AU-C Section 315: Identifying and Assessing Risk

Learn how auditors apply AU-C 315 to synthesize information about a company and its operations, forming a basis for assessing financial statement risk.

Auditing standards guide auditors in forming an opinion on whether a company’s financial statements are presented fairly. AU-C Section 315 is a standard that directs how auditors gain an understanding of a company and its internal controls. This understanding is used to identify and assess the risks that could cause a material misstatement in the company’s financial statements. This standard was amended by Statement on Auditing Standards (SAS) No. 145, which modernizes the approach to risk assessment.

This standard requires auditors to look at the company holistically, considering both internal and external factors that could impact its financial reporting. By systematically gathering and evaluating this information, auditors can tailor their audit procedures to address the specific risks present in each company. This risk-based approach is fundamental to performing an effective and efficient audit.

Core Objective and Key Definitions

The objective of AU-C Section 315 is for the auditor to identify and assess the risks of material misstatement, whether due to error or fraud, at the financial statement and assertion levels. This is achieved by developing an understanding of the entity, its environment, and its system of internal control. This understanding provides a basis for designing audit procedures responsive to the assessed risks.

Assertions are representations by management, explicit or otherwise, that are embodied in the financial statements. These include claims about the occurrence of transactions, the completeness of recorded information, and the valuation of assets and liabilities. The auditor uses these assertions to consider the different types of potential misstatements that may occur.

The risk of material misstatement (RMM) is the risk that the financial statements are materially misstated prior to the audit. The standard requires the auditor to separately assess two components of this risk: inherent risk and control risk. Inherent risk is the susceptibility of an assertion to a misstatement that could be material, assuming there are no related controls.

Control risk is the risk that a misstatement that could occur in an assertion and that could be material will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control. The separate assessment of inherent risk and control risk shapes the entire audit strategy.

Understanding the Entity and Its Environment

AU-C Section 315 requires auditors to obtain an understanding of the entity and its environment to assess risks. This process involves looking beyond the accounting records to grasp the broader context in which the company operates, including relevant industry, regulatory, and other external factors. Auditors must understand the competitive landscape, market demand, and any laws that could impact the company’s financial reporting.

The auditor must also understand the nature of the entity itself, including its operations, products, services, and locations. This also includes its ownership and governance structure, how it is financed, and the types of investments it makes. Another element is the entity’s selection and application of accounting policies. The auditor evaluates whether these policies are appropriate for the business and consistent with the applicable financial reporting framework.

The entity’s objectives, strategies, and related business risks are also a focus. Business risks are conditions or events that could adversely affect the entity’s ability to achieve its objectives. Auditors must understand those business risks that could lead to a material misstatement. Finally, the auditor examines how the entity measures and reviews its financial performance, such as by looking at key performance indicators, budgets, and variance analyses. Understanding these metrics can reveal pressures on management that might create an incentive to misstate financial results.

Evaluating the System of Internal Control

An auditor must obtain a thorough understanding of the entity’s system of internal control. This system consists of processes designed by management to provide reasonable assurance about objectives related to financial reporting, operations, and compliance. The standard requires the auditor to evaluate five interrelated components of internal control.

Control Environment

The control environment sets the tone of the organization, encompassing the governance and management functions and the attitudes of those in charge concerning internal control. The auditor seeks to understand management’s philosophy, its commitment to integrity and ethical values, and the assignment of authority and responsibility.

The Entity’s Risk Assessment Process

This is how management identifies business risks relevant to financial reporting, estimates their significance, and decides on actions to manage them. The auditor obtains an understanding of this process to see how the company identifies and responds to risks.

Control Activities

Control activities are the policies and procedures that help ensure management’s directives are carried out. These are the specific actions taken to address risks and include activities like authorizations, performance reviews, information processing controls, physical controls, and segregation of duties.

Information and Communication

The auditor needs to understand the information system relevant to financial reporting, including the classes of transactions significant to the financial statements and the procedures by which those transactions are initiated, recorded, and reported. Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control.

Monitoring of Controls

This is the process that assesses the effectiveness of internal control performance over time. Management’s monitoring activities may include using information from internal and external auditors or reviewing whether controls are operating as intended. Understanding this component helps the auditor determine if the internal control system is effective.

Executing Risk Assessment Procedures

To gather the information needed to understand the entity and its internal controls, auditors perform specific risk assessment procedures. The standard outlines three primary types of procedures that must be performed.

The first procedure is inquiry. Auditors conduct inquiries of management, individuals within the internal audit function, and others within the entity who may have relevant information. These inquiries can range from formal written questions to informal oral discussions to obtain information about the company’s operations, strategies, and known risks.

The second procedure involves performing analytical procedures. These procedures consist of evaluations of financial information through analysis of plausible relationships among both financial and non-financial data. For example, an auditor might analyze trends in revenue over time or compare financial ratios to industry averages, as unexpected fluctuations can signal potential risks.

The third procedure is observation and inspection. Observation involves looking at a process or procedure being performed by others, such as watching staff take a physical inventory count. Inspection involves examining records, documents, or physically examining an asset to corroborate information obtained through other procedures.

Identifying and Assessing Financial Statement Risks

After gathering information through risk assessment procedures, the auditor identifies and assesses risks. This step requires professional judgment to synthesize the collected evidence and pinpoint where material misstatements are most likely to occur. The assessment is conducted at two distinct levels.

The first level of assessment is for risks that relate pervasively to the financial statements as a whole, often referred to as overall financial statement level risks. These can affect many different assertions and include risks related to a weak control environment or concerns about management’s integrity. These risks often require an overarching response from the auditor, such as assigning more experienced staff to the engagement.

The second level of assessment is more granular, focusing on risks at the relevant assertion level for specific classes of transactions, account balances, and disclosures. For each significant account, the auditor considers what could go wrong and links those potential misstatements to specific financial statement assertions. This detailed assessment allows the auditor to design targeted audit procedures that directly address the identified risks.

Within this assessment, the auditor must identify any “significant risks.” A significant risk is an identified risk of material misstatement for which the assessment of inherent risk is high. Factors that may lead to this classification include the risk of fraud, the complexity of transactions, or the degree of subjectivity in financial measurements. Identifying a risk as significant triggers specific required responses, such as gaining a more in-depth understanding of the related controls.
