Risk and understanding the entity

ISA 315 (Revised 2019), Identifying and Assessing the Risks of Material Misstatement

Candidates studying Audit and Assurance (AA) and Advanced Audit and Assurance (AAA) are often presented with questions that focus on the planning stage of the audit.

Extracts from the AA syllabus (B) Planning and risk assessment
 

B3 Assessing audit risks

  • Describe the audit risks in the financial statements and explain the auditor’s response to each risk

B4 Understanding the entity and its environment and the applicable financial reporting framework

  • Explain how auditors obtain an initial understanding of the entity and its environment and the applicable financial reporting framework
  • Describe and explain the nature, and purpose of, analytical procedures in planning, and
  • Compute and interpret key ratios used in analytical procedures

Extracts from the AAA syllabus (D) Planning and conducting an audit of historical financial information
 

D1 Planning, materiality and assessing the risk of material misstatement

  • Evaluate and prioritise business risks, audit risks and risks of material misstatement for a given assignment
  • Interpret the results of analytical procedures, in an unbiased manner and apply professional scepticism to support the identification of contradictory information and assessment of risks of material misstatement
  • Evaluate the results of planning and risk assessment procedures to determine the relevant audit strategy, including the auditor’s responses, and
  • Discuss the importance of the auditor gaining an understanding of the entity including the applicable financial reporting framework, its accounting policies, significant classes of transactions, balances and disclosures and the entity’s system of internal control and recommend additional information which may be required in gaining that understanding.

Candidates will therefore need a sound understanding of ISA 315 (Revised 2019), Identifying and Assessing the Risks of Material Misstatement, which becomes an examinable document from the September 2021 exam session for both AA and AAA. The central theme throughout ISA 315 (Revised) is the assessment of risk. Questions involving risk assessment are highly examinable at both AA and AAA, so it is vital that candidates have studied this part of the syllabus thoroughly.

A word on assertions
The auditor needs to obtain sufficient appropriate audit evidence to support the assertions and disclosures in the financial statements made by management. These assertions are used by the auditor when assessing the risks of misstatement on an engagement.

Objective of the audit and the assessment of risk

The objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement (1).

ISA 315 (Revised) states the reasons ‘why’ risk assessment procedures should be carried out but provides further guidance with ‘what’ needs to be tested and ‘how’ it can be tested. Candidates are strongly encouraged to review the appendices to the revised standard for examples of the ‘what’ and ‘how’.

ISA 200, Overall objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Standards on Auditing, states that audit risk is the risk that the auditor expresses an inappropriate opinion when the financial statements are materially misstated.

It should be noted that the fundamentals of the audit risk model, which candidates will often come across during their studies, have not been affected by ISA 315 (Revised) and remain as follows:

[Figure: the audit risk model]

However, there have been some changes as to how risks are evaluated. ISA 315 (Revised) enhances the requirement for the auditor to understand the audit risk of the client by obtaining an understanding of the entity and its environment, the applicable financial reporting standards and the entity’s system of internal control.

Using the risk model above, these can be considered as follows:

Inherent risk

  • Understanding the entity and its environment
  • Understanding the applicable financial reporting framework

Control risk

  • Understanding the entity’s system of internal control.

Inherent risk

Inherent risk is described as the susceptibility of an assertion about a class of transaction, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls (2).

Understanding the entity and its environment

ISA 315 (Revised) has explicitly defined inherent risk factors as being qualitative or quantitative, and these include:

| Defined inherent risk factors | Explanation and example |
| --- | --- |
| Complexity | Arises because of the nature of the information or the way that it is prepared – for example, complex accounting or reporting requirements such as the audit of a large, multi-national insurance group. |
| Subjectivity | Results from inherent limitations in the ability to prepare the information objectively – for example, choice of valuation methodology or basis for accounting estimations. |
| Change | Events or conditions which affect the entity’s business, industry, regulatory or economic environment – for example, customer change or geographical expansion. |
| Uncertainty | Arises when the required information cannot be prepared based on sufficiently precise and comprehensive data – for example, contingent liabilities or uncertainty over key issues (environmental, legal or financial), such as the audit of a company with ongoing litigation issues (requiring provisions and estimations of liability). |
| Susceptibility to misstatement due to management bias or other fraud risk factors | Conditions which create susceptibility for intentional or unintentional failure by management to maintain neutrality – for example, transactions with related parties, the use of manual adjustments, bonus schemes dependent on financial results. |

Inherent risk is considered by the auditor before they consider any related controls. Inherent risk and control risk are both elements of the risk of material misstatement at the assertion level.

Understanding the applicable financial reporting framework

Auditors must consider the impact of the accounting policies and financial reporting requirements, including industry specific requirements, when assessing the risk of material misstatement.

There are several financial reporting standards which can be subject to misapplication, either deliberate or accidental, such as IFRS® 15 Revenue from Contracts with Customers or IAS® 37, Provisions, Contingent Liabilities and Contingent Assets. Foreign currency adjustments or complex financial instruments can further complicate the reporting (and regulatory) requirements.

New or emerging accounting issues, such as cryptocurrencies or environmental reporting may be affected by the subjectivity of management. In the case of technological changes, a lack of definitive accounting standards may result in inconsistent or incorrect valuations or disclosures.

Evaluating the financial reporting policies of the entity is part of the overall assessment of inherent risk.

Spectrum of inherent risk

For the identified risks of material misstatement at the assertion level, the auditor is required to carry out a separate assessment of inherent risk and control risk. This separate assessment was introduced into ISA 315 (Revised) so as to maintain consistency with ISA 330, The Auditor’s Responses to Assessed Risks, which also requires the auditor to consider inherent risk and control risk separately in order to respond appropriately to assessed risks of material misstatement at the assertion level.

Inherent risk will be higher for some assertions and related classes of transactions, account balances and disclosures than for others and this will require the exercise of professional judgement. The degree to which inherent risk varies is referred to in ISA 315 (Revised) as the spectrum of inherent risk.

The spectrum of inherent risk helps to determine whether an identified risk is a significant risk. ISA 315 (Revised) introduces the concept of a significant risk, which is an identified risk of material misstatement for which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk. This is due to the degree to which inherent risk factors affect the combination of the likelihood and the magnitude of a potential misstatement.

When the auditor is planning responses to identified risks, risks may need to be prioritised as the auditor needs to plan to obtain more evidence in relation to significant risks. The higher on the spectrum of inherent risk a risk is assessed, the more persuasive the audit evidence needs to be. This is a particularly important skill when answering questions at the AAA level, and good practice for practical audit work too. In addition, the controls that address significant risks are required to be identified by ISA 315 (Revised), and the auditor is required to evaluate whether the control has been designed effectively and implemented.

Control risk

Understanding the entity’s system of internal control

Control risk is the risk that the entity’s system of internal control will not prevent or detect and correct a misstatement on a timely basis. This can be due to weak or absent internal controls. ISA 315 (Revised) sets out the components of the entity’s system of internal control. Candidates need to be familiar with the components set out in ISA 315 as AA exam questions may ask candidates to describe or explain the components of the entity’s system of internal control.
 

| Components of the entity’s system of internal control under ISA 315 (Revised 2019) (para.20) | Predominant type of control |
| --- | --- |
| Control environment; the entity’s risk assessment process; the entity’s process to monitor the system of internal control | Indirect controls. The auditor’s understanding of these control components is likely to affect the risk of material misstatement at the financial statement level. |
| Information system and communication; control activities | Direct controls. The auditor’s understanding of these control components is likely to affect the risk of material misstatement at the assertion level. |

For further details on the components of an entity’s system of internal control refer to Appendix 3 included in ISA 315 (Revised 2019).

At the planning stage of the audit, the auditor will consider whether the audit procedures will include planned reliance on the operating effectiveness of controls. Reliance on an entity’s system of internal control can reduce the level of substantive procedures the auditor performs. If the auditor does plan to test the effectiveness of the entity’s controls, this is based on the expectation that the controls are operating effectively.

ISA 315 (Revised) stresses that the auditor’s assessment of the risks is affected by their understanding of each of the components of the entity’s system of internal control. This understanding of how management identify and assess the business risks of the entity would be gained at the planning stage by discussions with management or inspecting reports or procedures.

If the auditor does not plan to test the operating effectiveness of the entity’s internal controls, ISA 315 (Revised) states that in this case, the risk of material misstatement is the same as the assessment of inherent risk. In other words, if the auditor is not planning on testing the controls, they assume there are no controls present in their risk assessment. Further information on the testing of controls is covered in ISA 330.

Direct/indirect controls

Direct controls are specific controls which are precise enough to address the risk of material misstatement at the assertion level, for example, performing a monthly reconciliation of the bank account which is reviewed, and all differences are resolved. This is an example of a direct control as it ensures the existence and accuracy of the asset (bank) at the period end.

Indirect controls, such as general IT controls, are those which are not sufficiently precise to prevent, detect or correct material misstatement at the assertion level. However, indirect controls may support direct controls and therefore have an indirect effect on the likelihood that a misstatement can be detected or prevented.

Controls over the IT environment

ISA 315 (Revised) includes enhanced auditor considerations relating to IT, including new and updated material for understanding IT and general IT controls. The auditor needs to understand how the entity processes information, and how this data is used throughout the business. There should be an understanding of the accounting records, how the information is captured and controlled and how these flow into the accounts in the financial statements.

The internal control of an entity generally benefits from the use of an IT system, for example by:

  • Applying consistent business rules
  • Performing complex or repetitive bulk calculations
  • Facilitating analysis of information
  • Improving timeliness, availability and accuracy of information
  • Reducing the risk that controls can be avoided and enhancing the segregation of duties.

An IT system will only be as good as the controls which support it; therefore, it is imperative that an assessment is made of the related risks of using IT and the entity’s general IT controls. General IT controls alone are not adequate, and an assessment should be made to understand how management monitor the IT controls, permissions, errors or control deficiencies across the IT environment.

Larger businesses may have fully integrated and possibly bespoke ERP (Enterprise Resource Planning) systems, whereas smaller entities are likely to have less complex, commercial software. ISA 315 (Revised) provides examples of potential issues and possible tests in Appendices 5 and 6. The need to obtain an understanding of the IT environment within an entity remains important when assessing the risk and designing the relevant audit procedures.

Manual and automation

An entity’s system of internal control will usually contain manual elements (such as authorising a purchase invoice) and automated elements (such as password-protected applications).

Automated controls are generally considered to be more reliable than manual controls because they are not easily bypassed, ignored or overridden. For example, logging into the online banking system will require a password, which cannot be ignored; if the password entered is incorrect, the system will prevent access. Similarly, if a customer has not paid their invoices on time, an automated sales order processing system will prevent them from ordering further goods until they pay the overdue balance.

Detection risk

The last element of the audit risk model is detection risk, which is the risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will fail to detect a misstatement which exists that could be material. Candidates should keep in mind that detection risk is the only risk under the control of the auditor. Also remember that detection risk is not part of the risk of material misstatement.

Stand-back requirement

Once the auditor has obtained the required level of understanding and has identified the significant classes of transactions, account balances and disclosures, the auditor must ‘stand back’ and evaluate the audit evidence arising from their risk assessment procedures.

Once this understanding has been obtained (and throughout the audit process) the auditor must apply professional scepticism in critically evaluating the audit evidence and knowledge.

For material classes of transactions, account balances or disclosures that have not been determined as significant, the auditor is required to assess, using professional judgement, whether this determination still remains appropriate.

This requirement has been introduced into ISA 315 (Revised) to prompt the auditor to confirm the completeness of the identified risks. In other words, requiring the auditor to focus their attention on material classes of transactions, account balances and disclosures that have not been determined as significant and to assess whether this remains the case on evaluating all of the evidence obtained from the risk assessment procedures which have been performed.

Scalability

The requirements introduced by ISA 315 (Revised) are extensive and will impact the audits of larger or more complex entities. However, there are provisions throughout the standard which allow for scalability, whereby smaller or less complex entities will involve less onerous assessments. Auditors can apply the principles in ISA 315 (Revised) to entities of different sizes and different levels of complexity within the control systems, including the IT environment.

Conclusion

Candidates must ensure that they are using up-to-date study materials which reflect the provisions of ISA 315 (Revised 2019) from the September 2021 exam session. There are a number of revisions to the standard which could be examined, and it is important that candidates have a sound awareness of the changes reflected in the revised ISA.

References:

(1) ISA 315 (Revised 2019), Identifying and Assessing the Risks of Material Misstatement, para.11
(2) ISA 315 (Revised), para.4

Written by a member of the Advanced Audit and Assurance examining team