● Preliminary identification of areas in which there may be a higher risk of material misstatement
● The effect of the assessed risk of material misstatement at the overall financial statement level on direction, supervision, and review
● The manner in which the auditor emphasizes to engagement team members the need to maintain a questioning mind and exercise professional skepticism in gathering and evaluating audit evidence
● Results of previous audits that involved evaluating the operating effectiveness of internal control, including the nature of identified deficiencies and action taken to address them
● The discussion of matters that may affect the audit with firm personnel responsible for performing other services to the entity
● Evidence of management's commitment to the design, implementation, and maintenance of sound internal control, including evidence of appropriate documentation of such internal control
● Volume of transactions, which may determine whether it is more efficient for the auditor to rely on internal control
● Importance attached to internal control throughout the entity to the successful operation of the business
● Significant business developments affecting the entity, including changes in IT and business processes; changes in key management; and acquisitions, mergers, and divestments
● Significant industry developments, such as changes in industry regulations and new reporting requirements
● Significant changes in the financial reporting framework, such as changes in accounting standards
● Other significant relevant developments, such as changes in the legal environment affecting the entity
Nature, Timing, and Extent of Resources
The following examples illustrate the nature, timing, and extent of resources:
● The selection of the engagement team (including, when necessary, the engagement quality control reviewer; see AU-C Section 220, Quality Control for an Engagement Conducted in Accordance with Generally Accepted Auditing Standards) and the assignment of audit work to the team members, including the assignment of appropriately experienced team members to areas in which there may be higher risks of material misstatement.
● Engagement budgeting, including considering the appropriate amount of time to set aside for areas in which there may be higher risks of material misstatement.
AU-C 315 UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT
AU-C Original Pronouncements
Technical Alert
In October 2015, the Auditing Standards Board (ASB) issued Statement on Auditing Standards (SAS) No. 130. SAS No. 130 contains amendments to this section. Any relevant changes are incorporated into the information that follows.
Definitions of Terms
Source: AU-C 315.04
Assertions. Representations by management, explicit or otherwise, that are embodied in the financial statements as used by the auditor to consider the different types of potential misstatements that may occur.
Business risk. A risk resulting from significant conditions, events, circumstances, actions, or inactions that could adversely affect an entity's ability to achieve its objectives and execute its strategies, or resulting from the setting of inappropriate objectives and strategies.
Internal control. A process effected by those charged with governance, management, and other personnel that is designed to provide reasonable assurance about the achievement of the entity's objectives with regard to the reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. Internal control over safeguarding of assets against unauthorized acquisition, use, or disposition may include controls relating to financial reporting and operations objectives.
Relevant assertion. A financial statement assertion that has a reasonable possibility of containing a misstatement or misstatements that would cause the financial statements to be materially misstated. The determination of whether an assertion is a relevant assertion is made without regard to the effect of internal controls.
Risk assessment procedures. The audit procedures performed to obtain an understanding of the entity and its environment (including the entity's internal control) to identify and assess the risks of material misstatement, whether due to fraud or to error, at the financial statement and relevant assertion levels.
Significant risk. An identified and assessed risk of material misstatement that, in the auditor's professional judgment, requires special audit consideration.
Objectives of AU-C Section 315
AU-C Section 315.03 states that:
…the objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and relevant assertion levels through understanding the entity and its environment, including the entity's internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement.
Overview
The audit risk model describes audit risk as:
where AR is audit risk, RMM is the risk of material misstatement, and DR is detection risk. The risk of material misstatement is a combination of inherent and control risk. Although the standard describes a combined risk assessment, the auditor may perform separate assessments of inherent and control risks.
Section 315 describes how the auditor should identify and assess the risk of material misstatement, which provides a basis for designing further audit procedures. These further audit procedures (which consist of tests of controls and substantive tests) must be clearly linked and responsive to assessed risks.
Section 315 also includes the concept of significant risks, which are risks that require special audit consideration. (See “Definitions of Terms.”) One or more significant risks arise on all audits.
The following is an overview of how the process is described in Section 315:
1. Perform risk assessment procedures to gather information and gain an understanding of the entity and its environment, including internal control.
2. Based on this understanding, identify risks of material misstatement, which may exist at either the financial statement or the relevant assertion level.
3. Assess the risk of material misstatement, which requires the auditor to:
   ● Identify the risk of material misstatement.
   ● Describe the identified risks in terms of what can go wrong in specific assertions.
   ● Consider the significance and likelihood of material misstatement for each identified risk.
NOTE: This process for assessing risk is consistent with the process for assessing the risk of material misstatement due to fraud. Essentially it is an information gathering, assessment, and response process, in which the auditor gathers information about the entity, assimilates and synthesizes that information to make an assessment of risk, and then designs audit procedures that are responsive to those risks.
The assessment of the risk of material misstatement enables the auditor to design appropriate further audit procedures, which are clearly linked and responsive to the assessed risks.
NOTE: Section 315 describes risks as existing at one of two levels: the financial