Auditing Standard ASA 315 Identifying and Assessing the Risks of Material Misstatement (Cth)


Compiled Auditing Standard

ASA 315

(December 2022)

Auditing Standard ASA 315
Identifying and Assessing the Risks of Material Misstatement

This compilation was prepared on 31 March 2022 taking into account amendments made by ASA 2021‑1.

Compilation Number: 1

Compilation Date: 14 December 2022

Prepared by the Auditing and Assurance Standards Board

Obtaining a Copy of this Auditing Standard

The most recently compiled versions of Auditing Standards, original Standards and amending Standards (see Compilation Details) are available on the AUASB website.

Auditing and Assurance Standards Board
Level 20, 500 Collins Street
Melbourne   Victoria   3000
AUSTRALIA

Phone:  (03) 8080 7400
E-mail: [email protected]

Postal Address:

PO Box 204
Collins Street West
Melbourne   Victoria   8007
AUSTRALIA

COPYRIGHT

© 2022 Commonwealth of Australia.  The text, graphics and layout of this Auditing Standard are protected by Australian copyright law and the comparable law of other countries.  Reproduction within Australia in unaltered form (retaining this notice) is permitted for personal and non‑commercial use subject to the inclusion of an acknowledgment of the source as being the Australian Auditing and Assurance Standards Board (AUASB).

Requests and enquiries concerning reproduction and rights for commercial purposes within Australia should be addressed to the Technical Director, Auditing and Assurance Standards Board, PO Box 204, Collins Street West, Melbourne, Victoria 8007 or sent to [email protected].  Otherwise, no part of this Auditing Standard may be reproduced, stored or transmitted in any form or by any means without the prior written permission of the AUASB except as permitted by law.

This Auditing Standard reproduces substantial parts of the corresponding International Standard on Auditing issued by the International Auditing and Assurance Standards Board (IAASB) and published by the International Federation of Accountants (IFAC), in the manner described in the statement on Conformity with International Standards on Auditing.  The AUASB acknowledges that IFAC is the owner of copyright in the International Standard on Auditing incorporated in this Auditing Standard throughout the world.

All existing rights in this material are reserved outside Australia.  Reproduction outside Australia in unaltered form (retaining this notice) is permitted for personal and non-commercial use only.

Further information and requests for authorisation to reproduce this Auditing Standard for commercial purposes outside Australia should be addressed to the Technical Director, Auditing and Assurance Standards Board, PO Box 204, Collins Street West, Melbourne, Victoria 8007 or sent to [email protected].  Any decision to approve a request may also require the agreement of IFAC.

ISSN 1833-4393

CONTENTS

COMPILATION DETAILS

AUTHORITY STATEMENT

CONFORMITY WITH INTERNATIONAL STANDARDS ON AUDITING

Paragraphs

Application.......................................................................................................... Aus 0.1-Aus 0.2

Operative Date................................................................................................................. Aus 0.3

Introduction

Scope of this Auditing Standard................................................................................................... 1

Key Concepts in this ASA........................................................................................................ 2-8

Scalability.................................................................................................................................... 9

Effective Date............................................................................................................................ 10

Objective................................................................................................................................... 11

Definitions................................................................................................................................. 12

Requirements

Risk Assessment Procedures and Related Activities............................................................. 13-18

Obtaining an Understanding of the Entity and Its Environment, the Applicable Financial Reporting Framework and the Entity’s System of Internal Control..................................................... 19-27

Identifying and Assessing the Risks of Material Misstatement.............................................. 28-37

Documentation.......................................................................................................................... 38

Application and Other Explanatory Material

Definitions........................................................................................................................ A1-A10

Risk Assessment Procedures and Related Activities........................................................ A11-A47

Obtaining an Understanding of the Entity and Its Environment, the Applicable Financial Reporting Framework and the Entity’s System of Internal Control.............................................. A48-A183

Identifying and Assessing the Risks of Material Misstatement.................................... A184-A236

Documentation............................................................................................................ A237-A241

Appendix 1: Considerations for Understanding the Entity and its Business Model

Appendix 2: Understanding Inherent Risk Factors

Appendix 3: Understanding the Entity’s System of Internal Control

Appendix 4: Considerations for Understanding an Entity’s Internal Audit Function

Appendix 5: Considerations for Understanding Information Technology (IT)

Appendix 6: Considerations for Understanding General IT Controls

COMPILATION DETAILS

Auditing Standard ASA 315 Identifying and Assessing the Risks of Material Misstatement (as Amended)

This compilation takes into account amendments made up to and including 10 March 2021 and was prepared on 31 March 2022 by the Auditing and Assurance Standards Board (AUASB).

This compilation is not a separate Auditing Standard made by the AUASB.  Instead, it is a representation of ASA 315 (February 2020) as amended by another Auditing Standard which is listed in the Table below.

Table of Standards

Standard            Date made          Operative Date
ASA 315 [A]         February 2020      Financial reporting periods commencing on or after 15 December 2021
ASA 2021-1 [B]      10 March 2021      Financial reporting periods commencing on or after 15 December 2022

[A]       Federal Register of Legislation – registration number F2020L00234, 6 March 2020

[B]       Federal Register of Legislation – registration number F2021L00403, 1 April 2021

Table of Amendments

Paragraph affected          How affected      By … [paragraph]
A38, Footnote 25            Amended           ASA 2021-1 [83]
A69                         Amended           ASA 2021-1 [84]
A69, Footnote 33            Amended           ASA 2021-1 [85]
A218, Footnote 56           Amended           ASA 2021-1 [86]

AUTHORITY STATEMENT

Auditing Standard ASA 315 Identifying and Assessing the Risks of Material Misstatement (as amended to 10 March 2021) is set out in paragraphs Aus 0.1 to A241 and Appendices 1 to 6.

This Auditing Standard is to be read in conjunction with ASA 101 Preamble to AUASB Standards, which sets out how AUASB Standards are to be understood, interpreted and applied.  This Auditing Standard is to be read also in conjunction with ASA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Australian Auditing Standards.

Conformity with International Standards on Auditing

This Auditing Standard conforms with International Standard on Auditing ISA 315 (Revised 2019) Identifying and Assessing the Risks of Material Misstatement issued by the International Auditing and Assurance Standards Board (IAASB), an independent standard‑setting board of the International Federation of Accountants (IFAC).

Paragraphs that have been added to this Auditing Standard (and do not appear in the text of the equivalent ISA) are identified with the prefix “Aus”.

Compliance with this Auditing Standard enables compliance with ISA 315.

Auditing Standard ASA 315

The Auditing and Assurance Standards Board (AUASB) made Auditing Standard ASA 315 Identifying and Assessing the Risks of Material Misstatement pursuant to section 227B of the Australian Securities and Investments Commission Act 2001 and section 336 of the Corporations Act 2001, on 4 February 2020.

This compiled version of ASA 315 incorporates subsequent amendments contained in another Auditing Standard made by the AUASB up to and including 10 March 2021 (see Compilation Details).

Auditing Standard ASA 315

Identifying and Assessing the Risks of Material Misstatement

Application

Aus 0.1            This Auditing Standard applies to:

(a)        an audit of a financial report for a financial year, or an audit of a financial report for a half-year, in accordance with the Corporations Act 2001; and

(b)       an audit of a financial report, or a complete set of financial statements, for any other purpose.

Aus 0.2            This Auditing Standard also applies, as appropriate, to an audit of other historical financial information.

Operative Date

Aus 0.3            This Auditing Standard is operative for financial reporting periods commencing on or after 15 December 2021.  [Note: For operative dates of paragraphs changed or added by an Amending Standard, see Compilation Details.]

Introduction

Scope of this Auditing Standard

1.          This Auditing Standard deals with the auditor’s responsibility to identify and assess the risks of material misstatement in the financial report.

Key Concepts in this ASA

2.          ASA 200 deals with the overall objectives of the auditor in conducting an audit of the financial report,[1] including to obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level.[2] Audit risk is a function of the risks of material misstatement and detection risk.[3] ASA 200 explains that the risks of material misstatement may exist at two levels:[4] the overall financial report level; and the assertion level for classes of transactions, account balances and disclosures.

    [1]     See ASA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Australian Auditing Standards.

    [2]     See ASA 200, paragraph 17.

    [3]     See ASA 200, paragraph 13(c).

    [4]     See ASA 200, paragraph A36.

3.          ASA 200 requires the auditor to exercise professional judgement in planning and performing an audit, and to plan and perform an audit with professional scepticism recognising that circumstances may exist that cause the financial report to be materially misstated.[5]

    [5]     See ASA 200, paragraphs 15–16. 

4.          Risks at the financial report level relate pervasively to the financial report as a whole and potentially affect many assertions.  Risks of material misstatement at the assertion level consist of two components, inherent risk and control risk:

·        Inherent risk is described as the susceptibility of an assertion about a class of transaction, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.

·        Control risk is described as the risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s system of internal control.

5.          ASA 200 explains that risks of material misstatement are assessed at the assertion level in order to determine the nature, timing and extent of further audit procedures necessary to obtain sufficient appropriate audit evidence.[6] For the identified risks of material misstatement at the assertion level, a separate assessment of inherent risk and control risk is required by this ASA.  As explained in ASA 200, inherent risk is higher for some assertions and related classes of transactions, account balances and disclosures than for others.  The degree to which inherent risk varies is referred to in this ASA as the ‘spectrum of inherent risk’.

    [6]     See ASA 200, paragraph A38 and ASA 330 The Auditor’s Responses to Assessed Risks, paragraph 6.

6.          Risks of material misstatement identified and assessed by the auditor include both those due to error and those due to fraud.  Although both are addressed by this ASA, the significance of fraud is such that further requirements and guidance are included in ASA 240[7] in relation to risk assessment procedures and related activities to obtain information that is used to identify, assess and respond to the risks of material misstatement due to fraud.

[7]     See ASA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of a Financial Report.

7.          The auditor’s risk identification and assessment process is iterative and dynamic.  The auditor’s understanding of the entity and its environment, the applicable financial reporting framework, and the entity’s system of internal control is interdependent with concepts within the requirements to identify and assess the risks of material misstatement.  In obtaining the understanding required by this ASA, initial expectations of risks may be developed, which may be further refined as the auditor progresses through the risk identification and assessment process.  In addition, this ASA and ASA 330 require the auditor to revise the risk assessments, and modify further overall responses and further audit procedures, based on audit evidence obtained from performing further audit procedures in accordance with ASA 330, or if new information is obtained.

8.          ASA 330 requires the auditor to design and implement overall responses to address the assessed risks of material misstatement at the financial report level.[8] ASA 330 further explains that the auditor’s assessment of the risks of material misstatement at the financial report level, and the auditor’s overall responses, are affected by the auditor’s understanding of the control environment.  ASA 330 also requires the auditor to design and perform further audit procedures whose nature, timing and extent are based on and are responsive to the assessed risks of material misstatement at the assertion level.[9]

    [8]     See ASA 330, paragraph 5.

    [9]     See ASA 330, paragraph 6.

Scalability

9.          ASA 200 states that some ASAs include scalability considerations which illustrate the application of the requirements to all entities regardless of whether their nature and circumstances are less complex or more complex.[10] This ASA is intended for audits of all entities, regardless of size or complexity, and the application material therefore incorporates considerations specific to both less and more complex entities, where appropriate.  While the size of an entity may be an indicator of its complexity, some smaller entities may be complex and some larger entities may be less complex.

    [10]    See ASA 200, paragraph A65.

Effective Date

10.        [Deleted by the AUASB. Refer to Aus 0.3]

Objective

11.        The objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial report and assertion levels, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement.

Definitions

12.        For the purposes of this Auditing Standard, the following terms have the meanings attributed below:

(a)        Assertions – Representations, explicit or otherwise, with respect to the recognition, measurement, presentation and disclosure of information in the financial report which are inherent in management representing that the financial report is prepared in accordance with the applicable financial reporting framework.  Assertions are used by the auditor to consider the different types of potential misstatements that may occur when identifying, assessing and responding to the risks of material misstatement.  (Ref: Para. A1)

(b)        Business risk – A risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies.

(c)        Controls – Policies or procedures that an entity establishes to achieve the control objectives of management or those charged with governance.  In this context: (Ref: Para. A2–A5)

(i)          Policies are statements of what should, or should not, be done within the entity to effect control.  Such statements may be documented, explicitly stated in communications, or implied through actions and decisions.

(ii)        Procedures are actions to implement policies.

(d)        General information technology (IT) controls – Controls over the entity’s IT processes that support the continued proper operation of the IT environment, including the continued effective functioning of information processing controls and the integrity of information (i.e., the completeness, accuracy and validity of information) in the entity’s information system.  Also see the definition of IT environment.

(e)        Information processing controls – Controls relating to the processing of information in IT applications or manual information processes in the entity’s information system that directly address risks to the integrity of information (i.e., the completeness, accuracy and validity of transactions and other information).  (Ref: Para. A6)

(f)        Inherent risk factors – Characteristics of events or conditions that affect susceptibility to misstatement, whether due to fraud or error, of an assertion about a class of transactions, account balance or disclosure, before consideration of controls.  Such factors may be qualitative or quantitative, and include complexity, subjectivity, change, uncertainty or susceptibility to misstatement due to management bias or other fraud risk factors[11] insofar as they affect inherent risk.  (Ref: Para. A7–A8)

[11]    See ASA 240, paragraphs A24‒A27.

(g)        IT environment – The IT applications and supporting IT infrastructure, as well as the IT processes and personnel involved in those processes, that an entity uses to support business operations and achieve business strategies.  For the purposes of this ASA:

(i)          An IT application is a program or a set of programs that is used in the initiation, processing, recording and reporting of transactions or information.  IT applications include data warehouses and report writers.

(ii)        The IT infrastructure comprises the network, operating systems, and databases and their related hardware and software.

(iii)       The IT processes are the entity’s processes to manage access to the IT environment, manage program changes or changes to the IT environment and manage IT operations.

(h)        Relevant assertions – An assertion about a class of transactions, account balance or disclosure is relevant when it has an identified risk of material misstatement.  The determination of whether an assertion is a relevant assertion is made before consideration of any related controls (i.e., the inherent risk).  (Ref: Para. A9)

(i)         Risks arising from the use of IT – Susceptibility of information processing controls to ineffective design or operation, or risks to the integrity of information (i.e., the completeness, accuracy and validity of transactions and other information) in the entity’s information system, due to ineffective design or operation of controls in the entity’s IT processes (see IT environment).

(j)         Risk assessment procedures – The audit procedures designed and performed to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial report and assertion levels.

(k)        Significant class of transactions, account balance or disclosure – A class of transactions, account balance or disclosure for which there is one or more relevant assertions.

(l)         Significant risk – An identified risk of material misstatement: (Ref: Para. A10)

(i)          For which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur; or

(ii)        That is to be treated as a significant risk in accordance with the requirements of other ASAs.[12]

[12]    See ASA 240, paragraph 28 and ASA 550 Related Parties, paragraph 18.

(m)       System of internal control – The system designed, implemented and maintained by those charged with governance, management and other personnel, to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.  For the purposes of the ASAs, the system of internal control consists of five inter-related components:

(i)          Control environment;

(ii)        The entity’s risk assessment process;

(iii)       The entity’s process to monitor the system of internal control;

(iv)       The information system and communication; and

(v)        Control activities.

Requirements

Risk Assessment Procedures and Related Activities

13.        The auditor shall design and perform risk assessment procedures to obtain audit evidence that provides an appropriate basis for: (Ref: Para. A11–A18)

(a)        The identification and assessment of risks of material misstatement, whether due to fraud or error, at the financial report and assertion levels; and

(b)        The design of further audit procedures in accordance with ASA 330.

The auditor shall design and perform risk assessment procedures in a manner that is not biased towards obtaining audit evidence that may be corroborative or towards excluding audit evidence that may be contradictory.  (Ref: Para. A14)

14.        The risk assessment procedures shall include the following: (Ref: Para. A19–A21)

(a)        Enquiries of management and of other appropriate individuals within the entity, including individuals within the internal audit function (if the function exists).  (Ref: Para. A22–A26)

(b)        Analytical procedures.  (Ref: Para. A27–A31)

(c)        Observation and inspection.  (Ref: Para. A32–A36)

Information from Other Sources

15.        In obtaining audit evidence in accordance with paragraph 13, the auditor shall consider information from: (Ref: Para. A37‒A38)

(a)        The auditor’s procedures regarding acceptance or continuance of the client relationship or the audit engagement; and

(b)        When applicable, other engagements performed by the engagement partner for the entity.

16.        When the auditor intends to use information obtained from the auditor’s previous experience with the entity and from audit procedures performed in previous audits, the auditor shall evaluate whether such information remains relevant and reliable as audit evidence for the current audit.  (Ref: Para. A39‒A41)

Engagement Team Discussion

17.        The engagement partner and other key engagement team members shall discuss the application of the applicable financial reporting framework and the susceptibility of the entity’s financial report to material misstatement.  (Ref: Para. A42–A47)

18.        When there are engagement team members not involved in the engagement team discussion, the engagement partner shall determine which matters are to be communicated to those members.

Obtaining an Understanding of the Entity and Its Environment, the Applicable Financial Reporting Framework and the Entity’s System of Internal Control (Ref: Para. A48‒A49)

Understanding the Entity and Its Environment, and the Applicable Financial Reporting Framework (Ref: Para. A50‒A55)

19.        The auditor shall perform risk assessment procedures to obtain an understanding of:

(a)        The following aspects of the entity and its environment:

(i)          The entity’s organisational structure, ownership and governance, and its business model, including the extent to which the business model integrates the use of IT; (Ref: Para. A56‒A67)

(ii)        Industry, regulatory and other external factors; (Ref: Para. A68‒A73) and

(iii)       The measures used, internally and externally, to assess the entity’s financial performance; (Ref: Para. A74‒A81)

(b)        The applicable financial reporting framework, and the entity’s accounting policies and the reasons for any changes thereto; (Ref: Para. A82‒A84) and

(c)        How inherent risk factors affect susceptibility of assertions to misstatement and the degree to which they do so, in the preparation of the financial report in accordance with the applicable financial reporting framework, based on the understanding obtained in (a) and (b).  (Ref: Para. A85‒A89)

20.        The auditor shall evaluate whether the entity’s accounting policies are appropriate and consistent with the applicable financial reporting framework.

Understanding the Components of the Entity’s System of Internal Control (Ref: Para. A90‒A95)

Control Environment, the Entity’s Risk Assessment Process and the Entity’s Process to Monitor the System of Internal Control (Ref: Para. A96‒A98)

Control environment

21.        The auditor shall obtain an understanding of the control environment relevant to the preparation of the financial report, through performing risk assessment procedures, by: (Ref: Para. A99–A100)

(a)        Understanding the set of controls, processes and structures that address: (Ref: Para. A101‒A102)

(i)          How management’s oversight responsibilities are carried out, such as the entity’s culture and management’s commitment to integrity and ethical values;

(ii)        When those charged with governance are separate from management, the independence of, and oversight over the entity’s system of internal control by, those charged with governance;

(iii)       The entity’s assignment of authority and responsibility;

(iv)       How the entity attracts, develops, and retains competent individuals; and

(v)        How the entity holds individuals accountable for their responsibilities in the pursuit of the objectives of the system of internal control;

and

(b)        Evaluating whether: (Ref: Para. A103‒A108)

(i)          Management, with the oversight of those charged with governance, has created and maintained a culture of honesty and ethical behaviour;

(ii)        The control environment provides an appropriate foundation for the other components of the entity’s system of internal control considering the nature and complexity of the entity; and

(iii)       Control deficiencies identified in the control environment undermine the other components of the entity’s system of internal control.

The entity’s risk assessment process

22.        The auditor shall obtain an understanding of the entity’s risk assessment process relevant to the preparation of the financial report, through performing risk assessment procedures, by:

(a)        Understanding the entity’s process for: (Ref: Para. A109‒A110)

(i)           Identifying business risks relevant to financial reporting objectives; (Ref: Para. A62)

(ii)        Assessing the significance of those risks, including the likelihood of their occurrence; and

(iii)       Addressing those risks;

and

(b)        Evaluating whether the entity’s risk assessment process is appropriate to the entity’s circumstances considering the nature and complexity of the entity.  (Ref: Para. A111‒A113)

23.        If the auditor identifies risks of material misstatement that management failed to identify, the auditor shall:

(a)        Determine whether any such risks are of a kind that the auditor expects would have been identified by the entity’s risk assessment process and, if so, obtain an understanding of why the entity’s risk assessment process failed to identify such risks of material misstatement; and

(b)        Consider the implications for the auditor’s evaluation in paragraph 22(b).

The entity’s process to monitor the system of internal control

24.        The auditor shall obtain an understanding of the entity’s process for monitoring the system of internal control relevant to the preparation of the financial report, through performing risk assessment procedures, by: (Ref: Para. A114–A115)

(a)        Understanding those aspects of the entity’s process that address:

(i)          Ongoing and separate evaluations for monitoring the effectiveness of controls, and the identification and remediation of control deficiencies identified; (Ref: Para. A116‒A117) and

(ii)          The entity’s internal audit function, if any, including its nature, responsibilities and activities; (Ref: Para. A118)

(b)        Understanding the sources of the information used in the entity’s process to monitor the system of internal control, and the basis upon which management considers the information to be sufficiently reliable for the purpose; (Ref: Para. A119‒A120)

and

(c)        Evaluating whether the entity’s process for monitoring the system of internal control is appropriate to the entity’s circumstances considering the nature and complexity of the entity.  (Ref: Para. A121‒A122)

Information System and Communication, and Control Activities (Ref: Para. A123–A130)

The information system and communication

25.        The auditor shall obtain an understanding of the entity’s information system and communication relevant to the preparation of the financial report, through performing risk assessment procedures, by: (Ref: Para. A131)

(a)        Understanding the entity’s information processing activities, including its data and information, the resources to be used in such activities and the policies that define, for significant classes of transactions, account balances and disclosures: (Ref: Para. A132‒A143)

(i)          How information flows through the entity’s information system, including how:

a.          Transactions are initiated, and how information about them is recorded, processed, corrected as necessary, incorporated in the general ledger and reported in the financial report; and

b.          Information about events and conditions, other than transactions, is captured, processed and disclosed in the financial report;

(ii)        The accounting records, specific accounts in the financial report and other supporting records relating to the flows of information in the information system;

(iii)       The financial reporting process used to prepare the entity’s financial report, including disclosures; and

(iv)       The entity’s resources, including the IT environment, relevant to (a)(i) to (a)(iii) above;

(b)        Understanding how the entity communicates significant matters that support the preparation of the financial report and related reporting responsibilities in the information system and other components of the system of internal control: (Ref: Para. A144‒A145)

(i)          Between people within the entity, including how financial reporting roles and responsibilities are communicated;

(ii)        Between management and those charged with governance; and

(iii)       With external parties, such as those with regulatory authorities;

and

(c)        Evaluating whether the entity’s information system and communication appropriately support the preparation of the entity’s financial report in accordance with the applicable financial reporting framework. (Ref: Para. A146)

Control activities

26.        The auditor shall obtain an understanding of the control activities component, through performing risk assessment procedures, by: (Ref: Para. A147–A157)

(a)        Identifying controls that address risks of material misstatement at the assertion level in the control activities component as follows:

(i)          Controls that address a risk that is determined to be a significant risk; (Ref: Para. A158‒A159)

(ii)        Controls over journal entries, including non-standard journal entries used to record non-recurring, unusual transactions or adjustments; (Ref: Para. A160‒A161)

(iii)       Controls for which the auditor plans to test operating effectiveness in determining the nature, timing and extent of substantive testing, which shall include controls that address risks for which substantive procedures alone do not provide sufficient appropriate audit evidence; and (Ref: Para. A162‒A164)

(iv)       Other controls that the auditor considers are appropriate to enable the auditor to meet the objectives of paragraph 13 with respect to risks at the assertion level, based on the auditor’s professional judgement; (Ref: Para. A165)

(b)        Based on controls identified in (a), identifying the IT applications and the other aspects of the entity’s IT environment that are subject to risks arising from the use of IT; (Ref: Para. A166‒A172)

(c)        For such IT applications and other aspects of the IT environment identified in (b), identifying: (Ref: Para. A173‒A174)

(i)          The related risks arising from the use of IT; and

(ii)        The entity’s general IT controls that address such risks.

and

(d)        For each control identified in (a) or (c)(ii): (Ref: Para. A175‒A181)

(i)          Evaluating whether the control is designed effectively to address the risk of material misstatement at the assertion level, or effectively designed to support the operation of other controls; and

(ii)        Determining whether the control has been implemented by performing procedures in addition to enquiry of the entity’s personnel.

Control Deficiencies Within the Entity’s System of Internal Control

27.        Based on the auditor’s evaluation of each of the components of the entity’s system of internal control, the auditor shall determine whether one or more control deficiencies have been identified.  (Ref: Para. A182–A183)

Identifying and Assessing the Risks of Material Misstatement (Ref: Para. A184‒A185)

Identifying Risks of Material Misstatement

28.        The auditor shall identify the risks of material misstatement and determine whether they exist at: (Ref: Para. A186–A192)

(a)        The financial report level; (Ref: Para. A193–A200) or

(b)        The assertion level for classes of transactions, account balances and disclosures.  (Ref: Para. A201)

29.        The auditor shall determine the relevant assertions and the related significant classes of transactions, account balances and disclosures.  (Ref: Para. A202–A204)

Assessing Risks of Material Misstatement at the Financial Report Level

30.        For identified risks of material misstatement at the financial report level, the auditor shall assess the risks and: (Ref: Para. A193–A200)

(a)        Determine whether such risks affect the assessment of risks at the assertion level; and

(b)        Evaluate the nature and extent of their pervasive effect on the financial report.

Assessing Risks of Material Misstatement at the Assertion Level

Assessing Inherent Risk (Ref: Para. A205–A217)

31.        For identified risks of material misstatement at the assertion level, the auditor shall assess inherent risk by assessing the likelihood and magnitude of misstatement.  In doing so, the auditor shall take into account how, and the degree to which:

(a)        Inherent risk factors affect the susceptibility of relevant assertions to misstatement; and

(b)        The risks of material misstatement at the financial report level affect the assessment of inherent risk for risks of material misstatement at the assertion level.  (Ref: Para. A215‒A216)

32.        The auditor shall determine whether any of the assessed risks of material misstatement are significant risks.  (Ref: Para. A218–A221)

33.        The auditor shall determine whether substantive procedures alone cannot provide sufficient appropriate audit evidence for any of the risks of material misstatement at the assertion level.  (Ref: Para. A222–A225)

Assessing Control Risk

34.        If the auditor plans to test the operating effectiveness of controls, the auditor shall assess control risk.  If the auditor does not plan to test the operating effectiveness of controls, the auditor’s assessment of control risk shall be such that the assessment of the risk of material misstatement is the same as the assessment of inherent risk.  (Ref: Para. A226–A229)

Evaluating the Audit Evidence Obtained from the Risk Assessment Procedures

35.        The auditor shall evaluate whether the audit evidence obtained from the risk assessment procedures provides an appropriate basis for the identification and assessment of the risks of material misstatement.  If not, the auditor shall perform additional risk assessment procedures until audit evidence has been obtained to provide such a basis.  In identifying and assessing the risks of material misstatement, the auditor shall take into account all audit evidence obtained from the risk assessment procedures, whether corroborative or contradictory to assertions made by management.  (Ref: Para. A230–A232)

Classes of Transactions, Account Balances and Disclosures that Are Not Significant, but Which Are Material

36.        For material classes of transactions, account balances or disclosures that have not been determined to be significant classes of transactions, account balances or disclosures, the auditor shall evaluate whether the auditor’s determination remains appropriate.  (Ref: Para. A233–A235)

Revision of Risk Assessment

37.        If the auditor obtains new information which is inconsistent with the audit evidence on which the auditor originally based the identification or assessments of the risks of material misstatement, the auditor shall revise the identification or assessment.  (Ref: Para. A236)

Documentation

38.        The auditor shall include in the audit documentation:[13] (Ref: Para. A237–A241)

    [13]    See ASA 230, Audit Documentation, paragraphs 8–11, and A6–A7.

(a)        The discussion among the engagement team and the significant decisions reached;

(b)        Key elements of the auditor’s understanding in accordance with paragraphs 19, 21, 22, 24 and 25; the sources of information from which the auditor’s understanding was obtained; and the risk assessment procedures performed;

(c)        The evaluation of the design of identified controls, and determination whether such controls have been implemented, in accordance with the requirements in paragraph 26; and

(d)        The identified and assessed risks of material misstatement at the financial report level and at the assertion level, including significant risks and risks for which substantive procedures alone cannot provide sufficient appropriate audit evidence, and the rationale for the significant judgements made.

* * *

Application and Other Explanatory Material

Definitions (Ref: Para. 12)

Assertions (Ref: Para. 12(a))

A1.Categories of assertions are used by auditors to consider the different types of potential misstatements that may occur when identifying, assessing and responding to the risks of material misstatement. Examples of these categories of assertions are described in paragraph A190. The assertions differ from the written representations required by ASA 580,[14] to confirm certain matters or support other audit evidence.

[14]    See ASA 580 Written Representations.

Controls (Ref: Para. 12(c))

A2.Controls are embedded within the components of the entity’s system of internal control.

A3.Policies are implemented through the actions of personnel within the entity, or through the restraint of personnel from taking actions that would conflict with such policies.

A4.Procedures may be mandated, through formal documentation or other communication by management or those charged with governance, or may result from behaviours that are not mandated but are rather conditioned by the entity’s culture. Procedures may be enforced through the actions permitted by the IT applications used by the entity or other aspects of the entity’s IT environment.

A5.Controls may be direct or indirect. Direct controls are controls that are precise enough to address risks of material misstatement at the assertion level. Indirect controls are controls that support direct controls.

Information Processing Controls (Ref: Para. 12(e))

A6.Risks to the integrity of information arise from susceptibility to ineffective implementation of the entity’s information policies, which are policies that define the information flows, records and reporting processes in the entity’s information system. Information processing controls are procedures that support effective implementation of the entity’s information policies. Information processing controls may be automated (i.e., embedded in IT applications) or manual (e.g., input or output controls) and may rely on other controls, including other information processing controls or general IT controls.

Inherent Risk Factors (Ref: Para. 12(f))

Appendix 2 sets out further considerations relating to understanding inherent risk factors.

A7.Inherent risk factors may be qualitative or quantitative and affect the susceptibility of assertions to misstatement. Qualitative inherent risk factors relating to the preparation of information required by the applicable financial reporting framework include:

·Complexity;

·Subjectivity;

·Change;

·Uncertainty; or

·Susceptibility to misstatement due to management bias or other fraud risk factors insofar as they affect inherent risk.

A8.Other inherent risk factors, that affect susceptibility to misstatement of an assertion about a class of transactions, account balance or disclosure may include:

·The quantitative or qualitative significance of the class of transactions, account balance or disclosure; or

·The volume or a lack of uniformity in the composition of the items to be processed through the class of transactions or account balance, or to be reflected in the disclosure.

Relevant Assertions (Ref: Para. 12(h))

A9.A risk of material misstatement may relate to more than one assertion, in which case all the assertions to which such a risk relates are relevant assertions. If an assertion does not have an identified risk of material misstatement, then it is not a relevant assertion.

Significant Risk (Ref: Para. 12(l))

A10.Significance can be described as the relative importance of a matter, and is judged by the auditor in the context in which the matter is being considered. For inherent risk, significance may be considered in the context of how, and the degree to which, inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur.

Risk Assessment Procedures and Related Activities (Ref: Para. 13–18)

A11.The risks of material misstatement to be identified and assessed include both those due to fraud and those due to error, and both are covered by this ASA.  However, the significance of fraud is such that further requirements and guidance are included in ASA 240 in relation to risk assessment procedures and related activities to obtain information that is used to identify and assess the risks of material misstatement due to fraud.[15] In addition, the following ASAs provide further requirements and guidance on identifying and assessing risks of material misstatement regarding specific matters or circumstances:

[15]    See ASA 240, paragraphs 17–28.

·ASA 540[16] in regard to accounting estimates;

[16]    See ASA 540 Auditing Accounting Estimates and Related Disclosures.

·ASA 550* in regard to related party relationships and transactions;

·ASA 570[17] in regard to going concern; and

[17]    See ASA 570 Going Concern.

·ASA 600[18] in regard to group financial report. 

[18]    See ASA 600 Special Considerations—Audits of a Group Financial Report.

A12.Professional scepticism is necessary for the critical assessment of audit evidence gathered when performing the risk assessment procedures, and assists the auditor in remaining alert to audit evidence that is not biased towards corroborating the existence of risks or that may be contradictory to the existence of risks. Professional scepticism is an attitude that is applied by the auditor when making professional judgements that then provides the basis for the auditor’s actions. The auditor applies professional judgement in determining when the auditor has audit evidence that provides an appropriate basis for risk assessment.

A13.The application of professional scepticism by the auditor may include:

·Questioning contradictory information and the reliability of documents;

·Considering responses to enquiries and other information obtained from management and those charged with governance;

·Being alert to conditions that may indicate possible misstatement due to fraud or error; and

·Considering whether audit evidence obtained supports the auditor’s identification and assessment of the risks of material misstatement in light of the entity’s nature and circumstances.

Why Obtaining Audit Evidence in an Unbiased Manner Is Important (Ref: Para. 13)

A14.Designing and performing risk assessment procedures to obtain audit evidence to support the identification and assessment of the risks of material misstatement in an unbiased manner may assist the auditor in identifying potentially contradictory information, which may assist the auditor in exercising professional scepticism in identifying and assessing the risks of material misstatement. 

Sources of Audit Evidence (Ref: Para. 13)

A15.Designing and performing risk assessment procedures to obtain audit evidence in an unbiased manner may involve obtaining evidence from multiple sources within and outside the entity.  However, the auditor is not required to perform an exhaustive search to identify all possible sources of audit evidence.  In addition to information from other sources[19], sources of information for risk assessment procedures may include:

[19]    See paragraphs A37 and A38.

·Interactions with management, those charged with governance, and other key entity personnel, such as internal auditors. 

·Certain external parties such as regulators, whether obtained directly or indirectly.

·Publicly available information about the entity, for example entity-issued press releases, materials for analysts or investor group meetings, analysts’ reports or information about trading activity. 

Regardless of the source of information, the auditor considers the relevance and reliability of the information to be used as audit evidence in accordance with ASA 500.[20]

[20]    See ASA 500 Audit Evidence, paragraph 7.

Scalability (Ref: Para. 13)

A16.The nature and extent of risk assessment procedures will vary based on the nature and circumstances of the entity (e.g., the formality of the entity’s policies and procedures, and processes and systems).  The auditor uses professional judgement to determine the nature and extent of the risk assessment procedures to be performed to meet the requirements of this ASA. 

A17.Although the extent to which an entity’s policies and procedures, and processes and systems are formalised may vary, the auditor is still required to obtain the understanding in accordance with paragraphs 19, 21, 22, 24, 25 and 26.

Examples:

Some entities, including less complex entities, and particularly owner-managed entities, may not have established structured processes and systems (e.g., a risk assessment process or a process to monitor the system of internal control) or may have established processes or systems with limited documentation or a lack of consistency in how they are undertaken.  When such systems and processes lack formality, the auditor may still be able to perform risk assessment procedures through observation and enquiry. 

Other entities, typically more complex entities, are expected to have more formalised and documented policies and procedures.  The auditor may use such documentation in performing risk assessment procedures.

A18.The nature and extent of risk assessment procedures to be performed the first time an engagement is undertaken may be more extensive than procedures for a recurring engagement.  In subsequent periods, the auditor may focus on changes that have occurred since the preceding period.

Types of Risk Assessment Procedures (Ref: Para. 14)

A19.ASA 500[21] explains the types of audit procedures that may be performed in obtaining audit evidence from risk assessment procedures and further audit procedures.  The nature, timing and extent of the audit procedures may be affected by the fact that some of the accounting data and other evidence may only be available in electronic form or only at certain points in time.[22] The auditor may perform substantive procedures or tests of controls, in accordance with ASA 330, concurrently with risk assessment procedures, when it is efficient to do so.  Audit evidence obtained that supports the identification and assessment of risks of material misstatement may also support the detection of misstatements at the assertion level or the evaluation of the operating effectiveness of controls.

[21]    See ASA 500, paragraphs A14–A17 and A21–A25.

[22]    See ASA 500, paragraph A16.

A20.Although the auditor is required to perform all the risk assessment procedures described in paragraph 14 in the course of obtaining the required understanding of the entity and its environment, the applicable financial reporting framework, and the entity’s system of internal control (see paragraphs 19–26), the auditor is not required to perform all of them for each aspect of that understanding.  Other procedures may be performed when the information to be obtained may be helpful in identifying risks of material misstatement.  Examples of such procedures may include making enquiries of the entity’s external legal counsel or external supervisors, or of valuation experts that the entity has used.

Automated Tools and Techniques (Ref: Para. 14)

A21.Using automated tools and techniques, the auditor may perform risk assessment procedures on large volumes of data (from the general ledger, sub-ledgers or other operational data) including for analysis, recalculations, reperformance or reconciliations. 

Enquiries of Management and Others within the Entity (Ref: Para. 14(a))

Why Enquiries Are Made of Management and Others Within the Entity

A22.Information obtained by the auditor to support an appropriate basis for the identification and assessment of risks, and the design of further audit procedures, may be obtained through enquiries of management and those responsible for financial reporting.

A23.Enquiries of management and those responsible for financial reporting and of other appropriate individuals within the entity and other employees with different levels of authority may offer the auditor varying perspectives when identifying and assessing risks of material misstatement.

Examples:

·           Enquiries directed towards those charged with governance may help the auditor understand the extent of oversight by those charged with governance over the preparation of the financial report by management.  ASA 260[23] identifies the importance of effective two-way communication in assisting the auditor to obtain information from those charged with governance in this regard.

·           Enquiries of employees responsible for initiating, processing or recording complex or unusual transactions may help the auditor to evaluate the appropriateness of the selection and application of certain accounting policies.

·           Enquiries directed towards in-house legal counsel may provide information about such matters as litigation, compliance with laws and regulations, knowledge of fraud or suspected fraud affecting the entity, warranties, post-sales obligations, arrangements (such as joint ventures) with business partners, and the meaning of contractual terms.

·           Enquiries directed towards marketing or sales personnel may provide information about changes in the entity’s marketing strategies, sales trends, or contractual arrangements with its customers.

·           Enquiries directed towards the risk management function (or enquiries of those performing such roles) may provide information about operational and regulatory risks that may affect financial reporting. 

·           Enquiries directed towards IT personnel may provide information about system changes, system or control failures, or other IT-related risks.

[23]    See ASA 260 Communication with Those Charged with Governance, paragraph 4(b).

Considerations Specific to Public Sector Entities

A24.When making enquiries of those who may have information that is likely to assist in identifying risks of material misstatement, auditors of public sector entities may obtain information from additional sources such as from the auditors that are involved in performance or other audits related to the entity.

Enquiries of the Internal Audit Function

Appendix 4 sets out considerations for understanding an entity’s internal audit function. 

Why enquiries are made of the internal audit function (if the function exists)

A25.If an entity has an internal audit function, enquiries of the appropriate individuals within the function may assist the auditor in understanding the entity and its environment, and the entity’s system of internal control, in the identification and assessment of risks. 

Considerations specific to public sector entities

A26.Auditors of public sector entities often have additional responsibilities with regard to internal control and compliance with applicable laws and regulations.  Enquiries of appropriate individuals in the internal audit function may assist the auditors in identifying the risk of material non-compliance with applicable laws and regulations, and the risk of control deficiencies related to financial reporting.

Analytical Procedures (Ref: Para. 14(b))

Why Analytical Procedures Are Performed as a Risk Assessment Procedure

A27.Analytical procedures help identify inconsistencies, unusual transactions or events, and amounts, ratios, and trends that indicate matters that may have audit implications.  Unusual or unexpected relationships that are identified may assist the auditor in identifying risks of material misstatement, especially risks of material misstatement due to fraud. 

A28.Analytical procedures performed as risk assessment procedures may therefore assist in identifying and assessing the risks of material misstatement by identifying aspects of the entity of which the auditor was unaware or understanding how inherent risk factors, such as change, affect susceptibility of assertions to misstatement. 

Types of Analytical Procedures

A29.Analytical procedures performed as risk assessment procedures may:

·Include both financial and non-financial information, for example, the relationship between sales and square footage of selling space or volume of goods sold (non-financial).

·Use data aggregated at a high level.  Accordingly, the results of those analytical procedures may provide a broad initial indication about the likelihood of a material misstatement.

Example:

In the audit of many entities, including those with less complex business models and processes, and a less complex information system, the auditor may perform a simple comparison of information, such as the change in interim or monthly account balances from balances in prior periods, to obtain an indication of potentially higher risk areas.

A30.This ASA deals with the auditor’s use of analytical procedures as risk assessment procedures.  ASA 520[24] deals with the auditor's use of analytical procedures as substantive procedures (“substantive analytical procedures”) and the auditor’s responsibility to perform analytical procedures near the end of the audit.  Accordingly, analytical procedures performed as risk assessment procedures are not required to be performed in accordance with the requirements of ASA 520.  However, the requirements and application material in ASA 520 may provide useful guidance to the auditor when performing analytical procedures as part of the risk assessment procedures.

[24]    See ASA 520 Analytical Procedures.

Automated tools and techniques

A31.Analytical procedures can be performed using a number of tools or techniques, which may be automated.  Applying automated analytical procedures to the data may be referred to as data analytics. 

Example:

The auditor may use a spreadsheet to perform a comparison of actual recorded amounts to budgeted amounts, or may perform a more advanced procedure by extracting data from the entity’s information system, and further analysing this data using visualization techniques to identify classes of transactions, account balances or disclosures for which further specific risk assessment procedures may be warranted.
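The comparison described in the example above (actual against budget, and current balances against prior-period balances, as also mentioned in the example under paragraph A29) can be run as a small automated procedure of the kind paragraph A21 refers to. The following is an added illustration, not material from the standard or the AUASB: the ledger amounts, account names and the 10 per cent / 25,000 thresholds are constructed for the example, and the flagging rule (both a relative and an absolute threshold must be breached) is a common design choice rather than a requirement of any ASA.

```python
from dataclasses import dataclass

# Constructed sample data (not from the standard): year-to-date amounts per
# account for the prior period, the current-year budget, and the current
# period's recorded amounts.
LEDGER = {
    "4000 Revenue":         {"prior": 1_200_000, "budget": 1_260_000, "actual": 1_510_000},
    "5000 Cost of sales":   {"prior":   720_000, "budget":   756_000, "actual":   760_000},
    "6100 Payroll":         {"prior":   300_000, "budget":   315_000, "actual":   318_000},
    "6200 Consulting fees": {"prior":    20_000, "budget":    22_000, "actual":    95_000},
    "1200 Receivables":     {"prior":   150_000, "budget":   160_000, "actual":   290_000},
}


@dataclass(frozen=True)
class Flag:
    account: str
    basis: str        # which expectation was breached: "prior" or "budget"
    expected: float
    actual: float
    pct_change: float


def pct_change(expected: float, actual: float) -> float:
    """Relative movement of actual against an expectation. A zero expectation
    with a non-zero actual is treated as an infinite movement rather than a
    division error, so a newly used account is still surfaced."""
    if expected == 0:
        return float("inf") if actual else 0.0
    return (actual - expected) / abs(expected)


def flag_unusual_movements(ledger, threshold_pct=0.10, threshold_abs=25_000):
    """Compare each account's actual amount to prior period and budget and
    flag movements that exceed BOTH a relative and an absolute threshold
    (assumed thresholds), so that small accounts with large swings and large
    accounts with small swings are not all flagged indiscriminately."""
    flags = []
    for account, amounts in ledger.items():
        actual = amounts["actual"]
        for basis in ("prior", "budget"):
            expected = amounts[basis]
            pc = pct_change(expected, actual)
            if abs(pc) >= threshold_pct and abs(actual - expected) >= threshold_abs:
                flags.append(Flag(account, basis, expected, actual, pc))
    # Largest relative movements first, so the outliers are at the top.
    return sorted(flags, key=lambda f: abs(f.pct_change), reverse=True)


def gross_margin(ledger, period: str) -> float:
    """Relationship between two accounts: (revenue - cost of sales) / revenue."""
    revenue = ledger["4000 Revenue"][period]
    cogs = ledger["5000 Cost of sales"][period]
    return (revenue - cogs) / revenue


def receivables_to_revenue(ledger, period: str) -> float:
    """Receivables relative to revenue; a jump may point at cut-off or collectability questions."""
    return ledger["1200 Receivables"][period] / ledger["4000 Revenue"][period]


def summarise(ledger):
    """Accounts flagged on any basis, plus the movement in two ratios."""
    flags = flag_unusual_movements(ledger)
    return {
        "flagged_accounts": sorted({f.account for f in flags}),
        "gross_margin_prior": round(gross_margin(ledger, "prior"), 4),
        "gross_margin_actual": round(gross_margin(ledger, "actual"), 4),
        "receivables_to_revenue_prior": round(receivables_to_revenue(ledger, "prior"), 4),
        "receivables_to_revenue_actual": round(receivables_to_revenue(ledger, "actual"), 4),
    }


if __name__ == "__main__":
    for f in flag_unusual_movements(LEDGER):
        print(f"{f.account:22s} vs {f.basis:6s} {f.expected:>12,.0f} -> "
              f"{f.actual:>12,.0f} ({f.pct_change:+.1%})")
    print(summarise(LEDGER))
```

On the constructed data the procedure flags revenue, consulting fees and receivables, while cost of sales and payroll move within expectation. The ratio movements add the second kind of indication paragraph A29 describes: revenue rose about 26 per cent but cost of sales barely moved, so gross margin jumps from 40 per cent to roughly 50 per cent, and receivables grew far faster than revenue. None of this is a misstatement; it is the "broad initial indication" of where further specific risk assessment procedures may be warranted.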

Observation and Inspection (Ref: Para. 14(c))

Why Observation and Inspection Are Performed as Risk Assessment Procedures

A32.Observation and inspection may support, corroborate or contradict enquiries of management and others, and may also provide information about the entity and its environment.

Scalability

A33.Where policies or procedures are not documented, or the entity has less formalised controls, the auditor may still be able to obtain some audit evidence to support the identification and assessment of the risks of material misstatement through observation or inspection of the performance of the control. 

Examples:

·           The auditor may obtain an understanding of controls over an inventory count, even if they have not been documented by the entity, through direct observation. 

·           The auditor may be able to observe segregation of duties.

·           The auditor may be able to observe passwords being entered.

Observation and Inspection as Risk Assessment Procedures

A34.Risk assessment procedures may include observation or inspection of the following:

·The entity’s operations.

·Internal documents (such as business plans and strategies), records, and internal control manuals.

·Reports prepared by management (such as quarterly management reports and interim financial reports) and those charged with governance (such as minutes of board of directors’ meetings). 

·The entity’s premises and plant facilities. 

·Information obtained from external sources such as trade and economic journals; reports by analysts, banks, or rating agencies; regulatory or financial publications; or other external documents about the entity’s financial performance (such as those referred to in paragraph A79).

·The behaviours and actions of management or those charged with governance (such as the observation of an audit committee meeting).

Automated tools and techniques

A35.Automated tools or techniques may also be used to observe or inspect, in particular assets, for example through the use of remote observation tools (e.g., a drone).

Considerations Specific to Public Sector Entities

A36.Risk assessment procedures performed by auditors of public sector entities may also include observation and inspection of documents prepared by management for the legislature, for example documents related to mandatory performance reporting.

Information from Other Sources (Ref: Para. 15)

Why the Auditor Considers Information from Other Sources

A37.Information obtained from other sources may be relevant to the identification and assessment of the risks of material misstatement by providing information and insights about:

·The nature of the entity and its business risks, and what may have changed from previous periods.

·The integrity and ethical values of management and those charged with governance, which may also be relevant to the auditor’s understanding of the control environment.

·The applicable financial reporting framework and its application to the nature and circumstances of the entity.

Other Relevant Sources

A38.Other relevant sources of information include:

·The auditor’s procedures regarding acceptance or continuance of the client relationship or the audit engagement in accordance with ASA 220, including the conclusions reached thereon.[25]

[25]    See ASA 220 Quality Management for an Audit of a Financial Report and Other Historical Financial Information, paragraphs 22–24.

·Other engagements performed for the entity by the engagement partner.  The engagement partner may have obtained knowledge relevant to the audit, including about the entity and its environment, when performing other engagements for the entity.  Such engagements may include agreed-upon procedures engagements or other audit or assurance engagements, including engagements to address incremental reporting requirements in the jurisdiction.

Information from the Auditor’s Previous Experience with the Entity and Previous Audits (Ref: Para. 16)

Why information from previous audits is important to the current audit

A39.The auditor’s previous experience with the entity and from audit procedures performed in previous audits may provide the auditor with information that is relevant to the auditor’s determination of the nature and extent of risk assessment procedures, and the identification and assessment of risks of material misstatement. 

Nature of the Information from Previous Audits

A40.The auditor’s previous experience with the entity and audit procedures performed in previous audits may provide the auditor with information about such matters as:

·Past misstatements and whether they were corrected on a timely basis.

·The nature of the entity and its environment, and the entity’s system of internal control (including control deficiencies). 

·Significant changes that the entity or its operations may have undergone since the prior financial period.

·Those particular types of transactions and other events or account balances (and related disclosures) where the auditor experienced difficulty in performing the necessary audit procedures, for example, due to their complexity.

A41.The auditor is required to determine whether information obtained from the auditor’s previous experience with the entity and from audit procedures performed in previous audits remains relevant and reliable, if the auditor intends to use that information for the purposes of the current audit.  If the nature or circumstances of the entity have changed, or new information has been obtained, the information from prior periods may no longer be relevant or reliable for the current audit.  To determine whether changes have occurred that may affect the relevance or reliability of such information, the auditor may make enquiries and perform other appropriate audit procedures, such as walk-throughs of relevant systems.  If the information is not reliable, the auditor may consider performing additional procedures that are appropriate in the circumstances.

Engagement Team Discussion (Ref: Para. 17–18)

Why the Engagement Team Is Required to Discuss the Application of the Applicable Financial Reporting Framework and the Susceptibility of the Entity’s Financial Report to Material Misstatement

A42.The discussion among the engagement team about the application of the applicable financial reporting framework and the susceptibility of the entity’s financial report to material misstatement:

·Provides an opportunity for more experienced engagement team members, including the engagement partner, to share their insights based on their knowledge of the entity.  Sharing information contributes to an enhanced understanding by all engagement team members. 

·Allows the engagement team members to exchange information about the business risks to which the entity is subject, how inherent risk factors may affect the susceptibility to misstatement of classes of transactions, account balances and disclosures, and about how and where the financial report might be susceptible to material misstatement due to fraud or error. 

·Assists the engagement team members to gain a better understanding of the potential for material misstatement of the financial report in the specific areas assigned to them, and to understand how the results of the audit procedures that they perform may affect other aspects of the audit, including the decisions about the nature, timing and extent of further audit procedures.  In particular, the discussion assists engagement team members in further considering contradictory information based on each member’s own understanding of the nature and circumstances of the entity. 

·Provides a basis upon which engagement team members communicate and share new information obtained throughout the audit that may affect the assessment of risks of material misstatement or the audit procedures performed to address these risks.

ASA 240 requires the engagement team discussion to place particular emphasis on how and where the entity’s financial report may be susceptible to material misstatement due to fraud, including how fraud may occur.[26]

[26]    See ASA 240, paragraph 16.

A43.Professional scepticism is necessary for the critical assessment of audit evidence, and a robust and open engagement team discussion, including for recurring audits, may lead to improved identification and assessment of the risks of material misstatement.  Another outcome from the discussion may be that the auditor identifies specific areas of the audit for which exercising professional scepticism may be particularly important, and may lead to the involvement of more experienced members of the engagement team who are appropriately skilled to be involved in the performance of audit procedures related to those areas.

Scalability

A44.When the engagement is carried out by a single individual, such as a sole practitioner (i.e., where an engagement team discussion would not be possible), consideration of the matters referred to in paragraphs A42 and A46 nonetheless may assist the auditor in identifying where there may be risks of material misstatement. 

A45.When an engagement is carried out by a large engagement team, such as for an audit of a group financial report, it is not always necessary or practical for the discussion to include all members in a single discussion (for example, in a multi-location audit), nor is it necessary for all the members of the engagement team to be informed of all the decisions reached in the discussion.  The engagement partner may discuss matters with key members of the engagement team including, if considered appropriate, those with specific skills or knowledge, and those responsible for the audits of components, while delegating discussion with others, taking into account the extent of communication considered necessary throughout the engagement team.  A communications plan, agreed by the engagement partner, may be useful.

Discussion of Disclosures in the Applicable Financial Reporting Framework

A46.As part of the discussion among the engagement team, consideration of the disclosure requirements of the applicable financial reporting framework assists in identifying early in the audit where there may be risks of material misstatement in relation to disclosures, even in circumstances where the applicable financial reporting framework only requires simplified disclosures.  Matters the engagement team may discuss include:

·Changes in financial reporting requirements that may result in significant new or revised disclosures;

·Changes in the entity’s environment, financial condition or activities that may result in significant new or revised disclosures, for example, a significant business combination in the period under audit;

·Disclosures for which obtaining sufficient appropriate audit evidence may have been difficult in the past; and

·Disclosures about complex matters, including those involving significant management judgement as to what information to disclose.

Considerations Specific to Public Sector Entities

A47.As part of the discussion among the engagement team by auditors of public sector entities, consideration may also be given to any additional broader objectives, and related risks, arising from the audit mandate or obligations for public sector entities. 

Obtaining an Understanding of the Entity and Its Environment, the Applicable Financial Reporting Framework and the Entity’s System of Internal Control (Ref: Para. 19‒27)

Appendices 1 through 6 set out further considerations relating to obtaining an understanding of the entity and its environment, the applicable financial reporting framework and the entity’s system of internal control.

Obtaining the Required Understanding (Ref: Para. 19‒27)

A48.Obtaining an understanding of the entity and its environment, the applicable financial reporting framework and the entity’s system of internal control is a dynamic and iterative process of gathering, updating and analysing information and continues throughout the audit.  Therefore, the auditor’s expectations may change as new information is obtained.

A49.The auditor’s understanding of the entity and its environment and the applicable financial reporting framework may also assist the auditor in developing initial expectations about the classes of transactions, account balances and disclosures that may be significant classes of transactions, account balances and disclosures.  These expected significant classes of transactions, account balances and disclosures form the basis for the scope of the auditor’s understanding of the entity’s information system. 

Why an Understanding of the Entity and Its Environment, and the Applicable Financial Reporting Framework Is Required (Ref: Para. 19‒20)

A50.The auditor’s understanding of the entity and its environment, and the applicable financial reporting framework, assists the auditor in understanding the events and conditions that are relevant to the entity, and in identifying how inherent risk factors affect the susceptibility of assertions to misstatement in the preparation of the financial report, in accordance with the applicable financial reporting framework, and the degree to which they do so.  Such information establishes a frame of reference within which the auditor identifies and assesses risks of material misstatement.  This frame of reference also assists the auditor in planning the audit and exercising professional judgement and professional scepticism throughout the audit, for example, when:

·Identifying and assessing risks of material misstatement of the financial report in accordance with ASA 315 or other relevant standards (e.g., relating to risks of fraud in accordance with ASA 240 or when identifying or assessing risks related to accounting estimates in accordance with ASA 540);

·Performing procedures to help identify instances of non-compliance with laws and regulations that may have a material effect on the financial report in accordance with ASA 250;[27]

[27]    See ASA 250 Consideration of Laws and Regulations in an Audit of a Financial Report, paragraph 14.

·Evaluating whether the financial report provides adequate disclosures in accordance with ASA 700;[28]

[28]    See ASA 700 Forming an Opinion and Reporting on a Financial Report, paragraph 13(e).

·Determining materiality or performance materiality in accordance with ASA 320;[29] or

[29]    See ASA 320 Materiality in Planning and Performing an Audit, paragraphs 10‒11.

·Considering the appropriateness of the selection and application of accounting policies, and the adequacy of financial report disclosures.

A51.The auditor’s understanding of the entity and its environment, and the applicable financial reporting framework, also informs how the auditor plans and performs further audit procedures, for example, when:

·Developing expectations for use when performing analytical procedures in accordance with ASA 520;[30]

[30]    See ASA 520, paragraph 5.

·Designing and performing further audit procedures to obtain sufficient appropriate audit evidence in accordance with ASA 330; and

·Evaluating the sufficiency and appropriateness of audit evidence obtained (e.g., relating to assumptions or management’s oral and written representations).

Scalability

A52.The nature and extent of the required understanding is a matter of the auditor’s professional judgement and varies from entity to entity based on the nature and circumstances of the entity, including:

·The size and complexity of the entity, including its IT environment;

·The auditor’s previous experience with the entity;

·The nature of the entity’s systems and processes, including whether they are formalised or not; and

·The nature and form of the entity’s documentation.

A53.The auditor’s risk assessment procedures to obtain the required understanding may be less extensive in audits of less complex entities and more extensive for entities that are more complex.  The depth of the understanding that is required by the auditor is expected to be less than that possessed by management in managing the entity.

A54.Some financial reporting frameworks allow smaller entities to provide simpler and less detailed disclosures in the financial report.  However, this does not relieve the auditor of the responsibility to obtain an understanding of the entity and its environment and the applicable financial reporting framework as it applies to the entity.

A55.The entity’s use of IT and the nature and extent of changes in the IT environment may also affect the specialised skills that are needed to assist with obtaining the required understanding. 

The Entity and Its Environment (Ref: Para. 19(a))

The Entity’s Organisational Structure, Ownership and Governance, and Business Model (Ref: Para. 19(a)(i))

The entity’s organisational structure and ownership

A56.An understanding of the entity’s organisational structure and ownership may enable the auditor to understand such matters as:

·The complexity of the entity’s structure. 

Example:

The entity may be a single entity or the entity’s structure may include subsidiaries, divisions or other components in multiple locations.  Further, the legal structure may be different from the operating structure.  Complex structures often introduce factors that may give rise to increased susceptibility to risks of material misstatement.  Such issues may include whether goodwill, joint ventures, investments, or special-purpose entities are accounted for appropriately and whether adequate disclosure of such issues in the financial report has been made.

·The ownership, and relationships between owners and other people or entities, including related parties.  This understanding may assist in determining whether related party transactions have been appropriately identified, accounted for, and adequately disclosed in the financial report.[31]

[31]    ASA 550 establishes requirements and provides guidance on the auditor’s considerations relevant to related parties.

·The distinction between the owners, those charged with governance and management. 

Example:

In less complex entities, owners of the entity may be involved in managing the entity, therefore there is little or no distinction.  In contrast, such as in some listed entities, there may be a clear distinction between management, the owners of the entity, and those charged with governance.[32]

[32]    ASA 260, paragraphs A1 and A2, provide guidance on the identification of those charged with governance and explain that in some cases, some or all of those charged with governance may be involved in managing the entity.

·The structure and complexity of the entity’s IT environment. 

Examples:

An entity may:

·           Have multiple legacy IT systems in diverse businesses that are not well integrated resulting in a complex IT environment. 

·           Be using external or internal service providers for aspects of its IT environment (e.g., outsourcing the hosting of its IT environment to a third party or using a shared service centre for central management of IT processes in a group).

Automated tools and techniques

A57.The auditor may use automated tools and techniques to understand flows of transactions and processing as part of the auditor’s procedures to understand the information system.  An outcome of these procedures may be that the auditor obtains information about the entity’s organisational structure or those with whom the entity conducts business (e.g., vendors, customers, related parties). 

Considerations specific to public sector entities

A58.Ownership of a public sector entity may not have the same relevance as in the private sector because decisions related to the entity may be made outside of the entity as a result of political processes.  Therefore, management may not have control over certain decisions that are made.  Matters that may be relevant include understanding the ability of the entity to make unilateral decisions, and the ability of other public sector entities to control or influence the entity’s mandate and strategic direction. 

Example:

A public sector entity may be subject to laws or other directives from authorities that require it to obtain approval from parties external to the entity of its strategy and objectives prior to it implementing them.  Therefore, matters related to understanding the legal structure of the entity may include applicable laws and regulations, and the classification of the entity (i.e., whether the entity is a ministry, department, agency or other type of entity).

Governance

Why the auditor obtains an understanding of governance

A59.Understanding the entity’s governance may assist the auditor with understanding the entity’s ability to provide appropriate oversight of its system of internal control.  However, this understanding may also provide evidence of deficiencies, which may indicate an increase in the susceptibility of the entity’s financial report to risks of material misstatement. 

Understanding the entity’s governance

A60.Matters that may be relevant for the auditor to consider in obtaining an understanding of the governance of the entity include:

·Whether any or all of those charged with governance are involved in managing the entity. 

·The existence (and separation) of a non-executive Board, if any, from executive management. 

·Whether those charged with governance hold positions that are an integral part of the entity’s legal structure, for example as directors. 

·The existence of sub-groups of those charged with governance, such as an audit committee, and the responsibilities of such a group. 

·The responsibilities of those charged with governance for oversight of financial reporting, including approval of the financial report.

The Entity’s Business Model

Appendix 1 sets out additional considerations for obtaining an understanding of the entity and its business model, as well as additional considerations for auditing special purpose entities.

Why the auditor obtains an understanding of the entity’s business model

A61.Understanding the entity’s objectives, strategy and business model helps the auditor to understand the entity at a strategic level, and to understand the business risks the entity takes and faces.  An understanding of the business risks that have an effect on the financial report assists the auditor in identifying risks of material misstatement, since most business risks will eventually have financial consequences and, therefore, an effect on the financial report.

Examples:

An entity’s business model may rely on the use of IT in different ways:

·           The entity sells shoes from a physical store, and uses an advanced stock and point of sale system to record the selling of shoes; or

·           The entity sells shoes online so that all sales transactions are processed in an IT environment, including initiation of the transactions through a website.

For both of these entities the business risks arising from such significantly different business models would be substantially different, notwithstanding that both entities sell shoes.

Understanding the entity’s business model

A62.Not all aspects of the business model are relevant to the auditor’s understanding.  Business risks are broader than the risks of material misstatement of the financial report, although business risks include the latter.  The auditor does not have a responsibility to understand or identify all business risks because not all business risks give rise to risks of material misstatement. 

A63.Business risks increasing the susceptibility to risks of material misstatement may arise from:

·Inappropriate objectives or strategies, ineffective execution of strategies, or change or complexity.

·A failure to recognise the need for change may also give rise to business risk, for example, from:

oThe development of new products or services that may fail;

oA market which, even if successfully developed, is inadequate to support a product or service; or

oFlaws in a product or service that may result in legal liability and reputational risk. 

·Incentives and pressures on management, which may result in intentional or unintentional management bias, and therefore affect the reasonableness of significant assumptions and the expectations of management or those charged with governance.

A64.Examples of matters that the auditor may consider when obtaining an understanding of the entity’s business model, objectives, strategies and related business risks that may result in a risk of material misstatement of the financial report include:

·Industry developments, such as the lack of personnel or expertise to deal with the changes in the industry;

·New products and services that may lead to increased product liability;

·Expansion of the entity’s business where demand has not been accurately estimated;

·New accounting requirements where there has been incomplete or improper implementation;

·Regulatory requirements resulting in increased legal exposure;

·Current and prospective financing requirements, such as loss of financing due to the entity’s inability to meet requirements;

·Use of IT, such as the implementation of a new IT system that will affect both operations and financial reporting; or

·The effects of implementing a strategy, particularly any effects that will lead to new accounting requirements. 

A65.Ordinarily, management identifies business risks and develops approaches to address them.  Such a risk assessment process is part of the entity’s system of internal control and is discussed in paragraph 22, and paragraphs A109–A113.

Considerations specific to public sector entities

A66.Entities operating in the public sector may create and deliver value in different ways to those creating wealth for owners but will still have a ‘business model’ with a specific objective.  Matters public sector auditors may obtain an understanding of that are relevant to the business model of the entity, include:

·Knowledge of relevant government activities, including related programs.

·Program objectives and strategies, including public policy elements.

A67.For the audits of public sector entities, “management objectives” may be influenced by requirements to demonstrate public accountability and may include objectives which have their source in law, regulation or other authority. 

Industry, Regulatory and Other External Factors (Ref: Para. 19(a)(ii))

Industry factors

A68.Relevant industry factors include industry conditions such as the competitive environment, supplier and customer relationships, and technological developments.  Matters the auditor may consider include:

·The market and competition, including demand, capacity, and price competition.

·Cyclical or seasonal activity.

·Product technology relating to the entity’s products.

·Energy supply and cost.

A69.The industry in which the entity operates may give rise to specific risks of material misstatement arising from the nature of the business or the degree of regulation. 

Example:

In the construction industry, long-term contracts may involve significant estimates of revenues and expenses that give rise to risks of material misstatement.  In such cases, it is important that the engagement team include members with the appropriate competence and capabilities.[33]

[33]    See ASA 220, paragraphs 25‒28.

Regulatory factors

A70.Relevant regulatory factors include the regulatory environment.  The regulatory environment encompasses, among other matters, the applicable financial reporting framework and the legal and political environment and any changes thereto.  Matters the auditor may consider include:

·Regulatory framework for a regulated industry, for example, prudential requirements, including related disclosures. 

·Legislation and regulation that significantly affect the entity’s operations, for example, labour laws and regulations.

·Taxation legislation and regulations.

·Government policies currently affecting the conduct of the entity’s business, such as monetary policy (including foreign exchange controls), fiscal policy, financial incentives (for example, government aid programs), and tariffs or trade restriction policies.

·Environmental requirements affecting the industry and the entity’s business.

A71.ASA 250 includes some specific requirements related to the legal and regulatory framework applicable to the entity and the industry or sector in which the entity operates.[34]

[34]    See ASA 250, paragraph 13.

Considerations specific to public sector entities

A72.For the audits of public sector entities, there may be particular laws or regulations that affect the entity’s operations.  Such elements may be an essential consideration when obtaining an understanding of the entity and its environment. 

Other external factors

A73.Other external factors affecting the entity that the auditor may consider include the general economic conditions, interest rates and availability of financing, and inflation or currency revaluation. 

Measures Used by Management to Assess the Entity’s Financial Performance (Ref: Para. 19(a)(iii))

Why the auditor understands measures used by management

A74.An understanding of the entity’s measures assists the auditor in considering whether such measures, whether used externally or internally, create pressures on the entity to achieve performance targets.  These pressures may motivate management to take actions that increase the susceptibility to misstatement due to management bias or fraud (e.g., to improve the business performance or to intentionally misstate the financial report) (see ASA 240 for requirements and guidance in relation to the risks of fraud).

A75.Measures may also indicate to the auditor the likelihood of risks of material misstatement of related financial report information.  For example, performance measures may indicate that the entity has unusually rapid growth or profitability when compared to that of other entities in the same industry.

Measures used by management

A76.Management and others ordinarily measure and review those matters they regard as important.  Enquiries of management may reveal that it relies on certain key indicators, whether publicly available or not, for evaluating financial performance and taking action.  In such cases, the auditor may identify relevant performance measures, whether internal or external, by considering the information that the entity uses to manage its business.  If such enquiry indicates an absence of performance measurement or review, there may be an increased risk of misstatements not being detected and corrected.

A77.Key indicators used for evaluating financial performance may include:

·Key performance indicators (financial and non-financial) and key ratios, trends and operating statistics.

·Period-on-period financial performance analyses.

·Budgets, forecasts, variance analyses, segment information and divisional, departmental or other level performance reports.

·Employee performance measures and incentive compensation policies.

·Comparisons of an entity’s performance with that of competitors.

Scalability (Ref: Para. 19(a)(iii))

A78.The procedures undertaken to understand the entity’s measures may vary depending on the size or complexity of the entity, as well as the involvement of owners or those charged with governance in the management of the entity.

Examples:

·           For some less complex entities, the terms of the entity’s bank borrowings (i.e., bank covenants) may be linked to specific performance measures related to the entity’s performance or financial position (e.g., a maximum working capital amount).  The auditor’s understanding of the performance measures used by the bank may help identify areas where there is increased susceptibility to the risk of material misstatement. 

·           For some entities whose nature and circumstances are more complex, such as those operating in the insurance or banking industries, performance or financial position may be measured against regulatory requirements (e.g., regulatory ratio requirements such as capital adequacy and liquidity ratio performance hurdles).  The auditor’s understanding of these performance measures may help identify areas where there is increased susceptibility to the risk of material misstatement.

Other considerations

A79.External parties may also review and analyse the entity’s financial performance, in particular for entities where financial information is publicly available.  The auditor may also consider publicly available information to help the auditor further understand the business or identify contradictory information such as information from:

·Analysts or credit agencies. 

·News and other media, including social media.

·Taxation authorities.

·Regulators.

·Trade unions.

·Providers of finance.

Such financial information can often be obtained from the entity being audited.

A80.The measurement and review of financial performance is not the same as the monitoring of the system of internal control (discussed as a component of the system of internal control in paragraphs A114–A122), though their purposes may overlap:

·The measurement and review of performance is directed at whether business performance is meeting the objectives set by management (or third parties).

·In contrast, monitoring of the system of internal control is concerned with monitoring the effectiveness of controls including those related to management’s measurement and review of financial performance. 

In some cases, however, performance indicators also provide information that enables management to identify control deficiencies. 

Considerations specific to public sector entities

A81.In addition to considering relevant measures used by a public sector entity to assess the entity’s financial performance, auditors of public sector entities may also consider non-financial information such as achievement of public benefit outcomes (for example, the number of people assisted by a specific program).

The Applicable Financial Reporting Framework (Ref: Para. 19(b))

Understanding the Applicable Financial Reporting Framework and the Entity’s Accounting Policies

A82.Matters that the auditor may consider when obtaining an understanding of the entity’s applicable financial reporting framework, and how it applies in the context of the nature and circumstances of the entity and its environment include: 

·The entity’s financial reporting practices in terms of the applicable financial reporting framework, such as:

oAccounting principles and industry-specific practices, including for industry-specific significant classes of transactions, account balances and related disclosures in the financial report (for example, loans and investments for banks, or research and development for pharmaceuticals).

oRevenue recognition.

oAccounting for financial instruments, including related credit losses.

oForeign currency assets, liabilities and transactions.

oAccounting for unusual or complex transactions including those in controversial or emerging areas (for example, accounting for cryptocurrency).

·An understanding of the entity’s selection and application of accounting policies, including any changes thereto as well as the reasons therefor, may encompass such matters as:

oThe methods the entity uses to recognise, measure, present and disclose significant and unusual transactions. 

oThe effect of significant accounting policies in controversial or emerging areas for which there is a lack of authoritative guidance or consensus.

oChanges in the environment, such as changes in the applicable financial reporting framework or tax reforms that may necessitate a change in the entity’s accounting policies.

oFinancial reporting standards and laws and regulations that are new to the entity and when and how the entity will adopt, or comply with, such requirements.

A83.Obtaining an understanding of the entity and its environment may assist the auditor in considering where changes in the entity’s financial reporting (e.g., from prior periods) may be expected. 

Example:

If the entity has had a significant business combination during the period, the auditor would likely expect changes in classes of transactions, account balances and disclosures associated with that business combination.  Alternatively, if there were no significant changes in the financial reporting framework during the period the auditor’s understanding may help confirm that the understanding obtained in the prior period remains applicable. 

Considerations specific to public sector entities

A84.The applicable financial reporting framework in a public sector entity is determined by the legislative and regulatory frameworks relevant to each jurisdiction or within each geographical area.  Matters that may be considered in the entity’s application of the applicable financial reporting requirements, and how it applies in the context of the nature and circumstances of the entity and its environment, include whether the entity applies a full accrual basis of accounting or a cash basis of accounting in accordance with the International Public Sector Accounting Standards, or a hybrid.

How Inherent Risk Factors Affect Susceptibility of Assertions to Misstatement (Ref: Para. 19(c))

Appendix 2 provides examples of events and conditions that may give rise to the existence of risks of material misstatement, categorised by inherent risk factor.

Why the auditor understands inherent risk factors when understanding the entity and its environment and the applicable financial reporting framework

A85.Understanding the entity and its environment, and the applicable financial reporting framework, assists the auditor in identifying events or conditions, the characteristics of which may affect the susceptibility of assertions about classes of transactions, account balances or disclosures to misstatement.  These characteristics are inherent risk factors.  Inherent risk factors may affect susceptibility of assertions to misstatement by influencing the likelihood of occurrence of a misstatement or the magnitude of the misstatement if it were to occur.  Understanding how inherent risk factors affect the susceptibility of assertions to misstatement may assist the auditor with a preliminary understanding of the likelihood or magnitude of misstatements, which assists the auditor in identifying risks of material misstatement at the assertion level in accordance with paragraph 28(b).  Understanding the degree to which inherent risk factors affect susceptibility of assertions to misstatement also assists the auditor in assessing the likelihood and magnitude of a possible misstatement when assessing inherent risk in accordance with paragraph 31(a).  Accordingly, understanding the inherent risk factors may also assist the auditor in designing and performing further audit procedures in accordance with ASA 330.

A86.The auditor’s identification of risks of material misstatement at the assertion level and assessment of inherent risk may also be influenced by audit evidence obtained by the auditor in performing other risk assessment procedures, further audit procedures or in fulfilling other requirements in the ASAs (see paragraphs A95, A103, A111, A121, A124 and A151).

The effect of inherent risk factors on a class of transactions, account balance or disclosure

A87. The extent of susceptibility to misstatement of a class of transactions, account balance or disclosure arising from complexity or subjectivity is often closely related to the extent to which it is subject to change or uncertainty.

Example:

If the entity has an accounting estimate that is based on assumptions, the selection of which are subject to significant judgement, the measurement of the accounting estimate is likely to be affected by both subjectivity and uncertainty.

A88. The greater the extent to which a class of transactions, account balance or disclosure is susceptible to misstatement because of complexity or subjectivity, the greater the need for the auditor to apply professional scepticism.  Further, when a class of transactions, account balance or disclosure is susceptible to misstatement because of complexity, subjectivity, change or uncertainty, these inherent risk factors may create opportunity for management bias, whether unintentional or intentional, and affect susceptibility to misstatement due to management bias.  The auditor’s identification of risks of material misstatement, and assessment of inherent risk at the assertion level, are also affected by the interrelationships among inherent risk factors.

A89. Events or conditions that may affect susceptibility to misstatement due to management bias may also affect susceptibility to misstatement due to other fraud risk factors.  Accordingly, this may be relevant information for use in accordance with paragraph 24 of ASA 240, which requires the auditor to evaluate whether the information obtained from the other risk assessment procedures and related activities indicates that one or more fraud risk factors are present.

Obtaining an Understanding of the Entity’s System of Internal Control (Ref: Para. 21‒27)

Appendix 3 further describes the nature of the entity’s system of internal control and the inherent limitations of internal control.  Appendix 3 also provides further explanation of the components of a system of internal control for the purposes of the ASAs.

Examples of typical characteristics of each type of IT application:

| Matter | Non-complex commercial software | Mid-size and moderately complex commercial software or IT applications | Large or complex IT applications (e.g., ERP systems) |
|---|---|---|---|
| Matters related to extent of automation and use of data: | | | |
| The extent of automated procedures for processing, and the complexity of those procedures, including whether there is highly automated, paperless processing. | N/A | N/A | Extensive and often complex automated procedures |
| The extent of the entity’s reliance on system-generated reports in the processing of information. | Simple automated report logic | Simple relevant automated report logic | Complex automated report logic; Report-writer software |
| How data is input (i.e., manual input, customer or vendor input, or file load). | Manual data inputs | Small number of data inputs or simple interfaces | Large number of data inputs or complex interfaces |
| How IT facilitates communication between applications, databases or other aspects of the IT environment, internally and externally, as appropriate, through system interfaces. | No automated interfaces (manual inputs only) | Small number of data inputs or simple interfaces | Large number of data inputs or complex interfaces |
| The volume and complexity of data in digital form being processed by the information system, including whether accounting records or other information are stored in digital form and the location of stored data. | Low volume of data or simple data that is able to be verified manually; Data available locally | Low volume of data or simple data | Large volume of data or complex data; Data warehouses;[76] Use of internal or external IT service providers (e.g., third-party storage or hosting of data) |
| Matters related to the IT applications and IT infrastructure: | | | |
| The type of application (e.g., a commercial application with little or no customisation, or a highly-customised or highly-integrated application that may have been purchased and customised, or developed in-house). | Purchased application with little or no customisation | Purchased application or simple legacy or low-end ERP applications with little or no customisation | Custom developed applications or more complex ERPs with significant customisation |
| The complexity of the nature of the IT applications and the underlying IT infrastructure. | Small, simple laptop or client server-based solution | Mature and stable mainframe, small or simple client server, software as a service cloud | Complex mainframe, large or complex client server, web-facing, infrastructure as a service cloud |
| Whether there is third-party hosting or outsourcing of IT. | If outsourced, competent, mature, proven provider (e.g., cloud provider) | If outsourced, competent, mature, proven provider (e.g., cloud provider) | Competent, mature, proven provider for certain applications and new or start-up provider for others |
| Whether the entity is using emerging technologies that affect its financial reporting. | No use of emerging technologies | Limited use of emerging technologies in some applications | Mixed use of emerging technologies across platforms |
| Matters related to IT processes: | | | |
| The personnel involved in maintaining the IT environment (the number and skill level of the IT support resources that manage security and changes to the IT environment). | Few personnel with limited IT knowledge to process vendor upgrades and manage access | Limited personnel with IT skills / dedicated to IT | Dedicated IT departments with skilled personnel, including programming skills |
| The complexity of processes to manage access rights. | Single individual with administrative access manages access rights | Few individuals with administrative access manage access rights | Complex processes managed by IT department for access rights |
| The complexity of the security over the IT environment, including vulnerability of the IT applications, databases, and other aspects of the IT environment to cyber risks, particularly when there are web-based transactions or transactions involving external interfaces. | Simple on-premise access with no external web-facing elements | Some web-based applications with primarily simple, role-based security | Multiple platforms with web-based access and complex security models |
| Whether program changes have been made to the manner in which information is processed, and the extent of such changes during the period. | Commercial software with no source code installed | Some commercial applications with no source code and other mature applications with a small number of simple changes; traditional systems development lifecycle | New or large number of complex changes, several development cycles each year |
| The extent of change within the IT environment (e.g., new aspects of the IT environment or significant changes in the IT applications or the underlying IT infrastructure). | Changes limited to version upgrades of commercial software | Changes consist of commercial software upgrades, ERP version upgrades, or legacy enhancements | New or large number of complex changes, several development cycles each year, heavy ERP customisation |
| Whether there was a major data conversion during the period and, if so, the nature and significance of the changes made, and how the conversion was undertaken. | Software upgrades provided by vendor; No data conversion features for upgrade | Minor version upgrades for commercial software applications with limited data being converted | Major version upgrade, new release, platform change |

[76]    A data warehouse is generally described as a central repository of integrated data from one or more disparate sources (such as multiple databases) from which reports may be generated or that may be used by the entity for other data analysis activities. A report-writer is an IT application that is used to extract data from one or more sources (such as a data warehouse, a database or an IT application) and present the data in a specified format.

Emerging Technologies

  1. Entities may use emerging technologies (e.g., blockchain, robotics or artificial intelligence) because such technologies may present specific opportunities to increase operational efficiencies or enhance financial reporting.  When emerging technologies are used in the entity’s information system relevant to the preparation of the financial report, the auditor may include such technologies in the identification of IT applications and other aspects of the IT environment that are subject to risks arising from the use of IT.  While emerging technologies may be seen to be more sophisticated or more complex compared to existing technologies, the auditor’s responsibilities in relation to IT applications and identified general IT controls in accordance with paragraph 26(b)‒(c) remain unchanged. 

Scalability

  1. Obtaining an understanding of the entity’s IT environment may be more easily accomplished for a less complex entity that uses commercial software and when the entity does not have access to the source code to make any program changes.  Such entities may not have dedicated IT resources but may have a person assigned in an administrator role for the purpose of granting employee access or installing vendor-provided updates to the IT applications.  Specific matters that the auditor may consider in understanding the nature of a commercial accounting software package, which may be the single IT application used by a less complex entity in its information system, may include:

· The extent to which the software is well established and has a reputation for reliability;

· The extent to which it is possible for the entity to modify the source code of the software to include additional modules (i.e., add-ons) to the base software, or to make direct changes to data;

· The nature and extent of modifications that have been made to the software.  Although an entity may not be able to modify the source code of the software, many software packages allow for configuration (e.g., setting or amending reporting parameters).  These do not usually involve modifications to source code; however, the auditor may consider the extent to which the entity is able to configure the software when considering the completeness and accuracy of information produced by the software that is used as audit evidence; and

· The extent to which data related to the preparation of the financial report can be directly accessed (i.e., direct access to the database without using the IT application) and the volume of data that is processed.  The greater the volume of data, the more likely the entity may need controls that address maintaining the integrity of the data, which may include general IT controls over unauthorised access and changes to the data.

  1. Complex IT environments may include highly-customised or highly-integrated IT applications and may therefore require more effort to understand.  Financial reporting processes or IT applications may be integrated with other IT applications.  Such integration may involve IT applications that are used in the entity’s business operations and that provide information to the IT applications relevant to the flows of transactions and information processing in the entity’s information system.  In such circumstances, certain IT applications used in the entity’s business operations may also be relevant to the preparation of the financial report.  Complex IT environments also may require dedicated IT departments that have structured IT processes supported by personnel that have software development and IT environment maintenance skills.  In other cases, an entity may use internal or external service providers to manage certain aspects of, or IT processes within, its IT environment (e.g., third-party hosting).

Identifying IT Applications that are Subject to Risks Arising from the use of IT

  1. Through understanding the nature and complexity of the entity’s IT environment, including the nature and extent of information processing controls, the auditor may determine which IT applications the entity is relying upon to accurately process and maintain the integrity of financial information.  The identification of IT applications on which the entity relies may affect the auditor’s decision to test the automated controls within such IT applications, assuming that such automated controls address identified risks of material misstatement.  Conversely, if the entity is not relying on an IT application, the automated controls within such IT application are unlikely to be appropriate or sufficiently precise for purposes of operating effectiveness tests.  Automated controls that may be identified in accordance with paragraph 26(b) may include, for example, automated calculations or input, processing and output controls, such as a three-way match of a purchase order, vendor shipping document, and vendor invoice.  When automated controls are identified by the auditor and the auditor determines through the understanding of the IT environment that the entity is relying on the IT application that includes those automated controls, it may be more likely for the auditor to identify the IT application as one that is subject to risks arising from the use of IT.

  1. In considering whether the IT applications for which the auditor has identified automated controls are subject to risks arising from the use of IT, the auditor is likely to consider whether, and the extent to which, the entity may have access to source code that enables management to make program changes to such controls or the IT applications.  The extent to which the entity makes program or configuration changes and the extent to which the IT processes over such changes are formalised may also be relevant considerations.  The auditor is also likely to consider the risk of inappropriate access or changes to data.

  1. System-generated reports that the auditor may intend to use as audit evidence may include, for example, a trade receivable aging report or an inventory valuation report.  For such reports, the auditor may obtain audit evidence about the completeness and accuracy of the reports by substantively testing the inputs and outputs of the report.  In other cases, the auditor may plan to test the operating effectiveness of the controls over the preparation and maintenance of the report, in which case the IT application from which it is produced is likely to be subject to risks arising from the use of IT.  In addition to testing the completeness and accuracy of the report, the auditor may plan to test the operating effectiveness of general IT controls that address risks related to inappropriate or unauthorised program changes to, or data changes in, the report.

  1. Some IT applications may include report-writing functionality within them while some entities may also utilize separate report-writing applications (i.e., report-writers).  In such cases, the auditor may need to determine the sources of system-generated reports (i.e., the application that prepares the report and the data sources used by the report) to determine the IT applications subject to risks arising from the use of IT. 

  1. The data sources used by IT applications may be databases that, for example, can only be accessed through the IT application or by IT personnel with database administration privileges.  In other cases, the data source may be a data warehouse that may itself be considered to be an IT application subject to risks arising from the use of IT.

  1. The auditor may have identified a risk for which substantive procedures alone are not sufficient because of the entity’s use of highly-automated and paperless processing of transactions, which may involve multiple integrated IT applications.  In such circumstances, the controls identified by the auditor are likely to include automated controls.  Further, the entity may be relying on general IT controls to maintain the integrity of the transactions processed and other information used in processing.  In such cases, the IT applications involved in the processing and the storage of the information are likely subject to risks arising from the use of IT.

End-User Computing

  1. Although audit evidence may also come in the form of system-generated output that is used in a calculation performed in an end-user computing tool (e.g., spreadsheet software or simple databases), such tools are not typically identified as IT applications in the context of paragraph 26(b).  Designing and implementing controls around access and change to end-user computing tools may be challenging, and such controls are rarely equivalent to, or as effective as, general IT controls.  Rather, the auditor may consider a combination of information processing controls, taking into account the purpose and complexity of the end-user computing involved, such as:

· Information processing controls over the initiation and processing of the source data, including relevant automated or interface controls to the point from which the data is extracted (i.e., the data warehouse);

· Controls to check that the logic is functioning as intended, for example, controls which ‘prove’ the extraction of data, such as reconciling the report to the data from which it was derived, comparing the individual data from the report to the source and vice versa, and controls which check the formulas or macros; or

· Use of validation software tools, which systematically check formulas or macros, such as spreadsheet integrity tools.
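The second bullet above describes a control that ‘proves’ an end-user computing extraction.  The following is an added example, not part of ASA 315, of how such a control could be implemented for a trade receivable ageing report prepared in a spreadsheet: the report is reconciled to the invoice data it was derived from in both directions, its control total is agreed, and its ageing formula is re-performed.  All invoices, report rows, bucket boundaries and the report date are constructed sample values.

```python
"""Added example (not part of ASA 315): a control over an end-user computing
report, here a trade receivable ageing report prepared in a spreadsheet, that
'proves' the extraction by reconciling the report to the invoice data it was
derived from in both directions and re-performing the ageing formula.
Invoices, report rows, bucket boundaries and the report date are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass(frozen=True)
class Invoice:
    """A row from the source system's open-items data (constructed)."""
    invoice_id: str
    customer: str
    amount: float
    due_date: date


@dataclass(frozen=True)
class ReportRow:
    """A row from the spreadsheet report (constructed)."""
    invoice_id: str
    customer: str
    amount: float
    bucket: str   # ageing bucket that the spreadsheet formula produced


REPORT_DATE = date(2022, 6, 30)   # assumed report date
BUCKET_LIMITS = ((30, "1-30"), (60, "31-60"), (90, "61-90"))  # days overdue -> label


def expected_bucket(due: date, as_of: date = REPORT_DATE) -> str:
    """Re-perform the ageing formula independently of the spreadsheet."""
    overdue = (as_of - due).days
    if overdue <= 0:
        return "current"
    for limit, label in BUCKET_LIMITS:
        if overdue <= limit:
            return label
    return "90+"


def reconcile(report: List[ReportRow], invoices: List[Invoice],
              tolerance: float = 0.005) -> Dict[str, list]:
    """Compare the report with its source.  Every list in the result is empty
    when the report is complete and accurate."""
    src = {i.invoice_id: i for i in invoices}
    rep = {r.invoice_id: r for r in report}
    exceptions: Dict[str, list] = {
        "missing_from_report": sorted(set(src) - set(rep)),  # source -> report
        "not_in_source": sorted(set(rep) - set(src)),        # report -> source
        "amount_mismatch": [],
        "bucket_mismatch": [],
        "total_mismatch": [],
    }
    for inv_id in sorted(set(src) & set(rep)):
        s, r = src[inv_id], rep[inv_id]
        if abs(s.amount - r.amount) > tolerance:
            exceptions["amount_mismatch"].append((inv_id, s.amount, r.amount))
        want = expected_bucket(s.due_date)
        if want != r.bucket:
            exceptions["bucket_mismatch"].append((inv_id, want, r.bucket))
    # Control total: the report footing must agree to the source ledger.
    src_total = round(sum(i.amount for i in invoices), 2)
    rep_total = round(sum(r.amount for r in report), 2)
    if abs(src_total - rep_total) > tolerance:
        exceptions["total_mismatch"].append((src_total, rep_total))
    return exceptions


def report_is_complete_and_accurate(report: List[ReportRow],
                                    invoices: List[Invoice]) -> bool:
    """True only when no check above raised an exception."""
    return not any(reconcile(report, invoices).values())


# Constructed sample data: the report has one row that is not in the source,
# one source invoice it omits, and one formula error.
INVOICES = [
    Invoice("INV-1001", "Acme Pty Ltd", 1200.00, date(2022, 6, 15)),  # 15 days overdue
    Invoice("INV-1002", "Bolt Co", 480.50, date(2022, 7, 10)),        # not yet due
    Invoice("INV-1003", "Acme Pty Ltd", 2150.00, date(2022, 3, 1)),   # 121 days overdue
    Invoice("INV-1004", "Cobb Ltd", 300.00, date(2022, 5, 20)),       # 41 days overdue
]
REPORT = [
    ReportRow("INV-1001", "Acme Pty Ltd", 1200.00, "1-30"),
    ReportRow("INV-1002", "Bolt Co", 480.50, "current"),
    ReportRow("INV-1003", "Acme Pty Ltd", 2150.00, "61-90"),   # wrong bucket
    ReportRow("INV-1005", "Dale Inc", 99.00, "current"),       # not in the source
]

if __name__ == "__main__":
    for check, items in reconcile(REPORT, INVOICES).items():
        print(f"{check:20} {items}")
```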

Scalability

  1. The entity’s ability to maintain the integrity of information stored and processed in the information system may vary based on the complexity and volume of the related transactions and other information.  The greater the complexity and volume of data that supports a significant class of transactions, account balance or disclosure, the less likely it may become for the entity to maintain integrity of that information through information processing controls alone (e.g., input and output controls or review controls).  It also becomes less likely that the auditor will be able to obtain audit evidence about the completeness and accuracy of such information through substantive testing alone when such information is used as audit evidence.  In some circumstances, when volume and complexity of transactions are lower, management may have an information processing control that is sufficient to verify the accuracy and completeness of the data (e.g., individual sales orders processed and billed may be reconciled to the hard copy originally entered into the IT application).  When the entity relies on general IT controls to maintain the integrity of certain information used by IT applications, the auditor may determine that the IT applications that maintain that information are subject to risks arising from the use of IT.

Example characteristics of an IT application that is likely not subject to risks arising from IT:

· Stand-alone applications.

· The volume of data (transactions) is not significant.

· The application’s functionality is not complex.

· Each transaction is supported by original hard copy documentation.

IT application is likely not subject to risks arising from IT because:

· The volume of data is not significant and therefore management is not relying upon general IT controls to process or maintain the data.

· Management does not rely on automated controls or other automated functionality.  The auditor has not identified automated controls in accordance with paragraph 26(a).

· Although management uses system-generated reports in their controls, it does not rely on these reports.  Instead, it reconciles the reports back to the hard copy documentation and verifies the calculations in the reports.

· The auditor will directly test information produced by the entity used as audit evidence.

Example characteristics of an IT application that is likely subject to risks arising from IT:

· Applications are interfaced.

· The volume of data (transactions) is significant.

· The application’s functionality is complex as:

o    The application automatically initiates transactions; and

o    There are a variety of complex calculations underlying automated entries.

IT application is likely subject to risks arising from IT because:

· Management relies on an application system to process or maintain data as the volume of data is significant.

· Management relies upon the application system to perform certain automated controls that the auditor has also identified.

Other Aspects of the IT Environment that Are Subject to Risks Arising from the Use of IT

  1. When the auditor identifies IT applications that are subject to risks arising from the use of IT, other aspects of the IT environment are also typically subject to risks arising from the use of IT.  The IT infrastructure includes the databases, operating system, and network.  Databases store the data used by IT applications and may consist of many interrelated data tables.  Data in databases may also be accessed directly through database management systems by IT or other personnel with database administration privileges.  The operating system is responsible for managing communications between hardware, IT applications, and other software used in the network.  As such, IT applications and databases may be directly accessed through the operating system.  A network is used in the IT infrastructure to transmit data and to share information, resources and services through a common communications link.  The network also typically establishes a layer of logical security (enabled through the operating system) for access to the underlying resources.

  1. When IT applications are identified by the auditor to be subject to risks arising from IT, the database(s) that stores the data processed by an identified IT application is typically also identified.  Similarly, because an IT application’s ability to operate is often dependent on the operating system and IT applications and databases may be directly accessed from the operating system, the operating system is typically subject to risks arising from the use of IT.  The network may be identified when it is a central point of access to the identified IT applications and related databases or when an IT application interacts with vendors or external parties through the internet, or when web-facing IT applications are identified by the auditor. 

Identifying Risks Arising from the Use of IT and General IT Controls

  1. Examples of risks arising from the use of IT include risks related to inappropriate reliance on IT applications that are inaccurately processing data, processing inaccurate data, or both, such as:

· Unauthorised access to data that may result in destruction of data or improper changes to data, including the recording of unauthorised or non-existent transactions, or inaccurate recording of transactions.  Particular risks may arise where multiple users access a common database.

· The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down segregation of duties.

· Unauthorised changes to data in master files.

· Unauthorised changes to IT applications or other aspects of the IT environment.

· Failure to make necessary changes to IT applications or other aspects of the IT environment.

· Inappropriate manual intervention.

· Potential loss of data or inability to access data as required.

  1. The auditor’s consideration of unauthorised access may include risks related to unauthorised access by internal or external parties (often referred to as cybersecurity risks).  Such risks may not necessarily affect financial reporting, as an entity’s IT environment may also include IT applications and related data that address operational or compliance needs.  It is important to note that cyber incidents usually first occur through the perimeter and internal network layers, which tend to be further removed from the IT application, database and operating systems that affect the preparation of the financial report.  Accordingly, if information about a security breach has been identified, the auditor ordinarily considers the extent to which such a breach had the potential to affect financial reporting.  If financial reporting may be affected, the auditor may decide to understand, and test the related controls to determine the possible impact or scope of potential misstatements in the financial report or may determine that the entity has provided adequate disclosures in relation to such security breach. 

  1. In addition, laws and regulations that may have a direct or indirect effect on the entity’s financial report may include data protection legislation.  Considering an entity’s compliance with such laws or regulations, in accordance with ASA 250,[77] may involve understanding the entity’s IT processes and general IT controls that the entity has implemented to address the relevant laws or regulations. 

[77]    See ASA 250.

  1. General IT controls are implemented to address risks arising from the use of IT.  Accordingly, the auditor uses the understanding obtained about the identified IT applications and other aspects of the IT environment and the applicable risks arising from the use of IT in determining the general IT controls to identify.  In some cases, an entity may use common IT processes across its IT environment or across certain IT applications, in which case common risks arising from the use of IT and common general IT controls may be identified.

  1. In general, a greater number of general IT controls related to IT applications and databases are likely to be identified than for other aspects of the IT environment.  This is because these aspects are the most closely concerned with the information processing and storage of information in the entity’s information system.  In identifying general IT controls, the auditor may consider controls over actions of both end users and of the entity’s IT personnel or IT service providers. 

  1. Appendix 6 provides further explanation of the nature of the general IT controls typically implemented for different aspects of the IT environment.  In addition, examples of general IT controls for different IT processes are provided.

Appendix 6

(Ref: Para. 25(c)(ii), A173‒A174)

Considerations for Understanding General IT Controls

This appendix provides further matters that the auditor may consider in understanding general IT controls. 

  1. The nature of the general IT controls typically implemented for each of the aspects of the IT environment:

(a) Applications

General IT controls at the IT application layer will correlate to the nature and extent of application functionality and the access paths allowed in the technology.  For example, more controls will be relevant for highly-integrated IT applications with complex security options than for a legacy IT application supporting a small number of account balances with access methods only through transactions.

(b) Database

General IT controls at the database layer typically address risks arising from the use of IT related to unauthorised updates to financial reporting information in the database through direct database access or execution of a script or program.

(c) Operating system

General IT controls at the operating system layer typically address risks arising from the use of IT related to administrative access, which can facilitate the override of other controls.  This includes actions such as compromising other users’ credentials, adding new, unauthorised users, loading malware or executing scripts or other unauthorised programs.

(d) Network

General IT controls at the network layer typically address risks arising from the use of IT related to network segmentation, remote access, and authentication.  Network controls may be relevant when an entity has web-facing applications used in financial reporting.  Network controls may also be relevant when the entity has significant business partner relationships or third-party outsourcing, which may increase data transmissions and the need for remote access.

  1. Examples of general IT controls that may exist, organised by IT process, include:

(a) Process to manage access:

o    Authentication

Controls that ensure a user accessing the IT application or other aspect of the IT environment is using the user’s own log-in credentials (i.e., the user is not using another user’s credentials).

o    Authorisation

Controls that allow users to access the information necessary for their job responsibilities and nothing further, which facilitates appropriate segregation of duties.

o    Provisioning

Controls to authorise new users and modifications to existing users’ access privileges.

o    Deprovisioning

Controls to remove user access upon termination or transfer.

o    Privileged access

Controls over administrative or powerful users’ access.

o    User access reviews

Controls to recertify or evaluate user access for ongoing authorisation over time.

o    Security configuration controls

Each technology generally has key configuration settings that help restrict access to the environment.

o    Physical access

Controls over physical access to the data centre and hardware, as such access may be used to override other controls.

(b) Process to manage program or other changes to the IT environment:

o    Change management process

Controls over the process to design, program, test and migrate changes to a production (i.e., end user) environment.

o    Segregation of duties over change migration

Controls that segregate access to make and migrate changes to a production environment.

o    Systems development or acquisition or implementation

Controls over initial IT application development or implementation (or in relation to other aspects of the IT environment).

o    Data conversion

Controls over the conversion of data during development, implementation or upgrades to the IT environment.

(c) Process to manage IT operations:

o    Job scheduling

Controls over access to schedule and initiate jobs or programs that may affect financial reporting.

o    Job monitoring

Controls to monitor financial reporting jobs or programs for successful execution.

o    Backup and recovery

Controls to ensure backups of financial reporting data occur as planned and that such data is available and able to be accessed for timely recovery in the event of an outage or attack.

o    Intrusion detection

Controls to monitor for vulnerabilities and/or intrusions in the IT environment.
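The following is an added example, not part of ASA 315, of how the process-to-manage-access controls in (a) above (provisioning, deprovisioning, privileged access, user access reviews and the segregation of duties that authorisation is meant to preserve) could be exercised in code as a periodic user access review over an application’s user/role export joined to the HR leaver list.  All users, role names, conflict rules and the mitigating-control reference are constructed assumptions.

```python
"""Added example (not part of ASA 315): a periodic user access review that
exercises the "process to manage access" controls listed above, namely
provisioning (roles match what management approved), deprovisioning
(leavers lose access), segregation-of-duties monitoring (conflicts are
removed or mapped to a documented mitigating control) and privileged
access. All users, roles, rules and control references are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class UserAccess:
    """One line of an application's user/role export joined to the HR leaver list."""
    user_id: str
    roles: FrozenSet[str]            # roles currently held in the application
    approved_roles: FrozenSet[str]   # roles management approved at provisioning
    privileged: bool = False         # holds an administrative profile
    termination_date: Optional[date] = None  # set when HR reports the user as a leaver


@dataclass(frozen=True)
class Finding:
    user_id: str
    check: str    # which access control the exception relates to
    detail: str


# Constructed SoD conflict matrix (assumed role names): a single user holding
# both roles of a pair could initiate a transaction and also conceal it.
SOD_CONFLICTS: List[FrozenSet[str]] = [
    frozenset({"vendor_master_maintain", "ap_invoice_post"}),
    frozenset({"ap_invoice_post", "payment_release"}),
    frozenset({"journal_post", "journal_approve"}),
]

# Conflicts management has accepted because a documented, tested mitigating
# control exists.  Keyed by (user, conflicting pair); value is the control reference.
MITIGATED: Dict[Tuple[str, FrozenSet[str]], str] = {
    ("u.grey", frozenset({"ap_invoice_post", "payment_release"})):
        "CTRL-AP-07 independent review of the payment run (constructed reference)",
}

AS_OF = date(2022, 6, 30)   # review date (constructed)


def review_access(users: List[UserAccess], as_of: date = AS_OF,
                  leaver_grace_days: int = 1) -> List[Finding]:
    """Run the access checks over every user and return the exceptions."""
    findings: List[Finding] = []
    for u in users:
        # Deprovisioning: a leaver whose access survived the grace period.
        if (u.termination_date is not None and u.roles
                and (as_of - u.termination_date).days > leaver_grace_days):
            findings.append(Finding(u.user_id, "terminated_user_still_has_access",
                                    ", ".join(sorted(u.roles))))
        # Provisioning: roles held that management never approved.
        unapproved = u.roles - u.approved_roles
        if unapproved:
            findings.append(Finding(u.user_id, "unapproved_roles",
                                    ", ".join(sorted(unapproved))))
        # Segregation of duties: each conflicting pair is either mitigated or an exception.
        for pair in SOD_CONFLICTS:
            if pair <= u.roles:
                label = " + ".join(sorted(pair))
                control = MITIGATED.get((u.user_id, pair))
                if control:
                    findings.append(Finding(u.user_id, "sod_conflict_mitigated",
                                            f"{label} -> {control}"))
                else:
                    findings.append(Finding(u.user_id, "sod_conflict_unmitigated", label))
        # Privileged access is recertified at every review regardless of other results.
        if u.privileged:
            findings.append(Finding(u.user_id, "privileged_access_review_required",
                                    ", ".join(sorted(u.roles))))
    return findings


def users_requiring_action(findings: List[Finding]) -> List[str]:
    """Users with at least one exception that is not already mitigated."""
    return sorted({f.user_id for f in findings if f.check != "sod_conflict_mitigated"})


# Constructed sample export.
USERS = [
    UserAccess("a.lee", frozenset({"ap_invoice_post", "vendor_master_maintain"}),
               frozenset({"ap_invoice_post"})),
    UserAccess("u.grey", frozenset({"ap_invoice_post", "payment_release"}),
               frozenset({"ap_invoice_post", "payment_release"})),
    UserAccess("m.ortiz", frozenset({"journal_post"}), frozenset({"journal_post"}),
               termination_date=date(2022, 5, 31)),
    UserAccess("sysadmin1", frozenset({"security_admin"}), frozenset({"security_admin"}),
               privileged=True),
    UserAccess("p.chan", frozenset({"journal_approve"}), frozenset({"journal_approve"})),
]

if __name__ == "__main__":
    for f in review_access(USERS):
        print(f"{f.user_id:10} {f.check:36} {f.detail}")
    print("action required:", users_requiring_action(review_access(USERS)))
```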

The table below illustrates examples of general IT controls to address examples of risks arising from the use of IT, including for different IT applications based on their nature.

| IT Process | Example Risks Arising from the Use of IT | Example General IT Controls | IT Applications: Non-complex commercial software – Applicable (yes / no) | IT Applications: Mid-size and moderately complex commercial software or IT applications – Applicable (yes / no) | IT Applications: Large or complex IT applications (e.g., ERP systems) – Applicable (yes / no) |
|---|---|---|---|---|---|
| Manage Access | User-access privileges: Users have access privileges beyond those necessary to perform their assigned duties, which may create improper segregation of duties. | Management approves the nature and extent of user-access privileges for new and modified user access, including standard application profiles/roles, critical financial reporting transactions, and segregation of duties | Yes – instead of user access reviews noted below | Yes | Yes |
| | | Access for terminated or transferred users is removed or modified in a timely manner | Yes – instead of user access reviews below | Yes | Yes |
| | | User access is periodically reviewed | Yes – instead of provisioning/deprovisioning controls above | Yes ‒ for certain applications | Yes |
| | | Segregation of duties is monitored and conflicting access is either removed or mapped to mitigating controls, which are documented and tested | N/A – no system enabled segregation | Yes ‒ for certain applications | Yes |
| | | Privileged-level access (e.g., configuration, data and security administrators) is authorised and appropriately restricted | Yes – likely at IT application layer only | Yes ‒ at IT application and certain layers of IT environment for platform | Yes ‒ at all layers of IT environment for platform |
| Manage Access | Direct data access: Inappropriate changes are made directly to financial data through means other than application transactions. | Access to application data files or database objects/tables/data is limited to authorised personnel, based on their job responsibilities and assigned role, and such access is approved by management | N/A | Yes ‒ for certain applications and databases | Yes |
| Manage Access | System settings: Systems are not adequately configured or updated to restrict system access to properly authorised and appropriate users. | Access is authenticated through unique user IDs and passwords or other methods as a mechanism for validating that users are authorised to gain access to the system.  Password parameters meet company or industry standards (e.g., password minimum length and complexity, expiration, account lockout) | Yes – password authentication only | Yes – mix of password and multi-factor authentication | Yes |
| | | The key attributes of the security configuration are appropriately implemented | N/A – no technical security configurations exist | Yes ‒ for certain applications and databases | Yes |

Manage Change

Application changes: Inappropriate changes are made to application systems or programs that contain relevant automated controls (i.e., configurable settings, automated algorithms, automated calculations, and automated data extraction) or report logic.

Application changes are appropriately tested and approved before being moved into the production environment

N/A ‒ would verify no source code installed

Yes ‒ for non-commercial software

Yes

Access to implement changes into the application production environment is appropriately restricted and segregated from the development environment

N/A

Yes for non-commercial software

Yes

Manage Change

Database changes: Inappropriate changes are made to the database structure and relationships between the data.

Database changes are appropriately tested and approved before being moved into the production environment

N/A – no database changes made at entity

Yes ‒ for non-commercial software

Yes

Manage Change

System software changes: Inappropriate changes are made to system software (e.g., operating system, network, change-management software, access-control software).

System software changes are appropriately tested and approved before being moved to production

N/A – no system software changes are made at entity

Yes

Yes

Manage Change

Data conversion: Data converted from legacy systems or previous versions introduces data errors if the conversion transfers incomplete, redundant, obsolete, or inaccurate data. 

Management approves the results of the conversion of data (e.g., balancing and reconciliation activities) from the old application system or data structure to the new application system or data structure and monitors that the conversion is performed in accordance with established conversion policies and procedures

N/A – Addressed through manual controls

Yes

Yes

IT Operations

Network: The network does not adequately prevent unauthorised users from gaining inappropriate access to information systems.

Access is authenticated through unique user IDs and passwords or other methods as a mechanism for validating that users are authorised to gain access to the system.  Password parameters meet company or professional policies and standards (e.g., password minimum length and complexity, expiration, account lockout)

N/A – no separate network authentication method exists

Yes

Yes

Network is architected to segment web-facing applications from the internal network, where ICFR relevant applications are accessed

N/A – no network segmentation employed

Yes ‒ with judgement

Yes ‒ with judgement

On a periodic basis, vulnerability scans of the network perimeter are performed by the network management team, which also investigates potential vulnerabilities

N/A

Yes ‒ with judgement

Yes ‒ with judgement

On a periodic basis, alerts are generated to provide notification of threats identified by the intrusion detection systems.  These threats are investigated by the network management team

N/A

Yes ‒ with judgement

Yes ‒ with judgement

Controls are implemented to restrict Virtual Private Network (VPN) access to authorised and appropriate users

N/A – no VPN

Yes ‒ with judgement

Yes ‒ with judgement

IT Operations

Data backup and recovery: Financial data cannot be recovered or accessed in a timely manner when there is a loss of data. 

Financial data is backed up on a regular basis according to an established schedule and frequency

N/A – relying on manual backups by finance team

Yes

Yes

IT Operations

Job scheduling: Production systems, programs, or jobs result in inaccurate, incomplete, or unauthorised processing of data.

Only authorised users have access to update the batch jobs (including interface jobs) in the job scheduling software

N/A – no batch jobs

Yes ‒ for certain applications

Yes

Critical systems, programs, or jobs are monitored, and processing errors are corrected to ensure successful completion.

N/A – no job monitoring

Yes ‒ for certain applications

Yes
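The Manage Access rows of the table (timely removal of access for terminated users, periodic user access review, monitoring of segregation of duties with documented mitigating controls, and restriction of privileged-level access) describe one control activity that is commonly performed as a single reconciliation. The script below is an added illustration, not part of ASA 315 or any AUASB material: it reconciles a constructed application user extract against a constructed HR roster and a constructed segregation-of-duties conflict matrix and produces the exception list such a review would raise. All user ids, role names, conflict pairs and the mitigating-control register are hypothetical.

```python
"""Periodic user access review over constructed extracts.

Added example (not part of ASA 315). Exceptions raised:
  * an active application account with no HR record;
  * an account whose HR status is terminated but whose access remains;
  * a user holding both roles of a conflicting pair with no documented,
    tested mitigating control recorded against that user and pair;
  * a user holding a privileged role (listed so the reviewer can confirm
    it was authorised and is appropriately restricted).
"""
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed HR roster: user id -> (status, termination date or None)
HR_ROSTER: Dict[str, Tuple[str, Optional[date]]] = {
    "alice": ("active", None),
    "bob": ("terminated", date(2022, 2, 28)),
    "carol": ("active", None),
    "dave": ("active", None),
}

# Constructed application user extract: user id -> set of assigned roles
APP_USERS: Dict[str, Set[str]] = {
    "alice": {"AP_INVOICE_ENTRY"},
    "bob": {"GL_POSTING"},                              # terminated, still active
    "carol": {"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"},  # conflict, but mitigated
    "dave": {"SECURITY_ADMIN", "GL_POSTING"},           # conflict and privileged
    "erin": {"AP_INVOICE_ENTRY"},                       # no HR record
}

# Constructed segregation-of-duties matrix: role pairs one user must not hold together
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}),
    frozenset({"GL_POSTING", "SECURITY_ADMIN"}),
}
PRIVILEGED_ROLES: Set[str] = {"SECURITY_ADMIN"}

# Constructed register of documented and tested mitigating controls: (user, pair)
MITIGATED: Set[Tuple[str, FrozenSet[str]]] = {
    ("carol", frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"})),
}

REVIEW_DATE = date(2022, 3, 31)  # constructed review date


def access_review(app_users, hr_roster, conflicts, privileged, mitigated, review_date):
    """Return (user, finding) pairs in user order; an empty list means no exceptions."""
    findings: List[Tuple[str, str]] = []
    ordered_conflicts = sorted(conflicts, key=lambda pair: sorted(pair))
    for user, roles in sorted(app_users.items()):
        hr = hr_roster.get(user)
        if hr is None:
            findings.append((user, "no HR record for active account"))
        elif hr[0] == "terminated":
            days = (review_date - hr[1]).days
            findings.append((user, f"terminated {days} days ago, access not removed"))
        for pair in ordered_conflicts:
            if pair <= roles and (user, pair) not in mitigated:
                findings.append((user, "SoD conflict: " + " + ".join(sorted(pair))))
        for role in sorted(roles & privileged):
            findings.append((user, f"privileged role {role} requires authorisation"))
    return findings


def run_review() -> List[Tuple[str, str]]:
    """Run the review over the constructed extracts above."""
    return access_review(APP_USERS, HR_ROSTER, SOD_CONFLICTS,
                         PRIVILEGED_ROLES, MITIGATED, REVIEW_DATE)


if __name__ == "__main__":
    for user, finding in run_review():
        print(f"{user}: {finding}")
```

Carol's conflicting pair produces no exception because a mitigating control is recorded for it; the table's wording ("mapped to mitigating controls, which are documented and tested") is why the register, not just the conflict matrix, is an input to the review. A real review would read the extracts from the identity store, the HR system and the application itself, and the reviewer would still have to confirm that each privileged account listed is authorised.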


*     See ASA 550 Related Parties.
