ISA (NZ) 315 (Revised 2019) starts with a series of key concepts. These are useful to get the drift of the standard. Most of these are basic auditing but they provide great revision and help to break risk assessment down in a way that hopefully makes sense.
Paragraph 2 of the new standard references the requirement in ISA (NZ) 200 that audit risk be reduced to an acceptably low level by obtaining sufficient appropriate audit evidence.
Audit risk sounds simple at first glance but can quickly turn nasty once we start trying to define and understand how it actually works. This is where we must start using some acronyms and abbreviations (much as I hate them).
Audit Risk (AR) is described as a function of Risk of Material Misstatement (RoMM) and Detection Risk (DR). RoMM may exist on two levels – the financial statement level and the assertion level. RoMM consists of two components: Inherent Risk and Control Risk (para 4). The whole objective of the audit (per para 11) is to identify and assess the RoMM, so that we can use this as a basis for designing and implementing responses to the assessed RoMM.
If you are like me, it's easy to go a bit like this around this point:
The key is to understand the meaning behind AR = RoMM x DR.
AR must be reduced to an “acceptably low” level. So let’s break down the rest of this.
First, what is material misstatement? ISA (NZ) 320 (2) says: “Misstatements, including omissions, are considered to be material if they, individually or in the aggregate, could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements.”
You could say in the context of the audit material things are what we care about; things that make the financial statements not just wrong but misleadingly so.
So, 'risk of material misstatement' (RoMM) is a weak point that could lead to us missing something big and important in our work and so failing in our task.
We identify a weak point, we think about the likelihood of it being wrong or producing wrong results, and we consider the potential impact on the financial statements if the worst-case scenario were to emerge. We identify, describe and assess the RoMM.
Second, what about the Financial Statement level and Assertion level? This is easily enough understood as either that which will impact the financial statements as a whole (financial statement level) or that which is more granular, relating to classes of transactions, account balances and disclosures (assertion level).
In plain English, an assertion is defined as:
“A confident and forceful statement of fact or belief” (Oxford Dictionary).
The Collins English dictionary goes further and says:
“A positive statement, usually made without an attempt at furnishing evidence.”
Paragraph A190 lists assertions as things like
- Rights and Obligations,
- Valuation, and
Our job is to assess whether the assertion being made is important (i.e. material) enough for us to look for evidence that it is actually true.
For example, if the preparers of the financial statements are confidently and forcefully stating that say, certain inventory is owned by them, exists and is valued at a certain amount, we as auditors are required to assess whether the balance (or potential for error) is material and if it is, whether their confidence and force in making these claims are justified by looking for evidence using suitable procedures that respond to the risk.
We will consider how these responses work later.
Making Audit Risk (AR) acceptable is like us saying whether it is possible, given the RoMMs we have identified, to design suitable audit responses to be comfortable that we have found evidence to support the assertions.
If we can’t do that we should either not accept the engagement at all, disclaim the audit report if it is too late, or modify the report if we can ring-fence the uncertainty to certain categories.
NOTE: ISA (NZ) 315 (Revised 2019) applies for audits of financial statements for periods beginning on or after 15 December 2021.