According to ISA 330, an auditor designs and implements responses to risks of material misstatement that they have identified and assessed.
Many auditors have great difficulty applying ISAs to small audits because they don’t understand how to evaluate risks of material misstatement or due to the strict requirements in the ISAs.
Risk Assessment Challenges
All financial statement audits mainly focus on risk assessment. Auditing employs a risk-based approach. An auditor focuses on areas that have the highest risk of material misstatement. Therefore, an auditor’s primary goal is to identify risks and ways to avoid those risks.
For example, tools like risk intellect can be used by auditors to gain insight into an entity’s cyber risk posture. Auditors can use such tools to determine a company’s compliance control assessments to cyber risk. As a result, an auditor can identify cyber risks and controls with the greatest chance of reducing risk.
Therefore, when performing an audit, the auditor determines the areas of risk and to what extent the threat of material misstatement is linked to these risks. As a result, the auditor will choose the appropriate measures to respond to the risk assessed.
Auditors and regulators typically experience problems applying the right auditing standards. The main risk assessment issues include:
- The link between risk assessment and response
- The need to show how professional judgment was applied
- The definition and determination of significant risk according to ISAs standards
Internal controls are crucial when adopting a complete audit approach. Many auditors find it challenging to understand and document internal control.
In small companies, internal controls are informal and undocumented. These controls are compromised because there is no segregation of duties. For example, the owner/manager is involved in all the daily running activities of the business.
When performing a fully substantive audit, auditors need to determine whether they have:
- Identified controls that are relevant to the audit
- Verified that these controls are designed to achieve their objectives
- Gathered evidence of the implementation of these controls
The Concept Of Materiality
Materiality is crucial to the audit. ISAs require auditors to provide assurance that financial statements don’t have material misstatements. The materiality concept arises at the planning stage when performing an audit and evaluating the impact of misstatements on the audit and uncorrected misstatements on the financial statements.
Materiality is a financial reporting concept. It applies to the preparation and presentation of financial statements. Therefore, any issue of materiality applies to the financial reporting framework.
Data Analytics In External Audits
Data analytics involves monitoring and tracking metrics and KPIs for business decisions through tools that quickly obtain, validate, and analyze data. These tools are used for complete transactions or full data sets for business decisions. Auditors use data analytics to justify their arguments, draw a conclusion, and provide guidance for further investigation. However, no auditing standards lay out the rules for applying data analytics for external audits.
In many cases, data in all forms such as structured and unstructured data are used consistently and at large in sizable firms. However, small firms should acknowledge the importance of data analytics in transforming smaller audits.
Addressing The Risk Of Management Override
Management override is when those in management or leadership positions manipulate accounting records and compile fraudulent financial statements by overriding controls. This practice occurs even when the controls seem to be working effectively.
ISA 240 outlines the auditor’s duties in response to fraud in financial statements. An auditor should assess the risk of material misstatement from management override of controls as a high risk that needs specific documentation and impacts the auditor’s response. The risk of management override varies depending on the entity in question. However, this practice is prevalent in all entities.
Communications With Those In Authority
A successful audit of financial statements is hinged on identifying those in authority and ensuring you communicate with them, and showing this on the audit file. ISA 260 requires auditors to communicate with those in charge regarding specific matters.
For example, communicating significant issues in internal controls identified during an audit. Communication between the auditor and those in governance can improve an audit’s quality and cost-effectiveness regardless of the entity’s size.
Communication shouldn’t be done because ISAs require it, but it is something you should be willing to do to improve the quality of an audit. Many audit files demonstrate effective communication with those in governance at the last stages.
However, ISA 260 requires auditors to establish effective communication during the audit process. Therefore, the audit file should show a consistent flow of communication between auditors and top management throughout the audit.
ISA is a set of rules and regulations that govern auditors‘ responsibilities. Auditors are required to perform their jobs in accordance with the ISA standards. Understanding risk assessment, internal controls, materiality, and data analytics is part of an auditor’s job description.
Additionally, auditors are required to address the risk of management override. Most importantly, an auditor should liaise with top management to execute their duties.