Under the revised ISA 315, Identifying and Assessing the Risks of Material Misstatement, the auditor is responsible for identifying and assessing the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement.
Below is a summary of the key changes in the revised ISA 315.
1. Five new inherent risk factors introduced to aid in risk assessment:
- Subjectivity
- Complexity
- Uncertainty
- Change; and
- Susceptibility to misstatement due to management bias or fraud
2. A new spectrum of inherent risk, at the higher end of which lie significant risks.
3. Requiring “sufficient, appropriate” evidence to be obtained from risk assessment procedures as the basis for the risk assessment.
4. A great deal more on IT, particularly general IT controls.
5. More on controls relevant to the audit and on the design and implementation work required for these controls.
6. “Scalability Considerations” as a separate category of paragraph.
[The revised standard focuses on complexity rather than size (i.e., ‘less complex entities’ rather than ‘smaller entities’, in line with the IAASB’s approach to such entities).
Scalability has been illustrated through the use of contrasting examples throughout the standard (i.e., illustrating both ends of the complexity spectrum) rather than only focusing on ‘smaller entities’.]
7. Other changes including:
- separate assessment required to assess inherent and control risk (the extant standard permits a combined assessment);
[This separate assessment was introduced into the revised ISA 315 so as to maintain consistency with ISA 330, The Auditor’s Responses to Assessed Risks which also requires the auditor to consider inherent risk and control risk separately in order to respond appropriately to assessed risks of material misstatement at the assertion level.]
- distinguishing between direct and indirect control components; and
- a new stand-back requirement, requiring reconsideration when material classes of transactions, account balances and disclosures are not assessed as significant.
[Once the auditor has obtained the required level of understanding and has identified the significant classes of transactions, account balances and disclosures, the auditor must ‘stand back’ and evaluate the audit evidence arising from their risk assessment procedures.
Once this understanding has been obtained (and throughout the audit process) the auditor must apply professional skepticism in critically evaluating the audit evidence and knowledge.
For material classes of transactions, account balances or disclosures that have not been determined as significant, the auditor is required to assess, using professional judgement, whether this determination still remains appropriate.
This requirement has been introduced into the revised ISA 315 to prompt the auditor to confirm the COMPLETENESS of the identified risks. In other words, requiring the auditor to focus their attention on material classes of transactions, account balances and disclosures that HAVE NOT been determined as significant and to assess whether this remains the case on evaluating all of the evidence obtained from the risk assessment procedures which have been performed.]
Inherent risk is described as the susceptibility of an assertion about a class of transactions, account balance or disclosure to a misstatement that could be material. This is before consideration of the client’s internal controls.
- For example, the inherent risk could be potentially higher for the valuation assertion of accounts that require in-depth technical calculation or rely on an accountant’s best estimate.
How to identify & assess inherent risk?
(a) Inherent risk factors
Factors may be qualitative or quantitative and affect the susceptibility of assertions to misstatement. Auditors may consider the following 5 factors when identifying and assessing inherent risks:
- Complexity (arises either from the nature of the information or in the way that the required information is prepared)
For example, complex accounting or reporting requirements such as the audit of a large, multi-national insurance group.
- Subjectivity (arises from inherent limitations in the ability to prepare required information in an objective manner, due to limitations in the availability of knowledge or information, such that management may need to make subjective judgment)
For example, choice of valuation methodology or basis for accounting estimations.
- Change (results from events or conditions that affect the entity’s business or the economic, accounting, regulatory, industry or other aspects of the environment in which it operates)
For example, customer change or geographical expansion.
- Uncertainty (arises when the required information cannot be prepared based only on sufficiently precise and comprehensive data that is verifiable through direct observation)
For example, contingent liabilities or uncertainty over key issues (environmental, legal or financial), such as the audit of a company with ongoing litigation issues (requiring provisions and estimates of liability).
- Susceptibility to misstatement due to management bias or other fraud risk (certain conditions that have the potential to give rise to management not maintaining neutrality in exercising judgment)
For example, transactions with related parties, the use of manual adjustments, bonus schemes dependent on financial results.
(b) Spectrum of inherent risk
The concept of the spectrum of inherent risk assists auditors in making a judgement based on the likelihood and magnitude of a possible misstatement.

Control risk is described as the risk that a misstatement that could occur in an assertion about a class of transactions, account balance or disclosure, and that could be material, will not be properly identified and corrected by the client’s internal controls.
- For example, control risk would be higher for the valuation assertion of accounts receivable if the client fails to conduct an independent review and formal verification of the calculations and estimates made by the client’s accounting staff.
How to identify & assess control risk?
(a) 5 components of internal control system
The entity’s system of internal control refers to the whole system that is made up of the 5 components. Controls are the policies and procedures embedded within the components of the entity’s system of internal control. The 5 components are as follows:
- Control Environment (includes the management functions, attitudes and concern for the entity’s system of internal control. It sets the tone of an organization, influencing the control consciousness of its people, and provides the overall foundation for the operation of the other components of internal control)
- Risk assessment process (an iterative process for identifying and analyzing risks to achieving the entity’s objectives, which forms the basis for how management determines the risks to be managed)
- Monitoring process (a continual process to evaluate the effectiveness of the entity’s system of internal control and to take necessary remedial actions on a timely basis)
- Information system and communication (relevant to the preparation of the accounts: recording transactions, resolving incorrect transactions, and capturing and processing information)
- Control activities (include information processing controls and general IT controls such as authorization, approval, verification, segregation of duties, etc.)
The 5 components are split into 2 types, indirect controls and direct controls:

(a) General IT controls
ISA 315 (Revised 2019) enhances the auditor’s considerations in relation to the entity’s use of information technology and how it affects the audit, and includes considerations for using automated tools and techniques.
General IT controls refer to controls over the entity’s IT processes that support the operation of the IT environment, including the effective operation of information processing controls and the integrity of information (e.g., the completeness, accuracy and validity of information) in the entity’s information system.
Auditors are required to understand the entity’s IT environment, IT processes and IT controls in place. From this, the auditor is then required to identify the related risks arising from the use of IT and the entity’s general IT controls that address such risks.
The auditor needs to understand how the entity processes information, and how this data is used throughout the business. There should be an understanding of the accounting records, how the information is captured and controlled and how these flow into the accounts in the financial statements.
(b) Information Processing controls
These are controls relating to the processing of information in IT applications or manual information processes in the entity’s information system that directly address risks to the integrity of information (e.g., the completeness, accuracy and validity of transactions and other information).