Auditing Theory Review Notes (AT-3) Page 1 of 13: Industry Conditions

ACCTG 163 – AUDITING THEORY (AT-3) -helpful in identifying the existence of unusual transactions,
events, amounts, ratios and trends that might indicate matters

3.0 Understanding the Entity and its Environment Including its which have FS and audit implications.
Internal Control and Assessing the Risks of Material Misstatement -the auditor develops expectations about plausible relationships
3.1 Industry, regulatory and other external factors, including the that are reasonably expected to exist. When comparison of those
applicable financial reporting framework expectations with recorded amounts or ratios yields unusual or
3.1.1 Nature of the entity unexpected relationships, the auditor considers those results in
3.1.2 Objectives and strategies and related business risks identifying risks of material misstatements
3.1.3 Measurement and review of the entity's financial -often, such analytical procedures use data aggregated at a high
performance level. In such case, the auditor should consider the results of
3.2 Internal control analytical procedures along with other information gathered in
3.2.1 Basic concepts and elements of internal control identifying the risks of material misstatement
3.2.2 Consideration of accounting and internal control systems
3.2.2.1 Understanding and documentation Observation and Inspection
3.2.2.2 Assessment of control risks -supports inquiries of management and others
3.2.2.2.1 Test of controls -provide information about the entity and its environment
3.2.2.2.2 Documentation Examples:
3.3 Assessing the risks of material misstatement  Observation of entity activities and operations
3.3.1 Fraud and errors  Inspection of documents, records and internal control
3.3.2 Risk assessment procedures manuals
3.3.3 Discussion among the engagement team  Reading reports prepared by management (quarterly
3.3.4 Significant risks that require special audit management reports and interim financial statements)
consideration  Reading reports prepared by those charged with
3.3.5 Risks for which substantive procedures alone do governance (minutes of board of directors’ meetings)
not provide sufficient appropriate audit evidence  Visits to entity’s premises and plant facilities
3.3.6 Revision of risk assessment  Tracing transactions through the information system
3.4 Communicating with those charged with governance and relevant to financial reporting (walk-throughs)
management
______________________________________________________ Considerations
 Information about the entity obtained in prior periods
3.0 Understanding the Entity and its Environment Including its – auditor should determine whether changes have
Internal Control and Assessing the Risks of Material occurred that may affect the relevance of such
Misstatement information in the current audit, by audit procedures
such as walk-through of systems
PHASE I-C PERFORMANCE OF RISK ASSESSMENT PROCEDURES TO  Auditor also considers other information obtained from
IDENTIFY/ASSESS RISK OF MATERIAL MISSTATEMENT THROUGH auditor’s client acceptance or continuance process
UNDERSTANDING THE ENTITY  Auditor also considers experience gained from other
engagements
PSA 315 Deals with the auditor’s responsibility to identify and  The members of the engagement team should discuss
assess the risks of material misstatements in the FS, through the susceptibility of the entity’s FS to material
understanding of the entity and its environment, including its misstatements
internal control.
A. Risk assessment procedures and sources of information about 3.1 Industry, regulatory and other external factors, including the
the entity and its environment, including its internal control applicable financial reporting framework
B. Understanding the entity and its environment, including its 3.1.1 Nature of the entity
internal control 3.1.2 Objectives and strategies and related business risks
C. Identifying and assessing of the risks of material misstatements 3.1.3 Measurement and review of the entity's financial
D. Material weakness in internal control performance
E. Documentation
II. UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT
I.RISK ASSESSMENT PROCEDURES AND SOURCES OF INCLUDING ITS INTERNAL CONTROL
INFORMATION ABOUT THE ENTITY AND ITS ENVIRONMENT,
INCLUDING ITS INTERNAL CONTROL Auditor’s understanding Consists of the ff:
Risk assessment procedures: A. Relevant industry, regulatory, and other external
-Audit procedures to obtain an understanding of the client. Some factors including applicable financial reporting
of the information obtained may be used as audit evidence to framework
support assessments of the risks of material misstatements. B. Nature of the entity, including:
-The auditor may also obtain audit evidence about the classes of a. Its operations
transactions, account balances, or disclosures b. Its ownership and governance structure
-The auditor may choose to perform substantive procedures or c. The types of investments that the entity is
tests of control concurrently with risk assessment procedures to making and planning to make
be efficient. d. The way that the entity is structured and
Risk Assessment procedures: how it is financed
 Inquiries of management and others within the entity C. The entity’s selection and application of accounting
 Analytical procedures and policies, including the reasons for any changes. The
 Observation and inspection accounting principles used should be evaluated if
appropriate for the business and if consistent with
Inquiries of Management and others within the entity applicable financial reporting framework and
-about entity’s external legal counsel or valuation experts that the accounting policies used in the relevant industry
entity has used D. The entity’s objectives and strategies, and those related
-reviewing information obtained from external sources such as business risks that may result in risks of material
reports by analysts, banks, or rating agencies, trade and economic misstatements
journals, or regulatory or financial publications E. The measurement and review of the entity’s financial
-From management performance
-From those responsible for financial reporting
-From others within the firm (internal audit personnel, or
production) A. Industry, regulatory, and other external factors
-From other employees with different levels of authority including applicable financial reporting framework
Factors include:
Analytical Procedures (PSA 520 “Analytical procedures – provides Industry conditions
additional guidance)
Auditing Theory Review Notes (AT-3) Page 1 of 13

- The market and competition, including demand, capacity and  Products or services and markets (major customers and
price competition contracts, terms of payments, profit margins, market share,
-Cyclical or seasonal activity competitors, exports, pricing policies, reputation of products,
-Product technology relating to entity’s products warranties, order book, trends, marketing strategy and
-Energy supply and cost objectives, manufacturing processes.
Regulatory Environment  Conduct of operations (stages and methods of production,
- Accounting principles and industry specific practices business segments, delivery of products and services, details
- Regulatory framework for a regulated industry of declining or expanding operations)
-Legislation and regulations that significantly affect the entity’s  Alliances, joint ventures and outsourcing activities
operations  Involvement in electronic commerce, including internet sales
-Regulatory requirements and marketing activities
-Direct supervisory activities  Geographic dispersion and industry segmentation
-Taxation (corporate and other)  Location of production facilities, warehouses and offices
-Government policies currently affecting the conduct of the  Key customers
entity’s business  Important suppliers of goods and services (long term
- Monetary controls (including foreign) contracts, stability of supply, terms of payment, imports,
-Fiscal methods of delivery such as just-in-time)
-Financial incentives (government aid programs)  Employment (location, supply, wage levels, union contracts,
-Tariffs, trade restrictions pension and other post employment benefits, stock option,
-Environmental requirements affecting the industry and the incentive bonus arrangements, government regulation
entity’s business related to employment matters)
Other External Factors
 Research and development activities and expenditures
-General level of economic activity (recession, growth)
 Transactions with related parties
-Interest rates and availability of financing
Investments
-Inflation, currency revaluation
 Planned or recently executed acquisitions, mergers or
disposals of business activities
B. Nature of the Entity – refers to:
-Its operations  Investments and dispositions of securities and loans
-Its ownership and governance structure  Capital investment activities, including investments in
-The types of investments that the entity is making and planning plant and equipment technology, and any recent or
to make planned changes
-The way that the entity is structured and how it is financed  Investments in non-consolidated entities, including
Understanding the nature of the client includes: partnerships, joint ventures and special purpose
 Client’s competitive position entities
 Organizational structure Financing
 Governance processes  Group structure – major subsidiaries and associated
entities, including consolidated and non-consolidated
 Accounting policies and procedures
structures
 Ownership
 Debt structure, including covenants, restrictions,
 Capital structure
guarantees, and off-statement of financial position
 Product lines
financing arrangements
 Client’s business processes
 Leasing of property, plant or equipment for use in the
business
Ex. For business processes of manufacturing company, auditors will
obtain an understanding of the ff:  Beneficial owners (local, foreign, business reputation
and experience)
 The processes used to procure, store and manage raw
 Related parties
materials
 The processes used to machine, assemble, package and  Use of derivative financial instruments
test products Financial reporting
 The processes used to create demand for products and  Accounting principles and industry-specific practices
services and to manage relations with customers  Revenue recognition practices
 The processes used to establish contract terms and to  Accounting for fair values
bill and collect receivables  Inventories (locations, quantities)
 The processes used to take orders and deliver goods  Foreign currency assets, liabilities and transactions
 The activities performed after the goods and services  Industry-specific significant categories (loans and
have been delivered (installation, training, warranty, investment for banks, accounts receivable and
and customer service) inventory for manufacturers, research and
 The processes used to acquire and maintain human development for pharmaceuticals)
resources and technology, including research and  Accounting for unusual or complex transactions
development including those in controversial or emerging areas
*An understanding of the ownership and relations between (accounting for stock-based compensation)
owners and other people or entities is also important in  Financial statement presentation and disclosure
determining whether related party transactions have been
identified and accounted for appropriately. PSA 550 “Related D. Objectives and Strategies and Related Business Risks
Parties” provides additional guidance -The auditor should obtain an understanding of the entity’s
objectives and the related business risks that may result in material
C. Selection and Application of Accounting Policies misstatement of the FS.
-Includes understanding of: -Strategies are the operational approach by which management
- The methods that the entity uses to account for intends to achieve its objectives. Objectives are defined by the
significant and unusual transactions entity’s management or those charged with governance as a
- Effect of significant accounting policies in controversial means to respond to factors surrounding the entity. Such factors
or emerging areas for which there is lack of consensus include industry, regulatory and other internal or external factors
- Changes in accounting policies affecting the conduct of business
Examples of matters that an auditor considers: -Business risks result from significant conditions, events,
circumstances, actions or inactions that could adversely affect the
Business Operations entity’s ability to achieve its objectives and execute its strategies,
 Nature of revenue sources (manufacturer, wholesaler, or through setting of inappropriate objectives and strategies.
banking, insurance, other financial services, import/export -The conduct of the entity’s business is dynamic and its objectives
trading, utility, transport, and technology products and and strategies change over time.
services Business risk:
-Is broader than the risk of material misstatement of the FS

-May arise from change or complexity management and other employees because their compensation is
-May result from failure to recognize the need for change often tied to the measures (Performance-based incentives)
Ex. Development of new products that fail or inadequate market Examples of matters to consider:
for new products  Key ratios and operating statistics
An understanding of business risks increases the likelihood of  Key performance indicators
identifying risks of material misstatements.  Employee performance measures and incentive
Significant risks that may be identified: compensation policies
1. Risks related to competition  Trends
2. Changes in government regulations  Use of forecasts, budgets and variance analysis
3. Changes in technology  Analyst reports and credit rating reports
4. Volatility of raw material prices  Competitor analysis
5. Interruption of supplies of critical raw materials  Period-on-period financial performance (revenue
6. Changes in major markets growth, profitability, leverage)
7. Increases in interest rates
-Most business risks will eventually have financial consequences III. IDENTIFYING AND ASSESSING OF THE RISKS OF MATERIAL
and therefore have an effect on the FS. However, not all business MISSTATEMENTS
risks give rise to the risks of material misstatement. -The auditor should identify and assess the risks of material
-Usually management identifies business risks and develops misstatement at the financial statement level, and at the assertion
approaches to address them. level for classes of transactions, account balances and disclosures:
-Well-operated companies use formal processes for identifying The auditor shall:
business risks and devising ways to mitigate them. 1. Identify risks throughout the process of obtaining an
-Smaller firms often do not set their objectives and strategies or understanding of the entity and its environment, including relevant
manage the related business risks through formal plans or controls that relate to the risks, and by considering classes of
processes. transactions, account balance and disclosures in the FS
-Some firms do not document such matters. In such cases, the 2. Relates the identified risks to what can go wrong at the assertion
auditor obtains understanding the entity’s business risk, through level
inquiries of management and observation of how the entity 3. Considers whether the risks are of a magnitude that could result
responds to such matters. in a material misstatement of the FS, and
Examples of matters to consider: 4. Considers the likelihood that the risks could result in a material
 Existence of objectives (how the entity addresses misstatement
industry, regulatory and other external factors relating Risk of material misstatement may be greater for risks relating to
to: significant non-routine transactions arising from:
> Industry developments (potential business risk may  Greater management intervention to specify
be lack of personnel to deal with changes in the industry) accounting treatment
> New products and services (potential business risk is  Greater manual intervention for data collection and
increased product liability) processing
>Expansion of the business (underestimated demand)  Complex calculations or accounting principles
> New accounting requirements (incomplete, improper  The nature of non-routine transactions, which make it
or increased cost of implementation) difficult for the entity to implement effective controls
> Regulatory requirements (increased legal exposure) over the risks
> Current and prospective financing requirements (loss Risk of material misstatement may be greater for risks relating to
of financing due to non-payment) significant judgemental matters that require the development of
>Use of IT (systems and processes are incompatible) accounting estimates:
 Effects of implementing a strategy  Accounting principles for accounting estimates or
> Any effects that will lead to new accounting revenue recognition subject to different interpretations
requirements (potential business risk is incomplete or  Required judgement may be subjective, complex, or
improper implementation require assumptions about the effects of future events.
Ex. Fair value
E. Measurement and Review of the Entity’s Financial  Conditions and events that may indicate risks of
Performance material misstatements:
-The auditor should obtain an understanding of the measurement  Operations in regions that are economically unstable,
and review of the entity’s financial performance. such as countries with significant currency devaluation
-Performance measures, whether external or internal, creates or highly inflationary economies
pressures on the entity that may motivate management to take  Operations exposed to volatile markets, ex. Futures
action to improve business performance or to deliberately trading
misstate the FS  High degree of complex regulation
-Obtaining an understanding of the entity’s performance measures  Going concern and liquidity issues including loss of
assists the auditor in considering whether such pressures result to significant customers
management actions that may have increased the risk of material  Constraints on the availability of capital and credit
misstatements  Changes in the industry in which the entity operates
Various performance measurement & review techniques (Internal):  Changes in the supply chain
 Budgets  Developing or offering new products or services or
 Key performance indicators moving into new lines of business
 Variance analysis  Expanding into new locations
 Segment performance reports  Changes in the entity such as large acquisitions or
 Scorecards (financial, customer, internal business reorganizations or other unusual events
process and learning and growth of the entity)  Entities or business segments likely to be sold
 Comparison with performance of competitors  Complex alliances and joint ventures
 Internal measures may highlight unexpected results or  Use of off-balance sheet finance, special purpose
trends requiring an inquiry to determine the cause and entities and other complex financing arrangements
for management to take corrective action.  Significant transactions with related parties
Ex. Performance measures may indicate that the entity has  Lack of personnel with appropriate accounting and
unusually rapid growth as compared to competitors. If combined financial reporting skills
with performance-based incentives, it may indicate potential risk  Changes in key personnel including departure or key
of management bias in the preparation of FS. executives
-External parties such as bond rating agencies, credit agencies and  Weakness in internal control, especially those not
financial analysts may also measure and review the client’s addressed by management
performance  Inconsistencies between the entity’s IT strategy and its
-The methods of measuring and reviewing performance are business strategies
important to the auditors in determining the incentives of  Changes in the IT environment

 Installation of significant new IT systems related to material FS assertion, audit risk can also be examined at that level.
financial reporting For each FS account, audit risk consists of the possibility that:
 Inquiries into the entity’s operations or financial results 1. A material misstatement in an assertion about the
by regulatory or government bodies account has occured
 Past misstatements, history of errors or a significant 2. The auditors do not detect the misstatement.
amount of adjustments at period end The risk of occurrence of material misstatement may be separated
 Significant amount of non-routine or non-systematic into two components – inherent risk and control risk.
transactions including intercompany transactions and 1. Inherent risk – the susceptibility of an account balance, class of
large revenue transactions at period end transactions or disclosures to misstatements that could be
 Transactions that are recorded based on material, individually or when aggregated with misstatements in
management’s intent, ex. Debt refinancing, assets to be other balances or classes, assuming there are no related internal
sold and classification of marketable securities controls
 Application of new accounting pronouncements 2. Control risk – the risk that a misstatement could occur in an
 Accounting measurements that involve complex account balance, or class of transaction that could be material,
processes individually or when aggregated with misstatements in other
 Events or transactions that involve significant balances of classes, will not be prevented or detected and
measurement uncertainty, including accounting corrected on a timely basis by the accounting and internal control
estimates system
 Pending litigation and contingent liabilities, ex. Sales 3. Detection risk – the risk that an auditor’s substantive procedures
warranties, financial guarantees and environmental will not detect a misstatement that exists in an account balance or
remediation class of transactions that could be material, individually or when
aggregated
IV. MATERIAL WEAKNESS IN INTERNAL CONTROL
The auditor shall evaluate whether, on the basis of audit work Audit Risk Model: Audit risk = Inherent risk x Control Risk x
performed, the auditor has identified a material weakness in the Detection risk
design, implementation or maintenance of internal control.
The auditor shall communicate material weakness in internal 1. Inherent risk
control identified, to management (at an appropriate level of Complex computations for pensions and leases are more likely to
responsibility) on a timely basis. contain errors, than simple computations of straight-line
PSA 260 “Communication with Those Charged with Governance” depreciation
The types of material weakness in internal control: Accounts differ in their susceptibility to loss, theft and fraud. Cash
-Risks of material misstatements that the auditor identifies and is more likely to be stolen than plant assets. And inventories are
which the entity has not controlled, or for which relevant control more likely subject to decline in value than tangible assets.
is inadequate To assess inherent risk, the auditor uses professional judgement to
-A weakness in the entity’s risk assessment process that the evaluate ff. factors
auditor identifies as material, or the absence of a risk assessment At the FS level
process in those cases where it would be appropriate for one to  Integrity of management
have been established.  Management experience and knowledge, changes in
Material weaknesses may also be identified, in controls that management during the period (inexperience of
prevent, or detect and correct error, or those to prevent and management may affect preparation of the FS of the
detect fraud entity
 Unusual pressures on management or circumstances
V. DOCUMENTATION that might predispose management to misstate the FS
The auditor should document: (experiencing large business failures within the industry
a. The discussion among the engagement team regarding the or lack of sufficient capital to continue business
susceptibility of the entity’s FS to material misstatement due to operations
error or fraud and the significant decisions reached.  Nature of the entity’s business, ex. Potential for
b. Key elements of the understanding obtained regarding each of technology obsolescence of its products and services
the aspects of the entity and its environment, including each of the and the complexity of its capital structure, significance
internal control components, to assess the risks of material of related parties and the number of locations and
misstatements of the FS, the sources of information from which geographical spread of its production facilities.
the understanding was obtained, and the risk assessment  Factors affecting the industry in which the entity
procedures operates ex. Economic and competitive conditions as
c. The identified and assessed risks of material misstatement at the identified by financial trends and ratios, and changes in
FS level and at assertion level technology, consumer demand and accounting
d. The risks identified and related controls evaluated practices common to the industry
Documentation may take the form of narrative descriptions, At the account balance and class of transactions level
questionnaires, check lists, flow charts, memorandum.  FS accounts likely to be susceptible to misstatement ex.
The more extensive the audit procedures, the more extensive the Accounts which required adjustment in the prior period
auditor’s documentation will be. which involve a high degree of estimation such as
PSA 230 “Audit Documentation” provides guidance regarding inventories, related party transactions, intangibles
documentation related to audit of FS  The complexity of underlying transactions and other
events which might require using the work of an expert
 The degree of judgement involved in determining
account balances ex. Contingent liabilities
ASSESSING INHERENT RISK AND CONTROL RISK AT THE  Susceptibility of assets to loss or misappropriations ex.
ASSERTION LEVEL Assets which are highly desirable and movable such as
-Auditors considers factors that affect the risk of material cash
misstatements at the FS level and at the assertion level  The completion of unusual and complex transactions,
- Auditors test the validity of the FS assertions that particularly at or near period end
related to classes of transactions, account balances and  Transactions not subjected to ordinary processing
disclosures. Client’s characteristics and industry:
- At the assertion level, a misstatement is material if it >Inconsistent profitability relative to the industry
exceeds the tolerable misstatement specified for the >Operating results that are highly sensitive to economic factors
assertion. >Going concern problems
The risk that the FS assertion is materially misstated is referred to >Large known and likely misstatements detected in prior audits
as “Risk of the Assertion Level” <Substantial turnover, questionable reputation or inadequate
Audit risk refers to the possibility that the auditors fail to accounting skills of management
appropriately modify their opinions on FS that are materially Assertions with high inherent risk:
misstated. Since audit involves gathering of evidence for each >Transactions or balances that are difficult to audit
>Complex calculations

>Difficult account accounting issues for the account. When inherent risk and control risk are high, then
>Significant judgement detection risk should be reduced and vice versa
>Valuations that vary significantly based on economic factors Detection risk is controllable by the auditor while inherent and
control risks relate to the client’s circumstances
2. Control Risk- The risk that a material error in an account will not When the auditor determines that detection risk regarding an FS
be prevented or detected on a timely basis by the client’s system assertion for a material account balance or class of transactions
of internal control. cannot be reduced to an acceptable level, then the auditor should
-Can never be zero because internal control systems cannot express a qualified opinion or a disclaimer of opinion
provide absolute assurance that all material errors will be
prevented or detected. Using the Audit Risk Model to determine the nature, timing and
-To assess control risk, auditors study the methods and procedures extent of audit procedures
by which the company controls its accounting process. Audit risk= Inherent risk x Control Risk x Detection risk or AR = IR
-If accounting procedures are well designed and consistently x CR x DR
followed, the FS will be accurate and complete. Steps in the audit risk model:
-An effective internal control structure promotes reliability in the Step 1 –Determined planned audit risk
accounting data. Step 2 –Assess inherent risk
-Errors are quickly and automatically brought to light by built-in Step 3 –Assess control risk
proofs and cross-checks that are in the system. Step 4 –Determine allowable detection risk
-If the auditors find that the client has designed effective internal
control for a particular account and that prescribed practices are Step 1- Determine planned audit risk
being consistently followed, they will assess control risk to be low, -the auditor should plan the audit risk for each FS assertion, so that
and can accept a higher level of detection risk he will be able to express an opinion on the FS taken as a whole
with an appropriate low level of audit risk.
Preliminary Assessment of Control Risk -in assessing planned or acceptable audit risk (AAR), the auditor
-process of evaluating the effectiveness of the entity’s accounting must assess the ff. factors:
and internal control systems 1. External user’s reliance on FS – by examining the FS,
-after obtaining an understanding of the accounting and internal including footnotes, reading minutes of meeting of BOD
control systems, the auditor should make a preliminary to determine future plans
assessment of control risk, at the assertion level, for each material 2. Likelihood of financial difficulties – by analyzing the FS
account balance or class of transactions for financial difficulties using ratios and other analytical
Control risk is assessed as high if: procedures, and examine historical and projected cash
a) The entity’s accounting and internal control systems flow statements for the nature of cash inflows and
are not effective outflows
b) Evaluating the effectiveness of the entity’s accounting 3. Management integrity – by obtaining information from
and internal control systems would not be efficient local attorneys, other CPAs, banks, predecessor auditor
c) The auditor is not able to identify controls relevant to
the assertion which are likely to prevent or detect and Step 2- Assess inherent risk
correct a material misstatement -the auditor attempts to predict where misstatements are most
d) The auditor does not plan to perform tests of control to likely to exist in the FS segments
support the assessment -at the start of the audit, there is not much that can be done to
Documentation of Understanding and Assessment of Control Risk change inherent risk so that the auditor must assess the factors
-The auditor should document in the working papers: resulting to inherent risk and modify audit evidence procedures
a) The understanding obtained of the entity’s accounting Factors to consider in assessing inherent risk:
and internal control system 1. Nature of client’s business – ex. Greater likelihood of
b) Assessment of control risk. When control risk is obsolete inventory for an electronics manufacturer
assessed at less than high, document the basis for than for a steel fabricators
conclusions 2. Integrity of management – greater likelihood of
misstatements if management lacks integrity
3. Detection Risk 3. Client motivation – ex. Greater tendency of
-the risk that the auditor’s examination will not detect a material misstatements if management receives a percentage of
error in an account balance. profits as a bonus
-this is a function of the effectiveness of the auditor’s verification 4. Results of previous audits – Ex. If misstatements found
of account balances and is influenced by the nature, timing and in the previous year’s audit have a high likelihood of
extent of auditor’s procedures. occurring again.
-In estimating the detection risk, the auditor should consider the 5. Initial versus Repeat engagement – ex. lack of previous
likelihood that he would make an error, such as misinterpreting year’s audit results would cause auditors to use a larger
the evidence obtained or misapplying an audit procedure inherent risk for initial audits than for repeat
-the level of detection risk is directly related to the auditor’s engagements in which no material misstatements had
substantive procedures. been found
-The auditor’s control risk assessment together with the inherent 6. Related parties – ex. transactions between parent and
risk assessment, influences the nature, timing and extent of subsidiaries or those between management and
substantive procedures to reduce detection risk and audit risk to corporate entity, are transactions that do not occur at
an acceptably low level. arm’s length
-If evidence is mostly persuasive than conclusive, then detection 7. Non-routine transactions – ex. where the client lacks
risk will be present, even if the auditor examines 100% of the experience in recording them.
account balances or class of transactions 8. Susceptibility to defalcation – ex. likelihood of
Considerations: converting company asset to personal use
a) Nature of substantive procedures, ex. Using tests 9. Judgement required to correctly record account
directed toward independent parties outside the entity, balances and transactions – ex. for account balances
rather than tests directed towards parties or which is subject to estimates or a great deal of
documentation within the entity or using tests of details management judgement. Allowances for probable
for a particular audit objective in addition to analytical losses, uncollectible accounts, liability for warranties
procedures 10. Make-up of Population of accounts or transactions –
b) Timing of substantive procedures ex. Performing them composition of the total population ex. If accounts
at period end rather than at an earlier date receivable are mostly overdue
c) Extent of substantive procedures ex. Using larger Generally auditors assess inherent risk conservatively at more than
sample size 50%. If there is reasonable possibility of significant misstatements,
then at 100%
There is an inverse relationship between detection risk that the Inherent risk (high), detection risk should be (low), planned audit
auditor can accept for an account and the inherent and control risk procedures (high)

Step 3- Assess control risk Objectives
If after the auditor obtains understanding of internal controls, and 1. Reliability of entity’s financial reporting
concludes that: 2. Effectiveness and efficiency of operations
Internal controls are ineffective, auditor sets a high (100%), 3. Compliance with applicable laws and regulations
maximum risk for control risk.
Before auditor can set control risk at less than 100%, the auditor Internal Control System
should: - All policies and procedures (internal controls) adopted by
1. Obtain an understanding of internal control management to assist in achieving management’s objective of
2. Evaluate how well it should function based on understanding ensuring the orderly and efficient conduct of it’s business,
3. Test internal controls for effectiveness. including adherence to management policies, safeguarding of
assets, prevention and detection of fraud and error, the accuracy
Step 4- Determine Allowable Detection Risk and completeness of accounting records and the timely
Allowable detection risk or planned detection risk is the amount of preparation of reliable financial information.
risk the auditor can allow for an assertion or measure of the risk Elements:
that audit evidence for a segment will fail to detect misstatements a. Control environment
exceeding a tolerable amount. b. Entity’s risk assessment process
Planned detection risk is: c. Information system (including related business
a) Dependent on three factors in the model processes relevant to financial reporting and
b) Determines the amount of substantial evidence that communication)
the auditor plans to accumulate, inversely with the size d. Control activities
of planned detection risk e. Monitoring of controls
Planned detection risk (PDR)
PDR = AAR . A.CONTROL ENVIRONMENT
IR x CR - The overall attitude, awareness and actions of directors
AAR=acceptable audit risk and management regarding the internal control system
Ex. Auditor Taylor Sweep is willing to accept a 5% risk that and its importance to the entity
existence of sales will be materiality misstated after she completes - Has an effect on the effectiveness of specific control
the audit for a client, Roses, Inc. In her understanding of current processes.
conditions, she assesses inherent risk at 60% and control risk at Ex. A strong control environment with tight budgetary controls and
40%. an effective internal audit function can significantly complement
PDR = .05 . specific control procedures.
0.6 x 0.4 Factors comprising the control environment:
PDR = .208 or 21% (rounded off) 1.Communication and Enforcement of Integrity and Ethical Values
-The assessed levels of inherent and control risk cannot be – includes mngt’s actions to remove or reduce incentives and
sufficiently low to eliminate the need for the auditor to perform temptations that might prompt personnel to engage in dishonest,
any substantive procedures. illegal or unethical acts
-Regardless of the assessed level of inherent and control risk, the 2. Commitment to Competence – makes sure to hire and assign
auditor should perform some substantive procedures for material competent employees
account balances and classes of transactions 3. Participation by those charged with governance – their
-Once the auditor has accumulated evidence regarding an independence from mngt, experience, oversight over reviewing
assertion, he can use the audit risk model to evaluate whether the effectiveness of internal control and dealing with whistleblowers
accumulated evidence is adequate. 4. Management’s Philosophy and Operating Style- attitude
-The auditor would use to audit risk model to compute for the towards business risk, financial reporting and meeting budget,
achieved audit risk (AcAR) which would be compared with the profit and established goals
planned audit risk. When achieved audit risk is less than or equal 5. Organizational Structure – provides overall framework for
to planned audit risk, then the evidence accumulated for the planning, directing and controlling operations
assertion is sufficient 6. Assignment of Authority and Responsibility – clear
AcAR = IR x CR AcDR understanding of roles and responsibilities, business practices,
AcDR=Achieved detection Risk code of conduct
Research indicates that the formula is not appropriate to be used 7. Human Resources Policies and Procedures – adequate personnel
in calculating achieved audit risk. However, the relationships in the policies enhance likelihood that the client’s policies and
formula are valid and should be used in practice. Based on the procedures will be followed
formula, there are 3 ways to reduce achieved audit risk to an
acceptable level: B. ENTITY’S RISK ASSESSMENT PROCESS
1. Reduce inherent risk – inherent risk is assessed by the auditor Risk assessment
based on client’s circumstances and is done during planning, and - Process of identifying and responding to business risks
is typically not changed unless new facts are uncovered in the - For financial reporting purposes, risk assessment
course of audit process includes identification, analysis and
2. Reduce control risk – assessed control risk is affected by the management of risks pertaining to preparation of FS
client’s internal controls and tests of those controls. Auditor’s can - Management may initiate plans, programs or actions to address
reduce the risk by more extensive tests of controls if the client has specific risks
effective controls Risk can arise or change due to circumstances:
3. Reduce achieved detection risk by increasing substantive audit  Changes in operating environment – can result in
tests – additional audit procedures, assuming they are effective, changes in competitive pressures
and larger sample sizes, both reduce achieved detection risk  New personnel – may have different focus on or
understanding of internal control
3.2 Internal control  New or revamped information systems – significant and
3.2.1 Basic concepts and elements of internal control rapid changes can change risk relating to internal
3.2.2 Consideration of accounting and internal control systems control
3.2.2.1 Understanding and documentation  Rapid growth – can strain controls and increase risk in
3.2.2.2 Assessment of control risks breakdown in controls
3.2.2.2.1 Test of controls  New technology-if incorporated into production
3.2.2.2.2 Documentation processes or information systems,may change the risks
associated with internal control
OBJECTIVES OF INTERNAL CONTROL (BASED ON PSA 315)  New business models, products or activities – new
-PSA 315 defines internal control as the process designed and areas where entity has little experience may introduce
effected by those charged with governance, management and new risks
other personnel to provide reasonable assurance about the  Corporate restructuring – may be accompanied by staff
achievement of the entity’s objectives with regard to reliability of reductions and changes in supervision and segregation
financial reporting, effectiveness and efficiency of operations and of duties that may change the risk in internal control
compliance with applicable laws and regulations.

 Expanded foreign operations – foreign operations -are applied at various organizational and functional level, whether
carries new and unique risks ex. Risks in foreign within IT or manual systems
currency transactions Major Categories of Control Procedures:
 New accounting pronouncements- may affect risk in A. Performance review
preparing FS B. Information Processing Controls
1. Proper authorization of transactions and
C. INFORMATION SYSTEM, INCLUDING BUSINESS PROCESSES activities
RELEVANT TO FINANCIAL REPORTING AND COMMUNICATION 2. Segregation of duties
Information systems consists of procedures and records designed 3. Adequate documents and records
and established to: 4. Safeguards over access to assets
 Initiate, record, process and report entity transactions 5. Independent checks on performance
and to maintain accountability for related assets, C. Physical Controls
liabilities and equity
 Resolve incorrect processing of transactions ex. A.Performance review -management accounting and operating
Automated suspense files and procedures followed to data to assess performance
clear suspense items out on a timely basis (temporary Ex. 1. Comparison of actual performance with budgets, forecasts,
accounts used) prior period performance, or competitor’s data or tracking major
 Process and account for system overrides or bypasses initiatives such as cost-containment or cost-reduction programs to
to controls measure the extent to which targets are being met
 Transfer information from transaction processing 2. Investigating performance indicators based on operating or
systems to the general ledger financial data such as quantity or purchase price variances or
 Capture information relevant to financial reporting for percentage of returns to total orders
events and conditions other than transactions such as 3. Reviewing functional or activity performance, such as relating
the depreciation and amortization of assets and the performance of a manager responsible for a bank’s consumer
changes in the recoverability of accounts receivable loans with some standard, such as economic statistics or targets
(allowances)
 Ensure information required to be disclosed by the B. Information Processing Controls
applicable financial reporting framework is Control Activities related to proper processing
accumulated, recorded, processed, summarized and 1. Proper authorization of transactions and activities
appropriately reported in the FS 2. Segregation of duties
Journal Entries 3. Design and use of adequate documents and records
- An entity’s information system typically includes the 4. Access to assets
use of standard journal entries required on a recurring 5. Independent checks on performance
basis ex. Sales, purchases, cash disbursements, loans Control Activities related to proper processing
collection, automated period end entries, etc 1.Proper authorization of transactions and activities
- Non standard journal entries are used to record non- –authorization for execution of transactions flows from the
recurring, unusual transactions or adjustments stockholders to management and its subordinates.
- When automated procedures are used to maintain the -before a transaction is entered into, certain conditions must be
GL and prepare FS, such entries exist only in electronic met
form and are more easily identified using computer -as part of evaluation of the transaction, documentation will be
assisted audit techniques created
Related Business Processes -auditor uses the documentation to determine whether
-activities designed to: transactions are properly authorized.
 Develop, purchase, produce, sell and distribute an -Ex. Purchase of inventory may create a purchase order, receiving
entity’s products and services report and vendor invoice.
 Ensure compliance with laws and regulations -The auditor should compare these documents and compare them
 Record information, including accounting and financial with company policy to be satisfied that the transaction was
reporting information authorized and executed in accordance with company policies
Business processes 2. Segregation of Duties
-result in the transactions that are recorded, processed and -No one person should be assigned duties that would allow that
reported by the information system person to commit an error or perpetuate fraud and conceal the
-Obtaining an understanding of the entity’s business processes, error or fraud
which include how transactions are originated, assists the auditor -Ex. Same person should not be responsible for recording the cash
obtain an understanding of the entity’s information system received on account and posting the receipts to the accounting
relevant to financial reporting records
Information system encompasses methods and records that: 3. Adequate documents and records
 Identify and record all valid transactions -allows the company to obtain reasonable assurance that all valid
 Describe on a timely basis the transactions in sufficient transactions are recorded
detail to permit proper classification of transactions for 4. Access to assets
financial reporting -assets can be protected by establishment of physical barriers and
 Measure the value of transactions in a manner that appropriate policies
permits recording their monetary value in the FS -Ex. Inventories kept in a storeroom, negotiable instruments kept
 Determine the time period in which transactions in safety deposit box.
occurred to permit recording of transactions in the -appropriate policies are adopted so that only authorized persons
proper accounting period have access to company assets.
 Present properly the transactions and related -entity should design their internal accounting control system so
disclosures in the FS that documents authorizing the movement of assets in or out of
Communication an organization are adequately controlled
-involves providing an understanding of individual roles and 5. Independent checks on performance
responsibilities pertaining to internal control over financial -procedures that periodically compare the actual asset with its
reporting. recorded balance
-includes extent to which personnel understand how their -Ex. Inventory count, cash count, monthly bank reconciliation
activities in the financial reporting system relate to the work of
others and the means of reporting exceptions to an appropriate General controls
higher level within the entity. – are control activities that prevent or detect errors and
-May be in the form such as policy, manuals, accounting and irregularities for all accounting systems.
financial reporting manuals, and memoranda. - Affect all transaction cycles and apply to information processing
as a center, hardware and systems software acquisitions and
D. CONTROL ACTIVITIES maintenance and back-up and recovery procedures
-policies and procedures that help ensure that management
directives are carried out Application controls

-controls that pertains to the processing of a specific type of To evaluate the effectiveness of controls established, the auditor
transactions, such as payroll, sales and collections. performs tests to determine that they are being applied
-help ensures that transactions occurred, are authorized and are
completely and accurately recorded and processed. STAGES OF STUDY AND EVALUATION OF INTERNAL CONTROL
- Ex. Checking the arithmetical accuracy of records, maintaining A. Obtaining an understanding of the entity’s internal
and reviewing accounts and trial balances, automated controls control structure
such as input data and numerical sequence checks, manual follow B. Assessing the preliminary level of control risk
up of exception reports C. Obtaining evidential matter to support the assessed
level of control risk
General IT controls D. Evaluating the results of evidential matter
-policies and procedures that relate to many applications and E. Determining the necessary level of detection risk
support the effective functioning of application controls by helping A. Obtaining an understanding of the entity’s internal control
to ensure the continues proper operation of information systems structure
-include controls over data center and network operations, The auditor should obtain an understanding about:
systems software acquisitions, change and maintenance, access 1. Control environment – Mgnt/BOD’s attitude,
security, and application system acquisition development and awareness and actions in the control environment
maintenance 2. Control Procedures – presence or absence of control
-Apply to mainframe, miniframe and end-user environments procedures
-Ex. Program change controls, controls that restrict access to 3. Accounting and Internal Control - auditor determines:
programs or data, controls over implementation of new releases a. Major classes of transactions
of packaged software applications, and controls over system b. How transactions are initiated
software that restrict access to or monitor the use of system c. Nature & existence of accounting records
utilities that could change financial data or records without leaving d. How transactions are processed from
an audit trail initiation to completion
Internal controls relating to the accounting system are concerned e. Nature and details of financial reporting
with achieving objectives such as: process followed.
 Transactions are executed in accordance with – Understanding is accomplished and documented by a narrative
management’s general or specific authorization description or by flowcharting or by transaction walk-through
 All transactions and other events are promptly The nature, timing and extent of the procedures performed by the
recorded in the correct amount, in the appropriate auditor to obtain understanding of accounting & internal control
accounts in the proper accounting period system will depend on:
 Access to assets and records is permitted only in  Size and complexity of entity and its computer system
accordance with management’s authorization  Materiality consideration
 Recorded assets are compared with the existing assets  Type of internal controls involved
at reasonable intervals and appropriate action is taken  Nature of entity’s documentation of specific internal
regarding any differences controls
 Auditor’s assessment of inherent risk
C. Physical controls Auditor’s understanding is supplemented by conducting:
 Physical security of assets, including adequate a) Inquiring of appropriate management, supervisory and
safeguards, such as secured facilities over access to other personnel at various organizational levels, along
assets and records with reference to documentations such as procedures
 Authorization for access to computer programs and manuals, job descriptions and flow charts
data files b) Inspection of documents and records produced by
 The periodic counting and comparisons with amounts accounting and internal control systems
shown on control records c) Observation of the entity’s activities and operations,
including organization of computer operations,
E. MONITORING OF CONTROLS management personnel and nature of transaction
- Process used to assess the quality of internal control processing
over time. DOCUMENTATION OF UNDERSTANDING
- Assessing the design and operations of controls on a 1. Internal Accounting Control Questionnaire
timely basis and taking corrective actions as necessary -contains a series of questions designed to detect control
- Controls are monitored to consider whether they are weaknesses. Most questionnaires are designed to yield “yes” or
operating as intended and to modify as appropriate “no” or “not applicable” answers to the questions.
- Internal auditors evaluate the design and operation of -A “yes” indicates a satisfactory degree of internal accounting
internal control and communicate information about control
strengths and weaknesses and recommendations for -A “no” indicates a possible weakness in control or at least
improving internal control indicates that further investigation is required.
- Include communications from external parties such as -When negative answers do indicate a weakness in a control, they
customers, bank regulators and other auditors should be completed on a separate weakness investigation work
- Ex. Customers corroborate sales data by paying their sheet, which should include a description of the possible effects of
bills or complaining about their charges the weakness and indication whether such effects could lead to
material errors
OBJECTIVE OF THE STUDY OF INTERNAL CONTROL -If the weakness is material, it should be reported to senior
-the auditor should obtain an understanding of the accounting and management, BOD and audit committee
internal control systems sufficient to plan the audit and develop an Advantages:
effective audit approach 1. Provides audit assurance that attention is given to
-the auditor should use professional judgement to assess audit risk presence or absence of controls listed and certain
and to design audit procedures to ensure risk is reduced to an features of the system are not overlooked
acceptable level 2. Provide a means obtaining uniform documentation of
The auditor’s understanding of internal control provides basis for internal control system reviewed
1. Planning the audit 3. Provide inexperienced audit staff members with
2. Assessing control risk guidance in performing internal control reviews
In planning an audit, the auditor develops a preliminary audit 4. Facilitates the early detection of potential weakness in
strategy for each FS assertion based on their understanding of the system
internal control Disadvantages:
In assessing control risk, the auditor considers the design of 1. Auditor may view the questionnaire device for
controls and their effectiveness. Design refers to controls that have accomplishing an automatic evaluation of internal
been established. Effectiveness refers to how the controls function control
To assess control risk below maximum, the auditor should identify 2. Controls listed on questionnaires may not suit the
specific controls relevant to each assertion, that are likely to particular circumstances of a specific audit
prevent or detect material misstatements in those assertions

3. The auditor may overlook pertinent control not 1. Auditor may not have the ability to describe the system
included in the questionnaires correctly & concisely
2. Flow Charts 2. This may require more time and careful study
-a symbolic diagram of a specific part of an internal accounting 3. Auditor may overlook important portions of internal
control system, including the sequential flow of data/authority. control system
-an internal control flowchart uses standardized symbols, 4. A poorly written internal accounting control narrative
interconnecting lines and annotations to represent information, can lead to a misunderstanding of the system, thus
documents and document flow. resulting in the improper design and application of
-provides a pictorial view of a client’s internal control activities compliance tests
-illustrates the interaction of individuals, records, and controls 4. Internal Control Checklist
related to a particular department or class of transactions. -detailed enumeration of the methods and practices which
-reflect the segmentation of duties by using a column across the characterize good internal control or of an item to be considered
top to reflect different departments and the flow of documents in reviewing internal control
from left to right -is only a guide in reviewing the internal control and does not
-reflect all operations, movements, delays and filing procedures represent a record of the auditor’s findings
associated with whatever is being charted and also indicates - This tool is used together with the narrative approach
conversion of source documents into accounting information 5. Decision Tables
(journal, ledger, computer-generated document) -the system is depicted points
Guide in preparing flowcharts -advantages and disadvantages are similar to the flowchart
 Standardized symbols – auditors should use a uniform approach
set of symbols developed by the American National
Standards Institute (ANSI) B. Assessing the Preliminary Level of Control Risk
 Flowlines – the flow of documents should be from top -after obtaining an understanding of the accounting and internal
to bottom and left to right. Arrowheads may used on all control system, the auditor should make a preliminary assessment
lines and should be used when flow is not standard or of control risk at the assertion level for each material account
is bi-directional balance or class of transactions
 Documents – when a document is created, its source Preliminary assessment of control risk
should be indicated. Multiple-document symbols are -Process where the auditor evaluates the effectiveness of the
required when multiple copies of the document are client’s internal control policies and procedures in preventing or
prepared. The disposition of every copy of each detecting material misstatements in the FS assertions
document should be shown Assessing control risk at below the maximum level involves:
 Processing – processing symbols are used to identify 1. Identifying specific internal control structure policies
any procedures applied to documents such as their and procedures relevant to specific assertions that are
being filled likely to prevent or detect material misstatements in
 Annotations – Comments and explanations should be those assertions
used to make the flowchart easier to understand and 2. Performing tests of controls to evaluate the
more complete effectiveness of such policies and procedures
Guidelines in preparing a flowchart: Identification of Specific Internal Control policies to specific
1. Determine the class of transactions or transaction cycle assertions
to be flowcharted Controls that enhance the reliability of the FS:
2. Obtain an understanding of internal control by making 1. Preventive Controls – avoids errors and irregularities
inquiries of client personnel, observing employee 2. Detection Controls – recognizes that errors will occur
activities and examining documents, records, and even under ideal conditions and provides for double-
policies and procedures checking to locate significant occurrences
3. Organize the flowchart into columns, using different Considerations:
columns for each department, function or individual. -internal control policies and procedures can have either a
Draw a sketch of the flowchart pervasive effect on many assertions or specific effect on an
4. Draw the flowchart and insert comments and individual assertion
annotations -the control environment and accounting system often have a
5. Test the flowchart for completeness by following a few pervasive effect on a number of account balances or classes of
transactions through the chart transactions
Advantages: Ex. The conclusion that the entity’s control environment is highly
1. Easily understood – visual description which is effective may influence the auditor’s decision about the number
supported by a written narrative of an entity’s location at which auditing procedures are to be
2. Better overall picture of a complex system performed or whether to perform certain auditing procedures for
3. Parallels with EDP (electronic data processing) some account balances of classes of transactions at an interim date
documentation – EDP systems are commonly -Some control procedures often have a specific effect on an
documented with flowcharts which make it easier for individual assertion embodied in a particular account balance or
EDP purchase personnel to relate to auditors class of transaction.
4. Easy to update Ex. Control procedures that an entity established to ensure that its
Disadvantages: personnel are properly counting and recording the annual physical
1. Higher level of knowledge and training are required to inventory relate directly to the existence assertion for the
prepare a good flowchart of a complex system inventory account balance
2. Flowcharts take more time to prepare -Internal control structure policies and procedures can be either
3. It is more difficult to spot internal control weakness directly or indirectly related to an assertion. The more indirect the
3. Narrative Description relationship, the less effective that policy or procedure may be in
-a written description of a particular phase or phases for a control reducing the control risk
system Ex. A sales manager’s review of a summary of sales activity for
-If systems are extensive/complex, separate narratives may be specific stores by region ordinarily is indirectly related to the
prepared for smaller groups of controls which relate to specific completeness assertion for sales revenue. Accordingly, it may be
classes of transactions or accounts. less effective in reducing the control risk for that assertion as
-Some auditors prepare narrative descriptions to accompany compared to policies and procedures that are more directly related
internal control questionnaires or flow charts in order to provide to that assertion such as matching shipping documents with billing
information not otherwise included documents.
Advantages: Based on the assessed level of control risk that the auditor expects
1. Narrative is flexible and may be tailor-made for the to support and audit efficiency considerations, the auditor plans to
engagement perform some tests of control concurrently with obtaining an
2. Requires a detailed analysis and thus forces the auditor understanding of the internal control structure.
to understand the functioning of the system -In addition, even though some of the procedures performed to
Disadvantages: obtain the understanding may not have been specifically planned
as tests of controls, they may also provide evidential matter about

the effectiveness of the design and operation of the policies and -The auditor should obtain audit evidence(evidential
procedures, and consequently, serve as tests of internal control matter)through tests of control to support any assessment of
Type of Control Activities that relate to Financial Statement control risk which is less than high (maximum). The lower the
Assertions assessment of control risk, the more support the auditor should
Assertion: A/B. Existence/Occurrence obtain that the accounting and internal control systems are
Related Control Activities: Procedures that require documentation, suitably designed and operating effectively.
approvals, authorizations, verification and reconciliations -The evidential matter that is sufficient to support a specific
Ex 1. An employee or official who does not handle cash receipts or assessed level of control risk will depend on the professional
credit approval authorizes the write-off of an uncollectible account judgement of the auditor
Ex 2. Cash disbursements should be supported by complete -When obtaining evidence about the effectiveness of internal
documentations such as purchase requisition, abstract of canvass, controls, the auditor considers how they are applied, the
purchase order, receiving/inspection report and vendor’s invoice consistency with which they were applied and by whom they were
Assertion: C. Completeness applied.
Related Control Activities: Procedures that ensure that all -The concept of effective operation recognizes that some
transactions that occur are recorded such as accounting for a deviations from prescribed controls may have occurred. Such
numerical sequence of documents deviations may be caused by factors such as changes in key
Ex. Transfer of goods should be accompanied by prenumbered personnel, significant seasonal fluctuations in volume of
documents such as delivery ticket or bill of lading and accounted transactions and human error.
for in the period issued to ensure proper recording When deviations are detected, the auditor makes specific inquiries
Assertion: D. Rights and Obligations and ensures that tests of controls appropriately cover the period
Related Control Activities: Procedures that ensure that the entity of change or fluctuation.
has a right to assets or an obligation to pay arising from the -In a computer information systems environment, the objectives
transaction. of tests of control do not differ from those in a manual
Ex. A sale to a customer should be supported by a sales invoice and environment. The auditor may need to use computer-assisted
acknowledged delivery receipt audit techniques such as file interrogation tools or audit test data
Assertion: E/F. Valuation/Measurement when the accounting and internal control systems do not provide
Related Control Activities: Procedures that ensure that a proper visible evidence documenting the performance of internal controls
price is charged and that mathematical accuracy are present in which are programmed into a computerized accounting system.
recording and in developing accounting records and the financial
statement
Ex. A sales employee traces the price used in an invoice to a price
list (in effect) at the time. D. Evaluating the Results of Evidential Matter
Assertion: G. Presentation and Disclosure Based on the results of tests of control, the auditor should evaluate
Related Control Activities: Procedures that indicate that a review whether the internal controls are designed and operating as
has been made to ascertain that a transaction has been recorded contemplated in the preliminary assessment of control risk
in the proper account and that FS disclosure have been reviewed The evaluation of deviations may lead to change in the assessed
by a competent personnel level of control risk
Ex. The chief accountant reviews the correctness of journal entries In such cases, the auditor would modify the nature, timing and
made by an accounting clerk extent of planned substantive procedures
Certain types of audit evidence are more reliable than others. The
C. Obtaining Evidential Matter to Support the Assessed Level of auditors observation provides more reliable audit evidence rather
Control Risk than merely making inquiries.
-The auditor obtains evidential matter to enable him to determine Ex. The auditor might observe the individual who applies a control
the proper level of control risk by performing tests of controls or procedure or inquire from appropriate personnel.
compliance tests on selected policies and procedures However, audit evidence obtained through observation, pertains
-Compliance procedures are designed to obtain reasonable only to a certain point in time. The auditor needs to supplement
assurance that those internal controls on which tests requiring that procedure with other tests of control capable of providing
inspection of documents supporting transactions gain evidence audit evidence about other periods of time.
that controls have operated properly and inquiries about and In determining the appropriate evidence to support the conclusion
observation of controls which leave no audit trail. about control risk, the auditor may consider audit evidence
-Auditors may also review journal entries for a test period to obtained in prior audits.
determine whether they are properly approved and are In a continuing engagement, the auditor will be need to update the
adequately supported and they trace the postings to the ledger. knowledge gained of the accounting and internal control systems,
Tests of Control and consider the need to obtain further audit evidences of any
-are performed in order to obtain evidence about the effectiveness changes in control.
of the: Before relying on the procedures performed in prior audits, the
a. Design of the accounting and internal control systems, auditor should obtain audit evidence which supports this reliance.
whether they are suitably designed to prevent or detect The auditor should obtain audit evidence as to the nature, timing
material misstatements and extent of any changes in the entity’s accounting and internal
b. Operation of the internal controls throughout the control systems and assess their impact on the auditor’s intended
period reliance. The longer the time elapsed since the performance of
-procedures directed toward either the effectiveness of the design procedures in prior audit, the lesser the assurance to the auditor
or operations of an internal control structure policy or procedures The auditor should consider whether internal controls were in use
-concerned whether the policy or procedure is suitably designed throughout the period. If substantially different controls were used
to prevent or detect material misstatement in specific FS at different times during the period, the auditor would consider
assertions. each control separately.
-for entities with complex internal control structure, the auditor A breakdown in internal controls for a specific portion of the period
should consider the use of flowcharts, questionnaires, or decision requires separate consideration of the nature, timing and extent
tables of audit procedures to be applied.
-that are directed towards the operating effectiveness of an The auditor may perform tests of control during the interim visit in
internal control structure policy are concerned with how the policy advance of period end. The auditor should consider the need to
or procedure was applied, the consistency with which it was obtain further audit evidence relating to the remainder of the
applied during the audit period and by whom it was applied. period, before he can rely on the results of the tests during interim
Tests of Control procedures visit.
a. making inquiries of appropriate entity personnel Factors to be considered:
b. inspection of documents and reports  Results of the interim tests
c. observation of the application of internal control  The length of the remaining period
policies and procedures  Whether any changes have occurred in the accounting
d. Reperformance of the policies and procedures by the and internal control systems during the remaining
auditor himself period

 The nature and amount of the transactions and other environment, including the entity’s internal control, required by
events and the balances involved ISA 315, the auditor shall perform the procedures below to obtain
 The control environment, especially supervisory information for use in identifying the risks of material
controls misstatement due to fraud.
 The substantive procedures which the auditor plans to The auditor shall make inquiries of management regarding:
carry out (a) Management’s assessment of the risk that the financial
statements may be materially misstated due to fraud, including the
E. Determining the Necessary Level of Detection Risk nature, extent and frequency of such assessments;
Considerations: (b) Management’s process for identifying and responding to the
a. The nature of substantive procedures Ex. Using tests risks of fraud in the entity, including any specific risks of fraud that
directed toward independent parties outside the entity management has identified or that have been brought to its
rather than tests directed toward parties or attention, or classes of transactions, account balances, or
documentation within the entity, or using tests of disclosures for which a risk of fraud is likely to exist;
details for a particular audit objective (c) Management’s communication, if any, to those charged with
b. The timing of substantive procedures, ex. Performing governance regarding its processes for identifying and responding
them at period end, or at earlier date to the risks of fraud in the entity; and
c. Extent of substantive procedures, ex. Using larger (d) Management’s communication, if any, to employees regarding
sample size its views on business practices and ethical behavior.
As acceptable level of detection risk decreases, the assurance -The auditor shall make inquiries of management, and others
provided from substantive test should increase. within the entity as appropriate, to determine whether they have
When both inherent and control risks are assessed as high, the knowledge of any actual, suspected or alleged fraud affecting the
auditor should consider whether substantive procedures can entity
provide sufficient appropriate audit evidence to reduce detection -For those entities that have an internal audit function, the auditor
risk. shall make inquiries of internal audit to determine whether it has
When the auditor determines that detection risk cannot be knowledge of any actual, suspected or alleged fraud affecting the
reduced to an acceptable level, then he should express a qualified entity, and to obtain its views about the risks of fraud.
or disclaimer of opinion -Unless all of those charged with governance are involved in
managing the entity, the auditor shall obtain an understanding of
how those charged with governance exercise oversight of
3.3 Assessing the risks of material misstatement management’s processes for identifying and responding to the
3.3.1 Fraud and errors (PSA 240 THE AUDITOR’S RESPONSIBILITIES risks of fraud in the entity and the internal control that
RELATING TO FRAUD IN AN AUDIT OF FINANCIAL STATEMENTS) management has established to mitigate these risks
-Misstatements in the financial statements can arise from either -The auditor shall make inquiries of those charged with governance
fraud or error. The distinguishing factor between fraud and error to determine whether they have knowledge of any actual,
is whether the underlying action that results in the misstatement suspected or alleged fraud affecting the entity. These inquiries are
of the financial statements is intentional or unintentional. made in part to corroborate the responses to the inquiries of
-Although fraud is a broad legal concept, for the purposes of PSA management.
240, the auditor is concerned with fraud that causes a material -The auditor shall evaluate whether unusual or unexpected
misstatement in the financial statements. Two types of intentional relationships that have been identified in performing analytical
misstatements are relevant to the auditor – misstatements procedures, including those related to revenue accounts, may
resulting from fraudulent financial reporting and misstatements indicate risks of material misstatement due to fraud
resulting from misappropriation of assets -The auditor shall consider whether other information obtained by
(a) Fraud – An intentional act by one or more individuals among the auditor indicates risks of material misstatement due to fraud
management, those charged with governance, employees, or third -The auditor shall evaluate whether the information obtained from
parties, involving the use of deception to obtain an unjust or illegal the other risk assessment procedures and related activities
advantage. performed indicates that one or more fraud risk factors are
(b) Fraud risk factors – Events or conditions that indicate an present. While fraud risk factors may not necessarily indicate the
incentive or pressure to commit fraud or provide an opportunity existence of fraud, they have often been present in circumstances
to commit fraud. where frauds have occurred and therefore may indicate risks of
Professional Skepticism material misstatement due to fraud.
-In accordance with PSA 200, the auditor shall maintain an attitude
of professional skepticism throughout the audit, recognizing the 3.3.3 Discussion among the engagement team - The members of
possibility that a material misstatement due to fraud could exist, the engagement team should discuss the susceptibility of the
notwithstanding the auditor’s past entity’s FS to material misstatements. Including how fraud might
experience of the honesty and integrity of the entity’s occur. The discussion shall occur setting aside beliefs that the
management and those charged with governance. engagement team members may have that management and
-Unless the auditor has reason to believe the contrary, the auditor those charged with governance are honest and have integrity.
may accept records and documents as genuine. If conditions Their discussion should be duly documented.
identified during the audit cause the auditor to believe that a The discussion among the engagement team:
document may not be authentic or that terms in a document have  Provides an opportunity for more experienced
been modified but not disclosed to the auditor, the auditor shall engagement team members, including the engagement
investigate further. partner, to share their insights based on their
-Where responses to inquiries of management or those charged knowledge of the entity.
with governance are inconsistent, the auditor shall investigate the  Allows the engagement team members to exchange
inconsistencies. information about the business risks to which the entity
is subject and about how and where the financial
3.3.2 Risk assessment procedures – see page 1 statements might be susceptible to material
When performing risk assessment procedures and related misstatement due to fraud or error.
activities to obtain an understanding of the entity and its  Assists the engagement team members to gain a better
Tests of details of transactions understanding of the potential for material
May also be used to Used in substantive misstatement of the financial statements in the specific
areas assigned to them, and to understand how the
conduct tests of control testing
results of the audit procedures that they perform may
Objective is to evaluate Objective is to detect affect other aspects of the audit including the decisions
whether an internal material misstatements in about the nature, timing, and extent of further audit
control policy or the FS procedures.
procedure operated  Provides a basis upon which engagement team
effectively members communicate and share new information
Both objectives may be accomplished concurrently by obtained throughout the audit that may affect the
performing tests of details on the same transaction. assessment of risks of material misstatement or the
audit procedures performed to address these risks. PSA

240 provides further requirements and guidance in >Inadequate procedures for appropriately assessing and applying
relation to the discussion among the engagement team accounting principles
about the risks of fraud. >Inadequate provisions for safeguarding assets
It is not always necessary or practical for the discussion to include >Absence of other control techniques appropriate for the type and
all members in a single discussion (as, for example, in a multi- level of transaction activity
location audit), nor is it necessary for all of the members of the >Evidence that a system fails to provide completeness and
engagement team to be informed of all of the decisions reached in accurate output that is consistent with objectives and current
the discussion. The engagement partner may discuss matters with needs because of design flaws
key members of the engagement team including, if considered B. Failures in the operation of the internal control structure
appropriate, specialists and those responsible for the audits of >Evidence of failure of identified controls in preventing or
components, while delegating discussion with others, taking detecting misstatements of accounting information
account of the extent of communication considered necessary >Evidence that a system fails to provide complete accurate output
throughout the engagement team. A communications plan, agreed consistent with the entity’s control objectives because of the
by the engagement partner, may be useful. misapplication of control procedures
>Evidence of failure to safeguard assets from loss, damage or
3.3.4 Significant risks that require special audit consideration misappropriation
-As part of the risk assessment, the auditor should determine Evidence of intentional override of the internal control system by
which of the risks identified will require special audit those in authority to the detriment of the overall objectives of the
consideration. Such risks are defined as significant risks. system
-The determination of what are significant risks depends on the >Evidence of failure to perform tasks that are part of the internal
professional judgement of the auditor. In exercising this control, such as not preparing timely reconciliations
judgement, the auditor excludes the effects of identified controls >Evidence of willful wrongdoing by management or employees
related to the risk. >Evidence of manipulation, falsification or alteration of accounting
Considerations whether to determine a risk as significant: records or supporting documents
 Whether the risk is a risk of fraud >Evidence of intentional misapplication of accounting principles
 Whether the risk is related to significant economic, >Evidence of misrepresentation by client personnel to the auditor
accounting or other developments and therefore >Evidence that employees or management lack the qualifications
requires specific attention and training to fulfill their functions
 The complexity of transactions C. Other matters
 The degree of subjectivity in the measurement of >Absence of a sufficient level of control consciousness within the
financial information related to the risk, especially organization
those involving a wide range of measurement >Failure to follow up and correct previously identified internal
uncertainty control structure deficiencies
 Whether the risk involves significant transactions that >Evidence of significant or extensive undisclosed related party
are outside the normal course of business for the entity, transactions
or that otherwise appear to be unusual. >Evidence of undue bias or lack of objectivity by those responsible
for accounting decisions
3.3.5 Risks for which substantive procedures alone do not provide Reporting: Form and Content
sufficient appropriate audit evidence -Conditions noted by the auditor that are considered reportable
-In respect of some risks, the auditor may judge that it is not should be reported, preferably in writing. If information is
possible or practicable to obtain sufficient appropriate audit communicated orally, the auditor should document the
evidence only from substantive procedures. Such risks may relate communication by appropriate memoranda or notation in the
to the inaccurate or incomplete recording of routine and significant working papers.
classes of transactions or account balances, the characteristics of -The report should state that the communication is intended solely
which often permit highly automated processing with little or no for the use of the audit committee, management and others within
manual intervention. In such cases, the entity’s controls over such the organization.
risks are relevant to the audit and the auditor shall obtain an When there are requirements established by governmental
understanding of them. authorities to furnish such reports, the specific governmental
authority may be referred in the report
3.3.6 Revision of risk assessment Reporting: Form and Content
-The auditor’s assessment of the risks of material misstatement at Content of the Report
the assertion level may change during the course of the audit as -Indicate that the purpose of the audit was to report on the FS and
additional audit evidence is obtained. In circumstances where the not to provide assurance on the internal control structure
auditor obtains audit evidence from performing further audit -Include the definition of reportable conditions
procedures, or if new information is obtained, either of which is -Include the restriction on distribution of the report
inconsistent with the audit evidence on which the auditor Management Letter to Client
originally -Auditors may write management letters to clients containing
based the assessment, the auditor shall revise the assessment and suggestions for improving operations and internal control.
modify the further planned audit procedures accordingly. -This is not required by auditing standards
COMMUNICATION ABOUT SUSPECTED OR IDENTIFIED FRAUD
3.4 Communicating with those charged with governance and -If the auditor has identified a fraud or has obtained information
management that indicates that a fraud may exist, the auditor shall
COMMUNICATION OF PERFORMANCE, IMPROVEMENTS AND communicate these matters on a timely basis to the appropriate
OBSERVATIONS IN INTERNAL CONTROL TO MANAGEMENT level of management in order to inform those with primary
-Any material weakness in the design or operation of the responsibility for the prevention and detection of fraud of matters
accounting and internal control systems discovered by the auditor relevant to their responsibilities.
should be made known to management as soon as practicable and -Unless all of those charged with governance are involved in
at an appropriate level of responsibility. managing the entity, if the auditor has identified or suspects fraud
-It should be indicated in the communication that only material involving:
weaknesses that was noticed by the auditor have been reported, (a) Management;
and that the study of internal control was not designed to (b) Employees who have significant roles in internal control; or
determine the adequacy of internal for management purposes, (c) Others where the fraud results in a material misstatement in
which is actually the function of the internal audit department. the financial statements, the auditor shall communicate these
Reportable Conditions (Matters that should be reported to matters to those charged with governance on a timely basis. If the
management): auditor suspects fraud involving management, the auditor shall
A.Deficiencies in the design of internal control structure communicate these suspicions to those charged with governance
>Inadequate overall internal control structure design and discuss with them the nature, timing and extent of audit
>Absence of appropriate segregation of duties consistent with procedures necessary to complete the audit
appropriate control objectives COMMUNICATIONS TO REGULATORY AND ENFORCEMENT
>Absence of appropriate reviews and approval of transactions, AUTHORITIES
accounting entries or systems output

-If the auditor has identified or suspects a fraud, the auditor shall
determine whether there is a responsibility to report the
occurrence or suspicion to a party outside the entity. Although the
auditor’s professional duty to maintain the confidentiality of client
information may preclude such reporting, the auditor’s legal
responsibilities may override the duty of confidentiality in some
circumstances.

Auditing Theory Review Notes (AT-3) Page 1 of 13: Industry Conditions

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Auditing Theory Review Notes (AT-3) Page 1 of 13: Industry Conditions

Uploaded by

Copyright:

Available Formats

ACCTG 163 – AUDITING THEORY (AT-3) -helpful in identifying the existence of unusual transactions,

events, amounts, ratios and trends that might indicate matters

Auditing Theory Review Notes (AT-3) Page 1 of 13

Auditing Theory Review Notes (AT-3) Page 2 of 13

Auditing Theory Review Notes (AT-3) Page 3 of 13

Auditing Theory Review Notes (AT-3) Page 4 of 13

Auditing Theory Review Notes (AT-3) Page 5 of 13

Auditing Theory Review Notes (AT-3) Page 6 of 13

Auditing Theory Review Notes (AT-3) Page 7 of 13

Auditing Theory Review Notes (AT-3) Page 8 of 13

Auditing Theory Review Notes (AT-3) Page 9 of 13

Auditing Theory Review Notes (AT-3) Page 10 of 13

Auditing Theory Review Notes (AT-3) Page 11 of 13

Auditing Theory Review Notes (AT-3) Page 12 of 13

Auditing Theory Review Notes (AT-3) Page 13 of 13

You might also like