Auditing Standards) and the assignment of audit work to the team members, including the assignment of appropriately experienced team members to areas in which there may be higher risks of material misstatement.
Engagement budgeting, including considering the appropriate amount of time to set aside for areas in which there may be higher risks of material misstatement.
10 AU-C 315 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
Step 1. Perform Risk Assessment Procedures
Step 2. Identification of Significant Risks
Step 3. Assessing the Risk of Material Misstatement
Examples of Matters to Consider When Obtaining an Understanding of the Entity and Its Environment
The Client’s Business: New Client
The Client’s Business: Continuing Client
Using a Risk-Based, Top-Down Approach to Evaluate Internal Control
Effect of IT on Internal Control
SCOPE
AU-C 315 provides guidance for the auditor to identify and assess the risks of material misstatement. The auditor does this by obtaining an understanding of the entity and its environment, including internal control. (AU-C 315.01)
TECHNICAL ALERT
Through the AICPA’s initiative on Enhancing Audit Quality (EAQ), data surfaced that indicated firms often fail to perform appropriate risk assessments and link those risk assessments to their audit procedures in compliance with AU-C Section 315 and AU-C Section 330. As a result, the AICPA Peer Review Board has developed stronger, more precise guidance. The Peer Review Board in its September 2018 Alert, as clarified in October 2018, announced an updated focus on risk assessment documentation and a new section in the Peer Review Manual, Evaluation of Non-Compliance with the Risk Assessment Standards. This new guidance is effective for peer reviews scheduled from October 2018 through September 2021.
The Alert emphasizes that reviewers should be alert to these areas of common non-compliance:
Failure to gain an understanding of internal control
Improperly assessing control risk
Insufficient risk assessment
Failure to link procedures performed to the risk assessment
Failure to Gain an Understanding of Internal Control
According to the AICPA, 40% of identified issues related to failure to gain an understanding of internal control. Auditors must understand internal control in order to identify related risks and design proper responses. Auditors are reminded to:
Consider what could go wrong in financial statement preparation,
Identify the controls intended to mitigate identified risks, and
Evaluate the likelihood those controls can prevent, detect, and correct material misstatements.
Auditors are cautioned that it is incorrect to think that AU-C 315.14 does not apply to an engagement where the client has no controls. Similarly, auditors are reminded that even when they do not plan to rely on internal control, defaulting to setting control risk at the maximum level is not permitted.
Improperly Assessing Control Risk
Improperly assessing control risk as less than high without appropriately testing controls accounted for 13% of the violations. Auditors are reminded not to reduce control risk to less than high without appropriately testing the relevant controls. Reducing control risk to less than maximum can only be done if the auditors have tested controls and are comfortable relying on their operating effectiveness.
Insufficient Risk Assessment
This risk comprises 14% of identified issues related to risk assessment. Failure to assess risk can result in over-auditing or worse, a failure to obtain sufficient appropriate audit evidence. The alert reminds auditors that:
Regardless of the nature and extent of substantive procedures, they must:
Identify the client’s risk of material misstatement through an understanding of its internal control,
Assess the risk of material misstatement, and
Design or select procedures in response to those risks.
Failure to identify at least one significant risk is likely to mean the auditor has failed to comply with AU-C 315.28.
Auditors are reminded of the presumption of fraud in revenue recognition and that it should be treated as a significant risk. (AU-C 240.26–.27)
They must identify risk at both the financial statement and relevant assertion levels. (AU-C 315.26)
It is not necessary to document the risk of material misstatement for every audit area. Some assertions are not relevant.
Failure to Link Procedures Performed to the Risk Assessment
Of the most common risk assessment violations, 24% related to not linking risk assessment to auditors’ responses. The Alert reminds auditors to be responsive to the financial statement and relevant assertion level risks and that the linkage is at the assertion, not account, level. The AICPA discovered that auditors are not designing procedures with regard to the results of their risk assessment. Therefore, the risk is not reduced to an appropriate level, and the standards are not complied with.
DEFINITIONS