Chapter 14-18 - Audit Planning & Risk Assessment (Student) PDF
Uploaded by FresherBouzouki6600
Summary
This document details audit planning and risk assessment. It includes topics such as learning outcomes and planning activities, along with benefits of planning and preliminary engagement activities. The content is focused on accounting concepts.
Full Transcript
Chapter 14, 15, 16, 17, 18
The Audit Process: Audit Planning and Risk Assessment
7-Oct-24

Chapter 14
Planning

Learning Outcomes
1. The planning of an audit.
2. The requirements of preliminary engagement activities.
3. The contents of the planning activities.
4. The overall audit strategy and audit plan.
5. The documentation of the planning of an audit.

Planning
[Diagram: audit process stages (an audit is a cumulative and iterative process): Client Acceptance & Planning (Preliminary engagement activities; Planning activities) → Understanding the entity and its environment → Identifying and assessing risks of material misstatements → Designing and implementing auditor’s responses to assessed risks → Overall reviewing → Drawing audit conclusions and reporting]

Planning
⚫ HKSA 300 “Planning an Audit of F/S”
⚫ The objective of planning the audit is to perform the audit in an effective manner.
⚫ Requires the involvement of the engagement partner and other key audit team members in audit planning (Leadership → to share their experience & knowledge with junior team members → on-the-job training)
⚫ Planning is a continuous process (in case of any additional info collected during the audit → revise the risk assessment and change the audit plan)

Planning: Benefits of Planning
Adequate audit planning helps the auditors to:
1. ensure audit effort, attention (and resources) are devoted to important audit areas (i.e. areas with higher risk of MM → detailed audit checking needed → more manpower allocated to these areas);
2. ensure potential problems / difficulties which require the auditor’s attention (e.g. MM & frauds) are identified and resolved on a timely basis;
3. ensure the audit is properly organized and managed in an effective and efficient manner (e.g. planning on staffing, resources, travelling, multi-locations);
4. assist proper allocation of work to audit team members (i.e. work allocated & delegated to appropriate audit team member; difficult parts / problematic areas → senior members; easy tasks → junior members + review by senior);
5. facilitate the direction and supervision of team members and review of their work (e.g. hold planning meeting; on-the-job coaching and supervision → ensure audit quality);
6. assist in coordination of work done by component auditors and other experts.

Planning
⚫ The key activities of audit planning involve:
1. Preliminary engagement activities, and
2. Planning activities, which
   a. establish an overall audit strategy and
   b. develop an audit plan.
[Diagram: Preliminary engagement activities; Planning activities (Overall Audit Strategy, Audit Plan)]

Preliminary Engagement Activities
⚫ Preliminary engagement activities include the following (Aim: accept this engagement or not?):
i. (Re-)Acceptance procedures → the continuance of the client relationship? (consider: preconditions for an audit / past experience & cooperation with the reporting entity / any limitations of scope imposed by the reporting entity).
ii. Evaluate compliance with ethical requirements, including independence (e.g. CoE: principles, threats, safeguards → acceptable or not?)
iii. Establish a mutual understanding of the terms of the engagement (→ by signing engagement letter and discussion with client).

Source: HKICPA QP Learning Pack, 6th Ed, p.210

Planning Activities: Overall Audit Strategy

Overall Audit Strategy
⚫ Set out the scope, timing and direction of the audit
⚫ → Guides the development of the detailed audit plan.
⚫ Establishment of the overall audit strategy involves:
1. Identify the characteristics of the engagement that define its scope (e.g. FR framework? Specialized industry? Locations? Currency / FX? Group Reporting? Listed / Private Co? Sensitive? Public Interests?);
2. Ascertain the reporting objectives of the engagement (Listing requirements? Tax-purpose? Companies Ordinance? Form of report? Other communication required? Any group reporting requirements? Reporting Deadline? ➔ timing & output of audit ➔ discuss with management and TCWG);
3. Consider the factors that are significant in directing the engagement team’s efforts (i.e. F/S areas with higher risk of MM);
4. Consider the results of preliminary engagement activities and info obtained from other engagements or previous audit (compare this client with other clients in the same industry) ➔ to highlight areas with higher risk of MM;
5. Ascertain the nature, timing and extent of resources necessary to perform the engagement (Time + Staff + Level of experience + Location).

Source: HKICPA QP Learning Pack, 6th Ed, p.226
Source: HKICPA QP Learning Pack, 6th Ed, p.227

Overall Audit Strategy
⚫ Once the audit strategy has been established, → the development of a more detailed audit plan to address the various matters identified.
[Diagram: Preliminary engagement activities; Planning activities (Overall Audit Strategy, Audit Plan)]
⚫ Overall audit strategy and detailed audit plan are closely inter-related; changes in one may result in consequential changes to the other.

Planning Activities: Audit Plan

Audit Plan
⚫ An audit plan is more detailed than the overall audit strategy.
⚫ Operational plan for implementation & execution
⚫ A listing of Audit Procedures to be performed (i.e. a listing of tasks to be completed)
⚫ Development and planning of these audit procedures takes place over the course of the audit, throughout the audit (continuous)

Audit Plan
⚫ An audit plan includes a description of:
a. the nature, timing and extent of planned risk assessment procedures (Ch 15 & 16)
b. the nature, timing and extent of planned further audit procedures at the assertion level (Ch 20)
c. other planned audit procedures as required by HKSAs
d. the nature, timing and extent of direction and supervision of audit team members and review of their work

Stages in the Audit Process
(An audit is a cumulative and iterative process)
⚫ Client Acceptance & Planning (Chapter 14): Preliminary engagement activities; Planning activities
⚫ Risk assessment (Chapter 15 to 18): Understanding the entity and its environment; Identifying and assessing risks of material misstatements
⚫ Risk response (Chapter 19 to 29): Designing and implementing auditor’s responses to assessed risks
⚫ Reviewing and reporting (Chapter 20, 30 to 35): Overall reviewing; Drawing audit conclusions and reporting

Audit Plan
⚫ Set out goals and objectives of the audit (i.e. overall Audit Strategy)
⚫ →→ guide the development of Audit Plan (i.e. design of Audit Procedures)
⚫ Implementation of Audit Procedures
⚫ →→ achieve the goals and objectives of the audit (i.e. achieve overall Audit Strategy)

Planning Activities: Changes & Control and Documentation

Planning – Changes and Control
⚫ Planning is a continuous process.
⚫ Update and change the overall audit strategy & the audit plan when necessary during the audit.
⚫ Changes may be due to:
▪ Available info for the development of overall audit strategy & audit plan
▪ Audit evidence obtained / unexpected events / changes in condition → new info available is significantly different from previous info
▪ Contradiction in audit evidence (previous info vs new info)
➔➔ modify the overall audit strategy & audit plan (to incorporate new info into audit planning → higher risk of MM → more work)

Planning
[Diagram: audit process stages (an audit is a cumulative and iterative process): Client Acceptance & Planning (Preliminary engagement activities; Planning activities) → Understanding the entity and its environment → Identifying and assessing risks of material misstatements → Designing and implementing auditor’s responses to assessed risks → Overall reviewing → Drawing audit conclusions and reporting]

Planning - Documentation
⚫ HKSA 300 requires the auditor to document:
1. the overall audit strategy;
2. the audit plan; and
3. any significant changes made during the audit to (1) and (2), and the reasons for such changes.
⚫ With proper documentation: (i) facilitate the communication to engagement team, and (ii) serve as a record of the proper planning which should be reviewed and approved prior to the performance of audit procedures.

Planning - Documentation
[Diagram: Overall Audit Strategy; Audit Plan; Partner’s Review & Approval; Change in Overall Audit Strategy & Audit Plan (Reasons & Changes); Final Adopted Overall Audit Strategy & Audit Plan. All of these require proper documentation in the audit wp.]

Additional Considerations in Initial Audit Engagement

Additional Considerations in Initial Audit Engagements
⚫ The auditor should perform the following activities prior to starting an initial audit or 1st audit engagement:
▪ Client acceptance / Engagement acceptance procedures. Same with recurring client (Ch 9)
▪ Communicate with the previous auditor in compliance with relevant ethical requirements (i.e. Request for Professional Clearance).
Covered in Ch 7 Professional Ethics

Additional Considerations in Initial Audit Engagements
⚫ Need to expand the planning activities, since without any past experience / knowledge of this new client
⚫ Additional concerns for initial audits:
1. arrangements to be made with the previous auditor (i.e. Request for professional clearance);
2. discuss with management any major issues (e.g. selection of FR framework & accounting policies, reasons for changing auditor) (info collected during the discussion → influence the overall audit strategy and audit plan);
3. the planned audit procedures for opening balances and comparative figures;
4. the assignment of audit team members with appropriate levels of capabilities & competence (new client → not familiar with the client’s operation & control + additional audit procedures for opening bal. → higher risk of MM & more audit work → high level of skills and efforts required → allocate experienced audit staff & more audit staff to initial audit + more time needed)

Required Reading
Lau, P., & Lam, N. (2021). Auditing and Assurance in Hong Kong. (6th ed.). Hong Kong: Pilot Publishing. Chapter 14

Chapter 15
Understanding an Entity and Its Environment
→ Gathering info for assessing Risk of MM

Learning Outcomes
1. The purpose of understanding an entity and its environment, including its internal control.
2. Risk assessment procedures used to understand an entity.
3. The specific aspects of an entity to be understood in an audit.
[Diagram: audit process stages (an audit is a cumulative and iterative process): Preliminary engagement activities → Planning activities → Understanding the entity and its environment and its IC → Identifying and assessing risks of material misstatements → Designing and implementing auditor’s responses to assessed risks → Overall reviewing → Drawing audit conclusions and reporting]

Understanding an Entity & its Environment - Risk-based audit
[Diagram: Identifying & assessing risks of MM → Designing & implementing auditor’s responses to assessed risks of MM → Obtain audit evidence to support audit opinion]
⚫ How to identify & assess risks of MM? By obtaining understanding of the Entity, its Environment & its IC → then analyze
⚫ How can we obtain such understanding? By performing Risk Assessment Procedures
⚫ What kind of info / understanding to be obtained?

Aspects of Understanding
Understanding an Entity & its Environment
(A) Procedures to be performed in order to obtain such understanding; and Sources of info
(B) The specific aspects of an entity that should be understood (i.e. the contents of such understanding)
[Diagram: Designing and performing risk assessment procedures (Ch 15) → Understanding the entity, i.e. obtaining an understanding of: the entity and its environment (Ch 15); the applicable financial reporting framework (Ch 15); the entity’s system of internal control (Ch 16); with inherent risk factors and control deficiencies → Identifying and assessing risks of material misstatement (Ch 17)]

(A) Risk Assessment Procedures

Risk Assessment Procedures
What are Risk Assessment Procedures?
The audit procedures designed and performed
→ to obtain an understanding of the entity and its environment, including the entity’s IC,
→→ to identify and assess the risks of MM (whether due to fraud or error) at the F/S and assertion level.
Risk Assessment Procedures by themselves do not provide sufficient appropriate audit evidence;
→ info obtained from risk assessment procedures → support the assessments of the risks of MM, i.e. to support the design and implementation of auditor’s responses and later audit procedures
➔ to support the whole audit methodology (risk-based audit)

Risk Assessment Procedures
Types of Risk Assessment Procedures:
1. Inquiries of management and others within the entity
2. Analytical procedures (for risk assessment)
3. Observation and Inspection
4. Discussion among the engagement team
5. Other sources

Risk Assessment Procedures
1. Inquiries of management and others within the entity

Sources of Info: Info obtained

TCWG & Directors & Management:
- Economic / Industrial / Business Environment
- Internal organisation culture
- Organisation structure

Accounting staff:
- Choices of accounting policies (& reasons)
- Any significant / abnormal transactions (M&A)
- Process of handling transaction & Fin Reporting
- Changes due to revised FRSs

Marketing staff:
- Pricing strategy
- Marketing & promotion plan / activities
- Any sales trends / pattern / regional analysis
- Market Competition
- Market survey results → expected demand in the future (Any New Products?)

Production staff:
- Production Cost / Cost Composition
- New Technology in production (reduce cost?)
- Production method / Production capacity
- Materials usage

HR staff:
- Recruitment policies / Remuneration package
- Performance measurement / incentive scheme (any bonus, commission, share based payment)

Internal auditor:
- Internal control policies and procedures
- Effectiveness of Internal control
- Any fraud / suspected fraud identified

Legal advisor:
- Any litigation case in progress (any provision?)

Etc…

Risk Assessment Procedures
2. Analytical procedures (develop auditor’s expectations of plausible relationship → if F/S indicates unusual or unexpected relationships → risk of MM identified → design auditor’s response and further audit procedures) (Illustration)
3. Observation and inspection (Support client’s explanation obtained in Inquiries) (Items for observation & inspection: operation and production, physical premises and plant facilities, budget report, monthly management report, business plan & strategies, BoD minutes, internal control manual, customers complaints report, etc)

Risk Assessment Procedures
4. Discussion among engagement team
(involvement of engagement partner and senior audit team members)
(discuss the identified risk of MM, FR framework to the client’s circumstance)
(communicate to audit team members → share experience, knowledge and insights with junior members)
(exchange info collected from different sources → inconsistency → higher risk of MM)
(brain-storming for any further risk of MM)
(audit planning meeting)

Risk Assessment Procedures
5. Other sources
(info obtained from engagement acceptance procedures, experience & info from previous audit, experience in other clients in the same industry)
(external sources: info from trade / economic journals, reports by analysts / banks / credit rating agencies, news)
(Publicly available info: News, press release, gov’t data)
(making inquiries to entity’s legal advisors and consultants / valuation expert)

Risk Assessment Procedures
(2) Analytical Procedures (Illustration)
– Auditor develops expectation on plausible relationships between various F/S areas
– If the results from the client’s draft F/S are different from auditor’s expectation
– → risk of MM identified (significant fluctuations, unexpected relationships & strange patterns are highlighted as areas with high risk for further action)
– →→ auditors have to plan for further investigation on those F/S areas, plan for further audit procedures and make further inquiries to the management (Risk Response)
– In developing expectation, auditor should use both financial and non-financial data; and external and internal info

Risk Assessment Procedures
(2) Analytical Procedures (Illustration)
Fact / Info Collected (Economic environment): Due to financial crisis, many businesses found difficulties to pay back their debts.
Auditor’s expectation:
– AR balance is expected to increase,
– AR Collection Period is expected to extend (longer repayment period).
Results from client’s draft F/S:
– AR balance decreased.
– AR Collection Period is shortened.
Different from auditor’s expectation → Potential MM in Client’s F/S

Risk Assessment Procedures
(2) Analytical Procedures (Illustration)
Risk of MM (High):
– AR balance may be understated.
– Sales figure may be overstated.
Response to assessed risks of MM:
– Further audit procedures (testing) should be planned on sales and AR.
– Inquire management on the irregularity noted.
Risk Assessment Procedures
(2) Analytical Procedures (Illustration)
Management Explanation:
– Due to the financial crisis, the demand on company’s products was lowered, thus sales amount and sales volume dropped, and hence AR balance was lowered.
– Due to the current economic condition, the credit term offered to customer was shortened from 60 days to 30 days and the company has tightened its credit control policy, thus the collection period was shortened. (Internal Control → credit control)

Risk Assessment Procedures
(2) Analytical Procedures (Illustration)
Verify Management Explanation (Further audit procedures):
– Obtain audit evidence to support management explanation
– Review sales order register, compare with l/y; prepare monthly analysis on sales (to support the drop in demand and the drop in sales amount & volume)
– Inspection of sales contracts / invoices (to support the shortened credit term offered)
– Review AR ledger movement / aging report to confirm repayment pattern (to support the shortened credit term and tightened credit control; faster repayment from debtors)

(B) Aspects of Understanding

⚫ Include identifying any significant changes in these aspects from l/y → indicate higher risks of MM
[Diagram: Perform risk assessment procedures to obtain an understanding of the entity: the applicable financial reporting framework; the entity’s system of internal control (Ch 16); the entity and its environment (industry, regulatory and other external factors; organizational structure, ownership and governance; business model; measures used to assess the entity’s financial performance); with inherent risk factors and control deficiencies]

Aspects of Understanding
a. Industry, Regulatory, and other External Factors
(including: market & competition, economic condition, latest products, latest technology, latest production methods, cost structure, legal / tax / environmental / employment regulation, government policy, inflation, FX fluctuation, interest rate, etc)
(Example: new regulatory / FR requirement → client's personnel may not be familiar with this new requirement → breach the law in operation / MM in F/S → legal consequence (fines?) (Going Concern?) → financial implication → higher risk of MM)

Aspects of Understanding
a. Industry, Regulatory, and other External Factors
(Example: F/S disclosure needed in HKTV upon government decision) (HKTV Annual Report 2013)

a. Industry, Regulatory, and other External Factors
◼ Source: Annual Report 2020 of The Hongkong and Shanghai Hotels, Limited (Stock code: 0045)

Aspects of Understanding
b. Organizational Structure, Ownership & Governance
(e.g. operations; sources of finance (debts covenant); group structure, choices of investment, separation of M&G, Audit Committee, INED, etc)
(Example: listed Co. with diversified shareholding → market expectation on Co. performance → pressure on Co. performance → pressure on management → higher chance of F/S manipulation (higher fraud risk) → higher risk of MM)
(Example: business operations in IT / bio-tec. → special accounting treatment on R&D expenditure → expensed or capitalized? → acc treatment involves estimation & judgments → higher risk of MM)

Aspects of Understanding
c. The Applicable FR Framework
(incl: selection and application of Accounting Policies and reasons for any changes in Accounting Policies)
(appropriate and justified choices? Applied consistently? Follow FRS requirements? Common practice in the industry? Any changes in FRSs?)
(Example: manipulate F/S to overstate profit → change inventory costing method from LIFO to FIFO → any appropriate reasons / justifications? Adequate disclosure made in F/S? → higher risk of MM)
(Example: Operation: leasing out of property → Investment Property (not PPE) → if used inappropriate accounting policy → higher risk of MM)

Aspects of Understanding
d. Business Model (incl: Objectives, Strategies and Business Risks)
(Example: new product failure → increase product liability / warranty liability / re-call product → provision / liability in F/S → acc treatment involves estimation → higher risk of MM)
(Example: new product failure → deteriorated reputation → adversely affect future business → going concern assumption? → higher risk of MM)
(Example: Strategies: overseas expansion → involve FX in transaction → Financial Instrument (e.g. future contract / swap contract) in FX to manage currency risk → any impairment in Financial Instrument? or Fair Value estimation? → sufficient disclosure in F/S? → complicated acc treatment → higher risk of MM)

Aspects of Understanding
e. Measurement and Review of financial / management performance
(e.g. remuneration package, incentive scheme, key performance indicators (KPI), sales / performance targets, key ratios and operating statistics)
(Example: Pressures on the entity’s performance may motivate management to manipulate the F/S (fraud) → higher risk of MM)
(Example: involvement of share based payment / share option → complicated acc treatment → involves estimation and judgment → higher risk of MM)
f. Internal Control ➔ Ch 16

Inherent Risk Factors
⚫ Inherent Risk Factors focus the auditor on the susceptibility of assertions to misstatement. These include:
⚫ complexity,
⚫ subjectivity,
⚫ change,
⚫ uncertainty or
⚫ susceptibility to misstatement due to management bias or
⚫ other fraud risk factors.
Documentation

Documentation
⚫ Auditors should document:
▪ the Risk Assessment Procedures performed;
▪ the sources of info;
▪ key elements & aspects of the understanding;
▪ the identified and assessed risks of MM at the F/S level and at the assertion level;
▪ the risks identified (risk of MM) and related controls (entity’s internal control to minimize the risk of MM);
▪ the discussion among the audit team, and the significant decisions reached

Documentation
⚫ ➔ Understanding of the Entity wp / memo
[Example working paper heading: True and Fair Limited, Knowledge of the business for the year ended 31 December 2010]

Summary
Source: HKICPA QP Learning Pack, 6th Ed, p.230
Source: HKICPA QP Learning Pack, 6th Ed, p.230
Internal Control (Ch 16)
Source: HKICPA QP Learning Pack, 6th Ed, p.230

Required Reading
Lau, P., & Lam, N. (2021). Auditing and Assurance in Hong Kong. (6th ed.). Hong Kong: Pilot Publishing. Chapter 15

Chapter 16
Internal Control
→ Gathering info for assessing Risk of MM → Control Risk

Learning Outcomes
1. The requirements to obtain an understanding of internal control relevant to the audit.
2. General nature and characteristics of internal control.
3. Controls relevant to the audit.
4. Nature and extent of the understanding of relevant controls.
5. Components of internal control.

[Diagram: audit process stages (an audit is a cumulative and iterative process): Preliminary engagement activities → Planning activities → Understanding the entity and its environment and its IC → Identifying and assessing risks of material misstatements → Designing and implementing auditor’s responses to assessed risks → Overall reviewing → Drawing audit conclusions and reporting]

Understanding an Entity & its Environment
[Diagram: Designing and performing risk assessment procedures (Ch 15) → Understanding the entity, i.e. obtaining an understanding of: the entity and its environment (Ch 15); the applicable financial reporting framework (Ch 15); the entity’s system of internal control (Ch 16); with inherent risk factors and control deficiencies → Identifying and assessing risks of material misstatement (Ch 17)]

What is Internal Control?

Internal control
⚫ Internal control is defined as:
▪ The system designed, implemented and maintained (What?)
▪ by those charged with governance (TCWG), management and other personnel (By Whom?)
▪ to provide reasonable assurance about the achievement of an entity’s objectives (Aimed for?)
▪ with regard to (i) reliability of financial reporting, (ii) effectiveness and efficiency of operations, and (iii) compliance with applicable laws and regulations. (What kind of objectives?)

Internal control
⚫ Internal control can only provide an entity with reasonable assurance on achieving the entity’s objectives and cannot provide absolute assurance, due to the inherent limitations of internal control.
⚫ Inherent limitations of internal control:
▪ contain human errors / failures / judgement
▪ cost of internal control outweighs its benefit (Co. size / resource available)
▪ ignore non-routine transactions & judgemental matters (fall outside of normal operating cycles / normal internal control)
▪ possibility of management override of IC
▪ possibility of staff collusion

Internal control
⚫ Can be both manual and automated (IT) control
⚫ Manual control
- approvals, reviews, reconciliations, follow-up
- which require human judgement and discretion
- handling of non-recurring, unusual transactions; transactions that fall outside of the scope of automated control; monitor the automated control
⚫ Automated control [Ch 29] [ACY4004]
- General IT controls and application controls
- Edit check, auto posting, error report / message
- related to high volume of routine and recurring transactions

Internal Controls relevant to Audit

Internal Controls Relevant to the Audit
HKSA 315 requires the auditor to obtain an understanding of internal control relevant to the audit (➔ IC relating to financial reporting)
→ with such understanding → identify and assess risks of MM
→ Good IC → able to prevent, detect and correct MM → lower risks of MM
→ Weak IC → NOT able to prevent, detect and correct MM → higher risks of MM
→ Based on risk assessment → next stage, design auditor’s responses to the assessed risk of MM, incl. further audit procedures (TOC)
Not necessary to understand all the controls in the reporting entity, only those IC relevant to the audit (which may be relevant to risk of MM in F/S).

Internal Controls Relevant to the Audit
⚫ An auditor is required to understand internal control relevant to the audit.
⚫ ➔ auditor’s professional judgment whether a control is relevant to the audit.
⚫ Consider the linkage of the Internal Control and the risk of MM in F/S
⚫ With proper internal control → reduce the opportunity for frauds → reduce the chance of material misstatements in F/S → lower risk of MM

Nature and Extent of Understanding of Internal Controls

Nature & Extent of Understanding of IC (3-steps)
1) Understand the design of internal control (By performing Risk Assessment Procedures) (e.g. by making inquiry to the entity’s personnel / inspection of the operation handbook / control manual) (i.e. What is the control system? Any policies & procedures? How to process a Transaction?)
2) Evaluate the design of the internal controls (Good IC Design or Bad IC Design? Criteria: whether the controls can effectively prevent or detect and correct MM? → reduce the risk of MM)
3) Determine whether the IC have been implemented (enforcement & implementation: whether the control really exists? Being carried out? In use?) → TOC

Nature & Extent of Understanding of IC
Risk Assessment Procedures: procedures and methods to obtain understanding on the design and implementation of IC:
▪ Making inquiry of entity personnel;
▪ Observing the application of controls;
▪ Inspecting documents and reports;
▪ Tracing transactions through the information system relevant to financial reporting (i.e. walkthrough procedures)

Source: Porter B., Simon J. and Hatherly D. (2014) Principles of External Auditing, pp.408, Wiley.
Source: http://www.slideshare.net/hcc79/ais6eabaz-ch02-33806730
Source: Porter B., Simon J. and Hatherly D. (2014) Principles of External Auditing, pp.405, Wiley.
Source: Porter B., Simon J. and Hatherly D. (2014) Principles of External Auditing, pp.403, Wiley.
Nature & Extent of Understanding of IC

Nature & Extent of Understanding of IC
⚫ In determining the audit strategy, the auditor makes judgement on the extent of planned reliance on an entity’s IC
⚫ If effective IC, lower risk of MM (low CR) → place higher reliance on reporting entity’s IC → TOC (test for control implementation) + reduced Substantive Procedures
⚫ If ineffective IC, higher risk of MM (high CR) → place lower reliance on reporting entity’s IC → ignore or reduce TOC → more detailed Substantive Procedures

5 Components of Internal Control

Components of Internal Control
⚫ Five components of internal control:
Indirect Control (→ F/S level):
A. Control Environment
B. Reporting Entity’s Risk Assessment process
C. Monitoring of controls
Direct Control (→ assertion level):
D. Information System relevant to financial reporting and Communication
E. Control Activities

Components of Internal Control
⚫ Direct Control
→ Controls that are precise enough to address Risks of MM at the assertion level (i.e. Acc Bal $ & Transaction Amount $)
→ Controls that are sufficiently precise to prevent, detect or correct misstatements at assertion level
→ include: The Information System and Communication and Control Activities
⚫ Indirect Control
→ controls that support other direct controls
→ affect Risks of MM at the F/S level (i.e. F/S-as-a-whole)
→ include: Control Environment, the Entity’s Risk Assessment Process and the Monitoring of Control

Source: IAASB, ISA 315 (Revised 2019) Identifying and Assessing the Risks of Material Misstatement First-Time Implementation Guide, July 2022

Five Components of Internal control
[Diagram: Control activities; Risk assessment; Control environment]

Five Components of Internal control
[Diagram: Control activities; Risk assessment; Control environment (highlighted: Indirect Control)]

(A) Control Environment – Meaning
▪ TCWG and management’s concern on the internal control of the reporting entity and its importance in the entity
▪ includes the governance and management functions and their attitude, awareness and actions on internal control
▪ Create and maintain a culture of honesty and ethical behavior in the organization
▪ → set out the tone of the organization;
▪ → influence the control consciousness of its people / staff
▪ ➔ the foundation for effective internal control.

(A) Control Environment – Meaning
⚫ Elements of Control Environment include:
▪ Communication and enforcement of integrity & ethical values (e.g. code of conduct / staff handbook / training);
▪ Commitment to competence (e.g. staff training & education / recruitment / appraisal → a fair system?);
▪ Participation by TCWG (their independence, experience, stature & reputation) (top management’s concern on IC, stress & emphasize on the importance on IC in the entity);
▪ Management’s philosophy and operating style;
▪ Organizational structure (e.g. decentralization vs. centralization; family-based business vs wider SH base);
▪ Assignment of authority and responsibility (e.g. proper line of authority, fair & balance? management override of control? abuse of authority & power?); and
▪ Human resource policies and practices.
[Figure: Organizational culture is like an iceberg, with most of its weight and bulk below the surface – The iceberg of organizational culture change]
Source: http://www.torbenrick.eu/blog/culture/organizational-culture-is-like-an-iceberg/

(A) Control Environment - Auditor
⚫ Auditors should obtain an understanding of the reporting entity’s control environment.
⚫ To evaluate whether the management (and TCWG) has created and maintained a culture of honesty and ethical behavior in the entity
⚫ ➔ which provides an appropriate foundation for the other components of internal control.
⚫ ➔ Control deficiencies in the control environment → undermine other components of IC.

(A) Control Environment - Auditor
⚫ When assessing the risks of MM, the auditor considers favorably if a satisfactory control environment exists
⚫ Strong control environment ➔ culture of honest behaviours (organization as a whole; pervasive effect) ➔ lower chance of frauds ➔ lower risk of MM at F/S level (F/S as a whole)
⚫ However, the control environment itself does not prevent, or detect and correct, material misstatements ( X assertion level // X F/S areas)

[Figure: Five Components of Internal control; labels: Control activities, Risk assessment, Control environment; highlighted: Indirect Control]

(B) Entity’s Risk Assessment Process
⚫ It is the reporting entity’s process for:
- identifying business risks (regarding financial reporting) (identify chance of misstatement);
- estimating the significance of the risks (possible outcomes? potential loss? potential MM?);
- assessing the likelihood of their occurrence (probability // chance of happening); and
- deciding about actions to address those risks.
All performed by the reporting entity
⚫ The auditor is required to evaluate whether such process is appropriate to the entity’s circumstances.
(B) Entity’s Risk Assessment Process
⚫ Forms the basis for how management determines the risk to be managed (by imposing IC to → accept / avoid / reduce / transfer the risks).
⚫ → if the reporting entity is doing well in its risk assessment process, it assists the auditor in identifying risk of MM.
⚫ If auditors identify risk of MM, which the management failed to identify → represents deficiency in Entity’s Risk Assessment Process → represents deficiency in IC → risk of MM (high)

[Figure: Five Components of Internal control; labels: Control activities, Risk assessment, Control environment; highlighted: Direct Control]

(C) Control Activities – Meaning
⚫ Control activities are those policies and procedures that help to ensure management directives are carried out.
⚫ Can be within information technology (IT) system or manual systems

(C) Control Activities – Meaning
▪ Types of control activities include:
▪ Authorization and Approval by appropriate level (e.g. payment above $100,000 should be authorized and approved by CFO);
▪ Performance reviews (e.g. actual performance vs budgets and variance analysis → explanation & follow up; management’s review on report; compare data);
▪ Reconciliations (compare data; identify diff → correction; to check accuracy, completeness) (e.g. preparation of TB; bank reconciliation process);
▪ Verifications (compare data; documents vs physical items; action vs policy)
▪ Physical / logical controls on assets & data (e.g. right to access, inventory count; cash count; security guard); and
▪ Segregation of duties (between authorization vs recording of transactions vs custody of assets).

(C) Control Activities – Auditor
⚫ The auditor should obtain an understanding of control activities relevant to the audit,
- ➔ in order to assess the risks of MM at the assertion level (i.e.
particular F/S areas; Acc Bal $; Transaction Amount $), and
- ➔ ➔ to design further audit procedures responsive to assessed risks of MM at assertion level ➔ TOC
Relevant to the audit or not? → linkage with F/S → a matter of professional judgement

Source: http://www.slideshare.net/hcc79/ais6eabaz-ch02-33806730

Source: Porter B., Simon J. and Hatherly D. (2014) Principles of External Auditing, pp. 405, Wiley.

Source: Porter B., Simon J. and Hatherly D. (2014) Principles of External Auditing, pp. 415, Wiley.

[Figure: Five Components of Internal control; labels: Control activities, Risk assessment, Control environment; highlighted: Direct Control]

(D) Information System & Communication
⚫ How info flows within the entity & external communication
⚫ Can be manual system or information technology (IT) system
⚫ Auditors should obtain an understanding of the information system relevant to business process and financial reporting, which includes the following areas:
a. Significant classes of transactions (e.g. how many types of operating cycles & transactions?);
b. The procedures by which those transactions are initiated, recorded, processed and reported in the F/S (i.e. the implementation of operating cycles);
c. The related accounting records & supporting info (the reflection in the F/S & books and records);

(D) Information System & Communication
⚫ Auditors should obtain an understanding of the information system relevant to business process and financial reporting, which includes the following areas:
d. How the info system captures significant events and conditions → process and disclose (e.g. discovery of abnormal events; non-routine transactions; not included in operation cycles);
e. The financial reporting process used to prepare F/S, including accounting estimates & disclosure (i.e. year-end adjustments & review; impairment review; contingency); &
f.
Controls surrounding journal entries used to record non-recurring, unusual transactions or adjustments (e.g. disposal of scrap assets)

[Figure: Five Components of Internal control; labels: Control activities, Risk assessment, Control environment; highlighted: Indirect Control]

(E) Monitoring of Controls
⚫ A process to assess the effectiveness of IC on a timely basis and take necessary remedial actions.
- Ongoing monitoring activities (built within normal recurring / routine activities → regular management and supervisory activities; e.g. normal routine reporting & review; budget variance analysis)
- Separate evaluation (e.g. Internal audit function; handling of customer complaints)
- Any remediation of control deficiencies
⚫ The auditor is required to obtain an understanding of the major activities that the entity uses to monitor internal control over financial reporting, and how the entity initiates corrective actions to its controls.

[Figure: Five Components of Internal control; labels: Control activities, Risk assessment, Control environment]

Source: Porter B., Simon J. and Hatherly D. (2014) Principles of External Auditing, pp. 389, Wiley.

Nature & Extent of Understanding of IC

Overview of Audit Decisions About Substantive Procedures for the F/S Audit
Source: Zehms, Gramling, Rittenberg (2024) Auditing: A Risk-Based Approach, Chapter 5

Source: Porter B., Simon J. and Hatherly D. (2014) Principles of External Auditing, pp. 395, Wiley.
COSO Framework for Internal Control
Committee of Sponsoring Organizations of the Treadway Commission “COSO”
Source: Zehms, Gramling, Rittenberg (2024) Auditing: A Risk-Based Approach, Chapter 3

Understanding the Components of the Entity’s System of Internal Control
Source: International Federation of Accountants (IFAC), THE RISK IDENTIFICATION AND ASSESSMENT PROCESS: TIPS ON IMPLEMENTING ISA 315 (REVISED 2019)

Documentation
⚫ Auditors should document in audit working paper:
- the risk assessment procedures performed;
- the sources of info;
- key elements & aspects of the understanding obtained regarding the entity, its environment, its FRF & IC;
- the identified and assessed risks of MM at the F/S level and at the assertion level;
- the risks of MM identified and related controls (each component of the entity’s control to minimize the risk of MM);
- the discussion among the engagement team, and the significant decisions reached

Required Reading
Lau, P., & Lam, N. (2021). Auditing and Assurance in Hong Kong. (6th ed.). Hong Kong: Pilot Publishing. Chapter 16

Reference Reading
Porter B., Simon J. and Hatherly D. (2014) Principles of External Auditing, Wiley. Chapter 10