2012 Sri Lanka Auditing Standards 315

8/12/2019 2012 Sri Lanka Auditing Standards 315

http://slidepdf.com/reader/full/2012-sri-lanka-auditing-standards-315 1/22Page 1

Sri Lanka Auditing Standards 315Page 1

A Presentation on-

Sri Lanka Auditing Standards 315Understanding the Entity and itsEnvironment and Assessing the Risks ofMaterial Misstatement.

Obtain

Identify & Assess

Design &Implement

Risk of material misstatements of F/S dueto Fraud or Error at the F/S & assertionslevel

SLAuS 200- Objectives & General Principals GoverninganAudit of F/S ( Audit Risk)

SLAuS 240- The Auditor ’s Responsibil ity to Consider Fraud in andAudit of FinancialStatements.

Responses to the assessed risks of material misstatement.

SLAuS 500=Audit Evidence

Introduction

An understanding the entity and itsenvironment, including internal controls

SLAuS 315- Understanding the Entity and itsEnvi ronment and assessing the ri sks o f Mater ialMisstatement.

Sri Lanka Auditing Standards 315-Understanding the Entityand its Environment and Assessing t he Risks of MaterialMisstatement.



SLAuS 3 5 vs Clarified SLAuS 3 5

► There have not been any substantial changes to the requirements inSLAuS 315, but text relating to the description of key financialstatement assertions has been lifted from SLAuS 500 Audi t Evidenceinto the clarified SLAuS 315.

► Clarified SLAuS is expected to be effective from 1/1/2014.

► IFAC has issued a practical guide based on Clarified ISA. The

Presentation will be based on this guide, using the existingrequirements of SLAuS 315.


Requirements of SLAuS 3 5

► Risk assessment procedures andsources of information about the entityand its environment, including its internalcontrol. – Risk Identification

► Understanding the entity and itsenvironment, including its internalcontrol.- Understand the Risks

► Assessing the Risks of MaterialMisstatement.(RMM) - Risk Assessment

► Communicating with those charged withgovernance and management.

► Documentation.


This Implementation Guide was prepared by the Small and Medium Practices Committee of theInternational Federation of Accountants (IFAC). The committee represents the interests of professionalaccountants operating in small- and medium-sized practices and other professional accountants whoprovide services to small- and medium-sized entities.This publication may be downloaded free of charge f rom the IFAC website: www.ifac.org.The approved text is published in the English language.



Source- IFAC Guide to using ISA in the Audits of Small and Medium Sized Entities- Vol 2- Practical Guidance ( Based on Clarified ISA)


Risk Assessment – Overview.



Identify ing & Assessing the Risk of Material Misstatement .

Audit Risk= Inherent Risk x Control Risk x Detection Risk





Risk Assessment Phase- Major Steps



Risk assessment p rocedures and sources ofinformation




Source- IFAC Guide to using ISA in the Audits ofSmall and Medium Sized Entities- Vol 2-Practical Guidance ( Based on Clarified ISA)

Identification of risk is the foundation of the audit. Without a solid understanding ofthe entity, the auditor may miss certain risk factors. e.g increase in client’s saleswhen the industry sales have declined.Effective identification & assessment of risk provides the auditor with the informationneeded to direct audit effort to areas where the risk of material misstatement is thehighest, and away from less risky areas.

Risk assessment has two distinct parts:

• Risk identification (asking “what can go wrong”)

• Risk assessment (determining the significanceof each risk).

Risk Identification



Risk Identification – Types of Risks

There are two major classifications of risk:

Business riskFraud ri sk .

The difference between business risk and fraud risk is that fraud risk results froma person’s deliberate actions. In many instances, a risk can be both a businessand a fraud risk.

The business and fraud risks (inherent risks) are identified before anyconsideration of any internal controls that might mitigate such risks.

The introduction of a new accounting system creates uncertainty (errors could be made as personnellearn the new system) and would be classified as a business risk. However, it could also be classified asa fraud risk , because someone could take advantage of the uncertainty to misappropriate assets ormanipulate the financial statements.





Risk Identification -Types of Risks(contd.)

Business Risk Fraud Risk•significant conditions, events, circumstances,actions, or inactions that could adversely affectthe entity’s ability to achieve its objectives andexecute its strategies.•inappropriate objectives and strategies.•events that arise from change, complexity, orthe failure to recognize the need for change.

The development of new products that may fail; An inadequate market, even if new products aresuccessfully developed; or Flaws in the products that may result in liabilitiesand damage to the entity’s reputation.

Fraud risk relates to events orconditions that indicate an incentive orpressure to commit fraud or providean opportunity to commit fraud.

The auditor’s understanding of business and fraud risk factors increases the likelihood ofidentifying the risks of material misstatement. However, there is no responsibility for theauditor to identify or assess all of the possible business risks.


Source- IFAC Guide to using ISA in the Audits ofSmall and Medium Sized Entities- Vol 2- PracticalGuidance ( Based on Clarified ISA)

Inherent Risk Identification-Sources of Information

Inquiries Analyt ical Review Proc edur esObservations & InspectionsEngagement Team Discussions




Source- IFAC Guide to using ISA in the Audits of Small and MediumSized Entities- Vol 2- Practical Guidance ( Based on Clarified ISA)

Understand The Risks- TheKey Areas



Understand The Risks- The Key Areas Examples



CONSIDER POINTFor each risk factor identified, considerwhether it is a business risk, a fraudrisk, or both. Many sources of risk can result in both business andfraud risks. For example, a change inaccounting personnel can resultin errors being made (business risk), butmay also provide an opportunity forsomeone to commit a fraud.


Source- IFAC Guide to using ISA in the Audits of Small and Medium Sized Entities- Vol 2-Practical Guidance ( Based on Clarified ISA)

Fraud Risk- Characteristics of Fraud.The term “fraud” refers to an intentional act byone or more individuals among management,those chargedwith governance, employees, or third partiesinvolving the use of deception to obtain anunjust or illegal advantage.

Fraud involving one or more members ofmanagement or those charged with governanceis referred to as“ management fraud.”

Fraud involving only employees of the entity isreferred to as “employee fraud.”

In either case, there may be collusion within theentity or with third parties outside of the entity.

CONSIDER POINTFor each risk factor identified, considerwhether it is a business risk, a fraudrisk, or both. Many sources of risk can result in both business andfraud risks. For example, a change inaccounting personnel can resultin errors being made (business risk), butmay also provide an opportunity forsomeone to commit a fraud.


Source- IFAC Guide to using ISA in the Audits of Small and Medium Sized Entities- Vol 2-Practical Guidance ( Based on Clarified ISA)

Fraud Risk- Characteristics of Fraud.The term “fraud” refers to an intentional act byone or more individuals among management,those chargedwith governance, employees, or third partiesinvolving the use of deception to obtain anunjust or illegal advantage.

Fraud involving one or more members ofmanagement or those charged with governanceis referred to as“ management fraud.”

Fraud involving only employees of the entity isreferred to as “employee fraud.”

In either case, there may be collusion within theentity or with third parties outside of the entity.





Risk Identification Process



Risk Identification Process





Documenting the Risk Identification Process



Documenting th e Risk Identification Process -Example





Source- IFAC Guide to using ISA in the Audits of Small andMedium Sized Entities-Vol 2- Practical Guidance ( Based onClarified ISA)







Assessment of Inheren t Ris ks


The next step is to assess the identified risks and determine their significancefor the audit of the financial statements. Again, it is preferable to assess theinherent risks before considering any internal control that might mitigate suchrisks. Risk assessment involves consideration of two attributes about the risk:

• What is the likelihood of a misstatement occurring as a result of the risk?• What would be the magnitude (monetary impact) if the risk did occur?

Likelihood of a Misstatement OccurringWhat is the probability that the risk will occur? The auditor couldevaluate this probability simply as high,medium, or low, or could assign a numerical score, such as 1 to5. A numerical score provides a slightly more preciseassessment. The higher the score, the more likely the risk wouldoccur.

Magnitude (Monetary Impact) if the Risk Did Occur

If the risk occurred, what would be the monetary impact? This judgment needs to be assessed againsta specified monetary amount, such as performance materiality.This assessment can also be evaluated simply as high, medium,or low, or by assigning a numerical score, such as 1 to 5. Thehigher the score is, the higher the magnitude of the risk.


Assessment o f Inheren t Ris ks -Example






Understanding Internal Control


Understanding Internal Control


Audit Risk= Inherent Risk x Control Risk x Detection Risk




Understanding Internal Controls - Pervasive & Specific InternalControls


Pervasive and SpecificInternal Controls

Internal controls can bebroadly categorized aspervasive (or entity-level)controls that addresspervasive risks,and specific (transactional)controls that address specificrisks.


Understanding Internal Controls- 5 Elements of Internal Control


Each of these components is to be addressed by the auditor as:

Part of the understanding of the internal control (over financial reporting)

Information for considering how the different aspects of internal control may affectthe audit

CONSIDER POINTHow an entity actually designs andimplements its internal control will varywith an entity’s size and complexity. Insmaller entities, the owner-manager mayperform functions that address several ofthe components of internal control.




Internal Control s Relevant to the Audit (the scope of understanding)

Source- IFAC Guide to using ISA in the Audits of Small andMedium Sized Entities- Vol 2- Practical Guidance ( Based onClarified ISA)

Not all controls are relevant to the audit and require understanding. The auditor is onlyconcerned with understanding and evaluating those controls that would mitigate a riskof a material misstatement (due to fraud or error) in the financial statements. Thismeans that certain types of controls can be scoped out of theaudit altogether.

These are controls that:

• Do not drive financial reporting (suchas operational controls and controlsthat address compliance withregulations); and

• Even if non-existent, a materialmisstatement in the financialstatements would be unlikely.


Internal Controls Relevant to t he Audit -Example





Assessment of Internal Cont ro ls – 4 Step Process

Source- IFAC Guide to using ISA in the Audits of Small and Medium Sized Entities-Vol 2- Practical Guidance ( Based on ClarifiedISA)

Regardless of the whether tests ofcontrols will ultimately be performed togather audit evidence, it is stillnecessary for the auditor on everyengagement to evaluate control designand implementation. This involvesa four-step process.


Assessment of Internal Con trols – 4 Step Process


One-Risk-to-Many Contro lsUnder this approach, each risk factor is considered by itself. All thecontrols that address that particular riskfactor are identified. This approach is particularly useful for mappingthe pervasive (entity-level) risk factors to controls

Many-Risks-to-Many Contr olsFor specific c and transactional risks, the most common approach to evaluating designis through the use of what is sometimes called a “control design matrix.”




Assessment of Internal Con trols – 4 Step Process


One-Risk-to-Many Contro lsUnder this approach, each risk factor is considered by itself. All thecontrols that address that particular riskfactor are identified. This approach is particularly useful for mappingthe pervasive (entity-level) risk factors to controls

Many-Risks-to-Many Contr olsFor specific c and transactional risks, the most common approach to evaluating designis through the use of what is sometimes called a “control design matrix.”


Assessment of Internal Con trols – 4 Step Process (con td .)

Source- IFAC Guide to using ISA in the Audits of Small and Medium SizedEntities- Vol 2- Practical Guidance ( Based on Clarified ISA)

CONSIDER POINTFor smaller entities, there is an even simpler way of assessingtransactional controls. First, identify the risk factors (see Step 1above) and the assertion(s) affected. Then, instead of mappingidentified controls to each individual risk factor, identify controlsthat address the assertions affected by the risk.If no controls are identified for a particular assertion, asubstantive audit response would need to be developed. If thecontrols identified are expected to operate reliably, the auditresponse could include a test of relevant key controls. Forexample, the risk of unrecorded sales addresses thecompleteness assertion. Identification of relevant controls couldbe limited to those that address the completeness assertion ingeneral, rather than the one specific risk.

A summary of the overall control evaluation









The most common forms ofdocumentation prepared by

management or the auditor are:

Narrative descriptions ormemoranda;Flow charts;

A combination of flow charts andnarrative descriptionsQuestionnaires and checklists.





Assessment of Internal Con trol s –4 Step Process (con td .)



Regardless of how well a c ontrol is designed andimplemented, it can only provide reasonable assuranceabout the achievement of an entity’s objectives withregard to reliability of financial reporting due to c ertaininherent limitations.

Assessment of Internal Con trol s –4 Step Process (contd.)





Concluding the Risk Assessment Phase



Concluding the Risk Assessment Phase

The final step in the risk assessment phase of the audit is to review the results of the risk assessmentprocedures performed, and then assess (or, if already assessed, summarize) the risks of materialmisstatements at:

The financial statement level; andThe assertion level for classes of tr ansactions, account balances, and disclosures.

The resulting list of assessed riskswill form the foundation for the nextphase in the audit, which is todetermine how to respondappropriately to the assessed risksthrough the design of further audit

procedures.





Audi t Evidenc e Obtained to Date

The evidence obtained to date, by performing risk assessment procedures, consists of identificationand assessment of inherent risks, and the design and implementation of internal controls that addressthose risks.What is left is the risk of material misstatement. This is simply the remaining risk after taking intoaccount the effect of internal controls put in place to mitigate the inherent risks..



Summarizing the Various Risk AssessmentsThe purpose of assessing risks is to provide the foundation and a reference point for what is needed torespond appropriately with well-designed and efficient further audit procedures.

The summary of assessed risks brings together t he inherent risk factors identified and the evaluationof any internal control designed to mitigate such risks.

Note: There is a moderate level of riskat the financial statement level which ismitigated by good entity-level andpossibly other controls. The result is alow assessed risk at the financialstatement level.

The summary of assessed risks at the

assertion level is a combination of theassessment of inherent and controlrisks that apply t o individual financialstatement balances, transactions, anddisclosures. The inherent risks aremoderate, and there are no relevantinternal controls, so the control risk ishigh. The result is t herefore a moderateresidual risk for this particular assertion.


http://slidepdf.com/reader/full/2012-sri-lanka-auditing-standards-315 22/22

Special auditconsideration

Key elementsDiscussion

Documentation

Risks

Engagement Teamdiscussion and decisionreached

Identified & assessedrisks at F/S level andassertions level

Risk identified and related controlsabout special audit considerations

Understanding of entity and itsenvironment , including internal controlsand Risk assessment procedure s

Documentation

Sri Lanka Auditing Standards 315

Thank You

Sri Lanka Auditing Standards 315

Documents

2012 Sri Lanka Auditing Standards 315