For the purposes of this Auditing Standard, the following terms have the meanings attributed below:


Assertions – Representations, explicit or otherwise, with respect to the recognition, measurement, presentation and disclosure of information in the financial report which are inherent in management representing that the financial report is prepared in accordance with the applicable financial reporting framework.  Assertions are used by the auditor to consider the different types of potential misstatements that may occur when identifying, assessing and responding to the risks of material misstatement.  (Ref: Para. A1)


Business risk – A risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies.


Controls – Policies or procedures that an entity establishes to achieve the control objectives of management or those charged with governance.  In this context: (Ref: Para. A2–A5)

  1. Policies are statements of what should, or should not, be done within the entity to effect control.  Such statements may be documented, explicitly stated in communications, or implied through actions and decisions.
  2. Procedures are actions to implement policies. 


General information technology (IT) controls – Controls over the entity’s IT processes that support the continued proper operation of the IT environment, including the continued effective functioning of information processing controls and the integrity of information (i.e., the completeness, accuracy and validity of information) in the entity’s information system.  Also see the definition of IT environment.


Information processing controls – Controls relating to the processing of information in IT applications or manual information processes in the entity’s information system that directly address risks to the integrity of information (i.e., the completeness, accuracy and validity of transactions and other information). (Ref: Para. A6)


Inherent risk factors – Characteristics of events or conditions that affect susceptibility to misstatement, whether due to fraud or error, of an assertion about a class of transactions, account balance or disclosure, before consideration of controls. Such factors may be qualitative or quantitative, and include complexity, subjectivity, change, uncertainty or susceptibility to misstatement due to management bias or other fraud risk factors[11] insofar as they affect inherent risk. (Ref: Para. A7–A8)


IT environment – The IT applications and supporting IT infrastructure, as well as the IT processes and personnel involved in those processes, that an entity uses to support business operations and achieve business strategies. For the purposes of this ASA:

  1. An IT application is a program or a set of programs that is used in the initiation, processing, recording and reporting of transactions or information. IT applications include data warehouses and report writers.
  2. The IT infrastructure comprises the network, operating systems, and databases and their related hardware and software.
  3. The IT processes are the entity’s processes to manage access to the IT environment, manage program changes or changes to the IT environment and manage IT operations.


Relevant assertions – An assertion about a class of transactions, account balance or disclosure is relevant when it has an identified risk of material misstatement. The determination of whether an assertion is a relevant assertion is made before consideration of any related controls (i.e., the inherent risk). (Ref: Para. A9)


Risks arising from the use of IT – Susceptibility of information processing controls to ineffective design or operation, or risks to the integrity of information (i.e., the completeness, accuracy and validity of transactions and other information) in the entity’s information system, due to ineffective design or operation of controls in the entity’s IT processes (see IT environment).


Risk assessment procedures – The audit procedures designed and performed to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial report and assertion levels.


Significant class of transactions, account balance or disclosure – A class of transactions, account balance or disclosure for which there is one or more relevant assertions.


Significant risk – An identified risk of material misstatement: (Ref: Para. A10)

  1. For which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur; or
  2. That is to be treated as a significant risk in accordance with the requirements of other ASAs.[12]


System of internal control – The system designed, implemented and maintained by those charged with governance, management and other personnel, to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. For the purposes of the ASAs, the system of internal control consists of five inter-related components:

  1. Control environment;
  2. The entity’s risk assessment process;
  3. The entity’s process to monitor the system of internal control;
  4. The information system and communication; and
  5. Control activities.


[11] See ASA 240, paragraphs A24–A27.


[12] See ASA 240, paragraph 28 and ASA 550, Related Parties, paragraph 18.