Preparing for ISA 315 (Revised 2019)
Many auditors assume that ISA 315 (Revised 2019) is, in most instances, the same as the existing standard, which is not the case. This new standard, which comes into effect for audits of financial statements for periods beginning on or after 15 December 2021, not only expands on concepts in the existing standards, but also introduces new concepts in the risk assessment process. New concepts, such as ‘relevant assertions’ and ‘significant classes of transactions, account balances or disclosures’, explain the way auditors should consider and respond to the risk of material misstatement. It is critical for auditors to understand the concepts addressed in this new standard, and to amend their existing risk assessment processes and methodologies accordingly.
New concepts introduced
Firstly, the standard introduces the concept of ‘relevant assertions’. An assertion about a class of transactions, account balance or disclosure is relevant when it has an identified risk of material misstatement. The auditor determines the relevant assertions, before considering any related controls; therefore, this determination is based on the inherent risk.
Once the auditor has identified all relevant assertions, a ‘significant class of transactions, account balance or disclosure’ is determined as those classes of transactions, account balances or disclosures for which there is one or more relevant assertions.
When assessing inherent risk related to a particular risk of material misstatement, the auditor uses professional judgment to determine where the risk lies within a range, from lower to higher, on the ‘spectrum of inherent risk’. This judgment may vary based on the nature, size and complexity of the entity, and considers the assessed likelihood and magnitude of the misstatement and ‘inherent risk factors’.
The ‘inherent risk factors’ are characteristics of events or conditions that affect the susceptibility of assertions to misstatement, whether due to fraud or error, before consideration of controls. Such inherent risk factors may be qualitative or quantitative, and include complexity, subjectivity, change, uncertainty, or susceptibility to misstatement due to management bias or other fraud risk factors.
The risk assessment process
While employing risk assessment procedures, the auditor obtains an understanding of the entity’s system of internal control, the entity and its environment, and the applicable financial reporting framework. This facilitates the identification of risks of material misstatement.
For this identification of risks of material misstatement, the auditor has to determine whether the risks are present at the financial statement level or the assertion level. Based on the risks identified at assertion level, the auditor determines the relevant assertions and the related significant classes of transactions, account balances and disclosures.
Next, the auditor assesses the inherent risk of the identified risks of material misstatement at assertion level by assessing the likelihood and magnitude of misstatement, and considering the degree to which inherent risk factors affect the susceptibility of relevant assertions to misstatement and financial statement level risks affect the assessment of assertion level risks. Based on this assessment of inherent risk, the auditor identifies whether any of these risks are significant by considering those risks close to the upper end of the spectrum of inherent risk.
If the auditor plans to place reliance on controls, or the auditor identifies during this process that there are some identified risks of material misstatement for which substantive procedures alone cannot provide sufficient appropriate audit evidence, then the auditor proceeds to assess control risk. However, if there is no plan or requirement to test the operating effectiveness of controls, the auditor does not assess control risk and the assessment of the risk of material misstatement is purely based on the inherent risk assessment.
Amending existing processes and methodologies
Many auditors underestimate the potential impact of these new concepts and the revised risk assessment process on their existing methodologies. Firms using standard, off-the-shelf audit methodologies need to follow up with their service providers to ensure that their products are fully updated, and firms that have developed their own audit methodologies need to study the requirements closely to ensure that all aspects have been incorporated.
Auditors need to ensure that they are fully prepared for the new concepts and revised risk assessment process. LEAF can assist firms by reviewing methodologies, providing practical advice and training staff on the new requirements.
1. IAASB: ISA 315 (Revised 2019), Identifying and assessing the risks of material misstatement