Risk assessments are based on auditors’ understanding of the entity, its environment and internal control, and ISA 540 (Revised) includes enhanced risk assessment procedures to ensure that auditors have gained a good knowledge of the business with a specific requirement to document the key elements.
Understanding the entity and its environment
To provide a basis for the identification and assessment of the risks of material misstatement the first step in applying the standard is to obtain an understanding of the entity and its environment, including:
- transactions and other events/conditions that may give rise to the need for or changes in estimates to be recognised or disclosed;
- the requirements of the Financial Reporting framework relating to accounting estimates and how they apply in the context of the nature and circumstances of the entity and its environment, including how transactions or other events and conditions are subject to, or affected by, inherent risk factors;
- regulatory factors or frameworks relevant to the entity’s accounting estimates;
- the nature of the accounting estimates and disclosures (based on the understanding gained from the above procedures) that the auditor expects to see in the entity’s financial statements.
Understanding the control environment
The auditor also needs to understand the entity’s internal control which includes:
- the nature and extent of oversight and governance over management’s financial reporting process in relation to accounting estimates;
- how management identifies the need for, and applies specialised skills or knowledge related to accounting estimates, including with respect to the use of a management’s expert;
- how the entity’s risk assessment process identifies and addresses risks relating to accounting estimates; and
- the entity’s information system as it relates to accounting estimates.
A key scalability point is that the detailed information system understanding is only needed for estimates that arise from significant classes of transactions, account balances and disclosures.
The auditor needs to understand the relevant control activities over management’s process for making accounting estimates and how management reviews the outcomes of previous accounting estimates and responds to the results. The standard also includes a specific requirement to document the key elements of the auditor’s understanding of the entity, its environment and the entity’s internal control.
Prior period review
Another step in risk assessment is to revisit estimates used in the prior period or, where applicable, their subsequent re-estimation in the current period. This has always been a useful, if sometimes overlooked, requirement of ISA 540. By looking at the outcome of prior year accounting estimates, auditors can learn more about how the estimate is made and should be made, and it can contribute significantly to the risk assessment.
This is not designed to call into question previous judgements; rather, it assists in identifying current period risks. This is important as it helps auditors to make judgements about management’s track record in making estimates and assists in identifying and assessing the risks of material misstatement in the current period. This is often very useful and can enhance the auditor’s risk assessment considerably.
For example, an entity traditionally applies a sliding scale of percentages to provide for old inventory. If, in the current year, some types of inventory turn out to have been sold for both significantly higher and lower prices, this may indicate that the auditor needs to do more work to challenge management on whether such a simple technique is appropriate.
Conversely, if almost all old inventory is sold for an amount higher than the written down amount, it might indicate management bias and, at the very least, call into question whether the assumed percentages were the best estimates. At worst, it could indicate a deliberate attempt to defraud.
The auditor also needs to determine upfront whether the engagement team requires specialised skills to perform risk assessment procedures, identify or assess the risks of material misstatement, design and perform audit procedures to respond to those risks or evaluate the audit evidence obtained.