SA 315 Identifying and Assessing the Risk of Material Misstatement Through Understanding the Entity and Its Environment

SA 315 deals with the responsibility of auditor in identifying and assessing the risk of material misstatement through understanding the entity and its environment

Effective Date

SA 315 is effective for audits of financial statements for the period beginning on or after April 1, 2008.

Objective

The objective of the auditor is to identify and assess the risk of material misstatement in an entity’s financial statement and implement appropriate responses (Refer SA 330) & procedures which will reduce such risk to an acceptably low level.

Definitions

Assertions

“Representations by the management, explicit or otherwise, that are embodied in the financial statements, as used by the auditor to consider the different types of potential misstatements that may occur”

Business risk

“A risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and excludes strategies, or from the settling of inappropriate objectives”

Significant risk

“An identified or assessed risk of material misstatements that, in the auditor’s judgment requires special audit consideration”

Requirements

• Risk assessment procedure is only a basis to identify and assess the risk and do not provide appropriate audit evidence to form an opinion. It includes the following:
  • Inquire persons within the entity for information in assisting identifying the risk of material misstatement due to fraud or error
  • Analytical procedure (Refer SA 520)
  • Observation and inspection  of entity’s operations, documents and reports
• Consider relevant information obtained from the auditor’s client acceptance or continuance process
• Engagement partner to consider relevant information from the other engagements for the entity
• If information from the previous audits/experience is considered, then the auditor should determine if there are any changes that affect the relevance of the current audit
• Partner and members of the engagement teams to discuss the susceptibility of any misstatement in the financial statements and application of financial reporting framework

Entity’s Environment

The auditor should obtain an understanding of the following:

Entity’s Internal Control

The auditor should understand the relevant internal control for the audit. Professional judgment is to be applied by the auditor to identify such relevant controls (individually or combined):

Entity’s Risk Process

The auditor should obtain an understanding of whether the entity has a process of:

• Identifying business risk relevant to financial reporting
• Estimating the significance of the risks
• Assessing the likelihood of their occurrence
• Actions to address such risk

When understanding the entity’s risk assessment process, if the auditor identifies any new risk then it has to be evaluated whether there was an underlying risk of a kind that would have been identified by the entity’s risk assessment process. If there is such a risk, then the reason for the non-identification by risk assessment process should be understood and evaluate the process is appropriate or determine if there is a significant deficiency in internal control.

If there is no such process, the auditor has to discuss with the management whether business risk relevant to financial reporting objectives have been identified and addressed. Auditor has to evaluate whether an absence of a documented risk assessment process is appropriate or determine whether it represents a significant deficiency in internal control.

Information System Activities

Auditor to obtain an understanding of how the entity communicates financial reporting roles & responsibilities including:

• Communication between management and those charged with governance
• External communications with regulatory authorities

Control Activities

Auditor to understand the control activities relevant to the audit through which the risk at the assertion level can be assessed and design further audit procedures responsive to assessed risk. Only those control activities related to the significant class of transactions, account balance and disclosure in the financial statements relevant to the assessed risk:

• Understand how the entity has responded to risk arising from Information Technology
• Understand the major activities used to monitor internal control over financial reporting and remedial actions for control deficiencies
• If the entity has an internal audit function relevant to the audit, auditor to determine:
  • Nature of the internal audit function’s responsibilities
  • It’s fit in the entity’s organizational structure
  • Activities performed or to be performed Auditor to obtain an understanding of the sources of information used in the entity’s monitoring activities and the basis for it to be reliable for the purpose.

Identifying and Assessing the Risk of Material Misstatement

In order to provide a basis for designing and performing further audit procedures, the auditor has to identify and assess the risk of material misstatement at:

• Financial statements level
• Assertion level for the class of transaction, account balance and disclosures

The risk that requires Special Audit Considerations

In Auditor’s opinion, if any of the identified risks is a significant risk, the auditor has to obtain an understanding of the entity’s control, including control activities relevant to that risk. Following are to be considered to identify a risk as significant:

• Risk of fraud
• Relates to recent significant economic, accounting or other developments like regulatory environment changes etc
• Complexity of transactions
• Significant transactions with related parties
• The degree of subjectivity in the measurement of financial information related to the risk
• Significant transactions outside the normal course of business or unusual transactions

Revision of Risk Assessment

During an audit, if the auditor obtains additional audit evidence or new information which changes the level of risk assessed then auditor should revise the assessment and modify the further planned audit procedures accordingly

Documentation

• Discussion among engagement team covering all significant decisions taken
• Key elements of the understanding of the entity and its environment including sources of such information
• Internal control components
• Identified and assessed the risk of material misstatement at the financial statements level and at the assertion level
• Risk identified and related controls