What are the inherent risk factors that ISA 540 Revised requires the auditor to take into account when identifying risks of material misstatement and assessing inherent risk?

Inherent risk and control risk

Inherent risk and control risk are not new concepts for auditors. As a reminder:

• Inherent risk is described as the susceptibility of an assertion about a class of transaction, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.
• Control risk is described as the risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s system of internal control.

The revised ISA clarifies that the auditor should perform a separate assessment of inherent risk and control risk. As a clarifying amendment, it’s likely some auditors would already have been undertaking separate assessments. Those that haven’t should nevertheless already be familiar with the requirement for separate assessments though, since ISA (UK) 540 Auditing Accounting Estimates and Related Disclosures introduced it for accounting estimates for periods commencing on or after 15 December 2019.

Spectrum of inherent risk

The revised ISA introduces the concept of a spectrum of inherent risk to be used for both the assessment of inherent risk and the assessment or risk of material misstatement at the assertion level.

Whilst the standard does not set out the spectrum to be used (instead, leaving this for auditors and their methodology providers to establish), it does make clear that the higher on the spectrum of inherent risk a risk is assessed, the more persuasive the audit evidence needs to be.

Where on the spectrum a particular risk lies is a matter of professional judgement and is based on the significance of the combination of the likelihood and magnitude of a possible misstatement.

In considering the likelihood of a misstatement, consideration is given to the inherent risk factors (e.g. complexity, subjectivity, change, uncertainty and susceptibility to misstatement due to management bias or other fraud risk factors insofar as they affect inherent risk).

Whilst the concept of a spectrum of inherent risk does represent a significant change to risk assessment overall, which will take a bit of getting used to, it’s worth noting that the concept should once again already be familiar to auditors in the context of auditing estimates, given it was introduced into ISA (UK) 540 for periods commencing on or after 15 December 2019.

IT environment

The revisions to ISA (UK) 315 introduce more requirements in relation to gaining an understanding of the entity’s IT environment, including requirements to identify and assess risks of material misstatement arising from the use of IT related to the IT applications and other aspects of the entity’s IT environment.

For those auditors who have previously taken a controls-based approach to audits and relied upon automated controls, these revisions may not have a significant practical impact.  

For those auditors who have previously adopted a fully substantive approach, the revisions represent a much more significant change - one which would benefit from early consideration. We consider this area in more detail in our blog Revised ISA 315 – General IT Controls.

Professional scepticism

Another headline change to ISA (UK) 315 is the enhanced use of professional scepticism throughout the risk assessment process, including highlighting the need not to bias work towards obtaining evidence that is corroborative or excluding evidence that is contradictory.  

Professional scepticism should already be at the forefront of auditors’ minds having long been required in an audit context. Its greater emphasis within the revised ISA is likely to have little practical effect for auditors already giving it due concern, although it perhaps serves as a useful reminder to maintain such focus, especially given its greater prominence within the revised versions of ISA (UK) 540 and ISA (UK) 240 The Auditor's Responsibilities Relating to Fraud in an Audit of Financial Statements too.

Are you ready for ISQM?

The ISQM applies to all firms performing audits, reviews of financial statements or other assurance or related services engagements. If your firm practices any of the above services, then you need to meet the Quality Management Standards of ISQM by the 15th December 2022.

ISQM ▶

Overview

ISA 315 (Re­vised) deals with the au­di­tor’s re­spon­si­bil­ity to iden­tify and as­sess the risks of ma­te­r­ial mis­state­ment in the fi­nan­cial state­ments, through un­der­stand­ing the en­tity and its en­vi­ron­ment, in­clud­ing the en­tity’s in­ter­nal con­trol.

In July 2018, the IAASB is­sued for pub­lic com­ment an Ex­po­sure Draft of pro­posed re­vi­sions to ISA 315 (Re­vised), Iden­ti­fy­ing and As­sess­ing the Risks of Ma­te­r­ial Mis­state­ment, in or­der to ad­vance au­dit qual­ity. The IAASB is propos­ing more ro­bust re­quire­ments and im­proved guid­ance to: (i) drive con­sis­tent and ef­fec­tive iden­ti­fi­ca­tion and as­sess­ment of risks of ma­te­r­ial mis­state­ment; (ii) mod­ern­ize ISA 315 to meet evolv­ing busi­ness needs, in­clud­ing in­for­ma­tion tech­nol­ogy, and how au­di­tors use au­to­mated tools and tech­niques, in­clud­ing data an­a­lyt­ics, to per­form au­dit pro­ce­dures; (iii) im­prove the stan­dard’s ap­plic­a­bil­ity to en­ti­ties across a wide spec­trum of cir­cum­stances and com­plex­i­ties; and (iv) fo­cus au­di­tors on ex­er­cis­ing pro­fes­sional skep­ti­cism through­out the risk iden­ti­fi­ca­tion and as­sess­ment process.

In December 2019, the IAASB finalized and issued its revisions to ISA 315. Subsequently, the AASB approved the corresponding changes to CSA 315 and issued these revisions to the CPA Canada Handbook – Assurance in May 2020.

The revisions to CAS 315: (i) distinguish the nature and extent of work needed for indirect and direct controls in the system of internal control; (ii) clarify which controls need to be identified for evaluating the design of a control, and determining whether the control has been implemented; (iii) highlight scalability of the standard by keeping the principles-based requirements focused on what needs to be done, and using separate headings in the application material to illustrate scaling up for more complex situations and scaling down for less complex situations; (iv) clarify the definition of "significant risk" and explicitly introduce the concept of spectrum of inherent risk to assist the auditor in making a judgment, based on the likelihood and magnitude of a possible misstatement, on a range from higher to lower, when assessing risks of material misstatement; (v) introduce the concept of inherent risk factors, including complexity, subjectivity, change, uncertainty or susceptibility to misstatement due to management bias or other fraud risk factors insofar as they affect inherent risk; (vi) introduce the concepts of "significant classes of transactions, account balances and disclosures" and relevant assertions" to assist with the identification and assessment of the risk of material misstatement; (vii) separate the assessment of inherent and control risk; (viii) enhance the auditor's considerations in relation to the entity's use of information technology and how it affects the audit, and include considerations for using automated tools and techniques in the application material; (ix) introduce a requirement to "stand back" to evaluate the completeness of the significant classes of transactions, account balances and disclosures at the end of the risk assessment process; (x) use more explicit language and enhance requirements and application material to reinforce the importance of exercising professional skepticism when performing risk assessment procedures; and (xi) clarify the threshold for identifying possible risks of material misstatement in CAS 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Canadian Auditing Standards.

Revised CAS 315 is effective for audits of financial statements for periods beginning on or after December 15, 2021. Earlier application is permitted.

As a result of issuing revised CAS 315, requirements in the following standards have been amended to articulate more clearly the auditor's responsibilities regarding identifying and assessing the risks of material misstatement:

• CAS 240, The Auditor's Responsibilities Relating to Fraud in an Audit of Financial Statements, paragraphs 17, 21, 28 and 45;
• CAS 330, The Auditor's Responses to Assessed Risks, paragraphs 7-8, 10, 13-17 and 27;
• CAS 402, Audit Considerations Relating to an Entity Using a Service Organization, paragraphs 10-12 and 14; and
• CAS 540, Auditing Accounting Estimates and Related Disclosures, paragraphs 13, 16-17 and 19.

Other developments

May 2020

On May 4, 2020, the AASB released the Basis for Conclusions, which summarizes the process the AASB followed in revising CAS 315, Identifying and Assessing the Risks of Material Misstatement.

On May 1, 2020, the AASB issued to revisions to CSA 315 to the CPA Canada Handbook – Assurance.

December 2019

On December 19, 2019, the IAASB released International Standard on Auditing (ISA) 315 (Revised 2019), its revised standard for identifying and assessing risks of material misstatement.

July 2019

In July 2019, the AASB staff updated this project to note that the Board expects to finalize the Handbook material in Q1/2020.

January 2019

On January 31, 2019, the AASB issued a supplement to the September 2018 Exposure Draft, “Identifying and Assessing the Risks of Material Misstatement” (ED-CAS 315), to explain and illustrate the proposed conforming amendments to revised CAS 540, and paragraph A42 of CAS 200, arising from ED-CAS 315. Comments are requested by May 1, 2019.

September 2018

On September 6, 2018, the AASB issued an Exposure Draft proposing the adoption of ISA 315 (Revised), with appropriate Canadian amendments, if any. Stakeholders are invited to comment until November 2, 2018.

July 2018

On July 16, 2018, the IAASB issued for public comment an Exposure Draft of proposed revisions to ISA 315 (Revised).  Comments are requested by November 2, 2018.

June 2018

In June 2018, the AASB staff updated this project to indicate that the AASB expects to issue an exposure draft in Q4/2018.

November 2017

In November 2017, the AASB staff updated this project to indicate that the AASB expects to issue an Exposure Draft for comment in Q3/2018.

October 2016

In October 2016, the AASB staff updated this project to advise that the AASB expects to issue an Exposure Draft in respect of this project in Q1/2018.

July 2016

On July 21, 2016, CPA Canada issued an article written by Eric Turner, Director, Auditing and Assurance Standards of CPA Canada, alerting readers to the fact that the IAASB is currently reviewing ISA 315 and the audit risk model with a view to making a number of improvements.

Does ISA 540 Revised require separate inherent risk and control risk assessments at the assertion level?

What is inherent risk ISA?

What are the factors that are relevant to the assessment of the risk of material misstatement?

What is the factors that will influence the assessment of auditor regarding inherent risk?