Contents
Paragraphs
Introduction 1–12
Inherent risk 13–15
16–23
24–25
26
Control risk 27–48
Detection risk 49–56
Communication of weaknesses 57
Compliance with International Standards on Auditing 58–59
Effective date 60
Introduction
The purpose of this SAS is to establish standards and provide guidance on audit risk
and its components: inherent risk, control risk and detection risk, and also on the
auditors' approach to obtaining an understanding of the accounting and internal
control systems. In some circumstances specific legislation and regulations require
auditors to undertake procedures additional to those set out in this SAS.
Auditors should:
Control risk is the risk that a misstatement that could occur in an account balance
or class of transactions and that could be material, either individually or when
aggregated with misstatements in other balances or classes, would not be prevented,
or detected and corrected on a timely basis, by the accounting and internal control
systems.
Detection risk is the risk that auditors' substantive procedures (tests of details of
transactions and balances or analytical procedures) do not detect a misstatement
that exists in an account balance or class of transactions that could be material, either
individually or when aggregated with misstatements in other balances or classes.
Accounting system means the series of tasks and records of an entity by which
transactions are processed as a means of maintaining financial records. Such systems
identify, assemble, analyse, calculate, classify, record, summarise and report transactions and other events.
Internal control system comprises the control environment and control procedures.
It includes all the policies and procedures (internal controls) adopted by the
directors and management of an entity to assist in achieving their objective of
ensuring, as far as practicable, the orderly and efficient conduct of its business,
including adherence to internal policies, the safeguarding of assets, the prevention
and detection of fraud and error, the accuracy and completeness of the accounting
records, and the timely preparation of reliable financial information. Internal
controls may be incorporated within computerised accounting systems. However,
the internal control system extends beyond those matters which relate directly to the
accounting system.
Control environment means the overall attitude, awareness and actions of directors
and management regarding internal controls and their importance in the entity. The
control environment encompasses the management style, and corporate culture and
values shared by all employees. It provides the background against which the various
other controls are operated. However, a strong control environment does not, by
itself, ensure the effectiveness of the overall internal control system. Factors reflected in the control environment include:
10
Control procedures are those policies and procedures in addition to the control
environment which are established to achieve the entity's specific objectives. They
include in particular procedures designed to prevent or to detect and correct errors.
The latter may be a particular focus of high level controls in small or owner-managed
entities. Specific control procedures include:
11
Auditors are only concerned with those policies and procedures within the accounting and internal control systems that are relevant to the financial statement
assertions. The understanding of relevant aspects of the accounting and internal
control systems, together with the inherent and control risk assessments, enables
auditors to:
assess the adequacy of the accounting system as a basis for preparing the
financial statements;
identify the types of potential misstatements that could occur in the financial
statements;
consider factors that affect the risk of misstatements; and
When planning their audit, auditors consider the likelihood of error in the light of
inherent risk and the system of internal control (control risk) in order to determine
the extent of work (and hence the level of detection risk) required to satisfy
themselves that the risk of error in the financial statements is sufficiently low.
12
Inherent risk
In developing their audit approach and detailed procedures, auditors should assess
inherent risk in relation to financial statement assertions about material account
balances and classes of transactions, taking account of factors relevant both to the
entity as a whole and to the specific assertions. (SAS 300.2)
13
In the absence of knowledge or information to enable auditors to make an assessment of inherent risk for a specific account balance or class of transactions they
assume that inherent risk is high. However, when an assessment is made and
inherent risk is not considered to be high, they document the reasons for their
assessment and are able to reduce the work they would otherwise carry out.
14
To assess inherent risk, auditors use their professional judgment to evaluate numerous factors, having regard to their experience of the entity from previous audits, any
controls established by management to compensate for a high level of inherent risk
(as described in paragraph 32 below), and their knowledge of any significant changes
which have taken place. Examples of relevant factors are:
15
In planning the audit, auditors should obtain and document an understanding of the
accounting system and control environment sufficient to determine their audit
approach. (SAS 300.3)
17
18
19
20
21
22
materiality considerations;
the size and complexity of the entity;
their assessment of inherent risk;
the complexity of the entity's computer systems;
the type of internal controls involved; and
the nature of the entity's documentation of specific internal controls.
23
(a) enquiries of appropriate supervisory and other personnel at various organisational levels within the entity, together with reference to documentation such as
procedures manuals, job descriptions and systems descriptions;
(b) inspection of relevant documents and records produced by the systems; and
(c) observation of the entity's activities and operations, including the information
technology function's organisation, personnel performing control procedures
and the nature of transaction processing.
An internal control system can only provide the directors with reasonable confidence that their objectives are reached because of inherent limitations such as:
24
the usual requirement that the cost of an internal control is not disproportionate
to the potential loss which may result from its absence;
most systematic internal controls tend to be directed at routine transactions
rather than non-routine transactions;
the potential for human error due to carelessness, distraction, mistakes of
judgment and the misunderstanding of instructions;
the possibility of circumvention of internal controls through collusion with
parties outside or inside the entity;
the possibility that a person responsible for exercising an internal control could
abuse that responsibility, for example by overriding an internal control; and
the possibility that procedures may become inadequate due to changes in
conditions or that compliance with procedures may deteriorate over time.
These factors indicate why auditors cannot obtain all their evidence from tests of the
system of internal control.
25
Auditors obtain an appropriate level of audit evidence to support their audit opinion
regardless of the size of the entity. However, many internal controls relevant to large
entities are not practical in the small business; for example, in small businesses
accounting procedures may be performed by few persons who may have both
operating and custodial responsibilities and, consequently, segregation of duties
may be severely limited. Inadequate segregation of duties may, in some cases, be
offset by other control procedures and close involvement of an owner or manager in
strong supervisory controls where they have direct personal knowledge of the entity
and involvement in transactions, though this in itself may introduce other risks. In
circumstances where segregation of duties is limited and evidence of supervisory
controls is lacking, the audit evidence necessary to support the auditors' opinion on
the financial statements may have to be obtained entirely through the performance
of substantive procedures and any audit work carried out in the course of preparing
the financial statements. What follows is to be read with this in mind.
Control risk
27
28
If, as a result of their work on the accounting system and control environment,
auditors decide it is likely to be inefficient or impossible to rely on any assessment of
control risk to reduce their substantive procedures, no such assessment is necessary
and control risk is assumed to be high.
Preliminary assessment of control risk
29
The preliminary assessment of control risk is the process of evaluating the likely
effectiveness of an entity's accounting and internal control systems in preventing and
correcting material misstatements. This entails consideration of the design of the
accounting and internal control systems to assess their likely effectiveness. There is,
however, always some control risk because of the inherent limitations of any internal
control system.
30
The more effective the entity's accounting and internal control systems are assessed
to be, the lower the auditors' assessment of control risk. Where auditors obtain
satisfactory audit evidence from tests of control as to the effectiveness of the
accounting and internal control systems, the extent of substantive procedures may
be reduced.
31
Auditors may conclude that the accounting and internal control systems are not
effective, or they may decide that it is likely to be inefficient to adopt an audit
approach which relies on tests of control. In these circumstances they plan the audit
approach on the basis that sufficient appropriate audit evidence needs to be
obtained entirely from substantive procedures and from any audit work carried out
in the preparation of the financial statements.
32
33
34
Tests of control
Tests of control are performed to obtain audit evidence about the effective operation of the accounting and internal control systems, that is, that properly designed
controls identified in the preliminary assessment exist in fact and have operated
effectively throughout the relevant period. They include tests of elements of the
control environment where strengths in the control environment are used by
auditors to reduce control risk assessments.
35
36
37
38
39
When obtaining evidence about the effective operation of internal controls, relevant
factors for auditors to consider are how they were applied, the consistency with
which they were applied during the period and by whom they were applied. The
concept of effective operation recognises that some deviations may have occurred.
Deviations from prescribed controls may be caused by such factors as changes in key
personnel, significant seasonal fluctuations in volume of transactions and human
error. In particular, staff changes in key internal control functions may increase
control risk. If there have been such changes in the period under review, auditors
may need to modify their tests of control to confirm effective operation during and
after the period of change.
40
If substantially different controls are used at different times during the period,
auditors consider each separately. A breakdown in internal controls for a specific
portion of the period requires separate consideration of the nature, timing and
extent of the audit procedures to be applied to the transactions and other events of
that period.
41
42
As described in SAS 400 "Audit evidence", certain types of audit evidence obtained
by auditors are more reliable than others. Usually, auditors' observations provide
more reliable audit evidence than merely making enquiries; for example, they might
obtain audit evidence about the proper segregation of duties by observing the
individual who applies a control procedure or by making enquiries of appropriate
personnel. Audit evidence obtained by some tests of control, such as observation,
pertains only to the point in time at which the procedure was applied. Auditors may
decide, therefore, to supplement these procedures with other tests of control capable
of providing audit evidence about other periods of time before or after that point.
43
44
Auditors may decide to perform some tests of control at an interim audit visit in
advance of the period end. However, they cannot rely on the results of such tests
45
46
47
If the evaluation of deviations results in auditors concluding that the assessed level
of control risk needs to be revised, they modify the nature, timing and extent of their
planned substantive procedures.
48
Detection risk
Auditors should consider the assessed levels of inherent and control risk in
determining the nature, timing and extent of substantive procedures required to
reduce audit risk to an acceptable level. (SAS 300.7)
49
The level of detection risk relates to the auditors' substantive procedures (tests of
details of transactions and balances and analytical procedures). It is primarily the
consequence of the fact that auditors do not, and cannot, examine all available
evidence; auditors seek reasonable confidence and so do not examine all items, nor
all evidence concerning any item that is examined. Moreover, as audit evidence is
generally persuasive rather than conclusive, some detection risk is usually present
50
To form their audit opinion, auditors obtain sufficient appropriate audit evidence as
to whether the financial statements are free of material misstatement. Internal
controls, even if fairly simple and unsophisticated, may contribute to this evidence.
The auditors' control risk assessment, together with the inherent risk assessment,
influences the nature, timing and extent of substantive procedures to be performed
to reduce detection risk, and therefore audit risk, to an acceptably low level.
52
53
Regardless of the assessed levels of inherent and control risks, auditors should
perform some substantive procedures for financial statement assertions of material
account balances and transaction classes. (SAS 300.8)
54
The assessed levels of inherent and control risks cannot be sufficiently low to
eliminate the need for auditors to perform any substantive procedures for material
account balances and transaction classes. However, these substantive procedures
may comprise only analytical procedures where such procedures provide sufficient
appropriate evidence.
55
The auditors' assessment of the components of audit risk may change during the
course of an audit; for example, information may come to their attention when
performing substantive procedures that differs significantly from the information on
which they originally assessed inherent and control risks. In such cases, they modify
the planned substantive procedures based on a revision of the assessed levels of
inherent and control risks for the relevant financial statement assertions.
56
When both inherent and control risks are assessed as high, auditors consider
whether substantive procedures can provide sufficient appropriate audit evidence to
reduce detection risk, and therefore audit risk, to an acceptably low level. For
example, they may not be able to obtain sufficient evidence about the completeness
of income in the absence of some internal controls. When auditors determine that
detection risk regarding a material financial statement assertion cannot be reduced
to an acceptably low level, they consider the implications for their report.
Communication of weaknesses
57
With the explanations noted in paragraph 58, compliance with this SAS ensures
compliance in all material respects with International Standard on Auditing 400
"Risk Assessments and Internal Control".
Effective date
60
Auditors are required to comply with the Auditing Standards contained in this SAS
in respect of audits of financial statements for periods ending on or after 23
December 1995.
NOTICE TO READERS
The Accountancy Foundation Limited
This document has been obtained from the website of The Accountancy Foundation Limited
and its subsidiary companies (The Review Board Limited, The Auditing Practices Board
Limited, The Ethics Standards Board Limited, The Investigation and Discipline Board
Limited). Use of the website is subject to the WEBSITE TERMS OF USE, which may be
viewed at http://www.accountancyfoundation.com/terms.
Readers should be aware
that, although The Accountancy Foundation Limited and its subsidiary companies seek to
ensure the accuracy of information on the website, no guarantee or warranty is given or
implied that such information is free from error or suitable for any given purpose: the
published hard copy of the document alone constitutes the definitive text.