SAS No. 32 Risk Assessments and Internal Control 　 　

Status

Issued by Auditing Standards Committee in Taiwan on 22 December, 1998.

Summary

Internal control is a process designed to provide reasonable assurance about the achievement of the entity's objectives with regard to the reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.

The auditor should obtain an understanding of internal control based on experiences gained from prior audits and understanding of the client, taken into account the following:

• The types of potential material misstatements.
• The possibility of material misstatement that could occur.
• Other factors that could affect the design of substantive procedures.
• The evaluation of inherent risks.
• The determination of level of materiality.
• The complexity of the client’s operation and system.

Internal control consists of five interrelated components:

• Control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
• Entity's risk assessment is the entity's identification and analysis of relevant risks to achievement of its objectives, forming a basis for determining how the risks should be managed.
• Information and communication systems support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.
• Control activities are the policies and procedures that help ensure that management directives are carried out.
• Monitoring is a process that assesses the quality of internal control performance over time.

The auditor should consider the circumstances, the applicable component, and factors such as the following, in evaluating the design of the entity's related controls:

• The size of the entity.
• The nature of the entity's business, including its organization and ownership characteristics.
• The diversity and complexity of the entity's operations.
• Applicable legal and regulatory requirements.
• The nature and complexity of the systems that are part of the entity's internal control.

Internal control, no matter how well designed and operated, can provide an entity with reasonable, but not absolute, assurance about achieving an entity's objectives. The likelihood of achievement is affected by limitations inherent to internal control. These include the realities that human judgment in decision making can be faulty and that breakdowns in internal control can occur because of human failures such as simple errors or mistakes.

Additionally, controls, whether manual or automated, can be circumvented by the collusion of two or more people or inappropriate management override of internal control.　 　

As part of the risk assessment, the auditor should evaluate the design and determine the implementation of the entity's controls, including relevant control activities, over those risks for which, in the auditor's judgment, it is not possible or practicable to reduce detection risk at the relevant assertion level to an acceptably low level with audit evidence obtained only from substantive procedures. 　

The risk of material misstatement in financial statement assertions consist of inherent risk, control risk, and detection risk. At the account balance, class of transactions, relevant assertion, or disclosure level, audit risk consists of the risk that the relevant assertions related to balances, classes, or disclosures contain misstatements that could be material to the financial statements when aggregated with misstatements in other relevant assertions related to balances, classes, or disclosures and the risk that the auditor will not detect such misstatements. The way the auditor should consider these component risks and combines them involves professional judgment and depends on the auditor's approach or methodology. 　

In determining the nature, timing, and extent of audit procedures to be applied to a specific account balance, class of transactions, or disclosure, the auditor should design audit procedures to obtain reasonable assurance of detecting misstatements that the auditor believes, based on the judgment about materiality, could be material, when aggregated with misstatements in other balances, classes, or disclosures, to the financial statements taken as a whole. Auditors use various methods to design audit procedures to detect such misstatements.　

The auditor should consider audit risk at the individual account balance, class of transactions, or disclosure level because such consideration directly assists in determining the nature, timing, and extent of further audit procedures for the relevant assertions related to balances, classes, or disclosures. The auditor should seek to reduce audit risk at the individual balance, class, or disclosure level in such a way that will enable the auditor, at the completion of the audit, to express an opinion on the financial statements taken as a whole at an appropriately low level of audit risk. Auditors use various approaches to accomplish that objective.

Effective date

This Statement is effective for audit of financial statements with fiscal years ending on or after 31 December, 1999.