Our new risk tool is a sophisticated software rendering of the requirements of ISA 315 (revised 2019) and the equivalent requirements of the LCE standard. It includes structured, curated libraries in the background for risks, controls, risk responses and management letter points.
The starting point is risk identification. A risk may be identified from many places. Many risks become obvious from the first client interview, so the auditor may start documenting risk from anywhere in the planning area: entity and environment, systems questionnaire, items required for audit page, team meeting, from the Trial Balance or directly on the Risk Identification page at the end of the A section.
Adding a risk from any page may be done from the "Annotation" box:
Or it may be accessed from a right-click:
On the TB page level risks may be added at the section (e.g. Grants Received) level, sub-group level (Government Grants), or at the individual account level:
The risk tool first prompts for the selection of financial statement level risk versus assertion level risk:
Selecting Financial Statement level looks like this (FS level risk is pervasive or global level risk that impacts most or all assertions):
Assertion level (non-pervasive - affecting one or up to several assertions) looks like this:
The Selector defaults to the appropriate risks from the library, a default description that may be changed or fine-tuned to suit the situation, as may the target workpaper, and the assertions. This example is from the Governance checklist:
Risks at the assertion level are more likely to be related to specific balances or groups. In this case related to sales revenue the risk is identified from our library:
The risk tool completes basic details which the auditor then may fine-tune - including pointing to what the related process is in the B section (in this case Sales and Debtors system). This will determine whether this system represents a Significant Class of Transactions (SCOT) requiring documentation and walkthrough. Systems that are not SCOT are not required to have additional work done. This step triggers the generation of pages in B section for system documentation, walkthroughs and controls testing if applicable.
The auditor may then assess inherent risk factors (complexity, size and volume etc). Potential financial impact, and likelihood of occurence are assessed which calculates the inherent risk to an appropriate level. A very high risk as also flagged as signficant. If the risk is fraud risk the risk will also be flagged as significant. Saving the risk sends the risk to the summary risk sidentification page at the end of the A section. The accumulated risk are also expressed graphically on this page.
Risks may also be viewed by account, now shown by Account/Trial balance category:
Assuming materiality has been set, the system will now flag whether each section includes significant accounts (items flagged as risks), material amounts (no risks assigned but still material which still require work to be done), and not material sections, where work may be limited to high level analytical review.
Risks can be marked as reviewed by the partner here (but not required). This can be done later when a risk assessment is performed (tick box at right of each risk). Hovering over the tick indicates who has reviewed/approved this risk.
If a risk is marked as reviewed it can still be edited (until the E1 Risk Assessment page is concluded), but doing so will remove the reviewer ‘sign off.’