AU-C 315: Risk Assessment in a Financial Audit

Explore the principles of AU-C 315, which guide how auditors establish a basis for their procedures by understanding an entity and its inherent risks.

Auditing standards provide a roadmap for auditors to form an opinion on a company’s financial statements. AU-C 315, issued by the American Institute of Certified Public Accountants (AICPA) for non-public entities, establishes the framework for identifying and assessing the risks of material misstatement. The standard guides auditors in understanding a company and its internal controls to pinpoint risks. This risk-based approach allows auditors to design subsequent procedures that directly address potential problem areas.

Recent updates, codified in Statement on Auditing Standards (SAS) No. 145, have modernized this risk assessment process. These changes, effective for audits of financial statements for periods ending on or after December 15, 2023, aim to improve the clarity and application of risk assessment procedures.

Required Understanding of the Entity and Its Environment

AU-C 315 requires auditors to develop a comprehensive understanding of the company and its operating context. This understanding forms the basis for identifying potential risks of material misstatement. Auditors perform specific risk assessment procedures, including inquiring of management, performing analytical procedures, and using observation and inspection.

Industry and Regulatory Factors

Auditors must understand the company’s position within its industry and its interaction with external factors. This includes analyzing the competitive landscape, market demand, technological developments, and general economic conditions. They also examine the applicable financial reporting framework and any laws or industry-specific regulations that affect the company’s accounting or operations.

Nature of the Entity

The auditor must gain an understanding of the nature of the entity itself. This involves learning about its core operations, products, and revenue streams, as well as its ownership and governance structure. The auditor also examines the company’s investments and how the entity is structured, whether as a single location or a complex organization.

Objectives and Strategies

Auditors must understand the entity’s objectives, strategies, and related business risks. Reviewing the company’s strategic plan helps identify business risks that could create pressures leading to material misstatement. While auditors are not responsible for identifying all business risks, they must consider those that could impact financial reporting.

Financial Performance Measurement

The auditor must understand how the company measures and reviews its financial performance. This involves examining key performance indicators (KPIs) that management uses to track progress. Auditors review internal documents like budgets and forecasts, as well as external measures like analyst reports, to understand the pressures the company faces to meet performance targets.

Required Understanding of the Internal Control System

A significant part of the risk assessment process involves understanding the entity’s system of internal control. Auditors must evaluate the design of relevant controls and determine if they have been implemented. This is done to identify areas where risks of material misstatement might exist, not to express an opinion on the controls’ effectiveness. The analysis is based on the five components of internal control from the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

The control environment sets the tone of an organization, influencing the control consciousness of its people. Auditors evaluate management’s integrity and ethical values, their commitment to competence, and the participation of those charged with governance. They also assess the organizational structure and human resource policies. A weak control environment can undermine other control procedures.

The entity’s own risk assessment process concerns how the company identifies business risks relevant to financial reporting, estimates their significance, and decides on actions to manage them. This is distinct from the auditor’s risk assessment. The auditor examines the process management uses to identify risks arising from changes in the operating environment, new personnel, or rapid growth.

The information system and communication component focuses on the systems and processes pertinent to financial reporting. The auditor must understand the classes of transactions significant to the financial statements. This includes the procedures by which transactions are initiated, recorded, processed, and reported, and how roles and responsibilities are communicated.

Control activities are the policies and procedures that help ensure management directives are carried out to address risks. Auditors identify control activities relevant to the audit, which may include performance reviews, information processing controls, physical controls, and segregation of duties. Examples include requiring authorization for transactions or performing regular reconciliations.

Monitoring of controls is the process that assesses the effectiveness of internal control performance over time. Management’s monitoring may include ongoing activities or separate evaluations. Auditors need to understand how the company monitors its controls to ensure they are operating as intended and how it takes corrective action for any identified deficiencies.

Identifying and Assessing Risks of Material Misstatement

After gathering information about the entity, its environment, and its internal control, the auditor identifies and assesses the risks of material misstatement. This process requires professional judgment to determine where errors or fraud could cause the financial statements to be materially incorrect. The assessment is conducted at two distinct levels.

A key change introduced by SAS No. 145 is the requirement for the auditor to assess inherent risk and control risk separately. This separate assessment provides a more granular basis for designing and performing further audit procedures to respond to the risks of material misstatement.

The first level of assessment is for risks at the financial statement level. These are risks that relate pervasively to the financial statements as a whole and could potentially affect many assertions. Examples include a weak control environment, concerns about management’s integrity, or going concern issues. Such risks often require an overall response from the auditor, such as assigning more experienced staff or increasing professional skepticism.

The second level is the assessment of risks at the assertion level. Assertions are management’s representations embodied in the financial statements, such as the existence of inventory or the valuation of accounts receivable. The auditor identifies risks for specific transaction classes, account balances, and disclosures. For instance, the risk of inventory obsolescence relates directly to the valuation assertion for the inventory account balance.

SAS No. 145 introduced five inherent risk factors to help evaluate the susceptibility of an assertion to misstatement:

  • Complexity
  • Subjectivity
  • Change
  • Uncertainty
  • Susceptibility to misstatement due to management bias

A transaction involving a complex derivative would have a high inherent risk due to complexity, while an accounting estimate for a legal contingency would have high risk due to subjectivity and uncertainty.

The standard requires the auditor to determine if any of the identified risks are a “significant risk.” A significant risk is an identified risk of material misstatement for which the assessment of inherent risk is close to the upper end of the spectrum. These risks require special audit consideration. Factors that often lead to this determination include the risk of fraud, significant accounting estimates, and complex transactions with related parties.

SAS No. 145 also introduces a “stand-back” requirement. This provision requires the auditor to pause and evaluate the completeness of their work, reflecting on all evidence obtained. The auditor must consider whether their determination of significant classes of transactions, account balances, and disclosures remains appropriate, ensuring the risk assessment is comprehensive.

Documentation Requirements

The final step is to document the work performed and conclusions reached. This documentation provides evidence that the audit was adequately planned and that the risk assessment supports further audit procedures. The documentation must be sufficient for an experienced auditor with no prior connection to the engagement to understand the work performed.

Key documentation requirements include:

  • The discussion among the engagement team about the financial statements’ susceptibility to material misstatement, including who participated and the decisions reached.
  • The understanding obtained regarding the entity, its environment, and its internal control system, including information sources and procedures performed.
  • The identified and assessed risks of material misstatement at both the financial statement and assertion levels, linking risks to the assertions they affect.
  • The rationale for the risk assessment, including the basis for identifying any “significant risks” and why they require special audit consideration.