5013 Determine the Competencies and Capabilities Required to Perform Risk Assessment Activities
Sep-2022

CAS Requirement

The engagement partner shall be satisfied that the engagement team, and any auditor’s experts who are not part of the engagement team, collectively have the appropriate competence and capabilities to (CAS 220.14):

(a) Perform the audit engagement in accordance with professional standards and applicable legal and regulatory requirements; and

(b) Enable an auditor’s report that is appropriate in the circumstances to be issued.

CAS Guidance

Assignment of Engagement Teams

When considering the appropriate competence and capabilities expected of the engagement team as a whole, the engagement partner may take into consideration such matters as the team’s (CAS 220.A11):

  • Understanding of, and practical experience with, audit engagements of a similar nature and complexity through appropriate training and participation.

  • Understanding of professional standards and applicable legal and regulatory requirements.

  • Technical expertise, including expertise with relevant information technology and specialized areas of accounting or auditing.

  • Knowledge of relevant industries in which the client operates.

  • Ability to apply professional judgment.

  • Understanding of the firm’s quality control policies and procedures.

Obtaining an Understanding of the Entity and Its Environment, the Applicable Financial Reporting Framework and the Entity’s System of Internal Control

Scalability

The entity’s use of IT and the nature and extent of changes in the IT environment may also affect the specialized skills that are needed to assist with obtaining the required understanding (CAS 315.A55).

Identifying IT applications that are subject to risks arising from the use of IT

When an entity has greater complexity in its IT environment, identifying the IT applications and other aspects of the IT environment, determining the related risks arising from the use of IT, and identifying general IT controls is likely to require the involvement of team members with specialized skills in IT. Such involvement is likely to be essential, and may need to be extensive, for complex IT environments (CAS 315.A171).

Understanding Inherent Risk Factors

When complexity is an inherent risk factor, there may be an inherent need for more complex processes in preparing the information, and such processes may be inherently more difficult to apply. As a result, applying them may require specialized skills or knowledge, and may require the use of a management’s expert (CAS 315.Appendix 2.3).

OAG Guidance

Appropriate composition of the engagement team and assignment of roles and responsibilities are important to the performance of an effective risk assessment. This section provides guidance on considering the appropriate competence and capabilities that are necessary to perform an effective risk assessment and also provides guidance on identifying the areas of the audit where specialized skills and knowledge may be needed to address risks of material misstatement.

Why is this important?

Risk assessment procedures are effective when they obtain audit evidence that provides an appropriate basis for the identification and assessment of the risks of material misstatement. In order to be effective, the procedures need to be performed by engagement team members possessing appropriate competence and capabilities, and there may be areas of risk assessment where specialized skills and knowledge are needed to support the understanding obtained and conclusions reached.

In addition, in order to plan effective risk assessment procedures, the roles and responsibilities of each engagement team member need to be properly assigned and communicated and we need to foster a culture of knowledge sharing and communication such that the risk assessment conclusions appropriately reflect the understanding obtained across the engagement team.

The composition of the engagement team and the proper assignment of roles and responsibilities are essential to the performance of an effective audit, which needs to be planned and executed with the foundation of a sufficiently granular risk assessment. Every entity is different, and the engagement team is structured to meet those entity‑specific circumstances.

OAG Risk Assessment Process

Within this section, we discuss in more detail the Set roles and responsibilities element of the OAG Risk Assessment Process illustrated below.

[Image: OAG Risk Assessment Process]

Assignment and structure of engagement team

As noted in OAG Audit 3060, the engagement leader has overall responsibility for the engagement, its performance and the audit report to be issued. A key element of this responsibility is properly assessing the assignment and structure of the engagement team, including specialists in accounting or auditing and auditor’s internal experts, for the purposes of performing effective risk assessment procedures.

Competence refers to a combination of knowledge, skills and abilities whereas capability can be described as a combination of these competency qualities used effectively and appropriately in response to varied, familiar and unfamiliar circumstances. We consider both competence and capabilities when assessing the assignment and structure of the engagement team. For example, in addition to understanding the qualification(s) and number of years of experience of a team member (indicators of competence) we would also consider whether their recent experience includes any specialized industry or other knowledge considered necessary for the purposes of the engagement (indicators of capability).

In considering the appropriate composition of the engagement team for this phase of the audit, we utilize our knowledge of the entity and its environment from previous audit periods, if applicable, and also the understanding obtained through other initial activities such as performance of acceptance and continuance procedures, procedures performed to evaluate our compliance with ethical standards (i.e., independence) and the initial procedures performed to understand the entity and its environment.

Similar to the iterative nature of risk assessment as a whole, our preliminary consideration of matters related to the assigned engagement team may need to evolve as we progress through the risk assessment phase and other phases of the audit, for example if we identify areas of potential risk where we need specialized skills and knowledge to supplement our understanding and provide input into our risk assessment conclusions. This can include identifying a need to involve a specialist in accounting or auditing or an auditor’s expert in the risk assessment procedures but subsequently concluding, with their input, whether there is or is not a need for them to be involved in the planned further audit procedures to be performed in executing the remaining phases of the audit, and if so, agreeing the nature, timing and extent of their involvement. For example, for complex accounting estimates that we expect to have high estimation uncertainty, complexity or subjectivity and therefore requiring specialized knowledge, we may consider it appropriate to use specialists in accounting or auditing or auditor’s experts when performing risk assessment procedures. A specialist or auditor’s expert can help us to obtain further understanding of the entity and its environment, understand industry trends and practices relevant to the estimates and assist with assessing the risks of material misstatement. In addition, specialists and experts can also assist with designing and/or executing further audit procedures to address the assessed risks of material misstatement.

When considering involving specialists or experts, we consider whether OAG Policy requires the involvement of Audit Services or other specialists. In some instances, this determination may be part of an iterative process. For example, if we involve IT Audit in the assessment of the complexity of an entity’s IT environment, we may identify applications or other aspects of the IT environment that are non‑complex and therefore further involvement of IT Audit is not required by OAG Policy for those applications or aspects if we conclude other members of the engagement team have the knowledge and skills necessary to assess the risks of material misstatement.

Refer to OAG Audit 3092 for examples of the different areas of an audit where auditor’s internal experts or specialists in accounting or auditing might be involved in performing risk assessment procedures. Although auditor’s external experts are not considered part of the engagement team, the engagement leader also needs to decide whether it is appropriate to engage experts in order to obtain sufficient appropriate audit evidence. This may include engaging an expert as part of performing risk assessment procedures, particularly in areas where an entity has used a management’s expert in preparing the financial statements. Refer to OAG Audit 3090 for guidance on the use of auditor’s experts.

Importance of clear roles and responsibilities

In order to plan and execute effective risk assessment procedures to obtain audit evidence that provides an appropriate basis for the identification and assessment of the risks of material misstatement, it is essential that the assigned engagement team have a clear understanding of their roles and responsibilities for contributing to the engagement and that clear communication across engagement team members occurs throughout the engagement.

Guidance related to assigning roles and responsibilities, setting objectives and monitoring progress is available as follows: