Exam technique 1 – planning questions and risk (part 1)

Business risk

Candidates will be tasked with a question set at the planning stage of an engagement in section A. This will require candidates to evaluate risks relevant to an audit or assurance engagement. This article is intended to help candidates to achieve both the technical and professional marks usually associated with these types of requirements.

ISA315 (Revised), Identifying and Assessing the Risks of Material Misstatement gives extensive guidance on the need to understand the client’s business, controls and operating environment in order to assess the risks on the engagement. Audit risk arises from these risks of material misstatement, but the auditor must also assess the risk that such misstatements may not be detected during the audit process. Candidates are tested on their skills in identifying and evaluating these risks.

Business risk in audit planning questions

ISA315 (Revised) explains that understanding the entity’s objectives, strategy and business model helps the auditor to understand the entity at a strategic level, and to understand the business risks the entity takes and faces. An understanding of the business risks that have an effect on the financial statements assists the auditor in identifying risks of material misstatement, since most business risks will eventually have financial consequences and, therefore, an effect on the financial statements.

ISA315 (Revised) defines business risk as a risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies.

A typical requirement in section A with a focus on business risk would be 'Using the exhibits provided, evaluate the significant business risks facing the company/group'. The key elements of this requirement to note are as follows:

• Using the exhibits 
Candidates are not required to have any industry specific knowledge. There will be sufficient detail in the scenario to allow candidates to identify the key risks which should be evaluated. Candidates should focus on the risks arising from the information provided and not speculate on additional risks which might arise. 

• Evaluate
In order to evaluate effectively, candidates will initially need to identify the risk arising from the information provided and illustrate the impact of the risk on the client. Candidates should make use of specific points that are relevant to the client in the question rather than discussing the risk in a generic context. 

Candidates should then expand on this issue in order to fully evaluate a point. There needs to be an assessment of the scale of the risk in the context of the scenario. For example, an illustration of why this risk is particularly significant for this client or discussing how the impact may be increased in the light of other risks and information relevant to the scenario.  

• Significant
In the context of the AAA exam, it is essential that candidates assess the significant business risks within the scenario. These should be assessed as those issues which have a medium to high likelihood of occurrence and impact, after consideration of any mitigation which is described in the scenario. 

• Risk
Business risks, in the context of the AAA exam, are areas of uncertain occurrence and outcome, not factual statements of something which has already happened and, therefore, is already fully quantified in the scenario. 

Consider the example below from the September 2022 published question Winberry Co, a listed food delivery company whose sales are made entirely online.


In this question, there are several different related risks which a candidate might identify. This topic will be treated as only one risk regardless of which of those risks are developed, and marks will be available for many alternative development points.  

Examples of risks and evaluation are provided below.

Risk 1

Identification of the risk: Data breach may become public knowledge.

Initial development: The company will suffer reputational damage and lose customers.

Further evaluation:
• Customers will no longer trust Winberry Co to protect their online data. The fact that the company did not report the breach themselves may increase the reputational damage beyond that which would have occurred had this been disclosed immediately (considering severity in the context of the delay to reporting described in the scenario).
• The lack of trust in the website if customers do not trust Winberry Co to protect their data is a significant problem, as Winberry Co only operates online and has no physical stores or outlets (considering severity in the context of the specific business model).

Risk 2

Identification of the risk: The company might be fined for data breaches.

Initial development: This will put pressure on cash flow and reduce profits.

Further evaluation:
• Fines may be higher as a result of Winberry Co not reporting the breach themselves (considering severity in the context of the delay to reporting described in the scenario).
• The fall in profit may result in the breach of banking covenants (linking to the impact on other specific risks in the scenario).

Risk 3

Identification of the risk: Further data weaknesses may exist and have not yet been identified.

Initial development: These may be more serious breaches where customer credit card or identity details are lost.

Further evaluation:
• These will lead to more severe fines and bad publicity if this is the case (considering severity).

These examples are indicative not exhaustive, and candidates will be awarded credit for valid evaluation points which relate to the scenario.

Professional marks associated with business risk

In most cases, the professional marks available for the evaluation of business risk will be commercial acumen. These will be awarded in addition to the technical marks. Candidates will be awarded credit for professional skills when answers demonstrate an awareness of potential commercial.

Examples where commercial acumen could be demonstrated in response to the above scenario:

• Management’s failure to report the breach may lead to more serious consequences
• There is the additional risk of specific reputational damage which could impact share price as well as profits
• Linking the impact of any fine to the debt covenants on interest cover
• Linking the severity of the risk to the company being online only and, therefore, more exposed to the consequences of data risk than a traditional retail outlet for groceries

It is possible to evaluate a risk's severity in relation to the scenario without demonstrating commercial acumen, and it is also possible to demonstrate commercial acumen for a risk which is not considered fully evaluated. Where a single response does provide evaluation and demonstrate commercial acumen, credit will be awarded for both. The professional marks are additional to, rather than in place of, technical marks.

Candidates should also note that the following will not obtain marks for the identification and development of a risk.

Facts given in the question – there has been a data breach/credit card details may be lost – these are known and, therefore, not a risk. The risk is something uncertain as a result of the event, or an uncertain event.

Risks which are flagged as mitigated in the scenario – in the case of Winberry Co, the scenario was clear that specialised staff were employed to ensure food safety legislation was complied with as part of the company's risk management strategy. Such staff are likely to be easily replaceable given the ubiquitous nature of food. This might be different in a particularly niche industry where experts are less readily available. 

Extreme outcomes which are not likely – for example, 'the data breach will mean fines the company cannot afford to pay and it will be bankrupt'. Whilst worst case scenarios exist, if such an outcome is not likely in the context of the specific scenario, then it is not necessarily a significant risk or an appropriate evaluation in this case. This outcome might be valid in a different scenario, perhaps where the company has a history of severe data protection breaches, with total disregard for data protection, and the company was already loss making and experiencing cash flow issues. Candidates are expected to tailor their answers to the specific scenario in the question. This is a demonstration of professional judgement, which is an important skill for auditors.


Candidates preparing for the AAA exam should be mindful that they will be required to evaluate risks in the context of the specific information provided in a scenario in the exam. The examining team are looking for depth of evaluation of significant risks, rather than brief and untailored answers covering large numbers of risks. Candidates are recommended to use past published questions to practise evaluation skills. Exam question practice is essential, but candidates should remain mindful that they should not try to apply rote-learnt or generic responses in the real exam. They should ensure that their answer in the actual exam is tailored to the specific information provided in the question, otherwise little credit will be awarded. Well prepared candidates using good technique often achieve full marks in risk questions, and this is often indicative of those candidates demonstrating the requisite professional skills of an auditor.