It is worth highlighting a couple of these areas in more detail. First, the requirement to understand the applicable financial reporting framework would entail understanding not only the relevant financial reporting standards (IFRS or national standards) but also whether there are any relevant industry-specific regulations. Note that under the requirements of ISA 210, Agreeing the Terms of Audit Engagements, the auditor should already have determined the acceptability of the financial reporting framework, as this is one of the preconditions of an audit.
Second, the requirement to obtain knowledge of the entity's objectives, strategies and business risks is a crucial step in audit planning. This is because, according to the application guidance of ISA 315, 'business risk is broader than the risk of material misstatement, though it includes the latter'. (ISA 315.A30) Therefore, to successfully identify risks of material misstatement, the auditor should use a business risk approach. A simple example is that a company may face a business risk such as a fall in demand for its products. The associated risk of material misstatement lies in the valuation of inventory; therefore, there is a risk of misstatement at the assertion level. However, the fall in demand could also have a longer-term impact on the company's going concern status, leading to a potential risk of misstatement at the financial statement level. Appendix 2 of ISA 315 contains a useful list of examples of conditions and events that may indicate risks of material misstatement.
The key elements of the business understanding obtained regarding each of the aspects outlined above must be documented (ISA 315.32). However, the ISA does not stipulate a method or level of detail required for this documentation, leaving it to the auditor's judgment to determine the extent of documentation needed. In the audit of smaller entities, which often have a small range of products or services, operate from a limited number of locations and have a simple ownership structure, the documentation may be simple in form and relatively brief and it is not necessary to document the entirety of the auditor's understanding of the entity. Documentation may be prepared by using narrative notes or by completing a structured form. The notes may be maintained separately or incorporated in the documentation of the overall audit strategy.
It is a specific requirement of ISA 315 that the auditor obtains an understanding of the internal control relevant to the audit. This is a crucial step in assessing the risk of material misstatement, as one of the components of audit risk is control risk, defined as the risk that a misstatement that could occur will not be prevented, or detected and corrected, on a timely basis by the entity's internal control.
Internal control has five components, each of which must be understood and documented by the auditor:
(a) the control environment
(b) the entity's risk assessment procedure
(c) the information system, including the related business processes, relevant to financial reporting and communication
(d) control activities, and
(e) monitoring of controls.
This requirement appears onerous, and indeed for large and complex organisations the documentation of internal control can be laborious. However, it is important to remember that the auditor is only required to understand and document those elements of internal control which are relevant to the audit, in particular to the auditor's risk assessment, which is a matter of professional judgment.
In determining whether a control is relevant to the audit, matters such as the significance of the related risk, materiality, and the complexity of operations should be considered. In relation to control activities, the ISA specifically states that 'an audit does not require an understanding of all of the control activities related to each significant class of transaction, account balance and disclosure in the financial statements or to every assertion in them'. (ISA 315.20)
Therefore, the documentation of internal control should be commensurate with the nature, size and complexity of the entity. The ISA also suggests that the extent of documentation should be appropriate to the experience and capabilities of the audit engagement team, as less experienced members of the audit team may require more detailed documentation to assist them to obtain appropriate understanding of the entity and its controls.
In a smaller entity, the audit documentation on internal control is likely to be relatively simple, focusing on how sales and purchasing cycles operate and highlighting the risks of material misstatement that arise from the controls (or lack thereof) that are in place. It is tempting to think that in a simple system operating in a small company there is little risk of material misstatement, but of course there are specific risks associated with this type of company, especially the risks posed by opportunities for management override, and the limited scope for segregation of duties and authorisation controls. In a smaller company, the extent and nature of management's involvement in internal control is likely to be a key aspect in the documentation of internal control.
Remembering that the underpinning concept of ISA 315 is risk assessment, it is not surprising that one of the elements of internal control that the auditor must understand and document is the entity's own risk assessment process. Most large organisations will have an internal risk management function, the effectiveness of which may be assessed by the auditor. Smaller entities will not have such a function, and risk assessment will be performed in an ad hoc manner by the company's owners and/or managers. In this case, the auditor is required to discuss with management whether business risks relevant to financial reporting have been identified and addressed, and should then consider whether this represents a significant deficiency in internal control. (ISA 315.17)
Assessing the risks of material misstatement
Having obtained and documented an understanding of the entity including its internal control, the auditor is now in a position to identify and assess the risks of material misstatement, which should be done at the financial statement level, and at the assertion level for classes of transactions, account balances and disclosures. The point of the risk assessment is to provide a basis for designing and performing further audit procedures.
Risk assessment procedures should include inquiries of management and other relevant individuals, analytical procedures, observation and enquiry. (ISA 315.6)