5011 Risk assessment procedures and related activities
Sep-2022

OAG risk assessment

CAS Requirement

The auditor shall design and perform risk assessment procedures to obtain audit evidence that provides an appropriate basis for (CAS 315.13):

  1. The identification and assessment of risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels; and
  2. The design of further audit procedures in accordance with CAS 330.

CAS Guidance

Professional skepticism is necessary for the critical assessment of audit evidence gathered when performing the risk assessment procedures, and assists the auditor in remaining alert to audit evidence that is not biased towards corroborating the existence of risks or that may be contradictory to the existence of risks. Professional skepticism is an attitude that is applied by the auditor when making professional judgments that then provides the basis for the auditor’s actions. The auditor applies professional judgment in determining when the auditor has audit evidence that provides an appropriate basis for risk assessment (CAS 315.A12).

The application of professional skepticism by the auditor may include (CAS 315.A13):

  • Questioning contradictory information and the reliability of documents;
  • Considering responses to inquiries and other information obtained from management and those charged with governance;
  • Being alert to conditions that may indicate possible misstatement due to fraud or error; and
  • Considering whether audit evidence obtained supports the auditor’s identification and assessment of the risks of material misstatement in light of the entity’s nature and circumstances.

Designing and performing risk assessment procedures to obtain audit evidence to support the identification and assessment of the risks of material misstatement in an unbiased manner may assist the auditor in identifying potentially contradictory information, which may assist the auditor in exercising professional skepticism in identifying and assessing the risks of material misstatement (CAS 315.A14).

Designing and performing risk assessment procedures to obtain audit evidence in an unbiased manner may involve obtaining evidence from multiple sources within and outside the entity. However, the auditor is not required to perform an exhaustive search to identify all possible sources of audit evidence. In addition to information from other sources, sources of information for risk assessment procedures may include (CAS 315.A15):

  • Interactions with management, those charged with governance, and other key entity personnel, such as internal auditors.
  • Certain external parties such as regulators, whether obtained directly or indirectly.
  • Publicly available information about the entity, for example entity‑issued press releases, materials for analysts or investor group meetings, analysts’ reports or information about trading activity.

Regardless of the source of information, the auditor considers the relevance and reliability of the information to be used as audit evidence in accordance with CAS 500.

The nature and extent of risk assessment procedures will vary based on the nature and circumstances of the entity (e.g., the formality of the entity’s policies and procedures, and processes and systems). The auditor uses professional judgment to determine the nature and extent of the risk assessment procedures to be performed to meet the requirements of this CAS (CAS 315.A16).

Although the extent to which an entity’s policies and procedures, and processes and systems are formalized may vary, the auditor is still required to obtain the understanding in accordance with paragraphs 19, 21, 22, 24, 25 and 26 (CAS 315.A17).

Examples:

Some entities, including less complex entities, and particularly owner‑managed entities, may not have established structured processes and systems (e.g., a risk assessment process or a process to monitor the system of internal control) or may have established processes or systems with limited documentation or a lack of consistency in how they are undertaken. When such systems and processes lack formality, the auditor may still be able to perform risk assessment procedures through observation and inquiry.

Other entities, typically more complex entities, are expected to have more formalized and documented policies and procedures. The auditor may use such documentation in performing risk assessment procedures.

The nature and extent of risk assessment procedures to be performed the first time an engagement is undertaken may be more extensive than procedures for a recurring engagement. In subsequent periods, the auditor may focus on changes that have occurred since the preceding period (CAS 315.A18).

OAG Guidance

CAS 315 establishes robust requirements and guidance to drive auditors to perform appropriate risk assessment procedures in a manner commensurate with the size and nature of the entity, thereby facilitating a more focused response to identified risks. It is focused on enhancing the auditor’s approach to understanding the entity, its environment (including its internal control) and risk assessment activities.

In response to the requirements of CAS 315 Identifying and Assessing the Risks of Material Misstatement, OAG’s Risk Assessment Process has been developed to promote consistency of execution, documentation, and effective review. OAG’s Risk Assessment Process is a dynamic and iterative process illustrated in the graphic below, to assist engagement teams in complying with the requirements of CAS 315 and certain other standards. These standards require engagement teams to obtain audit evidence that provides an appropriate basis to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels, and design further audit procedures to obtain sufficient appropriate audit evidence to address the identified risks of material misstatement in accordance with CAS 330.

OAG’s Risk Assessment Process is aligned with the requirements of CAS 315 and is applicable to all types of entities, regardless of size or complexity and provides for scalability. OAG’s Risk Assessment Process is not a checklist of required procedures or a series of disconnected discrete steps; it is an iterative process focused on obtaining a fulsome understanding of the entity’s business and the environment in which it operates. It is through this robust process to understand the entity and its environment that engagement teams are better able to identify and assess risks of material misstatement specific to the entity. Identification and assessment of risks specific to the entity and its environment facilitates the development of audit responses that effectively and efficiently address the identified risks of material misstatement.

OAG Risk Assessment Process

The Understand phase of OAG’s Risk Assessment Process provides the basis for the identification of risks of material misstatement. During this phase, we gain an understanding of the entity, its environment (including how the entity has integrated IT into its business model), the applicable financial reporting framework, and the entity’s system of internal control. This understanding includes identifying events or conditions which may indicate a risk of material misstatement. The nature and/or complexity of the events or conditions identified may indicate that specialized skills are needed to assist with obtaining our understanding. As we develop our initial expectations about risks of material misstatement and significant classes of transactions, account balances and disclosures, we also consider the requirements of other auditing standards (e.g., CAS 240, The Auditor’s Responsibilities Relating to Fraud in the Audit of Financial Statements) and we take into account our determined performance materiality.

During the Identify phase of OAG’s Risk Assessment Process, engagement leader-led risk assessment discussions occur, where engagement leaders and other senior engagement team members share insights from their knowledge of the entity and its environment. Based on our understanding of the entity and its environment we determine the risks of material misstatement at the financial statement and assertion levels (including risks arising from the use of IT), including significant FSLIs and the associated relevant assertions. We also make our determinations regarding FSLIs that are not considered significant (i.e., there are no relevant assertions identified) but are material, and the selected assertions to be tested as required by CAS 330.18. For certain controls, for example those that address significant risks, controls related to journal entries, and controls we plan to test, we are required to evaluate whether they are designed effectively and have been implemented. This allows us to identify design or implementation deficiencies in internal control during this phase.

The Assess phase of OAG’s Risk Assessment Process includes assessing the likelihood and magnitude of identified risks of material misstatement, taking into account the degree to which inherent risk factors affect the susceptibility of relevant assertions to misstatement. During this phase, we assess inherent risk (i.e., normal, elevated or significant) and assess control risk as documented by our determination of expected controls reliance (i.e., none, partial or high). An important aspect of this phase in the process is to step back and perform an overall evaluation of risk assessment activities by evaluating whether the audit evidence obtained from risk assessment procedures provides an appropriate basis for the identification and assessment of the risks of material misstatement. During the course of the audit, it is important to consider new information that comes to light which may be contradictory to the audit evidence on which we originally developed our risk assessment.

Risk Assessment Procedures

CAS 315 requires that risk assessment procedures include (CAS 315.14):

  • Inquiries of management and of other appropriate individuals within the entity, including individuals within the internal audit function (if the function exists)
  • Analytical procedures
  • Observation and inspection

OAG’s Risk Assessment Process makes use of all three of these types of procedures indicated by CAS 315. Other procedures may be helpful in identifying risks of material misstatement. Examples of such procedures may include making inquiries of the entity’s external legal counsel or external supervisors, or of valuation experts that the entity has used.

Overall Considerations

The following concepts underlie and apply throughout all three phases of OAG’s Risk Assessment Process.

Dynamic and Iterative: OAG’s Risk Assessment Process is dynamic and iterative and not a linear process. Initial expectations of risks may be further refined, and assessments may need to be revised based on audit evidence or new information obtained.

Professional Skepticism: We design and perform risk assessment procedures that are not biased towards obtaining audit evidence that may be corroborative or towards excluding audit evidence that may be contradictory to the existence of risks.

Consideration of Automated Tools and Techniques: Where appropriate, consider how automated tools and techniques (e.g., data visualization, data automations, risk assessment analytics tools) may be used to inform and/or support our risk assessment procedures.

Consideration of Scalability: Professional judgment is used to determine the nature and extent of risk assessment procedures necessary to identify and assess risks of material misstatement. The nature and extent of risk assessment procedures will vary based on the nature and circumstances of the entity (e.g., the size and complexity of the entity’s business or the formality of the entity’s policies, procedures, processes and systems).

The risk of material misstatement (at the financial statement and assertion level) consists of two components (inherent risk and control risk). It is important to have an appropriate basis for our assessment of inherent risk and control risk. This basis may be obtained, for example, through the use of questionnaires, checklists, instructions, or similar generalized materials and, in the case of control risk, the understanding of internal control and the performance of tests of controls. However, professional judgment is required in interpreting, adapting, or expanding such generalized material as appropriate in the circumstances.

Related Guidance

The table below provides a quick reference mapping of the phases and elements of the OAG Risk Assessment Process to the applicable OAG Audit guidance.

Understand

  • Understand the entity and its environment, and the applicable financial reporting framework (OAG Audit 5020)
  • Determine materiality and consider other CASs (OAG Audit 2100)
  • Set roles and responsibilities (OAG Audit 5013)
  • Develop initial expectations (OAG Audit 5012)
  • Understand the system of internal control, including the IT environment (OAG Audit 5030)

Identify

  • Identify risks, relevant assertions and significant FSLIs (OAG Audit 5041 and OAG Audit 5042)
  • Identify IT risks and ITGCs (OAG Audit 5035.2)
  • Evaluate design and implementation of controls (OAG Audit 5035.5)

Assess

  • Assess the risks of material misstatement (OAG Audit 5043)
  • Perform overall evaluation (OAG Audit 5044)

Inquiries of management and others

CAS Requirement

The risk assessment procedures shall include the following (CAS 315.14):

  1. Inquiries of management and of other appropriate individuals within the entity, including individuals within the internal audit function (if the function exists).

CAS Guidance

Information obtained by the auditor to support an appropriate basis for the identification and assessment of risks, and the design of further audit procedures, may be obtained through inquiries of management and those responsible for financial reporting (CAS 315.A22).

Inquiries of management and those responsible for financial reporting and of other appropriate individuals within the entity and other employees with different levels of authority may offer the auditor varying perspectives when identifying and assessing risks of material misstatement (CAS 315.A23).

Examples:

  • Inquiries directed towards those charged with governance may help the auditor understand the extent of oversight by those charged with governance over the preparation of the financial statements by management. CAS 260 identifies the importance of effective two‑way communication in assisting the auditor to obtain information from those charged with governance in this regard.
  • Inquiries of employees responsible for initiating, processing or recording complex or unusual transactions may help the auditor to evaluate the appropriateness of the selection and application of certain accounting policies.
  • Inquiries directed towards in‑house legal counsel may provide information about such matters as litigation, compliance with laws and regulations, knowledge of fraud or suspected fraud affecting the entity, warranties, post‑sales obligations, arrangements (such as joint ventures) with business partners and the meaning of contractual terms.
  • Inquiries directed towards marketing or sales personnel may provide information about changes in the entity’s marketing strategies, sales trends, or contractual arrangements with its customers.
  • Inquiries directed towards the risk management function (or inquiries of those performing such roles) may provide information about operational and regulatory risks that may affect financial reporting.
  • Inquiries directed towards IT personnel may provide information about system changes, system or control failures, or other IT‑related risks.

When making inquiries of those who may have information that is likely to assist in identifying risks of material misstatement, auditors of public sector entities may obtain information from additional sources such as from the auditors that are involved in performance or other audits related to the entity (CAS 315.A24).

If an entity has an internal audit function, inquiries of the appropriate individuals within the function may assist the auditor in understanding the entity and its environment, and the entity’s system of internal control, in the identification and assessment of risks (CAS 315.A25).

Auditors of public sector entities often have additional responsibilities with regard to internal control and compliance with applicable laws and regulations. Inquiries of appropriate individuals in the internal audit function may assist the auditors in identifying the risk of material non‑compliance with applicable laws and regulations and the risk of control deficiencies related to financial reporting (CAS 315.A26).

OAG Guidance

An effective and efficient way to obtain an understanding of the entity and its environment, the applicable financial reporting framework and the entity’s internal control components, excluding control activities, through inquiries is to plan and conduct initial meetings with management.

To enable us to identify the people whom we may need to interview as part of our understanding of the entity, we understand in more detail how the entity is organized and identify its components, as defined by products, processes, geography, functions or profit/cost centres.

Objectives of Initial Meetings with Management

The main purpose is to gather information about the entity and its environment, the applicable financial reporting framework and the entity’s system of internal control, and gain an understanding of what management believes are the risks impacting their business objectives and the procedures they have put in place to mitigate these risks.

Although understanding and evaluation of entity level controls may occur during initial meetings with the board and senior management, the gathering of evidence in order to test the operating effectiveness of the identified controls rarely happens during the initial meeting.

Planning of Initial Meetings

With thorough preparation and the application of effective interviewing techniques, meetings will be a more effective and efficient means for gathering information, understanding, identifying and evaluating controls.

Because the purpose of the inquiries is to gather information and assess risk, they take place during the planning phase of the audit. However, at each phase of the audit we consider whether it is appropriate to perform further inquiries. We determine whom we meet to carry out the inquiries, based on our understanding of the entity, prior experience with the entity and the extent of, and reliance on, other sources of information. In less complex entities, just one meeting with the most senior management could be sufficient, but for more complex entities more meetings with a range of individuals are likely to be necessary. Inquiries of both management responsible for financial reporting and others within the entity can provide relevant information.

Inquiries of Management

The information gathered at these meetings is shared with the broader engagement team during the team planning meeting to assist in evaluating management’s view of their business compared to our understanding of the business, based upon both corroborative and contradictory evidence we may have obtained. This section contains examples of questions which may be useful during these discussions with management. These example questions are not intended to be exhaustive nor relevant to all engagements; there may be additional questions to be asked of management, and some of these questions may not be relevant to a given engagement (i.e., this list of questions is not intended to be used as a standardized checklist).

Organizational structure

  • What is the organizational design of the entity and is it documented?
  • How heavily does the business rely on joint ventures, alliances and other partnering arrangements to create value and are the risk and financial implications properly understood by management and ourselves?
  • How does their organizational design compare to their peers?
  • How is the entity organized, by function, process, geography?
  • How does the operational structure of the firm support the ongoing strategy?
  • Are any changes anticipated in the near future?
  • What is the entity’s experience with regards to change (e.g., what has made previous entity changes successful or unsuccessful)?
  • Can management implement their desired strategic changes within the constraints of the entity’s current management, resources, funding and culture or are changes required in any of these elements?

Governance

  • Does the entity have clearly defined and documented corporate governance structures and processes to direct and manage the entity?
  • Are changes anticipated and what will their impact be on the entity’s organizational structure?
  • Are there clearly defined policies around independence of non‑executive board members?
  • Does the entity have adequate succession planning?
  • Does the entity go through a formal risk assessment process and is there a process for managing identified risks?
  • Is the remuneration of corporate directors or supervisory board members and key management aligned to the interests of long‑term strategic goals (e.g., growth in shareholder value)?
  • How is this alignment achieved (e.g., percentage of remuneration tied into shareholder value measures, such as Total Shareholder Return)?
  • What is the entity’s view towards transparency of reporting?
  • Is all corporate reporting (e.g., regulatory, analysts’ briefings, environmental and website) coordinated throughout the entity or do they operate in separate organizational “silos”?
  • Who are the entity’s key stakeholders and how is the entity’s relationship with these stakeholders monitored?
  • Does the entity actively engage with its stakeholders?
  • What are the entity’s stated strategies and values relating to environmental, social and governance issues?
  • What information is maintained to measure and monitor environmental, social and governance issues?

Business Model – objectives and strategy

  • What is the entity’s stated strategy and/or long‑term goal?
  • Is the strategy documented and if so, how is this communicated and to whom?
  • What is the basis for reassessment of the strategy?
  • Are changes to the strategy documented and explained?
  • What performance measurement information does the Board receive and rely on in determining whether the business is on strategy (e.g., what are the short/medium term quantified objectives against which management and those charged with governance assess whether or not the entity is performing as required to achieve agreed long‑term goals)?
  • Does the entity compare itself to a peer group (e.g., has a peer group been defined and are short/ medium term quantified objectives reviewed against peer group performance)?

Business Model – risk profile

  • What industry-specific risks have been identified for each business unit?
  • What is the entity’s risk strategy and appetite for risk?
  • How are the identified risks managed?
  • How does the entity determine acceptable levels of risk?
  • How is risk incorporated into investment decisions?
  • How are non-financial risks (e.g., environmental, security risks) identified and managed?
  • Does the entity have a disaster recovery plan, and has it been tested?

Business Model – customers

  • How does the entity define and segment its customers?
  • What information is maintained to measure and monitor profitability of customer relationships over time, including costs of acquiring, serving and maintaining customers?
  • How are business channels relating to customer management changing?
  • How are customer complaints captured and managed?
  • What information is used to assess customer service performance against competitors and customer expectations?

Business Model – people

  • Does the entity consider human capital (i.e., highly skilled employees) a major driver of value in the business?
  • What people within the entity are most important to the entity’s success (e.g., sales, marketing, R&D)?
  • What are the greatest threats/risks to attracting and retaining critical human capital in the business?
  • What information is maintained to measure and monitor the performance of human capital?

Business Model – innovation

  • Is innovation a key driver of value in the entity’s business, and if it is in what way?
  • How are new ideas and innovation measured and monitored in the business?
  • How does the entity measure the effectiveness of spending on R&D (e.g., ROI or some other measure)?

Business Model – brands

  • How does the entity manage and measure the value of its brands?
  • What are the greatest risks to brand value and how does management address these?
  • How much does the entity spend on advertising to build its brand?
  • How does the entity measure the effectiveness of advertising spend?
  • What are the leading and lagging indicators of brand value that the entity focuses on?
  • Does the entity have an inventory of all the intellectual property of the entity (e.g., patents, trademarks)? If so, are these actively managed and by whom?
  • Is there intellectual property held by the entity that is no longer key to the entity’s strategy? If so, what are the plans and processes to realize value from these assets?

Business Model – supply chain

  • How important is the entity’s supply chain to the overall success of the entity’s strategy?
  • What are the critical aspects and relationships on which the supply chain is dependent?
  • What information is maintained to explain the value chain of the business and how often is it reviewed and subject to market testing?
  • What information is used to support decisions on outsourcing and partnering arrangements?
  • What information is available to monitor the value created from joint ventures, alliances and outsourced activities?

Business Model – use of IT

  • How does the entity’s business model rely on the use of IT (e.g., direct online sales, use of highly automated processes, use of emerging technologies)?
  • What is the extent to which the business relies on the use of IT (e.g., mainly manual operations with limited reliance, operations with reliance across the majority of the business)?
  • Does the entity have a process for IT governance and monitoring the effectiveness of ITGCs to support the business model?
  • What are the IT applications used to process transactions across the entity’s key business processes?
  • How is IT (e.g., interfaces, other technologies) integrated in the entity’s business model to interact with stakeholders (e.g., customers, suppliers)?
  • Are changes to the use of IT within the business model expected in the current year (e.g., level of reliance on IT, significant new or upgraded applications)?
  • Are significant changes expected in how IT is managed in the current year (e.g., change in senior IT roles, change in reporting structure)?

Relevant industry factors

  • What is management’s view as to the current condition and characteristics of the industry (e.g., number and nature of competitors, relationships with customers, suppliers, regulators and other stakeholders)? How does this compare to our understanding of the industry?
  • What major changes are anticipated in the condition and characteristics of the industry and is the entity prepared for them?
  • What is the life cycle of the typical product offering in the entity’s industry (e.g., highly competitive market with rapid product obsolescence)?
  • What is the entity’s short‑ and medium‑term view as to market growth potential?
  • What information is used by the entity to define their key markets and market share?
  • How does the entity monitor the activities of their competitors?
  • Is there a general balance of power among all competitors or are there one or a limited number of dominant entities that set the “agenda” for the industry?
  • With the continuing trend toward globalization of the marketplace, have new competitors emerged?
  • What, if any, are the barriers to entry to new entrants to the industry?

Relevant regulatory factors

  • Which current regulations are affecting the entity most (e.g., industry regulations, financial regulations, environmental regulations, health and safety regulations, tax regulations)?
  • Are major changes expected or anticipated in these regulations affecting the entity?
  • If major changes are expected or anticipated, what would the impact of these changes be and is the entity prepared for them?
  • What evidence of compliance with regulatory requirements does the entity produce (e.g., regulatory returns, government publications)?
  • Does the entity have a migration strategy to meet desired or required future reporting standards?
  • Are there non‑regulatory groups that exert significant pressures on the entity (e.g., Non-Governmental Organizations (NGOs) such as Greenpeace or Friends of the Earth)?
  • Has the entity publicly disclosed certain information or made public commitments to implement specific measures related to climate change impacts (e.g., a commitment to reach net zero carbon emissions by a specified date)?

Other external factors

  • What are management’s views on both the short‑ and medium‑term economic outlook?
  • How much is the entity affected by changing economic conditions (e.g., GDP growth, interest rate changes, inflation and unemployment rates)?
  • What are the key economic indicators the entity tracks and what is the source of this information?
  • Is the entity operating in geographies with political uncertainty, and what actions are taken to mitigate these risks?
  • Are the entity’s product life cycles affected by rapidly changing technology?
  • How is the entity affected by changing social trends in geographical locations in which they operate (e.g., increased acceptance of working from home, increased purchases of ready‑made meals)?

Measures used, internally and externally, to assess the entity’s financial performance

  • How does the entity assess its ability to create value (e.g., by monitoring an external and/or internal shareholder value measure)?
  • How does the entity incorporate differing risk levels in determining target returns and in assessing overall performance?
  • What is the process for setting the entity’s and business unit’s cost of capital and how often is it reassessed? Is it consistent with market expectations?
  • Does the entity compare their own performance against peer companies?

Assessing the entity’s financial position

  • How does the entity determine its funding strategy?
  • How often are cash flow forecasts prepared and for what period?
  • How does the entity assess if it has the correct funding arrangements?
  • Does the entity compare its financial condition measures to peer companies?
  • How does the entity assess the “value” of its tangible assets (e.g., value/state, age and quality of tangible assets versus historical accounting net book value)?
  • How are investment decisions made and what are the key elements of the approval process?

Assess segment/business unit performance

  • How has management segmented the business and is there a corporate management structure in place?
  • How much autonomy does each business unit have and how does the group exercise influence and control?
  • How does the entity determine if each of the individual businesses or operating units are creating or destroying value?
  • Is a different cost of capital allocated to each of the units to reflect each unit’s risk profile?
  • Are performance measures consistent across segments or business units?
  • Does each business or operating unit compare its own performance against other units and/or external peer entities?
  • How does the entity monitor contribution from individual products/services?

The applicable financial reporting framework and the entity’s selection and application of accounting policies

  • Compared to its peers, are the entity’s accounting policies and practices aggressive or conservative?
  • Are changes to accounting policies or practices expected during the current year in response to changes in the entity’s methods of doing business or changes in accounting or regulatory standards?
  • Are there any accounting standards that warrant special attention by the entity or by us because of changes in the client’s business or significant, unusual or nonrecurring transactions?
  • Does it appear that the accounting policies are the most appropriate?
  • What is the link between earnings and senior executive remuneration?

Other relevant factors

  • How important is the entity’s reputation to its long‑term value?
  • What activities are most important, both internally and externally, to the entity’s reputation and what information do management have pertaining to these activities?
  • What are the greatest risks to the entity’s reputation?
  • What information does management use to monitor these risks/threats?

Inquiries of Internal Audit

The objective of making inquiries of internal auditors is similar to that of initial meetings with management. The internal audit (or equivalent) function has insight into the entity’s operations and business risks, which may serve as input into our risk assessment and audit plan. If the entity has an internal audit function, its risk assessment of the entity and its control environment and the results of its previous work may further enhance our understanding of the entity. Inquiries of internal audit are therefore made whether or not we expect to use the work of the internal audit function to modify the nature or timing, or reduce the extent, of audit procedures to be performed. See OAG Audit 6030 for guidance on using the work of the internal audit function.

The timing of inquiries is during the planning phase of the audit. However, we do not necessarily limit these inquiries to the planning phase and consider during each phase of the audit whether it may be appropriate to perform further inquiries.

Based on our understanding of the entity’s internal audit function and our understanding of the business, we determine whom in the internal audit function it would be most appropriate to contact and arrange our inquiries. Typically, the head of the internal audit function is an appropriate individual to meet but there may be others in the function that have more direct knowledge of the topics we wish to discuss.

As part of planning for the inquiries with internal audit, we may consider the following matters:

  • internal audit’s risk assessment of the entity and its environment, the applicable financial reporting framework and the entity’s system of internal control,
  • audit findings and observations that internal auditors have raised to management from completed and ongoing audits, and
  • management’s response to internal audit’s findings.

Our preparation may also include reading selected strategy planning documents and audit reports prepared by the internal audit function.

Meetings with Management and Internal Auditors During the Audit

Throughout the audit, we may hold meetings with management, representatives of the internal audit (or equivalent) function, and others.

The information gathered at these meetings may be used to update our understanding of the entity and provide new information to enhance the risk assessment we perform at the planning stage.

As part of our meetings, we may consider the following:

  • Has new or other information come to our attention that differs significantly from the information on which the risk assessment was based?
  • Has management identified new risks in the business, including fraud risks?
  • Has information come to our attention during the audit that indicates controls may not be operating effectively or that there are misstatements within a significant class of transactions, account balance, or disclosures?

Observation and inspection

CAS Requirement

The risk assessment procedures shall include the following (CAS 315.14):

  1. Observation and inspection.

CAS Guidance

Observation and inspection may support, corroborate or contradict inquiries of management and others, and may also provide information about the entity and its environment (CAS 315.A32).

Risk assessment procedures may include observation or inspection of the following (CAS 315.A34):

  • The entity’s operations.
  • Internal documents (such as business plans and strategies), records, and internal control manuals.
  • Reports prepared by management (such as quarterly management reports and interim financial statements) and those charged with governance (such as minutes of board of directors’ meetings).
  • The entity’s premises and plant facilities.
  • Information obtained from external sources such as trade and economic journals; reports by analysts, banks, or rating agencies; regulatory or financial publications; or other external documents about the entity’s financial performance (such as those referred to in paragraph A79).
  • The behaviours and actions of management or those charged with governance (such as the observation of an audit committee meeting).

Use of information obtained from acceptance and continuance and from other engagements

CAS Requirement

In obtaining audit evidence in accordance with paragraph 13, the auditor shall consider information from (CAS 315.15):

  1. The auditor’s procedures regarding acceptance or continuance of the client relationship or the audit engagement; and
  2. When applicable, other engagements performed by the engagement partner for the entity.

CAS Guidance

Information obtained from other sources may be relevant to the identification and assessment of the risks of material misstatement by providing information and insights about (CAS 315.A37):

  • The nature of the entity and its business risks, and what may have changed from previous periods.
  • The integrity and ethical values of management and those charged with governance, which may also be relevant to the auditor’s understanding of the control environment.
  • The applicable financial reporting framework and its application to the nature and circumstances of the entity.

Other relevant sources of information include (CAS 315.A38):

  • The auditor’s procedures regarding acceptance or continuance of the client relationship or the audit engagement in accordance with CAS 220, including the conclusions reached thereon.
  • Other engagements performed for the entity by the engagement partner. The engagement partner may have obtained knowledge relevant to the audit, including about the entity and its environment, when performing other engagements for the entity. Such engagements may include agreed‑upon procedures engagements or other audit or assurance engagements, including engagements to address incremental reporting requirements in the jurisdiction.

OAG Guidance

Consider if information used to complete the A&C assessment and identified professional risks associated with the client and the engagement may assist us in identifying risks of material misstatement, including financial statement level risks which may be identified based on the understanding of an entity obtained when evaluating acceptance or continuance information.

See OAG Audit 3010 for further guidance on acceptance and continuance.

Our understanding of other engagements performed for the entity in which the engagement leader has been involved includes understanding the nature of services performed, and for multilocation engagements, services performed by other engagement teams.

Use of information obtained from prior periods

CAS Requirement

Where the auditor intends to use information obtained from the auditor’s previous experience with the entity and from audit procedures performed in previous audits, the auditor shall evaluate whether such information remains relevant and reliable as audit evidence for the current audit (CAS 315.16).

CAS Guidance

The auditor’s previous experience with the entity and from audit procedures performed in previous audits may provide the auditor with information that is relevant to the auditor’s determination of the nature and extent of risk assessment procedures, and the identification and assessment of risks of material misstatement (CAS 315.A39).

The auditor’s previous experience with the entity and audit procedures performed in previous audits may provide the auditor with information about such matters as (CAS 315.A40):

  • Past misstatements and whether they were corrected on a timely basis.
  • The nature of the entity and its environment, and the entity’s system of internal control (including control deficiencies).
  • Significant changes that the entity or its operations may have undergone since the prior financial period.
  • Those particular types of transactions and other events or account balances (and related disclosures) where the auditor experienced difficulty in performing the necessary audit procedures, for example, due to their complexity.

The auditor is required to determine whether information obtained from the auditor’s previous experience with the entity and from audit procedures performed in previous audits remains relevant and reliable, if the auditor intends to use that information for the purposes of the current audit. If the nature or circumstances of the entity have changed, or new information has been obtained, the information from prior periods may no longer be relevant or reliable for the current audit. To determine whether changes have occurred that may affect the relevance or reliability of such information, the auditor may make inquiries and perform other appropriate audit procedures, such as walk‑throughs of relevant systems. If the information is not reliable, the auditor may consider performing additional procedures that are appropriate in the circumstances (CAS 315.A41).

OAG Guidance

Consider if our prior audit experience is a relevant and reliable source of information for the current year risk assessment. Take into account what we learned from the prior year audit and the knowledge gained through ongoing management interactions and other engagements in the intervening period (engagements in which the engagement leader has been involved).

Where there is a significant change in the entity’s business activities, risks or IT environment, the understanding that we can derive from our prior audit experience is likely to be affected. Prior knowledge of unreliability of the entity’s accounting systems, controls or management’s judgments and estimates based on the results of the prior year audit may be impacted favorably where there are improvements in systems and controls, including changes in personnel (e.g., the recruitment of a new, experienced financial controller). Changes made by the entity may also adversely impact the relevance and reliability of prior year audit knowledge, particularly where management’s control over change may not be effective. In each case the impact of changes made by the entity needs to be taken into consideration when evaluating the relevance and reliability of our prior audit experience and we consider any impact the changes may have on our current period risk assessment. Some examples of areas of change that may impact our risk assessment include:

  • Changes in the entity’s business, industry and regulatory environment, unusual operational factors, strategy, control environment, management personnel or structure and related pressures, and the underlying risks, including the risk of fraud.
  • Changes in systems and technology, and the processes and controls management uses to get assurance.

Engagement team discussions

CAS Requirement

The engagement partner and other key engagement team members shall discuss the application of the applicable financial reporting framework and the susceptibility of the entity’s financial statements to material misstatement (CAS 315.17).

When there are engagement team members not involved in the engagement team discussion, the engagement partner shall determine which matters are to be communicated to those members (CAS 315.18).

CAS Guidance

The discussion among the engagement team about the application of the applicable financial reporting framework and the susceptibility of the entity’s financial statements to material misstatement (CAS 315.A42):

  • Provides an opportunity for more experienced engagement team members, including the engagement partner, to share their insights based on their knowledge of the entity. Sharing information contributes to an enhanced understanding by all engagement team members.
  • Allows the engagement team members to exchange information about the business risks to which the entity is subject, how inherent risk factors may affect the susceptibility to misstatement of classes of transactions, account balances and disclosures, and about how and where the financial statements might be susceptible to material misstatement due to fraud or error.
  • Assists the engagement team members to gain a better understanding of the potential for material misstatement of the financial statements in the specific areas assigned to them, and to understand how the results of the audit procedures that they perform may affect other aspects of the audit, including the decisions about the nature, timing and extent of further audit procedures. In particular, the discussion assists engagement team members in further considering contradictory information based on each member’s own understanding of the nature and circumstances of the entity.
  • Provides a basis upon which engagement team members communicate and share new information obtained throughout the audit that may affect the assessment of risks of material misstatement or the audit procedures performed to address these risks.

CAS 240 requires the engagement team discussion to place particular emphasis on how and where the entity’s financial statements may be susceptible to material misstatement due to fraud, including how fraud may occur.

Professional skepticism is necessary for the critical assessment of audit evidence, and a robust and open engagement team discussion, including for recurring audits, may lead to improved identification and assessment of the risks of material misstatement. Another outcome from the discussion may be that the auditor identifies specific areas of the audit for which exercising professional skepticism may be particularly important, and may lead to the involvement of more experienced members of the engagement team who are appropriately skilled to be involved in the performance of audit procedures related to those areas (CAS 315.A43).

As part of the discussion among the engagement team, consideration of the disclosure requirements of the applicable financial reporting framework assists in identifying early in the audit where there may be risks of material misstatement in relation to disclosures, even in circumstances where the applicable financial reporting framework only requires simplified disclosures. Matters the engagement team may discuss include (CAS 315.A46):

  • Changes in financial reporting requirements that may result in significant new or revised disclosures;
  • Changes in the entity’s environment, financial condition or activities that may result in significant new or revised disclosures, for example, a significant business combination in the period under audit;
  • Disclosures for which obtaining sufficient appropriate audit evidence may have been difficult in the past; and
  • Disclosures about complex matters, including those involving significant management judgment as to what information to disclose.

As part of the discussion among the engagement team by auditors of public sector entities, consideration may also be given to any additional broader objectives, and related risks, arising from the audit mandate or obligations for public sector entities (CAS 315.A47).

OAG Guidance

The engagement team discussion is an important element of the OAG Risk Assessment Process. The engagement leader and key engagement team members share their insights related to the identification and assessment of the risks of material misstatement based on their knowledge of the entity. Areas of discussion that assist with finalizing our initial risk assessment include, but are not limited to:

  • Engagement team’s understanding of the entity and its environment, including business risks to which the entity is subject
  • Results of risk assessment analytics
  • Results of the engagement team’s evaluation of the entity’s system of internal control
  • Materiality
  • The entity’s application of the applicable financial reporting framework, including disclosure requirements
  • How and where the entity’s financial statements might be susceptible to material misstatement due to fraud or error
  • Significant FSLIs and relevant assertions
  • FSLIs determined not to be significant but that are material
  • Likelihood and magnitude of identified risks of material misstatement, including the degree to which inherent risk factors affect the susceptibility of relevant assertions to misstatement
  • Importance of professional skepticism
  • How new information obtained during the audit may impact risk assessment

The engagement leader uses professional judgment, prior experience with the entity and knowledge of current developments to determine which other members of the engagement team are included in the discussion.

The discussion could be a part of a team planning meeting or a separate meeting, but if the discussion forms part of a larger meeting, sufficient time is allowed for a proper discussion of the engagement team’s risk assessment.

For guidance on team planning meeting(s) see OAG Audit 4010 and for guidance on how and where the entity’s financial statements may be susceptible to material misstatement due to fraud, including how fraud may occur see OAG Audit 5505.

Additional risk assessment procedures performed subsequent to planning sign‑off

CAS Requirement

If the auditor obtains new information which is inconsistent with the audit evidence on which the auditor originally based the identification or assessments of the risks of material misstatement, the auditor shall revise the identification or assessment (CAS 315.37).

CAS Guidance

Obtaining an understanding of the entity and its environment, the applicable financial reporting framework and the entity’s system of internal control is a dynamic and iterative process of gathering, updating and analyzing information and continues throughout the audit. Therefore, the auditor’s expectations may change as new information is obtained (CAS 315.A48).

During the audit, new or other information may come to the auditor’s attention that differs significantly from the information on which the risk assessment was based (CAS 315.A236).

Example:

The entity’s risk assessment may be based on an expectation that certain controls are operating effectively. In performing tests of those controls, the auditor may obtain audit evidence that they were not operating effectively at relevant times during the audit. Similarly, in performing substantive procedures the auditor may detect misstatements in amounts or frequency greater than is consistent with the auditor’s risk assessments. In such circumstances, the risk assessment may not appropriately reflect the true circumstances of the entity and the further planned audit procedures may not be effective in detecting material misstatements. Paragraphs 16 and 17 of CAS 330 provide further guidance about evaluating the operating effectiveness of controls.

OAG Guidance

When executing the audit plan developed on the basis of the risk assessment procedures performed during the planning phase of an audit, it may be appropriate to perform additional risk assessment procedures during the execution phase, for example:

  • The documented audit plan may include performing additional risk assessment procedures, such as risk assessment analytics (e.g., trend or ratio analysis) planned as part of our approach to auditing income statements accounts other than revenue, or further inquiries of management or others (e.g., individuals within the internal audit function).
  • As described in OAG Audit 4025, in some limited circumstances we may plan to execute procedures after the point of Planning Sign‑off to determine whether controls within the control activities component have been implemented.
  • Information may come to our attention which, based on our professional judgment, merits the performance of additional risk assessment procedures (e.g., our discussions with management during the engagement may yield additional information about the entity which may result in us deciding to observe an additional aspect of an entity’s operations or inspect additional documents or records).

As with the risk assessment procedures performed when planning the audit, any additional risk assessment procedures performed contribute to our updated understanding of the entity and may contribute to audit evidence obtained but are not intended to be substantive procedures or controls tests and are not documented in a way that indicates that this is the case. When additional information regarding the entity and its environment is obtained, we consider if it is necessary to revise our initial risk assessment or to modify the nature, timing or extent of planned audit procedures.

For further guidance on changes to the audit strategy and plan see OAG Audit 4050. Consider documenting additional risk assessment procedures performed subsequent to Planning Sign‑Off within the optional procedure “Additional risk assessment procedures”.

Documentation

CAS Requirement

The auditor shall include in the audit documentation (CAS 315.38):

  1. The discussion among the engagement team and the significant decisions reached;
  2. Key elements of the auditor’s understanding in accordance with paragraphs 19, 21, 22, 24 and 25; the sources of information from which the auditor’s understanding was obtained; and the risk assessment procedures performed;
  3. The evaluation of the design of identified controls, and determination whether such controls have been implemented, in accordance with the requirements in paragraph 26; and
  4. The identified and assessed risks of material misstatement at the financial statement level and at the assertion level, including significant risks and risks for which substantive procedures alone cannot provide sufficient appropriate audit evidence, and the rationale for the significant judgments made.

CAS Guidance

For recurring audits, certain documentation may be carried forward, updated as necessary to reflect changes in the entity’s business or processes (CAS 315.A237).

CAS 230 notes that, among other considerations, although there may be no single way in which the auditor’s exercise of professional skepticism is documented, the audit documentation may nevertheless provide evidence of the auditor’s exercise of professional skepticism. For example, when the audit evidence obtained from risk assessment procedures includes evidence that both corroborates and contradicts management’s assertions, the documentation may include how the auditor evaluated that evidence, including the professional judgments made in evaluating whether the audit evidence provides an appropriate basis for the auditor’s identification and assessment of the risks of material misstatement. Examples of other requirements in this CAS for which documentation may provide evidence of the exercise of professional skepticism by the auditor include (CAS 315.A238):

  • Paragraph 13, which requires the auditor to design and perform risk assessment procedures in a manner that is not biased towards obtaining audit evidence that may corroborate the existence of risks or towards excluding audit evidence that may contradict the existence of risks;
  • Paragraph 17, which requires a discussion among key engagement team members of the application of the applicable financial reporting framework and the susceptibility of the entity’s financial statements to material misstatement;
  • Paragraphs 19(b) and 20, which require the auditor to obtain an understanding of the reasons for any changes to the entity’s accounting policies and to evaluate whether the entity’s accounting policies are appropriate and consistent with the applicable financial reporting framework;
  • Paragraphs 21(b), 22(b), 23(b), 24(c), 25(c), 26(d) and 27, which require the auditor to evaluate, based on the required understanding obtained, whether the components of the entity’s system of internal control are appropriate to the entity’s circumstances considering the nature and complexity of the entity, and to determine whether one or more control deficiencies have been identified;
  • Paragraph 35, which requires the auditor to take into account all audit evidence obtained from the risk assessment procedures, whether corroborative or contradictory to assertions made by management, and to evaluate whether the audit evidence obtained from the risk assessment procedures provides an appropriate basis for the identification and assessment of the risks of material misstatement; and
  • Paragraph 36, which requires the auditor to evaluate, when applicable, whether the auditor’s determination that there are no risks of material misstatement for a material class of transactions, account balance or disclosure remains appropriate.

The manner in which the requirements of paragraph 38 are documented is for the auditor to determine using professional judgment (CAS 315.A239).

More detailed documentation, that is sufficient to enable an experienced auditor, having no previous experience with the audit, to understand the nature, timing and extent of the audit procedures performed, may be required to support the rationale for difficult judgments made (CAS 315.A240).

For the audits of less complex entities, the form and extent of documentation may be simple and relatively brief. The form and extent of the auditor’s documentation is influenced by the nature, size and complexity of the entity and its system of internal control, availability of information from the entity and the audit methodology and technology used in the course of the audit. It is not necessary to document the entirety of the auditor’s understanding of the entity and matters related to it. Key elements of understanding documented by the auditor may include those on which the auditor based the assessment of the risks of material misstatement. However, the auditor is not required to document every inherent risk factor that was taken into account in identifying and assessing the risks of material misstatement at the assertion level (CAS 315.A241).

Example:

In audits of less complex entities audit documentation may be incorporated in the auditor’s documentation of the overall strategy and audit plan. Similarly, for example, the results of the risk assessment may be documented separately, or may be documented as part of the auditor’s documentation of further audit procedures.

OAG Guidance

Our risk assessment procedures and related activities are documented in procedures available in audit working paper software, which are structured according to the areas set out in CAS 315 and in accordance with the OAG Risk Assessment Process. In addition, we document the conclusions reached regarding the identification of significant FSLIs and related inherent risk assessment. For each risk identified for significant FSLIs, we document our evaluation of the degree of susceptibility to misstatement from each of the inherent risk factors in order to document the basis for our professional judgments when assessing risks of material misstatement. Refer to OAG Audit 5043.3 for guidance on evaluating inherent risk factors.

Based on factors such as the size and complexity of the entity, we use professional judgment to determine the extent of documentation necessary to record our understanding of the entity and its environment, as well as our understanding of the entity’s internal controls, focusing specifically on areas applicable to the entity.

Example:

For less complex or less developed business processes with a limited number of controls, our documentation might be limited to narrative description of the flow of transactions including details which identify the personnel, documents and reports observed. When obtaining our understanding we identified the control “general ledger account reconciliations are performed and reviewed” for which we plan to evaluate the design and implementation concurrent with our substantive test of the reconciliation at year end (i.e., our substantive testing may also evidence our understanding of this control).

For more complex or more developed business processes with many controls, our documentation may be more extensive and include flowcharts and/or narratives to document our understanding of the flow of transactions and identified controls as well as our evaluation of the design and implementation of multiple controls within the control activities component of the entity’s system of internal control.

In accordance with the guidance in OAG Audit 1141, we consider whether any matters arising in the course of assessing the risks of material misstatement are to be documented as Significant Matters.

Related guidance

See guidance on documenting professional skepticism at OAG Audit 1041 and guidance on audit documentation at OAG Audit 1100.

See guidance on revisions of risk assessment at OAG Audit 5044 and OAG Audit 4051.