The auditor’s risk assessment and response: understanding and applying the requirements
International Standard on Auditing (ISA) 315 (Revised) Identifying and assessing the risks of material misstatement through understanding the entity and its environment explains auditors’ responsibilities in relation to risk assessment and internal control.
The identification and assessment of the risks of material misstatement by the auditor provide the basis for designing and implementing responses to them, which is addressed by ISA 330 The Auditor’s responses to assessed risks. ISA 315 is the ISA from which all other ISAs flow, and all ISAs are risk-based. Many auditors struggle to apply ISAs to small, less complex audits. This maybe due to a lack of understanding or because of the requirements in the ISAs themselves.
Risk assessment challenges for auditors
Risk assessment is critical to the performance of all financial statement audits. The idea of a “risk-based” approach to auditing has been around for many years, and it is not a difficult concept: the approach focuses audit effort on those areas that are most at risk of material misstatement. So, when planning an audit, the audit team would therefore be asking themselves:
- What are the areas of risk?
- How big is the threat of material misstatement associated with these risks?
- What audit procedures need to be performed to respond to the levels of risk assessed?
But both auditors and regulators report problems in applying the relevant auditing standards consistently. Key risk assessment issues include:
- The quality of linkages between risk assessment and response;
- The need to demonstrate and document how professional judgement was applied; and
- The definition, determination and understanding of ‘significant risk’ under the ISAs.
Understanding, documenting and testing internal control
Internal control is an area in which auditors often need to improve their risk assessment processes. In particular, auditors need to remember that internal controls are still relevant where a fully substantive audit approach is adopted. Understanding internal control and documenting that understanding is a challenge for all audits, irrespective of the client’s size or complexity. In smaller, less complex entities controls are typically informal and undocumented, and potentially compromised by a lack of segregation of duties. The involvement of the owner-manager in the day-to-day running of the business can have a positive and a negative effect on the evaluation of risk.
Even where auditors adopt a fully substantive approach, they should ask themselves whether they have:
- identified those controls that are relevant to the audit, such as those relating to the key transaction streams;
- checked whether those controls are designed appropriately to achieve their objectives; and
- obtained evidence that these controls have been implemented, eg, by walkthrough tests.
- Visit our guide on understanding, documenting and testing internal controls and implications for smaller entity audits.
- Visit our guide on practical considerations and examples of the types of work to be performed when obtaining an understanding of the design and implementation of internal control components.
The new ISA 315 (Revised): changes for 2022
The International Audit and Assurance Standards Board (IAASB) approved major changes to ISA 315 in September 2019. The changes will be effective for audits of financial statements for periods beginning on or after 15 December 2021. The effects of the revisions will be far-reaching and will require firms of all sizes to revise their approach to risk assessments.
Determining and applying materiality
The concept of materiality is fundamental to the audit. As the basis for the auditor’s opinion, ISAs require auditors to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement. Materiality is applied by auditors at the planning stage, and when performing the audit and evaluating the effect of identified misstatements on the audit and of uncorrected misstatements, if any, on the financial statements.
ISA 320 Materiality in planning and performing an audit does not include a definition for materiality. This is because the principle of materiality is first and foremost a financial reporting, rather than an auditing, concept. Also, the interpretation may differ in different parts of the world.
Financial reporting frameworks often discuss the concept of materiality in the context of the preparation and presentation of financial statements. It is important therefore that auditors refer to any discussion of materiality in the financial reporting framework when determining materiality for the audit. Such a discussion, if present, provides auditors with a frame of reference.
Using data analytics in external audit
Auditor data analytics is about enhancing audit quality. Data analytics consists of tools that extract, validate and analyse large volumes of data, quickly. The tools are applied to complete populations, 100% of the transactions, ie, “full data sets”, and they can be used to support judgements, draw conclusions or provide direction for further investigation. Auditing standards do not specifically address the use of data analytics in external audit.
Data analytics may be more commonly used in larger firms and the mid-tier, but smaller firms need to be aware of the potential for data analytics to transform smaller audits.
Addressing the risk of management override
Management override refers to the ability of management and/or those charged with governance to manipulate accounting records and prepare fraudulent financial statements by overriding controls, even where the controls might otherwise appear to be operating effectively.
Under ISA 240 The auditor’s responsibilities relating to fraud in an audit of financial statements auditors are required to assess the risk of material misstatement from management override of controls as significant, which requires specific documentation and affects the response of the auditor to risk.
Although the level of risk of management override of controls will vary from entity to entity it is, nevertheless, present in all entities.
Communications with those charged with governance
Identifying who is charged with governance, ensuring appropriate communication takes place and demonstrating this on the audit file are vital to the success of the audit of financial statements. ISA 260 (Revised) Communication with those charged with governance provides an overarching framework for the auditor’s communication with those charged with governance and includes specific matters that need to be communicated to them. In addition, a further standard, ISA 265 Communicating deficiencies in internal control to those charged with governance and management includes specific requirements regarding communicating significant deficiencies in internal controls identified by the auditor in the course of the audit.
Communicating effectively throughout the audit can improve its technical quality and cost effectiveness for entities of all shapes and sizes. Communication is not something you just have to do because International Standards on Auditing (ISAs) require it; it is something you should want to do in order to improve the audit.
Many audit files give good evidence of communication with management at the completion stage, but ISA 260 requires the audit team to establish effective two-way communication throughout the audit process. This means that the audit file should demonstrate a consistent level of communication throughout the audit.