AUDIT AND ASSURANCE PRINCIPLES

◈ Assurance Engagement
- an engagement in which a practitioner expresses a conclusion designed to enhance the degree
of confidence of the intended users other than the responsible party about the outcome of the
evaluation or measurement of a subject matter against criteria.

Two Types of assurance engagements

1. Reasonable assurance – positive form of assurance - AUDIT
2. Limited assurance – negative form of assurance – REVIEW

◈ Assertion VS. Reporting

o Assertion-based Engagements –an assertion by the responsible party that is made available to
intended users.
Example: the assertion of client management about fair presentation of its financial statements.
o Direct Reporting Engagements – subject matter information is provided to the intended user in
the assurance report.
Example: operating effectiveness of internal control where management did not provide assertion.

Elements of Assurance Engagement (TESSA)

◈ Three-Party Relationship
a. Practitioner – CPA in public practice who performs the assurance engagement
The term practitioner is broader than the term ―auditor
b. Responsible party – person/s who is responsible for the subject matter or the assertion (subject
matter information) For example, an entity‘s management is responsible for the preparation and
presentation of financial statements or the establishment and implementation of internal control.
c. Intended user/s – person, persons or class of persons for whom the practitioner prepares the
assurance report; they are the users to whom the practitioner usually addresses the report .

◈ Appropriate Subject Matter

- Financial or non-financial performance, physical characteristics, systems and processes or
behaviors to be evaluated or measured against the criteria.
a. Identifiable
b. Capable of consistent evaluation and measurement against suitable criteria

◈ Appropriate Subject Matter

Subject matter information means the evaluation or measurement of a subject matter.
Can be subjected to procedure to form a conclusion
Subject matter – Assertion

◈ Criteria
- standard or benchmark used to evaluate or measure the subject matter of an assurance
engagement,
a. May be formal such as PFRS, COSO’s Internal Control-Integrated Framework, Laws and
regulations (established criteria)
b. Or less formal such as internally developed code, rules and regulations and policies
(specifically developed criteria)
◈ Criteria
Suitable Criteria
• Relevance – contribute to conclusions that assist decision-making by the intended users
• Completeness –relevant factors that could affect the conclusions in the context of the
engagement circumstances are not omitted.
• Reliability – consistent evaluation or measurement of the subject matter when used in similar
circumstances by similarly qualified practitioners
• Neutrality – conclusions that are free from bias
• Understandability – clear, comprehensive, and not subject to significantly different
interpretations

◈ Sufficient Appropriate Evidence

• Professional skepticism – questioning mind and a critical assessment of evidence (free from
material misstatements)
• Professional judgment – application of relevant training, professional knowledge, skills and
experience in decision making.·
• Sufficiency – the measure of the quantity of evidence ·
• Appropriateness –measure of the quality of evidence (relevance and reliability)

◈ Sufficient Appropriate Evidence

Practitioner is not trained or expected to be an expert in authentication.
More reliable if:
a. Independent source
b. Controls are effective
c. Directly obtained
d. In documentary form
e. Original documents

◈ Sufficient Appropriate Evidence

• Other considerations in gathering evidence
• Different sources of nature
• Cost-benefit is considered
• Materiality
• Engagement risk
a. Risk of Material Misstatement - (Inherent Risk and Control Risk)
b. Detection Risk
• Nature, Timing and Extent

◈ Assurance Report
Audit – positive form of assurance
• Unqualified – “presented fairly in all material aspects”
• Qualified – “ presented fairly except for”
(material misstatements or scope limitation or uncertainty)
• Adverse – “do not present fairly”
(material and pervasive misstatements)
• Disclaimer – “do not express and opinion”
( high degree of scope limitation and uncertainty)
 ◈ Assurance Report
Review - negative form of assurance
“nothing has come to our attention that causes us to believe that the financial statements is not
presented fairly in all material respects”

Engagement Acceptance

◈ Acceptance
• Relevant Ethical Requirements will be satisfied:
• Engagement exhibits the following:
a. Subject matter is appropriate
b. Criteria are suitable and available
c. Has access to sufficient appropriate evidence
d. Conclusion to be contained in written report
e. There is a rational purpose for the engagement

◈ Acceptance
• Client’s Management does not lack integrity:
• Client agrees to the terms of the engagement
Engagement Letter
Management Representation Letter
• Rejected? – engaging party may request a non-assurance engagement.

Introduction to Auditing
◈ Auditing
◈ According to American Accounting Association (AAA), auditing defined is
• a systematic process of
• objectively obtaining and evaluating evidence
• regarding assertions about economic actions and events
• to ascertain the degree of correspondence between those assertions and established criteria
and
• communicating the result to interested users”.
◈ Auditing encompasses two processes: investigative process and a reporting process.
◈ Investigation involves the systematic gathering and evaluation of evidence as a basis for
determining whether assertions or representations made by responsible person in a company’s
financial statements, correspond with the established financial reporting criteria, such as
generally accepted accounting principles (GAAP).
• Forms of evidence: Transaction data; Communications with outsiders;
Observations; Client Testimony
• Auditors must obtain sufficient and appropriate audit evidence to satisfy the
purpose of audit.
◈ Reporting involves communicating an evaluation or opinion in audit report to interested users.

Types of Audit according to nature or assertion being audited

◈ Types of Audit according to types of auditor being audited
◈ External Audits – performed by CPAs who are also known as independent auditors or external
auditors.
◈ Internal Audits – an independent appraisal function established within an organization to
examine and evaluate its activities as a service to the organization. Internal audits are not
independent in the same sense as external auditors.
◈ Government Audits – involves the determination of whether government funds are being
handled properly and in compliance with existing laws and whether the government programs a
particular agency are being conducted efficiently and economically. Government audit (or State
Audit) has been classified into three main divisions:
• Compliance audit
• Financial audit
• Performance audit
• Economy and efficiency audit
• Effectiveness audit
◈ The Independent Financial Audit
◈ Objective: to enable the auditor to express an opinion whether the financial statements are
prepared, in all material aspects, in accordance with the applicable financial reporting
framework.
• Responsibility for the financial statements
• Assurance provided by the auditor
◈ Audit report
◈ Why not absolute assurance?
• Inherent Limitations
• The nature of financial reporting
• Judgment
• The nature of audit procedures
• Selective Testing
• Nature of Audit Evidence Available
• Most evidence are persuasive rather than conclusive
• Timeliness of Financial Reporting
◈ Economic Demand for Auditing
◈ Information risk is the risk that information is misstated or misleading. It reflects the possibility
that the information upon which a business decision made was inaccurate.
◈ Auditing of financial information reduces information risk to the users of financial information.
• Information risk
◈ Causes of information risk
• Remoteness of information
• Biases and Motives of the Provider
• Voluminous Data
• Complex Exchange Transactions
◈ How to reduce information risk
• Allow users to verify information – the user may go to the business establishment
• User shares information risk with management –If inaccurate information is provided,
management may be held responsible in a lawsuit.
• Have the financial statements audited – External auditors are engaged to provide
assurance that the financial statements are reliable
The Risk-based Financial Statement Audit
Client Acceptance, Audit Planning, Supervision and Monitoring

Risk-based Audit Process

Audit
An audit is a systematic process of objectively obtaining and evaluating evidence regarding assertions
about economic actions and events to ascertain the degree of correspondence between these
assertions and established criteria and communicating the results thereof.

Audit Process
1. Audit Planning
2. Pre-engagement
3. Evidence gathering / Substantive testing
4. Issuance of the audit report
5. Consideration of internal controls
6. Post-audit responsibilities
7. Completing the audit

Pre-engagement activities

01 Evaluate preconditions for an audit

02 Evaluate auditability of the prospective client
03 Investigate the integrity of the client’s management
04 Evaluate compliance
05 Evaluate of the firm’s ability to serve the prospective client
06 Obtain a preliminary knowledge of the client’s business and industry
07 Agree and prepare

Agreeing the Terms of Audit Engagements

a. Auditor’s acceptance and engagement
b. Objective and scope of the audit
c. Extent of auditor’s responsibilities to the client
d. Form of any reports

Contents of engagement letter

a. The presence of audit risk
b. Unrestricted access to whatever record
c. The financial reporting framework used
d. Objective of the audit
e. The form of any reports or other communication
f. Management’s responsibility
g. The scope of the audit

The auditor may also wish to include in the letter

a. Basis in which fees are computed and any billing arrangements
b. Expectation of receiving representation of terms of agreement
 c. Acknowledgement of management of terms of agreement
d. Arrangements regarding the planning of the audit
e. Description of any other letters or reports

When relevant, the following points could also be made

1. Arrangements concerning the involvement of other auditors and experts in some aspects of the
audit
2. Arrangements concerning the involvement of internal auditors and other staffs
3. Arrangement to be made with the predecessor auditor, if any, in the case of initial audit
engagement
4. Any restriction of the auditor’s liability when such possibility exists
5. A reference to any further agreements between the auditor and the client

Audit of Components
a. Who appoints the component auditor
b. Legal requirements in a relation to audit appointments
c. Degree of ownership by parent
d. Whether a separate auditor’s report is to be issued on the components
e. Degree of independence of the component’s management from the parent entity

Recurring Audits
1. Any indication that the client misunderstands the objective and scope of the audit
2. Any revised or special terms of the engagement
3. A recent change of top level management or board of directors
4. A significant change in ownership
5. A significant change in nature or size of the client’s business
6. A change in legal or regulatory requirements
7. A change in financial reporting framework adopted in the preparation of the financial
statements
8. A change in other reporting requirements

Acceptance of a Change in Engagement

YES
a. STOP performing
b. STOP referring
c. START performing
d. ISSUE a report
NO
e. CONTINUE
f. WITHDRAW

Audit Planning
Establish the overall audit strategy for the engagement and developing and audit plan.

Benefits of Adequate Planning in Financial Statements

a. Appropriate attention is devoted to important areas
b. Potential problems are identified and resolved on a timely basis
 c. Proper organization and management of the audit engagement leading to an effective and
efficient performance
d. Work are properly assigned to appropriate engagement team members
e. Assistance in coordinating work done by other auditors and experts
f. Assistance in facilitating direction, supervision and review

Nature and extent of planning activities

01 Size and complexity of the entity

02 Previous Experience entity of the key engagement team members
03 Changes in circumstances
04 Timing of the Appointment of the independent auditor

The Essential Planning Procedures

● Identifying and assessing risk of material misstatements through understanding the entity and
its environment
● Establishing the overall audit strategy
● Developing an audit plan
● Direction, supervision , and review
● Other planning considerations

Identifying and assessing ROMMs, through UE&E

• Obtain an understanding of the entity and its environment including its internal control through
inquiry, observation, inspection, and analytical procedures
• Consider materiality
• Identify and assess risks of material misstatements
• Determine the acceptable level of audit risk
• Identify detection risk to determine the nature, timing and extent of further audit procedures

Establishing the overall audit strategy

• Characteristics of the engagement
• Reporting objectives, including the timing and communications required
• Factors in directing the engagement team’s effort
• Consideration of results of preliminary engagement activities
• Nature, timing and extent of resources

Developing an audit plan

• Audit plan
• Audit program
• Documentation of overall audit strategy and audit plan
• Communication during planning phase

Direction, supervision, and review

The auditor shall plan the nature, timing and extent of direction and supervision of engagement team
members and the review of their work.

Other planning procedures

• Determining the need if an auditor’s expert
 ⮚ Selecting and expert
⮚ Obtaining an understanding of the field of expertise of the expert
⮚ Considering the nature, timing and extent of audit procedures
• Additional consideration in initial audit engagements
⮚ Preliminary engagement activities
⮚ Establishing overall audit strategy and audit plan

Knowledge of the business

a. Industry, regulatory, and other external factors, including financial reporting framework;
b. Nature of the entity, including entity’s selection and application of accounting policies;
c. Objectives and strategies and the related business risks that may result in a material
misstatement of the financial statements;
d. Measurement and review of the entity’s performance, and
e. Internal control.

Preliminary analytical procedures

01. Analytical procedures
02. Steps in applying analytical procedures
03. Uses of analytical procedures

Analytical procedures
Involves analysis of significant ratios and trends, including the resulting investigation of fluctuations
and relationships that are consistent with other relevant information or deviate from predicted
amounts.
PSA requires the auditor to use analytical procedures in the planning and overall review stages of the
audit.

Analytical procedure may be done thru:

● Horizon trend analysis
Horizontal analysis, or trend analysis, is a method where financial statements are compared to reveal
financial performance over a specific period of time.
● Vertical analysis
Vertical analysis is a method of financial statement analysis in which each line item is listed as a
percentage of a base figure within the statement.
● Ratio analysis
Ratio analysis is a quantitative method of gaining insight into a company's liquidity, operational
efficiency, and profitability by studying its financial statements such as the balance sheet and income
statement.

Steps in applying analytical procedures

Step 1 Develop expectations regarding financial statements using
a. Prior years’ financial statements
b. Anticipated results such as budgets or forecasts
c. Industry averages or financial statements of other entities operating within the same industry
d. Non-financial information relevant to the financial statements
e. Typical relationship among financial statement account balances

Step 2 Compare the expectations with the financial statements under audit
Step 3 Define and investigate significant differences
If there are unusual fluctuations and relationships, the auditor ordinarily begins with inquiries of
management followed by:
● Corroboration of management’s responses
● Consideration of the need to apply other audit procedures based on the results of management
inquiries

MATERIALITY
Auditing

"Information is material if its omission or misstatement could influence the economic decision of users
taken on the basis of the financial statements.“
In designing an audit plan, PSA 320 requires the auditor to make a preliminary estimate of materiality
for use during the examination.

MATERIALITY
Auditing

Materiality may be viewed as:

● The largest amount of misstatement that the auditor could tolerate in the financial statements;
● Or the smallest aggregate amount that could misstate any one of the financial statements.

MATERIALITY
Materiality involves both quantitative and qualitative considerations.
Quantitative considerations - it is necessary to relate the peso amount of the error to the FS under
examination.
Qualitative considerations - relate to the causes of misstatement.

Importance of Materiality
● The auditors should make a preliminary estimate of materiality to assist them in determining the
amount of evidence needed to support their opinion.
● There is an inverse relationship between materiality and the audit evidence.

MATERIALITY LEVEL
Step 1: Determine the overall materiality – Financial Statement Level
The auditor should determine the amount of misstatement that could be material to the
financial statements taken as a whole.
For example: The auditor believes that misstatements aggregating P100,000 would have a material
effect on the client's income statement and that these misstatements would have to aggregate
P200,000 to materially affect the statement of financial position.

Step 2: Determine the tolerable misstatement – Account Balance Level

Once the overall materiality has been established, the auditor determines materiality at the
account balance level. This is done by allocating the overall materiality to the financial statement
account balances.
Step 3: Compare the aggregate amount of uncorrected misstatements with the overall materiality.
After performing audit procedures, the auditor will have to compare the aggregate uncorrected
misstatements with the overall materiality.

BASES THAT CAN BE USED TO DETERMINE THE MATERIALITY LEVEL

Annualized interim financial statements
Prior year financial statements;
Budgeted financial statements of the current year

AUDIT RISK
The audit of financial statements is not a guarantee that all material misstatements in the
financial statements are detected. Due to the inherent limitations of the audit, there is always a risk that
the auditor may not be able detect material misstatements in the financial statements.

AUDIT RISK

Audit risk refers to the risk that the auditor might give an inappropriate audit opinion on the financial
statements.
The auditor's judgment about the acceptable level of audit risk is influenced by the type of client.
These three issues are the preliminary basis for the development of the audit risk model:
Audit risk = Inherent Risk * Control Risk * Detection Risk

INHERENT RISK
Inherent risk is the susceptibility of an account balance or class of transactions to a material
misstatement assuming that there were no related internal controls. This concept recognizes that some
account balances, by nature, are more susceptible to misstatement than others.

Factors that may influence the auditor's assessment of the risk of misstatement at the financial
statement level include:
01. The management integrity
02. Operating characteristics
03. Management characteristics
04. Industry characteristics

CONTROL RISK
Control risk is the risk that a material misstatement that could occur in an account balance or
class of transactions will not be prevented or detected, and corrected in a timely manner by accounting
and internal control systems.

DETECTION RISK
Detection risk is the risk that an auditor may not detect a material misstatement that exists in
an assertion. As regard to minimizing this risk, the auditor relies primarily on substantive tests. The
more effective the substantive tests are, the lower the detection risk will be.

STEPS IN USING THE AUDIT RISK MODEL

01 Set the Acceptable Level of Audit Risk
02 Assess the level of inherent risk
03 Assess the level of control risk
04 Determine the acceptable level of detection risk
Acceptable Level of Detection Risk = Acceptable Level of Audit Risk
Inherent Risk x Control Risk
05 Design Substantive Tests

AUDIT PLAN
Audit plan contains the overview of the engagement , outlining the nature and characteristics
of the client’s business operations and the overall audit strategy.

AUDIT PLAN
An audit plan should be made regarding
● how much evidence to accumulate;
● what are the procedures to be performed;
● and when should the procedures be performed.

AUDIT PLAN
The ff. Info are included in a typical audit plan:
● Description of the client company
● Audit objectives
● Description of the nature and extent of other services such as tax returns preparation
● Timetable of the audit work, etc.

AUDIT PROGRAM
Audit program serves as a set of instructions to assistants involved in the audit plan and as a
means to control and record the proper execution of the work; also contains the objectives for each
area and a time budget.
Working papers:
1. Audit plans
2. Audit programs
3. Time budget
Understanding the Entity and its Environment including its Internal Control and
Assessing the Risks of Material Misstatement

Overview
Risk assessment procedures and sources of information about the entity and its environment,
including its internal control.
This explains the audit procedures that the auditor is required to perform to obtain the
understanding of the entity and its environment, including its internal control (risk assessment
procedures). It also requires discussion among the engagement team about the susceptibility of the
entity’s financial statements to material misstatement.

Understanding the entity and its environment, including its internal control.
This requires the auditor to understand specified aspects of the entity and its environment, and
components of its internal control, in order to identify and assess the risks of material misstatement.

Assessing the risks of material misstatement.

This requires the auditor to identify and assess the risks of material misstatement at the
financial statement and assertion levels. The auditor is required to evaluate the design of the entity’s
controls, including relevant control activities, over such risks and determine whether they have been
implemented.

Communicating with those charged with governance and management.

This deals with matters relating to internal control that the auditor communicates to those
charged with governance and management.

Documentation.
This establishes related documentation requirements.

The auditor uses professional judgment to determine the extent of the understanding required
of the entity and its environment, including its internal control. The auditor’s primary consideration is
whether the understanding that has been obtained is sufficient to assess the risks of material
misstatement of the financial statements and to design and perform further audit procedures.

1.3.1 Describe and discuss the industry, regulatory and other external factors, including the applicable
financial reporting framework

Understanding the Entity and Its Environment, Including Its Internal Control
The auditor’s understanding of the entity and its environment consists of an understanding of
the following aspects:

(a) Industry, regulatory, and other external factors, including the applicable financial reporting
framework.
(b) Nature of the entity, including the entity’s selection and application of accounting policies.
(c) Objectives and strategies and the related business risks that may result in a material misstatement of
the financial statements.
(d) Measurement and review of the entity’s financial performance.
(e) Internal control.

The nature, timing, and extent of the risk assessment procedures performed depend on the
circumstances of the engagement such as the size and complexity of the entity and the auditor’s
experience with it. In addition, identifying significant changes in any of the above aspects of the entity
from prior periods is particularly important in gaining a sufficient understanding of the entity to identify
and assess risks of material misstatement.

Industry, regulatory and other external factors, including the applicable financial reporting framework

The auditor should obtain an understanding of relevant industry, regulatory, and other external
factors including the applicable financial reporting framework. These factors include industry conditions
such as the competitive environment, supplier and customer relationships, and technological
developments; the regulatory environment encompassing, among other matters, the applicable
financial reporting framework, the legal and political environment, and environmental requirements
affecting the industry and the entity; and other external factors such as general economic conditions.

The industry in which the entity operates may give rise to specific risks of material misstatement
arising from the nature of the business or the degree of regulation.Legislative and regulatory
requirements often determine the applicable financial reporting framework to be used by management
in preparing the entity’s financial statements. In most cases, the applicable financial reporting
framework will be that of the jurisdiction in which the entity is registered or operates and the auditor is
based, and the auditor and the entity will have a common understanding of that framework. In some
cases there may be no local financial reporting framework, in which case the entity’s choice will be
governed by local practice, industry practice, user needs, or other factors. The auditor considers
whether local regulations specify certain financial reporting requirements for the industry in which the
entity operates, since the financial statements may be materially misstated in the context of the
applicable financial reporting framework if management fails to prepare the financial statements in
accordance with such regulations.

1.3.1.1 Describe the nature of the entity

Nature of the Entity

The auditor should obtain an understanding of the nature of the entity. The nature of an entity
refers to the entity’s operations, its ownership and governance, the types of investments that it is
making and plans to make, the way that the entity is structured and how it is financed. An
understanding of the nature of an entity enables the auditor to understand the classes of transactions,
account balances, and disclosures to be expected in the financial statements.

The entity may have a complex structure with subsidiaries or other components in multiple
locations. An understanding of the ownership and relations between owners and other people or
entities is also important in determining whether related party transactions have been identified and
accounted for appropriately.

The auditor should obtain an understanding of the entity’s selection and application of
accounting policies and consider whether they are appropriate for its business and consistent with the
applicable financial reporting framework and accounting polices used in the relevant industry. The
auditor also identifies financial reporting standards and regulations that are new to the entity and
considers when and how the entity will adopt such requirements. Where the entity has changed its
selection of or method of applying a significant accounting policy, the auditor considers the reasons for
the change and whether it is appropriate and consistent with the requirements of the applicable
financial reporting framework.

The presentation of financial statements in conformity with the applicable financial reporting
framework includes adequate disclosure of material matters. The auditor considers whether the entity
has disclosed a particular matter appropriately in light of the circumstances and facts of which the
auditor is aware at the time.

1.3.1.2 Discuss the objectives and strategies and related business risks

Objectives and Strategies and Related Business Risks

The auditor should obtain an understanding of the entity’s objectives and strategies, and the
related business risks that may result in material misstatement of the financial statements. The entity
conducts its business in the context of industry, regulatory and other internal and external factors. To
respond to these factors, the entity’s management or those charged with governance define objectives,
which are the overall plans for the entity.Business risks result from significant conditions, events,
circumstances, actions or inactions that could adversely affect the entity’s ability to achieve its
objectives and execute its strategies, or through the setting of inappropriate objectives and strategies.

Business risk is broader than the risk of material misstatement of the financial statements,
though it includes the latter. Business risk particularly may arise from change or complexity, though a
failure to recognize the need for change may also give rise to risk. An understanding of business risks
increases the likelihood of identifying risks of material misstatement. However, the auditor does not
have a responsibility to identify or assess all business risks.

Most business risks will eventually have financial consequences and, therefore, an effect on the
financial statements. However, not all business risks give rise to risks of material misstatement. A
business risk may have an immediate consequence for the risk of misstatement for classes of
transactions, account balances, and disclosures at the assertion level or the financial statements as a
whole. The auditor’s consideration of whether a business risk may result in material misstatement is,
therefore, made in light of the entity’s circumstances.

1.3.1.3 Describe and discuss the measurement and review of the entity’s financial performance

Measurement and Review of The Entity’s Financial Performance

The auditor should obtain an understanding of the measurement and review of the entity’s
financial performance. Performance measures and their review indicate to the auditor aspects of the
entity’s performance that management and others consider to be of importance. Performance
measures, whether external or internal, create pressures on the entity that, in turn, may motivate
management to take action to improve the business performance or to misstate the financial
statements. Obtaining an understanding of the entity’s performance measures assists the auditor in
considering whether such pressures result in management actions that may have increased the risks of
material misstatement.
 The measurement and review of performance is directed at whether business performance is
meeting the objectives set by management (or third parties), but in some cases performance indicators
also provide information that enables management to identify deficiencies in internal control.

Internal measures may highlight unexpected results or trends requiring management’s inquiry
of others in order to determine their cause and take corrective action (including, in some cases, the
detection and correction of misstatements on a timely basis). Performance measures may also indicate
to the auditor a risk of misstatement of related financial statement information.

Much of the information used in performance measurement may be produced by the entity’s
information system. If management assumes that data used for reviewing the entity’s performance are
accurate without having a basis for that assumption, errors may exist in the information, potentially
leading management to incorrect conclusions about performance. When the auditor intends to make
use of the performance measures for the purpose of the audit, the auditor considers whether the
information related to management’s review of the entity’s performance provides a reliable basis and is
sufficiently precise for such a purpose. If making use of performance measures, the auditor considers
whether they are precise enough to detect material misstatements.

Introduction

PSA 315 provides that the auditor shall obtain an understanding of internal control relevant to
the audit. The objectives of the auditor in obtaining an understanding of the internal control are to:

1. Identify types of potential misstatements in the financial statements.

2. Identify factors that affect the risk of material misstatements in the financial statements.
3. Design the nature, extent, and timing of further audit procedures (tests of controls and
substantive tests)

1.3.2 Discuss and explain Internal Control.

Committee of Sponsoring Organizations of the Treadway Commission (COSO) Definition of Internal

Control

Internal Control is the process designed and effected by those charged with governance,
management, and other personnel to provide reasonable assurance about the achievement of the
entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of
operations and compliance with applicable laws and regulations.

Internal Control System means all the policies and procedures adopted by the management of
an entity to assist in achieving management’s objective of ensuring, as far as practicable, the orderly and
efficient conduct of its business, including adherence to management policies, the safeguarding of
assets, the prevention and detection of fraud and error, the accuracy and completeness of the
accounting records, and the timely preparation of reliable financial information.
1.3.2.1 Identify and explain the basic concepts and elements of internal control.

Elements of Internal Control

There are five interrelated components of the entity’s internal control, namely:

 Control environment.
 Risk assessment.
 Information and communication systems.
 Control Activities, and
 Monitoring

Control Environment

The control environment includes the attitudes, awareness, and actions of management and
those charged with governance concerning the entity’s internal control and its importance in the entity.
The control environment also includes the governance and management functions and sets the tone of
an organization, influencing the control consciousness of its people. It is the foundation for effective
internal control, providing discipline and structure.

The control environment encompasses the following elements:

(a) Communication and enforcement of integrity and ethical values.

Integrity and ethical values are essential elements of the control environment which influence
the effectiveness of the design, administration, and monitoring of other components of internal control.
They include management’s actions to remove or reduce incentives and temptations that might prompt
personnel to engage in dishonest, illegal, or unethical acts. They also include the communication of
entity values and behavioral standards to personnel through policy statements and codes of conduct
and by example.

(b) Commitment to competence.

Competence is the knowledge and skills necessary to accomplish tasks that define the
individual’s job. Commitment to competence includes management’s consideration of the competence
levels for particular jobs and how those levels translate into requisite skills and knowledge.

(c) Participation by those charged with governance.

Attributes of those charged with governance include independence from management, their
experience and stature, the extent of their involvement and scrutiny of activities, the appropriateness of
their actions, the information they receive, the degree to which difficult questions are raised and
pursued with management, and their interaction with internal and external auditors. Other
responsibilities of those charged with governance include oversight of the design and effective
operation of whistle blower procedures and the process for reviewing the effectiveness of the entity’s
internal control.

(d) Management’s philosophy and operating style.

Management’s philosophy and operating style encompass a broad range of characteristics. Such
characteristics may include the following: management’s approach to taking and monitoring business
risks; management’s attitudes and actions toward financial reporting (conservative or aggressive
selection from available alternative accounting principles, and conscientiousness and conservatism with
which accounting estimates are developed); and management’s attitudes toward information processing
and accounting functions and personnel.

(e) Organizational structure.

An entity’s organizational structure provides the framework within which its activities for
achieving entity-wide objectives are planned, executed, controlled, and reviewed. Establishing a
relevant organizational structure includes considering key areas of authority and responsibility and
appropriate lines of reporting. An entity develops an organizational structure suited to its needs. The
appropriateness of an entity’s organizational structure depends, in part, on its size and the nature of its
activities.

(f) Assignment of authority and responsibility.

This factor includes how authority and responsibility for operating activities are assigned and
how reporting relationships and authorization hierarchies are established. It also includes policies
relating to appropriate business practices, knowledge and experience of key personnel, and resources
provided for carrying out duties. In addition, it includes policies and communications directed at
ensuring that all personnel understand the entity’s objectives, know how their individual actions
interrelate and contribute to those objectives, and recognize how and for what they will be held
accountable.

(g) Human resource policies and practices.

Human resource policies and practices relate to recruitment, orientation, training, evaluating,
counseling, promoting, compensating, and remedial actions. Training policies that communicate
prospective roles and responsibilities and include practices such as training schools and seminars
illustrate expected levels of performance and behavior. Promotions driven by periodic performance
appraisals demonstrate the entity’s commitment to the advancement of qualified personnel to higher
levels of responsibility.

Application to Small Entities

Small entities may implement the control environment elements differently than larger entities.
For example, small entities might not have a written code of conduct but, instead, develop a culture that
emphasizes the importance of integrity and ethical behavior through oral communication and by
management example. Similarly, those charged with governance in small entities may not include an
independent or outside member.

Risk Assessment

Risk assessment is the “identification, analysis, and management of risks pertaining to the
preparation of financial statements”. For audit purposes, the auditor is concerned only with those risks
that are relevant to the preparation of reliable financial statements.

An entity’s risk assessment process is its process for identifying and responding to business risks
and the results thereof. For financial reporting purposes, the entity’s risk assessment process includes
how management identifies risks relevant to the preparation of financial statements that are presented
fairly, in all material respects in accordance with the entity’s applicable financial reporting framework,
estimates their significance, assesses the likelihood of their occurrence, and decides upon actions to
manage them. Risks relevant to reliable financial reporting also relate to specific events or transactions.
These include external and internal events and circumstances that may occur and adversely affect an
entity’s ability to initiate, record, process, and report financial data consistent with the assertions of
management in the financial statements.

Risks can arise or change due to circumstances such as the following:

 Changes in operating environment

 New personnel
 New or revamped information systems
 Rapid growth
 New technology
 New business models, products, or activities
 Corporate restructurings
 Expanded foreign operations
 New accounting pronouncement

Application to Small Entities

 The basic concepts of the entity’s risk assessment process are relevant to every entity,
regardless of size, but the risk assessment process is likely to be less formal and less structured in small
entities than in larger ones. All entities should have established financial reporting objectives, but they
may be recognized implicitly rather than explicitly in small entities. Management may be aware of risks
related to these objectives without the use of a formal process but through direct personal involvement
with employees and outside parties.

Information and Communication Systems

An information system consists of infrastructure (physical and hardware components), software,

people, procedures, and data. Infrastructure and software will be absent, or have less significance, in
systems that are exclusively or primarily manual. Many information systems make extensive use of IT.

The information system relevant to financial reporting objectives, which includes the financial
reporting system, consists of the procedures and records established to initiate, record, process, and
report entity transactions (as well as events and conditions) and to maintain accountability for the
related assets, liabilities, and equity
Accordingly, an information system encompasses methods and records that:

 Identify and record all valid transactions.

 Describe on a timely basis the transactions in sufficient detail to permit proper classification of
transactions for financial reporting.
 Measure the value of transactions in a manner that permits recording their proper monetary
value in the financial statements.
 Determine the time period in which transactions occurred to permit recording of transactions in
the proper accounting period.
 Present properly the transactions and related disclosures in the financial statements.

Communication involves providing an understanding of individual roles and responsibilities

pertaining to internal control over financial reporting. It includes the extent to which personnel
understand how their activities in the financial reporting information system relate to the work of others
and the means of reporting exceptions to an appropriate higher level within the entity. Open
communication channels help ensure that exceptions are reported and acted on. Communication takes
such forms as policy manuals, accounting and financial reporting manuals, and memoranda.
Communication also can be made electronically, orally, and through the actions of management.

Application to Small Entities

Information systems and related business processes relevant to financial reporting in small
entities are likely to be less formal than in larger entities, but their role is just as significant. Small
entities with active management involvement may not need extensive descriptions of accounting
procedures, sophisticated accounting records, or written policies. Communication may be less formal
and easier to achieve in a small entity than in a larger entity due to the small entity’s size and fewer
levels as well as management’s greater visibility and availability.

Control Activities

Control activities are the policies and procedures that help ensure that management directives
are carried out. Specific control procedures that are relevant to financial statement audit include:

 Performance reviews

These control activities include reviews and analyses of actual performance versus budgets,
forecasts, and prior period performance; relating different sets of data – operating or financial – to one
another, together with analyses of the relationships and investigative and corrective actions; comparing
internal data with external sources of information; and review of functional or activity performance,
such as a bank’s consumer loan manager’s review of reports by branch, region, and loan type for loan
approvals and collections.
  Information processing

A variety of controls are performed to check accuracy, completeness, and authorization of

transactions. The two broad groupings of information systems control activities are application controls
and general IT-controls.

o Application controls apply to the processing of individual applications.

o General IT-controls are policies and procedures that relate to many
applications and support the effective functioning of application controls by
helping to ensure the continued proper operation of information systems.

 Physical controls

These activities encompass the physical security of assets, including adequate safeguards such
as secured facilities over access to assets and records; authorization for access to computer programs
and data files; and periodic counting and comparison with amounts shown on control records.

 Segregation of duties

Assigning different people the responsibilities of authorizing transactions, recording

transactions, and maintaining custody of assets is intended to reduce the opportunities to allow any
person to be in a position to both perpetrate and conceal errors or fraud in the normal course of the
person’s duties.

Application to Small Entities

The concepts underlying control activities in small entities are likely to be similar to those in
larger entities, but the formality with which they operate varies. Further, small entities may find that
certain types of control activities are not relevant because of controls applied by management. An
appropriate segregation of duties often appears to present difficulties in small entities.

Monitoring of Controls

Monitoring is a process of assessing the quality of internal control performance over time. It is
done to ensure that controls continue to operate effectively. Monitoring of controls is accomplished
through ongoing monitoring activities, separate evaluations, or a combination of the two.

o Ongoing monitoring activities are built into the normal recurring activities of an entity and
include regular management and supervisory activities.
o Separate evaluations are monitoring activities that are performed on a non-routine basis, such
as functions performed by internal auditors.

Application to Small Entities

 Ongoing monitoring activities of small entities are more likely to be informal and are typically
performed as a part of the overall management of the entity’s operations. Management’s close
involvement in operations often will identify significant variances from expectations and inaccuracies in
financial data leading to corrective action to the control.

Inherent Limitations of Internal Control

Internal control can provide only reasonable assurance that management’s objectives are
reached because of inherent limitations such as:

1. Management usual requirement that a control be cost effective.

2. The fact that most controls tend to be directed at anticipated types of transactions and not at
unusual transactions, the potential for human error due to carelessness, distraction, mistakes of
judgment or the misunderstanding of instructions.
3. The possibility of circumvention of controls through collusion with parties outside the entity or
with employees of the entity
4. The possibility that a person reasonable for exercising control could abuse that responsibility
5. The possibility that procedures may become inadequate due to changes in condition and
compliance with procedures may deteriorate.

Relevance of Controls to the Audit

It is a matter of the auditor’s professional judgment, whether a control, individually or in

combination with others, is relevant to the auditor’s considerations in assessing the risk of material
misstatement and designing and performing further procedures in response to assessed risk.

1.3.2.2 Identify and discuss consideration of accounting and internal control systems

Consideration of Accounting and Internal Control Systems

Set Desired Assess Assess Determine

Level of Audit Inherent Risk Control Risk Acceptable
Level of
Detection
Risk

Audit Planning Consideration of Performing Substantive

Internal Control Tests
 Although establishing and maintaining an entity’s accounting and internal controls systems is a
responsibility of the entity’s management, auditors should give adequate consideration to these
controls because the condition of the entity’s internal control systems can have a significant impact on
the audit. These considerations involve the following steps:

1. Obtaining understanding of the internal control.

2. Assessing the level of control risk.
3. Performing test controls.
4. Reassessing level of control risk, and
5. Documenting the assessed level of control risks

1.3.2.2.1 Understanding and documentation

Understanding Internal Control

The auditor should obtain sufficient understanding of the components of the entity’s internal
control relevant to the audit. Obtaining an understanding of internal control involves

o Performing a preliminary review

o Identifying transaction cycles
o Documenting the system
o Performing a transaction walkthrough
o Identifying controls that are potentially reliable

An initial understanding of the design of the entity’s internal control system is ordinarily obtained by:

o Making inquiries of appropriate individuals

o Inspecting documents and record; and
o Observing of entity’s activities and operations.

Documenting the auditor’s understanding of internal control

The auditor is required to document his understanding of accounting and internal control
systems after obtaining sufficient knowledge about the design and implementation of the internal
controls.

Some commonly used forms of documentation include:

o Narrative description
o Flowchart
o Internal control questionnaire
o Combination
Comparison of the Methods of Documenting the Understanding of the Internal Control Structure

Advantages Disadvantages

Narrative It can be tailor-made for It may become very long and

engagement. time consuming.

Internal Control Questionnaire Easy to complete, and strengths Questions may not fit client’s
and weaknesses can be easily internal control structure
identified. adequately.

Flowcharting It shows a visual representation It could be time consuming.

of internal controls.

The auditor’s understanding of internal control should be adequate enough to:

o Identify types of potential misstatement that can occur;

o Consider factors that affect the risk of material misstatements; and
o Design the nature , timing, and extent audit procedures to be performed.

1.3.2.2.2 Assessment of control risks

Assessment of Control risk

The auditor should make a preliminary assessment of control risk, at the assertion level, for each
material account balance or class transactions. This may be at a high level (100%) or less than high level.

High Control Risk Assessment

The auditor may assess control risk as HIGH or at the MAXIMUM LEVEL when there is high
likelihood that significant misstatements exist in the financial statements because internal controls are
inadequate and cannot be relied upon, for all certain audit objectives. Auditor will rely primarily on
substantive tests.

Less than High Level Risk Assessment

In order to assess control risk at LESS THAN HIGH or BELOW THE MAXIMUM LEVEL, the auditor
must be able to identify specific control structure policies and procedures that are in place and are likely
to prevent or detect material misstatements in specific financial statement assertions, and must test
whether those policies and procedures are designed and operating effectively.

After the preliminary assessment of control risk, the auditor must determine the appropriate
response to the risk assessment.
Auditor’s Responses at the Assertion Level

Preliminary Effect on
Control Risk Acceptable Audit Approach Tests of Controls? Substantive Tests?
Assessment Detection Risk

High/Maximum Decrease No reliance No Yes

Less than High or Increase Reliance* Yes Yes

Below the
Maximum

*Pending the results of Test of Controls

1.3.2.2.2.1 Test controls

Performing Tests of Controls

The auditor must test the internal controls before relying on them irrespective of how effective
these controls may appear to be in preventing material misstatements to obtain evidence that they are
working effectively as the preliminary assessment suggests.

Test of Controls are performed to obtain evidence about the effectiveness of the:

 Design of the accounting and internal control systems; or

 Operation of the internal controls throughout the period.

According to PSA, the auditor should obtain audit evidence through test of controls to support
any assessment of control risk at less than high level. The lower the assessment of control risk, the more
support the auditor should obtain that the internal control is suitably designed and operating effectively.
Thus, the greater the reliance the auditor plans to place on internal control, the more extensive the tests
of those controls that need to be performed.

Tests of Controls

Tests of controls are used to test either the effectiveness of the design or operation of a client’s
internal control policy or procedure in support of a “less than high” control risk assessment.

Nature of Tests of Control

Tests of controls generally consist of one, or a combination of, the following procedures:

1. Inquiry of client personnel

2. Observation of the application of policies and procedures
 3. Inspection (i.e., examination of documents)
4. Reperformance or recalculation

Timing of Tests of Controls

The timing of tests of controls depends on the auditor’s objective and determines the period of
reliance on those controls. If the auditor tests controls at a particular time, the auditor only obtains
audit evidence that the controls operated effectively at that time. However, if the auditor tests controls
throughout a period he obtains audit evidence of the effectiveness of the operation of the controls
during that period.

When the auditor perform tests of controls during an interim period, the auditor should
determine what additional audit evidence should be obtained for the remaining period. Another
important timing matter is how much to rely on tests of prior periods as evidence that controls are
effectively designed and continue to operate effectively during the current audit period.

Extent of Tests of Controls

The auditor cannot possibly examine all transactions related to certain control procedures. In an
audit, the auditor should determine the size of a sample sufficient to support the assessed level of
control risk.

The more the auditor relies on the operating effectiveness of controls in the assessment of risk,
the greater is the extent of the auditor’s tests of controls. In addition, as the rate of expected deviation
from a control increases, the auditor increases the extent of testing of control.

Reassessment Level of Control Risk

The auditor should evaluate whether the internal controls are designed and operating as
contemplated in the preliminary assessment of control risk. The auditor uses the assessed level of
control risk (together with the inherent risk) to determine the acceptable level of detection risk. There is
an inverse relationship between detection risks and the combined level of inherent and control risks. In
this regard, the auditor may consider modifying:

 The nature of substantive tests from less effective to more effective procedures;
 The timing of substantive tests by performing them at year-end rather than at interim; or
 The extent of substantive tests from smaller to larger sample size.

Effect of the Reassessment of Control Risk on the Audit Approach

Reassessment of Control Risk Audit Approach Effect on Substantive Tests

Audit Program
Remains at Less than High or Reliance Approach Less effective procedures
 Below Maximum Interim testing may be
appropriate
Lower sample sizes
Changed to High or Maximum Switch to No-Reliance Approach More effective procedures
Tests moved to nearer or at the
year-end
Larger sample sizes

1.3.2.2.2.2 Documentation

Documenting the Assessed Level of Control Risks

Documentation requirements depend mainly on the control risk assessment. If the assessment
is high or at the maximum level, the understanding of internal controls and the control risk assessment
must be documented. If the assessment is less than high or below the maximum level, the basis for the
control risk assessment must be documented, in addition to the documentation of the understanding of
internal controls and the control risk assessment.

Documentation Requirements

Control risk at High Control Risk at Less

Level than High Level
Understanding of Internal Control Required Required
Conclusion Required Required
Basis for the Conclusion Required Not Required

Communication of Significant Deficiencies in Internal Control

As a result of the auditor’s consideration of the accounting and internal control systems, the
auditor may become aware of significant deficiencies in the entity’s internal control systems. In this
regard, the auditor is required to report to the appropriate level of management and those charged with
governance, any significant deficiencies in the internal control systems, which have come to the
auditor’s attention. This communication should be in writing and can be done either before or after the
auditor’s report on the financial statements is issued.

These internal control deficiencies, together with other matters of concern, are ordinarily
communicated to the client in a formal report called management letter.

1.3.3 Identify, discuss, and assess the risks of material misstatement.

Auditor’s Responsibility
“The Auditor is responsible for obtaining reasonable assurance that the financial statements as a
whole are free from material misstatements.”
 Therefore, the responsibility is to design an audit that will detect these material misstatements.
Auditors are also not expected to detect all misstatement done in the financial statements, only those
material.
The term material is a concept in accounting concerned with relevant information or item in the
financial statements that if omitted or misstated will affect the decision making of users. Determination
of materiality involves relevant sizes and nature of information or acts.

1.3.3.1 Fraud and errors

Fraud
According to the Philippine Standards for Auditing (PSA), fraud is defined as an intentional act by
one or more individuals among the management, those charged with governance, employees, or third
parties, involving the use of deception to obtain an unjust or illegal advantage.

Error
Error is another form of misstatement in the financial statements. It is the unintentional
misstatements which may include omission of an amount or a disclosure such as:
- Mathematical or clerical mistakes in the underlying records and accounting data
- Incorrect accounting estimates arising from oversight or misinterpretation of facts.
- Mistakes in the application of accounting policies.

Responsibility of the Management and those Charged with Governance.

The management and those charged with governance are responsible for prevention and
detection of fraud and error. PSA 240 requires:
 The Management to establish a control environment and to implement internal control
policies and procedures designed to ensure the detection and prevention of fraud and error.
 The Individuals charged with governance to ensure the integrity of an entity’s accounting
and financial reporting systems, and that appropriate controls are in place.

Auditors are not and cannot be held responsible for the prevention of fraud and error, because
the management and those charged with governance is responsible and accountable for the prevention.
Auditors are only responsible for detection of material misstatements.

Types of Fraud Related to Audit

The concept of fraud is broad and can happen in any form, the concern of auditors is those fraud
relating to misstatements in the financial statements. This concept is classified into two types relevant
to auditing.
 Misappropriation of Asset – this involves the theft of an entity’s asset committed by the
entity’s employees, a reason why it is also known as defalcation or employee fraud. It is
often done by those in the rank-and-file level of employees since they are more susceptible
to commit this type of fraud, but it does not mean that those with higher rank employees
will not be part of misappropriation of asset. This may include:
- Embezzlement of receipts
- Stealing of entity’s assets such as cash, marketable securities, supplies, and other
inventories.
- Stealing intellectual properties
 - Lapping of accounts receivable
- Using entity’s asset for personal use

 Fraudulent Financial Reporting – involves intentional misstatements or omissions of

amounts or disclosures in the financial statements to deceive the users of information. It is
also known as the management fraud because the management and those charged with
governance can manipulate the financial statements to be reported.
- Manipulation, falsification or alteration of records or documents.
- Fictitious journal entries
- Recording of transaction without substance
- Intentional misapplication of accounting policies

Fraud Triangle
Fraud Triangle is the diagram that shows the elements or factors found in an entity that may
indicate the existence of fraud. These are considered red flags used for detection of fraud.

 Pressures or Incentives to commit

fraud.
-Personal Factors such as
financial difficulties
-Addiction to gambling or drugs
-Management compensation
schemes

 Opportunity to commit fraud.

-Lack or weak internal controls
-Complexities associated with
transactions

 Rationalizing the fraud.

-Everybody cheats on Financial Statements
-Just a little amount, it will not hurt
-Altering earnings to avoid disinvestments

Detection Risk Regarding Fraud

There are risks that auditor may not detect material misstatements including fraud and error.
 The risk of not detecting material misstatements due to fraud are higher than due to error.
Misstatements due to fraud involve concealment of the act which makes it harder for
auditors to detect or discover than errors.
 The risk of not detecting material misstatements due to management fraud is higher than
employee fraud.
Normally the management has the power to manipulate and override internal controls
in place, and conceal fraudulent acts than a normal rank-and-file employee.

Audit Objective Regarding Fraud

 Identify and assess the risk of material misstatement due to fraud.
  Obtain sufficient appropriate evidence through designing and implementing appropriate
responses.
 Respond appropriately to identified or suspected fraud.

Professional Skepticism
Auditors are expected to exercise professional skepticism in performing audits. It is the attitude
of havinga questioning mind and critical assessment that fraud exist in the management. Normally, this
can be applied through:
-Management is neither honest nor dishonest.

-Records and documents are presume genuine

Unless the auditor has reason to believe the contrary, the auditor may accept records
and documents as genuine. If conditions identified during the audit cause the auditor to
believe that a document may not be authentic or that terms in a document have been modified but not
disclosed to the auditor, the auditor should investigate further.

-Unsatisfactory or inconsistent response in inquiries

When responses to inquiries of management, those charged with governance, or others
are inconsistent or otherwise unsatisfactory (for example, vague or implausible), the auditor
should further investigate the inconsistencies or unsatisfactory responses.

1.3.3.2 Risks assessment procedures

 Inquiries of Management
The auditor should make inquiries of management regarding:
a. Management's assessment of the risk that the financial statements may be materially
misstated due to fraud, including the nature, extent, and frequency of such assessments.
This also involve asking if there are alleged or suspected fraud in the entity that the
management knows.
b. Management's process for identifying, responding to, and monitoring the risks of fraud in
the entity, including any specific risks of fraud that management has identified or that have
been brought to its attention, or classes of transactions, account balances, or disclosures for
which a risk of fraud is likely to exist.
c. Management's communication, if any, to those charged with governance regarding its
processes for identifying and responding to the risks of fraud in the entity
d. Management's communication, if any, to employees regarding its views on business
practices and ethical behavior; and e. whether the entity has entered into any significant
unusual transactions and, if so, the nature, terms, and business purpose (or the lack thereof)
of those transactions and whether such transactions involved related parties.

 Inquiries of those Charged with Governance and Internal Auditor

Inquiries to those charged with governance is similar to the inquiries made to the
management. Normally, the emphasize is on obtaining an understanding of how those charged
with governance exercise oversight of management's processes for identifying and responding
to the risks of fraud in the entity and the internal control that management has established to
mitigate these risks.
  Analytical Procedures
The auditor should evaluate whether unusual or unexpected relationships that have
been identified indicate risks of material misstatement due to fraud. To the extent not already
included, the analytical procedures, and evaluation thereof, should include procedures relating
to revenue accounts.

 Evaluate of Fraud Risk Factors

The auditor should evaluate whether the information obtained from the risk assessment
procedures and related activities performed indicates that one or more fraud risk factors are
present. Although fraud risk factors may not necessarily indicate the existence of fraud, they
have often been present in circumstances in which frauds have occurred and, therefore, may
indicate risks of material misstatement due to fraud.

Identification and Assessment of Risk of Material Misstatements Due to Fraud

 Material misstatements at the financial statements level and at the assertion level of
transaction, account balances and disclosure.
- This involves setting up materiality which is the threshold to identify whether items or
information obtain is a material misstatement in both levels. The auditor's risk assessment
should be ongoing throughout the audit, following the initial assessment.

 Risk of fraud of revenue recognition

-When identifying and assessing the risks of material misstatement due to fraud, the
auditor should consider evaluating the revenue recognition of the entity including types of
revenue, revenue transactions, or assertions give rise to such risks. The presumption is: there is
fraud of overstating revenue.

 Understanding the Entity’s Control

-Auditors should obtain understanding of the controls in place related to fraud, whether
such controls have been suitably designed and implemented to mitigate such fraud risks.

Auditor’s Responses to Assessed Risk

 Overall Responses
After the identification and assessment of risk, determination of the overall responses is
to be done to address the risks of material misstatement due to fraud, the auditor should:
a. Assign and supervise personnel, considering the knowledge, skill, and ability of the
individuals to be given significant engagement responsibilities and the auditor's
assessment of the risks of material misstatement due to fraud for the engagement. The
higher risk associated with the audit, the higher competence if personnel should be
assigned to do the audit.
b. Evaluate whether the selection and application of accounting policies by the entity,
particularly those related to subjective measurements and complex transactions, may
be indicative of fraudulent financial reporting resulting from management's effort to
manage earnings, or a bias that may create a material misstatement.
c. Incorporate an element of unpredictability in the selection of the nature, timing, and
extent of audit procedures. This gives the auditor a chance to observe the entity in an
unannounced audit, therefore not giving the entity a chance to prepare and conceal
 fraud.

 Responses to Risk at the Assertion Level

The auditor should design and perform further audit procedures whose nature, timing,
and extent are responsive to the assessed risks of material misstatement due to fraud at the
assertion level. The higher level of risk found in the material misstatements in the financial
statements, the more extensive procedures should be in place.
This involves changing the nature, timing and extent of procedures.
-Nature refers to what kind of procedure to be done. (observation, recalculation,
inquiry)
-Timing refers to when to conduct procedures. (interim, near the financial statement
date or at the financial statement date)
-Extent refers to the quantity of evidence begin tested. (sample size being tested)

 Response to Risk Management Control Override.

Management is in a unique position to perpetrate fraud because of management's
ability to manipulate accounting records and prepare fraudulent financial statements by
overriding controls that otherwise appear to be operating effectively.
The auditor should address the risk of management override of controls by designing
and performing audit procedures to:
a. test the appropriateness of journal entries recorded in the general ledger and other
adjustments made in the preparation of the financial statements, including entries
posted directly to financial statement drafts. In designing and performing audit
procedures for such tests, the auditor should
i. Obtain an understanding of the entity's financial reporting process and
controls over journal entries and other adjustments,12 and the
suitability of design and implementation of such controls.
ii. Make inquiries of individuals involved in the financial reporting process
about inappropriate or unusual activity relating to the processing of
journal entries and other adjustments.
iii. Consider fraud risk indicators, the nature and complexity of accounts,
and unusual entries processed.
iv. Select journal entries and other adjustments made at the end of a
reporting period; and v. consider the need to test journal entries and
other adjustments throughout the period.
b review accounting estimates for biases and evaluate whether the circumstances
producing the bias, if any, represent a risk of material misstatement due to fraud. In
performing this review, the auditor should
i. evaluate whether the judgments and decisions made by management in
making the accounting estimates included in the financial statements,
even if they are individually reasonable, indicate a possible bias on the
part of the entity's management that may represent a risk of material
misstatement due to fraud. If so, the auditor should reevaluate the
accounting estimates taken as a whole, and
ii. perform a retrospective review of management judgments and
assumptions related to significant accounting estimates reflected in the
financial statements of the prior year. Estimates selected for review
 should include those that are based on highly sensitive assumptions or
are otherwise significantly affected by judgments made by management.
c Evaluate, given the auditor's understanding of the entity and its environment and
other information obtained during the audit, whether the business purpose (or the
lack thereof) of significant unusual transactions suggests that they may have been
entered into to engage in fraudulent financial reporting or to conceal
misappropriation of assets. The procedures should include the following:
i. Reading the underlying documentation and evaluating whether the
terms and other information about the transaction are consistent with
explanations from inquiries and other audit evidence about the business
purpose (or the lack thereof) of the transaction.
ii. Determining whether the transaction has been authorized and approved
in accordance with the entity's established policies and procedures iii.
Evaluating whether significant unusual transactions that the auditor has
identified have been properly accounted for and disclosed in the
financial statements.

Evaluation of Audit Evidence in Relation to Fraud

 The results of analytical procedures should be consistent to the understanding of the auditor.
The auditor should evaluate, at or near the end of the audit, whether the accumulated
results of auditing procedures (including analytical procedures that were performed as
substantive tests or when forming an overall conclusion) affect the assessment of the risks of
material misstatement due to fraud made earlier in the audit or indicate a previously
unrecognized risk of material misstatement due to fraud. If not already performed when
forming an overall conclusion, the analytical procedures relating to revenue, should be
performed through the end of the reporting period.

 Determine whether misstatements involves fraud.

If the auditor identifies a misstatement, the auditor should evaluate whether such a
misstatement is indicative of fraud. If such an indication exists, the auditor should evaluate the
implications of the misstatement with regard to other aspects of the audit, particularly the
auditor's evaluation of materiality, management and employee integrity, and the reliability of
management representations, recognizing that an instance of fraud is unlikely to be an isolated
occurrence.

 Reevaluate risk assessment.

If the auditor identifies a misstatement, whether material or not, and the auditor has
reason to believe that it is, or may be, the result of fraud and that management (in particular,
senior management) is involved, the auditor should reevaluate the assessment of the risks of
material misstatement due to fraud and its resulting effect on the nature, timing, and extent of
audit procedures to respond to the assessed risks. The auditor should also consider whether
circumstances or conditions indicate possible collusion involving employees, management, or
third parties when reconsidering the reliability of evidence previously obtained.

 Evaluate implications of audit.

 If the auditor concludes that, or is unable to conclude whether, the financial statements
are materially misstated as a result of fraud, the auditor should evaluate the implications for the
audit.

Withdrawal from Engagement Due to Fraud

The presence of identified or suspected fraud may hinder the audit and pose a question about
the ability of the auditor to continue performing the audit. In such circumstances, auditors should:
 Determine professional and legal responsibility.
- Determine the professional and legal responsibilities applicable in the circumstances,
including whether a requirement exists for the auditor to report to the person or
persons who engaged the auditor or, in some cases, to regulatory authorities.
 Consider whether withdrawal is appropriate and legally permitted.
-Consider whether it is appropriate to withdraw from the engagement when withdrawal
is possible under applicable law or regulation.

If the auditor withdraws

i. discuss with the appropriate level of management and those charged with governance
the auditor's withdrawal from the engagement and the reasons for the withdrawal, and
ii. determine whether a professional or legal requirement exists to report to the person or
persons who engaged the auditor or, in some cases, to regulatory authorities, the
auditor's withdrawal from the engagement and the reasons for the withdrawal.

1.3.3.3 Discussion among the engagement team

Discussion among the Engagement Team and Key Audit Members
The standard requires the discussion among the engagement team and key audit members. This
involves the matters to be communicated which is determined to be vital in performing the audit of the
entity. This discussion should include an exchange of ideas or brainstorming among the engagement
team members related to:
 Susceptibility to material misstatement due to fraud
 Perpetration and concealment of fraudulent financial reporting,
 Asset misappropriation
 External and internal fraud risk factors.
Known external and internal factors affecting the entity that may create an incentive or
pressure for management or others to commit fraud, provide the opportunity for fraud to be
perpetrated, and indicate a culture or environment that enables management or others to
rationalize committing fraud.
 The risk of management override of controls.
 Indications of earnings management.
Consideration of circumstances that might be indicative of earnings management or
manipulation of other financial measures and the practices that might be followed by
management to manage earnings or other financial measures that could lead to fraudulent
financial reporting.
 Maintaining professional skepticism
 Audit Procedures
 How the auditor might respond to the susceptibility of the entity's financial statements
to material misstatement due to fraud.

Communication among the engagement team members about the risks of material
misstatement due to fraud should continue throughout the audit, particularly upon discovery of new
facts during the audit.

1.3.3.4 Significant risks that require special audit consideration.

In Auditor’s opinion, if any of the identified risks is a significant risk, the auditor has to obtain an
understanding of the entity’s control, including control activities relevant to that risk.

Following are to be considered to identify a risk as significant:

 Risk of fraud
 Relates to recent significant economic, accounting or other developments like regulatory
environment changes.
 Complexity of transactions
 Significant transactions with related parties
 The degree of subjectivity in the measurement of financial information related to the risk.
 Significant transactions outside the normal course of business or unusual transactions

1.3.3.5 Risks for which substantive procedures alone do not provide sufficient appropriate
audit evidence.

In respect of some risks, the auditor may judge that it is not possible or practicable to obtain
sufficient appropriate audit evidence only from substantive procedures. Such risks may relate to the
inaccurate or incomplete recording of routine and significant classes of transactions or account
balances, the characteristics of which often permit highly automated processing with little or no manual
intervention such as an entity’s revenue, purchases, and cash receipts or cash payments. In such cases,
the entity’s controls over such risks are relevant to the audit and the auditor shall obtain an
understanding of them.

Where such routine business transactions are subject to highly automated processing with little
or no manual intervention, it may not be possible to perform only substantive procedures in relation to
the risk.

For example, the auditor may consider this to be the case in circumstances where a significant
amount of an entity’s information is initiated, recorded, processed, or reported only in electronic form
such as in an integrated system. In such cases:

 Audit evidence may be available only in electronic form, and its sufficiency and appropriateness
usually depend on the effectiveness of controls over its accuracy and completeness.
  The potential for improper initiation or alteration of information to occur and not be detected
may be greater if appropriate controls are not operating effectively.

1.3.3.6 Revision of risk assessment.

The auditor’s assessment of the risks of material misstatement at the assertion level may change
during the course of the audit as additional audit evidence is obtained. In circumstances where the
auditor obtains audit evidence from performing further audit procedures, or if new information is
obtained, either of which is inconsistent with the audit evidence on which the auditor originally based
the assessment, the auditor shall revise the assessment and modify the further planned audit
procedures accordingly.

1.3.4 Discuss and communicate the risks of material misstatement with those charged with
governance and management.

Communication to Management and those Charged with Governance.

If the auditor has identified a fraud or has obtained information that indicates that a fraud may
exist, the auditor should communicate these matters on a timely basis to the appropriate level of
management in order to inform those with primary responsibility for the prevention and detection of
fraud of matters relevant to their responsibilities.
Unless all of those charged with governance are involved in managing the entity, if the auditor
has identified or suspects fraud involving:
a. management,
b. employees who have significant roles in internal control, or
c. others, when the fraud results in a material misstatement in the financial statements,

The auditor should communicate these matters to those charged with governance on a timely
basis. If the auditor suspects fraud involving management, the auditor should communicate these
suspicions to those charged with governance and discuss with them the nature, timing, and extent of
audit procedures necessary to complete the audit. The auditor should communicate with those charged
with governance any other matters related to fraud that are, in the auditor's professional judgment,
relevant to their responsibilities.

As a rule, communication of information regarding to discovery or suspicion of fraud, it should be

reported at least one rank higher to those involved in the act.

Communication to Regulatory and Enforcement Authorities

If the auditor has identified or suspects a fraud, the auditor should determine whether the
auditor has a responsibility to report the occurrence or suspicion to a party outside the entity. Although
the auditor's professional duty to maintain the confidentiality of client information may preclude such
reporting, the auditor's legal responsibilities may override the duty of confidentiality in some
circumstances.
Documentation in Relation to Fraud

 Understanding of the Entity and Its Environment

The auditor should include in the audit documentation of the auditor's understanding of
the entity and its environment and the assessment of the risks of material misstatement
required by section 315 the following:
a. The significant decisions reached during the discussion among the engagement team
regarding the susceptibility of the entity's financial statements to material misstatement
due to fraud, and how and when the discussion occurred and the audit team members
who participated.
b. The identified and assessed risks of material misstatement due to fraud at the financial
statement level and at the assertion level.

 Responses
The auditor should include in the audit documentation of the auditor's responses to the
assessed risks of material misstatement required by section 330 the following:
a. The overall responses to the assessed risks of material misstatement due to fraud at the
financial statement level and the nature, timing, and extent of audit procedures, and the
linkage of those procedures with the assessed risks of material misstatement due to
fraud at the assertion level
b. The results of the audit procedures, including those designed to address the risk of
management override of controls.

 Fraud
The auditor should include in the audit documentation communications about fraud
made to management, those charged with governance, regulators, and others.

 Risk of fraud of Revenue Recognition

If the auditor has concluded that the presumption that there is a risk of material
misstatement due to fraud related to revenue recognition is overcomes in the circumstances of
the engagement, the audit documentation the reasons for that conclusion.