



Learning Objectives

After studying this chapter, you should be able to:

• Describe the concept of materiality as applied to audit.
• Enumerate the levels of materiality.
• Understand how to establish materiality and its relationship to audit risk.
• Know the need for and what to cover in a conference among engagement team members.
• Enumerate activities involved in the performance of risk assessment procedures.
• Know how to apply the PSAs in the following:
  (a) identification of risks;
  (b) understanding and evaluating relevant internal control;
  (c) concluding the risk assessment phase.


Determining and Using Materiality

Application of the Concept of Materiality to Audit

Information is material if its omission or misstatement could influence the economic
decisions of users taken on the basis of the financial statements.

Materiality provides a quantitative threshold or cut-off point, rather than being a primary
qualitative characteristic which information must have if it is to be useful. The auditor
establishes a materiality level based on his professional judgment so as quantitatively

When establishing the overall audit strategy, the auditor shall determine materiality for the
financial statements as a whole. If, in the specific circumstances of an entity, there is one or more
particular classes of transactions, account balances or disclosures for which material
misstatements of lesser amounts than the materiality for the financial statements as a whole
could reasonably be expected to influence the economic decisions of users taken on the basis
of the financial statements, the auditor shall also determine the materiality level(s) to be
applied to those particular classes of transactions, account balances or disclosures.

PSA 320 “Materiality in Planning and Performing an Audit” establishes standards and deals
with the auditor’s responsibility to apply the concept of materiality in planning and
performing an audit of financial statements.

To reiterate the importance of the concept of materiality to audit, the definition of materiality
in accordance with the FRSC’s “Framework for the Preparation and Presentation of
Financial Statements” follows:

“Information is material if its omission or misstatement could influence the economic
decisions of users taken on the basis of the financial statements. Materiality depends on
the size of the item or error judged in the particular circumstances of its omission or
misstatement. Thus, materiality provides a threshold or cut-off point rather than being a
primary qualitative characteristic which information must have if it is to be useful.”

This definition emphasizes the importance of materiality to reasonable users who rely on
the statements to make decisions. Auditors, therefore, must have knowledge of the likely
uses of their client’s statements and the decisions that are being made.

In planning the audit, materiality should be considered by the auditor when:

(a) determining the nature, timing and extent of audit procedures;
(b) identifying and assessing the risks of material misstatements; and
(c) determining the nature, timing and extent of further audit.

The auditor’s determination of materiality is a matter of professional judgment, and is
affected by the auditor’s perception of the financial information needs of users of the
financial statements. In this context, it is reasonable for the auditor to assume that users:

(a) Have a reasonable knowledge of business and economic activities and
accounting and a willingness to study the information in the financial statements
with reasonable diligence;
(b) Understand that financial statements are prepared, presented and audited to
levels of materiality;
(c) Recognize the uncertainties inherent in the measurement of amounts based on
the use of estimates, judgment and the consideration of future events; and
(d) Make reasonable economic decisions on the basis of the information in the
financial statements.

Levels of Materiality

The auditor assesses materiality at two levels:

• First is the overall materiality (or materiality level for the financial statements as
a whole).
• Second is the specific materiality (or materiality level for particular classes of
transactions, account balances or disclosures).

The auditor considers materiality at both the overall financial statements level and in
relation to individual account balances, classes of transactions and disclosures.
Materiality may be influenced by considerations such as legal and regulatory
requirements and considerations relating to individual financial statement account
balances and relationships. This process may result in different materiality levels
depending on the aspect of the financial statements being considered.

1. Overall materiality

Materiality for the financial statements as a whole (overall materiality) is based on
the auditor’s professional judgment as to the highest amount of the
misstatement(s) that could be included in the financial statements without
affecting the economic decision taken by a financial statement user. If the amount
of uncorrected misstatements, either individually or in the aggregate, is higher
than the overall materiality established for the engagement, it would mean that the
financial statements are materially misstated.

Overall materiality is based on the common financial information needs of the
various users as a group. Consequently, the possible effect of misstatements on
specific individual users, whose needs may vary widely, is not considered.

2. Specific materiality

In some cases, there may be a need to identify misstatements of lesser amounts
than overall materiality that would affect the economic decisions of financial
statement users. This could relate to sensitive areas such as particular note
disclosures (i.e., management remuneration or industry-specific data), compliance
with legislation or certain terms in a contract, or transactions upon which bonuses
are based. It could also relate to the nature of a potential misstatement.

PSA 320 likewise requires that performance materiality be set.

Performance Materiality

Performance materiality is used by the auditor to reduce to an appropriately low
level the risk that the accumulation of uncorrected and unidentified misstatements exceeds
materiality for the financial statements as a whole (overall materiality), or materiality
levels established for particular classes of transactions, account balances, or disclosures
(specific materiality).

Performance materiality is set at a lower amount (or amounts) than overall or specific
materiality. The objective is to perform more audit work than would be required by the
overall or a specific materiality to:

• Ensure that misstatements less than overall or specific materiality are detected, so as
to appropriately reduce the probability that the aggregate of uncorrected errors and
undetected misstatements exceeds materiality for the financial statements as a
whole; and thus
• Provide a margin or buffer for possible undetected misstatements. This buffer is
between detected but uncorrected misstatements in the aggregate and the overall
or specific materiality.

The margin provides some assurance for the auditor that undetected misstatements, along
with all uncorrected misstatements, will not likely accumulate to reach an amount that
would cause the financial statements to be materially misstated.

Performance materiality is set in relation to overall materiality or specific materiality. For
example, a specific performance materiality can be set at a lower amount than overall
performance materiality for testing repairs and maintenance expenses if there is a higher
risk of assets not being capitalized. Specific performance materiality may also be used to
perform additional work in areas that may be sensitive due to the nature of potential
misstatements and their occurrence, rather than their monetary size.

For example, if overall materiality was set at P200,000 and the audit procedures were
planned to detect all errors in excess of P200,000, it is quite possible that an error of say
P80,000 would go undetected. If three such errors existed totaling P240,000, the
financial statements would be materially misstated. If performance materiality was set at
P120,000, it would be much more likely that at least one or all of the P80,000 errors
would be detected. Even if only one of the three errors is identified and corrected, the
remaining P160,000 misstatement would still be less than P200,000 and the financial
statements as a whole would not be materially misstated.

How to Determine Materiality

Auditors make a preliminary assessment of materiality of the financial statements as a
whole by determining the amount by which they believe the financial statements could be
misstated without affecting users’ decisions. This amount is called “preliminary judgment
about materiality” or “planning materiality”. This judgment need not be quantified but
often is. It is called a preliminary judgment about materiality because it is a professional
judgment and may change during the engagement if circumstances change. The reason for
determining “planning materiality” is to help the auditor plan the appropriate evidence to
accumulate. If the auditor sets a low peso amount, more evidence is required than for a
high amount.

In establishing planning materiality or preliminary judgment about materiality, an auditor
must also consider any potential effect a misstatement might have which may be greater
than the peso amount involved. A misstatement which may not be material based on
quantitative factors but does not allow a client to meet a condition in a contractual
obligation or expectations of a financial statement user may be considered material. In
these instances, amount of planning materiality based on the users’ expectations of income
or alert those working on the engagement to the potential for these types of material

Rules of Thumb (For Use as a Starting Point)

Overall:
Materiality is a matter of professional judgment rather than a mechanical exercise. As a
result, no specific guidance is provided in the PSA. However, profit from continuing
operations (3% to 7%) is often used in practice as having the greatest significance to
financial statement users. If this is not a useful measure (such as for a not-for-profit entity
or where profit is not a stable base), then consider other bases such as:

• Revenues or expenditures – 1% to
• Assets – 1% to 3%
• Equity – 3% to 5%

Specific:
Establish a lower, specific materiality amount (based on professional judgment) for the
audit of specific or sensitive financial statement areas.

Performance:
No specific guidance is provided in the PSAs. Percentages range from 60% (of overall or
specific materiality), where there is a higher risk of material misstatement, up to 85%
where assessed risk of material misstatement is less.

Other Considerations

• When accepting a new audit engagement, inquire about the overall materiality used
by the previous auditor. If available, this would help in determining whether
further audit procedures may be required on the opening asset and liability
• Ensure that any experts employed by the entity (to assist the entity in preparing
the financial statements) or used by the audit team are instructed to use an
appropriate materiality level in relation to the work they perform.

Relationship Between Materiality and Audit Risk

When planning the audit, the auditor considers what would make the financial statements
materially misstated. The auditor’s assessment of materiality, related to specific account
balances and classes of transactions, helps the auditor decide such questions as what
items to examine and whether to use sampling and analytical procedures. This enables the
auditor to select audit procedures that, in combination, can be expected to reduce audit
risk to an acceptably low level.

There is an inverse relationship between materiality and the level of audit risk, that is, the
higher the materiality level, the lower the audit risk and vice versa. The auditor takes the
inverse relationship between materiality and audit risk into account when determining the
nature, timing and extent of audit procedures. If the auditor determines that the acceptable
materiality level is lower, audit risk is increased. The auditor would compensate for this
by either:

(a) reducing the assessed low level of control risk, where this is possible, and
supporting the reduced level by carrying out extended or additional tests of
control; or
(b) reducing detection risk by modifying the nature, timing and extent of planned
substantive procedures.

Figure 3.1 shows an illustration of a memo on determining and using materiality.

Figure 3.1 Illustrative Memo on Determining and Using Materiality

Client: XYZ Company

Materiality Assessment

The main users of the financial statements are the bank and the shareholders. The materiality
number used in the last period was P80,000.

Using our professional judgment, we decided to base our materiality on 5% of the profit
before tax. Other bases of materiality, such as revenues, were also considered but it was felt
that profit before tax was the most meaningful amount in relation to the identified financial
statement users.

For this period, the plan is to use P100,000 as the overall materiality. The concept of
materiality and its use in the audit has been discussed in general terms with the client.

Using professional judgment, and the types of misstatements identified in previous audits,
overall performance materiality has been set at P75,000.

A specific materiality for the local sales taxes paid has been set at P10,000 as we are required
to audit and report on this amount to the local government.

Prepared by ____________________ Date: _______________

Reviewed by: ___________________ Date: _______________

SEC Requirements Relative to Materiality (Amended SRC Rule 68)

• On test of materiality, in case of a disclosure deficiency or inconsistency,
information is material if it involves a transaction, amount or account that represents
10% or more of the total of related accounts or transactions in the financial
statements. The test to be used shall be 5% for companies under groups A & B
• In case of a misstatement or error, it shall be material if the amount of misstatement
or error represents 5% or more of the total of related accounts or transactions in the
financial statements. The test to be used shall be 2% for companies under groups A
& B categories.
• Related accounts shall be determined based on the classification and aggregation on
the face of financial statements such as current assets, non-current assets, current
liabilities, non-current liabilities, equity items, revenues, cost of sales, cost of
service, administrative expenses or operating expenses, as the case may be.

SEC Requirements for Independent Auditors of Regulated Entities

• The SEC requires the following regulated entities to be audited by independent
auditors accredited by the Commission under the appropriate category:

Group A

(1) Issuers of registered securities which have sold a class of securities pursuant to a
registration under Section 12 of the Securities Regulation Code (SRC) except those
issuers of registered timeshares, proprietary and non-proprietary membership
certificates which are covered in Group B;

(2) Issuers with a class of securities listed for trading in an Exchange;

(3) Public companies or those which have total assets of at least Fifty million pesos
(P50,000,000.00) or such other amount as the Commission shall prescribe, and
having two hundred (200) or more holders each holding at least One hundred (100)
shares of a class of its equity securities.

Group B

(1) Issuers of registered timeshares, proprietary and non-proprietary membership


(2) Investment Houses;

(3) Brokers and Dealers of securities;

(4) Investment companies;

(5) Government Securities Eligible Dealers (GSEDs);

(6) Universal Banks Registered as Underwriters of Securities;

(7) Investment Company Advisers;

(8) Clearing Agency and Clearing Agency as Depository;

(9) Stock and Securities Exchange/s;

(10) Special Purpose Vehicles registered under the Special Purpose Vehicle Act of
2002 and its implementing rules;

(11) Special Purpose Corporations registered under the Securitization Act of 2004
and its implementing rules;

(12) Such other corporations which may be required by law to be supervised by the

Group C

(1) Financing Companies;

(2) Lending companies;

(3) Transfer Agents;

(4) Foundations and other non-stock non-profit organizations which solicit or receive
donations or contributions or with fund balance aggregating to more than P10
million at any given year; and

(5) Large corporations or those with total assets of more than P350 million or total
liabilities of more than P250 million.

Group D

(1) Companies not included above but are mandated by other regulatory agencies to
have an independent auditor accredited by the Commission.

• For Groups A and B, both the independent auditor and auditing firms (if applicable)
shall be accredited by the Commission.
• For Group C, the accreditation of the auditing firms shall be sufficient. However, an
individual independent auditor shall be accredited by the Commission as such.
• Accreditation under Group A shall be considered a general accreditation which shall
allow the independent auditor to also audit companies under Groups B, C and D.
Independent auditors with Group B accreditation can likewise audit companies
under Groups C and D. Accordingly, Group C accredited independent auditors are
allowed to audit Group D companies.

Engagement Team Conference

PSA 315 requires a discussion among the engagement team members and a determination
by the engagement partner of which matters are to be communicated to
those team members not involved in the discussion. This discussion shall place particular
emphasis on how and where the entity’s financial statements may be susceptible to material
misstatement due to fraud, including how fraud might occur. The discussion shall occur
setting aside beliefs that the engagement team members may have that management and
those charged with governance are honest and have integrity.

The auditor shall include the following in the audit documentation of the auditor’s
understanding of the entity and its environment and the assessment of the risks of material

(a) The significant decisions reached during the discussion among the engagement team
regarding the susceptibility of the entity’s financial statements to material misstatement
due to fraud; and
(b) The identified and assessed risks of material misstatement due to fraud at the financial
statement level and at the assertion level.

The engagement partner and other key engagement team members shall discuss the
susceptibility of the entity’s financial statements to material misstatement, and the
application of the applicable financial reporting framework to the entity’s facts and
circumstances. The engagement partner shall determine which matters are to be
communicated to engagement team members not involved in the discussion.

Key Areas to Address During the Engagement Team Planning Meeting

Key Area to Address: Share insight on the entity, such as the people, operations and objectives
Purpose: To have an open discussion

The Entity:
• History and business objectives.
• The corporate culture.
• Changes in operations, personnel, or systems.
• Application of the applicable financial reporting framework to the entity’s facts and
circumstances.
• The nature/structure of the entity and management.
• The attitude toward internal control.
• Incentives to commit fraud.
• Unexplained changes in the behavior or lifestyle of key employees.
• Any indications of management bias.

Known Risk Factors
• Experience from previous audit engagements.
• Significant business risk factors.
• Opportunity for fraud to be perpetrated.

Key Area to Address: Brainstorm
Purpose: To brainstorm ideas and possible audit approaches

Potential for Errors and Fraud
• Which financial statement areas may be susceptible to material misstatement (fraud and
error)? This step is a requirement on all
• How could management perpetrate and conceal fraudulent financial reporting? It may be
helpful to develop various fraud scenarios or, where possible, use the services of a
forensic accountant. Consider journal entries, management bias in estimates/provisions,
changes in accounting policies, etc.
• How could assets be misappropriated or misused for personal
• Are there non-selfish incentives (such as to maintain a funding source for a
not-for-profit entity) to manipulate the financial

Response to Risks
• What possible audit procedures/approaches might be considered to respond to the risks
identified above?
• Consider whether an element of unpredictability will be incorporated into the nature,
timing and extent of the audit procedures to be

Key Area to Address: Audit Planning
Purpose: To provide direction

Specific Areas to Address
• Ensure that the specific requirements of all PSAs relevant to the audit are appropriately
addressed in the audit plan. PSAs that include specific procedures to be performed include:
  - PSA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial
    Statements
  - PSA 402 Audit Considerations Relating to an Entity Using a Service Organization
  - PSA 540 Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and
    Related Disclosures
  - PSA 550 Related Parties
  - PSA 600 Audits of Group Financial Statements (Including the Work of Component Auditors)
• Provide direction to the audit team:
  - Determine materiality levels.
  - Assign roles and responsibilities.
  - Provide staff with an overview of the audit sections they are responsible for
    completing. Address the approach required, special considerations, timing,
    documentation required, the extent of supervision provided, file review, and any other
• Stress the importance of maintaining professional skepticism the

Figure 3.2 shows an illustration of a memo on audit team discussions.

Figure 3.2 Illustrative Memo on Audit Team Discussions

Client: XYZ Company

Date of Meeting: December 10, 2014


1. Materiality and significant account balances.

2. Timing, key dates, and availability of client personnel.
3. What can we learn from past experience such as issues/events that
caused delays and areas of over-/under-auditing?
4. Any new concerns about management integrity, going concern,
litigation, etc.?
5. Changes this period in business operations and/or financial condition,
industry regulations, accounting policies used, and people.
6. Susceptibility of the financial statements to fraud. In what possible ways
could the entity be defrauded? Develop some possible scenarios, and
then plan procedures that would confirm or dispel any suspicions.
7. Significant risks that require special attention.
8. Appropriate audit responses to the risks identified.
9. Consider the need for specialized skills or consultants, testing internal
control vs. substantive procedures, the need to introduce
unpredictability in some audit tests, and work that could be completed
by the client.
10. Audit team roles, scheduling, and file reviews.

Prepared by: _____________ Date: _____________

Reviewed by: _____________ Date: _____________


This stage involves the identification and assessment of the risk of material misstatements
whether due to fraud or error at the financial statement and assertion levels, through
understanding the entity and its environment, including the entity’s internal control, thereby
providing a basis for designing and implementing responses to the assessed risks of material

The following are the activities involved in the performance of risk assessment procedures:

A. Identification of Inherent Risks (Business and Fraud Risks) and Significant Risks
B. Understanding the Design/Implementation of Relevant Internal Controls
C. Concluding the Risk Assessment Phase

Identification of Inherent Risk (Business and Fraud Risks) and Significant Risks

The following steps may be followed in the risk identification process:

1. Gather basic information about the entity

The starting point is to obtain a basic understanding or frame of reference for designing
the risk assessment procedures to be performed. The auditor will use a variety of tools to
understand the client’s business and its business risk. The auditor will obtain (or update)
and document relevant basic information about the entity, its objectives, culture,
operations, key personnel and the internal organization and control.

Documentation could include:

• Client-prepared information (e.g., strategic plans, its analysis of industry trends,
management style, documented policies and procedures)
• External data (e.g., industry reports)
• Relevant correspondence (e.g., legal, regulatory & government agencies, consultant’s
• Client’s key business procedures.

2. Design, perform and document risk assessment procedures.

Risk assessment procedures are performed so that (1) the sources of risks of material
misstatement are identified; (2) an appropriate understanding of the entity is obtained; and (3)
the necessary supporting audit evidence is obtained.

Inquiries of management can help identify and manage risk factors (particularly fraud).
Also, discussions among the audit team regarding the susceptibility of the entity’s
financial statements to material misstatement caused by error or fraud.

3. Relate the risks identified to material financial statement areas.

For each risk factor identified, identify the specific misstatements that could occur in the
financial statements as a result effect or pervasive risks help in assessing risks at the
financial statement level.

Relate the risks identified to the specific financial statement areas, disclosures and
assertions affected.

Illustrative: Documentation of Risk Identification and Implications to Financial Statements

Client: XYZ Company

Business Risks

Risk Event/Sources              Implication of the Risk Factor to FS        Assertions
------------------------------  ------------------------------------------  ----------
1. Downturn in economy          a. Receivable may be difficult to collect   V
                                b. Inventory write-down may be required     V
                                   due to
                                c. Breach of debt covenants                 P
2. New sales being sought in    a. Foreign exchange risks receivables       A
   other
3. General IT controls are      a. Data integrity may be compromised or     P
   weak in a number of areas       data may even be lost
4. Inventory clerk known to     a. Inventory balance may be misstated       CAEV
   make errors

Fraud Risks

Risk Event/Sources              Implication of the Risk Factor to FS        Assertions
------------------------------  ------------------------------------------  ----------
1. Minimize tax burden          a. Management bias in estimates (such as    CAV
                                   valuation of inventory to reduce
                                   income).
                                b. Unauthorized journal entries or          P
                                   manipulation of financial
2. Bonus to salesman based on   Inflated sales to meet threshold.           E
   sales above certain
   thresholds
3. Giving bribes to facilitate  Damage to reputation, overstatement of      CAE
   service or to obtain            expenses, unaccrued fines.
   contracts
4. Rapid growth putting         Financial statement manipulation to avoid   P
   pressure on financing           violation of bank covenant.

Risk Event/Sources              Implication of the Risk Factor to FS        Assertions
------------------------------  ------------------------------------------  ----------
1. High incidence of cash       Goods/cash stolen                           E
2. Transactions with related    Sales/purchases may not be valid, nor       P
   parties                         properly valued or disclosed in the
                                   financial
3. High volume, easily          Goods stolen from inventory                 E
   transportable items of
   inventory

Key: P = Pervasive (all assertions), C = Completeness, A = Accuracy, E = Existence,
V = Valuation

Understanding the Design and Implementation of Relevant Internal Controls

PSA 315.12 requires that the auditor shall obtain an understanding of internal control relevant to
the audit. Although most controls relevant to the audit are likely to relate to financial reporting,
not all controls that relate to financial reporting are relevant to the audit. It is a matter of the
auditor’s professional judgment whether a control, individually or in combination with others, is
relevant to the audit.

Specifically the auditor is required to obtain an understanding of the following:

A. Control Environment

The auditor shall obtain an understanding of the control environment. As part of
obtaining this understanding, the auditor shall evaluate whether:

(a) Management, with the oversight of those charged with governance, has created
and maintained a culture of honesty and ethical behavior; and
(b) The strengths in the control environment elements collectively provide an
appropriate foundation for the other components of internal control, and whether
those other components are not undermined by deficiencies in the control

B. Risk Assessment

The auditor shall obtain an understanding of whether the entity has a process for:

(a) Identifying business risks relevant to financial reporting objectives;
(b) Estimating the significance of the risks;
(c) Assessing the likelihood of their occurrence; and
(d) Deciding about actions to address those risks.

C. Information System

The auditor shall obtain an understanding of the information system, including the related
business processes, relevant to financial reporting, including the following areas:

(a) The classes of transactions in the entity’s operations that are significant to the
financial statements;

(b) The procedures, within both information technology (IT) and manual systems, by
which those transactions are initiated, recorded, processed, corrected as necessary,
transferred to the general ledger and reported in the financial statements;

(c) The related accounting records, supporting information and specific accounts in the
financial statements that are used to initiate, record, process and report transactions; this
includes the correction of incorrect information and how information is transferred to the
general ledger. The records may be in either manual or electronic form;

(d) How the information system captures events and conditions, other than transactions,
that are significant to the financial statements;

(e) The financial reporting process used to prepare the entity’s financial statements,
including significant accounting estimates and disclosures; and

(f) Controls surrounding journal entries, including non-standard journal entries used to
record non-recurring, unusual transactions or adjustments.

D. Control Activities

The auditor shall obtain an understanding of control activities relevant to the audit, being
those the auditor judges it necessary to understand in order to assess the risks of material
misstatement at the assertion level and design further audit procedures responsive to
assessed risks. An audit does not require an understanding of all the control activities
related to each significant class of transactions, account balance, and disclosure in the
financial statements or to every assertion relevant to them.

In understanding the entity’s control activities, the auditor shall obtain an understanding
of how the entity has responded to risks arising from IT.

E. Monitoring

The auditor shall obtain an understanding of the major activities that the entity uses to
monitor internal control over financial reporting, including those related to those control
activities relevant to the audit, and how the entity initiates remedial actions to
deficiencies in its controls.

Evaluating Internal Control Design and Implementation

The four steps in evaluating control design and implementation are shown in Figure 3.3.

Figure 3.3 Four Steps in Evaluating Control Design and

1. Risk Identification
What risks, if not mitigated by internal controls, could result in material misstatements
in the financial statements?

2. Evaluate Control Design
Are there controls capable of effectively preventing, or detecting and correcting the
material misstatements identified in step 1?

3 & 4. Evaluate Control Implementation and Documentation Operation
Do the controls exist and is the entity using them?

No: Report significant deficiencies in control to management and those charged with
governance.

Document the results and conclusions reached.

Illustrative Documentation of Identification and Evaluation of Relevant Internal Control

Step 1: Risk Identification

This is the first and most important step in evaluating internal control. It requires
identification of the risks which need to be mitigated by internal control. The
question this step seeks to answer is:

“What risks, if not mitigated by internal control, could result in material
misstatement in the financial statements?”

The risks could be identified as a result of obtaining an understanding of the entity,
with pervasive risk factors and the usual transactional risk factors associated with
business procedures such as sales, purchasing and payroll. Examples are:

1. Risk 1 No emphasis is placed on need for integrity and ethical values.

2. Risk 2 Incompetent employees may be hired or retained.

3. Risk 3 Management has a poor attitude toward internal control and/or
managing business risk.

Step 2: Control Design

This step involves inquiry about controls and evaluation of controls that
management has put in place to address the risks that have been identified in Step 1.

The question answered in this step is:

“Are there controls capable of effectively preventing or detecting and correcting
the material misstatements identified in Step 1?”

In relation to the three risks identified in Step 1, the following possible controls may
be inquired about and evaluated.

Risk 1 No emphasis is placed on need for integrity and ethical values.

Possible Controls

a) Management continually demonstrates, through words and actions, a
commitment to high ethical standards.
b) Management removes or reduces incentives that might cause personnel to
engage in dishonest or unethical acts.
c) Adoption of a Code of Conduct that sets out expected standards of ethical and
moral behavior.
d) Employees are always disciplined for improper behavior.

Risk 2 Incompetent employees may be hired or retained.

Possible Controls

a) Management specifies required knowledge and skills for employee positions.
b) Job descriptions exist and are effectively used.
c) Management provides personnel with access to training and professional
development programs on relevant topics
d) Staff are compensated and rewarded for good performance.

Risk 3 Management has a poor attitude toward internal control and/or managing business risk.

Possible Controls

a) Management demonstrates positive attitudes and actions toward the
establishment and maintenance of sound internal control over financial
b) Management emphasizes appropriate behavior to operating personnel.
c) Management has established procedures to prevent unauthorized access to or
destruction of assets, documents and records.

Step 3: Control Implementation

The third step is to determine whether the controls exist and are in use by the entity
through inquiry and testing.

The question answered in this step is:

“Do the controls exist and is the entity using them?”

If this question is answered yes, the auditor then proceeds to Step 4, where the
auditor documents the results and conclusions reached.

If the question is answered no, the auditor then reports significant deficiencies in
control to management and those charged with governance. The auditor then documents
the results and conclusion reached.

Step 4: Control Documentation

If the auditor determines, through inquiry and testing, that the company has strong
risk management and control processes in place, the auditor may be able to focus the
audit program on testing internal controls and developing corroborative evidence
based on more limited direct tests of account balances. On the other hand, if the
company does not have an effective risk management process in place, the auditor
will identify areas where account balances are more likely to be misstated and
concentrate direct tests of account balances in those areas.

Based on the foregoing, the auditor develops expectations and makes an assessment
of the risk that a particular account balance may be misstated. If the auditor has a
sound basis to believe the risk of misstatement is low, the auditor may be able to gain
satisfaction regarding the account balance without directly testing it. Other
techniques, such as using substantive analytical procedures or analyzing the quality
of the control system, may yield persuasive evidence about the correctness of an
account balance. This is not meant to imply that an auditor can perform a complete
audit without ever directly testing some account balances; it means that the amount
of testing can be minimized if risks are adequately addressed. However, if there is a
big risk that an account balance may be misstated, the auditor should direct more
attention to the audit of that account.

Illustrative Document of Control Deficiencies and Impact on Audit Response

Example 1

Risk factor/Assertion affected: Management has not considered or assessed the risks
of fraud occurring.

Auditor’s Thought Process

a) Deficiency identified: Members of the management team trust each other and are
reluctant to introduce costly policies, etc. that address the risk of fraud.

b) Potential effect on the financial statement: Management could override controls
and materially manipulate the financial statement.

c) Is deficiency considered significant? YES

d) Audit response: Review the specific procedures performed on journal entries,
related parties and revenue

Example 2

Risk factor/Assertion affected: Sales/services recorded in wrong accounting period.

Auditor’s Thought Process

a) Deficiency identified: No controls exist to prevent this from occurring. A number
of cutoff errors have been found in conducting the test of details.

b) Potential effect on the financial statements: Revenues could be materially
misstated in the financial statements.

c) Is deficiency considered significant? YES

d) Audit response: Additional audit procedures should be performed relating to cutoff.

Example 3

Risk factor/Assertion affected: Poor documentation to support the preparation of
estimates.

Auditor’s Thought Process

a) Deficiency identified: Client does not provide back-up documents to support their
estimates.

b) Potential effect on the financial statements: Considering the size of the
estimates, an error could result in a material error in the financial statements.

c) Is deficiency considered significant? YES

d) Audit response: Obtain evidence to support the assumption and perform
re-calculation.

Practical Pointers

• The auditor’s testing of the internal audit work can be limited but should be sufficient to
formulate an opinion on whether internal audit’s conclusions are supported by
independent evidence on the operation of controls.
• To obtain evidence about whether a control is effective, the auditor must directly test
the control. The auditor cannot infer the effectiveness of a control from the absence of
misstatements in the financial statements.
• The external auditor must perform enough work to make an independent decision about
the quality of the client’s internal controls.
• The more material the account is, the more evidence about internal controls should be
gathered independently by the external auditor.
• Auditors are required to assess control risk for each relevant assertion and for important
classes of transactions and account balances as a basis for planning the audit.
• Not all controls need to be tested. Further, controls for all assertions need not be tested if
the auditor believes that a misstatement related to a particular assertion would not be
• Once the significant accounts and their relevant assertions, as well as the process related to
those accounts, have been identified, the auditor determines the important controls, such
as those shown in the immediately preceding table, that need to be tested. The nature of
the testing will vary with the nature of the process, the materiality of the account balance,
and the control.

Concluding the Risk Assessment Phase

From the audit risk model, we know that companies with strong internal controls should
require less substantive testing of account balances. We also know that greater
computerization of processes increases the likelihood of consistent processing throughout the
year. The fundamental questions that the auditor must address to determine the optimal
amount of audit work are as follows:

1. How much assurance can be obtained regarding audit risk when internal control is
present and working?
2. If control activities within major processes are working properly throughout the year,
what is the residual risk that an account balance can still be misstated?
3. What is the risk that the auditor’s evaluation of internal controls might be incorrect?
4. Which account balances contain more than an acceptable amount of risk that a material
misstatement could occur?
5. How would a misstatement in a material account balance most likely occur?
6. What are the most effective substantive tests of account balances to determine whether
there is a misstatement in the account balance?

The auditor must answer these six important questions to plan an effective integrated audit.
There is no one right answer; all of the questions are interrelated. For example, the residual risk
of a material misstatement is dependent on the joint answer to the first three questions. The
remaining three questions address the identification of accounts that might be misstated, how a
misstatement could occur, and how the auditor would most effectively determine if a
misstatement did occur.