4027 Strategy in relation to significant risks
Sep-2022

Strategy in relation to significant risks

CAS Requirement

The auditor shall determine whether any of the assessed risks of material misstatement are significant risks (CAS 315.32).

The auditor shall include in the audit documentation (CAS 315.38):

(a)     The discussion among the engagement team and the significant decisions reached;

(b)     Key elements of the auditor's understanding in accordance with paragraphs 19, 21, 22, 24 and 25; the sources of information from which the auditor's understanding was obtained; and the risk assessment procedures performed;

(c)     The evaluation of the design of identified controls, and determination whether such controls have been implemented, in accordance with the requirements in paragraph 26; and

(d)     The identified and assessed risks of material misstatement at the financial statement level and at the assertion level, including significant risks and risks for which substantive procedures alone cannot provide sufficient appropriate audit evidence, and the rationale for the significant judgments made.

If the auditor intends to rely on controls over a risk the auditor has determined to be a significant risk, the auditor shall test those controls in the current period (CAS 330.15).

If the auditor has determined that an assessed risk of material misstatement at the assertion level is a significant risk, the auditor shall perform substantive procedures that are specifically responsive to that risk. When the approach to a significant risk consists only of substantive procedures, those procedures shall include tests of details (CAS 330.21).

For a significant risk relating to an accounting estimate, the auditor's further audit procedures shall include tests of controls in the current period if the auditor plans to rely on those controls. When the approach to a significant risk consists only of substantive procedures, those procedures shall include tests of details (CAS 540.20).

CAS Guidance

Regardless of whether the auditor plans to test the operating effectiveness of controls that address significant risks, the understanding obtained about management’s approach to addressing those risks may provide a basis for the design and performance of substantive procedures responsive to significant risks as required by CAS 330. Although risks relating to significant non‑routine or judgmental matters are often less likely to be subject to routine controls, management may have other responses intended to deal with such risks. Accordingly, the auditor’s understanding of whether the entity has designed and implemented controls for significant risks arising from non-routine or judgmental matters may include whether and how management responds to the risks. Such responses may include (CAS 315.A158):

  • Controls, such as a review of assumptions by senior management or experts.
  • Documented processes for accounting estimations.
  • Approval by those charged with governance.

Example:

Where there are one-off events such as the receipt of a notice of a significant lawsuit, consideration of the entity’s response may include such matters as whether it has been referred to appropriate experts (such as internal or external legal counsel), whether an assessment has been made of the potential effect, and how it is proposed that the circumstances are to be disclosed in the financial statements.

CAS 240 requires the auditor to understand controls related to assessed risks of material misstatement due to fraud (which are treated as significant risks), and further explains that it is important for the auditor to obtain an understanding of the controls that management has designed, implemented and maintained to prevent and detect fraud (CAS 315.A159).

Paragraph 21 of this CAS requires the auditor to perform substantive procedures that are specifically responsive to risks the auditor has determined to be significant risks. Audit evidence in the form of external confirmations received directly by the auditor from appropriate confirming parties may assist the auditor in obtaining audit evidence with the high level of reliability that the auditor requires to respond to significant risks of material misstatement, whether due to fraud or error. For example, if the auditor identifies that management is under pressure to meet earnings expectations, there may be a risk that management is inflating sales by improperly recognizing revenue related to sales agreements with terms that preclude revenue recognition or by invoicing sales before shipment. In these circumstances, the auditor may, for example, design external confirmation procedures not only to confirm outstanding amounts, but also to confirm the details of the sales agreements, including date, any rights of return and delivery terms. In addition, the auditor may find it effective to supplement such external confirmation procedures with inquiries of non-financial personnel in the entity regarding any changes in sales agreements and delivery terms. (CAS 330.A55)

OAG Guidance

In summary, our approach to significant risks is:

Planning to obtain evidence from combination of controls and substantive testing

Planning to obtain evidence from substantive procedures only

  • Evaluate design of entity’s controls and determine whether they have been implemented.
  • Perform all tests of controls in the current period. Do not rely on audit evidence obtained in prior periods.
  • N/A
  • Perform substantive procedures that respond specifically to the risk.
  • Use our judgment as to the mix of substantive procedures. However, it is unlikely that audit evidence obtained from testing controls and performing substantive analytical procedures alone will be enough, and some tests of details responding specifically to the significant risk are likely to be necessary.
  • Substantive procedures include tests of details i.e., either a combination of substantive analytical procedures and tests of details, or tests of details alone.

Related Guidance

For guidance on the assessment of risks, see OAG Audit 5043.

.