Auditor needs to perform risk assessment procedures (includes inquiries of management (those charged with governance, employees etc), analytical procedures, observation and inspection of documents and reports) for the identification and assessment of ROMM at the FS and assertion levels.
Audit partner needs to discuss the susceptibility of the entity’s FS to MM and communicate with the team members not involved in the discussion.
Understanding the entity includes operations, governance structures, type of investments and how the entity is structured. For relevant controls relating to financial reporting, the auditor needs to evaluate the design and effectiveness of these controls. For the control environment, determine whether management has a culture of honest and ethical behaviour. If possible, auditor should obtain management assessment of business risks etc.
Basically, matters relating to financial reporting must be examined. In addition, it is important to understand risks relating to IT.
The auditor needs to understand the nature of IA function’s responsibilities, organisational status and the activities performed. If necessary, audit reports relating to findings on financial reporting should be read and understood. However, some IA do not focus on controls over financial reporting and hence, their reports may not be directly relevant. If IA looks at financial reporting areas, the auditor may want to modify the nature and timing and extent of their testing. If so, please apply SSA 610.
The auditor needs to identify risks and evaluate whether they concern the FS level or affect many assertions. The auditor needs to assess which are significant risks as well. There is a need to include planning matters as audit documentation.
The auditor might want to perform substantive procedures or test of controls to assess ROMM.
Analytical procedures can also be performed to examine trends between financial and non-financial information. However, such broad evidence may be inconclusive and the auditor might need to collaborate with other information.
Auditor needs to understand the information from prior audit periods and see whether it’s still applicable in the current period. By performing walkthroughs, one can get a better sense of whether there are any changes.
It Is necessary to understand industry factors like suppliers, the competitive environment, suppliers and customer relationships etc. The auditor can understand regulatory factors as well.
Understanding the entity includes understanding the business operations, investment activities, financing activities, financial reporting practices etc, entity’s selection and application of accounting policies.
Not all business risks give rise to material misstatements, but business risks might have financial consequences and increase the likelihood of identifying ROMM. This FRS covers issues and events that may indicate ROMM. Understanding the financial performance indicators can help the auditor understand the pressure management faces. Industry related information might also serve as useful trends.
There are limitations to internal control, which the auditor needs to understand. Controls can be override by management as well. The SSA divides internal control into 5 components: control environment (influence the effectiveness of internal controls and the auditor’s assessment of ROMM); risk assessment process; information system and related business process; control activities and monitoring of controls.
There are both manual and automated controls. However, the use of IT automated controls present risks such as inaccurate processing of data, unauthorised access to data, changes to master files, failure to make changes. Manuals controls are more suitable when judgment is involved. They are less suitable for voluminous transactions etc.
Some information required in the FS may not be stored in IT systems. Non-standard journal entries must be examined by the auditor. The auditor should understand how transactions are originated.
It is possible for the auditor to test the operating effectiveness of the control in determining the extent of substantive testing required. The auditor could focus activities for areas with higher ROMM. Main transaction cycle could include things like revenue, purchases and employment expenses.
Auditors need to understand both general and application controls in relation to financial systems for financial reporting. They also need to question the source of information from control monitoring activities and whether they are accurate.
SSA 705 talks about the issuance of a qualified opinion.
Some assertions for transactions could be occurrence, completeness, accuracy, cut-off, classification, presentation etc.
Some assertions for balances are existence, rights and obligations, completeness, accuracy valuation and allocation, classification, and presentation.