The next concept, expressed in paragraph 8 of ISA 315, is a reminder that our audit work must be framed in terms of responses to risks of material misstatement (RoMM). This is not new, but it is critical to making our audit file “sing”.
The first part of paragraph 8 states that:
ISA 330 requires the auditor to design and implement overall responses to address the assessed risks of material misstatement at the financial statement level.
Remember that risks at the financial statement level affect the financial statements as a whole and so potentially affect many assertions. So, these are major issues but hopefully rare. It makes sense that if, say, there is a major fraud that impacts going concern, then we would send most of our auditing fire engines to that particular fire.
The second part of the paragraph states that:
...the auditor’s assessment of the risks of material misstatement at the financial statement level, and the auditor’s overall responses, is affected by the auditor’s understanding of the control environment.
Paragraph A2 of ISA 330 says:
An effective control environment may allow the auditor to have more confidence in internal control and the reliability of audit evidence generated internally within the entity and thus, for example, allow the auditor to conduct some audit procedures at an interim date rather than at the period end.
This is standard practice, of course. We consider the control environment and assess whether it is robust enough for us to consider relying upon it; if we think it might be, we test the key controls. If all is well, we can reduce our reliance on substantive testing.
The third part quotes ISA 330 paragraph 6 which requires the auditor to also:
…design and perform further audit procedures whose nature, timing and extent are based on and are responsive to the assessed risks of material misstatement at the assertion level.
Note we are talking about assertion-level (granular) risks here. In most jobs, this will be where our focus rests – assertion-level RoMM.
Just like striking one string in a piano sets off harmonics in other strings, so should the identification of a RoMM set off harmonic thoughts in the auditor’s brain. The risks we identify, assessed for their potential magnitude and likelihood of occurrence, should resonate throughout the whole audit file.
Para 13 (b) sums it up succinctly:
The auditor shall design and perform risk assessment procedures to obtain audit evidence that provides an appropriate basis for… The design of further audit procedures in accordance with ISA 330.
What are these risk assessment procedures?
Paragraph 14 summarises these as enquiry, analytical procedures, and observation and inspection. This evidence may also be gathered during the acceptance and continuance process, from other engagements performed for the entity (para 15), or from previous audit experience (para 16). It must, of course, be evaluated for relevance and reliability. The audit team meeting will also be a source of information about potential risks (para 17).
Of course, a thorough understanding of the entity and its environment will alert us to inherent risks, and understanding the entity’s use of IT is essential to assessing possible control risks; we also need to consider the reporting framework and accounting policies (para 19-20).
Understanding the components of the control system and how it is monitored will be required to identify control risks (para 21-26).
At the end of this process we will have a clear description of the risk:
- whether it is at the assertion or financial statement level;
- if at the assertion level, what assertions it relates to;
- whether it is an inherent, control or audit risk;
- the potential financial impact;
- the likelihood of occurrence;
- any related controls;
- from this, an assessment of how significant the risk is.
Once we have done a good analysis, the response should be obvious. A significant risk will demand higher audit resources. Our toolkit of audit responses will depend on the assertion and level of risk.
If there is material inventory, for instance, and we have assessed controls as poor, we have a higher likelihood of overstatement with high potential impact. Assertions like existence, accuracy, valuation, ownership, and cut-off all become relevant. We likely have a significant control risk at the assertion level. What do we do? We design tests like stocktake attendance, review for redundant goods, valuation tests, ownership testing and cut-off testing back to accounts receivable and payable, together with obtaining representations from management, enquiry and observation.
In the end, we have an audit file that plays a clear song without discordant notes. Like a good piece of music, it is concise, focused, clear and internally consistent.