• The Standard requires the auditor to document overall audit strategy and audit plan, including the significant changes made subsequently therein with reasons thereof.

• Documentation of Audit strategy could be in the form of a memorandum that contains key decisions regarding the overall scope, timing and conduct of the audit.

• For documentation of Audit plan, the Standard permits use of standard audit programmes or audit completion checklists, tailored as needed to reflect the particular engagement circumstances.

• Audit strategy: It need not be a complex or time-consuming exercise; it varies according to the size and complexity of the audit, and the size of the engagement team. A brief memorandum prepared at the completion of the previous audit, based on a review of the working papers and highlighting issues identified in the audit just completed, updated in the current period based on discussions with the owner-manager, can serve as the documented audit strategy for the current audit engagement, if it covers the matters noted in paragraph 7 of the Standard.

• When an audit is carried out entirely by a sole practitioner and a complex or unusual issues are involved, it may be desirable to consult with other suitably-experienced auditors.

Scope:

It deals with the auditor’s responsibility to identify and assess the risks of material misstatement in the financial statements, through understanding the entity and its environment, including the entity’s internal control. Its objective is in providing a basis for designing and implementing responses to the assessed risks of material misstatement thereby assist the auditor to reduce the risk of material misstatement to an acceptably low level.

• Requirements:

Risk Assessment Procedures and Related Activities:

• The auditor shall perform risk assessment procedures which shall include:

• Inquiries of management, and of others within the entity who may have information that is likely to assist in identifying risks of material misstatement;

• Analytical procedures;

• Observation and inspection;

• Consideration whether information obtained from the auditor’s client acceptance or continuance process is relevant to identifying risks of material misstatement;

• Where the engagement partner has performed other engagements for the entity, to consider the relevance of the said information to identifying risks of material misstatement;

• In addition the auditor may perform other procedures like reviewing information obtained from external sources such as trade and economic journals; reports by analysts, banks, or rating agencies; or regulatory or financial publications or making inquiries of the entity’s external legal counsel or of valuation experts that the entity has used.

• When the auditor uses information obtained from his previous experience with the entity and from audit procedures performed in previous audits, determine whether changes have occurred since the previous audit that may affect its relevance to the current audit.

• The engagement partner and other key engagement team members to discuss the susceptibility of the material misstatement, and the application of the applicable financial reporting framework to the entity’s facts and circumstances.

• The Standard recognises that it is not always necessary or practical for the discussion to include all members in a single discussion nor is it necessary for all of the members of the engagement team to be informed of all of the decisions reached in the discussion. The engagement partner may discuss matters with only the key members of the engagement team while delegating discussion with others.

• Understanding of the entity and its environment:

• The auditor shall obtain an understanding of the followings:

• Relevant industry in which the entity operates;

• The regulatory, and other external factors including the financial reporting framework, applicable to the entity ;

• The nature of the entity, including its operations, ownership and governance structures, investments, investment activities and financing and financing activities;

• Selection and application of accounting policies by the entity, including the reasons for changes, if any thereto. Also to evaluate if accounting policies are appropriate for its business and consistent with the applicable financial reporting framework and accounting policies used in the relevant industry;

• The entity’s objectives and strategies, and the related business risks that may result in risks of material misstatement;

• The measurement and review of the entity’s financial performance; i.e., the things the management regards it as important;

• Qua the industry factors examples of matters, the auditor may consider include:

• The market and competition, including demand, capacity, and price competition;

• Cyclical or seasonal activity;

• Product technology relating to the entity’s products;

• Energy supply and cost.

• With reference to regulatory frameworks examples of matters, the auditor may consider include:

• Accounting principles and industry specific practices;

• Regulatory framework for a regulated industry;

• Legislation and regulation that significantly affect the entity’s operations, including direct supervisory activities;

• Taxation;

• Government policies currently affecting the conduct of the entity’s business, such as monetary, including foreign exchange controls, fiscal, financial incentives (for example, government aid programmes), and tariffs or trade restrictions policies;

• Environmental requirements affecting the industry and the entity’s business.

• An understanding of the entity’s selection and application of accounting policies may encompass such matters as:

• The methods the entity uses to account for significant and unusual transactions;

• The effect of significant accounting policies in controversial or emerging areas for which there is a lack of authoritative guidance or consensus;

• Changes in the entity’s accounting policies;

• Financial reporting standards and laws and regulations that are new to the entity and when and how the entity will adopt such requirements.

• With reference to business risks the auditor does not have a responsibility to identify or assess all business risks because not all business risks give rise to risks of material misstatement. Examples of matters that the auditor may consider include:

• Industry developments;

• New products and services;

• Expansion of the business;

• New accounting requirements;

• Regulatory requirements;

• Current and prospective financing requirements;

• Use of IT;

• The effects of implementing a strategy, particularly any effects that will lead to new accounting requirements.

Appendix 2 to the Standard provides examples of conditions and events that may indicate risks of material misstatement.

• Performance measures, whether external or internal, create pressures on the entity in turn, may motivate management to take action to improve the business performance or to misstate the financial statements. Information used by management for measuring and reviewing financial performance, and which the auditor may consider, include:

• Key performance indicators and key ratios, trends and operating statistics;

• Period-on-period financial performance analyses;

• Budgets, forecasts, variance analyses, segment information and divisional, departmental or other level performance reports;

• Employee performance measures and incentive compensation policies;

• Comparisons of an entity’s performance with that of competitors.

Besides, external information such as analysts’ reports and credit rating agency reports may represent useful information for the auditor.

• Examples of other external factors include the general economic conditions, interest rates and availability of financing, and inflation or currency revaluation.

• The understanding establishes a frame of reference within which the auditor plans the audit and exercises professional judgment throughout the audit.

• The auditor shall obtain an understanding of internal control relevant to the audit. Though it is a matter of the auditor’s professional judgment whether a control, individually or in combination with others, is relevant to the audit, the factors to determine relevance to the audit may include such matters as the following:

• Materiality;

• Significance of the related risk;

• Size of the entity;

• Nature of the entity’s business, including its organization and ownership characteristics;

• Diversity and complexity of the entity’s operations;

• Applicable legal and regulatory requirements;

• Circumstances and the applicable component of internal control;

• Nature and complexity of the systems that are part of the entity’s internal control, including the use of service organizations;

• Whether, and how, a specific control, individually or in combination with others, prevents, or detects and corrects, material misstatement.

• The auditor shall evaluate the design of internal controls and determine whether they have been implemented, by performing procedures, which may include:

• Inquiring of entity personnel;

• Observing the application of specific controls;

• Inspecting documents and reports;

• Tracing transactions through the information system relevant to financial reporting.

It is emphasized that inquiry alone is not sufficient for such purposes.

• To provide a useful framework for auditors to consider how different aspects of an entity’s internal control may affect the audit, for the purpose of the Standards, internal control has been divided into the following five components:

• Control environment;

• Entity’s risk assessment process;

• Information system, including the related business processes, relevant to financial reporting, and communication (‘Information System’);

• Control activities; and

• Monitoring of controls.

It is expected that the auditor addresses its effect on the audit.

• Appendix 1 to the Standard provides further explanation of these components of internal control.

• Entity’s Risk Assessment Process:

• To provide a basis for designing and performing further audit procedures, the auditor shall identify and assess the risks of material misstatement at:

• the financial statement level; and

• the assertion level for classes of transactions, account balances, and disclosures.

• The auditor shall determine whether any of the risks identified are, in the auditor’s judgment, a significant risk, considering the followings:

• Is the risk a risk of fraud;

• Whether the risk is related to recent significant economic, accounting or other developments and, therefore, requires specific attention;

• Complexity of transactions;

• Whether the risk involves significant transactions with related parties;

• Degree of subjectivity in the measurement of financial information related to the risk, especially those measurements involving a wide range of measurement uncertainty; and

• Whether the risk involves significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual.

• Where a significant risk exists, the auditor shall obtain an understanding of the entity’s controls, including control activities.

Where the auditor has identified a material weakness in the design, implementation or maintenance of internal control, he shall communicate material weaknesses in internal control identified during the audit on a timely basis to management at an appropriate level of responsibility, and with those charged with governance.

The auditor shall document:

• Minutes of the discussion among the engagement team and the significant decisions reached;

• Key elements of the understanding obtained regarding each of the aspect of:

• the entity and its environment specified in paragraph 11 of the Standard; and

• the internal control components specified in paragraphs 14-23 of the Standard.

• The sources of information from which the understanding was obtained;

• The risk assessment procedures performed;

• The identified and assessed risks of material misstatement at the financial statement level and at the assertion level; and

• The risks identified, and related controls about which the auditor has obtained an understanding, as a result of the requirements in paragraphs 26-29.

• Where audits are carried out entirely by the engagement partner - sole practitioner, he having personally conducted the planning of the audit, would be responsible for considering the susceptibility of the entity’s financial statements to material misstatement due to fraud or error.

• The owner-manager may be able to exercise more effective oversight than in a larger entity, which may compensate for the generally more limited opportunities for segregation of duties. However, in the circumstances, the owner-manager may be more able to override controls because the system of internal control is less structured. This is taken into account by the auditor when identifying the risks of material misstatement due to fraud.

• Audit evidence for elements of the control environment in smaller entities may not be available in documentary form. Consequently, the attitudes, awareness and actions of the owner-manager is of particular importance to the auditor’s understanding of a smaller entity’s control environment.

• Information systems and related business processes relevant to financial reporting in small entities are likely to be less sophisticated than in larger entities. Understanding the entity’s systems and processes may therefore be easier in an audit of smaller entities, and may be more dependent on inquiry than on review of documentation. The need to obtain an understanding, however, remains important.

Note: The date this standard (along with SA 330) becomes effective, the existing AAS 6, ‘Risk Assessment and Internal Control’, AAS 20, ‘Knowledge of the Business’ and AAS 29, ‘Auditing in a Computer Information Systems Environment’ would stand withdrawn.

Scope:

It deals with the auditor’s responsibility to design and implement responses to the risks of material misstatement identified and assessed by him in accordance with SA 315 in a financial statement audit.

• Tests of Controls