● The risk of material misstatement at the financial statement level has a pervasive effect on the financial statements and affects many assertions. The control environment is an example of a financial-statement-level risk. In addition to developing assertion-specific responses, financial-statement-level risks may require the auditor to develop an overall response, such as assigning more experienced team members.
● Assertion-level risks pertain to a single assertion or related group of assertions. Assertion-level risks will require the auditor to design and perform specific further audit procedures such as tests of controls and/or substantive procedures that are directly responsive to the assessed risk.
Section 330 provides guidance on the design and performance of further audit procedures.
In all audits, the auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or to fraud, and to design the nature, timing, and extent of further audit procedures.
This assessment of the risk of material misstatement becomes the basis for the proper design of further audit procedures.
NOTE: Obtaining an understanding of the entity and its environment also allows the auditor to make judgments about other audit matters, such as:
● Materiality
● Whether the entity's selection and application of accounting policies are appropriate and financial statement disclosures are adequate
● Areas where special audit consideration may be necessary – for example, related-party transactions
● The expectation of recorded amounts used for performing analytical procedures
● The evaluation of audit evidence
Even if the auditor plans a purely substantive audit, he or she still is required to obtain an understanding of internal control. Such an understanding is necessary to:
● Identify missing or ineffective controls.
● Evaluate identified control deficiencies.
● Confirm that substantive procedures alone are sufficient to design and perform an appropriate audit strategy and provide sufficient appropriate audit evidence to support the audit opinion.
Requirements
Risk Assessment Procedures
The auditor should perform risk assessment procedures to provide a basis for the assessment of material misstatement. (AU-C 315.05) Risk assessment procedures include:
1. Inquiries of management, individuals in the internal audit function, and others at the client
2. Analytical procedures
3. Observation and inspection
(AU-C 315.06)
The auditor's risk assessment procedures provide the audit evidence necessary to support the auditor's risk assessments, which in turn support the determination of the nature, timing, and extent of further audit procedures. Thus, the results of the auditor's risk assessment procedures are an integral part of the audit evidence obtained to support the opinion on the financial statements.
NOTE: Under the previous auditing standards, it was common for auditors to declare control risk to be maximum simply for audit efficiency, without any basis for making that assessment. Section 315 eliminates that practice by requiring auditors to document their rationale for assessing control risk. This rationale should be based on the information gathered from the performance of risk assessment procedures. The elimination of the auditor's ability to default to maximum control risk without justification is a significant change from previous practice.
A Mix of Procedures
Except for the five components of internal control, the auditor is not required to perform all the procedures for each of the five aspects of the client and its environment listed in the upcoming subsection, “The Entity and Its Environment.” However, in the course of gathering information about the client, the auditor should perform all the risk assessment procedures.
Other procedures may provide relevant information about the entity. For example:
● When relevant to the audit, the auditor should consider other information, which may include:
● Information obtained from the client acceptance or continuance process (AU-C 315.07)
● Experience gained on other engagements performed for the entity (AU-C 315.08)
● Some of the procedures the auditor performs to assess the risks of material misstatement due to fraud also may help gather information about the entity and its environment, particularly its internal control. (AU-C 315.09)
NOTE: Because of the close connection between the assessment of the risk of material misstatement and the procedures performed to assess fraud risk, the auditor will want to:
● Coordinate the procedures he or she performs to assess the risk of material misstatement due to fraud with the other risk assessment procedures.
● Consider the results of his or her assessment of fraud risk when identifying the risk of material misstatement.
Updating Information from Prior Periods
If certain conditions are met, the auditor may use information obtained in prior periods as audit evidence in the current period audit. However, when the auditor intends to use information from prior periods in the current period audit, the auditor should determine whether changes have occurred that may affect the relevance of the information for the current audit. (AU-C 315.10) To make this determination, the auditor should make inquiries and perform other appropriate audit procedures, such as walk-throughs of systems. (AU-C 315.A20)
Discussion by the Audit Team
The members of the audit team should discuss the susceptibility of the client's financial statements to material misstatement. (AU-C 315.11) This discussion will allow team members to exchange information and create a shared understanding of the client and its environment, which in turn will enable each team member to:
● Share his or her knowledge.
● Gain a better understanding of the potential for material misstatement resulting from fraud or error in the assertions that are relevant to the areas assigned to them.
● Exchange information about business risks.
● Understand how the results of the audit procedures that they perform may affect other aspects of the audit.
This “brainstorming session” of the audit team could be held at the same time as the team's discussion related to fraud, which is required by Section 240. (AU-C 315.A21)
Understanding the Entity and Its Environment, Including Internal Control
The Entity and Its Environment
The auditor should obtain an understanding of the following five elements of the entity and its environment:
1. External factors, including:
● Industry factors, such as the competitive environment, supplier and customer relationships, and technological developments.
● The regulatory environment, which includes the applicable financial reporting framework, the legal and political environment, and environmental requirements that affect the industry.
● Other matters, such as general economic conditions
2. Nature of the client, which includes its operations, its ownership, governance, the types of investments it makes and plans to make, how it is financed, and how it is structured.
3. Accounting policies, including the entity's selection and application of accounting policies, the reasons for any changes, and whether the entity's accounting policies