Guide to Using International Standards on Auditing in - IFAC

29
<strong>Guide</strong> <strong>to</strong> <strong>Using</strong> <strong>International</strong> <strong>Standards</strong> on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1—Core Concepts
An effective risk assessment phase would include the following.
Exhibit 3.3-4
Requirements
Up-Front
Involvement
of Senior Team
Members
An Emphasis on
“Professional
Skepticism”
Planning
Team Discussions
and Ongoing
Communication
Focus on Risk
Identification
Ability <strong>to</strong> Evaluate
Management’s
Response(s) <strong>to</strong>
Risk
Description
The engagement partner and other key members of the engagement team need
<strong>to</strong> be actively involved in planning the audit, and in planning and participating in
the discussion among engagement team members. This will ensure the audit plan
takes advantage of their experience and insight. Note that ISAs usually refer <strong>to</strong> the
term “audi<strong>to</strong>r” as the person(s) performing the engagement. Where an ISA intends
a requirement or responsibility be fulfilled by the engagement partner, the term
"engagement partner" rather than "audi<strong>to</strong>r" is used.
The audi<strong>to</strong>r cannot be expected <strong>to</strong> disregard past experience of the honesty
and integrity of the entity’s management and those charged with governance.
Nevertheless, a belief that management and those charged with governance are
honest and have integrity does not relieve the audi<strong>to</strong>r of the need <strong>to</strong> maintain
professional skepticism, or allow the audi<strong>to</strong>r <strong>to</strong> be satisfied with less-than-persuasive
audit evidence when obtaining reasonable assurance.
The time spent in audit planning (developing the overall audit strategy and audit plan)
will ensure that audit objectives are properly met, and that the work of audit staff is always
focused on gathering evidence on the most critical areas of potential misstatement.
A team planning discussion/meeting with the engagement partner present provides
an excellent forum for:
• Informing staff about the client in general and discussing potential risk areas;
• Discussing the effectiveness of the overall audit strategy and the audit plan and
then making changes as necessary;
• Brains<strong>to</strong>rming how fraud could occur and then designing an appropriate
response; and
• Allocating audit responsibilities and setting timeframes.
Ongoing communication among the audit team throughout the engagement is
also important, the better <strong>to</strong> discuss and address audit issues as they arise, any
unusual activities noted, or possible indica<strong>to</strong>rs of fraud. This will enable timely
communications <strong>to</strong> management and, where necessary, changes <strong>to</strong> the audit
strategy and audit procedures.
The most important step in a risk assessment process is <strong>to</strong> identify all the relevant
risks. If business and fraud risk fac<strong>to</strong>rs are not identified by the audi<strong>to</strong>r, they will not
be assessed or documented, and an appropriate audit response (if required) will not
be designed. This is why well-designed risk assessment procedures are so important
<strong>to</strong> the effectiveness of the audit. These risk assessment procedures also need <strong>to</strong> be
performed by the appropriate level of staff.
A key step in the risk assessment process is <strong>to</strong> evaluate the effectiveness of
management’s responses (that is, management’s control design/implementation),
if any, <strong>to</strong> mitigate the identified risks of material misstatement in the financial
statements. In smaller entities, more reliance will likely be placed on the control
environment and moni<strong>to</strong>ring of controls, and less on the traditional control activities.