Auditors play a critical role in ensuring that investors make informed decisions and have confidence in the quality of financial reports. Central to an audit is performing procedures to obtain sufficient and appropriate audit evidence to address the risks of material misstatement.
ISA 315 (Revised 2019) recognises the importance of a comprehensive risk identification and assessment process in driving an appropriate and effective response to the risks identified. Audit Committee members should challenge auditors to demonstrate that they have a sufficient understanding of the business, the industry and environment in which it operates, risk areas and key issues relevant to the financial report. Auditors should deliver to Audit Committee members a plan that sets out how they plan to respond appropriately to assessed risks.
The International Auditing and Assurance Standards Board (“IAASB”) has issued a revised International Standard on Auditing (“ISA”) 315, Identifying and assessing the risks of material misstatement. ISA 315 has been revised to require a more systematic risk identification and assessment process, which in turn promotes better responses to the risks identified.
Why is the standard being amended?
The standard has been amended to respond to challenges and issues with the previous ISA 315 standard by making changes to drive better quality and more effective risk assessments, as well as promote the exercise of professional scepticism.
Financial reporting frameworks and governance structures are becoming increasingly more complex while technology continues to play a more advanced role in the control environment of entities. These changes require risk identification and assessment to be a more enhanced and rigorous process. The previous standard also did not address automated tools and techniques. These are progressively being used by auditors to inform risk assessment. The revised standard introduces specific considerations relating to the auditors use of automated tools and techniques.
What is the aim of the new standard?
The new standard aims to:
- Enhance the auditors approach to understanding the entity, its environment and risk assessment activities to promote a more consistent and robust risk assessment process.
- Make the standard more scalable through revised principle-based requirements and the inclusion of specific considerations and examples in the application guidance relating to both less and more complex entities.
- Support auditors using the standard by enhancing the application guidance.
- The separate assessment of inherent risk and control risk and the introduction of five new inherent risk factors to aid in risk assessment; subjectivity, complexity, uncertainty, change and susceptibility to misstatement due to management bias or fraud.
- A new spectrum of risk, at the higher end of which lie significant risks. The intention being to drive more focused responses to risks identified.
- There is a greater focus on professional scepticism. In particular the requirement to consider all evidence obtained from performing risk assessment procedures whether corroborative or contradictory, to evaluate whether the audit evidence obtained from risk assessment procedures provides an appropriate basis for risk assessment. Documentation may include how the auditor evaluated the evidence.
- The standard is enhanced to include auditor considerations in relation to IT, including new and updated appendices for understanding IT and IT general controls. Auditors will have to gain an understanding of information processing activities and identify risks arising from the use of IT. The standard allows for an auditor to use automated tools to obtain direct access or digital downloads from entities information systems.
- The term internal control has been revised to the entity’s system of internal controls. These include controls that address a significant risk, controls over journal entries, controls for which the auditor plans to test operating effectiveness, and other controls that the auditor considers appropriate. An important management responsibility is to establish and maintain a system of internal controls. The auditor is required to consider the design of each control relevant to the audit and if it has been implemented correctly.
An integral step in any audit is a comprehensive risk identification and assessment process. The standard has been revised to focus on reducing complexity and improving understandability with enhancements and clarifications to encourage a more consistent and robust risk assessment. The standard seeks to enhance the responsibility of auditors to gather ‘sufficient and appropriate audit evidence’.
This standard will undoubtedly increase the procedures performed by audit teams.
Audit committees should seek to ensure that any risks highlighted by the auditor, including concerns about systems, processes or policies that could materially affect future financial reports, are considered and addressed.
The revised standard is effective for periods beginning on or after 15 December 2021.