International Standard on Auditing (ISA) 315 (Revised), Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment (ISA 315 (Revised 2019)), was issued by the International Auditing and Assurance Standards Board (IAASB) in December 2019 and is effective for audits of financial statements for periods beginning on or after 15 December 2021. This article is a follow-on to the article titled ‘Identifying and assessing the risks of material misstatement: an introduction’ in the March issue of Accountancy SA and contains an overview of the revised requirements.
ISA 315 (Revised 2019) is a foundational standard to auditing in that it contains the requirements relating to the process for identifying and assessing the risks of material misstatement (RoMM). The main purpose of performing risk assessment procedures is for the auditor to obtain sufficient appropriate audit evidence to form the basis of and support the identification and assessment of RoMM. This in turn forms the basis for the auditor’s design and performance of further audit procedures.
In revising ISA 315 (Revised 2019), the aim was for the auditor to achieve a more robust risk identification and assessment process, thereby promoting a more effective response to the identified risks. ISA 315 (Revised 2019) has been structured in such a way that the revised requirements address ‘what’ the auditor needs to do, and the application material addresses the questions around ‘why’ and ‘how’. In relation to achieving a more effective audit response, conforming amendments to ISA 330, The Auditor’s Responses to Assessed Risks (ISA 330) have also been made in completing the IAASB’s ISA 315 project.
The ‘what’ question answered
Before we go into the detail of the requirements, it is important to highlight that ISA 315 (Revised 2019) is iterative in nature in that many requirements are interrelated and therefore often not performed by auditors in a linear manner. Furthermore, the auditor is required to exercise professional judgement in determining the nature and extent of the work effort carried out.
The starting point for the auditor is to obtain an understanding of the client’s business, specifically in relation to:
- The entity’s system of internal control
- The entity and its environment, and
- The application of the financial reporting framework
Overall, the requirements in relation to obtaining an understanding have been enhanced and clarified to ensure that a well-informed risk assessment is performed. A significant change seen here to extant ISA 315 (Revised) relates to escalating the requirements to obtain an understanding of the applicable financial reporting framework out of the understanding the entity and its environment to encourage an increased focus on the entity’s financial reporting requirement (ISA 315 (Revised 2019).19(b)).
Based on the auditor’s understanding of the client’s business, the auditor must then identify and assess the RoMM at both financial statement and assertion level. In doing so, the auditor is required to identify the relevant assertions and the related significant classes of transactions, account balances and disclosures. To understand the requirements, the auditor needs to understand what is meant by a relevant assertion and significant class of transactions, account balance and disclosure.
This process is best explained through the use of an example: Based on the auditor’s understanding of the business, completeness of inventory has an identified RoMM. The relevant assertion would therefore be completeness and the significant account balance would be inventory. Another important point to note is that the determination of a relevant assertion is made before considering any controls that the client may have implemented to mitigate the risk.
Once the RoMM has been identified by the auditor, this need to be assessed. In doing so, the auditor must take cognisance of the requirement to assess inherent and control risk separately.
Assessment of inherent risk
For identified RoMM at the assertion level, the auditor shall assess inherent risk by assessing the likelihood and magnitude of misstatements. In doing so, the auditor shall take into account how, and the degree to which:
Inherent risk factors affect the susceptibility of relevant assertions to misstatement, and
The RoMM at the financial statement level affect the assessment of inherent risk for RoMM at the assertion level (ISA 315 (Revised 2019).31)
To assist the auditor in assessing the likelihood and magnitude of misstatements, ISA 315 (Revised 2019) contains the concept of the spectrum of inherent risk. In order to understand the assessment of inherent risk, the auditor needs to understand what is meant by inherent risk factors.
Inherent risk factors, individually or in combination, increase the inherent risk to varying degrees. The inherent risk may be higher for some assertions than for others and the degree to which inherent risk varies is referred to as the spectrum of inherent risk (ISA 315 (Revised 2019).5). The relative degrees of the likelihood and magnitude of a possible misstatement determine where on the spectrum the risk of misstatement is assessed. The higher the combination of likelihood and magnitude, the higher the inherent risk and vice versa. A higher inherent risk assessment may also arise from different combinations of likelihood and magnitude, for example a higher risk assessment could result from a lower likelihood but a very high magnitude.
In assessing inherent risk, the auditor shall determine whether any of the assessed RoMMs are significant risks (ISA 315 (Revised 2019).32), as well as instances where substantive procedures alone cannot provide sufficient appropriate audit evidence for any of the RoMM at assertion level (ISA 315 (Revised 2019).33).
Assessment of control risk
ISA 315 (Revised 2019) indicates that the auditor is only required to assess control risk if there are plans to test the operating effectiveness of controls. The standard continues to state that if the auditor does not plan to test the operating effectiveness of controls, the auditor’s assessment of control risk shall be such that the assessment of the RoMM is the same as the assessment of inherent risk (ISA 315 (2019 Revised).34). This paragraph may come across as contradictory in initially stating that no assessment of control risk is required and then requiring the assessment to be at a specific level. The bottom line is that when control risk is not assessed, the level of risk assessment assigned to control risk cannot be lower than that assigned to the level of inherent risk.
Once the auditor has obtained the required understanding, identified and assessed the RoMM and in turn identified the significant classes of transactions, account balances and disclosures, the focus then turns to the material classes of transactions, account balances and disclosures that have not been determined as significant. This assessment is referred to as the ‘stand-back provision’. This new stand-back provision has been introduced to prompt the auditor to confirm the completeness of the identified risks. In essence, the auditor is required to make sure that the audit evidence obtained confirms that there are in fact no RoMM relating to the material classes of transactions, account balances and disclosures that should have been identified. This is an important determination to be made because it drives the auditor’s design and performance of further audit procedures.
Audit responses
ISA 330 has been updated in line with the revised requirements contained in ISA 315 (Revised 2019), as follows.
In line with ISA 315 (Revised 2019), ISA 330 now makes reference to a significant class of transactions, account balance and disclosure in designing and performing further audit procedures (ISA 330.7).
With respect to material classes of transactions, account balances and disclosures, the application material now makes it clear that not all assertions within the material classes of transactions, account balances and disclosures are required to be tested (ISA 330.A42a). Rather, the auditor is required to identify the most appropriate assertion when designing substantive audit procedures. During the comment period, questions were raised around whether this requirement does create a circular link back to ISA 315 (Revised 2019) in requiring the auditor to effectively identify a relevant assertion. No change was, however, made in this regard in finalising the ISA 315 (Revised 2019), leaving auditors to apply professional judgement in navigating how to comply with this conforming amendment.
These amendments clarify that the auditor is only required to design and perform further audit procedures on significant classes of transactions, account balances and disclosures (ISA 330.7) and material classes of transactions, account balances and disclosures (ISA 330.18). The further audit procedures to be performed must be responsive to the assessed risk, taking into account the reasons for the assessment given and ensuring that more persuasive audit evidence is obtained where a higher RoMM has been determined.
Way forward
The risk-based audit approach as auditors know it has not changed. The requirements of ISA 315 (Revised 2019) have, however, been enhanced and clarified to assist auditors in applying the risk-based approach in a more effective and consistent manner. Although a few practical challenges lie ahead in implementing the revised requirements, overall the revised requirements are seen as a positive step towards achieving a more robust and consistent risk assessment. The IAASB recognises that the revisions to ISA 315 (Revised 2019) are significant and in line with calls from the public has set out an implementation plan to assist auditors in implementing the revised requirements, which is due to commence in 2020.
AUTHOR | Hayley Barker Hoogwerf CA(SA), Project Director: Assurance at SAICA