Page 69 - Internal Auditing Standards
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1—Core Concepts
Control Activities in Smaller Entities
Risks May be Mitigated by the Control Environment (See Volume 1, Chapter 5.3)
Comments
Certain types of control activities may not be relevant because of controls applied by senior management. For example, management's approval of significant transactions can provide strong control over important account balances and transactions, lessening or removing the need for more detailed control activities. Some transactional misstatements (usually addressed by control activities in larger entities) could be mitigated by:
• A corporate culture that emphasizes the importance of control;
• Employing highly competent staff;
• Monitoring revenues and expenditures against an established budget;
• Requiring senior management’s approval of all major transactions;
• Monitoring of key performance indicators; and
• Assigning responsibilities among staff so as to maximize the segregation of duties.
Control activities, relevant to the audit, would potentially mitigate risks such as:
• Significant risks
Identified and assessed risks of material misstatement that, in the auditor’s judgment, require special
audit consideration. (Refer to Volume 2, Chapter 10.)
• Risks that cannot easily be addressed by substantive procedures
These are identified and assessed risks of material misstatement for which substantive procedures alone
would not provide sufficient appropriate audit evidence.
• Other risks of material misstatement
The auditor’s judgment about whether a control activity is relevant to the audit is influenced by:
• Knowledge about the presence/absence of control activities identified in other components of internal
control. If a particular risk has already been adequately addressed (such as by the control environment,
information system, etc.), there is no need to identify any additional controls that may exist.
• The existence of multiple control activities that achieve the same objective. It is unnecessary to obtain
an understanding of each of the control activities related to such an objective.
• Increased audit efficiency that will be gained from testing the operating effectiveness of certain key
controls. This could occur when:
– Obtaining audit evidence through a test of the operating effectiveness of controls may be more
cost efficient than performing substantive procedures. Tests of controls typically result in smaller
sample sizes than substantive tests. If the controls are automated, a sample size of just one item
(assuming good general IT controls) may be all that is required. In addition, if the control system
and personnel involved have not changed from previous years, it may be possible (under certain
conditions) to limit the test of operating effectiveness of controls to once every three years. (See
Volume 2, Chapter 17.)
– Substantive procedures alone would not provide sufficient appropriate audit evidence at the
assertion level. For example, the completeness assertion for sales revenue can be difficult (and
sometimes impossible) to address by substantive procedures alone. In these situations, it would
be worthwhile to identify any internal controls that address the risk and assertion involved. If the