SMP ISA Audit Guide Volume 1 3e

7/28/2019 SMP ISA Audit Guide Volume 1 3e

1/243

ThirdEdition

Guide to Using ISAs inthe Audits o Small-and Medium-Sized

EntitiesVolume 1 Core Concepts


2/243

Small and Medium Practices Committee

International Federation o Accountants

545 Fith Avenue, 14th Floor

New York, NY 10017 USA

This Implementation Guide was prepared by the Small and Medium Practices Committee o

the International Federation o Accountants (IFAC). The committee represents the interests

o proessional accountants operating in small- and medium-sized practices and other

proessional accountants who provide services to small- and medium-sized entities.

This publication may be downloaded ree o charge rom the IFAC website: www.iac.org. The

approved text is published in the English language.

The mission o IFAC is to serve the public interest, strengthen the worldwide accountancy

proession, and contribute to the development o strong international economies by

establishing and promoting adherence to high-quality proessional standards, urthering theinternational convergence o such standards, and speaking out on public interest issues where

the proessions expertise is most relevant.

For urther inormation, please email [email protected].

Copyright November 2011 by the International Federation o Accountants (IFAC). All rights

reserved. Permission is granted to make copies o this work provided that such copies are or

use in academic classrooms or or personal use and are not sold or disseminated and provided

that each copy bears the ollowing credit line: Copyright November 2011 by the International

Federation o Accountants (IFAC). All rights reserved. Used with permission o IFAC. Contact

[email protected] or permission to reproduce, store, or transmit this document.Otherwise,

written permission rom IFAC is required to reproduce, store, or transmit, or make other similar

uses o, this document, except as permitted by law. Contact [email protected].

ISBN: 978-1-60815-099-1
http://www.ifac.org/mailto:[email protected]:[email protected]:[email protected]:[email protected]://www.ifac.org/


3/243

Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1Core Concepts

3

Contents

Volume 1 Primary ISA ReerencePage

Number

Preace 5

Request or Comments 61. How to Use the Guide 8

2. The ISAs 13

Core Concepts 21

3. Ethics, ISAs, and Quality Control ISQC 1, 200, 220 21

4. The Risk-Based AuditOverview Multiple 34

5. Internal ControlPurpose and Components 315 54

6. Financial Statement Assertions 315 80

7. Materiality and Audit Risk 320 87

8. Risk Assessment Procedures 240, 315 99

9. Responding to Assessed Risks 240, 300, 330, 500 109

10. Further Audit Procedures 330, 505, 520 120

11. Accounting Estimates 540 142

12. Related Parties 550 151

13. Subsequent Events 560 160

14. Going Concern 570 167

15. Summary o Other ISA Requirements 250, 402, 501, 510, 600, 610,

620, 720

177

16. Audit Documentation ISQC 1, 220, 230, 240, 300,

315, 330

211

17. Forming an Opinion on Financial Statements 700 224


4/243


4

Contents

Volume 2 Primary ISA Reerence

Page

Number

Preace 5

Request or Comments 61. How to Use the Guide 8

2. Introduction to the Case Studies 13

PHASE 1: Risk Assessment 24

3. Risk AssessmentOverview 24

Preliminary Activities 27

4. Engagement Acceptance and Continuance ISQC 1, 210, 220, 300 27

Planning the Audit 43

5. Overall Audit Strategy 300 43

6. Determining and Using Materiality 320, 450 54

7. Audit-Team Discussions 240, 300, 315 70

Perorming Risk Assessment Procedures 79

8. Inherent RisksIdentication 240, 315 79

9. Inherent RisksAssessment 240, 315 107

10. Signicant Risks 240, 315, 330 117

11. Understanding Internal Control 315 127

12. Evaluating Internal Control 315 141

13. Communicating Deciencies in Internal Control 265 17114. Concluding the Risk Assessment Phase 315 184

PHASE II: Risk Response 194

15. Risk ResponseAn Overview 194

16. The Responsive Audit Plan 260, 300, 330, 500 197

17. Determining the Extent o Testing 330, 500, 530 220

18. Documenting Work Perormed 230 249

19. Written Representations 580 253

PHASE III: Reporting 266

20. ReportingOverview 266

21. Evaluating Audit Evidence 220, 330, 450, 520, 540 269

22. Communicating with Those Charged with Governance 260, 265, 450 286

23. Modications to the Auditors Report 705 297

24. Emphasis o Matter and Other Matter Paragraphs 706 310

25. Comparative Inormation 710 316


5/243


5

Preace

Welcome to the third edition o the IFAC SMP Committees Guide to Using International Standards on Auditing

in the Audits o Small- and Medium-Sized Entities.

In this edition, we have taken the opportunity to rene some o the technical content and to make otherminor presentational improvements. Mindul, however, that many users may be in the process o translating

the Guide, we have endeavored to keep the revisions in this edition to a minimum.

First released in 2007 and developed with the Canadian Institute o Chartered Accountants (CICA), the Guide

is intended to enable practitioners to develop a deeper understanding o an audit conducted in compliance

with International Standards on Auditing (ISAs) through explanation and illustrative examples. It oers a

practical how-to audit approach that practitioners may use when undertaking a risk-based audit o an SME.

Ultimately, it should help practitioners conduct high-quality, cost-eective audits, enabling them to better

serve SMEs and, in turn, the wider public interest.

The Guide provides non-authoritative guidance on applying ISAs. It is not to be used as a substitute orreading the ISAs, but rather as a supplement to support consistent implementation o these standards in the

audits o SMEs. The Guide does not address all aspects o the ISAs, and should not be used or the purposes

o determining or demonstrating compliance with the ISAs.

In order to help member bodies maximize the use o both this Guide and its sister publication, the Guide

to Quality Control or Small- and Medium-Sized Practices, the SMP Committee is developing a companion

guide, along with additional materials designed to support the use o the Guides or education and training

purposes. The companion guide will include suggestions on how IFAC member bodies and rms may make

best use o the Guides to suit their own needs and jurisdictions.

Finally, we welcome readers to visit the SMP area o the IFAC website at www.iac.org/SMP or urther details

about the work o the IFAC SMP Committee and or access to a wide collection o additional ree publications

and resources.

Sylvie Voghel

Chair, IFAC SMP Committee

November 2011


6/243


6

Request or Comments

This is the third edition o the Guide. While we consider this Guide to be useul and o high quality, it can be

improved. We are committed to updating this Guide on a regular basis so as to ensure that it reects current

standards and is as useul as possible.

We welcome comments rom national standard setters, IFAC member bodies, practitioners, and others. In

particular, we welcome views on the ollowing questions.

1. How do you use the Guide? For example, do you use it as a basis or training and/or as a practical

reerence guide, or in some other way?

2. Do you consider the Guide to be sufciently tailored to the audit o SMEs?

3. Do you nd the Guide easy to navigate? I not, can you suggest how navigation can be improved?

4. In what other ways do you think the Guide can be made more useul?

5. Are you aware o any derivative productssuch as training materials, orms, checklists, and programs

that have been developed based on the Guide? I so, please provide details.

Please submit your comments to Paul Thompson, Deputy Director at:

Email: [email protected]

Fax: +1 212-286-9570

Mail: Small and Medium Practices Committee

International Federation o Accountants

545 Fith Avenue, 14th Floor

New York, NY 10017, USA
mailto:[email protected]:[email protected]


7/243


7

Disclaimer

This Guide is designed to assist practitioners in the implementation o the International

Standards o Auditing (ISAs) on the audit o small- and medium-sized entities, but is not

intended to be a substitute or the ISAs themselves. Furthermore, a practitioner should

utilize this Guide in light o his/her proessional judgment and the acts and circumstances

involved in each particular audit. IFAC disclaims any responsibility or liability that may occur,

directly or indirectly, as a consequence o the use and application o this Guide.


8/2438

1. How to Use the Guide

The purpose o this Guide is to provide practical guidance to practitioners conducting audit engagements or

small- and medium-sized entities (SMEs). However, no material in the Guide should be used as a substitute or

ReadingandunderstandingtheISAs

It is assumed that practitioners have read the text o the International Standards on Auditing (ISAs)

which are contained in the Handbook o International Quality Control, Auditing, Review, Other Assurance,and Related Services Pronouncements, and which can be downloaded ree o charge rom the IAASB

Publications & Resources web page at www.iac.org/auditing-assurance/publications-resources (lter

by Handbooks, Standards, and Pronouncements). ISA 200.19 states that the auditor shall have an

understanding o the entire text o an ISA, including its application and other explanatory material,

to understand its objectives and to apply its requirements properly. The ISAs, as well as requently

asked questions (FAQs) and other support materials, can also be obtained rom the Clarity Center at

www.iac.org/auditing-assurance/clarity-center.

Useofprofessionaljudgment

In order to apply the ISAs eectively, proessional judgment is required based on the particular acts

and circumstances involved in the rm and each particular engagement.While it is expected that small- and medium-sized practices (SMPs) will be a signicant user group, this Guide

is intended to help all practitioners to implement ISAs on SME audits.

This Guide can be used to:

DevelopadeeperunderstandingofanauditconductedincompliancewiththeISAs;

Developastamanual(supplementedasnecessaryforlocalrequirementsandarmsprocedure)tobe

usedforday-to-dayreference,andasabasisfortrainingsessionsandindividualstudyanddiscussion;

and

Help ensure that sta adopt a consistent approach to planning and perorming an audit.

This Guide oten reers to an audit team, which implies that more than one auditor is involved in conducting

the audit engagement. However, the same general principles also apply to audit engagements perormed

exclusively by one person (the practitioner).

1.1 Reproduction, Translation, and Adaptation o the Guide

IFAC encourages and acilitates the reproduction, translation, and adaptation o its publications. Interested

parties wishing to reproduce, translate, or adapt this Guide should contact [email protected].
http://www.ifac.org/publications-resources/2012-handbook-international-quality-control-auditing-review-other-assurance-ahttp://www.ifac.org/publications-resources/2012-handbook-international-quality-control-auditing-review-other-assurance-ahttp://www.ifac.org/auditing-assurance/publications-resourcesmailto:[email protected]:[email protected]://www.ifac.org/auditing-assurance/publications-resourceshttp://www.ifac.org/publications-resources/2012-handbook-international-quality-control-auditing-review-other-assurance-ahttp://www.ifac.org/publications-resources/2012-handbook-international-quality-control-auditing-review-other-assurance-a


9/243


9

1.2 Chapter Content and Organization

Rather than just summarize each ISA in turn, the Guide has been organized into two volumes as ollows:

Volume1CoreConcepts

Volume2PracticalGuidance

This is Volume 1 o the Guide, which provides an overview o the entire audit and a discussion o key audit

concepts such as materiality, assertions, internal control, risk assessment procedures, and the use o urther audit

procedures in responding to assessed risks. It also includes a summary o ISA requirements with respect to:

Specicareassuchasaccountingestimates,relatedparties,subsequentevents,goingconcern,andothers;

Documentationrequirements;and

Forminganopiniononthenancialstatements.

Volume 2 o the Guide ocuses on how to apply the concepts outlined in Volume 1. It ollows the typical

stages involved in perorming an audit, starting with client acceptance, planning, and risk assessment, and

then the risk response, evaluating audit evidence obtained, and orming an appropriate audit opinion.

Summary o Organization

Each chapter in both volumes o this Guide has been organized in the ollowing ormat:

ChapterTitle

AuditProcessChartExtract

Most chapters contain an extract rom the audit process chart (where applicable) to highlight the

particular activities addressed in the chapter.

ChapterContent

This outlines the content and purpose o the chapter.

RelevantISAs

Most chapters in this Guide begin with some extracts rom the ISAs that are relevant to the chapter

content. These extracts include relevant requirements and, in some cases, the objectives (sometimes

highlighted separately i/when a chapter ocuses primarily on one particular ISA), selected denitions,

and application material. The inclusion o these extracts is not meant to imply that other material in

the ISA not specically mentioned, or other ISAs that relate to the subject matter, do not need to be

considered. The extracts in the Guide are based solely on the judgment o the authors as to what is

relevant or the content o each particular chapter. For example, the requirements o ISAs 200, 220,

and 300 apply throughout the audit process, but have only been addressed specically in one or two

chapters.

OverviewandChapterMaterial

The overview in each chapter provides:

ExtractsfromapplicableISAs;and

An overview o what is addressed in the chapter.

The overview is ollowed by a more detailed discussion o the subject matter, and practical step-by-step

guidance/methodology on how to implement the relevant ISAs. This can include some cross-reerences

to the applicable ISAs. While the Guide ocuses exclusively on the ISAs (other than the 800 series)

that apply to audits o historical nancial inormation, reerence is also made to the Code o Ethics or


10/243


10

Proessional Accountants issued by the International Ethics Standards Board or Accountants (the IESBA

Code), and the International Standard on Quality Control 1 (ISQC 1), Quality Control or Firms that Perorm

Audits and Reviews o Financial Statements, and Other Assurance and Related Services Engagements.

ConsiderPoints

A number o Consider Points are included throughout the Guide. These Consider Points provide

practical guidance on audit matters that can easily be overlooked, or where practitioners may havedifculty understanding and implementing certain concepts.

IllustrativeCaseStudies

To demonstrate how the ISAs can be applied in practice, Volume 2 o the Guide includes two case

studies. At the end o many chapters within Volume 2, two possible approaches to documenting the

application o the ISA requirements are discussed. Please reer to Volume 2, Chapter 2 o this Guide or

details about the case studies.

The purpose o the case studies and the documentation presented are purely illustrative. The

documentation provided is a small extract rom a typical audit le, and it outlines just one possible way

o complying with the ISA requirements. The data, analysis, and commentary provided represent only

some o the circumstances and considerations that the auditor will need to address in a particular auditAs always, the auditor must exercise proessional judgment.

The rst case study is based on a ctional entity called Dephta Furniture. This is a local, amily-owned

urniture manuacturer with 15 ull-time employees. The entity has a simple governance structure, ew

levels o management, and straightorward transaction processing. The accounting unction uses an o-

the-shel, standard sotware package.

The second case study is based on another ctional entity called Kumar & Co. This is a micro-sized entity

with two ull-time sta plus the owner and one part-time bookkeeper.

Other IFAC Publications

This Guide may also be read in conjunction with TheGuide to Quality Control or Small- and Medium-Sized

Practices, which can be downloaded ree o charge rom the IFAC online publications and resources site at

http://web.iac.org/publications/small-and-medium-practices-committee/implementation-guides.

1.3 Glossary o Terms

The Guide uses many o the terms as dened in the IESBA Code, Glossary o Terms, and ISAs (as contained

in the Handbook o International Quality Control, Auditing, Review, Other Assurance, and Related Services

Pronouncements). Both partners and sta must be aware o these denitions.

The Guide also uses the ollowing terms:

Anti-Fraud Controls

These are controls designed by management to prevent or detect misstatements resulting rom raud. With

respect to management override, these controls may not prevent a raud rom occurring, but would act as a

deterrent and make perpetrating a raud more difcult to conceal. Typical examples are:

Policiesandproceduresthatprovideadditionalaccountability,suchassignedapprovalforjournal

entries;

Improvedaccesscontrolsforsensitivedataandtransactions;
http://web.ifac.org/publications/small-and-medium-practices-committee/implementation-guideshttp://web.ifac.org/publications/small-and-medium-practices-committee/implementation-guides


11/243


1

Silentalarms;

Discrepancyandexceptionreports;

Audittrails;

Fraudcontingencyplans;

Humanresourceproceduressuchasidentifying/monitoringindividualswithabove-averagefraudpotential(forexample,anexcessivelylavishlifestyle);and

Mechanismsforreportingpotentialfraudsanonymously.

Entity-Level Controls

Entity-level controls address pervasive risks. They contribute to the tone at the top o an organization and

establish expectations or the control environment. They are oten less tangible than controls that operate

at the transaction level, but have a pervasive and signicant impact and inuence over all other internal

controls. As such, they orm the all-important oundation upon which other internal controls (i any) are built.

Examples o entity level controls include managements commitment to ethical behavior, attitudes toward

internal control, hiring and competence o sta employed, and anti-raud and period-end nancial reporting.These controls will have an impact on all other business processes within the entity.

Management

The person(s) with executive responsibility or the conduct o the entitys operations. For some entities in

some jurisdictions, management includes some or all o those charged with governanceor example,

executive members o a governance board, or an owner-manager.

Those Charged With Governance (TCWG)

The person(s) or organization(s) (or example, a corporate trustee) with responsibility or overseeing the

strategic direction o the entity and obligations related to the accountability o the entity. This includes

overseeing the nancial reporting process. For some entities, in some jurisdictions, those charged withgovernance may include management personnelor example, executive members o a governance board

o a private or public sector entity, or an owner-manager.

Owner-Manager

This reers to the proprietor o an entity involved in the running o the entity on a day-to-day basis. In most

instances, the owner-manager will also be the person charged with governance o the entity.

Small- and Medium-Sized Practice (SMP)

An accounting practice/rm that exhibits the ollowing characteristics:

Itsclientsaremostlysmall-andmedium-sizedentities(SMEs); Externalsourcesareusedtosupplementlimitedin-housetechnicalresources;and

It employs a limited number o proessional sta.

What constitutes an SMP will vary rom one jurisdiction to another.


12/243


12

1.4 Acronyms Used in the Guide

AR Accounts receivable

Assertions

(combined) C= Completeness

E = Existence

A = Accuracy and cutoV = Valuation

CAATs Computer-assisted audit techniques

CU Currency units (standard currency unit is reerred to as )

F/S Financial statements

HR Human resources

IAASB International Auditing and Assurance Standards Board

IC Internal Control. The ve major components o internal control are as ollows:

CA = Control activities

CE = Control environment

IS = Inormation systemsMO = Monitoring

RA = Risk assessment

IESBA Code IESBA Code o Ethics or Proessional Accountants

IFAC International Federation o Accountants

IFRS International Financial Reporting Standards

ISAs International Standards on Auditing

ISAEs International Standards on Assurance Engagements

IAPSs International Auditing Practice Statements

ISQC International Standard on Quality Control

ISREs International Standards on Review EngagementsISRSs International Standards on Related Services

IT Inormation technology

PC Personal computer

R&D Research and development

RMM Risks o material misstatement

RAPs Risk assessment procedures

SME Small- and medium-sized entity

SMP Small- and medium-sized practice

TOC Tests o controls

TCWG Those charged with governance

WP Work papers, working papers


13/243 1

2. The ISAs

Structure o the ISAs

The ISAs have a common structure, as outlined below.

ISA Element Comments

Introduction An explanation othe purpose and scope o the ISA, including how the ISA relatesto other ISAs, the subject matter o the ISA, specic expectations on the auditor and

others, and the context in which the ISA is set.

Objectives The objective to be achieved by the auditor as a result o complying with the

requirements o the ISA. To achieve the overall objectives o the auditor, the auditor is

required to use the objectives stated in relevant ISAs in planning and perorming the

audit, keeping in mind the interrelationships among the ISAs. ISA 200.21 (a) requires

the auditor to:

(a) Determine whether any audit procedures in addition to those required by the

ISAsarenecessaryinpursuanceoftheobjectivesstatedintheISAs;and

(b) Evaluate whether sufcient appropriate audit evidence has been obtained.Denitions A description o the meanings attributed to certain terms or purposes o the ISAs.

These are provided to assist in the consistent application and interpretation o the

ISAs. They are not intended to override denitions that may be established or other

purposes, such as those contained in laws or regulations. Unless otherwise indicated,

these terms carry the same meanings throughout the ISAs.

Requirements This section outlines the specic auditor requirements. Each requirement contains

the word shall. For example, ISA 200.15 contains the ollowing requirement:

The auditor shall plan and perorm an audit with proessional skepticism,

recognizing that circumstances may exist that cause the nancial statements to

be materially misstated.


14/243


14

ISA Element Comments

Application and

OtherExplanatory

Material

The application and other explanatory material provides urther explanation o the

requirements o an ISA, and guidance or carrying them out. In particular, it may:

Explainmorepreciselywhatarequirementmeansorisintendedtocover;

Whereapplicable,includeconsiderationsspecictosmallerentities;and

Includeexamplesofproceduresthatmaybeappropriateinthecircumstances.

However, the actual procedures selected by the auditor require the use o

proessional judgment based on the particular circumstances o the entity and

the assessed risks o material misstatement.

While such guidance does not in itsel impose a requirement, it is relevant to the proper

application o the requirements o an ISA. The application and other explanatory

material may also provide background inormation on matters addressed in an ISA.

Appendices Appendices orm part o the application and other explanatory material. The purpose

and intended use o an appendix are explained in the body o the related ISA, or

within the title and introduction o the appendix itsel.

2.1 ISA Index and Cross-Reerences

The ISA Framework is illustrated below.

International Standards on Quality Control ISQCs 199

International Framework for

Assurance Engagements (audit & review)

Historical

Financial Information

International

Standards

on Auditing

ISAs 100999

International

Standards

on Assurance

Engagements

ISAEs 30003699

International

Standards

on Related

Services

ISRSs 40004699

International

Auditing Practice

StatementsIAPSs 10001999

International

Standards on

Review

Engagements

ISREs 20002699

Other

Financial Information

International Standards

on Related Services

(compilations, etc.)


15/243


1

The ollowing table cross-reerences the ISAs and ISQC 1 to the corresponding chapters in the Guide. Note:

This table only includes cross-reerences to the chapters in the Guide in which the primary application

requirements o the respective standards are addressed. Further reerences to any given standard may also

appear in other chapters.

ISA/ISQC 1

Reerence

Volume and Chapters

V1 = Volume 1

V2 = Volume 2

ISQC 1 Quality Control or Firms that Perorm Audits and Reviews o FinancialStatements, and Other Assurance and Related Services Engagements

V1-3, 16V2-4

200 Overall Objectives o the Independent Auditor and the Conduct o anAudit in Accordance with International Standards on Auditing

V1-3, 4

210 Agreeing the Terms o Audit Engagements V2-4

220 Quality Control or an Audit o Financial Statements V1-3, 16, V2-4, 21

230 Audit Documentation V1-3, 16, V2-18

240 The Auditors Responsibilities Relating to Fraud in an Audit o FinancialStatements

V1-8, 9, 16V2-7, 8, 9, 10

250 Consideration o Laws and Regulations in an Audit o FinancialStatements

V1-15

260 Communication with Those Charged with Governance V2-16, 22

265 Communicating Deciencies in Internal Control to Those Chargedwith Governance and Management

V2-13, 22

300 Planning an Audit o Financial Statements V1-9, 16V2-4, 5, 7, 16

315 Identiying and Assessing the Risks o Material Misstatement throughUnderstanding the Entity and its Environment V1-4, 5, 6, 8, 16V2-7, 8, 9, 10, 11, 12, 14

320 Materiality in Planning and Perorming an Audit V1-7, V2-6

330 The Auditors Responses to Assessed Risks V1-4, 9, 10, 16V2-10, 16, 17, 21

402 Audit Considerations Relating to an Entity Using a Service Organization V1-15

450 Evaluation o Misstatements Identied during the Audit V2-6, 21, 22

500 Audit Evidence V1-9, V2-16, 17

501 Audit EvidenceSpecic Considerations or Selected Items V1-15

505 External Conrmations V1-10510 Initial Audit EngagementsOpening Balances V1-15

520 Analytical Procedures V1-10, V2-21

530 Audit Sampling V2-17

540 Auditing Accounting Estimates, Including Fair Value AccountingEstimates, and Related Disclosures

V1-11, V2-21

550 Related Parties V1-12

560 Subsequent Events V1-13


16/243


16

ISA/

ISQC 1

Reerence

Volume and Chapters

V1 = Volume 1

V2 = Volume 2

570 Going Concern V1-14

580 Written Representations V2-19600 Special ConsiderationsAudits o Group Financial Statements

(Including the Work o Component Auditors)V1-15

610 Using the Work o Internal Auditors V1-15

620 Using the Work o an Auditors Expert V1-15

700 Forming an Opinion and Reporting on Financial Statements V1-4, 17

705 Modications to the Opinion in the Independent Auditors Report V2-23

706 Emphasis o Matter Paragraphs and Other Matter Paragraphs in theIndependent Auditors Report

V2-24

710 Comparative InormationCorresponding Figures and ComparativeFinancial Statements

V2-25

720 The Auditors Responsibilities Relating to Other Inormation inDocuments Containing Audited Financial Statements

V1-15

800 Special ConsiderationsAudits o Financial StatementsPrepared in Accordance with Special Purpose Frameworks

Not addressed*

805 Special ConsiderationsAudits o Single Financial Statements andSpecic Elements, Accounts, or Items o a Financial Statement

Not addressed*

810 Engagements to Report on Summary Financial Statements Not addressed*

*ISAs 800, 805, and 810 were considered to have limited application in the audits o SMEs at the present time,so this edition o the Guide does not specically address them.

The ollowing table cross-reerences the Guides chapters to the principal ISA Chapters addressed.

Note: This table provides a general cross-reerence only. Many chapters in this Guide cover aspects

addressed by more than one particular ISA.

Chapter Title

ISA /ISQC 1

Reerence

V1 3 Ethics, ISAs, and Quality Control ISQC 1, 200, 220

V1 4 The Risk-Based AuditOverview Multiple

V1 5 Internal ControlPurpose and Components 315

V1 6 Financial Statement Assertions 315

V1 7 Materiality and Audit Risk 320

V1 8 Risk Assessment Procedures 240, 315

V1 9 Responding to Assessed Risks 240, 300,330, 500

V1 10 Further Audit Procedures 330, 505, 520


17/243


1

Chapter Title

ISA /ISQC 1

Reerence

V1 11 Accounting Estimates 540

V1 12 Related Parties 550

V1 13 Subsequent Events 560

V1 14 Going Concern 570

V1 15 Summary o Other ISA Requirements 250, 402, 501,510, 600, 610,

620, 720

V1 16 Audit Documentation ISQC 1, 220,230, 240, 300,

315, 330

V1 17 Forming an Opinion on Financial Statements 700

V2 4 Engagement Acceptance and Continuance ISQC 1, 210, 220,

300V2 5 Overall Audit Strategy 300

V2 6 Determining and Using Materiality 320, 450

V2 7 Audit Team Discussions 240, 300, 315

V2 8 Inherent RisksIdentication 240, 315

V2 9 Inherent RisksAssessment 240, 315

V2 10 Signicant Risks 240, 315, 330

V2 11 Understanding Internal Control 315

V2 12 Evaluating Internal Control 315

V2 13 Communicating Deciencies in Internal Control 265

V2 14 Concluding the Risk Assessment Phase 315

V2 16 The Responsive Audit Plan 260, 300, 330,500

V2 17 Determining the Extent o Testing 330, 500, 530

V2 18 Documenting Work Perormed 230

V2 19 Written Representations 580

V2 21 Evaluating Audit Evidence 220, 330, 450,520, 540

V2 22 Communicating with Those Charged with Governance 260, 265, 450

V2 23 Modications to the Auditors Report 705

V2 24 Emphasis o Matter and Other Matter Paragraphs 706

V2 25 Comparative Inormation 710


18/243


18

2.2 The Audit Process

The audit approach outlined in this Guide has been divided into three phasesrisk assessment, risk response,

and reporting. This is illustrated in Exhibit 2.2-1. For each o the audit phases, the exhibit outlines the major

activities, their purpose and the resulting documentation. Additional inormation on the activities and

documentation required in each o the three phases is outlined throughout this Guide and particularly in

Volume 2, which ollows a typical audit rom start to nish.


19/243


1

Exhibit 2.2-1

RiskResponse

Design overallresponses andfurther auditprocedures

Developappropriateresponses tothe assessed RMM3

Update of overall strategy

Overall responses

Audit plan that linksassessed RMM3 to furtheraudit procedures

Implement responsesto assessed RMM3

Reduce audit riskto an acceptably

low level

Work performed

Audit ndings

Sta supervisionWorking paper review

Reporting

Evaluate the auditevidence obtained

Determine whatadditional audit work(if any) is required

Prepare theauditors report

Form an opinionbased on auditndings

Signicant decisions

Signed audit opinion

RiskAssessment

Plan the auditDevelop an overallaudit strategy andaudit plan2

Materiality

Audit team discussions

Overall audit strategy

Listing of risk factors

Independence

Engagement letter

Perform preliminaryengagement

activities

Decide whether toaccept engagement

Performrisk assessment

procedures

Identify/assess RMM3

through understandingthe entity

Business & fraud risksincluding signicant risks

Design/implementation of

relevant internal controls

Assessed RMM3 at: F/S level Assertion level

no

yes

Notes:

1. Refer to ISA 230 for a more complete list of documentation required.2. Planning (ISA 300) is a continual and iterative process throughout the audit.

3. RMM = Risks of material misstatement.

Activity Purpose Documentation1

Isadditional

workrequired?

New/revised risk factorsand audit procedures

Changes in materiality

Communicationson audit ndings

Conclusions on auditprocedures performed


20/243

Volume 1

Core Concepts


21/243 2

3. Ethics, ISAs, and Quality Control

Chapter Content Relevant ISAs

Matters to be addressed in a rms system o quality control to ensure

compliance with ethical (including independence) requirements and

the ISAs.ISQC 1, 200, 220

Exhibit 3.0-1

Client acceptance

and continuance

Engagement

performance

Sta

management

Ethics and

independence

Firms Values and Goals

Leadership (Roles, assignments and accountability)

Documentation and Ongoing Monitoring(Firms QC system and engagement les)

Paragraph # ISQC/ISA Objective(s)

ISQC 1.11 The objective o the rm is to establish and maintain a system o quality control to provide it

with reasonable assurance that:

(a) The rm and its personnel comply with proessional standards and applicable legal andregulatoryrequirements;and

(b) Reports issued by the rm or engagement partners are appropriate in the circumstances.

220.6 The objective o the auditor is to implement quality control procedures at the engagement

level that provide the auditor with reasonable assurance that:

(a) The audit complies with proessional standards and applicable legal and regulatory

requirements;and

(b) The auditor's report issued is appropriate in the circumstances.


22/243


22

Paragraph # Relevant Extracts rom ISAs/ISQC 1

ISQC 1.13 Personnel within the rm responsible or establishing and maintaining the rms system

o quality control shall have an understanding o the entire text o this ISQC, including its

application and other explanatory material, to understand its objective and to apply its

requirements properly.

ISQC 1.18 The rm shall establish policies and procedures designed to promote an internal culture

recognizing that quality is essential in perorming engagements. Such policies and procedures

shall require the rms chie executive ofcer (or equivalent) or, i appropriate, the rms

managing board o partners (or equivalent) to assume ultimate responsibility or the rms

system o quality control. (Re: Para. A4-A5)

ISQC 1.19 The rm shall establish policies and procedures such that any person or persons assigned

operational responsibility or the rms system o quality control by the rms chie executive

ofcer or managing board o partners has sufcient and appropriate experience and ability,

and the necessary authority, to assume that responsibility. (Re: Para. A6)

ISQC 1.29 The rm shall establish policies and procedures designed to provide it with reasonable

assurance that it has sufcient personnel with the competence, capabilities, and commitment

to ethical principles necessary to:(a) Perorm engagements in accordance with proessional standards and applicable legal and

regulatoryrequirements;and

(b) Enable the rm or engagement partners to issue reports that are appropriate in the

circumstances. (Re: Para. A24-A29)

ISQC 1.32 The rm shall establish policies and procedures designed to provide it with reasonable

assurance that engagements are perormed in accordance with proessional standards and

applicable legal and regulatory requirements, and that the rm or the engagement partner

issue reports that are appropriate in the circumstances. Such policies and procedures shall

include:

(a) Mattersrelevanttopromotingconsistencyinthequalityofengagementperformance;

(Re: Para. A32-A33)

(b) Supervisionresponsibilities;and(Ref:Para.A34)(c) Review responsibilities. (Re: Para. A35)

ISQC 1.48 The rm shall establish a monitoring process designed to provide it with reasonable assurance

that the policies and procedures relating to the system o quality control are relevant,

adequate, and operating eectively. This process shall:

(a) Include an ongoing consideration and evaluation o the rms system o quality control

including, on a cyclical basis, inspection o at least one completed engagement or each

engagementpartner;

(b) Require responsibility or the monitoring process to be assigned to a partner or partners

or other persons with sufcient and appropriate experience and authority in the rm to

assumethatresponsibility;and

(c) Require that those perorming the engagement or the engagement quality control review

are not involved in inspecting the engagements. (Re: Para. A64-A68)

ISQC 1.57 The rm shall establish policies and procedures requiring appropriate documentation to

provide evidence o the operation o each element o its system o quality control. (Re: Para.

A73-A75)

200.14 The auditor shall comply with relevant ethical requirements, including those pertaining to

independence, relating to nancial statement audit engagements. (Re: Para. A14-A17)


23/243


2

Paragraph # Relevant Extracts rom ISAs/ISQC 1

200.15 The auditor shall plan and perorm an audit with proessional skepticism recognizing that

circumstances may exist that cause the nancial statements to be materially misstated. (Re:

Para. A18-A22)

200.16 The auditor shall exercise proessional judgment in planning and perorming an audit o

nancial statements. (Re: Para. A23-A27)220.17 On or beore the date o the auditors report, the engagement partner shall, through a review o

the audit documentation and discussion with the engagement team, be satised that sufcient

appropriate audit evidence has been obtained to support the conclusions reached and or the

auditors report to be issued. (Re: Para. A18-A20)

220.18 The engagement partner shall:

(a) Take responsibility or the engagement team undertaking appropriate consultation on

dicultorcontentiousmatters;

(b) Be satised that members o the engagement team have undertaken appropriate consultation

during the course o the engagement, both within the engagement team and between the

engagementteamandothersattheappropriatelevelwithinoroutsidetherm;

(c) Be satised that the nature and scope o, and conclusions resulting rom, such

consultationsareagreedwiththepartyconsulted;and(d) Determine that conclusions resulting rom such consultations have been implemented.

(Re: Para. A21-A22)

220.19 For audits o nancial statements o listed entities, and those other audit engagements, i any,

or which the rm has determined that an engagement quality control review is required, the

engagement partner shall:

(a) Determinethatanengagementqualitycontrolreviewerhasbeenappointed;

(b) Discuss signicant matters arising during the audit engagement, including those

identied during the engagement quality control review, with the engagement quality

controlreviewer;and

(c) Not date the auditors report until the completion o the engagement quality control

review. (Re: Para. A23-A25)

3.1 Overview

Perorming quality work begins with strong leadership within the rm and engagement partners committed

to the highest ethical standards.

This chapter ocuses on developing the system o quality control within a rm. It provides some practical

guidance on matters that need to be considered whenever a rm decides to perorm audit engagements.

The provision o quality audits and related services is vital to:

Safeguardingthepublicinterest;

Maintainingclientsatisfaction;

Deliveringvalueformoney;

Ensuringcompliancewithprofessionalstandards;and

Establishingandmaintainingaprofessionalreputation.


24/243


24

The IFAC Guide to Quality Control or Small- and Medium-Sized Practices provides a detailed description o

the quality control standards and guidance on how to implement a system o quality control or small- and

medium-sized practices (SMPs).2

The Code o Ethics or Proessional Accountants (eective January 1, 2011), issued by the IESBA, can be

downloaded rom the IFAC web site.3

3.2 Quality Control Systems

The system o quality control in an accounting rm could be mapped to the ve internal control elements

that auditors are required to evaluate as part o understanding any entity being audited. In a rm, these ve

internal control elements would also be applicable to control systems in place (other than quality control),

such as time and billing, ofce workow, expense control, and marketing activities.

The ollowing diagram maps the quality control elements outlined in ISQC 1 and ISA 220 to the ve internal

control components contained in ISA 315, which are applicable to entities being audited. Each o these ve

control elements is more ully addressed in Volume 1, Chapter 5 o this Guide.

Exhibit 3.2-1

Internal Control Elements

(ISA 315)Firm-Level QC Elements (ISQC 1)

Engagement-Level QC

Elements (ISA 220)

Control Environment

(Tone at the Top)Leadership Responsibilities orQuality within the Firm

Relevant Ethical Requirements

Human Resources

Leadership Responsibilities orQuality on Audits

Relevant Ethical Requirements

Assignment o Engagement Teams

Risk Assessment

(What Could Go Wrong?)Acceptance and Continuance oClient Relationships and SpecicEngagements

Acceptance and Continuance o ClientRelationships and Audit Engagements

Risks that the report might not beappropriate in the circumstances

Inormation Systems(Tracking perormance)

Quality Control SystemDocumentation

Audit Documentation

Control Activities (Prevent& detect/correct controls)

Engagement Perormance Engagement Perormance

Monitoring(Are the frms/engagements objectives beingmet?)

Ongoing Monitoring o the FirmsQuality Control Policies andProcedures

Applying Results o OngoingMonitoring to Specic AuditEngagements

3.3 The Control EnvironmentDelivery o high-quality and cost-eective services is the principal driver o success or proessional audit

rms. Quality service is also vital in relation to the public-interest responsibilities o proessional accountants.

Theprovisionofqualityservicesshouldalwaysbeakeyobjectiveinthermsbusinessstrategy;that

objective needs to be communicated to all personnel on a regular basis, and the results monitored. This

requires leadership and accountability or promised actions. Poor quality control can lead to inappropriate

opinions, poor client service, lawsuits, and loss o reputation.

2 The web link is http://web.iac.org/publications/small-and-medium-practices-committee/implementation-guides

3 The web link is (lter by Handbooks, Standards, and Pronouncements)
http://web.ifac.org/publications/small-and-medium-practices-committee/implementation-guideshttp://web.ifac.org/publications/small-and-medium-practices-committee/implementation-guides


25/243


2

Hindrances to a strong tone at the top could include matters set out below.

Exhibit 3.3-1

Hindrance Description

Poor Attitudes A poor attitude is at the heart o most hindrances to quality. It includes such attitudes

(but not necessarily this extreme) as the ollowing: Firmcontinuallyoperatesinacrisismode;

Poorlyplannedengagementsandactivitiesarethenorm;

Poorcommitmenttoqualityorcompliancewiththehighestethicalstandards;

Notcaringabouttheexpectationsofqualitybythepublicandotherstakeholders;

Regardingchangesinauditingstandardsasonlyapplicabletobigentities.

Some practices and terminology may get changed to demonstrate compliance

onthesurface,butinsubstance,theoldauditpracticescontinueasbefore;

Beliefthatthereisnorisktotherminsmallauditssoworkperformedshould

beminimal;

Auditworktailoredtothefeereceivednottheriskinvolved;

Clientsconsideredtotallytrustworthybythecontrolpartner; Minimizingoravoidingtheneedforengagementqualitycontrolreviews;

Beliefthat,becausetheclientspaythebill,theymustgetwhattheywant;

Partnerskeeping(oraccepting)anauditclient(forthefeesgenerated)even

thoughitis(wouldbe)highlyriskyfortherm;

Unwillingnesstoadoptstandardrmpoliciesonqualitycontrol.Apartner

wants les and working papers to be prepared his/her way without regard or

whatothersdo;and

Askingstatofollowthermspolicies,butnotcomplyingpersonally(i.e.,do

what I say, not what I do).

UnwillingnesstoInvestinTraining

or Development

Conducting a quality audit is dependent on attracting and retaining qualiedand competent people to perorm the work. This requires ongoing proessional

development and perormance appraisals or all partners and proessional sta (every

period). Lack o investment in sta also leads to sta turnover.

Lack o Discipline A ailure to discipline partners or sta when the rms policies are willully

contravened sends a very clear message to personnel that written policies are really

not that important. This undermines compliance with all o the rms policies, and

increases the risk to the rm.

A healthy tone at the top can be set by the rms management and engagement partners through the

ollowing activities.


26/243


26

Exhibit 3.3-2

SettingtheTone Description

Establish theFirmsObjectives,Priorities,and

Values

This could include:

Anunwaveringcommitmenttoqualityandhighethicalstandards;

Investmentinstaslearning,training,andskillsdevelopment;

Investmentintherequiredtechnological,human,andnancialresources; Policiestoensuresoundengagementandscalmanagement;and

Risktolerancesforuseindecision-making.

CommunicateRegularly

Reinorce the rms values and commitments by communicating regularly

(verbally and in writing) with sta. Communications would address the need or

integrity, objectivity, independence, proessional skepticism, sta development,

and accountability to the public. Communications could be made through the

perormance-appraisal system, partner updates, emails, ofce meetings, and internal

newsletters.

Updatethe

Quality ControlManual

Each period, update the rms quality control policies and procedures to address

weaknesses and any new requirements.

Hold PeopleAccountable

Assign clear responsibilities and accountabilities or quality-control unctions (such as

independence issues, consultation, le review, etc.).

Develop StaCompetence andRewardQualityWork

Develop sta through:

Clearjobdescriptionsanddocumentedannualperformanceappraisalsthat

makequalityofworkapriority;

Providingincentives/rewardsfordeliveringqualitywork;and

Takingdisciplinaryactionwhenthermspoliciesarewillully contravened.

Continually

Improve

Take prompt action to correct deciencies when identied, such as through the

rms engagement le monitoring, including the cyclical inspection o completedengagement les.

SetanExample Provide sta with a role model in the positive example set by partners in their day-

to-day behavior. For example, i a policy emphasizes the need or quality work, a sta

member should then not be criticized or legitimately going over the budgeted time.

3.4 Firm Risk Assessment

Risk management is an ongoing process that helps a rm to anticipate negative events, develop a ramework

or eective decision-making, and protably deploy the rms resources.

Some orm o risk management occurs in most rms, and it is oten inormal and undocumented. Individual

partners typically identiy risks and respond to them based on their direct involvement with the rm and

with their clients. Formalizing and documenting the process or the rm as a whole is a proactive and

more eective approach to risk assessment. This does not have to be time-consuming or cumbersome to

implement. Notably, eectively managing the rms risk assessment can result in less stress or partners and

sta, savings in time and costs, and improved chances o achieving the rms goals.

A simple risk assessment process can be used in any size o rm, even a sole proprietorship. It consists o the

ollowing activities.


27/243


2

Exhibit 3.4-1

Activity Description

Establish the Risk

Tolerancesforthe

Firm

These tolerances could be quantitative amounts, such as allowable write-os o

work in process, or qualitative actors, such as characteristics o clients that would

not be acceptable to the rm. Once established, these tolerances provide partners

and sta with a useul reerence point or decision-making (e.g., write-os and clientacceptance, etc.).

Identiy What Can

Go WrongIdentiy the events (that is, the risk actors or exposures) that could prevent the rm

rom achieving its stated goals. This step implies that the rm has already established

clear objectives and a commitment to perorming quality work.

Prioritize Risks Using the risk tolerances established above, prioritize the events identied based on

an assessment o likelihood and impact.

What is the

Response

Needed?

Develop an appropriate response to the assessed risks to reduce the potential impact

to within the rms acceptable tolerances. Potential events (risks) with the highest

priority would be addressed rst.

Assign

ResponsibilityFor all risks that require action or monitoring, assign someone with the responsibility

to take the appropriate action and to manage the risk on a day-to-day basis.

MonitorProgress Require periodic (simple) reports rom each person assigned to manage risks on

behal o the rm (this could address matters such as compliance with the rms

quality control procedures, training requirements, sta appraisals, and independence

issues addressed).

A sample o a rms risk assessment worksheet could be as shown in the ollowing exhibit.


28/243


28

Exhibit 3.4-2

3.5 Inormation Systems

Most rms have well-developed inormation systems or keeping track o clients, time and billing,

expenditures, sta, and engagement le management. However, inormation systems that track the quality o

work produced and compliance with the rms quality control manual are oten not as well developed.

Inormation systems should also be designed to address the risks identied and assessed as part o the rms

risk assessment process.

Aspects o quality control that merit documentation and ongoing review include keeping track o the matters

set out in the ollowing exhibit.


29/243


2

Exhibit 3.5-1

Keep track o: Description

Firms RiskExposureand Stas

Commitmentto Quality

Clientacceptance/continuanceassessments.

Reportsfromallpersonsresponsibleforsomeaspectofquality.Thiscould

include minutes o committee meetings (i.e., quality control), issues addressed,

or simply that there is nothing to report. Firm-widecommunicationsonthesubjectofquality.

Mostrecentmonitoringreport,andthespecicactionstepsrequiredforeach

deciency ound or recommendation made (who, what, when, etc.). Also track

dates when action steps are completed and send out reminders when necessary.

Detailsofanyclientorthird-partycomplaintsaboutthermsworkorthe

behavior o the rms personnel. Also track how these complaints were

investigated, the results and communication with the complainant, and any

actions taken.

Ethics and

Independence

Listofprohibitedinvestments.

Detailsonwhatethical(includingindependence)threatswereidentied,andthe relevant saeguards that have been applied to eliminate or at least mitigate

such threats.

Personnel Oerofemployment.

Evidenceofreferencechecksperformedonnewemployees.

Actionstomentor,guide,andtrainnewrecruits.

Copyanddateoftheannualstaconrmationsonindependence,andsta

knowledge o the rms quality control manual.

Evidenceofstaappraisals,includingthedate,andanyactionsresultingsuchas

attending training, etc.

Stascheduling,withcomparisonsofplannedschedulingtoactual.

Datesofinternalandexternaltrainingsessions,thetopicscovered,andthe

names o those who attended.

Detailsofanydisciplinaryactionstaken.

EngagementManagement

Datestheteamplanningmeetingwasscheduledandwhenitactuallytook

place or all audit engagements.

Whatlesrequireengagementqualitycontrolreviews,whoisassigned,and

theplanneddate.Thenmatchtheplantowhoactuallyperformedthereview;

whenitoccurred;andanyissuesraisedandtheirresolution.

ReasonsforanydeparturesfromanyapplicableISArequirement,andthe

alternative audit procedures perormed to achieve the aim o that requirement.

Detailsofconsultationswithothers,andresolutionofaudit/accountingissuesraised, i any.

Reasonsforengagementdelaysandhowsuchdelayswereaddressed

and resolved. These could include changes in sta personnel, delays in

obtaining inormation, unavailability o client sta, scope restrictions, and any

disagreements with client management.

Datingoftheauditorsreportandcompliancewiththe60-dayrecommendation

or assembly o nal engagement les.

Howmonitorscommentsonthelewereaddressed.


30/243


30

3.6 Control Activities

Control activities are designed to ensure compliance with the rms established policies and procedures.

One possible way to design, implement, and monitor quality control is to ollow the PDCA (plan-do-check-

act) process. Each o the elements is described below.

Exhibit 3.6-1

Step Description

PLAN Establish the objectives and quality control processes necessary to deliver the

required outputs.

DO Implement the new processes, oten on a small scale i possible.

CHECK Measure the new processes, and compare the results against the expected results to

ascertain any dierences.

ACT Analyze the dierences to determine their cause. Each will be part o either one

or more o the P-D-C-A steps. Determine where to apply changes that includeimprovement.

For example, a rm objective may be not to release the audit report until all queries and outstanding items

have been cleared. The required policy is that the nal engagement report may not be released, led, or

otherwise distributed until certain specied approvals have been obtained. Implementation o the policy

could be controlled through a nal release process wherein a person veries that all approvals have in act

been obtained and documented. The eectiveness o the policy could be checked by periodic inspections o

the approval sign-os. I deviations are identied, the reasons would be investigated, and appropriate action

such as discipline, training, or changes in the policy would be considered.

Control activities to address all policies and procedures would not be possible or cost-eective. Firms shoulduse proessional judgment and their assessment o risk to determine what controls need to be implemented.

Control activities could be considered or:

Allthepoliciesandproceduresdocumentedinthermsqualitycontrolmanual;

Oceworkowpolicies;

Operationalpoliciesandprocedures;and

Otherpersonnel-relatedpoliciesandprocedures.

The scope or control-activity design would address all the quality control, ethical, and independence

requirements and the rms compliance with ISAs relevant to the audit.


31/243


3

Exhibit 3.6-2

Complying with ISAs Relevant to the Audit

Scope of Possible Control Activities:

Firms Values and GoalsLeadership & assigning of QC responsibilities

Risk assessment

Sta development, management, & disciplineInformation systems (independence, scheduling, clients, sta, etc.)

Documenting the QC system

QC monitoring and continual improvement

Firm

Level

Engagement

Level

LeadershipEthics and

Independence

Professional

Judgment

Professional

Skepticism

Supervision and

File Reviews

ClientAcceptance

Assign StaResponsibilities

Consultationand Use of

Experts

Documentation Release ofAudit Report

3.7 Monitoring

An important element o a control system is the monitoring o its tness and operational eectiveness.

This can be achieved through an independent review o the operating eectiveness o the rm-level and

engagement-level policies/procedures, and inspection o completed engagement les.

An eective monitoring process helps to develop a culture o continual improvement, wherein partners and

sta are committed to quality work and rewarded or improving perormance.

A rms monitoring process could be divided into two parts, as ollows:

Ongoingmonitoring (other than the cyclical le inspections)

An ongoing (suggest annual) consideration and evaluation o the rms system o quality control helps to

ensure that the policies and procedures in place are relevant, adequate, and operating eectively. When

perormed and documented on an annual basis, this monitoring will support the requirement to

communicate with sta each year about the rms plans to improve engagement quality. This scope o

ongoing monitoring addresses each o the quality control elements, and includes an assessment o whether:

The rms quality control manual has been updated or new requirements and developments,

Those assigned quality control responsibilities in the rm (i any) have actually ullled their roles, Written conrmations (by partners and sta) have been obtained to ensure each individuals

compliance with the rms policies and procedures on independence and ethics,

There is ongoing proessional development or partners and sta,

Decisions related to acceptance and continuance o client relationships and specic engagements

are in compliance with the rms policies and procedures,

The code o ethics has been ollowed,

Suitably qualied people were assigned as the engagement quality control reviewers and


32/243


32

completion o such reviews occurred beore the audit report was dated,

Communication has been made to the appropriate personnel about deciencies that have been

identied, and

Appropriate ollow-up has been made to ensure that identied deciencies in quality have been

addressed on a timely basis.

CyclicalcompletedleinspectionsThe ongoing consideration and evaluation o the rms system o quality control includes a cyclical

inspection o at least one completed engagement le or each partner. This is required to ensure

compliance with proessional/legal requirements, and that assurance reports being issued are

appropriate in the circumstances. Cyclical inspections help to identiy deciencies and training needs,

and enable the rm to make necessary changes, on a timely basis.

Upon completion o the review, the monitor would prepare a report that, ater discussion with the partners,

would be communicated to all managers and proessional sta along with the action steps to be taken.

Who can be appointed as monitor?

Monitoringofrm-levelpoliciesThe review o compliance with the rms policies would be perormed by a suitably qualied person who

ideally is not also responsible or managing or developing quality control within the rm. However, ISQC 1

recognizes that this may not always be possible in smaller rms, so sel-monitoring is acceptable. Alternatively,

an individual external to the rm, with the competence and capabilities to act as an engagement partner,

could be appointed. This would enhance the independence and objectivity o the rm.

Completedleinspections

The person appointed to inspect completed engagement les must be suitably qualied, and must not

have been involved in perorming the engagement or the engagement quality control review on the le.

3.8 Compliance with Relevant ISAs

Paragraph # Relevant Extracts rom ISAs

200.18 The auditor shall comply with all ISAs relevant to the audit. An ISA is relevant to the audit when

the ISA is in eect and the circumstances addressed by the ISA exist. (Re: Para. A53-A57)

200.22 Subject to paragraph 23, the auditor shall comply with each requirement o an ISA unless, in

the circumstances o the audit:

(a) TheentireISAisnotrelevant;or

(b) The requirement is not relevant because it is conditional and the condition does not exist.

(Re: Para. A72-A73)

200.23 In exceptional circumstances, the auditor may judge it necessary to depart rom a relevant

requirement in a ISA. In such circumstances, the auditor shall perorm alternative audit

procedures to achieve the aim o that requirement. The need or the auditor to depart rom

a relevant requirement is expected to arise only where the requirement is or a specic

procedure to be perormed and, in the specic circumstances o the audit, that procedure

would be ineective in achieving the aim o the requirement. (Re: Para. A74)

230.12 I, in exceptional circumstances, the auditor judges it necessary to depart rom a relevant

requirement in an ISA, the auditor shall document how the alternative audit procedures perormed

achieve the aim o that requirement, and the reasons or the departure. (Re: Para. A18-A19)


33/243


3

The ISAs set out the responsibilities and requirements o auditors in conducting an audit. As stated in ISA

200.18, 22, and 23, each relevant requirement (set out in the requirements section o the ISAs) is to be

ollowed by the auditor, except in exceptional circumstances, where alternative audit procedures would

be perormed to achieve the aim o that particular requirement. Note the ollowing.

Exhibit 3.8-1

ISAs Description

Status The ISAs, taken together, provide the standards or the auditors work in ullling theoverall objectives o the auditor.

The ISAs deal with the general responsibilities o the auditor, as well as the auditors urtherconsiderations relevant to the application o those responsibilities to specic topics.

Relevance Some ISAs (and thereore all o their requirements) may not be relevant in thecircumstances (e.g., internal audit or group accounts).

Some ISAs contain conditional requirements. These requirements are relevant whenthe circumstances envisioned apply and the condition exists.

Departures rom relevant ISA requirements need to be documented, along with thealternative audit procedures perormed and the reasons or the departure.

LocalLaws Auditors may be required (in addition to the ISAs) to comply with certain legal orregulatory requirements or other auditing standards o a specic jurisdiction or country.

Other The scope, eective date, and any specic limitation o the applicability o a specicISA is made clear in the ISA. However, the eective date o the ISA may also beaected by legal requirements in a particular jurisdiction.

Unless otherwise stated in the ISA, the auditor is permitted to apply an ISA beore theeective date specied therein.


34/24334

4. The Risk-Based Audit Overview

Chapter Content Relevant ISAs

Auditor objectives, basic elements, and approach to perorming

a risk-based audit. Multiple

Exhibit 4.0-1

Evaluate the audit

evidence obtained

Prepare the

auditors report

Perform riskassessment

procedures

Plan the auditDesign further

audit procedures

Perform further

audit proceduresR

iskAssessment

RiskResponse

Reporting

Paragraph # ISA Objective(s)

200.11 In conducting an audit o nancial statements, the overall objectives o the auditor are:

(a) To obtain reasonable assurance about whether the nancial statements as a whole are ree

rom material misstatement, whether due to raud or error, thereby enabling the auditor

to express an opinion on whether the nancial statements are prepared, in all material

respects,inaccordancewithanapplicablenancialreportingframework;and

(b) To report on the nancial statements, and communicate as required by the ISAs, in

accordance with the auditors ndings.


35/243


3

Paragraph # Relevant Extracts rom ISAs

200.3 The purpose o an audit is to enhance the degree o condence o intended users in the

nancial statements. This is achieved by the expression o an opinion by the auditor on

whether the nancial statements are prepared, in all material respects, in accordance with an

applicable nancial reporting ramework. In the case o most general purpose rameworks,

that opinion is on whether the nancial statements are presented airly, in all materialrespects, or give a true and air view in accordance with the ramework. An audit conducted

in accordance with ISAs and relevant ethical requirements enables the auditor to orm that

opinion. (Re: Para. A1)

200.5 As the basis or the auditors opinion, ISAs require the auditor to obtain reasonable assurance

about whether the nancial statements as a whole are ree rom material misstatement,

whether due to raud or error. Reasonable assurance is a high level o assurance. It is obtained

when the auditor has obtained sufcient appropriate audit evidence to reduce audit risk (i.e.,

the risk that the auditor expresses an inappropriate opinion when the nancial statements

are materially misstated) to an acceptably low level. However, reasonable assurance is not an

absolute level o assurance, because there are inherent limitations o an audit which result in

most o the audit evidence on which the auditor draws conclusions and bases the auditors

opinion being persuasive rather than conclusive. (Re: Para. A28-A52)

200.A34 The risks o material misstatement may exist at two levels:

Theoverallnancialstatementlevel;and

Theassertionlevelforclassesoftransactions,accountbalances,anddisclosures.

200.A40 The ISAs do not ordinarily reer to inherent risk and control risk separately, but rather to a

combined assessment o the risks o material misstatement. However, the auditor may

make separate or combined assessments o inherent and control risk depending on preerred

audit techniques or methodologies and practical considerations. The assessment o the risks

o material misstatement may be expressed in quantitative terms, such as in percentages,

or in non-quantitative terms. In any case, the need or the auditor to make appropriate risk

assessments is more important than the dierent approaches by which they may be made.

200.A45 The auditor is not expected to, and cannot, reduce audit risk to zero and cannot thereore obtainabsolute assurance that the nancial statements are ree rom material misstatement due to

raud or error. This is because there are inherent limitations o an audit, which result in most o

the audit evidence on which the auditor draws conclusions and bases the auditors opinion being

persuasive rather than conclusive. The inherent limitations o an audit arise rom:

Thenatureofnancialreporting;

Thenatureofauditprocedures;and

Theneedfortheaudittobeconductedwithinareasonableperiodoftimeandata

reasonable cost.

4.1 OverviewThe auditors overall objectives as stated in ISA 200.11 can be summarized as ollows:

Toobtainreasonableassuranceaboutwhetherthenancialstatementsasawholearefreefrom

material misstatement, whether due to raud or error, thereby enabling the auditor to express an

opinion on whether the nancial statements are prepared, in all material respects, in accordance with an

applicablenancialreportingframework;and

Toreportonthenancialstatements,andcommunicateasrequiredbytheISAs,inaccordancewiththe

auditors ndings.


36/243


36

Reasonable Assurance

Reasonable assurance is a high but not absolute level o assurance. It is obtained when the auditor has

obtained sufcient appropriate audit evidence to reduce audit risk (that is, the risk that the auditor expresses

an inappropriate opinion when the nancial statements are materially misstated) to an acceptably low level.

The auditor cannot provide absolute assurance due to the inherent limitations in the work carried out. This

results rom the majority o audit evidence (on which the auditor draws conclusions and bases the auditors

opinion) being persuasive rather than conclusive.

Inherent Limitations o an Audit

The ollowing exhibit outlines some o the inherent limitations o audit work perormed.

Exhibit 4.1-1

Limitations Reasons

TheNature

o Financial

Reporting

The preparation o nancial statements involves:

Judgment by management in applying the applicable nancial reporting

framework;and

Subjective decisions or assessments (such as estimates) by management

involving a range o acceptable interpretations or judgments.

Nature o Audit

Evidence AvailableMost o the auditors work in orming the auditors opinion consists o obtaining and

evaluating audit evidence. This evidence tends to be persuasive in character rather

than conclusive.

Audit evidence is primarily obtained rom audit procedures perormed during the course

o the audit. It may also include inormation obtained rom other sources such as:

Previousaudits;

Armsqualitycontrolproceduresforclientacceptanceandcontinuance;

Theentitysaccountingrecords;and Audit evidence prepared by an expert employed or engaged by the entity.

TheNatureof

Audit ProceduresAudit procedures, however well designed, will not detect every misstatement.

Consider the ollowing:

Any sample o less than 100% o a population introduces some risk that a

misstatementwillnotbedetected;

Management or others may not provide, intentionally or unintentionally, the

complete inormation required. Fraud may involve sophisticated and careully

organizedschemesdesignedtoconcealit;and

Audit procedures used to gather audit evidence may not detect that some

inormation is missing.

Timeliness

o Financial

Reporting

The relevance/value o nancial inormation tends to diminish over time, so a balance

needs to be struck between the reliability o inormation and its cost.

Users o nancial statements expect that the auditor will orm his or her opinion within

a reasonable period o time and at a reasonable cost. Consequently, it is impracticable

to address all inormation that may exist, or to pursue every matter exhaustively on the

assumption that inormation is in error or raudulent until proved otherwise.


37/243


3

Scope o an Audit

The scope o the auditors work and the opinion provided are usually conned to whether the nancial

statements are prepared, in all material respects, in accordance with the applicable nancial reporting

ramework. As a result, an unmodied auditors report does not assure the uture viability o the entity, nor the

efciency or eectiveness with which management has conducted the aairs o the entity.

Any extension o this basic audit responsibility, such as that required by local laws or securities regulations,would require the auditor to undertake urther work and to modiy or expand the auditors report

accordingly.

Material Misstatements

A material misstatement (either individually or the aggregate o all uncorrected misstatements and missing/

misleading disclosures in the nancial statements) has occurred when it could reasonably be expected to

inuence the economic decisions o users made on the basis o the nancial statements.

Assertions

Assertions are representations by management, explicit or otherwise, that are embodied in the nancial

statements. They relate to the recognition, measurement, presentation, and disclosure o the variouselements (amounts and disclosures) in the nancial statements. For example, the completeness assertion

relates to all transactions and events that should have been recorded having been recorded. They are used

by the auditor to consider the dierent types o potential misstatements that may occur.

4.2 Audit Risk

Audit risk is the risk o expressing an inappropriate audit opinion on nancial statements that are materially

misstated. The objective o the audit is to reduce this audit risk to an acceptably low level.

Audit risk has two key elements, as illustrated below.

Exhibit 4.2-1

Risk Nature Source

Inherent and

Control RisksThe nancial statements may contain a

material misstatement.

Entity objectives/operations and

managements design/implementation

o internal control.

Detection Risk The auditor may ail to detect a material

misstatement in the nancial statements.

Nature and extent o the procedures

perormed by the auditor.

To reduce audit risk to an acceptably low level, the auditor is required to:

Assesstherisksofmaterialmisstatement;and

Limitdetectionrisk.Thismaybeachievedbyperformingproceduresthatrespondtotheassessedrisks

o material misstatement, both at the nancial statement level and at the assertion level or classes o

transactions, account balance, and disclosures.

Audit Risk Components

The major components o audit risk are described in the ollowing exhibit.


38/243


38

Exhibit 4.2-2

Nature Description Commentary

Inherent Risk The susceptibility o an assertion about a

class o transaction, account balance, or

disclosure to a misstatement that could

be material, either individually or whenaggregated with other misstatements,

beore consideration o any related

controls.

This includes events or conditions

(internal or external) that could result

in a misstatement (error or raud) in the

nancial statements. The sources o risk(oten categorized as business or raud

risks) can arise rom the entitys objectives,

the nature o its operations/industry,

the regulatory environment in which it

operates, and its size and complexity.

Control Risk The risk that a misstatement that could

occur in an assertion about a class

o transaction, account balance, or

disclosure and that could be material,

either individually or when aggregatedwith other misstatements, will not be

prevented, or detected and corrected,

on a timely basis by the entitys internal

control.

Management designs controls to

mitigate a specied inherent (business

or raud) risk actor. An entity assesses its

risks (risk assessment) and then designs

and implements appropriate controlsto reduce its risk exposure to a tolerable

(acceptable) level.

Controls may be:

Pervasiveinnature,suchas

managements attitude toward

control, commitment to hiring

competent people, and prevention

o raud. These are generally called

entity-levelcontrols;and

Specictotheinitiation,processing,or recording o a particular

transaction. These are oten called

business process, activity-level, or

transaction controls.

Detection Risk The risk that the procedures perormed

by the auditor to reduce audit risk to an

acceptably low level will not detect a

misstatement that exists and that could

be material, either individually or when

aggregated with other misstatements.

The auditor assesses the risks o material

misstatement (inherent and control risk) at

the nancial statement and assertion levels.

Audit procedures are then developed to

reduce audit risk to an acceptably low

level. This includes consideration o thepotential risk o:

Selectinganinappropriateaudit

procedure;

Misapplyinganappropriateaudit

procedure;or

Misinterpretingtheresultsfroman

audit procedure.


39/243


3

Note: The ISAs dene the risk o material misstatement at the assertion level as consisting o two

components: inherent risk and control risk. Consequently, the ISAs do not ordinarily reer to inherent

risk and control risk separately, but rather to a combined assessment o the risks o material

misstatement. However, the auditor may make separate or combined assessments o inherent and

control risk, depending on preerred audit techniques or methodologies and practical considerations.

CONSIDERPOINT

Separate business and raud risks

Many inherent risks can result in both business and raud risks. For example, a new accounting system

may create potential or errors (business risk), but may also provide an opportunity or someone to

manipulate nancial results or misappropriate unds (raud risk).

So when a business risk is identied always consider whether this also creates a raud risk. I it does,

record and assess the raud risk separately rom the business risk actors. Otherwise it is possible that

the audit response will only address the business-risk element and not the raud risk.

Recording raud risks

Fraud is oten identied through the examination o:

unusualpatterns,exceptionsandodditiesintransactions/events;or

individual(s)withthemotive,opportunity,andrationalizationtocommitfraud.

I such matters are observed (during any stage o the audit) they should be recorded and assessed as

raud risks, even i they seem on the surace to be immaterial. Recording such risks will help ensure they

are appropriately considered when developing the audit response.


40/243


40

Summary o the Audit Risk Components

Exhibit 4.2-3

The ollowing chart shows the interrelationship between risk and control. The inherent risk bar contains all the

business and raud risk actors that could result in the nancial statements being materially misstated (beore

any consideration o internal control). The control risk bars reect the pervasive and specic control procedures

put into eect by management to mitigate the risk that the nancial statements are misstated. The extent towhich the control risk bars do not completely mitigate the inherent risks is oten called managements residual

risk, risk appetite or risk tolerance.

Managements Response:Internal controls that mitigate the risks identied

HighLow

Entity ObjectivePrepare nancial statements that are not materially misstated

ManagementsResidual Risk

Inherent

Risk

Risk of

material

misstatement

Control

Risk

Low Risk Moderate Risk High Risk

Business/frau