PROFE04- AUDITING AND ASSURANCE_PRINCIPLES AND SPECIALIZED INDUSTRIES

CHAPTER 2 RISK ASSESSMENTS AND INTERNAL CONTROL

LEARNING OBJECTIVES:
Understand the concept of planning an audit of financial statements.
Understanding the entity and its environment and assessing the risks of
material misstatement.
Explain the auditor’s procedures in response to assessed risks.
Explain audit materiality (amended by PSA 240 [revised 2005])
Determine the analytical procedures.
Discuss the related parties.
Learn considering the work of internal audit.
Understand the risk using the work of an expert.

PSA 300 (Revised) PLANNING AN AUDIT OF FINANCIAL STATEMENTS

1. Planning an audit involves:

 establishing the overall audit strategy for the engagement and
 developing an audit plan,
 In order to reduce audit risk to an acceptably low level.

Preliminary Engagement Activities

2. The auditor should perform the following activities at the beginning of the current
audit engagement:
 Perform procedures regarding the continuance of the client relationship and
the specific audit engagement.
 Evaluate compliance with ethical requirements, including independence.
 Establish an understanding of the terms of the engagement.

Planning Activities
3. The auditor should establish the overall audit strategy for the audit. The overall
audit strategy sets the scope, timing and direction of the audit, and guides the
development of the more detailed audit plan

1
 PROFE04- AUDITING AND ASSURANCE_PRINCIPLES AND SPECIALIZED INDUSTRIES

4. The establishment of the overall audit strategy involves:

a.) Determining the characteristics of the engagement that define its scope;
b.) Ascertaining the reporting objectives of the engagement to plan the timing of the
audit and the nature of the communication required; and
c.) Considering the important factors that will determine the focus of the
engagement team’s efforts.
5. The auditor should develop an audit plan for the audit in order to reduce audit risk
to an acceptably low level.
6. The audit plan is more detailed than the overall audit strategy and includes the
nature, timing and extent of audit procedures to be performed by engagement team
members in order to obtain sufficient appropriate audit evidence to reduce audit risk
to an acceptably low level.
7. The audit plan includes:
 A description of the nature, timing and extent of planned risk assessment
procedures sufficient to assess the risks of material misstatement as determined
under PSA 315, “Understanding the Entity and its Environment and Assessing
the Risks of Material Misstatement.”;
 A description of the nature, timing and extent of planned further audit
procedures at the assertion level for each material class of transactions, account
balance, and disclosure, as determined under PSA 330, “The Auditor’s
Procedures in Response to Assessed Risks,”; and
 Such other procedures required to be carried out for the engagement in order to
comply with PSAs

Changes to Planning Decisions during the Course of the Audit

The overall audit strategy and the audit plan should be updated and changed as
necessary during the course of the audit.

Direction, Supervision and Review

1. The auditor should plan the nature, timing and extent of direction and supervision of
engagement team members and review their work.

2. The nature, timing and extent of the direction and supervision of engagement team
members and review of their work vary depending on many factors, including:
 The size and complexity of the entity;
 The area of audit;
 The risks of material misstatement; and
 The capabilities and competence of personnel performing the audit work.

3. The auditor plans the nature, timing and extent of direction and supervision of
engagement team members based on the assessed risk of material misstatement.

2
 PROFE04- AUDITING AND ASSURANCE_PRINCIPLES AND SPECIALIZED INDUSTRIES

Documentation

The auditor should document the overall audit strategy and the audit plan, including any
significant changes made during the audit engagement.

Communications with Those Charged with Governance and Management

1. The auditor may discuss elements of planning with those charged with governance
and the entity’s management.
2. Discussions with those charged with governance ordinarily include the overall audit
strategy and timing of the audit, including any limitations thereon, or any additional
requirements.
3. When discussion of matters included in the overall audit strategy or audit plan
occur, care is required in order not to compromise the effectiveness of the audit.

Additional Considerations in Initial Audit Engagements

The auditor should perform the following activities prior to starting an initial audit:
1. Perform procedures regarding the acceptance of the client relationship and the
specific audit engagement.
2. Communicate with the previous auditor, where there has been a change of
auditors, in compliance with relevant ethical requirements.

PSA 315 UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND

ASSESSING THE RISKS OF MATERIAL MISSTATEMENT

3
 PROFE04- AUDITING AND ASSURANCE_PRINCIPLES AND SPECIALIZED INDUSTRIES

1. The auditor should obtain an understanding of the entity and its environment,
including its internal control, sufficient to identify and assess the risks of material
misstatement of the financial statements whether due to fraud or error, and
sufficient to design and perform further audit procedures.

2. The auditor should perform the following risk assessment procedures to obtain an
understanding of the entity and its environment, including its internal control:

a.) Industry, regulatory, and other external factors, including the applicable financial
reporting framework.
b.) Nature of the entity, including the entity’s selection and application of accounting
policies.
c.) Objectives and strategies and the related business risks that may result in a
material misstatement of the financial statements.
d.) Measurement and review of the entity’s financial performance.
e.) Internal control.

INTERNAL CONTROL

1. Internal control is the process designed and effected by those charged with
governance, management, and other personnel to provide reasonable assurance
about the achievement of the entity’s objectives with regard to:
 Reliability of financial reporting;
 Effectiveness and efficiency of operations; and
 Compliance with applicable laws and regulations.

2. The auditor uses the understanding of internal control to:

 Identify types of potential misstatements;
 Consider factors that affect the risks of material misstatement; and
 Design the nature, timing and extent of further audit procedures.

3. Internal control consists of the following components:

1.) The control environment.

4
PROFE04- AUDITING AND ASSURANCE_PRINCIPLES AND SPECIALIZED INDUSTRIES

2.) The entity’s risk assessment process.

3.) The information system, including the related business processes, relevant to
financial reporting, and communication.
4.) Control activities.
5.) Monitoring of controls.

The control environment includes the governance and management functions and
the attitudes, awareness, and actions of those charged with governance and
management concerning the entity’s internal control and its importance in the entity.

Elements of control environment:

a) Communication of enforcement of integrity and ethical values.
b) Commitment to competence.
c) Participation by those charged with governance.
d) Management’s philosophy and operating style.
e) Organizational structure.
f) Assignments of authority and responsibility.
g) Human resource policies and practices.

The auditor should obtain an understanding of the entity’s risk assessment

process, i.e., the entity’ process for identifying business risks relevant to financial
reporting objectives and deciding about actions to address those risks, and the
results thereof.

The auditor should obtain an understanding of the information system, including

the related business processes, relevant to financial reporting, including the
following areas:

 The classes of transactions in the entity’s operations that is significant to the

financial statements.

 The procedures, within both IT and manual systems, by which those

transactions are initiated, recorded, processed and reported in the financial
statements.

 The related accounting records, whether electronic or manual, supporting

information, and specific accounts in the financial statements, in respect of
initiating, recording, processing and reporting transactions.

 How the information system captures events and conditions, other than
classes of transactions that are significant to the financial statements.

5
 PROFE04- AUDITING AND ASSURANCE_PRINCIPLES AND SPECIALIZED INDUSTRIES

 The financial reporting process used to prepare the entity’s financial

statements, including significant accounting estimates and disclosures.

Control activities are the policies and procedures to help ensure that management
directives are carried out. Examples of control activities include those relating to the
following:
 Authorization
 Performance reviews.
 Information processing.
 Physical controls.
 Segregation of duties.

Monitoring of controls involves assessing the design and operation of controls on

a timely basis and taking the necessary corrective actions modified for changes in
conditions.

4. Obtaining an understanding of internal control involves:

a) Evaluating the design of a control; and
b) Determining whether it has been implemented.

ASSESSING THE RISKS OF MAERIAL MISSTATEMENT

1. The auditor should identify and assess the risks of material misstatement at the
financial statements level, and at the assertion level for classes of transactions,
account balances, and disclosures.

2. The auditor:
 Identifies risks throughout the process of obtaining an understanding of the
entity and its environment, including relevant controls that relate to the risks,
and by considering the classes of transactions, account balances, and
disclosures in the financial statements;
 Relates the identified risks to what can go wrong at the assertion level;

6
 PROFE04- AUDITING AND ASSURANCE_PRINCIPLES AND SPECIALIZED INDUSTRIES

 Considers whether the risks are of a magnitude that could result in a material
misstatement of the financial statements; and
 Considers the likelihood that the risks could result in a material misstatement
of the financial statements.

PSA 330 THE AUDITOR’S PROCEDURES IN REPONSE TO ASSESSED RISKS

Overall responses
1. The auditor should determine overall responses to address the risks of material
misstatement at the financial statement level. Such responses may include:
 Emphasizing to the audit team the need to maintain professional
skepticism n gathering and evaluating audit evidence
 Assigning more experienced staff or those with special skills or
using experts
 Providing more supervision
 Incorporating additional elements of unpredictability in the selection
of further audit procedures to be performed
 Making general changes to the nature, timing or extent of audit
procedures

Audit Procedures Responsive to Risks of Material Misstatement at the Assertion

Level
1. In designing further audit procedures, the auditor considers the following:
 The significance of the risk
 The likelihood that the material misstatement will occur
 The characteristics of the class transactions, account balance, or
disclosure involved.
 The nature of the specific controls used by the entity and in
particular whether they are manual or automated
 Whether the auditor expects to obtain audit evidence to determine if
the entity’s controls are effective n preventing, or detecting and
correcting, material misstatements

7
PROFE04- AUDITING AND ASSURANCE_PRINCIPLES AND SPECIALIZED INDUSTRIES

2. Considering the nature, timing and extent of further audit procedures

The nature of further audit procedures refers to their:

a. Purpose- tests of controls or substantive procedures
b. Type - inspection, observation, inquiry, confirmation, recalculation,
reperformance, or analytical procedures.

Timing refers to when audit procedures are performed or the period or date to
which the audit evidence applies.

Extent includes the quantity of a specific audit procedure to be performed.

TESTS OF CONTROLS

1. The auditor is required to perform tests of controls when:

a. The auditor’s risk assessment includes an expectation of the operating
effectiveness of controls; or
b. When the substantive procedures alone do not provide sufficient
appropriate audit evidence at the assertion level

2. Tests of the operating effectiveness of controls are performed only on those

controls that the auditor has determined are suitably designed to prevent, or
detect and correct, a material misstatement in an assertion
3. Testing the operating effectiveness of controls includes obtaining evidence
about:
a. How controls were applied at relevant times during the period under
audit;
b. The consistency with which they were applied; and
c. By whom or by what means they were applied.

SUBSTANTIVE PROCEDURES
1. Substantive test procedures are performed in order to detect material
misstatements at the assertion level, and include:

8
 PROFE04- AUDITING AND ASSURANCE_PRINCIPLES AND SPECIALIZED INDUSTRIES

 Tests of details of classes of transactions, account balances, and

disclosures; and
 Substantive analytical procedures
2. The auditor’s substantive procedures should include the following audit
procedures related to the financial statement closing process:
 Agreeing or reconciling the financial statements with accounting
records; and
 Examining material journal entries and other adjustments made
during the course of preparing the financial statements
3. The auditor should perform audit procedures to evaluate whether the overall
presentation of the financial statements, including the related disclosures, are in
accordance with the applicable financial reporting framework.

Evaluating the sufficiency and appropriateness of audit evidence obtained

1. Based on the audit procedures performed and the audit evidence obtained, the
auditor should evaluate whether the assessments of the risks of material
misstatement at the assertion level remain appropriate.
2. The auditor should conclude whether the assessments of the risks of material
misstatement in the financial statements.
3. If the auditor has not obtained sufficient appropriate audit evidence as to a
material financial statement assertion, the auditor should attempt to obtain further
audit evidence. If the auditor is unable to obtain further audit evidence, the
auditor should express a qualified opinion or a disclaimer of opinion.

Documentation
1. The auditor should document:
 The overall responses to address the assessed risks of material
misstatement at the financial statement level and the nature, timing,
and extent of the further audit procedures;
 The linkage of those procedures with the assessed risks at the
assertion level; and
 The results of the audit procedures
2. If the auditor plans to use audit evidence about the operating effectiveness of
controls obtained in prior audits, the auditor should document the conclusions
reached with regard to relying on such controls that were tested in a prior audit.
3. The auditor’s documentation should demonstrate that the financial statements
agree or reconcile with the underlying accounting records.

9
 PROFE04- AUDITING AND ASSURANCE_PRINCIPLES AND SPECIALIZED INDUSTRIES

PSA 320 AUDIT MATERIALITY

1. Materiality should be considered by the auditor when:

 Determining the nature, timing and extent of audit procedures; and
 Evaluating the effect of misstatements
2. There is an inverse relationship between materiality and the level of audit risk
3. In evaluating whether the financial statements are prepared, in all material
respects, in accordance with an applicable financial reporting framework, the
auditor should assess whether the aggregate of uncorrected misstatements that
have been identified during the audit is material.
4. If the auditor concludes that the aggregate of uncorrected misstatements may be
material, the auditor needs to consider:
 Reducing audit risk by extending audit procedures; or
 requesting management to adjust the financial statements for the
misstatements identified
5. If management refuses to adjust the financial statements and the results of
extended audit procedures do not enable the auditor to conclude that the
aggregate of uncorrected misstatements is not material, the auditor should
consider the appropriate modification to the auditor’s report.
6. If the auditor has identified a material misstatement resulting from error, the
auditor should communicate the misstatements to the appropriate level of
management on a timely basis, and consider the need to report it to those
charged with governance.

10
PROFE04- AUDITING AND ASSURANCE_PRINCIPLES AND SPECIALIZED INDUSTRIES

PSA 520 ANALYTICAL PROCEDURES

1. “Analytical procedures” means the analysis of significant ratios and trends

including the resulting investigation of fluctuations and relationships that are
inconsistent with other relevant information or which deviate from predicted
amounts.
2. Analytical procedures also include consideration of comparisons of the entity’s
financial statements:
a. Comparable information for prior periods
b. Anticipated results of the entity, such as budgets or forecasts, or
expectations of the auditor, such as an estimation of depreciation
c. Similar industry information
3. Analytical procedures also include consideration of relationships:
a. Among elements of financial information that would be expected to
conform to a predictable patter based on the entity’s experience, such
as gross margin percentages.
b. Between financial information and relevant no-financial information,
such as payroll costs to numbers and employees
4. The auditor should apply analytical procedures at the planning stage to assist in
understanding the business and in identifying areas of potential risk. Analytical
procedures in planning the use both financial and non-financial information.
5. The auditor should apply analytical procedures at or near the end of the audit
when performing an overall conclusion as to whether the financial statements as
a whole are consistent with the auditor’s knowledge of the business.
6. The application of analytical procedures is based on the expectation that
relationships among data exist and continue in the absence of known conditions
to the contrary. The presence of these relationships provides audit evidence as
to the completeness, accuracy and validity of the data produced by the
accounting system
7. The extent of reliance that the auditor places on the results of analytical
procedures depends on the following factors:
a. Materiality of the items involved
b. Other audit procedures directed toward the same audit objectives

11
PROFE04- AUDITING AND ASSURANCE_PRINCIPLES AND SPECIALIZED INDUSTRIES

c. Accuracy with which the expected results of analytical procedures can

be predicted.
8. When analytical procedures identify significant fluctuations or relationships that
are inconsistent with other relevant information or that deviate from predicted
amounts, the auditor should investigate and obtain adequate explanations and
appropriate corroborative evidence.
9. The investigation of unusual fluctuations and relationships ordinarily begins with
inquiries of management, followed by:
a. Corroboration of management responses; and
b. Consideration of the need to apply other audit procedures based on
the results of such inquiries, if management is unable to provide an
explanation or if the explanation is not considered adequate.

PSA 550 RELATED PARTIES

1. Management is responsible for the identification and disclosure of related parties

and transactions with such parties.
2. The auditor should perform audit procedures designed to obtain sufficient
appropriate audit evidence regarding the identification and disclosure by
management of related parties and the effect of related party transactions that
are material to the financial statements. However, an audit cannot be expected to
detect all related party transactions.
3. The auditor needs to have a sufficient understanding of the entity and its
environment to enable identification of the events, transactions and practices that
may result in a risk of material misstatement regarding related parties and
transactions with such parties.
4. When obtaining an understanding of the entity’s internal control, the auditor
should consider the adequacy of control activities over the authorization and
recording of related party transactions.

12
PROFE04- AUDITING AND ASSURANCE_PRINCIPLES AND SPECIALIZED INDUSTRIES

5. In examining the identified related party transactions, the auditor should obtain
sufficient appropriate audit evidence as to whether these transactions have been
properly recorded and disclosed.
6. The auditor should obtain a written representation from management concerning:
a. The completeness of information provided regarding the identification
of related parties; and
b. The adequacy of related party disclosures in the financial statements
7. The auditor is unable to obtain sufficient appropriate audit evidence concerning
related parties and transactions with such parties or concludes that their
disclosure in the financial statements is not adequate; the auditor should modify
the audit report appropriately.

PSA 610 CONSIDERING THE WORK OF INTERNAL AUDIT

1. The external auditor should obtain a sufficient understanding of internal audit

activities to identify and assess the risks of material misstatement of the financial
statements and to design and perform further audit procedures.
2. The external auditor should perform an assessment of the internal audit function
when internal auditing is relevant to the external auditor’s risk assessment.
3. When obtaining an understanding and performing a preliminary assessment of
the internal audit function, the important criteria are:
a. Organizational status
b. Scope of the function
c. Technical competence
d. Due professional care
4. When planning to use the work of internal auditing, the external auditor will need
to consider internal auditing’s tentative plan for the period and discuss it as early
a stage as possible.
5. Where the work of internal auditing is to be a factor in determining the nature,
timing and extent of the external auditor’s procedures, it is desirable to agree in
advance the timing of such work, the extent of audit coverage, materiality levels
and proposed methods of sample selection, documentation of the work
performed and review and reporting procedures.

13
PROFE04- AUDITING AND ASSURANCE_PRINCIPLES AND SPECIALIZED INDUSTRIES

6. A liaison with internal auditing is more effective when meetings are held at
appropriate intervals during the period.
7. When the external auditor intends to use specific work of internal auditing, the
external auditor should evaluate and perform audit procedures on that work to
confirm its adequacy for the external auditor’s purposes.
8. The evaluation of specific work of internal auditing involves consideration of the
adequacy of the scope of the work and related programs and whether the
preliminary assessment of the internal auditing remains appropriate.
9. The nature, timing and extent of audit procedures performed on the specific work
of internal auditing will depend on:
 The external auditor’s judgment as to the risk of material
misstatement of the area concerned;
 The assessment of internal auditing; and
 The evaluation of the specific work by internal auditing.
10. The external auditor would record conclusions regarding the specific internal
auditing work that has been evaluated and the audit procedures performed on
the internal auditor’s work.

PSA 620 USING THE WORK OF AN EXPERT

1. “Expert’ means a person or firm possessing special skill, knowledge and
experience in a particular filed other than accounting and auditing.
2. An expert may be:
a. Contracted by the entity;
b. Contracted by the auditor;
c. Employed by the entity; or
d. Employed by the auditor.
3. When determining the need to use the work of an expert, the auditor would
consider:
a. The materiality of the financial statement item being considered;
b. The risk of misstatement based on the nature and complexity of the
matter being considered; and
c. The quantity and quality of other audit evidence available
4. When planning t use the work of an expert, the auditor should evaluate the
professional competence and objectivity of the expert.
5. The risk that an expert’s objectivity will be impaired increases when the expert is:
a. Employed by the entity; or
b. Related in some other manner to the entity.
6. The auditor should obtain sufficient appropriate audit evidence that the scope of
the expert’s work is adequate for the purposes of the audit. Audit evidence may
be obtained through a review of the terms of reference which are often set out in
written instructions from the entity to the expert.

14
PROFE04- AUDITING AND ASSURANCE_PRINCIPLES AND SPECIALIZED INDUSTRIES

Such instructions to the expert may cover matters such as:

a. The objectives and scope of the expert’s work
b. A general outline as to the specific matters the auditor expects the
expert’s report to cover
c. The intended use by the auditor of the expert’s work, including the
possible communication to third parties of the expert’s identity and
extent f involvement
d. The extent of the expert’s access to appropriate records and files
e. Clarification of the expert’s relationship with the entity, if any.
f. Confidentiality of the entity’s information
g. Information regarding the assumptions and methods intended to be
used by the expert and their consistency with those used in prior
periods.
7. The auditor should evaluate the appropriateness of the expert’s work as audit
evidence regarding the financial statement assertion being considered. This will
involve assessment of whether the substance of the expert’s findings is properly
reflected in the financial statements or supports the financial statement
assertions, and consideration of:
a. Source data used.
b. Assumptions and methods used and their consistency with prior
periods
c. Results of the expert’s work in the light of the auditor’s overall
knowledge of the business and of the results of other audit procedures.
8. When considering whether the expert has used source data which is appropriate
in the circumstances, the auditor would consider the following procedures:
a. Making inquiries regarding any procedures undertaken by the expert to
establish whether the source data is sufficient, relevant and reliable.
b. Reviewing or testing the data used by the expert
9. If the results of the expert’s work do not provide sufficient audit evidence or if the
results are not consistent with other audit evidence, the auditor should resolve
the matter. This may involve:
a. Discussions with the entity and the expert
b. Applying additional audit procedures
c. Including possibly engaging another expert; or
d. Modifying the auditor’s report
10. When issuing an unmodified auditor’s report, the auditor should not refer to the
work of an expert. Such a reference might be misunderstood to be a qualification
of the auditor’s opinion or a division of responsibility, neither of which is intended.
11. If as a result of the work of an expert, the auditor decides to issue a modified
auditor’s report, in some circumstances it may be appropriate, in explaining the
nature of the modification, to refer to or describe the work o the expert (including

15
 PROFE04- AUDITING AND ASSURANCE_PRINCIPLES AND SPECIALIZED INDUSTRIES

the identity of the expert and the extent of the expert’s involvement). In these
circumstances, the auditor would obtain the permission of the expert before
making such a reference. If permission is refused and the auditor believes a
reference is necessary, the auditor may need to seek legal advice.

Reference:
Compilation of Lecture Notes by Dean Rene Boy R. Bacay, CPA, MBA, FRIAcc

For further discussion please refer to the link provided:

Audit Process: Overview- https://www.youtube.com/watch?v=y5mHaEufEws

Audit Materiality- https://www.youtube.com/watch?v=oDd3hnBDd8I

PSA 550 Related Parties- https://www.youtube.com/watch?v=1yiydvzq4ck

16