5041 Identify risks of material misstatement

Sep-2022

OAG Guidance

Identifying and assessing the risks of material misstatement form part of the Identify and Assess elements of the OAG Risk Assessment Process. We use our understanding of the entity and its environment, our understanding of the entity’s system of internal control, the applicable financial reporting framework and information gathered from other risk assessment procedures performed in previous phases of the OAG Risk Assessment Process to inform a targeted and specific identification and assessment of the risks of material misstatement at the financial statement and FSLI assertion level.

Our detailed understanding of the entity and business processes helps us identify significant classes of transactions, account balances and disclosures (significant FSLIs) that represent a risk of material misstatement at the assertion level and informs our assessment of the identified risks. We also use our understanding of the applicable financial reporting framework and financial statement areas that may be more susceptible to material misstatement, and consider the results of related team discussions to identify and assess risks that would be specific to the entity. In turn, identification and assessment of risks specific to the entity facilitates the development of audit responses tailored to effectively and efficiently address the assessed risks unique to the entity.

 OAG Audit 5040 provides guidance on Identify and Assess elements of the OAG Risk Assessment Process:

We identify and assess the entity specific risks, through research and analysis regarding:

• Understanding the entity and its environment, including the financial reporting framework (OAG Audit 5020)

• Understanding and evaluation of internal control (OAG Audit 5030)

• Other risk assessment procedures, including:

  • Performing client and engagement acceptance & continuance procedures (OAG Audit 3010)
  • Considering the risk of material misstatement due to fraud (OAG Audit 5504 and OAG Audit 5505)
  • Identifying instances of non-compliance with laws and regulations (OAG Audit 7510)
  • Evaluating the appropriateness of management’s use of going concern basis of accounting (OAG Audit 7520)
  • Understanding the nature of related party transactions and balances (OAG Audit 7530)
  • Auditing accounting estimates and related disclosures (OAG Audit 7070)

We use our understanding and risk assessment procedures referred to above to identify entity specific risks of material misstatement, including risks of fraud and error. As part of gathering information to support our understanding, it may be useful to consider business risks identified by the entity, as they may help us identify risks of material misstatement and might have some implications for our audit.

We then consider whether identified risks represent a risk of material misstatement to the entity’s financial statements. Risks of material misstatement need to be considered at two levels: at the financial statement level, as well as at the assertion level within a class of transactions, account balance, or a disclosure.

When identifying and assessing the risks of material misstatement at the assertion level, we identify the classes of transactions, account balances and disclosures, and the assertions that represent a risk of material misstatement. OAG Audit guidance refers to classes of transactions, account balances and disclosures as financial statement line items (FSLIs). FSLIs for which we identify a risk of material misstatement at the assertion level are referred to as ’significant FSLIs’. OAG Audit 5042 provides guidance on determining relevant assertions and significant FSLIs.

Once we have identified the risks of material misstatement at the financial statement and FSLI assertion level, we assess those risks and follow the guidance in OAG Audit 5043 that provides further details on the procedures we perform to assess the level of inherent risk associated with each identified risk of material misstatement. The following chart illustrates the overall process of FSLI scoping and assessment of inherent risk at the assertion level:

Finally, we perform an overall evaluation of all risk assessment activities performed to determine if they provide an appropriate basis for our risk assessment and further audit procedures developed to address the assessed risks. This includes evaluation of material FSLIs that were not considered significant FSLIs, i.e., where we determine that a material FSLI does not include a risk of material misstatement at the assertion level. Refer to guidance in OAG Audit 5044 for further details.

OAG Guidance

Risks of material misstatement need to be considered at two levels:

• the financial statement level and
• the assertion level within a class of transactions, account balance, or a disclosure for a particular financial statement line item (“FSLI”).

Because financial statement level risks relate pervasively to the entity’s financial statements as a whole and potentially affect many assertions, when assessing such potential risks we consider pervasive risks, including external factors such as an economic downturn and we also consider entity-specific factors such as poor operating results and cash flows that may impact the entity’s continued use of the going concern basis of accounting. When seeking to identify financial statement level risks, it may be useful to consider the entity’s business risks identified through our procedures performed to understand the entity and its environment (see OAG Audit 5021) as well as any fraud risks identified through our procedures performed to identify and assess the risks of material misstatement due to fraud, including evaluating any identified fraud risk factors (see OAG Audit 5504). We also consider whether our evaluation of the entity’s internal control components may indicate financial statement level risks. For example, if we determine that the control environment does not provide an appropriate foundation for the other components of internal control, or we determine that other internal control components (e.g., entity’s risk assessment process or the entity’s process to monitor the system of internal control) are not appropriate to the entity’s circumstances, this may indicate a risk of material misstatement at the financial statement level, which we would need to assess.

If we identify financial statement level risks of material misstatement, we need to consider if they affect our assessment of risks at the assertion level for FSLIs. In some cases we may determine that identified financial statement level risks affect specific FSLIs and associated assertions, and this would affect our risk assessment at the assertion level (e.g., we may determine that the risk associated with the related party transactions affects accuracy of revenue and this would be considered when assessing the inherent risk for the revenue FSLI, and when developing appropriate responses to the assessed risk).

Examples of financial statement level risks due to fraud or error include, but are not limited to, the following:

• Risk of management override of controls.

• Concerns regarding the integrity or conduct of the entity’s directors, senior management or managers.

• Significant unusual transactions outside of the normal course of business.

• Unusually aggressive or creative accounting policies or practices.

• Lack of segregation between personal and business transactions.

• Fraud risk due to a lack of segregation of duties.

• Doubt regarding the entity’s ability to continue as a going concern.

• Related party transactions may not be appropriately accounted for and disclosed.

• Instances of non-compliance with laws and regulations may exist.

• Limited oversight of management.

• The financial statements are significantly affected by estimates that involve significant judgments or uncertainties.

• Accounting personnel may be ineffective or the financial reporting process dominated by non-financial management or unqualified accountants.

• Indicators of potential management bias in making accounting estimates.

Some of the more significant overall implications for the audit that we might identify, in addition to the matters in the OAG Audit guidance, may include:

• Deficiencies in the controls over information systems and technology or that could prevent us from relying on management information.

• Indications of fundamental problems with the quality of management information that could undermine reliance on controls, and thus prevent us from relying on management information.

• Indicators of material fraud risk at the financial statement level

Refer to OAG Audit 4024 for guidance on developing a testing strategy, including overall responses to the identified risks of material misstatement at the financial statement level. 

OAG Guidance

We identify risks of material misstatement at the assertion level that have a reasonable possibility of occurring and being material to the financial statements as a whole. The classes of transactions, account balances and disclosures (i.e., FSLIs) that represent risks of material misstatement are considered significant (referred to in OAG Audit as a “significant FSLI”).

We identify significant FSLIs and relevant assertions by considering quantitative and qualitative factors and the likelihood that the potential misstatements could cause the financial statements to be materially misstated. For detailed guidance on identifying significant FSLIs and relevant assertions, refer to OAG Audit 5042.

An effective way to identify sources of potential misstatements is to consider “what could go wrong” in the entity’s business processes related to a given FSLI. This determination depends on the specific engagement circumstances and may change based on our updated understanding of the entity, our evaluation of quantitative and qualitative risk factors, or other changes.

We identify which of these potential misstatements could result in a material misstatement to the financial statements, either individually or in combination with others. Identifying the potential misstatements allows us to focus our audit procedures on the specific risks at the assertion level which, in turn, allows us to tailor the nature and extent of our audit procedures to obtain the audit evidence sufficient to reduce the risk to an acceptably low level.

We consider whether potential misstatements, individually or in combination with others, present at least a reasonable possibility of material misstatement to the financial statements. This is important because there could be multiple risks that together present a reasonable possibility of material misstatement. Further guidance on identifying risks of material misstatement at the FSLI assertion level and what constitutes a reasonable possibility of material misstatement is provided in OAG Audit 5042

It is the Office’s view that we should be including “compliance with authorities” work in all annual audit work, regardless of whether or not our auditor’s report includes a separate opinion on compliance with authorities. In developing the audit plan, an assessment should be made of the risk of significant non-compliance with the identified governing authorities. Risk assessment procedures for compliance with authorities are integrated with the risk assessment procedures of material misstatements in the financial statements. For further guidance, see OAG Audit 11012 Identify and assess risks of non-compliance with authorities.

Parliamentarians expect the Office to have a comprehensive knowledge of the operations of any entity we audit—an expectation that can extend beyond the knowledge level necessary to complete a traditional annual audit. The Financial Administration Act, the Auditor General Act and professional auditing standards collectively permit the Auditor General to bring to the attention of Parliament any “other matter” he believes parliamentarians should be made aware of. During the planning phase of the annual audit, the auditor should identify issues that may have the potential to be of significance and/or of a nature that they should be brought to the attention of Parliament. Such matters have not been defined in legislation; they are left to the judgment of the auditor(s). For further guidance, see OAG Audit 11020

In addition, based on risk assessment of the entity, the Office may perform audit work on senior executive and board compensation, and travel, hospitality, conferences and events. Audit teams may assess the risk of abuse by board members and senior executives that could result in personal benefit and that could indicate lapses in values or ethics, weak governance, and/or inadequate oversight and control. For further guidance, see OAG Audit 11031.