1. Risk scoping

Many auditors are still grappling with applying the principles of ISA 315 (Revised 2019) when performing risk assessment and audit scoping. The standard requires the auditor to identify relevant assertions based on risks identified. An assertion is regarded as relevant where there is a reasonable possibility of a material misstatement. Assertions that have no risks attached to them may be scoped out for audit testing, provided that the auditor documents adequate reasons, in support of the risk assessment. For material balances with no relevant assertions, i.e. no identified risks linked to the assertions, the auditor simply needs to identify and test the assertion that is most likely to be misstated.

The purpose of these principles is to ensure that identified risks receive adequate audit focus to identify possible misstatements, rather than spending unnecessary time on areas that carry no risk of material misstatement. However, many auditors still perform testing on all assertions, which may detract from placing enough audit attention on the assertions where risks are identified, and may result in an inefficient audit. If the auditor is uncomfortable about leaving out certain assertions, it may indicate that the risk assessment was not robust enough and, therefore, not all relevant assertions were identified in the first place.

2. Inadequate consideration of IT

Audit regulators commonly find deficiencies relating to IT on matters affecting the audit approach, such as reliance on controls that include information technology general controls (ITGC) and application controls. The use of IT-generated information, without testing the reliability of the system-generated reports or obtaining reliance on ITGCs for audit purposes, is also a key factor.

Auditors are cautioned to obtain and document an adequate understanding of IT processes and the effectiveness of IT controls in the financial system, in order to sufficiently assess IT risks and conclude on their impact on the audit approach. When reliance is placed on information obtained from the systems for audit testing, the completeness and accuracy of system-generated source information must be tested. Where reliance is placed on IT general controls for the completeness and accuracy of system-generated source information, IT general-controls testing must be performed first, and conclusions drawn on the reliability of the results.