HLB INTERNATIONAL AUDIT AND ASSURANCE MANUAL
possessing specialist information technology or other skills required by the engagement team.
The extent of the discussion is influenced by the roles, experience and the information needs
of the engagement team. The engagement partner shall determine which matters are to be
communicated to engagement team members not involved in the discussion.
Considerations specific to smaller entities
7.3.14 Many small audits are carried out entirely by the engagement partner (who may be a
sole practitioner). In such situations, it is the engagement partner who, having personally
conducted the planning of the audit, would be responsible for considering the susceptibility of
the entity’s financial statements to material misstatement due to fraud or error.
7.4. The required understanding of the entity and its environment, including the
entity’s internal control
7.4.1 The auditor shall obtain an understanding of the following:
Relevant industry, regulatory, and other external factors, including the applicable financial
reporting framework: The industry in which the entity operates may give rise to specific
risks of material misstatement arising from the nature of the business or the degree of
regulation, e.g. long-term contracts may involve significant estimates of revenues and
costs.
Nature of the entity, including the entity’s selection and application of accounting policies
and considering whether they are appropriate for its business and consistent with the
applicable financial reporting framework and accounting policies used in the relevant
industry: This enables the engagement team to understand the classes of transactions,
account balances and disclosures to be expected in the financial statements, including the
impact of significant and unusual transactions. The nature of the entity includes:
(a) Its operations;
(b) Its ownership and governance structures, including the existence of any
relevant related parties;
(c) The types of investments that the entity is making and plans to make, including
investments in special-purpose entities; and
(d) The way that the entity is structured and how it is financed.
An understanding of the entity’s selection and application of accounting policies
may encompass such matters as:
• The methods the entity uses to account for significant and unusual
transactions.
• The effect of significant accounting policies in controversial or changing
areas for which there is a lack of authoritative guidance or consensus.
• Changes in the entity’s accounting policies.
• Financial reporting standards and laws and regulations that are new to the
entity and when and how the entity will adopt such requirements.
Objectives and strategies, and the related business risks that may result in material
misstatement of the financial statements: In response to the industry, regulatory
requirements and other internal and external factors, the management and those charged
with governance define objectives, which are the overall plans for the entity, and the
strategies, which are the operational approaches, by which the management intends to
7. Identifying and assessing the risks of material misstatement through understanding the entity and its
environment and the auditor’s responses to assessed risk
1st September 2015 21 of 133
achieve its objectives. Business risks result from significant conditions, events,
circumstances and actions or inactions that could adversely affect the entity’s ability to
achieve its objectives and execute its strategies. The auditor needs to identify the
business risks associated with the business as this increases the likelihood of identifying
risks of material misstatements. In the case of smaller entities, where plans and the risk
management process may not usually be documented, the understanding is normally
obtained through inquiries of management and observations of how the entity responds
to such matters.
Measurement and review of the entity’s financial performance: This understanding
enables the auditor to consider whether financial performance pressures can increase the
chance of material misstatements. Smaller entities often do not have processes to
measure and review financial performance. Inquiry of management may reveal that it
relies on certain key indicators for evaluating financial performance and taking
appropriate action. If such enquiry indicates an absence of performance measurement or
review, there may be an increased risk of misstatements not being detected and
corrected.
Internal controls relevant to the audit: The auditor uses the understanding of internal
controls to identify types of potential misstatements, consider factors that affect the risks
of material misstatement, and design the nature, timing and extent of further audit
procedures. The procedures to be used in obtaining an understanding of internal control
are discussed in Chapters 7.5, 7.6 and 7.11.
Appendix II: Factors to consider in understanding the entity and its environment, provides
overall guidance on matters that one may consider in understanding the nature of the entity,
the industry and the regulatory environment in which the entity operates, the objectives and
strategies and related business risks of the entity, and the measurement and review of the
entity’s financial performance.
Appendix III: Conditions and events that may indicate risks of material misstatement, provides
guidance on potential indicators of material risk.
7.5. Identifying and assessing the risk of material misstatement
7.5.1 The auditor shall identify and assess the risks of material misstatement at:
• The financial statement level; and
• The assertion level for classes of transactions, account balances and disclosures to
provide a reliable basis for designing and performing further audit procedures.
7.5.2 For this purpose the auditor shall:
• Identify risks through the process of obtaining an understanding of the entity and its
environment, including relevant controls that relate to the risks, and by considering the
classes of transactions, account balances, and disclosures in the financial statements.
• Assess the identified risks, and evaluate whether they relate more pervasively to the
financial statements as a whole and potentially affect many assertions;
• Relate the identified risks to what can go wrong at the assertion level, taking account of
relevant controls that the auditor intends to test; and
• Consider the likelihood of misstatement, including the possibility of multiple
misstatements, and whether the potential misstatement is of a magnitude that could
result in a material misstatement.
7.5.3 The risk assessment determines the nature, timing and extent of further audit procedures
to be performed.
7.6. Risks of material misstatement at the financial statement level
7.6.1 Risks of material misstatement at the financial statement level refer to risks that relate
pervasively to the financial statements as a whole and potentially affect many assertions. Risks
of this nature are not necessarily risks identifiable with specific assertions at the class of
transactions, account balance, or disclosure level. Rather, they represent circumstances that
may increase the risks of material misstatement at the assertion level, for example, through
management override of control. Financial statement risk may be especially relevant to the
auditor’s consideration of the risks of material misstatement arising from fraud.
7.6.2 Risks at the financial statement level may derive in particular from a deficient control
environment. For example, deficiencies such as management’s lack of competence may have
a more pervasive effect on the financial statements and may require an overall response by
the auditor.
7.6.3 The auditor’s understanding of internal control may raise doubts about the auditability of
an entity’s financial statements. For example:
• Concerns about the integrity of the entity’s management may be so serious as to cause
the auditor to conclude that the risk of management misrepresentation in the financial
statements is such that an audit cannot be conducted.
• Concerns about the condition and reliability of an entity’s records may cause the auditor
to conclude that it is unlikely that sufficient appropriate audit evidence will be available to
support an unmodified opinion on the financial statements.
7.6.4 ISA 705 establishes requirements and provides guidance in determining whether there is
a need for the auditor to express a qualified opinion or disclaim an opinion or, as may be
required in some cases, to withdraw from the engagement where withdrawal is possible under
applicable law or regulation.
Risks of material misstatement at the assertion level
7.6.5 Risks of material misstatement at the assertion level for classes of transactions, account
balances, and disclosures need to be considered because such consideration directly assists
in determining the nature, timing and extent of further audit procedures at the assertion level
necessary to obtain sufficient appropriate audit evidence. In identifying and assessing risks of
material misstatement at the assertion level, the auditor may conclude that the identified risks
relate more pervasively to the financial statements as a whole and potentially affect many
assertions.
The use of assertions
7.6.6 In representing that the financial statements are in accordance with the applicable
financial reporting framework, management implicitly or explicitly makes assertions regarding
the recognition, measurement, presentation and disclosure of the various elements of financial
statements and related disclosures.
7.6.7 Assertions used by the auditor to consider the different types of potential misstatements
that may occur fall into the following three categories and may take the following forms:
Assertions about classes of transactions and events for the period under audit:
• Occurrence – transactions and events that have been recorded have occurred
and pertain to the entity.
• Completeness – all transactions and events that should have been recorded
have been recorded.
• Accuracy – amounts and other data relating to recorded transactions and events
have been recorded appropriately.
• Cut-off – transactions and events have been recorded in the correct accounting
period.
• Classification – transactions and events have been recorded in the proper
accounts.
Assertions about account balances at the period end:
• Existence – assets, liabilities, and equity interests exist.
• Rights and obligations – the entity holds or controls the rights to assets, and
liabilities are the obligations of the entity.
• Completeness – all assets, liabilities and equity interests that should have been
recorded have been recorded.
• Valuation and allocation – assets, liabilities and equity interests are included in
the financial statements at appropriate amounts and any resulting valuation or
allocation adjustments are appropriately recorded.
Assertions about presentation and disclosure:
• Occurrence and rights and obligations – disclosed events, transactions, and other
matters have occurred and pertain to the entity.
• Completeness – all disclosures that should have been included in the financial
statements have been included.
• Classification and understandability – financial information is appropriately
presented and described, and disclosures are clearly expressed.
• Accuracy and valuation – financial and other information are disclosed fairly and
at appropriate amounts.
7.6.8 The auditor may use the assertions as described above or may express them differently
provided all aspects described above have been covered. For example, the auditor may
choose to combine the assertions about transactions and events with the assertions about
account balances.
Relating controls to assertions
7.6.9 In making risk assessments, the auditor may identify controls that are likely to prevent, or
detect and correct, material misstatement in specific assertions. Generally, it is useful to obtain
an understanding of controls and relate them to assertions in the context of processes and
systems in which they exist because individual control activities often do not by themselves
address a risk. Often, only multiple control activities, together with other components of internal
control, will be sufficient to address a risk.
7.6.10 Conversely, some control activities may have a specific effect on an individual assertion
embodied in a particular class of transactions or account balance. For example, the control
activities that an entity established to ensure that its personnel are properly counting and
recording the annual physical inventory relate directly to the existence and completeness
assertions for the inventory account balance.
7.6.11 Controls can either be directly or indirectly related to an assertion. The more indirect the
relationship, the less effective that control may be in preventing, or detecting and correcting,
misstatements in that assertion. For example, a sales manager’s review of a summary of sales
activity for specific stores by region ordinarily is only indirectly related to the completeness
assertion for sales revenue. Accordingly, it may be less effective in reducing risk for that
assertion than controls more directly related to that assertion, such as matching shipping
documents with billing documents.
7.7. Significant risks
7.7.1 As part of the risk assessment, the auditor shall determine whether any of the risks
identified are risks that require special audit consideration. Such risks are defined as
“significant risks”. The determination of significant risks, which arise on most audits, is a matter
for the auditor’s professional judgement. Significant risks often relate to non-routine
transactions and judgemental matters. Non-routine transactions are transactions that are
unusual, either due to their size or nature, and therefore occur infrequently. Judgemental
matters may include the development of accounting estimates for which there is significant
measurement uncertainty. In exercising this judgement, the auditor excludes the effect of
identified controls related to the risk to determine whether the nature of the risk, the likely
magnitude of the potential misstatement including the possibility that the risk may give rise to
multiple misstatements, and the likelihood of the risk occurring are such that they require
special audit consideration. Routine, non-complex transactions that are subject to systematic
processing are less likely to give rise to significant risks because they have lower inherent
risks. On the other hand, significant risks are often derived from business risks that may result
in a material misstatement. In considering the nature of the risks, the auditor considers a
number of matters including the following:
• Whether the risk is a risk of fraud.
• Whether the risk is related to recent significant economic, accounting or other
developments and, therefore, requires specific attention.
• The complexity of transactions.
• Whether the risk involves significant transactions with related parties.
• The degree of subjectivity in the measurement of financial information related to the risk
especially those involving a wide range of measurement uncertainty.
• Whether the risk involves significant transactions that are outside the normal course of
business for the entity, or that otherwise appear to be unusual.
7.7.2 For significant risks, the auditor shall evaluate the design of the entity’s related controls,
including relevant control activities, and determine whether they have been implemented. An
understanding of the entity’s controls related to significant risks is required to provide the team
with adequate information to develop an effective audit approach. Management ought to be
aware of significant risks; however, risks relating to significant non-routine or judgemental
matters are often less likely to be subject to routine controls. Therefore, the team understands
whether the entity has designed and implemented controls for such significant risks.
7.7.3 Such responses might include:
• Control activities such as a review of assumptions by senior management or experts.
• Documented processes for estimations.
• Approval by those charged with governance.
7.7.4 For example, where there are one-off events such as a receipt of a notice of a
significant lawsuit, consideration of an entity’s response may include such matters as whether
it has been referred to appropriate experts, whether an assessment has been made of the
potential effect, and how it is proposed that the circumstances are to be disclosed in the
financial statements.
7.7.5 In some cases management may not have appropriately responded to significant risks of
material misstatement by implementing controls over these significant risks. Failure by
management to implement such controls is an indicator of a significant deficiency in internal
control.
7.8. Risks for which substantive procedures alone do not provide sufficient appropriate
audit evidence
7.8.1 In respect of some risks, the auditor may judge that it is not possible or practicable to
obtain sufficient appropriate audit evidence only from substantive procedures. Such risks may
relate to the inaccurate or incomplete recording of routine and significant classes of
transactions or account balances, the characteristics of which often permit highly automated
processing with little or no manual intervention. In such cases, the entity’s controls over such
risks are relevant to the audit and the auditor shall obtain an understanding of them.
Revision of risk assessment
7.8.2 The auditor’s assessment of the risks of material misstatement at the assertion level may
change during the course of the audit as additional audit evidence is obtained. In particular, the
risk assessment may be based on an expectation that controls are operating effectively. In
performing tests of controls to obtain audit evidence about their operating effectiveness, the
team may obtain audit evidence that controls are not operating effectively at relevant times
during the audit. Similarly, in performing substantive procedures, the team may detect
misstatements in amounts or frequency greater than is consistent with their risk assessments.
In circumstances where the engagement team obtains audit evidence from performing further
audit procedures that tends to contradict the audit evidence on which the team originally based
the assessment, the team should revise the assessment and modify the planned audit
procedures accordingly.
In circumstances where the auditor obtains audit evidence from performing further audit
procedures, or if new information is obtained, either of which is inconsistent with the audit
evidence on which the auditor originally based the assessment, the auditor shall revise the
assessment and modify the further planned audit procedures accordingly.
7.8.3 The assessment of risk should be recorded in form 424 in Part I of the manual.
Internal control
7.8.4 Internal control is the process designed and effected by those charged with governance,
management and other personnel to provide reasonable assurance about the achievement of
the entity’s objectives with regard to reliability of financial reporting, effectiveness and
efficiency of operations and compliance with applicable laws and regulations. Internal control
consists of the following components:
• The control environment;
• The entity’s risk assessment process;
• The information systems, including the related business processes relevant to financial
reporting, and communication;
• Control activities; and
• Monitoring of controls.
7.8.5 The division of internal control into five components provides a useful framework for the
auditor to consider how different aspects of the entity’s internal control may affect the audit.
The auditor’s primary concern is whether, and how, a specific control prevents, or detects and
corrects material misstatements in classes of transactions, account balances, or disclosures,
and their related assertions. It also enables an auditor to:
• Determine whether it is likely to produce a reliable system of accounting.
• Consider management's ability to make the necessary judgements and estimates.
• Assess whether the entity has fulfilled the legal requirement to keep proper accounting
records.
• Identify the incentives and opportunities for misrepresentation or distortion by
management.
• Assess whether management has sufficient reliable information for the effective control of
the business.
• Identify the key indicators and controls.
7.8.6 Smaller entities may use less structured means and simpler processes and procedures
to achieve their objectives.
7.8.7 The auditor shall obtain an understanding of internal control relevant to the audit.
Although most controls relevant to the audit are likely to relate to financial reporting, not all
controls that relate to financial reporting are relevant to the audit. It is a matter of the auditor’s
professional judgement whether a control, individually or in combination with others, is relevant
to the audit.
Appendix IV: Internal Control Components sets out detailed discussions of the internal control
components as they relate to an audit of the financial statements.
Controls relevant to an audit
7.8.8 The entity’s controls relate to financial reporting, operations and compliance.
However, not all the controls are relevant to the auditor’s risk assessment. ISA 315 requires
the team to evaluate, for significant risks, the design of the entity’s related controls including
relevant control activities, and determine whether they have been implemented. The auditor
shall consider whether the control, individually or in combination with other controls, is capable
of effectively preventing, or detecting and correcting material misstatement. It also requires the
auditor to identify areas where controls cannot possibly or practicably reduce the risks of
material misstatements at the assertion level to an acceptably low level, with the auditor having
to rely on substantive procedures to obtain the necessary audit evidence.
7.8.9 Usually, the controls relevant to an audit are those relating to the entity’s objective of
preparing financial statements for external purposes that give a true and fair view in
accordance with the applicable financial reporting framework and the management of risk that
may give rise to a material misstatement.
7.8.10 Of great importance will be boundary controls, which are controls designed to ensure
that all exchanges with third parties are properly recorded, and provide assurance on the
completeness and accuracy of the initial recording of transactions and guard against the
possibility that transactions are not recorded at all or are duplicated. The controls over
completeness and accuracy of information may be relevant if the engagement team intends to
make use of the information in designing and performing further audit procedures, while
controls over safeguarding of assets against unauthorised acquisition, use or disposal may be
relevant in relation to financial reporting.
7.8.11 Controls relating to operations and compliance may only be relevant if they pertain to
the data the engagement team evaluates and uses in applying audit procedures. Examples of
such controls could include statistical data of production, which the engagement team plans to
use in analytical procedures, or controls designed to detect non-compliance with laws and
regulations, including the tax legislation, which may have a material effect on the financial
statements.
7.8.12 The following are some of the types of controls the engagement team may need to
evaluate:
Management controls
• Management controls and reviews by independent persons are designed to detect
errors. Examples include reviewing financial information, exception reports and
reconciliations.
• Management controls also include authorisation, which is the approving of all
transactions by a responsible person. In smaller entities, each transaction may be
individually authorised. In larger entities, the authorisation procedures may be more
broadly based e.g. an approved budget within which the budget holder can
authorise the expenditure, or an assistant authorising an order from customers
within the authorised parameters of prices and quantities.
Safeguarding of assets
These controls are designed to ensure:
• Access to assets is limited to authorised personnel.
• Assets are safeguarded against the creation of documents that would authorise
their use or disposal.
• Assets are safeguarded against theft.
• Assets to be safeguarded include assets stated in the financial statements and
information held on an IT system. Computerised data should be safeguarded by
allowing authorised users to gain access only for the purpose of fulfilling their duties
e.g. by a system of passwords and / or restriction of physical access. Computer
controls should always include safeguards against catastrophe.
Segregation
The key aim of segregation of duties is that no one person should be in a position to
control all stages of the processing of a transaction which include:
• Initiating transactions;
• Recording transactions;
• Handling cash receipts and payments; and
• Custody of assets.
Application controls
These are specific controls in automated or manual procedures that are preventive or
detective in nature and are designed to ensure the integrity of the accounting records and that
all transactions are completely and accurately recorded. Such controls are designed to
ensure invalid items are:
• Rejected in processing, or
• Transferred to suspense files, or
• Reported to the user by means of an exception report.
When evaluating application controls, the engagement team should examine the
procedures for resubmitting or otherwise dealing with rejected items and for
preventing duplicate recording.
Application controls can be grouped under the following headings:
• Completeness controls.
• Accuracy controls.
• Maintenance controls.
Completeness controls
7.8.13 Completeness controls are designed to ensure all transactions are recorded. These
are normally based on establishing an open item within the accounting system which cannot
be cleared until all aspects of the transaction have been completed. For example, in a sales
and receivables cycle, this includes ensuring that the sale is recorded, the inventory is updated
and the receivable account is updated simultaneously.
7.8.14 Another more general example is a numerical sequence test such as sequential sales
invoice numbering. Completeness procedures must be comprehensive, for example covering
customer claims for credit notes and claims on suppliers for faulty goods.
Accuracy controls
7.8.15 Accuracy controls are designed to ensure entries within the accounting records are
accurate. The system should cover data input and subsequent processing such as checking
calculations, additions and analysis. In an automated environment, this check is often carried
out in conjunction with programmed procedures.
Maintenance controls
7.8.16 Maintenance controls are controls designed to ensure that files can only be altered by
transactions processed through properly controlled procedures. With such controls, e.g. the
maintenance of a ledger control account under user control, users should be aware of
unauthorised amendment. Maintenance controls should also ensure that the correct copy of a
computer file is used when restoring from a back-up file.
7.8.17 A review of application controls should start either with the transaction or the originating
document. The identification of detailed controls will often not be straightforward.
General IT controls
7.8.18 General controls governing IT operations need to be examined so as to form a view on
the overall integrity and the programs.
7.8.19 General controls are the controls which relate to the environment within which
computer-based accounting systems are developed, maintained and operated. These include:
• Controls over the reliability of processing information.
• Controls over the integrity of data input and output.
• Controls over the integrity of programs used.
• Controls over computer system development and implementation.
7.9. Nature and extent of the understanding of relevant controls
7.9.1 When obtaining an understanding of controls that are relevant to the audit, the auditor
shall evaluate the design of those controls and determine whether they have been
implemented, by performing procedures in addition to inquiry of the entity’s personnel.
7.9.2 Obtaining an understanding of an entity’s controls is not sufficient to serve as testing the
operating effectiveness of controls, unless there is some automation that provides for the
consistent application of the operation of the control. For example, obtaining audit evidence
about the implementation of a manually operated control at a point in time does not provide
audit evidence about the operating effectiveness of the control at other times during the period
under audit. However, IT enables an entity to process large volumes of data consistently and
enhances the entity’s ability to monitor the performance of control activities and to achieve
effective segregation of duties by implementing security controls in applications, databases,
and operating systems. Therefore, because of the inherent consistency of IT processing,
performing audit procedures to determine whether an automated control has been
implemented may serve as a test of that control’s operating effectiveness, depending on the
engagement team’s assessment and testing of controls such as those over program changes.
Manual versus automated controls
7.9.3 The extent and nature of the risks of internal control vary depending on the nature and
characteristics of the entity’s information system. Therefore, in understanding internal control,
the auditor considers whether the entity has responded adequately to the risks arising from the
use of IT or manual systems by establishing effective controls. An entity may use a
combination of manual or automated controls. The use of manual or automated elements in
internal control affects the manner in which transactions are initiated, recorded, processed,
and reported.
7.9.4 Controls in a manual system may include such procedures as approvals and reviews of
activities, and reconciliations and follow-up of reconciling items.
7.9.5 Automated procedures to initiate, record, process, and report transactions make use of
electronic formats which replace such paper documents as purchase orders, invoices, shipping
documents, and related accounting records.
7.9.6 Controls in IT systems consist of a combination of automated controls (i.e. those controls
embedded in computer programs) and manual controls. Further, manual controls may be
independent of IT, may use information produced by IT, or may be limited to monitoring the
effective functioning of IT and of automated controls, and to handling exceptions. When IT is
used to initiate, record, process or report transactions or other financial data for inclusion in
financial statements, the systems and programs may include controls related to the
corresponding assertions for material accounts or may be critical to the effective functioning of
manual controls that depend on IT. An entity’s mix of manual and automated controls varies
with the nature and complexity of the entity’s use of IT.
7.9.7 Automated controls provide potential benefits of effectiveness and efficiency for an
entity’s internal control because they enable an entity to:
Consistently apply pre-defined business rules and perform complex calculations in
processing large volumes of transactions or data;
Enhance the timeliness, availability and accuracy of information;
Facilitate the additional analysis of information;
Enhance the ability to monitor the performance of the entity’s activities and its policies
and procedures;
Reduce the risk that controls will be circumvented; and
Enhance the ability to achieve effective segregation of duties by implementing security
controls in applications, databases and operating systems.
7.9.8 Automated controls, however, pose specific risks to an entity’s internal control,
including the following:
Reliance on systems or programs that are inaccurately processing data, processing
inaccurate data, or both.
Unauthorised access to data that may result in destruction of data or improper changes to
data, including the recording of unauthorised or non-existent transactions or inaccurate
recording of transactions. Particular risks may arise where multiple users access a
common database.
The possibility of IT personnel gaining access privileges beyond those necessary to
perform their assigned duties thereby breaking down segregation of duties.
Unauthorised changes to data in master files.
Unauthorised changes to systems or programs.
Failure to make necessary changes to systems or programs.
Inappropriate manual intervention.
Potential loss of data or inability to access data as required.
7.9.9 Manual controls are performed by people, and therefore pose specific risks to the entity’s
internal control. Manual controls may be less reliable than automated controls because they
can be more easily bypassed, ignored, or overridden and they are also more prone to simple
errors and mistakes. Consistency of application of a manual control element cannot therefore
be assumed.
7.9.10 Manual aspects of systems may be more suitable where judgement and discretion are
required such as for the following circumstances:
Large, unusual or non-recurring transactions.
Circumstances where errors are difficult to define, anticipate or predict.
In changing circumstances that require a control response outside the scope of an
existing automated control.
In monitoring the effectiveness of automated controls.
7.9.11 Manual controls may be less suitable for the following:
High volume or recurring transactions, or in situations where errors that can be
anticipated or predicted can be prevented or detected by control parameters that are
automated.
Control activities where the specific ways to perform the control can be adequately
designed and automated.
Limitations of internal control
7.9.12 Internal control, no matter how well designed and operated, can provide an entity with
only reasonable assurance about achieving the entity’s financial reporting objectives. The
likelihood of achievement is affected by limitations inherent to internal control due to human
failures, simple errors or mistakes. Additionally, controls can be circumvented by the collusion
of two or more people or by inappropriate management override of internal control.
7.9.13 Smaller entities often have fewer employees which may limit the extent to which
segregation of duties is practicable. However, in a small owner-managed entity, the owner
manager may be able to exercise more effective oversight than in a larger entity. This
oversight may compensate for the generally more limited opportunity for segregation of duties.
7.9.14 On the other hand, the owner-manager may be more able to override controls because
the system of internal controls is less structured. This is to be taken into account by the auditor
when identifying the risks of material misstatement due to fraud.
Control environment
7.9.15 The auditor shall obtain an understanding of the control environment. As part of
obtaining this understanding, the auditor shall evaluate whether:
Management, with the oversight of those charged with governance, has created and
maintained a culture of honesty and ethical behaviour; and
The strengths in the control environment elements collectively provide an appropriate
foundation for the other components of internal control, and whether those other
components are not undermined by deficiencies in the control environment.
7.9.16 The control environment is the foundation for effective internal control, providing
discipline and structure by setting the tone at the top, influencing the control consciousness of
the entity’s personnel. The auditor is required to understand how management and those
charged with governance have created and maintained a culture of honesty and ethical
behaviour, and established appropriate controls to prevent and detect fraud within the entity.
Part A of Appendix IV: Internal control components sets out the elements that should be
incorporated in the entity’s control environment. The auditor also considers matters such as
the independence of the directors and their ability to evaluate the actions of management. The
auditor also considers whether there is an audit committee which understands the entity’s
business transactions and evaluates whether the financial statements give a true and fair view.
7.9.17 The control environment in itself does not prevent, or detect and correct a material
misstatement in classes of transaction, account balances, and disclosures and related
assertions, and the auditor should consider the control environment along with the effects of
other internal control components when assessing the risk of material misstatement.
7.10. The entity’s risk assessment process
7.10.1 The auditor shall obtain an understanding of whether the entity has a process for:
Identifying business risks relevant to the financial reporting objectives;
Estimating the significance of the risks;
Assessing the likelihood of their occurrence; and
Deciding about actions to address those risks.
7.10.2 If the entity has established such a process (referred to hereafter as the “entity’s risk
assessment process”), the auditor shall obtain an understanding of it, and the results thereof. If
the auditor identifies risks of material misstatement that management has failed to identify, the
auditor shall evaluate whether there was an underlying risk of a kind that the auditor expects
would have been identified by the entity’s risk assessment process. If there is such a risk, the
auditor shall obtain an understanding of why the process failed to identify it, and evaluate
whether the process is appropriate to its circumstances or determine if there is a significant
deficiency in internal control with regard to the entity’s risk assessment process.
7.10.3 If the entity has not established such a process or has an ad hoc process, the auditor
shall discuss with management whether business risks relevant to financial reporting
objectives have been identified and how they have been addressed. The auditor shall evaluate
whether the absence of a documented risk assessment process is appropriate in the
circumstances, or determine whether it represents a significant deficiency in internal control.
Considerations specific to smaller entities
7.10.4 There is unlikely to be an established risk assessment process in a small entity. In such
cases, it is likely that management will identify the risks through direct personal involvement in
the business. Irrespective of the circumstances, however, inquiry about the identified risks and
how they are addressed by management is still necessary.
Part B of Appendix IV: Internal control components provides additional guidance on what the
engagement team should consider in evaluating the entity’s risk assessment procedures.
7.11. Information system, including the related business processes, relevant to
financial reporting, and communication
7.11.1 The information system relevant to financial reporting objectives, which includes the
accounting system, consists of the procedures and records established to initiate, record,
process, and report entity transactions and to maintain accountability for the related assets,
liabilities, and equity.
7.11.2 The auditor shall obtain an understanding of the information system, including the
related business processes relevant to financial reporting, including the following areas:
The classes of transactions in the entity’s operations that are significant to the financial
statements.
The procedures within both IT and manual systems, by which those transactions are
initiated, recorded, processed, corrected as necessary, transferred to the general ledger
and reported in the financial statements.
The related accounting records, whether electronic or manual, supporting information,
and specific accounts in the financial statements in respect of initiating, recording,
processing and reporting transactions; this includes the correction of incorrect information
and how the information is transferred to the general ledger.
How the information system captures events and conditions, other than classes of
transactions that are significant to the financial statements.
The financial reporting process used to prepare the entity’s financial statements, including
significant accounting estimates and disclosures; and
Controls surrounding journal entries, including non-standard journal entries used to
record non-recurring, unusual transactions or adjustments.
7.11.3 Business processes result in the transactions that are recorded, processed and
reported by the information system. Obtaining an understanding of the entity’s business
processes, which include how transactions are originated, assists the auditor in obtaining an
understanding of the entity’s information system relevant to financial reporting in a manner that
is appropriate to the entity’s circumstances.
Communication
7.11.4 The engagement team should also understand how the entity communicates financial
reporting roles and responsibilities and significant matters relating to financial reporting
including:
Communications between management and those charged with governance; and
External communications, such as those with regulatory authorities.
7.11.5 Communication by the entity of the financial reporting roles and responsibilities and of
significant matters relating to financial reporting involves providing an understanding of
individual roles and responsibilities pertaining to internal control over financial reporting. It
includes such matters as the extent to which personnel understand how their activities in the
financial reporting information system relate to the work of others and the means of reporting
exceptions to an appropriate higher level within the entity. Communication may take such
forms as policy manuals and financial reporting manuals. Open communication channels help
ensure that exceptions are reported and acted on.
Considerations specific to smaller entities
7.11.6 Information systems and related business processes relevant to financial reporting in
small entities are likely to be less sophisticated than in larger entities, but their role is just as
significant. Small entities with active management involvement may not need extensive
descriptions of accounting procedures, sophisticated accounting records, or written policies.
Understanding the entity’s systems and processes may therefore be easier in an audit of
smaller entities, and may be more dependent on inquiry than on review of documentation. The
need to obtain an understanding, however, remains important.
7.11.7 Communication may be less structured and easier to achieve in a small entity than in
a large entity due to fewer levels of responsibility and management’s greater visibility and
availability.
Information transfer
7.11.8 In obtaining this understanding, the auditor considers the procedures used to transfer
information from transaction processing systems to general ledger or financial reporting
systems. The auditor also understands the entity’s procedures to capture information relevant
to financial reporting for events and conditions other than transactions, such as the
depreciation and amortisation of assets and changes in the recoverability of accounts
receivables. When IT is used to transfer information automatically, there may be little or no
visible evidence of such intervention in the information systems.
Processing of transactions
7.11.9 The auditor also understands how incorrect processing of transactions is resolved e.g.
whether there is an automated suspense file and how it is used by the entity to ensure that
suspense items are cleared out on a timely basis, and how system overrides or bypasses to
controls are processed and accounted for. The auditor also obtains an understanding of the
entity’s information system relevant to financial reporting in a manner that is appropriate to the
entity’s circumstances. This includes an understanding of how transactions originate within the
entity’s business processes.
7.11.10 An entity’s business processes are the activities designed to develop, purchase,
produce, sell and distribute an entity’s products and services; ensure compliance with laws
and regulations; and record information, including accounting and financial reporting
information.
Journal entries
7.11.11 An entity’s information system typically includes the use of standard journal entries
that are required on a recurring basis to record transactions such as sales, purchases and
cash disbursements in the general ledger, or to record accounting estimates that are
periodically made by management, such as changes in the estimate of uncollectible accounts
receivable.
7.11.12 An entity’s financial reporting process also includes the use of non-standard journal
entries to record non-recurring, unusual transactions or adjustments. Such entries include
consolidating adjustments and entries for a business combination or disposal or non-recurring
estimates such as asset impairment. In manual general ledger systems, non-standard journal
entries may be identified through inspection of ledgers, journals, and supporting
documentation. However, when automated procedures are used to maintain the general ledger
and prepare financial statements, such entries may exist only in electronic form and may be
more easily identified through the use of computer-assisted audit techniques.
7.11.13 In obtaining an understanding of the journal entries, the auditor considers risks of
material misstatement associated with inappropriate override of controls over journal entries
and the controls surrounding non-standard journal entries. For example, automated processes
and controls may reduce the risk of inadvertent error but do not overcome the risk that
individuals may inappropriately override such automated processes, for example, by changing
the amounts being automatically passed to the general ledger or financial reporting system.
7.11.14 Part C of Appendix IV: Internal control components provides additional considerations
to be taken into account in an IT environment.
Control activities
7.11.15 The auditor shall obtain an understanding of the control activities relevant to the audit,
being those the auditor judges it necessary to understand to assess the risks of material
misstatement at the assertion level and to design further audit procedures responsive to
assessed risk. Part D of Appendix IV: Internal control components provides examples of
specific control activities.
In obtaining an understanding of control activities, the auditor’s primary consideration is
whether, and how, a specific control activity, individually or in combination with others,
prevents or detects and corrects material misstatements in classes of transactions, account
balances, or disclosures.
An audit does not require an understanding of all the control activities related to each
significant class of transactions, account balance, and disclosure in the financial statements or
to every assertion relevant to them. The auditor’s emphasis is on identifying and obtaining an
understanding of control activities that address the areas where the auditor considers that
material misstatements are more likely to occur.
7.11.16 When multiple control activities achieve the same objective, it is unnecessary to obtain
an understanding of each of the control activities related to such objective.
7.11.17 The auditor shall obtain an understanding of how the entity has responded to risks
arising from IT. The use of IT affects the way that control activities are implemented. The
auditor considers whether the entity has responded adequately to the risks arising from IT by
establishing effective general IT controls and application controls. From the auditor’s
perspective, controls over IT systems are effective when they maintain the integrity of
information and the security of the data such systems process, and include effective IT
controls and application controls.
Monitoring of controls
7.11.18 Monitoring of controls is a process to assess the effectiveness of internal control
performance over time, and involves assessing the design and operations of controls on a
timely basis and taking necessary corrective actions modified for changes in conditions. The
auditor shall obtain an understanding of the major activities that the entity uses to monitor
internal control over financial reporting, including those related to those control activities
relevant to the audit, and how the entity initiates remedial actions to deficiencies in its controls.
Management accomplishes monitoring of controls through ongoing activities, separate
evaluations, or a combination of the two.
Internal audit
7.11.19 If the entity has an internal audit function, the auditor shall obtain an understanding of
the following in order to determine whether the internal audit function is likely to be relevant to
the audit:
The nature of the internal audit function’s responsibilities and how the internal audit
function fits into the organisational structure; and
The activities performed, or to be performed, by the internal audit function.
7.11.20 If the internal audit function is likely to be relevant to the audit, ISA 610 applies.
7.11.21 Management’s monitoring activities may include using information from
communications from external parties such as customer complaints and regulator comments
that may indicate problems or highlight areas in need of improvement.
7.11.22 The auditor shall obtain an understanding of the sources of the information used in the
entity’s monitoring activities, and the basis upon which management considers the information
to be sufficiently reliable for the purpose. Much of the information used in monitoring may be
produced by the entity’s information system. If management assumes that data used for
monitoring are accurate without having a basis for that assumption, errors may exist in the
information that potentially lead management to incorrect conclusions from its monitoring
activities.
Considerations specific to smaller entities
7.11.23 Management’s monitoring of control is often accomplished by management’s or the
owner-manager’s close involvement in operations. This involvement often will identify
significant variances from expectations or inaccuracies in financial data leading to remedial
action to the control.
7.11.24 Part E of Appendix IV: Internal control components provides considerations that the
engagement team may use in obtaining an understanding of how the entity monitors internal
control.
Form 511.2 - Understanding the entity and its internal control in part I of the manual provides a
checklist that should be completed by the engagement team to provide an assessment of the
control environment.
7.12. Recording and assessment of the accounting and information systems
7.12.1 Entities which are subject to statute are usually required by their governing law to keep
proper accounting records which reflect all the business transactions. Entities which are
subject to taxes on profits need to keep accounting records sufficient to enable periodic
financial statements to be prepared. Engagement teams of such entities are required to report
to the members if, in their opinion, governing legislation has been complied with, and on
whether proper accounting records have been kept.
7.12.2 The recording of the accounting system should identify the major transaction cycles,
significant accounting records, the in-built controls and the financial reporting process.
7.12.3 An understanding of the accounting system, together with internal controls in-built into
the system, provides an answer to whether proper and reliable accounting records have been
kept, and whether there is a recognisable control system in operation.
The systems notes documented should be filed in 511 of the current audit file (or in the
permanent audit file). Appendix V: Guidance on documenting the accounting systems provides
guidance on documentation of the accounting systems.
Information obtained in prior periods
7.12.4 Where the engagement team intends to use information obtained in prior periods, the
engagement team should determine whether changes have occurred through inquiry and by
carrying out other audit procedures such as walk through tests and determine the relevance of
such changes.
Inadequate records or systems
7.12.5 If the initial assessment indicates that the accounting records may be inadequate or the
accounting systems may not be reliable, further audit assurance will be required from
substantive procedures to support the audit opinion e.g. if a business has no proper system for
recording sales on a cash register, the record of cash sales is quite likely to be unreliable,
unless there is alternative evidence, such as the aggregate selling value of goods purchased.
If the audit opinion has to be qualified on the basis of inadequacies in the accounting system
and records, the qualification will need to be as specific as possible, giving details of where
there are deficiencies. See Chapter 25 of the Manual on the Auditor’s Report.
7.12.6 ISA 315 requires that the auditor shall make those charged with governance or
management aware, as soon as practicable, and at an appropriate level of responsibility, of
material weaknesses in the design or implementation of internal controls which have come to
the engagement team’s attention. One of the avenues of communication is through a
management letter. This is covered in detail in Chapter 27.5 of the Manual.
7.13. The Auditor’s responses to assessed risks
Overall responses
7.13.1 The auditor shall then design and implement overall responses to address the assessed
risks of material misstatement at the financial statement level.
7.13.2 Overall responses to address the assessed risks of material misstatement at the
financial statement level may include:
Emphasising to the audit team the need to maintain professional scepticism.
Assigning more experienced staff or those with special skills or using experts.
Providing more supervision.
Incorporating additional elements of unpredictability in the selection of further audit
procedures to be performed.
Making general changes to the nature, timing or extent of audit procedures, for example,
performing substantive procedures at the period end instead of at the interim date; or
modifying the nature of audit procedures to obtain more persuasive audit evidence.
7.13.3 The assessment of the risks of material misstatement at the financial statement level,
and thereby the auditor’s overall responses, is affected by the auditor’s understanding of the
control environment. An effective control environment may allow the auditor to have more
confidence in internal control and the reliability of audit evidence generated internally within the
entity and thus, for example, allow the auditor to conduct some audit procedures at an interim
date rather than at the period end.
7.13.4 Deficiencies in the control environment, however, have the opposite effect; for example,
the auditor may respond to an ineffective control environment by:
Conducting more audit procedures as of the period end rather than at an interim date.
Obtaining more extensive audit evidence from substantive procedures.
Increasing the number of locations to be included in the audit scope.
Audit procedures responsive to the assessed risks of material misstatement at the
assertion level
7.13.5 The auditor shall design and perform further audit procedures whose nature, timing and
extent are based on and are responsive to the assessed risks of material misstatement at the
assertion level.
7.13.6 For example, the auditor may determine that:
Only by performing tests of controls may the auditor achieve an effective response to the
assessed risk of material misstatement for a particular assertion;
Performing only substantive procedures is appropriate for particular assertions and,
therefore, the auditor excludes the effects of controls from the relevant risk assessment.
This may be because the auditor’s risk assessment procedures have not identified any
effective controls relevant to the assertion, or because testing controls would be
inefficient and therefore the auditor does not intend to rely on the operating effectiveness
of controls in determining the nature, timing and extent of substantive procedures; or
A combined approach using both tests of controls and substantive procedures is an
effective approach.
7.13.7 However, irrespective of the approach selected, the auditor designs and performs
substantive procedures for each material class of transactions, account balance and
disclosure.
7.13.8 Designing and performing further audit procedures whose nature, timing and extent are
based on and are responsive to the assessed risks of material misstatement at the assertion
level provides a clear linkage between the auditor’s further audit procedures and the risk
assessment.
7.13.9 In designing the further audit procedures to be performed, the auditor shall:
Consider the reasons for the assessment given to the risk of material misstatement at the
assertion level for each class of transactions, account balance, and disclosure, including:
• The likelihood of material misstatement due to the particular characteristics of
the relevant classes of transactions, account balance, or disclosure.
• Whether the risk assessment takes account of relevant controls (that is, control
risk), thereby requiring the auditor to obtain audit evidence to determine whether
controls are operating effectively; and
Obtain more persuasive audit evidence the higher the auditor’s assessment of the risk.
7.13.10 When obtaining more persuasive audit evidence because of a higher assessment of
risk, the auditor may increase the quantity of evidence, or obtain evidence that is more relevant
or reliable, for example, by placing more emphasis on obtaining third party evidence or by
obtaining corroborating evidence from a number of independent sources.
Nature
7.13.11 The nature of further audit procedures refers to their purpose (tests of controls or
substantive procedures) and their type, that is, inspection, observation, inquiry, confirmation,
re-calculation, re-performance or analytical procedures. Certain audit procedures may be more
appropriate for some assertions than others. The following are some examples of the audit
procedures the engagement team may adopt in response to the assessed risk.
In relation to revenue, tests of controls may be most responsive to the assessed risk of
misstatement of the completeness assertion, whereas substantive procedures may be most
responsive to the assessed risk of misstatement of the occurrence assertion.
If the audit team considers that there is a lower risk that a material misstatement may occur
because of the particular characteristics of a class of transactions without consideration of the
related controls, the audit team may determine that substantive analytical procedures alone
may provide sufficient appropriate audit evidence.
If the auditor expects that there is a lower risk that a material misstatement may arise because
an entity has effective controls and the auditor intends to design substantive procedures based
on the effective operation of those controls, then the auditor performs tests of controls to obtain
audit evidence about their operating effectiveness. This may be the case, for example, for a
class of transactions of reasonably uniform, non-complex characteristics that are routinely
processed and controlled by the entity’s information system.
If the auditor uses non-financial information or budget data produced by the entity’s information
system in performing audit procedures, such as substantive analytical procedures or tests of
controls, the auditor obtains audit evidence about the accuracy and completeness of such
information.
Timing
7.13.12 Timing refers to when audit procedures are performed or the period or date to which
the audit evidence applies. The auditor may perform tests of controls or substantive
procedures at an interim date or at period-end. The higher the risk of material misstatement,
the more likely it is that the audit team may decide it is more effective to perform substantive
procedures nearer to, or at, the period-end rather than at an earlier date, or to perform audit
procedures unannounced or at unpredictable times. This is particularly relevant when
considering the response to the risks of fraud.
7.13.13 Performing audit procedures before the period-end may assist the auditor in identifying
significant matters at an early stage of the audit, and consequently resolving them with the
assistance of management or developing an effective audit approach to address such matters.
If the auditor performs tests of controls or substantive procedures prior to period-end, the
auditor should consider the additional evidence required for the remaining period.
7.13.14 In considering when to perform audit procedures, the auditor also considers such
matters as:
The control environment.
When relevant information is available (for example, electronic files may subsequently be
overwritten, or procedures to be observed may occur only at certain times).
The nature of the risk (for example, if there is a risk of inflated revenues to meet earnings
expectations by subsequent creation of false sales agreements, the engagement team
may wish to examine contracts available on the date of the period-end).
The period or date to which the audit evidence relates.
Extent
7.13.15 Extent includes the quantity of a specific audit procedure to be performed, for
example, a sample size or the number of observations of a control activity. The extent of an
audit procedure is determined by the judgement of the auditor after considering the materiality,
the assessed risk, and the degree of assurance the auditor plans to obtain. In particular, the
auditor ordinarily increases the extent of audit procedures as the risk of material misstatement
increases. However, increasing the extent of an audit procedure is effective only if the audit
procedure itself is relevant to the specific risk, therefore, the nature of the audit procedure is
the most important consideration. The use of computer-assisted audit techniques (CAATs)
may enable more extensive testing of electronic transactions and account files.
7.13.16 Valid conclusions may ordinarily be drawn using sampling approaches (this is
covered in Chapter 17 of the Manual). However, if the quantity of selections made from a
population is too small, the sampling approach selected may not be appropriate to achieve the
specific audit objective, or if exceptions are not appropriately followed up, there will be an
unacceptable risk that the auditor’s conclusion based on a sample may be different from the
conclusion reached if the entire population was subjected to the same audit procedure.
The audit risks identified for each audit area at the assertion level should be summarised in
Form 424 - Risk assessment and approach to assessed risk in Part I of the manual. The same
form should also be used to document the key risks identified and the audit approach to the
assessed risks. The approach to audit risks should then be adequately covered in the audit
procedures in each of the audit programmes for the respective areas.
7.14. Tests of controls
7.14.1 The auditor shall design and perform tests of control to obtain sufficient appropriate
audit evidence as to the operating effectiveness of relevant controls if:
The auditor’s assessment of risks of material misstatement at the assertion level
includes an expectation that the controls are operating effectively; or
Substantive procedures alone do not provide sufficient appropriate audit evidence at the
assertion level.
Designing and performing tests of controls
7.14.2 Tests of controls are performed only on those controls that the auditor has determined
are suitably designed to prevent, or detect and correct, a material misstatement in an
assertion. If substantially different controls were used at different times during the period
under audit, each is considered separately.
7.14.3 Testing the operating effectiveness of controls is different from obtaining an
understanding of and evaluating the design and implementation of controls. However, the
same types of audit procedures are used. The auditor may, therefore, decide it is efficient to
test the operating effectiveness of controls at the same time as evaluating their design and
determining that they have been implemented.
7.14.4 Further, although some risk assessment procedures may not have been specifically
designed as tests of controls, they may nevertheless provide audit evidence about the
operating effectiveness of the controls and, consequently, serve as tests of controls. For
example, the auditor’s risk assessment procedures may have included:
Inquiring about management’s use of budgets.
Observing management’s comparison of monthly budgeted and actual expenses.
Inspecting reports pertaining to the investigation of variances between budgeted and
actual amounts.
7.14.5 These audit procedures provide knowledge about the design of the entity’s budgeting
policies and whether they have been implemented, but may also provide audit evidence about
the effectiveness of the operation of budgeting policies in preventing or detecting material
misstatements in the classification of expenses.
7.14.6 In addition, the auditor may design a test of controls to be performed concurrently with a
test of details on the same transaction. Although the purpose of a test of controls is different
from the purpose of a test of details, both may be accomplished concurrently by performing a
test of controls and a test of details on the same transaction, also known as a dual-purpose
test. For example, the auditor may design, and evaluate the results of, a test to examine an
invoice to determine whether it has been approved and to provide substantive audit evidence
of a transaction. A dual-purpose test is designed and evaluated by considering each purpose
of the test separately.
7.14.7 In some cases, the auditor may find it impossible to design effective substantive
procedures that by themselves provide sufficient appropriate audit evidence at the assertion
level. This may occur when an entity conducts its business using IT and no documentation of
transactions is produced or maintained, other than through the IT system. In such cases, the
auditor is required to perform tests of relevant controls.
7.14.8 In designing and performing tests of controls, the auditor shall obtain more persuasive
audit evidence the greater the reliance the auditor places on the effectiveness of a control.
7.14.9 In designing and performing tests of controls, the auditor shall:
Perform other procedures in combination with inquiry to obtain audit evidence about the
operating effectiveness of the controls, including:
• How the controls were applied at relevant times during the period under audit;
• The consistency with which they were applied; and
• By whom or what means they were applied.
Determine whether the controls to be tested depend upon other controls (indirect
controls) and, if so, whether it is necessary to obtain audit evidence supporting the
effective operation of these indirect controls.
7.14.10 Inquiry is not sufficient to test the operating effectiveness of controls. Accordingly,
other audit procedures are performed in combination with inquiry. In this regard, inquiry
combined with inspection or reperformance may provide more assurance than inquiry and
observation, since an observation is pertinent only at the time at which it is made.
7.14.11 The auditor is required to obtain sufficient and reliable audit evidence that the controls
were operating effectively at all relevant times during the audit. Testing the operating
effectiveness of controls is performed only on those controls that the auditor has determined
are suitably designed to prevent, or detect and correct a material misstatement in an assertion.
In making the decision, the auditor considers the following factors:
Key controls.
The degree of reliance required.
Which controls address similar assertions to substantive procedures.
How easily controls can be tested.
The evidence gained from previous years and the impact of any changes.
The IT environment.
Cost effectiveness and staff requirements.
Any specific legal or regulatory requirements.
7.14.12 In practice, most small and medium sized entities will not have any reliable system of
internal control and therefore the auditor may have to obtain audit evidence primarily from
substantive procedures. Even where apparently reliable systems do exist, it will often not be
cost effective for the engagement team to carry out tests on internal control in the small to
medium sized entities.
7.14.13 Where the auditor has determined that it is not possible or practicable to reduce the
risks of material misstatement at the assertion level to an acceptably low level with audit
evidence obtained only from substantive procedures, the auditor should perform tests of
relevant controls to obtain audit evidence about their operating effectiveness. This may be the
case where the auditor finds it impossible to design effective substantive procedures that by
themselves provide sufficient appropriate audit evidence at the assertion level e.g. where an
entity conducts its business using IT and no documentation of transactions is produced or
maintained, other than through the IT system.
7.14.14 Testing the operating effectiveness of controls is different from obtaining audit
evidence that controls have been implemented. When obtaining audit evidence of
implementation by performing risk assessment procedures, the engagement team determines
that the relevant controls exist and that the entity is using them. When performing tests of the
operating effectiveness of controls, the auditor obtains audit evidence that controls operate
effectively. This includes obtaining audit evidence about how controls were applied at relevant
times during the period under audit, the consistency with which they were applied, and by
whom or by what means they were applied. If substantially different controls were used at
different times during the period under audit, the auditor considers each separately. The
auditor may determine that testing the operating effectiveness of controls at the same time as
evaluating their design and obtaining audit evidence of their implementation is efficient.
7.15. Framework for assessing controls
Tests of controls
7.15.1 Tests of controls can be grouped under the following headings:
Tests by observation.
Tests by enquiry.
Tests involving inspection of documentary evidence.
Tests by re-performance.
7.15.2 These are covered in Chapter 13.5 of the Manual. Those controls subject to testing by
enquiry combined with inspection or re-performance provide more assurance than those
subject solely to enquiry and observation. When examining programmed procedures in an IT
environment, the following factors should be considered:
The reliability of general controls over program integrity.
The duration that the program has been in use (one-off or new programs should always
be subject to a higher level of test).
Whether the size of transactions has gone beyond that expected when the program was
originally designed.
The effect on the financial statements of an error in the programmed procedures.
Nature of tests of controls
7.15.3 The auditor selects audit procedures to obtain assurance about the operating
effectiveness of controls. In circumstances where it is not possible or practicable to obtain
sufficient appropriate audit evidence only from substantive procedures or where the
engagement team adopts an approach primarily consisting of tests of controls, the auditor
ordinarily performs tests of controls to obtain a higher level of assurance about their operating
effectiveness.
Evaluating the operating effectiveness of controls
7.15.4 When evaluating the operating effectiveness of relevant controls, the auditor shall
evaluate whether misstatements that have been detected by substantive procedures indicate
that controls are not operating effectively. The absence of misstatements detected by
substantive procedures, however, does not provide audit evidence that controls related to the
assertion being tested are effective.
7.15.5 If deviations from controls upon which the auditor intends to rely are detected, the
auditor shall make specific inquiries to understand these matters and their potential
consequences, and shall determine whether:
The tests of controls that have been performed provide an appropriate basis for
reliance on the controls;
Additional tests of controls are necessary; or
The potential risks of misstatement need to be addressed using substantive procedures.
7.15.6 A material misstatement detected by the auditor’s procedures is a strong indicator of the
existence of a significant deficiency in internal control.
7.15.7 The concept of effectiveness of the operation of controls recognises that some
deviations in the way controls are applied by the entity may occur. Deviations from prescribed
controls may be caused by such factors as changes in key personnel, significant seasonal
fluctuations in volume of transactions and human error. The detected rate of deviation, in
comparison with the expected rate, may indicate that the control cannot be relied upon to
reduce risk at the assertion level to that assessed by the auditor.
7.16. Timing of tests of controls
7.16.1 The auditor shall test controls for the particular time, or throughout the period, for which
the auditor intends to rely on those controls, in order to provide an appropriate basis for the
auditor’s intended reliance.
7.16.2 Audit evidence pertaining only to a point in time may be sufficient for the auditor’s
purpose, for example, when testing controls over the entity’s physical inventory counting at the
period end. If on the other hand, the auditor intends to rely on a control over a period, tests that
are capable of providing audit evidence that the control operated effectively at relevant times
during the period are appropriate. Such tests may include tests on the entity’s monitoring of
controls.
Using audit evidence obtained during an interim period
7.16.3 Where the auditor obtains evidence about the operating effectiveness of controls during
an interim period, it shall obtain audit evidence about significant changes to those controls
subsequent to the interim period and determine the additional audit evidence to be obtained for
the remaining period taking into account any changes in the information systems, processes
and personnel. In making this determination, the auditor considers the:
Significance of assessed risk of material misstatement at the assertion level;
Specific controls that were tested during the interim period;
Degree to which audit evidence about the operating effectiveness of those controls was
obtained;
Length of the remaining period;
Control environment; and
Extent to which the engagement team intends to reduce further substantive tests based
on the reliance of controls.
Using audit evidence obtained in previous audits
7.16.4 In determining whether it is appropriate to use audit evidence about the operating
effectiveness of controls obtained in previous audits, and, if so, the length of time that may
elapse before retesting a control, the auditor shall consider the following:
The effectiveness of other elements of internal control, including the control environment,
the entity’s monitoring of controls, and the entity’s risk assessment process;
The risks arising from the characteristics of the control, including whether it is manual or
automated;
The effectiveness of general IT controls;
The effectiveness of the control and its application by the entity, including the nature and
extent of deviations in the application of the control noted in previous audits, and whether
there have been personnel changes that significantly affect the application of the control;
Whether the lack of a change in a particular control poses a risk due to changing
circumstances; and
The risks of material misstatement and the extent of reliance on the control.
7.16.5 If the auditor plans to use audit evidence from a previous audit about the operating
effectiveness of specific controls, the auditor shall establish the continuing relevance of that
evidence by obtaining audit evidence about whether significant changes in those controls have
occurred subsequent to the previous audit. The auditor shall obtain this evidence by
performing inquiry combined with observation or inspection, to confirm the understanding of
those specific controls, and:
If there have been changes that affect the continuing relevance of the audit evidence
from the previous audit, the auditor shall test the controls in the current audit.
If there have not been such changes, the auditor shall test the controls at least once in
every third audit, and shall test some controls each audit to avoid the possibility of
testing all of the controls on which the auditor intends to rely in a single audit period with
no testing of controls in the subsequent two audit periods.
7.16.6 In general, the higher the risk of material misstatement, or the greater the reliance on
controls, the shorter the time period elapsed, if any, is likely to be. Factors that may decrease
the period for retesting a control, or result in not relying on audit evidence obtained in previous
audits at all, include the following:
A deficient control environment.
Deficient monitoring of controls.
A significant manual element to the relevant controls.
Personnel changes that significantly affect the application of the control.
Changing circumstances that indicate the need for changes in the control.
Deficient general IT controls.
7.16.7 Where there are a number of controls for which the auditor intends to rely on audit evidence
obtained in previous audits, testing some of the controls in each audit provides corroborating
evidence about the continued effectiveness of the control environment. This contributes to the
auditor’s decision about whether it is appropriate to rely on audit evidence obtained in previous
periods.
Controls over significant risks
7.16.8 If the auditor plans to rely on controls over a risk that the auditor has determined to be a
significant risk, the auditor shall test those controls in the current period.
7.17. Extent of tests of controls
7.17.1 As a general rule, the more the auditor plans to rely on the operating effectiveness of
controls, the greater the extent of the auditor’s test of controls. In considering the extent of
tests, the auditor considers the:
Frequency of the performance of the control by the entity during the period.
Length of time during the audit period that the auditor is relying on the operating
effectiveness of the controls.
Relevance and reliability of the audit evidence to be obtained in supporting that the
control prevents, or detects and corrects material misstatements at the assertion levels.
Extent to which audit evidence is obtained from tests of other controls related to the
assertion.
Extent to which the auditor plans to rely on the operating effectiveness of the control in
the assessment of audit risk.
Expected deviation from the control.
7.17.2 The higher the level of inherent and analytical risk, the greater assurance tests of
controls need to give, if they are to be worthwhile. The following is a guide to the minimum
number of items to test in a sample for a transaction control, but levels may need to vary according
to the particular circumstances. The sample selected should be chosen from the whole of the
accounting period. The number of tests may not be applicable to periodic controls (e.g. bank
reconciliations).
INHERENT   ANALYTICAL   KEY CONTROLS
                        Number of items to test
High       High         25 - 35
High       Medium       20 - 30
High       Low          15 - 25
Medium     High         20 - 30
Medium     Medium       15 - 25
Medium     Low          10 - 20
Low        High         15 - 25
Low        Medium       10 - 20
Low        Low          8 - 10
7.17.3 A control is considered effective only if no exceptions are noted from the sample
selected. If one to three exceptions are noted, a new sample is selected and tested. If one
exception is noted in the second sample, the control is concluded not to be operating
satisfactorily. If more than four exceptions are noted in the initial sample selected, the control is
also concluded not to be operating satisfactorily.
7.17.4 The controls which are identified at the planning stage on which the engagement team
wants to place reliance should be documented in Form 511.2 in Part I of the manual -
understanding the entity and its internal control. The controls identified should be tested for the
effectiveness of their design and effectiveness of operation throughout the period using the steps
identified in the audit programmes and the test results and conclusions documented in the
respective audit areas.
7.18. Drawing conclusions
7.18.1 If audit tests disclose no exceptions, reliance can be placed on the controls that have
been tested. If audit tests reveal that the control was not operating properly, the reasons for
not operating and the impact must be ascertained. Was the exception an isolated departure, or
was it representative of other problems? If it is believed to be an isolated departure, the validity
of the explanation should be confirmed by carrying out further tests. If these further tests fail,
the control cannot be relied on and substantive tests may not be restricted unless alternative
controls that give sufficient comfort can be identified.
7.18.2 On completion of the tests relating to each key question, a conclusion should be drawn
on whether the controls are reliable. The reliability of controls relating to each key question
should be taken together with any relevant overall controls for the purpose of assessing
whether control risk is high, medium or low in relation to substantive tests linked with that key
question. If the controls are working, control risk will be low, and hence the amount of
substantive testing can be limited. Before the conclusion of the audit, based on the results of
substantive procedures and other audit evidence obtained by the engagement team, the
auditor should consider whether the assessment of control risk is confirmed.
7.19. Substantive procedures
7.19.1 Irrespective of the assessed risks of material misstatement, the auditor shall design and
perform substantive procedures for each material class of transactions, account balance, and
disclosure.
7.19.2 Depending on the circumstances, the auditor may determine that:
Performing only substantive analytical procedures will be sufficient to reduce audit risk
to an acceptably low level. For example, where the auditor’s assessment of risk is
supported by audit evidence from tests of controls.
Only tests of details are appropriate.
A combination of substantive analytical procedures and tests of details are most
responsive to the assessed risks.
7.19.3 Substantive analytical procedures are generally more applicable to large volumes of
transactions that tend to be predictable over time. Chapter 16 establishes requirements and
provides guidance on the application of analytical procedures during an audit.
7.19.4 The nature of the risk and assertion is relevant to the design of the test of details. For
example, test of details related to the existence or occurrence assertion may involve selecting
from items contained in a financial statement amount and obtaining relevant reliable audit
evidence. On the other hand, tests of details related to the completeness assertion may
involve selecting from items that are expected to be included in the relevant financial statement
amount and investigating whether they are included.
7.19.5 Because the assessment of the risk of material misstatement takes account of internal
control, the extent of substantive procedures may need to be increased when the results from
tests of control are unsatisfactory. However, increasing the extent of an audit procedure is
appropriate only if the audit procedure itself is relevant to the specific risk.
External confirmation procedures
7.19.6 The auditor shall consider whether external confirmation procedures are to be used as
substantive audit procedures. These procedures are dealt with in detail in Chapter 13 of the
manual.
Substantive procedures related to the financial statement close process
7.19.7 The auditor’s substantive procedures shall include the following audit procedures
related to the financial statement closing process:
Agreeing or reconciling the financial statements with the underlying records; and
Examining material journal entries and other adjustments made during the course of
preparing the financial statements.
7.19.8 The nature, and also the extent, of the auditor’s examination of journal entries and other
adjustments depends on the nature and complexity of the entity’s financial reporting process
and the related risks of material misstatement.
Substantive procedures responsive to significant risks
7.19.9 If the auditor has determined that an assessed risk of material misstatement at the
assertion level is a significant risk, the auditor shall perform substantive procedures that are
specifically responsive to that risk. When the approach to a significant risk consists only of
substantive procedures, these procedures shall include tests of details.
Timing of substantive procedures
7.19.10 If substantive procedures are performed at an interim date, the auditor shall cover the
remaining period by performing:
Substantive procedures, combined with tests of controls for the intervening period; or
If the auditor determines that it is sufficient, further substantive procedures only,
that provide a reasonable basis for extending the audit conclusions from the interim date
to the period end.
Using audit evidence obtained during an interim period
7.19.11 In some circumstances, the auditor may determine that it is effective to perform
substantive procedures at an interim date, and to compare and reconcile information
concerning the balance at the period end with the comparable information at the interim date
to:
Identify amounts that appear unusual;
Investigate any such amounts; and
Perform substantive analytical procedures or tests of details to test the intervening period.
7.19.12 Performing substantive procedures at an interim date without undertaking additional
procedures at a later date increases the risk that the auditor will not detect misstatements that
may exist at the period end. This risk increases as the remaining period is lengthened. Factors
such as the following may influence whether to perform substantive procedures at an interim
date:
The control environment and other relevant controls.
The availability at a later date of information necessary for the auditor’s procedures.
The purpose of the substantive procedure.
The assessed risk of material misstatement.
The nature and class of transactions or account balance and related assertions.
The ability of the auditor to perform appropriate substantive procedures or substantive
procedures combined with tests of controls to cover the remaining period in order to
reduce the risk that misstatements that may exist at the period end will not be detected.
7.19.13 If misstatements that the auditor did not expect when assessing the risks of material
misstatement are detected at an interim date, the auditor shall evaluate whether the related
assessment of risk and the planned nature, timing or extent of substantive procedures
covering the remaining period need to be modified.
7.19.14 When the auditor concludes that the planned nature, timing or extent of substantive
procedures covering the remaining period need to be modified as a result of unexpected
misstatements detected at an interim date, such modification may include extending or
repeating the procedures performed at the interim date at the period end.
7.20. Quantification of risk
7.20.1 The table in Appendix VI of this Chapter attempts to quantify the effect of the
assessment of the levels of risk and provides a method of directly relating the risk levels to the
amount of audit testing to be carried out.
7.20.2 The quantification process is based on seeking a 95% confidence level when issuing
the audit opinion. This does not mean that 5% of audit opinions are invalid; it implies that for
marginal decisions on qualification, the underlying evidence on which that marginal decision is
based may be misleading 5% of the time. The confidence level of 95% is often expressed as a
basic risk factor of 3.0, this being a mathematical constant derived from the Poisson
distribution.
7.20.3 A basic risk factor level of 3.0 implies the item is likely to be materially misstated as
inherent risk in relation to the specific area is high, there are no controls that can be relied
upon resulting in a high control risk and that little or no assurance can be gained from using
analytical procedures as substantive procedures resulting in a high analytical risk. Therefore,
maximum reliance must be placed on substantive procedures.
7.20.4 A minimum risk factor of 0.7 represents the need to place some reliance on substantive
procedures. Choosing 0.7 as a minimum level is a matter of judgement, as are the
intermediate levels set out in the appendix.
7.20.5 Once the risk factor is quantified, this is divided by the materiality chosen for the
individual audit area (See Form 420 in Part I of the Manual) to determine the sampling interval.
7.20.6 Refer to Chapter 17 of the Manual on how to determine the sample size and evaluate
the results when using statistical sampling and the sampling interval derived using the above
method.
7.21. Adequacy of presentation and disclosure
7.21.1 The auditor shall perform audit procedures to evaluate whether the overall presentation
of the financial statements, including the related disclosures, is in accordance with the
applicable financial reporting framework.
7.22. Evaluating the sufficiency and appropriateness of audit evidence
7.22.1 Based on the audit procedures performed and the audit evidence obtained, the auditor
shall evaluate before the conclusion of the audit whether the assessments of risks of material
misstatement at the assertion level remain appropriate.
7.22.2 The auditor shall conclude whether sufficient appropriate audit evidence has been
obtained. In forming an opinion, the auditor shall consider all relevant audit evidence,
regardless of whether it appears to corroborate or to contradict the assertions in the financial
statements.
7.22.3 The auditor’s judgement as to what constitutes sufficient appropriate evidence is
influenced by such factors as the following:
• Significance of the potential misstatement in the assertion and the likelihood of its
having a material effect, individually or aggregated with other potential misstatements,
on the financial statements.
• Effectiveness of management’s responses and controls to address the risks.
• Experience gained during previous audits with respect to similar potential
misstatements.
• Results of audit procedures performed, including whether such audit procedures
identified specific instances of fraud or error.
• Source and reliability of the available information.
• Persuasiveness of the audit evidence.
• Understanding of the entity and its environment, including the entity’s internal control.
7.22.4 If the auditor has not obtained sufficient appropriate audit evidence as to a material
financial statement assertion, the auditor shall attempt to obtain further audit evidence. If the
auditor is unable to obtain sufficient appropriate audit evidence, the auditor shall express a
qualified opinion or disclaim an opinion on the financial statements.
7.23. Documentation
Identifying and assessing the risks of material misstatement through understanding the
entity and its environment
7.23.1 The auditor shall include in the audit documentation:
• The discussion among the engagement team and the significant decisions reached;
• Key elements of the understanding obtained regarding each of the specific aspects of
the entity and its environment and each of the internal control components; the sources
of information from which the understanding was obtained; and the risk assessment
procedures performed;
• The identified and assessed risks of material misstatement at the financial statement
level and the assertion level;
• The risks identified, and related controls about which the auditor has obtained an
understanding.
7.23.2 The manner in which these requirements are documented is for the auditor to determine
using professional judgement. For example, in audits of small entities the documentation may
be incorporated in the auditor’s documentation of the overall strategy and audit plan. Similarly,
the results of the risk assessment may be documented separately, or may be documented as
part of the auditor’s documentation of further procedures. The form and extent of the
documentation is influenced by the nature, size and complexity of the entity and its internal
control, availability of information from the entity and the audit methodology and technology
used in the course of the audit.
7.23.3 For entities that have uncomplicated businesses and processes relevant to financial
reporting, the documentation may be in simple form and relatively brief. It is not necessary to
document the entirety of the auditor’s understanding of the entity and matters related to it. Key
elements of understanding documented by the auditor include those on which the auditor
based the assessment of the risks of material misstatement.
7.23.4 The extent of documentation may also reflect the experience and capabilities of the
members of the audit engagement team.
7.23.5 For recurring audits, certain documentation may be carried forward, updated as
necessary to reflect changes in the entity’s business or processes.
The Auditor’s responses to assessed risks
7.23.6 The auditor shall include in the audit documentation:
• The overall responses to address the assessed risks of material misstatement at the
financial statement level, and the nature, timing and extent of the further audit
procedures performed;
• The linkage of those procedures with the assessed risks at the assertion level; and
• The results of the audit procedures, including the conclusions where these are not
otherwise clear.
7.23.7 If the auditor plans to use audit evidence about the operating effectiveness of controls
obtained in previous periods, the auditor shall include in the audit documentation the
conclusions reached about relying on such controls that were tested in a previous audit.
7.23.8 The auditor’s documentation shall demonstrate that the financial statements agree or
reconcile with the underlying records.
APPENDIX I: INHERENT RISK CONSIDERATIONS
Conditions and events that may indicate risks of material misstatement
The following are examples of conditions and events that may indicate the existence of risks of
material misstatement. The examples provided cover a broad range of conditions and events;
however, not all conditions and events are relevant to every audit engagement and the list of
examples is not necessarily complete.
• Operations in regions that are economically unstable, for example, countries with significant
currency devaluation or highly inflationary economies.
• Operations exposed to volatile markets, for example, futures trading.
• Operations that are subject to a high degree of complex regulation.
• Going concern and liquidity issues including loss of significant customers.
• Constraints on the availability of capital and credit.
• Changes in the industry in which the entity operates.
• Changes in the supply chain.
• Developing or offering new products or services, or moving into new lines of business.
• Expanding into new locations.
• Changes in the entity such as large acquisitions or reorganizations or other unusual events.
• Entities or business segments likely to be sold.
• The existence of complex alliances and joint ventures.
• Use of off balance sheet finance, special-purpose entities, and other complex financing
arrangements.
• Significant transactions with related parties.
• Lack of personnel with appropriate accounting and financial reporting skills.
• Changes in key personnel including departure of key executives.
• Deficiencies in internal control, especially those not addressed by management.
• Inconsistencies between the entity’s IT strategy and its business strategies.
• Incentives for management and employees to engage in fraudulent financial reporting.
• Changes in the IT environment.
• Installation of significant new IT systems related to financial reporting.
• Inquiries into the entity’s operations or financial results by regulatory or
government bodies.
• Past misstatements, history of errors or a significant amount of adjustments at
period end.
• Significant amount of non-routine or non-systematic transactions including intercompany
transactions and large revenue transactions at period end.
• Transactions that are recorded based on management’s intent, for example, debt
refinancing, assets to be sold and classification of marketable securities.
• Application of new accounting pronouncements.
• Accounting measurements that involve complex processes.
• Events or transactions that involve significant measurement uncertainty, including
accounting estimates.
• Pending litigation and contingent liabilities, for example, sales warranties, financial
guarantees and environmental remediation.
APPENDIX II: FACTORS TO CONSIDER IN UNDERSTANDING THE ENTITY AND ITS
ENVIRONMENT
1. Industry, regulatory and other external factors, including the applicable financial
reporting framework
Industry conditions:
• The market and competition, including demand, capacity, and price competition.
• Cyclical or seasonal activity.
• Product technology relating to the entity’s products.
• Energy supply and cost.
Regulatory environment:
• Accounting principles and industry specific practices.
• Regulatory framework for a regulated industry.
• Legislation and regulation that significantly affect the entity’s operations:
o Regulatory requirements.
o Direct supervisory activities.
• Taxation (corporate and other).
• Government policies currently affecting the conduct of the entity’s business:
o Monetary, including foreign exchange controls.
o Fiscal.
o Financial incentives (for example, government aid programs).
o Tariffs, trade restrictions.
o Environmental requirements affecting the industry and the entity’s business.
Other external factors currently affecting the entity’s business:
• General level of economic activity (for example, recession, growth).
• Interest rates and availability of financing.
• Inflation, currency revaluation.
2. Nature of the entity
Nature of business operations:
• Nature of revenue sources (for example, manufacturer, wholesaler, banking, insurance
or other financial services, import / export trading, utility, transportation and technology
products and services).
• Products or services and markets (for example, major customers and contracts, terms
of payment, profit margins, market share, competitors, exports, pricing policies,
reputation of products, warranties, order book, trends, marketing strategy and
objectives, manufacturing processes).
• Conduct of operations (for example, stages and methods of production, business
segments, delivery of products and services, details of declining or expanding
operations).
• Alliances, joint ventures, and outsourcing activities.
• Involvement in electronic commerce, including Internet sales and marketing activities.
• Geographic dispersion and industry segmentation.
• Location of production facilities, warehouses, and offices, and location and quantities of
inventories.
• Key customers.
• Important suppliers of goods and services (for example, long-term contracts, stability of
supply, terms of payment, imports, methods of delivery such as “just-in-time”).
• Employment (for example, by location, supply, wage levels, union contracts, pension
and other post employment benefits, stock options or incentive bonus arrangements,
and government regulation related to employment matters).
• Research and development activities and expenditures.
• Transactions with related parties.
• Involvement in electronic commerce such as Internet sales and marketing activities.
Investments
• Acquisitions, mergers or disposals of business activities (planned or recently executed).
• Investments and dispositions of securities and loans.
• Capital investment activities, including investments in plant and equipment and
technology, and any recent or planned changes.
• Investments in non-consolidated entities, including partnerships, joint ventures and
special-purpose entities.
Financing
• Group structure - major subsidiaries and associated entities, including consolidated and
non-consolidated structures.
• Debt structure, including covenants, restrictions, guarantees, and off-balance-sheet
financing arrangements.
• Leasing of property, plant or equipment for use in the business.
• Beneficial owners (local, foreign, business reputation and experience).
• Related parties.
• Use of derivative financial instruments.
Financial reporting
• Accounting principles and industry specific practices.
• Revenue recognition practices.
• Accounting for fair values.
• Inventories (for example, locations, quantities).
• Foreign currency assets, liabilities and transactions.
• Industry-specific significant categories (for example, loans and investments for banks,
accounts receivable and inventory for manufacturers, research and development for
pharmaceuticals).
• Accounting for unusual or complex transactions including those in controversial or
emerging areas (for example, accounting for stock-based compensation).
• Financial statement presentation and disclosure.
3. Objectives and strategies and related business risks
Existence of objectives (i.e. how the entity addresses industry, regulatory and other
external factors) relating to, for example, the following:
• Industry developments (a potential related business risk might be, for example, that the
entity does not have the personnel or expertise to deal with the changes in the industry).
• New products and services (a potential related business risk might be, for example, that
there is increased product liability).
• Expansion of the business (a potential related business risk might be, for example, that
the demand has not been accurately estimated).
• New accounting requirements (a potential related business risk might be, for example,
incomplete or improper implementation, or increased costs).
• Regulatory requirements (a potential related business risk might be, for example, that
there is increased legal exposure).
• Current and prospective financing requirements (a potential related business risk might
be, for example, the loss of financing due to the entity’s inability to meet requirements).
• Use of IT (a potential related business risk might be, for example, that systems and
processes are incompatible).
Effects of implementing a strategy, particularly any effects that will lead to new accounting
requirements (a potential related business risk might be, for example, incomplete or
improper implementation).
4. Measurement and review of the entity’s financial performance
• Key ratios and operating statistics.
• Key performance indicators.
• Employee performance measures and incentive compensation policies.
• Trends.
• Use of forecasts, budgets and variance analysis.
• Analyst reports and credit rating reports.
• Competitor analysis.
• Period-on-period financial performance (revenue growth, profitability, leverage).
APPENDIX III: CONDITIONS AND EVENTS THAT MAY INDICATE RISKS OF MATERIAL
MISSTATEMENT
• Operations in regions that are economically unstable, for example, countries with significant
currency devaluation or highly inflationary economies.
• Operations exposed to volatile markets, for example, futures trading.
• High degree of complex regulation.
• Going concern and liquidity issues including loss of significant customers.
• Constraints on the availability of capital and credit.
• Changes in the industry in which the entity operates.
• Changes in the supply chain.
• Developing or offering new products or services, or moving into new lines of business.
• Expanding into new locations.
• Changes in the entity such as large acquisitions or reorganisations or other unusual events.
• Entities or business segments likely to be sold.
• Complex alliances and joint ventures.
• Use of off-balance-sheet finance, special-purpose entities, and other complex financing
arrangements.
• Significant transactions with related parties.
• Lack of personnel with appropriate accounting and financial reporting skills.
• Changes in key personnel including departure of key executives.
• Weaknesses in internal control, especially those not addressed by management.
• Inconsistencies between the entity’s IT strategy and its business strategies.
• Changes in the IT environment.
• Installation of significant new IT systems related to financial reporting.
• Inquiries into the entity’s operations or financial results by regulatory or government bodies.
• Past misstatements, history of errors or a significant amount of adjustments at period-end.
• Significant amount of non-routine or non-systematic transactions including inter-company
transactions and large revenue transactions at period-end.
• Transactions that are recorded based on management’s intent, for example, debt
refinancing, assets to be sold and classification of marketable securities.
• Application of new accounting pronouncements.
• Accounting measurements that involve complex processes.
• Events or transactions that involve significant measurement uncertainty, including
accounting estimates, and related disclosures.
• Omission, or obscuring, of significant information in disclosures.
• Pending litigation and contingent liabilities, for example, sales warranties, financial
guarantees and environmental remediation.
APPENDIX IV: INTERNAL CONTROL COMPONENTS
A. Control environment
The control environment encompasses the following elements:
Communication and enforcement of integrity and ethical values
The effectiveness of controls cannot rise above the integrity and ethical values of the people
who create, administer, and monitor them. Integrity and ethical values are essential elements
of the control environment which influence the effectiveness of the design, administration, and
monitoring of other components of internal control. Integrity and ethical behaviour are the
product of the entity’s ethical and behavioural standards, how they are communicated, and
how they are reinforced in practice. They include management’s actions to remove or reduce
incentives and temptations that might prompt personnel to engage in dishonest, illegal, or
unethical acts. They also include the communication of entity values and behavioural
standards to personnel through policy statements and codes of conduct and by example.
Commitment to competence
Competence is the knowledge and skills necessary to accomplish tasks that define the
individual’s job. Commitment to competence includes management’s consideration of the
competence levels for particular jobs and how those levels translate into requisite skills and
knowledge.
Participation by those charged with governance
An entity’s control consciousness is influenced significantly by those charged with governance.
Attributes of those charged with governance include independence from management, their
experience and stature, the extent of their involvement and scrutiny of activities, the
appropriateness of their actions, the information they receive, the degree to which difficult
questions are raised and pursued with management, and their interaction with internal and
external auditors. The importance of responsibilities of those charged with governance is
recognised in codes of practice and other regulations or guidance produced for the benefit of
those charged with governance. Other responsibilities of those charged with governance
include oversight of the design and effective operation of whistle blower procedures and the
process for reviewing the effectiveness of the entity’s internal control. The following additional
points may be considered:
• The independence of the board.
• The frequency of board meetings.
• Domination by one person or a small group.
• The qualifications, experience and competence of those charged with governance.
• The turnover of board members.
• The independence of an independent audit function and of the audit committee.
• The speed at which any internal or external audit recommendations are responded to.
Management’s philosophy and operating style
Management’s philosophy and operating style encompass a broad range of characteristics.
Such characteristics may include the following:
• Short and long-term objectives;
• Approach to taking and monitoring business risks;
• Management’s attitudes and actions toward financial reporting (conservative or
aggressive selection from available alternative accounting principles, and
conscientiousness and conservatism with which accounting estimates are developed);
and
• Management’s attitudes towards information processing and accounting functions and
personnel.
Organisational structure
An entity’s organisational structure provides the framework within which its activities for
achieving entity-wide objectives are planned, executed, controlled, and reviewed. Establishing
a relevant organisational structure includes considering key areas of authority and
responsibility and appropriate lines of reporting. An entity develops an organisational structure
suited to its needs. The appropriateness of an entity’s organisational structure depends, in
part, on its size and the nature of its activities. The following additional factors may be
considered:
• The appropriateness of centralisation policies.
• The responsibilities of divisional management.
• The extent to which delegation is understood.
• The systems of communication.
• The work load.
• Management harmony with lower grades of staff.
Assignment of authority and responsibility
This factor includes how authority and responsibility for operating activities are assigned and
how reporting relationships and authorisation hierarchies are established. It also includes
policies relating to appropriate business practices, knowledge and experience of key
personnel, and resources provided for carrying out duties. In addition, it includes policies and
communications directed at ensuring that all personnel understand the entity’s objectives,
know how their individual actions inter-relate and contribute to those objectives, and recognise
how and for what they will be held accountable.
Human resource policies and practices
Human resource policies and practices relate to recruitment, orientation, training, evaluating,
counselling, promoting, compensating, and remedial actions. For example, standards for
recruiting the most qualified individuals - with emphasis on educational background, prior work
experience, past accomplishments, and evidence of integrity and ethical behaviour -
demonstrate an entity’s commitment to competent and trustworthy people. Training policies
that communicate prospective roles and responsibilities and include practices such as training
schools and seminars illustrate expected levels of performance and behaviour. Promotions
driven by periodic performance appraisals demonstrate the entity’s commitment to the
advancement of qualified personnel to higher levels of responsibility.
Application to smaller entities
Small entities may implement the control environment elements differently than larger entities.
For example, small entities might not have a written code of conduct but, instead, develop a
culture that emphasises the importance of integrity and ethical behaviour through oral
communication and by management example. Similarly, those charged with governance in
small entities may not include an independent or outside member.
B. Entity’s risk assessment process
The entity’s risk assessment process for financial reporting includes how management
identifies risks relevant to the preparation of financial statements that give a true and fair view
in accordance with the entity’s applicable financial reporting framework, estimates their
significance, assesses the likelihood of their occurrence, and decides upon actions to manage
them. For example, the entity’s risk assessment process may address how the entity considers
the possibility of unrecorded transactions or identifies and analyses significant estimates
recorded in the financial statements. Risks relevant to reliable financial reporting also relate to
specific events or transactions.
Risks relevant to financial reporting include external and internal events and circumstances
that may occur and adversely affect an entity’s ability to initiate, record, process, and report
financial data consistent with the assertions of management in the financial statements. Once
risks are identified, management considers their significance, the likelihood of their occurrence,
and how they should be managed. Management may initiate plans, programs or actions to
address specific risks or it may decide to accept a risk because of cost or other considerations.
Risks can arise or change due to circumstances such as the following:
• Changes in operating environment: Changes in the regulatory or operating environment
can result in changes in competitive pressures and significantly different risks.
• New personnel: New personnel may have a different focus on or understanding of internal
control.
• New or revamped information systems: Significant and rapid changes in information
systems can change the risk relating to internal control.
• Rapid growth: Significant and rapid expansion of operations can strain controls and
increase the risk of a breakdown in controls.
• New technology: Incorporating new technologies into production processes or information
systems may change the risk associated with internal control.
• New business models, products, or activities: Entering into business areas or transactions
with which an entity has little experience may introduce new risks associated with internal
control.
• Corporate restructurings: Restructurings may be accompanied by staff reductions and
changes in supervision and segregation of duties that may change the risk associated with
internal control.
• Expanded foreign operations: The expansion or acquisition of foreign operations carries
new and often unique risks that may affect internal control, for example, additional or
changed risks from foreign currency transactions.
• New accounting pronouncements: Adoption of new accounting principles or changing
accounting principles may affect risks in preparing financial statements.
C. Information systems, including the related business processes, relevant to financial
reporting and communication
An information system consists of infrastructure (physical and hardware components),
software, people, procedures, and data. Infrastructure and software will be absent, or have
less significance in systems that are exclusively or primarily manual. Many information
systems make extensive use of information technology (IT).
The information system relevant to financial reporting objectives, which includes the financial
reporting system, consists of the procedures and records established to initiate, record,
process, and report entity transactions (as well as events and conditions) and to maintain
accountability for the related assets, liabilities, and equity. Transactions may be initiated
manually or automatically by programmed procedures. Recording includes identifying and
capturing the relevant information for transactions or events. Processing includes functions
such as edit and validation, calculation, measurement, valuation, summarisation, and
reconciliation, whether performed by automated or manual procedures. Reporting relates to
the preparation of financial reports as well as other information, in electronic or printed format,
that the entity uses in measuring and reviewing the entity’s financial performance and in other
functions. The quality of system-generated information affects management’s ability to make
appropriate decisions in managing and controlling the entity’s activities and to prepare reliable
financial reports. Accordingly, an information system encompasses methods and records that:
• Identify and record all valid transactions.
• Describe on a timely basis the transactions in sufficient detail to permit proper classification
of transactions for financial reporting.
• Measure the value of transactions in a manner that permits recording their proper monetary
value in the financial statements.
• Determine the time period in which transactions occurred to permit recording of
transactions in the proper accounting period.
• Present properly the transactions and related disclosures in the financial statements.
D. Control activities
Control activities are the policies and procedures that help ensure that management directives
are carried out, for example, that necessary actions are taken to address risks that threaten
the achievement of the entity’s objectives. Control activities, whether within IT or manual
systems, have various objectives and are applied at various organisational and functional
levels.
Generally, control activities that may be relevant to an audit may be categorised as policies
and procedures that pertain to the following:
Performance reviews: These control activities include reviews and analysis of actual
performance versus budgets, forecasts, and prior period performance; relating different
sets of data - operating or financial - to one another, together with analysis of the
relationships and investigative and corrective actions; comparing internal data with external
sources of information; and review of functional or activity performance, such as a bank’s
consumer loan manager’s review of reports by branch, region, and loan type for loan
approvals and collections.
Information processing: A variety of controls are performed to check accuracy,
completeness, and authorisation of transactions. The two broad groupings of information
systems control activities are application controls and general IT controls.
• Application controls are manual or automated procedures that typically operate at a
business process level and apply to the processing of transactions by individual
applications. Application controls can be preventative or detective in nature and are
designed to ensure the integrity of the accounting records. Accordingly, application
controls relate to procedures used to initiate, record, process and report transactions or
other financial data. These controls help ensure that transactions occurred, are
authorised, and are completely and accurately recorded and processed. Examples of
application controls include checking the arithmetical accuracy of records, maintaining
and reviewing accounts and trial balances, automated controls such as edit checks of
input data and numerical sequence checks, and manual follow-up of exception reports
or correction at the point of data entry.
• General IT controls are policies and procedures that relate to many applications and
support the effective functioning of application controls by helping to ensure the
continued proper operation of information systems. General IT controls commonly
include controls over data centre and network operations; system software acquisition,
change and maintenance; access security; and application system acquisition,
development, and maintenance. These controls apply to mainframe, miniframe, and
end-user environments. Examples of such general IT controls are program change
controls, controls that restrict access to programs or data, controls over the
implementation of new releases of packaged software applications, and controls over
system software that restrict access to or monitor the use of system utilities that could
change financial data or records without leaving an audit trail.
Physical controls: These activities encompass the physical security of assets, including
adequate safeguards such as secured facilities over access to assets and records;
authorisation for access to computer programs and data files; and periodic counting and
comparison with amounts shown on control records (for example, comparing the results of
cash, security and inventory counts with accounting records). The extent to which physical
controls intended to prevent theft of assets are relevant to the reliability of financial
statement preparation, and therefore the audit, depends on circumstances such as when
assets are highly susceptible to misappropriation. For example, these controls would
ordinarily not be relevant when any inventory losses would be detected pursuant to periodic
physical inspection and recorded in the financial statements. However, if for financial
reporting purposes, management relies solely on perpetual inventory records, the physical
security controls would be relevant to the audit.
Segregation of duties: Assigning different people the responsibilities of authorising
transactions, recording transactions, and maintaining custody of assets is intended to
reduce the opportunities to allow any person to be in a position to both perpetrate and
conceal errors or fraud in the normal course of the person’s duties. Examples of
segregation of duties include reporting, reviewing and approving reconciliations, and
approval and control of documents.
Certain control activities may depend on the existence of appropriate higher level policies
established by management or those charged with governance. For example, authorisation
controls may be delegated under established guidelines, such as investment criteria set by
those charged with governance; alternatively, non-routine transactions such as major
acquisitions or divestments may require specific high level approval, including in some cases
that of shareholders.
Application to small entities
The concepts underlying control activities in small entities are likely to be similar to those in
larger entities, but the formality with which they operate varies. Further, small entities may find
that certain types of control activities are not relevant because of controls applied by
management. For example, management’s retention of authority for approving credit sales,
significant purchases, and draw-downs on lines of credit can provide strong control over those
activities, lessening or removing the need for more detailed control activities. An appropriate
segregation of duties often appears to present difficulties in small entities. Even companies
that have only a few employees may be able to assign their responsibilities to achieve
appropriate segregation or, if that is not possible, to use management oversight of the
incompatible activities to achieve control objectives.
Control activities relevant to the audit of a smaller entity are likely to relate to the main
transactions cycles, such as revenues, purchases, and employment expenses.
E. Monitoring of controls
An important management responsibility is to establish and maintain internal control on an
ongoing basis. Management’s monitoring of controls includes considering whether they are
operating as intended and that they are modified as appropriate for changes in conditions.
Monitoring of controls may include activities such as management’s review of whether bank
reconciliations are being prepared on a timely basis, internal auditor’s evaluation of sales
personnel’s compliance with the entity’s policies on terms of sales contracts, and a legal
department’s oversight of compliance with the entity’s ethical or business practice policies.
Monitoring of controls is a process to assess the quality of internal control performance over
time. It involves assessing the design and operation of controls on a timely basis and taking
necessary corrective actions. Monitoring is done to ensure that controls continue to operate
effectively. For example, if the timeliness and accuracy of bank reconciliations are not
monitored, personnel are likely to stop preparing them. Monitoring of controls is accomplished
through ongoing monitoring activities, separate evaluations, or a combination of the two.
Ongoing monitoring activities are built into the normal recurring activities of an entity and
include regular management and supervisory activities. Managers of sales, purchasing, and
production at divisional and corporate levels are in touch with operations and may question
reports that differ significantly from their knowledge of operations. In many entities, internal
engagement teams or personnel performing similar functions contribute to the monitoring of an
entity’s controls through separate evaluations. They regularly provide information about the
functioning of internal control, focusing considerable attention on evaluating the design and
operation of internal control. They communicate information about strengths and weaknesses
and recommendations for improving internal control.
Monitoring activities may include using information from communication from external parties
that may indicate problems or highlight areas in need of improvement. Customers implicitly
corroborate billing data by paying their invoices or complaining about their charges. In addition,
regulators may communicate with the entity concerning matters that affect the functioning of
internal control, for example, communication concerning examinations by bank regulatory
agencies. Also, management may consider communication relating to internal control from
external engagement teams in performing monitoring activities.
APPENDIX V: GUIDANCE ON DOCUMENTING THE ACCOUNTING SYSTEMS
1. Flowcharting
A flowchart is a method of recording the stages in an accounting procedure. Flowcharts can be
a useful tool, particularly for larger clients.
Advantages of flowcharting
Easier to understand and assimilate than pure narrative notes.
Completion requires a full understanding of the system by the preparer.
Encourages a logical and objective audit approach.
Aids the completeness of system records.
Gives a perspective to the system description.
Allows a rapid independent review.
Communication is made easier.
Easier to update than pure narrative notes.
Disadvantages of flowcharting
Requires careful and laborious attention to detail.
Time consuming in preparation.
Time wasting if applied to very simple systems, or where no real system is in operation.
Flowcharting conventions
Direction of flow
• Must be down the page or horizontally (either left or right) but never up the page.
• Diagonal flows must not be used.
Narrative
• Confined to the narrative column.
• Directly opposite the chart operation to which it relates.
• If not obvious from the chart, one should explain (briefly) what each operation is, who
does it, and its purpose.
Numbering of operations
• Each and every operation should be numbered.
• Flow-lines
_______________________________ Document flow (vertical lines only).
---------------------------------------------------- Information flow (horizontal lines only).
• If two unrelated document lines must cross then a “bridge” or other symbol should be
used.
Document description
• The name of a document should be shown either on the document symbol or by the
side of it.
Placing of symbols
• All symbols should normally appear on a vertical flow line.
Merging or separating
• This should be shown on the chart by merging or separating the appropriate document
flow lines.
Alternative procedures
• Depending on the complexity of alternatives, either:
(i) Detail both procedures on the main chart, if sufficiently simple; or
(ii) Draw a subsidiary chart.
Preparing a flowchart
Obtain oral or written details of the system from the person exercising overall control.
Information required includes:
• The nature and source of significant transactions.
• The key processes.
• The flow of significant transactions.
• Principal files supporting account balances.
• Principal files used for comparison.
• Output, its regularity and distribution.
Prepare a rough copy of the system.
Trace a transaction through the system by performing walk-through tests.
Complete the final version of the flowchart.
Review the completed charts to ensure all alternatives are charted and that all document
flows have an end.
Review the completed charts with the person exercising overall responsibility, to ensure
they are correct and to draw attention to any divergences from the original description.
2. Narrative notes
In the case of smaller entities with less complicated transactions, narrative notes describing
the process flows may be sufficient. Even in such cases, it is important to carry out walk-
through tests and confirm the recording with the person exercising overall responsibility to
ensure that the notes are correct.
APPENDIX VI: TABLE OF RISK FACTORS
INHERENT   ANALYTICAL   CONTROL   RISK FACTOR
Low        Low          Low       0.7
Low        Low          Medium    0.9
Low        Low          High      1.1
Low        Medium       Low       1.1
Low        Medium       Medium    1.4
Low        Medium       High      1.7
Low        High         Low       1.5
Low        High         Medium    2.0
Low        High         High      2.5
Medium     Low          Low       1.2
Medium     Low          Medium    1.4
Medium     Low          High      1.6
Medium     Medium       Low       1.5
Medium     Medium       Medium    1.8
Medium     Medium       High      2.1
Medium     High         Low       2.0
Medium     High         Medium    2.4
Medium     High         High      2.8
High       Low          Low       1.6
High       Low          Medium    1.9
High       Low          High      2.2
High       Medium       Low       2.0
High       Medium       Medium    2.3
High       Medium       High      2.6
High       High         Low       2.4
High       High         Medium    2.7
High       High         High      3.0
8. AUDITOR’S RESPONSIBILITY TO CONSIDER FRAUD (INCORPORATING ISA 240)
8.1. Objective
8.1.1 The objectives of the auditor are:
To identify and assess the risks of material misstatement of the financial
statements due to fraud;
To obtain sufficient appropriate audit evidence regarding the assessed risks of material
misstatement due to fraud, through designing and implementing appropriate responses;
and
To respond appropriately to fraud or suspected fraud identified during the audit.
8.1.2 The firm, in the conduct of an audit, is required to obtain reasonable assurance that the
financial statements taken as a whole are free from material misstatements. Misstatements in
the financial statements could arise as a result of fraud or error. The distinguishing factor
between fraud and error is whether the underlying action that results in the misstatement is
intentional (fraud) or unintentional (error).
8.2. Definitions
8.2.1 Error refers to an unintentional misstatement in the financial statements, including the
omission of an amount or a disclosure, which could include:
A mistake in gathering or processing data from which financial statements are prepared.
An incorrect accounting estimate arising from oversight or misinterpretation of facts.
A mistake in the application of accounting policies relating to measurement, recognition,
classification, presentation or disclosure.
8.2.2 Fraud refers to an intentional act by one or more individuals among management, those
charged with governance, employees, or third parties, involving the use of deception to obtain
an unjust or illegal advantage.
8.2.3 Fraud risk factors – Events or conditions that indicate an incentive or pressure to commit
fraud or provide an opportunity to commit fraud.
8.2.4 Although fraud is a broad legal concept, for the purposes of ISAs, the auditor is
concerned with fraud that causes a material misstatement in the financial statements. Two
types of intentional misstatements are relevant to the auditor:
Misstatements resulting from fraudulent financial reporting; and
Misstatements resulting from misappropriation of assets.
Although the auditor may suspect or, in rare cases, identify the occurrence of fraud, the auditor
does not make legal determinations of whether fraud has actually occurred.
8.2.5 Fraud involving one or more members of management or those charged with governance
is referred to as “management fraud”; while fraud involving only employees of the entity is
referred to as “employee fraud”. In either case, there may be collusion with third parties outside
the entity.
8. Auditor’s responsibility to consider fraud 69 of 133
1st July 2010
8.2.6 The risk of the auditor not detecting a material misstatement resulting from management
fraud is greater than for employee fraud, because management is frequently in a position to
directly or indirectly manipulate accounting records, present fraudulent financial information or
override control procedures designed to prevent similar frauds by other employees.
8.2.7 Professional scepticism is an attitude that includes a questioning mind and a critical
assessment of audit evidence. Professional scepticism requires an ongoing questioning of
whether the information and audit evidence obtained suggests that a material misstatement due
to fraud may exist.
8.3. Responsibility for the detection of fraud
8.3.1 While the general audit procedures that the auditor is required to follow to detect
misstatements are covered in the other chapters of the Manual, this chapter provides additional
considerations that the team shall take into account in designing the audit procedures to enable
them to have a reasonable expectation of detecting misstatements arising from fraud. Owing to
the inherent limitations of an audit, there is an unavoidable risk that some material
misstatements of the financial statements will not be detected, even though the audit is properly
planned and performed in accordance with the ISAs.
8.3.2 The primary responsibility for the prevention and detection of fraud rests with both those
charged with governance of the entity and with the management. It is important that
management, with the oversight of those charged with governance, place a strong emphasis
on fraud prevention, which may reduce opportunities for fraud to take place, and fraud
deterrence, which could persuade individuals not to commit fraud because of the likelihood of
detection and punishment. This involves a commitment to creating a culture of honesty and
ethical behaviour which can be reinforced by an active oversight by those charged with
governance. Oversight by those charged with governance includes considering the potential
for override of controls or other inappropriate influence over the financial reporting process,
such as efforts by management to manage earnings in order to influence the perceptions of
analysts as to the entity’s performance and profitability. As described in ISA 200 the potential
effects of inherent limitations are particularly significant in the case of misstatement resulting
from fraud. The risk of not detecting a material misstatement resulting from fraud is higher than
the risk of not detecting one resulting from error. This is because fraud may involve
sophisticated and carefully organised schemes designed to conceal it, such as forgery,
deliberate failure to record transactions, or intentional misrepresentations being made to the
auditor. Such attempts at concealment may be even more difficult to detect when
accompanied by collusion. Collusion may cause the auditor to believe that audit evidence is
persuasive when it is, in fact, false. The auditor’s ability to detect a fraud depends on factors
such as the skill of the perpetrator, the frequency and extent of manipulation, the degree of
collusion involved, the relative size of individual amounts manipulated, and the seniority of
those individuals involved. While the auditor may be able to identify potential opportunities for
fraud to be perpetrated, it is difficult for the auditor to determine whether misstatements in
judgment areas such as accounting estimates are caused by fraud or error.