ISA 315 – Identifying and Assessing the Risks of Material ...

24/09/2019

1

© 2013-2019 Nelson Consulting Limited 1

ISA 315 – Identifying and Assessing the Risks of Material Misstatement 24 September 2019

LAM Chi Yuen Nelson 林智遠CFA® charterholder FCPA(Practising)MBA MSc BBA CPA(US) CTA FCA FCCA FCPA(Aust.) FSCA

www.Facebook.com/NelsonCFARosetta Stone @ British Museum

© 2013-2019 Nelson Consulting Limited 2Venice @ Italy Photo taken by Stephanie and Nelson © 2016

1

2

24/09/2019

2


Overview and Introduction

Today’s Agenda

Risk Assessment Procedures

Full Version of the Presentation can be found in:

www.Facebook.com/NelsonCFA

Understanding of the Entity and its Environment

Petra @ Jordan Stephanie & Nelson © 2018

Recap

Update

Examples

Identifying and Assessing the Risks of Material Misstatement

Documentation Requirements


Overview and Introduction

Today’s Agenda


www.Facebook.com/NelsonCFAPetra @ Jordan Stephanie & Nelson © 2018

3

4

24/09/2019

3

© 2013-2019 Nelson Consulting Limited 5Photo taken by Stephanie and Nelson © 2017Auschwitz @ Poland


Overview – ISA Structure

International Framework for Assurance Engagements

Audits and Reviews of Historical Financial Information

Other Assurance Engagements

ISAEs 3000-3699

Assurance Eng.

ISAEs 3000-3699 International Standards on

Assurance Eng.

ISAs 100-999

Auditing

ISAs 100-999 International Standards on

Auditing

ISREs 2000-2699

Engagements

ISREs 2000-2699 International

Standards on Review Engagements

Related Services

ISRSs 4000-4699

Related Services

ISRSs 4000-4699 International Standards on

Related Services

Engagements Governed by the Standards of the IAASB (The International Auditing and Assurance Standards Board)

IESBA (International Ethics Standards Board for Accountants) Code of Ethics for Professional Accountants

ISQCs 1-99 International Standards on Quality Control(only ISQC 1 issued so far)

5

6

24/09/2019

4



International Framework for Assurance Engagements

Audits and Reviews of Historical Financial Information

ISAs 100-999

Auditing


Auditing

Engagements Governed by the Standards of the IAASB (The International Auditing and Assurance Standards Board)

IESBA (International Ethics Standards Board for Accountants) Code of Ethics for Professional Accountants

ISQCs 1-99 International Standards on Quality Control(only ISQC 1 issued so far)

Today’s focus on ISA 315



• ISA 200 – 299 General Principles and Responsibilities

• ISA 500 – 599 Audit Evidence

• ISA 300 – 499 Risk Assessment and Response to Assessed Risks

• ISA 600 – 699 Using the Work of Others

• ISA 700 – 799 Audit Conclusions and Reporting

• ISA 800 – 899 Specialized Areas

ISA to be shared today

ISA 315 (Revised)

ISAs 100-999

Auditing


Auditing

With highlight on changes made in

2015

7

8

24/09/2019

5


Audit Process Overview

Preliminary engagement activities

Planning activities

Understanding the entity and its environment


Identify and assess risks ofmaterial misstatements


Design and implement auditor’s responses to assessed risks


Overall reviewing

Drawing conclusions and reporting

Planning

Risk assessment

Risk response

Reviewing and reporting

An audit is a cumulative and iterative process

Audit Process

Source: Auditing & Assurance in HK, 5th edition (2017) by Peter Lau and Nelson Lam


Audit Process and ISA 315





Risk assessment

Audit Process


Covered by ISA 315

(Revised)

9

10

24/09/2019

6







Risk assessment


ISA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment One of the critical requirements in ISAs

ISA 315 deals with the auditor’s responsibility • to identify and assess the risks of material misstatement in the

financial statements, • through understanding the entity and its environment, including the

entity’s internal control.


ISA 315 – Objective





Risk assessment


ISA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment One of the critical requirements in ISAs

assessed risks of material misstatement (ISA 315.3)

• The objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud

or error, at ‒ the financial statement and assertion levels,

through understanding the entity and its environment, including the entity’s internal control,

Thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement (ISA 315.3)

11

12

24/09/2019

7


ISA 315 – Objective

• The understanding establishes a frame of reference within which the auditor plans the audit and exercises professional judgment throughout the audit, for example, when:

− Assessing risks of material misstatement of the financial statements;− Determining materiality in accordance with ISA 320;− Considering the appropriateness of the selection and application of

accounting policies, and the adequacy of financial statement disclosures;− Identifying areas relating to amounts or disclosures in the financial

statements where special audit consideration may be necessary;− Developing expectations for use when performing analytical procedures;− Responding to the assessed risks of material misstatement, including

designing and performing further audit procedures to obtain sufficient appropriate audit evidence; and

− Evaluating the sufficiency and appropriateness of audit evidence obtained, such as the appropriateness of assumptions and of management’s oral and written representations.


ISA 315 – Requirements

To gather information about

Understanding the entityand its environment


The entity and its environment


Internal control

Identify and assess risks of material misstatements

Perform risk assessment procedures

Financial statement level

Financial statement level Assertion level


13

14

24/09/2019

8


Today’s Agenda

Risk Assessment Procedures



© 2013-2019 Nelson Consulting Limited 16Photo taken by Stephanie and Nelson © 2008Abu Simbel @ Egypt

15

16

24/09/2019

9


ISA 315 – Risk Assessment Procedures

• The auditor shall perform risk assessment procedures– to provide a basis for the identification and

assessment of risks of material misstatement at• the financial statement and • the assertion levels. (ISA 315.5)







• The risk assessment procedures shall include the following:a. Inquiries of management,

• of appropriate individuals within the internal audit function (if the function exists), and

• of others within the entity who in the auditor’s judgment may have information that is likely to assist in identifying risks of material misstatement due to fraud or error.

b.Analytical procedures.c. Observation and Inspection. (ISA 315.6)


17

18

24/09/2019

10


Equity instrument?

ISA 315 – Risk Assessment ProceduresExample

• Other procedures may be performed where the information to be obtained therefrom may be helpful in identifying risks of material misstatement.

• Examples of such procedures include:– Reviewing information obtained from external sources such as

trade and economic journals; reports by analysts, banks, or rating agencies; or regulatory or financial publications.

– Making inquiries of the entity’s external legal counsel or of valuation experts that the entity has used. (ISA 315.A5)


Equity instrument?


• Inquiries may be directed toward the following persons to obtain an understanding of an entity and its environment, including internal control and identifying risks of material misstatement:– Inquiries directed towards those charged with governance

• may help the auditor understand the environment in which the financial statements are prepared

– Inquiries directed toward internal audit personnel • may provide information about internal audit procedures performed

during the year relating to the design and effectiveness of the entity’s internal control and whether management has satisfactorily responded to findings from those procedures.

– Inquiries of employees involved in initiating, processing or recording complex or unusual transactions • may help the auditor to evaluate the appropriateness of the selection

and application of certain accounting policies.

19

20

24/09/2019

11


Equity instrument?


– Inquiries directed toward in-house legal counsel • may provide information about such matters as litigation, compliance

with laws and regulations, knowledge of fraud or suspected fraud affecting the entity, warranties, postsales obligations, arrangements (such as joint ventures) with business partners and the meaning of contract terms.

– Inquiries directed towards marketing or sales personnel • may provide information about changes in the entity’s marketing

strategies, sales trends, or contractual arrangements with its customers– Inquiries directed to the risk management function

• may provide information about operational and regulatory risks that may affect financial reporting.

– Inquiries directed to information systems personnel • may provide information about system changes, system or control

failures, or other information system-related risks


Equity instrument?


• The following items or documents may be observed or inspected as part of the audit procedures:– The entity’s operations.– Documents (such as business plans and strategies), records,

and internal control manuals.– Reports prepared by management (such as quarterly

management reports and interim financial statements) and those charged with governance (such as minutes of board of directors’ meetings).

– The entity’s premises and plant facilities.

21

22

24/09/2019

12



• Risk assessment procedures by themselves, however, do not provide sufficient appropriate audit evidence on which to base the audit opinion. (ISA 315.5)

– Information obtained by performing risk assessment procedures and related activities may be used by the auditor as audit evidence to support assessments of the risks of material misstatement.

– In performing risk assessment procedures, the auditor may • obtain audit evidence about classes of transactions,

account balances, or disclosures, and related assertions, and about the operating effectiveness of controls, even though such procedures were not specifically planned as substantive procedures or as tests of controls.

• choose to perform substantive procedures or tests of controls concurrently with risk assessment procedures because it is efficient to do so.




• The auditor shall – consider whether information obtained from the auditor’s client acceptance

or continuance process is relevant to identifying risks of material misstatement.

– consider whether information obtained from other engagements (if any) is relevant to identifying risks of material misstatement

– determine whether changes have occurred since the previous audit that may affect its relevance to the current audit (If intends to use information obtained from previous audits).

– discuss the susceptibility of the entity’s financial statements to material misstatement, and the application of the applicable financial reporting framework to the entity’s facts and circumstances

– determine which matters are to be communicated to engagement team members not involved in the discussion. (ISA 315.7 to 10)


23

24

24/09/2019

13



• Obtaining an understanding of the entity and its environment, including the entity’s internal control is a continuous, dynamic process of gathering, updating and analyzing information throughout the audit.







Internal control




• The auditor uses professional judgment to determine the extent of the understanding required. – The auditor’s primary consideration is whether the understanding that has

been obtained is sufficient to meet the objective stated in ISA 315. – The depth of the overall understanding that is required by

the auditor is less than that possessed by management in managing the entity.

– Although the auditor is required to perform all the risk assessment procedures described in ISA 315.6 in the course of obtaining the required understanding of theentity, the auditor is not required to perform all of them for each aspect of that understanding.


25

26

24/09/2019

14


Today’s Agenda



Understanding of the Entity and its Environment

Petra @ Jordan Stephanie & Nelson © 2018

© 2013-2019 Nelson Consulting Limited 28Photo taken by Stephanie and Nelson © 2013Siosepol in Esfahan @ Iran

27

28

24/09/2019

15


ISA 315 – Understanding the Entity

Relevant industry,

regulatory, and other external factors

The nature of the entity

The entity’s objectives & strategies &

those related business risks

Measurement Measurement and review of

the entity’s financial

performance

The entity’s internal control

The entity’s selection and application of

accounting policies







Internal control



• The auditor shall obtain an understanding of the following:a. Relevant industry, regulatory, and other external factors including the

applicable financial reporting framework. b. The nature of the entity, including its operations, ownership and governance

structures, the type of investments, the structure and etc.c. The entity’s selection and application of accounting policies, including the

reasons for changes thereto.d. The entity’s objectives and strategies, and those related business risks that

may result in risks of material misstatement.e. The measurement and review of the entity’s financial performance (ISA 315.11)

ISA 315 – The Entity and Its Environment

Relevant industry,







performance


accounting policies

29

30

24/09/2019

16



1. Industry, Regulatory and Other External Factors, Including the Applicable Financial Reporting Framework – The auditor is required to obtain an understanding of relevant industry,

regulatory, and other external factors including the applicable financial reporting framework.• The nature of the business or the degree of regulation within industry

where the entity operates may give rise to specific risks of material misstatement.

• Legislative and regulatory requirements also often determine the applicable financial reporting framework to be used by the client.

Relevant industry,



Equity instrument?

ISA 315 – The Entity and Its EnvironmentExample

• Relevant industry, regulatory and other external factors that an auditor may consider include:– Industry factors, such as market and competition, cyclical or seasonal

activity, product technology relating to the entity’s products, and energy supply and cost.

– Regulatory factors include the regulatory environment, such as accounting principles and industry specific practices, regulatory framework for a regulated industry, taxation, government policies, and environmental requirements affecting the industry and the entity’s business.

– Other external factors, such as general economic conditions, inflation, currency revaluation, interest rates and availability of financing.Relevant

industry, regulatory, and other external factors

31

32

24/09/2019

17



2. Nature of the Entity– An auditor is required to obtain an understanding of the nature of the

entity. – The nature of an entity refers to:

a. its operations;b. its ownership and governance structures;c. the types of investments that the entity is making and plans to make,

including investments in special-purpose entities; andd. the way that the entity is structured and how it is financed.

– An understanding of the nature of an entity enables the auditor to understand the classes of transactions, account balances, and disclosures to be expected in the financial statements.




3. Selection and Application of Accounting Policies

– ISA 315 further requires the auditor to – obtain an understanding of the entity’s selection and application of

accounting policies and – consider whether the accounting policies are appropriate for its

business and consistent with the applicable financial reporting framework and accounting policies used in the relevant industry.


accounting policies

33

34

24/09/2019

18




– An understanding of the entity’s selection and application of accounting policies may encompass:

a. The methods the entity uses to account for significant and unusual transactions;

b. The effect of significant accounting policies in controversial or emerging areas for which there is a lack of authoritative guidance or consensus;

c. Changes in the entity’s accounting policies; andd. Financial reporting standards and laws and regulations that are new to the

entity and when and how the entity will adopt such requirements.


accounting policies




– Where the entity has changed its selection of or method of applying a significant accounting policy, the auditor considers the reasons for the change and whether it is appropriate and consistent with the requirements of

the applicable financial reporting framework.


accounting policies

35

36

24/09/2019

19



4. Objectives and Strategies and Related Business Risks– The auditor is required to obtain an understanding of

• the entity’s objectives and strategies, and • the related business risks that may result in material misstatement of

the financial statements.

– Business risks result from significant conditions, events, circumstances, actions or inactions that could adversely affect the entity’s ability to achieve its objectives and execute its strategies, or through the setting of inappropriate objectives and strategies





5. Measurement and Review of the Entity’s Financial Performance

– The auditor is required to obtain an understanding of • the measurement and review of the entity’s financial performance.

Performance measures, whether external or internal, create pressures on the entity that, in turn, may motivate managementto take action to improve the business performance or to misstate the financial statements.

Obtaining an understanding of theentity’s performance measuresassists the auditor in considering whether such pressures result in management actions that may have increased the risks of material misstatement.



performance

37

38

24/09/2019

20


Equity instrument?

ISA 315 – The Entity and Its EnvironmentExample

• An auditor may consider the following in obtaining an understanding the measurement and review of an entity’s financial performance:– Key ratios and operating statistics– Key performance indicators– Employee performance measures and incentive compensation policies– Trends– Use of forecasts, budgets and variance analysis– Analyst reports and credit rating reports– Competitor analysis– Period-on-period financial performance

(revenue growth, profitability, and/or leverage)Measurement Measurement and review of


performance


ISA 315 – Internal Control

• The auditor shall obtain an understanding of internal controlrelevant to the audit.– Although most controls relevant to the audit are likely to relate to financial

reporting, not all controls that relate to financial reporting are relevant to the audit.

– It is a matter of the auditor’s professional judgment whether a control, individually or in combination with others, is relevant to the audit. (ISA 315.12)


39

40

24/09/2019

21



Control Environment

The Entity’s Risk Assessment Process

The Information System

Control Activities

Monitoring of Controls

• The auditor shall obtain an understanding of the following components of internal control:





Control Environment

Obtain an understanding of the control environment. (ISA 315.14)Obtain an understanding of the control environment. (ISA 315.14)• The control environment includes the

governance and management functions and the attitudes, awareness, and actions of those charged with governance and management concerning the entity’s internal control and its importance in the entity.

• The control environment sets the tone of an organization, influencing the control consciousness of its people.

41

42

24/09/2019

22




Control Environment

Obtain an understanding of the control environment. (ISA 315.14)Obtain an understanding of the control environment. (ISA 315.14)• Elements of the control environment that may be

relevant when obtaining an understanding of the control environment include the following:

a. Communication and enforcement of integrity and ethical values

b. Commitment to competence

c. Participation by those charged with governance

d. Management’s philosophy and operating style

e. Organizational structure

f. Assignment of authority and responsibility

g. Human resource policies and practices




Control Environment

Obtain an understanding of the control environment. (ISA 315.14)Obtain an understanding of the control environment. (ISA 315.14)• Some elements of an entity’s control

environment have a pervasive effect on assessing the risks of material misstatement.

• The control environment in itself does not prevent, or detect and correct, a material misstatement. It may, however, influence the auditor’s evaluation of the effectiveness of

other controls (for example, the monitoring of controls and the operation of specific control activities) and

thereby, the auditor’s assessment of the risks of material misstatement.

43

44

24/09/2019

23




The Entity’s Risk Assessment Process

Obtain an understanding of whether the entity has a process for

a. identifying business risks relevant to financial reporting objectives

b. estimating the significance of the risksc. assessing the likelihood of their occurrence d. deciding about actions to address those

risks. (ISA 315.15)




The Information System

Obtain an understanding of the information system, including the related business processes, relevant to financial reporting, including the following areas:

a. The significant classes of transactions;

b. The procedures by which transactions are initiated, recorded, processed, corrected as necessary, transferred to the G/L and reported in the financial statements;

c. The related accounting records, supporting information and specific accounts in the F/S;

d. How the information system captures events and conditions;

e. The financial reporting process used to prepare the entity’s financial statements; &

f. Controls surrounding journal entries (ISA 315.18)

‒ The auditor shall obtain an understanding of how the entity communicates financial reporting roles and responsibilities and significant matters relating to financial reporting. (ISA 315.19)

45

46

24/09/2019

24




Control Activities

• The auditor shall obtain an understanding of control activities relevant to the audit (not all control activities), being those the auditor judges it necessary to understand in order to assess the risks of material misstatement at the assertion level and design further audit procedures responsive to assessed risks.

• In understanding the entity’s control activities, the auditor shall obtain an understanding of how the entity has responded to risks arising from IT. (ISA 315.20-21)




Monitoring of Controls

• The auditor shall obtain an understanding of the major activities that the entity uses to monitor internal control over financial reporting, and how the entity initiates remedial actions to deficiencies in its controls (ISA 315.22)

• The auditor shall obtain an understanding of the nature of the internal audit function’s responsibilities (if any) (ISA 315.23)

• The auditor shall obtain an understanding of the sources of the information used in the entity’s monitoring activities (ISA 315.24)

47

48

24/09/2019

25


ISA 315 – Requirements






Internal control







Today’s Agenda



Identifying and Assessing the Risks of Material Misstatement

49

50

24/09/2019

26

© 2013-2019 Nelson Consulting Limited 51Photo taken by Stephanie and Nelson © 2011Jerusalem @ Israel


ISA 315 – Identifying and Assessing Risks


Planning activities





Planning

Risk assessment

Audit Process


• What is audit risk? • What is risk of material misstatement?

51

52

24/09/2019

27



• What is audit risk? • What is risk of material misstatement?

• ISA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Standards on Auditing states that audit risk as: The risk that the auditor expresses an inappropriate audit

opinion when the financial statements are materially misstated.

A function of • the risks of material misstatement and • detection risk. (ISA 200.13)



Audit Risk

Risk of Material Misstatement Detection Risk

• ISA 200 specifically states that ‒ In conducting an audit of financial statements, the overall objectives of

the auditor are ...... to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement …… (ISA 200.11)

‒ To obtain reasonable assurance, the auditor shall obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level and thereby enable the auditor to draw reasonable conclusions on which to base the auditor’s opinion. (ISA 200.17)

53

54

24/09/2019

28



Audit Risk


Overall Financial Statement Level Assertion Level

• ISA 200 further states that ‒ The risks of material misstatement may exist at two levels:

1. The overall financial statement level; and2. The assertion level for classes of transactions, account balances,

and disclosures.


© 2013-2019 Nelson Consulting Limited 56Source: Auditing & Assurance in HK, 5th edition (2017) by Peter Lau and Nelson Lam


Audit Risk



Inherent Risk

Control Risk

2. Control risk

• ISA 200 also states that the risks of material misstatement at the assertion level consists of two components:

1. Inherent risk2. Control risk

55

56

24/09/2019

29



Audit Risk



Inherent Risk

Control Risk

• Even ISA 200 only states that inherent risk and control risk are considered at the assertion level, it is also common for the auditor to consider them at the overall financial statement level.

Inherent Risk

Control Risk




Risk of Material Misstatement


• Based on this audit risk framework, ISA 315 thus states (as discussed) that:‒ the objective of the auditor is to identify and assess the risks of material

misstatement, whether due to fraud or error, at the financial statementand assertion levels, through understanding the entity and its environment ......

57

58

24/09/2019

30









Internal control







• By performing risk assessment procedures and based on the understanding of the entity obtained, ISA 315 specifically requires– the auditor shall identify and assess the risks of material

misstatement at:a. the financial statement level; andb. the assertion level for classes of transactions, account balances, and

disclosures to provide a basis for designing and performing further audit procedures. (ISA 315.25)




59

60

24/09/2019

31



• For the purpose of identifying and assessing the risks of material misstatement, the auditor shall:

a. Identify risks throughout the process of obtaining an understanding of the entity and its environment, including relevant controls that relate to the risks, and by considering the classes of transactions, account balances, and disclosures in the financial statements;

b. Assess the identified risks, and evaluate whether they relate more pervasively to the financial statements as a whole and potentially affect many assertions;

c. Relate the identified risks to what can go wrong at the assertion level, taking account of relevant controls that the auditor intends to test; and

d. Consider the likelihood of misstatement, including the possibility of multiple misstatements, and whether the potential misstatement is (of a magnitude that, deleted in 2015) could result in a material misstatement. (ISA 315.26)



In 2015, disclosures further

qualitative aspects”

In 2015, disclosures further specified to “the quantitative or qualitative aspects”


ISA 315 – Risks at Fin. Statement Level

• Risks of material misstatement at the financial statement level refer to risks that – relate pervasively to the financial statements as a whole and – potentially affect many assertions.

• Risks of this nature are not necessarily risks identifiable with specific assertions at the class of transactions, account balance, or disclosure level. – Rather, they represent circumstances that may increase the

risks of material misstatement at the assertion level, for example, through management override of internal control.



61

62

24/09/2019

32



• Financial statement level risks may be especially relevant to the auditor’s consideration of the risks of material misstatement arising from fraud.







• Risks at the financial statement level may derive in particular from a deficient control environment (although these risks may also relate to other factors, such as declining economic conditions). For example, – deficiencies such as management’s lack of competence may have a more

pervasive effect on the financial statements and may require an overall response by the auditor. (ISA 315.A123)

• The auditor’s understanding of internal control may raise doubts about the auditability of an entity’s financial statements. For example:– Concerns about the integrity of the entity’s management may be so serious

as to cause the auditor to conclude that the risk of management misrepresentation in the financial statements is such that an audit cannot be conducted.

– Concerns about the condition and reliability of an entity’s records may cause the auditor to conclude that it is unlikely that sufficient appropriate audit evidence will be available to support an unmodified opinion on the financial statements.

Example

63

64

24/09/2019

33


ISA 315 – Risks at Assertion Level

• Risks of material misstatement at the assertion level for classes of transactions, account balances, and disclosures need to be considered – because such consideration directly assists in determining the nature,

timing, and extent of further audit procedures at the assertion level necessary to obtain sufficient appropriate audit evidence.

• In identifying and assessing risks of material misstatement at the assertion level, – the auditor may conclude that the identified risks relate more pervasively

to the financial statements as a whole and potentially affect many assertions.

Assertion level



• The risks of material misstatement at the assertion level consists of two components as follows:

1. Inherent risk ‒ The susceptibility of an assertion about a class

of transaction, account balance or disclosure toa misstatement that could be material, eitherindividually or when aggregated with othermisstatements, before consideration of any related controls.

2. Control risk‒ The risk that a misstatement that could occur in an assertion about a class of

transaction, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control.

• Both risks are the entity’s risks; they exist independently of the audit of the financial statements.

Assertion Level

Inherent Risk

Control Risk

Assertion level

65

66

24/09/2019

34



• The Use of Assertions– In representing that the financial statements

are in accordance with the applicable financial reporting framework, management implicitly or explicitly makes assertions regarding the recognition, measurement, presentation and disclosure of the various elements of financial statements and related disclosures.

Account Balances

Class of Transactions

Presentation and Disclosure


Assertion level

Before 2015 Amendments



• Assertions used by the auditor fall into the following categories:– About Classes of Transactions and Events for the period under audit

• Occurrence• Completeness• Accuracy• Cutoff• Classification

– About Account Balances at the period end• Existence• Rights and obligations• Completeness• Valuation and allocation

– About Presentation and Disclosure• Occurrence and rights and obligations• Completeness• Classification and understandability• Accuracy and valuation

Account Balances





Assertion level

67

68

24/09/2019

35



Source: The Guide to Using ISA in Audits of SME, 3rd edition (2011), by IFAC

Combined AssertionsClasses of

TransactionsAccount Balances


Existence/ occurrence √ √ √

Completeness √ √ √

Rights and obligations √ √

Accuracy / classification √ √

Cutoff √

Classification and understandability

√ √

Valuation and allocation √ √

• ISA 315.A124 (2012) describes three categories of assertions that can be used by the auditor to consider the different types of potential misstatements.

• Guide to Using International Standards on Auditing in the Audits of Small- and Medium-sized Entities, 3rd Edition, 2011, by IFAC SMPC (the Guide) described the categories in the exhibit as follows:




• Guide to Using International Standards on Auditing in the Audits of Small- and Medium-sized Entities, 3rd Edition, 2011, by IFAC SMPC (the Guide)

‒ To make the use of assertions a little easier to apply to smaller entities, the Guide combined the assertions into 4 combined assertions as follows:

Combined Assertions

Classes of Transactions

Account Balances


Completeness Completeness Completeness Completeness

Existence Occurrence Existence Occurrence

Accuracy andCut-off

Accuracy

Cut-off

Classification

Rights and obligations

Accuracy

Rights and obligations

Classification and understandability

Valuation Valuation and allocation

Valuation



69

70

24/09/2019

36



• The Guide also illustrated two levels of risk assessment in partial form as follows:





• In 2015, pursuant to the completion of the IAASB’s project “Addressing Disclosures in the Audit of Financial Statements” in 2015, ISA 315 is revised

• In 2018, the Guide is also updated to The Guide to Using International Standards on Auditing in the Audits of Small- and Medium-sized Entities, 4th Edition, 2018, by IFAC SMPC

As a result of 2015 Amendments

Account Balances




Account Balances and related disclosures

Account Balances and related disclosures

Class of Transactions and related disclosures

Class of Transactions and related disclosures

Assertion level

71

72

24/09/2019

37



• Guide to Using International Standards on Auditing in the Audits of Small- and Medium-sized Entities, 4th Edition, 2018, by IFAC SMPC (the Guide)

‒ Paragraph A124 of ISA 315 (Revised) describes the categories of assertions that can be used by the auditor to consider the different types of potential misstatements.

‒ The applicability of assertions to the financial statement areas is summarized:

Combined Assertions

Classes of Transactions and Related Disclosures

Account Balances and Related Disclosures

Existence/Occurrence

√ √

Completeness √ √

Rights and Obligations

√

Accuracy and Allocation

√ √

Valuation √

Cutoff √ √

Classification √ √

Presentation √ √Source: The Guide to Using ISA in Audits of SME, 4th edition (2018), by IFAC




• To make the use of assertions a little easier, the Guide combined the assertions into 4 combined assertions as follows:

CombinedAssertions

Classes of Transactions and Related Disclosures

Account Balances and Related Disclosures

Completeness (C) Completeness Completeness

Existence (E) Occurrence ExistenceRights and Obligations

Accuracy andValuation (AV)

AccuracyCut-offClassification

AccuracyValuationAllocationClassification

Presentation (P) Presentation Presentation

Source: The Guide to Using ISA in Audits of SME, 4th edition (2018), by IFAC


73

74

24/09/2019

38



Describe what can go wrong at assertion level

Can risks

assertions?

Can risks be related to

specific assertions?

Yes







• Information gathered by performing risk assessment procedures, including the audit evidence obtained in evaluating the design of controls and determining whether they have been implemented, is used as audit evidence to support the risk assessment.

• The risk assessment determines the nature, timing and extent of further audit procedures to be performed.

• In identifying the risks of material misstatement in the financial statements, the auditor exercises professional skepticism in accordance with ISA 200




75

76

24/09/2019

39


Equity instrument?

ISA 315 – Identifying and Assessing RisksExample

• Examples of conditions and events that may indicate the existence of risks of material misstatement:– Operations in regions that are economically unstable, for example,

countries with significant currency devaluation or highly inflationary economies.

– Operations exposed to volatile markets, for example, futures trading.– Operations that are subject to a high degree of complex regulation.– Going concern and liquidity issues including loss of significant customers.– Constraints on the availability of capital and credit.– Changes in the industry in which the entity operates.– Changes in the supply chain.– Developing or offering new products or services, or moving into new lines

of business.– Expanding into new locations.


Equity instrument?


– Changes in the entity such as large acquisitions or reorganizations or other unusual events.

– Entities or business segments likely to be sold.– The existence of complex alliances and joint ventures.– Use of off-balance-sheet finance, special-purpose entities, and other

complex financing arrangements.– Significant transactions with related parties.– Lack of personnel with appropriate accounting and financial reporting

skills.– Changes in key personnel including departure of key executives.– Deficiencies in internal control, especially those not addressed by

management.– Inconsistencies between the entity’s information technology (IT) strategy

and its business strategies.– Changes in the IT environment.

77

78

24/09/2019

40


Equity instrument?


financial guarantees and environmental remediation.

– Installation of significant new IT systems related to financial reporting.– Inquiries into the entity’s operations or financial results by regulatory or

government bodies.– Past misstatements, history of errors or a significant amount of

adjustments at period end.– Significant amount of non-routine or non-systematic transactions including

intercompany transactions and large revenue transactions at period end.– Transactions that are recorded based on management’s intent, for

example, debt refinancing, assets to be sold and classification of marketable securities.

– Application of new accounting pronouncements.– Accounting measurements that involve complex processes– Events or transactions that involve significant measurement uncertainty,

including accounting estimates.– Pending litigation and contingent liabilities, for example, sales warranties,

financial guarantees and environmental remediation.

© 2013-2019 Nelson Consulting Limited 80Photo taken by Stephanie and Nelson © 2015Shwedagon Pagoda @ Myanmar

79

80

24/09/2019

41


ISA 315 – Determining Significant Risks

• As part of the risk assessment, the auditor shall determine whether any of the risks identified are, in the auditor’s judgment, a significant risk.

• In exercising this judgment, the auditor shall exclude the effects of identified controls related to the risk. (ISA 315.27)

• Significant risk is an identified and assessed risk

of material misstatement that, in the auditor’s judgment, requires special audit consideration.



Describe what can go wrong at assertion level

Can risks

assertions?

Can risks be related to

specific assertions?

Yes

Significant Significant risk?





81

82

24/09/2019

42



• In exercising judgment as to which risks are significant risks, the auditor shall consider at least the following:

a. Whether the risk is a risk of fraud;b. Whether the risk is related to recent significant economic, accounting or

other developments and, therefore, requires specific attention;c. The complexity of transactions;d. Whether the risk involves significant transactions with related parties;e. The degree of subjectivity in the measurement of financial information

related to the risk, especially those measurements involving a wide range of measurement uncertainty; and

f. Whether the risk involves significanttransactions that are outside the normal course of business for the entity, or that otherwise appear to beunusual. (ISA 315.28)




• Significant risks often relate to significant non-routine transactions or judgmental matters.

– Non-routine transactions are transactions that are unusual, due to either size or nature, and that therefore occur infrequently.

– Judgmental matters may include the development of accounting estimates for which there is significant measurement uncertainty.

• Routine, non-complex transactions that are subject to systematic processing are less likely to giverise to significant risks.


83

84

24/09/2019

43




• Risks of material misstatement may be greater for risks relating to significant non-routine transactions arising from matters such as: – Greater management intervention to specify the accounting treatment. – Greater manual intervention for data collection and processing. – Complex calculations or accounting principles. – The nature of non-routine transactions, which may make it difficult for

the entity to implement effective controls over the risks.

Example

• Risks of material misstatement may be greater for risks relating to significant judgmental matters that require the development of accounting estimates, arising from matters such as the following: – Accounting principles for accounting estimates or revenue recognition may

be subject to differing interpretation. – Required judgment may be subjective, complex or require assumptions

about the effects of future events, for example, judgment about fair value.



• If the auditor has determined that a significant risk exists, – the auditor shall obtain an understanding of the entity’s

controls, including control activities, relevant to that risk. (ISA 315.29)


85

86

24/09/2019

44



• Although risks relating to significant non-routine or judgmental matters are often less likely to be subject to routine controls, – management may have other responses intended to deal with such risks – accordingly, the auditor’s understanding of whether the entity has

designed and implemented controls for significant risks arising from non-routine or judgmental matters includes whether and how management responds to the risks.

• Such responses might include:– Control activities such as a review of assumptions by senior

management or experts.– Documented processes for estimations.– Approval by those charged with

governance.



ISA 315 – Determining Other Risks

Risks for which Substantive Procedures Alone do not Provide Sufficient Appropriate Audit Evidence • In respect of some risks, the auditor may judge that it is not

possible or practicable to obtain sufficient appropriate audit evidence only from substantive procedures. – Such risks may relate to the inaccurate or incomplete recording of routine and

significant classes of transactions or account balances, the characteristics of which often permit highly automated processing with little or no manual intervention.

– In such cases, the entity’s controls over such risks are relevant to the audit and the auditor shall obtain an understanding of them.

Any examples?

87

88

24/09/2019

45


Any examples?


• Risks of material misstatement may relate directly to the recording of routine classes of transactions or account balances, and the preparation of reliable financial statements. – Such risks may include risks of inaccurate or incomplete processing for

routine and significant classes of transactions, such as an entity’s revenue, purchases, and cash receipts or cash payments.

– Where such routine business transactions are subject to highly automated processing with little or no manual intervention, it may not be possible to perform only substantive procedures in relation to the risk.

Example


Any examples?


• For example, the auditor may consider this to be the case in circumstances where a significant amount of an entity’s information is initiated, recorded, processed, or reported only in electronic form such as in an integrated system. In such cases:– Audit evidence may be available only in electronic form, and its sufficiency

and appropriateness usually depend on the effectiveness of controls over its accuracy and completeness.

– The potential for improper initiation or alteration of information to occur and not be detected may be greater if appropriate controls are not operating effectively.

Example

89

90

24/09/2019

46


ISA 315 – Risks in Respect of Disclosures

• As a result of the IAASB’s project “Addressing Disclosures in the Audit of Financial Statements” finalised in 2015,– ISA 315 is revised in 2015– ISA 315 (revised 2015) further states that

• the auditor’s consideration of disclosures in the financial statements when identifying risks includes quantitative and qualitative disclosures,

• the misstatement of which could be material, i.e., in general, misstatements are considered to be material if they could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements as a whole.



ISA 315 – Risks in Respect of Disclosures

• ISA 315 (revised 2015) further states:– As part of the discussion among the engagement team

required by ISA 315.10, consideration of the disclosure requirements of the applicable financial reporting framework assists in identifying early in the audit where there may be risks of material misstatement in relation to disclosures.


91

92

24/09/2019

47


Equity instrument?

ISA 315 – Risks in Respect of DisclosuresExample

• Examples of matters the engagement team may discuss include:– Changes in financial reporting requirements that may result in

significant new or revised disclosures;– Changes in the entity's environment, financial condition or

activities that may result in significant new or revised disclosures, for example, a significant business combination in the period under audit;

– Disclosures for which obtaining sufficient appropriate audit evidence may have been difficult in the past; and

– Disclosures about complex matters, including those involving significant management judgment as to what information to disclose.


Equity instrument?


• Depending on the circumstances of the entity and the engagement, examples of disclosures that will have qualitative aspects and that may be relevant when assessing the risks of material misstatement include disclosures about:– Liquidity and debt covenants of an entity in financial distress.– Events or circumstances that have led to the recognition of an impairment

loss.– Key sources of estimation uncertainty, including assumptions about the

future.– The nature of a change in accounting policy, and other relevant disclosures

required by the applicable financial reporting framework, where, for example, new financial reporting requirements are expected to have a significant impact on the financial position and financial performance of the entity.

93

94

24/09/2019

48


Equity instrument?


– Share-based payment arrangements, including information about how any amounts recognized were determined, and other relevant disclosures.

– Related parties, and related party transactions.– Sensitivity analysis, including the effects of changes in assumptions used in

the entity's valuation techniques intended to enable users to understand the underlying measurement uncertainty of a recorded or disclosed amount.


ISA 315 – Revision of Risk Assessment

• The auditor’s assessment of the risks of material misstatement at the assertion level may change during the course of the audit as additional audit evidence is obtained.

• In circumstances where the auditor obtains audit evidence from performing further audit procedures, or if new information is obtained, either of which is inconsistent with the audit evidence on which the auditor originally based the assessment, the auditor shall– revise the assessment and – modify the further planned

audit procedures accordingly.

95

96

24/09/2019

49


Any examples?

ISA 315 – Revision of Risk Assessment

• During the audit, information may come to the auditor’s attention that differs significantly from the information on which the risk assessment was based. For example:– The risk assessment may be based on an expectation that certain controls

are operating effectively.• In performing tests of those controls, the auditor may obtain audit

evidence that they were not operating effectively at relevant times during the audit.

– In performing substantive procedures the auditor may detect misstatements in amounts or frequency greater than is consistent with the auditor’s risk assessments.

• In such circumstances, the risk assessment may not appropriately reflect the true circumstances of the entity and the further planned audit procedures may not be effective in detecting material misstatements.

Example


Today’s Agenda



Documentation Requirements

97

98

24/09/2019

50

© 2013-2019 Nelson Consulting Limited 99Photo taken by Stephanie and Nelson © 2017Kyoto @ Japan


• The auditor shall include in the audit documentation:a. The discussion among the engagement team where required

by ISA 315.10 (susceptibility to material misstatement), and the significant decisions reached;

ISA 315 – Documentation

99

100

24/09/2019

51


• The auditor shall include in the audit documentation:b. Key elements of the understanding obtained regarding each of

the aspects• of the entity and its environment specified in ISA 315.11

and • of each of the internal control components specified in ISA

315.14-24; the sources of information from which the understanding was obtained; and the risk assessment procedures performed;




Relevant industry,







performance



accounting policies







Internal control


101

102

24/09/2019

52


• The auditor shall include in the audit documentation:c. The identified and assessed risks of material misstatement

• at the financial statement level and • at the assertion level as required by ISA 315.25; and

d. The risks identified, and related controls about which the auditor has obtained an understanding, as a result of the requirements in ISA 315.27-30.














Internal control





103

104

24/09/2019

53




Planning activities






Overall reviewing

Drawing conclusions and reporting

Planning

Risk assessment

Risk response

Reviewing and reporting

An audit is a cumulative and iterative process

Audit Process


© 2013-2019 Nelson Consulting Limited 106Photo taken by Stephanie and Nelson © 2018Yinchuan @ China

105

106

24/09/2019

54

© 2013-2019 Nelson Consulting Limited 107Rosetta Stone @ British Museum




Q&A SessionQ&A Session

© 2013-2019 Nelson Consulting Limited 108Rosetta Stone @ British Museum





Facebook.com/NelsonCFA

107

108