May 28 (AM) - Internal Control and Assessing the Risk of Material Misstatement.pdf

Page 1 of 46 School of Business and Economics Department of Accountancy Auditing...

Page 1 of 46 School of Business and Economics Department of Accountancy Auditing Atty. Wendell K. Ang, CPA, MMPA Internal Control, and Assessing the Risk of Material Misstatement May 28, 2024 8:00AM to 12:00NN Philippine Standards on Auditing 315 (Revised 2019) IDENTIFYING AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT Philippine Standards on Auditing 315 (Revised) IDENTIFYING AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT THROUGH UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AASC’s adoption of ISA 315 as PSA 315– approved March 2, 2020 effective December 15, 2021 ISA 315 – issued December 2019 effective December 15, 2021 Definitions 12. For purposes of the ISAs, the following terms have the meanings attributed below: (c) Controls – Policies or procedures that an entity establishes to achieve the control objectives of management or those charged with governance. In this context: (Ref: Para. A2–A5) (i) Policies are statements of what should, or should not, be done within the entity to effect control. Such statements may be documented, explicitly stated in communications, or implied through actions and decisions. (ii) Procedures are actions to implement policies. (d) General information technology (IT) controls – Controls over the entity’s IT processes that support the continued proper operation of the IT environment, including the continued effective functioning of information processing controls and the integrity of information (i.e., the completeness, accuracy and validity of information) in the entity’s information system. Also see the definition of IT environment. (e) Information processing controls – Controls relating to the processing of information in IT applications or manual information processes in the entity’s information system that directly address risks to the integrity of information (i.e., the completeness, accuracy and validity of transactions and other information). (Ref: Para. A6) (g) IT environment – The IT applications and supporting IT infrastructure, as well as the IT processes and personnel involved in those processes, that an entity uses to support business operations and achieve business strategies. For the purposes of this ISA: (i) An IT application is a program or a set of programs that is used in the initiation, processing, recording and reporting of transactions or information. IT applications include data warehouses and report writers. (ii) The IT infrastructure comprises the network, operating systems, and databases and their related hardware and software. Page 2 of 46 (iii) The IT processes are the entity’s processes to manage access to the IT environment, manage program changes or changes to the IT environment and manage IT operations. (i) Risks arising from the use of IT – Susceptibility of information processing controls to ineffective design or operation, or risks to the integrity of information (i.e., the completeness, accuracy and validity of transactions and other information) in the entity’s information system, due to ineffective design or operation of controls in the entity’s IT processes (see IT environment). (m) System of internal control – The system designed, implemented and maintained by those charged with governance, management and other personnel, to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. For the purposes of the ISAs, the system of internal control consists of five inter-related components: (i) Control environment; (ii) The entity’s risk assessment process; (iii) The entity’s process to monitor the system of internal control; (iv) The information system and communication; and (v) Control activities. Understanding the Components of the Entity’s System of Internal Control (Ref: Para. A90 – A95) Control Environment, the Entity’s Risk Assessment Process and the Entity’s Process to Monitor the System of Internal Control (Ref: Para. A96‒A98) Control environment 21. The auditor shall obtain an understanding of the control environment relevant to the preparation of the financial statements, through performing risk assessment procedures, by: (Ref: Para. A99–A100) (a) Understanding the set of controls, processes and structures that address: (Ref: Para. A101‒ A102) (i) How management’s oversight responsibilities are carried out, such as the entity’s culture and management’s commitment to integrity and ethical values; (ii) When those charged with governance are separate from management, the independence of, and oversight over the entity’s system of internal control by, those charged with governance; (iii) The entity’s assignment of authority and responsibility; (iv) How the entity attracts, develops, and retains competent individuals; and (v) How the entity holds individuals accountable for their responsibilities in the pursuit of the objectives of the system of internal control; And (b) Evaluating whether: (Ref: Para. A103‒A108) (i) Management, with the oversight of those charged with governance, has created and maintained a culture of honesty and ethical behavior; (ii) The control environment provides an appropriate foundation for the other components of the entity’s system of internal control considering the nature and complexity of the entity; and (iii) Control deficiencies identified in the control environment undermine the other components of the entity’s system of internal control. The entity’s risk assessment process 22. The auditor shall obtain an understanding of the entity’s risk assessment process relevant to the preparation of the financial statements, through performing risk assessment procedures, by: Page 3 of 46 (a) Understanding the entity’s process for: (Ref: Para. A109‒A110) (i) Identifying business risks relevant to financial reporting objectives; (Ref: Para. A62) (ii) Assessing the significance of those risks, including the likelihood of their occurrence; and (iii) Addressing those risks; and (b) Evaluating whether the entity’s risk assessment process is appropriate to the entity’s circumstances considering the nature and complexity of the entity. (Ref: Para. A111‒A113) 23. If the auditor identifies risks of material misstatement that management failed to identify, the auditor shall: (a) Determine whether any such risks are of a kind that the auditor expects would have been identified by the entity’s risk assessment process and, if so, obtain an understanding of why the entity’s risk assessment process failed to identify such risks of material misstatement; and (b) Consider the implications for the auditor’s evaluation in paragraph 22(b). The entity’s process to monitor the system of internal control 24. The auditor shall obtain an understanding of the entity’s process for monitoring the system of internal control relevant to the preparation of the financial statements, through performing risk assessment procedures, by: (Ref: Para. A114–A115) (a) Understanding those aspects of the entity’s process that address: (i) Ongoing and separate evaluations for monitoring the effectiveness of controls, and the identification and remediation of control deficiencies identified; (Ref: Para. A116‒A117) and (ii) The entity’s internal audit function, if any, including its nature, responsibilities and activities; (Ref: Para. A118) (b) Understanding the sources of the information used in the entity’s process to monitor the system of internal control, and the basis upon which management considers the information to be sufficiently reliable for the purpose; (Ref: Para. A119‒A120) and (c) Evaluating whether the entity’s process for monitoring the system of internal control is appropriate to the entity’s circumstances considering the nature and complexity of the entity. (Ref: Para. A121‒A122) Information System and Communication, and Control Activities (Ref: Para. A123–A130) The information system and communication 25. The auditor shall obtain an understanding of the entity’s information system and communication relevant to the preparation of the financial statements, through performing risk assessment procedures, by: (Ref: Para. A131) (a) Understanding the entity’s information processing activities, including its data and information, the resources to be used in such activities and the policies that define, for significant classes of transactions, account balances and disclosures: (Ref: Para. A132‒A143) (i) How information flows through the entity’s information system, including how: a. Transactions are initiated, and how information about them is recorded, processed, corrected as necessary, incorporated in the general ledger and reported in the financial statements; and b. Information about events and conditions, other than transactions, is captured, processed and disclosed in the financial statements; (ii) The accounting records, specific accounts in the financial statements and other supporting records relating to the flows of information in the information system; (iii) The financial reporting process used to prepare the entity’s financial statements, including disclosures; and Page 4 of 46 (iv) The entity’s resources, including the IT environment, relevant to (a)(i) to (a)(iii) above; (b) Understanding how the entity communicates significant matters that support the preparation of the financial statements and related reporting responsibilities in the information system and other components of the system of internal control: (Ref: Para. A144‒A145) (i) Between people within the entity, including how financial reporting roles and responsibilities are communicated; (ii) Between management and those charged with governance; and (iii) With external parties, such as those with regulatory authorities; and (c) Evaluating whether the entity’s information system and communication appropriately support the preparation of the entity’s financial statements in accordance with the applicable financial reporting framework. (Ref: Para. A146) Control activities 26. The auditor shall obtain an understanding of the control activities component, through performing risk assessment procedures, by: (Ref: Para. A147–A157) a) Identifying controls that address risks of material misstatement at the assertion level in the control activities component as follows: (i) Controls that address a risk that is determined to be a significant risk; (Ref: Para. A158‒ A159) (ii) Controls over journal entries, including non-standard journal entries used to record non-recurring, unusual transactions or adjustments; (Ref: Para. A160‒A161) (iii) Controls for which the auditor plans to test operating effectiveness in determining the nature, timing and extent of substantive testing, which shall include controls that address risks for which substantive procedures alone do not provide sufficient appropriate audit evidence; and (Ref: Para. A162‒A164) (iv) Other controls that the auditor considers are appropriate to enable the auditor to meet the objectives of paragraph 13 with respect to risks at the assertion level, based on the auditor’s professional judgment; (Ref: Para. A165) (b) Based on controls identified in (a), identifying the IT applications and the other aspects of the entity’s IT environment that are subject to risks arising from the use of IT; (Ref: Para. A166‒A172) (c) For such IT applications and other aspects of the IT environment identified in (b), identifying: (Ref: Para. A173‒A174) (i) The related risks arising from the use of IT; and (ii) The entity’s general IT controls that address such risks; and (d) For each control identified in (a) or (c)(ii): (Ref: Para. A175‒A181) (i) Evaluating whether the control is designed effectively to address the risk of material misstatement at the assertion level, or effectively designed to support the operation of other controls; and (ii) Determining whether the control has been implemented by performing procedures in addition to inquiry of the entity’s personnel. Control Deficiencies Within the Entity’s System of Internal Control 27. Based on the auditor’s evaluation of each of the components of the entity’s system of internal control, the auditor shall determine whether one or more control deficiencies have been identified. (Ref: Para. A182–A183) The Entity’s Internal Control 12. The auditor shall obtain an understanding of internal control relevant to the audit. Although most controls relevant to the audit are likely to relate to financial reporting, not all controls that relate to Page 5 of 46 financial reporting are relevant to the audit. It is a matter of the auditor’s professional judgment whether a control, individually or in combination with others, is relevant to the audit. (Ref: Para. A38-A61) Components of Internal Control Control environment 14. The auditor shall obtain an understanding of the control environment. As part of obtaining this understanding, the auditor shall evaluate whether: (a) Management, with the oversight of those charged with governance, has created and maintained a culture of honesty and ethical behavior; and (b) The strengths in the control environment elements collectively provide an appropriate foundation for the other components of internal control, and whether those other components are not undermined by control environment weaknesses. (Ref: Para. A65- A74) The entity’s risk assessment process 15. The auditor shall obtain an understanding of whether the entity has a process for: (a) Identifying business risks relevant to financial reporting objectives; (b) Estimating the significance of the risks; (c) Assessing the likelihood of their occurrence; and (d) Deciding about actions to address those risks. (Ref: Para. A75) The information system, including the related business processes, relevant to financial reporting, and communication 18. The auditor shall obtain an understanding of the information system, including the related business processes, relevant to financial reporting, including the following areas: (a) The classes of transactions in the entity’s operations that are significant to the financial statements; (b) The procedures, within both information technology (IT) and manual systems, by which those transactions are initiated, recorded, processed, corrected as necessary, transferred to the general ledger and reported in the financial statements; (c) The related accounting records, supporting information and specific accounts in the financial statements that are used to initiate, record, process and report transactions; this includes the correction of incorrect information and how information is transferred to the general ledger. The records may be in either manual or electronic form; (d) How the information system captures events and conditions, other than transactions, that are significant to the financial statements; (e) The financial reporting process used to prepare the entity’s financial statements, including significant accounting estimates and disclosures; and (f) Controls surrounding journal entries, including non-standard journal entries used to record non-recurring, unusual transactions or adjustments. (Ref: Para. A77-A81) 19. The auditor shall obtain an understanding of how the entity communicates financial reporting roles and responsibilities and significant matters relating to financial reporting, including: (a) Communications between management and those charged with governance; and (b) External communications, such as those with regulatory authorities. (Ref: Para. A82-A83) Control activities relevant to the audit Page 6 of 46 20. The auditor shall obtain an understanding of control activities relevant to the audit, being those the auditor judges it necessary to understand in order to assess the risks of material misstatement at the assertion level and design further audit procedures responsive to assessed risks. An audit does not require an understanding of all the control activities related to each significant class of transactions, account balance, and disclosure in the financial statements or to every assertion relevant to them. (Ref: Para. A84- A90) 21. In understanding the entity’s control activities, the auditor shall obtain an understanding of how the entity has responded to risks arising from IT. (Ref: Para. A91-A93) Monitoring of controls 22. The auditor shall obtain an understanding of the major activities that the entity uses to monitor internal control over financial reporting, including those related to those control activities relevant to the audit, and how the entity initiates corrective actions to its controls. (Ref: Para. A94-A96) 23. The auditor shall obtain an understanding of the sources of the information used in the entity’s monitoring activities, and the basis upon which management considers the information to be sufficiently reliable for the purpose. (Ref: Para. A97) Identifying and Assessing the Risks of Material Misstatement (Ref: Para. A184‒A185) Identifying Risks of Material Misstatement 28. The auditor shall identify the risks of material misstatement and determine whether they exist at: (Ref: Para. A186–A192) (a) The financial statement level; (Ref: Para. A193–A200) or (b) The assertion level for classes of transactions, account balances and disclosures. (Ref: Para. A201) 29. The auditor shall determine the relevant assertions and the related significant classes of transactions, account balances and disclosures. (Ref: Para. A202–A204) Assessing Risks of Material Misstatement at the Financial Statement Level 30. For identified risks of material misstatement at the financial statement level, the auditor shall assess the risks and: (Ref: Para. A193–A200) (a) Determine whether such risks affect the assessment of risks at the assertion level; and (b) Evaluate the nature and extent of their pervasive effect on the financial statements. Assessing Risks of Material Misstatement at the Assertion Level Assessing Inherent Risk (Ref: Para. A205–A217) 31. For identified risks of material misstatement at the assertion level, the auditor shall assess inherent risk by assessing the likelihood and magnitude of misstatement. In doing so, the auditor shall take into account how, and the degree to which: (a) Inherent risk factors affect the susceptibility of relevant assertions to misstatement; and (b) The risks of material misstatement at the financial statement level affect the assessment of inherent risk for risks of material misstatement at the assertion level. (Ref: Para. A215‒A216) 32. The auditor shall determine whether any of the assessed risks of material misstatement are significant risks. (Ref: Para. A218–A221) Page 7 of 46 33. The auditor shall determine whether substantive procedures alone cannot provide sufficient appropriate audit evidence for any of the risks of material misstatement at the assertion level. (Ref: Para. A222–A225) Assessing Control Risk 34. If the auditor plans to test the operating effectiveness of controls, the auditor shall assess control risk. If the auditor does not plan to test the operating effectiveness of controls, the auditor’s assessment of control risk shall be such that the assessment of the risk of material misstatement is the same as the assessment of inherent risk. (Ref: Para. A226–A229) Evaluating the Audit Evidence Obtained from the Risk Assessment Procedures 35. The auditor shall evaluate whether the audit evidence obtained from the risk assessment procedures provides an appropriate basis for the identification and assessment of the risks of material misstatement. If not, the auditor shall perform additional risk assessment procedures until audit evidence has been obtained to provide such a basis. In identifying and assessing the risks of material misstatement, the auditor shall take into account all audit evidence obtained from the risk assessment procedures, whether corroborative or contradictory to assertions made by management. (Ref: Para. A230–A232) Classes of Transactions, Account Balances and Disclosures that Are Not Significant, but Which Are Material 36. For material classes of transactions, account balances or disclosures that have not been determined to be significant classes of transactions, account balances or disclosures, the auditor shall evaluate whether the auditor’s determination remains appropriate. (Ref: Para. A233–A235) Revision of Risk Assessment 37. If the auditor obtains new information which is inconsistent with the audit evidence on which the auditor originally based the identification or assessments of the risks of material misstatement, the auditor shall revise the identification or assessment. (Ref: Para. A236) Identifying and Assessing the Risks of Material Misstatement 24. The auditor shall identify and assess the risks of material misstatement at: (a) The financial statement level; and (Ref: Para. A98-A101) (b) The assertion level for classes of transactions, account balances, and disclosures, (Ref: Para. A102-A106) to provide a basis for designing and performing further audit procedures. 26. As part of the risk assessment as described in paragraph 24, the auditor shall determine whether any of the risks identified are, in the auditor’s judgment, a significant risk. In exercising this judgment, the auditor shall exclude the effects of identified controls related to the risk. 27. In exercising judgment as to which risks are significant risks, the auditor shall consider at least the following: (a) Whether the risk is a risk of fraud; (b) Whether the risk is related to recent significant economic, accounting or other developments and, therefore, requires specific attention; (c) The complexity of transactions; (d) Whether the risk involves significant transactions with related parties; (e) The degree of subjectivity in the measurement of financial information related to the risk, especially those measurements involving a wide range of measurement uncertainty; and Page 8 of 46 (f) Whether the risk involves significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual. (Ref: Para. A112-A116) Documentation 38. The auditor shall include in the audit documentation:13 (Ref: Para. A237–A241) (a) The discussion among the engagement team and the significant decisions reached; (b) Key elements of the auditor’s understanding in accordance with paragraphs 19, 21, 22, 24 and 25; the sources of information from which the auditor’s understanding was obtained; and the risk assessment procedures performed; (c) The evaluation of the design of identified controls, and determination whether such controls have been implemented, in accordance with the requirements in paragraph 26; and (d) The identified and assessed risks of material misstatement at the financial statement level and at the assertion level, including significant risks and risks for which substantive procedures alone cannot provide sufficient appropriate audit evidence, and the rationale for the significant judgments made. Explanatory Materials Obtaining an Understanding of the Entity’s System of Internal Control (Ref: Para. 21‒27) (Appendix 3 further describes the nature of the entity’s system of internal control and inherent limitations of internal control, respectively. Appendix 3 also provides further explanation of the components of a system of internal control for the purposes of the ISAs.) A90. The auditor’s understanding of the entity’s system of internal control is obtained through risk assessment procedures performed to understand and evaluate each of the components of the system of internal control as set out in paragraphs 21 to 27. A91. The components of the entity’s system of internal control for the purpose of this ISA may not necessarily reflect how an entity designs, implements and maintains its system of internal control, or how it may classify any particular component. Entities may use different terminology or frameworks to describe the various aspects of the system of internal control. For the purpose of an audit, auditors may also use different terminology or frameworks provided all the components described in this ISA are addressed. Scalability A92. The way in which the entity’s system of internal control is designed, implemented and maintained varies with an entity’s size and complexity. For example, less complex entities may use less structured or simpler controls (i.e., policies and procedures) to achieve their objectives. Considerations Specific to Public Sector Entities A93. Auditors of public sector entities often have additional responsibilities with respect to internal control, for example, to report on compliance with an established code of practice or reporting on spending against budget. Auditors of public sector entities may also have responsibilities to report on compliance with law, regulation or other authority. As a result, their considerations about the system of internal control may be broader and more detailed. Information Technology in the Components of the Entity’s System of Internal Control (Appendix 5 provides further guidance on understanding the entity’s use of IT in the components of the system of internal control.) Page 9 of 46 A94. The overall objective and scope of an audit does not differ whether an entity operates in a mainly manual environment, a completely automated environment, or an environment involving some combination of manual and automated elements (i.e., manual and automated controls and other resources used in the entity’s system of internal control). Understanding the Nature of the Components of the Entity’s System of Internal Control A95. In evaluating the effectiveness of the design of controls and whether they have been implemented (see paragraphs A175 to A181) the auditor’s understanding of each of the components of the entity’s system of internal control provides a preliminary understanding of how the entity identifies business risks and how it responds to them. It may also influence the auditor’s identification and assessment of the risks of material misstatement in different ways (see paragraph A86). This assists the auditor in designing and performing further audit procedures, including any plans to test the operating effectiveness of controls. For example: The auditor’s understanding of the entity’s control environment, the entity’s risk assessment process, and the entity’s process to monitor controls components are more likely to affect the identification and assessment of risks of material misstatement at the financial statement level. The auditor’s understanding of the entity’s information system and communication, and the entity’s control activities component, are more likely to affect the identification and assessment of risks of material misstatement at the assertion level. Control Environment, The Entity’s Risk Assessment Process and the Entity’s Process to Monitor the System of Internal Control (Ref: Para. 21–24) A96. The controls in the control environment, the entity’s risk assessment process and the entity’s process to monitor the system of internal control are primarily indirect controls (i.e., controls that are not sufficiently precise to prevent, detect or correct misstatements at the assertion level but which support other controls and may therefore have an indirect effect on the likelihood that a misstatement will be detected or prevented on a timely basis). However, some controls within these components may also be direct controls. Why the auditor is required to understand the control environment, the entity’s risk assessment process and the entity’s process to monitor the system of internal control A97. The control environment provides an overall foundation for the operation of the other components of the system of internal control. The control environment does not directly prevent, or detect and correct, misstatements. It may, however, influence the effectiveness of controls in the other components of the system of internal control. Similarly, the entity’s risk assessment process and its process for monitoring the system of internal control are designed to operate in a manner that also supports the entire system of internal control. A98. Because these components are foundational to the entity’s system of internal control, any deficiencies in their operation could have pervasive effects on the preparation of the financial statements. Therefore, the auditor’s understanding and evaluations of these components affect the auditor’s identification and assessment of risks of material misstatement at the financial statement level, and may also affect the identification and assessment of risks of material misstatement at the assertion level. Risks of material misstatement at the financial statement level affect the auditor’s design of overall responses, including, as explained in ISA 330, an influence on the nature, timing and extent of the auditor’s further procedures.35 Obtaining an understanding of the control environment (Ref: Para. 21) Scalability Page 10 of 46 A99. The nature of the control environment in a less complex entity is likely to be different from the control environment in a more complex entity. For example, those charged with governance in less complex entities may not include an independent or outside member, and the role of governance may be undertaken directly by the owner-manager where there are no other owners. Accordingly, some considerations about the entity’s control environment may be less relevant or may not be applicable. A100. In addition, audit evidence about elements of the control environment in less complex entities may not be available in documentary form, in particular where communication between management and other personnel is informal, but the evidence may still be appropriately relevant and reliable in the circumstances. Examples: The organizational structure in a less complex entity will likely be simpler and may include a small number of employees involved in roles related to financial reporting. If the role of governance is undertaken directly by the owner-manager, the auditor may determine that the independence of those charged with governance is not relevant. Less complex entities may not have a written code of conduct but, instead, develop a culture that emphasizes the importance of integrity and ethical behaviour through oral communication and by management example. Consequently, the attitudes, awareness and actions of management or the owner-manager are of particular importance to the auditor’s understanding of a less complex entity’s control environment. Understanding the control environment (Ref: Para. 21(a)) A101. Audit evidence for the auditor’s understanding of the control environment may be obtained through a combination of inquiries and other risk assessment procedures (i.e., corroborating inquiries through observation or inspection of documents). A102. In considering the extent to which management demonstrates a commitment to integrity and ethical values, the auditor may obtain an understanding through inquiries of management and employees, and through considering information from external sources, about: How management communicates to employees its views on business practices and ethical behavior; and Inspecting management’s written code of conduct and observing whether management acts in a manner that supports that code. Evaluating the control environment (Ref: Para. 21(b)) Why the auditor evaluates the control environment A103. The auditor’s evaluation of how the entity demonstrates behavior consistent with the entity’s commitment to integrity and ethical values; whether the control environment provides an appropriate foundation for the other components of the entity’s system of internal control; and whether any identified control deficiencies undermine the other components of the system of internal control, assists the auditor in identifying potential issues in the other components of the system of internal control. This is because the control environment is foundational to the other components of the entity’s system of internal control. This evaluation may also assist the auditor in understanding risks faced by the entity and therefore in identifying and assessing the risks of material misstatement at the financial statement and assertion levels (see paragraph A86). The auditor’s evaluation of the control environment A105. Some entities may be dominated by a single individual who may exercise a great deal of discretion. The actions and attitudes of that individual may have a pervasive effect on the culture of the Page 11 of 46 entity, which in turn may have a pervasive effect on the control environment. Such an effect may be positive or negative. Example: Direct involvement by a single individual may be key to enabling the entity to meet its growth and other objectives, and can also contribute significantly to an effective system of internal control. On the other hand, such concentration of knowledge and authority can also lead to an increased susceptibility to misstatement through management override of controls. A106. The auditor may consider how the different elements of the control environment may be influenced by the philosophy and operating style of senior management taking into account the involvement of independent members of those charged with governance. A107. Although the control environment may provide an appropriate foundation for the system of internal control and may help reduce the risk of fraud, an appropriate control environment is not necessarily an effective deterrent to fraud. Example: Human resource policies and procedures directed toward hiring competent financial, accounting, and IT personnel may mitigate the risk of errors in processing and recording financial information. However, such policies and procedures may not mitigate the override of controls by senior management (e.g., to overstate earnings). A108. The auditor’s evaluation of the control environment as it relates to the entity’s use of IT may include such matters as: Whether governance over IT is commensurate with the nature and complexity of the entity and its business operations enabled by IT, including the complexity or maturity of the entity’s technology platform or architecture and the extent to which the entity relies on IT applications to support its financial reporting. The management organizational structure regarding IT and the resources allocated (for example, whether the entity has invested in an appropriate IT environment and necessary enhancements, or whether a sufficient number of appropriately skilled individuals have been employed including when the entity uses commercial software (with no or limited modifications)). Obtaining an understanding of the entity’s risk assessment process (Ref: Para. 22–23) Understanding the entity’s risk assessment process (Ref: Para. 22(a)) A109. As explained in paragraph A62, not all business risks give rise to risks of material misstatement. In understanding how management and those charged with governance have identified business risks relevant to the preparation of the financial statements, and decided about actions to address those risks, matters the auditor may consider include how management or, as appropriate, those charged with governance, has: Specified the entity’s objectives with sufficient precision and clarity to enable the identification and assessment of the risks relating to the objectives; Identified the risks to achieving the entity’s objectives and analyzed the risks as a basis for determining how the risks should be managed; and Considered the potential for fraud when considering the risks to achieving the entity’s objectives. Evaluating the entity’s risk assessment process (Ref: Para. 22(b)) Why the auditor evaluates whether the entity’s risk assessment process is appropriate A111. The auditor’s evaluation of the entity’s risk assessment process may assist the auditor in understanding where the entity has identified risks that may occur, and how the entity has responded to Page 12 of 46 those risks. The auditor’s evaluation of how the entity identifies its business risks, and how it assesses and addresses those risks assists the auditor in understanding whether the risks faced by the entity have been identified, assessed and addressed as appropriate to the nature and complexity of the entity. This evaluation may also assist the auditor with identifying and assessing financial statement level and assertion level risks of material misstatement (see paragraph A86). Evaluating whether the entity’s risk assessment process is appropriate (Ref: Para. 22(b)) A112. The auditor’s evaluation of the appropriateness of the entity’s risk assessment process is based on the understanding obtained in accordance with paragraph 22(a). Scalability A113. Whether the entity’s risk assessment process is appropriate to the entity’s circumstances considering the nature and complexity of the entity is a matter of the auditor’s professional judgment. Example: In some less complex entities, and particularly owner-managed entities, an appropriate risk assessment may be performed through the direct involvement of management or the owner-manager (e.g., the manager or owner-manager may routinely devote time to monitoring the activities of competitors and other developments in the market place to identify emerging business risks). The evidence of this risk assessment occurring in these types of entities is often not formally documented, but it may be evident from the discussions the auditor has with management that management are in fact performing risk assessment procedures. Obtaining an understanding of the entity’s process to monitor the entity’s system of internal control (Ref: Para. 24) Scalability A114. In less complex entities, and in particular owner-manager entities, the auditor’s understanding of the entity’s process to monitor the system of internal control is often focused on how management or the owner-manager is directly involved in operations, as there may not be any other monitoring activities. Example: Management may receive complaints from customers about inaccuracies in their monthly statement that alerts the owner-manager to issues with the timing of when customer payments are being recognized in the accounting records. A115. For entities where there is no formal process for monitoring the system of internal control, understanding the process to monitor the system of internal control may include understanding periodic reviews of management accounting information that are designed to contribute to how the entity prevents or detects misstatements. Understanding the entity’s process to monitor the system of internal control (Ref: Para. 24(a)) A116. Matters that may be relevant for the auditor to consider when understanding how the entity monitors its system of internal control include: The design of the monitoring activities, for example whether it is periodic or ongoing monitoring; The performance and frequency of the monitoring activities; The evaluation of the results of the monitoring activities, on a timely basis, to determine whether the controls have been effective; and Page 13 of 46 How identified deficiencies have been addressed through appropriate remedial actions, including timely communication of such deficiencies to those responsible for taking remedial action. A117. The auditor may also consider how the entity’s process to monitor the system of internal control addresses monitoring information processing controls that involve the use of IT. This may include, for example: Controls to monitor complex IT environments that: o Evaluate the continuing design effectiveness of information processing controls and modify them, as appropriate, for changes in conditions; or o Evaluate the operating effectiveness of information processing controls. Controls that monitor the permissions applied in automated information processing controls that enforce the segregation of duties. Controls that monitor how errors or control deficiencies related to the automation of financial reporting are identified and addressed. Understanding the entity’s internal audit function (Ref: Para. 24(a)(ii)) (Appendix 4 sets out further considerations for understanding the entity’s internal audit function.) A118. The auditor’s inquiries of appropriate individuals within the internal audit function help the auditor obtain an understanding of the nature of the internal audit function’s responsibilities. If the auditor determines that the function’s responsibilities are related to the entity’s financial reporting, the auditor may obtain further understanding of the activities performed, or to be performed, by the internal audit function by reviewing the internal audit function’s audit plan for the period, if any, and discussing that plan with the appropriate individuals within the function. This understanding, together with the information obtained from the auditor’s inquiries, may also provide information that is directly relevant to the auditor’s identification and assessment of the risks of material misstatement. If, based on the auditor’s preliminary understanding of the internal audit function, the auditor expects to use the work of the internal audit function to modify the nature or timing, or reduce the extent, of audit procedures to be performed, ISA 610 (Revised 2013), Using the Work of Internal Auditors , applies. Other sources of information used in the entity’s process to monitor the system of internal control Understanding the sources of information (Ref: Para. 24(b)) A119. Management’s monitoring activities may use information in communications from external parties such as customer complaints or regulator comments that may indicate problems or highlight areas in need of improvement. Why the auditor is required to understand the sources of information used for the entity’s monitoring of the system of internal control A120. The auditor’s understanding of the sources of information used by the entity in monitoring the entity’s system of internal control, including whether the information used is relevant and reliable, assists the auditor in evaluating whether the entity’s process to monitor the entity’s system of internal control is appropriate. If management assumes that information used for monitoring is relevant and reliable without having a basis for that assumption, errors that may exist in the information could potentially lead management to draw incorrect conclusions from its monitoring activities. Evaluating the entity’s process to monitor the system of internal control (Ref: Para 24(c)) Why the auditor evaluates whether the entity’s process to monitor the system of internal control is appropriate A121. The auditor’s evaluation about how the entity undertakes ongoing and separate evaluations for monitoring the effectiveness of controls assists the auditor in understanding whether the other Page 14 of 46 components of the entity’s system of internal control are present and functioning, and therefore assists with understanding the other components of the entity’s system of internal control. This evaluation may also assist the auditor with identifying and assessing financial statement level and assertion level risks of material misstatement (see paragraph A86). Information System and Communication, and Control Activities (Ref: Para. 25‒26) A123. The controls in the information system and communication, and control activities components are primarily direct controls (i.e., controls that are sufficiently precise to prevent, detect or correct misstatements at the assertion level). Why the auditor Is required to understand the information system and communication and controls in the control activities component A124. The auditor is required to understand the entity’s information system and communication because understanding the entity’s policies that define the flows of transactions and other aspects of the entity’s information processing activities relevant to the preparation of the financial statements, and evaluating whether the component appropriately supports the preparation of the entity’s financial statements, supports the auditor’s identification and assessment of risks of material misstatement at the assertion level. This understanding and evaluation may also result in the identification of risks of material misstatement at the financial statement level when the results of the auditor’s procedures are inconsistent with expectations about the entity’s system of internal control that may have been set based on information obtained during the engagement acceptance or continuance process (see paragraph A86). A125. The auditor is required to identify specific controls in the control activities component, and evaluate the design and determine whether the controls have been implemented, as it assists the auditor’s understanding about management’s approach to addressing certain risks and therefore provides a basis for the design and performance of further audit procedures responsive to these risks as required by ISA 330. The higher on the spectrum of inherent risk a risk is assessed, the more persuasive the audit evidence needs to be. Even when the auditor does not plan to test the operating effectiveness of identified controls, the auditor’s understanding may still affect the design of the nature, timing and extent of substantive audit procedures that are responsive to the related risks of material misstatement. The iterative nature of the auditor’s understanding and evaluation of the information system and communication, and control activities A126. As explained in paragraph A49, the auditor’s understanding of the entity and its environment, and the applicable financial reporting framework, may assist the auditor in developing initial expectations about the classes of transactions, account balances and disclosures that may be significant classes of transactions, account balances and disclosures. In obtaining an understanding of the information system and communication component in accordance with paragraph 25(a), the auditor may use these initial expectations for the purpose of determining the extent of understanding of the entity’s information processing activities to be obtained. A127. The auditor’s understanding of the information system includes understanding the policies that define flows of information relating to the entity’s significant classes of transactions, account balances, and disclosures, and other related aspects of the entity’s information processing activities. This information, and the information obtained from the auditor’s evaluation of the information system may confirm or further influence the auditor’s expectations about the significant classes of transactions, account balances and disclosures initially identified (see paragraph A126). A128. In obtaining an understanding of how information relating to significant classes of transactions, account balances and disclosures flows into, through, and out of the entity’s information system, the auditor may also identify controls in the control activities component that are required to be identified in accordance with paragraph 26(a). The auditor’s identification and evaluation of controls in the control Page 15 of 46 activities component may first focus on controls over journal entries and controls that the auditor plans to test the operating effectiveness of in designing the nature, timing and extent of substantive procedures. A129. The auditor’s assessment of inherent risk may also influence the identification of controls in the control activities component. For example, the auditor’s identification of controls relating to significant risks may only be identifiable when the auditor has assessed inherent risk at the assertion level in accordance with paragraph 31. Furthermore, controls addressing risks for which the auditor has determined that substantive procedures alone do not provide sufficient appropriate audit evidence (in accordance with paragraph 33) may also only be identifiable once the auditor’s inherent risk assessments have been undertaken. A130. The auditor’s identification and assessment of risks of material misstatement at the assertion level is influenced by both the auditor’s: Understanding of the entity’s policies for its information processing activities in the information system and communication component, and Identification and evaluation of controls in the control activities component. Obtaining an understanding of the information system and communication (Ref: Para. 25) (Appendix 3, Paragraphs 15–19, sets out further considerations relating to the information system and communication.) Scalability A131. The information system, and related business processes, in less complex entities are likely to be less sophisticated than in larger entities, and are likely to involve a less complex IT environment; however, the role of the information system is just as important. Less complex entities with direct management involvement may not need extensive descriptions of accounting procedures, sophisticated accounting records, or written policies. Understanding the relevant aspects of the entity’s information system may therefore require less effort in an audit of a less complex entity, and may involve a greater amount of inquiry than observation or inspection of documentation. The need to obtain an understanding, however, remains important to provide a basis for the design of further audit procedures in accordance with ISA 330 and may further assist the auditor in identifying or assessing risks of material misstatement (see paragraph A86). Obtaining an understanding of the information system (Ref: Para. 25(a)) A132. Included within the entity’s system of internal control are aspects that relate to the entity’s reporting objectives, including its financial reporting objectives, but may also include aspects that relate to its operations or compliance objectives, when such aspects are relevant to financial reporting. Understanding how the entity initiates transactions and captures information as part of the auditor’s understanding of the information system may include information about the entity’s systems (its policies) designed to address compliance and operations objectives because such information is relevant to the preparation of the financial statements. Further, some entities may have information systems that are highly integrated such that controls may be designed in a manner to simultaneously achieve financial reporting, compliance and operational objectives, and combinations thereof. A133. Understanding the entity’s information system also includes an understanding of the resources to be used in the entity’s information processing activities. Information about the human resources involved that may be relevant to understanding risks to the integrity of the information system include: The competence of the individuals undertaking the work; Whether there are adequate resources; and Whether there is appropriate segregation of duties. Page 16 of 46 A134. Matters the auditor may consider when understanding the policies that define the flows of information relating to the entity’s significant classes of transactions, account balances, and disclosures in the information system and communication component include the nature of: (a) The data or information relating to transactions, other events and conditions to be processed; (b) The information processing to maintain the integrity of that data or information; and (c) The information processes, personnel and other resources used in the information processing process. A135. Obtaining an understanding of the entity’s business processes, which include how transactions are originated, assists the auditor in obtaining an understanding of the entity’s information system in a manner that is appropriate to the entity’s circumstances. A136. The auditor’s understanding of the information system may be obtained in various ways and may include: Inquiries of relevant personnel about the procedures used to initiate, record, process and report transactions or about the entity’s financial reporting process; Inspection of policy or process manuals or other documentation of the entity’s information system; Observation of the performance of the policies or procedures by entity’s personnel; or Selecting transactions and tracing them through the applicable process in the information system (i.e., performing a walk-through). Automated tools and techniques A137. The auditor may also use automated techniques to obtain direct access to, or a digital download from, the databases in the entity’s information system that store accounting records of transactions. By applying automated tools or techniques to this information, the auditor may confirm the understanding obtained about how transactions flow through the information system by tracing journal entries, or other digital records related to a particular transaction, or an entire population of transactions, from initiation in the accounting records through to recording in the general ledger. Analysis of complete or large sets of transactions may also result in the identification of variations from the normal, or expected, processing procedures for these transactions, which may result in the identification of risks of material misstatement. Information obtained from outside of the general and subsidiary ledgers A138. Financial statements may contain information that is obtained from outside of the general and subsidiary ledgers. Examples of such information that the auditor may consider include: Information obtained from lease agreements relevant to disclosures in the financial statements. Information disclosed in the financial statements that is produced by an entity’s risk management system. Fair value information produced by management’s experts and disclosed in the financial statements. Information disclosed in the financial statements that has been obtained from models, or from other calculations used to develop accounting estimates recognized or disclosed in the financial statements, including information relating to the underlying data and assumptions used in those models, such as: o Assumptions developed internally that may affect an asset’s useful life; or o Data such as interest rates that are affected by factors outside the control of the entity. Information disclosed in the financial statements about sensitivity analyses derived from financial models that demonstrates that management has considered alternative assumptions. Page 17 of 46 Information recognized or disclosed in the financial statements that has been obtained from an entity’s tax returns and records. Information disclosed in the financial statements that has been obtained from analyses prepared to support management’s assessment of the entity’s ability to continue as a going concern, such as disclosures, if any, related to events or conditions that have been identified that may cast significant doubt on the entity’s ability to continue as a going concern. A139. Certain amounts or disclosures in the entity’s financial statements (such as disclosures about credit risk, liquidity risk, and market risk) may be based on information obtained from the entity’s risk management system. However, the auditor is not required to understand all aspects of the risk management system, and uses professional judgment in determining the necessary understanding. The entity’s use of information technology in the information system Why does the auditor understand the IT environment relevant to the information system A140. The auditor’s understanding of the information system includes the IT environment relevant to the flows of transactions and processing of information in the entity’s information system because the entity’s use of IT applications or other aspects in the IT environment may give rise to risks arising from the use of IT. Understanding the entity’s use of IT A142. The auditor’s understanding of the IT environment may focus on identifying, and understanding the nature and number of, the specific IT applications and other aspects of the IT environment that are relevant to the flows of transactions and processing of information in the information system. Changes in the flow of transactions, or information within the information system may result from program changes to IT applications, or direct changes to data in databases involved in processing, or storing those transactions or information. A143. The auditor may identify the IT applications and supporting IT infrastructure concurrently with the auditor’s understanding of how information relating to significant classes of transactions, account balances and disclosures flows into, through and out the entity’s information system. Obtaining an understanding of the entity’s communication (Ref: Para. 25(b)) Scalability A144. In larger, more complex entities, information the auditor may consider when understanding the entity’s communication may come from policy manuals and financial reporting manuals. A145. In less complex entities, communication may be less structured (e.g., formal manuals may not be used) due to fewer levels of responsibility and management’s greater visibility and availability. Regardless of the size of the entity, open communication channels facilitate the reporting of exceptions and acting on them. Control Activities (Ref: Para. 26) Controls in the control activities component (Appendix 3, Paragraphs 20 and 21 set out further considerations relating to control activities.) A147. The control activities component includes controls that are designed to ensure the proper application of policies (which are also controls) in all the other components of the entity’s system of internal control, and includes both direct and indirect controls. Example: Page 18 of 46 The controls that an entity has established to ensure that its personnel are properly counting and recording the annual physical inventory relate directly to the risks of material misstatement relevant to the existence and completeness assertions for the inventory account balance. A148. The auditor’s identification and evaluation of controls in the control activities component is focused on information processing controls, which are controls applied during the processing of information in the entity’s information system that directly address risks to the integrity of information (i.e., the completeness, accuracy and validity of transactions and other information). However, the auditor is not required to identify and evaluate all information processing controls related to the entity’s policies that define the flows of transactions and other aspects of the entity’s information processing activities for the significant classes of transactions, account balances and disclosures. A149. There may also be direct controls that exist in the control environment, the entity’s risk assessment process or the entity’s process to monitor the system of internal control, which may be identified in accordance with paragraph 26. However, the more indirect the relationship between controls that support other controls and the control that is being considered, the less effective that control may be in preventing, or detecting and correcting, related misstatements. Example: A sales manager’s review of a summary of sales activity for specific stores by region ordinarily is only indirectly related to the risks of material misstatement relevant to the completeness assertion for sales revenue. Accordingly, it may be less effective in addressing those risks than controls more directly related thereto, such as matching shipping documents with billing documents. A150. Paragraph 26 also requires the auditor to identify and evaluate general IT controls for IT applications and other aspects of the IT environment that the auditor has determined to be subject to risks arising from the use of IT, because general IT controls support the continued effective functioning of information processing controls. A general IT control alone is typically not sufficient to address a risk of material misstatement at the assertion level. A151. The controls that the auditor is required to identify and evaluate the design, and determine the implementation of, in accordance with paragraph 26 are those: Controls which the auditor plans to test the operating effectiveness of in determining the nature, timing and extent of substantive procedures. The evaluation of such controls provides the basis for the auditor’s design of test of control procedures in accordance with ISA 330. These controls also include controls that address risks for which substantive procedures alone do not provide sufficient appropriate audit evidence. Controls include controls that address significant risks and controls over journal entries. The auditor’s identification and evaluation of such controls may also influence the auditor’s understanding of the risks of material misstatement, including the identification of additional risks of material misstatement (see paragraph A95). This understanding also provides the basis for the auditor’s design of the nature, timing and extent of substantive audit procedures that are responsive to the related assessed risks of material misstatement. Other controls that the auditor considers are appropriate to enable the auditor to meet the objectives of paragraph 13 with respect to risks at the assertion level, based on the auditor’s professional judgment. A152. Controls in the control activities component are required to be identified when such controls meet one or more of the criteria included in paragraph 26(a). However, when multiple controls each achieve the same objective, it is unnecessary to identify each of the controls related to such objective. Types of controls in the control activities component (Ref: Para. 26) Page 19 of 46 A153. Examples of controls in the control activities component include authorizations and approvals, reconciliations, verifications (such as edit and validation checks or automated calculations), segregation of duties, and physical or logical controls, including those addressing safeguarding of assets. A154. Controls in the control activities component may also include controls established by management that address risks of material misstatement related to disclosures not being prepared in accordance with the applicable financial reporting framework. Such controls may relate to information included in the financial statements that is obtained from outside of the general and subsidiary ledgers. A155. Regardless of whether controls are within the IT environment or manual systems, controls may have various objectives and may be applied at various organizational and functional levels. Scalability (Ref: Para. 26) A156. Controls in the control activities component for less complex entities are likely to be similar to those in larger entities, but the formality with which they operate may vary. Further, in less complex entities, more controls may be directly applied by management. Example: Management’s sole authority for granting credit to customers and approving significant purchases can provide strong control over important account balances and transactions. A157. It may be less practicable to establish segregation of duties in less complex entities that have fewer employees. However, in an owner-managed entity, the owner-manager may be able to exercise more effective oversight through direct involvement than in a larger entity, which may compensate for the generally more limited opportunities for segregation of duties. Although, as also explained in ISA 240, domination of management by a single individual can be a potential control deficiency since there is an opportunity for management override of controls. Controls that address risks of material misstatement at the assertion level (Ref: Para. 26(a)) Controls that address risks that are determined to be a significant risk (Ref: Para. 26(a)(i)) A158. Regardless of whether the auditor plans to test the operating effectiveness of controls that address significant risks, the understanding obtained about management’s approach to addressing those risks may provide a basis for the design and performance of substantive procedures responsive to significant risks as required by ISA 330. Although risks relating to significant non-routine or judgmental matters are often less likely to be subject to routine controls, management may have other responses intended to deal with such risks. Accordingly, the auditor’s understanding of whether the entity has designed and implemented controls for significant risks arising from non-routine or judgmental matters may include whether and how management responds to the risks. Such responses may include: Controls, such as a review of assumptions by senior management or experts. Documented processes for accounting estimations. Approval by those charged with governance. Example: Where there are one-off events such as the receipt of a notice of a significant lawsuit, consideration of the entity’s response may include such matters as whether it has been referred to appropriate experts (such as internal or external legal counsel), whether an assessment has been made of the potential effect, and how it is proposed that the circumstances are to be disclosed in the financial statements. A159. ISA 240 requires the auditor to understand controls related to assessed risks of material misstatement due to fraud (which are treated as significant risks), and further explains that it is important for the auditor to obtain an understanding of the controls that management has designed, implemented and maintained to prevent and detect fraud. Page 20 of 46 Controls over journal entries (Ref: Para. 26(a)(ii)) A160. Controls that address risks of material misstatement at the assertion level that are expected to be identified for all audits are controls over journal entries, because the manner in which an entity incorporates information from transaction processing into the general ledger ordinarily involves the use of journal entries, whether standard or non-standard, or automated or manual. The extent to which other controls are identified may vary based on the nature of the entity and the auditor’s planned approach to further audit procedures. Example: In an audit of a less complex entity, the entity’s information system may not be complex and the auditor may not plan to rely on the operating effectiveness of controls. Further, the auditor may not have identified any significant risks or any other risks of material misstatement for which it is necessary for the auditor to evaluate the design of controls and determine that they have been implemented. In such an audit, the auditor may determine that there are no identified controls other than the entity’s controls over journal entries. Automated tools and techniques A161. In manual general ledger systems, non-standard journal entries may be identified through inspection of ledgers, journals, and supporting documentation. When automated procedures are used to maintain the general ledger and prepare financial statements, such entries may exist only in electronic form and may therefore be more easily identified through the use of automated techniques. Example: In the audit of a less complex entity, the auditor may be able to extract a total listing of all journal entries into a simple spreadsheet. It may then be possible for the auditor to sort the journal entries by applying a variety of filters such as currency amount, name of the preparer or reviewer, journal entries that gross up the balance sheet and income statement only, or to view the listing by the date the journal entry was posted to the general ledger, to assist the auditor in designing responses to the risks identified relating to journal entries. Controls for which the auditor plans to test the operating effectiveness (Ref: Para. 26(a)(iii)) A162. The auditor determines whether there are any risks of material misstatement at the assertion level for which it is not possible to obtain sufficient appropriate audit evidence through substantive procedures alone. The auditor is required, in accordance with ISA 330, to design and perform tests of controls that address such risks of material misstatement when substantive procedures alone do not provide sufficient appropriate audit evidence at the assertion level. As a result, when such controls exist that address these risks, they are required to be identified and evaluated. A163. In other cases, when the auditor plans to take into account the operating effectiveness of controls in determining the nature, timing and extent of substantive procedures in accordance with ISA 330, such controls are also required to be identified because ISA 330 requires the auditor to design and perform tests of those controls. Examples: The auditor may plan to test the operating effectiveness of controls: Over routine classes of transactions because such testing may be more effective or efficient for large volumes of homogenous transactions. Over the completeness and accuracy of information produced by the entity (e.g., controls over the preparation of system-generated reports), to determine the reliability of that information, when the auditor intends to take into account the operating effectiveness of those controls in designing and performing further audit procedures. Page 21 of 46 Relating to operations and compliance objectives when they relate to data the auditor evaluates or uses in applying audit procedures. A164. The auditor’s plans to test the operating effectiveness of controls may also be influenced by the identified risks of material misstatement at the financial statement level. For example, if deficiencies are identified related to the control environment, this may affect the auditor’s overall expectations about the operating effectiveness of direct controls. Other controls that the auditor considers appropriate (Ref: Para. 26(a)(iv)) A165. Other controls that the auditor may consider are appropriate to identify, and evaluate the design and determine the implementation, may include: Controls that address risks assessed as higher on the spectrum of inherent risk but have not been determined to be a significant risk; Controls related to reconciling detailed records to the general ledger; or Complementary user entity controls, if using a service organization. Identifying IT applications and other aspects of the IT environment, risks arising from the use of IT and general IT controls (Ref: Para. 26(b)‒(c)) (Appendix 5 includes example characteristics of IT applications and other aspects of the IT environment, and guidance related to those characteristics, that may be relevant in identifying IT applications and other aspects of the IT environment subject to risks arising from the use of IT.) Identifying IT applications and other aspects of the IT environment (Ref: Para. 26(b)) Why the auditor identifies risks arising from the use of IT and general IT controls related to identified IT applications and other aspects of the IT environment A166. Understanding the risks arising from the use of IT and the general IT controls implemented by the entity to address those risks may affect: The auditor’s decision about whether to test the operating effectiveness of controls to address risks of material misstatement at the assertion level; Example: When general IT controls are not designed effectively or appropriately implemented to address risks arising from the use of IT (e.g., controls do not appropriately prevent or detect unauthorized program changes or unauthorized access to IT applications), this may affect the auditor’s decision to rely on automated controls within the affected IT applications. The auditor’s assessment of control risk at the assertion level; Example: The ongoing operating effectiveness of an information processing control may depend on certain general IT controls that prevent or detect unauthorized program changes to the IT information processing control (i.e., program change controls over the related IT application). In such circumstances, the expected operating effectiveness (or lack thereof) of the general IT control may affect the auditor’s assessment of control risk (e.g., control risk may be higher when such general IT controls are expected to be ineffective or if the auditor does not plan to test the general IT controls). The auditor’s strategy for testing information produced by the entity that is produced by or involves information from the entity’s IT applications; Example: When information produced by the entity to be used as audit evidence is produced by IT applications, the auditor may determine to test controls over system-generated reports, including identification and testing of the general IT controls that address risks of inappropriate or unauthorized program changes or direct data changes to the reports. Page 22 of 46 The auditor’s assessment of inherent risk at the assertion level; or Example: When there are significant or extensive programming changes to an IT application to address new or revised reporting requirements of the applicable financial reporting framework, this may be an indicator of the complexity of the new requirements and their effect on the entity’s financial statements. When such extensive programming or data changes occur, the IT application is also likely to be subject to risks arising from the use of IT. The design of further audit procedures. Example: If information processing controls depend on general IT controls, the auditor may determine to test the operating effectiveness of the general IT controls, which will then require the design of tests of controls for such general IT controls. If, in the same circumstances, the auditor determines not to test the operating effectiveness of the general IT controls, or the general IT controls are expected to be ineffective, the related risks arising from the use of IT may need to be addressed through the design of substantive procedures. However, the risks arising from the use of IT may not be able to be addressed when such risks relate to risks for which substantive procedures alone do not provide sufficient appropriate audit evidence. In such circumstances, the auditor may need to consider the implications for the audit opinion Identifying IT applications that are subject to risks arising from the use of IT A167. For the IT applications relevant to the information system, understanding the nature and complexity of the specific IT processes and general IT controls that the entity has in place may assist the auditor in determining which IT applications the entity is relying upon to accurately process and maintain the integrity of information in the entity’s information system. Such IT applications may be subject to risks arising from the use of IT. A168. Identifying the IT applications that are subject to risks arising from the use of IT involves taking into account controls identified by the auditor because such controls may involve the use of IT or rely on IT. The auditor may focus on whether an IT application includes automated controls that management is relying on and that the auditor has identified, including controls that address risks for which substantive procedures alone do not provide sufficient appropriate audit evidence. The auditor may also consider how information is stored and processed in the information system relating to significant classes of transactions, account balances and disclosures and whether management is relying on general IT controls to maintain the integrity of that information. A169. The controls identified by the auditor may depend on system-generated reports, in which case the IT applications that produce those reports may be subject to risks arising from the use of IT. In other cases, the auditor may not plan to rely on controls over the system-generated reports and plan to directly test the inputs and outputs of such reports, in which case the auditor may not identify the related IT applications as being subject to risks arising from IT. Scalability A170. The extent of the auditor’s understanding of the IT processes, including the extent to which the entity has general IT controls in place, will vary with the nature and the circumstances of the entity and its IT environment, as well as based on the nature and extent of controls identified by the auditor. The number of IT applications that are subject to risks arising from the use of IT also will vary based on these factors. Examples: Page 23 of 46 An entity that uses commercial software and does not have access to the source code to make any program changes is unlikely to have a process for program changes, but may have a process or procedures to configure the software (e.g., the chart of accounts, reporting parameters or thresholds). In addition, the entity may have a process or procedures to manage access to the application (e.g., a designated individual with administrative access to the commercial software). In such circumstances, the entity is unlikely to have or need formalized general IT controls. In contrast, a larger entity may rely on IT to a great extent and the IT environment may involve multiple IT applications and the IT processes to manage the IT environment may be complex (e.g., a dedicated IT department exists that develops and implements program changes and manages access rights), including that the entity has implemented formalized general IT controls over its IT processes. When management is not relying on automated controls or general IT controls to process transactions or maintain the data, and the auditor has not identified any automated controls or other information processing controls (or any that depend on general IT controls), the auditor may plan to directly test any information produced by the entity involving IT and may not identify any IT applications that are subject to risks arising from the use of IT. When management relies on an IT application to process or maintain data and the volume of data is significant, and management relies upon the IT application to perform automated controls that the auditor has also identified, the IT application is likely to be subject to risks arising from the use of IT. A171. When an entity has greater complexity in its IT environment, identifying the IT applications and other aspects of the IT environment, determining the related risks arising from the use of IT, and identifying general IT controls is likely to require the involvement of team members with specialized skills in IT. Such involvement is likely to be essential, and may need to be extensive, for complex IT environments. Identifying other aspects of the IT environment that are subject to risks arising from the use of IT A172. The other aspects of the IT environment that may be subject to risks arising from the use of IT include the network, operating system and databases, and, in certain circumstances, interfaces between IT applications. Other aspects of the IT environment are generally not identified when the auditor does not identify IT applications that are subject to risks arising from the use of IT. When the auditor has identified IT applications that are subject to risks arising from IT, other aspects of the IT environment (e.g., database, operating system, network) are likely to be identified because such aspects support and interact with the identified IT applications. Identifying risks arising from the use of IT and general IT controls (Ref: Para. 26(c)) (Appendix 6 sets out considerations for understanding general IT controls.) A173. In identifying the risks arising from the use of IT, the auditor may consider the nature of the identified IT application or other aspect of the IT environment and the reasons for it being subject to risks arising from the use of IT. For some identified IT applications or other aspects of the IT environment, the auditor may identify applicable risks arising from the use of IT that relate primarily to unauthorized access or unauthorized program changes, as well as that address risks related to inappropriate data changes (e.g., the risk of inappropriate changes to the data through direct database access or the ability to directly manipulate information). A174. The extent and nature of the applicable risks arising from the use of IT vary depending on the nature and characteristics of the identified IT applications and other aspects of the IT environment. Applicable IT risks may result when the entity uses external or internal service providers for identified aspects of its IT environment (e.g., outsourcing the hosting of its IT environment to a third party or using a shared service center for central management of IT processes in a group). Applicable risks arising from the use of IT may also be identified related to cybersecurity. It is more likely that there will be more risks arising from the use of IT when the volume or complexity of automated application controls is higher Page 24 of 46 and management is placing greater reliance on those controls for effective processing of transactions or the effective maintenance of the integrity of underlying information. Evaluating the design, and determining implementation, of identified controls in the control activities component (Ref: Para 26(d)) A175. Evaluating the design of an identified control involves the auditor’s consideration of whether the control, individually or in combination with other controls, is capable of effectively preventing, or detecting and correcting, material misstatements (i.e., the control objective). A176. The auditor determines the implementation of an identified control by establishing that the control exists and that the entity is using it. There is little point in the auditor assessing the implementation of a control that is not designed effectively. Therefore, the auditor evaluates the design of a control first. An improperly designed control may represent a control deficiency. A177. Risk assessment procedures to obtain audit evidence about the design and implementation of identified controls in the control activities component may include: Inquiring of entity personnel. Observing the application of specific controls. Inspecting documents and reports. Inquiry alone, however, is not sufficient for such purposes. A178. The auditor may expect, based on experience from the previous audit or based on current period risk assessment procedures, that management does not have effectively designed or implemented controls to address a significant risk. In such instances, the procedures performed to address the requirement in paragraph 26(d) may consist of determining that such controls have not been effectively designed or implemented. If the results of the procedures indicate that controls have been newly designed or implemented, the auditor is required to perform the procedures in paragraph 26(b)‒(d) on the newly designed or implemented controls. A179. The auditor may conclude that a control, which is effectively designed and implemented, may be appropriate to test in order to take its operating effectiveness into account in designing substantive procedures. However, when a control is not designed or implemented effectively, there is no benefit in testing it. When the auditor plans to test a control, the information obtained about the extent to which the control addresses the risk(s) of material misstatement is an input to the auditor’s control risk assessment at the assertion level. A180. Evaluating the design and determining the implementation of identified controls in the control activities component is not sufficient to test their operating effectiveness. However, for automated controls, the auditor may plan to test the operating effectiveness of automated controls by identifying and testing general IT controls that provide for the consistent operation of an automated control instead of performing tests of operating effectiveness on the automated controls directly. Obtaining audit evidence about the implementation of a manual control at a point in time does not provide audit evidence about the operating effectiveness of the control at other times during the period under audit. Tests of the operating effectiveness of controls, including tests of indirect controls, are further described in ISA 330.45 A181. When the auditor does not plan to test the operating effectiveness of identified controls, the auditor’s understanding may still assist in the design of the nature, timing and extent of substantive audit procedures that are responsive to the related risks of material misstatement. Example: The results of these risk assessment procedures may provide a basis for the auditor’s consideration of possible deviations in a population when designing audit samples. Page 25 of 46 Control Deficiencies Within the Entity’s System of Internal Control (Ref: Para. 27) A182. In performing the evaluations of each of the components of the entity’s system of internal control, the auditor may determine that certain of the entity’s policies in a component are not appropriate to the nature and circumstances of the entity. Such a determination may be an indicator that assists the auditor in identifying control deficiencies. If the auditor has identified one or more control deficiencies, the auditor may consider the effect of those control deficiencies on the design of further audit procedures in accordance with ISA 330. A183. If the auditor has identified one or more control deficiencies, ISA 265, Communicating Deficiencies in Internal Control to Those Charged with Governance and Management, requires the auditor to determine whether, individually or in combination, the deficiencies constitute a significant deficiency. The auditor uses professional judgment in determining whether a deficiency represents a significant control deficiency. Examples: Circumstances that may indicate a significant control deficiency exists include matters such as: The identification of fraud of any magnitude that involves senior management; Identified internal processes that are inadequate relating to the reporting and communication of deficiencies noted by internal audit; Previously communicated deficiencies that are not corrected by management in a timely manner; Failure by management to respond to significant risks, for example, by not implementing controls over significant risks; and The restatement of previously issued financial statements. Identifying and Assessing the Risks of Material Misstatement (Ref: Para. 28‒37) Why the Auditor Identifies and Assesses the Risks of Material Misstatement A184. Risks of material misstatement are identified and assessed by the auditor in order to determine the nature, timing and extent of further audit procedures necessary to obtain sufficient appropriate audit evidence. This evidence enables the auditor to express an opinion on the financial statements at an acceptably low level of audit risk. A185. Information gathered by performing risk assessment procedures is used as audit evidence to provide the basis for the identification and assessment of the risks of material misstatement. For example, the audit evidence obtained when evaluating the design of identified controls and determining whether those controls have been implemented in the control activities component, is used as audit evidence to support the risk assessment. Such evidence also provides a basis for the auditor to design overall responses to address the assessed risks of material misstatement at the financial statement level, as well as designing and performing further audit procedures whose nature, timing and extent are responsive to the assessed risks of material misstatement at the assertion level, in accordance with ISA 330. Identifying Risks of Material Misstatement (Ref: Para. 28) A186. The identification of risks of material misstatement is performed before consideration of any related controls (i.e., the inherent risk), and is based on the auditor’s preliminary consideration of misstatements that have a reasonable possibility of both occurring, and being material if they were to occur. Page 26 of 46 A187. Identifying the risks of material misstatement also provides the basis for the auditor’s determination of relevant assertions, which assists the auditor’s determination of the significant classes of transactions, account balances and disclosures. Assertions Why the Auditor Uses Assertions A188. In identifying and assessing the risks of material misstatement, the auditor uses assertions to consider the different types of potential misstatements that may occur. Assertions for which the auditor has identified related risks of material misstatement are relevant assertions. The Use of Assertions A189. In identifying and assessing the risks of material misstatement, the auditor may use the categories of assertions as described in paragraph A190(a)‒(b) below or may express them differently provided all aspects described below have been covered. The auditor may choose to combine the assertions about classes of transactions and events, and related disclosures, with the assertions about account balances, and related disclosures. A190. Assertions used by the auditor in considering the different types of potential misstatements that may occur may fall into the following categories: (a) Assertions about classes of transactions and events, and related disclosures, for the period under audit: (i) Occurrence—transactions and events that have been recorded or disclosed have occurred, and such transactions and events pertain to the entity. (ii) Completeness—all transactions and events that should have been recorded have been recorded, and all related disclosures that should have been included in the financial statements have been included. (iii) Accuracy—amounts and other data relating to recorded transactions and events have been recorded appropriately, and related disclosures have been appropriately measured and described. (iv) Cutoff—transactions and events have been recorded in the correct accounting period. (v) Classification—transactions and events have been recorded in the proper accounts. (vi) Presentation—transactions and events are appropriately aggregated or disaggregated and clearly described, and related disclosures are relevant and understandable in the context of the requirements of the applicable financial reporting framework. (b) Assertions about account balances, and related disclosures, at the period end: (i) Existence—assets, liabilities and equity interests exist. (ii) Rights and obligations—the entity holds or controls the rights to assets, and liabilities are the obligations of the entity. (iii) Completeness—all assets, liabilities and equity interests that should have been recorded have been recorded, and all related disclosures that should have been included in the financial statements have been included. (iv) Accuracy, valuation and allocation—assets, liabilities and equity interests have been included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments have been appropriately recorded, and related disclosures have been appropriately measured and described. (v) Classification—assets, liabilities and equity interests have been recorded in the proper accounts. (vi) Presentation—assets, liabilities and equity interests are appropriately aggregated or disaggregated and clearly described, and related disclosures are relevant and Page 27 of 46 understandable in the context of the requirements of the applicable financial reporting framework. A191. The assertions described in paragraph A190(a)‒(b) above, adapted as appropriate, may also be used by the auditor in considering the different types of misstatements that may occur in disclosures not directly related to recorded classe

May 28 (AM) - Internal Control and Assessing the Risk of Material Misstatement.pdf

Document Details

Tags

Related

Full Transcript

Upgrade to continue