ASA 2020-1 |
Auditing Standard ASA 2020-1
Amendments to Australian Auditing Standards
Issued by the Auditing and Assurance Standards Board
This Auditing Standard is available on the Auditing and Assurance Standards Board (AUASB) website: www.auasb.gov.au
Auditing and Assurance Standards Board Podium Level 14, 530 Collins Street Melbourne Victoria 3000 AUSTRALIA | Phone: (03) 8080 7400 E-mail: enquiries@auasb.gov.au Postal Address: PO Box 204, Collins Street West Melbourne Victoria 8007 AUSTRALIA |
© 2020 Commonwealth of Australia. The text, graphics and layout of this Auditing Standard are protected by Australian copyright law and the comparable law of other countries. Reproduction within Australia in unaltered form (retaining this notice) is permitted for personal and non‑commercial use subject to the inclusion of an acknowledgment of the source as being the Australian Auditing and Assurance Standards Board (AUASB).
Requests and enquiries concerning reproduction and rights for commercial purposes should be addressed to the Technical Director, Auditing and Assurance Standards Board, PO Box 204, Collins Street West, Melbourne, Victoria 8007 or sent to enquiries@auasb.gov.au. Otherwise, no part of this Auditing Standard may be reproduced, stored or transmitted in any form or by any means without the prior written permission of the AUASB except as permitted by law.
ISSN 1833-4393
PREFACE
AUTHORITY STATEMENT
CONFORMITY WITH INTERNATIONAL STANDARDS ON AUDITING
Paragraphs
Application...............................................................1-2
Operative Date..............................................................3
Introduction
Scope of this Auditing Standard..................................................4
Objective..................................................................5
Definition..................................................................6
Amendments to Auditing Standards............................................7-8
Amendments to ASA 200.....................................................9-28
Amendments to ASA 210....................................................29-30
Amendments to ASA 230....................................................31-34
Amendments to ASA 240....................................................35-55
Amendments to ASA 250....................................................56-57
Amendments to ASA 260....................................................58-60
Amendments to ASA 265....................................................61-64
Amendments to ASA 300....................................................65-66
Amendments to ASA 320....................................................67-68
Amendments to ASA 330...................................................69-108
Amendments to ASA 402..................................................109-125
Amendments to ASA 500..................................................126-128
Amendments to ASA 501.....................................................129
Amendments to ASA 505..................................................130-132
Amendments to ASA 520..................................................133-134
Amendments to ASA 530..................................................135-136
Amendments to ASA 540..................................................137-179
Amendments to ASA 550..................................................180-189
Amendments to ASA 570..................................................190-191
Amendments to ASA 600..................................................192-198
Amendments to ASA 610..................................................199-204
Amendments to ASA 620.....................................................205
Amendments to ASA 700.....................................................206
Amendments to ASA 701..................................................207-209
Amendments to ASA 720..................................................210-211
Amendments to ASA 800......................................................212
The AUASB issues Auditing Standard ASA 2020-1 Amendments to Australian Auditing Standards pursuant to the requirements of the legislative provisions and the Strategic Direction explained below.
The AUASB is a non corporate Commonwealth entity of the Australian Government established under section 227A of the Australian Securities and Investments Commission Act 2001, as amended (ASIC Act). Under section 336 of the Corporations Act 2001, the AUASB may make Auditing Standards for the purposes of the corporations legislation. These Auditing Standards are legislative instruments under the Legislation Act 2003.
Under the Strategic Direction given to the AUASB by the Financial Reporting Council (FRC), the AUASB is required, inter alia, to develop auditing standards that have a clear public interest focus and are of the highest quality.
This Auditing Standard makes amendments to the requirements and/or application and other explanatory material and/or appendices of the following Auditing Standards:
ASA 210 Agreeing the Terms of Audit Engagements (Issued October 2009 and amended to May 2017)
ASA 230 Audit Documentation (Issued October 2009 and amended to December 2018)
ASA 240 The Auditor's Responsibilities Relating to Fraud in an Audit of a Financial Report (Issued October 2009 and amended to December 2018)
ASA 250 Consideration of Laws and Regulations in an Audit of a Financial Report (Issued May 2017)
ASA 260 Communication With Those Charged with Governance (Issued December 2015 and amended to December 2018)
ASA 265 Communicating Deficiencies in Internal Control to Those Charged with Governance and Management (Issued October 2009 and amended to November 2013)
ASA 300 Planning an Audit of a Financial Report (Issued October 2009 and amended to December 2015)
ASA 320 Materiality in Planning and Performing an Audit (Issued October 2009 and amended to December 2015)
ASA 330 The Auditor's Responses to Assessed Risks (Issued October 2009 and amended to December 2015)
ASA 402 Auditing Considerations Relating to an Entity Using a Service Organisation (Issued October 2009 and amended to November 2013)
ASA 500 Audit Evidence (Issued October 2009 and amended to December 2018)
ASA 501 Audit Evidence—Specific Considerations for Inventory and Segment Information (Issued October 2009 and amended to July 2011)
ASA 505 External Confirmations (Issued October 2009 and amended to December 2018)
ASA 520 Analytical Procedures (Issued October 2009 and amended to December 2018)
ASA 530 Audit Sampling (Issued October 2009)
ASA 540 Auditing Accounting Estimates and Related Disclosures (Issued December 2018)
ASA 550 Related Parties (Issued October 2009 and amended to November 2013)
ASA 570 Going Concern (Issued December 2015)
ASA 600 Special Considerations-Audits of a Group Financial Report (Issued October 2009 and amended to December 2015)
ASA 610 Using the Work of Internal Auditors (Issued November 2013)
ASA 620 Using the Work of an Auditor's Expert (Issued October 2009)
ASA 700 Forming an Opinion and Reporting on a Financial Report (Issued December 2015 and amended to December 2018)
ASA 701 Communicating Key Audit Matters in the Independent Auditor’s Report (Issued December 2015 and amended to December 2018)
ASA 720 The Auditor's Responsibilities Relating to Other Information (Issued December 2015)
ASA 800 Special Considerations – Audits of Financial Reports Prepared in Accordance with Special Purpose Frameworks (Issued July 2016 and amended to May 2017)
The amendments arise from changes made by the International Auditing and Assurance Standards Board (IAASB) to ISA 315 (Revised) Identifying and Assessing the Risks of Material Misstatement. Under the Strategic Direction given to the AUASB by the Financial Reporting Council (FRC), the AUASB is required to have regard to any programme initiated by the IAASB for the revision and enhancement of the International Standards on Auditing (ISAs) and to make appropriate consequential amendments to the Australian Auditing Standards.
The Auditing and Assurance Standards Board (AUASB) makes this Auditing Standard ASA 2020-1 Amendments to Australian Auditing Standards pursuant to section 227B of the Australian Securities and Investments Commission Act 2001 and section 336 of the Corporations Act 2001.
Dated: 3 March 2020 R Simnett AO
Chair - AUASB
This Auditing Standard has been made for Australian legislative purposes and accordingly there is no equivalent International Standard on Auditing (ISA) issued by the International Auditing and Assurance Standards Board (IAASB), an independent standard‑setting board of the International Federation of Accountants (IFAC).
2. This Auditing Standard also applies, as appropriate, to an audit of other historical financial information.
3. This Auditing Standard is operative for financial reporting periods commencing on or after 15 December 2021, with early adoption, in conjunction with ASA 315 Identifying and Assessing the Risks of Material Misstatement permitted.
4. This Auditing Standard makes amendments to Australian Auditing Standards. The amendments arise from consequential and conforming changes arising from the issuance of ASA 315 Identifying and Assessing the Risks of Material Misstatement.
5. The objective of this Auditing Standard is to make amendments to the following Auditing Standards:
(b) ASA 210 Agreeing the Terms of Audit Engagements (Issued October 2009 and amended to May 2017)
(c) ASA 230 Audit Documentation (Issued October 2009 and amended to December 2018)
(d) ASA 240 The Auditor's Responsibilities Relating to Fraud in an Audit of a Financial Report (Issued October 2009 and amended to December 2018)
(e) ASA 250 Consideration of Laws and Regulations in an Audit of a Financial Report (Issued May 2017)
(f) ASA 260 Communication With Those Charged with Governance (Issued December 2015 and amended to December 2018)
(g) ASA 265 Communicating Deficiencies in Internal Control to Those Charged with Governance and Management (Issued October 2009 and amended to November 2013)
(h) ASA 300 Planning an Audit of a Financial Report (Issued October 2009 and amended to December 2015)
(i) ASA 320 Materiality in Planning and Performing an Audit (Issued October 2009 and amended to December 2015)
(j) ASA 330 The Auditor's Responses to Assessed Risks (Issued October 2009 and amended to December 2015)
(k) ASA 402 Auditing Considerations Relating to an Entity Using a Service Organisation (Issued October 2009 and amended to November 2013)
(l) ASA 500 Audit Evidence (Issued October 2009 and amended to December 2018)
(m) ASA 501 Audit Evidence—Specific Considerations for Inventory and Segment Information (Issued October 2009 and amended to July 2011)
(n) ASA 505 External Confirmations (Issued October 2009 and amended to December 2018)
(o) ASA 520 Analytical Procedures (Issued October 2009 and amended to December 2018)
(p) ASA 530 Audit Sampling (Issued October 2009)
(q) ASA 540 Auditing Accounting Estimates and Related Disclosures (Issued December 2018)
(r) ASA 550 Related Parties (Issued October 2009 and amended to November 2013)
(s) ASA 570 Going Concern (Issued December 2015)
(t) ASA 600 Special Considerations-Audits of a Group Financial Report (Issued October 2009 and amended to December 2015)
(u) ASA 610 Using the Work of Internal Auditors (Issued November 2013)
(v) ASA 620 Using the Work of an Auditor's Expert (Issued October 2009)
(w) ASA 700 Forming an Opinion and Reporting on a Financial Report (Issued December 2015 and amended to December 2018)
(x) ASA 701 Communicating Key Audit Matters in the Independent Auditor’s Report (Issued December 2015 and amended to December 2018)
(y) ASA 720 The Auditor's Responsibilities Relating to Other Information (Issued December 2015)
(z) ASA 800 Special Considerations – Audits of Financial Reports Prepared in Accordance with Special Purpose Frameworks (Issued July 2016 and amended to May 2017)
6. For the purposes of this Auditing Standard, the meanings of terms are set out in each Auditing Standard and in the AUASB Glossary.
8. Throughout the Australian Auditing Standards all references to the title of ASA 315 have been amended to ASA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment. In addition to the Auditing Standards listed in paragraph 5, the following Auditing Standards follow the same amendment to the title of ASA 315.
(a) ASA 220 Quality Control for an Audit of a Financial Report and Other Historical Financial Information (Issued October 2009 and amended to May 2017)
(b) ASA 510 Initial Audit Engagements—Opening Balances (Issued October 2009 and amended to December 2015)
(c) ASRE 2410 Review of a Financial Report Performed by the Independent Auditor of the Entity (Issued October 2009 and amended to July 2013)
9. Existing paragraph 7 is amended to read follows:
The ASAs contain objectives, requirements and application and other explanatory material that are designed to support the auditor in obtaining reasonable assurance. The ASAs require that the auditor exercise professional judgement and maintain professional scepticism throughout the planning and performance of the audit and, among other things:
…
10. Existing paragraph 13 is amended to read as follows:
For purposes of the ASAs, the following terms have the meanings attributed below:
…
(n) Risk of material misstatement – The risk that the financial report is materially misstated prior to audit. This consists of two components, described as follows at the assertion level: (Ref: Para. A3)
(i) Inherent risk – The susceptibility of an assertion about a class of transaction, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.
(ii) Control risk – The risk that a misstatement that could occur in an assertion about a class of transactions, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s internal controls.
…
Risk of Material Misstatement (Ref: Para. 13(n))
12. Following the sub-heading inserted above, the following paragraph A3 is inserted:
For the purposes of the ASAs, a risk of material misstatement exists when there is a reasonable possibility of:
(a) A misstatement occurring (i.e., its likelihood); and
(b) Being material if it were to occur (i.e., its magnitude).
13. As a result of the insertion of the paragraph above, subsequent paragraphs of this Auditing Standard are re-numbered and references to these paragraphs are updated accordingly.
14. Existing footnote 17 in paragraph A30 is amended to read as follows:
See ASA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment, paragraph 916.
15. Existing paragraph A40 is amended to read as follows:
Inherent risk is influenced by inherent risk factors. higher for some assertions and related classes of transactions, account balances, and disclosures than for others. Depending on the degree to which the inherent risk factors affect the susceptibility to misstatement of an assertion, the level of inherent risk varies on a scale that is referred to as the spectrum of inherent risk. The auditor determines significant classes of transactions, account balances and disclosures, and their relevant assertions, as part of the process of identifying and assessing the risks of material misstatement. For example, it may be higher for complex calculations or for accounts balances consisting of amounts derived from accounting estimates that are subject to significant estimation uncertainty may be identified as significant account balances, and the auditor’s assessment of inherent risk for the related risks at the assertion level may be higher because of the high estimation uncertainty.
16. The following paragraph A42 is inserted following the paragraph above:
External circumstances giving rise to business risks may also influence inherent risk. For example, technological developments might make a particular product obsolete, thereby causing inventory to be more susceptible to overstatement. Factors in the entity and its environment that relate to several or all of the classes of transactions, account balances, or disclosures may also influence the inherent risk related to a specific assertion. Such factors may include, for example, a lack of sufficient working capital to continue operations or a declining industry characterised by a large number of business failures.
17. As a result of the insertion of the paragraph above, subsequent paragraphs of this Auditing Standard are re-numbered and references to these paragraphs are updated accordingly.
18. Existing paragraph A41 is amended to read as follows:
Control risk is a function of the effectiveness of the design, implementation and maintenance of internal controls by management to address identified risks that threaten the achievement of the entity’s objectives relevant to preparation of the entity’s financial report. However, internal control, no matter how well designed and operated, can only reduce, but not eliminate, risks of material misstatement in the financial report, because of the inherent limitations of internal controls. These include, for example, the possibility of human errors or mistakes, or of controls being circumvented by collusion or inappropriate management override. Accordingly, some control risk will always exist. The ASAs provide the conditions under which the auditor is required to, or may choose to, test the operating effectiveness of controls in determining the nature, timing and extent of substantive procedures to be performed.18
19. Existing paragraph A42 is amended to read as follows:
The assessment of the risks of material misstatement may be expressed in quantitative terms, such as in percentages, or in non-quantitative terms. In any case, the need for the auditor to make appropriate risk assessments is more important than the different approaches by which they may be made. The Australian Auditing Standards typically refer to do not ordinarily refer to inherent risk and control risk separately, but rather to a combined assessment of the “risks of material misstatement.” rather than to inherent risk and control risk separately. However, ASA 540315[19] requires a separate assessment of inherent risk to be assessed separately from and control risk to provide a basis for designing and performing further audit procedures to respond to the assessed risks of material misstatement at the assertion level, including significant risks, for accounting estimates at the assertion level in accordance with ASA 330.20 In identifying and assessing risks of material misstatement for significant classes of transactions, account balances or disclosures other than accounting estimates, the auditor may make separate or combined assessments of inherent and control risk depending on preferred audit techniques or methodologies and practical considerations.
20. The following paragraph A46 is inserted following existing paragraph A43 of this Auditing Standard:
Risks of material misstatement are assessed at the assertion level in order to determine the nature, timing and extent of further audit procedures necessary to obtain sufficient appropriate audit evidence.21
21. As a result of the insertion of the paragraph above, subsequent paragraphs and footnotes of this Auditing Standard are re-numbered and references to these paragraphs and footnotes are updated accordingly.
22. Existing footnote 23 in paragraph A52 is amended to read as follows:
See ASA 315, paragraphs 5-1013-18.
23. Existing paragraph A61 is amended to read as follows:
Where necessary, the application and other explanatory material provides further explanation of the requirements of an ASA and guidance for carrying them out. In particular, it may:
…
Scalability considerations have been included in some ASAs (e.g., ASA 315), illustrating the application of the requirements to all entities regardless of whether their nature and circumstances are less complex or more complex. Less complex entities are entities for which the characteristics in paragraph A66 may apply.
25. Existing paragraph A67 is now moved to paragraph A70 and is amended to read as follows:
The “considerations specific to smaller entities” included in some the ASAs have been developed primarily with unlisted entities in mind. Some of the considerations, however, may be helpful in audits of smaller listed entities.
26. As a result of the changes above, subsequent paragraphs of this Auditing Standard are re-numbered and references to these paragraphs are updated accordingly.
27. Existing paragraph A66 is amended to read as follows:
For purposes of specifying additional considerations to audits of smaller entities, a “smaller entity” refers to an entity which typically possesses qualitative characteristics such as:
…
(b) One or more of the following:
…
(iv) Simpler systems of Few internal controls;
…
28. The sub-heading Considerations Specific to Automated Tools and Techniques is inserted following existing paragraph Aus A68.1 of this Auditing Standard. The following paragraph A72 is then inserted following this sub-heading.
The considerations specific to “automated tools and techniques” included in some ASAs (for example, ASA 315) have been developed to explain how the auditor may apply certain requirements when using automated tools and techniques in performing audit procedures.
29. Existing footnote 14 in paragraph A16 is amended to read as follows:
See ASA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment, Appendix 3 paragraph 22paragraph A54.
30. Existing paragraph A18 is amended to read as follows:
It is for management to determine what internal control is necessary to enable the preparation of the financial report. The term “internal control” encompasses a wide range of activities within components of the system of internal control that may be described as the control environment; the entity’s risk assessment process; the entity’s process to monitor the system of internal control, the information system, including the related business processes relevant to financial reporting, and communication; and control activities; and monitoring of controls. This division, however, does not necessarily reflect how a particular entity may design, implement and maintain its internal control, or how it may classify any particular component.[15] An entity’s internal control (in particular, its accounting books and records, or accounting systems) will reflect the needs of management, the complexity of the business, the nature of the risks to which the entity is subject, and relevant laws or regulation.
31. Existing footnote 5 in paragraph A7 is amended to read as follows:
See ASA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment, paragraph 1710.
32. Existing footnote 6 in paragraph A8 is amended to read as follows:
See ASA 315, paragraph 4(e)12(l).
33. Existing paragraph A17 is amended to read as follows:
When preparing audit documentation, the auditor of a smaller entity may also find it helpful and efficient to record various aspects of the audit together in a single document, with cross-references to supporting working papers as appropriate. Examples of matters that may be documented together in the audit of a smaller entity include the understanding of the entity and its environment, the applicable financial reporting framework, and the entity’s system of internal control, the overall audit strategy and audit plan, materiality determined in accordance with ASA 320,9 assessed risks, significant matters noted during the audit, and conclusions reached.
34. Existing Appendix 1 is amended to read as follows:
Specific Audit Documentation Requirements in Other Australian Auditing Standards
This appendix identifies paragraphs in other Australian Auditing Standards that contain specific documentation requirements. The list is not a substitute for considering the requirements and related application and other explanatory material in Australian Auditing Standards.
…
35. Existing paragraph 7 is amended to read as follows:
Furthermore, the risk of the auditor not detecting a material misstatement resulting from management fraud is greater than for employee fraud, because management is frequently in a position to directly or indirectly manipulate accounting records, present fraudulent financial information or override controls procedures designed to prevent similar frauds by other employees.
36. Existing footnote 6 in paragraph 16 is amended to read as follows:
See ASA 315, paragraph 17‒18 10
37. Existing paragraph 17 is amended to read as follows:
When performing risk assessment procedures and related activities to obtain an understanding of the entity and its environment, the applicable financial reporting framework and including the entity’s system of internal control, required by ASA 315,7 the auditor shall perform the procedures in paragraphs 2317–4324 to obtain information for use in identifying the risks of material misstatement due to fraud.
38. Existing paragraph 21 is amended to read as follows:
Unless all of those charged with governance are involved in managing the entity,8 the auditor shall obtain an understanding of how those charged with governance exercise oversight of management’s processes for identifying and responding to the risks of fraud in the entity and the internal controls that management has established to mitigate these risks. (Ref: Para. A20-A22)
39. Existing footnote 9 in paragraph 26 is amended to read as follows:
See ASA 315, paragraph 2825
40. Existing paragraph 28 is amended to read as follows:
The auditor shall treat those assessed risks of material misstatement due to fraud as significant risks and accordingly, to the extent not already done so, the auditor shall obtain an understanding of the entity’s related identify the entity’s controls, including control activities, relevant to that address such risks, and evaluate their design and determine whether they have been implemented).[10] (Ref: Para. A32-A33)
41. As a result of the footnote insertion above, subsequent footnotes of this Auditing Standard are re-numbered and references to these footnotes are updated accordingly.
42. Existing paragraph 45 is amended to read as follows:
The auditor shall include the following in the audit documentation12 of the auditor’s understanding of the entity and its environment and of the identification and the assessment of the risks of material misstatement required by ASA 315:[13]
(a) The significant decisions reached during the discussion among the engagement team regarding the susceptibility of the entity’s financial report to material misstatement due to fraud; and
(b) The identified and assessed risks of material misstatement due to fraud at the financial statement level and at the assertion level;. and
(c) Identified controls in the control activities component that address assessed risks of material misstatement due to fraud.
43. Existing paragraph A8 is amended to read as follows:
Maintaining professional scepticism requires an ongoing questioning of whether the information and audit evidence obtained suggests that a material misstatement due to fraud may exist. It includes considering the reliability of the information to be used as audit evidence and the identified controls in the control activities component, if any, over its preparation and maintenance. where relevant. Due to the characteristics of fraud, the auditor’s professional scepticism is particularly important when considering the risks of material misstatement due to fraud.
44. Existing footnote 17 of paragraph A19 is amended to read as follows:
See ASA 315, paragraphs 14(a) and 24(a)(ii)6 and 23, and ISA 610, Using the Work of Internal Auditors
45. Existing paragraph A20 is amended to read as follows:
Those charged with governance of an entity oversee the entity’s systems for monitoring risk, financial control and compliance with the law. In many countries, corporate governance practices are well developed and those charged with governance play an active role in oversight of the entity’s assessment of the risks of fraud and of the relevant internal control the controls that address such risks. Since the responsibilities of those charged with governance and management may vary by entity and by country, it is important that the auditor understands their respective responsibilities to enable the auditor to obtain an understanding of the oversight exercised by the appropriate individuals.[18]
46. Existing paragraph A21 is amended to read as follows:
An understanding of the oversight exercised by those charged with governance may provide insights regarding the susceptibility of the entity to management fraud, the adequacy of internal controls that address over risks of fraud, and the competency and integrity of management. The auditor may obtain this understanding in a number of ways, such as by attending meetings where such discussions take place, reading the minutes from such meetings or making enquiries of those charged with governance.
47. Existing paragraph A23 is amended to read as follows:
In addition to information obtained from applying analytical procedures, other information obtained about the entity and its environment, the applicable financial reporting framework and the entity’s system of internal control may be helpful in identifying the risks of material misstatement due to fraud. The discussion among team members may provide information that is helpful in identifying such risks. In addition, information obtained from the auditor’s client acceptance and retention processes, and experience gained on other engagements performed for the entity, for example, engagements to review interim financial information, may be relevant in the identification of the risks of material misstatement due to fraud.
48. Existing paragraph A26 is amended to read as follows:
Examples of fraud risk factors related to fraudulent financial reporting and misappropriation of assets are presented in Appendix 1. These illustrative risk factors are classified based on the three conditions that are generally present when fraud exists:
Fraud risk factors may relate to incentives, pressures or opportunities that arise from conditions that create susceptibility to misstatement, before consideration of controls. Fraud risk factors, which include intentional management bias, are, insofar as they affect inherent risk, inherent risk factors.[20] Fraud risk factors may also relate to conditions within the entity’s system of internal control that provide opportunity to commit fraud or that may affect management’s attitude or ability to rationalise fraudulent actions. Fraud rRisk factors reflective of an attitude that permits rationalisation of the fraudulent action may not be susceptible to observation by the auditor. Nevertheless, the auditor may become aware of the existence of such information through, for example, the required understanding of the entity’s control environment.[21] Although the fraud risk factors described in Appendix 1 cover a broad range of situations that may be faced by auditors, they are only examples and other risk factors may exist.
49. Existing footnote 19 in paragraph A32 is amended to read as follows:
See ASA 315, paragraph A48A75.
50. Existing paragraph A33 is amended to read as follows:
It is therefore important for the auditor to obtain an understanding of the controls that management has designed, implemented and maintained to prevent and detect fraud. In doing so, In identifying the controls that address the risks of material misstatement due to fraud, the auditor may learn, for example, that management has consciously chosen to accept the risks associated with a lack of segregation of duties. Information from obtaining this understanding identifying these controls, and evaluating their design and determining whether they have been implemented, may also be useful in identifying fraud risks factors that may affect the auditor’s assessment of the risks that the financial report may contain material misstatement due to fraud.
51. The following footnote 23, is inserted to paragraph A43 of this Auditing Standard, following the wording “Further, the auditor’s consideration of the risks of material misstatement associated with inappropriate override of controls over journal entries”.
See ASA 315, paragraph 26(a)(ii)
52. As a result of the footnote insertion above, subsequent footnotes of this Auditing Standard are re-numbered and references to these footnotes are updated accordingly.
53. Existing paragraph A44 is amended to read as follows:
When identifying and selecting journal entries and other adjustments for testing and determining the appropriate method of examining the underlying support for the items selected, the following matters are of relevance:
…
…
54. Existing Appendix 1 is amended to read as follows:
The fraud risk factors identified in this Appendix are examples of such factors that may be faced by auditors in a broad range of situations. Separately presented are examples relating to the two types of fraud relevant to the auditor’s consideration – that is, fraudulent financial reporting and misappropriation of assets. For each of these types of fraud, the risk factors are further classified based on the three conditions generally present when material misstatements due to fraud occur: (a) incentives/pressures, (b) opportunities, and (c) attitudes/rationalisations. Although the risk factors cover a broad range of situations, they are only examples and, accordingly, the auditor may identify additional or different risk factors. Not all of these examples are relevant in all circumstances, and some may be of greater or lesser significance in entities of different size or with different ownership characteristics or circumstances. Also, the order of the examples of risk factors provided is not intended to reflect their relative importance or frequency of occurrence.
Fraud risk factors may relate to incentives or pressures, or opportunities, that arise from conditions that create susceptibility to misstatement before consideration of controls (i.e., the inherent risk). Such factors are inherent risk factors, insofar as they affect inherent risk, and may be due to management bias. Fraud risk factors related to opportunities may also arise from other identified inherent risk factors (for example, complexity or uncertainty may create opportunities that result in susceptibility to misstatement due to fraud). Fraud risk factors related to opportunities may also relate to conditions within the entity’s system of internal control, such as limitations or deficiencies in the entity’s internal control that create such opportunities. Fraud risk factors related to attitudes or rationalisations may arise, in particular, from limitations or deficiencies in the entity’s control environment.
…
…
The nature of the industry or the entity’s operations provides opportunities to engage in fraudulent financial reporting that can arise from the following:
…
The monitoring of management is not effective as a result of the following:
…
There is a complex or unstable organisational structure, as evidenced by the following:
…
Internal control components are deficient Deficiencies in internal control as a result of the following:
…
…
…
…
Certain characteristics or circumstances may increase the susceptibility of assets to misappropriation. For example, opportunities to misappropriate assets increase when there are the following:
…
Inadequate internal controls over assets may increase the susceptibility of misappropriation of those assets. For example, misappropriation of assets may occur because there is the following:
…
Attitudes/Rationalisations
…
…
55. Existing Appendix 2 is amended to read as follows:
…
Consideration at the Assertion Level
…
The following are specific examples of responses:
…
56. Existing footnote 4 in paragraph 13 is amended to read as follows:
See ASA 315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment, paragraph 1119.
57. Existing paragraph A23 is amended to read as follows:
As required by paragraph 22, the auditor evaluates the implications of identified or suspected non-compliance in relation to other aspects of the audit, including the auditor’s risk assessment and the reliability of written representations. The implications of particular identified or suspected non-compliance will depend on the relationship of the perpetration and concealment, if any, of the act to specific controls activities and the level of management or individuals working for, or under the direction of, the entity involved, especially implications arising from the involvement of the highest authority within the entity. As noted in paragraph 9, the auditor’s compliance with law, regulation or relevant ethical requirements may provide further information that is relevant to the auditor’s responsibilities in accordance with paragraph 22.
58. Existing paragraph A12 is amended to read as follows:
Communicating significant risks identified by the auditor helps those charged with governance understand those matters and why they were determined to be significant risks require special audit consideration. The communication about significant risks may assist those charged with governance in fulfilling their responsibility to oversee the financial reporting process.
59. Existing paragraph A13 is amended to read as follows:
Matters communicated may include:
…
…
60. Existing footnote 27 in paragraph A52 is amended to read as follows:
See ASA 315, paragraph A78 Appendix 3.
61. Existing paragraph 1 is amended to read as follows:
This Australian Standard on Auditing (ASA) deals with the auditor’s responsibility to communicate appropriately to those charged with governance and management deficiencies in internal control that the auditor has identified in an audit of financial report. This ASA does not impose additional responsibilities on the auditor regarding obtaining an understanding of the entity’s system of internal control and designing and performing tests of controls over and above the requirements of ASA 315[1] and ASA 330.2 ASA 2603 establishes further requirements and provides guidance regarding the auditor’s responsibility to communicate with those charged with governance in relation to the audit.
62. Existing paragraph 2 is amended to read as follows:
The auditor is required to obtain an understanding of the entity’s system of internal control relevant to the audit when identifying and assessing the risks of material misstatement.[4] In making those risk assessments, the auditor considers the entity’s system of internal control in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of internal control. The auditor may identify control deficiencies in internal control not only during this risk assessment process but also at any other stage of the audit. This ASA specifies which identified deficiencies the auditor is required to communicate to those charged with governance and management.
63. Existing paragraph A3 is amended to read as follows:
While the concepts underlying controls in the control activities component in smaller entities are likely to be similar to those in larger entities, the formality with which they operate will vary. Further, smaller entities may find that certain types of controls activities are not necessary because of controls applied by management. For example, management’s sole authority for granting credit to customers and approving significant purchases can provide effective control over important account balances and transactions, lessening or removing the need for more detailed controls activities.
64. Existing paragraph A8 is amended to read as follows:
Controls may be designed to operate individually or in combination to effectively prevent, or detect and correct, misstatements.[5] For example, controls over accounts receivable may consist of both automated and manual controls designed to operate together to prevent, or detect and correct, misstatements in the account balance. A deficiency in internal control on its own may not be sufficiently important to constitute a significant deficiency. However, a combination of deficiencies affecting the same account balance or disclosure, relevant assertion, or component of the entity’s system of internal control may increase the risks of misstatement to such an extent as to give rise to a significant deficiency.
65. Existing footnote 8 in paragraph A4 is amended to read as follows:
ASA 315, paragraph 1017, establishes requirements and provides guidance on the engagement team's discussion of the susceptibility of the entity to material misstatements of the financial report. ASA 240 The Auditor's Responsibilities Relating to Fraud in an Audit of a Financial Report, paragraph 1516, provides guidance on the emphasis given during this discussion to the susceptibility of the entity's financial report to material misstatement due to fraud.
66. Existing paragraph A21 is amended to read as follows:
As discussed in paragraph A11, a suitable, brief memorandum may serve as the documented strategy for the audit of a smaller entity. For the audit plan, standard audit programs or checklists (see paragraph A17) drawn up on the assumption of few relevant controls[11] activities, as is likely to be the case in a smaller entity, may be used provided that they are tailored to the circumstances of the engagement, including the auditor’s risk assessments.
67. Existing footnote 3 in paragraph 6 is amended to read as follows:
See ASA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment, paragraphs A129-A130A191-A192.
68. Existing footnote 13 in paragraph A2 is amended to read as follows:
See ASA 315, paragraph 2528, requires the auditor to identify and assess the risk of material misstatement at the financial statement and assertion level.
69. Existing footnote 1 of paragraph 1 is amended to read as follows:
See ASA 315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment
70. Existing paragraph 6 is amended to read as follows:
The auditor shall design and perform further audit procedures whose nature, timing and extent are based on and are responsive to the assessed risks of material misstatement at the assertion level. (Ref: Para. A4–A8; A44-A55)
71. Existing paragraph 7 is amended to read as follows:
In designing the further audit procedures to be performed, the auditor shall:
(a) Consider the reasons for the assessment given to the risk of material misstatement at the assertion level for each significant class of transactions, account balance, and disclosure, including:
(i) The likelihood and magnitude of material misstatement due to the particular characteristics of the relevant significant class of transactions, account balance, or disclosure (that is, the inherent risk); and
(ii) Whether the risk assessment takes account of relevant controls that address the risk of material misstatement (that is, the control risk), thereby requiring the auditor to obtain audit evidence to determine whether the controls are operating effectively (that is, the auditor intends to rely onplans to test the operating effectiveness of controls in determining the nature, timing and extent of substantive procedures); and (Ref: Para. A9–A18)
(b) Obtain more persuasive audit evidence the higher the auditor’s assessment of risk. (Ref: Para. A19)
72. Existing paragraph 8 is amended to read as follows:
The auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence as to the operating effectiveness of relevant controls if:
(a) The auditor’s assessment of risks of material misstatement at the assertion level includes an expectation that the controls are operating effectively (that is, the auditor intends plans to test to rely on the operating effectiveness of controls in determining the nature, timing and extent of substantive procedures); or
(b) Substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level. (Ref: Para. A20–A24)
73. Existing paragraph 10 is amended to read as follows:
In designing and performing tests of controls, the auditor shall:
(a) Perform other audit procedures in combination with enquiry to obtain audit evidence about the operating effectiveness of the controls, including:
(i) How the controls were applied at relevant times during the period under audit;
(ii) The consistency with which they were applied; and
(iii) By whom or by what means they were applied. (Ref: Para. A26–A30)
(b) To the extent not already addressed, dDetermine whether the controls to be tested depend upon other controls (indirect controls), and, if so, whether it is necessary to obtain audit evidence supporting the effective operation of those indirect controls. (Ref: Para. A32-A33)
74. Existing paragraph 13 is amended to read as follows:
In determining whether it is appropriate to use audit evidence about the operating effectiveness of controls obtained in previous audits, and, if so, the length of the time period that may elapse before retesting a control, the auditor shall consider the following:
(a) The effectiveness of other elements components of the entity’s system of internal control, including the control environment, the entity’s process to monitoring of the system of internal controls, and the entity’s risk assessment process;
…
75. Existing paragraph 14 is amended to read as follows:
If the auditor plans to use audit evidence from a previous audit about the operating effectiveness of specific controls, the auditor shall establish the continuing relevance and reliability of that evidence by obtaining audit evidence about whether significant changes in those controls have occurred subsequent to the previous audit. The auditor shall obtain this evidence by performing enquiry combined with observation or inspection, to confirm the understanding of those specific controls, and:
…
76. Existing paragraph 15 is amended to read as follows:
If the auditor plans intends to rely on controls over a risk the auditor has determined to be a significant risk, the auditor shall test those controls in the current period.
77. Existing paragraph 16 is amended to read as follows:
When evaluating the operating effectiveness of relevant controls upon which the auditor intends to rely, the auditor shall evaluate whether misstatements that have been detected by substantive procedures indicate that controls are not operating effectively. The absence of misstatements detected by substantive procedures, however, does not provide audit evidence that controls related to the assertion being tested are effective. (Ref: Para. A42)
78. Existing paragraph 17 is amended to read as follows:
If deviations from controls upon which the auditor intends to rely are detected, the auditor shall make specific enquiries to understand these matters and their potential consequences, and shall determine whether: (Ref: Para. A41A43)
…
(c) The potential risks of material misstatement need to be addressed using substantive procedures.
79. Existing paragraph 27 is amended to read as follows:
If the auditor has not obtained sufficient appropriate audit evidence as to related to a an material financial statement relevant assertion about a class of transactions, account balance or disclosure, the auditor shall attempt to obtain further audit evidence. If the auditor is unable to obtain sufficient appropriate audit evidence, the auditor shall express a qualified opinion or disclaim an opinion on the financial report.
80. Existing paragraph A1 is amended to read as follows:
Overall responses to address the assessed risks of material misstatement at the financial statement level may include:
81. Existing paragraph A4 is amended to read as follows:
The auditor’s assessment of the identified risks of material misstatement at the assertion level provides a basis for considering the appropriate audit approach for designing and performing further audit procedures. For example, the auditor may determine that:
(a) Only by performing tests of controls may the auditor achieve an effective response to the assessed risk of material misstatement for a particular assertion;
(b) Performing only substantive procedures is appropriate for particular assertions and, therefore, the auditor excludes the effect of controls from the relevant risk assessment of the risk of material misstatement. This may be because the auditor’s risk assessment procedures have not identified any effective controls relevant to the assertion, or because auditor has not identified a risk for which substantive procedures alone cannot provide sufficient appropriate audit evidence and therefore is not required to test the operating effectiveness of controls. testing controls would be inefficient and Ttherefore, the auditor does may not intend to rely on plan to test the operating effectiveness of controls in determining the nature, timing and extent of substantive procedures; or
(c) A combined approach using both tests of controls and substantive procedures is an effective approach.
The auditor need not design and perform further audit procedures where the assessment of the risk of material misstatement is below the acceptably low level. However, as required by paragraph 18, irrespective of the approach selected and the assessed risk of material misstatement, the auditor designs and performs substantive procedures for each material class of transactions, account balance, and disclosure.
82. Existing paragraph A7 is amended to read as follows:
Extent of an audit procedure refers to the quantity to be performed, for example, a sample size or the number of observations of a control activity.
83. Existing paragraph A9 is amended to read as follows and footnote 2 is inserted:
ASA 315 requires that the auditor’s assessment of the risks of material misstatement at the assertion level is performed by assessing inherent risk and control risk. The auditor assesses inherent risk by assessing the likelihood and magnitude of a misstatement taking into account how, and the degree to which the inherent risk factors affect the susceptibility to misstatement of relevant assertions.[2] The auditor’s assessed risks, including the reasons for those assessed risks, may affect both the types of audit procedures to be performed and their combination. For example, when an assessed risk is high, the auditor may confirm the completeness of the terms of a contract with the counterparty, in addition to inspecting the document. Further, certain audit procedures may be more appropriate for some assertions than others. For example, in relation to revenue, tests of controls may be most responsive to the assessed risk of material misstatement of the completeness assertion, whereas substantive procedures may be most responsive to the assessed risk of material misstatement of the occurrence assertion.
84. As a result of the footnote insertion above, subsequent footnotes of this Auditing Standard are re-numbered and references to these footnotes are updated accordingly.
85. Existing paragraph A10 is amended to read as follows:
The reasons for the assessment given to a risk are relevant in determining the nature of audit procedures. For example, if an assessed risk is lower because of the particular characteristics of a class of transactions without consideration of the related controls, then the auditor may determine that substantive analytical procedures alone provide sufficient appropriate audit evidence. On the other hand, if the assessed risk is lower because of internal the auditor plans to test the operating effectiveness of controls, and the auditor intends to base the substantive procedures on that low assessment, then the auditor performs tests of those controls, as required by paragraph 8(a). This may be the case, for example, for a class of transactions of reasonably uniform, non-complex characteristics that are routinely processed and controlled by the entity’s information system.
86. Existing paragraph A18 is amended to read as follows:
In the case of very small entities, there may not be many controls activities that could be identified by the auditor, or the extent to which their existence or operation have been documented by the entity may be limited. In such cases, it may be more efficient for the auditor to perform further audit procedures that are primarily substantive procedures. In some rare cases, however, the absence of controls activities or of other components of the system of internal control may make it impossible to obtain sufficient appropriate audit evidence.
87. Existing paragraph A20 is amended to read as follows:
Tests of controls are performed only on those controls that the auditor has determined are suitably designed to prevent, or detect and correct, a material misstatement in an relevant assertion, and the auditor plans to test those controls. If substantially different controls were used at different times during the period under audit, each is considered separately.
88. Existing paragraph A24 is amended to read as follows:
In some cases, the auditor may find it impossible to design effective substantive procedures that by themselves provide sufficient appropriate audit evidence at the assertion level.[4] This may occur when an entity conducts its business using IT and no documentation of transactions is produced or maintained, other than through the IT system. In such cases, paragraph 8(b) requires the auditor to perform tests of relevant controls that address the risk for which substantive procedures alone cannot provide sufficient appropriate audit evidence.
89. Existing paragraph A27 is amended to read as follows:
The nature of the particular control influences the type of procedure required to obtain audit evidence about whether the control was operating effectively. For example, if operating effectiveness is evidenced by documentation, the auditor may decide to inspect it to obtain audit evidence about operating effectiveness. For other controls, however, documentation may not be available or relevant. For example, documentation of operation may not exist for some factors in the control environment, such as assignment of authority and responsibility, or for some types of controls activities, such as automated controls activities performed by a computer. In such circumstances, audit evidence about operating effectiveness may be obtained through enquiry in combination with other audit procedures such as observation or the use of CAATs.
90. Existing paragraph A29 is amended to read as follows:
Because of the inherent consistency of IT processing, it may not be necessary to increase the extent of testing of an automated control. An automated controls can be expected to function consistently unless the program IT application (including the tables, files, or other permanent data used by the program IT application) is changed. Once the auditor determines that an automated control is functioning as intended (which could be done at the time the control is initially implemented or at some other date), the auditor may consider performing tests to determine that the control continues to function effectively. Such tests might may include testing the general IT controls related to the IT application. determining that:
Such tests also might include determining that changes to the programs have not been made, as may be the case when the entity uses packaged software applications without modifying or maintaining them. For example, the auditor may inspect the record of the administration of IT security to obtain audit evidence that unauthorised access has not occurred during the period.
91. The following paragraph A30 is inserted following existing paragraph A29 of this Auditing Standard:
Similarly, the auditor may perform tests of controls that address risks of material misstatement related to the integrity of the entity’s data, or the completeness and accuracy of the entity’s system-generated reports, or to address risks of material misstatement for which substantive procedures alone cannot provide sufficient appropriate audit evidence. These tests of controls may include tests of general IT controls that address the matters in paragraph 10(a). When this is the case, the auditor may not need to perform any further testing to obtain audit evidence about the matters in paragraph 10(a).
92. The following paragraph A31 has been inserted following the insertion of paragraph A30 above:
When the auditor determines that a general IT control is deficient, the auditor may consider the nature of the related risk(s) arising from the use of IT that were identified in accordance with ASA 315[5] to provide the basis for the design of the auditor’s additional procedures to address the assessed risk of material misstatement. Such procedures may address determining whether:
93. Existing paragraph A30 is amended to read as follows:
In some circumstances, it may be necessary to obtain audit evidence supporting the effective operation of indirect controls (e.g., general IT controls). As explained in paragraphs A29 to A29b, general IT controls may have been identified in accordance with ASA 315 because of their support of the operating effectiveness of automated controls or due to their support in maintaining the integrity of information used in the entity’s financial reporting, including system-generated reports. The requirement in paragraph 10(b) acknowledges that the auditor may have already tested certain indirect controls to address the matters in paragraph 10(a). For example, when the auditor decides to test the effectiveness of a user review of exception reports detailing sales in excess of authorised credit limits, the user review and related follow up is the control that is directly of relevance to the auditor. Controls over the accuracy of the information in the reports (for example, general IT controls) are described as “indirect” controls.
94. Existing paragraph A31 has been deleted.
95. Existing paragraph A32 has been amended to read as follows:
Audit evidence pertaining only to a point in time may be sufficient for the auditor’s purpose, for example, when testing controls over the entity’s physical inventory counting at the period end. If, on the other hand, the auditor intends to rely on a control over a period, tests that are capable of providing audit evidence that the control operated effectively at relevant times during that period are appropriate. Such tests may include tests of controls in the entity’s process to monitoring of the system of internal controls.
96. Existing paragraph A35 has been amended to read as follows:
In certain circumstances, audit evidence obtained from previous audits may provide audit evidence where the auditor performs audit procedures to establish its continuing relevance and reliability. For example, in performing a previous audit, the auditor may have determined that an automated control was functioning as intended. The auditor may obtain audit evidence to determine whether changes to the automated control have been made that affect its continued effective functioning through, for example, enquiries of management and the inspection of logs to indicate what controls have been changed. Consideration of audit evidence about these changes may support either increasing or decreasing the expected audit evidence to be obtained in the current period about the operating effectiveness of the controls.
97. Existing paragraph A36 has been amended to read as follows:
Changes may affect the relevance and reliability of the audit evidence obtained in previous audits such that there may no longer be a basis for continued reliance. For example, changes in a system that enable an entity to receive a new report from the system probably do not affect the relevance of audit evidence from a previous audit; however, a change that causes data to be accumulated or calculated differently does affect it.
98. Existing paragraph A38 is amended to read as follows:
In general, the higher the risk of material misstatement, or the greater the reliance on controls, the shorter the time period elapsed, if any, is likely to be. Factors that may decrease the period for retesting a control, or result in not relying on audit evidence obtained in previous audits at all, include the following:
…
…
99. Existing paragraph A42 and the title are amended to read as follows:
Substantive Procedures (Ref: Para. 6, 18)
Paragraph 18 requires the auditor to design and perform substantive procedures for each material class of transactions, account balance, and disclosure, irrespective of the assessed risks of material misstatement. For significant classes of transactions, account balances and disclosures, substantive procedures may have already been performed because paragraph 6 requires the auditor to design and perform further audit procedures that are responsive to the assessed risks of material misstatement at the assertion level. Accordingly, substantive procedures are required to be designed and performed in accordance with paragraph 18:
100. The following paragraph A45 is inserted following existing paragraph A42 of this Auditing Standard:
Not all assertions within a material class of transactions, account balance or disclosure are required to be tested. Rather, in designing the substantive procedures to be performed, the auditor’s consideration of the assertion(s) in which, if a misstatement were to occur, there is a reasonable possibility of the misstatement being material, may assist in identifying the appropriate nature, timing and extent of the procedures to be performed.
101. Existing paragraph A45 is amended to read as follows:
The nature assessment of the risk and or the nature of the assertion is relevant to the design of tests of details. For example, tests of details related to the existence or occurrence assertion may involve selecting from items contained in a financial statement amount and obtaining the relevant audit evidence. On the other hand, tests of details related to the completeness assertion may involve selecting from items that are expected to be included in the relevant financial statement amount and investigating whether they are included.
102. Existing paragraph A46 is amended to read as follows:
Because the assessment of the risk of material misstatement takes account of internal controls that the auditor plans to test, the extent of substantive procedures may need to be increased when the results from tests of controls are unsatisfactory. However, increasing the extent of an audit procedure is appropriate only if the audit procedure itself is relevant to the specific risk.
103. Existing paragraph A56 is amended to read as follows:
Performing substantive procedures at an interim date without undertaking additional procedures at a later date increases the risk that the auditor will not detect misstatements that may exist at the period end. This risk increases as the remaining period is lengthened. Factors such as the following may influence whether to perform substantive procedures at an interim date:
…
104. Existing paragraph A57 is amended to read as follows:
Factors such as the following may influence whether to perform substantive analytical procedures with respect to the period between the interim date and the period end:
…
…
105. Existing paragraph A60 is amended to read as follows:
An audit of financial report is a cumulative and iterative process. As the auditor performs planned audit procedures, the audit evidence obtained may cause the auditor to modify the nature, timing or extent of other planned audit procedures. Information may come to the auditor’s attention that differs significantly from the information on which the risk assessment was based. For example:
…
In such circumstances, the auditor may need to re-evaluate the planned audit procedures, based on the revised consideration of assessed risks of material misstatement for all or some of and the effect on the significant classes of transactions, account balances, or disclosures and related their relevant assertions. ASA 315 contains further guidance on revising the auditor’s risk assessment.[10]
106. Existing paragraph A62 is amended to read as follows:
The auditor’s judgement as to what constitutes sufficient appropriate audit evidence is influenced by such factors as the following:
…
107. Existing paragraph A63 is amended to read as follows:
The form and extent of audit documentation is a matter of professional judgement, and is influenced by the nature, size and complexity of the entity and its system of internal control, availability of information from the entity and the audit methodology and technology used in the audit.
108. As a result of the footnotes insertion above, all footnotes of this Auditing Standard are re-numbered and references to these footnotes are updated accordingly.
109. Existing paragraph 1 is amended to read as follows:
This Auditing Standard deals with the user auditor’s responsibility to obtain sufficient appropriate audit evidence when a user entity uses the services of one or more service organisations. Specifically, it expands on how the user auditor applies ASA 315[1] and ASA 3302 in obtaining an understanding of the user entity, including the entity’s system of internal control relevant to the preparation of the financial report relevant to the audit, sufficient to identify and assess the risks of material misstatement and in designing and performing further audit procedures responsive to those risks.
110. Existing paragraph 3 is amended to read as follows:
Services provided by a service organisation are relevant to the audit of a user entity’s financial report when those services, and the controls over them, are part of the user entity’s information system , including related business processes, relevant to financial reporting the preparation of the financial report. Although m Most controls at the service organisation are likely to relate to financial reporting be part of the user entity’s information system relevant to the preparation of the financial report, there may be other or related controls that may also be relevant to the audit, such as controls over the safeguarding of assets. A service organisation’s services are part of a user entity’s information system, including related business processes, relevant to financial reporting if these services affect any of the following:
(a) How information relating to significant classes of transactions, account balances and disclosures flows through the user entity’s information system, whether manually or using IT, and whether obtained from within or outside the general ledger and subsidiary ledgers. The classes of transactions in the user entity’s operations that are significant to the user entity’s financial report; This includes when the service organisation’s services affect how:
(i) (b) The procedures, within both information technology (IT) and manual systems, by which the user entity’s transactions are initiated, recorded, processed, corrected as necessary, transferred to the general ledger and reported in the financial report; Transactions of the user entity are initiated, and how information about them is recorded, processed, corrected as necessary, and incorporated in the general ledger and reported in the financial report; and
(ii) Information about events or conditions, other than transactions, is captured, processed and disclosed by the user entity in the financial report.
(b) (c) The related accounting records, either in electronic or manual form, supporting information and specific accounts in the user entity’s financial report and other supporting records relating to the flows of information in paragraph 3(a)that are used to initiate, record, process and report the user entity’s transactions; this includes the correction of incorrect information and how information is transferred to the general ledger;
(d) How the user entity’s information system captures events and conditions, other than transactions, that are significant to the financial report;
(ce) The financial reporting process used to prepare the user entity’s financial report from the records described in paragraph 3(b), including as it relates to disclosures and to accounting estimates relating to significant classes of transactions, account balances and disclosures accounting estimates and disclosures; and
(d) The entity’s IT environment relevant to (a) to (c) above.
(f) Controls surrounding journal entries, including non-standard journal entries used to record non-recurring, unusual transactions or adjustments.
…
111. Existing paragraph 7 is amended to read as follows:
The objectives of the user auditor, when the user entity uses the services of a service organisation, are:
(a) To obtain an understanding of the nature and significance of the services provided by the service organisation and their effect on the user entity’s system of internal control relevant to the audit, sufficient to provide an appropriate basis for the identification and assessment of identify and assess the risks of material misstatement; and
(b) To design and perform audit procedures responsive to those risks.
…
112. Footnote 3 in paragraph 9 is amended to read as follows:
See ASA 315, paragraph 1119.
113. Existing paragraph 10 is amended to read as follows:
When obtaining an understanding of the entity’s system of internal control relevant to the audit in accordance with ASA 315,4 the user auditor shall identify controls in the control activities component[4] evaluate the design and implementation of relevant controls at the user entity, from those that relate to the services provided by the service organisation, including those that are applied to the transactions processed by the service organisation, and evaluate their design and determine whether they have been implemented.[5] (Ref: Para. A12–A14)
114. As a result of the footnotes deletion and insertion above, subsequent footnotes of this Auditing Standard are re-numbered and references to these footnotes are updated accordingly.
115. Existing paragraph 11 is amended to read as follows:
The user auditor shall determine whether a sufficient understanding of the nature and significance of the services provided by the service organisation and their effect on the user entity’s system of internal control relevant to the audit has been obtained to provide an appropriate basis for the identification and assessment of the risks of material misstatement.
116. Existing paragraph 12 is amended to read as follows:
If the user auditor is unable to obtain a sufficient understanding from the user entity, the user auditor shall obtain that understanding from one or more of the following procedures:
…
(d) Using another auditor to perform procedures that will provide the necessary information about the relevant controls at the service organisation. (Ref: Para. A15–A20)
117. Existing paragraph 14 is amended to read as follows:
If the user auditor plans to use a type 1 or type 2 report as audit evidence to support the user auditor’s understanding about the design and implementation of controls at the service organisation, the user auditor shall:
…
(b) Evaluate the sufficiency and appropriateness of the evidence provided by the report for the understanding of the user entity’s internal controls at the service organisation relevant to the audit; and
118. Existing footnote 7 in paragraph A14 is amended to read as follows:
See ASA 315, paragraph 3026(a)(iii).
119. Existing paragraph A19 is amended to read as follows:
Another auditor may be used to perform procedures that will provide the necessary information about the relevant controls at the service organisation related to services provided to the user entity. If a type 1 or type 2 report has been issued, the user auditor may use the service auditor to perform these procedures as the service auditor has an existing relationship with the service organisation. The user auditor using the work of another auditor may find the guidance in ASA 600 useful as it relates to understanding another auditor (including that auditor’s independence and professional competence), involvement in the work of another auditor in planning the nature, timing and extent of such work, and in evaluating the sufficiency and appropriateness of the audit evidence obtained.
120. Existing paragraph A22 is amended to read as follows:
A type 1 or type 2 report, along with information about the user entity, may assist the user auditor in obtaining an understanding of:
…
A type 1 or type 2 report may assist the user auditor in obtaining a sufficient understanding to identify and assess the risks of material misstatement. A type 1 report, however, does not provide any evidence of the operating effectiveness of the relevant controls.
121. Existing paragraph A29 is amended to read as follows:
The user auditor is required by ASA 330 to design and perform tests of controls to obtain sufficient appropriate audit evidence as to the operating effectiveness of relevant controls in certain circumstances. In the context of a service organisation, this requirement applies when:
…
122. Existing paragraph A30 is amended to read as follows:
If a type 2 report is not available, a user auditor may contact the service organisation, through the user entity, to request that a service auditor be engaged to provide a type 2 report that includes tests of the operating effectiveness of the relevant controls or the user auditor may use another auditor to perform procedures at the service organisation that test the operating effectiveness of those controls. A user auditor may also visit the service organisation and perform tests of relevant controls if the service organisation agrees to it. The user auditor’s risk assessments are based on the combined evidence provided by the work of another auditor and the user auditor’s own procedures.
123. Existing paragraph A33 is amended to read as follows:
It may also be necessary for the user auditor to obtain additional evidence about significant changes to the relevant controls at the service organisation outside of the period covered by the type 2 report or determine additional audit procedures to be performed. Relevant factors in determining what additional audit evidence to obtain about controls at the service organisation that were operating outside of the period covered by the service auditor’s report may include:
…
124. Existing paragraph A34 is amended to read as follows:
Additional audit evidence may be obtained, for example, by extending tests of controls over the remaining period or testing the user entity’s process to monitor the system of internal control monitoring of controls.
125. Existing paragraph A39 is amended to read as follows:
The user auditor is required to communicate in writing significant deficiencies identified during the audit to both management and those charged with governance on a timely basis.11 The user auditor is also required to communicate to management at an appropriate level of responsibility on a timely basis other deficiencies in internal control identified during the audit that, in the user auditor’s professional judgement, are of sufficient importance to merit management’s attention.12 Matters that the user auditor may identify during the audit and may communicate to management and those charged with governance of the user entity include:
…
126. Existing paragraph A5 is amended to read as follows:
Audit evidence is necessary to support the auditor’s opinion and report. It is cumulative in nature and is primarily obtained from audit procedures performed during the course of the audit. It may, however, also include information obtained from other sources such as previous audits (provided the auditor has evaluated whether such information remains relevant and reliable as audit evidence for the current audit determined whether changes have occurred since the previous audit that may affect its relevance to the current audit) or a firm’s quality control procedures for client acceptance and continuance. In addition to other sources inside and outside the entity, the entity’s accounting records are an important source of audit evidence. Also, information that may be used as audit evidence may have been prepared using the work of a management’s expert. Audit evidence comprises both information that supports and corroborates management’s assertions, and any information that contradicts such assertions. In addition, in some cases the absence of information (for example, management’s refusal to provide a requested representation) is used by the auditor, and therefore, also constitutes audit evidence.
127. Existing footnote 9 in paragraph A5 is amended to read as follows:
See ASA 315, paragraph 916.
128. Existing paragraph A21 is amended to read as follows:
Observation consists of looking at a process or procedure being performed by others, for example, the auditor’s observation of inventory counting by the entity’s personnel, or of the performance of controls activities. Observation provides audit evidence about the performance of a process or procedure, but is limited to the point in time at which the observation takes place, and by the fact that the act of being observed may affect how the process or procedure is performed. See ASA 501 for further guidance on observation of the counting of inventory.
129. Existing paragraph A4 is amended to read as follows:
Matters relevant in evaluating management’s instructions and procedures for recording and controlling the physical inventory counting include whether they address, for example:
130. Existing footnote 14 in paragraph A9 is amended to read as follows:
See ASA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment, paragraph 3137.
131. Existing footnote 18 in paragraph A17 is amended to read as follows:
See ASA 315, paragraph 3137.
132. Existing footnote 20 in paragraph A19 is amended to read as follows:
See ASA 315, paragraph 3137.
133. Existing footnote 1 in paragraph 1 is amended to read as follows:
See ASA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment, paragraph 614(b).
134. Existing footnote 10 in paragraph A18 is amended to read as follows:
See ASA 315, paragraph 3137.
135. Existing paragraph A7 is amended to read as follows:
In considering the characteristics of a population, for tests of controls, the auditor makes an assessment of the expected rate of deviation based on the auditor’s understanding of the relevant controls or on the examination of a small number of items from the population. This assessment is made in order to design an audit sample and to determine sample size. For example, if the expected rate of deviation is unacceptably high, the auditor will ordinarily decide not to perform tests of controls. Similarly, for tests of details, the auditor makes an assessment of the expected misstatement in the population. If the expected misstatement is high, 100% examination or use of a large sample size may be appropriate when performing tests of details.
136. Existing Factor 1 of Appendix 2 is amended to read as follows:
An increase in the extent to which the auditor’s risk assessment takes into account relevant plans to test the operating effectiveness of controls
137. Existing paragraph 4 is amended to read as follows and footnote 5 is inserted:
This Auditing Standard requires a separate assessment of inherent risk for identified risks of material misstatement at the assertion level.[5] purposes of assessing the risks of material misstatement at the assertion level for accounting estimates. In the context of ASA 540 (Revised), and Ddepending on the nature of a particular accounting estimate, the susceptibility of an assertion to a misstatement that could be material may be subject to or affected by estimation uncertainty, complexity, subjectivity or other inherent risk factors, and the interrelationship among them. As explained in ASA 200,[6] inherent risk is higher for some assertions and related classes of transactions, account balances and disclosures than for others. Accordingly, the assessment of inherent risk depends on the degree to which the inherent risk factors affect the likelihood or magnitude of misstatement, and varies on a scale that is referred to in this ASA as the spectrum of inherent risk. (Ref: Para. A8–A9, A65–A66, Appendix 1)
138. As a result of the footnote insertion above, subsequent footnotes of this Auditing Standard are re-numbered and references to these footnotes are updated accordingly.
139. Existing paragraph 5 is amended to read as follows:
This ASA refers to relevant requirements in ASA 315 and ASA 330, and provides related guidance, to emphasise the importance of the auditor’s decisions about controls relating to accounting estimates, including decisions about whether:
140. Existing paragraph 6 is amended to read as follows:
This ASA 315 also requires a separate assessment of control risk when assessing the risks of material misstatement at the assertion level for accounting estimates. In assessing control risk, the auditor takes into account whether the auditor’s further audit procedures contemplate planned reliance on the operating effectiveness of controls. If the auditor does not perform plan to tests the operating effectiveness of controls, or does not intend to rely on the operating effectiveness of controls, the auditor’s assessment of the risk of material misstatement at the assertion level control risk cannot be reduced for the effective operation of controls with respect to the particular assertion is such that the assessment of the risk of material misstatement is the same as the assessment of inherent risk.6 (Ref: Para. A10)
141. Existing paragraph 8 is amended to read as follows:
The exercise of professional scepticism in relation to accounting estimates is affected by the auditor’s consideration of inherent risk factors, and its importance increases when accounting estimates are subject to a greater degree of estimation uncertainty or are affected to a greater degree by complexity, subjectivity or other inherent risk factors. Similarly, the exercise of professional scepticism is important when there is greater susceptibility to misstatement due to management bias or fraud other fraud risk factors insofar as they affect inherent risk. (Ref: Para. A11)
142. Existing paragraph 13 is amended to read as follows:
When obtaining an understanding of the entity and its environment, the applicable financial reporting framework and including the entity’s system of internal control, as required by ASA 315,[8] the auditor shall obtain an understanding of the following matters related to the entity’s accounting estimates. The auditor’s procedures to obtain the understanding shall be performed to the extent necessary to obtain audit evidence that provides an appropriate basis for the identification and assessment of risks of material misstatement at the financial statement and assertion levels. (Ref: Para. A19–A22)
(a) The entity’s transactions and other events orand conditions that may give rise to the need for, or changes in, accounting estimates to be recognised or disclosed in the financial report. (Ref: Para. A23)
(b) The requirements of the applicable financial reporting framework related to accounting estimates (including the recognition criteria, measurement bases, and the related presentation and disclosure requirements); and how they apply in the context of the nature and circumstances of the entity and its environment, including how transactions and other events or conditions are subject to, or affected by, the inherent risk factors affect susceptibility to misstatement of assertions. (Ref: Para. A24–A25)
…
…
(h) The entity’s information system as it relates to accounting estimates, including:
(i) How information relating to accounting estimates and related disclosures for significant classes of transactions, account balances or disclosures flows through the entity’s information system The classes of transactions, events and conditions, that are significant to the financial report and that give rise to the need for, or changes in, accounting estimates and related disclosures; and (Ref: Para. A34–A35)
…
(i) Identified controls in the control activities component[9] Control activities relevant to the audit over management’s process for making accounting estimates as described in paragraph 13(h)(ii). (Ref: Para. A50–A54)
…
143. Existing paragraph 16 is amended to read as follows:
In identifying and assessing the risks of material misstatement relating to an accounting estimate and related disclosures at the assertion level, including separately assessing inherent risk and control risk at the assertion level, as required by ASA 315,[10] the auditor shall separately assess inherent risk and control risk. The auditor shall take the following into account in identifying the risks of material misstatement and in assessing inherent risk: (Ref: Para. A64–A71)
…
144. Existing paragraph 17 is amended to read as follows:
The auditor shall determine whether any of the risks of material misstatement identified and assessed in accordance with paragraph 16 are, in the auditor’s judgement, a significant risk.[11] If the auditor has determined that a significant risk exists, the auditor shall identify controls that obtain an understanding of the entity’s controls, including control activities, relevant to address that risk,.[12] and evaluate whether such controls have been designed effectively, and determine whether they have been implemented.[13] (Ref: Para. A80)
145. Existing paragraph 19 is amended to read as follows:
As required by ASA 330,17 the auditor shall design and perform tests to obtain sufficient appropriate audit evidence as to the operating effectiveness of relevant controls, if:
146. Existing paragraph A8 is amended to read as follows:
Inherent risk factors are characteristics of conditions and events orand conditions that may affect the susceptibility of an assertion to misstatement, whether due to fraud or error, of an assertion about a class of transactions, account balance or disclosures, before consideration of controls.[32] Appendix 1 further explains the nature of these inherent risk factors, and their inter-relationships, in the context of making accounting estimates and their presentation in the financial report.
147. Existing paragraph A9 is amended to read as follows:
In addition to the inherent risk factors of estimation uncertainty, complexity or subjectivity, other inherent risk factors that the auditor may consider in identifying and When assessing the risks of material misstatement at the assertion level[33], in addition to estimation uncertainty, complexity, and subjectivity, the auditor also takes into account the degree may include the extent to which inherent risk factors included in ASA 315, (other than estimation uncertainty, complexity, and subjectivity), affect susceptibility to misstatement of assertions to misstatement about the accounting estimate. Such additional inherent risk factors include is subject to, or affected by:
148. Existing paragraph A10 is amended to read as follows:
An important consideration for the auditor iIn assessing control risk at the assertion level in accordance with ASA 315, the auditor takes into account is the effectiveness of the design of the controls that whether the auditor intends plans to rely test on the operating effectiveness of controls. and the extent to which the controls address the assessed inherent risks at the assertion level. When the auditor is considering whether to test the operating effectiveness of controls, Tthe auditor’s evaluation that controls are effectively designed and have been implemented supports an expectation, by the auditor, about the operating effectiveness of the controls in determining whether establishing the plan to test them.
149. Existing title under the section heading Risk Assessment Procedures and Related Activities is amended to read as follows:
Obtaining an Understanding of the Entity and Its Environment, the Applicable Financial Reporting Framework, and the Entity’s System of Internal Control (Ref: Para. 13)
150. Existing paragraph A19 is amended to read as follows:
Paragraphs 1911–2724 of ASA 315 require the auditor to obtain an understanding of certain matters about the entity and its environment, the applicable financial reporting framework and including the entity’s system of internal control. The requirements in paragraph 13 of this ASA relate more specifically to accounting estimates and build on the broader requirements in ASA 315.
151. Existing paragraph A20 is amended to read as follows:
The nature, timing, and extent of the auditor’s procedures to obtain the understanding of the entity and its environment, including the applicable financial reporting framework, and the entity’s system of internal control, related to the entity’s accounting estimates, may depend, to a greater or lesser degree, on the extent to which the individual matter(s) apply in the circumstances. For example, the entity may have few transactions or other events and or conditions that give rise to the need for accounting estimates, the applicable financial reporting requirements may be simple to apply, and there may be no relevant regulatory factors. Further, the accounting estimates may not require significant judgements, and the process for making the accounting estimates may be less complex. In these circumstances, the accounting estimates may be subject to, or affected by, estimation uncertainty, complexity, subjectivity, or other inherent risk factors to a lesser degree, and there may be fewer identified controls in the control activities component relevant to the audit. If so, the auditor’s risk identification and assessment procedures are likely to be less extensive and may be obtained primarily through enquiries of management with appropriate responsibilities for the financial report, such as and simple walk-throughs of management’s process for making the accounting estimate (including when evaluating whether identified controls in that process are designed effectively and when determining whether the control has been implemented).
152. Existing title under the section heading The Entity and Its Environment is amended to read as follows:
The entity’s transactions and other events and or conditions (Ref: Para. 13(a))
153. Existing paragraph A24 is amended to read as follows:
Obtaining an understanding of the requirements of the applicable financial reporting framework provides the auditor with a basis for discussion with management and, where applicable, those charged with governance about how management has applied theose requirements of the applicable financial reporting framework relevant to the accounting estimates, and about the auditor’s determination of whether they have been applied appropriately. This understanding also may assist the auditor in communicating with those charged with governance when the auditor considers a significant accounting practice that is acceptable under the applicable financial reporting framework, not to be the most appropriate in the circumstances of the entity.34
154. Existing section heading after paragraph A27 has been amended to read as The Entity’s System of Internal Control Relevant to the Audit
155. Existing paragraph A28 is amended to read as follows:
In applying ASA 315,[35] the auditor’s understanding of the nature and extent of oversight and governance that the entity has in place over management’s process for making accounting estimates may be important to the auditor’s required evaluation of as it relates to whether:
156. Existing paragraph A32 is amended to read as follows:
Understanding how the entity’s risk assessment process identifies and addresses risks relating to accounting estimates may assist the auditor in considering changes in:
…
…
157. Existing paragraph A34 is amended to read as follows:
The significant classes of transactions, events and conditions within the scope of paragraph 13(h) are the same as the significant classes of transactions, events and conditions relating to accounting estimates and related disclosures that are subject to paragraphs 25(a)18(a) and (d) of ASA 315. In obtaining the understanding of the entity’s information system as it relates to accounting estimates, the auditor may consider:
…
158. Existing paragraph A35 is amended to read as follows:
During the audit, the auditor may identify classes of transactions, events and or conditions that give rise to the need for accounting estimates and related disclosures that management failed to identify. ASA 315 deals with circumstances where the auditor identifies risks of material misstatement that management failed to identify, including determining whether there is a significant deficiency in internal control with regard to considering the implications for the auditor’s evaluation of the entity’s risk assessment process.[38]
159. Existing paragraph A39 is amended to read as follows:
Management may design and implement specific controls around models used for making accounting estimates, whether management’s own model or an external model. When the model itself has an increased level of complexity or subjectivity, such as an expected credit loss model or a fair value model using level 3 inputs, controls that address such complexity or subjectivity may be. When complexity in relation to models is present, controls over data integrity are also more likely to be identified controls in accordance with ASA 315 relevant to the audit. Factors that may be appropriate for the auditor to consider in obtaining an understanding of the model and of related identified controls activities relevant to the audit include the following:
…
160. Existing paragraph A44 is amended to read as follows:
Matters that the auditor may consider in obtaining an understanding of how management selects the data on which the accounting estimates are based include:
…
…
161. Existing section heading before paragraph A50 has been amended to read Identified Controls Activities Relevant to the Audit Over Management’s Process for Making Accounting Estimates (Ref: Para 13(i))
162. Existing paragraph A50 is amended to read as follows:
The auditor’s judgement in identifying controls relevant to the auditin the controls activities component, and therefore the need to evaluate the design of those controls and determine whether they have been implemented, relates to management’s process described in paragraph 13(h)(ii). The auditor may not identify relevant controls activities in relation to all the elements aspects of paragraph 13(h)(ii)., depending on the complexity associated with the accounting estimate.
163. Existing paragraph A51 is amended to read as follows:
As part of obtaining an understanding of identifying the controls activities relevant to the audit, and evaluating their design and determining whether they have been implemented, the auditor may consider:
…
164. Existing paragraph A52 is amended to read as follows:
When management makes extensive use of information technology in making an accounting estimate, identified controls relevant to the audit in the control activities component are likely to include general IT controls and application information processing controls. Such controls may address risks related to:
…
165. Existing paragraph A53 is amended to read as follows:
In some industries, such as banking or insurance, the term governance may be used to describe activities within the control environment, the entity’s process to monitor the system of internal control monitoring of controls, and other components of the system of internal control, as described in ASA 315.[40]
166. Existing paragraph A54 is amended to read as follows:
For entities with an internal audit function, its work may be particularly helpful to the auditor in obtaining an understanding of:
…
…
167. Existing paragraph A59 is amended to read as follows:
The measurement objective for fair value accounting estimates and other accounting estimates, based on current conditions at the measurement date, deals with perceptions about value at a point in time, which may change significantly and rapidly as the environment in which the entity operates changes. The auditor may therefore focus the review on obtaining information that may be relevant to identifying and assessing risks of material misstatement. For example, in some cases, obtaining an understanding of changes in marketplace participant assumptions that affected the outcome of a previous period’s fair value accounting estimates may be unlikely to provide relevant audit evidence. In this case, audit evidence may be obtained by understanding the outcomes of assumptions (such as a cash flow projections) and understanding the effectiveness of management’s prior estimation process that supports the identification and assessment of the risks of material misstatement in the current period.
168. Existing paragraph A60 is amended to read as follows:
A difference between the outcome of an accounting estimate and the amount recognised in the previous period’s financial report does not necessarily represent a misstatement of the previous period’s financial report. However, such a difference may represent a misstatement if, for example, the difference arises from information that was available to management when the previous period’s financial report were finalised, or that could reasonably be expected to have been obtained and taken into account in the context of the applicable financial reporting framework.38 Such a difference may call into question management’s process for taking information into account in making the accounting estimate. As a result, the auditor may reassess any plan to test related controls and the related assessment of control risk and or may determine that more persuasive audit evidence needs to be obtained about the matter. Many financial reporting frameworks contain guidance on distinguishing between changes in accounting estimates that constitute misstatements and changes that do not, and the accounting treatment required to be followed in each case.
169. Existing paragraph A65 is amended to read as follows:
Paragraph A42 of ASA 200 states that the ASAs do not ordinarily refer to inherent risk and control risk separately typically refer to the “risks of material misstatement” rather than to inherent risk and control risk separately. However, this ASA 315 Auditing Standard requires a separate assessment of inherent risk and control risk to provide a basis for designing and performing further audit procedures to respond to the risks of material misstatement at the assertion level,[45] including significant risks, at the assertion level for accounting estimates in accordance with ASA 330.46
170. Existing paragraph A66 is amended to read as follows:
In identifying the risks of material misstatement and in assessing inherent risk for accounting estimates in accordance with ASA 315,[47] the auditor is required to take into account the degree to which the accounting estimate is subject to, or affected by, the inherent risk factors that affect susceptibility to misstatement of assertions, and how they do so estimation uncertainty, complexity, subjectivity, or other inherent risk factors. The auditor’s consideration of the inherent risk factors may also provide information to be used in determining:
171. Existing paragraph A68 is amended to read as follows:
The relevance and significance of inherent risk factors may vary from one estimate to another. Accordingly, the inherent risk factors may, either individually or in combination, affect simple accounting estimates to a lesser degree and the auditor may identify fewer risks or assess inherent risk at close to the lower end of the spectrum of inherent risk.
172. Existing paragraph A70 is amended to read as follows:
Events occurring after the date of the financial report may provide additional information relevant to the auditor’s assessment of the risks of material misstatement at the assertion level. For example, the outcome of an accounting estimate may become known during the audit. In such cases, the auditor may assess or revise the assessment of the risks of material misstatement at the assertion level,[48] regardless of how the inherent risk factors affect susceptibility of assertions to misstatement relating to degree to which the accounting estimate. was subject to, or affected by, estimation uncertainty, complexity, subjectivity or other inherent risk factors. Events occurring after the date of the financial report also may influence the auditor’s selection of the approach to testing the accounting estimate in accordance with paragraph 18. For example, for a simple bonus accrual that is based on a straightforward percentage of compensation for selected employees, the auditor may conclude that there is relatively little complexity or subjectivity in making the accounting estimate, and therefore may assess inherent risk at the assertion level at close to the lower end of the spectrum of inherent risk. The payment of the bonuses subsequent to period end may provide sufficient appropriate audit evidence regarding the assessed risks of material misstatement at the assertion level.
173. Existing paragraph A79 is amended to read as follows:
The degree of subjectivity associated with an accounting estimate influences the susceptibility of the accounting estimate to misstatement due to management bias or fraud other fraud risk factors insofar as they affect inherent risk. For example, when an accounting estimate is subject to a high degree of subjectivity, the accounting estimate is likely to be more susceptible to misstatement due to management bias or fraud and this may result in a wide range of possible measurement outcomes. Management may select a point estimate from that range that is inappropriate in the circumstances, or that is inappropriately influenced by unintentional or intentional management bias, and that is therefore misstated. For continuing audits, indicators of possible management bias identified during the audit of preceding periods may influence the planning and risk assessment procedures in the current period.
174. Existing section heading before paragraph A85 has been amended to read as When the Auditor Intends to Rely on the Operating Effectiveness of Relevant Controls (Ref: Para: 19)
175. Existing paragraph A85 is amended to read as follows:
Testing the operating effectiveness of relevant controls may be appropriate when inherent risk is assessed as higher on the spectrum of inherent risk, including for significant risks. This may be the case when the accounting estimate is subject to or affected by a high degree of complexity. When the accounting estimate is affected by a high degree of subjectivity, and therefore requires significant judgement by management, inherent limitations in the effectiveness of the design of controls may lead the auditor to focus more on substantive procedures than on testing the operating effectiveness of controls.
176. As a result of the footnote insertion above, subsequent footnotes of this Auditing Standard are re-numbered and references to these footnotes are updated accordingly.
177. Existing footnote 49 in paragraph A104 is amended to read as follows:
See ASA 315, paragraph 816.
178. Existing footnote 58 in paragraph A137 is amended to read as follows:
See also ASA 315, paragraph 3137.
179. Existing footnote 65 in paragraph A149 is amended to read as follows:
See ASA 315, paragraphs 3238 and A152–A155A237–A241.
180. Existing footnote 7 in paragraph 11 is amended to read as follows:
See ASA 315, paragraph 513; and ASA 240, paragraph 1617.
181. Existing footnote 8 in paragraph 12 is amended to read as follows:
See ASA 315, paragraph 1017; and ASA 240, paragraph 1516.
182. Existing footnote 9 in paragraph 18 is amended to read as follows:
See ASA 315, paragraph 2528.
183. Existing footnote 18 in paragraph A7 is amended to read as follows:
See ASA 315, paragraphs A26-A27A68-A70, which provide guidance regarding the nature of a special-purpose entity.
184. Existing paragraph A9 is amended to read as follows:
Matters that may be addressed in the discussion among the engagement team include:
…
185. Existing paragraph A12 is amended to read as follows:
However, where the framework does not establish related party requirements, the entity may not have such information systems in place. Under such circumstances, it is possible that management may not be aware of the existence of all related parties. Nevertheless, the requirement to make the enquiries specified by paragraph 13 still applies because management may be aware of parties that meet the related party definition set out in this ASA. In such a case, however, the auditor’s enquiries regarding the identity of the entity’s related parties are likely to form part of the auditor’s risk assessment procedures and related activities performed in accordance with ASA 315to obtain information regarding the entity’s organisational structure, ownership, governance and business model.:
…
186. Existing footnote 21 in paragraph A17 is amended to read as follows:
See ASA 315, paragraph 1421.
187. Existing paragraph A20 is amended to read as follows:
Controls activities in smaller entities are likely to be less formal and smaller entities may have no documented processes for dealing with related party relationships and transactions. An owner-manager may mitigate some of the risks arising from related party transactions, or potentially increase those risks, through active involvement in all the main aspects of the transactions. For such entities, the auditor may obtain an understanding of the related party relationships and transactions, and any controls that may exist over these, through enquiry of management combined with other procedures, such as observation of management’s oversight and review activities, and inspection of available relevant documentation.
188. Existing paragraph A28 is amended to read as follows:
Relevant related party information that may be shared among the engagement team members includes, for example:
Significant or complex related party relationships or transactions that may be determined to be significant risks require special audit consideration, in particular transactions in which management or those charged with governance are financially involved.
189. Existing paragraph A34 is amended to read as follows:
Depending upon the results of the auditor’s risk assessment procedures, the auditor may consider it appropriate to obtain audit evidence without testing the entity’s controls over related party relationships and transactions. In some circumstances, however, it may not be possible to obtain sufficient appropriate audit evidence from substantive audit procedures alone in relation to the risks of material misstatement associated with related party relationships and transactions. For example, where intra-group transactions between the entity and its components are numerous and a significant amount of information regarding these transactions is initiated, recorded, processed or reported electronically in an integrated system, the auditor may determine that it is not possible to design effective substantive audit procedures that by themselves would reduce the risks of material misstatement associated with these transactions to an acceptably low level. In such a case, in meeting the ASA 330 requirement to obtain sufficient appropriate audit evidence as to the operating effectiveness of relevant controls,26 the auditor is required to test the entity’s controls over the completeness and accuracy of the recording of the related party relationships and transactions.
190. Existing footnote 3 in paragraph 10 is amended to read as follows:
See ASA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment, paragraph 513.
191. Existing footnote 10 in paragraph A7 is amended to read as follows:
See ASA 315, paragraph 3137.
192. Existing paragraph 17 is amended to read as follows:
The auditor is required to identify and assess the risks of material misstatement through obtaining an understanding of the entity and its environment, the applicable financial reporting framework and the system of internal control.7 The group engagement team shall:
…
193. Existing paragraph A6 is amended to read as follows:
The group engagement team may also identify a component as likely to include significant risks of material misstatement of the group financial report due to its specific nature or circumstances. (that is, risks that require special audit consideration14). For example, a component could be responsible for foreign exchange trading and thus expose the group to a significant risk of material misstatement, even though the component is not otherwise of individual financial significance to the group.
194. Existing footnote 17 of paragraph A23 is amended to read as follows:
See ASA 315, paragraphs A17-A41A27–A73.
195. Existing footnote 19 of paragraph A28 is amended to read as follows:
See ASA 240, paragraph 1516; and ASA 315, paragraph 1017.
196. Existing paragraph 1 of Appendix 2 is amended to read as follows:
Group-wide controls may include a combination of the following:
…
…
197. Existing Appendix 5 is amended to read as follows:
Matters that are relevant to the planning of the work of the component auditor:
…
Matters that are relevant to the conduct of the work of the component auditor:
…
198. As a result of the footnote deletion above, subsequent footnotes of this Auditing Standard are re-numbered and references to these footnotes are updated accordingly.
199. Existing paragraph 7 is amended to read as follows:
ASA 315 addresses how the knowledge and experience of the internal audit function can inform the external auditor’s understanding of the entity and its environment, the applicable financial reporting framework and the entity’s system of internal control, and identification and assessment of risks of material misstatement. ASA 315 [3] also explains how effective communication between the internal and external auditors also creates an environment in which the external auditor can be informed of significant matters that may affect the external auditor’s work.
200. Existing paragraph A3 is amended to read as follows:
In addition, those in the entity with operational and managerial duties and responsibilities outside of the internal audit function would ordinarily face threats to their objectivity that would preclude them from being treated as part of an internal audit function for the purpose of this ASA, although they may perform controls activities that can be tested in accordance with ASA 330.12 For this reason, monitoring controls performed by an owner-manager would not be considered equivalent to an internal audit function.
201. Existing footnote 13 in paragraph A4 is amended to read as follows:
See ASA 315 (as amended), paragraph 614(a).
202. Existing paragraph A10 is amended to read as follows:
The application of a systematic and disciplined approach to planning, performing, supervising, reviewing and documenting its activities distinguishes the activities of the internal audit function from other monitoring controls activities that may be performed within the entity.
203. Existing paragraph A21 is amended to read as follows:
As explained in ASA 315,[22] significant risks require special audit consideration are risks assessed close to the upper end of the spectrum of inherent risk and therefore the external auditor’s ability to use the work of the internal audit function in relation to significant risks will be restricted to procedures that involve limited judgement. In addition, where the risks of material misstatement is other than low, the use of the work of the internal audit function alone is unlikely to reduce audit risk to an acceptably low level and eliminate the need for the external auditor to perform some tests directly.
204. Existing footnote 25 in paragraph A26 is amended to read as follows:
See ASA 315 (as amended), paragraph A116A118.
205. Existing paragraph A4 is amended to read as follows:
An auditor’s expert may be needed to assist the auditor in one or more of the following:
206. Existing footnote 35 in paragraph A47 is amended to read as follows:
See ASA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment, paragraph 412(c).
207. Existing paragraph A20 is amended to read as follows:
ASA 315 defines a significant risk as an identified and assessed risk of material misstatement for which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the degree to which the inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur that, in the auditor’s judgement, requires special audit consideration.[24] Areas of significant management judgement and significant unusual transactions may often be identified as significant risks. Significant risks are therefore often areas that require significant auditor attention.
208. As a result of the footnote insertion above, subsequent footnotes of this Auditing Standard are re-numbered and references to these footnotes are updated accordingly.
209. Existing footnote 26 in paragraph A22 is amended to read as follows:
See ASA 315, paragraph 3137.
210. Existing paragraph A31 is amended to read as follows:
The auditor’s knowledge obtained in the audit includes the auditor’s understanding of the entity and its environment, the applicable financial reporting framework, and including the entity’s system of internal control, obtained in accordance with ASA 315.[11] ASA 315 sets out the auditor’s required understanding, which includes such matters as obtaining an understanding of:
(a) The entity’s organisational structure, ownership and governance, and its business model, including the extent to which the business model integrates the use of IT;
(b) The rRelevant industry, regulatory, and other external factors;
(c) The relevant measures used, internally and externally, to assess measurement and review of the entity’s financial performance; and
(e) The nature of the entity;
(f) The entity’s selection and application of accounting policies;
(g) The entity’s objectives and strategies;
211. Existing paragraph A51 is amended to read as follows:
In reading the other information, the auditor may become aware of new information that has implications for:
212. Existing footnote 5 in paragraph 10 is amended to read as follows:
See ASA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment, paragraph 11(c)19(b).
For legal purposes, each provision of this instrument specified in column 1 of the table commences, or is taken to have commenced in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.
Commencement information | ||
Column 1 | Column 2 | Column 3 |
Provisions | Commencement | Date/Details |
The whole of this instrument | 14 December 2021. | 14 December 2021. |
Note: This table relates only to the provisions of this instrument as originally made. It will not be amended to deal with any later amendments of this instrument.
[19] See ASA 540315 Auditing Accounting Estimates and Disclosures, paragraph 16 Identifying and Assessing the Risks of Material Misstatement
21 See ASA 330, paragraph 6
[15] See ASA 315, paragraph A9159 and Appendix 31
[10] See ASA 315, paragraph 26(a)(i) and 26(d)
[13] See ASA 315, paragraph 3832
[18] See ASA 260, paragraphs A1–A8, discuss with whom the auditor communicates when the entity’s governance structure is not well defined.
[20] See ASA 315, paragraph 12(f)
[21] See ASA 315, paragraph 21
[1] See ASA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment,
paragraphs 412 and 1221.
[4] See ASA 315, paragraph 1221. Appendix 5Paragraphs A60-A65 provide guidance on controls relevant to the audit.
[5] See ASA 315, paragraph A66A175.
[11] See ASA 315, paragraph 26(a)
[2] See ASA 315, paragraphs 31 and 34
[4] See ASA 315, paragraph 3330
[5] See ASA 315, paragraph 26(c)(i)
[7] See ASA 315, paragraph 36
[10] See ASA 315, paragraph 5331
[1] See ASA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment.
[4] See ASA 315, paragraphs 26(a)
[5] See ASA 315, paragraph 26(d)
[5] See ASA 315, paragraph 31
[6] See ASA 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Standards on Auditing, paragraph A40
[8] See ASA 315, paragraphs 3, 5–6, 9, 11–12, 15-17, and 20-2119–27
[9] See ASA 315, paragraphs 26(a)(i)–(iv)
[10] See ASA 315, paragraph 25 and 2631 and 34
[11] See ASA 315, paragraph 3227
[12] See ASA 315, paragraph 26(a)(i)29
[13] See ASA 315, paragraph 26(a)
[32] See ASA 315, paragraph 12(f)
[33] See ASA 315, paragraph 31
[35] See ASA 315, paragraph 21(a)14
[38] See ASA 315, paragraph 22(b)17
[40] See ASA 315, Appendix 3 paragraph A77
[45] See ASA 315, paragraphs 31 and 34
[47] See ASA 315, paragraph 31(a)
[48] See ASA 315, paragraph 3731
[3] See ASA 315 (as amended), paragraph A116A118.
[22] See ASA 315, paragraph 124(l)(e)
[24] See ASA 315, paragraph 12(l)
[11] ASA 315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment, paragraphs 1911–2712
[13] See ASA 315, paragraphs 1119, 3137, and A1A11.