STANDARD 400
RISK ASSESSMENTS AND INTERNAL CONTROL
(Issued in pursuance of the Minister of Finance Decision No. 143/2001/QD-BTC
dated 21 December 2001)
GENERAL
01. The purpose of this Vietnamese Standard on Auditing (VSA) is to establish standards and fundamental procedures and provide guidance on obtaining an understanding of the accounting and internal control systems and on assessing audit risk and its components: inherent risk, control risk and detection risk during an audit of financial statements.
02. The auditor should obtain an understanding of the accounting and internal control systems sufficient to prepare an overall audit plan and develop an effective, appropriate audit approach. The auditor should use professional judgment to assess audit risk and to design audit procedures to ensure it is reduced to an acceptably low level.
03. This VSA applies to audits of financial statements and also applies to audits of other financial information and related services rendered by the audit firm.
The auditor and the audit firm should comply with this VSA in conducting an audit of financial statements and rendering related services
It is expected that the client entity and users of the audit report should possess essential knowledge as to the principles set out in this VSA in working with the auditor and the audit firm, and dealing with the relations maintained during the audit.
In this VSA, the following terms have the meaning attributed below:
04. Inherent risk is the susceptibility of an account balance or class of transactions to misstatement that could be material individually or when aggregated with misstatements in other balances or classes, assuming that there were no related-internal controls.
05. Control risk is the risk that a misstatement, that could occur in an account balance or class of transactions and that could be material individually or when aggregated with misstatement in other balances or classes, will not be prevented or detected and corrected on a timely basis by the accounting and internal control systems.
06. Detection risk is the risk that misstatement exists in an account balance or class of transactions that could be material individually or when aggregated with misstatements in other balances or classes that the auditor and the audit firm fail to detect.
07. Audit risk means the risk that the auditor and the audit firm give an inappropriate audit opinion when the financial statements are materially misstated. Audit risk has three components: inherent risk, control risk and detection risk.
08. Audit risk assessment is the work carried out by the auditor and audit firm to assess the degree in which audit risks may occur, which include the assessment of inherent risk, control risk and detection risk. Audit risk is assessed before the planning stage and before audit performance.
09. Materiality is a term which denotes the importance of information or a disclosure in the financial statements.
Information is material if its omission or misstatement could influence the economic decisions of users taken on the basis of the financial statements. Materiality depends on the size of the item or error judged in the particular circumstances of its omission or misstatement. Thus, materiality should be viewed in respect of both quantitative and qualitative characteristics.
10. Internal control system means all the policies and procedures designed and adopted by an entity to assist compliance with the provisions of law and relevant regulations for prevention and detection of fraud and error, preparation of financial statements that give a true and fair view, and effective safeguarding, management and use of its assets. The internal control comprises the control environment, accounting system, and control procedures.
11. Accounting system means the series of policies and procedures of an entity by which records are maintained and financial statements prepared.
12. Control environment means the understanding, attitude, awareness and actions of members of the boards of Management and Directors regarding the internal control system and its importance in the entity.
The control environment has an effect on the effectiveness of the specific control procedures. A strong control environment can significantly complement specific control procedures. However, a strong environment is not synonymous with a strong internal control system. Such environment does not, by itself, ensure the effectiveness of the internal control system.
13. Control procedures are those policies and procedures which management has established to achieve the entity’s specific objectives.
CONTENTS OF THE VSA
14. When developing the audit approach, the auditor considers the preliminary assessment of inherent risk and control risk to determine the appropriate detection risk to accept for the financial statement assertions and to determine the nature, timing and extent of substantive procedures for such assertions.
Inherent Risk
15. In developing the audit plan, the auditor and the audit firm should assess inherent risk at the financial statement level. In developing the audit program, the auditor should relate such assessment to material account balances and classes of transactions at the assertion level, or otherwise assume that inherent risk is high for the assertion. Based on the assessment on the inherent risk, the auditor estimates the work to conduct and procedures to follow for material balances and transactions in the financial statements, or balances and transactions for which, in the auditor’s judgment, inherent risk is high (see Appendix 01).
16. To assess inherent risk, the auditor uses professional judgment to evaluate the following major factors:
+ At the Financial Statement Level
- The integrity, experience and knowledge of management and changes in management during the period;
- The experience and competence of the chief accountant, key accounting personnel and internal audit staff and changes (if any) with them;
- Unusual pressures on management and the chief accountant, in particular circumstances that might predispose management and the chief accountant to misstate the financial statements;
- The nature of the entity’s business, for example, technological designs, capital structure, the number of locations, geographical spread and seasonal feature of production;
- Factors affecting the industry in which the entity operates, for example, changes in economic and competitive conditions, in purchasing and selling market and in accounting practices common to the industry.
+ At the Account Balance and Class of Transactions Level
- Financial statement accounts likely to be susceptible to misstatement, for example, accounts which required adjustment in the prior period or which involve a high degree of estimation; or changes in accounting practice which took place during the period;
- Measurement of account balances and business transactions, such as balances of provision accounts, transactions with extra-ordinary repairs either expensed or added to the cost of fixed assets.
- Susceptibility of assets to loss or misappropriation, for example, numerous receipts and expenditures in cash, cash advanced in large amounts and over a long time,…
- The complexity of underlying transactions and other events which might require using the work of an expert, for example litigations or thefts…
- The completion of unusual and complex transactions, particularly at or near period end;
- Other unusual financial and business transactions.
Accounting and Internal Control Systems
17. Internal controls relating to the accounting system are maintained to ensure:
- Transactions are executed in accordance with the authorization of relevant personnel;
- All transactions are promptly recorded in the correct amount, in the appropriate accounts and in the proper accounting period so as to permit preparation of financial statements in accordance with the prevailing accounting regulations;
- Access to assets and records is permitted only in accordance with management’s authorization;
- Recorded assets are compared with the existing assets counted at reasonable intervals and appropriate action is taken regarding any differences.
Inherent Limitations of Internal Controls
18. Accounting and internal control systems cannot provide management with conclusive evidence that objectives are reached because of inherent limitations, such as:
- Management’s usual requirement that the cost of an internal control does not exceed the expected benefits to be derived;
- Most internal controls tend to be directed at routine transactions rather than non-routine transactions;
- The potential for human error due to carelessness, distraction, mistakes of judgment and the misunderstanding of instructions;
- The possibility of circumvention of internal controls through the collusion of a member of management or an employee with parties outside or inside the entity;
- The possibility that a person responsible for exercising an internal control could abuse that responsibility;
- The possibility that procedures may become inadequate due to changes in the existing mechanism and management requirement and compliance with procedures may deteriorate.
Understanding the Accounting and Internal Control Systems
19. Within the scope of a financial statement audit, the auditor is mainly concerned with the accounting and internal control policies and procedures pertaining to assertions in the financial statements.
Understanding of the accounting and internal control systems of the entity under audit and the assessment of inherent risk and control risk would assist the auditor in:
- Locating the audit scope required for material misstatements likely to exist in the financial statements;
- Reviewing factors which may result in material misstatements; and,
- Designing relevant audit procedures.
20. When obtaining an understanding of the accounting and internal control systems to develop an audit plan, the auditor obtains a knowledge of the design of the accounting and internal control systems and their operation. This would enable the auditor measure the quantity of transactions to be audited and design necessary testing procedures.
21. The nature, timing and extent of the procedures performed by the auditor to obtain an understanding of the accounting and internal control systems will vary with, among other things:
- The size and complexity of the entity and of its computer system, for example wholly or party computerized application; computers operated separately or in a network,…)
- Materiality considerations by the auditor and the audit firm;
- The type of internal controls involved (for example control of purchases, sales or cash,…);
- The entity’s regulation on respective control procedures (for example, procedures of purchases, sales, and those on goods received and dispatched);
- The number of transactions and the entity’s documentation of specific internal controls;
- The auditor’s assessment of inherent risk as high or low.
22. Ordinarily, the auditor’s understanding of the accounting and internal control systems is obtained through:
- previous experience with the entity and its operations;
- inquiries of appropriate management, supervisory and other personnel at various organizational levels within the entity, together with reference to documentation;
- inspection of documents and records produced by the accounting and internal control systems; and
- observation of the entity’s activities and operations, including observation of the organization of computer operations, management personnel, internal controls and the nature of internal transaction processing.
23. Internal control includes control environment, accounting system and control procedures.
Control Environment
24. The auditor should obtain an understanding of the control environment of the entity in evaluating the Boards of Management and Director’s attitudes, awareness and actions regarding the internal controls.
Key factors reflected in the control environment include:
- The function of the Boards of Management and Directors and their committees and divisions;
- The Boards of Management and Director’s philosophy and operating style;
- The entity’s organizational structure and the authority and responsibility of the components thereof;
- Management’s control system including the managing and control structure, internal audit function, personnel policies and procedures segregation of duties;
- External impacts, such as Government policies, and higher levels and professional bodies’ instruction.
Accounting System
25. The auditor should obtain an understanding of the accounting system sufficient to identify and understand:
- Major classes of transactions in the entity’s operations;
- How such transactions are initiated;
- Organization of the accounting mechanism;
- Organization of the accounting practice, including accounting documents, chart of accounts, accounting books and financial reporting; and
- The accounting for significant transactions and other events, from their initiation to inclusion in the financial statements.
Control Procedures
26. The auditor should obtain an understanding of the control procedures sufficient to develop the audit plan and program. The auditor would consider knowledge of the control environment to define the control procedures in place and those absent that require application (for example in understanding accounting for cash in bank, the auditor would consider whether reconciliation procedures are available and properly performed).
Major control procedures are:
- drawing up, verifying, reconciling and approving of data and relevant documents;
- testing the accuracy of data;
- reviewing computerized programs and environment;
- comparing data between control account ledgers and sub-ledgers
- reviewing and approving of accounting documents;
- comparing data between control account ledgers and sub-ledgers;
- reviewing and approving of accounting documents;
- comparing internal documents to external documents;
- reconciling count results to book figures;
- limits of access to assets and accounting documents;
- comparing actuality to accounting estimates and budgets.
When reviewing the control procedures, the auditor should consider whether they have been established upon fundamental principles, such as leadership regime, work assignment, duty segregation, authorization and approval.
Control Risks
Preliminary Assessment of Control Risks
27. The preliminary assessment of control risk is the process of evaluating the effectiveness of an entity’s accounting and internal control systems in preventing or detecting and correcting material misstatements. There will always be some control risk because of the inherent limitations of any accounting and internal control system.
28. After obtaining an understanding of the accounting and internal control systems, the auditor and the audit firm should make a preliminary assessment of control risk, at the assertion level, for each material account balance or class of transactions.
29. The auditor ordinarily assesses control risk at a high level for some or all assertions when:
- the entity’s accounting and internal control systems are not adequate;
- the entity’s accounting and internal control systems would not be efficient;
- the auditor is not provided with an adequate basis for evaluation of the adequacy and effectiveness of the accounting and internal control systems of the client entity.
30. The assessment of control risk for a financial statement assertion should normally be at less than high if the auditor:
- is able to identify internal controls relevant to the assertion which are likely to prevent or detect and correct a material misstatement; and
- plans to perform tests of control to support the assessment of control risk.
Documentation of Assessment of Control Risks
31. The auditor should document in the audit working papers:
- the understanding obtained of the entity’s accounting and internal control systems; and
- the assessment of control risk. When control risk is assessed at less than high, the auditor would also document the basis for the conclusions.
32. Different techniques may be used to document information relating to accounting and internal control systems. The form and extent of this documentation is influenced by the size and complexity of the entity and the nature of the entity’s accounting and internal control systems (for example, the more complex the entity’s accounting and internal control systems and the more extensive the auditor’s procedures, the more extensive the auditor’s documentation will need to be).
Tests of Control
33. Tests of control are performed to obtain audit evidence about the effectiveness of the accounting and internal control systems in respect of:
- design of the accounting and internal control systems, that is, whether they are suitably designed to prevent or detect and correct material misstatements; and
- operation of the accounting and internal control systems throughout the period.
34. Apart from tests of control, the auditor may perform other audit procedures to obtain audit evidence about the effectiveness of the design and operation of the accounting and internal control systems, such as evidence collected through inquiry and observation.
35. When the auditor concludes that procedures provide audit evidence about the effectiveness of the accounting and internal control systems relevant to a particular financial statement assertion, the auditor may use that audit evidence to support a control risk assessment at a low and medium level.
36. Tests of control may include:
- Inspection of documents supporting transactions and other events to gain audit evidence that the accounting and internal control systems have operated properly, for example, verifying that payment related documents have been authorized;
- Inquiries about, and observation of, the performance of those who carry out internal control assignments to determine whether any audit trails are left;
- Reperformance of internal controls, for example, reconciliation of bank accounts, petty cash and inventory count minutes and accounts receivable and payable, to ensure they were correctly performed by the entity.
37. The auditor should obtain audit evidence through tests of control support any assessment of control risk which is less than high. The lower the assessment of control risk, the more support the auditor should obtain that accounting and internal control systems are suitably designed and operating effectively.
38. When obtaining audit evidence about the effective operation of internal controls, the auditor considers how they were applied, the consistency with which they were applied during the period and by whom they were applied. The concept of effective operation recognizes that some deviations may have occurred due to changes in key personnel, significant seasonal fluctuations in volume of transactions and human error. When deviations are detected the auditor makes specific inquiries regarding these matters, particularly the timing of staff changes in key internal control personnel. The auditor then ensures that the tests of control appropriately cover such a period of change or fluctuation.
39. In a computer information systems environment, the objectives of tests of control do not change from those in a manual environment; however, some audit procedures may change. In case the accounting work and internal auditing is performed using computers the auditor may find it necessary, or may prefer, to use computer-assisted audit techniques to collect evidence about the effectiveness of the internal controls.
40. Based on the results of the tests of control, the auditor should evaluate whether the internal controls are designed and operating as contemplated in the preliminary assessment of control risk. The evaluation of deviations may result in the auditor concluding that the assessed level of control risk needs to be revised, thus to modify the nature, timing and extent of planned substantive procedures.
Final Assessment of Control Risk
41. Before the conclusion of the audit, based on the results of substantive procedures and other audit evidence obtained by the auditor should consider whether the assessment of control risk is confirmed.
Relationship Between the Assessments of Inherent and Control Risks
42. Inherent risk and control risk are highly interrelated; and therefore the auditor should assess inherent and control risks together.
Detection Risks
43. The level of detection risk relates directly to the auditor’s substantive procedures.
The auditor’s control risk assessment, together with the inherent risk assessment, influences the nature, timing and extent of substantive procedures to be performed to reduce detection risk, and therefore audit risk, to an acceptably low level.
To reduce audit risk to an acceptably low level, the auditor would consider:
- nature of substantive procedures, for example, using tests directed toward independent parties outside the entity rather than tests directed toward parties or documentation within the entity, or using tests of details for a particular audit objective in addition to analytical procedures;
- the timing of substantive procedures, for example, performing inventory procedures at period end rather than at an earlier date with adjustment; and
- the extent of substantive procedures, for example, using a larger sample size.
It is impossible however to entirely eliminate the detection risk even when the auditor has checked all the transactions and account balances
44. There is an inverse relationship between detection risk and the combined level of inherent and control risks. For example, when inherent and control risks are high, acceptable detection risk needs to be low to reduce audit risk to an acceptably low level. On the other hand, when inherent and control risks are low, an auditor can accept a higher detection risk and still reduce audit risk to an acceptably low level (see Appendix 01)
45. While tests of control and substantive procedures are distinguishable as to their purpose, the results of either type of procedure may contribute to the purpose of the other regarding assessment of inherent risk and control risk. For example misstatements discovered in conducting substantive procedures may cause the auditor to modify the previous assessment of control risk (see Appendix 01).
46. Regardless of the assessed levels of inherent and control risks, the auditor should perform some substantive procedures for material account balances and classes of transactions.
47. The auditor’s assessment of the components of audit risk may change during the course of an audit, for example, information may come to the auditor’s attention when performing substantive procedures that differs significantly from the information on which the auditor originally assessed inherent and control risks. In such cases, the auditor would modify the planned substantive procedures based on a revision of the assessed levels of inherent and control risks.
48. The higher the assessment of inherent and control risk, the more audit evidence the auditor should obtain from the performance of substantive procedures. When the auditor determines that detection risk regarding a financial statement assertion for a material account balance or class of transactions can not be reduced to an acceptable level, the auditor should express a qualified opinion or a disclaimer of opinion.
Audit Risk in the Small Business
49. The auditor needs to obtain the same level of assurance in order to express an unqualified opinion on the financial statements of both small and large entities. However, many internal controls which would be relevant to large entities are not practical in the small business. (For example, in large businesses, those involved in the supervisory controls are separate from the accounting staff while in small businesses, accounting procedures may be performed by a few persons. Accountants may take charge of the supervisory controls, and thus the internal controls are impaired). In circumstances where internal controls are limited due to the absence of segregation of duties, the audit evidence necessary to support the auditor’s opinion on the financial statements may have to be obtained entirely through the performance of substantive procedures.
Communication of Weaknesses
50. As a result of obtaining an understanding of the accounting and internal control systems and tests of control, the auditor may become aware of weaknesses in the systems. The auditor should make management aware, as soon as practical and at an appropriate level of responsibility, of material weaknesses in the design or operation of the accounting and internal control systems.
Such communication would ordinarily be in writing. However, if oral communication is found appropriate, the communication would be documented in the audit working papers.
APPENDIX 01
Interrelationship of the Components of Audit Risk
The following table shows how the acceptable level of detection risk may vary based on assessment of inherent and control risks.
Auditor’s assessment of control risk
High Medium Low
Auditor’s assessment of inherent risk High Lowest Lower Medium
Medium Lower Medium Higher
Low Medium Higher Highest
Notes:
- Both inherent risk and control risk are set at three levels: higher, medium and lower.
- The shaded areas relate to detection risk.
- Detection risk is set at five levels: highest, higher, medium, lower and lowest.
There is an inverse relationship between detection risk and the combined level of inherent control risks. For example when inherent risk is assessed as high and control risk is low, acceptable levels of detection risk need to be medium to reduce audit risk to an acceptable low level. On the other hand, when inherent risk is low and control risk is medium, the auditor can accept detection risk as higher and still reduce audit risk to an acceptably low level.
RISK ASSESSMENTS AND INTERNAL CONTROL
(Issued in pursuance of the Minister of Finance Decision No. 143/2001/QD-BTC
dated 21 December 2001)
GENERAL
01. The purpose of this Vietnamese Standard on Auditing (VSA) is to establish standards and fundamental procedures and provide guidance on obtaining an understanding of the accounting and internal control systems and on assessing audit risk and its components: inherent risk, control risk and detection risk during an audit of financial statements.
02. The auditor should obtain an understanding of the accounting and internal control systems sufficient to prepare an overall audit plan and develop an effective, appropriate audit approach. The auditor should use professional judgment to assess audit risk and to design audit procedures to ensure it is reduced to an acceptably low level.
03. This VSA applies to audits of financial statements and also applies to audits of other financial information and related services rendered by the audit firm.
The auditor and the audit firm should comply with this VSA in conducting an audit of financial statements and rendering related services
It is expected that the client entity and users of the audit report should possess essential knowledge as to the principles set out in this VSA in working with the auditor and the audit firm, and dealing with the relations maintained during the audit.
In this VSA, the following terms have the meaning attributed below:
04. Inherent risk is the susceptibility of an account balance or class of transactions to misstatement that could be material individually or when aggregated with misstatements in other balances or classes, assuming that there were no related-internal controls.
05. Control risk is the risk that a misstatement, that could occur in an account balance or class of transactions and that could be material individually or when aggregated with misstatement in other balances or classes, will not be prevented or detected and corrected on a timely basis by the accounting and internal control systems.
06. Detection risk is the risk that misstatement exists in an account balance or class of transactions that could be material individually or when aggregated with misstatements in other balances or classes that the auditor and the audit firm fail to detect.
07. Audit risk means the risk that the auditor and the audit firm give an inappropriate audit opinion when the financial statements are materially misstated. Audit risk has three components: inherent risk, control risk and detection risk.
08. Audit risk assessment is the work carried out by the auditor and audit firm to assess the degree in which audit risks may occur, which include the assessment of inherent risk, control risk and detection risk. Audit risk is assessed before the planning stage and before audit performance.
09. Materiality is a term which denotes the importance of information or a disclosure in the financial statements.
Information is material if its omission or misstatement could influence the economic decisions of users taken on the basis of the financial statements. Materiality depends on the size of the item or error judged in the particular circumstances of its omission or misstatement. Thus, materiality should be viewed in respect of both quantitative and qualitative characteristics.
10. Internal control system means all the policies and procedures designed and adopted by an entity to assist compliance with the provisions of law and relevant regulations for prevention and detection of fraud and error, preparation of financial statements that give a true and fair view, and effective safeguarding, management and use of its assets. The internal control comprises the control environment, accounting system, and control procedures.
11. Accounting system means the series of policies and procedures of an entity by which records are maintained and financial statements prepared.
12. Control environment means the understanding, attitude, awareness and actions of members of the boards of Management and Directors regarding the internal control system and its importance in the entity.
The control environment has an effect on the effectiveness of the specific control procedures. A strong control environment can significantly complement specific control procedures. However, a strong environment is not synonymous with a strong internal control system. Such environment does not, by itself, ensure the effectiveness of the internal control system.
13. Control procedures are those policies and procedures which management has established to achieve the entity’s specific objectives.
CONTENTS OF THE VSA
14. When developing the audit approach, the auditor considers the preliminary assessment of inherent risk and control risk to determine the appropriate detection risk to accept for the financial statement assertions and to determine the nature, timing and extent of substantive procedures for such assertions.
Inherent Risk
15. In developing the audit plan, the auditor and the audit firm should assess inherent risk at the financial statement level. In developing the audit program, the auditor should relate such assessment to material account balances and classes of transactions at the assertion level, or otherwise assume that inherent risk is high for the assertion. Based on the assessment on the inherent risk, the auditor estimates the work to conduct and procedures to follow for material balances and transactions in the financial statements, or balances and transactions for which, in the auditor’s judgment, inherent risk is high (see Appendix 01).
16. To assess inherent risk, the auditor uses professional judgment to evaluate the following major factors:
+ At the Financial Statement Level
- The integrity, experience and knowledge of management and changes in management during the period;
- The experience and competence of the chief accountant, key accounting personnel and internal audit staff and changes (if any) with them;
- Unusual pressures on management and the chief accountant, in particular circumstances that might predispose management and the chief accountant to misstate the financial statements;
- The nature of the entity’s business, for example, technological designs, capital structure, the number of locations, geographical spread and seasonal feature of production;
- Factors affecting the industry in which the entity operates, for example, changes in economic and competitive conditions, in purchasing and selling market and in accounting practices common to the industry.
+ At the Account Balance and Class of Transactions Level
- Financial statement accounts likely to be susceptible to misstatement, for example, accounts which required adjustment in the prior period or which involve a high degree of estimation; or changes in accounting practice which took place during the period;
- Measurement of account balances and business transactions, such as balances of provision accounts, transactions with extra-ordinary repairs either expensed or added to the cost of fixed assets.
- Susceptibility of assets to loss or misappropriation, for example, numerous receipts and expenditures in cash, cash advanced in large amounts and over a long time,…
- The complexity of underlying transactions and other events which might require using the work of an expert, for example litigations or thefts…
- The completion of unusual and complex transactions, particularly at or near period end;
- Other unusual financial and business transactions.
Accounting and Internal Control Systems
17. Internal controls relating to the accounting system are maintained to ensure:
- Transactions are executed in accordance with the authorization of relevant personnel;
- All transactions are promptly recorded in the correct amount, in the appropriate accounts and in the proper accounting period so as to permit preparation of financial statements in accordance with the prevailing accounting regulations;
- Access to assets and records is permitted only in accordance with management’s authorization;
- Recorded assets are compared with the existing assets counted at reasonable intervals and appropriate action is taken regarding any differences.
Inherent Limitations of Internal Controls
18. Accounting and internal control systems cannot provide management with conclusive evidence that objectives are reached because of inherent limitations, such as:
- Management’s usual requirement that the cost of an internal control does not exceed the expected benefits to be derived;
- Most internal controls tend to be directed at routine transactions rather than non-routine transactions;
- The potential for human error due to carelessness, distraction, mistakes of judgment and the misunderstanding of instructions;
- The possibility of circumvention of internal controls through the collusion of a member of management or an employee with parties outside or inside the entity;
- The possibility that a person responsible for exercising an internal control could abuse that responsibility;
- The possibility that procedures may become inadequate due to changes in the existing mechanism and management requirement and compliance with procedures may deteriorate.
Understanding the Accounting and Internal Control Systems
19. Within the scope of a financial statement audit, the auditor is mainly concerned with the accounting and internal control policies and procedures pertaining to assertions in the financial statements.
Understanding of the accounting and internal control systems of the entity under audit and the assessment of inherent risk and control risk would assist the auditor in:
- Locating the audit scope required for material misstatements likely to exist in the financial statements;
- Reviewing factors which may result in material misstatements; and,
- Designing relevant audit procedures.
20. When obtaining an understanding of the accounting and internal control systems to develop an audit plan, the auditor obtains a knowledge of the design of the accounting and internal control systems and their operation. This would enable the auditor measure the quantity of transactions to be audited and design necessary testing procedures.
21. The nature, timing and extent of the procedures performed by the auditor to obtain an understanding of the accounting and internal control systems will vary with, among other things:
- The size and complexity of the entity and of its computer system, for example wholly or party computerized application; computers operated separately or in a network,…)
- Materiality considerations by the auditor and the audit firm;
- The type of internal controls involved (for example control of purchases, sales or cash,…);
- The entity’s regulation on respective control procedures (for example, procedures of purchases, sales, and those on goods received and dispatched);
- The number of transactions and the entity’s documentation of specific internal controls;
- The auditor’s assessment of inherent risk as high or low.
22. Ordinarily, the auditor’s understanding of the accounting and internal control systems is obtained through:
- previous experience with the entity and its operations;
- inquiries of appropriate management, supervisory and other personnel at various organizational levels within the entity, together with reference to documentation;
- inspection of documents and records produced by the accounting and internal control systems; and
- observation of the entity’s activities and operations, including observation of the organization of computer operations, management personnel, internal controls and the nature of internal transaction processing.
23. Internal control includes control environment, accounting system and control procedures.
Control Environment
24. The auditor should obtain an understanding of the control environment of the entity in evaluating the Boards of Management and Director’s attitudes, awareness and actions regarding the internal controls.
Key factors reflected in the control environment include:
- The function of the Boards of Management and Directors and their committees and divisions;
- The Boards of Management and Director’s philosophy and operating style;
- The entity’s organizational structure and the authority and responsibility of the components thereof;
- Management’s control system including the managing and control structure, internal audit function, personnel policies and procedures segregation of duties;
- External impacts, such as Government policies, and higher levels and professional bodies’ instruction.
Accounting System
25. The auditor should obtain an understanding of the accounting system sufficient to identify and understand:
- Major classes of transactions in the entity’s operations;
- How such transactions are initiated;
- Organization of the accounting mechanism;
- Organization of the accounting practice, including accounting documents, chart of accounts, accounting books and financial reporting; and
- The accounting for significant transactions and other events, from their initiation to inclusion in the financial statements.
Control Procedures
26. The auditor should obtain an understanding of the control procedures sufficient to develop the audit plan and program. The auditor would consider knowledge of the control environment to define the control procedures in place and those absent that require application (for example in understanding accounting for cash in bank, the auditor would consider whether reconciliation procedures are available and properly performed).
Major control procedures are:
- drawing up, verifying, reconciling and approving of data and relevant documents;
- testing the accuracy of data;
- reviewing computerized programs and environment;
- comparing data between control account ledgers and sub-ledgers
- reviewing and approving of accounting documents;
- comparing data between control account ledgers and sub-ledgers;
- reviewing and approving of accounting documents;
- comparing internal documents to external documents;
- reconciling count results to book figures;
- limits of access to assets and accounting documents;
- comparing actuality to accounting estimates and budgets.
When reviewing the control procedures, the auditor should consider whether they have been established upon fundamental principles, such as leadership regime, work assignment, duty segregation, authorization and approval.
Control Risks
Preliminary Assessment of Control Risks
27. The preliminary assessment of control risk is the process of evaluating the effectiveness of an entity’s accounting and internal control systems in preventing or detecting and correcting material misstatements. There will always be some control risk because of the inherent limitations of any accounting and internal control system.
28. After obtaining an understanding of the accounting and internal control systems, the auditor and the audit firm should make a preliminary assessment of control risk, at the assertion level, for each material account balance or class of transactions.
29. The auditor ordinarily assesses control risk at a high level for some or all assertions when:
- the entity’s accounting and internal control systems are not adequate;
- the entity’s accounting and internal control systems would not be efficient;
- the auditor is not provided with an adequate basis for evaluation of the adequacy and effectiveness of the accounting and internal control systems of the client entity.
30. The assessment of control risk for a financial statement assertion should normally be at less than high if the auditor:
- is able to identify internal controls relevant to the assertion which are likely to prevent or detect and correct a material misstatement; and
- plans to perform tests of control to support the assessment of control risk.
Documentation of Assessment of Control Risks
31. The auditor should document in the audit working papers:
- the understanding obtained of the entity’s accounting and internal control systems; and
- the assessment of control risk. When control risk is assessed at less than high, the auditor would also document the basis for the conclusions.
32. Different techniques may be used to document information relating to accounting and internal control systems. The form and extent of this documentation is influenced by the size and complexity of the entity and the nature of the entity’s accounting and internal control systems (for example, the more complex the entity’s accounting and internal control systems and the more extensive the auditor’s procedures, the more extensive the auditor’s documentation will need to be).
Tests of Control
33. Tests of control are performed to obtain audit evidence about the effectiveness of the accounting and internal control systems in respect of:
- design of the accounting and internal control systems, that is, whether they are suitably designed to prevent or detect and correct material misstatements; and
- operation of the accounting and internal control systems throughout the period.
34. Apart from tests of control, the auditor may perform other audit procedures to obtain audit evidence about the effectiveness of the design and operation of the accounting and internal control systems, such as evidence collected through inquiry and observation.
35. When the auditor concludes that procedures provide audit evidence about the effectiveness of the accounting and internal control systems relevant to a particular financial statement assertion, the auditor may use that audit evidence to support a control risk assessment at a low and medium level.
36. Tests of control may include:
- Inspection of documents supporting transactions and other events to gain audit evidence that the accounting and internal control systems have operated properly, for example, verifying that payment related documents have been authorized;
- Inquiries about, and observation of, the performance of those who carry out internal control assignments to determine whether any audit trails are left;
- Reperformance of internal controls, for example, reconciliation of bank accounts, petty cash and inventory count minutes and accounts receivable and payable, to ensure they were correctly performed by the entity.
37. The auditor should obtain audit evidence through tests of control support any assessment of control risk which is less than high. The lower the assessment of control risk, the more support the auditor should obtain that accounting and internal control systems are suitably designed and operating effectively.
38. When obtaining audit evidence about the effective operation of internal controls, the auditor considers how they were applied, the consistency with which they were applied during the period and by whom they were applied. The concept of effective operation recognizes that some deviations may have occurred due to changes in key personnel, significant seasonal fluctuations in volume of transactions and human error. When deviations are detected the auditor makes specific inquiries regarding these matters, particularly the timing of staff changes in key internal control personnel. The auditor then ensures that the tests of control appropriately cover such a period of change or fluctuation.
39. In a computer information systems environment, the objectives of tests of control do not change from those in a manual environment; however, some audit procedures may change. In case the accounting work and internal auditing is performed using computers the auditor may find it necessary, or may prefer, to use computer-assisted audit techniques to collect evidence about the effectiveness of the internal controls.
40. Based on the results of the tests of control, the auditor should evaluate whether the internal controls are designed and operating as contemplated in the preliminary assessment of control risk. The evaluation of deviations may result in the auditor concluding that the assessed level of control risk needs to be revised, thus to modify the nature, timing and extent of planned substantive procedures.
Final Assessment of Control Risk
41. Before the conclusion of the audit, based on the results of substantive procedures and other audit evidence obtained by the auditor should consider whether the assessment of control risk is confirmed.
Relationship Between the Assessments of Inherent and Control Risks
42. Inherent risk and control risk are highly interrelated; and therefore the auditor should assess inherent and control risks together.
Detection Risks
43. The level of detection risk relates directly to the auditor’s substantive procedures.
The auditor’s control risk assessment, together with the inherent risk assessment, influences the nature, timing and extent of substantive procedures to be performed to reduce detection risk, and therefore audit risk, to an acceptably low level.
To reduce audit risk to an acceptably low level, the auditor would consider:
- nature of substantive procedures, for example, using tests directed toward independent parties outside the entity rather than tests directed toward parties or documentation within the entity, or using tests of details for a particular audit objective in addition to analytical procedures;
- the timing of substantive procedures, for example, performing inventory procedures at period end rather than at an earlier date with adjustment; and
- the extent of substantive procedures, for example, using a larger sample size.
It is impossible however to entirely eliminate the detection risk even when the auditor has checked all the transactions and account balances
44. There is an inverse relationship between detection risk and the combined level of inherent and control risks. For example, when inherent and control risks are high, acceptable detection risk needs to be low to reduce audit risk to an acceptably low level. On the other hand, when inherent and control risks are low, an auditor can accept a higher detection risk and still reduce audit risk to an acceptably low level (see Appendix 01)
45. While tests of control and substantive procedures are distinguishable as to their purpose, the results of either type of procedure may contribute to the purpose of the other regarding assessment of inherent risk and control risk. For example misstatements discovered in conducting substantive procedures may cause the auditor to modify the previous assessment of control risk (see Appendix 01).
46. Regardless of the assessed levels of inherent and control risks, the auditor should perform some substantive procedures for material account balances and classes of transactions.
47. The auditor’s assessment of the components of audit risk may change during the course of an audit, for example, information may come to the auditor’s attention when performing substantive procedures that differs significantly from the information on which the auditor originally assessed inherent and control risks. In such cases, the auditor would modify the planned substantive procedures based on a revision of the assessed levels of inherent and control risks.
48. The higher the assessment of inherent and control risk, the more audit evidence the auditor should obtain from the performance of substantive procedures. When the auditor determines that detection risk regarding a financial statement assertion for a material account balance or class of transactions can not be reduced to an acceptable level, the auditor should express a qualified opinion or a disclaimer of opinion.
Audit Risk in the Small Business
49. The auditor needs to obtain the same level of assurance in order to express an unqualified opinion on the financial statements of both small and large entities. However, many internal controls which would be relevant to large entities are not practical in the small business. (For example, in large businesses, those involved in the supervisory controls are separate from the accounting staff while in small businesses, accounting procedures may be performed by a few persons. Accountants may take charge of the supervisory controls, and thus the internal controls are impaired). In circumstances where internal controls are limited due to the absence of segregation of duties, the audit evidence necessary to support the auditor’s opinion on the financial statements may have to be obtained entirely through the performance of substantive procedures.
Communication of Weaknesses
50. As a result of obtaining an understanding of the accounting and internal control systems and tests of control, the auditor may become aware of weaknesses in the systems. The auditor should make management aware, as soon as practical and at an appropriate level of responsibility, of material weaknesses in the design or operation of the accounting and internal control systems.
Such communication would ordinarily be in writing. However, if oral communication is found appropriate, the communication would be documented in the audit working papers.
APPENDIX 01
Interrelationship of the Components of Audit Risk
The following table shows how the acceptable level of detection risk may vary based on assessment of inherent and control risks.
Auditor’s assessment of control risk
High Medium Low
Auditor’s assessment of inherent risk High Lowest Lower Medium
Medium Lower Medium Higher
Low Medium Higher Highest
Notes:
- Both inherent risk and control risk are set at three levels: higher, medium and lower.
- The shaded areas relate to detection risk.
- Detection risk is set at five levels: highest, higher, medium, lower and lowest.
There is an inverse relationship between detection risk and the combined level of inherent control risks. For example when inherent risk is assessed as high and control risk is low, acceptable levels of detection risk need to be medium to reduce audit risk to an acceptable low level. On the other hand, when inherent risk is low and control risk is medium, the auditor can accept detection risk as higher and still reduce audit risk to an acceptably low level.
