This International Standard on Auditing (ISA) deals with the auditor’s responsibility to identify and assess the risks of material misstatement in the financial statements through understanding the entity and its environment, including the entity’s internal control.
The following risk assessment procedures should be followed in an audit:
Understanding the entity and its environment:
The auditor shall obtain an understanding of the following factors:
- Relevant industry and other external factors, such as the applicable financial reporting framework.
- The nature of the entity, including its operations, its ownership and governance structures, the types of investments that the entity is making and plans to make, which include investments in special-purpose entities; and the way the entity is established and how it is financed, to enable the auditor to understand the classes of transactions, account balances, and disclosures in the financial statements.
- The entity’s selection and understanding of accounting policies. The auditor should evaluate whether the entity’s accounting policies are appropriate for its business and consistent with the applicable financial reporting framework.
- The entity’s goals and strategies, and the related business risks that may result in risks of material misstatement.
- The measurement and assessment of the entity’s financial performance.
Obtaining an Understanding of Internal Control:
- The auditor must acquire enough understanding of each component of internal control over financial reporting to become aware of the types of potential misstatements.
- The nature, timing, and extent of procedures needed to gain an understanding of internal control depend upon the size and complexity of the company and the nature of the company’s documentation of its internal control over financial reporting.
- Obtaining an understanding of internal control consists of evaluating the design of controls that are relevant to the audit and determining whether the controls were implemented.
- Internal control over financial reporting can be described as consisting of the following components: the control environment, the organization’s assessment process, information and communication, control activities, and monitoring of controls.
Components of Internal Control:
1) Control environment:
The auditor should obtain an understanding of the client’s control environment. Along with obtaining this information, the auditor shall evaluate whether management has created and maintained a culture of honesty and ethical conduct.
The auditor shall also evaluate whether the strengths in the control environment elements collectively provide an appropriate basis for the other components of internal control, and whether those other components are not undermined by deficiencies in the control environment.
2) Monitoring of Controls:
The auditor should understand the significant activities that the company uses to monitor the effectiveness of its internal control over financial reporting and how the organization initiates corrective actions related to its controls.
3) Performing Walkthroughs:
The auditor may carry out walkthroughs as part of obtaining information on internal control over financial reporting.
To perform a walkthrough, the auditor follows a transaction from origination through the company’s processes. Walkthrough procedures include a combination of inquiry, observation, an inspection of relevant documentation, and re-performance of controls.
4) Performing Analytical Procedures:
The auditor should perform analytical procedures designed to enhance the auditor’s understanding of the client’s business and the significant transactions and events that have occurred since the prior year-end, and to identify areas that could constitute specific risks relevant to the audit.
5) Identifying and Assessing Risks of Material Misstatement:
The auditor should determine risks of material misstatement at the financial statement level and the assertion level. In identifying and assessing risks of material misstatement, the auditor should identify risks of misstatement using information obtained from performing risk assessment procedures and decide whether any of the identified risks of material misstatement are significant risks.
6) Factors Relevant to Identifying Fraud Risks:
The auditor must evaluate whether the information obtained from the risk assessment procedures indicates that one or more fraud risk factors are present and should be considered in identifying and assessing fraud risks.
7) Further Consideration of Controls:
When the auditor has decided that a significant risk, including fraud risk, exists, the auditor should evaluate the design of the company’s controls meant to address fraud risks and other significant risks and decide whether those controls were properly implemented.
8) Revision of Risk Assessment:
When the auditor obtains audit evidence during the course of the audit that may challenge the audit evidence on which the auditor originally based the risk assessment, the auditor must revise the risk assessment and modify audit approaches in response to the revised risk assessments.