and others at the client
2. Analytical procedures
3. Observation and inspection
(AU-C 315.06)
The auditor's risk assessment procedures provide the audit evidence necessary to support the auditor's risk assessments, which in turn support the determination of the nature, timing, and extent of further audit procedures. Thus, the results of the auditor's risk assessment procedures are an integral part of the audit evidence obtained to support the opinion on the financial statements.
NOTE: Under the previous auditing standards, it was common for auditors to declare control risk to be maximum simply for audit efficiency, without any basis for making that assessment. Section 315 eliminates that practice by requiring auditors to document their rationale for assessing control risk. This rationale should be based on the information gathered from the performance of risk assessment procedures. The elimination of the auditor's ability to default to maximum control risk without justification is a significant change from previous practice.
A Mix of Procedures
Except for the five components of internal control, the auditor is not required to perform all the procedures for each of the five aspects of the client and its environment listed in the upcoming subsection, “The Entity and Its Environment.” However, in the course of gathering information about the client, the auditor should perform all the risk assessment procedures.
Other procedures may provide relevant information about the entity. For example:
● When relevant to the audit, the auditor should consider other information, which may include:
● Information obtained from the client acceptance or continuance process (AU-C 315.07)
● Experience gained on other engagements performed for the entity (AU-C 315.08)
● Some of the procedures the auditor performs to assess the risks of material misstatement due to fraud also may help gather information about the entity and its environment, particularly its internal control. (AU-C 315.09)
NOTE: Because of the close connection between the assessment of the risk of material misstatement and the procedures performed to assess fraud risk, the auditor will want to:
● Coordinate the procedures he or she performs to assess the risk of material misstatement due to fraud with the other risk assessment procedures.
● Consider the results of his or her assessment of fraud risk when identifying the risk of material misstatement.
Updating Information from Prior Periods
If certain conditions are met, the auditor may use information obtained in prior periods as audit evidence in the current period audit. However, when the auditor intends to use information from prior periods in the current period audit, the auditor should determine whether changes have occurred that may affect the relevance of the information for the current audit. (AU-C 315.10) To make this determination, the auditor should make inquiries and perform other appropriate audit procedures, such as walk-throughs of systems. (AU-C 315.A20)
Discussion by the Audit Team
The members of the audit team should discuss the susceptibility of the client's financial statements to material misstatement. (AU-C 315.11) This discussion will allow team members to exchange information and create a shared understanding of the client and its environment, which in turn will enable each team member to:
● Share his or her knowledge.
● Gain a better understanding of the potential for material misstatement resulting from fraud or error in the assertions that are relevant to the areas assigned to them.
● Exchange information about business risks.
● Understand how the results of the audit procedures that they perform may affect other aspects of the audit.
This “brainstorming session” of the audit team could be held at the same time as the team's discussion related to fraud, which is required by Section 240. (AU-C 315.A21)
Understanding the Entity and Its Environment, Including Internal Control
The Entity and Its Environment
The auditor should obtain an understanding of the following five elements of the entity and its environment:
1. External factors, including:
● Industry factors, such as the competitive environment, supplier and customer relationships, and technological developments.
● The regulatory environment, which includes the applicable financial reporting framework, the legal and political environment, and environmental requirements that affect the industry.
● Other matters, such as general economic conditions
2. Nature of the client, which includes its operations, its ownership, governance, the types of investments it makes and plans to make, how it is financed, and how it is structured.
3. Accounting policies, including the entity's selection and application of accounting policies, the reasons for any changes, and whether the entity's accounting policies are appropriate for its business and consistent with the applicable financial reporting framework and accounting policies used in the relevant industry.
4. Objectives and strategies and related business risks, which may result in material misstatement of the financial statements taken as a whole or as individual assertions.
5. Measurement and review of the client's financial performance, which tell the auditor which aspects of the client's performance management considers important.
(AU-C 315.12)
NOTE: The purpose of understanding the entity and its environment is to help identify and assess risk. For example:
● Information about the client's industry may allow the auditor to identify characteristics of the industry that could give rise to specific misstatements.
● Information about the ownership of the client, how it is structured, and other elements of its nature will help identify related-party transactions that, if not properly accounted for and adequately disclosed, could lead to a material misstatement.
● The auditor's identification and understanding of the business risks facing the entity increase the chance of identifying financial reporting risks.
● Information about the performance measures used by the entity may lead the auditor to identify pressures or incentives that could motivate entity personnel to misstate the financial statements.
● Information about the design and implementation of internal control may identify deficiencies in control design, which increase the risk of material misstatement.
Evaluating the Design of Internal Control
On every audit, the auditor should obtain an understanding of internal control that is of sufficient depth to enable the auditor to:
1. Assess the risks of material misstatement of the financial statements, whether due to error or to fraud.
2. Design
