1.3 Understanding the Entity and its Environment including its Internal Control and Assessing the Risks of Material
Misstatement
1.3.1 Industry, regulatory and other external factors, including the applicable financial reporting framework
1.3.1.1 Nature of the entity
1.3.1.2 Objectives and strategies and related business risks
1.3.1.3 Measurement and review of the entity’s financial performance
1.3.2 Internal Control
1.3.2.1 Basic concepts and elements of internal control
1.3.2.2 Consideration of accounting and internal control systems
1.3.2.2.1 Understanding and documentation
1.3.2.2.2 Assessment of control risks
1.3.2.2.2.1 Test of controls
1.3.2.2.2.2 Documentation
1.3.3 Assessing the risks of material misstatement
1.3.3.1 Fraud and errors
1.3.3.2 Risk assessment procedures
1.3.3.3 Discussion among the engagement team
1.3.3.4 Significant risks that require special audit consideration
1.3.3.5 Risks for which substantive procedures alone do not provide sufficient appropriate audit
evidence
1.3.3.6 Revision of risk assessment
1.3.4 Communicating with those charged with governance and management
PSA 315
IDENTIFYING AND ASSESSING THE RISKS OF MATERIAL
MISSTATEMENT THROUGH UNDERSTANDING THE
ENTITY AND ITS ENVIRONMENT
FOCUS NOTES:
Objective: The auditor should obtain an understanding of the entity and its environment, including its internal
control:
in order to identify and assess the risks of material misstatement of the financial statements;
thereby providing a basis for designing and implementing responses to the assessed risks of material
misstatement.
Definitions
Assertions – Representations by management, explicit or otherwise, that are embodied in the financial
statements, as used by the auditor to consider the different types of potential misstatements that may occur.
Business risk – A risk resulting from significant conditions, events, circumstances, actions or inactions that could
adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of
inappropriate objectives and strategies.
Internal control – The process designed, implemented and maintained by those charged with governance,
management and other personnel to provide reasonable assurance about the achievement of an entity’s
objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and
compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or more of the
components of internal control.
Risk assessment procedures – The audit procedures performed to obtain an understanding of the entity and its
environment, including the entity’s internal control, to identify and assess the risks of material misstatement,
whether due to fraud or error, at the financial statement and assertion levels.
Significant risk – An identified and assessed risk of material misstatement that, in the auditor’s judgment, requires
special audit consideration.
Requirements:
UL Refresher Course in Accountancy
Auditing – Module 1.3
The auditor shall perform risk assessment procedures to provide a basis for the identification and assessment of
risks of material misstatement at the financial statement and assertion levels.
The risk assessment procedures shall include the following:
a. Inquiries of management, of appropriate individuals within the internal audit function (if the function exists),
and of others within the entity who in the auditor’s judgment may have information that is likely to assist in
identifying risks of material misstatement due to fraud or error.
b. Analytical procedures.
c. Observation and inspection.
The auditor shall consider whether information obtained from the auditor’s client acceptance or continuance
process is relevant to identifying risks of material misstatement.
If the engagement partner has performed other engagements for the entity, the engagement partner shall consider
whether information obtained is relevant to identifying risks of material misstatement.
Where the auditor intends to use information obtained from the auditor’s previous experience with the entity and
from audit procedures performed in previous audits, the auditor shall determine whether changes have occurred
since the previous audit that may affect its relevance to the current audit.
The engagement partner and other key engagement team members shall discuss the susceptibility of the entity’s
financial statements to material misstatement, and the application of the applicable financial reporting framework
to the entity’s facts and circumstances. The engagement partner shall determine which matters are to be
communicated to engagement team members not involved in the discussion.
The auditor shall obtain an understanding of the entity and its environment by understanding the following
aspects:
a. Industry, regulatory, and other external factors, including the applicable financial reporting framework;
b. Nature of the entity:
i. its operations;
ii. its ownership and governance structures;
iii. the types of investments that the entity is making and plans to make, including investments in
special-purpose entities; and
iv. the way that the entity is structured and how it is financed,
to enable the auditor to understand the classes of transactions, account balances, and disclosures to be
expected in the financial statements;
c. Entity’s selection and application of accounting policies, including reasons for changes thereto;
d. Objectives and strategies and the related business risks that may result in a material misstatement of the
financial statements; and
e. Measurement and review of the entity’s financial performance.
The auditor shall obtain an understanding of internal control.
Controls relevant to the audit are mostly financial reporting controls, but not necessarily all financial reporting
controls; the auditor uses professional judgment to determine which are relevant.
Obtaining an understanding of internal control means evaluating the design of controls and determining whether
they have been implemented.
The auditor uses the understanding of internal control to:
a. identify types of potential misstatements;
b. consider factors that affect the risks of material misstatement; and
c. design the nature, timing, and extent of further audit procedures.
Internal control is the process designed and effected by those charged with governance, management, and
other personnel to provide reasonable assurance about the achievement of the entity’s objectives with regard
to
a. reliability of financial reporting;
b. effectiveness and efficiency of operations; and
c. compliance with applicable laws and regulations.
Internal control, as discussed in this PSA, consists of the following components:
a. The control environment.
b. The entity’s risk assessment process.
c. The information system, including the related business processes, relevant to financial reporting, and
communication.
d. Control activities.
e. Monitoring of controls.
Obtaining an understanding of internal control involves evaluating the design of a control and determining
whether it has been implemented.
Evaluating the design of a control involves considering whether the control, individually or in combination with
other controls, is capable of effectively preventing, or detecting and correcting, material misstatements.
Implementation of a control means that the control exists and that the entity is using it.
Identifying and Assessing the Risks of Material Misstatement (RMM)
a. at the financial statement level; and
b. at the assertion level for classes of transactions, account balances, and disclosures
Assessment of RMM - basis for designing and performing further audit procedures.
Risks that Require Special Audit Consideration. As part of the risk assessment, the auditor shall
determine whether any of the risks identified are, in the auditor’s judgment, a significant risk. In exercising
this judgment, the auditor shall exclude the effects of identified controls related to the risk. In exercising
judgment as to which risks are significant risks, the auditor shall consider at least the following:
If the auditor has determined that a significant risk exists, the auditor shall obtain an understanding of the
entity’s controls, including control activities, relevant to that risk.
Risks for Which Substantive Procedures Alone Do Not Provide Sufficient Appropriate Audit
Evidence. In respect of some risks, the auditor may judge that it is not possible or practicable to obtain
sufficient appropriate audit evidence only from substantive procedures. Such risks may relate to the
inaccurate or incomplete recording of routine and significant classes of transactions or account balances, the
characteristics of which often permit highly automated processing with little or no manual intervention. In such
cases, the entity’s controls over such risks are relevant to the audit and the auditor shall obtain an
understanding of them.
Nature and Extent of the Understanding of Relevant Controls (Evaluating the design of control and whether
control is implemented)
Evaluating the design of a control involves considering whether the control, individually or in combination with
other controls, is capable of effectively preventing, or detecting and correcting, material misstatements.
Implementation of a control means that the control exists and that the entity is using it.
There is little point in assessing the implementation of a control that is not effective, and so the design of a
control is considered first. An improperly designed control may represent a significant deficiency in internal
control.
Risk assessment procedures to obtain audit evidence about the design and implementation of relevant controls
may include:
Inquiring of entity personnel.
Observing the application of specific controls.
Inspecting documents and reports.
Tracing transactions through the information system relevant to financial reporting.
Note: Inquiry alone is not sufficient for such purposes. Obtaining an understanding of an entity’s controls is not
sufficient to test their operating effectiveness, unless there is some automation that provides for the consistent
operation of the controls.
PART 2 – TESTS OF CONTROLS (this will be covered in PSA 330, the next module)
________________________________________________________________________________________________
PLANNING
INTERNAL CONTROL
FOCUS NOTES:
- Generally, control activities that may be relevant to an audit may be categorized as policies and procedures that
pertain to the following:
Performance reviews.
Information processing.
Physical controls.
Segregation of duties.
Monitoring of controls
- a process to assess the quality of internal control performance over time.
- it involves assessing the design and operation of controls on a timely basis and taking necessary corrective
actions.
- Monitoring is done to ensure that controls continue to operate effectively. For example, if the timeliness and
accuracy of bank reconciliations are not monitored, personnel are likely to stop preparing them.
- Monitoring of controls is accomplished through ongoing monitoring activities, separate evaluations, or a
combination of the two.
Document understanding
Internal control memorandum
- Advantage: rigor of analysis
- Disadvantage: difficult for reviewer to follow
Internal control questionnaire and/or checklist
- Advantage: easy to complete and covers all points
- Disadvantage: tendency toward cursory review given ease of completion
Internal control flowchart
- Advantage: easy to review given graphic representation; strengths and weaknesses highlighted
- Disadvantage: lacks detail
A combination of the above forms of documentation is preferred by most auditors.
MULTIPLE CHOICE
1. Which of the following is NOT a required understanding by the auditor in an audit of financial statements?
a. Relevant industry, regulatory, and other external factors, including the applicable financial reporting framework.
b. Nature of the entity, its operations, ownership and governance structures, the types of investments that the entity
is making and plans to make, including investments in special-purpose entities and the way that the entity is
structured and how it is financed.
c. Entity’s selection and application of accounting policies, including reasons for changes thereto.
d. Objectives and strategies and the related business risks that may result in a material misstatement of the financial
statements.
e. Measurement and review of the entity’s financial performance.
f. All controls pertaining to financial reporting.
2. Which of the following is the reason why auditors obtain understanding of the nature of the entity’s operations,
ownership and governance structures, the types of investments that the entity is making and plans to make, including
investments in special-purpose entities and the way that the entity is structured and how it is financed?
a. Obtain understanding of the entity and its environment including its internal control.
b. Perform procedures regarding the continuance of the client relationship and the specific audit
engagement.
c. Design and perform further audit procedures.
d. Identify and assess the risks of material misstatement of the financial statement
a. ABCD
b. BADC
c. DCBA
d. CBAD
4. The procedures used by the auditor to obtain understanding of the entity and its environment including its internal
control are called:
a. tests of controls
b. substantive procedures
c. analytical procedures
d. risk assessment procedures
5. All of the following procedures are risk assessment procedures except one. Which is it?
a. inquiries
b. observation and inspection
c. analytical procedures
d. test of details of transaction
7. It sets the tone of an organization influencing the control consciousness of its people. It is the foundation for
effective internal control.
a. control activities
b. control environment
c. accounting system
d. internal control
8. It refers to the overall attitude, awareness and actions of directors and management regarding the internal control
and its importance in the entity.
a. control activities
b. control environment
c. accounting system
d. internal control
9. The entity’s process for identifying business risks relevant to financial reporting objectives and deciding about
actions to address those risks and the results thereof.
10. Consists of the procedures and records established to initiate, record, process and report entity transactions and to
maintain accountability for the related assets, liabilities and equity. It encompasses the accounting system. This
element of internal control is:
11. Policies and procedures that help ensure that management directives are carried out.
12. The process to assess the effectiveness of internal control performance over time. It involves assessing the design
and operation of controls on a timely basis and taking necessary corrective actions modified for changes in
conditions.
13. After obtaining an understanding of the client’s accounting and internal control systems, the auditor makes a
preliminary assessment of control risk. If the auditor wants to reduce the preliminary assessment of control risk to
less than high, the auditor should:
14. For an audit in accordance with PSA, which of the following is a required documentation?
a. Effectiveness of the design and operation of the internal controls throughout the period.
b. Nature, timing and extent of audit procedures.
c. Appropriateness of the materiality level.
d. All of the above.
16. Evidence of the effectiveness of the design and operation of internal control is used by the auditor to:
18. Which of the following techniques could an auditor use to obtain evidence of the effectiveness of the design and
operation of internal control?
a. inquiry
b. observation
c. inspection
d. reperformance
e. all of the choices.
19. Which of the following is the correct order for performing the auditing procedures A through C below?
A = Tests of controls.
B = Preparation of a flowchart depicting the client's internal control structure.
C = Substantive tests.
a. ABC.
b. BAC.
c. ACB.
d. BCA.
21. The primary purpose of the auditor's consideration of internal control is to provide a basis for
a. Determining whether procedures and records that are concerned with the safeguarding of assets are reliable.
b. Constructive suggestions to clients concerning deficiencies in internal control.
c. Determining the nature, timing, and extent of audit tests to be applied.
22. In obtaining an understanding of an entity’s internal controls that are relevant to audit planning, an auditor is required
to obtain knowledge about the:
a. Design of relevant internal controls pertaining to financial reporting in each of the five internal control components.
b. Effectiveness of the internal controls that have been placed in operation.
c. Consistency with which the internal controls are currently being applied.
d. Controls related to each principal transaction class and account balances.
24. Which of the following elements is not a part of an entity's internal controls?
a. Control risk.
b. The accounting system.
c. Control activities.
d. The control environment.
28. When obtaining understanding of an entity’s control environment, an auditor should concentrate on the substance of
management’s policies and procedures rather than their form because:
a. The auditor may believe that the policies and procedures are inappropriate for that particular entity.
b. The board of directors may not be aware of management’s attitude toward the control environment.
c. Management may establish appropriate policies and procedures but not act on them.
d. The policies and procedures may be so weak that no reliance is contemplated by the auditor.
29. The auditor is studying internal control policies and procedures within the sales, shipping, and billing subset of the
revenue cycle. Which of the following conditions suggests a need for additional testing of controls?
a. Internal control is found to be weak with regard to shipping and billing.
b. Internal control over sales, billing, and shipping appears strong, but 80% of the sales revenue is attributable to
three major customers.
c. Internal control over billing and shipping is thought to be strong and the auditor considers additional testing of
selected controls will result in a major reduction in substantive testing.
d. Internal control over the recording of sales is found to be weak and the sales are evenly divided among a large
number of customers.
31. When considering internal control, an auditor must be aware of the concept of reasonable assurance which
recognizes that:
a. The employment of competent personnel provides assurance that the objectives of the internal control will be
achieved.
b. The establishment and maintenance of a system of internal control is an important responsibility of the
management and not of the auditor.
c. The cost of internal control should not exceed the benefits expected to be derived from internal control.
d. The segregation of incompatible functions is necessary to obtain assurance that the internal control is effective.
32. Flowcharting as a means of internal control evaluation provides the following advantage over the use of
questionnaires and descriptive narratives:
a. Ease of preparation.
b. Comprehensive coverage of controls.
c. Simplicity.
d. Ease in following information flow.
33. Which of the following statements is correct concerning the understanding of internal control needed by auditors?
a. The auditors must understand the information system, not the accounting system
b. The auditors must understand monitoring and all preliminary accounting controls
c. The auditors must have a sufficient understanding to assess the risks of material misstatement
d. The auditors must understand the control environment, risk assessment, and all control activities
35. On financial statement audits, it is required that the auditors obtain an understanding of internal control, including:
a. Its operating effectiveness
b. Whether it has been implemented (placed in operation)
c. Performing tests of controls for all material controls
d. Its ability to provide reasonable assurance
36. Which of the following is most likely to be considered a risk assessment procedure relating to internal control?
a. Confirm accounts receivable
b. Perform a test of a control relating to payroll
c. Take test counts of the year-end inventory
d. Trace a transaction through the information system relevant to financial reporting
37. Which statement is correct concerning the relevance of various types of controls to a financial statement audit?
a. An auditor may ordinarily ignore the consideration of controls when a substantive audit approach is used
b. Controls over the reliability of financial reporting are ordinarily most directly relevant to an audit, but other controls
may also be relevant
c. Controls over safeguarding assets and liabilities are of primary importance, while controls over the reliability of
financial reporting may also be relevant
d. All controls are ordinarily relevant to an audit
38. Which of the following is an advantage of describing internal control through the use of a standardized
questionnaire?
a. Questionnaires highlight weaknesses in the system
b. Questionnaires are more flexible than other methods of describing internal control
c. Questionnaires usually identify situations in which internal control weaknesses are compensated for by other
strengths in the system
d. Questionnaires provide a clearer and more specific portrayal of a client's system than other methods of describing
internal control
39. Which of the following is not a factor that is considered a part of the client's overall control environment?
a. The organizational structure
b. The information system
c. Management philosophy and operating style
d. Board of directors
40. After documenting the client's prescribed internal control, the auditors will often perform a walk-through of each
transaction cycle. An objective of a walk-through is to:
a. Verify that the controls have been implemented (placed in operation)
b. Replace tests of controls
c. Evaluate the major strengths and weaknesses in the client's internal control
d. Identify weaknesses to be communicated to management in the management letter