Page 99 - Internal Auditing Standards

Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1—Core Concepts




        In smaller entities, the procedures required to identify these risks may be minimal, whereas in larger and more
        complex entities, the procedures could be extensive.


        8.3    The Three Risk Assessment Procedures

        Each of the three risk assessment procedures should be performed during the audit, but not necessarily for each
        aspect of the understanding required. In many situations, the results from performing one type of procedure
        may lead to performing another. For example, in an interview with the sales manager, an unusual but significant
        sales contract might be identified. This could be followed up by an inspection of the actual sales contract and
        an analysis of the impact on sales margins. Alternatively, findings from performing analytical procedures on
        preliminary operating results may trigger some questions for management. The answers to these questions may
        then lead to requests to inspect certain documents or observe some activities.

        The nature and use of the three procedures are outlined below.


        8.4    Inquiries of Management and Others (including inquiries relating to fraud)







        [Figure: Inquiries of Management and Others]










            Paragraph #           Relevant Extracts from ISAs

            240.17                The auditor shall make inquiries of management regarding:
                                  (a)   Management’s assessment of the risk that the financial statements may be materially
                                        misstated due to fraud, including the nature, extent and frequency of such assessments;
                                        (Ref: Para. A12-A13)
                                  (b)   Management’s process for identifying and responding to the risks of fraud in the entity,
                                        including any specific risks of fraud that management has identified or that have been
                                        brought to its attention, or classes of transactions, account balances, or disclosures for
                                        which a risk of fraud is likely to exist; (Ref: Para. A14)
                                  (c)   Management’s communication, if any, to those charged with governance regarding its
                                        processes for identifying and responding to the risks of fraud in the entity; and
                                  (d)   Management’s communication, if any, to employees regarding its views on business
                                        practices and ethical behavior.

            240.18                The auditor shall make inquiries of management, and others within the entity as appropriate,
                                  to determine whether they have knowledge of any actual, suspected or alleged fraud affecting
                                  the entity. (Ref: Para. A15-A17)







