| A124. | Although risks relating to significant non-routine or judgmental matters are often less likely to be subject to routine controls, management may have other responses intended to deal with such risks. Accordingly, the auditor's understanding of whether the entity has designed and implemented controls for significant risks arising from non-routine or judgmental matters includes whether and how management responds to the risks. Such responses might include: |
| Control activities such as a review of assumptions by senior management or experts. |
| Documented processes for estimations. |
| Approval by those charged with governance. |
| A125. | For example, where there are one-off events such as the receipt of notice of a significant lawsuit, consideration of the entity's response may include such matters as whether it has been referred to appropriate experts (such as internal or external legal counsel), whether an assessment has been made of the potential effect, and how it is proposed that the circumstances are to be disclosed in the financial statements. |
| A126. | In some cases, management may not have appropriately responded to significant risks of material misstatement by implementing controls over these significant risks. Failure by management to implement such controls is an indicator of a significant deficiency in internal control.15 Risks for Which Substantive Procedures Alone Do Not Provide Sufficient Appropriate Audit Evidence (Ref: Para. 30) |
| A127. | Risks of material misstatement may relate directly to the recording of routine classes of transactions or account balances, and the preparation of reliable financial statements. Such risks may include risks of inaccurate or incomplete processing for routine and significant classes of transactions such as an entity's revenue, purchases, and cash receipts or cash payments. |
| A128. | Where such routine business transactions are subject to highly automated processing with little or no manual intervention, it may not be possible to perform only substantive procedures in relation to the risk. For example, the auditor may consider this to be the case in circumstances where a significant amount of an entity's information is initiated, recorded, processed, or reported only in electronic form such as in an integrated system. In such cases: |
| Audit evidence may be available only in electronic form, and its sufficiency and appropriateness usually depend on the effectiveness of controls over its accuracy and completeness. |
| The potential for improper initiation or alteration of information to occur and not be detected may be greater if appropriate controls are not operating effectively. |
| A129. | The consequences for further audit procedures of identifying such risks are described in ISA (UK and Ireland) 330.16 |
| 15 ISA (UK and Ireland) 265, "Communicating Deficiencies in Internal Control to Those Charged with Governance and Management," paragraph A7. |
| 16 ISA (UK and Ireland) 330, paragraph 8. |
 |
Licence and copyright | © 2018, LexisNexis Group a division of Reed Elsevier (UK) Ltd. All rights reserved. |