ISA 315 (Revised), Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment
Entity's risk assessment process
-Auditors should assess whether the entity has a process to identify the business risks relevant to financial reporting objectives, estimate their significance, assess the likelihood of their occurrence, and decide on actions to address them.
-If auditors have identified such risks, they should evaluate why the risk assessment process failed to identify them, determine whether there is a significant deficiency in internal control in identifying the risks, and discuss the matter with the management.
Control activities relevant to the audit
-Auditors should obtain a sufficient understanding of control activities relevant to the audit in order to assess the risks of material misstatement at the assertion level, and to design further audit procedures to respond to those risks.
-Control activities, such as proper authorisation of transactions and activities, performance reviews, information processing, physical control over assets and records, and segregation of duties, are policies and procedures that address risks and help ensure that management directives are carried out.
Objectives in establishing internal controls
-Generally speaking, internal control systems are designed, implemented and maintained by the management and personnel in order to provide reasonable assurance to fulfil the objectives - that is, reliability of financial reporting, efficiency and effectiveness of operations, compliance with laws and regulations and risk assessment of material misstatement.
-In order to identify the types of potential misstatements and to determine the nature, timing and extent of audit testing, auditors should obtain an understanding of relevant internal controls, evaluate the design of the controls, and ascertain whether the controls are implemented and maintained properly.
Monitoring of controls
-In addition, auditors should obtain an understanding of the major types of activities that the entity uses to monitor internal controls relevant to financial reporting and how the entity initiates corrective actions to its controls.
-For instance, auditors should obtain an understanding of the sources and reliability of the information that the entity uses in monitoring the activities. Sources of information include internal auditor reports and reports from regulators.
ISA 315 - revision
-One of the major revisions of ISA 315 relates to the inquiries made by external auditors of the internal audit function since internal auditors have better knowledge and understanding of the organisation and its internal control.
Inquiries of the internal audit function
-With ISA 315 (Revised), external auditors are now required to make inquiries of the internal audit function to identify and assess risks of material misstatement. Auditors may refer to the management's responses to the identified deficiencies in internal controls and determine whether the management has taken appropriate actions to tackle the problems properly.
-Besides inquiries of the internal audit function, auditors may collect audit evidence about the control environment through observation of how the employees perform their duties, inspection of documents, and analytical procedures. After obtaining the audit evidence about the control environment, auditors may then assess the risks of material misstatement.
5 Components of Internal Control
1. Control Environment
2. Risk Assessment
3. Information System and Communication
4. Control Activities
5. Monitoring
The major components of internal control include the control environment, the entity's risk assessment process, the information system (including the related business processes) relevant to financial reporting and communication, control activities relevant to the audit, and monitoring of controls.
3) Participation by those charged with governance
An entity's control consciousness is influenced significantly by those charged with governance; therefore, their independence from management, experience and stature, extent of their involvement, as well as the appropriateness of their actions are extremely important.
The information system, including the relevant business processes, relevant to financial reporting and communication
Auditors should also obtain an understanding of the information system, including the related business processes, relevant to financial reporting, including the following areas:
-The classes of transactions in the entity's operations that are significant to the financial statements.
-The procedures by which transactions are initiated, recorded, processed, corrected as necessary, transferred to the general ledger and reported in the financial statements.
-How the information system captures events and conditions that are significant to the financial statements.
-The financial reporting process used to prepare the entity's financial statements.
-Controls surrounding journal entries.
-How the entity communicates financial reporting roles, responsibilities and significant matters to those charged with governance and external regulatory authorities.
Limitations of internal control systems
Effective internal control systems can only provide reasonable, not absolute, assurance to achieve the entity's financial reporting objective due to the inherent limitations of internal control - for example, management override of internal controls. Therefore, auditors should identify and assess the risks of material misstatement at the financial statement level and assertion level for classes of transactions, account balances and disclosures.
7) Human resources policies and practices
Human resources policies and practices generally refer to recruitment, orientation, training, evaluation, counselling, promotion, compensation and remedial actions. For example, an entity should establish policies to recruit individuals based on their educational background, previous work experience, and other relevant attributes. Next, classroom and on-the-job training should be provided to the newly recruited staff. Appropriate training is also available to existing staff to keep them up to date. Performance evaluation should be conducted periodically to review staff performance and to give staff comments and feedback on how to improve, further develop their potential and be promoted to the next level by accepting more responsibilities and, in turn, receiving competitive compensation and benefits.
1) Communication and enforcement of integrity and ethical values
It is important for the management to create and maintain an honest, legal and ethical culture, and to communicate the entity's ethical and behavioural standards to its employees through policy statements, codes of conduct, etc.
2) Commitment to competence
It is important that the management recruits competent staff who possess the required knowledge and skills at a competent level to accomplish tasks.
4) Management's philosophy and operating style
Management's philosophy and operating style consist of a broad range of characteristics, such as management's attitude in responding to business risks, financial reporting, information processing, and accounting functions and personnel, etc. For example, are the targeted earnings realistic? Does the management apply an aggressive approach where alternative accounting principles or estimates are available? Management's philosophy and operating style give auditors a picture of the management's attitude towards internal control.
Control environment
The control environment consists of the governance and management functions and the attitudes, awareness and actions of the management about the internal control. Auditors may obtain an understanding of the control environment through the following elements.
1) Communication and enforcement of integrity and ethical values
2) Commitment to competence
3) Participation by those charged with governance
4) Management's philosophy and operating style
5) Organisational structure
6) Assignment of authority and responsibility
7) Human resources policies and practices