Significant risks arise on most audits. When the auditor determines that a risk is a significant risk, the audit procedures should include (but not be limited to):
Obtaining an understanding of internal control, including relevant control activities, related specifically to those significant risks
Evaluating whether the controls have been designed and implemented to mitigate the risks
(AU-C 315.30)
Substantive procedures specifically designed to address the significant risk. Significant risks frequently arise from unusual, nonroutine transactions and from judgmental matters such as estimates. (AU-C 315.31) In addition, significant risks may relate to matters such as the following:
External circumstances. External circumstances giving rise to business risks influence the determination of whether the risk requires special audit attention. For example, technological developments might make a particular product obsolete, thereby causing inventory to be more susceptible to overstatement. Recent significant economic, accounting, or other developments also may require special attention.
Factors in the client and its environment. Factors in the client and its environment that relate to several or all of the classes of transactions, account balances, or disclosures may influence the relative significance of the risk. For example, a lack of sufficient working capital to continue operations or a declining industry characterized by a large number of business failures may have a pervasive effect on risk for several account balances, classes of transactions, or disclosures.
Recent developments. Recent significant economic, accounting, or other developments can affect the relative significance of a risk.
Complex calculations. Complex calculations are more likely to be misstated than are simple calculations.
Risk of fraud or theft. Revenue recognition is presumed to be a financial reporting fraud risk; cash is more susceptible to misappropriation than an inventory of coal.
Estimates. Accounts consisting of amounts derived from accounting estimates that are subject to significant measurement uncertainty pose greater risks than do accounts consisting of relatively routine, factual data.
Related-party transactions. Related-party transactions may create business risks that can result in a material misstatement of the financial statements.
Risks for Which Substantive Procedures Alone Do Not Provide Sufficient Appropriate Audit Evidence
For some risks it is not possible or practicable to reduce detection risk to an acceptably low level with audit evidence obtained only from substantive procedures. (AU-C 315.31) Examples of such situations include:
An entity that conducts its business using IT to initiate orders for the purchase and delivery of goods based on predetermined rules of what to order and in what quantities, and to pay the related accounts payable based on system-generated decisions initiated upon the confirmed receipt of goods and terms of payment.
An entity that provides services to customers via electronic media and uses IT to create a log of the services provided to its customers, to initiate and process its billings for the services, and to automatically record such amounts in the accounting records.
Step 3. Assessing the Risk of Material Misstatement
AU-C 315 describes risks as existing at one of two levels: the financial statement level or the relevant assertion level. This distinction is important because the nature of the auditor’s response differs depending on whether the risk is at the financial statement level or the assertion level.
Financial-statement-level risks. The risk of material misstatement at the financial statement level has a pervasive effect on the financial statements and affects many assertions. (AU-C 315.A122) The control environment is an example of a financial-statement-level risk. In some instances, it may not be possible to relate financial-statement-level risks to a specific assertion. (AU-C 315.A123–.A124) These risks should be related to assertion-specific responses. Financial-statement-level risks may require the auditor to develop an overall response, such as assigning more experienced team members.
Assertion-level risks. Assertion-level risks pertain to a single assertion or related group of assertions. Assertion-level risks will require the auditor to design and perform specific further audit procedures such as tests of controls and/or substantive procedures that are directly responsive to the assessed risk. (AU-C 315.A126)
(AU-C 315.26)
The auditor’s understanding of the entity and its environment—which includes an evaluation of the design and implementation of internal control—is used to assess the risk of material misstatement. To assess the risk of material misstatement, the auditor should:
Identify risks throughout the process of obtaining an understanding of the entity, its internal control, and its environment.
Relate the identified risks to what can go wrong at the relevant assertion level.
Consider whether the risks could result in a material misstatement to the financial statements.
Consider the likelihood that the risks could result in a material misstatement of the financial statements.
(AU-C 315.27)
NOTE: This process for assessing risk is consistent with the process for assessing the risk of material misstatement due to fraud. Essentially it is an information gathering, assessment, and response process, in which the auditor gathers information about the entity, assimilates and synthesizes that information to make an assessment of risk, and then designs audit procedures that are responsive to that risk.
The assessment of the risk of material misstatement enables the auditor to design appropriate further audit procedures, which are clearly linked and responsive to the assessed risk.
How to Consider Internal Control When Assessing Risks
When making risk assessments, the auditor should identify the controls that are likely to either prevent or detect and correct material misstatements in specific assertions.
Individual controls often do not address a risk completely in themselves. Often, only multiple control activities, together with other components of internal control (for example, the control environment, risk assessment, information and communication, or monitoring), will be sufficient to address a risk. For this reason, when determining whether identified controls are likely to prevent or detect and correct material misstatements, the auditor generally considers controls in relation to significant transactions and accounting processes (for example, sales, cash receipts, or payroll), rather than ledger accounts.
Revision of Risk Assessment
During the course of the audit, new information may surface that causes the auditor to change his or her assessment of the risk of material misstatements. If so, the auditor should revise the assessment and the planned audit procedures. (AU-C 315.32)
Documentation
The auditor should document the following:
The