Guide to Using International Standards on Auditing in - IFAC
Guide to Using International Standards on Auditing in - IFAC
Guide to Using International Standards on Auditing in - IFAC
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
60<br />
<str<strong>on</strong>g>Guide</str<strong>on</strong>g> <str<strong>on</strong>g>to</str<strong>on</strong>g> <str<strong>on</strong>g>Us<strong>in</strong>g</str<strong>on</strong>g> <str<strong>on</strong>g>Internati<strong>on</strong>al</str<strong>on</strong>g> <str<strong>on</strong>g>Standards</str<strong>on</strong>g> <strong>on</strong> <strong>Audit<strong>in</strong>g</strong> <strong>in</strong> the Audits of Small- and Medium-Sized Entities Volume 1—Core C<strong>on</strong>cepts<br />
Risk<br />
Assessment<br />
A risk assessment process provides management with the <strong>in</strong>formati<strong>on</strong> needed <str<strong>on</strong>g>to</str<strong>on</strong>g> determ<strong>in</strong>e what bus<strong>in</strong>ess/<br />
fraud risks should be managed, and the acti<strong>on</strong>s (if any) <str<strong>on</strong>g>to</str<strong>on</strong>g> be taken. Management may <strong>in</strong>itiate plans,<br />
programs, or acti<strong>on</strong>s <str<strong>on</strong>g>to</str<strong>on</strong>g> address specific risks, or it may decide <str<strong>on</strong>g>to</str<strong>on</strong>g> accept a risk because of cost or other<br />
c<strong>on</strong>siderati<strong>on</strong>s.<br />
If the entity’s risk assessment process is appropriate <str<strong>on</strong>g>to</str<strong>on</strong>g> the circumstances, it will assist the audi<str<strong>on</strong>g>to</str<strong>on</strong>g>r <strong>in</strong> identify<strong>in</strong>g<br />
risks of material misstatement. A risk assessment process would normally address such matters as:<br />
• Changes <strong>in</strong> operat<strong>in</strong>g envir<strong>on</strong>ment;<br />
• New senior pers<strong>on</strong>nel;<br />
• New or revamped <strong>in</strong>formati<strong>on</strong> systems;<br />
• Rapid growth;<br />
• New technology;<br />
• New bus<strong>in</strong>ess models, products, or activities;<br />
• Corporate restructur<strong>in</strong>gs (<strong>in</strong>clud<strong>in</strong>g divestitures and acquisiti<strong>on</strong>s);<br />
• Expanded foreign operati<strong>on</strong>s; and<br />
• New account<strong>in</strong>g pr<strong>on</strong>ouncements.<br />
In smaller entities where a formal risk assessment process is unlikely <str<strong>on</strong>g>to</str<strong>on</strong>g> exist, the audi<str<strong>on</strong>g>to</str<strong>on</strong>g>r would discuss with<br />
management how bus<strong>in</strong>ess risks are identified and how they are addressed.<br />
Matters the audi<str<strong>on</strong>g>to</str<strong>on</strong>g>r should c<strong>on</strong>sider are how management:<br />
• Identifies risks relevant <str<strong>on</strong>g>to</str<strong>on</strong>g> f<strong>in</strong>ancial report<strong>in</strong>g;<br />
• Estimates the significance of the risks;<br />
• Assesses the likelihood of their occurrence; and<br />
• Decides up<strong>on</strong> acti<strong>on</strong>s <str<strong>on</strong>g>to</str<strong>on</strong>g> manage them.<br />
If the audi<str<strong>on</strong>g>to</str<strong>on</strong>g>r identifies risks of material misstatement that management failed <str<strong>on</strong>g>to</str<strong>on</strong>g> identify, he/she should<br />
c<strong>on</strong>sider:<br />
• Why did management’s processes fail?<br />
• Are the processes appropriate <str<strong>on</strong>g>to</str<strong>on</strong>g> the circumstances?<br />
If a significant deficiency exists <strong>in</strong> the entity’s risk assessment process (or there is no process at all), it would be<br />
communicated <str<strong>on</strong>g>to</str<strong>on</strong>g> management and those charged with governance.