7. UNDERSTANDING THE ENTITY, ITS ACCOUNTING SYSTEMS AND CONTROLS, ITS RISKS AND THE AUDIT RESPONSE TO ASSESSED RISK

(INCORPORATING ISA 200, 315, 330 and 402)

7.1 Risk Assessment

The engagement team should obtain an understanding of the entity and its environment, including its internal controls, sufficient to identify and assess the risk of material misstatement of the financial statements whether due to fraud or error, and sufficient to design and perform further audit procedures. The audit procedures used to obtain an understanding of the of the entity and its environment, including its internal controls are referred to as risk assessment procedures ,as some of the information obtained by performing such procedures may be used by the engagement team as audit evidence to support assessment of the risks of material misstatement. The extent of the understanding required is a matter of professional judgement, and is based on the primary consideration on whether it is sufficient to assess the risk of material misstatement of the financial statements and to design and perform further audit procedures. The level of understanding required is however less than that required by the management in managing the entity.

In addition, in performing risk assessment procedures, the engagement team may obtain audit evidence about classes of transactions, account balances, or disclosures and assertions and about the operating effectiveness of controls, even though such audit procedures were not specifically planned as substantive procedures or test of controls. The engagement team may choose to perform substantive procedures or tests of controls concurrently with risk assessment procedures because it is efficient to do so.

7.2 Audit Risk and Reasonable Assurance

In conducting an audit, the engagement team obtains reasonable assurance that the financial statements taken as a whole are free from material misstatement, whether due to fraud or error. Reasonable assurance relates to the whole audit process, and is a concept relating to the accumulation of audit evidence necessary for the engagement team to conclude that there are no material misstatements in the financial statements taken as a whole. In the conduct of an audit, one cannot obtain absolute assurance because of inherent limitations in the audit process due to the following factors:

• .The use of testing.
• .The inherent limitations of internal controls due to possibility of management override or collusion.
• .The fact that most audit evidence is persuasive rather than conclusive.

Based on the above, an audit is not a guarantee that the financial statements are free from material misstatement, because absolute assurance is not attainable. In addition, an audit opinion does not assure the future viability of the entity nor the efficiency or effectiveness with which management has conducted the affairs of the entity.

Audit risk is the risk that the engagement team expresses an inappropriate audit opinion when the financial statements are materially misstated. This definition does not include the risk that the engagement team may erroneously express an opinion that the financial statements are materially misstated. The engagement team reduces audit risk by designing and performing audit procedures to obtain sufficient appropriate audit evidence to draw reasonable conclusion on which to base the audit opinion. Reasonable assurance is obtained when the audit risk is reduced to an acceptably low level.

Audit risk is the function of the risk of material misstatement that the financial statements are materially misstated prior to the audit (made up of inherent risk and control risk ) and the risk that the engagement team will not detect such misstatements ( detection risk ):

Inherent risk is the susceptibility of an assertion (representations by management, explicit or otherwise, that are embodied in the financial statements) to a material misstatement if there were no internal controls.

The assessment of inherent risk is a judgemental process.

Appendix I: Inherent Risk Considerations provides a list of factors that the engagement team may consider when assessing inherent risk.

Control risk is the risk that a material misstatement that could occur in an assertion will not be prevented or detected and corrected on a timely basis by the entity's accounting and internal control systems.

Control risk can only be assessed as low if the controls have been tested.

Detection risk is the risk that the engagement team's procedures will not detect a material misstatementthat exists in an assertion. A component of detection risk is Analytical Risk which is the risk that analytical procedures, used as substantive procedures, will fail to detect a material misstatement. Analytical risk is covered in detail in Section 14.7 of the Manual.

Whether the risk assessment is quantified or not, the engagement team has to assess how the estimation of the levels of risk affects the testing to be carried out:

• .A low inherent risk assessment will mean that less assurance needs to be gained from detailed audit tests than a high risk assessment.
• .Low control risk will mean more emphasis can be placed on tests of control, and substantive tests of detail would be of less importance.
• .Low analytical risk will mean more emphasis can be put on analytical review as substantive procedures, and detailed substantive tests of detail would be of less importance.
• .The higher the inherent risk, the higher level the level of assurance that is required for the test of control and from substantive procedures (including analytical procedures used as substantive procedures) and therefore the higher the sample size required.

The inverse relationship between inherent risk on the one hand and control and detection risks (including analytical risk as a component of detection risk) on the other, in order to achieve an acceptably low level of audit risk, is shown in below.

In the conduct of an audit in accordance with ISA's and to obtain sufficient and reliable audit evidence to enable the engagement team draw reasonable conclusions on which to base the audit opinion, the engagement team undertakes the following steps:

1. **(a)**Risk assessment procedures: These are used to obtain an understanding of the entity and its environment, including its internal control, to assess the risks of material misstatement at the financial statement and assertion levels. This includes the use of analytical procedures as risk assessment procedures at the planning stage. At the end of this stage the engagement team assesses the audit risk and develops audit procedures in response to the risk including the nature, extent and timing the of audit tests. These procedures are covered in detail in this section.
2. **(b)**Tests of controls: Based on the above and on the engagement team's assessment of internal control, the team may, together with substantive procedures, test the operating effectiveness of controls in preventing or detecting and correcting, material misstatements at the assertion level. These procedures are covered in detail in this section.
3. **(c)**Substantive procedures: The engagement team then plans the level of assurance that the team requires from substantive testing including the use of substantive analytical procedures. Substantive procedures are used to detect material misstatements at the assertion level and include tests of details of classes of transactions, account balances and disclosures. The extensive use of substantive procedures is commonly known as the substantive approach, while the approach to use the test of controls as well as substantive procedures in known as the combined approach. Substantive procedures are covered in Section 15 of the Manual, while analytical procedures are covered in Section 14 of the Manual.
4. **(d)**Audit evidence, completion and reporting: The engagement team obtains sufficient appropriate audit evidence to be able to draw reasonable conclusions on which to base the audit opinion. This includes the use of analytical review to ensure that the financial statements, taken as a whole, are consistent with the engagement team's understanding of the entity. Audit evidence, analytical review, completion and the audit report are covered in Sections 12, 14, 24 and 25 of the Manual respectively.

7.3 Risk Assessment Procedures at the Planning Stage

ISA 315 requires the engagement team to identify and assess the risk of misstatement at the financial statement level, and at the assertion level for classes of transactions, account balances, and disclosures. Obtaining an understanding of the entity and its environment establishes a frame of reference within which the engagement team plans the audit and exercises professional judgement about assessing risks of material misstatement and responding to those risks throughout the audit. The engagement team is also required to assess the risks of material misstatement due to fraud. This is covered in Section 8 of the Manual. The engagement team at the planning stage should summarise the key risks attaching to the entity and factors that may minimise or eliminate those risks.

The engagement team usually obtains an understanding of the entity and its environment, including internal control through:

• .Information obtained while performing the client acceptance and continuation procedures.
• .Inquiries of management and others within the entity including employees, internal audit and those charged with governance;
• .Analytical procedures;
• .Observation of the entity's activities and operations including visits to premises and plant facilities;
• .Inspection of documents such as business plans, internal control manuals, management and board and management minutes, management reports and interim financial statements;
• .Tracing transactions through the information systems relevant to financial reporting; and
• .External sources e.g. bank or rating agency reports, legal counsel, valuation experts, trade journals and regulatory and financial publications.

The table below summarises the type of information that could be obtained from inquiry:

Level of Inquiry	Type of Information That Could Be Obtained
Governance	Understanding of the environment in which the financial statements are prepared.
Management (usually the main source of information)	Assessment of the control environment. The entity's performance including an overall understanding of the entity and its internal control.
Internal audit	Design and effectiveness of internal control. Whether management has responded satisfactorily to finding from the internal audit function.
Employees	From those involved in initiating, processing or recording complex or unusual transactions: Evaluation of the appropriateness of the selection and application of certain accounting policies. Marketing or sales personnel: Changes in marketing strategies, sales trends and contractual arrangements with customers.
Legal counsel (both in-house and external)	Litigation. Compliance with laws and regulations. Knowledge of fraud or suspected fraud. Warranties and post-sales obligations. Arrangements with business partners including special arrangements, joint ventures, shareholders' agreements and any special commitments to buy or sell.

Information Obtained in Prior Periods

Where the engagement team intends to use information obtained in prior periods, the team should determine whether changes have occurred that may affect the relevance of such information in the current audit e.g. changes in the entity or its environment may render such information irrelevant. They should also make inquiry or perform other audit procedures such as walk through tests to determine whether changes have occurred that may affect the relevance of such information.

Discussions Amongst the Engagement Team

The engagement team should discuss the susceptibility of the entity's financial statements to material misstatement to gain a better understanding of the potential misstatements arising form fraud or error in the specific area assigned to them, and to understand how the results of the audit procedures they perform may affect other aspects of the audit including the decisions about the nature, timing and extent of further audit procedures.

Ordinarily only the key members of the engagement team are involved in the discussion. In certain cases it may be necessary to involve experts including professionals possessing specialist information technology or other skills required by the engagement team. The extent of the discussion is influenced by the roles, experience and the information needs of the engagement team. In case of very small partner led audits, such discussions may not be necessary, as the partner will usually lead the team on the field.

Understanding the Entity and its Environment, Including its Internal Controls

The engagement team should obtain an understanding of the following:

• . Relevant industry, regulatory, and other external factors, including the applicable financial reporting framework: The industry in which the entity operates gives rise to specific risks of material misstatement arising from the nature of the industry or the degree of regulation e.g. long term contracts may involve significant estimates of revenues and costs.
• . Nature of the entity, including the entity's selection and application of accounting policies: This enables the engagement team to understand the classes of transactions, account balances and disclosures expected in the financial statements, including the impact of significant and unusual transactions.
• . Objectives and strategies, and the related business risks that may result in material misstatement of the financial statements: In response to the industry, regulatory requirements and other internal and external factors, the management and those charged with governance define objectives, which are the overall plans for the entity, and the strategies, which are the operational approaches, by which the management intends to achieve its objectives. Business risks result from significant conditions, events, circumstances and actions or inactions that could adversely affect the entity's ability to achieve its objectives and execute its strategies. The engagement team needs to identify the business risks associated with the business as this increases the likelihood of identifying risks of material misstatements. In case of smaller entities, where plans and the risk management process may not usually be documented, the understanding is normally obtained through inquiries of management and observations of how the entity responds to such matters.
• . Measurement and review of the entity's financial performance: This understanding enables the engagement team to consider whether financial performance pressures can increase the chance of material misstatements.
• . Internal controls: The engagement team uses the understanding of internal controls to identify types of potential misstatements, consider factors that affect the risks of material misstatement, and design the nature, timing and extent of further audit procedures. The procedures to be used in obtaining an understanding of internal control are discussed in Section 7.4 below.

Appendix II: Factors to Consider in Understanding the Entity and its Environment , provides overall guidance on matters that the one may consider in understanding the nature of the entity, the industry and the regulatory environment in which the entity operates, the objectives and strategies and related business risks of the entity, and the measurement and review of the entity's financial performance.

Appendix III: Condition and Events that may Indicate Risk of Material Misstatement, provides guidance on potential indicators of material risk.

Assessing the Risk of Material Misstatement

The engagement team uses information gathered by performing risk assessment procedures, including the audit evidence obtained in evaluating the design of controls and determining whether they have been implemented, as audit evidence to support the risk assessment. The team uses the risk assessment to determine the nature, timing, and extent of further audit procedures to be performed.

In making risk assessments, the engagement team may identify the controls that are likely to prevent, or detect and correct, material misstatement in specific assertions. Generally, the team gains an understanding of controls and relates them to assertions in the context of processes and systems in which they exist. Doing so is useful because individual control activities often do not in themselves address a risk. Often only multiple control activities, together with other elements of internal control, will be sufficient to address a risk.

Significant Risks

As part of the risk assessment, the engagement team should determine which of the risks identified require special audit consideration. Such risks are defined as "significant risks". The determination of significant risks, which arise on most audits, is a matter for the engagement team's professional judgement. Significant risks often relate to non-routine transactions and judgemental matters. Non-routine transactions are transactions that are unusual, either due to their size or nature, and therefore occur infrequently. In exercising this judgement, the engagement team excludes the effect of identified controls related to the risk to determine whether the nature of the risk, the likely magnitude of the potential misstatement including the possibility that the risk may give rise to multiple misstatements, and the likelihood of the risk occurring are such that they require special audit consideration. Routine, non-complex transactions that are subject to systematic processing are less likely to give rise to significant risks because they have lower inherent risks. On the other hand, significant risks are often derived from business risks that may result in a material misstatement. In considering the nature of the risks, the engagement team considers a number of matters, including the following:

• .Whether the risk is a risk of fraud.
• .Whether the risk is related to recent significant economic, accounting or other developments and, therefore, requires specific attention.
• .The complexity of transactions.
• .Whether the risk involves significant transactions with related parties.
• .The degree of subjectivity in the measurement of financial information related to the risk especially those involving a wide range of measurement uncertainty.
• .Whether the risk involves significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual.

For significant risks, the engagement team should evaluate the design of the entity's related controls, including relevant control activities, and determine whether they have been implemented. An understanding of the entity's controls related to significant risks is required to provide the team with adequate information to develop an effective audit approach. Management ought to be aware of significant risks; however, risks relating to significant non-routine or judgemental matters are often less likely to be subject to routine controls. Therefore, the team understands whether the entity has designed and implemented controls for such significant risks.

Revision of Risk Assessment

The engagement team's assessment of the risks of material misstatement may change during the course of the audit as additional audit evidence is obtained. In particular, the risk assessment may be based on an expectation that controls are operating effectively. In performing tests of controls to obtain audit evidence about their operating effectiveness, the team may obtain audit evidence that controls are not operating effectively at relevant times during the audit. Similarly, in performing substantive procedures the team may detect misstatements in amounts or frequency greater than is consistent with their risk assessments. In circumstances where the engagement team obtains audit evidence from performing further audit procedures that tends to contradict the audit evidence on which the team originally based the assessment, the team should revise the assessment and modify the further planned audit procedures accordingly.

7.4 Internal Control

Internal control is the process designed and effected by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of the entity's objectives with regard to reliability, of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations. Internal control consists of the following components:

1. The control environment;
2. The entity's risk assessment process;
3. The information systems, including the related business processes, relevant to financial reporting, and communication;
4. Control activities; and
5. Monitoring of controls.

The division of internal control into five components provides a useful framework for the engagement team to consider how different aspects of the entity's internal control may affect the audit. The engagement team's primary concern is whether, and how, a specific control prevents, or detects and corrects material misstatements in classes of transactions, account balances, or disclosures, and their related assertions. It also enables an engagement team to:

• .Determine whether it is likely to produce a reliable system of accounting.
• .Consider management's ability to make the necessary judgements and estimates.
• .Assess whether the entity has fulfilled the legal requirement to keep proper accounting records.
• .Identify the incentives and opportunities for misrepresentation or distortion by management.
• .Assess whether management has sufficient reliable information for the effective control of the business.
• .Identify the key indicators and controls.

Appendix IV: Internal Control Components sets out detailed discussions of the internal control components as they relate to an audit of the financial statements.

7.4.1 Controls Relevant to an Audit

The entity's controls relate to financial reporting, operations and compliance controls. However, not all the controls are relevant to the engagement team's risk assessment. ISA 315 requires the team to evaluate, for significant risks, the design of the entity's related controls including relevant control activities, and determine whether they have been implemented. The engagement team should consider whether the control, individually or in combination with other controls, is capable of effectively preventing, or detecting and correcting, material misstatement. It also requires the engagement team to identify areas where controls cannot possibly or practicably reduce the risks of material misstatements at the assertion level to an acceptably low level, with the engagement team having to rely on substantive procedures to obtain the necessary audit evidence.

Usually the controls relevant to an audit are those relating to the entity's objective of preparing financial statements for external purposes that give a true and fair view in accordance with the applicable financial reporting framework and the management of risk that may give rise to a material misstatement.

Of great importance will be boundary controls , which are controls designed to ensure that all exchanges with third parties are properly recorded, and provide assurance on the completeness and accuracy of the initial recording of transactions and guard against the possibility that transactions are not recorded at all or are duplicated. The controls over completeness and accuracy of information may be relevant if the engagement team intends to make use of the information in designing and performing further audit procedures, while controls over safeguarding of assets against unauthorised acquisition, use or disposal may be relevant in relation to financial reporting.

Controls relating to operations and compliance may only be relevant if they pertain to the data the engagement team evaluates and uses in applying audit procedures. Examples of such controls could include statistical data of production, which the engagement team plans to use in analytical procedures, or controls designed to detect non-compliance with laws and regulations, including the tax legislation, which may have a material effect on the financial statements.

The following are some of the types of control the engagement team may need to evaluate:

Management controls

• .Management controls and reviews by independent persons are designed to detect errors. Examples include reviewing financial information, exception reports and reconciliations.
• .Management controls also include authorisation, which is the approving of all transactions by a responsible person. In smaller entities, each transaction may be individually authorised. In larger entities, the authorisation procedures may be more broadly based e.g. an approved budget within which the budget holder can authorise the expenditure, or an assistant authorising an order from customers within the authorised parameters of prices and quantities.

Safeguarding of assets

• .These controls are designed to ensure:
  • .Access to assets is limited to authorised personnel.
  • .Assets are safeguarded against the creation of documents that would authorise their use or disposal.
  • .Assets are safeguarded against theft.
• .Assets to be safeguarded include assets stated in the financial statements and information held on an IT system. Computerised data should be safeguarded by allowing authorised users to gain access only for the purpose of fulfilling their duties e.g. by a system of passwords and / or restriction of physical access. Computer controls should always include safeguards against catastrophe.

Segregation

• .The key aim of segregation of duties is that no one person should be in a position to control all stages of the processing of a transaction which include:
  • .Initiating transactions;
  • .Recording transactions;
  • .Handling cash receipts and payments; and
  • .Custody of assets.

Application controls

• .These are specific controls in automated or manual procedures that are preventive or detective in nature and are designed to ensure the integrity of the accounting records that all transactions are completely and accurately recorded. Such control are designed to:

  • .Ensure invalid items are rejected in processing, or
  • .Transferred to suspense files, or
  • .Reported to the user by means of an exception report.

• .When evaluating application controls, the engagement team should examine the procedures for resubmitting or otherwise dealing with rejected items and for preventing duplicate recording.

• .Application controls can be grouped under the following headings:

  • .Completeness controls.
  • .Accuracy controls.
  • .Maintenance controls.
  • Completeness controls

• .Completeness controls are designed to ensure all transactions are recorded. These are normally based on establishing an open item within the accounting system which cannot be cleared until all aspects of the transaction have been completed. For example, in a sales and receivables cycle, this includes ensuring that the sale is recorded, the inventory is updated and the receivable account is updated simultaneously.

• .Another more general example is a numerical sequence test such as sequential sales invoice numbering. Completeness procedures must be comprehensive such as covering customer claims for credit notes and claims on suppliers for faulty goods.

  Accuracy controls

• .Accuracy controls are designed to ensure entries within the accounting records are accurate. The system should cover data input and subsequent processing such as checking calculations, additions and analysis. In an automated environment this check is often carried out in conjunction with programmed procedures.

Maintenance controls

• .Maintenance controls are controls designed to ensure that files can only be altered by transactions processed through properly controlled procedures. With such controls e.g. the maintenance of a ledger control account under user control, users should be aware of unauthorised amendment. Maintenance controls should also ensure that the correct copy of a computer file is used when restoring from a back-up file.

A review of application controls should start either with the transaction or the originating document. The identification of detailed controls will often not be straightforward.

General IT controls

• .General controls governing IT operations need to be examined, so as to form a view on the overall integrity and the programs.
• .General controls are the controls which relate to the environment within which computer-based accounting systems are developed, maintained and operated. These include:
  • .Controls over the reliability of processing information.
  • .Controls over the integrity of data input and output.
  • .Controls over the integrity of programs used.
  • .Controls over computer system development and implementation.

7.4.2 The Depth of Understanding

Obtaining an understanding of an entity's controls is not sufficient to serve as testing the operating effectiveness of controls, unless there is some automation that provides for the consistent application of the operation of the control. For example, obtaining audit evidence about the implementation of a manually operated control at a point in time does not provide audit evidence about the operating effectiveness of the control at other times during the period under audit. However, IT enables an entity to process large volumes of data consistently and enhances the entity's ability to monitor the performance of control activities and to achieve effective segregation of duties by implementing security controls in applications, databases, and operating systems. Therefore, because of the inherent consistency of IT processing, performing audit procedures to determine whether an automated control has been implemented may serve as a test of that control's operating effectiveness, depending on the engagement team's assessment and testing of controls such as those over program changes.

7.4.3 Manual Verses Automated Controls

The extent and nature of the risks of internal control vary depending on the nature and characteristics of the entity's information system. Therefore in understanding internal control, the engagement team considers whether the entity has responded adequately to the risks arising from the use of IT or manual systems by establishing effective controls. An entity may use a combination of manual or automated controls. The use of manual or automated elements in internal control affects the manner in which transactions are initiated, recorded, processed, and reported.

Controls in a manual system may include such procedures as approvals and reviews of activities, and reconciliations and follow-up of reconciling items.

Automated procedures to initiate, record, process, and report transactions make use of electronic format which replace such paper documents as purchase orders, invoices, shipping documents, and related accounting records.

Controls in IT systems consist of a combination of automated controls i.e. those controls embedded in computer programs) and manual controls. Further, manual controls may be independent of IT, may use information produced by IT, or may be limited to monitoring the effective functioning of IT and of automated controls, and to handling exceptions. When IT is used to initiate, record, process or report transactions, or other financial data for inclusion in financial statements, the systems and programs may include controls related to the corresponding assertions for material accounts or may be critical to the effective functioning of manual controls that depend on IT. An entity's mix of manual and automated controls varies with the nature and complexity of the entity's use of IT.

Automated controls provide potential benefits of effectiveness and efficiency for an entity's internal control because it enables an entity to:

• .Consistently apply predefined business rules and perform complex calculations in processing large volumes of transactions or data;
• .Enhance the timeliness, availability, and accuracy of information;
• .Facilitate the additional analysis of information;
• .Enhance the ability to monitor the performance of the entity's activities and its policies and procedures; Reduce the risk that controls will be circumvented; and
• .Enhance the ability to achieve effective segregation of duties by implementing security controls in applications, databases, and operating systems.

Automated controls however pose specific risks to an entity's internal control, which including the following:

• .Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both.
• .Unauthorised access to data that may result in destruction of data or improper changes to data, including the recording of unauthorised or non-existent transactions, or inaccurate recording of transactions. Particular risks may arise where multiple users access a common database.
• .The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties thereby breaking down segregation of duties.
• .Unauthorised changes to data in master files.
• .Unauthorised changes to systems or programs.
• .Failure to make necessary changes to systems or programs.
• .Inappropriate manual intervention.
• .Potential loss of data or inability to access data as required.

Manual controls are performed by people, and therefore pose specific risks to the entity's internal control. Manual controls may be less reliable than automated controls because they can be more easily bypassed, ignored, or overridden and they are also more prone to simple errors and mistakes. Consistency of application of a manual control element cannot therefore be assumed.

Manual aspects of systems may be more suitable where judgement and discretion are required such as for the following circumstances:

• .Large, unusual or non-recurring transactions.
• .Circumstances where errors are difficult to define, anticipate or predict.
• .In changing circumstances that require a control response outside the scope of an existing automated control.
• .In monitoring the effectiveness of automated controls.

Manual controls may be less suitable for the following:

• .High volume or recurring transactions, or in situations where errors that can be anticipated or predicted can be prevented or detected by control parameters that are automated.
• .Control activities where the specific ways to perform the control can be adequately designed and automated.

7.4.4 Limitations of Internal Control

Internal control, no matter how well designed and operated, can provide an entity with only reasonable assurance about achieving the entity's financial reporting objectives. The likelihood of achievement is affected by limitations inherent to internal control due to human failures, simple errors or mistakes. Additionally, controls can be circumvented by the collusion of two or more people or inappropriate management override of internal control.

Small entities often have fewer employees which may limit the extent to which segregation of duties is practicable. However, for key areas, even in a very small entity, it can be practicable to implement some degree of segregation of duties or other form of unsophisticated but effective controls. The potential for override of controls by the owner-manager depends to a great extent on the control environment and in particular, the owner-manager's attitudes about the importance of internal control.

7.4.5 Control Environment

ISA 315 requires the engagement team to obtain an understanding of the control environment. The control environment includes the governance and management functions and the attitudes, awareness, and actions of those charged with governance and management concerning the entity's internal control and its importance in the entity.

The control environment is the foundation for effective internal control, providing discipline and structure by setting the tone at the top influencing the control consciousness of the entity's personnel. The engagement team is required to understand how management and those charged with governance have created and maintained a culture of honesty and ethical behaviour, and established appropriate controls to prevent and detect fraud within the entity. Appendix IV Part A sets out the elements that should be incorporated in the entity's control environment. The engagement team also considers matters such as the independence of the directors and their ability to evaluate the actions of management. The engagement team also considers whether there is an audit committee which understands the entity's business transactions and evaluates whether the financial statements give a true and fair view.

The control environment in itself does not prevent, or detect and correct, a material misstatement in classes of transaction, account balances, and disclosures and related assertions and the engagement team should consider the control environment along with the effects of other internal control components when assessing the risk of material misstatement.

7.4.6 The Entity's Risk Assessment Process

ISA 315 requires the engagement team to obtain an understanding of the entity's process for identifying the business risks relevant to financial reporting objectives, and deciding about actions to address those risks and the results thereof. In evaluating the design and implementation of the entity's risk assessment process, the engagement team determines how management identifies the business risks relevant to financial reporting, estimates the significance of the risks, assesses the likelihood of their occurrence and decides upon action to manage them. Appendix IV Part B provides additional guidance on what the engagement team should consider in evaluating the entity's risk assessment procedures.

7.4.7 Information System, Including the Related Business Processes, Relevant to Financial Reporting, and Communication

The information system relevant to financial objectives, which includes the accounting system, consists of the procedures and records established to initiate, record, process, and report entity transactions and to maintain accountability for the related assets, liabilities, and equity.

ISA 315 requires the engagement team to obtain an understanding of the information system, including the related processes, relevant to financial reporting, including the following areas:

• .The classes of transactions in the entity's operations that are significant to the financial statements.
• .The procedures, within both IT and manual systems, by which those transactions are initiated, recorded, processed and reported in the financial statements.
• .The related accounting records, whether electronic or manual, supporting information, and specific accounts in the financial statements, in respect of initiating, recording, processing and reporting transactions.
• .How the information system captures events and conditions, other than classes of transactions that are significant to the financial statements.
• .The financial reporting process used to prepare the entity's financial statements, including significant accounting estimates and disclosures.

The engagement team should also understand how the entity communicates financial reporting roles and responsibilities and significant matters relating to financial reporting

Information transfer

In obtaining this understanding, the engagement team considers the procedures used to transfer information from transaction processing systems to general ledger or financial reporting systems. The engagement team also understands the entity's procedures to capture information relevant to financial reporting for events and conditions other than transactions, such as the depreciation and amortisation of assets and changes in the recoverability of accounts receivables. When IT is used to transfer information automatically, there may be little or no visible evidence of such intervention in the information systems.

Processing of transactions

The engagement team also understands how incorrect processing of transactions is resolved e.g. whether there is an automated suspense file and how it is used by the entity to ensure that suspense items are cleared out on a timely basis, and how system overrides or bypasses to controls are processed and accounted for. The engagement team also obtains an understanding of the entity's information system relevant to financial reporting in a manner that is appropriate to the entity's circumstances. This includes an understanding of how transactions originate within the entity's business processes.

An entity's business processes are the activities designed to develop, purchase, produce, sell and distribute an entity's products and services, ensuring compliance with laws and regulations; and record information, including accounting and financial reporting information.

Journal entries

An entity's information system typically includes the use of standard journal entries that are required on a recurring basis to record transactions such as sales, purchases, and cash disbursements in the general ledger, or to record accounting estimates that are periodically made by management, such as changes in the estimate of uncollectible accounts receivable.

An entity's financial reporting process also includes the use of non-standard journal entries to record non-recurring, unusual transactions or adjustments e.g. such entries include consolidating adjustments and entries for a business combination or disposal or non-recurring estimates such as an asset impairment. In manual, paper-based general ledger systems, non-standard journal entries may be identified through inspection of ledgers, journals, and supporting documentation. However, when automated procedures are used to maintain the general ledger and prepare financial statements, such entries may exist only in electronic form and may be more easily identified through the use of computer-assisted audit techniques.

In obtaining the understanding of the journal entries, the engagement team considers risks of material misstatement associated with inappropriate override of controls over journal entries and the controls surrounding non-standard journal entries. For example, automated processes and controls may reduce the risk of inadvertent error but do not overcome the risk that individuals may inappropriately override such automated processes, for example, by changing the amounts being automatically passed to the general ledger or financial reporting system.

Appendix IV Part C provides additional consideration in an IT environment.

7.4.8 Control Activities

ISA 315 requires the engagement team to obtain a sufficient understanding of control activates to assess the risks of material misstatements at the assertion level and to design audit procedures to assessed risk. Appendix IV Part D provides examples of specific control activities.

In obtaining an understanding of control activities, the engagement team's primary consideration is whether, and how, a specific control activity, individually or in combination with others, prevents, or detects and corrects, material misstatements in classes of transactions, account balances, or disclosures.

Control activities relevant to the audit are those for which the engagement team considers it necessary to obtain an understanding in order to assess risks of material misstatement at the assertion level and to design and perform further audit procedures responsive to the assessed risks. An audit does not require an understanding of all the control activities related to each significant class of transactions, account balance, and disclosure in the financial statements or to every assertion relevant to them. The engagement team's emphasis is on identifying and obtaining an understanding of control activities that address the areas where the engagement team considers that material misstatements are more likely to occur.

When multiple control activities achieve the same objective, it is unnecessary to obtain an understanding of each of the control activities related to such objective.

The engagement team should obtain an understanding of how the entity has responded to risks arising from IT. The use of IT affects the way that control activities are implemented. The engagement team considers whether the entity has responded adequately to the risks arising from IT by establishing effective general IT-controls and application controls. From the engagement team's perspective, controls over IT systems are effective when they maintain the integrity of information and the security of the data such systems process. General IT-controls are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. General IT-controls that maintain the integrity of information and security of data commonly include controls over the following:

• .Data centre and network operations.
• .System software acquisition, change and maintenance.
• .Access security.
• .Application system acquisition, development, and maintenance.

7.4.9 Monitoring of Controls

Monitoring of controls is a process to assess the effectiveness of internal control over time, and involves assessing the design and operations of controls on a timely basis and taking necessary corrective action modified for changes in conditions. ISA 315 requires the engagement team to obtain an understanding of the major types of activities that the entity uses to monitor internal control over financial reporting, including those related to those controls activities relevant to the audit, and how the entity initiates corrective actions to its controls.

Appendix IV Part E provides consideration that the engagement team may use in obtaining an understanding of how the entity monitors internal control.

7.5 Recording and Assessment of the Accounting and Information Systems

Entities which are subject to statute are usually required by their governing law to keep proper accounting records which reflect all the business transactions. Entities which are subject to taxes on profits need to keep accounting records sufficient to enable periodic financial statements to be prepared. Engagement teams of such entities are required to report to the members if, in their opinion, governing legislation has been complied with, and on whether proper accounting records have been kept. Part E - 04.03 of the Manual, provides a checklist on compliance with the Kenyan Companies Act.

The recording of the accounting system should identify the major transaction cycles, significant accounting records, the in-built controls and the financial reporting process.

An understanding of the accounting system, together with internal control in-built into the system, provides answers to the following questions:

• .Whether proper and reliable accounting records have been kept.
• .Whether there is a need to rely on management assurances.
• .Whether a recognisable control system is in operation.

Form 05.09 in Part E of the Manual provides a convenient way of summarising the reliance on the accounting and system of internal control. Appendix V: Guidance on Documenting the Accounting Systems provides guidance on documentation of the accounting systems.

Information Obtained in Prior Periods

Where the engagement team intends to use information obtained in prior periods, the engagement team should determine whether changes have occurred through inquiry and by carrying other audit procedures such as walk through tests and determine the relevance of such changes.

7.6 Inadequate Records or Systems

If the initial assessment indicates that the accounting records may be inadequate or the accounting systems may not be reliable, further audit assurance will be required from substantive procedures to support the audit opinion, e.g. if a business has no proper system for recording sales on a cash register, the record of cash sales is quite likely to be unreliable, unless there is alternative evidence, such as the aggregate selling value of goods purchased.

If the audit opinion has to be qualified on the basis of inadequacies in the accounting system and records, the qualification will need to be as specific as possible, giving details of where there are deficiencies. See section 25 of the manual on Auditor's Report.

ISA 315 requires that the engagement team should make those charged with governance or management aware, as soon as practicable, and at an appropriate level of responsibility, of material weaknesses in the design or implementation of internal controls which have come to the engagement team's attention. One of the avenues of communication is through a management letter. This is covered in detail in Section 27.5 of the Manual.

7.7 Engagement team's Response to Assessed Risk

ISA 330 requires that in order to reduce audit risk to an acceptably low level, the engagement team should determine the overall responses to assessed risks, including the risk of material misstatement due to fraud or error, at the financial statement level, and should design and perform further audit procedures whose nature, timing and extent are responsive to the assessed risk at the assertion level. In designing the audit approach, the engagement team should develop a clear linkage between the nature, timing and extent of further audit procedures and the risk assessment, taking onto consideration:

• .The significance of the risk.
• .The likelihood that a material misstatement will occur.
• .The characteristics of the class of transactions, account balance or disclosure involved.
• .The nature of the specific control used by the entity and in particular whether they are manual or automated.
• .Whether the engagement team expects to obtain audit evidence to determine if the entity's controls are effective in preventing or detecting and correcting material misstatements.

The nature, timing and extent of the audit procedures are a matter of the engagement team's professional judgement. In some cases, the engagement team may determine that only by performing tests of controls may the engagement team achieve an effective response to the assessed risk of material misstatement for a particular assertion. In other cases, the engagement team may determine that performing only substantive procedures is appropriate for specific assertions and, therefore, the engagement team excludes the effect of controls from the relevant risk assessment. This may be because the engagement team's risk assessment procedures have not identified any effective controls relevant to the assertion, or because testing the operating effectiveness of controls would be inefficient. However, the engagement team needs to be satisfied that performing only substantive procedures for the relevant assertion would be effective in reducing the risk of material misstatement to an acceptably low level. Often the engagement team may determine that a combined approach using both tests of the operating effectiveness of controls and substantive procedures is an effective approach. Irrespective of the approach selected the engagement team designs and performs substantive procedures for each material class of transactions, account balance and disclosure.

In the case of very small entities, there may not be many control activities that could be identified by the engagement team, the engagement team's further audit procedures are likely to be primarily substantive procedures. In such cases, the engagement team also considers whether in the absence of controls it is possible to obtain sufficient appropriate audit evidence.

Nature

The nature of further audit procedures refers to their purpose (tests of controls or substantive procedures) and their type, that is, inspection, observation, inquiry, confirmation, recalculation, re-performance, or analytical procedures. Certain audit procedures may be more appropriate for some assertions than others. The following are some examples of the audit procedures the engagement team may adopt in response to the assessed risk.

• .In relation to revenue, tests of controls may be most responsive to the assessed risk of misstatement of the completeness assertion, whereas substantive procedures may be most responsive to the assessed risk of misstatement of the occurrence assertion.
• .If the engagement team considers that there is a lower risk that a material misstatement may occur because of the particular characteristics of a class of transactions without consideration of the related controls, the engagement team may determine that substantive analytical procedures alone may provide sufficient appropriate audit evidence.
• .If the engagement team expects that there is a lower risk that a material misstatement may arise because an entity has effective controls and the engagement team intends to design substantive procedures based on the effective operation of those controls, then the engagement team performs tests of controls to obtain audit evidence about their operating effectiveness. This may be the case, for example, for a class of transactions of reasonably uniform, non-complex characteristics that are routinely processed and controlled by the entity's information system.
• .If the engagement team uses non-financial information or budget data produced by the entity's information system in performing audit procedures, such as substantive analytical procedures or tests of controls, the engagement team obtains audit evidence about the accuracy and completeness of such information.

Timing

Timing refers to when audit procedures are performed or the period or date to which the audit evidence applies. The engagement team may perform tests of controls or substantive procedures at an interim date or at period end. The higher the risk of material misstatement, the more likely it is that the engagement team may decide it is more effective to perform substantive procedures nearer to, or at, the period end rather than at an earlier date, or to perform audit procedures unannounced or at unpredictable times.

Performing audit procedures before the period end may assist the engagement team in identifying significant matters at an early stage of the audit, and consequently resolving them with the assistance of management or developing an effective audit approach to address such matters. If the engagement team performs tests of controls or substantive procedures prior to period end, the engagement team should consider the additional evidence required for the remaining period.

In considering when to perform audit procedures, the engagement team also considers such matters as:

• .The control environment.
• .When relevant information is available (for example, electronic files may subsequently be overwritten, or procedures to be observed may occur only at certain times).
• .The nature of the risk (for example, if there is a risk of inflated revenues to meet earnings expectations by subsequent creation of false sales agreements, the engagement team may wish to examine contracts available on the date of the period end).
• .The period or date to which the audit evidence relates.

Extent

Extent includes the quantity of a specific audit procedure to be performed, for example, a sample size or the number of observations of a control activity. The extent of an audit procedure is determined by the judgement of the engagement team after considering the materiality, the assessed risk, and the degree of assurance the engagement team plans to obtain. In particular, the engagement team ordinarily increases the extent of audit procedures as the risk of material misstatement increases. However, increasing the extent of an audit procedure is effective only if the audit procedure itself is relevant to the specific risk; therefore, the nature of the audit procedure is the most important consideration. The use of computer-assisted audit techniques (CAATs) may enable more extensive testing of electronic transactions and account files.

Valid conclusions may ordinarily be drawn using sampling approaches (This is covered in Section 16 of the manual). However, if the quantity of selections made from a population is too small, the sampling approach selected may not be appropriate to achieve the specific audit objective, or if exceptions are not appropriately followed up, there will be an unacceptable risk that the engagement team's conclusion based on a sample may be different from the conclusion reached if the entire population was subjected to the same audit procedure.

7.8 Tests of Controls

ISA 330 requires the engagement team to perform tests of controls when the engagement team's risk assessment includes an expectation of the operating effectiveness of controls or when substantive procedures alone do not provide sufficient appropriate audit evidence at the assertion level. The engagement team is required to obtain sufficient and reliable audit evidence that the controls were operating effectively at all relevant times during the audit. Testing the operating effectiveness of controls is performed only on those controls that the engagement team has determined are suitably designed to prevent, or detect and correct, a material misstatement in an assertion. In making the decision, the engagement team considers the following factors:

• .Key controls.
• .The degree of reliance required.
• .Which controls address similar assertions to substantive procedures.
• .How easily controls can be tested.
• .The evidence gained from previous years and the impact of any changes.
• .The IT environment.
• .Cost effectiveness and staff requirements.
• .Any specific legal or regulatory requirements.

In practice, most small and medium sized entities will not have any reliable system of internal control and therefore the engagement team may have to obtain audit evidence primarily from substantive procedures. Even where apparently reliable systems do exist, it will often not be cost effective for the engagement team to carry out tests on internal control, in the small to medium sized entities.

Where the engagement team has determined that it is not possible or practicable to reduce the risks of material misstatement at the assertion level to an acceptably low level with audit evidence obtained only from substantive procedures, the engagement team should perform tests of relevant controls to obtain audit evidence about their operating effectiveness. This may be the case where the engagement team finds it impossible to design effective substantive procedures that by themselves provide sufficient appropriate audit evidence at the assertion level e.g. where an entity conducts its business using IT and no documentation of transactions is produced or maintained, other than through the IT system.

Testing the operating effectiveness of controls is different from obtaining audit evidence that controls have been implemented. When obtaining audit evidence of implementation by performing risk assessment procedures, the engagement team determines that the relevant controls exist and that the entity is using them. When performing tests of the operating effectiveness of controls, the engagement team obtains audit evidence that controls operate effectively. This includes obtaining audit evidence about how controls were applied at relevant times during the period under audit, the consistency with which they were applied, and by whom or by what means they were applied. If substantially different controls were used at different times during the period under audit, the engagement team considers each separately. The engagement team may determine that testing the operating effectiveness of controls at the same time as evaluating their design and obtaining audit evidence of their implementation is efficient.

Framework for Assessing Controls

Test of Controls

Tests of control can be grouped under the following headings:

• .Tests by observation.
• .Tests by enquiry.
• .Tests involving inspection of documentary evidence.
• .Tests by re-performance.

These are covered in Section 12.4 of the manual. Those controls subject to testing by enquiry combined with inspection or re-performance provide more assurance that those subject solely to enquiry and observation. When examining programmed procedures in an IT environment, the following factors should be considered:

• .The reliability of general controls over program integrity.
• .The duration that the program has been in use (one-off or new programs should always be subject to a higher level of test).
• .Whether the size of transactions has gone beyond that expected when the program was originally designed.
• .The effect on the financial statements of an error in the programmed procedures.

Nature of Tests of Controls

The engagement team selects audit procedures to obtain assurance about the operating effectiveness of controls. In circumstances where it is not possible or practicable to obtain sufficient appropriate audit evidence only from substantive procedures or where the engagement team adopts an approach primarily consisting of test of controls, the engagement team ordinarily performs tests of controls to obtain a higher level of assurance about their operating effectiveness.

In testing the operating effectiveness of controls, the engagement team performs other audit procedures in combination with inquiry, since inquiry alone may not provide sufficient evidence. Those controls subject to testing by performing inquiry combined with inspection or re-performance ordinarily provide more assurance than those controls for which the audit evidence consists solely of inquiry and observation.

The absence of misstatements detected by a substantive procedure does not provide audit evidence that controls related to the assertion being tested are effective. However, misstatements detected by the engagement team when performing substantive procedures, is indicative of the existence of a material weakness in internal control.

Timing of Tests of Control

The timing of tests of controls depends on the engagement team's objectives and determines the period of reliance on those controls. If the engagement team tests controls at a particular time, the engagement team obtains audit evidence that the controls operated effectively at that time. If the engagement team wants to obtain the evidence of the effectiveness of the operations of controls throughout the period, then the engagement team should obtain evidence of their effectiveness by testing them at appropriate interval during the period.

Where the engagement team obtains evidence about the operating effectiveness of controls during an interim period, the engagement team should determine what additional audit evidence should be obtained for the remaining period taking into account any changes in the information systems, processes and personnel. In making this determination, the engagement team considers the:

• .Significance of assessed risk of material misstatement at the assertion level;
• .Specific controls that were tested during the interim period;
• .Degree to which audit evidence about the operating effectiveness of those controls was obtained; and
• .Length of the remaining period;
• .Control environment; and
• .Extent to which the engagement team intends to perform further substantive tests based on the reliance of controls.

Where the engagement team plans to rely on the operating effectiveness of controls obtained in the prior year, the engagement team should ascertain whether changes in those specific controls have taken place subsequently. However, in such cases the engagement team should test the operating effectiveness of controls at least once in every three audits. The required audit evidence is obtained by performing inquiry combined with observation or inspection. Where controls have changed, the engagement team should obtain audit evidence by testing the operating effectiveness of the controls.

Extent of Tests of Controls

As a general rule, the more the engagement team plans to rely on the operating effectiveness of controls, the greater the extent of the engagement team's test of controls. In considering the extent of tests, the engagement team considers the:

• .Frequency of the performance of the control by the entity during the period.
• .Length of time during the audit period that the engagement team is relying on the operating effectiveness of the controls.
• .Relevance and reliability of the audit evidence to be obtained in supporting that the control prevents, or detects and corrects material misstatements at the assertion levels.
• .Extent to which audit evidence is obtained from tests of other controls related to the assertion.
• .Extent to which the engagement team plans to rely on the operating effectiveness of the control in the assessment of audit risk.
• .Expected deviation from the control.

The higher the level of inherent and analytical risk, the greater assurance tests of control need to give, if they are to be worthwhile. The following is a guide to the minimum number of items to test a sample of transaction control, but levels may need to vary according to the particular circumstances. The sample selected should be chosen from the whole of the accounting period.

INHERENT	ANALYTICAL	KEY CONTROLS
High	High	25 - 35
High	Medium	20 - 30
High	Low	15 - 25
Medium	High	20 - 30
Medium	Medium	15 - 25
Medium	Low	10 - 20
Low	High	15 - 25
Low	Medium	10 - 20
Low	Low	8 - 10

A control is considered effective only if no exceptions are noted from the sample selected. If one to three exceptions are noted, a new sample is selected and tested. If one exception is noted in the second sample, the control is concluded not to be operating satisfactorily. If more than four exceptions are noted in the initial sample selected, the control is also concluded not to be operating satisfactorily.

Drawing Conclusions

If audit tests disclose no exceptions, reliance can be placed on the controls that have been tested. If audit tests reveal that the control was not operating properly, the reasons for not operating and the impact must be ascertained. Was the exception an isolated departure, or was it representative of other problems? If it is believed to be an isolated departure, the validity of the explanation should be confirmed by carrying out further tests. If these further tests fail, the control cannot be relied on and substantive tests may not be restricted unless alternative controls, that give sufficient comfort, can be identified.

On completion of the tests relating to each key question, a conclusion should be drawn on whether the controls are reliable. The reliability of controls relating to each key question should be taken, together with any relevant overall controls, for the purpose of assessing whether control risk is high, medium or low in relation to substantive tests linked with that key question. If the controls are working, control risk will be low, and hence the amount of substantive testing can be limited. Before the conclusion of the audit, based on the results of substantive procedures and other audit evidence obtained by the engagement team, the engagement team should consider whether the assessment of control risk is confirmed.

7.9 Substantive Procedures

The substantive procedures, other than Analytical Procedures are covered in Section 15 of the manual. Analytical Procedures are covered in Section 14.

7.10 Audit Considerations Relating to Entities Using Service Organisations

ISA 402 requires the engagement team to consider how a service organisation affects the entity's accounting and internal control systems, so as to plan the audit and develop an effective audit approach accordingly. The entity may use a service organisation to process its accounting data, and certain records, procedures and policies maintained by the organisation, may be relevant to the audit. If the services provided are limited to recording and processing data and the entity retains authorisation and maintenance of accountability, the entity could implement effective control procedures.

If the service organisation maintains accountability, the entity may rely on control procedures in place at the service organisation. The engagement team therefore needs to assess the significance of the service organisation's activities and its relevance to the audit, for example, by assessing the services provided, the terms of reference, the controls exercised over processing and the extent to which the client's systems interact with those at the services organisation. The engagement team may conclude that the risk attaching to this area is low and does not present any audit problem.

If the services provided are significant to the entity and relevant to the audit, the engagement team needs to obtain sufficient information to understand the systems at the service organisation, to properly assess the control risk involved. The team may ask the service organisation's engagement teams for assistance, for example, requesting a report on the operating effectiveness of the organisation's accounting and internal control systems for processing data relevant to the audit. The engagement team will have to consider the nature and content of any such report and make enquiries as to the professional competence of the service organisation's engagement team, before deciding whether to rely on it.

If the engagement team uses a report from the engagement team of a service organisation, no reference should be made to that report in the auditor's report.

APPENDIX I: NT RISK CONSIDERATIONS

Factors that normally indicate a high inherent risk:

1. Overall business factors

• .Going concern difficulties will mean that inherent risk for most audit areas will be high.

• .Certain factors connected with management can also mean inherent risk is assessed as high. These include:

• .A single individual dominating the board.

• .The finance function being headed by a non-financial person.

• .The board and management remuneration is influenced heavily by the results of the entity.

• .Information that creates doubt about management integrity.

2. Individual audit areas

• .The following factors are likely to imply that the assessment of inherent risk is high:

• .Any problems encountered in the previous audits, especially cut-off errors and fraud.

• .Complex areas which require the use of complex accounting techniques e.g. warranty provisions.

• .Balances derived from estimates.

• .Recent changes in accounting and control systems.

• .Recent changes in key personnel.

• .Assets easily susceptible to theft.

• .Alternatively, the existence of the following factors is likely to imply that the assessment of inherent risk is low:

• .A stable business environment.

• .Capable, long-serving staff.

• .Balances and transactions that can easily be accounted for.

• .No previous history of errors.

Inherent Risk - Factors Affecting the Business as a Whole

1. General business environment

• .Nature of the business.

• .The effect of the general economic climate/ the economic climate within the industrial sector in which the entity operates.

• .Changes in technology.

• .Whether there are an abnormal number of business failures in the sector.

• .Market stability (demand and prices) and patterns, or seasonal trends including:

• .The likelihood of adverse developments in the sector.

• .The risks associated with the entity's method of production or the provision of service.

• .Whether the entity takes account of changes in the economic climate and legal and regulatory environment.

• .The entity's relationships with regulatory authorities.

2. Position in the industry

• .Significant competitors and the entity's position in the market.
• .Key competitive advantages and the entity's exploitation of them.
• .Whether the entity's performance has differed significantly from the industry average without adequate reason.
• .Whether the entity's accounting policies differ from those generally adopted in the industry.

3. Ownership of the business

• .The identity and involvement of the owners in the business.
• .Significant changes in ownership or the likelihood of significant changes in the foreseeable future.
• .The relationships between the owners, those charged with governance and the management.

4. Management of the business

• .The expertise of management.

• .Significant changes in management or the likelihood of significant changes in the foreseeable future.

• .Whether a single individual dominates the management, in a manner which prevents other managers acting effectively.

• .The governance and:

• .Independence from executive management.

• .High turnover of those charged with governance.

• .Infrequent board and management meetings.

• .Whether the management has appropriate knowledge of the business and the environment in which the entity operates including new sectors that been developed and new businesses that have been acquired by the entity.

• .Personal interests of the management including:

• .Remuneration by commissions / bonuses based on performance.

• .Their interests in earnings per share / market value.

• .Conflicts of interest.

• .Their apparent personal financial status and standard of living beyond their earnings.

• .Any information (for example, a conviction or sanction by a regulatory body) that brings into doubt the integrity of management or raises a question as to the extent of reliance that can be placed on management representations.

• .Management's view of the business - does it appear prudent or over-confident? Consider whether management may be in difficulty through setting unrealistic targets, in particular, whether management takes high risks in respect of:

• .Sales through special arrangements, excessive discounting, bulk sale arrangements.

• .Capital projects.

• .Research and development.

• .Legal and contractual obligations.

• .General and long-term finance.

5. Going concern

• .A review of past results and industry averages including:

• .A high break-even point.

• .Tight margins.

• .Whether there are exceptionally good reasons for tolerating unprofitable sectors (if the reasons are unsatisfactory, consider the effect on the client's liquidity).

• .Product range:

• .Whether efforts are concentrated upon a few major profitable products or services lines.

• .The current phase of the "life cycle" (new, mature or declining) of the client's products or services and their expected future market.

• .Whether there is excessive dependence on a new product with uncertain potential.

• .Whether there is a dependence on very few customers or suppliers.

• .The capital structure taking into account the relationship with the client's bank and whether the client has significant debt from unusual sources or on unusual terms.

• .The entity's long-term planning taking into consideration:

• .Long-term budgets.

• .Future market potential.

• .Projected changes in demand.

• .Development of new products or services lines.

• .Future financial and capital strategy.

• .Whether the business appears to have overextended management and its administration.

Other signs of going concern problems

• .A history (or forecast) of serious operating losses or declining profitability.
• .A rapidly developing business, which may lead to cash flow problems and a lack of a suitable debt / equity structure.
• .Uneconomic long-term commitments, including substantial investment in a new product, or research and development which have not yet proved successful.
• .Persistently exceeding the overdraft limit and / or deterioration in relationship with bankers.
• .Insufficient working capital or liquidity problems (either current or forecast).
• .Long term assets being financed by short or medium term borrowings.
• .Having reached, or nearing current borrowing limits, with no sign of reduction.
• .External factors, such as the undue influence of a market dominant competitor; the political environment; frequent failures of enterprises in the same industry.
• .Debt collection problems.
• .Increasing dependence on short-term finance including suppliers' credit.
• .Failing to comply with borrowing agreements.
• .Major loan repayments being due in the near future.
• .Reduced or cancelled capital projects.
• .Non-replacement of property, plant and equipment or switching necessary capital expenditure to leasing agreements.
• .Deferring purchases, thereby reducing inventories to dangerously low levels.
• .Major litigation, legislation or regulatory sanctions which could affect operations.
• .Potential losses on long-term contracts.
• .Heavy dependence on the holding company for finance or trade (particularly if overseas).
• .Under-capitalisation, particularly if there is a deficiency of share capital and reserves and/or non-compliance with legal minimum capital requirements.
• .Dividends not being voted or in arrears.
• .Excessive or obsolete inventories.
• .Size and content of order book.
• .Work stoppages or other labour difficulties.

Inherent Risk - Factors Affecting Most Audit Areas

1. Previous history

• .Qualified audit reports.
• .Previous audits leading to significant adjustments in the financial statements.
• .Significant weaknesses and their resolution.
• .Any frauds, irregularities and errors found on previous audits.

2. The nature of account balances / classes of transactions

• .Complexity, technicality and sensitivity of the accounting area / item.

• .Whether the results or financial position depend on a small number of critical items.

• .Risks associated with the accounting process, new accounting systems and new accounting policies.

• .The availability of supporting documentation.

• .Account balances derived from estimates taking into account:

• .Prior experience.

• .The availability of relevant data and the adequacy of the system for collecting data.

• .The process used to develop the estimate.

• .Unsettled and settled transactions. Settled transactions are subject to a lower risk, since a third party has accepted the transaction and hence provided assurance as to its validity.

• .Unusual and complex transactions:

• .Normal procedures being over-ridden.

• .The skill of personnel dealing with them.

• .Off-balance sheet financing.

• .The possibility of related party transactions.

• .Unexpected balances (for example debit balances appearing on the purchase ledger).

• .Cut-off and accruals

• .Whether they are dealt with under time pressure.

• .The susceptibility to manipulation.

• .The extent of unexplained cash flows.

• .The reversal of transactions after the accounting year-end.

3. Assets susceptible to theft

• .Whether assets are easily convertible into cash.
• .Whether assets can be easily moved.
• .An unusual investment of funds.
• .Payments made for goods and assets not received or not required.
• .Disposal of goods or assets at less than fair value.
• .Assets used for private benefit.
• .The possibility of theft via the computer.

4. Staff

• .The identity and changes in key staff.

• .The strength of the organisational structure taking into account:

• .Lines of responsibility.

• .Definition of duties.

• .Co-ordination of activities.

• .The treatment of staff taking into account:

• .Pay and benefits including incentive plans.

• .Promotion.

• .Signs of excessive staff turnover or absenteeism.

• .Signs of excessive workload.

• .The position with industrial relations.

• .The skills and experience of the client's staff especially senior finance staff considering their:

• .Qualifications.

• .Experience.

• .Competence.

• .Training programmes.

• .The reliability of staff considering:

• .Checking of their references.

• .Any remuneration or performance judged by results.

• .Conflicts of interest.

• .Apparent personal financial position - any indication that staff are living beyond their earnings.

Inherent Risk - Factors Affecting Major Audit Areas

1. Property, plant and equipment

• .Existence of excess capacity in the industry and within the entity.
• .Changes expected in utilisation of production capacity.
• .Revaluations.
• .Significant disposals.
• .Level of unused property, plant and equipment.
• .Management estimates of useful lives.
• .Amount of capitalised internal production costs.
• .Leasing.
• .Research and development activity.
• .Restrictions on use of property, plant and equipment (for example legal or charges on assets).
• .Technological advances.

2. Investments

• .Nature and value of investments.

• .Diversity of investments made.

• .Risk level of investments.

• .Disposal prices of investments.

• .Indications of decrease in values.

• .Market value.

• .Default or bankruptcy of the entities invested in.

• .Restrictions or threatened restrictions on foreign investments.

• .The availability of information from investees'.

3. Inventories

• .Product characteristics.
• .The complexity of the production process.
• .Problems with the product.
• .Introduction of new products, technological advances.
• .Discontinuance of product lines.
• .Level of plant utilisation.
• .Level of activity near the accounting year-end.
• .Sales or purchases on unusual terms.
• .Long-term contracts involving quality standards commitments or penalties.
• .Disputes over long-term contracts.
• .Government regulations and restrictions.
• .The nature of the costing system.

4. Trade and Other Receivables

• .The number of new customers or customers lost.
• .Dependence on a small number of customers.
• .The level of activity in customers' industries.
• .The financial strength of the customer.
• .The seasonal nature of the business.
• .Changes in product or service lines.
• .Distribution channels used.
• .The rights of return.
• .Adverse sale commitments.
• .Long-term contractual commitments.
• .The accuracy of management estimates of levels of returns, discounts, allowances and impairment provisions.

5. Bank and cash

• .Changes in bank accounts and signatories.
• .The number of locations at which cash is received.
• .The existence of large or unusual receipts and payments, or bank transfers.
• .Significant cash transactions near to the accounting year-end.
• .Currency restrictions.

6. Trade and other payables

• .The nature of purchases.
• .The centralisation of purchase procedures.
• .Dependence on suppliers.
• .Changes in the conditions of supply.
• .Threats to supply.
• .Significant outstanding or onerous purchase commitments.
• .Threatened litigation.
• .Warranties.

7. Borrowings

• .Use of short-term borrowings.
• .Borrowings with related parties.
• .The complexity of the equity structure.
• .Borrowing in foreign currencies and fluctuation in the exchange rates.
• .Financing the activities of a subsidiary.

8. Taxation

• .Whether tax assessments are up-to-date.
• .Any disputes with or assessments from the tax authorities.
• .Tax loss situations.
• .Transactions with unusual tax implications.
• .Changes in tax legislation.
• .The extent of international operations.
• .Deferred tax implications.

9. Equity

• .Complex capital structures.
• .The complexity of the 'earnings per share' calculation.
• .Conditions on issues of shares.
• .Recent issues of options or warrants.
• .Client responsibility for maintenance of shareholder records, stock transfer and dividend payments.

10. Salaries and wages

• .The number of employees.
• .The nature of the salary structures.
• .Methods of payment.
• .Changes in terms of employment.
• .Unusual arrangements with employees.
• .Basis of allocating employee costs.
• .Arrangements for remunerating management.
• .The nature of any pension plans.
• .The funding of pension plans especially deficits.
• .Changes in terms of any pension plans.
• .Significant use of casual or seasonal labour.

Appendix II: FACTORS TO CONSIDER IN UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT

1. Industry, Regulatory and Other External Factors, Including the Applicable Financial Reporting Framework

• .Industry conditions:

• .The market and competition, including demand, capacity, and price competition.

• .Cyclical or seasonal activity.

• .Product technology relating to the entity's products.

• .Energy supply and cost.

• .Regulatory environment:

• .Accounting principles and industry specific practices.

• .Regulatory framework for a regulated industry.

• .Legislation and regulation that significantly affect the entity's operations:

  • • .Regulatory requirements.
    • .Direct supervisory activities.

• .Taxation (corporate and other).

• .Government policies currently affecting the conduct of the entity's business:

  • • .Monetary, including foreign exchange controls.
    • .Fiscal.
    • .Financial incentives (for example, government aid programs).
    • .Tariffs, trade restrictions.
    • .Environmental requirements affecting the industry and the entity's business:

• .Other external factors currently affecting the entity's business:

• .General level of economic activity (for example, recession, growth).

• .Interest rates and availability of financing.

• .Inflation, currency revaluation.

1. Nature of the Entity

• .Nature of business operations:

• .Nature of revenue sources (for example, manufacturer, wholesaler, banking, insurance or other financial services, import/export trading, utility, transportation and technology products and services).

• .Products or services and markets (for example, major customers and contracts, terms of payment, profit margins, market share, competitors, exports, pricing policies, reputation of products, warranties, order book, trends, marketing strategy and objectives, manufacturing processes).

• .Conduct of operations (for example, stages and methods of production, business segments, delivery or products and services, details of declining or expanding operations).

• .Alliances, joint ventures, and outsourcing activities.

• .Involvement in electronic commerce, including Internet sales and marketing activities.

• .Geographic dispersion and industry segmentation.

• .Location of production facilities, warehouses, and offices.

• .Key customers.

• .Important suppliers of goods and services (for example, long-term contracts, stability of supply, terms of payment, imports, methods of delivery such as "just-in-time").

• .Employment (for example, by location, supply, wage levels, union contracts, pension and other post employment benefits, stock option or incentive bonus arrangements, and government regulation related to employment matters).

• .Research and development activities and expenditures.

• .Transactions with related parties.

• .Investments

• .Acquisitions, mergers or disposals of business activities (planned or recentlyexecuted).

• .Investments and dispositions of securities and loans.

• .Capital investment activities, including investments in plant and equipment and technology, and any recent or planned changes.

• .Investments in non-consolidated entities, including partnerships, joint ventures and special-purpose entities.

• .Financing

• .Group structure - major subsidiaries and associated entities, including consolidated and non-consolidated structures.

• .Debt structure, including covenants, restrictions, guarantees, and off-balance-sheet financing arrangements.

• .Leasing of property, plant or equipment for use in the business.

• .Beneficial owners (local, foreign, business reputation and experience).

• .Related parties.

• .Use of derivative financial instruments.

• .Financial reporting

• .Accounting principles and industry specific practices.

• .Revenue recognition practices.

• .Accounting for fair values.

• .Inventories (for example, locations, quantities).

• .Foreign currency assets, liabilities and transactions.

• .Industry-specific significant categories (for example, loans and investments for banks, accounts receivable and inventory for manufacturers, research and development for pharmaceuticals).

• .Accounting for unusual or complex transactions including those in controversial or emerging areas (for example, accounting for stock-based compensation).

• .Financial statement presentation and disclosure.

1. Objectives and Strategies and Related Business Risks

• .Existence of objectives (i.e. how the entity addresses industry, regulatory and other external factors) relating to, for example, the following:

• .Industry developments (a potential related business risk might be, for example, that the entity does not have the personnel or expertise to deal with the changes in the industry).

• .New products and services (a potential related business risk might be, for example, that there is increased product liability).

• .Expansion of the business (a potential related business risk might be, for example, that the demand has not been accurately estimated).

• .New accounting requirements (a potential related business risk might be, for example, incomplete or improper implementation, or increased costs).

• .Regulatory requirements (a potential related business risk might be, for example, that there is increased legal exposure).

• .Current and prospective financing requirements (a potential related business risk might be, for example, the loss of financing due to the entity's inability to meet requirements).

• .Use of IT (a potential related business risk might be, for example, that systems and processes are incompatible).

• .Effects of implementing a strategy, particularly any effects that will lead to new accounting requirements (a potential related business risk might be, for example, incomplete or improper implementation).

1. Measurement and Review of the Entity's Financial Performance

• .Key ratios and operating statistics.
• .Key performance indicators.
• .Employee performance measures and incentive compensation policies.
• .Trends.
• .Use of forecasts, budgets and variance analysis.
• .Analyst reports and credit rating reports.
• .Competitor analysis.
• .Period-on-period financial performance (revenue growth, profitability, leverage).

APPENDIX III: CONDITIONS AND EVENTS THAT MAY INDICATE RISKS OF MATERIAL MISSTATEMENT

• .Operations in regions that are economically unstable, for example, countries with significant currency devaluation or highly inflationary economies.
• .Operations exposed to volatile markets, for example, futures trading.
• .High degree of complex regulation.
• .Going concern and liquidity issues including loss of significant customers.
• .Constraints on the availability of capital and credit.
• .Changes in the industry in which the entity operates.
• .Changes in the supply chain.
• .Developing or offering new products or services, or moving into new lines of business.
• .Expanding into new locations.
• .Changes in the entity such as large acquisitions or reorganisations or other unusual events.
• .Entities or business segments likely to be sold.
• .Complex alliances and joint ventures.
• .Use of off-balance-sheet finance, special-purpose entities, and other complex financing arrangements.
• .Significant transactions with related parties.
• .Lack of personnel with appropriate accounting and financial reporting skills.
• .Changes in key personnel including departure of key executives.
• .Weaknesses in internal control, especially those not addressed by management.
• .Inconsistencies between the entity's IT strategy and its business strategies.
• .Changes in the IT environment.
• .Installation of significant new IT systems related to financial reporting.
• .Inquiries into the entity's operations or financial results by regulatory or government bodies.
• .Past misstatements, history of errors or a significant amount of adjustments at period end.
• .Significant amount of non-routine or non-systematic transactions including inter-company transactions and large revenue transactions at period end.
• .Transactions that are recorded based on management's intent, for example, debt refinancing, assets to be sold and classification of marketable securities.
• .Application of new accounting pronouncements.
• .Accounting measurements that involve complex processes.
• .Events or transactions that involve significant measurement uncertainty, including accounting estimates.
• .Pending litigation and contingent liabilities, for example, sales warranties, financial guarantees and environmental remediation.

APPENDIX IV: INTERNAL CONTROL COMPONENTS

A. Control Environment

The control environment encompasses the following elements:

• . Communication and enforcement of integrity and ethical values**.**

The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them. Integrity and ethical values are essential elements of the control environment which influence the effectiveness of the design, administration, and monitoring of other components of internal control. Integrity and ethical behaviour are the product of the entity's ethical and behavioural standards, how they are communicated, and how they are reinforced in practice. They include management's actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. They also include the communication of entity values and behavioural standards to personnel through policy statements and codes of conduct and by example.

• . Commitment to competence.

Competence is the knowledge and skills necessary to accomplish tasks that define the individual's job. Commitment to competence includes management's consideration of the competence levels for particular jobs and how those levels translate into requisite skills and knowledge.

• . Participation by those charged with governance**.**

An entity's control consciousness is influenced significantly by those charged with governance. Attributes of those charged with governance include independence from management, their experience and stature, the extent of their involvement and scrutiny of activities, the appropriateness of their actions, the information they receive, the degree to which difficult questions are raised and pursued with management, and their interaction with internal and external engagement teams. The importance of responsibilities of those charged with governance is recognised in codes of practice and other regulations or guidance produced for the benefit of those charged with governance. Other responsibilities of those charged with governance include oversight of the design and effective operation of whistle blower procedures and the process for reviewing the effectiveness of the entity's internal control. The following additional points may be considered:

• .The independence of the board.

• .The frequency of board meetings.

• .Domination by one person or a small group.

• .The qualifications, experience and competence of those charged with governance.

• .The turnover of board members.

• .The independence of an independent audit function and of the audit committee.

• .The speed at which any internal or external audit recommendations are responded to.

• . Management's philosophy and operating style**.**

Management's philosophy and operating style encompass a broad range of characteristics. Such characteristics may include the following:

• • .Short and long-term objectives;
  • .Managements philosophy and operating style;
  • .Approach to taking and monitoring business risks;
  • .Management's attitudes and actions toward financial reporting (conservative or aggressive selection from available alternative accounting principles, and conscientiousness and conservatism with which accounting estimates are developed); and
  • .Management's attitudes toward information processing and accounting functions and personnel.

• . Organisational structure**.**

An entity's organisational structure provides the framework within which its activities for achieving entity-wide objectives are planned, executed, controlled, and reviewed. Establishing a relevant organisational structure includes considering key areas of authority and responsibility and appropriate lines of reporting. An entity develops an organisational structure suited to its needs. The appropriateness of an entity's organisational structure depends, in part, on its size and the nature of its activities. The following additional factors may be considered:

• .The appropriateness of centralisation policies.

• .The responsibilities of divisional management.

• .The extent to which delegation is understood.

• .The systems of communication.

• .The work load.

• .Management harmony with lower grades of staff.

• . Assignment of authority and responsibility**.**

This factor includes how authority and responsibility for operating activities are assigned and how reporting relationships and authorisation hierarchies are established. It also includes policies relating to appropriate business practices, knowledge and experience of key personnel, and resources provided for carrying out duties. In addition, it includes policies and communications directed at ensuring that all personnel understand the entity's objectives, know how their individual actions interrelate and contribute to those objectives, and recognise how and for what they will be held accountable.

• . Human resource policies and practices**.**

Human resource policies and practices relate to recruitment, orientation, training, evaluating, counselling, promoting, compensating, and remedial actions. For example, standards for recruiting the most qualified individuals - with emphasis on educational background, prior work experience, past accomplishments, and evidence of integrity and ethical behaviour - demonstrate an entity's commitment to competent and trustworthy people. Training policies that communicate prospective roles and responsibilities and include practices such as training schools and seminars illustrate expected levels of performance and behaviour. Promotions driven by periodic performance appraisals demonstrate the entity's commitment to the advancement of qualified personnel to higher levels of responsibility.

Application to Small Entities

Small entities may implement the control environment elements differently than larger entities. For example, small entities might not have a written code of conduct but, instead, develop a culture that emphasises the importance of integrity and ethical behaviour through oral communication and by management example. Similarly, those charged with governance in small entities may not include an independent or outside member.

B. Entity's Risk Assessment Process

The entity's risk assessment process for financial reporting includes how management identifies risks relevant to the preparation of financial statements that give a true and fair view in accordance with the entity's applicable financial reporting framework, estimates their significance, assesses the likelihood of their occurrence, and decides upon actions to manage them. For example, the entity's risk assessment process may address how the entity considers the possibility of unrecorded transactions or identifies and analyses significant estimates recorded in the financial statements. Risks relevant to reliable financial reporting also relate to specific events or transactions.

Risks relevant to financial reporting include external and internal events and circumstances that may occur and adversely affect an entity's ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements. Once risks are identified, management considers their significance, the likelihood of their occurrence, and how they should be managed. Management may initiate plans, programs, or actions to address specific risks or it may decide to accept a risk because of cost or other considerations. Risks can arise or change due to circumstances such as the following:

• . Changes in operating environment: Changes in the regulatory or operating environment can result in changes in competitive pressures and significantly different risks.
• . New personnel : ** New personnel may have a different focus on or understanding of internal control.
• . New or revamped information systems : Significant and rapid changes in information systems can change the risk relating to internal control.
• . Rapid growth: Significant and rapid expansion of operations can strain controls and increase the risk of a breakdown in controls.
• . New technology: Incorporating new technologies into production processes or information systems may change the risk associated with internal control.
• . New business models, products, or activities: Entering into business areas or transactions with which an entity has little experience may introduce new risks associated with internal control.
• . Corporate restructurings: Restructurings may be accompanied by staff reductions and changes in supervision and segregation of duties that may change the risk associated with internal control.
• . Expanded foreign operations: The expansion or acquisition of foreign operations carries new and often unique risks that may affect internal control, for example, additional or changed risks from foreign currency transactions.
• . New accounting pronouncements: Adoption of new accounting principles or changing accounting principles may affect risks in preparing financial statements.

Application to Small Entities

The basic concepts of the entity's risk assessment process are relevant to every entity, regardless of size, but the risk assessment process is likely to be less formal and less structured in small entities than in larger ones. All entities should have established financial reporting objectives, but they may be recognised implicitly rather than explicitly in small entities. Management may be aware of risks related to these objectives without the use of a formal process but through direct personal involvement with employees and outside parties.

1. C. Information Systems, Including the Related Business Processes, Relevant to Financial Reporting and Communication

An information system consists of infrastructure (physical and hardware components), software, people, procedures, and data. Infrastructure and software will be absent, or have less significance, in systems that are exclusively or primarily manual. Many information systems make extensive use of information technology (IT).

The** information system relevant to financial reporting objectives**, which includes the financial reporting system, consists of the procedures and records established to initiate, record, process, and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets, liabilities, and equity. Transactions may be initiated manually or automatically by programmed procedures. Recording includes identifying and capturing the relevant information for transactions or events. Processing includes functions such as edit and validation, calculation, measurement, valuation, summarisation, and reconciliation, whether performed by automated or manual procedures. Reporting relates to the preparation of financial reports as well as other information, in electronic or printed format, that the entity uses in measuring and reviewing the entity's financial performance and in other functions. The quality of system-generated information affects management's ability to make appropriate decisions in managing and controlling the entity's activities and to prepare reliable financial reports. Accordingly, an information system encompasses methods and records that:

• .Identify and record all valid transactions.
• .Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting.
• .Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements.
• .Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period.
• .Present properly the transactions and related disclosures in the financial statements.

Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting. It includes the extent to which personnel understand how their activities in the financial reporting information system relate to the work of others and the means of reporting exceptions to an appropriate higher level within the entity. Open communication channels help ensure that exceptions are reported and acted on.

Communication takes such forms as policy manuals, accounting and financial reporting manuals, and memoranda. Communication also can be made electronically, orally, and through the actions of management.

Application to Small Entities

Information systems and related business processes relevant to financial reporting in small entities are likely to be less formal than in larger entities, but their role is just as significant. Small entities with active management involvement may not need extensive descriptions of accounting procedures, sophisticated accounting records, or written policies. Communication may be less formal and easier to achieve in a small entity than in a larger entity due to the small entity's size and fewer levels as well as management's greater visibility and availability.

D. Control Activities

Control activities are the policies and procedures that help ensure that management directives are carried out, for example, that necessary actions are taken to address risks that threaten the achievement of the entity's objectives. Control activities, whether within IT or manual systems, have various objectives and are applied at various organisational and functional levels.

Generally, control activities that may be relevant to an audit may be categorised as policies and procedures that pertain to the following:

• . Performance reviews: These control activities include reviews and analyses of actual performance versus budgets, forecasts, and prior period performance; relating different sets of data - operating or financial - to one another, together with analyses of the relationships and investigative and corrective actions; comparing internal data with external sources of information; and review of functional or activity performance, such as a bank's consumer loan manager's review of reports by branch, region, and loan type for loan approvals and collections.

• . Information processing: A variety of controls are performed to check accuracy, completeness, and authorisation of transactions. The two broad groupings of information systems control activities are application controls and general IT-controls.

• . Application controls apply to the processing of individual applications. These controls help ensure that transactions occurred, are authorised, and are completely and accurately recorded and processed. Examples of application controls include checking the arithmetical accuracy of records, maintaining and reviewing accounts and trial balances, automated controls such as edit checks of input data and numerical sequence checks, and manual follow-up of exception reports.

• . General IT-controls are polices and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation f information systems. General IT-controls commonly include controls over data centre and network operations; system software acquisition, change and maintenance; access security; and application system acquisition, development, and maintenance. These controls apply to mainframe, miniframe, and end-user environments. Examples of such general IT-controls are program change controls, controls that restrict access to programs or data, controls over the implementation of new releases of packaged software applications, and controls over system software that restrict access to or monitor the use of system utilities that could change financial data or records without leaving an audit trail.

• . Physical controls: These activities encompass the physical security of assets, including adequate safeguards such as secured facilities over access to assets and records; authorisation for access to computer programs and data files; and periodic counting and comparison with amounts shown on control records (for example comparing the results of cash, security and inventory counts with accounting records). The extent to which physical controls intended to prevent theft of assets are relevant to the reliability of financial statement preparation, and therefore the audit, depends on circumstances such as when assets are highly susceptible to misappropriation. For example, these controls would ordinarily not be relevant when any inventory losses would be detected pursuant to periodic physical inspection and recorded in the financial statements. However, if for financial reporting purposes management relies solely on perpetual inventory records, the physical security controls would be relevant to the audit.

• . Segregation of duties: Assigning different people the responsibilities of authorising transactions, recording transactions, and maintaining custody of assets is intended to reduce the opportunities to allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of the person's duties. Examples of segregation of duties include reporting, reviewing and approving reconciliations, and approval and control of documents.

Certain control activities may depend on the existence of appropriate higher level policies established by management or those charged with governance. For example, authorisation controls may be delegated under established guidelines, such as investment criteria set by those charged with governance; alternatively, non-routine transactions such as major acquisitions or divestments may require specific high level approval, including in some cases that of shareholders.

Application to Small Entities

The concepts underlying control activities in small entities are likely to be similar to those in larger entities, but the formality with which they operate varies. Further, small entities may find that certain types of control activities are not relevant because of controls applied by management. For example, management's retention of authority for approving credit sales, significant purchases, and draw-downs on lines of credit can provide strong control over those activities, lessening or removing the need for more detailed control activities. An appropriate segregation of duties often appears to present difficulties in small entities. Even companies that have only a few employees may be able to assign their responsibilities to achieve appropriate segregation or, if that is not possible, to use management oversight of the incompatible activities to achieve control objectives.

E. Monitoring of Controls

An important management responsibility is to establish and maintain internal control on an ongoing basis. Management's monitoring of controls includes considering whether they are operating as intended and that they are modified as appropriate for changes in conditions. Monitoring of controls may include activities such as management's review of whether bank reconciliations are being prepared on a timely basis, internal engagement teams' evaluation of sales personnel's compliance with the entity's policies on terms of sales contracts, and a legal department's oversight of compliance with the entity's ethical or business practice policies.

Monitoring of controls is a process to assess the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. Monitoring is done to ensure that controls continue to operate effectively. For example, if the timeliness and accuracy of bank reconciliations are not monitored, personnel are likely to stop preparing them. Monitoring of controls is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two.

Ongoing monitoring activities are built into the normal recurring activities of an entity and include regular management and supervisory activities. Managers of sales, purchasing, and production at divisional and corporate levels are in touch with operations and may question reports that differ significantly from their knowledge of operations. In many entities, internal engagement teams or personnel performing similar functions contribute to the monitoring of an entity's controls through separate evaluations. They regularly provide information about the functioning of internal control, focusing considerable attention on evaluating the design and operation of internal control. They communicate information about strengths and weaknesses and recommendations for improving internal control.

Monitoring activities may include using information from communications from external parties that may indicate problems or highlight areas in need of improvement. Customers implicitly corroborate billing data by paying their invoices or complaining about their charges. In addition, regulators may communicate with the entity concerning matters that affect the functioning of internal control, for example, communications concerning examinations by bank regulatory agencies. Also, management may consider communications relating to internal control from external engagement teams in performing monitoring activities.

Application to Small Entities

Ongoing monitoring activities of small entities are more likely to be informal and are typically performed as a part of the overall management of the entity's operations. Management's close involvement in operations often will identify significant variances from expectations and inaccuracies in financial data leading to corrective action to the control.

APPENDIX V: GUIDANCE ON DOCUMENTING THE ACCOUNTING SYSTEMS

1. Flowcharting

A flowchart is a method of recording the stages in an accounting procedure. Flowcharts can be a useful tool, particularly for larger clients.

Advantages of flowcharting:

• .Easier to understand and assimilate than pure narrative notes.
• .Completion requires a full understanding of the system by the preparer.
• .Encourages a logical and objective audit approach.
• .Aids the completeness of systems records.
• .Gives a perspective to the system description.
• .Allows a rapid independent review.
• .Communication is made easier.
• .Easier to update than pure narrative notes.

Disadvantages of flowcharting:

• .Requires careful and laborious attention to detail.
• .Time consuming in preparation.
• .Time wasting if applied to very simple systems, or where no real system is in operation.

Flowcharting Conventions

• .Direction of flow

• • .Must be down the page or horizontally (either left or right) but never up the page.
  • .Diagonal flows must not be used.

• .Narrative

• • .Confined to the narrative column.
  • .Directly opposite the chart operation to which it relates.
  • .If not obvious from the chart, one should explain (briefly) what each operation is, who does it, and its purpose.

• .Numbering of operations

• • .Each and every operation should be numbered.
  • .Flow-lines

_______________________________ Document flow (vertical lines only).

---------------------------------------------------- Information flow (horizontal lines only).

• • .If two unrelated document lines must cross then a "bridge" or other symbol should be used.

• .Document description

• • .The name of a document should be shown either on the document symbol or by the side of it.

• .Placing of symbols

• • .All symbols should normally appear on a vertical flow line.

• .Merging or separating

• • .This should be shown on the chart by merging or separating the appropriate document flow lines.

• .Alternative procedures

• • .Depending on the complexity of alternatives, either:

(i) Detail both procedures on the main chart, if sufficiently simple; or

(ii) Draw a subsidiary chart.

Preparing a Flowchart

• .Obtain oral or written details of the system from the person exercising overall control. Information required includes:

• • .The nature and source of significant transactions.
  • .The key processes.
  • .The flow of significant transactions.
  • .Principal files supporting account balances.
  • .Principal files used for comparison.
  • .Output, its regularity and distribution.

• .Prepare a rough copy of the system.

• .Trace a transaction through the system by performing walk-through tests.

• .Complete the final version of the flowchart.

• .Review the completed charts to ensure all alternatives are charted and that all document flows have an end.

• .Review the completed charts with the person exercising overall responsibility, to ensure they are correct and to draw attention to any divergence's from the original description.

2. Narrative Notes

In case of smaller entities with less complicated transactions, narrative notes describing the process flows may be sufficient. Even in such cases it is important to carry out walk-through tests and confirm the recording with the person exercising overall responsibility, to ensure that the notes are correct.