A new approach to risk assessment
Alex Russell, Technical Manager, Audit Practice & Regulation at the Audit & Assurance Faculty explains why auditors will need to start thinking about risk differently.
Audit firms of all sizes will need to revise their approach to risk assessment for all audits of financial statements for periods beginning on or after 15 December 2021. This is some time away, but the scale of the changes and the practical challenges of preparation should not be underestimated.
The revised auditing standard, Identifying and Assessing the Risks of Material Misstatement Through Understanding of the Entity and Its Environment (ISA 315 (Revised)), introduces major changes in approach to risk identification and assessment, which are intended to drive a more focused response from auditors to identified risks.
The key changes are introduced in our September 2020 webinar by Jenny Reed of Baker Tilly and Phil Lenton of Deloitte. This article shares some of the practical challenges and areas of focus for auditors, to help prepare you for implementation.
Reading the standard
The first thing that auditors should note is the size of the standard. It is considerably longer than its predecessor. Reed points out that the first challenge may be finding the time to read it. Some of this increase is down to the greater volume of application material. The benefits of this, says Lenton, include a number of practical examples.
The standard also includes six appendices with detailed guidance on areas such as inherent risks, IT controls and internal audit. There is greater focus on the IT environment, risks arising from the use of IT, and general IT controls.
Auditors need to understand the new and updated definitions in the standard, including inherent risk factors. Those who are already getting to grips with ISA (UK) 540 (Revised) on auditing estimates will be familiar with a new layout and some of the new definitions.
Spectrum of risk
One of the important new concepts in ISA 315, and the subject of several questions from members during the webinar, is the idea of ‘inherent risk factors’. As a reminder, inherent risk is the susceptibility of an assertion about transactions, balances or disclosures to a potentially material misstatement, either individually or in aggregate, before consideration of related controls.
The ‘inherent risk spectrum’ involves a more granular consideration of risks, which plots the potential magnitude of misstatement on one axis against its likelihood on the other, to determine where on the spectrum an inherent risk sits. The intention is to drive more focused responses to different risks.
Inherent risk factors help determine where a risk sits on the inherent risk spectrum. They include: complexity; subjectivity; change; uncertainty; management bias; other fraud risk factors; and other events or conditions, such as the entity’s past history of misstatements and control deficiencies, or lack of personnel with appropriate financial reporting skills.
A ‘significant’ risk is one close to the upper end of the spectrum of inherent risk, or one that has to be treated as a significant risk under other ISAs. Determining which risks are at the upper end depends on the nature and circumstances of the entity, and of course the auditor’s judgement. To be identified as a significant risk, the inherent risk will not necessarily need to be high up on both axes of likelihood and magnitude – one will do.
Audit programmes may need to be flexed to cater for this more granular risk assessment, and auditors will need to consider how to do this. If you rely on methodology providers and software, initiate an early conversation with your provider to ascertain whether they have given this due consideration. “For those of you who either write your own methodology from scratch, or who heavily customise an off-the-shelf one: if you haven’t already started thinking about how to update it, you need to start now. The two years remaining until roll-out will go very quickly indeed,” says Reed.
The revised ISA brings together the specific areas in which the auditor is required to obtain an understanding of the control activities. These include controls that address a significant risk, controls over journal entries, controls for which the auditor plans to test operating effectiveness, and other controls that the auditor considers appropriate. Virtually all entities use journals, so it is not possible to avoid controls altogether.
If you plan to test the operating effectiveness of controls, you will be required to assess control risk as well as understand control activities. Auditors are also required to carry out a separate assessment of inherent risk and control risk.
The revised ISA has more on the IT environment and controls. Auditors will have to gain an understanding of information processing activities and identify risks arising from the use of IT. They will also need to understand the entity’s general IT controls that address such risks, including risks arising from use of IT applications.
There is a new stand-back requirement. For material classes of transactions, balances and disclosures that have not been assessed as ‘significant’, the auditor will evaluate whether that determination remains appropriate. In terms of documenting this on the audit file, Reed suggests that auditors may need to identify those risks that were identified on the ‘first pass’ of the risk assessment, and those, if any, that were identified on the ‘second pass’ mandated by the stand-back requirement.
To help with scalability, the application material incorporates specific considerations and examples relating to both less and more complex entities, and how the ISA requirements might apply differentially to entities of different complexity.
The need to consider the likelihood and magnitude of potential misstatements is mentioned in the extant standard, but only briefly, and it is often not explicitly documented on audit files. In the revised ISA, likelihood and magnitude drive the inherent risk assessment at the assertion level, using the new inherent risk factors. Thought processes, methodology and documentation will need to reflect this.
Auditors will of course need to identify all risks first before assessing their likelihood and magnitude.
The initial use of the new inherent risk spectrum may result in less consistency across different audits, as there will be more scope for professional judgements to diverge. This may become an increasingly important area of audit quality for firms to monitor, especially when new quality management standards come into force (learn more about proposed adoption in the UK here and internationally.
So, what can auditors do now? Reed and Lenton encourage you to read the new standard and familiarise yourself with the key concepts, new definitions and the inherent risk spectrum, and have early conversations about how your methodology will incorporate the changes and the training that will follow.
1. The introduction of five new inherent risk factors to aid in risk assessment: subjectivity, complexity, uncertainty, change, and susceptibility to misstatement due to management bias or fraud.
2. A new spectrum of risk, at the higher end of which lie significant risks.
3. Requiring “sufficient, appropriate” evidence to be obtained from risk assessment procedures as the basis for the risk assessment.
4. A great deal more on IT, particularly IT general controls.
5. More on controls relevant to the audit and on the design and implementation work required for these controls.
6. Removal of considerations specific to smaller entities as a separate category of paragraph, inclusion of that material within the main body of the text and the addition of new material.
7. Other changes including:
- requiring inherent and control risk to be assessed separately (the extant standard permits a combined assessment);
- distinguishing between direct and indirect control components; and
- a new stand-back requiring reconsideration, when material classes of transactions, account balance and disclosure are not assessed as significant.
The revisions aim to drive better quality and more consistent risk assessments, as well as promote the exercise of professional scepticism.
Understanding the nature and extent of the changes required will be a significant task for those performing ISA audits.
ISA 315 – questions and answers
What key areas for small entity audits are expected to be most challenging?
If you are reliant on a provider for your methodology, checking early on that the programme can cater for the inherent risks is important. The higher level of focus on IT controls may mean you will need to spend more time understanding the new requirements. You will also need to consider the extent to which prior year risk assessment working papers can be rolled forward.
How is ‘likelihood’ expected to be measured and quantified in the inherent risk spectrum?
‘Likelihood’ is ultimately an area for professional judgement based on consideration of the inherent risk factors and their effect on the possibility that a material misstatement will occur. For example, you might expect the risk of misappropriation of cash to have a higher likelihood in a supermarket using tills than in an online business.
ISA 315 resources
An ICAEW summary on the revised ISA 315 and resources to assist auditors to prepare for implementation.
The faculty webinar Identifying and assessing risks under ISA 315 (Revised) (This is restricted to Audit and Assurance Faculty members)