that could adversely affect an entity's ability to achieve its objectives and execute its strategies, or resulting from the setting of inappropriate objectives and strategies.
Internal control. A process effected by those charged with governance, management, and other personnel that is designed to provide reasonable assurance about the achievement of the entity's objectives with regard to the reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. Internal control over safeguarding of assets against unauthorized acquisition, use, or disposition may include controls relating to financial reporting and operations objectives.
Relevant assertion. A financial statement assertion that has a reasonable possibility of containing a misstatement or misstatements that would cause the financial statements to be materially misstated. The determination of whether an assertion is a relevant assertion is made without regard to the effect of internal controls.
Risk assessment procedures. The audit procedures performed to obtain an understanding of the entity and its environment (including the entity's internal control) to identify and assess the risks of material misstatement, whether due to fraud or to error, at the financial statement and relevant assertion levels.
Significant risk. An identified and assessed risk of material misstatement that, in the auditor's professional judgment, requires special audit consideration.
Objectives of AU-C Section 315
AU-C Section 315.03 states that:
…the objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and relevant assertion levels through understanding the entity and its environment, including the entity's internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement.
Overview
The audit risk model describes audit risk as:
where AR is audit risk, RMM is the risk of material misstatement, and DR is detection risk. The risk of material misstatement is a combination of inherent and control risk. Although the standard describes a combined risk assessment, the auditor may perform separate assessments of inherent and control risks.
Section 315 describes how the auditor should identify and assess the risk of material misstatement, which provides a basis for designing further audit procedures. These further audit procedures (which consist of tests of controls and substantive tests) must be clearly linked and responsive to assessed risks.
Section 315 also includes the concept of significant risks, which are risks that require special audit consideration. (See “Definitions of Terms.”) One or more significant risks arise on all audits.
The following is an overview of how the process is described in Section 315:
1. Perform risk assessment procedures to gather information and gain an understanding of the entity and its environment, including internal control.
2. Based on this understanding, identify risks of material misstatement, which may exist at either the financial statement or the relevant assertion level.
3. Assess the risk of material misstatement, which requires the auditor to:
● Identify the risk of material misstatement.
● Describe the identified risks in terms of what can go wrong in specific assertions.
● Consider the significance and likelihood of material misstatement for each identified risk.
NOTE: This process for assessing risk is consistent with the process for assessing the risk of material misstatement due to fraud. Essentially it is an information gathering, assessment, and response process, in which the auditor gathers information about the entity, assimilates and synthesizes that information to make an assessment of risk, and then designs audit procedures that are responsive to those risks.
The assessment of the risk of material misstatement enables the auditor to design appropriate further audit procedures, which are clearly linked and responsive to the assessed risks.
NOTE: Section 315 describes risks as existing at one of two levels: the financial statement level or the relevant assertion level. This distinction is important because the nature of the auditor's response differs depending on whether the risk is at the financial statement level or the assertion level.
● The risk of material misstatement at the financial statement level has a pervasive effect on the financial statements and affects many assertions. The control environment is an example of a financial-statement-level risk. In addition to developing assertion-specific responses, financial-statement-level risks may require the auditor to develop an overall response, such as assigning more experienced team members.
● Assertion-level risks pertain to a single assertion or related group of assertions. Assertion-level risks will require the auditor to design and perform specific further audit procedures such as tests of controls and/or substantive procedures that are directly responsive to the assessed risk.
Section 330 provides guidance on the design and performance of further audit procedures.
In all audits, the auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or to fraud, and to design the nature, timing, and extent of further audit procedures.
This assessment of the risk of material misstatement becomes the basis for the proper design of further audit procedures.
NOTE: Obtaining an understanding of the entity and its environment also allows the auditor to make judgments about other audit matters, such as:
● Materiality
● Whether the entity's selection and application of accounting policies are appropriate and financial statement disclosures are adequate
● Areas where special audit consideration may be necessary – for example, related-party transactions
● The expectation of recorded amounts used for performing analytical procedures
● The evaluation of audit evidence
Even if the auditor plans a purely substantive audit, he or she still is required to obtain an understanding of internal control. Such an understanding is necessary to:
● Identify missing or ineffective controls.
● Evaluate identified control deficiencies.
● Confirm that substantive procedures alone are sufficient to design and perform an appropriate audit strategy and provide sufficient appropriate audit evidence to support the audit opinion.
Requirements
Risk Assessment Procedures
The auditor should perform risk assessment procedures to provide a basis for the assessment of material misstatement. (AU-C 315.05) Risk assessment procedures include:
1. Inquiries
