How are risks rated?
ISA (NZ) 200, A42 says:
'The assessment of the risks of material misstatement may be expressed in quantitative terms, such as in percentages, or in non-quantitative terms. In any case, the need for the auditor to make appropriate risk assessments is more important than the different approaches by which they may be made.'
Audit Assistant requires the auditor to identify the risks related to relevant assertions in non-quantitative terms using four levels (Low, Medium, High and Significant), and then to assess total risk based on the risks associated with specific assertions (total risk will be at least as high as the highest assertion risk). The terms Low, Medium, High and Significant are not specific to the ISAs. Some firms use Key Risks rather than Significant. How risk ratings are used is described in ISA (NZ) 200, A31:
'The quantity of audit evidence needed is affected by the auditor’s assessment of the risks of misstatement (the higher the assessed risks, the more audit evidence is likely to be required) and also by the quality of such audit evidence (the higher the quality, the less may be required).'
Identified risks are also assessed by risk type: Inherent, Control or Audit.
This is not an overall assessment of risk; it applies only to the specific item identified, to help tease out the potential problem.
- An inherent risk in this context is an environmental risk, outside of the control environment, perhaps inherent to the nature of the entity, the industry it is in, or other external factors.
- A control risk refers to a potential failure or weakness in the control environment.
- Audit risk is another name for detection risk; in this context, it is the risk that a material misstatement in this balance may not be detected by the auditor (an unauditable risk).
Potential Financial Impact and Likelihood of Occurrence are two more helpful "best practice" ways of analysing the risk (required under ISA (NZ) 315 (Revised 2019)). Both have a range of options. Key assertions are also identified as part of the analysis of the identified risk.