
ISA 315 – Identifying and assessing risks of material misstatement through understanding the entity and its environment

Understanding the entity and its environment

Internal Controls

Risk of material misstatement



Risk assessment procedures by themselves do not provide sufficient appropriate audit evidence

Inquiries from Management & internal audit staff

Analytical Procedures

Observation and Inspection


ISA 300 – Planning an Audit of Financial Statements

Industry information
Financial Reporting Framework
Nature of Entity / Operations
Ownership structure
Organogram
Nature of investments
Financing

Accounting Policies
Entity’s objectives
Business Risks
Financial Performance

Internal Controls
CONTROL FRAMEWORK
• U.S. companies use Committee of Sponsoring
Organizations of the Treadway Commission (COSO)
Internal Control—Integrated Framework
• Canada’s Guidance on Assessing Control (known as
“CoCo”)
• United Kingdom’s Internal Control: Guidance for
Directors on the Combined Code (known as the
Turnbull Report)
• ISO 31000

COSO Framework gives the following components:


1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring
Control Environment
• Control environment includes the governance and
management functions and the attitudes, awareness
and actions of those charged with governance and
management concerning the entity's internal control and
its importance in the entity.
• A strong control environment does not ensure
effectiveness of internal controls
Entity’s risk assessment process
The entity should have a process for:
1. Identifying business risks relevant to financial reporting
objectives;
2. Estimating the significance of the risks; (Impact)
3. Assessing the likelihood of their occurrence
(Probability); and
4. Deciding about actions to address those risks (Take
Risk, Transfer Risk, Reduce Risk, or avoid).
Risk can arise or change due to the following:
a) changes in the entity’s operating environment
b) new personnel
c) new or revamped information systems
d) rapid growth
e) new technology
f) new business models, products or activities
g) corporate restructurings
h) expanded foreign operations
i) new accounting pronouncements.
Examples of Control Activities
• Segregation of Duties (functions, steps, and operations)
• Approval of documents (managers – give limits)
• Controls over computerized applications
• Maintaining control accounts
• Reconciliations (bank, stock, debtors)
• Physical observation of cash, inventory counts
• Limiting physical access to assets and records
Information System

Risk Reporting
• What risks does the board need to understand?
• How often does it need to review them?
• What should be reviewed by the various committees
(e.g. investment, audit, HR)?
• For what purpose is the management asking the board
to consider these risks?
Monitoring
It is a process to assess the effectiveness of internal
control performance over time. It includes:
a) Assessing the design and operation of controls on a
timely basis
b) Taking necessary corrective actions modified for
changes in conditions.

The nature of responsibilities of the Internal Audit function, its organizational status, and the activities performed.
ISA 315 – Identifying and Assessing the Risk of Material
Misstatements through Understanding the Entity & its Environment
MANAGEMENT LETTER
• Auditor must communicate significant deficiencies
and material weaknesses in writing to those charged
with governance (BOD)
• Addressed to the audit committee
• ML is not mandatory; it is a value-added service
• Less significant internal control-related issues, as well
as opportunities for the client to make operational
improvements are also included.
AUDIT RISK
• Acceptable Audit Risk = Inherent x Control x Detection
• Detection Risk = AAR / (IR x CR)

Understanding Client’s Business
• Industry & Environment
• Business Operations
• Management & Governance
• Objectives & Strategies
Assess Risk
Hummingbird Scents Co (Hummingbird) manufactures and sells luxury toiletries; it has been trading for over 20 years and has a 30 September 2014 year end. Hummingbird sells products to trade customers via its own website; this represents 60% of revenue. Remaining revenue is generated by contracts to supply toiletries to hotels.

Hotel revenue: The hotel revenue is made up of four key customers. Hummingbird has one sales clerk, Brenda, who maintains all aspects of this revenue stream; Brenda receives customer orders, raises sales invoices and processes payments. In raising invoices, the sales system automatically inserts the online trade customer prices for products. However, each hotel customer has contracted prices which are lower than the online prices and hence Brenda manually edits the invoices prior to dispatch.

Online revenue: New trade customers are set up in the sales ledger master file upon passing suitable credit checks, and a credit limit is set at this stage by the finance director. Customers place online orders up to their pre-set credit limit; they receive an email confirmation and the sales order interfaces into the dispatch system. The order number is linked to the customer account number. Goods are dispatched daily with a goods dispatched note which is referenced to the sales order number but is not sequentially numbered. Hummingbird used to dispatch goods via a reliable national courier company. However, to reduce costs they have changed to a cheaper local courier and some orders have been delivered to customers late.

Trade customers’ sales invoices are automatically generated by the system on the day the online order is placed. The prices are inserted in accordance with the website rates. Occasionally Hummingbird makes special offers or discounts sales; when this occurs the master file data has to be amended to ensure that the correct prices are used on invoices. This task is usually performed by a senior sales ledger clerk.

Revenue and receivables records: On a monthly basis statements are sent to the hotel customers; a number of trade customers have been requesting monthly statements and Hummingbird is considering this request. The company only reconciles the sales ledger control account at the end of September in order to verify the year-end balance.
| Deficiency | Recommendation |
|---|---|
| Lack of segregation of duties | Raising orders and invoicing should be done by a different person than the one processing payments |
| Contracted prices – manually updated in invoice | Amending the system – or some other employee checking input |
| Credit limits not reviewed – they are only fed into the system once | Regular review of credit limits |
| No sequential numbers on GDN | All documents to be sequenced |
| Late delivery by new courier – chance of lost sales due to being late | Review delivery schedules, and if consistently late, change courier |
| Invoice printed with orders – early revenue recognition | Invoices only to be sent after dispatch of goods |
| Master file amended for discounts by clerk – incorrect amendment | Each change to be checked by a responsible senior person |
| Master file should not be amended by a clerk – access restriction | Senior management should be responsible for master file |
| Monthly statements not sent to customers – increased errors | Monthly statements for customers (both hotel and others) |
| Sales ledger control account only reconciled at year end – errors identified late | Must be reconciled at least quarterly |
| | Revenue Cycle | Payroll Cycle | Purchase | Inventory |
|---|---|---|---|---|
| Inherent Risk | Medium | Low | High | High |
| Control Risk | Low | Low | Low | High |
| Acceptable Audit Risk | Low | Low | Low | Low |
| Detection Risk | Medium | Low | Medium | High |
