Scope
This ISA deals with the responsibility of the auditor to identify and assess the risks of material misstatement in the financial statements, through knowledge of the entity and its environment, including the entity's internal control.
identification-and-assessment-of-risks-in-the-auditobjective
Identify and assess the risks of material misstatement, due to fraud or error, both in the financial statements and in the statements, through knowledge of the entity and its environment, including its internal control, in order to provide a basis for the design and implementation of responses to assessed risks of material misstatement.
Definitions
a) Affirmations. Management statements, explicit or not, included in the financial statements and taken into account by the auditor when considering the different types of misstatements that may exist.
b) Business risk. Risk derived from significant conditions, events, circumstances, actions or omissions that could negatively affect the ability of an entity to achieve its objectives and execute its strategies or derived from the establishment of inappropriate objectives and strategies.
c) Internal control. Process designed, implemented and maintained by those responsible for the corporate governance of the entity, the management and other personnel, in order to provide reasonable assurance about the achievement of the entity's objectives regarding the reliability of financial information, the effectiveness and efficiency of operations, as well as compliance with applicable legal and regulatory provisions. The term "controls" refers to any aspect of one or more components of internal control.
d) Significant risk. Identified and assessed risk of material misstatement that, in the auditor's judgment, requires special consideration in the audit.
Affirmations - Explicit Manifestations
General Law of Government Accounting
Article 49.- The notes to the financial statements are an integral part thereof; they must reveal and provide additional and sufficient information to expand and give meaning to the data contained in the reports, and comply with the following:
I. Include the statement of responsibility for the fair presentation of the financial statements;
II. Indicate the technical bases on which the registration, recognition and presentation of budget, accounting and patrimonial information is based;
III. It should be noted that the information was prepared in accordance with the technical standards, criteria and principles issued by the board and the applicable legal provisions, obeying the best accounting practices;
Affirmations - Explicit Representations - Public Company
A111 (a) Statements about types of transactions and events:
Idea
The transactions and events that have been recorded are real and are related to the entity.
Integrity All transactions and events that should have been recorded have been recorded.
Accuracy The amount and other information related to the transactions and events recorded have been properly recorded.
Cut Transactions and events have been recorded in the corresponding accounting period.
Classification Transactions and events have been recorded in the appropriate accounting accounts.
A111 (b) Statements about book balances:
Existence
Assets, liabilities, and capital exist (they are real).
Rights and obligations The entity maintains or controls the rights to assets and liabilities are obligations of the entity.
Integrity All assets, liabilities and capital that should have been recorded have been recorded.
Valuation and accommodation Assets, liabilities and capital are included in the financial statements with the appropriate balances and any adjustments for valuation and accommodation are duly recorded.
A111 (c) Claims on Presentation and Disclosure:
Occurrence and rights and obligations: The disclosure of events, transactions and other matters have occurred and concern the entity.
Integrity: All disclosures that should be included in the financial statements have been included.
Classification and understanding: Financial information is appropriately presented and described, and disclosures are clearly stated.
Accuracy and valuation: Financial information and other information are disclosed appropriately and for the correct amounts.
P6. Risk assessment procedures:
a) Inquiries before the management and other persons of the entity * that, in the opinion of the auditor, may have information that may facilitate the identification of the risks of material misstatement, due to fraud or error (includes evaluation of fraud, accounting policies used, continuity of the entity as a going concern, transactions with affiliates).
(*) 1. Those responsible for financial information, 2. Those in charge of corporate governance, 3. Internal audit (if applicable), 4. Employees involved in the initiation, processing or recording of complex or unusual transactions and, 5. Other areas business (in-house attorneys, marketing staff, sales, etc.
P6. Risk assessment procedures:
b) Analytical procedures (financial and non-financial, eg simple reasons, unusual transaction identifications, trends).
c) Observation and inspection.
Likewise, the information on the acceptance and / or continuity process with the client and, where appropriate, the accumulated experience must be considered.
Audit team meeting
The engagement partner and other key members of the audit team should meet to discuss:
- The susceptibility of the financial statements of the entity to include material errors and
- To comment on the application of the provisions of the reference framework of the Financial Reporting Standards applicable to the entity.
The partner in charge of the engagement should determine what issues are to be communicated to team members who did not participate in the meeting.
The entity and its environment
Q11. The auditor's knowledge of the entity and its environment includes knowing information on the following five topics:
- Industry, regulatory and other external factors Nature of the entity Selection and application of accounting policies Objectives, strategies and risks related to the business Measurement and review of the financial performance of the entity
The entity and its environment
1. Industry, regulatory and other external factors.
Competitive environment, relationships with suppliers and customers, the market, competition, demand, capacity, prices, cyclical or seasonal activity, product technology, energy supply and cost, industry risks, experience and knowledge about it.
Industry accounting practices, legislation and regulation, taxes, policies, government restrictions and supports, and environmental requirements.
General economic conditions, interest rates or availability of financing, inflation and exchange rate.
The entity and its environment
2. Nature of the entity.
Business operations: sources of income, products or services, sales, production methods, alliances, joint ventures, outsourcing, segmentation, warehouses, offices, locations, customers, suppliers and unions
Investments and investing activities: acquisitions, securities and capital of job.
Financing and financing activities: associates, subsidiaries, debt, financing, derivatives and partners.
Financial information: accounting rules and industry practices (income, complex transactions).
The entity and its environment
3. Selection and application of accounting policies.
Record of important and unusual transactions.
Accounting policies in controversial or emerging areas where authorized guidelines or consensus are lacking.
Changes in accounting policies and financial reporting standards, laws and regulations that are new.
The entity and its environment 4. Business objectives, strategies and risks.
Industry developments, new products and services, business expansion, IT. Other conditions that may indicate the existence of a risk of material error are:
- Devaluation, inflation, volatile markets, complex regulation, governmental or regulatory bodies, non-routine / non-systematic transactions.
- Business in progress, capital and credit restrictions, refinancing, supply chain, new locations, reorganizations, departure of key executives.
- Deficiencies in internal control, past mistakes.
The entity and its environment
5. Measurement and review of financial performance.
Key performance indicators (financial and non-financial), proportions, trends and statistics.
Period-over-period analysis of financial performance.
Budgets, forecasts, analysis of variations, information of segments / divisions / departments, etc.
Incentive compensation policies and measures.
Comparisons of an entity's performance with that of its competitors.
Components of internal control:
- Control environment Risk assessment process Information systems Control activities Control monitoring
The Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Control Environment
The auditor should obtain an understanding of the control environment. As part of this understanding, the auditor should evaluate whether:
a) Management, under the supervision of those charged with governance of the entity, has created and maintained a culture of honesty and ethical conduct; and
b) The strengths of the elements of the control environment provide, together, an adequate basis for the other components of the internal control, and whether those other components are adversely affected by weaknesses in the control environment.
Control environment (Annex 1)
The control environment includes the following elements:
a) Communication and monitoring of integrity and ethical values.
b) Commitment to competition.
c) Participation of those responsible for the governance of the entity.
d) Philosophy and operational style of the administration.
e) Organizational structure.
f) Assignment of authority and responsibility.
g) Human resources policies and practices.
Entity risk assessment process
The auditor should obtain an understanding of whether the entity has a process in place for:
a) Identify the relevant business risks for the achievement of financial reporting objectives;
b) Estimate the importance of risks.
c) Evaluate the probability of its occurrence.
d) Decide on the actions to face these risks.
Entity's risk assessment process (Annex 1)
Risks may arise or vary due to circumstances such as the following:
a) Changes in the operating environment.
b) New staff.
c) New or updated information systems.
d) Rapid growth.
e) New technology.
f) New business models, products or activities.
g) Corporate restructuring.
h) Expansion of operations abroad.
i) New accounting pronouncements.
Conditions and events that may indicate risks of material error (Annex 2)
The examples given cover a wide range of conditions and events; however, not all conditions and events are relevant to all audit jobs and the list of examples is not complete:
Operations in economically unstable regions, for example, countries with significant currency devaluation or highly inflationary economies.
Operations exposed to volatile markets, for example, futures trading.
Operations subject to a high degree of complex regulation.
Going business and liquidity issues including loss of important customers.
Restrictions on the availability of capital and credit.
Changes in the industry in which the entity operates.
Changes in the supply chain.
Conditions and events that may indicate risks of material error (Annex 2)
Development or offer of new products or services, or change to new lines of business.
Expansion to new locations.
Changes in the entity such as large acquisitions or reorganizations or other unusual events.
Entities or business segments likely to be sold.
The existence of complex alliances and joint ventures.
Use of off-balance sheet finance, special purpose entities, and other complex financing arrangements.
Major transactions with related parties.
Lack of staff with appropriate financial reporting and accounting skills.
Changes in key personnel including departure of key executives.
Weaknesses in internal control, especially those not addressed by the administration.
Conditions and events that may indicate risks of material error (Annex 2)
Inconsistencies between the entity's IT strategy and its business strategies.
Changes in the IT environment.
Installation of major new IT systems related to financial information.
Investigations of the operations or financial results of the entity, by regulatory or governmental bodies.
Past misstatements, history of errors, or a significant number of end-of-year adjustments.
Significant amount of non-routine or unsystematic transactions, including inter-company transactions and with high income at the end of the year
Transactions that are recorded based on management purposes, for example, debt refinancing, assets to sell and classification of marketable securities.
Conditions and events that may indicate risks of material error (Annex 2)
Application of new accounting pronouncements.
Accounting measurements that involve complex processes.
Events or transactions that imply a significant lack of certainty in the measurement, including accounting estimates.
Pending litigation and contingent obligations, for example, sales guarantees, financial guarantees and environmental remediation.
Information system, including related business processes, relevant for financial reporting and communication
The auditor should obtain an understanding of the information system, including those related to business processes, that are relevant to financial information, considering the following areas:
How the information system captures events and conditions other than transactions that are important to financial statements;
The financial reporting process used to prepare the entity's financial statements, including significant accounting estimates and disclosures; and
Controls over journal entries, including non-standard journal entries that are used to record non-recurring, or unusual transactions or adjustments.
Information system, including related business processes, relevant for financial information and communication (Annex 1)
It encompasses the methods and records that:
They identify and record all valid transactions.
They describe transactions in a timely manner in sufficient detail to allow proper classification of transactions for financial information.
They measure the value of transactions in a way that allows their appropriate monetary value to be recorded in the financial statements.
They determine the period of time in which the transactions occurred to allow recording of the transactions in the appropriate accounting period.
Control activities
The auditor must obtain an understanding of the control activities relevant to the audit, considering those that the auditor deems necessary to understand, to assess the risks of material error at the assertion level, and also design additional audit procedures that respond to the assessed risks.. An audit does not require an understanding of all the control activities related to each major class of transactions, account balance, and disclosure in the financial statements or with each assertion relevant to them.
Control activities
Control activities that may be relevant to an audit can be categorized as policies and procedures relevant to the following (Annex 1):
a) Reviews of results (budgets).
b) Information processing (application controls and general IT controls).
c) Physical controls (physical security of assets, safeguards, authorization for access to computer programs and files, periodic count and comparison vs. records).
d) Segregation of functions (Authorization of transactions, registration and custody of assets).
Control monitoring
The auditor should obtain an understanding of the main activities that the entity has in place to monitor internal control over financial information, including those related to control activities relevant to the audit, and how the entity initiates corrective actions for weaknesses in its controls.
Monitoring of controls (Annex 1)
Monitoring of controls may include activities such as management's review of whether bank reconciliations are prepared in a timely manner; If the timing and accuracy of bank reconciliations are not monitored, staff will likely stop preparing them.
Internal auditors or personnel performing similar functions can contribute to the monitoring of an entity's controls through separate evaluations.
Monitoring activities may include using information from external parties' communications that may indicate problems or highlight areas in need of improvement. Customers implicitly corroborate billing information when paying their bills or complaining about charges.
The internal control of the entity
The auditor should understand the aspects of internal control in force in the entity that are relevant to the audit. Not all controls that relate to such information are relevant to an audit. It is a matter of the auditor's professional judgment to consider whether a control, individually, or in combination with others, is relevant to the audit.
Once the auditor has understood and understood the controls that are relevant to the audit, the auditor must evaluate the design of those controls and determine and test whether they have been put into operation, for which he must apply the audit procedures that he considers appropriate in the circumstances, and should be complemented by questions asked to the entity's staff.
Design vs. Implementation
The evaluation of the design of a control considers taking into account whether the control, individually or in combination with other controls, is capable of effectively preventing, detecting and correcting important errors. The implementation of a control means that the control exists and that the entity is using it.
There is no point in evaluating the application of a control that is not effective, so the design of the control should be evaluated first. An improperly designed control may represent a material weakness of the entity's internal control.
Documentation:
- The work meetings held with the audit team in which the required points were discussed, as well as the important decisions taken The key elements of the understanding obtained with respect to each of the aspects of the entity and its environment and each of the internal control components; the sources of information from which it obtained its understanding and the risk assessment procedures performed. The identified and assessed risks of material misstatement at the financial statement level and at the assertion level
(validity, integrity, recording, cutoff, valuation and presentation). identified risks and related controls about which the auditor has obtained an understanding.
