7/28/2019 SMP ISA Audit Guide Volume 1 3e
1/243
ThirdEdition
Guide to Using ISAs inthe Audits o Small-and Medium-Sized
EntitiesVolume 1 Core Concepts
7/28/2019 SMP ISA Audit Guide Volume 1 3e
2/243
Small and Medium Practices Committee
International Federation o Accountants
545 Fith Avenue, 14th Floor
New York, NY 10017 USA
This Implementation Guide was prepared by the Small and Medium Practices Committee o
the International Federation o Accountants (IFAC). The committee represents the interests
o proessional accountants operating in small- and medium-sized practices and other
proessional accountants who provide services to small- and medium-sized entities.
This publication may be downloaded ree o charge rom the IFAC website: www.iac.org. The
approved text is published in the English language.
The mission o IFAC is to serve the public interest, strengthen the worldwide accountancy
proession, and contribute to the development o strong international economies by
establishing and promoting adherence to high-quality proessional standards, urthering theinternational convergence o such standards, and speaking out on public interest issues where
the proessions expertise is most relevant.
For urther inormation, please email [email protected].
Copyright November 2011 by the International Federation o Accountants (IFAC). All rights
reserved. Permission is granted to make copies o this work provided that such copies are or
use in academic classrooms or or personal use and are not sold or disseminated and provided
that each copy bears the ollowing credit line: Copyright November 2011 by the International
Federation o Accountants (IFAC). All rights reserved. Used with permission o IFAC. Contact
[email protected] or permission to reproduce, store, or transmit this document.Otherwise,
written permission rom IFAC is required to reproduce, store, or transmit, or make other similar
uses o, this document, except as permitted by law. Contact [email protected].
ISBN: 978-1-60815-099-1
http://www.ifac.org/mailto:[email protected]:[email protected]:[email protected]:[email protected]://www.ifac.org/7/28/2019 SMP ISA Audit Guide Volume 1 3e
3/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
3
Contents
Volume 1 Primary ISA ReerencePage
Number
Preace 5
Request or Comments 61. How to Use the Guide 8
2. The ISAs 13
Core Concepts 21
3. Ethics, ISAs, and Quality Control ISQC 1, 200, 220 21
4. The Risk-Based AuditOverview Multiple 34
5. Internal ControlPurpose and Components 315 54
6. Financial Statement Assertions 315 80
7. Materiality and Audit Risk 320 87
8. Risk Assessment Procedures 240, 315 99
9. Responding to Assessed Risks 240, 300, 330, 500 109
10. Further Audit Procedures 330, 505, 520 120
11. Accounting Estimates 540 142
12. Related Parties 550 151
13. Subsequent Events 560 160
14. Going Concern 570 167
15. Summary o Other ISA Requirements 250, 402, 501, 510, 600, 610,
620, 720
177
16. Audit Documentation ISQC 1, 220, 230, 240, 300,
315, 330
211
17. Forming an Opinion on Financial Statements 700 224
7/28/2019 SMP ISA Audit Guide Volume 1 3e
4/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
4
Contents
Volume 2 Primary ISA Reerence
Page
Number
Preace 5
Request or Comments 61. How to Use the Guide 8
2. Introduction to the Case Studies 13
PHASE 1: Risk Assessment 24
3. Risk AssessmentOverview 24
Preliminary Activities 27
4. Engagement Acceptance and Continuance ISQC 1, 210, 220, 300 27
Planning the Audit 43
5. Overall Audit Strategy 300 43
6. Determining and Using Materiality 320, 450 54
7. Audit-Team Discussions 240, 300, 315 70
Perorming Risk Assessment Procedures 79
8. Inherent RisksIdentication 240, 315 79
9. Inherent RisksAssessment 240, 315 107
10. Signicant Risks 240, 315, 330 117
11. Understanding Internal Control 315 127
12. Evaluating Internal Control 315 141
13. Communicating Deciencies in Internal Control 265 17114. Concluding the Risk Assessment Phase 315 184
PHASE II: Risk Response 194
15. Risk ResponseAn Overview 194
16. The Responsive Audit Plan 260, 300, 330, 500 197
17. Determining the Extent o Testing 330, 500, 530 220
18. Documenting Work Perormed 230 249
19. Written Representations 580 253
PHASE III: Reporting 266
20. ReportingOverview 266
21. Evaluating Audit Evidence 220, 330, 450, 520, 540 269
22. Communicating with Those Charged with Governance 260, 265, 450 286
23. Modications to the Auditors Report 705 297
24. Emphasis o Matter and Other Matter Paragraphs 706 310
25. Comparative Inormation 710 316
7/28/2019 SMP ISA Audit Guide Volume 1 3e
5/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
5
Preace
Welcome to the third edition o the IFAC SMP Committees Guide to Using International Standards on Auditing
in the Audits o Small- and Medium-Sized Entities.
In this edition, we have taken the opportunity to rene some o the technical content and to make otherminor presentational improvements. Mindul, however, that many users may be in the process o translating
the Guide, we have endeavored to keep the revisions in this edition to a minimum.
First released in 2007 and developed with the Canadian Institute o Chartered Accountants (CICA), the Guide
is intended to enable practitioners to develop a deeper understanding o an audit conducted in compliance
with International Standards on Auditing (ISAs) through explanation and illustrative examples. It oers a
practical how-to audit approach that practitioners may use when undertaking a risk-based audit o an SME.
Ultimately, it should help practitioners conduct high-quality, cost-eective audits, enabling them to better
serve SMEs and, in turn, the wider public interest.
The Guide provides non-authoritative guidance on applying ISAs. It is not to be used as a substitute orreading the ISAs, but rather as a supplement to support consistent implementation o these standards in the
audits o SMEs. The Guide does not address all aspects o the ISAs, and should not be used or the purposes
o determining or demonstrating compliance with the ISAs.
In order to help member bodies maximize the use o both this Guide and its sister publication, the Guide
to Quality Control or Small- and Medium-Sized Practices, the SMP Committee is developing a companion
guide, along with additional materials designed to support the use o the Guides or education and training
purposes. The companion guide will include suggestions on how IFAC member bodies and rms may make
best use o the Guides to suit their own needs and jurisdictions.
Finally, we welcome readers to visit the SMP area o the IFAC website at www.iac.org/SMP or urther details
about the work o the IFAC SMP Committee and or access to a wide collection o additional ree publications
and resources.
Sylvie Voghel
Chair, IFAC SMP Committee
November 2011
7/28/2019 SMP ISA Audit Guide Volume 1 3e
6/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
6
Request or Comments
This is the third edition o the Guide. While we consider this Guide to be useul and o high quality, it can be
improved. We are committed to updating this Guide on a regular basis so as to ensure that it reects current
standards and is as useul as possible.
We welcome comments rom national standard setters, IFAC member bodies, practitioners, and others. In
particular, we welcome views on the ollowing questions.
1. How do you use the Guide? For example, do you use it as a basis or training and/or as a practical
reerence guide, or in some other way?
2. Do you consider the Guide to be sufciently tailored to the audit o SMEs?
3. Do you nd the Guide easy to navigate? I not, can you suggest how navigation can be improved?
4. In what other ways do you think the Guide can be made more useul?
5. Are you aware o any derivative productssuch as training materials, orms, checklists, and programs
that have been developed based on the Guide? I so, please provide details.
Please submit your comments to Paul Thompson, Deputy Director at:
Email: [email protected]
Fax: +1 212-286-9570
Mail: Small and Medium Practices Committee
International Federation o Accountants
545 Fith Avenue, 14th Floor
New York, NY 10017, USA
mailto:[email protected]:[email protected]7/28/2019 SMP ISA Audit Guide Volume 1 3e
7/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
7
Disclaimer
This Guide is designed to assist practitioners in the implementation o the International
Standards o Auditing (ISAs) on the audit o small- and medium-sized entities, but is not
intended to be a substitute or the ISAs themselves. Furthermore, a practitioner should
utilize this Guide in light o his/her proessional judgment and the acts and circumstances
involved in each particular audit. IFAC disclaims any responsibility or liability that may occur,
directly or indirectly, as a consequence o the use and application o this Guide.
7/28/2019 SMP ISA Audit Guide Volume 1 3e
8/2438
1. How to Use the Guide
The purpose o this Guide is to provide practical guidance to practitioners conducting audit engagements or
small- and medium-sized entities (SMEs). However, no material in the Guide should be used as a substitute or
ReadingandunderstandingtheISAs
It is assumed that practitioners have read the text o the International Standards on Auditing (ISAs)
which are contained in the Handbook o International Quality Control, Auditing, Review, Other Assurance,and Related Services Pronouncements, and which can be downloaded ree o charge rom the IAASB
Publications & Resources web page at www.iac.org/auditing-assurance/publications-resources (lter
by Handbooks, Standards, and Pronouncements). ISA 200.19 states that the auditor shall have an
understanding o the entire text o an ISA, including its application and other explanatory material,
to understand its objectives and to apply its requirements properly. The ISAs, as well as requently
asked questions (FAQs) and other support materials, can also be obtained rom the Clarity Center at
www.iac.org/auditing-assurance/clarity-center.
Useofprofessionaljudgment
In order to apply the ISAs eectively, proessional judgment is required based on the particular acts
and circumstances involved in the rm and each particular engagement.While it is expected that small- and medium-sized practices (SMPs) will be a signicant user group, this Guide
is intended to help all practitioners to implement ISAs on SME audits.
This Guide can be used to:
DevelopadeeperunderstandingofanauditconductedincompliancewiththeISAs;
Developastamanual(supplementedasnecessaryforlocalrequirementsandarmsprocedure)tobe
usedforday-to-dayreference,andasabasisfortrainingsessionsandindividualstudyanddiscussion;
and
Help ensure that sta adopt a consistent approach to planning and perorming an audit.
This Guide oten reers to an audit team, which implies that more than one auditor is involved in conducting
the audit engagement. However, the same general principles also apply to audit engagements perormed
exclusively by one person (the practitioner).
1.1 Reproduction, Translation, and Adaptation o the Guide
IFAC encourages and acilitates the reproduction, translation, and adaptation o its publications. Interested
parties wishing to reproduce, translate, or adapt this Guide should contact [email protected].
http://www.ifac.org/publications-resources/2012-handbook-international-quality-control-auditing-review-other-assurance-ahttp://www.ifac.org/publications-resources/2012-handbook-international-quality-control-auditing-review-other-assurance-ahttp://www.ifac.org/auditing-assurance/publications-resourcesmailto:[email protected]:[email protected]://www.ifac.org/auditing-assurance/publications-resourceshttp://www.ifac.org/publications-resources/2012-handbook-international-quality-control-auditing-review-other-assurance-ahttp://www.ifac.org/publications-resources/2012-handbook-international-quality-control-auditing-review-other-assurance-a7/28/2019 SMP ISA Audit Guide Volume 1 3e
9/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
9
1.2 Chapter Content and Organization
Rather than just summarize each ISA in turn, the Guide has been organized into two volumes as ollows:
Volume1CoreConcepts
Volume2PracticalGuidance
This is Volume 1 o the Guide, which provides an overview o the entire audit and a discussion o key audit
concepts such as materiality, assertions, internal control, risk assessment procedures, and the use o urther audit
procedures in responding to assessed risks. It also includes a summary o ISA requirements with respect to:
Specicareassuchasaccountingestimates,relatedparties,subsequentevents,goingconcern,andothers;
Documentationrequirements;and
Forminganopiniononthenancialstatements.
Volume 2 o the Guide ocuses on how to apply the concepts outlined in Volume 1. It ollows the typical
stages involved in perorming an audit, starting with client acceptance, planning, and risk assessment, and
then the risk response, evaluating audit evidence obtained, and orming an appropriate audit opinion.
Summary o Organization
Each chapter in both volumes o this Guide has been organized in the ollowing ormat:
ChapterTitle
AuditProcessChartExtract
Most chapters contain an extract rom the audit process chart (where applicable) to highlight the
particular activities addressed in the chapter.
ChapterContent
This outlines the content and purpose o the chapter.
RelevantISAs
Most chapters in this Guide begin with some extracts rom the ISAs that are relevant to the chapter
content. These extracts include relevant requirements and, in some cases, the objectives (sometimes
highlighted separately i/when a chapter ocuses primarily on one particular ISA), selected denitions,
and application material. The inclusion o these extracts is not meant to imply that other material in
the ISA not specically mentioned, or other ISAs that relate to the subject matter, do not need to be
considered. The extracts in the Guide are based solely on the judgment o the authors as to what is
relevant or the content o each particular chapter. For example, the requirements o ISAs 200, 220,
and 300 apply throughout the audit process, but have only been addressed specically in one or two
chapters.
OverviewandChapterMaterial
The overview in each chapter provides:
ExtractsfromapplicableISAs;and
An overview o what is addressed in the chapter.
The overview is ollowed by a more detailed discussion o the subject matter, and practical step-by-step
guidance/methodology on how to implement the relevant ISAs. This can include some cross-reerences
to the applicable ISAs. While the Guide ocuses exclusively on the ISAs (other than the 800 series)
that apply to audits o historical nancial inormation, reerence is also made to the Code o Ethics or
7/28/2019 SMP ISA Audit Guide Volume 1 3e
10/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
10
Proessional Accountants issued by the International Ethics Standards Board or Accountants (the IESBA
Code), and the International Standard on Quality Control 1 (ISQC 1), Quality Control or Firms that Perorm
Audits and Reviews o Financial Statements, and Other Assurance and Related Services Engagements.
ConsiderPoints
A number o Consider Points are included throughout the Guide. These Consider Points provide
practical guidance on audit matters that can easily be overlooked, or where practitioners may havedifculty understanding and implementing certain concepts.
IllustrativeCaseStudies
To demonstrate how the ISAs can be applied in practice, Volume 2 o the Guide includes two case
studies. At the end o many chapters within Volume 2, two possible approaches to documenting the
application o the ISA requirements are discussed. Please reer to Volume 2, Chapter 2 o this Guide or
details about the case studies.
The purpose o the case studies and the documentation presented are purely illustrative. The
documentation provided is a small extract rom a typical audit le, and it outlines just one possible way
o complying with the ISA requirements. The data, analysis, and commentary provided represent only
some o the circumstances and considerations that the auditor will need to address in a particular auditAs always, the auditor must exercise proessional judgment.
The rst case study is based on a ctional entity called Dephta Furniture. This is a local, amily-owned
urniture manuacturer with 15 ull-time employees. The entity has a simple governance structure, ew
levels o management, and straightorward transaction processing. The accounting unction uses an o-
the-shel, standard sotware package.
The second case study is based on another ctional entity called Kumar & Co. This is a micro-sized entity
with two ull-time sta plus the owner and one part-time bookkeeper.
Other IFAC Publications
This Guide may also be read in conjunction with TheGuide to Quality Control or Small- and Medium-Sized
Practices, which can be downloaded ree o charge rom the IFAC online publications and resources site at
http://web.iac.org/publications/small-and-medium-practices-committee/implementation-guides.
1.3 Glossary o Terms
The Guide uses many o the terms as dened in the IESBA Code, Glossary o Terms, and ISAs (as contained
in the Handbook o International Quality Control, Auditing, Review, Other Assurance, and Related Services
Pronouncements). Both partners and sta must be aware o these denitions.
The Guide also uses the ollowing terms:
Anti-Fraud Controls
These are controls designed by management to prevent or detect misstatements resulting rom raud. With
respect to management override, these controls may not prevent a raud rom occurring, but would act as a
deterrent and make perpetrating a raud more difcult to conceal. Typical examples are:
Policiesandproceduresthatprovideadditionalaccountability,suchassignedapprovalforjournal
entries;
Improvedaccesscontrolsforsensitivedataandtransactions;
http://web.ifac.org/publications/small-and-medium-practices-committee/implementation-guideshttp://web.ifac.org/publications/small-and-medium-practices-committee/implementation-guides7/28/2019 SMP ISA Audit Guide Volume 1 3e
11/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
1
Silentalarms;
Discrepancyandexceptionreports;
Audittrails;
Fraudcontingencyplans;
Humanresourceproceduressuchasidentifying/monitoringindividualswithabove-averagefraudpotential(forexample,anexcessivelylavishlifestyle);and
Mechanismsforreportingpotentialfraudsanonymously.
Entity-Level Controls
Entity-level controls address pervasive risks. They contribute to the tone at the top o an organization and
establish expectations or the control environment. They are oten less tangible than controls that operate
at the transaction level, but have a pervasive and signicant impact and inuence over all other internal
controls. As such, they orm the all-important oundation upon which other internal controls (i any) are built.
Examples o entity level controls include managements commitment to ethical behavior, attitudes toward
internal control, hiring and competence o sta employed, and anti-raud and period-end nancial reporting.These controls will have an impact on all other business processes within the entity.
Management
The person(s) with executive responsibility or the conduct o the entitys operations. For some entities in
some jurisdictions, management includes some or all o those charged with governanceor example,
executive members o a governance board, or an owner-manager.
Those Charged With Governance (TCWG)
The person(s) or organization(s) (or example, a corporate trustee) with responsibility or overseeing the
strategic direction o the entity and obligations related to the accountability o the entity. This includes
overseeing the nancial reporting process. For some entities, in some jurisdictions, those charged withgovernance may include management personnelor example, executive members o a governance board
o a private or public sector entity, or an owner-manager.
Owner-Manager
This reers to the proprietor o an entity involved in the running o the entity on a day-to-day basis. In most
instances, the owner-manager will also be the person charged with governance o the entity.
Small- and Medium-Sized Practice (SMP)
An accounting practice/rm that exhibits the ollowing characteristics:
Itsclientsaremostlysmall-andmedium-sizedentities(SMEs); Externalsourcesareusedtosupplementlimitedin-housetechnicalresources;and
It employs a limited number o proessional sta.
What constitutes an SMP will vary rom one jurisdiction to another.
7/28/2019 SMP ISA Audit Guide Volume 1 3e
12/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
12
1.4 Acronyms Used in the Guide
AR Accounts receivable
Assertions
(combined) C= Completeness
E = Existence
A = Accuracy and cutoV = Valuation
CAATs Computer-assisted audit techniques
CU Currency units (standard currency unit is reerred to as )
F/S Financial statements
HR Human resources
IAASB International Auditing and Assurance Standards Board
IC Internal Control. The ve major components o internal control are as ollows:
CA = Control activities
CE = Control environment
IS = Inormation systemsMO = Monitoring
RA = Risk assessment
IESBA Code IESBA Code o Ethics or Proessional Accountants
IFAC International Federation o Accountants
IFRS International Financial Reporting Standards
ISAs International Standards on Auditing
ISAEs International Standards on Assurance Engagements
IAPSs International Auditing Practice Statements
ISQC International Standard on Quality Control
ISREs International Standards on Review EngagementsISRSs International Standards on Related Services
IT Inormation technology
PC Personal computer
R&D Research and development
RMM Risks o material misstatement
RAPs Risk assessment procedures
SME Small- and medium-sized entity
SMP Small- and medium-sized practice
TOC Tests o controls
TCWG Those charged with governance
WP Work papers, working papers
7/28/2019 SMP ISA Audit Guide Volume 1 3e
13/243 1
2. The ISAs
Structure o the ISAs
The ISAs have a common structure, as outlined below.
ISA Element Comments
Introduction An explanation othe purpose and scope o the ISA, including how the ISA relatesto other ISAs, the subject matter o the ISA, specic expectations on the auditor and
others, and the context in which the ISA is set.
Objectives The objective to be achieved by the auditor as a result o complying with the
requirements o the ISA. To achieve the overall objectives o the auditor, the auditor is
required to use the objectives stated in relevant ISAs in planning and perorming the
audit, keeping in mind the interrelationships among the ISAs. ISA 200.21 (a) requires
the auditor to:
(a) Determine whether any audit procedures in addition to those required by the
ISAsarenecessaryinpursuanceoftheobjectivesstatedintheISAs;and
(b) Evaluate whether sufcient appropriate audit evidence has been obtained.Denitions A description o the meanings attributed to certain terms or purposes o the ISAs.
These are provided to assist in the consistent application and interpretation o the
ISAs. They are not intended to override denitions that may be established or other
purposes, such as those contained in laws or regulations. Unless otherwise indicated,
these terms carry the same meanings throughout the ISAs.
Requirements This section outlines the specic auditor requirements. Each requirement contains
the word shall. For example, ISA 200.15 contains the ollowing requirement:
The auditor shall plan and perorm an audit with proessional skepticism,
recognizing that circumstances may exist that cause the nancial statements to
be materially misstated.
7/28/2019 SMP ISA Audit Guide Volume 1 3e
14/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
14
ISA Element Comments
Application and
OtherExplanatory
Material
The application and other explanatory material provides urther explanation o the
requirements o an ISA, and guidance or carrying them out. In particular, it may:
Explainmorepreciselywhatarequirementmeansorisintendedtocover;
Whereapplicable,includeconsiderationsspecictosmallerentities;and
Includeexamplesofproceduresthatmaybeappropriateinthecircumstances.
However, the actual procedures selected by the auditor require the use o
proessional judgment based on the particular circumstances o the entity and
the assessed risks o material misstatement.
While such guidance does not in itsel impose a requirement, it is relevant to the proper
application o the requirements o an ISA. The application and other explanatory
material may also provide background inormation on matters addressed in an ISA.
Appendices Appendices orm part o the application and other explanatory material. The purpose
and intended use o an appendix are explained in the body o the related ISA, or
within the title and introduction o the appendix itsel.
2.1 ISA Index and Cross-Reerences
The ISA Framework is illustrated below.
International Standards on Quality Control ISQCs 199
International Framework for
Assurance Engagements (audit & review)
Historical
Financial Information
International
Standards
on Auditing
ISAs 100999
International
Standards
on Assurance
Engagements
ISAEs 30003699
International
Standards
on Related
Services
ISRSs 40004699
International
Auditing Practice
StatementsIAPSs 10001999
International
Standards on
Review
Engagements
ISREs 20002699
Other
Financial Information
International Standards
on Related Services
(compilations, etc.)
7/28/2019 SMP ISA Audit Guide Volume 1 3e
15/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
1
The ollowing table cross-reerences the ISAs and ISQC 1 to the corresponding chapters in the Guide. Note:
This table only includes cross-reerences to the chapters in the Guide in which the primary application
requirements o the respective standards are addressed. Further reerences to any given standard may also
appear in other chapters.
ISA/ISQC 1
Reerence
Volume and Chapters
V1 = Volume 1
V2 = Volume 2
ISQC 1 Quality Control or Firms that Perorm Audits and Reviews o FinancialStatements, and Other Assurance and Related Services Engagements
V1-3, 16V2-4
200 Overall Objectives o the Independent Auditor and the Conduct o anAudit in Accordance with International Standards on Auditing
V1-3, 4
210 Agreeing the Terms o Audit Engagements V2-4
220 Quality Control or an Audit o Financial Statements V1-3, 16, V2-4, 21
230 Audit Documentation V1-3, 16, V2-18
240 The Auditors Responsibilities Relating to Fraud in an Audit o FinancialStatements
V1-8, 9, 16V2-7, 8, 9, 10
250 Consideration o Laws and Regulations in an Audit o FinancialStatements
V1-15
260 Communication with Those Charged with Governance V2-16, 22
265 Communicating Deciencies in Internal Control to Those Chargedwith Governance and Management
V2-13, 22
300 Planning an Audit o Financial Statements V1-9, 16V2-4, 5, 7, 16
315 Identiying and Assessing the Risks o Material Misstatement throughUnderstanding the Entity and its Environment V1-4, 5, 6, 8, 16V2-7, 8, 9, 10, 11, 12, 14
320 Materiality in Planning and Perorming an Audit V1-7, V2-6
330 The Auditors Responses to Assessed Risks V1-4, 9, 10, 16V2-10, 16, 17, 21
402 Audit Considerations Relating to an Entity Using a Service Organization V1-15
450 Evaluation o Misstatements Identied during the Audit V2-6, 21, 22
500 Audit Evidence V1-9, V2-16, 17
501 Audit EvidenceSpecic Considerations or Selected Items V1-15
505 External Conrmations V1-10510 Initial Audit EngagementsOpening Balances V1-15
520 Analytical Procedures V1-10, V2-21
530 Audit Sampling V2-17
540 Auditing Accounting Estimates, Including Fair Value AccountingEstimates, and Related Disclosures
V1-11, V2-21
550 Related Parties V1-12
560 Subsequent Events V1-13
7/28/2019 SMP ISA Audit Guide Volume 1 3e
16/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
16
ISA/
ISQC 1
Reerence
Volume and Chapters
V1 = Volume 1
V2 = Volume 2
570 Going Concern V1-14
580 Written Representations V2-19600 Special ConsiderationsAudits o Group Financial Statements
(Including the Work o Component Auditors)V1-15
610 Using the Work o Internal Auditors V1-15
620 Using the Work o an Auditors Expert V1-15
700 Forming an Opinion and Reporting on Financial Statements V1-4, 17
705 Modications to the Opinion in the Independent Auditors Report V2-23
706 Emphasis o Matter Paragraphs and Other Matter Paragraphs in theIndependent Auditors Report
V2-24
710 Comparative InormationCorresponding Figures and ComparativeFinancial Statements
V2-25
720 The Auditors Responsibilities Relating to Other Inormation inDocuments Containing Audited Financial Statements
V1-15
800 Special ConsiderationsAudits o Financial StatementsPrepared in Accordance with Special Purpose Frameworks
Not addressed*
805 Special ConsiderationsAudits o Single Financial Statements andSpecic Elements, Accounts, or Items o a Financial Statement
Not addressed*
810 Engagements to Report on Summary Financial Statements Not addressed*
*ISAs 800, 805, and 810 were considered to have limited application in the audits o SMEs at the present time,so this edition o the Guide does not specically address them.
The ollowing table cross-reerences the Guides chapters to the principal ISA Chapters addressed.
Note: This table provides a general cross-reerence only. Many chapters in this Guide cover aspects
addressed by more than one particular ISA.
Chapter Title
ISA /ISQC 1
Reerence
V1 3 Ethics, ISAs, and Quality Control ISQC 1, 200, 220
V1 4 The Risk-Based AuditOverview Multiple
V1 5 Internal ControlPurpose and Components 315
V1 6 Financial Statement Assertions 315
V1 7 Materiality and Audit Risk 320
V1 8 Risk Assessment Procedures 240, 315
V1 9 Responding to Assessed Risks 240, 300,330, 500
V1 10 Further Audit Procedures 330, 505, 520
7/28/2019 SMP ISA Audit Guide Volume 1 3e
17/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
1
Chapter Title
ISA /ISQC 1
Reerence
V1 11 Accounting Estimates 540
V1 12 Related Parties 550
V1 13 Subsequent Events 560
V1 14 Going Concern 570
V1 15 Summary o Other ISA Requirements 250, 402, 501,510, 600, 610,
620, 720
V1 16 Audit Documentation ISQC 1, 220,230, 240, 300,
315, 330
V1 17 Forming an Opinion on Financial Statements 700
V2 4 Engagement Acceptance and Continuance ISQC 1, 210, 220,
300V2 5 Overall Audit Strategy 300
V2 6 Determining and Using Materiality 320, 450
V2 7 Audit Team Discussions 240, 300, 315
V2 8 Inherent RisksIdentication 240, 315
V2 9 Inherent RisksAssessment 240, 315
V2 10 Signicant Risks 240, 315, 330
V2 11 Understanding Internal Control 315
V2 12 Evaluating Internal Control 315
V2 13 Communicating Deciencies in Internal Control 265
V2 14 Concluding the Risk Assessment Phase 315
V2 16 The Responsive Audit Plan 260, 300, 330,500
V2 17 Determining the Extent o Testing 330, 500, 530
V2 18 Documenting Work Perormed 230
V2 19 Written Representations 580
V2 21 Evaluating Audit Evidence 220, 330, 450,520, 540
V2 22 Communicating with Those Charged with Governance 260, 265, 450
V2 23 Modications to the Auditors Report 705
V2 24 Emphasis o Matter and Other Matter Paragraphs 706
V2 25 Comparative Inormation 710
7/28/2019 SMP ISA Audit Guide Volume 1 3e
18/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
18
2.2 The Audit Process
The audit approach outlined in this Guide has been divided into three phasesrisk assessment, risk response,
and reporting. This is illustrated in Exhibit 2.2-1. For each o the audit phases, the exhibit outlines the major
activities, their purpose and the resulting documentation. Additional inormation on the activities and
documentation required in each o the three phases is outlined throughout this Guide and particularly in
Volume 2, which ollows a typical audit rom start to nish.
7/28/2019 SMP ISA Audit Guide Volume 1 3e
19/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
1
Exhibit 2.2-1
RiskResponse
Design overallresponses andfurther auditprocedures
Developappropriateresponses tothe assessed RMM3
Update of overall strategy
Overall responses
Audit plan that linksassessed RMM3 to furtheraudit procedures
Implement responsesto assessed RMM3
Reduce audit riskto an acceptably
low level
Work performed
Audit ndings
Sta supervisionWorking paper review
Reporting
Evaluate the auditevidence obtained
Determine whatadditional audit work(if any) is required
Prepare theauditors report
Form an opinionbased on auditndings
Signicant decisions
Signed audit opinion
RiskAssessment
Plan the auditDevelop an overallaudit strategy andaudit plan2
Materiality
Audit team discussions
Overall audit strategy
Listing of risk factors
Independence
Engagement letter
Perform preliminaryengagement
activities
Decide whether toaccept engagement
Performrisk assessment
procedures
Identify/assess RMM3
through understandingthe entity
Business & fraud risksincluding signicant risks
Design/implementation of
relevant internal controls
Assessed RMM3 at: F/S level Assertion level
no
yes
Notes:
1. Refer to ISA 230 for a more complete list of documentation required.2. Planning (ISA 300) is a continual and iterative process throughout the audit.
3. RMM = Risks of material misstatement.
Activity Purpose Documentation1
Isadditional
workrequired?
New/revised risk factorsand audit procedures
Changes in materiality
Communicationson audit ndings
Conclusions on auditprocedures performed
7/28/2019 SMP ISA Audit Guide Volume 1 3e
20/243
Volume 1
Core Concepts
7/28/2019 SMP ISA Audit Guide Volume 1 3e
21/243 2
3. Ethics, ISAs, and Quality Control
Chapter Content Relevant ISAs
Matters to be addressed in a rms system o quality control to ensure
compliance with ethical (including independence) requirements and
the ISAs.ISQC 1, 200, 220
Exhibit 3.0-1
Client acceptance
and continuance
Engagement
performance
Sta
management
Ethics and
independence
Firms Values and Goals
Leadership (Roles, assignments and accountability)
Documentation and Ongoing Monitoring(Firms QC system and engagement les)
Paragraph # ISQC/ISA Objective(s)
ISQC 1.11 The objective o the rm is to establish and maintain a system o quality control to provide it
with reasonable assurance that:
(a) The rm and its personnel comply with proessional standards and applicable legal andregulatoryrequirements;and
(b) Reports issued by the rm or engagement partners are appropriate in the circumstances.
220.6 The objective o the auditor is to implement quality control procedures at the engagement
level that provide the auditor with reasonable assurance that:
(a) The audit complies with proessional standards and applicable legal and regulatory
requirements;and
(b) The auditor's report issued is appropriate in the circumstances.
7/28/2019 SMP ISA Audit Guide Volume 1 3e
22/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
22
Paragraph # Relevant Extracts rom ISAs/ISQC 1
ISQC 1.13 Personnel within the rm responsible or establishing and maintaining the rms system
o quality control shall have an understanding o the entire text o this ISQC, including its
application and other explanatory material, to understand its objective and to apply its
requirements properly.
ISQC 1.18 The rm shall establish policies and procedures designed to promote an internal culture
recognizing that quality is essential in perorming engagements. Such policies and procedures
shall require the rms chie executive ofcer (or equivalent) or, i appropriate, the rms
managing board o partners (or equivalent) to assume ultimate responsibility or the rms
system o quality control. (Re: Para. A4-A5)
ISQC 1.19 The rm shall establish policies and procedures such that any person or persons assigned
operational responsibility or the rms system o quality control by the rms chie executive
ofcer or managing board o partners has sufcient and appropriate experience and ability,
and the necessary authority, to assume that responsibility. (Re: Para. A6)
ISQC 1.29 The rm shall establish policies and procedures designed to provide it with reasonable
assurance that it has sufcient personnel with the competence, capabilities, and commitment
to ethical principles necessary to:(a) Perorm engagements in accordance with proessional standards and applicable legal and
regulatoryrequirements;and
(b) Enable the rm or engagement partners to issue reports that are appropriate in the
circumstances. (Re: Para. A24-A29)
ISQC 1.32 The rm shall establish policies and procedures designed to provide it with reasonable
assurance that engagements are perormed in accordance with proessional standards and
applicable legal and regulatory requirements, and that the rm or the engagement partner
issue reports that are appropriate in the circumstances. Such policies and procedures shall
include:
(a) Mattersrelevanttopromotingconsistencyinthequalityofengagementperformance;
(Re: Para. A32-A33)
(b) Supervisionresponsibilities;and(Ref:Para.A34)(c) Review responsibilities. (Re: Para. A35)
ISQC 1.48 The rm shall establish a monitoring process designed to provide it with reasonable assurance
that the policies and procedures relating to the system o quality control are relevant,
adequate, and operating eectively. This process shall:
(a) Include an ongoing consideration and evaluation o the rms system o quality control
including, on a cyclical basis, inspection o at least one completed engagement or each
engagementpartner;
(b) Require responsibility or the monitoring process to be assigned to a partner or partners
or other persons with sufcient and appropriate experience and authority in the rm to
assumethatresponsibility;and
(c) Require that those perorming the engagement or the engagement quality control review
are not involved in inspecting the engagements. (Re: Para. A64-A68)
ISQC 1.57 The rm shall establish policies and procedures requiring appropriate documentation to
provide evidence o the operation o each element o its system o quality control. (Re: Para.
A73-A75)
200.14 The auditor shall comply with relevant ethical requirements, including those pertaining to
independence, relating to nancial statement audit engagements. (Re: Para. A14-A17)
7/28/2019 SMP ISA Audit Guide Volume 1 3e
23/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
2
Paragraph # Relevant Extracts rom ISAs/ISQC 1
200.15 The auditor shall plan and perorm an audit with proessional skepticism recognizing that
circumstances may exist that cause the nancial statements to be materially misstated. (Re:
Para. A18-A22)
200.16 The auditor shall exercise proessional judgment in planning and perorming an audit o
nancial statements. (Re: Para. A23-A27)220.17 On or beore the date o the auditors report, the engagement partner shall, through a review o
the audit documentation and discussion with the engagement team, be satised that sufcient
appropriate audit evidence has been obtained to support the conclusions reached and or the
auditors report to be issued. (Re: Para. A18-A20)
220.18 The engagement partner shall:
(a) Take responsibility or the engagement team undertaking appropriate consultation on
dicultorcontentiousmatters;
(b) Be satised that members o the engagement team have undertaken appropriate consultation
during the course o the engagement, both within the engagement team and between the
engagementteamandothersattheappropriatelevelwithinoroutsidetherm;
(c) Be satised that the nature and scope o, and conclusions resulting rom, such
consultationsareagreedwiththepartyconsulted;and(d) Determine that conclusions resulting rom such consultations have been implemented.
(Re: Para. A21-A22)
220.19 For audits o nancial statements o listed entities, and those other audit engagements, i any,
or which the rm has determined that an engagement quality control review is required, the
engagement partner shall:
(a) Determinethatanengagementqualitycontrolreviewerhasbeenappointed;
(b) Discuss signicant matters arising during the audit engagement, including those
identied during the engagement quality control review, with the engagement quality
controlreviewer;and
(c) Not date the auditors report until the completion o the engagement quality control
review. (Re: Para. A23-A25)
3.1 Overview
Perorming quality work begins with strong leadership within the rm and engagement partners committed
to the highest ethical standards.
This chapter ocuses on developing the system o quality control within a rm. It provides some practical
guidance on matters that need to be considered whenever a rm decides to perorm audit engagements.
The provision o quality audits and related services is vital to:
Safeguardingthepublicinterest;
Maintainingclientsatisfaction;
Deliveringvalueformoney;
Ensuringcompliancewithprofessionalstandards;and
Establishingandmaintainingaprofessionalreputation.
7/28/2019 SMP ISA Audit Guide Volume 1 3e
24/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
24
The IFAC Guide to Quality Control or Small- and Medium-Sized Practices provides a detailed description o
the quality control standards and guidance on how to implement a system o quality control or small- and
medium-sized practices (SMPs).2
The Code o Ethics or Proessional Accountants (eective January 1, 2011), issued by the IESBA, can be
downloaded rom the IFAC web site.3
3.2 Quality Control Systems
The system o quality control in an accounting rm could be mapped to the ve internal control elements
that auditors are required to evaluate as part o understanding any entity being audited. In a rm, these ve
internal control elements would also be applicable to control systems in place (other than quality control),
such as time and billing, ofce workow, expense control, and marketing activities.
The ollowing diagram maps the quality control elements outlined in ISQC 1 and ISA 220 to the ve internal
control components contained in ISA 315, which are applicable to entities being audited. Each o these ve
control elements is more ully addressed in Volume 1, Chapter 5 o this Guide.
Exhibit 3.2-1
Internal Control Elements
(ISA 315)Firm-Level QC Elements (ISQC 1)
Engagement-Level QC
Elements (ISA 220)
Control Environment
(Tone at the Top)Leadership Responsibilities orQuality within the Firm
Relevant Ethical Requirements
Human Resources
Leadership Responsibilities orQuality on Audits
Relevant Ethical Requirements
Assignment o Engagement Teams
Risk Assessment
(What Could Go Wrong?)Acceptance and Continuance oClient Relationships and SpecicEngagements
Acceptance and Continuance o ClientRelationships and Audit Engagements
Risks that the report might not beappropriate in the circumstances
Inormation Systems(Tracking perormance)
Quality Control SystemDocumentation
Audit Documentation
Control Activities (Prevent& detect/correct controls)
Engagement Perormance Engagement Perormance
Monitoring(Are the frms/engagements objectives beingmet?)
Ongoing Monitoring o the FirmsQuality Control Policies andProcedures
Applying Results o OngoingMonitoring to Specic AuditEngagements
3.3 The Control EnvironmentDelivery o high-quality and cost-eective services is the principal driver o success or proessional audit
rms. Quality service is also vital in relation to the public-interest responsibilities o proessional accountants.
Theprovisionofqualityservicesshouldalwaysbeakeyobjectiveinthermsbusinessstrategy;that
objective needs to be communicated to all personnel on a regular basis, and the results monitored. This
requires leadership and accountability or promised actions. Poor quality control can lead to inappropriate
opinions, poor client service, lawsuits, and loss o reputation.
2 The web link is http://web.iac.org/publications/small-and-medium-practices-committee/implementation-guides
3 The web link is (lter by Handbooks, Standards, and Pronouncements)
http://web.ifac.org/publications/small-and-medium-practices-committee/implementation-guideshttp://web.ifac.org/publications/small-and-medium-practices-committee/implementation-guides7/28/2019 SMP ISA Audit Guide Volume 1 3e
25/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
2
Hindrances to a strong tone at the top could include matters set out below.
Exhibit 3.3-1
Hindrance Description
Poor Attitudes A poor attitude is at the heart o most hindrances to quality. It includes such attitudes
(but not necessarily this extreme) as the ollowing: Firmcontinuallyoperatesinacrisismode;
Poorlyplannedengagementsandactivitiesarethenorm;
Poorcommitmenttoqualityorcompliancewiththehighestethicalstandards;
Notcaringabouttheexpectationsofqualitybythepublicandotherstakeholders;
Regardingchangesinauditingstandardsasonlyapplicabletobigentities.
Some practices and terminology may get changed to demonstrate compliance
onthesurface,butinsubstance,theoldauditpracticescontinueasbefore;
Beliefthatthereisnorisktotherminsmallauditssoworkperformedshould
beminimal;
Auditworktailoredtothefeereceivednottheriskinvolved;
Clientsconsideredtotallytrustworthybythecontrolpartner; Minimizingoravoidingtheneedforengagementqualitycontrolreviews;
Beliefthat,becausetheclientspaythebill,theymustgetwhattheywant;
Partnerskeeping(oraccepting)anauditclient(forthefeesgenerated)even
thoughitis(wouldbe)highlyriskyfortherm;
Unwillingnesstoadoptstandardrmpoliciesonqualitycontrol.Apartner
wants les and working papers to be prepared his/her way without regard or
whatothersdo;and
Askingstatofollowthermspolicies,butnotcomplyingpersonally(i.e.,do
what I say, not what I do).
UnwillingnesstoInvestinTraining
or Development
Conducting a quality audit is dependent on attracting and retaining qualiedand competent people to perorm the work. This requires ongoing proessional
development and perormance appraisals or all partners and proessional sta (every
period). Lack o investment in sta also leads to sta turnover.
Lack o Discipline A ailure to discipline partners or sta when the rms policies are willully
contravened sends a very clear message to personnel that written policies are really
not that important. This undermines compliance with all o the rms policies, and
increases the risk to the rm.
A healthy tone at the top can be set by the rms management and engagement partners through the
ollowing activities.
7/28/2019 SMP ISA Audit Guide Volume 1 3e
26/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
26
Exhibit 3.3-2
SettingtheTone Description
Establish theFirmsObjectives,Priorities,and
Values
This could include:
Anunwaveringcommitmenttoqualityandhighethicalstandards;
Investmentinstaslearning,training,andskillsdevelopment;
Investmentintherequiredtechnological,human,andnancialresources; Policiestoensuresoundengagementandscalmanagement;and
Risktolerancesforuseindecision-making.
CommunicateRegularly
Reinorce the rms values and commitments by communicating regularly
(verbally and in writing) with sta. Communications would address the need or
integrity, objectivity, independence, proessional skepticism, sta development,
and accountability to the public. Communications could be made through the
perormance-appraisal system, partner updates, emails, ofce meetings, and internal
newsletters.
Updatethe
Quality ControlManual
Each period, update the rms quality control policies and procedures to address
weaknesses and any new requirements.
Hold PeopleAccountable
Assign clear responsibilities and accountabilities or quality-control unctions (such as
independence issues, consultation, le review, etc.).
Develop StaCompetence andRewardQualityWork
Develop sta through:
Clearjobdescriptionsanddocumentedannualperformanceappraisalsthat
makequalityofworkapriority;
Providingincentives/rewardsfordeliveringqualitywork;and
Takingdisciplinaryactionwhenthermspoliciesarewillully contravened.
Continually
Improve
Take prompt action to correct deciencies when identied, such as through the
rms engagement le monitoring, including the cyclical inspection o completedengagement les.
SetanExample Provide sta with a role model in the positive example set by partners in their day-
to-day behavior. For example, i a policy emphasizes the need or quality work, a sta
member should then not be criticized or legitimately going over the budgeted time.
3.4 Firm Risk Assessment
Risk management is an ongoing process that helps a rm to anticipate negative events, develop a ramework
or eective decision-making, and protably deploy the rms resources.
Some orm o risk management occurs in most rms, and it is oten inormal and undocumented. Individual
partners typically identiy risks and respond to them based on their direct involvement with the rm and
with their clients. Formalizing and documenting the process or the rm as a whole is a proactive and
more eective approach to risk assessment. This does not have to be time-consuming or cumbersome to
implement. Notably, eectively managing the rms risk assessment can result in less stress or partners and
sta, savings in time and costs, and improved chances o achieving the rms goals.
A simple risk assessment process can be used in any size o rm, even a sole proprietorship. It consists o the
ollowing activities.
7/28/2019 SMP ISA Audit Guide Volume 1 3e
27/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
2
Exhibit 3.4-1
Activity Description
Establish the Risk
Tolerancesforthe
Firm
These tolerances could be quantitative amounts, such as allowable write-os o
work in process, or qualitative actors, such as characteristics o clients that would
not be acceptable to the rm. Once established, these tolerances provide partners
and sta with a useul reerence point or decision-making (e.g., write-os and clientacceptance, etc.).
Identiy What Can
Go WrongIdentiy the events (that is, the risk actors or exposures) that could prevent the rm
rom achieving its stated goals. This step implies that the rm has already established
clear objectives and a commitment to perorming quality work.
Prioritize Risks Using the risk tolerances established above, prioritize the events identied based on
an assessment o likelihood and impact.
What is the
Response
Needed?
Develop an appropriate response to the assessed risks to reduce the potential impact
to within the rms acceptable tolerances. Potential events (risks) with the highest
priority would be addressed rst.
Assign
ResponsibilityFor all risks that require action or monitoring, assign someone with the responsibility
to take the appropriate action and to manage the risk on a day-to-day basis.
MonitorProgress Require periodic (simple) reports rom each person assigned to manage risks on
behal o the rm (this could address matters such as compliance with the rms
quality control procedures, training requirements, sta appraisals, and independence
issues addressed).
A sample o a rms risk assessment worksheet could be as shown in the ollowing exhibit.
7/28/2019 SMP ISA Audit Guide Volume 1 3e
28/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
28
Exhibit 3.4-2
3.5 Inormation Systems
Most rms have well-developed inormation systems or keeping track o clients, time and billing,
expenditures, sta, and engagement le management. However, inormation systems that track the quality o
work produced and compliance with the rms quality control manual are oten not as well developed.
Inormation systems should also be designed to address the risks identied and assessed as part o the rms
risk assessment process.
Aspects o quality control that merit documentation and ongoing review include keeping track o the matters
set out in the ollowing exhibit.
7/28/2019 SMP ISA Audit Guide Volume 1 3e
29/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
2
Exhibit 3.5-1
Keep track o: Description
Firms RiskExposureand Stas
Commitmentto Quality
Clientacceptance/continuanceassessments.
Reportsfromallpersonsresponsibleforsomeaspectofquality.Thiscould
include minutes o committee meetings (i.e., quality control), issues addressed,
or simply that there is nothing to report. Firm-widecommunicationsonthesubjectofquality.
Mostrecentmonitoringreport,andthespecicactionstepsrequiredforeach
deciency ound or recommendation made (who, what, when, etc.). Also track
dates when action steps are completed and send out reminders when necessary.
Detailsofanyclientorthird-partycomplaintsaboutthermsworkorthe
behavior o the rms personnel. Also track how these complaints were
investigated, the results and communication with the complainant, and any
actions taken.
Ethics and
Independence
Listofprohibitedinvestments.
Detailsonwhatethical(includingindependence)threatswereidentied,andthe relevant saeguards that have been applied to eliminate or at least mitigate
such threats.
Personnel Oerofemployment.
Evidenceofreferencechecksperformedonnewemployees.
Actionstomentor,guide,andtrainnewrecruits.
Copyanddateoftheannualstaconrmationsonindependence,andsta
knowledge o the rms quality control manual.
Evidenceofstaappraisals,includingthedate,andanyactionsresultingsuchas
attending training, etc.
Stascheduling,withcomparisonsofplannedschedulingtoactual.
Datesofinternalandexternaltrainingsessions,thetopicscovered,andthe
names o those who attended.
Detailsofanydisciplinaryactionstaken.
EngagementManagement
Datestheteamplanningmeetingwasscheduledandwhenitactuallytook
place or all audit engagements.
Whatlesrequireengagementqualitycontrolreviews,whoisassigned,and
theplanneddate.Thenmatchtheplantowhoactuallyperformedthereview;
whenitoccurred;andanyissuesraisedandtheirresolution.
ReasonsforanydeparturesfromanyapplicableISArequirement,andthe
alternative audit procedures perormed to achieve the aim o that requirement.
Detailsofconsultationswithothers,andresolutionofaudit/accountingissuesraised, i any.
Reasonsforengagementdelaysandhowsuchdelayswereaddressed
and resolved. These could include changes in sta personnel, delays in
obtaining inormation, unavailability o client sta, scope restrictions, and any
disagreements with client management.
Datingoftheauditorsreportandcompliancewiththe60-dayrecommendation
or assembly o nal engagement les.
Howmonitorscommentsonthelewereaddressed.
7/28/2019 SMP ISA Audit Guide Volume 1 3e
30/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
30
3.6 Control Activities
Control activities are designed to ensure compliance with the rms established policies and procedures.
One possible way to design, implement, and monitor quality control is to ollow the PDCA (plan-do-check-
act) process. Each o the elements is described below.
Exhibit 3.6-1
Step Description
PLAN Establish the objectives and quality control processes necessary to deliver the
required outputs.
DO Implement the new processes, oten on a small scale i possible.
CHECK Measure the new processes, and compare the results against the expected results to
ascertain any dierences.
ACT Analyze the dierences to determine their cause. Each will be part o either one
or more o the P-D-C-A steps. Determine where to apply changes that includeimprovement.
For example, a rm objective may be not to release the audit report until all queries and outstanding items
have been cleared. The required policy is that the nal engagement report may not be released, led, or
otherwise distributed until certain specied approvals have been obtained. Implementation o the policy
could be controlled through a nal release process wherein a person veries that all approvals have in act
been obtained and documented. The eectiveness o the policy could be checked by periodic inspections o
the approval sign-os. I deviations are identied, the reasons would be investigated, and appropriate action
such as discipline, training, or changes in the policy would be considered.
Control activities to address all policies and procedures would not be possible or cost-eective. Firms shoulduse proessional judgment and their assessment o risk to determine what controls need to be implemented.
Control activities could be considered or:
Allthepoliciesandproceduresdocumentedinthermsqualitycontrolmanual;
Oceworkowpolicies;
Operationalpoliciesandprocedures;and
Otherpersonnel-relatedpoliciesandprocedures.
The scope or control-activity design would address all the quality control, ethical, and independence
requirements and the rms compliance with ISAs relevant to the audit.
7/28/2019 SMP ISA Audit Guide Volume 1 3e
31/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
3
Exhibit 3.6-2
Complying with ISAs Relevant to the Audit
Scope of Possible Control Activities:
Firms Values and GoalsLeadership & assigning of QC responsibilities
Risk assessment
Sta development, management, & disciplineInformation systems (independence, scheduling, clients, sta, etc.)
Documenting the QC system
QC monitoring and continual improvement
Firm
Level
Engagement
Level
LeadershipEthics and
Independence
Professional
Judgment
Professional
Skepticism
Supervision and
File Reviews
ClientAcceptance
Assign StaResponsibilities
Consultationand Use of
Experts
Documentation Release ofAudit Report
3.7 Monitoring
An important element o a control system is the monitoring o its tness and operational eectiveness.
This can be achieved through an independent review o the operating eectiveness o the rm-level and
engagement-level policies/procedures, and inspection o completed engagement les.
An eective monitoring process helps to develop a culture o continual improvement, wherein partners and
sta are committed to quality work and rewarded or improving perormance.
A rms monitoring process could be divided into two parts, as ollows:
Ongoingmonitoring (other than the cyclical le inspections)
An ongoing (suggest annual) consideration and evaluation o the rms system o quality control helps to
ensure that the policies and procedures in place are relevant, adequate, and operating eectively. When
perormed and documented on an annual basis, this monitoring will support the requirement to
communicate with sta each year about the rms plans to improve engagement quality. This scope o
ongoing monitoring addresses each o the quality control elements, and includes an assessment o whether:
The rms quality control manual has been updated or new requirements and developments,
Those assigned quality control responsibilities in the rm (i any) have actually ullled their roles, Written conrmations (by partners and sta) have been obtained to ensure each individuals
compliance with the rms policies and procedures on independence and ethics,
There is ongoing proessional development or partners and sta,
Decisions related to acceptance and continuance o client relationships and specic engagements
are in compliance with the rms policies and procedures,
The code o ethics has been ollowed,
Suitably qualied people were assigned as the engagement quality control reviewers and
7/28/2019 SMP ISA Audit Guide Volume 1 3e
32/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
32
completion o such reviews occurred beore the audit report was dated,
Communication has been made to the appropriate personnel about deciencies that have been
identied, and
Appropriate ollow-up has been made to ensure that identied deciencies in quality have been
addressed on a timely basis.
CyclicalcompletedleinspectionsThe ongoing consideration and evaluation o the rms system o quality control includes a cyclical
inspection o at least one completed engagement le or each partner. This is required to ensure
compliance with proessional/legal requirements, and that assurance reports being issued are
appropriate in the circumstances. Cyclical inspections help to identiy deciencies and training needs,
and enable the rm to make necessary changes, on a timely basis.
Upon completion o the review, the monitor would prepare a report that, ater discussion with the partners,
would be communicated to all managers and proessional sta along with the action steps to be taken.
Who can be appointed as monitor?
Monitoringofrm-levelpoliciesThe review o compliance with the rms policies would be perormed by a suitably qualied person who
ideally is not also responsible or managing or developing quality control within the rm. However, ISQC 1
recognizes that this may not always be possible in smaller rms, so sel-monitoring is acceptable. Alternatively,
an individual external to the rm, with the competence and capabilities to act as an engagement partner,
could be appointed. This would enhance the independence and objectivity o the rm.
Completedleinspections
The person appointed to inspect completed engagement les must be suitably qualied, and must not
have been involved in perorming the engagement or the engagement quality control review on the le.
3.8 Compliance with Relevant ISAs
Paragraph # Relevant Extracts rom ISAs
200.18 The auditor shall comply with all ISAs relevant to the audit. An ISA is relevant to the audit when
the ISA is in eect and the circumstances addressed by the ISA exist. (Re: Para. A53-A57)
200.22 Subject to paragraph 23, the auditor shall comply with each requirement o an ISA unless, in
the circumstances o the audit:
(a) TheentireISAisnotrelevant;or
(b) The requirement is not relevant because it is conditional and the condition does not exist.
(Re: Para. A72-A73)
200.23 In exceptional circumstances, the auditor may judge it necessary to depart rom a relevant
requirement in a ISA. In such circumstances, the auditor shall perorm alternative audit
procedures to achieve the aim o that requirement. The need or the auditor to depart rom
a relevant requirement is expected to arise only where the requirement is or a specic
procedure to be perormed and, in the specic circumstances o the audit, that procedure
would be ineective in achieving the aim o the requirement. (Re: Para. A74)
230.12 I, in exceptional circumstances, the auditor judges it necessary to depart rom a relevant
requirement in an ISA, the auditor shall document how the alternative audit procedures perormed
achieve the aim o that requirement, and the reasons or the departure. (Re: Para. A18-A19)
7/28/2019 SMP ISA Audit Guide Volume 1 3e
33/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
3
The ISAs set out the responsibilities and requirements o auditors in conducting an audit. As stated in ISA
200.18, 22, and 23, each relevant requirement (set out in the requirements section o the ISAs) is to be
ollowed by the auditor, except in exceptional circumstances, where alternative audit procedures would
be perormed to achieve the aim o that particular requirement. Note the ollowing.
Exhibit 3.8-1
ISAs Description
Status The ISAs, taken together, provide the standards or the auditors work in ullling theoverall objectives o the auditor.
The ISAs deal with the general responsibilities o the auditor, as well as the auditors urtherconsiderations relevant to the application o those responsibilities to specic topics.
Relevance Some ISAs (and thereore all o their requirements) may not be relevant in thecircumstances (e.g., internal audit or group accounts).
Some ISAs contain conditional requirements. These requirements are relevant whenthe circumstances envisioned apply and the condition exists.
Departures rom relevant ISA requirements need to be documented, along with thealternative audit procedures perormed and the reasons or the departure.
LocalLaws Auditors may be required (in addition to the ISAs) to comply with certain legal orregulatory requirements or other auditing standards o a specic jurisdiction or country.
Other The scope, eective date, and any specic limitation o the applicability o a specicISA is made clear in the ISA. However, the eective date o the ISA may also beaected by legal requirements in a particular jurisdiction.
Unless otherwise stated in the ISA, the auditor is permitted to apply an ISA beore theeective date specied therein.
7/28/2019 SMP ISA Audit Guide Volume 1 3e
34/24334
4. The Risk-Based Audit Overview
Chapter Content Relevant ISAs
Auditor objectives, basic elements, and approach to perorming
a risk-based audit. Multiple
Exhibit 4.0-1
Evaluate the audit
evidence obtained
Prepare the
auditors report
Perform riskassessment
procedures
Plan the auditDesign further
audit procedures
Perform further
audit proceduresR
iskAssessment
RiskResponse
Reporting
Paragraph # ISA Objective(s)
200.11 In conducting an audit o nancial statements, the overall objectives o the auditor are:
(a) To obtain reasonable assurance about whether the nancial statements as a whole are ree
rom material misstatement, whether due to raud or error, thereby enabling the auditor
to express an opinion on whether the nancial statements are prepared, in all material
respects,inaccordancewithanapplicablenancialreportingframework;and
(b) To report on the nancial statements, and communicate as required by the ISAs, in
accordance with the auditors ndings.
7/28/2019 SMP ISA Audit Guide Volume 1 3e
35/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
3
Paragraph # Relevant Extracts rom ISAs
200.3 The purpose o an audit is to enhance the degree o condence o intended users in the
nancial statements. This is achieved by the expression o an opinion by the auditor on
whether the nancial statements are prepared, in all material respects, in accordance with an
applicable nancial reporting ramework. In the case o most general purpose rameworks,
that opinion is on whether the nancial statements are presented airly, in all materialrespects, or give a true and air view in accordance with the ramework. An audit conducted
in accordance with ISAs and relevant ethical requirements enables the auditor to orm that
opinion. (Re: Para. A1)
200.5 As the basis or the auditors opinion, ISAs require the auditor to obtain reasonable assurance
about whether the nancial statements as a whole are ree rom material misstatement,
whether due to raud or error. Reasonable assurance is a high level o assurance. It is obtained
when the auditor has obtained sufcient appropriate audit evidence to reduce audit risk (i.e.,
the risk that the auditor expresses an inappropriate opinion when the nancial statements
are materially misstated) to an acceptably low level. However, reasonable assurance is not an
absolute level o assurance, because there are inherent limitations o an audit which result in
most o the audit evidence on which the auditor draws conclusions and bases the auditors
opinion being persuasive rather than conclusive. (Re: Para. A28-A52)
200.A34 The risks o material misstatement may exist at two levels:
Theoverallnancialstatementlevel;and
Theassertionlevelforclassesoftransactions,accountbalances,anddisclosures.
200.A40 The ISAs do not ordinarily reer to inherent risk and control risk separately, but rather to a
combined assessment o the risks o material misstatement. However, the auditor may
make separate or combined assessments o inherent and control risk depending on preerred
audit techniques or methodologies and practical considerations. The assessment o the risks
o material misstatement may be expressed in quantitative terms, such as in percentages,
or in non-quantitative terms. In any case, the need or the auditor to make appropriate risk
assessments is more important than the dierent approaches by which they may be made.
200.A45 The auditor is not expected to, and cannot, reduce audit risk to zero and cannot thereore obtainabsolute assurance that the nancial statements are ree rom material misstatement due to
raud or error. This is because there are inherent limitations o an audit, which result in most o
the audit evidence on which the auditor draws conclusions and bases the auditors opinion being
persuasive rather than conclusive. The inherent limitations o an audit arise rom:
Thenatureofnancialreporting;
Thenatureofauditprocedures;and
Theneedfortheaudittobeconductedwithinareasonableperiodoftimeandata
reasonable cost.
4.1 OverviewThe auditors overall objectives as stated in ISA 200.11 can be summarized as ollows:
Toobtainreasonableassuranceaboutwhetherthenancialstatementsasawholearefreefrom
material misstatement, whether due to raud or error, thereby enabling the auditor to express an
opinion on whether the nancial statements are prepared, in all material respects, in accordance with an
applicablenancialreportingframework;and
Toreportonthenancialstatements,andcommunicateasrequiredbytheISAs,inaccordancewiththe
auditors ndings.
7/28/2019 SMP ISA Audit Guide Volume 1 3e
36/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
36
Reasonable Assurance
Reasonable assurance is a high but not absolute level o assurance. It is obtained when the auditor has
obtained sufcient appropriate audit evidence to reduce audit risk (that is, the risk that the auditor expresses
an inappropriate opinion when the nancial statements are materially misstated) to an acceptably low level.
The auditor cannot provide absolute assurance due to the inherent limitations in the work carried out. This
results rom the majority o audit evidence (on which the auditor draws conclusions and bases the auditors
opinion) being persuasive rather than conclusive.
Inherent Limitations o an Audit
The ollowing exhibit outlines some o the inherent limitations o audit work perormed.
Exhibit 4.1-1
Limitations Reasons
TheNature
o Financial
Reporting
The preparation o nancial statements involves:
Judgment by management in applying the applicable nancial reporting
framework;and
Subjective decisions or assessments (such as estimates) by management
involving a range o acceptable interpretations or judgments.
Nature o Audit
Evidence AvailableMost o the auditors work in orming the auditors opinion consists o obtaining and
evaluating audit evidence. This evidence tends to be persuasive in character rather
than conclusive.
Audit evidence is primarily obtained rom audit procedures perormed during the course
o the audit. It may also include inormation obtained rom other sources such as:
Previousaudits;
Armsqualitycontrolproceduresforclientacceptanceandcontinuance;
Theentitysaccountingrecords;and Audit evidence prepared by an expert employed or engaged by the entity.
TheNatureof
Audit ProceduresAudit procedures, however well designed, will not detect every misstatement.
Consider the ollowing:
Any sample o less than 100% o a population introduces some risk that a
misstatementwillnotbedetected;
Management or others may not provide, intentionally or unintentionally, the
complete inormation required. Fraud may involve sophisticated and careully
organizedschemesdesignedtoconcealit;and
Audit procedures used to gather audit evidence may not detect that some
inormation is missing.
Timeliness
o Financial
Reporting
The relevance/value o nancial inormation tends to diminish over time, so a balance
needs to be struck between the reliability o inormation and its cost.
Users o nancial statements expect that the auditor will orm his or her opinion within
a reasonable period o time and at a reasonable cost. Consequently, it is impracticable
to address all inormation that may exist, or to pursue every matter exhaustively on the
assumption that inormation is in error or raudulent until proved otherwise.
7/28/2019 SMP ISA Audit Guide Volume 1 3e
37/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
3
Scope o an Audit
The scope o the auditors work and the opinion provided are usually conned to whether the nancial
statements are prepared, in all material respects, in accordance with the applicable nancial reporting
ramework. As a result, an unmodied auditors report does not assure the uture viability o the entity, nor the
efciency or eectiveness with which management has conducted the aairs o the entity.
Any extension o this basic audit responsibility, such as that required by local laws or securities regulations,would require the auditor to undertake urther work and to modiy or expand the auditors report
accordingly.
Material Misstatements
A material misstatement (either individually or the aggregate o all uncorrected misstatements and missing/
misleading disclosures in the nancial statements) has occurred when it could reasonably be expected to
inuence the economic decisions o users made on the basis o the nancial statements.
Assertions
Assertions are representations by management, explicit or otherwise, that are embodied in the nancial
statements. They relate to the recognition, measurement, presentation, and disclosure o the variouselements (amounts and disclosures) in the nancial statements. For example, the completeness assertion
relates to all transactions and events that should have been recorded having been recorded. They are used
by the auditor to consider the dierent types o potential misstatements that may occur.
4.2 Audit Risk
Audit risk is the risk o expressing an inappropriate audit opinion on nancial statements that are materially
misstated. The objective o the audit is to reduce this audit risk to an acceptably low level.
Audit risk has two key elements, as illustrated below.
Exhibit 4.2-1
Risk Nature Source
Inherent and
Control RisksThe nancial statements may contain a
material misstatement.
Entity objectives/operations and
managements design/implementation
o internal control.
Detection Risk The auditor may ail to detect a material
misstatement in the nancial statements.
Nature and extent o the procedures
perormed by the auditor.
To reduce audit risk to an acceptably low level, the auditor is required to:
Assesstherisksofmaterialmisstatement;and
Limitdetectionrisk.Thismaybeachievedbyperformingproceduresthatrespondtotheassessedrisks
o material misstatement, both at the nancial statement level and at the assertion level or classes o
transactions, account balance, and disclosures.
Audit Risk Components
The major components o audit risk are described in the ollowing exhibit.
7/28/2019 SMP ISA Audit Guide Volume 1 3e
38/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
38
Exhibit 4.2-2
Nature Description Commentary
Inherent Risk The susceptibility o an assertion about a
class o transaction, account balance, or
disclosure to a misstatement that could
be material, either individually or whenaggregated with other misstatements,
beore consideration o any related
controls.
This includes events or conditions
(internal or external) that could result
in a misstatement (error or raud) in the
nancial statements. The sources o risk(oten categorized as business or raud
risks) can arise rom the entitys objectives,
the nature o its operations/industry,
the regulatory environment in which it
operates, and its size and complexity.
Control Risk The risk that a misstatement that could
occur in an assertion about a class
o transaction, account balance, or
disclosure and that could be material,
either individually or when aggregatedwith other misstatements, will not be
prevented, or detected and corrected,
on a timely basis by the entitys internal
control.
Management designs controls to
mitigate a specied inherent (business
or raud) risk actor. An entity assesses its
risks (risk assessment) and then designs
and implements appropriate controlsto reduce its risk exposure to a tolerable
(acceptable) level.
Controls may be:
Pervasiveinnature,suchas
managements attitude toward
control, commitment to hiring
competent people, and prevention
o raud. These are generally called
entity-levelcontrols;and
Specictotheinitiation,processing,or recording o a particular
transaction. These are oten called
business process, activity-level, or
transaction controls.
Detection Risk The risk that the procedures perormed
by the auditor to reduce audit risk to an
acceptably low level will not detect a
misstatement that exists and that could
be material, either individually or when
aggregated with other misstatements.
The auditor assesses the risks o material
misstatement (inherent and control risk) at
the nancial statement and assertion levels.
Audit procedures are then developed to
reduce audit risk to an acceptably low
level. This includes consideration o thepotential risk o:
Selectinganinappropriateaudit
procedure;
Misapplyinganappropriateaudit
procedure;or
Misinterpretingtheresultsfroman
audit procedure.
7/28/2019 SMP ISA Audit Guide Volume 1 3e
39/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
3
Note: The ISAs dene the risk o material misstatement at the assertion level as consisting o two
components: inherent risk and control risk. Consequently, the ISAs do not ordinarily reer to inherent
risk and control risk separately, but rather to a combined assessment o the risks o material
misstatement. However, the auditor may make separate or combined assessments o inherent and
control risk, depending on preerred audit techniques or methodologies and practical considerations.
CONSIDERPOINT
Separate business and raud risks
Many inherent risks can result in both business and raud risks. For example, a new accounting system
may create potential or errors (business risk), but may also provide an opportunity or someone to
manipulate nancial results or misappropriate unds (raud risk).
So when a business risk is identied always consider whether this also creates a raud risk. I it does,
record and assess the raud risk separately rom the business risk actors. Otherwise it is possible that
the audit response will only address the business-risk element and not the raud risk.
Recording raud risks
Fraud is oten identied through the examination o:
unusualpatterns,exceptionsandodditiesintransactions/events;or
individual(s)withthemotive,opportunity,andrationalizationtocommitfraud.
I such matters are observed (during any stage o the audit) they should be recorded and assessed as
raud risks, even i they seem on the surace to be immaterial. Recording such risks will help ensure they
are appropriately considered when developing the audit response.
7/28/2019 SMP ISA Audit Guide Volume 1 3e
40/243
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts
40
Summary o the Audit Risk Components
Exhibit 4.2-3
The ollowing chart shows the interrelationship between risk and control. The inherent risk bar contains all the
business and raud risk actors that could result in the nancial statements being materially misstated (beore
any consideration o internal control). The control risk bars reect the pervasive and specic control procedures
put into eect by management to mitigate the risk that the nancial statements are misstated. The extent towhich the control risk bars do not completely mitigate the inherent risks is oten called managements residual
risk, risk appetite or risk tolerance.
Managements Response:Internal controls that mitigate the risks identied
HighLow
Entity ObjectivePrepare nancial statements that are not materially misstated
ManagementsResidual Risk
Inherent
Risk
Risk of
material
misstatement
Control
Risk
Low Risk Moderate Risk High Risk
Business/frau