The third key concept in ISA 315 (Revised 2019), summarised in paragraph 4, relates to understanding Inherent Risk (IR) and Control Risk (CR).
We discussed that risk at the financial statement level relates to the financial statements as a whole. It may affect many assertions and may not affect one account more than another. For example, if the management of the company is involved in fraud, or if the overall level of competence is such that controls are ineffective, this will be a Risk of Material Misstatement (RoMM) at the more global level (i.e. the financial statement level).
RoMM at the more granular (assertion) level may be split into Inherent Risk (IR) and Control Risk (CR). These are familiar concepts but the new standard formulates these and makes them much more specific, which is a good thing. We are explicitly required to consider inherent risk and control risk separately.
Inherent risk
Inherent risk (IR) is a central concept of the standard, mentioned in 109 places, as compared to control risk, mentioned only 16 times.
IR focuses on the raw reality of the entity before we consider any controls. What would the susceptibility of an assertion to material misstatement be if there were no controls? This is to be considered individually or when aggregated with other misstatements.
The standard now requires IR to be assessed on a spectrum. This spectrum is to be considered in terms of the likelihood of occurrence and the magnitude of the potential misstatement. These are to be considered in tandem.
For instance, it may be quite likely that a few pens will be taken from the stationery cupboard for private use, but the magnitude of misstatement, should this occur, is very low. Or a volcano might destroy the city, which would be a high-magnitude loss, but the likelihood of occurrence is low. In either case, these would not represent significant risks. The ideal way to display these IRs is graphically. For instance:
Any IR that is both likely to occur and with potential for high-magnitude impact must be regarded as a significant risk (para 12(l)). In the case above, we may identify the top five (circled) items as significant. This reflects good practice, but in the new standard, it is made crystal clear.
There is a new definition of Inherent risk factors in the standard (para 12(f)). This speaks of events or conditions that affect susceptibility to misstatement, whether due to fraud or error.
These may affect an assertion about a class of transactions, an account balance or a disclosure. Such factors may be qualitative or quantitative and include considerations such as complexity, subjectivity, change, uncertainty or susceptibility to misstatement due to management bias or other fraud risk factors. All should be considered – generally just by following common sense.
Why this emphasis on IR? It makes sense that we start with inherent risks, as these represent the fundamental potential for misstatement. Then, having considered these, we need only concern ourselves with controls that address those risks.
For instance, if we instead started with control risk, we might identify poor controls over cash. But cash does not represent a material part of the business. So if cash is not inherently a material risk, is there any point concerning ourselves with the related controls? If we start with IR we will know this.
Control risk
Control risk (CR) describes the risk that a possible material misstatement that could occur in an assertion (either individually or when aggregated with other misstatements) will not be prevented, or detected and corrected, on a timely basis by the entity’s system of internal control.
Paragraph 33 states: “If the auditor plans to test the operating effectiveness of controls, the auditor shall assess control risk. If the auditor does not plan to test the operating effectiveness of controls, the auditor’s assessment of control risk shall be such that the assessment of the risk of material misstatement is the same as the assessment of inherent risk.”
So, we are required to assess control risk (CR) only if we plan to test the operating effectiveness of controls, or when substantive procedures alone will not provide sufficient appropriate audit evidence at the assertion level. Therefore, if we do not intend to rely on controls, we do not need to test them, and CR effectively defaults back to our IR assessments.
This is a new concept, and it opens questions about how to respond in small entities that do not have many formal controls we can test but nevertheless have a robust system of management and governance oversight that gives us considerable comfort. We shall return to these questions in a later post.