Guide to Using International Standards on Auditing in - IFAC
Guide to Using International Standards on Auditing in - IFAC
Guide to Using International Standards on Auditing in - IFAC
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
71<br />
<str<strong>on</strong>g>Guide</str<strong>on</strong>g> <str<strong>on</strong>g>to</str<strong>on</strong>g> <str<strong>on</strong>g>Us<strong>in</strong>g</str<strong>on</strong>g> <str<strong>on</strong>g>Internati<strong>on</strong>al</str<strong>on</strong>g> <str<strong>on</strong>g>Standards</str<strong>on</strong>g> <strong>on</strong> <strong>Audit<strong>in</strong>g</strong> <strong>in</strong> the Audits of Small- and Medium-Sized Entities Volume 1—Core C<strong>on</strong>cepts<br />
• Communicati<strong>on</strong>s relat<strong>in</strong>g <str<strong>on</strong>g>to</str<strong>on</strong>g> <strong>in</strong>ternal c<strong>on</strong>trol from external audi<str<strong>on</strong>g>to</str<strong>on</strong>g>rs and c<strong>on</strong>sultants.<br />
Sources of Informati<strong>on</strong> Used for M<strong>on</strong>i<str<strong>on</strong>g>to</str<strong>on</strong>g>r<strong>in</strong>g<br />
Much of the <strong>in</strong>formati<strong>on</strong> used <strong>in</strong> m<strong>on</strong>i<str<strong>on</strong>g>to</str<strong>on</strong>g>r<strong>in</strong>g will be produced by the entity’s <strong>in</strong>formati<strong>on</strong> system.<br />
Management may tend <str<strong>on</strong>g>to</str<strong>on</strong>g> assume that this <strong>in</strong>formati<strong>on</strong> is accurate. If this <strong>in</strong>formati<strong>on</strong> is not accurate, there is<br />
a risk that management could reach <strong>in</strong>correct c<strong>on</strong>clusi<strong>on</strong>s, and make poor decisi<strong>on</strong>s as a result.<br />
Accord<strong>in</strong>gly, when the audi<str<strong>on</strong>g>to</str<strong>on</strong>g>r is evaluat<strong>in</strong>g the m<strong>on</strong>i<str<strong>on</strong>g>to</str<strong>on</strong>g>r<strong>in</strong>g of c<strong>on</strong>trols, an understand<strong>in</strong>g is required of:<br />
• The sources of the <strong>in</strong>formati<strong>on</strong> related <str<strong>on</strong>g>to</str<strong>on</strong>g> the entity’s m<strong>on</strong>i<str<strong>on</strong>g>to</str<strong>on</strong>g>r<strong>in</strong>g activities; and<br />
• The basis up<strong>on</strong> which management c<strong>on</strong>siders the <strong>in</strong>formati<strong>on</strong> <str<strong>on</strong>g>to</str<strong>on</strong>g> be sufficiently reliable for the purpose.<br />
5.9 Understand<strong>in</strong>g of Internal C<strong>on</strong>trols Relevant <str<strong>on</strong>g>to</str<strong>on</strong>g> the Audit<br />
The follow<strong>in</strong>g exhibit summarizes the steps <strong>in</strong>volved <strong>in</strong> obta<strong>in</strong><strong>in</strong>g an understand<strong>in</strong>g of <strong>in</strong>ternal c<strong>on</strong>trols<br />
relevant <str<strong>on</strong>g>to</str<strong>on</strong>g> the audit.<br />
Exhibit 5.9-1<br />
Identify<br />
Specific Risks<br />
of Material<br />
Misstatement<br />
Requir<strong>in</strong>g<br />
Mitigati<strong>on</strong><br />
Management’s<br />
Resp<strong>on</strong>se <str<strong>on</strong>g>to</str<strong>on</strong>g><br />
the Identified<br />
Risks of Material<br />
Misstatement<br />
Significant<br />
Deficiencies<br />
Implementati<strong>on</strong> of<br />
Relevant C<strong>on</strong>trols<br />
Address<br />
The potential risks of material misstatement (related <str<strong>on</strong>g>to</str<strong>on</strong>g> significant classes of<br />
transacti<strong>on</strong>s, account balances, and f<strong>in</strong>ancial statement disclosures) that exist at the<br />
asserti<strong>on</strong> level. For example:<br />
• Regular day-<str<strong>on</strong>g>to</str<strong>on</strong>g>-day transacti<strong>on</strong>al risks;<br />
• Fraud risks (such as management override and asset misappropriati<strong>on</strong>);<br />
• Disclosure risks (<strong>in</strong>complete or miss<strong>in</strong>g <strong>in</strong>formati<strong>on</strong>);<br />
• Significant risks;<br />
• N<strong>on</strong>-rout<strong>in</strong>e risks (such as implement<strong>in</strong>g a new account<strong>in</strong>g system); and<br />
• Judgmental risks (estimates, valuati<strong>on</strong>s, etc.).<br />
What specific (manual or IT applicati<strong>on</strong>) c<strong>on</strong>trol activities that (<strong>in</strong>dividually or <strong>in</strong><br />
comb<strong>in</strong>ati<strong>on</strong> with others) prevent, or detect and correct, material errors and fraud.<br />
This step does not require the audi<str<strong>on</strong>g>to</str<strong>on</strong>g>r <str<strong>on</strong>g>to</str<strong>on</strong>g> identify all the c<strong>on</strong>trol activities that may<br />
exist. For example, an entity may have implemented 15 c<strong>on</strong>trol procedures <str<strong>on</strong>g>to</str<strong>on</strong>g> address<br />
a particular risk. If the audi<str<strong>on</strong>g>to</str<strong>on</strong>g>r c<strong>on</strong>cluded that the first three c<strong>on</strong>trol procedures<br />
identified were sufficient <str<strong>on</strong>g>to</str<strong>on</strong>g> mitigate the risk <strong>in</strong>volved, there is no need <str<strong>on</strong>g>to</str<strong>on</strong>g> carry <strong>on</strong><br />
work <str<strong>on</strong>g>to</str<strong>on</strong>g> identify and document the other 12 c<strong>on</strong>trol procedures.<br />
Failure by management <str<strong>on</strong>g>to</str<strong>on</strong>g> mitigate a risk of material misstatement would likely result<br />
<strong>in</strong> a significant deficiency. These would be reported <str<strong>on</strong>g>to</str<strong>on</strong>g> management and an audit<br />
resp<strong>on</strong>se developed.<br />
This <strong>in</strong>volves procedures (<strong>in</strong> additi<strong>on</strong> <str<strong>on</strong>g>to</str<strong>on</strong>g> <strong>in</strong>quiry of the client’s pers<strong>on</strong>nel) <str<strong>on</strong>g>to</str<strong>on</strong>g> determ<strong>in</strong>e<br />
that relevant c<strong>on</strong>trols identified actually exist and are <strong>in</strong> use by the entity. This can be<br />
carried out at a po<strong>in</strong>t <strong>in</strong> time such as trac<strong>in</strong>g <strong>on</strong>e transacti<strong>on</strong> through the system <strong>on</strong><br />
a particular day. This is not a test of c<strong>on</strong>trols, which is designed <str<strong>on</strong>g>to</str<strong>on</strong>g> evaluate whether a<br />
c<strong>on</strong>trol operated effectively throughout the period covered by the audit.