Requirements

Risk Assessment Procedures and Related Activities

13

The auditor shall design and perform risk assessment procedures to obtain audit evidence that provides an appropriate basis for: (Ref: Para. A11–A18)

  1. The identification and assessment of risks of material misstatement, whether due to fraud or error, at the financial report and assertion levels; and
  2. The design of further audit procedures in accordance with ASA 330.

The auditor shall design and perform risk assessment procedures in a manner that is not biased towards obtaining audit evidence that may be corroborative or towards excluding audit evidence that may be contradictory. (Ref: Para. A14)

14

The risk assessment procedures shall include the following: (Ref: Para. A19–A21)

  1. Enquiries of management and of other appropriate individuals within the entity, including individuals within the internal audit function (if the function exists). (Ref: Para. A22–A26)
  2. Analytical procedures. (Ref: Para. A27–A31)
  3. Observation and inspection. (Ref: Para. A32–A36)

Information from Other Sources

15

In obtaining audit evidence in accordance with paragraph 13, the auditor shall consider information from: (Ref: Para. A37‒A38)

  1. The auditor’s procedures regarding acceptance or continuance of the client relationship or the audit engagement; and
  2. When applicable, other engagements performed by the engagement partner for the entity.

16

When the auditor intends to use information obtained from the auditor’s previous experience with the entity and from audit procedures performed in previous audits, the auditor shall evaluate whether such information remains relevant and reliable as audit evidence for the current audit. (Ref: Para. A39‒A41)

Engagement Team Discussion

17

The engagement partner and other key engagement team members shall discuss the application of the applicable financial reporting framework and the susceptibility of the entity’s financial report to material misstatement. (Ref: Para. A42–A47)

18

When there are engagement team members not involved in the engagement team discussion, the engagement partner shall determine which matters are to be communicated to those members.

Obtaining an Understanding of the Entity and Its Environment, the Applicable Financial Reporting Framework and the Entity’s System of Internal Control

(Ref: Para. A48‒A49)

Understanding the Entity and Its Environment, and the Applicable Financial Reporting Framework (Ref: Para. A50‒A55)

19

The auditor shall perform risk assessment procedures to obtain an understanding of:

  1. The following aspects of the entity and its environment:
    1. The entity’s organisational structure, ownership and governance, and its business model, including the extent to which the business model integrates the use of IT; (Ref: Para. A56‒A67)
    2. Industry, regulatory and other external factors; (Ref: Para. A68‒A73) and
    3. The measures used, internally and externally, to assess the entity’s financial performance; (Ref: Para. A74‒A81)
  2. The applicable financial reporting framework, and the entity’s accounting policies and the reasons for any changes thereto; (Ref: Para. A82‒A84) and
  3. How inherent risk factors affect susceptibility of assertions to misstatement and the degree to which they do so, in the preparation of the financial report in accordance with the applicable financial reporting framework, based on the understanding obtained in (a) and (b). (Ref: Para. A85‒A89)

20

The auditor shall evaluate whether the entity’s accounting policies are appropriate and consistent with the applicable financial reporting framework.

Understanding the Components of the Entity’s System of Internal Control (Ref: Para. A90–A95)

Control Environment, the Entity’s Risk Assessment Process and the Entity’s Process to Monitor the System of Internal Control (Ref: Para. A96‒A98)

Control environment

 

NOTE

The AUASB is currently trialling an alternative way of presenting the understanding and evaluating tables of paragraphs 21, 22, 24, 25 and 26. Paragraphs 21, 22, 24 and 25 are displayed using the trial method whilst paragraph 26 is shown using the table method in the issued ASA 315 PDF.


21

The auditor shall obtain an understanding of the control environment relevant to the preparation of the financial report, through performing risk assessment procedures, by: (Ref: Para. A99–A100)

Understanding
  1. Understanding the set of controls, processes and structures that address: (Ref: Para. A101‒A102)
    1. How management’s oversight responsibilities are carried out, such as the entity’s culture and management’s commitment to integrity and ethical values;
    2. When those charged with governance are separate from management, the independence of, and oversight over the entity’s system of internal control by, those charged with governance;
    3. The entity’s assignment of authority and responsibility;
    4. How the entity attracts, develops, and retains competent individuals; and
    5. How the entity holds individuals accountable for their responsibilities in the pursuit of the objectives of the system of internal control; and

Evaluating
  2. Evaluating whether: (Ref: Para. A103‒A108)
    1. Management, with the oversight of those charged with governance, has created and maintained a culture of honesty and ethical behaviour;
    2. The control environment provides an appropriate foundation for the other components of the entity’s system of internal control considering the nature and complexity of the entity; and
    3. Control deficiencies identified in the control environment undermine the other components of the entity’s system of internal control.

The entity’s risk assessment process

22

The auditor shall obtain an understanding of the entity’s risk assessment process relevant to the preparation of the financial report, through performing risk assessment procedures, by:

Understanding
  1. Understanding the entity’s process for: (Ref: Para. A109‒A110)
    1. Identifying business risks relevant to financial reporting objectives; (Ref: Para. A62)
    2. Assessing the significance of those risks, including the likelihood of their occurrence; and
    3. Addressing those risks; and

Evaluating
  2. Evaluating whether the entity’s risk assessment process is appropriate to the entity’s circumstances considering the nature and complexity of the entity. (Ref: Para. A111‒A113)

23

If the auditor identifies risks of material misstatement that management failed to identify, the auditor shall:

  1. Determine whether any such risks are of a kind that the auditor expects would have been identified by the entity’s risk assessment process and, if so, obtain an understanding of why the entity’s risk assessment process failed to identify such risks of material misstatement; and
  2. Consider the implications for the auditor’s evaluation in paragraph 22(b).

The entity’s process to monitor the system of internal control

24

The auditor shall obtain an understanding of the entity’s process for monitoring the system of internal control relevant to the preparation of the financial report, through performing risk assessment procedures, by: (Ref: Para. A114–A115)

Understanding
  1. Understanding those aspects of the entity’s process that address:
    1. Ongoing and separate evaluations for monitoring the effectiveness of controls, and the identification and remediation of control deficiencies identified; (Ref: Para. A116‒A117) and
    2. The entity’s internal audit function, if any, including its nature, responsibilities and activities; (Ref: Para. A118)
  2. Understanding the sources of the information used in the entity’s process to monitor the system of internal control, and the basis upon which management considers the information to be sufficiently reliable for the purpose; (Ref: Para. A119‒A120) and

Evaluating
  3. Evaluating whether the entity’s process for monitoring the system of internal control is appropriate to the entity’s circumstances considering the nature and complexity of the entity. (Ref: Para. A121‒A122)

Information System and Communication, and Control Activities (Ref: Para. A123–A130)

The information system and communication

25

The auditor shall obtain an understanding of the entity’s information system and communication relevant to the preparation of the financial report, through performing risk assessment procedures, by: (Ref: Para. A131)

Understanding
  1. Understanding the entity’s information processing activities, including its data and information, the resources to be used in such activities and the policies that define, for significant classes of transactions, account balances and disclosures: (Ref: Para. A132‒A143)
    1. How information flows through the entity’s information system, including how:
      1. Transactions are initiated, and how information about them is recorded, processed, corrected as necessary, incorporated in the general ledger and reported in the financial report; and
      2. Information about events and conditions, other than transactions, is captured, processed and disclosed in the financial report;
    2. The accounting records, specific accounts in the financial report and other supporting records relating to the flows of information in the information system;
    3. The financial reporting process used to prepare the entity’s financial report, including disclosures; and
    4. The entity’s resources, including the IT environment, relevant to (a)(i) to (a)(iii) above;
  2. Understanding how the entity communicates significant matters that support the preparation of the financial report and related reporting responsibilities in the information system and other components of the system of internal control: (Ref: Para. A144‒A145)
    1. Between people within the entity, including how financial reporting roles and responsibilities are communicated;
    2. Between management and those charged with governance; and
    3. With external parties, such as those with regulatory authorities; and

Evaluating
  3. Evaluating whether the entity’s information system and communication appropriately support the preparation of the entity’s financial report in accordance with the applicable financial reporting framework. (Ref: Para. A146)

Control activities

26

The auditor shall obtain an understanding of the control activities component, through performing risk assessment procedures, by: (Ref: Para. A147–A157)
  1. Identifying controls that address risks of material misstatement at the assertion level in the control activities component as follows:
    1. Controls that address a risk that is determined to be a significant risk; (Ref: Para. A158‒A159)
    2. Controls over journal entries, including non-standard journal entries used to record non-recurring, unusual transactions or adjustments; (Ref: Para. A160‒A161)
    3. Controls for which the auditor plans to test operating effectiveness in determining the nature, timing and extent of substantive testing, which shall include controls that address risks for which substantive procedures alone do not provide sufficient appropriate audit evidence; and (Ref: Para. A162‒A164)
    4. Other controls that the auditor considers are appropriate to enable the auditor to meet the objectives of paragraph 13 with respect to risks at the assertion level, based on the auditor’s professional judgement; (Ref: Para. A165)
  2. Based on controls identified in (a), identifying the IT applications and the other aspects of the entity’s IT environment that are subject to risks arising from the use of IT; (Ref: Para. A166‒A172)
  3. For such IT applications and other aspects of the IT environment identified in (b), identifying: (Ref: Para. A173‒A174)
    1. The related risks arising from the use of IT; and
    2. The entity’s general IT controls that address such risks.
  4. For each control identified in (a) or (c)(ii): (Ref: Para. A175‒A181)
    1. Evaluating whether the control is designed effectively to address the risk of material misstatement at the assertion level, or effectively designed to support the operation of other controls; and
    2. Determining whether the control has been implemented by performing procedures in addition to enquiry of the entity’s personnel.

 

Control Deficiencies Within the Entity’s System of Internal Control

27

Based on the auditor’s evaluation of each of the components of the entity’s system of internal control, the auditor shall determine whether one or more control deficiencies have been identified. (Ref: Para. A182–A183)

Identifying and Assessing the Risks of Material Misstatement

Identifying Risks of Material Misstatement

28

The auditor shall identify the risks of material misstatement and determine whether they exist at: (Ref: Para. A186–A192)

  1. The financial report level; (Ref: Para. A193–A200) or
  2. The assertion level for classes of transactions, account balances and disclosures. (Ref: Para. A201)

29

The auditor shall determine the relevant assertions and the related significant classes of transactions, account balances and disclosures. (Ref: Para. A202–A204)

Assessing Risks of Material Misstatement at the Financial Report Level

30

For identified risks of material misstatement at the financial report level, the auditor shall assess the risks and: (Ref: Para. A193–A200)

  1. Determine whether such risks affect the assessment of risks at the assertion level; and
  2. Evaluate the nature and extent of their pervasive effect on the financial report.

Assessing Risks of Material Misstatement at the Assertion Level

Assessing Inherent Risk (Ref: Para. A205–A217)

31

For identified risks of material misstatement at the assertion level, the auditor shall assess inherent risk by assessing the likelihood and magnitude of misstatement. In doing so, the auditor shall take into account how, and the degree to which:

  1. Inherent risk factors affect the susceptibility of relevant assertions to misstatement; and
  2. The risks of material misstatement at the financial report level affect the assessment of inherent risk for risks of material misstatement at the assertion level. (Ref: Para. A215‒A216)

32

The auditor shall determine whether any of the assessed risks of material misstatement are significant risks. (Ref: Para. A218–A221)

33

The auditor shall determine whether substantive procedures alone cannot provide sufficient appropriate audit evidence for any of the risks of material misstatement at the assertion level. (Ref: Para. A222–A225)

Assessing Control Risk

34

If the auditor plans to test the operating effectiveness of controls, the auditor shall assess control risk. If the auditor does not plan to test the operating effectiveness of controls, the auditor’s assessment of control risk shall be such that the assessment of the risk of material misstatement is the same as the assessment of inherent risk. (Ref: Para. A226–A229)

Evaluating the Audit Evidence Obtained from the Risk Assessment Procedures

35

The auditor shall evaluate whether the audit evidence obtained from the risk assessment procedures provides an appropriate basis for the identification and assessment of the risks of material misstatement. If not, the auditor shall perform additional risk assessment procedures until audit evidence has been obtained to provide such a basis. In identifying and assessing the risks of material misstatement, the auditor shall take into account all audit evidence obtained from the risk assessment procedures, whether corroborative or contradictory to assertions made by management. (Ref: Para. A230–A232)

Classes of Transactions, Account Balances and Disclosures that Are Not Significant, but Which Are Material

36

For material classes of transactions, account balances or disclosures that have not been determined to be significant classes of transactions, account balances or disclosures, the auditor shall evaluate whether the auditor’s determination remains appropriate. (Ref: Para. A233–A235)

Revision of Risk Assessment

37

If the auditor obtains new information which is inconsistent with the audit evidence on which the auditor originally based the identification or assessments of the risks of material misstatement, the auditor shall revise the identification or assessment. (Ref: Para. A236)

Documentation

38

The auditor shall include in the audit documentation:[13] (Ref: Para. A237–A241)

  1. The discussion among the engagement team and the significant decisions reached;
  2. Key elements of the auditor’s understanding in accordance with paragraphs 19, 21, 22, 24 and 25; the sources of information from which the auditor’s understanding was obtained; and the risk assessment procedures performed;
  3. The evaluation of the design of identified controls, and determination whether such controls have been implemented, in accordance with the requirements in paragraph 26; and
  4. The identified and assessed risks of material misstatement at the financial report level and at the assertion level, including significant risks and risks for which substantive procedures alone cannot provide sufficient appropriate audit evidence, and the rationale for the significant judgements made.

[13] See ASA 230, Audit Documentation, paragraphs 8–11, and A6–A7.