Page 61 - Internal Auditing Standards
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1—Core Concepts
Control Element: Human Resources Policies and Practices

The Key Question: What standards are in place to ensure:
• Recruitment of the most competent and trustworthy people?
• Training is provided to ensure people can perform their jobs?
• Promotions are driven by performance appraisals?

Possible Controls:
• Management establishes/enforces standards for hiring the most qualified individuals.
• Recruiting practices include employment interviews, background checks, and communication of values, expected behaviors, and management’s operating style.
• Job performance is periodically evaluated, the results reviewed with each employee, and appropriate action taken.
• Training policies address prospective roles and responsibilities, expected levels of performance, and evolving needs.

5.4 Risk Assessment
Paragraph # Relevant Extracts from ISAs
315.15 The auditor shall obtain an understanding of whether the entity has a process for:
(a) Identifying business risks relevant to financial reporting objectives;
(b) Estimating the significance of the risks;
(c) Assessing the likelihood of their occurrence; and
(d) Deciding about actions to address those risks. (Ref: Para. A79)
315.16 If the entity has established such a process (referred to hereafter as the “entity’s risk
assessment process”), the auditor shall obtain an understanding of it, and the results thereof.
If the auditor identifies risks of material misstatement that management failed to identify, the
auditor shall evaluate whether there was an underlying risk of a kind that the auditor expects
would have been identified by the entity’s risk assessment process. If there is such a risk, the
auditor shall obtain an understanding of why that process failed to identify it, and evaluate
whether the process is appropriate to its circumstances or determine if there is a significant
deficiency in internal control with regard to the entity’s risk assessment process.
315.17 If the entity has not established such a process or has an ad hoc process, the auditor shall
discuss with management whether business risks relevant to financial reporting objectives
have been identified and how they have been addressed. The auditor shall evaluate whether
the absence of a documented risk assessment process is appropriate in the circumstances, or
determine whether it represents a significant deficiency in internal control. (Ref: Para. A80)