In recognition that all risks are not equal, the revised ISA 540 introduces the concept of the spectrum of inherent risk when auditing accounting estimates.
While auditors will be familiar with the idea of risk assessment and may incorporate the concept of low, medium and high risk into their methodologies, the revised standard requires a more granular approach to risk assessment.
The spectrum of inherent risk is one of the key drivers of scalability in the revised standard because where the assessed risk falls on the spectrum will determine what further audit procedures the auditor will need to perform. The auditors’ assessment of inherent risk will depend on the degree to which the inherent risk factors affect the likelihood or the magnitude of misstatement.
The standard describes the inherent risk factors that need to be considered to help determine where a risk sits on the spectrum. These include the degree to which the accounting estimate is subject to estimation uncertainty and the degree to which the selection and application of methods, data and assumptions in making the estimate or the selection of the management’s point estimate and related disclosures are affected by subjectivity, complexity or other inherent risk factors. Management bias is not specifically identified in the requirements as an inherent risk factor but the application material refers to its link to subjectivity.
If inherent risk factors either individually or in combination affect estimates to a lesser degree auditors may therefore identify fewer risks and assess inherent risk at the lower end of the spectrum. The higher on the spectrum the risk falls, the more work auditors will need to do to ensure they obtain sufficient appropriate audit evidence and the more persuasive the audit evidence needs to be. This is where exercising and demonstrating professional scepticism is particularly relevant. There is no one size fits all approach and auditors need to use their professional judgement to assess where on the spectrum the risk falls.
Risks closer to the upper end of the inherent risk spectrum may be considered as significant risks. This will depend on the auditor’s professional judgement as well as the nature, size and complexity of the entity but a risk does not require both the magnitude and likelihood of misstatement to be high to be classed as significant. If the auditor assesses a risk as significant then the auditor needs to understand the entities internal controls and control activities relevant to that risk.
A practical problem for audit firms is how to apply the concept routinely and consistently across all audits. Staff training is key, because the use of narrative notes to document the risk assessment is the most flexible way to set out where the various risks are on the spectrum for different accounting estimates. However, auditors will also need to consider how this will affect sampling models to ensure a more focused response to the risk is designed.