Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities
Volume 2: Practical Guidance
Second Edition
Small and Medium Practices Committee
International Federation of Accountants
545 Fifth Avenue, 14th Floor
New York, NY 10017 USA
This Implementation Guide was prepared by the Small and Medium Practices Committee of
the International Federation of Accountants (IFAC). The committee represents the interests
of professional accountants operating in small- and medium-sized practices and other
professional accountants who provide services to small- and medium-sized entities.
This publication may be downloaded free of charge from the IFAC website: www.ifac.org. The
approved text is published in the English language.
The mission of IFAC is to serve the public interest, strengthen the worldwide accountancy
profession, and contribute to the development of strong international economies by
establishing and promoting adherence to high-quality professional standards, furthering the
international convergence of such standards, and speaking out on public interest issues where
the profession's expertise is most relevant.
For further information, please email [email protected].
Copyright © October 2010 by the International Federation of Accountants (IFAC). All rights
reserved. Permission is granted to make copies of this work provided that such copies are for
use in academic classrooms or for personal use and are not sold or disseminated and provided
that each copy bears the following credit line: "Copyright © October 2010 by the International
Federation of Accountants. All rights reserved. Used with permission." Otherwise, written
permission from IFAC is required to reproduce, store, or transmit this document, except as
permitted by law. Contact [email protected].
ISBN: 978-1-60815-076-2
Contents
Volume 1 (Primary ISA References in parentheses)
Preface
Request for Comments
1. How to Use the Guide
2. Clarified ISAs
Core Concepts
3. The Risk-Based Audit: Overview (Multiple)
4. Ethics, ISAs, and Quality Control (ISQC 1, 200, 220)
5. Internal Control: Purpose and Components (315)
6. Financial Statement Assertions (315)
7. Materiality and Audit Risk (320)
8. Risk Assessment Procedures (240, 315)
9. Responding to Assessed Risks (240, 300, 330, 500)
10. Further Audit Procedures (330, 505, 520)
11. Accounting Estimates (540)
12. Related Parties (550)
13. Subsequent Events (560)
14. Going Concern (570)
15. Summary of Other ISA Requirements (250, 402, 501, 510, 600, 610, 620, 720)
16. Audit Documentation (ISQC 1, 220, 230, 240, 300, 315, 330)
17. Forming an Opinion on Financial Statements (700)
Volume 2 (Primary ISA Reference in parentheses)
Preface
Request for Comments
1. How to Use the Guide
2. Introduction to the Case Studies
PHASE 1: Risk Assessment
3. Risk Assessment: Overview
Preliminary Activities
4. Engagement Acceptance and Continuance (ISQC 1, 210, 220, 300)
Planning the Audit
5. Overall Audit Strategy (300)
6. Determining and Using Materiality (320, 450)
7. Audit Team Discussions (240, 300, 315)
Performing Risk Assessment Procedures
8. Inherent Risks: Identification (240, 315)
9. Inherent Risks: Assessment (240, 315)
10. Significant Risks (240, 315, 300)
11. Understanding Internal Control (240, 315)
12. Evaluating Internal Control (315)
13. Communicating Deficiencies in Internal Control (265)
14. Concluding the Risk Assessment Phase (315)
PHASE II: Risk Response
15. Risk Response: An Overview
16. The Responsive Audit Plan (260, 300, 330, 500)
17. Determining the Extent of Testing (330, 500, 530)
18. Documenting Work Performed (230, 500)
19. Written Representations (580)
PHASE III: Reporting
20. Reporting: Overview
21. Evaluating Audit Evidence (220, 330, 450, 520, 540)
22. Communicating with Those Charged With Governance (260, 450)
23. Modifications to the Auditor's Report (705)
24. Emphasis of Matter and Other Matter Paragraphs (706)
25. Comparative Information (710)
Preface
The second edition of this Guide was commissioned by the IFAC Small and Medium Practices (SMP)
Committee to assist practitioners on the audit of small- and medium-sized entities (SMEs), and to promote
consistent application of the International Standards on Auditing (ISAs).
While developed by the Canadian Institute of Chartered Accountants (the CICA), the Guide is the full
responsibility of the IFAC SMP Committee. The International Auditing and Assurance Standards Board (IAASB)
staff and a global advisory panel, with members drawn from a broad cross-section of IFAC member bodies,
have assisted in reviewing the Guide.
The Guide provides non-authoritative guidance on applying ISAs. It is not to be used as a substitute for
reading the ISAs, but rather as a supplement intended to help practitioners understand and consistently
implement these standards on SME audits. The Guide does not address all aspects of ISAs, and should not be
used for the purposes of determining or demonstrating compliance with the ISAs.
The Guide is intended to explain and illustrate so as to develop a deeper understanding of an audit
conducted in compliance with ISAs. It offers a practical how-to audit approach that practitioners may use
when undertaking a risk-based audit of an SME. Ultimately it should help practitioners conduct high quality,
cost-effective SME audits, and in so doing help them to better serve the public interest. It is anticipated
that the Guide will be used by member bodies, audit firms, and others as a basis for educating and training
professional accountants and students.
IFAC member bodies and firms may use the Guide, either as it is or tailored to suit their own needs and
jurisdiction. It provides a basis from which member bodies and others can develop derivative products such
as training materials, audit software, checklists, and forms.
The IFAC SMP Committee welcomes readers to visit its International Center for Small and Medium Practices
(www.ifac.org/smp), which hosts a collection of other free publications and resources.
Sylvie Voghel
Chair, IFAC SMP Committee
October 2010
Request for Comments
This is the second edition of the Guide. While we consider this Guide to be useful and of high quality, it can be
improved. We are committed to updating this Guide on a regular basis so as to ensure that it reflects current
standards and is as useful as possible.
We welcome comments from national standard setters, IFAC member bodies, practitioners, and others. These
comments will be used to assess the Guide's usefulness and to improve it prior to publishing the third edition.
In particular, we welcome views on the following questions.
1. How do you use the Guide? For example, do you use it as a basis for training and/or as a practical
reference guide, or in some other way?
2. Do you consider the Guide to be sufficiently tailored to the audit of SMEs?
3. Do you find the Guide easy to navigate? If not, can you suggest how navigation can be improved?
4. In what other ways do you think the Guide can be made more useful?
5. Are you aware of any derivative products (such as training materials, forms, checklists, and programs)
that have been developed based on the Guide? If so, please provide details.
Please submit your comments to Paul Thompson, Senior Technical Manager at:
Email: [email protected]
Fax: +1 212-286-9570
Mail: Small and Medium Practices Committee
International Federation of Accountants
545 Fifth Avenue, 14th Floor
New York, New York 10017, USA
Disclaimer
This Guide is designed to assist practitioners in the implementation of the International
Standards of Auditing (ISAs) on the audit of small- and medium-sized entities, but is not
intended to be a substitute for the ISAs themselves. Furthermore, a practitioner should
utilize this Guide in light of his/her professional judgment and the facts and circumstances
involved in each particular audit. IFAC disclaims any responsibility or liability that may occur,
directly or indirectly, as a consequence of the use and application of this Guide.
1. How to Use the Guide
The purpose of this Guide is to provide practical guidance to practitioners conducting audit engagements for
small- and medium-sized entities (SMEs). However, no material in the Guide should be used as a substitute for:
- Reading and understanding of the ISAs
  It is assumed that practitioners have read the text of the International Standards on Auditing (ISAs) as
  contained in the 2010 IFAC Handbook of International Quality Control, Auditing, Review, Other Assurance,
  and Related Services Pronouncements (IFAC Handbook), which can be downloaded free of charge from
  the IFAC online publications and resources site at web.ifac.org/publications. ISA 200.19 states that the
  auditor shall have an understanding of the entire text of an ISA, including its application and other
  explanatory material, to understand its objectives and to apply its requirements properly. The ISAs, as
  well as frequently asked questions (FAQs) and other support materials, can also be obtained from the
  Clarity Center at web.ifac.org/clarity-center/index.
- Use of professional judgment
  Professional judgment is required based on the particular facts and circumstances involved in the firm
  and each particular engagement, and where interpretation of a particular standard is required.
While it is expected that small- and medium-sized practices (SMPs) will be a significant user group, this Guide
is intended to help all practitioners to implement ISAs on SME audits.
This Guide can be used to:
- Develop a deeper understanding of an audit conducted in compliance with the ISAs;
- Develop a staff manual (supplemented as necessary for local requirements and a firm's procedure) to be
  used for day-to-day reference, and as a basis for training sessions and individual study and discussion; and
- Ensure that staff adopt a consistent approach to planning and performing an audit.
This Guide often refers to an audit team, which implies that more than one auditor is involved in conducting
the audit engagement. However, the same general principles also apply to audit engagements performed
exclusively by one person (the practitioner).
1.1 Reproduction, Translation, and Adaptation of the Guide
IFAC encourages and facilitates the reproduction, translation, and adaptation of its publications. Interested
parties wishing to reproduce, translate, or adapt this Guide should contact [email protected].
1.2 Content and Organization
Rather than just summarize each ISA in turn, the Guide has been organized into two volumes as follows:
- Volume 1: Core Concepts
- Volume 2: Practical Guidance
This is Volume 2 of the Guide, which focuses on how to apply the concepts outlined in Volume 1. It follows the
typical stages involved in performing an audit, starting with client acceptance, planning, and risk assessment,
and then the risk response, evaluating audit evidence obtained, and forming an appropriate audit opinion.
To avoid repetition, Volume 2 has not repeated the requirements of ISAs that address specific audit issues
such as estimates, related parties, subsequent events, going concern, and various other ISAs. Volume 1
summarizes these requirements in separate chapters or as part of Chapter 15, which is entitled "Summary of
Other ISA Requirements."
Summary of Organization
Each chapter in both volumes of this Guide has been organized in the following format:
Chapter Title
Audit Process Chart: Extract
Most chapters contain an extract from the audit process chart (where applicable) to highlight the
particular activities addressed in the chapter.
Chapter Content
This outlines the content and purpose of the chapter.
Relevant ISAs
Most chapters in this Guide begin with some extracts from the ISAs that are relevant to the chapter
content. These extracts include relevant requirements and, in some cases, the objectives (sometimes
highlighted separately if/when a chapter focuses primarily on one particular ISA), selected definitions, and
application material. The inclusion of these extracts is not meant to imply that other material in the ISA not
specifically mentioned, or other ISAs that relate to the subject matter, do not need to be considered. The
extracts in the Guide are based solely on the judgment of the authors as to what is relevant for the content
of each particular chapter. For example, the requirements of ISAs 200, 220, and 300 apply throughout the
audit process, but have only been addressed specifically in one or two chapters.
Overview and Chapter Material
The overview in each chapter provides:
- Extracts from applicable ISAs, and
- An overview of what is addressed in the chapter.
The overview is followed by a more detailed discussion of the subject matter, and practical step-by-step
guidance/methodology on how to implement the relevant ISAs. This can include some cross-references to
the applicable ISAs. While the Guide focuses exclusively on the ISAs (other than the 800 series) that apply
to audits of historical financial information, reference is also made to the Code of Ethics for Professional
Accountants issued by the International Ethics Standards Board for Accountants (the IESBA Code), and the
International Standard on Quality Control 1 (ISQC 1), Quality Control for Firms that Perform Audits and
Reviews of Financial Statements, and Other Assurance and Related Services Engagements.
Consider Point
A number of Consider Points are included throughout the Guide. These Consider Points provide
practical guidance on audit matters that can easily be overlooked, or where practitioners often have
difficulty understanding and implementing certain concepts.
Illustrative Case Studies
To demonstrate how the ISAs can be applied in practice, Volume 2 of the Guide includes two case
studies. At the end of many chapters within Volume 2, two possible approaches to documenting the
application of the ISA requirements are discussed. Please refer to Volume 2, Chapter 2 of this Guide for
details about the case studies.
The purpose of the case studies and the documentation presented are purely illustrative. The
documentation provided is a small extract from a typical audit file, and it outlines just one possible way
of complying with the ISA requirements. The data, analysis, and commentary provided represent only
some of the circumstances and considerations that the auditor will need to address in a particular audit.
As always, the auditor must exercise professional judgment.
The first case study is based on a fictional entity called Dephta Furniture. This is a local, family-owned
furniture manufacturer with 10 full-time employees. The entity has a simple governance structure, few
levels of management, and straightforward transaction processing. The accounting function uses an
off-the-shelf, standard software package. The second case study is based on another fictional entity
called Kumar & Co. This is a micro-sized entity with two full-time staff plus the owner and one part-time
bookkeeper.
Other IFAC Publications
The Guide to Quality Control for Small- and Medium-sized Practices may also be read in conjunction with this
Guide. It can be downloaded free of charge from the IFAC online publications and resources site at
http://web.ifac.org/publications/small-and-medium-practices-committee/implementation-guides
1.3 Glossary of Terms
The Guide uses many of the terms as defined in the IESBA Code, Glossary of Terms, and ISAs (as contained in
the 2010 IFAC Handbook of International Quality Control, Auditing, Review, Other Assurance, and Related Services
Pronouncements). Both partners and staff must be aware of these definitions.
The Guide also uses the following terms:
Anti-Fraud Controls
These are controls designed by management to prevent or detect and correct frauds. With respect to
management override, these controls may not prevent a fraud from occurring, but would act as a deterrent
and make perpetrating a fraud more difficult to conceal. Typical examples are:
- Policies and procedures that provide additional accountability, such as signed approval for journal
  entries;
- Improved access controls for sensitive data and transactions;
- Silent alarms;
- Discrepancy and exception reports;
- Audit trails;
- Fraud contingency plans;
- Human resource procedures such as identifying/monitoring individuals with above-average fraud
  potential (for example, an excessively lavish lifestyle); and
- Mechanisms for reporting potential frauds anonymously.
Entity-Level Controls
Entity-level controls address pervasive risks. They set the tone at the top of an organization and establish
expectations for the control environment. They are often less tangible than controls that operate at the
transaction level, but have a pervasive and significant impact and influence over all other internal controls.
As such, they form the all-important foundation upon which other internal controls (if any) are built. Examples
of entity-level controls include management's commitment to ethical behavior, attitudes toward internal
control, hiring and competence of staff employed, and anti-fraud and period-end financial reporting. These
controls will have an impact on all other business processes within the entity.
Management
The person(s) with executive responsibility for the conduct of the entity's operations. For some entities in
some jurisdictions, management includes some or all of those charged with governance, for example,
executive members of a governance board, or an owner-manager.
Those Charged With Governance (TCWG)
The person(s) or organization(s) (for example, a corporate trustee) with responsibility for overseeing the
strategic direction of the entity and obligations related to the accountability of the entity. This includes
overseeing the financial reporting process. For some entities, in some jurisdictions, those charged with
governance may include management personnel, for example, executive members of a governance board
of a private or public sector entity, or an owner-manager.
Owner-Manager
This refers to the proprietors of an entity involved in the running of the entity on a day-to-day basis. In most
instances, the owner-manager will also be the person charged with governance of the entity.
Small- and Medium-Sized Accounting Practices/Firms (SMP)
Accounting practices/firms that exhibit the following characteristics: its clients are mostly small- and
medium-sized entities (SMEs); external sources are used to supplement limited in-house technical resources; and it
employs a limited number of professional staff. What constitutes an SMP will vary from one jurisdiction to
another.
1.4 Acronyms Used in the Guide
AR: Accounts receivable
Assertions (combined): C = Completeness; E = Existence; A = Accuracy and cutoff; V = Valuation
CAATs: Computer-assisted audit techniques
CU: Currency units (standard currency unit is referred to as )
FS: Financial statements
HR: Human resources
IAASB: International Auditing and Assurance Standards Board
IC: Internal Control. The five major components of internal control are as follows: CA = Control activities; CE = Control environment; IS = Information systems; MO = Monitoring; RA = Risk assessment
IESBA Code: IESBA Code of Ethics for Professional Accountants
IFAC: International Federation of Accountants
IFRS: International Financial Reporting Standards
ISAs: International Standards on Auditing
ISAEs: International Standards on Assurance Engagements
IAPSs: International Auditing Practice Statements
ISQCs: International Standards on Quality Control
ISREs: International Standards on Review Engagements
ISRSs: International Standards on Related Services
IT: Information technology
PC: Personal computer
R&D: Research and development
RMM: Risks of material misstatement
RAPs: Risk assessment procedures
SME: Small- and medium-sized entities
SMP: Small- and medium-sized (accounting) practices
TOC: Tests of controls
TCWG: Those charged with governance
WP: Work papers, working papers
2. Introduction to the Case Studies
To illustrate how the various aspects of the audit process can be documented in practice, two case studies
have been developed based on one fictional medium-sized entity and one fictional entity that is very
small. The first scenario (Case Study A) is a furniture company called Dephta Furniture, Inc. that employs
10 people. The second scenario (Case Study B) is Kumar & Co., a small entity with two people. Kumar & Co.
primarily supplies goods to Dephta Furniture, Inc. Both organizations have decided to use the IFRS reporting
framework.
Readers are cautioned that these case studies are purely illustrative. The documentation provided
is a small extract from a typical audit file, and it illustrates just one possible way of complying with
the ISA requirements. The data, analysis, and commentary provided represent only some of the
circumstances and considerations that the auditor will need to address in a particular audit. As
always, the auditor must exercise professional judgment.
Case Study A: Dephta Furniture, Inc.
Background
Dephta Furniture, Inc. is a family-owned furniture manufacturing company. It produces various kinds of
wooden household furniture, both ready-made and custom-built. Dephta has an excellent reputation for
producing quality products.
The company has three major product lines: bedroom sets, dining-room sets, and tables of all sorts. Standard
pieces of furniture can also be customized for specific needs. To tap into the power of the Internet, the
company recently set up a web site where people can buy furniture directly and pay by credit card. During
the last period, the company shipped custom orders as far as 900 kilometers away.
The manufacturing facility is located on an acre of land adjacent to Suraj Dephta's house. An addition on the
west side of Suraj's home acts as Dephta Furniture's shop. Major decisions are often made around the dining
room table (which is the first table Suraj and his father built together). He likes the symbolism of sharing a
meal on the product that produces his family's money for food.
Industry Trends
Until recently, Dephta had been growing rapidly. However, the furniture industry is currently experiencing
challenging times due to:
- A declining economy due to a world-wide recession;
- Potential customers limiting their spending on discretionary goods, including furniture;
- Competition;
- Pressure to reduce prices to attract sales; and
- Some furniture parts manufacturers going out of business, thereby causing some production delays.
Governance
The company was started in 1952 by Suraj's father, Jeewan Dephta. Jeewan first made wooden spindles and
banisters with one lathe in a small workshop next to the family home.
The company does not have a formal governance structure. Jeewan and Suraj prepare a business plan each
period, then meet once a month with a successful local businessman, Ravi Jain, to review their progress
against the plan. They also pay Ravi to comment on the practicality of their new dreams and ideas for the
business, review the operating results, and provide advice on how to deal with any specific issues that have
arisen.
Ravi's daughter, Parvin (a lawyer by training), usually accompanies her father to the meetings with Suraj and
Jeewan. Parvin offers some legal advice, but her true passion lies in marketing and promotion. It was Parvin's
idea that Dephta Furniture should expand its boundaries and start selling its products on the Internet. She
also pushed for expansion outside their local region and even to neighboring countries. Perhaps by accessing
additional markets, sales levels can be maintained despite the current economic downturn.
Personnel
Dephta Furniture, Inc. has a full-time staff of 10 employees. About six of these employees are related in some
way to the family. Most of the family members work in the production area (as needed) in addition to the
roles outlined in the exhibit below. During busy periods, two to four temporary workers may be employed as
necessary. A few of the temporary workers return regularly but, because of the lack of job security, turnover is
quite high.
As managing director, Suraj Dephta oversees all aspects of the business. Arjan Singh is in charge of sales and
he is assisted by two full-time salespeople. Dameer, Suraj's brother, looks after production, which includes
ordering raw materials and managing the inventory. Because the facility's space is limited, Suraj and Dameer
are never too far away from the production process, and they share the task of supervising the two staff
members.
Jawad Kassab (a cousin of Suraj) is in charge of the finance function and information technology (IT), and has
two staff in his group.
[Organizational Chart, Dephta Furniture, Inc.: Suraj Dephta (Managing Director); Dameer Dephta (Production) with Production Staff; Arjan Singh (Sales) with Sales Staff; Jawad Kassab (Finance & IT)]
Ownership
Jeewan is the principal shareholder with a 50% interest in the company. He has plans to start transferring
the shares to his son, Suraj, as long as Suraj continues to manage the company on a full-time basis and the
company remains profitable as a result.
Suraj and his sister, Kalyani, each hold a 15% interest.
The remaining 20% is held by a family friend, Vinjay Sharma. Vinjay is a wealthy investor who has provided
much of the capital needed to grow the company.
[Chart, Ownership of Dephta Furniture, Inc.: Jeewan 50%; Kalyani 15%; Suraj 15%; Vinjay 20%]
Kalyani is a well-known singer who travels extensively. She is not involved in the operations of the company
and totally relies on her father and brother to look after her interests.
In June of each period, Jeewan organizes a more formal business meeting. The shareholders meet in the
morning (primarily to review the financial statements) and, later in the afternoon, hold a party for all staff.
Suraj uses this occasion to tell the staff how well the business is doing and what the plans are for the future.
Operations
The company started out manufacturing chairs, tables, and spindles for railings and banisters, and has
since expanded into making simple household furniture such as dressers, wardrobes, and cabinets. Dephta
Furniture has grown considerably through strategies such as:
- Providing quality products at fair prices to local customers;
- Accepting larger furniture orders from national retailers. These large orders come with a firm delivery
  deadline (there are major penalties for late delivery) and the profit margins are much tighter than those
  for custom-made furniture;
- Being the first company in the region to sell (limited products) over the Internet; and
- Manufacturing parts such as spindles and round table legs for other local furniture manufacturers. This
  has enabled the company to purchase expensive lathes and specialized tools that other companies
  cannot afford.
Dephta also sells scrap furniture and wood (pieces rejected in the quality control process) at the factory for
cash only.
Exporting furniture to neighboring countries is also being considered. Suraj recognizes that this will mean
higher shipping costs, dealing with customs, foreign currency exchange risk, and the potential for damage
during transport. Although selling to neighboring countries means higher costs, it seems to be a small price
to pay to access potential new customers. Also, Parvin knows many people in local government and thinks
she can help to facilitate the extra paperwork involved.
Sales
The sales breakdown is approximately:
- Standard furniture (from catalog) from sales that are negotiated in person at the store: 40%
- Sales to furniture retailers: 30%
- Made-to-order (custom-built) furniture: 15%
- Internet sales: 12%
- Scrap sales from factory: 3%
[Chart, Breakdown of Sales: Store 40%; Retailers 30%; Custom 15%; Internet 12%; Scrap 3%]
Arjan Singh is a great dealmaker. He is very persistent when negotiating with customers and usually gets the
sale, although the profit margins can be slim. Despite the economic downturn, he recently bought a beautiful
family home overlooking the valley.
Notes on the sales system
Sales contracts are prepared for retail and specialized orders. Deposits of 15% of the order are
required on all custom orders, which are recorded as sales revenue when received. Two of the
large retailers require Dephta to keep 30 days of inventory on hand so that orders can be shipped
quickly to the stores when needed. These contracts also have provisions for inventory to be
returned to Dephta if it doesn't sell within a specified time period.
Sales orders are manually filled at the time of sale, except for furniture sold directly from the shop
or other small items on hand. All orders over 500 or where the sale price is below the minimum
sale price must be approved by Arjan. Invoices are prepared when the items are shipped and sent
to the customer.
For all sales out of the shop, invoices are prepared at the time of sale and entered into the
accounting system, which automatically numbers each sales transaction and provides an order
receipt upon request.
A summary of the day's Internet sales is downloaded from the web site. Details of the items
ordered are prepared and given to the production department. An invoice is prepared at the same
time and recorded into revenue, as the item has already been paid for on the customer's credit
card. The invoice marked "paid in full" accompanies all Internet orders that have been shipped.
Arjan rarely performs credit checks on customers. He knows most of them. In the past, customers
paid cash upon delivery; currently, credit is granted to match the terms that Dephta Furniture's
competitors are providing. As a result, Dephta Furniture requires a line of credit from the bank.
Each period, the number of bad debts seems to be growing.
At the end of each month, Suraj reviews the sales and accounts receivable listing. He ensures that
there are no obvious mistakes, and personally calls every customer whose account is over 90 days.
Each member of the sales staff (including Arjan) receives a commission of 15% on each sale in addition
to a minimum base salary. To motivate the salespeople, their base salary is well below the salaries of
most of the other employees. The computer system tracks sales made by each salesperson. Jawad
prints a report each month and prepares a listing of commissions that will be paid on the following
week's payroll. Either Suraj or Dameer reviews the listing of commissions and the sales to ensure that
the staff are paid the correct amount. Arjan receives by far the most sales commissions.
Information Technology
The system consists of six PCs and a server used to host the Internet site. The internal system is mainly used
for email, order taking, and accounting.
The company runs weekly back-ups of the accounting system on an external hard drive that is kept in the safe
next to the computer room. Firewall protection and password protection have all been added in the last two
periods. Last period, two PCs were stolen from the office. Access to the offices is now better secured, the PCs
are chained to desks, and the server is locked in a separate and specially cooled office.
Internet sales are managed by Jawad. The company has an agreement with the bank to process the credit
cards before any order is approved for shipping, and pays the bank 7% on each order processed. The
application program for Internet sales provides the details of each sale, including the customer's name,
address, and the items ordered. Internet transactions are downloaded daily from the website, and sales orders
are prepared and forwarded to the production department.
Human Resources and Payroll
All hiring decisions are made by Dameer and Suraj. Like his father, Suraj is committed to hiring competent
people and expects loyalty from his employees.
Employees are paid in cash at the beginning of each week. One of Jawad's staff, Karla Winston, is responsible
for payroll. She has a list of employees, and calculates the payroll and deductions based on time-card
summaries that Dameer provides to her. Suraj reviews payroll each Monday morning before instructing
Karla to hand the envelopes to employees. All employees sign a list when they pick up their envelope. The
company does not keep formal employee records.
Purchasing and Production
Dameer is responsible for purchasing and production. Because the inventory system is not very sophisticated,
he tends to over-order some items, which often results in inventory sitting in the warehouse gathering dust.
This is considered better than under-ordering supplies, which results in production delays.
Notes on the purchasing function
At least two quotes must be obtained before purchases over 5,000 are approved. The exception
is wood supplied by the local lumber mill, where Dephta has negotiated a five-year exclusive
supply contract.
The company prepares purchase orders for all inventory or capital purchases over 1,000.
Dameer approves all new vendors and supplies the details to Jawad. Jawad then sets up the
vendors in the system and enters details of invoices received.
Accounting and Finance
Jawad studied accounting at university and is well versed in accounting and financial matters. When he joined
Dephta two years ago, he quickly introduced the Sound Accounting software package by Onion Corp. with
its integrated accounts payable, accounts receivable, and capital assets modules.
Notes on the accounting and finance function
At present, the company does not have a perpetual inventory system. Inventory is counted twice a
period, once at period end and once halfway through the period. This ensures that profit margins
on sales can be accurately calculated at least twice a period.
Jawad has been frustrated by the lack of controls over inventory. He had suggested to Suraj
that inventory be counted at least four times per period to ensure that margins are reviewed
throughout the period. Suraj had overridden his recommendation, stating that it would be too
disruptive to count inventory so often and could cause the company to miss deadlines.
Although Dephta has been profitable, the gross margins have been inconsistent. Jawad does not
have an explanation as to why inventory costs are not tracked by product line.
Suraj gets very annoyed at having to pay any form of income tax, and usually pressures Jawad to
ensure that accruals are more than adequate.
Note: The following income statement and balance sheet were prepared by management. Notes to the
financial statements or a cash-flow statement have not been included.
Appendix A
Dephta Furniture, Inc.
Income Statement
(in Currency Units)
For the year ended December 31
                                        20X2        20X1        20X0
Sales                              1,437,317   1,034,322     857,400
Cost of goods sold                   879,933     689,732     528,653
Gross profit                         557,384     344,590     328,747
Distribution costs                    64,657      41,351      39,450
Administrative expenses              323,283     206,754     197,248
Finance cost                          19,471      19,279      15,829
Depreciation                          23,499      21,054      10,343
                                     430,910     288,438     262,870
Profit before tax                    126,474      56,152      65,877
Income taxes                          31,619      14,038      16,469
Net income                            94,855      42,114      49,408
Appendix B
Dephta Furniture, Inc.
Balance Sheet
(in Currency Units)
As at December 31
                                                  20X2        20X1        20X0
ASSETS
Current assets
Cash and cash equivalents                       22,246      32,522      22,947
Trade and other receivables                    177,203     110,517      82,216
Inventories                                    156,468     110,806      69,707
Prepayments and other                           12,789      10,876      23,877
                                               368,706     264,721     198,747
Non-current assets
Property, plant and equipment                  195,821     175,450     103,430
                                               564,527     440,171     302,177
EQUITY AND LIABILITIES
Current liabilities
Bank indebtedness                              123,016     107,549      55,876
Trade and other payables                       113,641     107,188      50,549
Income tax payable                              31,618      14,038      16,470
Current portion of interest-bearing loan        10,000      10,000      10,000
                                               278,275     238,775     132,895
Non-current liabilities
Interest-bearing loan                           70,000      80,000      90,000
Capital and reserves
Issued capital                                  18,643      18,643      18,643
Accumulated profits                            197,609     102,753      60,639
                                               564,527     440,171     302,177
Case Study B - Kumar & Co.
Background
Kumar & Co. was started in 1990 by Rajesh (Raj) Kumar. It is an incorporated company, but consists of only two
production personnel, Rajesh as the owner-manager, and some part-time bookkeeping assistance.
As a young boy, Raj learned the woodcrafting trade from his father, Sanjay. When Sanjay first took young Raj
under his wing, he saw that Raj also had a natural talent for woodworking, and that made him proud.
After his father died in 1976, Raj decided to invest his small savings in opening his own furniture shop, which
he called Kumar & Co.
Business Proposition
Raj's business was initially focused on producing small wooden household furniture. However, soon after
starting the business, his cousin Suraj (of Dephta Furniture) approached him with a business proposition. Suraj
asked that Raj dedicate most of his time and attention to creating spindles and table legs for furniture the
Dephta factory produced. The price Dephta was willing to pay for his products allowed him a greater profit
margin than he could get with any of his other handiwork. Raj agreed.
To encourage Raj to focus his business on serving Dephta's supply needs, Dephta purchased a 15% ownership
stake in Kumar. This helped Kumar purchase new lathes and tools to improve production efficiency.
Industry Trends
The furniture industry is currently facing a challenging economy. Kumar & Co. has experienced healthy and
steady growth, but if the demand for products from Dephta declines, Kumar's sales will also be hurt. Raj still
takes some custom furniture orders, but Dephta constitutes approximately 90% of his business.
Production
Kumar & Co. is an owner-managed company, with Raj owning 85% of the shares. There are two full-time
production personnel in addition to Raj. He is used to long workdays, and works most weekends, simply to
keep up with the orders from Dephta.
In the current period, though, Raj is rarely in the office or workshop. He does the minimum required to meet
demands, but has not been nearly as involved in approving orders, supply purchases, or record-keeping as he
once was. Apparently he is dealing with some issues at home. Raj's teenage son recently developed a health
problem that is threatening to ruin the family's reputation.
At the beginning of the period, Kumar obtained new bank financing to buy necessary raw materials and to
replace some aging equipment. The loan came with bank covenants that must be maintained or the funds
could be recalled.
Raj deals directly with Dephta personnel on orders and logs them in a notebook. The accountant then creates
invoices and receives payments. He personally organizes shipping and maintains an order/shipping log.
Raj maintains good records and keeps the following information updated:
- Order/shipping log: date order was placed, amount, type, pricing, date promised, method of delivery,
  quantity sold/shipped, date shipped, and if paid;
- Sales log: customer name, date shipped, order details (product type, quantity, type of wood, special
  requests, etc.), price, amount paid; and
- Purchases log: segregated between materials and other items.
Raj matches the shipping log to the sales log each week to ensure that no shipments are missed.
Accounting
Kumar & Co.'s part-time bookkeeper, Ruby, has been working with Raj for over 10 years and is very competent.
She maintains the accounting records and creates the monthly and annual financial statements. However, she
feels that Raj takes her services for granted. He has not increased her salary in the last three years. Ruby has
two children whom she wants to go to college, but is worried about how the tuition will be paid.
Appendix A
Kumar & Co.
Income Statement - Prepared by Management
For the year ended December 31
                                        20X2        20X1        20X0
Sales                                231,540     263,430     212,818
Cost of goods sold                   118,600     122,732     100,220
Gross profit                         112,940     140,698     112,598
Distribution costs                    13,002      19,450      12,890
Administrative expenses               71,532      91,318      68,101
Finance cost                           6,480           0           0
Depreciation                          11,541       6,871       5,020
                                     102,555     117,639      86,011
Profit before tax                     10,385      23,059      26,587
Income taxes                           5,765       6,420       8,988
Net income                             4,620      16,639      17,599
Appendix B
Kumar & Co.
Balance Sheet - Prepared by Management
As at December 31
                                                  20X2        20X1        20X0
ASSETS
Current assets
Cash and cash equivalents                        1,255      10,822       6,455
Trade and other receivables                     67,750      65,110      34,100
Inventories                                     34,613      15,445      12,607
                                               103,618      91,377      53,162
Property, plant and equipment                   54,430      22,468      20,216
                                               158,048     113,845      73,378
EQUITY AND LIABILITIES
Current liabilities
Trade and other payables                        53,100      48,820      36,500
Current portion of interest-bearing loan         4,000           0           0
                                                57,100      48,820      36,500
Non-current liabilities
Interest-bearing loan                           31,000           0           0
Capital and reserves
Issued capital                                  10,580      10,580      10,580
Accumulated profits                             59,368      54,445      26,298
                                               158,048     113,845      73,378
3. Risk Assessment Overview
Paragraph # ISA Objective(s)
315.3 The objective of the auditor is to identify and assess the risks of material misstatement,
whether due to fraud or error, at the financial statement and assertion levels, through
understanding the entity and its environment, including the entity's internal control, thereby
providing a basis for designing and implementing responses to the assessed risks of material
misstatement.
A simpler way of describing the three elements is illustrated below.
Exhibit 3.0-1
Risk Assessment: What events* could occur that would cause a material misstatement in the
financial statements?
Risk Response: Did the events* identified occur and result in a material misstatement in the
financial statements?
Reporting: What audit opinion, based on the evidence obtained, is appropriate on the
financial statements?
* An event is simply a business or fraud risk factor (see descriptions in Volume 1, Chapter 3, Exhibit
3.2-2) that, if it actually occurred, would adversely affect the entity's ability to achieve its objective
of preparing financial statements that do not contain material misstatements resulting from error
and fraud. This would also include risks resulting from the absence of internal control to mitigate the
potential for material misstatements in the financial statements.
The major steps involved in the risk assessment phase of the audit, in the order they would normally be
performed, are outlined in the following exhibit.
Exhibit 3.0-2
[Flowchart of the risk assessment phase. Box labels: Decide to Accept/Continue Engagement; Planning
Activities; Determine materiality; Team planning meeting; Overall audit strategy; Risk Assessment
Procedures; Identify & assess inherent risks; Identify & assess control risks; Conclude: Assess RMM*
(fraud & error) at financial statement and assertion levels; Communicate significant deficiencies;
Document findings and any changes to the plan; Quality Controls Ethics, Independence, and ISAs.]
* RMM = Risks of Material Misstatement
The core concepts addressed in the risk assessment phase are set out below.
Core Concepts Risk Assessment Phase     Volume and Chapters
Internal Control                        V1 - 5
Financial Statement Assertions          V1 - 6
Materiality and Audit Risk              V1 - 7
Risk Assessment Procedures              V1 - 8
4. Engagement Acceptance and Continuance
Chapter Content
Guidance on procedures required to:
- Identify and assess risk factors relevant to deciding whether to
  accept or decline the audit engagement; and
- Agree upon and document the terms of the engagement.
Relevant ISAs/ISQC 1: 210, 220, 300 and ISQC 1
Exhibit 4.0-1
Activity: Perform preliminary engagement activities
Purpose: Decide whether to accept engagement
Documentation: Listing of risk factors; Independence; Engagement letter
The major steps in the engagement acceptance/continuance process are outlined below.
Exhibit 4.0-2
[Flowchart: Process to accept/continue with an audit engagement. Decision points (Yes/No): Does firm
have resources, time, & competence? Is the firm independent and free from conflict? Are risks involved
acceptable? Accept or Continue? Are the audit preconditions present? (1) Any scope limitations?
Other boxes: Agree on terms of engagement; Prepare/sign engagement letter; Stop. Throughout: Document
procedures performed and how threats and issues were resolved.]
(1) For further information, refer to Volume 2, Chapter 4.3.
Paragraph # ISA Objective(s)
210.3 The objective of the auditor is to accept or continue an audit engagement only when the basis
upon which it is to be performed has been agreed, through:
(a) Establishing whether the preconditions for an audit are present; and
(b) Confirming that there is a common understanding between the auditor and management
and, where appropriate, those charged with governance of the terms of the audit
engagement.
Paragraph # Relevant Extracts from ISAs/ISQC 1
ISQC 1.26 The firm shall establish policies and procedures for the acceptance and continuance of
client relationships and specific engagements, designed to provide the firm with reasonable
assurance that it will only undertake or continue relationships and engagements where the
firm:
(a) Is competent to perform the engagement and has the capabilities, including time and
resources, to do so; (Ref: Para. A18, A23)
(b) Can comply with relevant ethical requirements; and
(c) Has considered the integrity of the client, and does not have information that would lead
it to conclude that the client lacks integrity. (Ref: Para. A19-A20, A23)
ISQC 1.27 Such policies and procedures shall require:
(a) The firm to obtain such information as it considers necessary in the circumstances before
accepting an engagement with a new client, when deciding whether to continue an
existing engagement, and when considering acceptance of a new engagement with an
existing client. (Ref: Para. A21, A23)
(b) If a potential conflict of interest is identified in accepting an engagement from a new or an
existing client, the firm to determine whether it is appropriate to accept the engagement.
(c) If issues have been identified, and the firm decides to accept or continue the client
relationship or a specific engagement, the firm to document how the issues were resolved.
ISQC 1.28 The firm shall establish policies and procedures on continuing an engagement and the client
relationship, addressing the circumstances where the firm obtains information that would have
caused it to decline the engagement had that information been available earlier. Such policies
and procedures shall include consideration of:
(a) The professional and legal responsibilities that apply to the circumstances, including
whether there is a requirement for the firm to report to the person or persons who made
the appointment or, in some cases, to regulatory authorities; and
(b) The possibility of withdrawing from the engagement or from both the engagement and
the client relationship. (Ref: Para. A22-A23)
210.4 For purposes of the ISAs, the following term has the meaning attributed below:
Preconditions for an audit - The use by management of an acceptable financial reporting
framework in the preparation of the financial statements and the agreement of management
and, where appropriate, those charged with governance to the premise on which an audit is
conducted.
220.12 The engagement partner shall be satisfied that appropriate procedures regarding the
acceptance and continuance of client relationships and audit engagements have been
followed, and shall determine that conclusions reached in this regard are appropriate. (Ref:
Para. A8-A9)
220.13 If the engagement partner obtains information that would have caused the firm to decline the
audit engagement had that information been available earlier, the engagement partner shall
communicate that information promptly to the firm, so that the firm and the engagement
partner can take the necessary action. (Ref: Para. A9)
300.13 The auditor shall undertake the following activities prior to starting an initial audit:
(a) Performing procedures required by ISA 220 regarding the acceptance of the client
relationship and the specific audit engagement; and
(b) Communicating with the predecessor auditor, where there has been a change of auditors,
in compliance with relevant ethical requirements. (Ref: Para. A20)
4.1 Overview
One of the most important decisions that a firm can make is determining what engagements to accept or
which client relationships to retain. A poor decision can lead to unbillable time, unpaid fees, additional stress
on partners and staff, loss of reputation, and, worst of all, potential lawsuits.
ISQC 1 and ISA 220 require firms to develop, implement, and document their quality control procedures in
regard to their client acceptance and retention policies. Ideally, these policies and procedures should address
the level of risk (risk tolerance) and the client characteristics (such as poor management integrity, a high-risk
industry, or a publicly-traded company) that would not be acceptable to the firm.
For more information, refer to ISQC 1 and ISA 220, and to IFAC's Guide to Quality Control for Use by Small- and
Medium-Sized Practices (QC Guide).
Before a firm decides to accept or retain an engagement, the auditor is required to:
- Establish the acceptability of the proposed financial reporting framework;
- Assess whether the firm can comply with relevant ethical requirements;
- Obtain the agreement of management that it acknowledges and understands its responsibility for:
  - The preparation of the financial statements in accordance with the applicable financial reporting
    framework,
  - Such internal control as management determines is necessary to enable the preparation of
    financial statements that are free from material misstatement, whether due to fraud or error, and
  - To provide the auditor with access to all relevant information and any additional information that
    the auditor may request, plus unrestricted access to persons within the entity from whom the
    auditor determines it necessary to obtain audit evidence; and
- Perform engagement acceptance or continuance procedures. These procedures would be similar to the
  risk assessment procedures outlined in Volume 1, Chapter 8. The results (assuming the engagement is
  accepted) can later be used as part of the risk assessment.
The initial and subsequent years' assessments of the engagement risk help to ensure that the firm is:
- Independent, and that no conflicts of interest exist;
- Competent to perform the work with the required resources and time availability;
- Willing to accept the risks involved in performing the audit. This would include an assessment of
  management's integrity and attitudes toward internal control, industry trends, availability of appropriate
  audit evidence, and other factors such as the ability of the client to pay the fees involved; and
- Not aware of any new information about an existing client that would have caused the firm to decline
  the engagement if it had been known earlier.
CONSIDER POINT
There may be some very small entities requiring an audit where the owner-manager runs the entity,
has few (if any) formal documented controls in place, and can therefore override just about everything.
In these situations, the auditor has to determine whether the absence of control activities or of other
components of control may make it impossible to obtain sufficient appropriate audit evidence. If this is
the case, the auditor would exercise professional judgment in determining whether the engagement
should be declined or a modified opinion provided.
Factors to consider include:
- The entity's control environment. For example: is the owner-manager trustworthy, competent, and
  does he/she have a good attitude toward internal control?
- Is it possible to develop an overall response and further audit procedures that would respond
  appropriately to the assessed risk factors? For example, can substantive procedures be used to
  determine that all revenues and liabilities are properly recorded in the accounting records?
Once a decision has been reached to accept or continue with the client engagement, the next step is to:
- Establish whether the preconditions for an audit are present; and
- Confirm a common understanding between the auditor and management (and where appropriate,
  those charged with governance) of the terms of the audit engagement.
4.2 Engagement Acceptance
The first step in the client acceptance or continuance process is to assess the auditing firm's ability to perform
the engagement, and the risks involved. The following exhibit outlines some possible lines of inquiry.
Exhibit 4.2-1
Consider: The Firm's Quality Control Requirements
Line of inquiry:
- What (firm- and engagement-level) policies and procedures are in place to provide
  reasonable assurance that the firm will only undertake or continue relationships
  where:
  - The firm can comply with the ISA requirements; and
  - The engagement risks involved are within the firm's tolerance for risk?
Consider: What Work Is Required?
Line of inquiry:
- What is the nature and scope of the audit?
- What accounting framework will be used?
- How will the auditor's report and financial statements be used?
- What is the deadline (if any) for completing the audit?
Consider: Does the Firm Have the Competence, Resources, and Time Required?
Line of inquiry:
- Does the firm have sufficient personnel with the necessary competence and
  capabilities?
- Do the selected firm personnel have:
  - Knowledge of relevant industries or subject matters,
  - Experience with relevant regulatory or reporting requirements, or
  - Ability to gain the necessary skills and knowledge effectively?
- Are experts available, if needed?
- Where applicable, are there qualified persons available to perform the
  engagement quality control review?
- Can the firm and the available staff (in light of timing requirements for other
  clients) complete the engagement within the reporting deadline?
Consider: Is the Firm Independent?
Line of inquiry:
- Can the firm and the engagement team comply with ethical and independence
  requirements?
- Where conflicts of interest, lack of independence, or other threats have been
  identified:
  - Has appropriate action been taken to eliminate those threats or reduce
    them to an acceptable level by applying safeguards, or
  - Have steps been taken to withdraw from the engagement?
- If the entity being audited is a component of a larger group, the group
  engagement team may request certain work to be performed on the financial
  information of the component. In such cases, the group engagement team would
  first obtain an understanding of the following:
  - Whether the component auditor understands and will comply with the
    ethical (including independence) requirements that are relevant to the
    group audit,
  - The component auditor's professional competence,
  - Whether the group engagement team will be able to be involved in
    the work of the component auditor to the extent necessary to obtain
    sufficient appropriate audit evidence, and
  - Whether the component auditor operates in a regulatory environment
    that actively oversees auditors.
Consider: Are the Risks Involved Acceptable?
Line of inquiry:
- For new engagements, has the firm communicated (as required by ISA 300.13)
  with the predecessor auditor to determine if there are any reasons for not
  accepting the engagement?
- Has the firm conducted an Internet search and had discussions with firm
  personnel and other third parties (such as bankers) to identify any reasons why
  the firm should not accept the engagement?
- What are the values (tone at the top) and future goals of the entity?
- How competent are the entity's senior management and staff?
- Are there difficult or time-consuming issues to address (accounting policies,
  estimates, compliance with legislation, etc.)?
- What changes have taken place this period that will impact the engagement
  (business trends and initiatives, personnel changes, financial reporting, IT
  systems, purchase/sale of assets, regulations, etc.)?
- Is there a high level of public scrutiny and media interest?
- Is the entity in good financial health and does it have the ability to pay the firm's
  professional fees?
- Will the entity provide help to the firm in obtaining information and preparing
  schedules, analysis of balances, providing data files, etc.?
Consider: Can the Client Be Trusted?
Line of inquiry:
- Are there any scope limitations, such as unrealistic deadlines or an inability to
  obtain the required audit evidence?
- Is there any reason (or recent event) that casts doubt on the integrity of the
  principal owners, senior management, and those charged with governance of
  the entity? Consider the entity's operations, including business practices, the
  business reputation, and history of any ethical or regulatory infringements.
- Are there any indications that the entity might be involved in money laundering
  or other criminal activities?
- What is the identity and business reputation of related parties?
- Does management have a poor attitude toward internal control and an
  aggressive attitude toward interpretation of accounting standards? Consider
  corporate culture, organizational structure, risk tolerance, complexity of
  transactions, etc.
Background Checks
To ensure that the information obtained from the entity is accurate, consider what third-party information
could be obtained to validate key aspects of the risk assessment. This simple step could avert problems later
on. Examples include information from sources such as previous financial statements, income tax returns,
credit reports, and possibly (after receiving permission from the prospective client) discussions with key
advisors such as bankers, etc.
CONSIDER POINT
Before contacting third parties and collecting information on a prospective client, take steps to ensure
that all partners and staff are aware of:
- The firm's policies to protect confidential information maintained on clients;
- Requirements of any privacy legislation; and
- Requirements of the applicable code of ethics.
4.3 Pre-Conditions for an Audit
Paragraph # Relevant Extracts from ISAs
210.6 In order to establish whether the preconditions for an audit are present, the auditor shall:
(a) Determine whether the financial reporting framework to be applied in the preparation of
the financial statements is acceptable; and (Ref: Para. A2-A10)
(b) Obtain the agreement of management that it acknowledges and understands its
responsibility: (Ref: Para. A11-A14, A20)
(i) For the preparation of the financial statements in accordance with the applicable
financial reporting framework, including where relevant their fair presentation; (Ref:
Para. A15)
(ii) For such internal control as management determines is necessary to enable the
preparation of financial statements that are free from material misstatement, whether
due to fraud or error; and (Ref: Para. A16-A19)
(iii) To provide the auditor with:
a. Access to all information of which management is aware that is relevant to the
preparation of the financial statements such as records, documentation and other
matters;
b. Additional information that the auditor may request from management for the
purpose of the audit; and
c. Unrestricted access to persons within the entity from whom the auditor
determines it necessary to obtain audit evidence.
Exhibit 4.3-1
Consider: Are the Audit Preconditions Present?
Line of inquiry:
- Is the financial reporting framework (such as IFRS or a local framework) to be used in
  preparing the financial statements acceptable? Factors to consider include:
  - The nature of the entity (business, public sector, or not-for-profit);
  - The purpose of the financial statements (common purpose or for specific users);
  - The nature of the financial statements (complete set of financial statements or a
    single financial statement); and
  - Whether law or regulation prescribes the applicable financial reporting framework.
- Does management agree to and acknowledge/understand its responsibility for:
  - Preparing the financial statements in accordance with the applicable financial
    reporting framework, including (where relevant) their fair presentation;
  - Such internal control as management determines is necessary to enable the
    preparation of financial statements that are free from material misstatement,
    whether due to fraud or error; and
  - Providing the auditor with:
    - Access to all relevant information such as records, documentation, and
      other matters,
    - Additional information requested from management for the purpose of
      the audit (such as written representations), and
    - Unrestricted access to persons within the entity to obtain the necessary
      audit evidence?
Consider: Is There a Scope Limitation?
Line of inquiry:
- Has management or those charged with governance imposed any type of limitation
  on the scope of the audit? This could include unrealistic deadlines, not accepting
  certain firm's staff to perform the work, and denial of access to a facility, key
  personnel, or relevant documents. If such a limitation would result in a disclaimer of
  opinion, the firm would decline the engagement, unless the firm is required by law or
  regulation to proceed with the engagement.
Where management does not acknowledge its responsibilities or agree to provide the written
representations, the auditor will not be able to obtain suf cient appropriate audit evidence. In such
circumstances, or where the fnancial reporting framework is not acceptable, the auditor is required by ISA
210.8 to decline the engagement unless required by law or regulation.
4.4 Agreeing the Terms of Engagement
Paragraph # Relevant Extracts from ISAs
210.7 If management or those charged with governance impose a limitation on the scope of the
auditor's work in the terms of a proposed audit engagement such that the auditor believes
the limitation will result in the auditor disclaiming an opinion on the financial statements, the
auditor shall not accept such a limited engagement as an audit engagement, unless required
by law or regulation to do so.
210.9 The auditor shall agree the terms of the audit engagement with management or those
charged with governance, as appropriate. (Ref: Para. A21)
210.10 Subject to paragraph 11, the agreed terms of the audit engagement shall be recorded in an
audit engagement letter or other suitable form of written agreement and shall include: (Ref:
Para. A22-A25)
(a) The objective and scope of the audit of the financial statements;
(b) The responsibilities of the auditor;
(c) The responsibilities of management;
(d) Identification of the applicable financial reporting framework for the preparation of the
financial statements; and
(e) Reference to the expected form and content of any reports to be issued by the auditor
and a statement that there may be circumstances in which a report may differ from its
expected form and content.
210.11 If law or regulation prescribes in sufficient detail the terms of the audit engagement referred to
in paragraph 10, the auditor need not record them in a written agreement, except for the fact
that such law or regulation applies and that management acknowledges and understands its
responsibilities as set out in paragraph 6(b). (Ref: Para. A22, A26-A27)
210.12 If law or regulation prescribes responsibilities of management similar to those described in
paragraph 6(b), the auditor may determine that the law or regulation includes responsibilities
that, in the auditor's judgment, are equivalent in effect to those set out in that paragraph.
For such responsibilities that are equivalent, the auditor may use the wording of the law or
regulation to describe them in the written agreement. For those responsibilities that are not
prescribed by law or regulation such that their effect is equivalent, the written agreement shall
use the description in paragraph 6(b). (Ref: Para. A26)
210.13 On recurring audits, the auditor shall assess whether circumstances require the terms of the
audit engagement to be revised and whether there is a need to remind the entity of the
existing terms of the audit engagement. (Ref: Para. A28)
210.14 The auditor shall not agree to a change in the terms of the audit engagement where there is
no reasonable justification for doing so. (Ref: Para. A29-A31)
210.15 If, prior to completing the audit engagement, the auditor is requested to change the audit
engagement to an engagement that conveys a lower level of assurance, the auditor shall
determine whether there is reasonable justification for doing so. (Ref: Para. A32-A33)
210.16 If the terms of the audit engagement are changed, the auditor and management shall agree
on and record the new terms of the engagement in an engagement letter or other suitable
form of written agreement.
210.17 If the auditor is unable to agree to a change of the terms of the audit engagement and is not
permitted by management to continue the original audit engagement, the auditor shall:
(a) Withdraw from the audit engagement where withdrawal is possible under applicable law
or regulation; and
(b) Determine whether there is any obligation, either contractual or otherwise, to report
the circumstances to other parties, such as those charged with governance, owners or
regulators.
Note: Paragraphs 18-22 of ISA 210 contain some additional considerations in engagement acceptance, such
as where financial reporting standards are supplemented by law or regulation and where the financial
reporting framework is prescribed by law or regulation.
To ensure a clear understanding between management and the auditor on the terms of engagement, an
engagement letter (or other suitable form of written agreement) is prepared and agreed upon with the appropriate
representative of senior management. To avoid any potential for misunderstanding, the engagement letter would
be finalized and signed before the engagement work commences.
Even in countries where the audit objective, scope, and obligations are established by law, an engagement
letter may still be useful to inform clients about their specific roles and responsibilities.
A sample of an engagement letter based on the example contained in ISA 210 is provided in the case study
materials that follow.
The engagement letter would address the matters set out below.
Exhibit 4.4-1
Terms Description
The Objective, Accounting Framework, Scope, and Form of Auditor's Report Resulting from the Audit of the Financial Statements
- The accounting framework to be used.
- Objective of the audit of financial statements and the anticipated form of
  auditor's report or other communication. Also, the circumstances in which a
  report may differ from its expected form and content.
- The scope of the audit, including reference to applicable legislation, regulations,
  ISAs, and ethical and other pronouncements of professional bodies to which the
  auditor adheres.
- Other parties to whom a report is required to be made (e.g., a regulator).
The Responsibilities of the Auditor
- To conduct the audit in accordance with International Standards on Auditing
  (ISAs).
- Recognition that, due to the inherent limitations of an audit and the
  limitations of internal control, there is an unavoidable risk that some material
  misstatements may not be detected, even though the audit is properly planned
  and performed in accordance with ISAs.
The Responsibilities of Management
- For the preparation of the financial statements in accordance with the
  applicable financial framework, and for designing and implementing such
  internal control as management determines is necessary to enable the
  preparation of financial statements that are free from material misstatement,
  whether due to fraud or error.
- Accept the terms of the engagement as outlined in the engagement letter.
- Provide unrestricted access to any records, documentation, and other
  information requested in connection with the audit.
- Provide unrestricted access to persons within the entity.
- Confirm auditor's expectation of receiving written confirmation from
  management concerning representations made in connection with the audit.
- Agreement of management to inform the auditor of facts that may affect the
  financial statements, of which management may become aware during the
  period from the date of the auditor's report to the date the financial statements
  are issued.
Other matters that could be included in the engagement letter are outlined below.
Exhibit 4.4-2
Terms Description
How the Audit Will Be Conducted, Any Dispute Resolution, Obligations, and Fee Arrangements
Address arrangements regarding:
- The planning and performance of the audit, including the composition of
  the audit team and details of what (if any) draft financial statements or other
  working papers are to be prepared by the client, along with the dates on which
  the auditor requires these;
- Involvement of other auditors and experts;
- Involvement of the predecessor auditor, if any, with respect to opening
  balances; and
- Other matters:
  - Any restrictions of the auditor's liability where such possibility exists,
  - The basis on which fees are computed and any billing arrangements,
  - Any obligations by the firm to provide audit working papers to other
    parties, and
  - Reference to any further agreements between the auditor and the client,
    or other letters or reports the auditor expects to issue to the client.
Client to confirm the terms of the engagement by acknowledging receipt of the
engagement letter.
Updating the Engagement Letter
When no changes have occurred, the auditor is required to assess whether there is a need to remind the
entity of the existing terms of the audit engagement. The terms of engagement may be reconfirmed at the
time of the auditor's reappointment without the need to obtain a new letter each year.
The engagement letter is required to be revised when the circumstances change. Matters that may constitute
a change in circumstance include:
- Any revised or special terms of the engagement;
- A recent change in senior management;
- A significant change in ownership;
- A significant change in the nature or size of the entity's business;
- A change in legal or regulatory requirements;
- A change in the financial reporting framework adopted in the preparation of the financial statements;
- A change in other reporting requirements; and
- Some indication that management misunderstands the objective and scope of the audit.
A Change in the Terms of the Audit Engagement
If management requests changes to the terms of the audit engagement, the auditor would consider whether
there is reasonable justification for the request, and the implications for the scope of the audit engagement.
A reasonable justification could include a change in the client's circumstances or a misunderstanding of the
nature of the original service requested.
A change would not be reasonable if it is motivated by issues raised during the audit. This could include
audit information that does not support management representations, an inability to obtain certain audit
information (which would effectively limit the scope of the audit), or evidence that is otherwise unsatisfactory.
An example might be where the auditor is unable to obtain sufficient appropriate audit evidence regarding
inventory balances, and the entity asks for the audit engagement to be changed to a review engagement to
avoid a qualified opinion or a disclaimer of opinion.
If the change in terms is reasonable, a revised engagement letter or other suitable form of written agreement
would be obtained. If, however, the auditor is unable to agree to the proposed change in terms and is not
permitted by management to continue the original audit engagement, the auditor is required to:
- Withdraw from the audit engagement where possible under applicable law or regulation; and
- Determine whether there is any obligation, either contractual or otherwise, to report the circumstances
  to other parties, such as those charged with governance, owners, or regulators.
4.5 Case Studies: Client Acceptance and Continuance
For details of the case studies, refer to Volume 2, Chapter 2: Introduction to the Case Studies.
Assuming that this is an ongoing audit engagement, the partner or senior manager in the audit firm would
make some inquiries to identify and assess any new or revised risk factors relevant to deciding to continue
with the audit engagement. Include inquiries such as the following.
Case Study A: Dephta Furniture, Inc.
Client Acceptance and Continuance
A questionnaire such as the following could be used.
Have the audit preconditions been met?
Dephta's financial statements will be prepared by management using IFRS.
The engagement letter has been signed, and management
have acknowledged their responsibility to:
- Make available all information as requested.
- Provide unlimited access to personnel.
- Design and implement such internal control as
  management determines is necessary to enable the
  preparation of financial statements that are free from
  material misstatement, whether due to fraud or error.
Have the acceptance/continuance requirements in the firm's quality control manual been followed?
Yes. Refer to policies XX and YY of our QC manual.
Any change in the terms of reference or requirements for the audit engagement?
No.
Any independence issues or conflicts of interest? Consider: family/personal relationships with
key client people, non-audit services such as accounting, financial interests, and other
business relationships.
Only matter noted was that one of our staff bought a lot
of bedroom furniture from Dephta; he paid the catalog
price. This incident is not considered a threat to our
independence.
Any circumstances that would cast doubt on the integrity of the client's owners? Consider
convictions, regulatory proceedings/sanctions, suspicion or confirmation of illegal acts or fraud,
police investigations, and any negative publicity.
No. However, Parvin (daughter of the client's business
advisor) received some negative publicity in July. She was
an advisor in a land deal where government officials were
accused of receiving bribes from developers. This matter has
also been noted on our listing of risk factors for the audit.
Are there areas where specialized knowledge is necessary?
We will use David (who is knowledgeable in the IT area) to
review controls over the Internet sales.
Does the firm have the capacity in time, competencies, and resources to complete the
engagement in accordance with professional and firm standards?
Yes. See the planned budget.
Are there any issues identified in previous audits and other engagements for this entity that need
to be addressed?
Need for a review of the general IT controls in light of the
decision to accept sales over the Internet.
Are there any new circumstances that increase our engagement risk?
No. Management has a good attitude toward internal
control.
Can the client continue to pay our fees?
Yes.
Conclusion
Overall assessment of engagement risk = Low
We should continue with this client.
Sang Jun Lee
The terms of engagement would be included in a letter such as outlined below.
Jamel, Woodwind & Wing LLP
55 Kingston St., Cabetown, United Territories 123-53004
October 15, 20X2
Mr. Suraj Dephta, Managing Director
Dephta Furniture, Inc.
2255 West Street
North Cabetown
United Territories
123-50214
Dear Mr. Dephta:
You have requested that we audit the financial statements of Dephta Furniture, which comprise the
balance sheet as at December 31, 20X2, and the income statement, statement of changes in equity and
cash-flow statement for the year then ended, and a summary of significant accounting policies and
other explanatory information. We are pleased to confirm our acceptance and our understanding of
this audit engagement by means of this letter. Our audit will be conducted with the objective of our
expressing an opinion on the financial statements.
Our Responsibilities
We will conduct our audit in accordance with International Standards on Auditing. Those standards
require that we comply with ethical requirements and plan and perform the audit to obtain reasonable
assurance about whether the financial statements are free from material misstatement. An audit
involves performing procedures to obtain audit evidence about the amounts and disclosures in the
financial statements. The procedures selected depend on the auditor's judgment, including the
assessment of the risks of material misstatement of the financial statements, whether due to fraud
or error. An audit also includes evaluating the appropriateness of accounting policies used and the
reasonableness of accounting estimates made by management, as well as evaluating the overall
presentation of the financial statements.
Because of the inherent limitations of an audit, together with the inherent limitations of internal control,
there is an unavoidable risk that some material misstatements may not be detected, even though the
audit is properly planned and performed in accordance with ISAs.
In making our risk assessments, we consider internal control relevant to the entity's preparation of the
financial statements in order to design audit procedures that are appropriate in the circumstances,
but not for the purpose of expressing an opinion on the effectiveness of the entity's internal control.
However, we will communicate to you in writing any significant deficiencies in internal control relevant
to the audit of the financial statements that we have identified during the audit.
Unless unanticipated difficulties are encountered, our report will be substantially in the following form:
[Form and content of the auditor's report has not been reproduced.]
The form and content of our report may need to be amended in the light of our audit findings.
Management's Responsibility
Our audit will be conducted on the basis that management and those charged with governance
acknowledge and understand that they have responsibility:
(a) For the preparation and fair presentation of the financial statements in accordance with International
Financial Reporting Standards;
(b) For such internal control as management determines is necessary to enable the preparation of
financial statements that are free from material misstatement, whether due to fraud or error; and
(c) To provide us with:
(i) Access to all information of which you are aware that is relevant to the preparation of the
financial statements such as records, documentation and other matters;
(ii) Additional information that we may request from you for the purpose of the audit; and
(iii) Unrestricted access to persons within the company from whom we determine it necessary to
obtain audit evidence.
As part of our audit process, we will request from management and, where appropriate, those charged
with governance written confirmation concerning representations made to us in connection with the
audit.
We look forward to full cooperation from your staff during our audit.
Fees
Our fees, which will be billed as work progresses, are based on the time required by the individuals
assigned to the engagement plus out-of-pocket expenses. Individual hourly rates vary according to the
degree of responsibility involved and the experience and skill required.
This letter will be effective for future periods unless it is terminated, amended, or superseded.
Please sign and return the attached copy of this letter to indicate that it is in accordance with your
understanding of the arrangements for our audit of the financial statements.
Yours truly,
Sang Jun Lee
Jamel, Woodwind & Wing, LLP
Acknowledged on behalf of Dephta Furniture, Inc. by
Suraj Dephta
Managing Director
November 1, 20X2
Case Study B: Kumar & Co.
Client Acceptance and Continuance
Assuming that this is an ongoing audit engagement, the inquiries to identify and assess any new or revised
risk factors could be documented in a memo as follows.
Client Continuance Memo: Kumar & Co.
October 15, 20X2
We spoke to the client, Raj Kumar, on September 15, 20X2 to determine whether we should accept this
engagement.
Matters arising:
- Raj requires an audit opinion on the financial statements of Kumar & Co. using IFRS.
- We have not identified any threats to our independence.
- Nothing new happened that might raise concerns over the integrity of the owner.
- Operations are similar to the previous period, although Raj's absence from day-to-day operations
does create more opportunity for fraud to be committed. We should consider expanding our
substantive procedures this year to address the potential fraud risks.
- No additional specialists are necessary, and the same people as last period can perform the audit.
Two possible concerns this period:
- The company has experienced a drop in demand for products from its major customer, Dephta.
- Raj has diverted much of his focus to personal family matters. During our audit, we should ensure
that books and records have been kept up to date and that no undetected errors occurred. This
could also create a fraud risk.
Overall assessment of engagement risk = Moderate
We will accept this engagement for the current period.
Sang Jun Lee
The terms of engagement would be included in a letter that would be very similar to the example previously
provided in Case Study A: Dephta Furniture, Inc.
5. Overall Audit Strategy
Chapter Content: Outline of steps involved in developing an overall plan and strategy for the audit.
Relevant ISA: 300
Exhibit 5.0-1
[Figure: Risk Assessment phase of the audit, shown as Activity / Purpose / Documentation (see note 1)]
Activity: Perform preliminary engagement activities. Purpose: Decide whether to accept engagement. Documentation: Listing of risk factors; Independence; Engagement letter.
Activity: Plan the audit. Purpose: Develop an overall audit strategy and audit plan (see note 2). Documentation: Materiality; Audit team discussions; Overall audit strategy.
Notes:
1. Refer to ISA 230 for a more complete list of documentation required.
2. Planning (ISA 300) is a continual and iterative process throughout the audit.
Paragraph # ISA Objective(s)
300.4 The objective of the auditor is to plan the audit so that it will be performed in an effective
manner.
Paragraph # Relevant Extracts from ISAs
300.5 The engagement partner and other key members of the engagement team shall be involved in
planning the audit, including planning and participating in the discussion among engagement
team members. (Ref: Para. A4)
300.7 The auditor shall establish an overall audit strategy that sets the scope, timing and direction of
the audit, and that guides the development of the audit plan.
300.8 In establishing the overall audit strategy, the auditor shall:
(a) Identify the characteristics of the engagement that define its scope;
(b) Ascertain the reporting objectives of the engagement to plan the timing of the audit and
the nature of the communications required;
(c) Consider the factors that, in the auditor's professional judgment, are significant in
directing the engagement team's efforts;
(d) Consider the results of preliminary engagement activities and, where applicable, whether
knowledge gained on other engagements performed by the engagement partner for the
entity is relevant; and
(e) Ascertain the nature, timing and extent of resources necessary to perform the
engagement. (Ref: Para. A8-A11)
300.9 The auditor shall develop an audit plan that shall include a description of:
(a) The nature, timing and extent of planned risk assessment procedures, as determined
under ISA 315.
(b) The nature, timing and extent of planned further audit procedures at the assertion level,
as determined under ISA 330.
(c) Other planned audit procedures that are required to be carried out so that the
engagement complies with ISAs. (Ref: Para. A12)
300.10 The auditor shall update and change the overall audit strategy and the audit plan as necessary
during the course of the audit. (Ref: Para. A13)
300.11 The auditor shall plan the nature, timing and extent of direction and supervision of
engagement team members and the review of their work. (Ref: Para. A14-A15)
300.15 The auditor shall plan and perform an audit with professional skepticism recognizing that
circumstances may exist that cause the financial statements to be materially misstated. (Ref:
Para. A18-A22)
5.1 Overview
Planning is important to ensure that the engagement is performed in an efficient and effective manner and
that audit risk has been reduced to an acceptably low level.
Audit planning is not a discrete phase of the audit. It is a continual and iterative process that starts shortly
after completion of the previous audit, and continues until the completion of the current audit.
The benefits of audit planning are outlined in the exhibit below.
Exhibit 5.1-1
Benefits of Audit Planning
- Team members learn from the experience/insight of the partner and other key
  personnel.
- The engagement is properly organized, staffed, and managed.
- Experience gained from previous periods' engagements and other assignments
  is properly utilized.
- Important areas of the audit receive the appropriate attention.
- Potential problems are identified and resolved on a timely basis.
- Audit file documentation is reviewed on a timely basis.
- Work performed by others is coordinated (other auditors, experts, etc.).
There are two levels of planning for the audit as illustrated in the exhibit below.
Exhibit 5.1-2
Overall Audit Strategy
- Engagement characteristics
- Reporting objectives
- Significant factors and experience (materiality, risk factors, etc.)
- Nature, timing, and extent of resources necessary
Detailed Audit Plan
- Nature, timing, and extent of planned procedures
  - Risk assessment procedures
  - Further audit procedures
Continually update and change audit plans as required
[Figure labels: Audit Planning; Risk Assessment; Risk Response; Reporting; Communications with management & those charged with governance]
CONSIDER POINT
It is often said that an hour spent planning can save five hours in execution. A well-planned audit
ensures that the audit effort is directed to addressing the high-risk areas, that unnecessary audit
procedures are scoped out, and that audit staff knows what is expected of them.
Development of the overall audit strategy begins at the commencement of the engagement, and is
completed and then updated based on the information obtained from:
- Previous experience with the entity;
- Preliminary (client acceptance and continuation) activities;
- Discussions with the client on changes since last period and recent operating results;
- Other engagements performed for the client during the period;
- Audit team discussions and meetings;
- Other external sources such as newspaper and Internet articles; and
- New information obtained, failed audit procedures, or new circumstances encountered during the audit
  that will change previously planned strategies.
The detailed audit plan will begin a little later when the specific risk assessment procedures are planned
and when there is sufficient information about assessed risks to develop an appropriate audit response. The
requirements for developing the detailed audit plan are addressed in Volume 2, Chapter 16.
The time required to prepare an overall audit strategy will vary based on:
- The size and complexity of the entity;
- The composition and size of the audit team. Smaller audits will also have smaller teams, making
  planning, coordination, and communication easier;
- Previous experience with the entity; and
- Circumstances encountered in performing the audit.
CONSIDER POINT
Small entity audits are often conducted by very small audit teams. This makes coordination and
communication among the team members easier, and development of the overall audit strategy can
be straightforward. Documentation for small entities may be in the form of a brief memorandum that
includes:
- Nature of engagement and timing;
- Issues identified in the audit just completed;
- What has changed in the current period;
- Any revisions required in the overall audit strategy or in the detailed audit plan; and
- Specific responsibilities of each member of the audit team.
Planning for the current period can start with a brief memo prepared at the end of the previous audit.
However, the memo needs to be updated for the current period, based on discussions with the
owner-manager and the results of audit team meetings.
5.2 Developing the Overall Audit Strategy
The overall audit strategy is a record of the key decisions considered necessary to properly plan the audit
and to communicate significant matters to the engagement team. The strategy will document the decisions
arising from conducting the planning steps outlined in the exhibit below. Note that specific details of risk
assessment and further audit procedures to be performed would be documented in the detailed audit plan.
Exhibit 5.2-1
Basic Steps Description
Getting Started
- Perform preliminary activities (client acceptance/continuance and establish the
  terms of engagement).
- Gather relevant information about the entity such as current operating results,
  results from previous engagements, and significant changes in the current period.
- Assign staff to the engagement, including, where applicable, the engagement
  quality control reviewer and any experts required.
- Schedule the audit team meeting (including the engagement partner) to
  discuss the susceptibility of material misstatements (including fraud) in the
  financial statements.
- Determine the appropriate timeframes (dates) when each aspect of audit work
  will be undertaken (inventory counts, risk assessment procedures, external
  confirmations, the period-end visit, and meetings to discuss audit results).
Assessing Risks and Responses
- Determine materiality for the financial statements as a whole, and performance
  materiality.
- Determine the nature and extent of the required risk assessment procedures
  and who will perform them.
- When risk has been assessed at the financial statement level, develop an
  appropriate overall response (refer to Volume 1, Chapter 9). Also include the
  impact on the further audit procedures to be performed.
- Communicate an overview of the planned scope and timing of the audit to
  those charged with governance.
- Update and change the strategy and audit plan as necessary in light of new
  circumstances.
When the risks of material misstatement have been identified and assessed, the overall strategy (including
timing, staffing, and supervision) can be finalized, and the detailed audit plan developed. The detailed plan
will set out the further audit procedures required at the assertion level that respond to the identified and
assessed risks.
As work commences, changes may be required to the overall strategy and detailed plans to respond to new
circumstances, audit findings, and other information obtained. Any such changes are to be documented
along with the reasons in the audit documentation, such as the overall audit strategy or audit plan.
The overall strategy documents relevant matters such as those listed below.
Exhibit 5.2-2
Document Description
Engagement Characteristics
- The financial reporting framework to be used.
- Additional reports required, such as stand-alone financial and industry-specific
  requirements (by regulators, etc.).
- Any need for specialized knowledge or expertise to address complex, specific,
  and high-risk audit areas.
- Evidence required from service organizations.
- Use of evidence obtained in previous audits (such as risk assessment procedures
  and tests of controls).
- Effect of information technology on audit procedures (availability of data and
  use of computer-assisted audit techniques).
- Need to introduce some unpredictability in performing audit procedures.
- Availability of entity personnel and data.
Reporting Objectives
- Entity's timetable for reporting.
- Timing of meetings with management and those charged with governance to
  discuss:
  - The nature, timing, and extent of the audit work. This could include
    dates for inventory counts, external confirmations, and interim and other
    required procedures,
  - Status of audit work throughout the engagement, and
  - The auditor's report and other communications such as management
    letters.
- Timing of meetings/communications among engagement team members to
  discuss:
  - Entity risk factors (business and fraud),
  - Nature, timing, and extent of work to be performed,
  - Review of work performed, and
  - Other communications with third parties.
Significant Factors
Materiality (overall, individual financial statement areas, and performance
materiality).
Preliminary assessment of risk at the overall financial statement level and the
impact on the audit.
Preliminary identification of:
- Significant and material classes of transactions, account balances, and
disclosures, and
- Areas where there may be a higher risk of material misstatement.
How engagement team members will be reminded to maintain a questioning mind
and to exercise professional skepticism in gathering and evaluating audit evidence.
Relevant results of previous audits, including identified control deficiencies and
action taken by management to address them.
Discussions with firm's personnel who provided other services to the entity.
Evidence of management's attitude toward internal control, and importance
attached to internal control generally throughout the entity.
Volume of transactions, which may determine whether it is more efficient for
the auditor to rely on internal control.
Significant Changes and Developments
Significant business developments affecting the entity, including changes in
information technology and business processes, changes in key management
and acquisitions, mergers, and divestitures.
Significant industry developments, such as changes in industry regulations and
new reporting requirements.
Significant changes in the financial reporting framework, such as changes in
accounting standards.
Other significant relevant developments, such as changes in the legal
environment affecting the entity.
Nature, Timing, and Extent of Resources Required
The engagement team (including, where necessary, the engagement quality
control reviewer).
Assignment of audit work to the team members, including the assignment of
appropriately experienced team members to areas where there may be higher
risks of material misstatement.
Engagement budgeting, including considering the appropriate amount of time
to set aside for areas where there may be higher risks of material misstatement.
If the entity has components (such as subsidiaries or operating divisions), reference should be made to the
additional planning considerations outlined in the Appendix to ISA 300 and to the requirements of ISA 600.
For smaller entities, a brief memorandum may serve as the documented overall strategy. For the audit plan,
standard audit programs or checklists may be used, assuming there are few relevant control activities and
provided the programs are tailored to the circumstances of the engagement, including the auditor's risk
assessments.
5.3 Communicating the Audit Plan With Management and Those Charged With Governance
Paragraph # Relevant Extracts from ISAs
260.15 The auditor shall communicate with those charged with governance an overview of the
planned scope and timing of the audit. (Ref: Para. A11-A15)
An ongoing, two-way dialogue with management and those charged with governance can play an important
role in the audit planning process. Good communication regarding the planned scope and timing of the audit
may assist management and those charged with governance to:
Understand the consequences of the auditor's work;
Discuss issues of risk and the concept of materiality with the auditor; and
Identify any areas in which they may request the auditor to undertake additional procedures.
This dialogue may also assist the auditor in developing a better understanding of the entity and its
environment.
Take care, though, not to compromise the effectiveness of the audit. For example, communicating the exact
nature and timing of detailed audit procedures may reduce the effectiveness of those procedures by making
them too predictable.
Matters that the auditor may consider for communication include:
How the auditor proposes to address the significant risks of material misstatement, whether due to
fraud or error;
The auditor's approach to internal control relevant to the audit; and
The application of materiality in the context of an audit.
Other planning matters that may be appropriate to discuss include:
The views of those charged with governance of:
- The allocation of responsibilities between those charged with governance and management,
- The entity's objectives and strategies, and the related business risks that may result in material
misstatements,
- Matters that those charged with governance consider warrant particular attention during the
audit, and any areas where they request additional procedures to be undertaken,
- Significant communications with regulators, and
- Other matters that those charged with governance consider may influence the audit of the
financial statements;
The attitudes, awareness, and actions of those charged with governance concerning:
- The entity's internal control and its importance in the entity, including how those charged with
governance oversee the effectiveness of internal control, and
- The detection or possibility of fraud;
The actions of those charged with governance in response to developments in accounting standards,
corporate governance practices, and other related matters; and
The responses of those charged with governance to previous communications with the auditor.
Note: This two-way communication does not change the auditor's sole responsibility to establish the overall
audit strategy and the audit plan, including the nature, timing, and extent of procedures necessary to
obtain sufficient appropriate audit evidence.
Further matters may be required to be communicated by law or regulation, by agreement with the entity, or
by additional requirements applicable to the engagement. Also note that ISA 265 sets out the requirements to
communicate significant deficiencies identified in internal control.
5.4 Documentation
Paragraph # Relevant Extracts from ISAs
300.12 The auditor shall include in the audit documentation:
(a) The overall audit strategy;
(b) The audit plan; and
(c) Any significant changes made during the audit engagement to the overall audit strategy
or the audit plan, and the reasons for such changes. (Ref: Para. A16-A19)
The overall audit strategy and detailed audit plan, including details of any significant changes made
during the audit engagement, would be documented. The auditor may use a memorandum, standard
audit programs, or audit completion checklists, tailored as needed to reflect the particular engagement
circumstances.
5.5 Case Studies: The Overall Audit Strategy
For details of the case studies, refer to Volume 2, Chapter 2: Introduction to the Case Studies.
Once the decision has been made to continue with the audit, the next step is to develop or update the overall
audit strategy for conducting the engagement. This can be documented by some form of planning checklist
or a brief structured memorandum (see the consider point above) such as the examples that follow.
Case Study A: Dephta Furniture, Inc.
Dephta Furniture, Inc.
Overall strategy memo
Period end December 31, 20X2
Scope
The scope of the audit has not changed this period. Audit to comply with ISAs and the IFRS accounting
framework. There have been no changes in IFRS that affect Dephta this year.
Entity Changes
Dephta is planning to make sales in foreign currencies.
Internet sales are also increasing and Dephta's IT capabilities will be stretched.
Dephta is now selling to Franjawa Merchandising. This company is renowned for squeezing profit
margins of suppliers in exchange for giving large orders. It also requires suppliers to maintain additional
inventories of some products for instant delivery as required.
Risk
Our assessment of risk at the financial statements level is low (refer to WP ref. #). Management is not
particularly sophisticated but there is a strong commitment to competence; it has introduced a code of
ethics and, in general, has a good attitude toward internal control.
Overall Strategy
Materiality for the financial statements as a whole will be increased from 8,000 to 10,000 this
period to reflect the growth in sales and profitability during the last period. Management bonuses
of approximately 70,000 were added back to income for calculating materiality for the financial
statements as a whole [refer to working paper on determining materiality Volume 2, Chapter 6].
Performance materiality (based on our assessment of audit risk) has been set at 7,000, except for
certain account balances as described on WP ref. #.
Use the same senior staff as last period and perform the work at the same time.
Perform our risk assessment procedures at the end of August. There are no plans to change any
systems at present.
At our team planning meeting to be held on November 15, we need to:
- Consider the susceptibility of the financial statements to fraud,
- Emphasize use of professional skepticism by our staff,
- Identify fraud scenarios by employees and management, and
- Focus on identification of related party transactions that have been growing and expanding
our testing.
Attend the period-end inventory counts. There are still no ongoing inventory control procedures.
Use David (who is knowledgeable about IT systems) to identify the risks of material misstatement
relating to the Internet sales and whether any relevant internal controls exist to mitigate such risks.
He will also assess the general IT controls.
Audit partner (signed): Sang Jun Lee
Date: October 20, 20X2
Case Study B: Kumar & Co.
Kumar & Co.
Overall strategy memo
Period end December 31, 20X2
Scope
Perform the statutory audit
Management wants to use IFRS
Risk
At the financial statement level is moderate (refer to WP ref. #).
Changes
Lower sales due to fewer orders from Dephta.
Could lead to unsaleable finished-goods inventory and sales returns.
Raj not as active in the business as in prior period, which could increase the risk of fraud.
New financing, resulting in new bank covenants to maintain.
Overall Strategy
Materiality for the financial statements as a whole will be decreased from 3,000 to 2,500 due to
decline in sales and profitability. Performance materiality (based on our assessment of audit risk)
has been set at 1,800, except for certain account balances as described on WP ref. #.
Use the same staff as last period for continuity and audit efficiency.
Perform risk assessment procedures at end of December.
At our team planning meeting to be held on November 30, we need to:
- Consider the susceptibility of the financial statements to fraud,
- Discuss the potential for employee fraud and management override. The bookkeeper seems
disgruntled and may have motivation and opportunity, as Raj has not been as involved in
reviewing the financial statements as he did in the past, and
- Focus on the growing related party transactions to Dephta.
Attend the period-end inventory count.
Expand our testing with regard to related party transactions.
Audit partner (signed): Sang Jun Lee
Date: October 20, 20X2
6. Determining and Using Materiality
Chapter Content Relevant ISAs
Determination and use of materiality in an audit engagement.
320, 450
Exhibit 6.0-1
[Figure: Risk Assessment phase of the audit, set out as Activity / Purpose / Documentation (see note 1).
Perform preliminary engagement activities / Decide whether to accept engagement / Listing of risk factors; Independence; Engagement letter.
Plan the audit / Develop an overall audit strategy and audit plan (see note 2) / Materiality; Audit team discussions; Overall audit strategy.]
Notes:
1. Refer to ISA 230 for a more complete list of documentation required.
2. Planning (ISA 300) is a continual and iterative process throughout the audit.
Exhibit 6.0-2
[Figure: Materiality levels, shown by quantitative amount.
Financial statement level (for the financial statements as a whole): Overall Materiality; Overall Performance Materiality.
Account balance, class of transactions and disclosures level (for particular financial statement areas): Specific Materiality; Specific Performance Materiality.]
Note: The terms "overall materiality" and "specific materiality" used in the exhibit above and in the text
below are used solely for the purposes of this Guide and are terms that are not used in the ISAs. Overall
materiality refers to the financial statements as a whole, and specific materiality relates to materiality of
particular classes of transactions, account balances, or disclosures.
Paragraph # ISA Objective(s)
320.8 The objective of the auditor is to apply the concept of materiality appropriately in planning
and performing the audit.
450.3 The objective of the auditor is to evaluate:
(a) The effect of identified misstatements on the audit; and
(b) The effect of uncorrected misstatements, if any, on the financial statements.
Paragraph # Relevant Extracts from ISAs
320.9 For purposes of the ISAs, performance materiality means the amount or amounts set by
the auditor at less than materiality for the financial statements as a whole to reduce to an
appropriately low level the probability that the aggregate of uncorrected and undetected
misstatements exceeds materiality for the financial statements as a whole. If applicable,
performance materiality also refers to the amount or amounts set by the auditor at less than the
materiality level or levels for particular classes of transactions, account balances or disclosures.
320.10 When establishing the overall audit strategy, the auditor shall determine materiality for the
financial statements as a whole. If, in the specific circumstances of the entity, there is one or
more particular classes of transactions, account balances or disclosures for which misstatements
of lesser amounts than materiality for the financial statements as a whole could reasonably
be expected to influence the economic decisions of users taken on the basis of the financial
statements, the auditor shall also determine the materiality level or levels to be applied to those
particular classes of transactions, account balances or disclosures. (Ref: Para. A2-A11)
320.11 The auditor shall determine performance materiality for purposes of assessing the risks
of material misstatement and determining the nature, timing and extent of further audit
procedures. (Ref: Para. A12)
320.12 The auditor shall revise materiality for the financial statements as a whole (and, if applicable,
the materiality level or levels for particular classes of transactions, account balances or
disclosures) in the event of becoming aware of information during the audit that would have
caused the auditor to have determined a different amount (or amounts) initially. (Ref: Para. A13)
320.13 If the auditor concludes that a lower materiality for the financial statements as a whole (and, if
applicable, materiality level or levels for particular classes of transactions, account balances or
disclosures) than that initially determined is appropriate, the auditor shall determine whether
it is necessary to revise performance materiality, and whether the nature, timing and extent of
the further audit procedures remain appropriate.
320.14 The auditor shall include in the audit documentation the following amounts and the factors
considered in their determination:
(a) Materiality for the financial statements as a whole (see paragraph 10);
(b) If applicable, the materiality level or levels for particular classes of transactions, account
balances or disclosures (see paragraph 10);
(c) Performance materiality (see paragraph 11); and
(d) Any revision of (a)-(c) as the audit progressed (see paragraphs 12-13).
450.6 The auditor shall determine whether the overall audit strategy and audit plan need to be
revised if:
(a) The nature of identified misstatements and the circumstances of their occurrence
indicate that other misstatements may exist that, when aggregated with misstatements
accumulated during the audit, could be material; or (Ref: Para. A4)
(b) The aggregate of misstatements accumulated during the audit approaches materiality
determined in accordance with ISA 320. (Ref: Para. A5)
6.1 Overview
Decisions made by the auditor on materiality will form the basis for risk assessments and for determining the
extent of auditing procedures required.
Determining materiality is a matter of professional judgment. It is based on the auditor's perception of the
common financial information needs of users of the financial statements as a group. Overall materiality
(which is a term used in this Guide to summarize materiality for the financial statements as a whole) is the
total amount of misstatements in a financial statement, including omissions, which, if exceeded, could
reasonably be expected to influence the economic decisions of users. This differs from audit risk, which
relates to an inappropriate audit opinion being issued on financial statements that are materially misstated.
This chapter addresses the determination of overall and specific materiality, and the auditor's use of
performance materiality to obtain sufficient and appropriate audit evidence. Materiality is used throughout
the audit for audit planning, risk assessment, risk response, and reporting. Additional information on
materiality and audit risk is contained in Volume 1, Chapter 7 of this Guide.
There are two levels of materiality to consider (overall materiality and specific materiality), as described below.
Exhibit 6.1-1
Description
Overall Materiality (For the Financial Statements as a Whole)
Materiality for the financial statements as a whole (overall materiality) is based on
the auditor's professional judgment as to the highest amount of misstatement(s)
that could be included in the financial statements without affecting the economic
decisions taken by a financial statement user. If the amount of uncorrected
misstatements, either individually or in the aggregate, is higher than the overall
materiality established for the engagement, it would mean that the financial
statements are materially misstated.
Overall materiality is based on the common financial information needs of the various
users as a group. Consequently, the possible effect of misstatements on specific
individual users, whose needs may vary widely, is not considered.
Specific Materiality (Materiality Level or Levels for Particular Classes of Transactions, Account Balances, or Disclosures)
In some cases, there may be a need to identify misstatements of lesser amounts than
overall materiality that would affect the economic decisions of financial statement
users. This could relate to sensitive areas such as particular note disclosures (i.e.,
management remuneration or industry-specific data), compliance with legislation or
certain terms in a contract, or transactions upon which bonuses are based. It could
also relate to the nature of a potential misstatement.
Nature of Misstatements
In addition to the size of a misstatement, the auditor would consider the nature of potential misstatements
and the particular circumstances of their occurrence when evaluating their effect on the financial statements.
The circumstances related to some misstatements may cause the auditor to evaluate them as material even
if they are below materiality. Examples could include illegal acts, non-compliance with loan covenants, and
non-compliance with statutory/regulatory reporting requirements. However, it is not considered practicable
to design audit procedures to detect misstatements that could be material solely because of their nature.
Performance Materiality
Performance materiality is used by the auditor to reduce the risk to an appropriately low level that the
accumulation of uncorrected and unidentified misstatements exceeds materiality for the financial statements
as a whole (overall materiality), or materiality levels established for particular classes of transactions, account
balances, or disclosures (specific materiality).
Performance materiality is set at a lower amount (or amounts) than overall or specific materiality. The
objective is to perform more audit work than would be required by the overall or a specific materiality to:
Ensure that misstatements less than overall or specific materiality are detected; and
Provide a margin or buffer for possible undetected misstatements. This buffer is between detected but
uncorrected misstatements in the aggregate and the overall or specific materiality.
This margin provides some assurance for the auditor that undetected misstatements, along with all
uncorrected misstatements, will not likely accumulate to reach an amount that would cause the financial
statements to be materially misstated.
The determination of performance materiality is not a simple mechanical calculation. It involves the exercise
of professional judgment based on the specific risk factors identified, the auditor's understanding of the
entity, and any matters the auditor has identified in previous audit engagements.
Performance materiality is set in relation to overall materiality or specific materiality. For example, a specific
performance materiality can be set at a lower amount than overall performance materiality for testing repairs
and maintenance expenses if there is a higher risk of assets not being capitalized. Specific performance
materiality may also be used to perform additional work in areas that may be sensitive due to the nature of
potential misstatements and their occurrence, rather than their monetary size.
6.2 How to Determine Materiality
The following paragraphs address the determination and use of overall and specific materiality.
Overall Materiality
Overall materiality is based on the auditor's perceptions of the needs of financial statement users. Auditors
can assume the following about financial statement users.
Exhibit 6.2-1
Assumptions
Financial Statement Users
Have a reasonable knowledge of business and economic activities and accounting;
Have a willingness to study the information in the financial statements with
reasonable diligence;
Understand that financial statements are prepared, presented, and audited to
levels of materiality;
Recognize the uncertainties inherent in the measurement of amounts based on
the use of estimates, judgment, and the consideration of future events; and
Make reasonable economic decisions on the basis of the information in the
financial statements.
A percentage numerical threshold (or benchmark) is often used as a starting point in the determination.
The nature of the benchmark and the percentage to be applied are based on professional judgment. For
example, in an owner-managed business where the owner takes much of the profit before tax in the form of
remuneration, a benchmark such as profit before remuneration and tax may be more relevant.
CONSIDER POINT
To provide some consistency, accounting firms may want to establish some firm-wide guidelines on
how materiality will initially be determined, including the use of appropriate benchmarks. However,
the actual benchmark to be used would be based on professional judgment in light of the particular
circumstances of the entity. This also applies to the use of performance materiality, which is essentially
a tool used by the auditor to address the risk of material misstatement by catching misstatements that
fall below a certain threshold.
When identifying an appropriate benchmark to use, the auditor would consider the matters outlined
in the exhibit below, and obtain an understanding of the views and expectations of management and
those charged with governance.
Exhibit 6.2-2
Consider
Choosing the Right Benchmark to Use
Users
Determine who are the likely users of the financial statements. This would include
the entity's owners (and other shareholders) and those charged with governance,
financial institutions, franchisors, major funders, employees, customers, creditors, and
government agencies and departments.
Specific user expectations
Identify any specific user expectations such as the following:
Measurement or disclosure of items such as related party transactions, management
remuneration, and compliance with sensitive laws and regulations;
Industry-specific disclosures such as exploration costs in a mining company and
research costs in a high technology or pharmaceutical company;
Major events or contingencies. This could include disclosure of events such as an
acquisition, divestiture, restructuring, or significant legal proceedings against the
entity; and
Existence of covenants in loan agreements, particularly those where the entity
is close to breaching a covenant. If a small uncorrected error would mean that a
covenant had been violated, this could have a significant effect on the financial
statements and could, at worst, affect the appropriateness of using the
going-concern assumption in preparing the financial statements.
Relevant financial statement elements
What are the major elements of the financial statements that will be of interest to users
(e.g., assets, liabilities, equity, income, and expenses)?
Nature of the entity
Consider the nature of the entity, where the entity fits in the life cycle (growing, mature,
declining, etc.), and the industry and economic environment in which the entity operates.
Adjustments required
Are adjustments required to normalize the benchmark base? For example, income from
continuing operations could be adjusted for:
Unusual or non-recurring revenue/expense items; and
Items such as a management bonus, which may be based on profits before the
bonus or simply paid out to reduce income left in the company.
The primary focus of users
What information in financial statement items will attract the most attention by users?
For example, users interested in:
Evaluating financial performance will focus on profits, revenues, or net assets; and
The resources utilized to achieve certain goals or ends will focus on the nature and
extent of revenues and expenditures.
Financing
How is the entity financed? If financed solely by debt (rather than equity capital), users may put
more emphasis on the pledged assets and any claims than on the entity's earnings.
Volatility
How volatile is the proposed benchmark? For example, a benchmark based on earnings
might normally be appropriate, but if the entity is operating close to break-even each
period (such as small profits or losses) or their results fluctuate widely, it may not be the
appropriate base for determining materiality.
Alternatives
Is an alternative benchmark necessary to address special circumstances? Alternative
benchmarks could include current assets, net working capital, total assets, total revenues,
gross profit, total equity, and cash flow from operations.
Performance Materiality
Whereas overall and specific materiality is set in relation to the needs of financial statement users,
performance materiality is set at a lower amount. This will result in more audit work being performed (smaller
misstatements may be identified) and audit risk being reduced to an appropriately low level.
If the audit was planned solely to detect individually material misstatements, there would be no margin of error
to identify and account for immaterial misstatements that might exist. As a result, it could be possible for the
aggregate of individually immaterial misstatements to cause the financial statements to be materially misstated.
Performance materiality is designed to:
Ensure that immaterial misstatements less than overall or specific materiality are detected, and
Provide a margin or buffer for possible undetected misstatements. This buffer is between detected but
uncorrected misstatements in the aggregate and the overall or specific materiality.
The determination of performance materiality would not be a simple mechanical calculation such as 80% of overall
materiality. This simplification would ignore specific risk factors that may be relevant to the entity. For example, if there
was a high risk of errors in inventory pricing, performance materiality could be lowered so that additional work is
performed to identify the extent of misstatements. Conversely, if the risk of misstatement in the receivables balance is
assessed as low, the performance materiality could be raised, resulting in less substantive audit work on the balance.
Performance materiality requires the auditor to exercise professional judgment and is affected by:
The auditor's understanding of the entity, which is updated during the execution of the risk assessment
procedures; and
The nature and extent of misstatements identified in previous audits.
CONSIDER POINT
Do not reduce the overall materiality level based on high audit risks
Avoid the mistake of reducing the overall (financial statement) materiality level because of an audit risk
assessed as high. Overall materiality is based on users' information needs, not on how risky a particular
balance might be to audit. Lowering the overall materiality threshold implies that:
The decision of a financial statement user is affected by audit risk rather than the information
contained in the financial statements; and
Additional work will be performed by the auditor to ensure that no misstatements exist in the financial
statements that, individually or accumulated together, exceed the overall materiality threshold.
A better approach is to address audit risk by setting the performance materiality at the class of
transaction or account balance level at a lower level. This will ensure that sufficient work is performed to
detect any misstatements, without having to reduce the overall materiality level. It also creates a safety
buffer to cover unidentified misstatements in the work performed.
Establish the overall materiality level by reference to financial statement users, and then establish
performance materiality for the purpose of designing further audit procedures.
Sensitive financial statement disclosures, balances, and issues
Use a specific performance materiality for designing further audit procedures that address specific risks
and balances in sensitive audit areas.
Summary
The materiality levels and use of performance materiality are summarized in the exhibit below.
Exhibit 6.2-3
Purpose
- Overall: To establish the threshold for determining whether the financial statements are free from material misstatement, whether due to error or fraud.
- Specific: To establish a threshold(s) (lower than overall materiality) to be applied to particular classes of transactions, account balances, or disclosures where misstatements of lesser amounts than overall materiality for the financial statements could reasonably be expected to influence the economic decisions of users.
- Performance: To establish the threshold(s) (lower than overall or specific materiality) that ensures immaterial misstatements (less than overall or specific materiality) are identified, and provide the auditor with a safety margin.

Basis of Calculation
- Overall: What level of misstatement in the financial statements would be tolerable to users (i.e., would not affect the economic decisions made by a financial statement user)?
- Specific: What level of misstatement relating to special circumstances in a particular class of transactions, account balances, or disclosures could reasonably be expected to influence the economic decisions of users?
- Performance: What amount of audit work will be required to identify misstatements below overall or specific materiality, and leave a buffer for undetected misstatements?

Rules of Thumb (For Use as a Starting Point)
- Overall: Materiality is a matter of professional judgment rather than a mechanical exercise. As a result, no specific guidance is provided in the ISA. However, income from continuing operations (3 to 7%) is often used in practice as having the greatest significance to financial statement users. If income is not a useful measure (such as for a not-for-profit entity or where income is not a stable base), then consider other bases such as: revenues or expenditures, 1 to 3%; assets, 1 to 3%; or equity, 3 to 5%.
- Specific: Establish a lower, specific materiality amount (based on professional judgment) for the audit of specific or sensitive financial statement areas.
- Performance: No specific guidance is provided in the ISAs. Percentages range from 60% (of overall or specific materiality), where there is a higher risk of material misstatement, up to 85%, where the assessed risk of material misstatement is less.

Use in the Audit
- Overall: Determining whether uncorrected misstatements, individually or in aggregate, exceed overall materiality.
- Specific: Determining whether uncorrected misstatements, individually or in aggregate, exceed the specific materiality.
- Performance: Assessing the risks of material misstatement; and designing further audit procedures to respond to assessed risks.

Revision as Audit Progresses
- Overall: A change in circumstances that occurred during the audit such as the sale of part of the business; new information; or a change in the auditor's understanding of the entity and its operations, as a result of performing further audit procedures (e.g., actual operating results being very different from expected).
- Specific: A change in the special circumstances.
- Performance: Changes in assessed risks; nature and extent of misstatements found when performing further audit procedures; or change in understanding of the entity.
6.3 Materiality in Planning and Risk Assessment
Determining the various materiality levels is a key component of the planning process. This is not a discrete
phase of an audit, but rather a continual and iterative process. The following exhibit summarizes the use of
materiality in planning and risk assessment.
Exhibit 6.3-1
Materiality

Planning (Overall Strategy and Audit Plans)
Use materiality to:
- Determine what financial statement areas require auditing.
- Set the context for the overall audit strategy.
- Plan the nature, timing, and extent of specific audit procedures.
- Determine specific materiality for particular classes of transactions, account balances, or disclosures where misstatements at lesser amounts than overall or performance materiality could reasonably be expected to influence the economic decisions of users.
- Determine performance materiality for each specific materiality level, as it may be necessary for the auditor to work using a performance materiality level for a particular class of transactions, account balance, or disclosure, depending on the level of risk associated with that item.
- Evaluate later evidence to determine the need for any adjustment to any of the materiality levels. If so, the auditor would revise the nature, timing, and extent of procedures accordingly.

Risk Assessment Procedures
- Identify what risk assessment procedures are necessary.
- Provide a context when evaluating the information obtained.
- Assess the magnitude (impact) of the risks identified.
- Assess results of risk assessment procedures.

Team Meetings
- Ensure that team members understand the identified users and what could reasonably be expected to change their economic decisions. This may help in the event that a team member becomes aware of information during the audit that would have caused a different amount of materiality to be determined initially. Examples of such matters include:
  - A decision to dispose of a major part of the entity's business,
  - New information or risk factors that would have affected the initial determination of materiality, and
  - A change in the auditor's understanding of the entity and its operations as a result of performing further audit procedures, such as when actual financial results are substantially different from anticipated results.
- Establish overall audit strategy.
- Determine the extent of testing in relation to:
  - Performance materiality, and
  - Specific performance materiality.
- Identify critical audit issues and areas for significant audit focus.
CONSIDER POINT
The determination of overall performance and specific performance materiality levels requires the use
of professional judgment. It is suggested (but not required) that teams discuss the judgments applied in
determining materiality levels with the engagement partner and obtain his/her approval. Finally, record
the judgments used in determining materiality in sufficient detail in the audit working papers.
6.4 Materiality in Performing Audit Procedures
Auditors should consider materiality when determining the nature, timing, and extent of audit procedures, as
illustrated in the following exhibit.
Exhibit 6.4-1
Materiality

Performing Audit Procedures
Use materiality to:
- Identify what further audit procedures are necessary.
- Determine which items to select for testing and whether to use sampling techniques.
- Assist with determining sample sizes (e.g., sampling interval = precision (materiality) confidence factor).
- Evaluate representative sampling errors by extrapolating across population for likely misstatements.
- Evaluate the aggregate of total errors at the account level up to the financial statement level.
- Evaluate the aggregate of total errors, including the net effect of uncorrected misstatements in opening retained earnings.
- Assess results of procedures.
Note: The overall audit strategy and audit plan will need to be revised where:
- The nature of identified misstatements and the circumstances of their occurrence indicate that other misstatements may exist that, when aggregated with misstatements accumulated during the audit, could be material; or
- The aggregate of misstatements accumulated during the audit approaches materiality.
CONSIDER POINT
Overall materiality is unlikely to change very often. However, it may need to be revised as the auditor
becomes aware of new information or if there is a change in the auditor's understanding of the entity
and its operations. If a change is required, ensure that the audit team is informed and assesses the
impact on the audit plan.
Performance materiality may change based on new risk factors or new audit findings that may not
impact overall materiality. Changes in performance materiality will result in the modification of the
nature, timing, and extent of audit procedures. Of course, if overall materiality changes, a corresponding
change will likely be required in performance materiality.
6.5 Materiality in Reporting
Paragraph # Relevant Extracts from ISAs
450.11 The auditor shall determine whether uncorrected misstatements are material, individually or in
aggregate. In making this determination, the auditor shall consider:
(a) The size and nature of the misstatements, both in relation to particular classes of
transactions, account balances or disclosures and the financial statements as a whole, and
the particular circumstances of their occurrence; and (Ref: Para. A13-A17, A19-A20)
(b) The effect of uncorrected misstatements related to prior periods on the relevant classes
of transactions, account balances or disclosures, and the financial statements as a whole.
(Ref: Para. A18)
450.12 The auditor shall communicate with those charged with governance uncorrected
misstatements and the effect that they, individually or in aggregate, may have on the opinion
in the auditor's report, unless prohibited by law or regulation. The auditor's communication
shall identify material uncorrected misstatements individually. The auditor shall request that
uncorrected misstatements be corrected. (Ref: Para. A21-A23)
Refer to Volume 2, Chapter 21 for more information on evaluating misstatements.
Prior to issuing an opinion, the auditor would:
- Confirm the materiality established for the financial statements as a whole;
- Evaluate the nature and the aggregate of uncorrected misstatements that are identified; and
- Make an overall assessment as to whether the financial statements are materially misstated.
Exhibit 6.5-1
Materiality

Reporting
The auditor would use materiality to:
- Evaluate the aggregate of total errors at the account level up to the financial statement level.
- Evaluate the aggregate of total errors, including the net effect of uncorrected misstatements in opening retained earnings.
- Determine whether additional audit procedures should be performed when the aggregate misstatements are approaching overall or specific materiality.
- Request that management correct all identified misstatements.
- Consider rechecking areas of highest misstatement.
- Make judgments about the nature and sensitivity of the misstatements identified, as well as their size.
- Determine whether the auditor's report needs to be modified due to uncorrected material misstatements.
The aggregate of misstatements is made up of:
- Specific misstatements identified by the auditor as a result of their audit testing; and
- An estimate of other misstatements identified that cannot otherwise be specifically quantified.
The auditor would then request management to record all the identified misstatements. Refer to Volume 2,
Chapter 21 for additional information on evaluating audit evidence obtained.
6.6 Other Considerations
Other considerations include:
Communicating to management and those charged with governance;
Updating materiality; and
Reducing materiality level from previous period.
Communicating with Management and Those Charged With Governance
Management and those charged with governance need to understand the limitations concerning the degree
of precision that can be expected from an audit. They also need to be aware that it is not economically
feasible to design audit procedures that will provide absolute assurance that the financial statements are not
materially misstated. An audit can provide only reasonable assurance in this regard.
When misstatements are identified by the auditor during the course of the audit, the first step is to request
from management that all the uncorrected misstatements be corrected. If management decides not
to correct certain misstatements, the auditor is then required to communicate with those charged with
governance the following:
- Details of uncorrected misstatements and the effect that they, individually or in aggregate, may have on the opinion in the auditor's report (unless prohibited by law or regulation);
- Material uncorrected misstatements individually; and
- The effect of uncorrected misstatements related to prior periods on the relevant classes of transactions, account balances, or disclosures, and the financial statements as a whole.
Updating Materiality
The preliminary assessment of overall and performance materiality may change from the initial audit
planning to the time of evaluating the results of the audit procedures. This could result from a change in
circumstances or from a change in the auditor's knowledge as a result of performing audit procedures. For
example, if audit procedures are performed prior to the period end, the auditor will anticipate the results of
operations and the financial position. If the actual results of operations and financial position are substantially
different, the assessments of materiality and audit risk may also change.
Reducing Materiality Level from Previous Period
When circumstances change from one period to the next, the auditor should consider the effect of any
misstatement on the opening equity. For example, where sales and income are substantially less than the
previous periods, a lower materiality is required. Errors could exist in opening figures, as the audit was
previously conducted using a higher materiality level. To reduce the risk of a material error occurring in the
opening equity, the auditor may perform further audit procedures on the opening asset and liability balances.
CONSIDER POINT
New engagements
When accepting a new audit engagement, inquire about the overall materiality used by the previous
auditor. If available, this would help in determining whether further audit procedures may be required
on the opening asset and liability balances.
Use of management experts
Ensure that any experts employed by the entity (to assist the entity in preparing the financial
statements) or used by the audit team are instructed to use an appropriate materiality level in relation
to the work they perform.
6.7 Documentation
Document the determination of the following and the factors considered in their determination:
- Overall materiality;
- Where applicable, the specific materiality level(s) for particular classes of transactions, account balances, or disclosures;
- Performance materiality; and
- Any revision of the above factors as the audit progresses.
6.8 Case Studies - Determining and Using Materiality
For details of the case studies, refer to Volume 2, Chapter 2 - Introduction to the Case Studies.
Materiality is often documented on a worksheet that includes a summary of operating results and provides
space for other materiality considerations such as qualitative factors.
Case Study A - Dephta Furniture, Inc.
Dephta Furniture, Inc.
(Excerpt)
Materiality assessment
The main users of the financial statements are the bank and the shareholders. The materiality number
used in last period was 8,000.
See WP ref. # for possible materiality amounts based on income from continuing operations, as well as
revenue. Using our professional judgment, we decided to base our materiality on 5% of the profit before
tax after adding back the management bonus of 70,000. Other bases for materiality, such as revenues,
were also considered but it was felt that profit before tax was the most meaningful amount in relation to
the identified financial statement users.
For this period, the plan is to use 10,000 as the overall materiality. The concept of materiality and its use
in the audit has been discussed in general terms with the client.
Using professional judgment, and the types of misstatements identified in previous audits, overall
performance materiality has been set at 7,500.
A specific materiality for the local sales taxes paid has been set at 1,000 as we are required to audit and
report on this amount to the local government.
Also see WP 615 on quantitative analysis..
Prepared by: JF Date: December 8, 20X2
Reviewed by: LF Date: January 5, 20X3
Case Study B - Kumar & Co.
Kumar & Co.
(Excerpt)
Materiality assessment
The main users of the financial statements are the bank and the owners.
The materiality number used in the last period was 3,000.
Based on consideration of user needs, we decided to base materiality at approximately 1% of sales.
In our judgment, revenues provide a more stable base for materiality than profits before tax. For this
period, we plan to use 2,500 as the overall materiality. The concept of materiality and its use in the
audit has been discussed in general terms with the client.
Using professional judgment, which is largely based on the history of errors in previous periods, overall
performance materiality has been set at 1,800.
Other matters
See WP 615 for..
Prepared by: JF Date: December 8, 20X2
Reviewed by: LF Date: January 5, 20X3
7. Audit Team Discussions
Chapter Content: Purpose and nature of required discussions among the audit team about the susceptibility of the entity's financial statements to material misstatements.
Relevant ISAs: 240, 300, 315
Exhibit 7.0-1
Risk Assessment

Activity: Perform preliminary engagement activities
Purpose: Decide whether to accept engagement
Documentation (see note 1): Listing of risk factors; Independence; Engagement letter

Activity: Plan the audit
Purpose: Develop an overall audit strategy and audit plan (see note 2)
Documentation (see note 1): Materiality; Audit team discussions; Overall audit strategy

Notes:
1. Refer to ISA 230 for a more complete list of documentation required.
2. Planning (ISA 300) is a continual and iterative process throughout the audit.
Paragraph # Relevant Extracts from ISAs
240.15 ISA 315 requires a discussion among the engagement team members and a determination by
the engagement partner of which matters are to be communicated to those team members
not involved in the discussion. This discussion shall place particular emphasis on how and
where the entity's financial statements may be susceptible to material misstatement due to
fraud, including how fraud might occur. The discussion shall occur setting aside beliefs that the
engagement team members may have that management and those charged with governance
are honest and have integrity. (Ref: Para. A10-A11)
240.44 The auditor shall include the following in the audit documentation of the auditor's
understanding of the entity and its environment and the assessment of the risks of material
misstatement required by ISA 315:
(a) The significant decisions reached during the discussion among the engagement team
regarding the susceptibility of the entity's financial statements to material misstatement
due to fraud; and
(b) The identified and assessed risks of material misstatement due to fraud at the financial
statement level and at the assertion level.
315.10 The engagement partner and other key engagement team members shall discuss the
susceptibility of the entity's financial statements to material misstatement, and the application
of the applicable financial reporting framework to the entity's facts and circumstances. The
engagement partner shall determine which matters are to be communicated to engagement
team members not involved in the discussion. (Ref: Para. A14-16)
7.1 Overview
A critical element in the success of any audit engagement is good communication among the audit team
members. Communication starts with the assignment of team members, arranging the team meeting to plan
the engagement, and then continues throughout the engagement. The benefits of good communication
include those set out in the following exhibit.
Exhibit 7.1-1
Benefits
Need for Ongoing Communication Among the Audit Team Members

Audit productivity
- Each person on the team will understand the entity being audited, the financial reporting framework to be used, what his/her specific role will be in the audit, and the expectations about how and when work will be performed.
- Potential for over- and under-auditing will be significantly reduced.

Audit effectiveness
- Staff is provided insights into the client and audit expectations directly from senior personnel such as the engagement partner.
- Team discussions on the susceptibility of the financial statements to material misstatements will help determine the business and fraud risks that need to be addressed.
- Better decisions will be made about the nature, timing, and extent of risk assessment and further audit procedures.
- Open lines of communication enable quick reactions to new information in areas such as unusual transactions/events, related parties, and reporting issues.

Staff development
- Best practices in auditing will be transferred from partners to staff.
- Staff will be encouraged to ask questions and reconsider the effectiveness of the previous period's responses to assessed risks.
Effective ongoing communication requires:
- Involvement by (and undivided attention of) the engagement partner and senior personnel; and
- Willingness of senior personnel to listen to junior staff. This includes understanding the engagement from the perspective of junior staff, encouraging their questions and suggestions, and then providing feedback.
The following exhibit summarizes what to consider and discuss in audit team communications.
Exhibit 7.1-2
Audit Team Communications

Assigning team members and roles
Consider:
- Skills and experience
- Need for experts
- Need for engagement quality control reviewer

Team planning meeting
Discuss:
- Materiality
- Insights based on knowledge of entity
- Potential business and fraud risks
- How/where financial statements might be susceptible to material misstatement
- Audit plan including who, what, where & when
- Supervision and review

During and after the audit
Discuss:
- Audit results, progress, and issues identified
- Changes in audit plan
- New information
- Unusual events/transactions
- Suggestions for next period's audit
CONSIDER POINT
Audit team discussions are critical to an effective audit. Avoid the temptation to rush through the
agenda due to other time pressures. These discussions enable audit risks to be discussed, fraud
scenarios to be developed, and possible responses drafted. They also provide an opportunity for staff
to learn about the entity's business and what is expected from them on the audit. Staff can also be
encouraged to put forward their ideas on how the audit could be improved.
7.2 Audit Team Planning Meeting
On larger engagements, a planning meeting should be scheduled well in advance of the commencement of
fieldwork. This will provide the time necessary to prepare or make changes in the detailed audit plan. On very
small engagements, planning may best be achieved through brief discussions at the start of the engagement
and as the audit progresses.
Team members should be encouraged to come to the meeting with a questioning mind, and be prepared
to participate and share information with an attitude of professional skepticism. They should set aside any
beliefs that management and those charged with governance are honest and have integrity. The extent
of the discussion should be influenced by the roles, experience, and the information needs of the audit
engagement team members.
The three key areas to address are outlined in the exhibit below.
Exhibit 7.2-1
Key Areas to Address: Share Insights on the Entity, Such As the People, Operations, and Objectives
Purpose: To have an open discussion

The entity
- History and business objectives.
- The corporate culture.
- Changes in operations, personnel, or systems.
- Application of the applicable financial reporting framework to the entity's facts and circumstances.

Management
- The nature/structure of the entity and management.
- The attitude toward internal control.
- Incentives to commit fraud.
- Unexplained changes in the behavior or lifestyle of key employees.
- Any indications of management bias.

Known risk factors
- Experience from previous audit engagements.
- Significant business risk factors.
- Opportunity for fraud to be perpetrated.

Key Areas to Address: Brainstorm
Purpose: To brainstorm ideas and possible audit approaches

Potential for errors and fraud
- Which financial statement areas may be susceptible to material misstatement (fraud and error)? This step is a requirement on all audits.
- How could management perpetrate and conceal fraudulent financial reporting? It may be helpful to develop various fraud scenarios or, where possible, use the services of a forensic accountant. Consider journal entries, management bias in estimates/provisions, changes in accounting policies, etc.
- How could assets be misappropriated or misused for personal purposes?
- Are there non-selfish incentives (such as to maintain a funding source for a not-for-profit entity) to manipulate the financial statements?

Response to risks
- What possible audit procedures/approaches might be considered to respond to the risks identified above?
- Consider whether an element of unpredictability will be incorporated into the nature, timing, and extent of the audit procedures to be performed.
Key Areas to Address: Audit Planning
Purpose: To provide direction

Specific areas to address:
Ensure that the specific requirements of all ISAs relevant to the audit are appropriately addressed in the audit plan. ISAs that include specific procedures to be performed include:
- ISA 240 The Auditor's Responsibilities Relating to Fraud in an Audit of Financial Statements
- ISA 402 Audit Considerations Relating to an Entity Using a Service Organization
- ISA 540 Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related Disclosures
- ISA 550 Related Parties
- ISA 600 Audits of Group Financial Statements (Including the Work of Component Auditors)

Provide direction to the audit team:
- Determine materiality levels.
- Assign roles and responsibilities.
- Provide staff with an overview of the audit sections they are responsible for completing. Address the approach required, special considerations, timing, documentation required, the extent of supervision provided, file review, and any other expectations.
- Stress the importance of maintaining professional skepticism throughout the audit.
Note: If some (junior) members of the audit team are not able (or are not invited) to attend the meeting, the
engagement partner would determine which matters arising are to be communicated to them.
CONSIDER POINT
Emphasize the importance for staff to be alert for indications of dishonesty, but also to be careful not to
jump to any conclusions, particularly when discussing findings with the entity's management or staff.
Indicate possible circumstances (red flags) that, if encountered, might indicate the possibility of fraud.
Fraud is generally discovered by identifying patterns, exceptions, and oddities in transactions
and events. For example, a false claim in an expense account would be immaterial to the financial
statements by itself, but could be indicative of a much larger issue such as lack of management integrity.
7.3 Communication During and At Completion of the Audit
Each member of the audit team will have a slightly different perspective on the entity. Some of the
information gathered by a particular team member may not even make sense unless it is combined with
information obtained by other team members. This is particularly true in relation to fraud, where it is the
identification of small patterns, oddities, and exceptions that may lead to its ultimate detection.
A simple analogy is the jigsaw puzzle. Each part by itself does not enable a person to see the entire picture; it is only
when all the pieces are put together that the big picture can be seen. The same is true in auditing. It is only when
the individual knowledge/findings of each auditor are shared with the team that the bigger picture emerges. This is
illustrated in the following exhibit.
Exhibit 7.3-1
[Figure: Sharing Findings among the Senior, Partner, Manager, and Junior]
Team discussions need not be confined to just the planning meeting. Audit team members should be
encouraged to communicate and share the information that they obtain throughout the audit on any matters
of relevance, particularly when it affects the assessment of risk and planned audit procedures.
CONSIDER POINT
Hold short debriefing meetings at strategic times during the audit
In addition to the audit planning discussions at the start of the engagement, it may be beneficial (but
not required) for the audit team, however small, to meet (or arrange a conference call) and discuss audit
findings after the following audit phases.
Performing risk assessment procedures and further audit procedures
These debriefing sessions do not need to be formal or long, but they enable audit team members to
report verbally on their findings, exceptions found, and concerns noted. They can also report on any
matters (however small) that seemed odd or did not make sense. It is often the small matters that, when
combined with information obtained by other team members, point to a possible risk factor (such as
fraud) that may require further work to be performed. Even when the audit team comprises only two
people, these meetings can yield significant results.
Completing the audit
Once the previous audit is complete, the temptation is always to move on and start the next
engagement. As a result, a lot of knowledge that could be helpful for performing the next period's audit
can get lost. A short meeting or conference call after each audit could be used to obtain feedback from
the audit team and determine what can be improved. This would include identifying:
- Audit areas that might require additional, or less, attention in the future;
- Any other unexpected findings, unusual transactions, or financial pressures on personnel that may be an indicator of fraud or an incentive to commit fraud;
- Any planned changes that will affect future engagements such as key personnel changes, new financing, an acquisition, new products or services, the installation of a new accounting system, or other internal control changes;
- Areas where additional assistance could be provided by the entity such as an analysis of certain financial statement areas; and
- Where significant risk factors exist, the debriefing meeting could also address whether the firm wishes to continue with the client the following period. If the firm resigns right after the audit finishes, the reasons will be fresh in everyone's mind, and it would provide the entity with more time to find another auditor.
At the initial planning meeting, a time and date for these debriefing sessions can be scheduled.
7.4 Case Studies - Audit Team Discussions
For details of the case studies, refer to Volume 2, Chapter 2 - Introduction to the Case Studies.
The most recent financial statements, the listing of assessed risks from previous periods (or this period, if
updated), and the audit response could usefully be circulated to engagement team members before the
meeting. At the meeting, emphasize the need for professional skepticism, and the need to immediately
report any suspicious situations or possible warning signals of fraud.
Documentation may be in the form of a standard agenda or a memo to file.
Case Study A - Dephta Furniture, Inc.
Date of meeting: December 8, 20X2
Agenda item | Minutes of meeting
1. Materiality and significant account balances. | Increase overall materiality to 10,000 based on growth in profitability and sales, and performance materiality to 7,500.
2. Timing, key dates, and availability of client personnel. | Confirmed that last period's timing is appropriate and our requests for management help in preparing certain schedules are reasonable.
3. What can we learn from past experience such as issues/events that caused delays and areas of over-/under-auditing? | Inventory internal control was poor last year and resulted in additional work. Client has indicated that this will be addressed before this period end.
4. Any new concerns about management integrity, going concern, litigation, etc.? | See newspaper clipping re: Parvin. This may be isolated but we need to be cautious.
5. Changes this period in business operations and/or financial condition, industry regulations, accounting policies used, and people. | Internet sales now account for 12% of sales. There are also plans for significant growth. This will put a strain on cash resources, internal control, and the operating systems. The current economic downturn puts additional pressure on the organization to maintain sales levels despite the drop in demand and sales prices.
6. Susceptibility of the financial statements to fraud. In what possible ways could the entity be defrauded? Develop some possible scenarios, and then plan procedures that would confirm or dispel any suspicions. | Management bias and override to avoid tax liability are possible. Management's estimates, journal entries, and related party transactions are susceptible to manipulation. Also, Arjan (the senior salesperson) lives an expensive lifestyle. We should also look at the bonus calculations and the sales revenue.
7. Significant risks that require special attention. | Defaulting on bank covenants. Suraj says he is going to renegotiate the bank terms this period to provide some flexibility.
8. Appropriate audit responses to the risks identified. | The detailed audit plan was reviewed in some detail with the staff member responsible and a number of efficiencies were identified.
9. Consider the need for specialized skills or consultants, testing internal controls vs. substantive procedures, the need to introduce unpredictability in some audit tests, and work that could be completed by the client. | IT specialist to look at Internet sales and IT controls in general. Scheduled visit for December this period.
10. Audit team roles, scheduling, and file reviews | Overall and detailed audit plans have been updated.
Prepared by: FJ Date: December 8, 20X2
Reviewed by: LF Date: January 5, 20X3
Case Study B - Kumar & Co.
Memo to file: Kumar & Co.
On December 8, 20X2, the audit team (partner and senior) met to plan the Kumar & Co. audit
engagement.
We discussed the following:
Overall materiality has been decreased to 2,500 based on decline in profitability and sales.
Performance materiality has been set at 1,800.
Raj's focus has been diverted recently to personal family matters. The bookkeeper's work may
not be adequately reviewed. That leaves Ruby with a lot of control over the reported numbers.
Any unintentional or intentional errors of Ruby's could go undetected. This should be treated as a
significant fraud risk in the audit.
Management bias and override could occur to avoid tax liability or bank covenant violations.
Management's estimates have traditionally been conservative. The audit team was reminded to be
alert for anything that appears unusual.
We will pay careful attention to transactions and pricing of products with the related party,
Dephta.
Audit Plan:
Confirmed that last period's timing is appropriate and we will again request management's help in
preparing certain schedules. However, since Kumar & Co. had a difficult time getting the requested
schedules for us on time last period, we will spend time this period with Ruby in advance, and
provide her with example schedules to ensure that she understands what is needed and the
required due dates.
The detailed audit plan was reviewed in some detail. Procedures in some areas were expanded
based on the assessed risk, and a number of other procedures were eliminated where the assessed
risk was low.
We decided that it will be more efficient to perform substantive procedures than to perform tests
of controls, as there are no assertions where substantive procedures alone would not provide
sufficient appropriate audit evidence.
Prepared by: FJ Date: December 8, 20X2
Reviewed by: LF Date: January 5, 20X3
8. Inherent Risks Identification
Chapter Content | Relevant ISAs
How to identify risks of material misstatement in the financial statements. | 240, 315
Exhibit 8.0-1
Risk Assessment
Activity | Purpose | Documentation (see Note 1)
Perform preliminary engagement activities | Decide whether to accept engagement | Listing of risk factors; Independence; Engagement letter
Plan the audit | Develop an overall audit strategy and audit plan (see Note 2) | Materiality; Audit team discussions; Overall audit strategy
Perform risk assessment procedures | Identify/assess RMM (see Note 3) through understanding the entity | Business & fraud risks including significant risks; Design/implementation of relevant internal controls; Assessed RMM (see Note 3) at: F/S level, Assertion level
Notes:
1. Refer to ISA 230 for a more complete list of documentation required.
2. Planning (ISA 300) is a continual and iterative process throughout the audit.
3. RMM = Risks of material misstatement.
Paragraph # | ISA Objective(s)
240.10 The objectives of the auditor are:
(a) To identify and assess the risks of material misstatement of the financial statements due to fraud;
(b) To obtain sufficient appropriate audit evidence regarding the assessed risks of material
misstatement due to fraud, through designing and implementing appropriate responses; and
(c) To respond appropriately to fraud or suspected fraud identified during the audit.
315.3 The objective of the auditor is to identify and assess the risks of material misstatement,
whether due to fraud or error, at the financial statement and assertion levels, through
understanding the entity and its environment, including the entity's internal control, thereby
providing a basis for designing and implementing responses to the assessed risks of material
misstatement.
Paragraph # | Relevant Extracts from ISAs
200.13 For purposes of the ISAs, the following terms have the meanings attributed below:
(n) Risk of material misstatement - The risk that the financial statements are materially misstated
prior to audit. This consists of two components, described as follows at the assertion level:
(i) Inherent risk - The susceptibility of an assertion about a class of transaction, account
balance or disclosure to a misstatement that could be material, either individually
or when aggregated with other misstatements, before consideration of any related
controls.
(ii) Control risk - The risk that a misstatement that could occur in an assertion about a
class of transaction, account balance or disclosure and that could be material, either
individually or when aggregated with other misstatements, will not be prevented, or
detected and corrected, on a timely basis by the entity's internal control.
240.11 For purposes of the ISAs, the following terms have the meanings attributed below:
(a) Fraud - An intentional act by one or more individuals among management, those charged
with governance, employees, or third parties, involving the use of deception to obtain an
unjust or illegal advantage.
(b) Fraud risk factors - Events or conditions that indicate an incentive or pressure to commit
fraud or provide an opportunity to commit fraud.
240.12 In accordance with ISA 200, the auditor shall maintain professional skepticism throughout
the audit, recognizing the possibility that a material misstatement due to fraud could exist,
notwithstanding the auditor's past experience of the honesty and integrity of the entity's
management and those charged with governance. (Ref: Para. A7-A8)
240.13 Unless the auditor has reason to believe the contrary, the auditor may accept records and
documents as genuine. If conditions identified during the audit cause the auditor to believe
that a document may not be authentic or that terms in a document have been modified but
not disclosed to the auditor, the auditor shall investigate further. (Ref: Para. A9)
240.15 ISA 315 requires a discussion among the engagement team members and a determination by
the engagement partner of which matters are to be communicated to those team members
not involved in the discussion. This discussion shall place particular emphasis on how and
where the entity's financial statements may be susceptible to material misstatement due to
fraud, including how fraud might occur. The discussion shall occur setting aside beliefs that the
engagement team members may have that management and those charged with governance
are honest and have integrity. (Ref: Para. A10-A11)
240.17 The auditor shall make inquiries of management regarding:
(a) Management's assessment of the risk that the financial statements may be materially
misstated due to fraud, including the nature, extent and frequency of such assessments;
(Ref: Para. A12-A13)
(b) Management's process for identifying and responding to the risks of fraud in the entity,
including any specific risks of fraud that management has identified or that have been
brought to its attention, or classes of transactions, account balances, or disclosures for
which a risk of fraud is likely to exist; (Ref: Para. A14)
(c) Management's communication, if any, to those charged with governance regarding its
processes for identifying and responding to the risks of fraud in the entity; and
(d) Management's communication, if any, to employees regarding its views on business
practices and ethical behavior.
240.18 The auditor shall make inquiries of management, and others within the entity as appropriate,
to determine whether they have knowledge of any actual, suspected or alleged fraud affecting
the entity. (Ref: Para. A15-A17)
240.22 The auditor shall evaluate whether unusual or unexpected relationships that have been
identified in performing analytical procedures, including those related to revenue accounts,
may indicate risks of material misstatement due to fraud.
240.23 The auditor shall consider whether other information obtained by the auditor indicates risks of
material misstatement due to fraud. (Ref: Para. A22)
240.24 The auditor shall evaluate whether the information obtained from the other risk assessment
procedures and related activities performed indicates that one or more fraud risk factors are
present. While fraud risk factors may not necessarily indicate the existence of fraud, they have
often been present in circumstances where frauds have occurred and therefore may indicate
risks of material misstatement due to fraud. (Ref: Para. A23-A27)
240.44 The auditor shall include the following in the audit documentation of the auditor's
understanding of the entity and its environment and the assessment of the risks of material
misstatement required by ISA 315:
(a) The significant decisions reached during the discussion among the engagement team
regarding the susceptibility of the entity's financial statements to material misstatement
due to fraud; and
(b) The identified and assessed risks of material misstatement due to fraud at the financial
statement level and at the assertion level.
315.11 The auditor shall obtain an understanding of the following:
(a) Relevant industry, regulatory, and other external factors including the applicable financial
reporting framework. (Ref: Para. A17-A22)
(b) The nature of the entity, including:
(i) its operations;
(ii) its ownership and governance structures;
(iii) the types of investments that the entity is making and plans to make, including
investments in special-purpose entities; and
(iv) the way that the entity is structured and how it is financed to enable the auditor
to understand the classes of transactions, account balances, and disclosures to be
expected in the financial statements. (Ref: Para. A23-A27)
(c) The entity's selection and application of accounting policies, including the reasons for
changes thereto. The auditor shall evaluate whether the entity's accounting policies
are appropriate for its business and consistent with the applicable financial reporting
framework and accounting policies used in the relevant industry. (Ref: Para. A28)
(d) The entity's objectives and strategies, and those related business risks that may result in
risks of material misstatement. (Ref: Para. A29-A35)
(e) The measurement and review of the entity's financial performance. (Ref: Para. A36-A41)
8.1 Overview
Identification of risk is the foundation of the audit. It is based upon, and forms an integral part of, the auditor's
procedures to understand the entity and its environment. Without a solid understanding of the entity, the
auditor may miss certain risk factors. For example, if a client's sales were increasing, it would be important for
the auditor to know that the industry sales as a whole were actually in sharp decline.
The objective of the risk assessment phase of the audit is to identify sources of risk, and then to assess
whether they could possibly result in a material misstatement in the financial statements. This provides the
auditor with the information needed to direct audit effort to areas where the risk of material misstatement is
the highest, and away from less risky areas.
Risk assessment has two distinct parts:
Risk identification (asking "what can go wrong"); and
Risk assessment (determining the significance of each risk).
Risk assessment is addressed in Volume 2, Chapter 9.
Risk identification is illustrated below.
Exhibit 8.1-1
CONSIDER POINT
First, identify the risks
You cannot assess a risk that has not first been identified. Avoid the temptation to assume that because
the entity is small, there are no relevant risks or that the risks of material misstatement will be the
same as the previous period. New risks may now exist, and the nature/significance of some previously
identified risks may have changed.
After the first engagement, focus on what has changed from previous period
After the first engagement, focus on what has changed within each of the six risk sources (i.e., external
nature of entity, etc.) as opposed to starting all over again. This will save time and focus attention on
the nature and effect of new risks that may now exist and revisions to risks previously identified.
8.2 Types of Risk
There are two major classifications of risk:
Business risk; and
Fraud risk.
The difference between business risk and fraud risk is that fraud risk results from a person's deliberate actions.
This is illustrated in the following exhibit.
Exhibit 8.2-1
Note: In many instances, a risk can be both a business and a fraud risk. For example, the introduction of a new
accounting system creates uncertainty (errors could be made as personnel learn the new system) and
would be classified as a business risk. However, it could also be classified as a fraud risk, because someone
could take advantage of the uncertainty to misappropriate assets or manipulate the financial statements.
Business Risk
The term "business risk" encompasses more than just the risks of material misstatement in the financial
statements. Business risks result from significant conditions, events, circumstances, actions, or inactions that
could adversely affect the entity's ability to achieve its objectives and execute its strategies. This could also
include the setting of inappropriate objectives and strategies.
Business risk also includes events that arise from change, complexity, or the failure to recognize the need for
change. Change may arise, for example, from:
The development of new products that may fail;
An inadequate market, even if new products are successfully developed; or
Flaws in the products that may result in liabilities and damage to the entity's reputation.
Fraud Risk
Fraud risk relates to events or conditions that indicate an incentive or pressure to commit fraud or provide an
opportunity to commit fraud.
The auditor's understanding of business and fraud risk factors increases the likelihood of identifying the risks
of material misstatement. However, there is no responsibility for the auditor to identify or assess all of the
possible business risks.
8.3 Sources of Information about Entity
The first step in the risk assessment process is to gather (or update) as much relevant information about the entity as
possible. This information provides an important frame of reference for identifying and assessing possible risk factors.
Information about the entity and its environment can be obtained from both internal and external sources. In
many cases, the auditor will start with internal sources of information. This information can then be checked
for consistency with information obtained from external sources such as trade association data and data
about general economic conditions, which can often be obtained from the Internet. The following exhibit
shows some of the potential sources of information available.
Exhibit 8.3-1
 | Internal Sources | External Sources
Financial Information | Financial statements; Budgets; Reports; Performance measures; Tax returns; Accounting policies in use; Judgments and estimates | Information on the Internet; Industry information; Competitive intelligence; Credit rating agencies; Creditors; Government agencies; Media and other external parties
Non-financial Information | Vision, values, objectives, and strategies; Organization structure; Job descriptions; Human Resources files; Performance indicators; Policy & procedure manuals | Information on the Internet; Trade association data; Industry forecasts; Government agencies; Media articles
CONSIDER POINT
A major source of information that is often overlooked is the auditor's working paper files from previous
periods' engagements. They often contain valuable information on matters such as:
Considerations or issues to address in planning this period's audit;
Evaluation and source of possible adjustments and uncorrected errors;
Areas where there are recurring disagreements, such as the assumptions used for accounting estimates;
Areas which appear to be susceptible to error; and
Matters raised in the auditor's communication with management and those charged with governance.
The information gained from risk assessment procedures conducted before engagement acceptance or
continuance can be used as part of the audit team's understanding of the entity.
8.4 Risk Assessment Procedures
Based on the information obtained about the entity, the auditor is now in a position to design the risk
assessment procedures discussed in Volume 1, Chapter 8. These risk assessment procedures will be designed
to obtain and document an understanding of the entity and its environment, including internal control.
The scope of the understanding required by the auditor for identifying risks is contained in six key areas, as
follows.
Exhibit 8.4-1
A. External Factors
Nature of industry
Regulatory environment
Financial reporting framework
B. Nature of Entity
Operations and key personnel
Ownership and governance
Investment structure and financing
C. Accounting Policies
Selection and application
Reasons for changes
Appropriateness to entity
D. Entity Objectives & Strategies
Business plans and strategies
Financial implications and risks undertaken
E. Measurement/Review of Financial Performance
What is measured
Who reviews financial results
F. Internal Control Relevant to the Audit
Processes and relevant controls to mitigate risks at the entity level and at the transactional level
The sufficiency of information (depth of understanding) required by the auditor is a matter of professional
judgment. It is less than that possessed by management in managing the entity. The last section (F in the
exhibit above), which relates to internal controls relevant to the audit, is discussed in Volume 1, Chapter 5, and
Volume 2, Chapters 4, 11, and 12.
Obtaining an understanding of the nature of the entity and its environment, including internal control, has a
number of benefits, as outlined below.
Exhibit 8.4-2
Benefits Obtained from Understanding the Entity
Provides a Frame of Reference
Identifying risks and developing responses:
Making judgments about the risk assessments.
Developing appropriate responses to identified risks of material misstatement in the financial statements.
Establishing materiality (refer to Volume 2, Chapter 6).
Developing expectations needed for performing analytical procedures.
Designing/performing further audit procedures to reduce audit risk to an acceptably low level.
Evaluating sufficiency/appropriateness of audit evidence obtained (e.g., appropriateness of assumptions used and management's oral and written representations).
Financial statement review:
Assessing management's selection and application of accounting policies.
Considering the adequacy of financial statement disclosures.
Identifying audit areas for special consideration (e.g., related party transactions, unusual or complex contractual arrangements, going-concern or unusual transactions).
CONSIDER POINT
Obtaining an understanding of the entity is not a discrete task that can be completed early in the audit
and then put to one side. It is important to keep learning about the entity throughout the audit, and
to remain alert to risk factors not previously identified or where the original assessment of risk needs
updating.
8.5 Sources of Risk
Errors and fraud in financial statements arise from risk factors that have their origin in one or more of the six
required areas of understanding the entity (see Exhibit 8.4-1).
An example would be a new and complex tax being imposed on the entity. This would be an external risk
factor. A risk of misstatement in the financial statements could be a misinterpretation of the new law, resulting
in an incorrect calculation of tax payable and the amount owed. Note that the source (or cause) of the risk is
the new tax that affects the entity, and not the error in calculation, which is the effect of the risk factor. As a
consequence of the new tax, the risk of a calculation error increases.
The following exhibit shows the six areas of understanding as being potential sources of risk.
Exhibit 8.5-1
Examples of sources of risk (but not the effect on specific financial statement areas) are outlined below.
Exhibit 8.5-2
Sources of Business and Fraud Risk
Business Objectives and Strategies:
Inappropriate, unrealistic, or overly aggressive objectives and strategies.
New products or services, or moving into new lines of business.
Entering into business areas/transactions with which the entity has little experience.
Inconsistencies between IT and business strategies.
Response to rapid growth or decline in sales that can strain internal control systems and people's skills.
Use of complex financing arrangements.
Corporate restructurings.
Significant transactions with related parties.
External Factors:
State of the economy and changes in government regulation.
Declining demand for the entity's products or services.
High degree of complex regulation.
Changes in the industry.
Inability to obtain required resources (materials or skilled personnel).
Deliberate sabotage of an entity's products or services.
Constraints on the availability of capital and credit.
Nature of Entity:
Poor corporate culture and governance.
Incompetent personnel in key positions.
Changes in key personnel, including departure of key executives.
Complexity in operations, organizational structure, or products.
Product or service flaws that may result in liabilities and reputation risk.
Failure to recognize the need for change (skills required or technology).
Weaknesses in internal control, especially those not addressed by management.
Poor relationships with external funders, such as banks.
Going-concern and liquidity issues, including loss of significant customers.
Installation of new systems related to financial reporting.
Performance Indicators:
Performance measures not used by management to assess the entity's performance and achievement of objectives.
Measures not used to improve operations or take corrective actions.
Accounting Policies:
Inconsistent application of accounting policies.
Inappropriate use of accounting policies.
Internal Control:
Inadequate management oversight of day-to-day operations.
Poor or nonexistent controls over entity-level activities such as human resources, fraud, and preparation of accounting information such as estimates and financial reports.
Poor or nonexistent controls over transactions such as revenues, purchases, expenses, and payroll.
Poor safeguarding of assets.
8.6 Fraud Risk
The term fraud refers to an intentional act by one or more individuals among management, those charged
with governance, employees, or third parties involving the use of deception to obtain an unjust or illegal
advantage.
Fraud involving one or more members of management or those charged with governance is referred to as
management fraud. Fraud involving only employees of the entity is referred to as employee fraud. In either
case, there may be collusion within the entity or with third parties outside of the entity.
The following exhibit outlines the types and characteristics of fraud.
Exhibit 8.6-1
Manipulation of Financial Statements (reporting a higher/lower level of earnings than actually occurred)
Who? | Why? | How? | How much?
Owners and Management | Personal benefit (save taxes, sell business at inflated price, or pay a bonus); Justify an end (stay in business, save jobs, maintain funding, serve the community) | Override of internal controls, false/incorrect transactions, collusion, manipulation of accounting policies, exploiting weaknesses in internal control | Often large due to position of management in entity and their knowledge of internal control
Employees | Personal benefit (obtain a performance-based bonus, conceal losses, or cover up stolen assets) | False or incorrectly recorded transactions, collusion, manipulation of accounting policies, exploiting weaknesses in internal control | Often smaller in size but can accumulate significantly over time if not detected
Misappropriation of Assets (converting assets to personal use)
Who? | Why? | How? | How much?
Owners and Management | Personal benefit or to help someone else in need | Override internal controls, theft of inventory/assets, collusion, exploiting weakness in internal control | Often based on a particular need. Even if starts small will likely get bigger if not quickly detected
Employees | Personal benefit or to help someone else in need | Theft of inventory or assets, collusion, exploiting weakness in internal control | Often based on a particular need. Could be small but likely will get bigger if not quickly detected
CONSIDER POINT
For each risk factor identified, consider whether it is a business risk, a fraud risk, or both. Many sources of
risk can result in both business and fraud risks. For example, a change in accounting personnel can result
in errors being made (business risk), but may also provide an opportunity for someone to commit a fraud.
8.7 Types and Characteristics of Fraud
Although fraud can occur at any level in the organization, it tends to be more serious (and involve higher
monetary amounts) when senior management is involved.
Some of the major conditions that create an environment for fraud include:
Ineffective corporate governance;
Lack of leadership by management and poor "tone at the top";
High incentives provided for financial performance;
Taxes or other expenses that are considered very high or onerous;
Complexity in the entity's rules, regulations, and policies;
Unrealistic expectations from bankers, investors, or other stakeholders;
Downward and unexpected shifts in profitability;
Unrealistic budget targets for staff to attain; and
Inadequate internal control, especially in the presence of organizational change.
As can be determined from the above, the most effective anti-fraud internal control would be a strong
commitment by those in governance and senior management positions to doing the right thing. This is
evidenced through articulated entity values and a commitment to ethics that are modeled on a day-to-day
basis. This is true for any size of organization.
8.8 The Fraud Triangle
There are three conditions that often provide clues to the existence of fraud. Forensic accountants often refer to this
as the fraud triangle (see exhibit below) because when all three conditions are present, it is highly likely that fraud
may be occurring.
The conditions are:
Pressure
This is often generated by immediate needs (such as having signifcant personal debts or meeting an
analysts or banks expectations for proft) that are dif cult to share with others.
Opportunity
A poor corporate culture and a lack of adequate internal control procedures can often create confdence
that a fraud could go undetected.
Rationalization
Rationalization is the belief that a fraud has not really been committed. For example, the perpetrator
rationalizes that "this is not a big deal" or "I am only taking what I deserve."
Exhibit 8.8-1
[Figure: the fraud triangle, a triangle whose three sides are labeled Opportunity, Rationalization, and Pressure.]
For example, an owner-manager in the construction business might be offered a job to build a significant
addition to a friend's house, as long as it is a cash-only transaction with no paperwork involved. Consider
the three conditions.
The pressure on the owner-manager might be to reduce taxes that would otherwise be payable.
The opportunity is for the owner-manager to override the internal controls over revenue recognition
and not record the revenue from the sale.
The rationalization could be that the owner-manager is already paying far too much in taxes.
Note: If any one of the three conditions is not present, the cash sale is unlikely to take place.
In conducting risk assessment procedures, audit team members need to consider the existence of all three
conditions and not just the opportunity for fraud. Consider the sources of fraud risk set out below.
Exhibit 8.8-2
Sources of Fraud Risk
Incentives and Pressures
Financial stability or profitability is threatened by economic, industry, or the
entity's operating conditions.
Excessive pressure exists for management to meet the requirements or
expectations of third parties or those charged with governance (such as
earnings targets or compliance with onerous environmental regulations, etc.).
Personal financial obligations may create pressure on management or
employees with access to cash or other assets susceptible to theft to
misappropriate those assets.
Adverse relationships between the entity and employees with access to cash or
other assets. For example:
Known or anticipated future employee layoffs,
Recent or anticipated changes to employee compensation or benefit
plans, and
Promotions, compensation, or other rewards inconsistent with
expectations.
The personal financial situation of management or those charged with
governance may be threatened by the entity's financial performance (such as
financial interests, compensation, guarantees, etc.).
Attitudes and Rationalizations
Rationalizations
Management is interested in employing inappropriate means to:
Minimize reported earnings for tax-motivated reasons, and
Increase reported earnings to avoid violating bank covenants, increase the
sale price of the entity, or meet targets set by a third party.
Employee behavior indicates displeasure or dissatisfaction with the entity.
Low morale exists among senior management.
Management is tolerant of some employee thefts. For example, no disciplinary
action is taken when an employee is caught stealing.
Management does not enforce the entity's values or ethical standards.
Management disregards the need for monitoring or reducing risks related to
the misappropriations of assets.
Attitudes
Management has a known history of violations of laws and regulations, or
allegations of fraud.
Management exhibits changes in behavior or lifestyle that may indicate assets
have been misappropriated.
Senior managers demonstrate a poor ethical example (such as inflating expense
accounts and committing petty thefts, etc.).
Management has overridden existing controls.
Management has failed to take appropriate remedial action on known
deficiencies in internal control.
The owner-manager makes no distinction between personal and business transactions.
Disputes exist between shareholders in a closely-held entity.
Management makes recurring attempts to justify marginal or inappropriate
accounting on the basis of materiality.
The relationship between management and the current or predecessor auditor is strained.
Opportunities
Assets susceptible to misappropriation
Large amounts of cash on hand or processed.
Inventory items that are small in size, of high value, or in high demand.
Easily convertible assets, such as bearer bonds, diamonds, or computer chips.
Property, plant, and equipment are small in size, marketable, or lack observable
identification of ownership.
Inadequate internal controls
Inadequate oversight by those charged with governance of management's
processes for identifying and responding to the risks of fraud.
Inadequate segregation of duties or checks.
Inadequate oversight of senior management expenditures.
Inadequate management oversight of employees responsible for assets.
Inadequate job-applicant screening for employees with access to assets.
Inadequate record keeping with respect to assets.
Inadequate authorization and approval of transactions.
Inadequate physical safeguards over cash, investments, inventory, or property,
plant, and equipment.
Lack of complete and timely reconciliations of assets.
Lack of timely and appropriate documentation of transactions (e.g., credits for
merchandise returns).
Lack of mandatory vacations for employees performing key control functions.
Inadequate management understanding of information technology, which
enables information-technology employees to perpetrate a misappropriation.
Inadequate access controls over automated records, including controls over and
review of computer systems event logs.
Specific areas of vulnerability
Management estimates, revenue recognition, use of journal entries, transactions
with related parties, etc.
CONSIDER POINT
Fraud is always intentional. It involves concealment of information from the auditor and deliberate
misrepresentations. Consequently, fraud is discovered by looking for patterns, oddities, and exceptions,
often in what might be considered very small monetary amounts.
Fraud is unlikely to be detected through substantive procedures alone. For example, an auditor is
unlikely to identify a missing transaction or determine that a transaction is invalid unless there is some
additional understanding of the entity that can be used as a frame of reference.
Auditors, depending on their role and position on the audit team, may identify a fraud risk factor that relates
to one or more of the triangle elements. However, it is less likely that any one auditor will identify all three
conditions (opportunity, pressure, and rationalization) together. For this reason, it is important for the audit
team to continually discuss their findings throughout the engagement.
The benefits of audit team discussions are outlined in the exhibit below.
Exhibit 8.8-3
The audit partner finds that the owner-manager has occasionally strayed close to ethical boundaries.
The audit junior was told by a puzzled staff member that some material purchases had been shipped directly to friends.
The audit senior discovers in talking to the sales manager that the owner handles certain clients exclusively by himself.
In the absence of communication, it would be difficult for any single member of the above audit team to see
the big picture. Ongoing audit team discussion enables the team to pull together small pieces of information
so that the bigger picture can be seen.
8.9 Professional Skepticism
It is the responsibility of the auditor to maintain an attitude of professional skepticism at all times during the
engagement. An attitude of professional skepticism involves matters outlined in the following exhibit.
Exhibit 8.9-1
Skepticism Involves:
Recognizing That Management Can Always Commit Fraud
Management is always in a position to override otherwise good internal control.
Engagement team members are to set aside any beliefs that management and
those charged with governance are honest and have integrity, notwithstanding the
auditor's past experience of their honesty and integrity.
A Questioning Mind
Make critical assessments about the validity of audit evidence obtained.
Being Alert
Does audit evidence contradict or bring into question the reliability of:
Documents and responses to inquiries?
Other information obtained from management and those charged with
governance?
Being Careful
Avoid:
Overlooking unusual circumstances.
Over-generalizing when drawing conclusions from audit observations.
Using faulty assumptions in determining the nature, timing, and extent of the
audit procedures and evaluating the results thereof.
Accepting less than persuasive audit evidence in a belief that management and
those charged with governance are honest and have integrity.
Accepting representations from management as a substitute for obtaining
sufficient appropriate audit evidence.
CONSIDER POINT
Applying professional skepticism to an audit of a client you know and trust can be difficult. There is
a natural human tendency to place trust in people, assuming there is no information to the contrary.
Consequently, partners and staff need to be reminded on a regular basis to apply professional
skepticism. Some practical suggestions for applying this concept include:
Create a fictional character (and name) of someone who has a bad attitude toward control
and poor ethics. When the discussion around possible fraud scenarios and financial statement
susceptibilities takes place, imagine this person (not your client) as being the client or the senior
manager in charge.
Invite someone (ideally with some forensic experience) who does not know the entity to
participate in the planning discussions about fraud.
8.10 How to Identify Inherent Risk Factors
The most effective way to avoid missing a relevant risk factor is to make risk identification an integral part of
understanding the entity. The more that the auditor knows about the six areas of understanding, the more
likely the auditor will be able to identify risk factors. Understanding the entity is also helpful when identifying
and later responding to possible fraud scenarios. Remember that management override is always a possibility
and fraud is thereby concealed (especially from the auditor).
As information is gathered (or updated) about each of the required areas of understanding the entity,
the existence of relevant business and fraud risk factors will be considered. For many of the business risks
identified, there may also be a fraud risk to consider. For this reason, it is suggested that, where possible, fraud
risks be listed separately from business risks and assessed separately. For example, if the sales outlook for
an entity's products was poor (an external source of risk), consider what could go wrong (implications for) in
the financial statements. Poor sales could result in excess inventory that may need to be written down, but
it could also trigger a fraud risk if it provided an incentive for a salesperson to inflate his/her sales to meet a
bonus threshold.
CONSIDER POINT
The business and fraud risks (inherent risks) are identified before any consideration of any internal
controls that might mitigate such risks. Internal control to mitigate risks is addressed in Volume 2,
Chapters 11 and 12. This is also important for identifying any significant risks that might exist (refer to
Volume 2, Chapter 10).
The effect of some of the risk factors identified will relate to a specific financial statement area, but other risk
factors will be pervasive and relate to many financial statement areas. For example, if the senior accountant
is incompetent, errors will not likely be limited to one financial statement area. In addition, if someone took
advantage of the situation to commit fraud, misstatements could occur in any number of asset or liability
balances, and could be covered up with additional misstatements in revenue and expense transactions.
Pervasive risks often derive from a weak control environment and potentially affect many financial statement
areas, disclosures, and assertions. Pervasive risks will likely affect the assessment of risk at the financial
statement level. Risks at the financial statement level will be addressed through an overall response by the
auditor (such as more audit work performed, assigning more experienced staff members, etc.).
As the audit progresses, additional risk factors may be identified. These should be added to the list of
identified risks and appropriately assessed before making any decisions as to the impact on audit strategy
and the audit plan, such as the nature and extent of further audit procedures required. This will ensure that,
when planning takes place for the next period, the risk identification and assessment will be complete.
A suggested three-step risk identification process is outlined below.
Exhibit 8.10-1
Risk Identification
Step 1
Gather Basic Information about the Entity
The starting point is to obtain a basic understanding or frame of reference
for designing the risk assessment procedures to be performed. Without this
understanding, it would be difficult, if not impossible, to identify what errors and
fraud could occur in the financial statements.
Obtain (or update) relevant basic information about the entity, its objectives,
culture, operations, key personnel, and the internal organization and control.
Step 2
Design, Perform and Document Risk Assessment Procedures
Risk assessment procedures/activities (see Volume 1, Chapter 8) are required to
be performed so that:
The sources of risks of material misstatement are identified,
An appropriate understanding of the entity is obtained, and
The necessary supporting audit evidence is obtained.
Using the basic understanding of the entity obtained in step 1 above, design
and perform risk assessment procedures and related activities.
Hold discussions among the audit team regarding the susceptibility of the
entity's financial statements to material misstatement, caused by error or fraud
(see Volume 2, Chapter 7).
Make inquiries of management as to how they identify and manage risk factors
(particularly fraud), and what risk factors have in fact been identified and
managed. Also ask management if errors or fraud have actually occurred.
Document all risk factors identified.
Step 3
Relate or Map the Risks Identified to Material Financial Statement Areas
For each risk factor (risk cause) identified, identify the effect (specific misstatements
such as fraud and error) that could occur in the financial statements as a result. Note
that a single risk factor can result in a number of differing types of misstatements that
may affect more than just one financial statement area. (See the Consider Point below
for some examples.)
Identify the material account balances, class of transactions, and disclosures in
the financial statements.
Relate or map the risks identified to the specific financial statement areas,
disclosures, and assertions affected. If the risk identified is pervasive, then
relate it to the financial statements as a whole. Identifying the effect of risks
by financial statement area helps in assessing risks at the assertion level.
Identifying the effect of pervasive risks helps in assessing risks at the financial
statement level.
CONSIDER POINT
A natural tendency for auditors is to use the financial statements as the starting point for identifying
risks. For example, inventory may be considered high risk because of the errors found in previous
periods. However, this is equivalent to identifying the effect of a risk but not the underlying cause.
Knowing inventory is high risk is important; however, it is even better to know the cause of the risk.
If the cause of a risk is not identified, it is possible that some risk factors will be missed altogether.
Consider the following:
Missing balances or transactions
Financial statements only summarize the results of business decisions and transactions that have
been recorded. If transactions have not been recorded, or if assets have been misappropriated or
contingencies are not disclosed, it is quite possible that the risk factors associated with such missing
amounts or disclosures will not be identifed or assessed.
Fact gathering versus risk identification
The process of understanding the entity can easily become focused on collecting facts about the entity
rather than identifying sources of risk. When this occurs, new risk factors, events, transactions, and fraud
risks may be missed altogether.
Cause and effect of misstatements
The significance of certain risk sources may be missed if attention is paid primarily to the effect or
consequence of the risk factor (such as focusing on the errors in the inventory balance, rather than the
reasons for their occurrence in the first place). The source of the risk is the event(s) that would cause
errors to occur in the first place. The source of errors in the inventory balance could be inadequate or
poorly trained staff, an outdated system of internal control, misapplication of accounting policies such
as revenue recognition, lack of security over inventory or outright fraud by employees, etc.
A cause with multiple misstatement effects
An individual risk source may often affect many financial statement balances. For example, a downturn
in the economy may affect the valuation of inventory, the collectability of receivables, compliance with
banking agreements, manipulation of sales transactions to achieve bonus thresholds, and possibly even
going-concern issues.
Pervasive risks
By focusing on one financial statement area at a time, certain pervasive risks and fraud risks may not be
identified. For example, the introduction of a new accounting system could result in errors being made
in many financial statement balances. In addition, someone could take advantage of the uncertainty
created by the new system to commit a fraud.
8.11 Documenting the Risk Identification Process
The auditor should use professional judgment regarding the manner in which these matters are documented.
For example, the documentation of the risk identification process following the three steps outlined above
would consist of:
Information about the entity;
Risk assessment procedures; and
Relating identified risks to possible errors and fraud in the financial statements.
Exhibit 8.11-1
Document Description
Information about the Entity
Document information obtained under the appropriate area of understanding, such as
the entity's objectives, external factors, nature of the entity, etc. Documentation may vary
from very simple to complex, depending on the size of the entity, and could include:
Client-prepared information (such as business plans and analysis);
External data (industry reports, internal staff communications, documented
policies and procedures);
Relevant correspondence (legal, government agencies, etc.), emails, consultants'
reports, memoranda; and
Firm's checklists.
Risk Assessment Procedures
Document details of the risk assessment procedures performed. This would include:
Discussions among the audit team regarding the susceptibility of the entity's financial
statements to material misstatement caused by error or fraud, and the results;
Key elements of the understanding of the entity obtained, including:
Each of the aspects of the entity and its environment outlined above,
Each of the five internal control components, as outlined in Volume 1,
Chapter 5, and
Sources of information from which the understanding was obtained; and
The identified and assessed risks of material misstatement at the financial
statement level and assertion level.
Relate Identified Risks to Possible Errors and Fraud in the Financial Statements
Document the material account balances, class of transactions, and disclosures in the
financial statements; and then, for each source of risk identified, indicate whether it is:
Pervasive to the financial statements as a whole; or
Confined to specific financial statement areas, disclosures, and assertions.
There are a number of ways that identified risks can be documented. One way of documenting the risks
identified is outlined in the following exhibit. The exhibit shows the risk source by area of understanding
(external factors, nature of entity, etc.), the impact or possible consequence of the risk, and the financial
statement areas affected.
Exhibit 8.11-2
| Risk Source | Impact of Risk on Financial Statements (Errors or Fraud) | Financial Statement Area Affected or Pervasive Risk |
| --- | --- | --- |
| Entity's Objectives | | |
| Introduction of a new product during the year | Errors in cost allocation and inventory valuation. | Inventory valuation |
| | New product costing and pricing methodologies/systems could create opportunities for fraud to occur. | Inventory accuracy |
| | The new financing required will make it difficult to comply with existing bank covenants. If the entity is in breach of covenants, the loan may actually be payable on demand. | Note disclosures on financing, debt covenants, and loan classification |
| | Management may be tempted to manipulate financial statements to ensure compliance with the bank covenants. | Pervasive risk |
| Nature of the Entity | | |
| Senior accountant not trained properly | Errors in the financial statements. | Pervasive risk |
| | Opportunity for fraud. | Pervasive risk |
CONSIDER POINT
One location for risks
Consider recording all the risk factors identified in a single document, single place, or with a common
file reference number in the working paper file. This has a number of advantages:
Ease of file review. All risk factors identified can be found in one place.
Consistent assessment. When risks are reviewed together, a particular risk that has been assessed
differently from others will be more evident.
Risks can be sorted (using an electronic spreadsheet) enabling the most significant risks to appear
at the top of the page. In this way, a file reviewer can check to ensure that all the major risks
identified have been addressed with an appropriate audit response.
Separate lists of fraud and business risk factors
List and assess fraud risks separately from business risk factors. Many business risks also create an
opportunity or incentive for fraud to occur. If fraud is not separately considered, some fraud risk factors
may be missed. For example, a new accounting system may create potential for errors (business risk),
but may also provide an opportunity for someone to manipulate the financial results or misappropriate
assets (fraud risk). Another reason for keeping them separate is that the audit response to a fraud risk
(identification of any patterns, exceptions, or oddities that might exist) might be quite different from the
response to a related business risk.
Leave the assessment of risk until later
Avoid the temptation to only list risk factors that are likely to be significant or important. A key part of
risk or event identification is to develop as complete a listing of risk factors as possible. Inconsequential
risk factors can always be removed later after each risk is appropriately assessed. This will help to ensure
that all material risks are indeed identified.
Re-use documentation to extent possible
Avoid having to re-document the risk factors identified and the understanding of the entity obtained
each period. If information about risk assessment procedures performed and the risks identified is
captured in a structured way (see "One location for risks" above), it can simply be updated each period.
This may require more time initially (in the first period) to prepare, but will save time in subsequent
periods. However, be sure that appropriate risk assessment procedures are carried out and documented
each period, and that any changes made can be identified. Also ensure that each document records the
fact that the information was updated.
Impact of risks
The most important, but also the most difficult, column to complete is "impact of risk on financial
statements" (see above exhibit). It is in this column that the auditor sets out the implication of the
identified risk. Declining sales is a risk factor but, if recorded accurately by the entity, this would not
result in risks of material misstatement. However, declining sales could result in inventories being
obsolete or overvalued, and receivables may become difficult to collect. It is the implication of each risk
factor that the auditor needs to identify so that an appropriate audit response can be developed.
Note: The risk sources identified in this example have multiple impacts, each of which has been considered
separately. If the various impacts of risk sources are not broken out into discrete components, not
only will the risk assessment process be more difficult, but the auditor could easily miss some risk
implications (such as fraud) altogether.
8.12 Case Studies - Inherent Risks Identification
For details of the case studies, refer to Volume 2, Chapter 2 - Introduction to the Case Studies.
Understanding the entity
This can be documented in a memo that is similar to the one in Volume 2, Chapter 2 that outlines the
details of these two case studies.
Identifying risk factors
One way of documenting the cause and effect of identified risks (both business and fraud) is to list them
in a structured format such as the risk assessment form outlined below. This will ensure that all risks are
recorded in one place and that the assessment of risks will be consistent. The alternative approach is to
list the risks identified in a memo format. Avoid the temptation to combine business and fraud risk on
one form. The assessment of and response to a business risk versus a fraud risk may be quite different.
Outlined below is a structured format for Dephta Furniture, Inc., and a memo approach for Kumar & Co.
Case Study A - Dephta Furniture, Inc.
Business Risks
| Risk Event/Source | Implication of Risk Factor (What financial statement areas could be misstated and in what way?) | Assertions (P, C, A, E, V) |
| --- | --- | --- |
| Downturn in economy | Receivables may be difficult to collect | V |
| Downturn in economy | Inventory write-downs may be required | V |
| Inventory clerk known to make errors | Inventory balances may be overstated/understated and possibly impact valuation | CAEV |
| Continued growth (despite downturn) and poor inventory control | Breach of debt covenants | P |
| General IT controls are weak in a number of areas | Data integrity may be compromised or data may even be lost | P |
| New sales being sought in other countries | Foreign exchange risks in receivables | A |
Key:
P = Pervasive (all assertions)
C = Completeness
A = Accuracy
E = Existence
V = Valuation
Fraud Risks
| Risk Event/Source | Implication of Risk Factor (What financial statement areas could be misstated and in what way?) | Assertions (P, C, A, E, V) |
| --- | --- | --- |
| Pressures | | |
| Minimize tax burden | Management bias in estimates (such as valuation of inventory) to reduce income. | CAV |
| Minimize tax burden | Unauthorized journal entries or manipulation of financial statements. | P |
| Rapid growth putting pressure on financing | Financial statement manipulation to avoid bank covenant being violated. | P |
| Salesman's bonus based on sales above certain thresholds | Inflated sales to meet thresholds. | E |
| Paying bribes to obtain contracts | Damage to reputation, overstatement of expenses, unaccrued fines. | CAE |
| Opportunities | | |
| Poor control over inventory | Goods stolen from inventory. | E |
| Poor control over cash sales | Goods stolen/cash stolen. | E |
| Transactions with related parties | Sales/purchases may not be complete, properly valued or disclosed in the financial statements. | P |
| Significant expansion in the use of related party transactions | Sales/purchases could be undervalued/overvalued. Balances with related parties may not be collectable. Manipulation of financial statements could be achieved by transferring risky balances to a related party. This would replace a risky balance with a related party balance. | V |
| Rationalization | | |
| Low morale among temporary workers | Goods or cash stolen | E |
Key:
P = Pervasive (all assertions)
C = Completeness
A = Accuracy
E = Existence
V = Valuation
Case Study B - Kumar & Co.
Memo to File - Kumar & Co.
Inherent Risk Identification
As a result of performing the risk assessment procedures outlined on working paper X.X, which included
potential sources of risk arising from the six areas of required understanding, we have identified the
following risk factors:
Business Risks
Raj's absence from operations - a pervasive risk
The quality and accuracy of the accounting records could be compromised due to Raj's focus on
personal family matters. The financial statements could be materially misstated.
Risk Assessment: (to be addressed in Volume 2, Chapter 9)
Risk Response: (to be addressed in Volume 2, Chapter 16)
Raj used to inspect goods for quality before shipment. The quality of products sold could be
compromised, leading to greater returns and/or unsaleable inventory. (Valuation)
Risk Assessment: (to be addressed in Volume 2, Chapter 9)
Risk Response: (to be addressed in Volume 2, Chapter 16)
Downturn in economy and economic dependence
Kumar & Co. is dependent on its primary customer, Dephta Furniture, Inc., which represents over
90% of its sales. In this economic downturn, Dephta could cancel orders. The impact could be
bank covenant violations and overvalued assets.
A decline in sales and liquidity pressures may lead to financial statement manipulation to avoid
bank covenant violations.
If the bank called their loan, the company may not be able to continue as a going concern. This
could result in a material uncertainty that should be disclosed in the financial statements, and an
evaluation of the basis (i.e., the going-concern assumption) on which the financial statements are
prepared. This would affect all assertions.
Risk Assessment: (to be addressed in Volume 2, Chapter 9)
Risk Response: (to be addressed in Volume 2, Chapter 16)
Fraud Risks
Tax minimization
There may be a management bias to minimize the tax burden. There may be a bias in
management's estimates, or unauthorized journal entries could be used. (Completeness, Accuracy)
Risk Assessment: (to be addressed in Volume 2, Chapter 9)
Risk Response: (to be addressed in Volume 2, Chapter 16)
Raj's absence from operations - a pervasive risk
Raj's absence results in minimal oversight of Ruby's work. In addition, Ruby appears to have low
morale and personal financial pressures. This creates incentive, opportunity, and rationalization
for cash/goods being stolen (Existence) and/or financial statement manipulation. This should be
treated as a fraud risk.
Risk Assessment: (to be addressed in Volume 2, Chapter 9)
Risk Response: (to be addressed in Volume 2, Chapter 16)
Related Parties
Transactions with related parties could be manipulated, leading to sales being overvalued.
(Valuation) Attention should also be paid to the possible existence of other related parties and the
valuation/accuracy of balances with related parties at period end.
Risk Assessment: (to be addressed in Volume 2, Chapter 9)
Risk Response: (to be addressed in Volume 2, Chapter 16)
Prepared by: FJ Date: December 8, 20X2
Reviewed by: LF Date: January 5, 20X3
9. Inherent Risks Assessment
Chapter Content: How to assess the identified risks of material misstatement in the financial statements.
Relevant ISAs: 240, 315
Exhibit 9.0-1
[Diagram: the Risk Assessment phase of the audit, set out as Activity, Purpose, and Documentation (note 1).]
- Perform preliminary engagement activities. Purpose: decide whether to accept engagement. Documentation: listing of risk factors; independence; engagement letter.
- Plan the audit. Purpose: develop an overall audit strategy and audit plan (note 2). Documentation: materiality; audit team discussions; overall audit strategy.
- Perform risk assessment procedures. Purpose: identify/assess RMM (note 3) through understanding the entity. Documentation: business & fraud risks including significant risks; design/implementation of relevant internal controls; assessed RMM (note 3) at F/S level and assertion level.
Notes:
1. Refer to ISA 230 for a more complete list of documentation required.
2. Planning (ISA 300) is a continual and iterative process throughout the audit.
3. RMM = Risks of material misstatement.
Paragraph # Relevant Extracts from ISAs
240.25 In accordance with ISA 315, the auditor shall identify and assess the risks of material misstatement due to fraud at the financial statement level, and at the assertion level for classes of transactions, account balances and disclosures.
240.26 When identifying and assessing the risks of material misstatement due to fraud, the auditor shall, based on a presumption that there are risks of fraud in revenue recognition, evaluate which types of revenue, revenue transactions or assertions give rise to such risks. Paragraph 47 specifies the documentation required where the auditor concludes that the presumption is not applicable in the circumstances of the engagement and, accordingly, has not identified revenue recognition as a risk of material misstatement due to fraud. (Ref: Para. A28-A30)
240.27 The auditor shall treat those assessed risks of material misstatement due to fraud as significant risks and accordingly, to the extent not already done so, the auditor shall obtain an understanding of the entity's related controls, including control activities, relevant to such risks. (Ref: Para. A31-A32)
315.25 The auditor shall identify and assess the risks of material misstatement at:
(a) the financial statement level; and (Ref: Para. A105-A108)
(b) the assertion level for classes of transactions, account balances, and disclosures (Ref: Para. A109-A113)
to provide a basis for designing and performing further audit procedures.
315.26 For this purpose, the auditor shall:
(a) Identify risks throughout the process of obtaining an understanding of the entity and its environment, including relevant controls that relate to the risks, and by considering the classes of transactions, account balances, and disclosures in the financial statements; (Ref: Para. A114-A115)
(b) Assess the identified risks, and evaluate whether they relate more pervasively to the financial statements as a whole and potentially affect many assertions;
(c) Relate the identified risks to what can go wrong at the assertion level, taking account of relevant controls that the auditor intends to test; and (Ref: Para. A116-A118)
(d) Consider the likelihood of misstatement, including the possibility of multiple misstatements, and whether the potential misstatement is of a magnitude that could result in a material misstatement.
9.1 Overview
Risk identification, which was addressed in the previous chapter, involves:
- Performing risk assessment procedures to identify sources (causes) of risk through understanding the entity;
- Determining the possible effects of the risk sources identified (potential misstatements in the financial statements), including the possibility of fraud; and
- Relating the effects of risks to the financial statement area and assertions affected, or determining that the risks are pervasive to the financial statements as a whole and potentially affect many assertions.
The next step is to assess the identified risks and determine their significance for the audit of the financial
statements. Again, it is preferable to assess the inherent risks before considering any internal control that
might mitigate such risks.
Risk assessment involves consideration of two attributes about the risk:
- What is the likelihood of a misstatement occurring as a result of the risk?
- What would be the magnitude (monetary impact) if the risk did occur?
Likelihood of a Misstatement Occurring
What is the probability that the risk will occur? The auditor could evaluate this probability simply as high,
medium, or low, or could assign a numerical score, such as 1 to 5. A numerical score provides a slightly more
precise assessment. The higher the score, the more likely the risk would occur.
Magnitude (Monetary Impact) if the Risk Did Occur
If the risk occurred, what would be the monetary impact? This judgment needs to be assessed against
a specified monetary amount, such as performance materiality. If not, different people (with different
materiality amounts in mind) could come to entirely different conclusions. For audit purposes, the specified
amount would relate to what constitutes a material misstatement for the financial statements as a whole. This
assessment can also be evaluated simply as high, medium, or low, or by assigning a numerical score, such as 1
to 5. The higher the score is, the higher the magnitude of the risk.
CONSIDER POINT
If numeric scores are used to assess likelihood and magnitude, the numbers can be multiplied to
provide a combined or overall risk assessment score. This calculation can be useful in considering
whether significant risks exist. In addition, if an electronic worksheet is used, the listing of risks may be
ranked and sorted so that the most significant identified risks are always at the top of the list. This can
be useful information when reviewing the file and ensuring that an appropriate response has been
developed for the assessed risks.
In smaller entities where the number of risk factors is small and the audit response has already been
established, the two assessments (likelihood and magnitude) can still be considered separately but
documented as one combined assessment.
The steps involved in risk assessment (using assessment criteria of high, medium, or low) are illustrated below.
Exhibit 9.1-1
[Diagram: Risk Assessment. A listing of the business and fraud risk factors identified (numbered 1 to 5) is assessed in three steps: "Is the identified risk (misstatement) likely to occur? (High, Medium, Low)"; "If risk (misstatement) did occur, how material would it be to the financial statements? (High, Medium, Low)"; and the resulting "Assessed Level of Risk (High, Medium, Low)".]
The results of the risk assessment process can also be set out in a chart, as illustrated below. Some commercial
software packages provide charting capabilities.
Exhibit 9.1-2
[Chart: a two-by-two grid with "Likelihood of Risk Occurring" on the horizontal axis and "Impact (Magnitude) of Risk" on the vertical axis. Quadrants: High Impact/Low Likelihood, High Impact/High Likelihood, Low Impact/Low Likelihood, Low Impact/High Likelihood.]
Risks falling in the high impact (magnitude), high likelihood area of the chart clearly require management
action to mitigate. In addition, these risks will likely be determined as being significant, which will require
special audit consideration (refer to Volume 2, Chapter 10).
CONSIDER POINT
Discussions with management
When risk factors are documented and assessed by the auditor, it is important that the results be
discussed with the entity's management. This discussion will help to ensure that a risk factor has not been
overlooked and that the auditor's assessment of risks (likelihood and impact) is reasonable. However, it is
always important to use professional skepticism when evaluating management's input and responses.
9.2 Risk Assessments Performed by the Entity
Risk assessment is one of the five components of internal control (see Volume 1, Chapter 5) that should be
addressed by the entity's management.
In smaller entities, the risk assessment process is likely to be informal and unstructured. Risk in smaller entities
is often recognized implicitly rather than explicitly. Management may be aware of risks related to financial
reporting through direct personal involvement with employees and outside parties. As a result, the auditor
would make inquiries of management as to how it identifies and manages risk, and then as to what risks have
actually been identified and managed. The auditor would document the results.
As management understands the benefits of a more formalized risk assessment process, it may decide to
develop, implement, and document its own processes. When this occurs, the auditor would evaluate:
- Controls in place over management's processes;
- The completeness of the business and fraud risks identified. This is often recorded on what is commonly referred to as a risk register;
- Management's assessment of the magnitude of the risks and the likelihood of their occurrence; and
- Management's responses to address the assessed risks.
If management has failed to identify key risks, consideration should be given as to whether there is a
significant deficiency in the entity's risk assessment process.
9.3 Documenting Assessed Risks
Professional judgment should be used regarding the manner in which risk factors are assessed.
The assessment of the risks of material misstatement is made at the:
- Financial statement level; and
- Assertion level for classes of transactions, account balances, and disclosures.
Documentation may be in the form of memoranda or a risk listing (for fraud) such as that outlined in Exhibit
9.3-1. Note the following:
- The first two columns in the table below would be completed as part of risk identification as discussed in Volume 2, Chapter 8.
- The assertion column is an assessment of:
  - The specific assertions that relate to the financial statement area or disclosure impacted by the risk. This will help in the assessment of risks at the assertion level, and
  - Pervasive risks that affect many assertions, and would impact the assessment of risk at the financial statement level.
- The risks being assessed are inherent risks. Control risk is addressed in Volume 2, Chapters 11 and 12.
- The assessments of likelihood and magnitude (impact) used the numeric scale of 1 = low likelihood/magnitude and 5 = high likelihood/magnitude. These scores may be multiplied to provide a combined overall score. However, these risks could just as easily have been assessed as high, medium or low.
Exhibit 9.3-1
Period ended: December 31, 20X2. Materiality: 50,000
The last three columns are the Inherent Risk Assessment.

| Risk Event/Source | Implication of Risk Factor | Assertions (PCAEV) | Likelihood to Occur | Impact | Combined Score |
|---|---|---|---|---|---|
| Salespersons' compensation based on sales commissions | Sales could be fictitious, recorded in the wrong period, overstated, or at terms different from the standard terms and conditions in order to achieve bonus targets | EA | 4 | 4 | 16 |
| Failure to comply with debt covenants is covered up to avoid bank inquiries | Unauthorized journal entries to defer expense, bias in management estimates, etc. | P | 2 | 5 | 10 |
| Fictitious suppliers inserted by employees | Acme pays for expenses at inflated prices or for which no services/goods were rendered | EA | 2 | 4 | 8 |
| Related party transactions not identified. Shareholders not involved in business could be disadvantaged | Revenue and expenses not recorded at FMV (Fair Market Value) | P | 3 | 5 | 15 |
| Cash sales for parts and service may go unrecorded and undeposited | Revenue and assets are understated | CAE | 4 | 1 | 4 |
CONSIDER POINT
When documenting risk factors, consider how they will be updated and used in subsequent periods.
Recording information in one place and in a structured format (such as above) may take a little longer to
prepare initially, but will be much easier to update in the future. A structured format also helps to ensure:
- That risks are not addressed more than once (which can occur if spread throughout the audit file);
- A consistent assessment of each risk;
- That significant risks are identified;
- Ease of review. An electronic worksheet enables risks (scored numerically) to be sorted on their combined score, or by likelihood or impact; and
- The risk listing can be shared with the client (to obtain their input) or to request that the client prepare the listing of risk factors for the auditor's review.
9.4 Case Studies: Inherent Risks Assessment
For details of the case studies, refer to Volume 2, Chapter 2: Introduction to the Case Studies.
Where a structured format is used to document the assessment, it can be completed using the same form as
the one started in Volume 2, Chapter 8. The audit response column can be used to cross-reference the risk
factors to the specific audit procedures or audit programs that address the identified risks.
If a memo is to be used, the risk assessment and risk response could be added to the memo started in
Volume 2, Chapter 8.
Case Study A: Dephta Furniture, Inc.
Business Risks
Likelihood, Impact, and Combined Score form the Inherent Risk Assessment.

| Risk Event/Source | Implication of Risk Factor (what financial statement areas could be misstated and in what way) | Assertions (PCAEV) | Likelihood to Occur | Impact | Combined Score | Significant Risk? Y/N |
|---|---|---|---|---|---|---|
| Continued growth (despite downturn) and poor inventory control | Breach of debt covenants | P | 4 | 5 | 20 | Y |
| Inventory clerk known to make errors | Inventory balances may be overstated | E | 5 | 3 | 15 | N |
| General IT controls are weak in a number of areas | Data integrity may be compromised or data may even be lost | P | 3 | 5 | 15 | N |
| Downturn in economy | Inventory write-downs may be required | V | 3 | 3 | 9 | N |
| New sales being sought in other countries | Foreign exchange risks in receivables | A | 2 | 2 | 4 | N |
| Downturn in economy. | Receivables may be difficult to collect (i.e., overstated) | V | 1 | 3 | 3 | N |

Key:

| Assertions | Assess likelihood (probability) to occur on a scale of 1-5 | Assess the magnitude (monetary impact) in relation to materiality on a scale of 1-5 |
|---|---|---|
| P = Pervasive (all assertions) | 1 = Remote | 1 = Immaterial |
| C = Completeness | 2 = Unlikely | 2 = Minor |
| A = Accuracy | 3 = Likely | 3 = Moderate |
| E = Existence | 4 = Most likely | 4 = Major |
| V = Valuation | 5 = Almost certain | 5 = Material |

(As a guide, risk factors with a combined risk assessment (Likelihood x Impact) score of 20 or more should be considered as
significant fraud risks.)
Note: The possible violation of the bank covenants has a combined risk score of 20, and is therefore considered to be a
significant risk. Significant risks require special audit consideration by the auditor, including obtaining an understanding
of the entity's related controls relevant to such risks.
Fraud Risks
Likelihood, Impact, and Combined Score form the Inherent Risk Assessment.

| Risk Event/Source | Implication of Risk Factor (what financial statement areas could be misstated and in what way?) | Assertions (PCAEV) | Likelihood to Occur | Impact | Combined Score | Significant Risk? Y/N |
|---|---|---|---|---|---|---|
| Pressures | | | | | | |
| Minimize tax burden | Unauthorized journal entries/financial statement manipulation | CAV | 4 | 5 | 20 | Y |
| Rapid growth putting pressure on financing | Financial statement manipulation to avoid bank covenant being violated | P | 4 | 5 | 20 | Y |
| Minimize tax burden | Management bias in estimates to reduce income | CA | 4 | 4 | 16 | Y |
| Salesman's bonus based on sales above certain thresholds | Inflated sales to meet thresholds. However, the bonus amounts are small. | E | 3 | 2 | 6 | N |
| Paying bribes to obtain contracts | Damage to reputation, overstatement of expenses, unaccrued fines. | CAE | 2 | 2 | 4 | N |
| Opportunities | | | | | | |
| Revenue recognition | Inconsistent application of accounting policies | CAE | 3 | 4 | 12 | Y |
| Significant expansion in the use of related party transactions | Sales/purchases could be undervalued/overvalued | V | 4 | 5 | 20 | Y |
| Poor control over inventory | Goods stolen from inventory | E | 4 | 3 | 12 | N |
| Poor control over cash sales | Goods stolen/cash stolen. | E | 4 | 3 | 12 | N |
| Transactions with related parties | Sales/purchases may not be complete, properly valued, or disclosed in the financial statements | Pervasive | 3 | 4 | 12 | N |
| Rationalization | | | | | | |
| Low morale among temporary workers | Goods or cash stolen | E | 3 | 2 | 6 | N |

Key:

| Assertions | Assess likelihood (probability) to occur on a scale of 1-5 | Assess the magnitude (monetary impact) in relation to materiality on a scale of 1-5 |
|---|---|---|
| P = Pervasive (all assertions) | 1 = Remote | 1 = Immaterial |
| C = Completeness | 2 = Unlikely | 2 = Minor |
| A = Accuracy | 3 = Likely | 3 = Moderate |
| E = Existence | 4 = Most likely | 4 = Major |
| V = Valuation | 5 = Almost certain | 5 = Material |

(As a guide, risk factors with a combined risk assessment (Likelihood x Impact) score of 20 or more should be considered as
significant fraud risks.)
Note: The possible management bias in estimates, unauthorized journal entries, the pressures to finance the rapid growth,
and related party transactions have been assessed as significant risks (where the combined score exceeded 20).
Significant risks require special audit consideration by the auditor, including obtaining an understanding of the entity's
related controls relevant to such risks. If no controls exist, it is likely that a significant deficiency exists. Note that revenue
recognition has a combined score of less than 16 but is presumed to be a significant risk. (Refer to ISA 240.26.)
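The scoring, ranking, and significant-risk flags of the fraud risk table above can be kept in an electronic worksheet. The following is an added example, not part of the guide: the rows are transcribed from the Case Study A fraud risk table, while the field names, the `basis` labels ("score", "presumed", "judgment"), and the two review checks are assumptions of this sketch.

```python
from dataclasses import dataclass
from typing import List, Optional

SIGNIFICANT_SCORE = 20  # the guide's rule of thumb: Likelihood x Impact of 20 or more


@dataclass(frozen=True)
class Risk:
    source: str
    implication: str
    assertions: str         # P, C, A, E, V codes from the exhibit key
    likelihood: int         # 1 = remote ... 5 = almost certain
    impact: int             # 1 = immaterial ... 5 = material
    documented: bool        # the exhibit's "Significant Risk? Y/N" column
    presumed: bool = False  # revenue recognition presumption (ISA 240.26)

    def __post_init__(self):
        # Reject scores outside the 1-5 scale before they distort the ranking.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    def basis(self) -> Optional[str]:
        """Why the risk counts as significant, or None if it does not."""
        if self.score >= SIGNIFICANT_SCORE:
            return "score"
        if self.presumed:
            return "presumed"
        if self.documented:
            return "judgment"
        return None


def rank(register: List[Risk]) -> List[Risk]:
    """Highest combined score first; ties broken by impact, otherwise stable."""
    return sorted(register, key=lambda r: (-r.score, -r.impact))


def significant(register: List[Risk]) -> List[Risk]:
    return [r for r in rank(register) if r.basis() is not None]


def needs_rationale(register: List[Risk]) -> List[Risk]:
    """Flagged Y on judgment alone (score under the guide value, no presumption)."""
    return [r for r in register if r.basis() == "judgment"]


def inconsistent(register: List[Risk]) -> List[Risk]:
    """Score or presumption says significant, but the Y/N column says N."""
    return [r for r in register
            if (r.score >= SIGNIFICANT_SCORE or r.presumed) and not r.documented]


def worksheet(register: List[Risk]) -> str:
    """Ranked listing, most significant risks at the top."""
    lines = [f"{'Score':>5}  L I  {'Basis':<9} Risk"]
    for r in rank(register):
        lines.append(f"{r.score:>5}  {r.likelihood} {r.impact}  "
                     f"{r.basis() or '-':<9} {r.source}: {r.implication}")
    return "\n".join(lines)


# Rows transcribed from the Case Study A fraud risk table (Dephta Furniture, Inc.).
REGISTER = [
    Risk("Minimize tax burden",
         "Unauthorized journal entries/financial statement manipulation", "CAV", 4, 5, True),
    Risk("Rapid growth putting pressure on financing",
         "Financial statement manipulation to avoid bank covenant being violated", "P", 4, 5, True),
    Risk("Minimize tax burden",
         "Management bias in estimates to reduce income", "CA", 4, 4, True),
    Risk("Salesman's bonus based on sales above certain thresholds",
         "Inflated sales to meet thresholds", "E", 3, 2, False),
    Risk("Paying bribes to obtain contracts",
         "Damage to reputation, overstatement of expenses, unaccrued fines", "CAE", 2, 2, False),
    Risk("Revenue recognition",
         "Inconsistent application of accounting policies", "CAE", 3, 4, True, presumed=True),
    Risk("Significant expansion in the use of related party transactions",
         "Sales/purchases could be undervalued/overvalued", "V", 4, 5, True),
    Risk("Poor control over inventory", "Goods stolen from inventory", "E", 4, 3, False),
    Risk("Poor control over cash sales", "Goods stolen/cash stolen", "E", 4, 3, False),
    Risk("Transactions with related parties",
         "Sales/purchases may not be complete, properly valued, or disclosed", "P", 3, 4, False),
    Risk("Low morale among temporary workers", "Goods or cash stolen", "E", 3, 2, False),
]

if __name__ == "__main__":
    print(worksheet(REGISTER))
    for r in needs_rationale(REGISTER):
        print(f"Document the judgment for: {r.source} ({r.implication}), score {r.score}")
```

Run against the exhibit, `needs_rationale` returns the one row marked Y with a score of 16, which is the determination a reviewer would expect to see explained in the file; `inconsistent` returns nothing.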
Case Study B: Kumar & Co.
Memo to File: Kumar & Co.
Inherent Risk Identification
Materiality = 3,000
As a result of performing the risk assessment procedures outlined on working paper X.X, which included
potential sources of risk arising from the six areas of required understanding, we have identified the
following risk factors:
Business Risks
Raj's absence from operations: a pervasive risk
The quality and accuracy of the accounting records could be compromised due to Raj's focus on
personal family matters. The financial statements could be materially misstated.
Risk Assessment: High likelihood of occurrence/High magnitude (in relation to materiality) =
High Risk, and also a significant risk. See WP # X.X.
Risk Response: (to be addressed in Volume 2, Chapter 16)
Raj used to inspect goods for quality before shipment. The quality of products sold could be
compromised, leading to greater returns and/or unsaleable inventory. (Valuation)
Risk Assessment: Low Likelihood/Low Magnitude = Low Risk
Risk Response: (to be addressed later)
Downturn in economy and economic dependence
Kumar & Co. is dependent on its primary customer, Dephta Furniture, Inc., which represents over
90% of its sales. In this economic downturn, Dephta could cancel orders. The impact could be
bank covenant violations and overvalued assets. If the bank called its loan, the company would be
unable to continue. (Valuation)
Risk Assessment: Moderate Likelihood/Moderate Magnitude = Moderate Risk
Risk Response: (to be addressed in Volume 2, Chapter 16)
Fraud Risks
Revenue Recognition
Possibility of inconsistent application of accounting policies.
Risk Assessment: Moderate Likelihood/Moderate Magnitude = Moderate Risk, but this
is presumed by ISA 240.26 to be a significant risk, and will be treated as such.
Risk Response: (to be addressed in Volume 2, Chapter 16)
Tax minimization
There may be a management bias to minimize the tax burden. There may be a bias in
management's estimates, or unauthorized journal entries could be used. (Completeness, Accuracy)
Risk Assessment: High Likelihood/Moderate Magnitude = Moderate to High
Risk, and should be considered a significant risk.
Risk Response: (to be addressed in Volume 2, Chapter 16)
Downturn in economy and economic dependence
A decline in sales and liquidity pressures may lead to financial statement manipulation to avoid
bank covenant violations. (All assertions)
Risk Assessment: Moderate Likelihood/High Magnitude = Moderate to High Risk, and should be
considered a significant risk.
Risk Response: (to be addressed in Volume 2, Chapter 16)
Raj's absence from operations: a pervasive risk
Raj's absence results in minimal oversight of Ruby's work. In addition, Ruby appears to have low
morale and personal financial pressures. This creates incentive, opportunity, and rationalization for
cash/goods being stolen (Existence) and/or financial statement manipulation.
Risk Assessment: Moderate Likelihood/Moderate Magnitude = Moderate Risk
Risk Response: (to be addressed in Volume 2, Chapter 16)
Related Parties
Transactions with related parties could be manipulated, leading to sales being overvalued.
(Valuation)
Risk Assessment: Moderate Likelihood/Moderate Magnitude = Moderate Risk and should be
considered a significant risk
Risk Response: (to be addressed in Volume 2, Chapter 16)
Note: Significant risks require special audit consideration by the auditor, including obtaining an
understanding of the entity's related controls relevant to such risks. If no controls exist, it is likely that
a significant deficiency exists.
10. Significant Risks
Chapter Content: Guidance on the nature and determination of significant risks, and the consequences for the audit.
Relevant ISAs: 240, 315, 330
Exhibit 10.0-1
[Diagram: the Risk Assessment phase of the audit, set out as Activity, Purpose, and Documentation (note 1).]
- Perform preliminary engagement activities. Purpose: decide whether to accept engagement. Documentation: listing of risk factors; independence; engagement letter.
- Plan the audit. Purpose: develop an overall audit strategy and audit plan (note 2). Documentation: materiality; audit team discussions; overall audit strategy.
- Perform risk assessment procedures. Purpose: identify/assess RMM (note 3) through understanding the entity. Documentation: business & fraud risks including significant risks; design/implementation of relevant internal controls; assessed RMM (note 3) at F/S level and assertion level.
Notes:
1. Refer to ISA 230 for a more complete list of documentation required.
2. Planning (ISA 300) is a continual and iterative process throughout the audit.
3. RMM = Risks of material misstatement.
Paragraph # Relevant Extracts from ISAs
240.26 When identifying and assessing the risks of material misstatement due to fraud, the auditor shall, based on a presumption that there are risks of fraud in revenue recognition, evaluate which types of revenue, revenue transactions or assertions give rise to such risks. Paragraph 47 specifies the documentation required where the auditor concludes that the presumption is not applicable in the circumstances of the engagement and, accordingly, has not identified revenue recognition as a risk of material misstatement due to fraud. (Ref: Para. A28-A30)
315.4 For purposes of the ISAs, the following terms have the meanings attributed below:
(e) Significant risk - An identified and assessed risk of material misstatement that, in the auditor's judgment, requires special audit consideration.
315.25 The auditor shall identify and assess the risks of material misstatement at:
(a) the financial statement level; and (Ref: Para. A105-A108)
(b) the assertion level for classes of transactions, account balances, and disclosures (Ref: Para. A109-A113)
to provide a basis for designing and performing further audit procedures.
315.27 As part of the risk assessment as described in paragraph 25, the auditor shall determine whether any of the risks identified are, in the auditor's judgment, a significant risk. In exercising this judgment, the auditor shall exclude the effects of identified controls related to the risk.
315.28 In exercising judgment as to which risks are significant risks, the auditor shall consider at least the following:
(a) Whether the risk is a risk of fraud;
(b) Whether the risk is related to recent significant economic, accounting or other developments and, therefore, requires specific attention;
(c) The complexity of transactions;
(d) Whether the risk involves significant transactions with related parties;
(e) The degree of subjectivity in the measurement of financial information related to the risk, especially those measurements involving a wide range of measurement uncertainty; and
(f) Whether the risk involves significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual. (Ref: Para. A119-A123)
315.29 If the auditor has determined that a significant risk exists, the auditor shall obtain an understanding of the entity's controls, including control activities, relevant to that risk. (Ref: Para. A124-A126)
330.21 If the auditor has determined that an assessed risk of material misstatement at the assertion level is a significant risk, the auditor shall perform substantive procedures that are specifically responsive to that risk. When the approach to a significant risk consists only of substantive procedures, those procedures shall include tests of details. (Ref: Para. A53)
550.18 In meeting the ISA 315 requirement to identify and assess the risks of material misstatement, the auditor shall identify and assess the risks of material misstatement associated with related party relationships and transactions and determine whether any of those risks are significant risks. In making this determination, the auditor shall treat identified significant related party transactions outside the entity's normal course of business as giving rise to significant risks.
550.19 If the auditor identifies fraud risk factors (including circumstances relating to the existence of a related party with dominant influence) when performing the risk assessment procedures and related activities in connection with related parties, the auditor shall consider such information when identifying and assessing the risks of material misstatement due to fraud in accordance with CAS 240. (Ref: Para. A6, A29-A30)
10.1 Overview
After the business and fraud risks have been identified and assessed, consideration can be given to the
existence of significant risks. A significant risk is where the assessed risk of material misstatement is so high
that, in the auditor's judgment, it will require special audit consideration.
Significant risks are assessed before consideration of any mitigating controls. Significant risk is based on the
inherent risk (before considering the related internal control) and not the combined risk (considering both
inherent and internal control risks). For example, a company with a large inventory of diamonds would have
a high inherent risk of theft. Management's response is to maintain secure facilities. The combined risks of
material misstatement are therefore minimal. However, because the risk of loss (before considering internal
control) is highly likely and its size would have a material impact on the financial statements, the risk would be
determined as significant.
CONSIDER POINT
When considering the existence of significant risks, it can be difficult to ignore the mitigating effect of
relevant internal control. This is particularly true when the people implementing the control are well
known to the auditor and most likely are highly competent in what they do.
What is required is to separate the inherent risk from the controls in place. For example, an adult
about to cross a busy street would not likely consider the activity to be very risky. This is because it is
anticipated that adults use their eyes, ears, and previous experience (in crossing streets) to cross safely.
But such a risk assessment combines the inherent risk involved in crossing the street with a number
of control activities (the use of the eyes, ears, and previous experience). To assess whether crossing
the street is a significant risk (i.e., before any controls), the person would have to be blindfolded, given
earplugs, and asked to walk across the street.
10.2 Examples
Examples of significant risks are set out in the exhibit below.
Exhibit 10.2-1
Sources and Examples
High-Risk Activities:
Includes operations or events where a material misstatement could easily occur. For
example, an inventory of high-value diamonds or gold bars held by a jeweller, or a
new/complex accounting system being introduced.
Large Non-
Routine
Transactions (Size
or Nature)
Identifed signifcant related party transactions outside the entity's normal course of
business are to be treated as giving rise to signifcant risks.
Includes infrequent and large transactions. For example:
Unusual volume of routine transactions with a related party;
A major sales or supply contract;
The purchase or sale of major business assets or business segments; and
Sale of the business to a third party.
Routine non-complex transactions that are subject to systematic processing are less
likely to give rise to signifcant risks.
Matters Requiring
Judgment or
Management
Intervention
Examples would include:
The assumptions and calculations used by management in developing major
estimates;
Complex calculations or accounting principles;
Revenue recognition (presumed to be a signifcant risk) that is subject to
difering interpretation;
Extensive manual data collection and processing; and
Where management intervention is required to specify the accounting
treatment to be used.
Potential for Fraud
The risk of not detecting a material misstatement resulting from fraud (which is
intentional and deliberately concealed) is higher than the risk of not detecting one
resulting from error.
In evaluating whether signifcant risks could result from the identifed fraud risk
factors and the possible scenarios and schemes identifed in team discussions (see
Volume 2, Chapter 7), consider
the following:
Skilfulness of the potential perpetrator;
Relative size of individual amounts manipulated;
Level of authority of management or employee to:
Directly or indirectly manipulate accounting records, and
Override control procedures;
Frequency and extent of manipulation involved;
Possible degree of collusion;
Intentional misrepresentations being made to the auditor; and
Previous audit experience or concerns expressed by other persons.
Significant fraud risks may be identified at any stage in the audit as a result of new
information being obtained.
10.3 Identifying Significant Risks
If the risks of material misstatement have already been identified and assessed, all that is required is to
review the findings and then select (based on the use of professional judgment) those risks that are indeed
significant. For example, if the assessment of risks was charted as illustrated below (the stars represent
assessed risks), it would be the two risks falling within the shaded area (risks with high magnitude and high
likelihood) that would first be considered as significant risks.
Exhibit 10.3-1
[Chart: assessed risks plotted by Likelihood of Risk Occurring (horizontal axis) against Impact (magnitude) of Risk (vertical axis), in four quadrants: High Impact/Low Likelihood, High Impact/High Likelihood, Low Impact/Low Likelihood, Low Impact/High Likelihood. Star = Identified Risk Factor.]
When considering whether significant risks exist, the auditor would consider the matters set out below.
Considerations
Factors That May Indicate Possible Significant Risks
Risk of fraud.
Risks related to recent significant economic, accounting, or other developments, and
therefore require specific attention.
Complexity of transactions.
Significant transactions with related parties.
The degree of subjectivity in the measurement of financial information related to the
risk, especially those involving a wide range of measurement uncertainty.
Significant transactions that are outside the normal course of business for the entity
or that otherwise appear to be unusual.
In smaller entities, significant risks often relate to the matters outlined in the exhibit below.
Exhibit 10.3-2
Subject Matter/Information Characteristics
Significant Non-Routine Transactions
High inherent risk (likelihood and impact).
Transactions that occur infrequently and are not subject to systematic processing.
Unusual due to their size or nature (such as the acquisition of another entity).
Require management intervention:
To specify accounting treatment, and
For data collection and processing.
Involve complex calculations or accounting principles.
Nature of transactions makes it difficult for entity to implement effective
internal control over the risks.
Significant Judgmental Matters
High inherent risk.
Involve significant measurement uncertainty (such as the development of
accounting estimates).
Accounting principles involved may be subject to differing interpretation (such
as preparation of accounting estimates or application of revenue recognition).
The required judgment by management may be subjective, complex, or require
assumptions about the effects of future events (such as judgments about fair
value, valuation of inventory subject to rapid obsolescence, etc.).
Significant Transactional Risks
There may be a small number of transactional risks relating to the major
business processes (such as goods being shipped but not invoiced in a sales
process) that would result in a material misstatement in the financial statements
if not mitigated. Where these risks require special audit consideration, they
would be regarded as significant risks. If there were no internal controls in place
to mitigate such risks, they would also be reported to management as being a
significant deficiency.
Fraud
Revenue recognition. This is a presumed significant risk.
Management override or bias in estimates, etc.
Major related party transactions used to increase sales or purchases.
Collusion with suppliers or customers such as price or bid rigging.
Unrecorded or fictitious transactions.
10.4 Responding to Significant Risks
When a risk is classified as being significant, the auditor should respond as outlined below.
Exhibit 10.4-1
Audit Steps Description
Evaluate Internal Control Design & Implementation Over Each Significant Risk
Has management designed and implemented internal control that mitigates the
significant risks? Consider the existence of direct controls such as control activities
and indirect (pervasive) controls which may be included in the control environment,
risk assessment, information systems, and monitoring elements. This information will
be helpful in developing an effective audit response to the identified risks.
Where significant non-routine or judgmental matters are not subject to routine
internal control (such as a one-off or an annual event), the auditor would evaluate
management's awareness of the risks and the appropriateness of its response. For
example, if the entity purchased the assets of another business, the entity's response
might include:
Hiring an independent valuator for the acquired assets;
Applying appropriate accounting principles; and
Proper disclosure of the transaction in the financial statements.
Where the auditor determines that management has not appropriately responded
(by implementing internal control over significant risks), a significant deficiency
would exist in the entity's internal control, which would be communicated (as soon as
possible) to those charged with governance.
Design an Audit Response to the Identified Significant Risks
Do the planned further audit procedures specifically address the significant risk?
These procedures would be designed to obtain audit evidence with high reliability,
and could include tests of controls and substantive procedures.
In many cases, the audit procedures may simply be an extension of procedures
that would be performed in any event. For example, if the significant risk related to
potential management bias, such as in the preparation of an estimate, the extended
substantive procedures would include:
Assessing the validity of the assumptions used;
Identifying the sources and reliability of the information used (both external
and internal);
Considering the existence of any bias in the prior period's estimates as
compared to actual facts; and
Reviewing the methods used (including formulas in electronic spreadsheets) in
the estimate calculation.
No Reliance Can Be Placed on Evidence Obtained in Previous Periods
Where a test of operating effectiveness is planned for a control that mitigates a
significant risk, the auditor may not rely on audit evidence about the operating
effectiveness of internal control obtained in prior audits.
Substantive Analytical Procedures Alone Are Not Sufficient
The use of substantive analytical procedures by themselves is not considered an
appropriate response to address a significant risk. When the approach to significant
risks consists only of substantive procedures, the audit procedures can consist of:
Tests of details alone; or
A combination of tests of details and substantive analytical procedures.
10.5 Documenting Significant Risks
The identification of significant risks and the proposed audit response would be documented. If all risks are
documented in a single location, the documentation of significant risks may simply be an extension of the
information already documented.
Note: If the auditor concludes that revenue recognition is not a significant risk of material misstatement due
to fraud, the reasons for that conclusion are to be included in the audit documentation.
10.6 Case Studies - Significant Risks
For details of the case studies, refer to Volume 2, Chapter 2 - Introduction to the Case Studies.
Significant risks can be identified from the listing of risk factors and their assessment. See the forms contained
in the case studies discussion in Volume 2, Chapters 8 and 9. Such a form can also be used to cross-reference
each significant risk to the related detailed audit plan.
For each significant risk identified, management's response should be documented and appropriate audit
procedures developed that respond to the specific risk.
Case Study A - Dephta Furniture, Inc.
(Excerpt)
Columns: Significant Risk / Management's Response / Audit Response / WP Reference
WP Reference: (Not included)
Significant Risk: Possible violation of terms of their bank's financing?
Management's Response:
Preparation and monitoring of cash-flow forecasts.
Renegotiate amount and terms of financing.
Audit Response:
Look at the company's growth plans and whether the forecasted cash flows are realistic.
Review and compare actual results and cash flows.
Ensure that the valuations of receivables and inventory (the security for the loans) are reasonable.
Review the company's refinancing submission to the bank.
Review any response/correspondence from the bank.
Significant Risk: Financial statement manipulation could occur to avoid the bank covenants being violated.
Management's Response:
None. Management does not see this as a risk at all.
Audit Response:
Carefully review the assumptions used in the cash-flow forecasts and the basis on which actual cash-flow reports are prepared.
Ensure that the basis for the valuations of receivables and inventory is valid and correct.
Carefully test the existence and accuracy of sales, as there is pressure to maintain and grow sales levels despite the challenging economic environment.
Significant Risk: Inconsistent revenue recognition (a presumed fraud risk).
Management's Response:
Sales contracts over 500 are reviewed by the sales manager.
Audit Response:
Review of major contracts (and a sample of smaller contracts) and discussion with sales manager to ensure that revenue was appropriately recognized in the period.
Significant Risk: Unauthorized journal entries.
Management's Response:
Management has agreed to put policy in place requiring approval of all journal entries, but it has not yet been implemented.
Audit Response:
Identify and review all journal entries over 1,500 and all entries in the month before and after the period end.
Significant Risk: Significant expansion in the use of related party transactions.
Management's Response:
Policy is that all related party transactions are identified as such and conducted at the normal terms of sale. This includes any corporate assets or services provided for personal use by management or employees.
Audit Response:
Review employees' understanding of the policy through inquiry and inspection.
Seek to ensure that all related party transactions have been identified and that the transactions, terms of sale, nature of transaction, and the dates are indeed appropriate.
Prepared by: FJ Date: December 9, 20X2
Reviewed by: LF Date: January 5, 20X3
Case Study B - Kumar & Co.
Memo to File: Kumar & Co.
Identification of Significant Risks
The following significant risk areas, including management's response and the audit response, are
identified below.
Downturn in economy
The company has not suffered too badly in the downturn. However, Raj should periodically review
bank covenant calculations, but he has not been attentive to this in the current period under audit. We
will recalculate all ratios to see status against covenants. We will also perform more audit procedures
for audit areas that are input into the calculation. The risk is heightened the closer the company is to
violation, due to possibility of financial statement manipulation.
Tax minimization
There are no management controls that specifically address this issue. The response to this risk will be to
carefully review management's estimates and journal entries (see below).
Unauthorized Journal Entries
Raj should authorize all journal entries, but this has not been happening consistently. We will identify
and review all journal entries over 500 and all entries in the month before and after period end.
Related Party Transactions
Company policy is that all related party transactions are identified as such and conducted at the
normal terms of sale. We will review Raj's and Ruby's understanding of the policy through inquiry and
inspection. We will ensure that for all related party transactions, the terms of sale, nature of transactions,
and the dates are indeed appropriate. We will also remain alert throughout the audit for transactions
outside the normal course of business, and that all related party transactions have in fact been
identified.
Revenue recognition
Revenue recognition policies on sales are fairly straightforward and the majority of sales made by
Kumar are to Dephta Furniture, Inc. The audit work performed on cutoff and related party transactions
addressed any potential for fraud through inappropriate revenue recognition.
Prepared by: FJ Date: December 9, 20X2
Reviewed by: LF Date: January 5, 20X3
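The journal-entry audit response in both case studies (review all entries over a threshold, plus all entries in the month before and after the period end) can be run as a repeatable selection over a ledger export. The Python below is an added example, not part of the IFAC guide; the record layout, the sample entries, the 20X2 period end rendered as 2022-12-31, and the reading of "month before and after" as one calendar month either side of the period end are assumptions.

```python
"""Select journal entries for auditor review (added example, not from the guide)."""
import calendar
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class JournalEntry:
    # Hypothetical record layout; a real ledger export will differ.
    entry_id: str
    posted: date
    amount: Decimal
    approved_by: Optional[str]  # None when no approval is recorded


def shift_months(d: date, months: int) -> date:
    """Move a date by whole calendar months, clamping to the month's last day."""
    index = d.year * 12 + (d.month - 1) + months
    year, month0 = divmod(index, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))


def select_for_review(
    entries: List[JournalEntry], period_end: date, threshold: Decimal
) -> List[Tuple[str, List[str]]]:
    """Return (entry_id, reasons) for every entry the audit response covers.

    Selection criteria taken from the case studies:
      * amount over the threshold (1,500 for Dephta, 500 for Kumar), or
      * posted in the month before or after the period end.
    A missing approval is noted on selected entries but, by assumption here,
    does not select an entry on its own.
    """
    window_start = shift_months(period_end, -1)  # exclusive bound
    window_end = shift_months(period_end, 1)     # inclusive bound
    selected = []
    for e in entries:
        reasons = []
        if abs(e.amount) > threshold:  # credits and debits treated alike
            reasons.append("over threshold")
        if window_start < e.posted <= window_end:
            reasons.append("near period end")
        if reasons:
            if not e.approved_by:
                reasons.append("no approval recorded")
            selected.append((e.entry_id, reasons))
    return selected


# Constructed sample ledger; none of these entries come from the guide.
PERIOD_END = date(2022, 12, 31)
SAMPLE = [
    JournalEntry("JE-001", date(2022, 3, 15), Decimal("200.00"), "RK"),
    JournalEntry("JE-002", date(2022, 6, 2), Decimal("1500.00"), None),
    JournalEntry("JE-003", date(2022, 7, 20), Decimal("2400.00"), "RK"),
    JournalEntry("JE-004", date(2022, 12, 5), Decimal("120.00"), None),
    JournalEntry("JE-005", date(2023, 1, 31), Decimal("90.00"), "RK"),
    JournalEntry("JE-006", date(2022, 11, 30), Decimal("300.00"), "RK"),
    JournalEntry("JE-007", date(2023, 2, 1), Decimal("-5000.00"), None),
]

if __name__ == "__main__":
    for limit in (Decimal("1500"), Decimal("500")):
        print(f"Threshold {limit}:")
        for entry_id, reasons in select_for_review(SAMPLE, PERIOD_END, limit):
            print(f"  {entry_id}: {', '.join(reasons)}")
```

An entry exactly at the threshold (JE-002 against 1,500) is not selected, because both case studies say "over"; whether the boundary amount belongs in the population is a judgment to settle before running the test.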
11. Understanding Internal Control
Chapter Content: Guidance on the steps involved in understanding internal control
relevant to the audit:
Evaluating control design and implementation; and
Documentation using two possible approaches.
Relevant ISAs: 315
Exhibit 11.0-1
[Figure: the Risk Assessment phase of the audit, set out as Activity / Purpose / Documentation (note 1).]
Activity: Perform preliminary engagement activities. Purpose: Decide whether to accept engagement. Documentation: Listing of risk factors; Independence; Engagement letter.
Activity: Plan the audit. Purpose: Develop an overall audit strategy and audit plan (note 2). Documentation: Materiality; Audit team discussions; Overall audit strategy.
Activity: Perform risk assessment procedures. Purpose: Identify/assess RMM (note 3) through understanding the entity. Documentation: Business & fraud risks including significant risks; Design/implementation of relevant internal controls; Assessed RMM (note 3) at F/S level and assertion level.
Notes:
1. Refer to ISA 230 for a more complete list of documentation required.
2. Planning (ISA 300) is a continual and iterative process throughout the audit.
3. RMM = Risks of material misstatement.
Paragraph # Relevant Extracts from ISAs
315.4 For purposes of the ISAs, the following terms have the meanings attributed below:
(a) Assertions - Representations by management, explicit or otherwise, that are embodied in
the financial statements, as used by the auditor to consider the different types of potential
misstatements that may occur.
(b) Business risk - A risk resulting from significant conditions, events, circumstances, actions
or inactions that could adversely affect an entity's ability to achieve its objectives and
execute its strategies, or from the setting of inappropriate objectives and strategies.
(c) Internal control - The process designed, implemented and maintained by those charged
with governance, management and other personnel to provide reasonable assurance
about the achievement of an entity's objectives with regard to reliability of financial
reporting, effectiveness and efficiency of operations, and compliance with applicable
laws and regulations. The term "controls" refers to any aspects of one or more of the
components of internal control.
315.12 The auditor shall obtain an understanding of internal control relevant to the audit. Although
most controls relevant to the audit are likely to relate to financial reporting, not all controls that
relate to financial reporting are relevant to the audit. It is a matter of the auditor's professional
judgment whether a control, individually or in combination with others, is relevant to the
audit. (Ref: Para. A42-A65)
315.14 The auditor shall obtain an understanding of the control environment. As part of obtaining this
understanding, the auditor shall evaluate whether:
(a) Management, with the oversight of those charged with governance, has created and
maintained a culture of honesty and ethical behavior; and
(b) The strengths in the control environment elements collectively provide an appropriate
foundation for the other components of internal control, and whether those other
components are not undermined by deficiencies in the control environment. (Ref: Para.
A69-A78)
315.15 The auditor shall obtain an understanding of whether the entity has a process for:
(a) Identifying business risks relevant to financial reporting objectives;
(b) Estimating the significance of the risks;
(c) Assessing the likelihood of their occurrence; and
(d) Deciding about actions to address those risks. (Ref: Para. A79)
315.18 The auditor shall obtain an understanding of the information system, including the related
business processes, relevant to financial reporting, including the following areas:
(a) The classes of transactions in the entity's operations that are significant to the financial
statements;
(b) The procedures, within both information technology (IT) and manual systems, by which
those transactions are initiated, recorded, processed, corrected as necessary, transferred to
the general ledger and reported in the financial statements;
(c) The related accounting records, supporting information and specific accounts in the
financial statements that are used to initiate, record, process and report transactions; this
includes the correction of incorrect information and how information is transferred to the
general ledger. The records may be in either manual or electronic form;
(d) How the information system captures events and conditions, other than transactions, that
are significant to the financial statements;
(e) The financial reporting process used to prepare the entity's financial statements, including
significant accounting estimates and disclosures; and
(f) Controls surrounding journal entries, including non-standard journal entries used to
record non-recurring, unusual transactions or adjustments. (Ref: Para. A81-A85)
315.19 The auditor shall obtain an understanding of how the entity communicates financial reporting
roles and responsibilities and significant matters relating to financial reporting, including: (Ref:
Para. A86-A87)
(a) Communications between management and those charged with governance; and
(b) External communications, such as those with regulatory authorities.
315.20 The auditor shall obtain an understanding of control activities relevant to the audit, being
those the auditor judges it necessary to understand in order to assess the risks of material
misstatement at the assertion level and design further audit procedures responsive to assessed
risks. An audit does not require an understanding of all the control activities related to each
significant class of transactions, account balance, and disclosure in the financial statements or
to every assertion relevant to them. (Ref: Para. A88-A94)
315.21 In understanding the entity's control activities, the auditor shall obtain an understanding of
how the entity has responded to risks arising from IT. (Ref: Para. A95-A97)
315.22 The auditor shall obtain an understanding of the major activities that the entity uses to
monitor internal control over financial reporting, including those related to those control
activities relevant to the audit, and how the entity initiates remedial actions to deficiencies in
its controls. (Ref: Para. A98-A100)
11.1 Overview
This chapter addresses the scope of work required to understand internal control relevant to the audit. Volume 1,
Chapter 5 addresses the nature of internal control and provides a detailed description of the five components of
internal control. Volume 2, Chapter 12 outlines a four-step approach to internal control evaluation.
Internal control refers to the processes, policies, and procedures designed by management to ensure reliable
financial reporting and the preparation of financial statements in accordance with the applicable accounting
framework. Internal control addresses such matters as management's attitude toward control, competence
of key people, risk assessment, accounting, and other financial information systems in use, as well as the
traditional control activities.
The auditor is required to obtain an understanding of internal control on all audit engagements. This applies
to any size of entity, even where the auditor has already decided that an entirely substantive approach would
be the appropriate response to the risks of material misstatement.
Obtaining a sufficient understanding of internal control (relevant to the audit) involves the performance of risk
assessment procedures to identify the controls that will directly or indirectly mitigate material misstatements.
The information obtained will assist the auditor in:
Assessing the residual risk (inherent and control risk) of material misstatement at the financial statement
and assertion levels; and
Designing further audit procedures that are responsive to the assessed risks.
However, not all control activities are relevant to the audit and therefore do not require understanding.
The auditor is only concerned with evaluating those controls that mitigate a risk of a material misstatement
(caused by fraud or error) in the financial statements. Control activities that are not relevant can be scoped out
of the audit altogether.
11.2 Risk and Control
The relationship between risk and control can be illustrated as follows.
Exhibit 11.2-1
[Diagram: risk exposure on a scale from Low to High. Inherent Risk: events that could lead to misstatements in the F/S. Control Risk: controls designed to mitigate misstatements. Risk of material misstatement. Entity Objective: to prepare financial statements free from error and fraud.]
Inherent business and fraud risks are identified during the risk identification and risk assessment phase.
Management mitigates such risks by designing and implementing internal controls and procedures that will
reduce such risks to an acceptably low level. The amount of risk left over, after internal controls have been
designed and implemented, is the risk of material misstatement (sometimes referred to as residual risk).
Ideally, management would design sufficient controls to ensure that the residual risk is reduced to an
acceptably low level for both internal management purposes and for the external audit. In practice, some
managers will tend to have a high tolerance for risk (i.e., fewer controls are in place, resulting in a higher residual
risk), and some managers (often in the public sector) will tend to be conservative and design controls to
reduce risk to almost nothing.
CONSIDER POINT
The sole purpose of a control is to mitigate risk. A control without a risk to mitigate is obviously
redundant. So, a risk has to exist before it can be mitigated by a management control. However, some
auditors ignore this fact. They start their evaluation of internal control by documenting the system
and controls that exist before taking the time to identify what risks actually require mitigation. This
approach can result in a lot of unnecessary work in documenting processes and controls, which may
later prove to be totally irrelevant to the audit objectives.
11.3 Pervasive and Specific Internal Controls
Internal controls can be broadly categorized as pervasive (or entity-level) controls that address pervasive risks,
and specific (transactional) controls that address specific risks. The differences between these controls are
illustrated below.
Exhibit 11.3-1
[Diagram: the entity's objectives and the financial statements & assertions, set against inherent risks and controls at two levels. Pervasive (entity-level): Governance, Leadership/Management, Information Systems. Specific: Revenue Processes, Purchasing Processes, Payroll Processes, Other Processes, Transactions.]
Exhibit 11.3-2
Description
Pervasive (Entity-Level) Controls
Pervasive (entity-level) controls address governance and general management,
and serve to establish the overall control environment or tone at the top. Typical
control processes include human resources, fraud, risk assessment (management
override), general IT management, preparation of financial information (including
financial statements and underlying estimates, etc.), and the ongoing monitoring
of operations. In small entities, these controls will refer primarily to management's
attitudes toward integrity and control.
A solid understanding of the pervasive elements of internal control provides an
important foundation for assessing relevant controls over financial reporting at the
transactional (business process) level. For example, if there are poor controls over
data integrity at the entity level, this will impact the reliability of all information
produced by systems such as sales, purchases, and payroll.
Specific (Transactional) Controls
Transactional (business process) controls are specific processes/controls that are
designed to ensure that:
Transactions are appropriately recorded for the preparation of financial
statements;
Accounting records are maintained in reasonable detail to accurately and fairly
reflect all the transactions and dispositions of assets;
Receipts and expenditures are made only in accordance with the authorizations
of management; and
Unauthorized acquisition, use, or disposition of assets would be prevented or
detected on a timely basis.
Transactional control processes include routine transactions (such as revenues,
purchases, and payroll) and non-routine transactions (such as purchasing equipment
or the costs involved in starting a new line of business).
11.4 The Five Internal Control Components
The various types of internal control that exist within an entity have been divided into five key components,
as illustrated below.
Each of these components is to be addressed by the auditor as:
Part of the understanding of the internal control (over financial reporting); and
Information for considering how the different aspects of internal control may affect the audit.
Exhibit 11.4-1
[Diagram: the five internal control components (Control Environment, Risk Assessment, Information System, Control Activities, Monitoring) arranged around Financial Reporting Objectives.]
The interrelationships of the five components between the pervasive (entity-level) controls and the specific
transactional (business process) controls are illustrated below.
Exhibit 11.4-2
[Diagram: the five components (Control Environment, Risk Assessment, Information System, Control Activities, Monitoring) shown across Pervasive Controls and Specific Controls. Panel labels: Entity-Level Controls; General IT controls; Transactional (business process) Controls; IT application controls; Significant F/S Accounts & Disclosures; Transactions. Callout: "Includes controls over: Fraud (management override); Centralized processing; Period-end financial reporting process."]
Pervasive entity-level controls collectively provide the appropriate foundation for all the other components
of internal control, because poor entity-level controls can render even the best business process controls
ineffective. For example, an entity may have an effective purchasing system, but if the bookkeeper/accountant
is incompetent (i.e., it is a poor control environment), a wide variety of errors could occur and
possibly result in a material misstatement in the financial statements. Management override and poor tone at
the top (that primarily occur at the entity level) are common themes in bad corporate behavior.
CONSIDER POINT
How an entity actually designs and implements its internal control will vary with an entity's size and
complexity. In smaller entities, the owner-manager may perform functions that address several of the
components of internal control.
11.5 Internal Control in Smaller Entities
In smaller entities, there are often few employees, which may limit the extent to which:
Segregation of duties is practicable; and
An appropriate paper trail of documentation is available.
Internal control in such entities often derives from the control environment (management's commitment
to ethical values, competence, attitude toward control, and its day-to-day actions) as opposed to specific
controls over transactions. Evaluating the control environment is quite different from traditional control
activities, as it involves an assessment of the behavior, attitudes, competence, and actions of management.
Such assessments are often documented in a memo or with a questionnaire.
The presence of a highly involved owner-manager is often an internal control strength and a control weakness.
The control strength is that the person (assuming his/her competence) will be knowledgeable about all aspects
of operations, and it is highly unlikely that material misstatements will be missed. The control weakness is the
opportunity provided for that person to override the internal control for his/her own benefit.
CONSIDER POINT
Identify the pervasive (entity-level) controls
In the audit of small entities, there is a temptation to assume that internal control is nonexistent, and
therefore, not worth understanding. However, any entity that wants to continue operating will have
some form of internal control. For example, what business manager does not care whether the cash
receipts are deposited in the bank, or that goods shipped are invoiced?
Consider how the pervasive (entity-level) controls could be evidenced
In cases where the owner-manager or equivalent approves transactions and carefully reviews
financial results, the control can have the effect of preventing or detecting misstatements occurring
at the assertion level. If reliance on such a control would reduce the need for other substantive
procedures, consider whether such controls could be evidenced, such as by a signature on a report or
a reconciliation to indicate review or approval. Such evidence could then be used to test the operating
effectiveness of the control.
11.6 Absence of Internal Control
In virtually all entities, there is some form of internal control, such as the competence of the owner-manager
(control environment). It may be informal and unsophisticated, but it is still internal control. An entity
that does not mitigate any of the major risks it faces (through control components such as the control
environment, risk assessment, information systems, control activities, or monitoring) is unlikely to stay in
business for long.
Where there are not many control activities that can be identified, the auditor would consider whether:
It is possible to address the relevant assertions by performing further audit procedures that are primarily
substantive procedures; or
The absence of control activities or of other components of control (in rare cases) makes it impossible to
obtain sufficient appropriate audit evidence.
Other matters that would raise questions as to whether the audit should be conducted would include:
Concerns about management's integrity, non-ethical behavior, or a poor attitude toward internal
control. Deficiencies in the control environment tend to undermine controls that exist in other control
components. It also raises the risk of management misrepresentation and fraud; and
Concerns about the condition and reliability of an entity's records that make it unlikely that sufficient
appropriate audit evidence will be available to support an unqualified opinion.
If these or similar concerns are present, the auditor should consider the need to modify the auditor's report or
withdraw from the engagement altogether.
If withdrawal is chosen, the auditor would consider his/her professional and legal responsibilities, including
any requirement to report to the persons who made the audit appointment and to regulatory authorities. The
auditor would also discuss the withdrawal and the reasons with the appropriate level of management and
those charged with governance.
11.7 Controls to Prevent Fraud (Anti-Fraud Controls)
Management override can often be mitigated or slowed down in small entities by establishing and then
documenting key policies and procedures. For example, a written policy that says all non-routine journal
entries require approval would empower the bookkeeper to ask the manager to approve proposed journal
entries. It would not prevent management override from occurring, but would act as a deterrent. If anti-fraud
policies and procedures are not in operation, the risk of management override will need to be addressed by
the auditor through performing other audit procedures.
Note: Controls that address compliance with regulations that are not relevant to the audit (where
non-compliance would not result in a material misstatement in the financial statements) do not need to be
addressed in the audit.
11.8 Internal Controls Relevant to the Audit (the scope of understanding)
Not all controls are relevant to the audit and require understanding. The auditor is only concerned with
understanding and evaluating those controls that would mitigate a risk of a material misstatement (due to
fraud or error) in the financial statements. This means that certain types of controls can be scoped out of the
audit altogether, as illustrated in the following exhibit. These are controls that:
• Do not drive financial reporting (such as operational controls and controls that address compliance with regulations); and
• Even if non-existent, would be unlikely to result in a material misstatement in the financial statements.
Exhibit 11.8-1
[Figure: entity-level controls and general IT controls shown above four columns of application/transactional (business process) controls. Panel labels: "Financial Reporting (significant F/S accounts & disclosures)", "Operational and compliance objectives", "Controls relevant to the audit", "Controls NOT relevant to the audit".]
In some cases, there may be some overlap between financial controls and controls relating to operations
and compliance objectives. Examples include controls that pertain to data the auditor evaluates or uses in
applying other audit procedures such as:
• Data required for analytical procedures (e.g., production statistics);
• Controls that detect non-compliance with laws and regulations;
• Safeguarding of asset controls that pertain to financial reporting; and
• Controls over the completeness and accuracy of information produced that may form the basis for calculating key performance measures.
Controls that would always be relevant to the audit include those that mitigate the following risks.
Exhibit 11.8-2
Significant Risks: Significant risks are identified and assessed risks of material misstatement that, in the auditor's judgment, require special audit consideration.
Risks That Cannot Easily Be Addressed by Substantive Procedures: These are identified and assessed risks of material misstatement for which substantive procedures alone would not provide sufficient appropriate audit evidence.
Other Risks of Material Misstatement: These are identified and assessed risks of material misstatement that, in the judgment of the auditor, could potentially result in material misstatements occurring.
The auditor's judgment about whether a particular control is relevant to the audit is influenced by:
• Knowledge about the presence/absence of controls identified in other components of internal control. If a particular risk has already been addressed (such as by the control environment, information system, etc.), there is no need to identify any additional controls that may exist;
• The existence of multiple control activities that achieve the same objective. It is unnecessary to obtain an understanding of each of the control activities related to such objective;
• The need to test the operating effectiveness of certain key controls. For example, if there is not a practical way to test sales completeness (i.e., by performing substantive procedures), a test of the operating effectiveness of controls would be required; and
• The impact that testing the operating effectiveness of controls would have on the extent (i.e., the reduction) of substantive testing required.
Professional judgment is required to determine whether an internal control, individually or in combination
with others, is in fact relevant.
CONSIDER POINT
Top-down and risk-based
The auditor's approach to understanding internal control should be from the top down. The first step is
to identify the relevant entity-level and transactional risks, and then determine whether management's
response is appropriate.
A solid understanding of entity-level controls provides an important basis for assessing relevant controls
over financial reporting at the transactional (business process) level. For example, if there are poor
controls over data integrity at the entity level, this will impact the reliability of all information produced
by systems such as sales, purchases, and payroll.
Example
The top-down and risk-based approach to understanding internal control involves:
• Identifying the business processes involved (including accounting) for each significant account balance;
• Determining for each process identified whether a material misstatement in the financial statements could possibly occur, or whether other factors exist that would make it relevant; and
• Scoping out of the audit those processes and controls that are not relevant.
For example, a biscuit production company may have the following processes that drive the sales
revenue figure:
• The main sales order system captures details and the progress of each order received by telephone. This accounts for 70% of sales.
• Window sales occur when customers buy broken biscuits from a small shop at the back of the production facility. These account for 2% of sales.
• Internet sales: orders are placed online and paid by credit card; these account for 28% of sales.
• The accounting system captures details of all types of sales.
In this situation, the window sales are unlikely to result in a material misstatement in the financial
statements and may therefore be scoped out of the audit. However, before this decision is made, it
would still be prudent to either:
• Inquire about the existence of controls over the window sales to ensure that all such sales are recorded, and that there is no deliberate breaking of biscuits for sale at reduced prices to related parties; or
• Perform an analytical review of the breakdown of sales to ensure that window sales have not deviated from the expected 2% of sales.
11.9 Case Studies - Identifying Relevant Controls
For details of the case studies, refer to Volume 2, Chapter 2 - Introduction to the Case Studies.
Since not all business processes and controls are relevant to the audit, it is important to understand which
financial statement areas and controls could have a material impact on the financial statements.
Determining which financial statement areas and related business processes are in scope involves using
overall materiality as a guide to identify:
• What financial statement areas are, or could be, material; and
• What entity-level controls and business processes are relevant.
Immaterial balances, transactions, business processes, and controls where no material misstatements are likely
to result can be scoped out of any further consideration in the audit. However, before scoping an area out,
consider:
• The possible accumulation of immaterial misstatements that could, in the aggregate, add up to a material misstatement; and
• Whether the financial statement area is understated due to fraud or error.
Case Study A - Dephta Furniture, Inc.
Financial Statement Level
Pervasive Risks Identified | Identify any Processes That Mitigate the Risks
Entity-level and general IT controls | Annual business planning cycle, management/owner monthly meetings, including financial statement review, IT budgets, day-to-day involvement of management in operations
Cash and cash equivalent | Receivables, receipts process, investment of short-term (30 to 60-day) deposits at bank, bank reconciliations, and cash management
Trade and other receivables | Revenue, receivables, receipts process, valuation of overdue accounts, asset sales
Inventories | Purchases, payables, payments process, inventory management, stock taking, valuation of obsolete inventory
Property, plant, and equipment | Purchases, payables, payments process, calculation of amortization, capitalization of assets, asset sales
Bank indebtedness | Receivables, receipts process, bank reconciliation, and cash management
Trade and other payables | Purchases, payables, payroll, payments process, calculation or amortization, capitalization, or assets
Income tax payable | Income tax provision preparation
Interest-bearing loan | Finance charges, bank reconciliation process
Capital and reserves | Issuance/redemption of capital, dividends
Sales | Revenue, receivables, receipts process (including cash scrap sale, Internet sales, catalog, and custom sales orders)
Cost of goods sold | Purchases, payables, payroll, payments process, inventory adjustments
Distribution costs | Purchases, payables, payroll, payments
Administrative costs | Purchases, payables, payroll, payments
Depreciation | Depreciation and amortization calculations
Finance cost | Finance charges, bank reconciliation process
Income taxes | Income tax provision preparation
Prepared by: FJ Date: February 18, 20X3
Reviewed by: LF Date: March 5, 20X3
Case Study B - Kumar & Co.
Memo to File: Scoping material financial statement areas (FSAs) and processes
Entity Level and General IT
Raj prepares an annual budget each period for the bank.
Raj communicates with the bank manager quarterly when the financial statements are sent to the bank.
Raj usually reviews these with Suraj and Jawad since Dephta is a shareholder, but also because Raj
appreciates their input and Jawad's accounting and financial knowledge.
There is no formal IT structure or process. Raj decides what software and hardware to replace on an
as-needed basis. Although Raj ensures that Ruby backs up the accounting data weekly, there is no disaster
recovery plan or documented IT process.
Material financial statement areas
With the exception of cash and cash equivalents, which seem to fluctuate from period to period, all FSAs
on the financial statements are material and in scope. Therefore, the following business processes will
need to be examined as part of our audit:
Business Process | Material Financial Statement Areas Affected
Receivables/receipts | Revenue, trade receivables & other, cash and cash equivalents
Valuation of overdue accounts receivable | Trade receivables & bad debt expense
Sales process (cash sales, sales orders) | Revenue
Purchases, payables, payments | Trade payables & other, property, plant and equipment, inventories, income statement expense categories
Payroll | Payroll expenses
Taxes payable and remittances | Income, payroll, and sales taxes
Inventory valuation and management | Purchases and inventories
Bank account reconciliations | Cash and cash equivalents, interest-bearing loan, interest expense
Calculation of depreciation and amortization | Property, plant, and equipment, and depreciation/amortization expense
Prepared by: FJ Date: February 18, 20X3
Reviewed by: LF Date: March 5, 20X3
12. Evaluating Internal Control
Chapter Content: Guidance on the four key steps involved in evaluating control design and implementation, and on documenting the results.
Relevant ISA: 315
Exhibit 12.0-1
Risk Assessment
Activity | Purpose | Documentation [1]
Perform preliminary engagement activities | Decide whether to accept engagement | Listing of risk factors; Independence; Engagement letter
Plan the audit | Develop an overall audit strategy and audit plan [2] | Materiality; Audit team discussions; Overall audit strategy
Perform risk assessment procedures | Identify/assess RMM [3] through understanding the entity | Business & fraud risks including significant risks; Design/implementation of relevant internal controls; Assessed RMM [3] at F/S level and assertion level
Notes:
1. Refer to ISA 230 for a more complete list of documentation required.
2. Planning (ISA 300) is a continual and iterative process throughout the audit.
3. RMM = Risks of material misstatement.
Paragraph # | Relevant Extracts from ISAs
315.13 When obtaining an understanding of controls that are relevant to the audit, the auditor shall
evaluate the design of those controls and determine whether they have been implemented, by
performing procedures in addition to inquiry of the entity's personnel. (Ref: Para. A66-A68)
315.29 If the auditor has determined that a significant risk exists, the auditor shall obtain an understanding
of the entity's controls, including control activities, relevant to that risk. (Ref: Para. A124-A126)
315.32 The auditor shall include in the audit documentation:
(a) The discussion among the engagement team where required by paragraph 10, and the
significant decisions reached;
(b) Key elements of the understanding obtained regarding each of the aspects of the
entity and its environment specified in paragraph 11 and of each of the internal control
components specified in paragraphs 14-24; the sources of information from which the
understanding was obtained; and the risk assessment procedures performed;
(c) The identified and assessed risks of material misstatement at the financial statement level
and at the assertion level as required by paragraph 25; and
(d) The risks identified, and related controls about which the auditor has obtained an
understanding, as a result of the requirements in paragraphs 27-30. (Ref: Para. A131-A134)
12.1 Overview
Regardless of whether tests of controls will ultimately be performed to gather audit evidence, it is still
necessary for the auditor on every engagement to evaluate control design and implementation. This involves
a four-step process, which can be summarized as follows.
Exhibit 12.1-1
Step 1 - What Risks Require Mitigation?
Identify the inherent risks of material misstatement (business and fraud risks), and
whether they are pervasive risks affecting all assertions, or specific risks that affect
particular financial statement areas and assertions.
Step 2 - Do the Controls Designed by Management Mitigate the Risk?
• Identify what business processes are in place (if any).
• Interview entity personnel to identify what controls mitigate the risks identified in Step 1 above.
• Review results and assess whether the controls do in fact mitigate the risks.
• Communicate any significant deficiencies identified in the entity's internal control to management and those charged with governance.
In larger entities, this step may require reference to or preparation of some system
documentation (see Step 3 below) to provide some context regarding the operation
of certain controls.
Step 3 - Are the Controls That Mitigate the Risk Factors in Operation?
Observe or inspect the operation of relevant internal controls to ensure that they
have indeed been implemented. Note that inquiry of management is not sufficient to
evaluate whether a relevant control has in fact been implemented.
This step can often be combined with Step 2 above.
Step 4 - Has the Operation of Relevant Controls Been Documented?
This step can consist of a simple narrative description of the major processes
(prepared by the entity's management or auditor), describing the operation of the
relevant internal controls identified.
This documentation does not have to include:
• A detailed description of the business process or the way paper flows through the entity; or
• Internal controls that may exist but are not relevant to the audit.
Exhibit 12.1-2
Note: Regardless of how well a control is designed and implemented, it can only provide reasonable
assurance about the achievement of an entity's objectives with regard to reliability of financial
reporting due to certain inherent limitations. These are described below.
Exhibit 12.1-3
Internal Control Limitations:
• Human judgments and simple human failures such as errors or mistakes.
• Circumvention of internal control by the collusion of two or more people.
• Inappropriate management override of internal control, such as revising the terms of a sales contract or overriding a customer's credit limit.
Volume 2, Chapter 11 addresses the understanding of internal control required. Volume 1, Chapter 5
addresses the nature of internal control and provides a detailed description of the five components of internal
control.
12.2 Step 1 - What Risks Require Mitigation?
Exhibit 12.2-1
[Figure: "Identify what risks require mitigation" (a risk assessment procedure): What risks exist (pervasive or specific) that, if not mitigated by controls, could cause a material misstatement to occur?]
Before the auditor begins to document the controls that may exist, the first step is to identify and then assess
the significant and other risk factors that are present. Otherwise, the internal control evaluation will take place
without an understanding of what risks need to be mitigated by internal control.
The identification of risks has been addressed in Volume 2, Chapter 8. Risks requiring mitigation can be
pervasive, relating to many financial statement areas and assertions, or specific, relating to particular financial
statement areas and assertions.
The following exhibit summarizes some typical sources of risk and the types of control that could mitigate
such risks.
Exhibit 12.2-2
What can go wrong?
• Unreliable financial reports (pervasive risks)
• Misstatements arising from financial statement preparation (pervasive risks)
• Transactions not processed or recorded accurately (specific risks)
Sources of risk
• External industry factors
• Nature of entity
• Accounting policies
• Objectives and goals
• Performance measures
• Fraud
• Identification/recording of authorized transactions
• Transaction classification
• Measurement, cut off
• Safeguarding of assets
• Accounting estimates
• Provisions
• Accounting policies
• Use of spreadsheet
• Non-routine transactions
• Journal entries, reconciliations
• Information necessary for financial statement disclosures
Mitigating controls
• Entity-level controls and processes
• General IT controls
• Transactional controls
• Entity-level controls
• General IT controls
• Transactional controls
• Transactional controls
• IT application controls
• Some specific entity-level controls
When a listing of risk factors by business process has been prepared, it would be useful (but not required) to:
• Eliminate any risk factor that would be unlikely to result in a material misstatement even if it was not mitigated at all. Controls that address such risks would not be relevant to the audit;
• Customize the wording of the risk factors to make it relevant for the particular entity;
• Ensure that all relevant assertions have been addressed; and
• Consider whether there are any additional risks (entity- and transactional-level) that could result in a material misstatement if not mitigated.
CONSIDER POINT
Some entities may use an internal control framework (such as that published by the Committee of
Sponsoring Organizations of the Treadway Commission (COSO)) that provides generic listings of internal
control objectives and internal control procedures. If such a tool is used in the audit, the same steps
outlined above would be followed:
• Remove the control objectives (or risk factors) that are unlikely to result in a material misstatement even if no internal control existed;
• Add any other additional control objectives (risk factors) that could result in a material misstatement for the entity if not mitigated; and
• Identify the financial statement areas and assertions affected by the risk factors.
12.3 Step 2 - Do the Controls Designed by Management Mitigate the Risk?
Exhibit 12.3-1
[Figure: "Assess control design": Identify/assess controls to mitigate risks; address each of the 5 control components; do significant control deficiencies exist?]
Evaluating whether a control has been designed properly by management involves an assessment of
whether the controls identified (individually or in combination with other controls) will actually mitigate the
risk factor. This involves considering whether the control(s) is capable of effectively:
• Preventing material misstatements from occurring in the first place; or
• Detecting and correcting material misstatements after they have occurred.
It is recommended that an evaluation of control design begin with the pervasive controls. These types of
controls form the all-important foundation for assessing the design and operation of specific (transactional)
controls.
At this point, some auditors (particularly when auditing larger and more complex entities) may find it helpful to
obtain some information, preferably prepared by the entity, that describes the business process, the way paper
flows through the entity, and where controls exist. However, this is not a specific requirement in the ISAs.
There are two common ways to match internal controls to the risk factors (or control objectives) that they are
designed to mitigate. For the purposes of this Guide, these approaches have been called:
• One-risk-to-many controls; and
• Many-risks-to-many controls.
One-Risk-to-Many Controls
Under this approach, each risk factor is considered by itself. All the controls that address that particular risk
factor are identified. This approach is particularly useful for mapping the pervasive (entity-level) risk factors to
controls. The approach is illustrated below.
Exhibit 12.3-2
Risk/Control Objective | Assertion | Mitigating Controls
1. Risk factor | C | 1. Control procedure A; 2. Control procedure B; 3. Control procedure C; 4. Control procedure D
2. Risk factor | EA | 1. Control procedure E; 2. Control procedure F; 3. Control procedure G; 4. Control procedure H
3. Risk factor | A | 1. Control procedure I; 2. Control procedure J; 3. Control procedure K; 4. Control procedure L
4. Risk factor | CA | 1. Control procedure M; 2. Control procedure N; 3. Control procedure O; 4. Control procedure P
This one-risk-to-many controls approach has often been used for mapping all types of control, including
transactional controls. However, because a single transactional control can often address more than one risk
(and therefore get repeated many times in this approach), the many-to-many matrix (see Exhibit 12.3-4) is
generally considered more effective for transactional controls.
The following example illustrates how the one-risk-to-many controls approach can work. An objective of the
control environment is the need for management, with the oversight of those charged with governance, to
create and maintain a culture of honesty and ethical behavior. This objective stated as a risk factor could mean
that management has not created or maintained a culture of honesty and ethical behavior.
Some of the controls that management may design and implement to address this pervasive risk could include:
• Management continually demonstrates, through words and actions, a commitment to high ethical standards;
• Management removes or reduces incentives or temptations that might cause personnel to engage in dishonest or unethical acts;
• A code of conduct or equivalent exists that sets out expected standards of ethical and moral behavior;
• Employees clearly understand what behavior is acceptable and unacceptable and know what to do when they encounter improper behavior; and
• Employees are always disciplined for improper behavior.
The auditor would first read the risk or control objective and then identify, possibly from a list such as that above,
what, if any, controls exist to mitigate the risk. The resulting documentation could take the following form.
Note: The column on control design outlines the steps the auditor could take to assess control design.
Exhibit 12.3-3
Internal Control (IC) Component | Risk Factor | Control Identified | Control Design
Control Environment | No emphasis on integrity or ethics | Code of conduct is signed by employees each year and enforced through staff discipline. | Have read the Code and it does emphasize need for integrity and ethics.
Control Environment | Incompetent employees could be hired | Required knowledge and skills specified for each employee position. | Reviewed the job specifications for key positions including accounting and they appear to be acceptable.
Risk Assessment | Management often surprised by predictable events | Business risks are identified and assessed each year as part of business planning. | Reviewed the business plan and risks have been identified, updated, and assessed.
Once the controls have been identified, the auditor would use professional judgment to conclude whether
the control design is sufficient to address the risk factor.
When forming a conclusion on the control environment, the auditor is required by ISA 315.14 to evaluate
whether:
• Management, with the oversight of those charged with governance, has created and maintained a culture of honesty and ethical behavior; and
• The strengths in the control environment elements collectively provide an appropriate foundation for the other components of internal control, and whether those other components are not undermined by deficiencies in the control environment.
This wording could be used as the overall conclusion by the auditor on all entity-level controls. Such a
conclusion will also have a major impact on the auditor's assessment of risk at the financial statement level.
Many-Risks-to-Many Controls
For specific and transactional risks, the most common approach to evaluating design is through the use of
what is sometimes called a control design matrix. These matrices enable the auditor to see at a glance:
• The many-to-many relationships that exist between risks and controls;
• Where internal control is strong;
• Where internal control is weak; and
• The key controls that address many risks/assertions and could be tested for operating effectiveness.
An example of a simple control design matrix is illustrated below.
Exhibit 12.3-4
Process = Sales
Material Risk Factors Risk A Risk B Risk C Risk D Key
Controls
Assertions C EA AC CE
Controls Internal Control Component
Procedure #1 Control Environment D
Procedure #2 Information Systems D
Procedure #3 Control Activity P P P Yes
Procedure #4 Monitoring D
Procedure #5 Control Activity P P Yes
Procedure #6 Control Activity
Procedure #7 Information Systems D D D
Is control design OK? That is, will the identified controls mitigate the risk factors? Risk A: Yes; Risk B: Yes; Risk C: No; Risk D: Yes
Key:
P = Prevent control
D = Detect and correct control
Note: The above matrix contains the following information:
• Risk factors that, if not mitigated, could result in a material misstatement in the financial statements;
• The assertions addressed by the risk factors; and
• Where the internal control procedure addresses (intersects with) the risk on the matrix, it is recorded as either preventing (P) a misstatement or detecting (D) and then correcting a misstatement after it has occurred.
Such a matrix can also be expanded to include other information including:
• The frequency with which the control is operated, e.g., continuously, weekly, or monthly;
• Whether the control is manual or automated; and
• The expected reliability of the internal control over a period of time. This could include, for example, assessing the competence (and independence from other functions) of the person who performs the control, whether the control is performed on a timely basis, and any history of errors occurring.
CONSIDER POINT
Multiple control procedures
Note that any one control procedure by itself is unlikely to mitigate a key risk factor. Often, a
combination of control activities, working together with other components of internal control (such as
the control environment), will be sufficient to address the risk factor.
Start with the risks
Avoid the temptation to list all the known controls and then match them to risks. Risks come first, then
controls to mitigate the risks. It is more efficient to address each risk (or control objective) in turn and
then identify what controls exist to address that risk. Once enough controls have been identified to
address the risk, there is no point in spending more time to identify any additional controls.
Matching controls with risks not only helps to evaluate control design, but will also identify key controls (over
relevant assertions) that could potentially be tested. It will also help the auditor identify control deficiencies
that may require:
• Communication to management and those charged with governance about the significant deficiency on a timely basis, so that corrective action can be taken; and
• Development of an appropriate audit response.
The control design matrix (see Exhibit 12.3-4) can be used to identify both control strengths and control
deficiencies. This process is described below.
Exhibit 12.3-5
Using the Control Design Matrix

Identify: Internal Control Deficiencies
Description:
Look down each risk column (in the control design matrix above) to see what
internal control procedures exist to mitigate the risks. If sufficient controls exist,
then there is no control deficiency.
Where few or no internal control procedures exist to mitigate the risk, a significant
internal control deficiency may exist. Refer to Risk C in the matrix above, where it
appears that a significant deficiency exists. In this case, the auditor would:
- Inquire about any other internal control procedures or compensating internal
  control procedures that might exist. If none exists, a significant deficiency may
  exist that would be communicated to management and those charged with
  governance as soon as possible, so that corrective action may be taken; and
- Consider what further audit procedures may be necessary to respond to the
  risk identified.
Compensating controls may be activities that indirectly impact on the risk factor. For
example, the risk of shipping goods but not invoicing for them could be detected by
the sales manager when he reviews sales results each quarter. Such a control would
obviously not be sufficient by itself to mitigate the risk.

Identify: Internal Control Strengths
Description:
Look across the rows of the control design matrix above to identify internal control
procedures that would prevent or detect and correct misstatements arising from a
number of risk factors. Note that Control Procedure 3 in the example matrix above
addresses three risks and three assertions. This is an example of a type of control
(often referred to as a key control) that, if considered reliable, could be considered
for testing operational effectiveness, particularly where this testing could be used to
reduce other more detailed tests.
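
The column scan (deficiencies) and row scan (key controls) described in Exhibit 12.3-5, as an added example that is not part of the IFAC guide. The sample matrix, the cell codes P/D/C, the function names, and the thresholds min_direct and min_risks are assumptions made for illustration; in practice, whether controls are sufficient is a matter of professional judgment.

```python
"""Scan a control design matrix by column (deficiencies) and by row (key controls)."""

DIRECT = {"P", "D"}      # assumed codes: P = prevents, D = detects and corrects
COMPENSATING = "C"       # assumed code: indirect control, not sufficient by itself

# Constructed sample data (not the guide's Exhibit 12.3-4).
# Rows are control procedures; each row maps the risks it addresses to a cell code.
RISKS = ["A", "B", "C", "D"]
MATRIX = {
    "Control 1": {"A": "P"},
    "Control 2": {"A": "D", "B": "P"},
    "Control 3": {"A": "P", "B": "D", "D": "P"},
    "Control 4": {"C": "C"},   # e.g. a quarterly review that only indirectly covers Risk C
    "Control 5": {"D": "D"},
    "Control 6": {},           # documented, but never linked to a risk
}


def validate(matrix, risks):
    """Reject cells that point at an unknown risk or use an unknown code."""
    for control, cells in matrix.items():
        for risk, code in cells.items():
            if risk not in risks:
                raise ValueError(f"{control}: unknown risk {risk!r}")
            if code not in DIRECT | {COMPENSATING}:
                raise ValueError(f"{control}: unknown cell code {code!r}")


def scan_columns(matrix, risks, min_direct=1):
    """Look down each risk column: which controls address it, and is there a gap?"""
    validate(matrix, risks)
    result = {}
    for risk in risks:
        direct = sorted(c for c, cells in matrix.items() if cells.get(risk) in DIRECT)
        indirect = sorted(c for c, cells in matrix.items()
                          if cells.get(risk) == COMPENSATING)
        result[risk] = {
            "direct": direct,
            "compensating": indirect,
            # Compensating controls are listed but never close the gap alone.
            "deficiency": len(direct) < min_direct,
        }
    return result


def scan_rows(matrix, risks, min_risks=3):
    """Look across each control row: controls covering many risks are test candidates."""
    validate(matrix, risks)
    key_controls = {}
    for control, cells in matrix.items():
        covered = sorted(r for r, code in cells.items() if code in DIRECT)
        if len(covered) >= min_risks:
            key_controls[control] = covered
    return key_controls


def unlinked_controls(matrix):
    """Controls recorded on the matrix that are not linked to any risk factor."""
    return sorted(c for c, cells in matrix.items() if not cells)


def conclusion_row(matrix, risks, min_direct=1):
    """Bottom row of the matrix: a draft conclusion per risk factor."""
    row = {}
    for risk, info in scan_columns(matrix, risks, min_direct).items():
        if not info["deficiency"]:
            row[risk] = "Controls identified: " + ", ".join(info["direct"])
        elif info["compensating"]:
            row[risk] = ("Possible significant deficiency; compensating only: "
                         + ", ".join(info["compensating"]))
        else:
            row[risk] = "Possible significant deficiency; no controls identified"
    return row


if __name__ == "__main__":
    for risk, text in conclusion_row(MATRIX, RISKS).items():
        print(f"Risk {risk}: {text}")
    print("Key control candidates:", scan_rows(MATRIX, RISKS))
    print("Not linked to any risk:", unlinked_controls(MATRIX))
```

A flagged column is a prompt for the inquiries and audit response described in the exhibit, not a conclusion in itself.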
12.4 How to Identify Internal Controls
Controls are usually identified through discussion (interviews) with the person(s) who are responsible for
managing the risk or the particular process. In smaller entities, this will often be the owner-manager or the
senior manager. A typical approach for identifying controls would be as follows.
Exhibit 12.4-1

Action: Identify the Inherent Risks
Description:
Identify the pervasive (entity-level) and specific (transactional) risks that require
mitigation through internal control to prevent or detect and correct material
misstatements.

Action: Ask about Internal Control Procedures That Address the Inherent Risk
(Address Each Risk Factor, One at a Time)
Description:
Ask the owner-manager or the responsible person what internal control procedures
exist in the entity to mitigate each particular risk factor one by one. Document the
controls identified in the words of the person being interviewed.
When (based on professional judgment) enough controls have been identified to
effectively mitigate the risk, stop asking for any more controls. There is no need to
list all of the other controls that may exist to mitigate the risk, unless specifically
requested for another purpose.

Action: Document the Results
Description:
The controls identified can be documented in a number of ways. They can be listed
under each risk factor they address, or listed on a control matrix and linked to all the
various risk factors they address.
The key is to ensure that the control procedures identified are linked to the risk factor
they were designed to mitigate. This enables an assessment to be made as to whether
the controls identified do actually mitigate the risk. If the control matrix is used:
- Record the internal control procedures identified directly onto the matrix, and
  indicate (where they intersect with the risk) whether they would prevent or
  detect and correct potential misstatements for risk factors; and
- Consider whether the control would also be effective in mitigating other risk
  factors. It is quite possible that some internal control procedures will prevent or
  detect a number of the risk factors.
Where controls have not been identified to address a risk, the auditor would
immediately alert management to the control deficiency (likely significant) that may
need to be addressed.
CONSIDER POINT
Avoid using generic controls
Avoid the temptation to use generic lists of internal control activities that are appropriate for the
so-called "typical" entity. Listings of standard or typical controls can take time to read and understand,
and are often too complex or simply irrelevant for smaller entities. Instead, use them as a reference
source, but only when needed. It is much better to document the nature of each control identified using
the client's own description.
Multi-task
Evaluating control design can be combined with control documentation (see Step 3 below) and with
the inspection/observation of documents to support control implementation (see Step 4 below).
For example, if there is a policy identified that no non-routine journal entries can be made without
authorization, ask to see the actual policy (assess control design) and some journal entries for evidence
of approval (control implementation).
Risk management
Many entities assign risk management responsibilities by process (such as sales or purchasing) instead of
by risk. As a result, there may be a number of important risk factors that fall between departments (such
as sales, purchasing, and accounting), and no one is directly accountable. If risks are not specifically
identified and responsibility assigned to someone, there is often a lot of finger pointing when
something goes wrong. Staff may blame each other by saying something like, "I thought that risk was
being managed by Mary or Jack, or the accounting, IT, or sales department, etc."
Concluding on Control Design
The final step in assessing control design is to draw a conclusion on whether the controls identified
actually mitigate the particular risk factor. This requires the use of professional judgment. For each relevant
assertion or risk factor, consider whether management's response is sufficient to reduce the risk of material
misstatement to an acceptably low level. If the control design matrix approach is used, the bottom row of the
matrix could be used to document the conclusion as to whether the controls are sufficient or not to mitigate
each risk factor.
A summary of the overall control evaluation (that addresses the five control components) is set out in the
following exhibit.
Exhibit 12.4-2
[Figure: colour-coded summary of the overall control evaluation. Labels: Key financial reporting risks
are identified; Accounting policies are applied consistently; Staff are competent and knowledgeable;
Clear lines of authority and responsibility exist; Information systems provide reliable data; Anti-fraud
controls exist to address fraud risks; Controls are monitored; Control activities are appropriately
designed and implemented (Payroll process, Purchasing process, Sales process, Entity-level processes).]
Key:
Green = the underlying risks have been appropriately mitigated
Yellow = some problems may exist
Red = potentially significant deficiencies
CONSIDER POINT
For smaller entities, there is an even simpler way of assessing transactional controls. First, identify the
risk factors (see Step 1 above) and the assertion(s) affected. Then, instead of mapping identified controls
to each individual risk factor, identify controls that address the assertions affected by the risk.
If no controls are identified for a particular assertion, a substantive audit response would need to be
developed. If the controls identified are expected to operate reliably, the audit response could include
a test of relevant key controls. For example, the risk of unrecorded sales addresses the completeness
assertion. Identification of relevant controls could be limited to those that address the completeness
assertion in general, rather than the one specific risk.
12.5 Step 3 - Are Controls That Mitigate the Risk Factors in Operation?
Exhibit 12.5-1
[Figure: Assess control implementation. A risk assessment procedure: ensure identified (relevant)
controls are actually operating as designed.]
Inquiry of management alone is not sufficient to evaluate the design of internal control procedures or to
determine whether they have been implemented. This is because people may genuinely believe or hope that
certain controls exist, when in fact they do not. A documented description of controls (however good) that do
not exist or do not operate is of no value to the audit.
Some of the reasons for observing internal control in action are:
- Change Processes
  Processes change over time, resulting from revised/new products or services, efficiencies in operation,
  changes in personnel, and implementation of new supporting IT applications;
- Wishful thinking
  The entity's personnel may explain to the auditor how a system should operate, rather than how it
  actually operates in practice; and
- Lack of knowledge
  Some aspects of the system may have been inadvertently overlooked in obtaining the understanding of
  internal control.
CONSIDER POINT
If there is any doubt about whether some controls identified in Step 2 above have in fact been
implemented, do not assess control design and document the operation of the controls until some work
has been performed to determine that they exist and operate. Alternatively, do not take time to assess
controls that are unlikely to be relevant to the audit or have been inappropriately designed.
Risk assessment procedures required to obtain audit evidence about control implementation would include
those listed below.
Exhibit 12.5-2
Assessing Control Implementation
Description:
- Inquiring of entity personnel;
- Observing or re-performing the application of specific controls;
- Inspecting documents and reports; and
- Tracing one or two transactions through the information system relevant to
  financial reporting. This is often called a "walkthrough."
Note: A walkthrough is not a test of the operating effectiveness of a control.
Implementation of controls provides evidence about whether a control was actually in operation at a
particular point in time. It does not address operating effectiveness throughout the period being audited.
Evidence of operating effectiveness (if this is part of the audit strategy being developed) would be achieved
through a test of controls that gathers evidence about control operation over a period of time, such as a year.
Only when it has been established that the internal control relevant to the audit has been properly designed
and implemented is it worth considering:
- What tests of the operating effectiveness of controls (if any) will reduce the need for other substantive testing; and
- What controls require testing because there is no other way of obtaining sufficient appropriate audit evidence.
CONSIDER POINT
Ensure that the audit team has a clear understanding of the difference between control design, control
implementation, and tests of controls. These are summarized as follows:
- Control design
  Have controls been designed that will mitigate the inherent risks?
- Control implementation
  Are the designed controls actually in operation? Control implementation procedures should be
  performed each period to identify any system changes.
- Tests of controls
  Did the controls operate effectively over a specified period of time? There is no requirement to test the
  operating effectiveness of controls unless there is no alternative way (such as in a highly automated and
  paperless system) to gain the necessary audit evidence. The decision to test the operating effectiveness
  of controls is therefore a matter of professional judgment.
Do not ignore the linkage between control design and implementation
If there is any doubt about whether some of the controls identified in Step 2 above have in fact been
implemented, do not assess control design until some work has been performed to determine if they
exist and operate. Also, if the auditor concludes that control design is inadequate, there is no point
going on and evaluating the control implementation. It is likely that a significant deficiency already
exists.
Assess implementation every period
After the initial audit engagement, first evaluate the control implementation to determine what has
changed. Use the control design documentation already obtained in the previous period as the starting
point. If a change in internal control is identified, consider whether the revised or new controls continue
to mitigate the risk factor, or whether there are now new risks that have to be mitigated.
12.6 Step 4 - Has the Operation of Relevant Controls Been Documented?
Exhibit 12.6-1
[Figure: Document relevant controls. Document operation of relevant controls: provide context for the
operation of controls from inception to financial reporting.]
The purpose of this step is to provide some information about the operation of the relevant controls identified
in Step 2 above. The extent of documentation required is determined by professional judgment.
The resulting documentation will help the auditor to:
- Understand the nature, operation (initiation, processing, recording, etc.), and context (such as who
  performs the control, where the control is performed, how often and the resulting documentation) of
  the identified controls; and
- Determine whether the controls are likely to be reliable and operate effectively. If so, they could
  be tested as part of the audit response to assessed risks. If a decision is made to test the operating
  effectiveness of controls, this documentation will also help the auditor in designing the test, such as
  what population to use in selecting the sample, what control attributes to examine, who performs the
  control, and where the necessary documentation may be found.
CONSIDER POINT
Documentation of controls does not have to be complex or comprehensive. There is no requirement for
the auditor to document an entire business process, or to describe the operation of any controls that are
not relevant to the audit.
Some of the matters to be considered when documenting relevant internal controls are identified in the
exhibit below.
Exhibit 12.6-2
Documenting Relevant Internal Controls
- How significant transactions are initiated, authorized, recorded, processed, and reported;
- The flow of transactions in sufficient detail to identify the points at which material misstatements
  caused by error or fraud could occur; and
- Internal controls over the period-end financial reporting process, including significant accounting
  estimates and disclosures.
The most common forms of documentation prepared by management or the auditor are:
- Narrative descriptions or memoranda;
- Flow charts;
- A combination of flow charts and narrative descriptions; and
- Questionnaires and checklists.
The nature and extent of the documentation required is a matter of professional judgment. Factors to
consider include:
- The nature, size, and complexity of the entity and its internal control,
- Availability of information from the entity, and
- Audit methodology and technology used in the course of the audit.
The extent of documentation may also reflect the experience and capabilities of the audit team. An audit
undertaken by a less experienced team may require more detailed documentation to assist them in obtaining
an appropriate understanding of the entity than a team composed of more experienced individuals.
12.7 Updating Control Documentation in Subsequent Periods
The auditor may use documentation prepared or obtained in a prior audit period when planning the audit of
a subsequent period. This will involve the following documentation.
Exhibit 12.7-1
Updating Control Documentation Prepared in Previous Periods
Description:
- Make a copy of the previous period's working papers on controls as the starting
  point for updating in the current year. If nothing has changed, evaluate control
  implementation before design. If the control has been implemented and the
  risk did not change, the design will be acceptable;
- Update the listing of risks that require mitigation by control;
- Identify changes in internal control at the entity and transactional levels. This is
  achieved by procedures that address control implementation;
- Where changes are identified (risk or controls), determine whether new internal
  controls have been designed and implemented;
- Update the linkage of internal controls with the appropriate risk factor; and
- Update the conclusions on control risk.
Where the audit strategy is likely to involve reliance on the effective operation of certain controls (such
as through tests of controls) and control changes have occurred, there will be a need to walk through
transactions that were processed both before and after the change took place.
CONSIDER POINT
Changes in pervasive (entity-level) controls
When updating control documentation, carefully consider the changes in pervasive (entity-level)
controls. These changes could have a significant impact on the effectiveness of other specific
(transactional) controls, and may affect the audit response to assessed risks. For example, management's
decision to hire a qualified professional to prepare the financial statements may considerably reduce
the risk of errors in the financial information and enhance the effectiveness of transactional controls that
might previously have been undermined. Alternatively, management's failure to replace an incompetent
IT manager or commit sufficient resources to address IT security risks may undermine other internal
control procedures in effect. In either case, these changes could trigger a significant change in the
appropriate audit response.
12.8 Written Representations about Internal Control
Written representations should be obtained from management acknowledging its responsibility for such
internal control as management determines is necessary to enable the preparation of financial statements
that are free from material misstatement, whether due to fraud or error.
12.9 Case Studies - Internal Control Evaluation
For details of the case studies, refer to Volume 2, Chapter 2 - Introduction to the Case Studies.
The following extracts from internal control documentation provide an example of the information that
would be obtained from using the four-step process described above.
Case Study A - Dephta Furniture, Inc.
Entity-Level Controls
This form addresses all four steps described above. It outlines the risks to be addressed and provides for
documentation of the controls identified, how the controls operate, and how they are implemented.

Control Environment
For each control, the form records: Control Exists?; Describe the Nature of Supporting Documentation
or Management Actions; and Describe Inquiries/Observations to Ensure Controls Identified Were Implemented.

1. Risk: No emphasis is placed on need for integrity and ethical values
Possible controls (choose those that apply):

a) Management continually demonstrates, through words and actions, a commitment to
   high ethical standards.
   Control exists? Yes
   Supporting documentation or management actions: Suraj and the management team consistently
   reinforce the need for adherence to safety and ethical standards through daily communication
   with employees.
   Inquiries/observations: Interviewed two employees, Jon and Amad, who confirmed.

b) Management removes or reduces incentives or temptations that might cause personnel to
   engage in dishonest or unethical acts.
   Control exists? Yes
   Supporting documentation or management actions: Suraj accepted our recommendation last period
   and prepared a code of conduct outlining expected behaviors by staff.
   Inquiries/observations: Employees have been given a copy of the code of conduct and attended
   a meeting on May 13, where the guidelines were explained.

c) A code of conduct or equivalent exists that sets out expected standards of ethical and moral
   behavior.
   Control exists? Yes
   Supporting documentation or management actions: See response to b) above.
   Inquiries/observations: Reviewed code of conduct.

d) Employees clearly understand what behavior is acceptable and unacceptable and know what
   to do when they encounter improper behavior.
   Control exists? Yes
   Supporting documentation or management actions: Employees have been disciplined in the past
   for improper behavior.
   Inquiries/observations: Suraj fires people immediately if they are caught stealing or acting
   unethically. Two such cases occurred last year among temporary workers.

e) Employees are always disciplined for improper behavior.
   Control exists? Yes
   Supporting documentation or management actions: Suraj will not tolerate illegal or unethical
   behavior among employees, customers or suppliers.
   Inquiries/observations: Noted that a new employee was quickly fired after being caught
   stealing office supplies.

f) Other (explain).
   Control exists? No

2. Risk: Incompetent employees may be hired or retained
Possible controls (choose those that apply):

a) Company personnel have the competence and training necessary for their assigned duties.
   Control exists? Yes
   Supporting documentation or management actions: All staff are trained on the job and
   adequately supervised.
   Inquiries/observations: Interviewed two employees, Jon and Amad, who:
   - Clearly understood their roles and responsibilities in the absence of a written
     job description.
   - Indicated that they receive instruction whenever a machine or process changes.
   - Receive praise when things go better than expected, and are told immediately
     when a job was not done well.
   Inquiries of admin staff (Mirelli and Cliff) indicated that staffing levels remained
   constant during period.

b) Management specifies the requisite knowledge and skills required for employee positions.
   Control exists? Yes
   Supporting documentation or management actions: Management is skilled in manufacturing,
   sales, and administration. Ravi and Parvin offer advice on business, marketing, and legal issues.

c) Job descriptions exist and are effectively used.
   Control exists? No

d) Management provides personnel with access to training programs on relevant topics.
   Control exists? No

e) Adequate staffing levels are maintained to effectively perform required tasks.
   Control exists? Yes
   Supporting documentation or management actions: There were no vacancies during year in any
   of the positions that affect financial reporting.

f) Initial and ongoing matching of staff skills to their job descriptions.
   Control exists? No

g) Staff are compensated and rewarded for good performance.
   Control exists? No
   Supporting documentation or management actions: Employees are encouraged when they do a
   good job. There is no bonus structure other than for salespeople.

h) Other (explain).
   Control exists? No

3. Risk: Management has a poor attitude toward internal control and/or managing business risks
Possible controls (choose those that apply):
Management demonstrates positive attitudes and actions toward:

a) The establishment and maintenance of sound internal control over financial reporting
   (including management override and other fraud):
   - Appropriate selection/application of accounting policies,
   - Information-processing controls, and
   - The treatment of accounting personnel.
   Control exists? Yes
   Supporting documentation or management actions: Management is very responsive to
   recommendations that are not costly or disruptive to implement, and has a good attitude
   towards internal control.
   Inquiries/observations: Reviewed the business plan, which included:
   - Sales and cash-flow forecast.
   - Anticipated capital expenditures.
   - Discussion of how recession may affect their business in terms of sales and
     the possibility of one supplier going bankrupt.
   Our management letter recommendations have always been accepted if they were feasible.

b) Management emphasizes appropriate behavior to operating personnel.
   Control exists? Yes
   Supporting documentation or management actions: See comments above on attitudes and the
   code of conduct.
   Inquiries/observations: Based on our employee interviews (see Step 2), employees understand
   what is required and that rules should be followed.

c) Management has established procedures to prevent unauthorized access to, or destruction of,
   assets, documents, and records.
   Control exists? Yes

d) Management analyzes business risks and takes appropriate action.
   Control exists? Some
   Supporting documentation or management actions: Although risk management is informal,
   business risks are discussed at management meetings and reflected in the business plan.
   Inquiries/observations: During our interview with Jawad, he indicated that Suraj was open to
   discussing issues and that he did not feel pressured to manipulate the financial statements.
   In Suraj's words, "The numbers are what they are, whether they are good this month or bad."
Business Process or Transactional Controls
The above control design matrix addresses two of the four steps. It matches the transactional risks with
identified controls, and could also be used to cross-reference work on implementation.
Step 3 - Assessing control implementation is addressed below
Extract from the revenue/receivables walkthrough

Make inquiries of the personnel processing the transaction.
Response: Persons interviewed:
- Karla, Date: February 16, 20X3
- Dameer, Date: February 17, 20X3
- Maria Ho, Date: February 17, 20X3

Describe the procedures performed related to the transaction. Address initiation, authorization,
recording in the accounting records, and reporting in the financial statements.
Response: System works as described in the systems documentation. See WP 530 for copies of documents
that demonstrate the internal controls in action. However, we noted Maria Ho is a new employee and
knows little about the system at present.

Describe the process for any information transfers from one person (process owner) to the next.
Response: There is a handover from sales to accounting. Based on the walkthrough, the transfer worked well.

Note the frequency and timing of the internal control procedures performed.
Response: Noted on the control design matrix.

Identify any general IT controls required to protect the transaction data files and ensure the proper
functioning of application internal controls.
Response: General IT controls are minimal due to small size of entity.

Document the procedures in place to cover illnesses and vacations of personnel. If vacations have not
been taken in last 12 months, document why.
Response: There was a sales clerk vacancy for four months during the period before Maria was hired.
This meant less segregation of duties during that time.

Ask about the extent and nature of errors found in the past period.
Response: Most errors were due to mistakes in pricing, which is mostly a manual process at present.

Ask whether any person has been required to deviate from documented procedures.
Response: One request made by the sales manager to substantially reduce the price on a bedroom set for a
friend was denied.
Step 4 - Control documentation is addressed below
Extract From Business Process Documentation Using a Narrative Approach
Dephta Furniture, Inc.
Note: the controls are identified in bold type.
Business Process - Revenue/receivables/receipts system

Sales contracts
Sales contracts for the retail and specialized orders are prepared by Arjan, as they involve extensive work. The
contracts are all based on a template that contains the estimated quantities, types of furniture, special requests,
as well as standard delivery and payment terms and conditions. Payment terms and conditions can vary by
customer. A 15% deposit is required on all custom orders and is recorded as revenue at the time of sale.
All contracts are reviewed and signed for approval by Suraj prior to being given to the customer for
signature. When the contract is signed by the customer for approval, the order is entered into the accounting
system, which automatically assigns the order a sequential number. When the order is ready for shipment,
a shipping document is prepared, entered into the system, and matched with the order. Karla then prepares
an invoice from the accounting system, which automatically assigns a sequential number. It is a strict rule
that no shipments can be made without the shipping document number being entered into the system. The
system can then track which orders have been filled and which ones are still pending by delivery date.

Regular sales orders
Sales orders are prepared for each order received and entered into the accounting system, which
automatically assigns the order a sequential number. The only exception is furniture sold directly from the
shop or other small items on hand.
All orders over 500, or where the sales price is below the minimum sales price, must be approved by Arjan.
When items are assembled and ready for shipment, Karla prepares an invoice that is sent along with the order
to the customer.
Arjan does not do a credit check on customers unless he does not know them or the order is large. When
granting credit, he relies mostly on his previous experience with the customer.

Shop sales
For all sales out of the shop, invoices are prepared at the time of sale and entered into the accounting system.
The system automatically generates an invoice number for each sale. Invoices are usually given to customers.
The majority of the shop sales are for cash, so there is little credit risk.

Internet sales
A summary of the day's Internet sales is downloaded from the website by Karla. She prepares sales orders that are
given to the production department. An invoice is prepared at the same time and recorded as prepaid revenue
since the item has been paid for. The invoice marked "paid in full" accompanies all Internet orders shipped.

Accounts receivable
Karla opens all of the mail and segregates the payments received for deposit. Jawad usually goes to the bank
on his way home and makes the deposit. Karla then enters the payments into the accounting system and
applies the payment to the invoices indicated.
Jawad prepares an aged accounts receivable listing and gives the listing to Suraj for his review.
Accounts over 90 days are followed up each month, and comments are made on the listing as to when the
customer has agreed to pay the balance.
For customers who are over 90 days and have not made alternative payment arrangements, future sales are
made on a cash-on-delivery basis.
Case Study BKumar & Co.
Entity Level and General IT
This form addresses all four steps described above. It outlines the risks to be addressed and provides for
documentation of the controls identifed, how the controls operate, and how they are implemented.
Entity-Level Controls
Control Environment
Risks to consider:
- No emphasis placed on importance/need for integrity and ethical values.
- No commitment to employee competence.
- Ineffective management oversight by those charged with governance.
- Management has a poor attitude toward internal control and/or managing business risks.
- Ineffective/inappropriate organizational structure for planning, controlling, and achieving objectives.
- No policies/procedures to ensure effective HR management.
Relevant controls:
- Raj continually communicates the need for integrity and ethical dealings in day-to-day communications with employees and by his actions.
- He has a good attitude for internal control; has implemented audit recommendations in past that were feasible.
- No formal governance structure, but Raj meets with Suraj and Jawad (Dephta) regularly.
Do controls mitigate the risk factors? Yes
Describe inquiries/observations to ensure controls identified were implemented:
- Interviewed Ruby, who confirmed Raj's commitment to treating suppliers and customers ethically and fairly.
- Reviewed the minutes from the last meeting which had been prepared by Jawad.
Risk assessment
Risks to consider:
- Management is often surprised by events that were not previously identified/assessed or is continually reacting to events rather than planning ahead.
Relevant controls:
- Business plan prepared annually. Raj monitors monthly cash flows and sales trends.
Do controls mitigate the risk factors? Yes
Describe inquiries/observations to ensure controls identified were implemented:
- Reviewed a copy of the business plan, which did highlight the potential for the economy to impact sales.
- Reviewed a folder containing monthly cash flows given to Raj. Evidence of Raj's review by comments on the documents and changes requested.
Financial reporting risks
Risks to consider:
- Events and conditions (other than transactions) that are significant to the financial statements may not be captured or recorded;
- Poor oversight/control over financial reporting, journal entries, and preparation of significant estimates/disclosures could result in material misstatements in the financial statements; and
- Significant matters relating to financial reporting may not be communicated to the board of directors or external parties such as bankers or regulators.
Relevant controls:
- Raj meets with Suraj and Jawad (Dephta) to review financial statements and business plans.
- Raj reviews financial statements but only reviews journal entries when he has time. (Risk increased by lack of segregation of duties, and gives Ruby ability to book entries undetected.)
Do controls mitigate the risk factors? No. Control weaknesses include the risk of management override and the lack of segregation of duties in such a small entity.
Describe inquiries/observations to ensure that controls identified were implemented:
- Reviewed a folder containing the monthly financials given to Raj. However, no evidence seen that Raj actually reviewed the statements.
Fraud prevention
Risks to consider:
- Management has not considered or assessed the risks of fraud occurring (including management override).
Relevant controls:
- Raj keeps cash and valuables locked.
- Raj is involved in every step of the operations, including production, so oversight of all operations minimizes fraud risk.
Do controls mitigate the risk factors? No. Valuables are kept safe, but Raj was absent quite a bit this year, which reduced the extent of management oversight. In addition, the bookkeeper is known to have personal financial problems.
Describe inquiries/observations to ensure that controls identified were implemented:
- Inspected where the cash is kept locked and verified that only Raj has the key.
General IT Controls
Risks to consider:
- No policies/procedures exist to ensure effective IT management or IT staff supervision;
- No alignment exists between business objectives, risks, and IT plans;
- Reliance is placed on systems/programs that are inaccurately processing data or processing inaccurate data; and
- Unauthorized access to data. Possible destruction of data, improper changes, unauthorized or non-existent transactions, or inaccurate recording of transactions.
Relevant controls:
- No IT policies and procedures.
- IT expenses and capital purchases part of annual budget (if foreseen).
- Raj ensures that software is up to date and that Ruby runs a back-up of the data.
Do controls mitigate the risk factors? Yes, given small size of operations.
Describe inquiries/observations to ensure controls identified were implemented:
- Reviewed the annual budget with an IT expense line. No major capital purchases were planned for the period.
Business Process or Transactional Controls
This form (revenue, receivables, receipts) addresses two of the four steps in the process. It matches the
transactional risks by assertion with identified controls. It could also be used to cross-reference work on the
implementation of controls.
Entity: Kumar & Co. Period ended: December 31, 20XX
1. Identify any transactional risks that if not controlled could result in a material misstatement in the FS.
Step 1: Identify Material Transactional Risks (remove risks below that are not material)
No. | Risk | Assertion | Step 3: Audit Response (describe or cross-reference to audit plan) | WP ref.
1 | Goods shipped/services performed not invoiced. | C | See revenue plan | 700
2 | Revenues partially or not recorded (i.e., cash sales). | CA | See revenue plan | 700
3 | Fictitious sales/sales credits recorded in accounts. | CE | See revenue plan | 700
4 | Revenue recognition policies not followed. | CEA | Extra procedures on 700 | 700
5 | Revenue/receipts recorded in wrong accounting period. | A | See revenue plan | 700
6 | Receipts are partially/not deposited or recorded. | CA | See revenue plan | 700
7 | No allowance for doubtful or uncollectible balances. | V | See revenue plan | 700
8 | Related-party transactions are not identified. | CEAV | Refer to WP 666 | 666
9 | | | |
2. Identify relevant internal control procedures (RICPs) (manual and automated) that mitigate (P =
prevent or D = detect and correct) the assertion risks identified (1-8) in Step 1 above. Then assess, for
each assertion, whether the RICPs identified mitigate the assertion risk.
Step 2: Identify Relevant RICPs
No. | Control Procedures | Assertions (C E A V)
1 | Order/shipping log is prepared listing: order details, delivery information, quantity sold/shipped, date shipped and if paid. | D D D
2 | Sales log is prepared listing: customer name, date shipped, order details, price, amount paid. | D D
3 | Raj matches the shipping log to the sales log each week to ensure that no shipments are missed. | D
4 | Raj reviews monthly sales, A/R and cash receipts journals. (Few customers, majority of sales to Dephta). | D D D D
5 | All sales to Dephta and related companies are recorded in separate accounts. | D
6 | |
7 | |
Do the control procedures mitigate the assertion risk? | Y Y Y Y
Key:
Y = Risk mitigated
S = Some mitigation
No = Material weakness exists
Step 3: Control implementation is addressed below.
Transactional control implementation
Extract from the revenue/receivables walkthrough
Persons interviewed:
Ruby, Date: February 22, 20X3
Raj, Date: February 22, 20X3
Describe the procedures performed related to the transaction. Address initiation, authorization, recording in the accounting records, and reporting in the financial statements.
Response: System works as described in the systems documentation. See WP 535 for copies of documents that demonstrate the internal controls in action.
Describe the process for any information transfers from one person (process owner) to the next.
Response: There is a handover from sales to accounting. Based on the walkthrough, the transfer worked well.
Note the frequency and timing of the internal control procedures performed.
Response: Noted on the control design matrix.
Identify any general IT controls required to protect the transaction data files and ensure the proper functioning of application internal controls.
Response: General IT controls are minimal due to small size of entity.
Document the procedures in place to cover illnesses and vacations of personnel. If vacations have not been taken in last 12 months, document why.
Response: As a part-time employee, Ruby catches up on all record-keeping whenever she gets back to the office. Due to the minimal number of transactions, this has been sufficient.
Ask about the extent and nature of errors found in the past period.
Response: Most errors were due to mistakes in quantities of items ordered and shipped. The sales and order log matching is Raj's control to catch those errors and appears to be working effectively in our walk-through testing.
Ask whether any person has been required to deviate from documented procedures.
Response: None noted.
Step 4: Internal control documentation is addressed below.
Note: the controls are identified in bold type.
Extract From Business Process Documentation Using a Narrative Approach
Kumar & Co.
Business Process: Revenue/receivables/receipts system
Sales orders
Sales orders are prepared for each order received and entered into the accounting system, which
automatically assigns the order a sequential number. The only exception is furniture sold directly from the
shop or other small items on hand.
Raj maintains an order log that tracks the date of the order, the amount, the type of product, date promised,
price, etc. He also maintains a sales log with customer name, order details, price, etc. Raj matches and reviews
the order and sales logs at the end of the month for accuracy.
When items are assembled and ready for shipment, Ruby prepares an invoice, which is sent along with the
order to the customer.
Shop sales
For all sales out of the shop, invoices are prepared at the time of sale by Raj and entered into the accounting
system. The system automatically generates an invoice number for each sale. Invoices are given to customers.
The majority of the shop sales are for cash, so there is little credit risk.
Accounts receivable
Ruby opens all of the mail and segregates the payments received for deposit. Raj goes to the bank on his way
home and makes the deposit. Ruby then enters the payments into the accounting system and applies the
payment to the invoices indicated.
Ruby prepares an aged accounts receivable listing and gives the listing to Raj for review.
Accounts over 90 days are followed up by Ruby each month, and comments are made on the listing as to
when the customer has agreed to pay the balance.
13. Communicating Deficiencies in Internal Control
Chapter Content: Guidance on communicating deficiencies identified in internal control that, in the auditor's professional judgment, merit the attention of management and those charged with governance.
Relevant ISA: 265
Exhibit 13.0-1
[Figure: Risk Assessment phase of the audit. Columns: Activity, Purpose, Documentation (note 1).]
Activity: Perform preliminary engagement activities. Purpose: Decide whether to accept engagement. Documentation: Listing of risk factors; Independence; Engagement letter.
Activity: Plan the audit. Purpose: Develop an overall audit strategy and audit plan (note 2). Documentation: Materiality; Audit team discussions; Overall audit strategy.
Activity: Perform risk assessment procedures. Purpose: Identify/assess RMM (note 3) through understanding the entity. Documentation: Business & fraud risks including significant risks; Design/implementation of relevant internal controls; Assessed RMM (note 3) at F/S level and assertion level.
Notes:
1. Refer to ISA 230 for a more complete list of documentation required.
2. Planning (ISA 300) is a continual and iterative process throughout the audit.
3. RMM = Risks of material misstatement.
Paragraph # Relevant Extracts from ISAs
260.10 For purposes of the ISAs, the following terms have the meanings attributed below:
(a) Those charged with governance: The person(s) or organization(s) (e.g., a corporate
trustee) with responsibility for overseeing the strategic direction of the entity and
obligations related to the accountability of the entity. This includes overseeing the
financial reporting process. For some entities in some jurisdictions, those charged with
governance may include management personnel, for example, executive members of a
governance board of a private or public sector entity, or an owner-manager. For discussion
of the diversity of governance structures, see paragraphs A1-A8.
(b) Management: The person(s) with executive responsibility for the conduct of the entity's
operations. For some entities in some jurisdictions, management includes some or all of
those charged with governance, for example, executive members of a governance board,
or an owner-manager.
265.6 For purposes of the ISAs, the following terms have the meanings attributed below:
(a) Deficiency in internal control: This exists when:
(i) A control is designed, implemented or operated in such a way that it is unable to
prevent, or detect and correct, misstatements in the financial statements on a timely
basis; or
(ii) A control necessary to prevent, or detect and correct, misstatements in the financial
statements on a timely basis is missing.
(b) Significant deficiency in internal control: A deficiency or combination of deficiencies in
internal control that, in the auditor's professional judgment, is of sufficient importance to
merit the attention of those charged with governance. (Ref: Para. A5)
265.7 The auditor shall determine whether, on the basis of the audit work performed, the auditor has
identified one or more deficiencies in internal control. (Ref: Para. A1-A4)
265.8 If the auditor has identified one or more deficiencies in internal control, the auditor shall
determine, on the basis of the audit work performed, whether, individually or in combination,
they constitute significant deficiencies. (Ref: Para. A5-A11)
265.9 The auditor shall communicate in writing significant deficiencies in internal control identified
during the audit to those charged with governance on a timely basis. (Ref: Para. A12-A18, A27)
265.10 The auditor shall also communicate to management at an appropriate level of responsibility on
a timely basis: (Ref: Para. A19, A27)
(a) In writing, significant deficiencies in internal control that the auditor has communicated
or intends to communicate to those charged with governance, unless it would be
inappropriate to communicate directly to management in the circumstances; and (Ref:
Para. A14, A20-A21)
(b) Other deficiencies in internal control identified during the audit that have not been
communicated to management by other parties and that, in the auditor's professional
judgment, are of sufficient importance to merit management's attention. (Ref: Para.
A22-A26)
265.11 The auditor shall include in the written communication of significant deficiencies in internal control:
(a) A description of the deficiencies and an explanation of their potential effects; and (Ref:
Para. A28)
(b) Sufficient information to enable those charged with governance and management to
understand the context of the communication. In particular, the auditor shall explain that:
(Ref: Para. A29-A30)
(i) The purpose of the audit was for the auditor to express an opinion on the financial
statements;
(ii) The audit included consideration of internal control relevant to the preparation of the
financial statements in order to design audit procedures that are appropriate in the
circumstances, but not for the purpose of expressing an opinion on the effectiveness
of internal control; and
(iii) The matters being reported are limited to those deficiencies that the auditor has
identified during the audit and that the auditor has concluded are of sufficient
importance to merit being reported to those charged with governance.
13.1 Overview
During the course of the audit, deficiencies in internal control may be identified. This may occur as a result of
understanding and evaluating internal control (see Volume 2, Chapters 11 and 12), in making risk assessments,
performing audit procedures, or from other observations made at any stage of the audit process.
There is no restriction on what control deficiencies can be communicated with those charged with
governance and with management. However, where an identified deficiency is assessed by the auditor as
being significant, the auditor would first discuss it with management, and is then required to communicate it
(and any other significant deficiencies) in writing to those charged with governance.
Some of the more common control deficiencies are listed in the exhibit below.
Exhibit 13.1-1
Potential Internal Control Deficiencies
Pervasive (Entity-Level) Controls
- Weak control environment (entity-level) controls such as ineffective oversight, poor attitude toward internal control, or instances found of management override or fraud.
- Changes in personnel that have resulted in key positions being unfilled, or where current personnel (such as in accounting) are not competent to perform the required tasks.
- Deficiencies identified in general IT controls.
- Inadequate controls implemented to address significant non-routine events such as the introduction of a new accounting system, the automation of a system such as sales, or the acquisition of a new business.
- Inability by management to oversee the preparation of the financial statements. This could include the lack of:
  - General monitoring controls (such as oversight of financial accounting personnel);
  - Controls over the prevention and detection of fraud;
  - Controls over the selection and application of significant accounting policies;
  - Controls over significant transactions with related parties;
  - Controls over significant transactions outside the entity's normal course of business; and
  - Controls over the period-end financial reporting process (such as controls over non-recurring journal entries).
- Significant deficiencies previously communicated to management or those charged with governance remain uncorrected after some reasonable period of time.
Specific (Transactional) Controls
- An ineffective management response to identified significant risks (e.g., absence of controls over such a risk).
- Misstatements were detected by the auditor when they should have been prevented, or detected and corrected, by the entity's internal control.
- The existing internal controls were not:
  - Sufficient to mitigate the risk (poor design); and/or
  - Operating as designed (poor implementation). This could result from poor training, lack of staff competence, or inadequate resources to perform the required tasks.
13.2 Fraud
If evidence is obtained that fraud exists or may exist, the matter should be brought to the attention of the
appropriate level of management as soon as is practicable. This should be done even if the matter might be
considered inconsequential.
The appropriate level of management is a matter of professional judgment, but would be at least one level
above the persons who appear to be involved with the suspected fraud. It would also be affected by the
likelihood of collusion and the nature and magnitude of the suspected fraud. Where the fraud involves senior
management, communication is also required with those charged with governance. This may be made orally
or in writing.
CONSIDER POINT
Fraud perpetrated by the owner-manager or those charged with governance
When fraud occurs at the very top of an organization, there is no one within the entity to whom it can
be reported. In these situations, the auditor may obtain legal advice to determine the appropriate
course of action in the circumstances. The purpose of obtaining such advice is to ascertain what steps (if
any) are necessary in considering the public-interest aspects of the identified fraud.
In most countries, the auditor's professional duty is to maintain the confidentiality of client information.
This may preclude reporting fraud to an external party. However, the auditor's legal responsibilities
vary by country and, in certain circumstances, the duty of confidentiality may be overridden by statute,
the law, or courts of law. In some countries, the auditor of a financial institution has a statutory duty
to report the occurrence of fraud to supervisory authorities. Also, in some countries, the auditor has a
duty to report misstatements to authorities in those cases where management and those charged with
governance fail to take corrective action.
13.3 Assessing the Severity of a Deficiency
A significant deficiency is defined as a deficiency or combination of deficiencies in internal control that, in
the auditor's professional judgment, is of sufficient importance to merit the attention of those charged with
governance.
In evaluating internal control (see Volume 2, Chapter 12), it is suggested that risk factors that are unlikely to
result in a material misstatement in the financial statements be eliminated (scoped out) from the auditor's
understanding of internal control. If this guidance is followed, most of the control deficiencies identified by
the auditor are likely to be significant.
The criteria for determining whether a deficiency is significant or not are similar to those for any other risk (see
Volume 2, Chapter 9). Professional judgment is used to assess the likelihood that a misstatement could occur,
and the potential magnitude of the misstatement if it did occur. If a misstatement has in fact occurred, the
assessment would be based on the extent of the actual misstatement.
Less serious or even minor control deficiencies may also be identified during the course of the audit. These
could result from interviews with management and staff, observation of internal controls in operation,
performing further audit procedures, and any other information that may be obtained. It is a matter of
professional judgment whether these matters are of sufficient importance to be reported to management
and those charged with governance.
Some matters that could be considered by the auditor in assessing the severity of a deficiency are outlined in
the following exhibit.
Exhibit 13.3-1
Identifying a Significant Deficiency
Deficiency Assessment Criteria
- Likelihood of deficiencies leading to material misstatements in the financial statements in the future.
- The susceptibility of an asset or liability to loss or fraud.
- The subjectivity and complexity of determining estimated amounts, such as fair value accounting estimates.
- The financial statement amounts exposed to the deficiencies.
- The volume of activity that has occurred or could occur in the account balance or class of transactions exposed to the deficiency or deficiencies.
- The importance of the controls to the financial reporting process.
- The cause and frequency of the exceptions detected as a result of the deficiencies in the controls.
- The interaction of the deficiency with other deficiencies in internal control.
13.4 Smaller Entities
When assessing control defciencies in smaller entities, the auditor would pay attention to the following factors.
Exhibit 13.4-1
Consider: Control in a Small Entity
- Controls may operate with less formality and with less evidence of their performance than in larger entities.
- Certain types of control activities may not be necessary at all. The risks may be mitigated through the controls applied by senior management (e.g., entity-level controls, such as the control environment, that would prevent or detect a specific error from occurring).
- There will be fewer employees, which may limit the extent to which segregation of duties is practicable. This can be offset by the owner-manager exercising more effective oversight (e.g., entity-level controls such as the control environment) than is possible in a larger entity.
- Greater potential exists for management override of controls.
In addition, the communication of deficiencies with those charged with governance may be less structured
than in the case of larger entities.
13.5 Documenting Control Deficiencies
There are no specific requirements in the ISAs as to how control deficiencies are to be documented.
The extent of documentation is a matter requiring professional judgment. Where the audit team is less
experienced, more detailed documentation and guidance may be required than where the team consists of
highly experienced individuals.
A possible approach to documenting deficiencies as they are identified is outlined below. This documentation
can be used for:
- Discussing deficiencies with management;
- Assessing the severity of the deficiencies;
- Considering the need for any additional audit procedures to respond to the unmitigated risk; and
- Preparing the required communication to management and those charged with governance.
An example of such documentation is illustrated below (without the references to supporting and other
working papers).
Exhibit 13.5-1
Entry 1
What is the risk factor or assertion affected? Management has not considered or assessed the risks of fraud occurring.
Describe the deficiency identified. Members of the management team trust each other and are reluctant to introduce costly policies, etc. that address the risk of fraud.
What is the potential effect on the financial statements? Management could override controls and materially manipulate the financial statements.
Significant deficiency? (Yes/No) Yes
Audit response: See the specific procedures performed on journal entries, related parties, and revenue recognition.
Entry 2
What is the risk factor or assertion affected? Sales/services recorded in wrong accounting period.
Describe the deficiency identified. There are no controls to prevent this from occurring and we found a number of cutoff errors in our tests of details.
What is the potential effect on the financial statements? Revenues could be materially misstated in the financial statements.
Significant deficiency? (Yes/No) Yes
Audit response: See the additional procedures performed relating to cut off.
Entry 3
What is the risk factor or assertion affected? Poor oversight and documentation to support the preparation of estimates.
Describe the deficiency identified. The client provides virtually no back-up documents to support their estimates.
What is the potential effect on the financial statements? Given the size of the estimates, an error could result in a material error in the financial statements.
Significant deficiency? (Yes/No) Yes
Audit response: Obtain evidence to support the assumptions and perform the calculations again.
CONSIDER POINT
Record deficiencies in a single place
Designate one particular audit form to record pertinent details of control deficiencies as they are
identified. This will ensure that all identified deficiencies are recorded on a consistent basis and in one
place. If scattered through the file, deficiencies could be missed. This could result in an incomplete audit
response to the risks involved, and incomplete communication to management and those charged with
governance.
Describe the implications
When documenting deficiencies, take time to describe the implications of the deficiency (what could
go wrong) and the proposed audit response (if any) to the unmitigated risk.
What is the recommended course of action?
Providing management with a recommended course of action to correct identified control deficiencies
is not a requirement. However, recommendations can be useful for management in determining
the appropriate course of corrective action. Where recommendations are likely to be provided to
management, document the suggestions for improvement at the same time that the deficiencies
are recorded. If this step is left until later, it may lead to additional time being incurred to become
acquainted with the facts again.
13.6 Oral Discussions with Management
Before issuing a written communication, it is generally considered best practice to discuss the findings
orally (such as a discussion based on a draft letter) with the appropriate person or level of management,
and possibly with those charged with governance. The appropriate person is the one who can evaluate the
deficiencies and take the necessary remedial action. This step helps the auditor to ensure that the findings are
factually correct and appropriately worded in the circumstances. It may also enable the auditor to obtain a
preliminary indication of management's response to the findings.
For significant deficiencies, the appropriate level of management would be the highest in the entity, such as
the owner-manager, chief executive officer, or chief financial officer (or equivalent). For other deficiencies, the
appropriate level may be operational management with direct involvement in the control areas affected. Note
that, if all of those charged with governance are also involved in managing the entity, communication with
the most senior management may not adequately inform all those with governance responsibilities.
If the deficiency is directed at management directly (e.g., a question about its integrity or competence), it
would not be appropriate to discuss this with management directly. The discussion of such findings would
normally be with those charged with governance.
CONSIDER POINT
If a significant deficiency is directed at the conduct or competence of the owner-manager or those
charged with governance, there is no higher level in the entity to whom to report the findings. In these
situations, the auditor would consider his/her ability to continue performing the audit. This may involve
the auditor seeking legal advice.
The discussion with management provides an opportunity to discuss the findings and obtain management's
reaction before the findings are finalized and communicated in writing, as illustrated below.
Exhibit 13.6-1
Benefits: Discussions with Management
- Alerts management, on a timely basis, to the existence of deficiencies.
- Opportunity to obtain relevant information for further consideration, such as:
  - Confirmation that the description of the deficiency and related facts (such as the extent of an actual misstatement) is accurate;
  - Existence of other possibly compensating controls;
  - Management's reaction and understanding of the actual or suspected causes of the deficiencies; and
  - Existence of exceptions arising from the deficiencies that management has noted.
- Obtain a preliminary management response to the findings.
13.7 Written Communications
Significant deficiencies are to be reported in writing. This reflects the importance attached to such matters,
and may assist management and those charged with governance in fulfilling their various responsibilities.
The requirement to communicate significant deficiencies in writing applies to all sizes of entity, including
owner-managed and very small entities. Communicating such matters in writing ensures that those charged
with governance have indeed been informed of the problems.
As soon as practicable after concluding that significant deficiencies exist, the auditor would discuss them
with management and then communicate them in writing to those charged with governance. Although not
required, the communication letter may also contain some suggested recommendations for remedial action.
By taking these steps, management can take corrective action on a timely basis.
13.8 Management's Response to the Communication
It is the responsibility of management and those charged with governance to respond appropriately to the
auditor's communication about significant deficiencies in internal control, and any recommendations for
remedial action. This may take the form of:
- Initiating remedial action to correct the deficiencies identified by the auditor;
- A decision not to take any action. Management may already be aware of the significant deficiencies, and
has chosen not to remedy them because of the costs or other considerations; or
- No action at all. This may be indicative of a poor attitude toward internal control, which has implications
for assessing risk at the financial statement level. In some situations, such non-action may constitute a
significant deficiency in itself.
Regardless of what action is taken by management, the auditor is required to communicate all significant
deficiencies in writing. This includes significant deficiencies already reported in prior periods. It is not the
auditor's role to determine whether the cost of mitigating a deficiency outweighs the benefit to be obtained.
However, some consideration of proportionality to the size of the entity and the application of common sense
in the circumstances is appropriate.
If a previously communicated significant deficiency remains, the current period's communication may repeat
the description or simply refer to the previous communication.
If the deficiency is not significant, there is no need to put it in writing or to repeat the communication in the
current period. However, it may be appropriate for the auditor to re-communicate the other deficiencies if
there has been a change in management, or if new information has come to the auditor's attention.
Content of Communication
The communication of significant deficiencies would normally include:
Description of the nature of each significant deficiency and the potential effects. There is no need to
quantify those effects;
Any suggestions for remedial action on the deficiencies;
Management's actual or proposed responses; and
A statement as to whether or not the auditor has undertaken any steps to verify whether management's
responses have been implemented.
Significant deficiencies may be grouped together for reporting purposes where it is appropriate to do so.
As additional context for the communication, the letter would also include the following:
An indication that, if the auditor had performed more extensive procedures on internal control, the
auditor might have identified more deficiencies to be reported, or concluded that some of the reported
deficiencies need not in fact have been reported; and
An indication that such communication has been provided for the purposes of those charged with
governance, and that it may not be suitable for other purposes.
Local Reporting Requirements
Laws or regulations in some jurisdictions may establish additional requirements for the auditor to
communicate one or more specific types of deficiency in internal control identified during the audit. Where
this occurs:
The requirements of ISA 265 remain applicable, notwithstanding that law or regulation may require the
auditor to use specific terms or definitions; and
The auditor would use the defined terms and definitions for the purpose of communicating in
accordance with the applicable legal or regulatory requirements.
13.9 Timing of the Written Communication
The auditor is required to communicate, in writing, significant deficiencies in internal control identified during
the audit to those charged with governance on a timely basis. Factors to consider include:
Would undue delay in the reporting of information cause it to lose its relevance?
Would the information be an important factor in enabling those charged with governance to discharge
their oversight responsibilities?
Unless local requirements specify a particular date, the latest date that a written communication may be
issued is before the date of the auditor's report or shortly thereafter. This enables the auditor to complete the
assembly of the final audit file on a timely basis.
CONSIDER POINT
Where possible, communicate deficiencies in internal control well before the period-end audit work
commences. Early notification could enable management to take corrective action that may assist the
auditor by lowering the assessed risk of material misstatement at the financial statement or assertion
level. For example, a recommendation to replace or redeploy an incompetent accountant/bookkeeper
could significantly reduce the work required in reviewing the preparation of the period-end financial
statements.
13.10 Case Studies - Communicating Deficiencies in Internal Control
For details of the case studies, refer to Volume 2, Chapter 2 - Introduction to the Case Studies.
Deficiencies in internal control are identified throughout all phases of the audit (risk assessment, risk response,
and reporting), and the auditor must accumulate them for subsequent reporting to management. Significant
internal control deficiencies (both in design and operation) would be reported to management using a letter
such as the ones below.
Case Study A - Dephta Furniture, Inc.
Jamel, Woodwind & Wing LLP
55 Kingston St., Cabetown, United Territories 123-53004
March 15, 20X3
Suraj Dephta
Dephta Furniture Inc.
[Address]
Re: Audit of 20X2 Financial Statements
Dear Suraj:
The objective of our audit was to obtain reasonable assurance that the financial statements were
free of material misstatement. Our audit was not designed for the purpose of identifying matters to
communicate. Accordingly, our audit would not usually identify all such matters that may be of interest
to you, and it is inappropriate to conclude that no such matters exist.
During the course of our audit of Dephta Furniture, Inc. for the period ended December 31, 20X2, we
identified the following deficiencies in internal control that, in our opinion, are significant. A significant
deficiency or combination of deficiencies in internal control is one that, in our professional judgment, is
of sufficient importance to merit the attention of those charged with governance.
Unauthorized Journal Entries
There are currently no controls over manual journal entries made throughout the period. Without
any segregation of duties and review controls over entries made, errors or misstatements can
go undetected. Although our audit found no such material errors or misstatements, this current
unrestricted and unmonitored access by all company personnel presents a risk to accuracy of the
financial statements.
We recommend that proper segregation of duties be allocated based on roles and responsibilities.
Further, a formalized review process should be established. All significant entries should be approved
prior to entry, and a secondary review should be conducted by management on a monthly basis.
Poor Inventory Controls
There are currently very limited controls over inventory. Without proper controls, inventory could be
incomplete, improperly valued, or stolen.
We recommend Dephta implement formalized controls over the tagging and periodic counting of
inventory. Inventory records should be compared to actual products in the warehouse on a monthly
basis. A visual inspection on a monthly basis of obsolete and damaged goods should also be performed
to ensure that any inventory write-downs are recorded as required.
This communication is prepared solely for the information of management and is not intended for any
other purpose. We accept no responsibility to a third party who uses this communication.
Yours truly,
Jamel, Woodwind & Wing, LLP
Case Study B - Kumar & Co.
Jamel, Woodwind & Wing LLP
55 Kingston St., Cabetown, United Territories 123-53004
March 15, 20X3
Rajesh Kumar
Kumar & Co.
[Address]
Re: Audit of 20X2 Financial Statements
Dear Rajesh:
The objective of our audit was to obtain reasonable assurance that the financial statements were
free of material misstatement. Our audit was not designed for the purpose of identifying matters to
communicate. Accordingly, our audit would not usually identify all such matters that may be of interest
to you, and it is inappropriate to conclude that no such matters exist.
During the course of our audit of Kumar & Co. for the period ended December 31, 20X2, we identified
the following deficiency in internal control that, in our opinion, is significant. A significant deficiency or
combination of deficiencies in internal control is one that, in our professional judgment, is of sufficient
importance to merit the attention of those charged with governance.
Lack of Segregation of Duties
There is currently a lack of segregation of duties at Kumar & Co. The part-time bookkeeper has total
access to and control over all the record-keeping at Kumar. Without separating duties across multiple
employees, there is a risk that the bookkeeper may make unintentional or intentional errors that go
undetected.
We recommend that Kumar & Co. consider hiring another part-time staff person to split functions with
the bookkeeper. Given the small size of the organization and cost restraints, if that is not practicable,
we recommend that Raj Kumar become more involved in the record-keeping aspect of the business to
provide adequate oversight of the bookkeeper's work.
This communication is prepared solely for the information of management and is not intended for any
other purpose. We accept no responsibility to a third party who uses this communication.
Yours truly,
Jamel, Woodwind & Wing, LLP
14. Concluding the Risk Assessment Phase
Chapter Content | Relevant ISA
Concluding the risk assessment phase of the audit by documenting the assessed risks at the financial statement and assertion levels. | 315
Exhibit 14.0-1
Risk Assessment
Activity | Purpose | Documentation (1)
Perform preliminary engagement activities | Decide whether to accept engagement | Listing of risk factors; Independence; Engagement letter
Plan the audit | Develop an overall audit strategy and audit plan (2) | Materiality; Audit team discussions; Overall audit strategy
Perform risk assessment procedures | Identify/assess RMM (3) through understanding the entity | Business & fraud risks including significant risks; Design/implementation of relevant internal controls; Assessed RMM (3) at: F/S level, Assertion level
Notes:
1. Refer to ISA 230 for a more complete list of documentation required.
2. Planning (ISA 300) is a continual and iterative process throughout the audit.
3. RMM = Risks of material misstatement.
Paragraph # Relevant Extracts from ISAs
315.25 The auditor shall identify and assess the risks of material misstatement at:
(a) the financial statement level; and (Ref: Para. A105-A108)
(b) the assertion level for classes of transactions, account balances, and disclosures (Ref: Para.
A109-A113)
to provide a basis for designing and performing further audit procedures.
315.26 For this purpose, the auditor shall:
(a) Identify risks throughout the process of obtaining an understanding of the entity and its
environment, including relevant controls that relate to the risks, and by considering the
classes of transactions, account balances, and disclosures in the financial statements; (Ref:
Para. A114-A115)
(b) Assess the identified risks, and evaluate whether they relate more pervasively to the
financial statements as a whole and potentially affect many assertions;
(c) Relate the identified risks to what can go wrong at the assertion level, taking account of
relevant controls that the auditor intends to test; and (Ref: Para. A116-A118)
(d) Consider the likelihood of misstatement, including the possibility of multiple
misstatements, and whether the potential misstatement is of a magnitude that could
result in a material misstatement.
315.32 The auditor shall include in the audit documentation:
(a) The discussion among the engagement team where required by paragraph 10, and the
significant decisions reached;
(b) Key elements of the understanding obtained regarding each of the aspects of the
entity and its environment specified in paragraph 11 and of each of the internal control
components specified in paragraphs 14-24; the sources of information from which the
understanding was obtained; and the risk assessment procedures performed;
(c) The identified and assessed risks of material misstatement at the financial statement level
and at the assertion level as required by paragraph 25; and
(d) The risks identified, and related controls about which the auditor has obtained an
understanding, as a result of the requirements in paragraphs 27-30. (Ref: Para. A131-A134)
14.1 Overview
The final step in the risk assessment phase of the audit is to review the results of the risk assessment
procedures performed, and then assess (or, if already assessed, summarize) the risks of material
misstatements at:
The financial statement level; and
The assertion level for classes of transactions, account balances, and disclosures.
The resulting list of assessed risks will form the foundation for the next phase in the audit, which is to
determine how to respond appropriately to the assessed risks through the design of further audit procedures.
The two levels of risk assessment are illustrated in the following exhibit:
Exhibit 14.1-1
14.2 Audit Evidence Obtained to Date
The evidence obtained to date, by performing risk assessment procedures, consists of identification and
assessment of inherent risks, and the design and implementation of internal controls that address those risks.
What is left is the risk of material misstatement. This is simply the remaining risk after taking into account the
effect of internal controls put in place to mitigate the inherent risks. This is illustrated in the exhibit below.
Exhibit 14.2-1
Note: The length of the horizontal bars in this exhibit is purely for illustrative purposes and would vary from entity to entity.
Sources of audit evidence that may be relevant in summarizing and assessing risks at the two levels are listed
below.
Exhibit 14.2-2
Audit Evidence | Volume and Chapters
The overall audit strategy | V2 - 5
Materiality and identification of material financial statement areas and disclosures | V2 - 6
Audit team discussions | V2 - 7
Results of performing risk assessment procedures | V1 - 4 and V2 - 3 to 14
Inherent risk identification and assessment | V2 - 8 and 9
Significant risks | V2 - 10
Understanding and evaluation of internal control | V2 - 11 and 12
Significant deficiencies identified | V2 - 13
14.3 Summarizing the Various Risk Assessments
The purpose of assessing risks is to provide the foundation and a reference point for what is needed to
respond appropriately with well-designed and efficient further audit procedures.
If risks identified to date have already been documented and assessed in a consistent manner, it will be
relatively straightforward to review and summarize them.
The summary of assessed risks brings together the inherent risk factors identified and the evaluation of any
internal control designed to mitigate such risks. This is illustrated in Exhibit 14.3-1.
Note: There is a moderate level of risk at the financial statement level which is mitigated by good entity-level
and possibly other controls. The result is a low assessed risk at the financial statement level.
The summary of assessed risks at the assertion level is a combination of the assessment of inherent and
control risks that apply to individual financial statement balances, transactions, and disclosures. In the case
below, the inherent risks are moderate, and there are no relevant internal controls, so the control risk is high.
The result is therefore a moderate residual risk for this particular assertion.
Exhibit 14.3-1
Notes:
Before concluding there are no particular risks for a financial statement area or disclosure, consider the
existence of other relevant factors, such as history of known errors, susceptibility of the asset/liability to
fraud, potential for management override, and the previous period's experience.
If the auditor plans to rely on a control risk that has been assessed as low (e.g., reduce the extent of
substantive procedures), there need to be tests of the operational effectiveness of the controls to
support such an assessment.
In some cases, the entity may have some internal controls, but the auditor has deemed them not
relevant to the audit and therefore no assessment has been made. In these cases, the control risk would
be assessed as high.
Specific (transactional) controls generally work (resulting in a low assessed risk) or do not work (resulting
in a high assessed risk). This would imply that there is no assessment of control risk as being moderate.
However, some auditors assess control risk as moderate when a control may not be totally reliable in
operation, but is expected to work most of the time. This can often be the case in smaller entities.
The determination of residual risk resulting from the combination of inherent and control risk is a matter
of professional judgment. The exhibit below shows various combinations of risk, but is not a substitute
for professional judgment based on the particular circumstances.
Exhibit 14.3-2
Inherent Risk | Control Risk | Risk of material misstatement
H | H | H
H | M | M
H | L | M or L
M | H | M
M | M | M
M | L | L
L | H | M/L
L | M | L
L | L | L
Key: H = High, M = Moderate, L = Low
CONSIDER POINT
Document the reasoning behind risk assessments
When summarizing assessed risks, be sure to provide a short description of the reasons for each
assessment or a cross-reference to where they can be found. This is often more important than the
assessment itself, because it helps to design tailored and cost-effective responses.
Assessing inherent risks
Remember that the assessment of inherent risk is always completed before any consideration of controls
that may mitigate the risk. Assuming most financial statement areas to be audited will exceed overall
materiality, it is likely (in most instances) that the inherent risk of misstatement (before internal control)
for most assertions will be high.
Low risk for all assertions
When a financial statement area has been assessed as low risk for all assertions, there is no need to
repeat the same reasoning for each individual assertion. However, the reason why all the assessments
are low would be documented.
14.4 Revision of Risk Assessments
The assessment of risk does not end at a point in time. New information may be gained as the audit
progresses, and the performance of audit procedures may identify additional risks, or that internal control is
not operating as intended. When this occurs, the original risk assessment should be revised and the impact
on the nature and extent of further audit procedures considered.
14.5 Documentation
The summary of assessed risks can be documented in a number of ways. Three possible approaches are
outlined below:
A stand-alone document.
A separate document that summarizes the inherent and control assessments, and the key reasons for
the combined risk assessments. This document could also be used for outlining (in general terms) the
risk response.
Include with the overall audit strategy and audit plan.
The first part of each section of the audit plan (such as for receivables, payables, etc.) could outline the
risk assessments and the impact on the planned audit procedures.
Incorporate risk assessments as part of the auditor's documentation of further procedures.
In this case, the risk assessments, audit plans, and the results of work performed could all be
documented in one comprehensive working paper for each financial statement area.
The form and extent of the documentation supporting risk assessments would be influenced by:
The nature, size, and complexity of the entity and its internal control;
Availability of information from the entity; and
The audit methodology and technology used in the course of the audit.
Other factors to consider when designing documentation include:
Ease of understandability;
Cross-references to the design and implementation of an appropriate audit response;
Ability to facilitate updating in subsequent periods; and
Ease of review. A reviewer should be able to determine whether key risks have been identified and that
the resulting audit response was appropriate.
A well-documented summary of assessed risks will also be useful in the team planning meetings in
subsequent periods where the nature of the risks and the audit response can be discussed.
An approach using a stand-alone document but closely linked to the audit plan is illustrated in the following
exhibit. Note that this illustration uses the four combined assertions (used for the purposes of this Guide), as
defined in Volume 1, Chapter 6.
Exhibit 14.5-1
Assessed Levels of Risk
Assertions IR CR RMM
Document the key risks and other contributing
factors to risk assessment
The industry is in a general decline as new technologies
emerge. However, sales are still strong and the entity is
investing in R&D.
Financial Statement
Level
P M L L Management's attitude to internal control is good.
Competent people fill the key positions.
Management override possible but new policies in place
should deter the most common practices.
The governance board is made up of family members.
Assertion Level
FSA or financial
statement disclosure