SA 315 deals with the responsibility of auditor in identifying and assessing the risk of material misstatement through understanding the entity and its environment
1. Effective Date
SA 315 is effective for audits of financial statements for the period beginning on or after April 1, 2008.
The objective of the auditor is to identify and assess the risk of material misstatement in an entity’s financial statement and implement appropriate responses (Refer SA 330) & procedures which will reduce such risk to an acceptably low level.
“Representations by the management, explicit or otherwise, that are embodied in the financial statements, as used by the auditor to consider the different types of potential misstatements that may occur”
II. Business risk
“A risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and excludes strategies, or from the settling of inappropriate objectives”
III. Significant risk
“An identified or assessed risk of material misstatements that, in the auditor’s judgment requires special audit consideration”
I. Risk assessment procedure is only a basis to identify and assess the risk and do not provide appropriate audit evidence to form an opinion. It includes the following:
(i) Inquire persons within the entity for information in assisting identifying the risk of material misstatement due to fraud or error
(ii) Analytical procedure (Refer SA 520)
(iii) Observation and inspection of entity’s operations, documents and reports
II. Consider relevant information obtained from the auditor’s client acceptance or continuance process
III. Engagement partner to consider relevant information from the other engagements for the entity
IV. If information from the previous audits/experience is considered, then the auditor should determine if there are any changes that affect the relevance of the current audit
V. Partner and members of the engagement teams to discuss the susceptibility of any misstatement in the financial statements and application of financial reporting framework
5. Entity’s Environment
The auditor should obtain an understanding of the following:
6. Entity’s Internal Control
The auditor should understand the relevant internal control for the audit. Professional judgment is to be applied by the auditor to identify such relevant controls (individually or combined):
7. Entity’s Risk Process
The auditor should obtain an understanding of whether the entity has a process of:
a. Identifying business risk relevant to financial reporting
b. Estimating the significance of the risks
c. Assessing the likelihood of their occurrence
d. Actions to address such risk
When understanding the entity’s risk assessment process, if the auditor identifies any new risk then it has to be evaluated whether there was an underlying risk of a kind that would have been identified by the entity’s risk assessment process.
If there is such a risk, then the reason for the non-identification by risk assessment process should be understood and evaluate the process is appropriate or determine if there is a significant deficiency in internal control.
If there is no such process, the auditor has to discuss with the management whether business risk relevant to financial reporting objectives have been identified and addressed. Auditor has to evaluate whether an absence of a documented risk assessment process is appropriate or determine whether it represents a significant deficiency in internal control.
8. Information System Activities
Auditor to obtain an understanding of how the entity communicates financial reporting roles & responsibilities including:
(i) Communication between management and those charged with governance
(ii) External communications with regulatory authorities
9. Control Activities
Auditor to understand the control activities relevant to the audit through which the risk at the assertion level can be assessed and design further audit procedures responsive to assessed risk.
Only those control activities related to the significant class of transactions, account balance and disclosure in the financial statements relevant to the assessed risk:
I. Understand how the entity has responded to risk arising from Information Technology
II. Understand the major activities used to monitor internal control over financial reporting and remedial actions for control deficiencies
III. If the entity has an internal audit function relevant to the audit, auditor to determine:
a. Nature of the internal audit function’s responsibilities
b. It’s fit in the entity’s organizational structure
c. Activities performed or to be performed
Auditor to obtain an understanding of the sources of information used in the entity’s monitoring activities and the basis for it to be reliable for the purpose.
10. Identifying and Assessing the Risk of Material Misstatement
In order to provide a basis for designing and performing further audit procedures, the auditor has to identify and assess the risk of material misstatement at:
(i) Financial statements level
(ii) Assertion level for the class of transaction, account balance and disclosures
11. The risk that requires Special Audit Considerations
In Auditor’s opinion, if any of the identified risks is a significant risk, the auditor has to obtain an understanding of the entity’s control, including control activities relevant to that risk.
Following are to be considered to identify a risk as significant:
(i) Risk of fraud
(ii) Relates to recent significant economic, accounting or other developments like regulatory environment changes etc
(iii) Complexity of transactions
(iv) Significant transactions with related parties
(v) The degree of subjectivity in the measurement of financial information related to the risk
(vi) Significant transactions outside the normal course of business or unusual transactions
12. Revision of Risk Assessment
During an audit, if the auditor obtains additional audit evidence or new information which changes the level of risk assessed then auditor should revise the assessment and modify the further planned audit procedures accordingly
(i) Discussion among engagement team covering all significant decisions taken
(ii) Key elements of the understanding of the entity and its environment including sources of such information
(iii) Internal control components
(iv) Identified and assessed the risk of material misstatement at the financial statements level and at the assertion level
(v) Risk identified and related controls