Risk assessment is a crucial step during any audit, and involves a great deal of judgment by the auditor, especially when it comes to determining which of the risks identified are significant. Many auditors grapple with this, and end up simply including the presumed significant risks of revenue recognition and management override of controls, per ISA 315 and 240, instead of truly applying their mind to the circumstances of each audit client and adequately justifying the risk assessment on file. This article attempts to break this important assessment down into simple terms to assist auditors in practice.
What the standards require
ISA 315 (Revised) para. 26 stipulates that the auditor identify risks based on the understanding obtained of the entity and its environment, including internal control. This is accomplished through observation and inspection, enquiries of management and analytical procedures.
Para. 28 sets out factors to be considered when evaluating possible significant risks:
(a) Fraud risk
(b) Significant economic, accounting or other developments
(c) Complexity of transactions
(d) Significant transactions with related parties
(e) Estimation uncertainty
(f) Transactions that are outside the normal course of business for the entity.
After identifying all the relevant risks, the auditor needs to assess each risk to determine whether it is a pervasive financial statement level risk or not. Next, the identified risks need to be related to what can go wrong at assertion level. Lastly, the auditor needs to evaluate the impact or magnitude and the probability or likelihood of error or fraud related to each risk.
Based on the assessment of the magnitude and likelihood of risk, the auditor needs to determine which of the risks are significant, with due consideration of ISA 315 (Revised) para. 28; the presumed significant risk of fraud by management override of controls, per ISA 240; and potential related-party significant risks, due to transactions outside the normal course of business, per ISA 550.
Evaluating magnitude is the easier part of the risk assessment, as it simply means considering whether the risk could result in a material misstatement, should it materialise, based on the size or extent of the potential misstatement. Potential misstatements in individual statements and disclosures may be judged to be material, due to:
• Size: individually or in aggregate exceeding materiality (quantitatively material)
• Nature: fraud, error, non-compliance (qualitatively material)
• Circumstances: e.g. could contribute to the entity not being a going concern (qualitatively material).
Both qualitative and quantitative material misstatements would influence the decisions of the users of the financial statements.
Evaluating likelihood means considering the probability of the risk occurring in the specific circumstances of the audit client. Many factors may impact the assessment of likelihood, including:
• Frequency, e.g. non-routine vs. routine transactions involved
• The level of judgment and potential management bias involved, e.g. significant management judgment involved in developing accounting estimates
• Complexity of underlying processes and transactions, e.g. complex accounting requirements involving multiple accounting entries vs. simple transactions
• Previous misstatements, e.g. the risks that materialised in prior years, resulting in a qualification.
You can only evaluate the likelihood of identified risk if you have a proper and thorough understanding of the business of the audit client. Do not attempt risk assessment without it.
Response to identified risks
The standard is not clear regarding the exact required response to significant risks identified. However, it does entail performing enough procedures to obtain more credible evidence to reduce the remaining risk of misstatement to an acceptable level, through a combination of substantive analytical procedures, internal control compliance tests and substantive tests of detail.
When each risk identified is evaluated in adequate detail for its magnitude and likelihood, it is easy to identify the significant risks that require specific audit focus, justify the judgments made during the risk assessment, and determine the most appropriate audit approach.
REMEMBER: If it is not documented, it never happened (as per the IRBA).
LEAF stands ready to assist through providing practical advice and performing thorough file reviews. Contact LEAF for peace of mind!
1. IAASB: ISA 315 (Revised), Identifying and assessing the risks of material misstatement through understanding the entity and its environment
2. IAASB: ISA 240, The auditor’s responsibilities relating to fraud in an audit of financial statements
3. IAASB: ISA 550, Related parties