According to the International Auditing and Assurance Standards Board (IAASB), International Standard on Auditing 315 (Revised 2019), Identifying and Assessing the Risks of Material Misstatement (ISA 315 (Revised 2019), has been revised to promote robust and consistent risk identification and assessment
After reviewing the changes to ISA 315, I agree that the changes have clarified the requirements of the standard and the application material has been improved. Ultimately the changes support ISA 330, The Auditor’s Responses to Assessed Risks, to allow for more focused responses to the identified and assessed risks.
According to the IAASB, it had the following four objectives in mind revising the standard:
- Consistent and effective identification and assessment of risks of material misstatement
- Modernising the standard
- Improving the scalability of the standard
- Focusing auditors’ attention on exercising professional scepticism throughout the risk identification and assessment process
I will use these four objectives to point out major changes in the standard.
Consistent and effective identification and assessment of risks of material misstatement
- The standard clarifies the risk assessment process by breaking it down into performing risk assessment procedures to obtain audit evidence that provides an appropriate basis not only for the identification and assessment of risks of material misstatement but also the design of further audit procedures, identifying risks of material misstatement, and assessing identified risks of material misstatement.
- The auditor shall still design and perform risk assessment procedures to obtain audit evidence to base its identification and risk assessment on. However, the standard now requires an understanding of three separate focus areas, namely the entity and its environment, the applicable financial reporting framework, and the components of the entity’s system of internal control. Obtaining an understanding of the applicable financial reporting framework is now identified separately.
- The standard now differentiates between direct and indirect controls. Direct controls are defined as controls that address risks of material misstatement at the assertion level, while indirect controls support direct controls. In addition to defining direct and indirect controls, the standard clarifies the extent of work needed on each.
- The standard requires that the auditor obtains an understanding of the entity’s control environment, the risk assessment process, the process for monitoring the system of internal control and information system and communication relevant to the preparation of the financial statements.
- The standard clarifies that controls should be identified that address significant risks, journal entries, controls for which the auditor plans to test operating effectiveness, other controls the auditor considers appropriate and general IT controls that address risks arising from the use of IT. For these identified controls the auditor shall evaluate whether the controls are effectively designed to address risks of material misstatement at the assertion level and determine whether the controls have been implemented by performing procedures in addition to inquiry.
- The standard requires a separate assessment of inherent risk and control risk. In addition, control risk is only assessed if the auditor plans to test the operating effectiveness of controls, or else the assessment for risk of material misstatement should be set at the same level as the assessed inherent risk.
- The standard lists five ‘inherent risk factors’, namely subjectivity, complexity, uncertainty, change and susceptibility to misstatement due to management bias or fraud. Inherent risk factors are defined as characteristics or events or conditions that affect the susceptibility to misstatement, whether due to fraud or error.
- The standard introduces a spectrum of risk which considers the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should the misstatement occur. Significant risk is then defined as the assessment of inherent risk close to the upper end of this spectrum of risk.
- The standard requires a stand-back after identifying and assessing risks of material misstatement to evaluate for material classes of transactions, account balances and disclosures that have not been determined to be significant to consider whether the determination remains appropriate. A class of transactions, account balances or disclosures are significant when there are one or more relevant assertions for the line item. An assertion is relevant when it has an identified risk of material misstatement.
Modernising the standard
- The standard focuses on IT, particularly IT general controls.
- Automated tools and techniques are included in the application material and the IAASB’s Technology Working Group issued a Q&A on automated tools and techniques.
Improving the scalability of the standard
The principle-based requirements and application material makes scalability possible. Therefore, the considerations for smaller entities paragraphs have been removed.
Focusing auditors’ attention on exercising professional scepticism throughout the risk identification and assessment process
The standard emphasises that ISA 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Standards on Auditing, requires the auditor to exercise professional judgment and professional scepticism when performing an audit. This is further accentuated by ISA 315 (Revised 2019) requiring that the auditor shall not be biased towards obtaining audit evidence.
From the information above it is evident that the changes are major, and due to the importance of ISA 315 (Revised 2019), it is of utmost importance for auditors to understand and implement the changes, as it will require major changes to risk identification, risk assessment and responding to risks identified.
The revised standard will be effective for audits of financial statements for periods beginning on or after 15 December 2021.
Author: Jana Lamprecht CA(SA), MA, Senior Lecturer in Auditing, University of the Free State