Risks can occur because of the following:
1. Changes in operating environment
2. New personnel
3. New or revamped information systems
4. Rapid growth
5. New technology
6. New business models, products, or activities
7. Corporate restructurings
8. Expanded foreign operations
9. New accounting pronouncements
10. Changes in economic conditions
(AU-C 315.A90)
NOTE: The auditor's assessment of inherent and control risks is a separate consideration and not part of the entity's risk assessment.
Information and Communication
The auditor should obtain sufficient knowledge of the accounting information system to understand:
1. The classes of transactions that are significant to the financial statements
2. The procedures, both automated and manual, by which those transactions are initiated, recorded, processed, and reported from their occurrence to inclusion in the financial statements
3. The related accounting records, whether electronic or manual, supporting information, and specific accounts involved in initiating, recording, processing, and reporting transactions
4. How the information system captures other events and conditions that are significant to the financial statements
5. The financial reporting process
6. Controls surrounding journal entries, including nonstandard journal entries used to record nonrecurring, unusual transactions, or adjustments
(AU-C 315.19)
The auditor should understand the automated and manual procedures used to prepare financial statements and related disclosures, and how misstatements may occur. Such procedures include:
1. The procedures used to enter transaction totals into the general ledger
NOTE: The auditor should be aware that when information technology (IT) is used to automatically transfer information from transaction processing systems to general ledger or financial reporting systems, there may be little or no visible evidence of intervention in the information systems (e.g., an individual may inappropriately override automated processes by changing the amounts being automatically passed to the general ledger or financial reporting system).
2. The procedures used to initiate, record, and process standard (e.g., monthly sales and purchase transactions) and nonstandard (e.g., business combinations or disposals, or a nonrecurring accounting estimate) journal entries in the general ledger
NOTE: Auditors should be aware that:
● When IT is used to maintain the general ledger and prepare financial statements, such nonstandard entries may exist only in electronic form and may be more difficult to identify through physical inspection of printed documents.
● Financial statement misstatements are often perpetrated by using nonstandard entries to record fictitious transactions or other events and circumstances, particularly near the end of the reporting period.
3. Other procedures used to record recurring and nonrecurring adjustments (e.g., consolidating adjustments and reclassifications that are not made by formal journal entries)
The auditor should also obtain sufficient knowledge of the means the entity uses to communicate financial reporting roles and responsibilities and significant matters about financial reporting. (AU-C 315.20)
Control Activities
The auditor should obtain an understanding of those control activities that are relevant to the audit. (AU-C 315.21) Control activities are relevant to the audit if they are related to significant risks, as discussed later in this section. Examples of specific control activities include:
1. Authorization
2. Performance reviews
3. Information processing
4. Physical controls
5. Segregation of duties (e.g., assigning different people the responsibility for authorizing transactions, recording transactions, and maintaining custody of assets)
(AU-C 315.A99)
The auditor should also obtain an understanding of the process of reconciling detail to the general ledger for significant accounts. (AU-C 315.21)
Monitoring
The auditor should obtain sufficient knowledge of the major types of activities that the entity uses to monitor internal control over financial reporting, including the internal audit function – how it works, its responsibilities, and how it fits into the organization. (Section 610)
NOTE: Section 315 requires the auditor to gain an understanding of some controls that previously did not have to be addressed, including the following:
● How the incorrect processing of significant transactions is resolved
● The process of reconciling detail to the general ledger for significant accounts
● Control activities related to “significant risks,” as defined in the standard
Assessing the Risk of Material Misstatement
The auditor's understanding of the entity and its environment – which includes an evaluation of the design and implementation of internal control – is used to assess the risk of material misstatement. To assess the risk of material misstatement, the auditor should:
1. Identify risks throughout the process of obtaining an understanding of the entity, its internal control, and its environment.
2. Relate the identified risks to what can go wrong at the relevant assertion level.
3. Consider whether the risks could result in a material misstatement to the financial statements.
4. Consider the likelihood that the risks could result in a material misstatement of the financial statements.
(AU-C 315.27)
Financial-statement-level and assertion-level risks. The auditor should identify and assess the risks of material misstatement at both the financial statement level and the relevant assertion level. (AU-C 315.26)
1. Financial-statement-level risks. Some risks of material misstatement relate pervasively to the financial statements taken as a whole and potentially affect many relevant assertions. These risks at the financial statement level may be identifiable with specific assertions at the class of transaction, account balance, or disclosure level. (AU-C 315.122)
2. Assertion-level risks. Other risks of material misstatement relate to specific classes of transactions, account balances, and disclosures at the assertion level. The auditor's assessment of risks at the assertion level provides a basis for considering the appropriate audit approach for designing and performing further audit procedures. (AU-C 315.A126)
Risks that exist at the financial statement level – for example, those that pertain to a weak control environment or to management's process for making significant accounting estimates – should be related to specific assertions. In other instances, it may not be possible to relate financial-statement-level risks to a particular assertion or group of assertions. (AU-C 315.A123-.A124) Financial-statement-level assertions that cannot be related to specific assertions will require an overall response, such as the way in which the audit is staffed or supervised. Section 330 provides additional guidance on the auditor's overall responses to financial-statement-level risks.
How to consider internal control when assessing risks. When making risk assessments, the auditor should identify the controls that are likely to either prevent or detect