ENTITY’S RISK ASSESSMENT PROCESS
Auditors should assess whether the entity has a process to identify the business risks relevant to financial reporting objectives, estimate the significance of them, assess the likelihood of the risks occurrence, and decide actions to address the risks. If auditors have identified such risks, then auditors should evaluate the reasons why the risk assessment process failed to identify the risks, determine whether there is significant deficiency in internal controls in identifying the risks, and discuss with the management.
THE INFORMATION SYSTEM, INCLUDING THE RELEVANT BUSINESS PROCESSES, RELEVANT TO FINANCIAL REPORTING AND COMMUNICATION
Auditors should also obtain an understanding of the information system, including the related business processes, relevant to financial reporting, including the following areas:
The classes of transactions in the entity’s operations that are significant to the financial statements. The procedures that transactions are initiated, recorded, processed, corrected as necessary, transferred to the general ledger and reported in the financial statements.
How the information system captures events and conditions that are significant to the financial statements.
The financial reporting process used to prepare the entity’s financial statements.
Controls surrounding journal entries.
Understand how the entity communicates financial reporting roles, responsibilities and significant matters to those charged with governance and external - regulatory authorities.
CONTROL ACTIVITIES RELEVANT TO THE AUDIT
Auditors should obtain a sufficient understanding of control activities relevant to the audit in order to assess the risks of material misstatement at the assertion level, and to design further audit procedures to respond to those risks. Control activities, such as proper authorisation of transactions and activities, performance reviews, information processing, physical control over assets and records, and segregation of duties, are policies and procedures that address the risks to achieve the management directives are carried out.
MONITORING OF CONTROLS
In addition, auditors should obtain an understanding of major types of activities that the entity uses to monitor internal controls relevant to financial reporting and how the entity initiates corrective actions to its controls. For instance, auditors should obtain an understanding of the sources and reliability of the information that the entity used in monitoring the activities. Sources of information include internal auditor report, and report from regulators.
LIMITATIONS OF INTERNAL CONTROL SYSTEMS
Effective internal control systems can only provide reasonable, not absolute, assurance to achieve the entity’s financial reporting objective due to the inherent limitations of internal control - for example, management override of internal controls. Therefore, auditors should identify and assess the risks of material misstatement at the financial statement level and assertion level for classes of transactions, account balances and disclosures.
As internal auditors have better understanding of the organisation and expertise in its risk and control, the proposed requirement for the external auditors to make enquiries of internal audit function in ISA 315 (Revised) will enhance the effectiveness and efficiency of audit engagements. External auditors should pay attention to the components of internal control mentioned above in order to make effective and
efficient enquiries. An increase in the work of internal audit functions is also expected because of such proposed requirement.
Raymond Wong, School of Accountancy, The Chinese University of Hong Kong, and Dr Helen Wong, Hong Kong Community College, Hong Kong Polytechnic University
Reference ISA 315 (Revised), Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment