Joanne M. Flood - Wiley Practitioner's Guide to GAAS 2020

Some of the procedures the auditor performs to assess the risks of material misstatement due to fraud also may help gather information about the entity and its environment, particularly its internal control. (AU-C 315.09)

NOTE: Because of the close connection between the assessment of the risk of material misstatement and the procedures performed to assess fraud risk, the auditor will want to:

Coordinate the procedures he or she performs to assess the risk of material misstatement due to fraud with the other risk assessment procedures.

Consider the results of his or her assessment of fraud risk when identifying the risk of material misstatement.

If certain conditions are met, the auditor may use information obtained in prior periods as audit evidence in the current period audit. However, when the auditor intends to use information from prior periods in the current period audit, the auditor should determine whether changes have occurred that may affect the relevance of the information for the current audit. (AU-C 315.10) To make this determination, the auditor should make inquiries and perform other appropriate audit procedures, such as walk-throughs of systems. (AU-C 315.A20)

The members of the audit team should discuss the susceptibility of the client’s financial statements to material misstatement. (AU-C 315.11) This discussion will allow team members to exchange information and create a shared understanding of the client and its environment, which in turn will enable each team member to:

Share his or her knowledge.

Gain a better understanding of the potential for material misstatement resulting from fraud or error in the assertions that are relevant to the areas assigned to them.

Exchange information about business risks.

Understand how the results of the audit procedures that they perform may affect other aspects of the audit.

This “brainstorming session” of the audit team could be held at the same time as the team’s discussion related to fraud, which is required by Section 240. (AU-C 315.A21)

The auditor should obtain an understanding of the following five elements of the entity and its environment:

1 External factors, including:Industry factors, such as the competitive environment, supplier and customer relationships, and technological developments.The regulatory environment, which includes the applicable financial reporting framework, the legal and political environment, and environmental requirements that affect the industry.Other matters, such as general economic conditions.

2 Nature of the client, which includes its operations, its ownership, governance, the types of investments it makes and plans to make, how it is financed, and how it is structured.

3 Accounting policies, including the entity’s selection and application of accounting policies, the reasons for any changes, and whether the entity’s accounting policies are appropriate for its business and consistent with the applicable financial reporting framework and accounting policies used in the relevant industry.

4 Objectives and strategies and related business risks, which may result in material misstatement of the financial statements taken as a whole or as individual assertions.

5 Measurement and review of the client’s financial performance, which tell the auditor which aspects of the client’s performance management considers important.

(AU-C 315.12)

NOTE: The purpose of understanding the entity and its environment is to help identify and assess risk. For example:

Information about the client’s industry may allow the auditor to identify characteristics of the industry that could give rise to specific misstatements.

Information about the ownership of the client, how it is structured, and other elements of its nature will help identify related-party transactions that, if not properly accounted for and adequately disclosed, could lead to a material misstatement.

The auditor’s identification and understanding of the business risks facing the entity increase the chance of identifying financial reporting risks.

Information about the performance measures used by the entity may lead the auditor to identify pressures or incentives that could motivate entity personnel to misstate the financial statements.

Information about the design and implementation of internal control may identify deficiencies in control design, which increase the risk of material misstatement.

NOTE: Obtaining an understanding of the entity and its environment also allows the auditor to make judgments about other audit matters, such as:

Materiality

Whether the entity’s selection and application of accounting policies are appropriate and financial statement disclosures are adequate

Areas where special audit consideration may be necessary—for example, related-party transactions

The expectation of recorded amounts used for performing analytical procedures

The evaluation of audit evidence

On every audit, the auditor should obtain an understanding of internal control that is of sufficient depth to enable the auditor to:

Assess the risks of material misstatement of the financial statements, whether due to error or to fraud.

Design the nature, timing, and extent of further audit procedures.

To meet these requirements, the auditor should:

Evaluate the design of controls that are relevant to the audit and determine whether the control—either individually or in combination—is capable of effectively preventing or detecting and correcting material misstatements.

Determine that the control has been implemented—that is, that the control exists and that the entity is using it.

(AU-C 315.13–.14)

The auditor’s evaluation of internal control design and the determination of whether controls have been implemented are critical to the assessment of the risks of material misstatement. Remember that even if the auditor’s overall audit strategy contemplates performing only substantive procedures for all relevant assertions related to material transactions, account balances, and disclosures, the auditor still needs to evaluate the design of the client’s internal control.

NOTE: In evaluating control design, it is helpful to consider:

Whether control objectives that are specific to the unique circumstances of the client have been considered for all relevant assertions for all significant accounts and disclosures

Whether the control or combination of controls would—if operated as designed—meet the control objective

Whether all controls necessary to meet the control objective are in place

NOTE: To evaluate the design and implementation of internal controls relevant to the audit, the auditor should perform procedures such as:

Inquiry

Observation

Inspection of documentation

Walk-throughs—tracing transactions through the information systems

When obtaining an understanding about the design of internal controls and determining whether those controls have been implemented, inquiry alone is not sufficient. Thus, for these purposes, the auditor should supplement inquiries with other risk assessment procedures. (AU-C 315.14)

(AU-C 315.A76)

Obtaining an understanding of the design and implementation of internal controls is different from testing their operating effectiveness.

Understanding the design and implementation is required on every audit as part of the process of assessing the risks of material misstatement.