5033 Components of internal control—The entity’s risk assessment process
Sep-2022

Understanding of the entity’s risk assessment process

CAS Requirement

The auditor shall obtain an understanding of the entity’s risk assessment process relevant to the preparation of the financial statements, through performing risk assessment procedures, by (CAS 315.22):

  1. Understanding the entity’s process for:

    1. Identifying business risks relevant to financial reporting objectives;
    2. Assessing the significance of those risks, including the likelihood of their occurrence; and
    3. Addressing those risks;

If the auditor identifies risks of material misstatement that management failed to identify, the auditor shall (CAS 315.23):

  1. Determine whether any such risks are of a kind that the auditor expects would have been identified by the entity's risk assessment process and, if so, obtain an understanding of why the entity's risk assessment process failed to identify such risks of material misstatement; and

  2. Consider the implications for the auditor's evaluation in paragraph 22(b).

CAS Guidance

Not all aspects of the business model are relevant to the auditor’s understanding. Business risks are broader than the risks of material misstatement of the financial statements, although business risks include the latter. The auditor does not have a responsibility to understand or identify all business risks because not all business risks give rise to risks of material misstatement (CAS 315.A62).

As explained in paragraph A62, not all business risks give rise to risks of material misstatement. In understanding how management and those charged with governance have identified business risks relevant to the preparation of the financial statements, and decided about actions to address those risks, matters the auditor may consider include how management or, as appropriate, those charged with governance, has (CAS 315.A109):

  • Specified the entity’s objectives with sufficient precision and clarity to enable the identification and assessment of the risks relating to the objectives;

  • Identified the risks to achieving the entity’s objectives and analyzed the risks as a basis for determining how the risks should be managed; and

  • Considered the potential for fraud when considering the risks to achieving the entity’s objectives.

The auditor may consider the implications of such business risks for the preparation of the entity’s financial statements and other aspects of its system of internal control (CAS 315.A110).

The entity’s risk assessment process is an iterative process for identifying and analyzing risks to achieving the entity’s objectives, and forms the basis for how management or those charged with governance determine the risks to be managed (CAS 315.Appendix 3.7).

For financial reporting purposes, the entity’s risk assessment process includes how management identifies business risks relevant to the preparation of financial statements in accordance with the entity’s applicable financial reporting framework, estimates their significance, assesses the likelihood of their occurrence, and decides upon actions to manage them and the results thereof. For example, the entity’s risk assessment process may address how the entity considers the possibility of unrecorded transactions or identifies and analyzes significant estimates recorded in the financial statements (CAS 315.Appendix 3.8).

Risks relevant to reliable financial reporting include external and internal events, transactions or circumstances that may occur and adversely affect an entity’s ability to initiate, record, process, and report financial information consistent with the assertions of management in the financial statements. Management may initiate plans, programs, or actions to address specific risks or it may decide to assume a risk because of cost or other considerations. Risks can arise or change due to circumstances such as the following (CAS 315.Appendix 3.9):

  • Changes in operating environment. Changes in the regulatory, economic or operating environment can result in changes in competitive pressures and significantly different risks.

  • New personnel. New personnel may have a different focus on or understanding of the entity’s system of internal control.

  • New or revamped information system. Significant and rapid changes in the information system can change the risk relating to the entity’s system of internal control.

  • Rapid growth. Significant and rapid expansion of operations can strain controls and increase the risk of a breakdown in controls.

  • New technology. Incorporating new technologies into production processes or the information system may change the risk associated with the entity’s system of internal control.

  • New business models, products, or activities. Entering into business areas or transactions with which an entity has little experience may introduce new risks associated with the entity’s system of internal control.

  • Corporate restructurings. Restructurings may be accompanied by staff reductions and changes in supervision and segregation of duties that may change the risk associated with the entity’s system of internal control.

  • Expanded foreign operations. The expansion or acquisition of foreign operations carries new and often unique risks that may affect internal control, for example, additional or changed risks from foreign currency transactions.

  • New accounting pronouncements. Adoption of new accounting principles or changing accounting principles may affect risks in preparing financial statements.

  • Use of IT. Risks relating to:

    • Maintaining the integrity of data and information processing;
    • Risks to the entity’s business strategy that arise if the entity’s IT strategy does not effectively support the entity’s business strategy; or
    • Changes or interruptions in the entity’s IT environment, turnover of IT personnel, or situations where the entity does not make necessary updates to the IT environment or such updates are not timely.

OAG Guidance

Setting objectives

The objective of the entity’s risk assessment, which is often broader than our audit risk assessment, is to identify, analyze, and manage risks that affect the achievement of the entity’s objectives (including financial reporting objectives). The entity’s risk assessment process, while addressing business risk broadly, can assist the entity and us in identifying risks of material misstatement of the financial statements. This process forms the basis for how the entity determines the risks to be managed. Consequently, our emphasis on understanding the risk assessment process is focused on those business risks that may result in material misstatement of the financial statements.

Identifying and analyzing risks

The entity’s process of identifying and analyzing risks is an ongoing iterative process and is a critical component of an effective internal control system. The entity’s process considers business, inherent and fraud risks at the entity and subsidiary/management unit levels as well as at a process, transaction or account level. In the narrower context of financial reporting objectives, risk assessment includes how the entity identifies business risks relevant to the preparation of financial statements in accordance with the entity’s applicable financial reporting framework, estimates their significance, assesses the likelihood of their occurrence, and decides upon actions to manage them. Risk assessment for financial reporting includes the identification of risks of material misstatement in the significant classes of transactions, account balances and disclosures at the assertion level and implementing controls to prevent or detect material misstatements.

Evaluation of the entity’s risk assessment process

CAS Requirement

The auditor shall obtain an understanding of the entity’s risk assessment process relevant to the preparation of the financial statements, through performing risk assessment procedures, by (CAS 315.22):

  1. Evaluating whether the entity’s risk assessment process is appropriate to the entity’s circumstances considering the nature and complexity of the entity.

CAS Guidance

The auditor’s evaluation of the entity’s risk assessment process may assist the auditor in understanding where the entity has identified risks that may occur, and how the entity has responded to those risks. The auditor’s evaluation of how the entity identifies its business risks, and how it assesses and addresses those risks assists the auditor in understanding whether the risks faced by the entity have been identified, assessed and addressed as appropriate to the nature and complexity of the entity. This evaluation may also assist the auditor with identifying and assessing financial statement level and assertion level risks of material misstatement (CAS 315.A111).

The auditor’s evaluation of the appropriateness of the entity’s risk assessment process is based on the understanding obtained in accordance with paragraph 22(a) (CAS 315.A112).

OAG Guidance

Our evaluation of management’s risk assessment process, including the outcomes/outputs of that process, can provide insightful information about the nature and potential magnitude of risks from the perspective of the entity’s management and those charged with governance. As explained by CAS 315.A111, the risk assessment process implemented by management highlights the areas where the entity has identified risks and how it has responded to those risks. The analysis performed by management can lead us to identify and assess risks of material misstatement in the financial statements subject to our audit. Even though management’s risk assessment process can provide insight into the areas where potential risks of material misstatement can occur, it is not a substitute for our independent risk assessment.

Our evaluation of the entity’s risk assessment process component considers whether the process is appropriate to the entity’s circumstances given the nature and complexity of the entity. Due to the nature of an entity’s risk assessment process, our procedures will primarily be inquiry, observation and inspection. The nature and extent of work performed to evaluate the entity’s risk assessment process is based on the professional judgment of the engagement team and is dependent on the size and complexity of the entity, and other relevant factors. Although not required by CAS 315, in some cases when evaluating the entity’s risk assessment process component we may decide to evaluate the design and implementation of the individual controls identified within this process. This detailed evaluation of design and implementation can give us better insight into the entity’s process to identify business risks, which helps us to identify risks of material misstatement at a more granular level. This would typically be the case when auditing larger and more complex entities, as many of the less complex entities, especially owner-managed entities, may lack formality around this process. We would also evaluate the design and implementation of controls identified within this process if we decide to perform testing of the operating effectiveness of those controls. See OAG Audit 5035.1 for further guidance on the controls we select for testing.

If the risk assessment process is ineffective (i.e., fails to identify risks of material misstatement identified by us), we determine the impact, including any identified deficiencies, on the identification and assessment of financial statement level and assertion level risks of material misstatement. OAG Audit 5037 provides additional guidance on the impact of our determination that a component within the entity’s system of internal control is not appropriate to the nature and circumstances of the entity. It also covers the impact of identified control deficiencies on the design of further audit procedures in accordance with CAS 330.

Scalability

CAS Guidance

Whether the entity’s risk assessment process is appropriate to the entity’s circumstances considering the nature and complexity of the entity is a matter of the auditor’s professional judgment (CAS 315.A113).

OAG Guidance

All entities, regardless of size and complexity, encounter risks. In less complex entities, and particularly owner-managed entities, the risk assessment process may not include the level of formality and consistency in processes and systems that more complex entities would implement. Likewise, a less complex entity may include formality and structure in its risk assessment processes or systems but may be less formal about documentation of processes and outcomes, since those involved in the process are also the business owners. When such systems and processes lack formality, we may still be able to obtain an understanding of and evaluate the entity’s risk assessment process and, where we choose to do so, evaluate the design and implementation of specific risk assessment controls through observation and inquiry.