Source: AU-C 315.04. For definitions related to this standard, see Appendix A, “Definitions of Terms”: Assertions, Business risk, Internal control, Relevant assertion, Risk assessment procedures, Significant risk.
OBJECTIVE OF AU-C SECTION 315
The objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and relevant assertion levels through understanding the entity and its environment, including the entity’s internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement.
(AU-C Section 315.03)
OVERVIEW
The audit risk model describes audit risk as:
AR = RMM × DR
where AR is audit risk, RMM is the risk of material misstatement, and DR is detection risk. The risk of material misstatement is a combination of inherent and control risk. Although GAAS describes a combined risk assessment, the auditor may perform separate assessments of inherent and control risks.
AU-C 315 describes how the auditor should identify and assess the risk of material misstatement, which, in turn, provides a basis for designing further audit procedures. These further audit procedures (which consist of tests of controls and substantive tests) must be clearly linked and responsive to assessed risks.
AU-C 315 also includes the concept of significant risks, which are risks that require special audit consideration. (See “Definitions of Terms.”) One or more significant risks arise on all audits.
The following is an overview of how the process is described in AU-C 315:
Step 1. Perform risk assessment procedures to gather information and gain an understanding of the entity and its environment, including internal control.
Step 2. Based on this understanding, identify risks of material misstatement, which may exist at either the financial statement or the relevant assertion level.
Step 3. Assess the risk of material misstatement, which requires the auditor to:Identify the risk of material misstatement.Describe the identified risks in terms of what can go wrong in specific assertions.Consider the significance and likelihood of material misstatement for each identified risk.
AU-C 330 provides guidance on the design and performance of further audit procedures. In all audits, the auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or to fraud, and to design the nature, timing, and extent of further audit procedures. (AU-C 315.12)
This assessment of the risk of material misstatement becomes the basis for the proper design of further audit procedures.
Even if the auditor plans a purely substantive audit, he or she still is required to obtain an understanding of internal control. Such an understanding is necessary to:
Identify missing or ineffective controls.
Evaluate identified control deficiencies.
Confirm that substantive procedures alone are sufficient to design and perform an appropriate audit strategy and provide sufficient appropriate audit evidence to support the audit opinion.
REQUIREMENTS
Step 1. Perform Risk Assessment Procedures
The auditor should perform risk assessment procedures to provide a basis for the identification and assessment of material misstatement at the financial statement and relevant assertion level. (AU-C 315.05) Risk assessment procedures include:
Inquiries of management, individuals in the internal audit function, and others at the client
Analytical procedures
Observation and inspection
(AU-C 315.06)
The auditor’s risk assessment procedures provide the audit evidence necessary to support the auditor’s risk assessments, which in turn support the determination of the nature, timing, and extent of further audit procedures. Thus, the results of the auditor’s risk assessment procedures are an integral part of the audit evidence obtained to support the opinion on the financial statements.
In the course of gathering information about the client, the auditor should perform all the risk assessment procedures.
Other procedures may provide relevant information about the entity. For example:
When relevant to the audit, the auditor should consider other information, which may include:Information obtained from the client acceptance or continuance process (AU-C 315.07)Experience and knowledge gained on other engagements performed for the entity (AU-C 315.08)
Some of the procedures the auditor performs to assess the risks of material misstatement due to fraud also may help gather information about the entity and its environment, particularly its internal control. (AU-C 315.09)
NOTE: Because of the close connection between the assessment of the risk of material misstatement and the procedures performed to assess fraud risk, the auditor will want to:
Coordinate the procedures he or she performs to assess the risk of material misstatement due to fraud with the other risk assessment procedures.
Consider the results of his or her assessment of fraud risk when identifying the risk of material misstatement.
Updating Information from Prior Periods
If certain conditions are met, the auditor may use information obtained in prior periods as audit evidence in the current period audit. However, when the auditor intends to use information from prior periods in the current period audit, the auditor should determine whether changes have occurred that may affect the relevance of the information for the current audit. (AU-C 315.10) To make this determination, the auditor should make inquiries and perform other appropriate audit procedures, such as walk-throughs of systems. (AU-C 315.A20)
Discussion by the Audit Team
The members of the audit team should discuss the susceptibility of the client’s financial statements to material misstatement. (AU-C 315.11) This discussion will allow team members to exchange information and create a shared understanding of the client and its environment, which in turn will enable each team member to:
Share his or her knowledge.
Gain a better understanding of the potential for material misstatement resulting from fraud or error in the assertions that are relevant to the areas assigned to them.
Exchange information about business risks.
Understand how the results of the audit procedures that they perform may affect other aspects of the audit.
This “brainstorming session” of the audit team could be held at the same time as the team’s discussion related to fraud, which is required by Section 240. (AU-C 315.A21)
Understanding the Entity and Its Environment
The auditor should obtain an understanding of the following five elements of the entity and its environment:
1 External