or other personnel and in the context of legal or regulatory requirements, to the operating model of the entity, the legal entity structure, or a combination of these.
  2. This appendix further explains the components of, as well as the limitations of, the entity’s system of internal control as set out in paragraphs 12(m), 21–26, and A90–A181, as they relate to a financial report audit.
  3. Included within the entity’s system of internal control are aspects that relate to the entity’s reporting objectives, including its financial reporting objectives, but it may also include aspects that relate to its operations or compliance objectives, when such aspects are relevant to financial reporting.

Example:

Controls over compliance with laws and regulations may be relevant to financial reporting when such controls are relevant to the entity’s preparation of disclosures of contingencies in the financial report.

Components of the Entity’s System of Internal Control

Control Environment

  1. The control environment includes the governance and management functions and the attitudes, awareness, and actions of those charged with governance and management concerning the entity’s system of internal control, and its importance in the entity. The control environment sets the tone of an organisation, influencing the control consciousness of its people, and provides the overall foundation for the operation of the other components of the entity’s system of internal control.
  2. An entity’s control consciousness is influenced by those charged with governance, because one of their roles is to counterbalance pressures on management in relation to financial reporting that may arise from market demands or remuneration schemes. The effectiveness of the design of the control environment in relation to participation by those charged with governance is therefore influenced by such matters as:
    • Their independence from management and their ability to evaluate the actions of management.
    • Whether they understand the entity’s business transactions.
    • The extent to which they evaluate whether the financial report is prepared in accordance with the applicable financial reporting framework, including whether the financial report includes adequate disclosures.
  3. The control environment encompasses the following elements:
    1. How management’s responsibilities are carried out, such as creating and maintaining the entity’s culture and demonstrating management’s commitment to integrity and ethical values. The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them. Integrity and ethical behaviour are the product of the entity’s ethical and behavioural standards or codes of conduct, how they are communicated (e.g., through policy statements), and how they are reinforced in practice (e.g., through management actions to eliminate or mitigate incentives or temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts). The communication of entity policies on integrity and ethical values may include the communication of behavioural standards to personnel through policy statements and codes of conduct and by example.
    2. When those charged with governance are separate from management, how those charged with governance demonstrate independence from management and exercise oversight of the entity’s system of internal control. An entity’s control consciousness is influenced by those charged with governance. Considerations may include whether there are sufficient individuals who are independent from management and objective in their evaluations and decision-making; how those charged with governance identify and accept oversight responsibilities and whether those charged with governance retain oversight responsibility for management’s design, implementation and conduct of the entity’s system of internal control. The importance of the responsibilities of those charged with governance is recognised in codes of practice and other laws and regulations or guidance produced for the benefit of those charged with governance. Other responsibilities of those charged with governance include oversight of the design and effective operation of whistle blower procedures.
    3. How the entity assigns authority and responsibility in pursuit of its objectives. This may include considerations about:
      • Key areas of authority and responsibility and appropriate lines of reporting;
      • Policies relating to appropriate business practices, knowledge and experience of key personnel, and resources provided for carrying out duties; and
      • Policies and communications directed at ensuring that all personnel understand the entity’s objectives, know how their individual actions interrelate and contribute to those objectives, and recognise how and for what they will be held accountable.
    4. How the entity attracts, develops, and retains competent individuals in alignment with its objectives. This includes how the entity ensures the individuals have the knowledge and skills necessary to accomplish the tasks that define the individual’s job, such as:
      • Standards for recruiting the most qualified individuals – with an emphasis on educational background, prior work experience, past accomplishments, and evidence of integrity and ethical behaviour.
      • Training policies that communicate prospective roles and responsibilities, including practices such as training schools and seminars that illustrate expected levels of performance and behaviour; and
      • Periodic performance appraisals driving promotions that demonstrate the entity’s commitment to the advancement of qualified personnel to higher levels of responsibility.
    5. How the entity holds individuals accountable for their responsibilities in pursuit of the objectives of the entity’s system of internal control. This may be accomplished through, for example:
      • Mechanisms to communicate and hold individuals accountable for performance of controls responsibilities and implement corrective actions as necessary;
      • Establishing performance measures, incentives and rewards for those responsible for the entity’s system of internal control, including how the measures are evaluated and maintain their relevance;
      • How pressures associated with the achievement of control objectives impact the individual’s responsibilities and performance measures; and
      • How the individuals are disciplined as necessary.
  4. The appropriateness of the above matters will be different for every entity depending on its size, the complexity of its structure and the nature of its activities.

The Entity’s Risk Assessment Process

  1. The entity’s risk assessment process is an iterative process for identifying and analysing risks to achieving the entity’s objectives, and forms the basis for how management or those charged with governance determine the risks to be managed.
  2. For financial reporting purposes, the entity’s risk assessment process includes how management identifies business risks relevant to the preparation of the financial report in accordance with the entity’s applicable financial reporting framework, estimates their significance, assesses the likelihood of their occurrence, and decides upon actions to manage them and the results thereof. For example, the entity’s risk assessment process may address how the entity considers the possibility of unrecorded transactions or identifies and analyses significant estimates recorded in the financial report.
  3. Risks relevant to reliable financial reporting include external and internal events, transactions or circumstances that may occur and adversely affect an entity’s ability to initiate, record, process, and report financial information consistent with the assertions of management in the financial report. Management may initiate plans, programs, or actions to address specific risks or it may decide to assume a risk because of cost or other considerations. Risks can arise or change due to circumstances such as the following:
    • Changes in operating environment. Changes in the regulatory, economic or operating environment can result in changes in competitive pressures and significantly different risks.
    • New personnel. New personnel may have a different focus on or understanding of the entity’s system of internal control.
    • New or revamped information system. Significant and rapid changes in the information system can change the risk relating to the entity’s system of internal control.
    • Rapid growth. Significant and rapid expansion of operations can strain controls and increase the risk of a breakdown in controls.
    • New technology. Incorporating new technologies into production processes or the information system may change the risk associated with the entity’s system of internal control.
    • New business models, products, or activities. Entering into business areas or transactions with which an entity has little experience may introduce new risks associated with the entity’s system of internal control.
    • Corporate restructurings. Restructurings may be accompanied by staff reductions and changes in supervision and segregation of duties that may change the risk associated with the entity’s system of internal control.
    • Expanded foreign operations. The expansion or acquisition of foreign operations carries new and often unique risks that may affect internal control, for example, additional or changed risks from foreign currency transactions.
    • New accounting pronouncements. Adoption of new accounting principles or changing accounting principles may affect risks in preparing the financial report.
    • Use of IT. Risks relating to:
      • Maintaining the integrity of data and information processing;
      • Risks to the entity’s business strategy that arise if the entity’s IT strategy does not effectively support the entity’s business strategy; or
      • Changes or interruptions in the entity’s IT environment or turnover of IT personnel or when the entity does not make necessary updates to the IT environment or such updates are not timely.

The Entity’s Process to Monitor the System of Internal Control

  1. The entity’s process to monitor the system of internal control is a continual process to evaluate the effectiveness of the entity’s system of internal control, and to take necessary remedial actions on a timely basis. The entity’s process to monitor the entity’s system of internal control may consist of ongoing activities, separate evaluations (conducted periodically), or some combination of the two. Ongoing monitoring activities are often built into the normal recurring activities of an entity and may include regular management and supervisory activities. The entity’s process will likely vary in scope and frequency depending on the assessment of the risks by the entity.
  2. The objectives and scope of internal audit functions typically include activities designed to evaluate or monitor the effectiveness of the entity’s system of internal control.[72] The entity’s process to monitor the entity’s system of internal control may include activities such as management’s review of whether bank reconciliations are being prepared on a timely basis, internal auditors’ evaluation of sales personnel’s compliance with the entity’s policies on terms of sales contracts, and a legal department’s oversight of compliance with the entity’s ethical or business practice policies. Monitoring is done also to ensure that controls continue to operate effectively over time. For example, if the timeliness and accuracy of bank reconciliations are not monitored, personnel are likely to stop preparing them.
  3. Controls related to the entity’s process to monitor the entity’s system of internal control, including those that monitor underlying automated controls, may be automated or manual, or a combination of both. For example, an entity may use automated monitoring controls over access to certain technology with automated reports of unusual activity to management, who manually investigate identified anomalies.
  4. When distinguishing between a monitoring activity and a control related to the information system, the underlying details of the activity are considered, especially when the activity involves some level of supervisory review. Supervisory reviews are not automatically classified as monitoring activities and it may be a matter of judgement whether a review is classified as a control related to the information system or a monitoring activity. For example, the intent of a monthly completeness control would be to detect and correct errors, where a monitoring activity would ask why errors are occurring and assign management the responsibility of fixing the process to prevent future errors. In simple terms, a control related to the information system responds to a specific risk, whereas a monitoring activity assesses whether controls within each of the five components of the entity’s system of internal control are operating as intended.
  5. Monitoring activities may include using information from communications from external parties that may indicate problems or highlight areas in need of improvement. Customers implicitly corroborate billing data by paying their invoices or complaining about their charges. In addition, regulators may communicate with the entity concerning matters that affect the functioning of the entity’s system of internal control, for example, communications concerning examinations by bank regulatory agencies. Also, management may consider in performing monitoring activities any communications relating to the entity’s system of internal control from external auditors.

The Information System and Communication

  1. The information system relevant to the preparation of the financial report consists of activities and policies, and accounting and supporting records, designed and established to:
    • Initiate, record and process entity transactions (as well as to capture, process and disclose information about events and conditions other than transactions) and to maintain accountability for the related assets, liabilities and equity;
    • Resolve incorrect processing of transactions, for example, automated suspense files and procedures followed to clear suspense items out on a timely basis;
    • Process and account for system overrides or bypasses to controls;
    • Incorporate information from transaction processing in the general ledger (e.g., transferring of accumulated transactions from a subsidiary ledger);
    • Capture and process information relevant to the preparation of the financial report for events and conditions other than transactions, such as the depreciation and amortisation of assets and changes in the recoverability of assets; and
    • Ensure information required to be disclosed by the applicable financial reporting framework is accumulated, recorded, processed, summarised and appropriately reported in the financial report.
  2. An entity’s business processes include the activities designed to:
    • Develop, purchase, produce, sell and distribute an entity’s products and services;
    • Ensure compliance with laws and regulations; and
    • Record information, including accounting and financial reporting information. Business processes result in the transactions that are recorded, processed and reported by the information system.
  3. The quality of information affects management’s ability to make appropriate decisions in managing and controlling the entity’s activities and to prepare reliable financial reports.
  4. Communication, which involves providing an understanding of individual roles and responsibilities pertaining to the entity’s system of internal control, may take such forms as policy manuals, accounting and financial reporting manuals, and memoranda. Communication also can be made electronically, orally, and through the actions of management.
  5. Communication by the entity of the financial reporting roles and responsibilities and of significant matters relating to financial reporting involves providing an understanding of individual roles and responsibilities pertaining to the entity’s system of internal control relevant to financial reporting. It may include such matters as the extent to which personnel understand how their activities in the information system relate to the work of others and the means of reporting exceptions to an appropriate higher level within the entity.

Control Activities

  1. Controls in the control activities component are identified in accordance with paragraph 26. Such controls include information processing controls and general IT controls, both of which may be manual or automated in nature. The greater the extent of automated controls, or controls involving automated aspects, that management uses and relies on in relation to its financial reporting, the more important it may become for the entity to implement general IT controls that address the continued functioning of the automated aspects of information processing controls. Controls in the control activities component may pertain to the following:
    • Authorisation and approvals. An authorisation affirms that a transaction is valid (i.e., it represents an actual economic event or is within an entity’s policy). An authorisation typically takes the form of an approval by a higher level of management or of verification and a determination if the transaction is valid. For example, a supervisor approves an expense report after reviewing whether the expenses seem reasonable and within policy. An example of an automated approval is when an invoice unit cost is automatically compared with the related purchase order unit cost within a pre-established tolerance level. Invoices within the tolerance level are automatically approved for payment. Those invoices outside the tolerance level are flagged for additional investigation.
    • Reconciliations – Reconciliations compare two or more data elements. If differences are identified, action is taken to bring the data into agreement. Reconciliations generally address the completeness or accuracy of processing transactions.
    • Verifications – Verifications compare two or more items with each other or compare an item with a policy, and will likely involve a follow-up action when the two items do not match or the item is not consistent with policy. Verifications generally address the completeness, accuracy, or validity of processing transactions.
    • Physical or logical controls, including those that address security of assets against unauthorised access, acquisition, use or disposal. Controls that encompass:
      • The physical security of assets, including adequate safeguards such as secured facilities over access to assets and records.
      • The authorisation for access to computer programs and data files (i.e., logical access).
      • The periodic counting and comparison with amounts shown on control records (for example, comparing the results of cash, security and inventory counts with accounting records).
    • The extent to which physical controls intended to prevent theft of assets are relevant to the reliability of financial report preparation depends on circumstances such as when assets are highly susceptible to misappropriation.
    • Segregation of duties. Assigning different people the responsibilities of authorising transactions, recording transactions, and maintaining custody of assets. Segregation of duties is intended to reduce the opportunities to allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of the person’s duties.
      For example, a manager authorising credit sales is not responsible for maintaining accounts receivable records or handling cash receipts. If one person is able to perform all these activities the person could, for example, create a fictitious sale that could go undetected. Similarly, salespersons should not have the ability to modify product price files or commission rates.
      Sometimes segregation is not practical, cost effective, or feasible. For example, smaller and less complex entities may lack sufficient resources to achieve ideal segregation, and the cost of hiring additional staff may be prohibitive. In these situations, management may institute alternative controls. In the example above, if the salesperson can modify product price files, a detective control activity can be put in place to have personnel unrelated to the sales function periodically review whether and under what circumstances the salesperson changed prices.
  2. Certain controls may depend on the existence of appropriate supervisory controls established by management or those charged with governance. For example, authorisation controls may be delegated under established guidelines, such as investment criteria set by those charged with governance; alternatively, non-routine transactions such as major acquisitions or divestments may require specific high-level approval, including in some cases that of shareholders.

Limitations of Internal Control

  1. The entity’s system of internal control, no matter how effective, can provide an entity with only reasonable assurance about achieving the entity’s financial reporting objectives. The likelihood of their achievement is affected by the inherent limitations of internal control. These include the realities that human judgement in decision-making can be faulty and that breakdowns in the entity’s system of internal control can occur because of human error. For example, there may be an error in the design of, or in the change to, a control. Equally, the operation of a control may not be effective, such as where information produced for the purposes of the entity’s system of internal control (for example, an exception report) is not effectively used because the individual responsible for reviewing the information does not understand its purpose or fails to take appropriate action.
  2. Additionally, controls can be circumvented by the collusion of two or more people or inappropriate management override of controls. For example, management may enter into side agreements with customers that alter the terms and conditions of the entity’s standard sales contracts, which may result in improper revenue recognition. Also, edit checks in an IT application that are designed to identify and report transactions that exceed specified credit limits may be overridden or disabled.
  3. Further, in designing and implementing controls, management may make judgements on the nature and extent of the controls it chooses to implement, and the nature and extent of the risks it chooses to assume.

Considerations for Understanding an Entity’s Internal Audit Function

Appendix 4

This appendix provides further considerations relating to understanding the entity’s internal audit function when such a function exists.

Objectives and Scope of the Internal Audit Function

  1. The objectives and scope of an internal audit function, the nature of its responsibilities and its status within the organisation, including the function’s authority and accountability, vary widely and depend on the size, complexity and structure of the entity and the requirements of management and, where applicable, those charged with governance. These matters may be set out in an internal audit charter or terms of reference.
  2. The responsibilities of an internal audit function may include performing procedures and evaluating the results to provide assurance to management and those charged with governance regarding the design and effectiveness of risk management, the entity’s system of internal control and governance processes. If so, the internal audit function may play an important role in the entity’s process to monitor the entity’s system of internal control. However, the responsibilities of the internal audit function may be focused on evaluating the economy, efficiency and effectiveness of operations and, if so, the work of the function may not directly relate to the entity’s financial reporting.

Enquiries of the Internal Audit Function

  1. If an entity has an internal audit function, enquiries of the appropriate individuals within the function may provide information that is useful to the auditor in obtaining an understanding of the entity and its environment, the applicable financial reporting framework and the entity’s system of internal control, and in identifying and assessing risks of material misstatement at the financial report and assertion levels. In performing its work, the internal audit function is likely to have obtained insight into the entity’s operations and business risks, and may have findings based on its work, such as identified control deficiencies or risks, that may provide valuable input into the auditor’s understanding of the entity and its environment, the applicable financial reporting framework, the entity’s system of internal control, the auditor’s risk assessments or other aspects of the audit. The auditor’s enquiries are therefore made whether or not the auditor expects to use the work of the internal audit function to modify the nature or timing, or reduce the extent, of audit procedures to be performed.[73] Enquiries of particular relevance may be about matters the internal audit function has raised with those charged with governance and the outcomes of the function’s own risk assessment process.
  2. If, based on responses to the auditor’s enquiries, it appears that there are findings that may be relevant to the entity’s financial reporting and the audit of the financial report, the auditor may consider it appropriate to read related reports of the internal audit function. Examples of reports of the internal audit function that may be relevant include the function’s strategy and planning documents and reports that have been prepared for management or those charged with governance describing the findings of the internal audit function’s examinations.
  3. In addition, in accordance with ASA 240,[74] if the internal audit function provides information to the auditor regarding any actual, suspected or alleged fraud, the auditor takes this into account in the auditor’s identification of risk of material misstatement due to fraud.
  4. Appropriate individuals within the internal audit function with whom enquiries are made are those who, in the auditor’s judgement, have the appropriate knowledge, experience and authority, such as the chief internal audit executive or, depending on the circumstances, other personnel within the function. The auditor may also consider it appropriate to have periodic meetings with these individuals.

Consideration of the Internal Audit Function in Understanding the Control Environment

  1. In understanding the control environment, the auditor may consider how management has responded to the findings and recommendations of the internal audit function regarding identified control deficiencies relevant to the preparation of the financial report, including whether and how such responses have been implemented, and whether they have been subsequently evaluated by the internal audit function.

Understanding the Role that the Internal Audit Function Plays in the Entity’s Process to Monitor the System of Internal Control

  1. If the nature of the internal audit function’s responsibilities and assurance activities are related to the entity’s financial reporting, the auditor may also be able to use the work of the internal audit function to modify the nature or timing, or reduce the extent, of audit procedures to be performed directly by the auditor in obtaining audit evidence. Auditors may be more likely to be able to use the work of an entity’s internal audit function when it appears, for example, based on experience in previous audits or the auditor’s risk assessment procedures, that the entity has an internal audit function that is adequately and appropriately resourced relative to the complexity of the entity and the nature of its operations, and has a direct reporting relationship to those charged with governance.
  2. If, based on the auditor’s preliminary understanding of the internal audit function, the auditor expects to use the work of the internal audit function to modify the nature or timing, or reduce the extent, of audit procedures to be performed, ASA 610 applies.
  3. As is further discussed in ASA 610, the activities of an internal audit function are distinct from other monitoring controls that may be relevant to financial reporting, such as reviews of management accounting information that are designed to contribute to how the entity prevents or detects misstatements.
  4. Establishing communications with the appropriate individuals within an entity’s internal audit function early in the engagement, and maintaining such communications throughout the engagement, can facilitate effective sharing of information. It creates an environment in which the auditor can be informed of significant matters that may come to the attention of the internal audit function when such matters may affect the work of the auditor. ASA 200 discusses the importance of the auditor planning and performing the audit with professional scepticism,[75] including being alert to information that brings into question the reliability of documents and responses to enquiries to be used as audit evidence. Accordingly, communication with the internal audit function throughout the engagement may provide opportunities for internal auditors to bring such information to the auditor’s attention. The auditor is then able to take such information into account in the auditor’s identification and assessment of risks of material misstatement.

Considerations for Understanding Information Technology (IT)

Appendix 5

Download Appendix 5.

Considerations for Understanding General IT Controls

Appendix 6

Download Appendix 6.

[70] See ASA 550, paragraph A7.

[71] See ASA 240, paragraphs A24–A27.

[72] ASA 610 and Appendix 4 of this ASA provide further guidance related to internal audit.

[73] The relevant requirements are contained in ASA 610.

[74] See ASA 240, paragraph 19.

[75] See ASA 200, paragraph 7.