ISA 315
Understanding the entity and its environment and assessing the risks of material misstatement
John Zarb
Partner - PricewaterhouseCoopers
22 January 2004

Introduction
Auditors cannot approach their work with a fixed audit program which they expect will work in all circumstances
They must understand their client, identify and assess audit risk, and plan their work accordingly
ISA 315 deals with understanding and assessing risk
Followed by ISA 330, dealing with responding to risk

Nothing new in all this
Has long been a fundamental principle (e.g., ISA 200 – Objective and general principles)
But has obviously become a source of additional concern, as the quality of audits is being questioned
And key questions arise:
– Can an auditor get away with not looking at controls at all?
– Are auditors really understanding their clients’ businesses?
– Are they focusing hard enough on misstatement risk?
Equally hard questions are being asked about whether substantive testing is exhaustive enough, but that is not the subject of ISA 315

An overview of ISA 315
Explains the procedures to be followed, and sources of information. Makes team discussions mandatory.
Defines what level of understanding is required – a key section of the standard
Requires an assessment of the risks which can impact the audit at financial statement or assertion level
Requires identification of significant risks requiring special emphasis or risks for which substantive tests alone do not suffice (important concept)
Also deals with communication and documentation

ISA 315 - The process
Perform procedures, hold internal team discussions. Consider:
– Industry, external factors
– Nature of the entity
– Objectives, strategies, risks
– Financial performance measures
– Internal control measures
Assess the risks of material misstatements
Identify special risks, risk where substantive tests do not suffice
Document and report
RESPOND TO RISK – ISA 330

Procedures to be performed
No surprises here – enquiries, analytical procedures, observation and inspection
To be applied as appropriate
Enquiries may need to extend beyond those charged with governance or accounting (e.g., to sales or production management, internal audit, etc.)
The process is continuous, dynamic – may be linked with other aspects of the audit
Must be linked to discussion among the engagement team

Discussion among the audit team
The members of the team should discuss the susceptibility … to material misstatements
Disseminate information, share insights
Particular emphasis to be given to fraud risk (ISA 240)
Judgement is required in deciding who is informed of what – must be linked to roles, responsibilities
Discussion will emphasise the need to maintain professional scepticism throughout the engagement

Understanding the entity
By far the most voluminous part of the standard
Supported by appendices with examples
Considers the topic under five discrete headings:
– Industry, regulatory and other external factors
– Nature of the entity
– Objectives and strategies and related business risks
– Measurement and review of the entity’s financial performance
– Internal control – a topic explored in some detail

Industry, regulatory, external factors
The starting point – what is the environment in which the client operates?
Sources of information:
– The client
– Trade journals
– News media
– Regulatory updates
– IFRS updates
We need to know enough about a business to enable us to understand where risks which could result in misstatements could come from

External risks - examples
A bank audit – liberalisation leads to new banks being set up, and to increased competition for corporate customers
Audit impact: Could lead to lowering of credit controls and to a higher risk of bad debts
A communications company – in a fast moving industry, technological advances which reduce the cost of capital infrastructure are common
Audit impact: Issues such as impairment testing on fixed assets assume added importance

Nature of the entity
‘Nature of the entity’ refers to:
– The entity’s operations
– Its ownership and governance
– The types of investments it makes, or plans to make
– The way the entity is structured
– How the entity is financed
Examples in ISA 315
Full awareness of all related parties?
Complex structures give rise to risk – allocation of goodwill, impairment, SPEs, extent of consolidation, etc.
Auditor should understand and consider the appropriateness of the entity’s accounting policies

Objectives and strategies … and the related business risks
Again, an obvious point, already a feature of a good audit, e.g.:
An importer of motor cars embarks on an aggressive growth programme, supported by low cost HP facilities
Nothing improper or unwise, but could lead to the risk of a higher incidence of credit losses, and this must be addressed

Measurement and review
An auditor should understand how performance is measured or reviewed within a company
– To improve his own understanding, and the quality of his analytical review processes
– To understand the pressures which may result in management actions which increase the risk of misstatements
The understanding must include external influences (e.g., the expectations of banks, market analysts)
Watch out for performance-based bonus or incentive remuneration

Coming to the crucial point … internal controls
To what extent is the auditor required, in all circumstances, to understand or test internal controls?
Short answers:
– ISA 315 does not deal at all with testing – there is no suggestion that testing controls is a must
– ISA 315 gives guidance re the onus on the auditor to consider controls risk. The auditor should obtain an understanding of internal control relevant to the audit
– The lesser needs of small companies are frequently mentioned; this standard is not impractical

Internal controls
We have a definition:
Internal control is the process designed and effected by [management] to provide reasonable assurance about the achievement of the entity’s objectives with regard to:
– reliability of financial reporting
– effectiveness and efficiency of operations, and
– compliance with applicable laws and regulations.

Internal control components
ISA 315 sets out five components:
– The control environment
– The entity’s risk assessment process
– The information system, including the related business processes, relevant to financial reporting and communication
– Control activities
– Monitoring controls
Introducing the elements of the COSO framework, which is new
The standard sets out what we have to do in relation to each of these components
Plus a 6 page appendix going into controls in more detail

Controls relevant to the audit
Usually, those controls which pertain to the entity’s objective of preparing financial statements
Subject to the requirements of the ISA, a matter of professional judgement
Size of entity and materiality are clearly indicated as matters affecting this judgement
This standard does not do away with the judgements we make today, even in small companies where consideration of controls may be futile, but some minimum rules apply

Control environment
The auditor should obtain an understanding of the control environment
A mandatory step already in ISA 400
ISA 315 gives more guidance on the control environment, but does not change the principles at stake

Entity’s risk assessment processes
The auditor should obtain an understanding of the entity’s process for identifying business risks relevant to financial reporting objectives and deciding about actions to address those risks, and the results thereof
A new step – risk assessment processes were not previously mentioned
Entails judgement – what is material and relevant
The logical conclusion is that it must be linked to the auditor’s prior understanding of external factors, nature of entity, objectives and strategies, etc.

The information system
The auditor should obtain an understanding of the information system, including the related business processes, relevant to financial reporting, including …
A long existing requirement
Even in the smallest business, where no reliance whatsoever is placed on controls, we need to demonstrate an understanding of how the entity’s accounting processes work (e.g., types of transactions, capturing data, books of account, posting sources, main systems and data files, etc.)

Control activities
The auditor should obtain a sufficient understanding of control activities to assess the risks of material misstatement at the assertion level and to design further audit procedures responsive to assessed risks
Auditor is not required to understand all control activities related to each significant class of transactions, account balance, disclosure, etc.
The emphasis must be on controls in those areas where material misstatements are more likely
As now, except for a mandatory understanding required on IT risks, auditor must exercise judgement …

… but needs to be consistent
Example:
Review of external environment: indicates sharp increase in market competition in a slow economy
Review of business objectives and strategies: indicates aggressive campaign based on low interest credit terms
Understanding controls over HP debtors becomes necessary.

Assessing risk
The auditor should identify and assess the risks of material misstatement at the financial statement level, and at the assertion level for classes of transactions, account balances and disclosures
We are required to:
– Relate identified risks to what can go wrong at assertion level
– Consider potential magnitude of the risks in the context of the financial statements
– Consider the likelihood that the risks could result in a material misstatement of the financial statements

This is the nub of this standard
It is not enough, for a very small client, to sidestep this assessment and simply adopt a ‘high risks approach’ audit
An assessment of risk is required in all cases:
– Even if this is a very brief record of the auditor’s thought processes, client discussions and the outcome
– Clients, even small ones, will differ in the risks they present

Examples of risks given
Operations in unstable regions
Operations in volatile markets
Complex regulation
Going concern, liquidity issues
Capital, credit constraints
Industry changes
Changes in the supply chain
New products and services
New lines of business
Expanding into new locations
Acquisitions, reorganisations
Businesses likely to be sold
Complex alliances, JVs
Off B/S finance, SPEs, offshore
Related party transactions
Lack of qualified personnel
Changes in key personnel
Dominant leader
Weak internal controls
Changes in IT environment
Non-routine transactions
Aggressive accounting policies

Evaluating risk
How does one measure potential impact and likelihood?
ISA 315 does not define a detailed process for this, which must be a matter of professional judgement
The standard however gives some warnings:
– A weak control environment is likely to affect a number of assertions and may impact the financial statements as a whole
– Concerns about the integrity of management may lead the auditor to conclude that the risks are such that an audit cannot be concluded
– Leading to a qualification or disclaimer, or to withdrawing from the engagement

Significant risks
The auditor should determine which of the risks identified are, in the auditor’s judgement, risks that require special audit consideration
Significant risks ‘arise on most audits’
Particular attention required on:
– Risks of material fraud
– Complex or related party transactions
– Information involving a wide range of measurement uncertainty
– Transactions outside the normal course of business

Significant risks (continued)
For significant risks, to the extent that the auditor has not already done so, the auditor should evaluate the design of the entity’s related controls, including relevant control activities, and determine whether they have been implemented

Significant risks (continued)
Significant risks often apply to non-routine items
But management can still put in place ad-hoc procedures (e.g., management review of projections on sales potential of a new product)
Before rushing into substantive testing, the auditor needs to understand what management itself has done

Risks for which substantive procedures alone do not provide sufficient appropriate audit evidence
The auditor should evaluate the design and determine the implementation of the entity’s controls …
The end requirement is the same as for significant risks. The key question is – when do such circumstances arise?

Typical example given
When processing is highly automated, and the audit trail less easy to follow, such that an auditor has no option but to understand and test the proper operation of the system concerned
To which one could add another:
When substantive testing is likely to focus on what transactions are reported, rather than omitted
Substantive testing usually emphasises the balance sheet approach. Will it pick up material frauds impacting the profit and loss account?

Communicating, documenting
Both obviously are mandatory steps
Documentation should cover:
– The discussion among the engagement team
– Key elements of the understanding obtained
– The sources of information
– The risk assessment process
– The identified and assessed risks
– Significant risks evaluated
– Risks evaluated for which substantive procedures alone …

Applicability of the standard
Audits of financial statements for periods beginning on or after December 15, 2004
Standard seen as applicable to all companies, large or otherwise
A particular mention on small companies is in fact encountered throughout the ISA
Apart from the guidance given in Practice Statement 1005

‘Small company’ references
Para 34 – small entities have less formal objectives and strategies; we need to observe, and enquire with management
Para 40 – same for measuring performance, but management will always have some key indicators
Para 48 – when judging relevance of controls, size of entity is a valid consideration
Para 66 – controls are more limited, and more easily overridden, in small entities
Para 79 – in small companies, risk assessment processes are less formal
Etc.
The message is clear – this standard conveys principles applicable to all audits