Guide to Using International Standards on Auditing in - IFAC
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1—Core Concepts
Risk Response
Paragraph #
Relevant Extracts from ISAs
402.13 In determining the sufficiency and appropriateness of the audit evidence provided by a type 1 or type 2 report, the user auditor shall be satisfied as to:
(a) The service auditor’s professional competence and independence from the service organization; and
(b) The adequacy of the standards under which the type 1 or type 2 report was issued. (Ref: Para. A21)
402.14 If the user auditor plans to use a type 1 or type 2 report as audit evidence to support the user auditor’s understanding about the design and implementation of controls at the service organization, the user auditor shall:
(a) Evaluate whether the description and design of controls at the service organization is at a date or for a period that is appropriate for the user auditor’s purposes;
(b) Evaluate the sufficiency and appropriateness of the evidence provided by the report for the understanding of the user entity’s internal control relevant to the audit; and
(c) Determine whether complementary user entity controls identified by the service organization are relevant to the user entity and, if so, obtain an understanding of whether the user entity has designed and implemented such controls. (Ref: Para. A22-A23)
402.15 In responding to assessed risks in accordance with ISA 330, the user auditor shall:
(a) Determine whether sufficient appropriate audit evidence concerning the relevant financial statement assertions is available from records held at the user entity; and, if not,
(b) Perform further audit procedures to obtain sufficient appropriate audit evidence or use another auditor to perform those procedures at the service organization on the user auditor’s behalf. (Ref: Para. A24-A28)
402.16 When the user auditor’s risk assessment includes an expectation that controls at the service organization are operating effectively, the user auditor shall obtain audit evidence about the operating effectiveness of those controls from one or more of the following procedures:
(a) Obtaining a type 2 report, if available;
(b) Performing appropriate tests of controls at the service organization; or
(c) Using another auditor to perform tests of controls at the service organization on behalf of the user auditor. (Ref: Para. A29-A30)
402.17 If, in accordance with paragraph 16(a), the user auditor plans to use a type 2 report as audit evidence that controls at the service organization are operating effectively, the user auditor shall determine whether the service auditor’s report provides sufficient appropriate audit evidence about the effectiveness of the controls to support the user auditor’s risk assessment by:
(a) Evaluating whether the description, design and operating effectiveness of controls at the service organization is at a date or for a period that is appropriate for the user auditor’s purposes;
(b) Determining whether complementary user entity controls identified by the service organization are relevant to the user entity and, if so, obtaining an understanding of whether the user entity has designed and implemented such controls and, if so, testing their operating effectiveness;
(c) Evaluating the adequacy of the time period covered by the tests of controls and the time elapsed since the performance of the tests of controls; and
(d) Evaluating whether the tests of controls performed by the service auditor and the results thereof, as described in the service auditor’s report, are relevant to the assertions in the user entity’s financial statements and provide sufficient appropriate audit evidence to support the user auditor’s risk assessment. (Ref: Para. A31-A39)