Page 97 - Internal Auditing Standards
P. 97
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1—Core Concepts
Paragraph # Relevant Extracts from ISAs
315.11 The auditor shall obtain an understanding of the following:
(a) Relevant industry, regulatory, and other external factors including the applicable fi nancial
reporting framework. (Ref: Para. A17-A22)
(b) The nature of the entity, including:
(i) its operations;
(ii) its ownership and governance structures;
(iii) the types of investments that the entity is making and plans to make, including
investments in special-purpose entities; and
(iv) the way that the entity is structured and how it is financed to enable the auditor
to understand the classes of transactions, account balances, and disclosures to be
expected in the financial statements. (Ref: Para. A23-A27)
(c) The entity’s selection and application of accounting policies, including the reasons for
changes thereto. The auditor shall evaluate whether the entity’s accounting policies
are appropriate for its business and consistent with the applicable fi nancial reporting
framework and accounting policies used in the relevant industry. (Ref: Para. A28)
(d) The entity’s objectives and strategies, and those related business risks that may result in
risks of material misstatement. (Ref: Para. A29-A35)
(e) The measurement and review of the entity’s financial performance. (Ref: Para. A36-A41)
315.12 The auditor shall obtain an understanding of internal control relevant to the audit. Although
most controls relevant to the audit are likely to relate to financial reporting, not all controls that
relate to financial reporting are relevant to the audit. It is a matter of the auditor’s professional
judgment whether a control, individually or in combination with others, is relevant to the
audit. (Ref: Para. A42-A65)
8.1 Overview
The purpose of risk assessment procedures is to identify and assess risks of material misstatement. This is
achieved through understanding the entity and its environment, including internal control. Information may
be obtained from external sources, such as the Internet and trade publications, and from internal sources
such as discussions with key personnel. This understanding of the entity becomes a continuous, dynamic
process of gathering, updating and analyzing information throughout the audit.
8.2 Audit Evidence
Risk assessment procedures provide audit evidence to support the assessment of risks at the fi nancial
statement and assertion levels. However, this evidence does not stand alone. Evidence obtained from risk
assessment procedures is supplemented by further audit procedures (that respond to the risks identifi ed)
such as tests of controls and/or substantive procedures.
Required Procedures
The auditor uses professional judgment to determine the risk assessment procedures to be performed, and the
scope or depth of understanding of the entity that is required. In the first year that the auditor conducts the
audit for an entity, the work required to obtain and document this information will often require a signifi cant
amount of time. However, if the information obtained is well documented in the first year, the time required to
update the information in subsequent years should be considerably less than that required in the fi rst year.
95
