5012.2 Use of risk assessment analytical procedures
Sep-2022

Objectives, types and performance of analytical procedures

CAS Requirement

The auditor shall design and perform risk assessment procedures to obtain audit evidence that provides an appropriate basis for (CAS 315.13):

a) The identification and assessment of risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels; and

b) The design of further audit procedures in accordance with CAS 330.

The auditor shall design and perform risk assessment procedures in a manner that is not biased towards obtaining audit evidence that may be corroborative or towards excluding audit evidence that may be contradictory.

The risk assessment procedures shall include the following (CAS 315.14):

a) Inquiries of management and of other appropriate individuals within the entity, including individuals within the internal audit function (if the function exists).

b) Analytical procedures.

c) Observation and inspection.

CAS Guidance

For purposes of the CASs, the term "analytical procedures" means evaluations of financial information through analysis of plausible relationships among both financial and non‑financial data. Analytical procedures also encompass such investigation as is necessary of identified fluctuations or relationships that are inconsistent with other relevant information or that differ from expected values by a significant amount (CAS 520.4).

Types of Analytical Procedures

This CAS deals with the auditor’s use of analytical procedures as risk assessment procedures. CAS 520 deals with the auditor’s use of analytical procedures as substantive procedures ("substantive analytical procedures") and the auditor’s responsibility to perform analytical procedures near the end of the audit. Accordingly, analytical procedures performed as risk assessment procedures are not required to be performed in accordance with the requirements of CAS 520. However, the requirements and application material in CAS 520 may provide useful guidance to the auditor when performing analytical procedures as part of the risk assessment procedures (CAS 315.A30).

Automated tools and techniques

Analytical procedures can be performed using a number of tools or techniques, which may be automated. Applying automated analytical procedures to the data may be referred to as data analytics (CAS 315.A31).

Example:

The auditor may use a spreadsheet to perform a comparison of actual recorded amounts to budgeted amounts, or may perform a more advanced procedure by extracting data from the entity’s information system, and further analyzing this data using visualization techniques to identify classes of transactions, account balances or disclosures for which further specific risk assessment procedures may be warranted.

OAG Guidance

Analytical procedures are used throughout the audit process and are divided into:

  • Risk assessment analytical procedures (see further in this subsection).
  • Substantive analytical procedures (see OAG Audit 7030).
  • Overall conclusion analytical procedures (see OAG Audit 9021).

Risk assessment analytical procedures are generally performed early in the audit to assist in planning the nature, timing and extent of audit procedures that will be used to obtain sufficient appropriate audit evidence for significant accounts or classes of transactions. Analytical procedures used in planning generally use data aggregated at a high level, although we consider whether the data is at a sufficiently disaggregated level to assist with the identification of unusual or unexpected relationships relevant to our risk assessment. Substantive analytical procedures are generally conducted during substantive testing. However, risk assessment and substantive analytical procedures can be used throughout the audit. Also, analytical procedures performed with one purpose in mind may be combined with other procedures to serve another purpose. For example, in performing risk assessment analytical procedures, we may conclude that a significant difference identified was probably caused by the commercial impact of a new contract the entity agreed to during the current period. Corroboration that the difference is attributable to the new contract is generally not necessary at this stage of the audit, unless it will help our understanding of the entity and risk assessment. However, we may decide it is more efficient to gain assurance during the planning phase of the audit, by reading the contract terms and quantifying the impact as a means of corroborating our initial conclusion as to the cause of the difference while also completing substantive procedures that would have otherwise been necessary later in the audit (for further guidance on reviewing significant contracts see OAG Audit 7570).

Before conducting an analytical procedure, consider what we are trying to accomplish with the procedure and determine the objectives of the procedure by considering:

  • The purpose of the analytical procedure (e.g., to assess risk or to obtain assurance).

  • The nature and reliability of the information that will be the basis for the analytical procedure.

  • The amount of assurance desired from the analytical procedure (as appropriate).

  • The suitability of the proposed analytical procedure to provide that level of assurance.

  • The materiality of the account.

  • The phase of the audit in which the analytical procedure is being deployed.

  • The associated inherent and audit risks.

  • Our understanding of the entity and prior audit experience.

  • The financial statement assertions that the analytical procedure will address and how much evidence needs to be achieved on each.

  • Our history of performing analytical procedures and the possibility of enhancing them to provide greater evidence.

The objectives of the analytical procedure will also dictate the type of analytical procedure used and the techniques involved in investigating a significant difference. For a detailed discussion of the types of analytical procedures see OAG Audit 7032.

When performing analytical procedures during planning, the primary focus is to identify unexpected changes or the absence of expected changes that may indicate a risk of material misstatement. The purpose of those procedures is to identify and appropriately assess the risks of material misstatement to assist in determining the nature, timing, and extent of further audit procedures. As a result, the expectations can be less precise. In contrast, when performing substantive analytical procedures, the expectations of the recorded amounts are more precise, because the procedures performed are to provide direct substantive audit evidence over the FSLI(s) being tested.

For a more detailed discussion of the types of analytical procedures see OAG Audit 7032. The 4‑step process (see OAG Audit 7033), which is designed to standardize how we perform substantive analytical procedures and improve their quality, may also be helpful when performing risk assessment procedures, though it is not required.

Analytical procedures to identify and assess the risks of material misstatement

CAS Guidance

Analytical procedures help identify inconsistencies, unusual transactions or events, and amounts, ratios, and trends that might indicate matters that may have audit implications. Unusual or unexpected relationships that are identified may assist the auditor in identifying risks of material misstatement, especially risks of material misstatement due to fraud (CAS 315.A27).

Analytical procedures performed as risk assessment procedures may therefore assist in identifying and assessing the risks of material misstatement by identifying aspects of the entity of which the auditor was unaware or understanding how inherent risk factors, such as change, affect susceptibility of assertions to misstatement (CAS 315.A28).

Analytical procedures performed as risk assessment procedures may (CAS 315.A29):

  • Include both financial and non‑financial information, for example, the relationship between sales and square footage of selling space or volume of goods sold (non‑financial).

  • Use data aggregated at a high level. Accordingly, the results of those analytical procedures may provide a broad initial indication about the likelihood of a material misstatement.

Example:

In the audit of many entities, including those with less complex business models and processes, and a less complex information system, the auditor may perform a simple comparison of information, such as the change in interim or monthly account balances from balances in prior periods, to obtain an indication of potentially higher risk areas.

OAG Guidance

Performing risk assessment analytical procedures

We perform risk assessment analytical procedures to deepen our understanding of the business in a way that helps us to direct our attention to potential indicators of risks of material misstatement, assess those risks and to design audit procedures focused on potential material misstatement. As described in OAG Audit 5011, subsequent to the planning process we may also plan or opt to perform additional risk assessment analytical procedures during the audit to continue to refine the nature, timing, and extent of our further audit procedures.

Risk assessment analytical procedures assist us in the risk assessment process and can help support informed, well‑reasoned judgments related to the following:

  • Identification of risks of material misstatement (OAG Audit 5041)

  • Identification of significant classes of transactions, account balances and disclosures and relevant assertions (OAG Audit 5042)

  • Evaluation of inherent risk factors (OAG Audit 5043.3)

  • Identification of significant assumptions within accounting estimates (OAG Audit 7073.1)

  • Identification and selections of populations to test (OAG Audit 7044.1)

  • Evaluation of the untested balances after performing targeted testing (OAG Audit 7042)

In performing analytical procedures as risk assessment procedures, develop expectations about plausible relationships that we would expect to exist based on our knowledge of the business and industry, general economic conditions and prior audit experience. This involves quantitative and/or qualitative analysis of the recorded information to assess whether it is consistent with our own understanding of the entity and its environment. The expectation we develop for risk assessment analytics differs from the “independent expectation” that we are required to develop when performing a substantive analytical procedure where we typically independently establish a precise, quantitative expectation. Perform the analysis at an aggregated or sufficiently disaggregated level to assist with the identification of unusual or unexpected relationships relevant to our risk assessment.

Understanding the entity and its environment

In accordance with CAS 315.19, to understand the entity and its environment, we understand areas such as the entity’s objectives, strategy and business model and relevant industry and other external factors, which in turn drive our expectations used in risk assessment analytics. Understanding key financial indicators in the industry can help us develop expectations used in performing risk assessment analytics.

We can obtain information about the entity’s strategy and key industry indicators from management, their financial statements, the prior‑year audit workpapers, industry publications, or other third‑party sources and typically do this when obtaining an understanding of the entity and its environment in line with OAG Audit 5011.

Note: An understanding of the example areas listed below may have already been obtained and documented from the procedures (e.g., inquiry and inspection) performed to obtain an understanding of the entity and its environment.

The following list provides examples of the types of questions that we might consider when conducting risk assessment analytical procedures:

  • What are the trends in the entity’s markets, and through the use of benchmarking (see OAG Audit 7035), how does the entity compare with its peers or competitors and with industry averages?

  • How are the entity’s business strategies (e.g., a particular product’s revenue growth) reflected in the financial statement trends and relationships?

  • What are the key business drivers at the entity?

  • What are the key financial ratios that management and industry analysts focus on? Why are those ratios considered key? How do the entity’s ratios compare with previous years and with the industry?

  • What are the trends in the entity’s financial ratios measuring liquidity, solvency, leverage, and operating results? Through benchmarking, how do these analyses compare to industry averages and competitors and/or peers?

  • How has the internal structure of the financial statements changed (e.g., changes in the presentation and/or financial statement line items)?

  • Through benchmarking, how do these changes compare to industry averages and competitors and/or peers? Consider questions such as:

    • Has there been an increasing gap between the entity’s reported income and its cash flow from operations?

    • Have there been any unusual changes in important account relationships (e.g., accounts receivable or inventory in relation to changes in sales)?

    • Has the entity’s off‑balance sheet financing (e.g., operating leases) changed from prior years? If so, what effect will it have on key ratios (e.g., debt to equity ratio if there is a change in financing policy)? How does it relate to the industry norm?

    • Has the entity changed accounting policies or estimates? Have there been unexpected large asset write‑offs? How do the entity’s accounting policies compare with industry norms? How do these items affect key ratios?

The effectiveness of risk assessment analytics depends on our understanding of the entity and its environment and the use of professional judgment. Therefore, involve suitably experienced members of the team in designing and performing risk assessment analytics so that they can provide their insights into the entity and the environment in which it operates.

Considering which risk assessment analytics to perform

The two most common types of analytical procedures used for risk assessment analytical procedures are trend analysis and ratio analysis (see OAG Audit 7032). It is also common to combine these methods and perform trend analysis of ratios. Determining which type of risk assessment analytical procedure to use is a matter of professional judgment. We select the most appropriate procedure by considering the nature of the account and the purpose of the procedure (i.e., to better understand the business or focus audit testing), and desired precision of the expectation.

Developing an expectation

When performing risk assessment analytical procedures, a quantitative expectation does not need to be developed for each account on the face of the financial statements. Qualitative aspects of key business drivers (e.g., revenue growth) can be documented with our judgment on whether each current year balance is expected or unexpected in relation to the key business driver.

Considering the account balances, classes of transactions, or performance measures to include in our expectation

When performing risk assessment analytical procedures, determining which account balance, classes of transactions, or performance measures to include in our expectation is a matter of professional judgment. When exercising this judgement, we select the appropriate items by considering the nature of the account, purpose of the procedure (i.e., understanding of the business to determine the nature, timing, and extent of testing), and the desired precision of the analytical procedure.

For risk assessment analytical procedures, we consider combining the analysis of account balances and classes of transactions with performance measures as performance measures may provide insight into relationships beyond that provided by performing analytical procedures on account balances and/or classes of transactions alone. For example, analyzing revenue and accounts receivable accounts individually will provide relevant information. However, incorporating a performance measure (such as “days sales outstanding” or “debtors days”) that contemplates the relationship between these two accounts will enhance the information derived from the risk assessment analytical procedure as it provides a better understanding of the business and relationship between the account balances.

Typical performance measures to consider incorporating into the risk assessment analytical procedures include:

Income statement analysis

  • Sales trends and/or sales growth
  • Gross margin/COGS as percent of revenue
  • Total operating expenses as percent of revenue
  • Operating income as percent of revenue
  • Return on net investment

Balance sheet analysis

  • Working capital ratio
  • Days sales outstanding or receivables turnover
  • Days sales in inventory or Inventory turnover
  • Days payable outstanding or payables turnover
  • Capital expenditures as percent of revenue
  • Total debt to equity ratio

Identifying the level at which we will perform the risk assessment analytics

The level at which we perform risk assessment analytical procedures will vary based on the nature of the entity and our understanding of the environment in which it operates. Some examples of other factors to consider may include the composition of revenues, specific attributes of revenue transactions and unique industry considerations.

Example:

For a less complex entity operating in a relatively stable environment (e.g., a retail bakery with one location), the analytics could likely be performed at a more aggregated level. Alternatively, the more complex the entity or the more change it is experiencing (e.g., a bakery that expands its locations primarily through franchising arrangements), the more disaggregated the analytics may need to be in order to appropriately identify and assess the risk of a material misstatement.

When assessing the level at which to perform a risk assessment analytic, we typically consider which of the following levels of operating and financial information will be the most appropriate to the circumstances. However, we do not limit our consideration to this list of options because the chosen information is most effective when it is aligned to our understanding of the business and often aligns to how management monitors their business performance and risks.

  • Consolidated report level
  • Statutory/component entity level
  • Segment level
  • Business unit level
  • Location level

In designing and performing risk assessment analytics, we consider what will provide the most useful information in identifying risk of material misstatements. When determining the scope and levels at which risk assessment analytics are to be performed, consider the following:

  • Misstatements may result from fraud and we therefore perform analytical procedures related to revenue accounts with the objective of identifying unusual or unexpected relationships that may indicate risks of material misstatement due to fraudulent financial reporting, such as fictitious sales or significant returns from customers that might indicate undisclosed terms (“side agreements”). Although it is not required, these revenue analytics could be performed at a disaggregated level (e.g. monthly or quarterly time period, line of business, location, product or account). They may help identify the existence of unusual transactions, events, amounts, ratios and trends that might indicate misstatements or matters that have financial statement and audit implications. For further guidance on misstatements due to fraud see OAG Audit 5500.

  • Risk assessment analytics performed only at the consolidated reporting level may not be sufficient to properly identify and assess risks of material misstatement. Determine at what level of the organization the risk assessment analytics will be performed. For group audits disaggregation to a component level may be appropriate.

In a group audit engagement, for components that are not significant components, where the group engagement team performs analytical procedures at the group level, disaggregation to a business, geographic or component level, may be appropriate. Typically, these procedures are performed as part of the group engagement team’s required risk assessment analytics and again in the completion phase as a part of the overall conclusion analytics. Depending on the circumstances of the engagement, the financial information of the components used by the group engagement team in these circumstances may be aggregated at the component level or disaggregated further.

Data used for risk assessment analytical procedures

Risk assessment analytical procedures are usually based on interim financial information, budgets and/or management accounts (i.e., internal financial reports used by management). They may also use nonfinancial information, for example, the relationship between sales and square footage of selling space or volume of goods sold.

When we use data to inform our risk assessment, including as part of risk assessment analytics, we assess the reliability of that data. The extent of procedures necessary to assess the reliability of the data depends on the nature and source of the data, the conditions under which it was gathered, and other knowledge we have about it. The following factors may influence our considerations:

  • Whether the data was obtained from independent sources outside the entity or from sources within the entity
  • Whether sources within the entity were independent of those who are responsible for the amount being evaluated
  • Whether the data was developed under a reliable system with adequate controls
  • Whether the data was subjected to audit testing in the current or prior year
  • Whether the procedures were performed using data from a variety of sources

We identify the data that will be used in our risk assessment procedures, and understand the underlying processes used to gather the data. Examples of the ways we can assess the reliability of data include agreeing the financial information to the general ledger, or agreeing budgeted amounts to the entity’s budget and assessing management’s past ability to develop a reliable and achievable budget based on our knowledge and experience from prior audits. We can use the entity’s budget to help identify plausible relationships and help us form our own expectations.

Regardless of the rigor with which the entity prepares its analytical data, we cannot substitute the entity’s work for our own.

For best practices to overcome potential pitfalls in applying analytical procedures see OAG Audit 7034.

Data obtained from external sources such as competitor or industry data can be used to benchmark client data to identify unusual trends or relationships. External or internal data produced from systems and records that are separate and distinct from the accounting records or that are not subject to manipulation by persons in a position to influence accounting activities (e.g., headcount, retail store square footage, customer service records) is generally considered less likely to be subject to management bias or manipulation than internal accounting data for purposes of this assessment. Also, the procedures we perform to assess the reliability of data used for risk assessment may be performed elsewhere in the audit and leveraged for this purpose.

Defining unusual or unexpected differences

When performing risk assessment analytical procedures, the threshold for what we consider to be an unexpected or unusual difference, warranting further evaluation, is sufficiently low to enable us to identify areas with a higher risk of material misstatement, either individually or when aggregated with other misstatements. Since risk assessment analytical procedures are not designed as a principal source of audit evidence and may not need to be performed at the same level of precision and disaggregation as substantive analytics, the threshold is generally higher than the threshold used for substantive analytics and commonly will be established at performance materiality. However, the threshold may be established at a lower threshold if, in our judgement, such a threshold is better suited to identify unexpected or unusual trends or differences, including where we have opted to perform the risk assessment analytics at a more disaggregated level.

At the time we conduct risk assessment analytical procedures we may still be in the process of assessing materiality and performing other risk assessment procedures. In these situations, we use professional judgment to establish the threshold after considering factors such as prior‑year materiality, experience with similar entities, prior audit experience, and importance and size of the account(s).

The purpose of establishing a threshold is to identify areas that warrant investigation. For risk assessment analytical procedures, the consideration of the threshold prior to performing the analysis need not be explicit. It can be documented by the addition of a column titled “Unusual or Unexpected” to our documentation that evidences the decision as to whether the actual result is in line with our expectation or not. The threshold may be judgmentally assessed and is implied by the designation of a difference as unusual or unexpected in relation to our expectations. The explanation of the unusual or unexpected item needs to be sufficient to enable an experienced auditor independent of the audit to understand the basis for our conclusion. For instance, in our expectation we indicate that we expect revenues to increase 10 percent from the prior period. Consequently, we compare the prior year revenue plus 10 percent to the actual results of the current period. If the actual results differ from our expectation and we deem the difference to be unusual or unexpected, the explanation of the difference will reinforce what our threshold was and why we concluded there was a difference which was investigated.

Evaluation of unusual or unexpected differences

To enhance the effectiveness of risk assessment analytical procedures, the computation of differences is done after the development of an expectation and determining a threshold for what is considered unusual or unexpected. The computed differences may be documented as a monetary difference or a percentage difference. Where multiple measures are used for a threshold, such as monetary value change and percentage change, the threshold is defined as CU X “OR” Y percent so that both measures do not need to be exceeded to trigger investigation. Using “AND” could result in material differences not being investigated.
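
The following is an added illustration, not part of the OAG guidance, of why a two-measure threshold is combined with "OR" rather than "AND". The balances are constructed, the thresholds of CU 1,000,000 and 10 percent are hypothetical, and all function and field names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Line:
    name: str
    prior: float    # prior-period recorded amount (CU)
    current: float  # current-period recorded amount (CU)
    growth: float   # expected change as a fraction (0.10 = +10 percent)


def evaluate(line, cu_threshold, pct_threshold):
    """Compare the recorded amount to the expectation under both rules."""
    expected = line.prior * (1 + line.growth)
    diff = line.current - expected
    if expected != 0:
        pct = abs(diff) / abs(expected)
    else:
        # No expected balance: any recorded amount is an unbounded % change.
        pct = 0.0 if diff == 0 else float("inf")
    over_cu = abs(diff) > cu_threshold
    over_pct = pct > pct_threshold
    return {
        "name": line.name,
        "expected": round(expected, 2),
        "difference": round(diff, 2),
        "pct_difference": pct,
        "flag_or": over_cu or over_pct,    # either measure triggers follow-up
        "flag_and": over_cu and over_pct,  # both measures must be exceeded
    }


def worksheet(lines, cu_threshold, pct_threshold):
    """Rows with an 'Unusual or Unexpected' column, using the OR rule."""
    rows = []
    for line in lines:
        result = evaluate(line, cu_threshold, pct_threshold)
        result["Unusual or Unexpected"] = "Yes" if result["flag_or"] else "No"
        rows.append(result)
    return rows


def missed_by_and(lines, cu_threshold, pct_threshold):
    """Names of lines the OR rule flags but the AND rule would skip."""
    missed = []
    for line in lines:
        result = evaluate(line, cu_threshold, pct_threshold)
        if result["flag_or"] and not result["flag_and"]:
            missed.append(result["name"])
    return missed


# Hypothetical thresholds (assumptions for this example only).
CU_THRESHOLD = 1_000_000
PCT_THRESHOLD = 0.10

# Constructed sample data; not taken from any real entity.
SAMPLE = [
    # Large balance: CU 3.0m shortfall against a +10% expectation is
    # only about 5.5 percent, so the percentage measure alone stays quiet.
    Line("Revenue", 50_000_000, 52_000_000, 0.10),
    # Small balance: 45 percent jump, but only CU 90,000.
    Line("Travel expense", 200_000, 290_000, 0.00),
    # In line with expectation on both measures.
    Line("Payroll", 12_000_000, 12_400_000, 0.03),
    # Exceeds both measures.
    Line("Grants", 4_000_000, 6_000_000, 0.00),
]

if __name__ == "__main__":
    for row in worksheet(SAMPLE, CU_THRESHOLD, PCT_THRESHOLD):
        print(f'{row["name"]:<15} diff={row["difference"]:>14,.0f} '
              f'pct={row["pct_difference"]:>7.1%} '
              f'unusual={row["Unusual or Unexpected"]}')
    print("Skipped under AND:",
          missed_by_and(SAMPLE, CU_THRESHOLD, PCT_THRESHOLD))
```
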

When our risk assessment analytical procedures identify an unusual or unexpected difference, we obtain management’s explanation and assess its plausibility (i.e., does it make sense). After assessing the plausibility of management’s explanation, we consider whether the unusual or unexpected difference may be indicative of a condition that potentially gives rise to risks of material misstatement. It is not necessary to corroborate the explanation (i.e., is there evidence to support it) as part of risk assessment analytics. Instead, we determine whether further audit procedures in our audit plan are necessary to address differences initially identified as unexpected or unusual.

Our evaluation of unusual or unexpected differences will be more effective if, before we obtain the entity’s explanation, we understand the various relationships in the financial and non-financial data we are using, develop our own potential explanations based on factors such as our updated understanding of the entity and its operating environment, prior audit experience and industry knowledge, and discuss the difference with the broader engagement team.

We consider the potential risks of material misstatement identified from risk assessment analytical procedures and then design and perform audit procedures whose nature, timing and extent are based on and are responsive to the assessed risks of material misstatement. Our response to an identified risk may be to increase planned tests of controls or detailed substantive testing, or to design specific substantive procedures to test the sufficiency of the explanation, or we may determine that the existing audit plan sufficiently addresses the risk. While we do not need to test the sufficiency of an explanation during planning, there is nothing to preclude us from doing so through quantification and corroboration. For example, obtaining evidence during the risk assessment phase may be efficient in circumstances where we already plan to perform corroborative substantive procedures later in the audit.

Considerations specific to less complex entities

CAS Guidance

Types of Analytical Procedures

Analytical procedures performed as risk assessment procedures may (CAS 315.A29):

  • Include both financial and non-financial information, for example, the relationship between sales and square footage of selling space or volume of goods sold (non-financial).

  • Use data aggregated at a high level. Accordingly, the results of those analytical procedures may provide a broad initial indication about the likelihood of a material misstatement.

Example:

In the audit of many entities, including those with less complex business models and processes, and a less complex information system, the auditor may perform a simple comparison of information, such as the change in interim or monthly account balances from balances in prior periods, to obtain an indication of potentially higher risk areas.

OAG Guidance

Some less complex entities (i.e., very small, owner-managed entities) may not have interim or monthly financial information that can be used for purposes of analytical procedures. In these circumstances, although the auditor may be able to perform limited analytical procedures for purposes of planning the audit or obtain some information through inquiry, the auditor may need to plan to perform analytical procedures to identify and assess the risks of material misstatement when an early draft of the entity’s financial statements is available.

In some circumstances, it may be appropriate to perform risk assessment and overall conclusion analytics as part of the same exercise. For example, we may opt to do this in the following circumstances:

  • Where the timing of the audit supports risk assessment analytics being performed on period-end balances; and

  • The format of the financial statements used for risk assessment analytics is consistent with that used for the overall conclusion analytics.

Where risk assessment and overall conclusion analytics are performed as part of the same exercise we still perform and document the analytics in a manner that is consistent with the different purposes, objectives and OAG Audit guidance for each type of analytics. To illustrate, when assessing whether the analytics reflect unusual or unexpected differences our basis of comparison will differ for the purposes of risk assessment analytics (e.g., by comparing to budgeted performance in light of the defined threshold) and overall conclusion analytics (e.g., by considering whether consistent with the results of other audit procedures).

Documentation

OAG Guidance

Although the form of the documentation prepared for risk assessment analytics may vary based on the engagement facts and circumstances, when performing risk assessment analytical procedures, we document:

  • Our assessment of the reliability of the data used for the risk assessment analytics.

  • The quantitative or qualitative analysis of the recorded amounts, trends and ratios that we consider relevant, including our basis for identifying unusual or unexpected relationships. This might include, for example, the rationale for our expectation of movements in key business drivers and related accounts and how this compares to the actual amounts/relevant ratios.

  • The unusual or unexpected relationships identified which we believe are significant for our risk assessment. If the basis on which we developed our expectation and threshold for assessing whether the relationship is unusual or unexpected is not otherwise apparent, it is appropriate to document such information in support of the explanation.

  • The impact on the audit plan, including what further explanation/investigation is necessary.

The Risk Assessment Analytics Planning procedure is available to document risk assessment analytics.