Guide to Using International Standards on Auditing in - IFAC
Guide to Using International Standards on Auditing in - IFAC
Guide to Using International Standards on Auditing in - IFAC
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
177<br />
<str<strong>on</strong>g>Guide</str<strong>on</strong>g> <str<strong>on</strong>g>to</str<strong>on</strong>g> <str<strong>on</strong>g>Us<strong>in</strong>g</str<strong>on</strong>g> <str<strong>on</strong>g>Internati<strong>on</strong>al</str<strong>on</strong>g> <str<strong>on</strong>g>Standards</str<strong>on</strong>g> <strong>on</strong> <strong>Audit<strong>in</strong>g</strong> <strong>in</strong> the Audits of Small- and Medium-Sized Entities Volume 1—Core C<strong>on</strong>cepts<br />
Exhibit 15.3-1<br />
Risk Assessment<br />
What services (relevant <str<strong>on</strong>g>to</str<strong>on</strong>g> the audit)<br />
are provided by service organizati<strong>on</strong>s?<br />
What <strong>in</strong>ternal c<strong>on</strong>trols, relevant <str<strong>on</strong>g>to</str<strong>on</strong>g><br />
the services provided, are <strong>in</strong> place?<br />
To what extent has reliance been placed<br />
<strong>on</strong> c<strong>on</strong>trols <strong>in</strong> place at the<br />
service organizati<strong>on</strong>?<br />
Is a type 1 or 2 report available?<br />
Risk Resp<strong>on</strong>se<br />
Can sufficient audit evidence be<br />
obta<strong>in</strong>ed from with<strong>in</strong> the user entity?<br />
If not:<br />
<br />
at service organizati<strong>on</strong>, or<br />
<br />
<strong>on</strong> a type 2 report, if available.<br />
Inquire about events such as fraud<br />
or n<strong>on</strong>-compliance with laws and<br />
regulati<strong>on</strong>s.<br />
Report<strong>in</strong>g<br />
o not make reference <str<strong>on</strong>g>to</str<strong>on</strong>g> work of<br />
a service audi<str<strong>on</strong>g>to</str<strong>on</strong>g>r unless audi<str<strong>on</strong>g>to</str<strong>on</strong>g>r's<br />
report has been modified.<br />
If <strong>in</strong>sufficient appropriate audit<br />
evidence was obta<strong>in</strong>ed, modify<br />
the audi<str<strong>on</strong>g>to</str<strong>on</strong>g>r’s report.<br />
Paragraph #<br />
Relevant Extracts from ISAs<br />
402.8 For purposes of the ISAs, the follow<strong>in</strong>g terms have the mean<strong>in</strong>gs attributed below:<br />
(a) Complementary user entity c<strong>on</strong>trols—C<strong>on</strong>trols that the service organizati<strong>on</strong> assumes, <strong>in</strong><br />
the design of its service, will be implemented by user entities, and which, if necessary <str<strong>on</strong>g>to</str<strong>on</strong>g><br />
achieve c<strong>on</strong>trol objectives, are identified <strong>in</strong> the descripti<strong>on</strong> of its system.<br />
(b) Report <strong>on</strong> the descripti<strong>on</strong> and design of c<strong>on</strong>trols at a service organizati<strong>on</strong> (referred <str<strong>on</strong>g>to</str<strong>on</strong>g> <strong>in</strong><br />
this ISA as a type 1 report)—A report that comprises:<br />
(i) A descripti<strong>on</strong>, prepared by management of the service organizati<strong>on</strong>, of the service<br />
organizati<strong>on</strong>’s system, c<strong>on</strong>trol objectives and related c<strong>on</strong>trols that have been<br />
designed and implemented as at a specified date; and<br />
(ii) A report by the service audi<str<strong>on</strong>g>to</str<strong>on</strong>g>r with the objective of c<strong>on</strong>vey<strong>in</strong>g reas<strong>on</strong>able assurance<br />
that <strong>in</strong>cludes the service audi<str<strong>on</strong>g>to</str<strong>on</strong>g>r’s op<strong>in</strong>i<strong>on</strong> <strong>on</strong> the descripti<strong>on</strong> of the service<br />
organizati<strong>on</strong>’s system, c<strong>on</strong>trol objectives and related c<strong>on</strong>trols and the suitability of the<br />
design of the c<strong>on</strong>trols <str<strong>on</strong>g>to</str<strong>on</strong>g> achieve the specified c<strong>on</strong>trol objectives.<br />
(c) Report <strong>on</strong> the descripti<strong>on</strong>, design, and operat<strong>in</strong>g effectiveness of c<strong>on</strong>trols at a service<br />
organizati<strong>on</strong> (referred <str<strong>on</strong>g>to</str<strong>on</strong>g> <strong>in</strong> this ISA as a type 2 report)—A report that comprises:<br />
(i) A descripti<strong>on</strong>, prepared by management of the service organizati<strong>on</strong>, of the service<br />
organizati<strong>on</strong>’s system, c<strong>on</strong>trol objectives and related c<strong>on</strong>trols, their design and<br />
implementati<strong>on</strong> as at a specified date or throughout a specified period and, <strong>in</strong> some<br />
cases, their operat<strong>in</strong>g effectiveness throughout a specified period; and<br />
(ii) A report by the service audi<str<strong>on</strong>g>to</str<strong>on</strong>g>r with the objective of c<strong>on</strong>vey<strong>in</strong>g reas<strong>on</strong>able assurance<br />
that <strong>in</strong>cludes:<br />
a. The service audi<str<strong>on</strong>g>to</str<strong>on</strong>g>r’s op<strong>in</strong>i<strong>on</strong> <strong>on</strong> the descripti<strong>on</strong> of the service organizati<strong>on</strong>’s<br />
system, c<strong>on</strong>trol objectives and related c<strong>on</strong>trols, the suitability of the design of the<br />
c<strong>on</strong>trols <str<strong>on</strong>g>to</str<strong>on</strong>g> achieve the specified c<strong>on</strong>trol objectives, and the operat<strong>in</strong>g effectiveness<br />
of the c<strong>on</strong>trols; and<br />
b. A descripti<strong>on</strong> of the service audi<str<strong>on</strong>g>to</str<strong>on</strong>g>r’s tests of the c<strong>on</strong>trols and the results thereof.