2332 Risk assessment at the group level
Sep-2022

The Risk Assessment

CAS Requirement

The auditor shall design and perform risk assessment procedures to obtain audit evidence that provides an appropriate basis for (CAS 315.13):

a) The identification and assessment of risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels; and

b) The design of further audit procedures in accordance with CAS 330.

The auditor shall design and perform risk assessment procedures in a manner that is not biased towards obtaining audit evidence that may be corroborative or towards excluding audit evidence that may be contradictory.

CAS Guidance

Obtaining an understanding of the entity and its environment, the applicable financial reporting framework and the entity’s system of internal control is a dynamic and iterative process of gathering, updating and analyzing information and continues throughout the audit. Therefore, the auditor’s expectations may change as new information is obtained (CAS 315.A48).

The group engagement team’s assessment at group level of the risks of material misstatement of the group financial statements is based on information such as the following (CAS 600.A31):

  • Information obtained from the understanding of the group, its components, and their environments, and of the consolidation process, including audit evidence obtained in evaluating the design and implementation of group‑wide controls and controls that are relevant to the consolidation.

  • Information obtained from the component auditors.

OAG Guidance

As noted in CAS 600.A31, the approach to obtaining an understanding of the entity and its environment, the applicable financial reporting framework and the entity’s system of internal control that the group engagement team uses as the basis for its group level risk assessment may differ in some respects when compared to the approach taken for the audit of a standalone entity. For example, for significant components where a component auditor is to perform an audit of the financial information, CAS 600.30 requires the group engagement team to be involved in the component auditor’s risk assessment to identify significant risks of material misstatement of the group financial statements.

Group engagement teams utilize the understanding obtained from the various sources of information, including the information obtained from component auditors, and apply the guidance in OAG Audit 5040 to identify and assess risks of material misstatement of the group financial statements, including:

  • Identifying the significant FSLIs in the group financial statements, and any FSLIs not determined to be significant but that are material; and

  • Identifying and assessing risks of material misstatement of the group financial statements, both at the financial statement level and at the assertion level, including, for assertion level risks, identifying relevant assertions and assessing the degree to which inherent risk factors affect the susceptibility of relevant assertions to misstatement.

The group engagement team’s determination of significant FSLIs and assessment of risks of material misstatement of the group financial statements, including significant risks, is an important consideration in developing the overall group audit strategy and plan, including identifying significant components (see OAG Audit 2323) and determining the type of work to be performed on the financial information of components (see OAG Audit 2335).

Significant Risk Considerations

CAS Requirement

If significant risks of material misstatement of the group financial statements have been identified in a component on which a component auditor performs the work, the group engagement team shall evaluate the appropriateness of the further audit procedures to be performed to respond to the identified significant risks of material misstatement of the group financial statements. Based on its understanding of the component auditor, the group engagement team shall determine whether it is necessary to be involved in the further audit procedures (CAS 600.31).

OAG Guidance

Determining significant risks is an important element of assessing the risk of material misstatement to the financial statements, as required by CAS 315. The group engagement team needs to identify and respond to significant risks at the group level and inform the component auditors of such risks that are relevant to the work of component auditors (see OAG Audit 2341, OAG Audit 2343, and OAG Audit 5043). If any elevated risks at the group level are identified as relevant to the work of component auditors, the group engagement team may elect to also communicate them to the component auditors. Separately, the component auditor needs to report to the group engagement team any significant risks that have been identified at the component that could affect the group financial statements, the component auditor’s responses to the risks and the results thereof (see guidance on communications in OAG Audit 2341, OAG Audit 2342, and OAG Audit 2343).

Significant Components

CAS Requirement

If a component auditor performs an audit of the financial information of a significant component, the group engagement team shall be involved in the component auditor’s risk assessment to identify significant risks of material misstatement of the group financial statements. The nature, timing and extent of this involvement are affected by the group engagement team’s understanding of the component auditor, but at a minimum shall include (CAS 600.30):

(a)   discussing with the component auditor or component management those of the component’s business activities that are significant to the group;

(b)   discussing with the component auditor the susceptibility of the component to material misstatement of the financial information due to fraud or error; and

(c)   reviewing the component auditor’s documentation of identified significant risks of material misstatement of the group financial statements. Such documentation may take the form of a memorandum that reflects the component auditor’s conclusion with regard to the identified significant risks.

Audit Risk and Response

CAS Guidance

The auditor is required to identify and assess the risks of material misstatement of the financial statements due to fraud, and to design and implement appropriate responses to the assessed risks. Information used to identify the risks of material misstatement of the group financial statements due to fraud may include the following (CAS 600.A27):

  • Group management’s assessment of the risks that the group financial statements may be materially misstated as a result of fraud.

  • Group management’s process for identifying and responding to the risks of fraud in the group, including any specific fraud risks identified by group management, or account balances, classes of transactions, or disclosures for which a risk of fraud is likely.

  • Whether there are particular components for which a risk of fraud is likely.

  • How those charged with governance of the group monitor group management’s processes for identifying and responding to the risks of fraud in the group, and the controls group management has established to mitigate these risks.

  • Responses of those charged with governance of the group, group management, appropriate individuals within the internal audit function (and if considered appropriate, component management, the component auditors, and others) to the group engagement team’s inquiry whether they have knowledge of any actual, suspected, or alleged fraud affecting a component or the group.

OAG Guidance

Significant risks may be group-wide or specific to components or groups of components. All significant risks of material misstatement of the consolidated financial statements that are identified by the group or component engagement teams are documented by the group engagement team (see documentation guidance in block The Risk Assessment). Documentation of the audit response for each risk may be prepared for individual components, groups of components, or the entire group depending on the circumstances of the group audit.

The group engagement team needs to document all significant risks and responses for the group audit. The group engagement team’s documentation of the audit response for significant risks that are addressed by component auditors may be less detailed than for the FSLIs and risks for which the group engagement team is responsible for performing audit work (e.g., FSLIs audited at the head office) since such documentation is maintained by the component auditor, and summarized in the component auditor’s communication to the group engagement team (OAG Audit 2343). For example, for significant risks that are addressed by component auditors, the group engagement team’s documentation of the planned audit response is typically included in the communication of significant risks relevant to component auditors. The understanding of the proposed audit response to the significant risk is typically obtained by the group engagement team when evaluating the appropriateness of the further audit procedures to be performed by the component engagement team as required by CAS 600.31.

The group auditor, in instructions to components, requests the component auditors to provide documentation of any significant risks that may affect the group audit, which include management’s controls in place to address the risk, the procedures performed by the component auditor and the results of the procedures. The instructions also include details on the required documentation of risks and response to ensure that the component auditors have documentation of the audit response for the significant risks for which they are responsible.

Detailed guidance relating to fraud risk is included in OAG Audit 5500. This section provides additional guidance for group audits.

Examples of Risks of Material Misstatement of the Group Financial Statements

CAS Guidance

Appendix 3 sets out examples of conditions or events that, individually or together, may indicate risks of material misstatement of the group financial statements, including risks due to fraud (CAS 600.A30).

The examples provided cover a broad range of conditions or events; however, not all conditions or events are relevant to every group audit engagement and the list of examples is not necessarily complete (CAS 600 appendix 3).

  • A complex group structure, especially where there are frequent acquisitions, disposals or reorganizations.

  • Poor corporate governance structures, including decision‑making processes, that are not transparent.

  • Non-existent or ineffective group‑wide controls, including inadequate group management information on monitoring of components’ operations and their results.

  • Components operating in foreign jurisdictions that may be exposed to factors such as unusual government intervention in areas such as trade and fiscal policy, and restrictions on currency and dividend movements; and fluctuations in exchange rates.

  • Business activities of components that involve high risk, such as long‑term contracts or trading in innovative or complex financial instruments.

  • Uncertainties regarding which components’ financial information require incorporation in the group financial statements in accordance with the applicable financial reporting framework, for example, whether any special‑purpose entities or non‑trading entities exist and require incorporation.

  • Unusual related party relationships and transactions.

  • Prior occurrences of intra‑group account balances that did not balance or reconcile on consolidation.

  • The existence of complex transactions that are accounted for in more than one component.

  • Components’ application of accounting policies that differ from those applied to the group financial statements.

  • Components with different financial year‑ends, which may be utilized to manipulate the timing of transactions.

  • Prior occurrences of unauthorized or incomplete consolidation adjustments.

  • Aggressive tax planning within the group, or large cash transactions with entities in tax havens.

  • Frequent changes of auditors engaged to audit the financial statements of components.

OAG Guidance

Some additional examples may be:

  • divided management responsibilities for stewardship of results of operations reported in one single component;

  • ineffective controls over, or prior issues with, shared service centres, joint ventures, and/or unconsolidated subsidiaries;

  • extensive use of Shared Service Centres that process data across multiple geographies and components; and

  • history of non-compliance with authorities.

Discussion of Risk of Material Misstatement Among Group and Component Personnel, Including Fraud

CAS Guidance

The key members of the engagement team are required to discuss the susceptibility of an entity to material misstatement of the financial statements due to fraud or error, specifically emphasizing the risks due to fraud. In a group audit, these discussions may also include the component auditors. The group engagement partner’s determination of who to include in the discussions, how and when they occur, and their extent, is affected by factors such as prior experience with the group (CAS 600.A28).

The discussions provide an opportunity to (CAS 600.A29):

  • share knowledge of the components and their environments, including group‑wide controls;

  • exchange information about the business risks of the components or the group;

  • exchange ideas about how and where the group financial statements may be susceptible to material misstatement due to fraud or error, how group management and component management could perpetrate and conceal fraudulent financial reporting, and how assets of the components could be misappropriated;

  • identify practices followed by group or component management that may be biased or designed to manage earnings that could lead to fraudulent financial reporting, for example, revenue recognition practices that do not comply with the applicable financial reporting framework;

  • consider known external and internal factors affecting the group that may create an incentive or pressure for group management, component management, or others to commit fraud, provide the opportunity for fraud to be perpetrated, or indicate a culture or environment that enables group management, component management, or others to rationalize committing fraud;

  • consider the risk that group or component management may override controls;

  • consider whether uniform accounting policies are used to prepare the financial information of the components for the group financial statements and, where not, how differences in accounting policies are identified and adjusted (where required by the applicable financial reporting framework);

  • discuss fraud that has been identified in components, or information that indicates existence of a fraud in a component; and

  • share information that may indicate non‑compliance with national laws or regulations, for example, payments of bribes and improper transfer pricing practices.

OAG Guidance

CAS 315 and CAS 240 require the key members of the engagement team to discuss the susceptibility of an entity to material misstatement of the financial statements due to fraud or error, specifically emphasizing the risks due to fraud (also see OAG Audit 5503). All component teams carrying out work for the group audit need to hold individual team discussions. Documentation of the group discussion of risks relevant to the components, or at least its conclusions, is to be shared with the component teams. Similarly, documentation of the component teams’ discussions of risks relevant to the group, or at least its conclusions, is to be shared with the group engagement team.

Refer to OAG Audit 2344 for guidance on reporting and communication relating to fraud identified or suspected.

Responding to Fraud Risk

OAG Guidance

The group engagement team has overall responsibility for (i) responding to the risk of material misstatement due to fraud and (ii) scoping appropriate audit procedures over journal entries and other adjustments at the component level. The group engagement team is responsible for performing the group fraud risk assessment, identifying group‑wide fraud risks relevant for each component, and determining the overall response to fraud, including determining which component auditors, if any, will be responsible for performing procedures over journal entries.

The group engagement team considers the need to select journal entries from components based on factors such as:

  • nature and amount of assets and transactions executed at the component;
  • degree of centralization of records or information processing;
  • effectiveness of the control environment;
  • frequency, timing and scope of monitoring activities at the component;
  • judgments about materiality of the component; and
  • risks associated with the component, such as political or economic instability.

The group engagement team needs to provide instructions or outline the expectations for testing journal entries and other adjustments for each component auditor. When drafting interoffice instructions to a component auditor, the group engagement team considers the following:

  • A listing of the group‑wide fraud risks identified including risks relating to journal entries and other adjustments that are considered relevant for the component.

  • A summary of the group engagement team’s understanding of the financial reporting processes and related controls and the controls over journal entries and other adjustments that are considered relevant for the component, including instructions for the component auditors to update their understanding of these processes and related controls at the component level.

  • Specific populations or characteristics of journal entries to be selected, and the types of analysis and/or testing to be performed by the component auditor for the selected populations, including the components and general ledger system(s) to be tested. If selections are made by the group engagement team, the group engagement team needs to provide a list of journal entries to test.

  • Instructions for how completeness of the journal entry populations is to be evaluated.

  • Instructions for the component auditors to communicate to the group engagement team any additional fraud risks identified related to journal entries and other adjustments, the planned response to the additional risks identified, and the results of the procedures performed.

  • A contact for fraud related questions on the group engagement team.

In those situations where the group engagement team is not communicating the specific nature, timing and extent of journal entry testing to be performed at the component level, the group engagement team needs to consider including details in the interoffice instructions to ensure that the component auditors document the approach and rationale for journal entries and other adjustments selected for testing as well as how the team plans to assess the completeness of the population(s) subject to testing.