Annual Audit Manual
COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
5041 Identify risks of material misstatement
Sep-2022
In This Section
Identify risks at the financial statement level
OAG Guidance
Identifying and assessing the risks of material misstatement form part of the Identify and Assess elements of the OAG Risk Assessment Process. We use our understanding of the entity and its environment, our understanding of the entity’s system of internal control, the applicable financial reporting framework and information gathered from other risk assessment procedures performed in previous phases of the OAG Risk Assessment Process to inform a targeted and specific identification and assessment of the risks of material misstatement at the financial statement and FSLI assertion level.
Our detailed understanding of the entity and business processes helps us identify significant classes of transactions, account balances and disclosures (significant FSLIs) that represent a risk of material misstatement at the assertion level and informs our assessment of the identified risks. We also use our understanding of the applicable financial reporting framework and financial statement areas that may be more susceptible to material misstatement, and consider the results of related team discussions to identify and assess risks that would be specific to the entity. In turn, identification and assessment of risks specific to the entity facilitates the development of audit responses tailored to effectively and efficiently address the assessed risks unique to the entity.
Why is this important? | |
---|---|
The process of identifying and assessing the risks of material misstatement represents the final outcome of our risk assessment procedures that will drive our design of further procedures. Appropriate identification and assessment of risks forms the basis for designing and implementing responses tailored to the assessed risks of material misstatement. It is important to identify the risks specific to the entity and appropriately assess the level of inherent risk of material misstatement in order to design the most effective and efficient audit strategy and plan. Identifying risks too broadly or that do not represent a risk of material misstatement in the entity’s circumstances could result in performing unnecessary work whereas failing to identify risks of material misstatement could result in not performing sufficient audit procedures. We get our risk assessment “right” by aggregating our detailed understanding of the entity, business processes and internal controls, as well as information gathered from our other risk assessment procedures, to form the basis for our identification and assessment of the risks of material misstatement specific to the entity, which allows us to focus our audit procedures on the specific risks at the assertion level which, in turn, allows us to tailor the nature and extent of our audit procedures to effectively and efficiently obtain audit evidence responsive to the risks. |
OAG Audit 5040 provides guidance on Identify and Assess elements of the OAG Risk Assessment Process:
We identify and assess the entity specific risks, through research and analysis regarding:
-
Understanding the entity and its environment, including the financial reporting framework (OAG Audit 5020)
-
Understanding and evaluation of internal control (OAG Audit 5030)
-
Other risk assessment procedures, including:
- Performing client and engagement acceptance & continuance procedures (OAG Audit 3010)
- Considering the risk of material misstatement due to fraud (OAG Audit 5504 and OAG Audit 5505)
- Identifying instances of non-compliance with laws and regulations (OAG Audit 7510)
- Evaluating the appropriateness of management’s use of going concern basis of accounting (OAG Audit 7520)
- Understanding the nature of related party transactions and balances (OAG Audit 7530)
- Auditing accounting estimates and related disclosures (OAG Audit 7070)
We use our understanding and risk assessment procedures referred to above to identify entity specific risks of material misstatement, including risks of fraud and error. As part of gathering information to support our understanding, it may be useful to consider business risks identified by the entity, as they may help us identify risks of material misstatement and might have some implications for our audit.
We then consider whether identified risks represent a risk of material misstatement to the entity’s financial statements. Risks of material misstatement need to be considered at two levels: at the financial statement level, as well as at the assertion level within a class of transactions, account balance, or a disclosure.
When identifying and assessing the risks of material misstatement at the assertion level, we identify the classes of transactions, account balances and disclosures, and the assertions that represent a risk of material misstatement. OAG Audit guidance refers to classes of transactions, account balances and disclosures as financial statement line items (FSLIs). FSLIs for which we identify a risk of material misstatement at the assertion level are referred to as ’significant FSLIs’. OAG Audit 5042 provides guidance on determining relevant assertions and significant FSLIs.
Once we have identified the risks of material misstatement at the financial statement and FSLI assertion level, we assess those risks and follow the guidance in OAG Audit 5043 that provides further details on the procedures we perform to assess the level of inherent risk associated with each identified risk of material misstatement. The following chart illustrates the overall process of FSLI scoping and assessment of inherent risk at the assertion level:
Finally, we perform an overall evaluation of all risk assessment activities performed to determine if they provide an appropriate basis for our risk assessment and further audit procedures developed to address the assessed risks. This includes evaluation of material FSLIs that were not considered significant FSLIs, i.e., where we determine that a material FSLI does not include a risk of material misstatement at the assertion level. Refer to guidance in OAG Audit 5044 for further details.
Identify risks at the financial statement level
CAS Requirement
The auditor shall identify the risks of material misstatement and determine whether they exist at the financial statement level (CAS 315.28(a)).
CAS Guidance
The risks of material misstatement may exist at two levels (CAS 200.A37):
- The overall financial statement level; and
- The assertion level for classes of transactions, account balances, and disclosures.
Identifying Risks at the Overall Financial Statement Level
Risks of material misstatement at the overall financial statement level refer to risks of material misstatement that relate pervasively to the financial statements as a whole and potentially affect many assertions (CAS 200.A38).
Why the Auditor Identifies and Assesses Risks of Material Misstatement at the Financial Statement Level
The auditor identifies risks of material misstatement at the financial statement level to determine whether the risks have a pervasive effect on the financial statements, and would therefore require an overall response in accordance with CAS 330 (CAS 315.A193).
In addition, risks of material misstatement at the financial statement level may also affect individual assertions, and identifying these risks may assist the auditor in assessing risks of material misstatement at the assertion level, and in designing further audit procedures to address the identified risks (CAS 315.A194).
Identifying and Assessing Risks of Material Misstatement at the Financial Statement Level
Risks of material misstatement at the financial statement level refer to risks that relate pervasively to the financial statements as a whole, and potentially affect many assertions. Risks of this nature are not necessarily risks identifiable with specific assertions at the class of transactions, account balance or disclosure level (e.g., risk of management override of controls). Rather, they represent circumstances that may pervasively increase the risks of material misstatement at the assertion level. The auditor’s evaluation of whether risks identified relate pervasively to the financial statements supports the auditor’s assessment of the risks of material misstatement at the financial statement level. In other cases, a number of assertions may also be identified as susceptible to the risk, and may therefore affect the auditor’s risk identification and assessment of risks of material misstatement at the assertion level (CAS 315.A195).
Example: The entity faces operating losses and liquidity issues and is reliant on funding that has not yet been secured. In such a circumstance, the auditor may determine that the going concern basis of accounting gives rise to a risk of material misstatement at the financial statement level. In this situation, the accounting framework may need to be applied using a liquidation basis, which would likely affect all assertions pervasively. |
The auditor’s identification and assessment of risks of material misstatement at the financial statement level is influenced by the auditor’s understanding of the entity’s system of internal control, in particular the auditor’s understanding of the control environment, the entity’s risk assessment process and the entity’s process to monitor the system of internal control, and (CAS 315.A196):
- The outcome of the related evaluations required by paragraphs 21(b), 22(b), 24(c) and 25(c); and
- Any control deficiencies identified in accordance with paragraph 27.
In particular, risks at the financial statement level may arise from deficiencies in the control environment or from external events or conditions such as declining economic conditions.
OAG Guidance
Risks of material misstatement need to be considered at two levels:
- the financial statement level and
- the assertion level within a class of transactions, account balance, or a disclosure for a particular financial statement line item (“FSLI”).
Because financial statement level risks relate pervasively to the entity’s financial statements as a whole and potentially affect many assertions, when assessing such potential risks we consider pervasive risks, including external factors such as an economic downturn and we also consider entity-specific factors such as poor operating results and cash flows that may impact the entity’s continued use of the going concern basis of accounting. When seeking to identify financial statement level risks, it may be useful to consider the entity’s business risks identified through our procedures performed to understand the entity and its environment (see OAG Audit 5021) as well as any fraud risks identified through our procedures performed to identify and assess the risks of material misstatement due to fraud, including evaluating any identified fraud risk factors (see OAG Audit 5504). We also consider whether our evaluation of the entity’s internal control components may indicate financial statement level risks. For example, if we determine that the control environment does not provide an appropriate foundation for the other components of internal control, or we determine that other internal control components (e.g., entity’s risk assessment process or the entity’s process to monitor the system of internal control) are not appropriate to the entity’s circumstances, this may indicate a risk of material misstatement at the financial statement level, which we would need to assess.
If we identify financial statement level risks of material misstatement, we need to consider if they affect our assessment of risks at the assertion level for FSLIs. In some cases we may determine that identified financial statement level risks affect specific FSLIs and associated assertions, and this would affect our risk assessment at the assertion level (e.g., we may determine that the risk associated with the related party transactions affects accuracy of revenue and this would be considered when assessing the inherent risk for the revenue FSLI, and when developing appropriate responses to the assessed risk).
Examples of financial statement level risks due to fraud or error include, but are not limited to, the following:
-
Risk of management override of controls.
-
Concerns regarding the integrity or conduct of the entity’s directors, senior management or managers.
-
Significant unusual transactions outside of the normal course of business.
-
Unusually aggressive or creative accounting policies or practices.
-
Lack of segregation between personal and business transactions.
-
Fraud risk due to a lack of segregation of duties.
-
Doubt regarding the entity’s ability to continue as a going concern.
-
Related party transactions may not be appropriately accounted for and disclosed.
-
Instances of non-compliance with laws and regulations may exist.
-
Limited oversight of management.
-
The financial statements are significantly affected by estimates that involve significant judgments or uncertainties.
-
Accounting personnel may be ineffective or the financial reporting process dominated by non-financial management or unqualified accountants.
-
Indicators of potential management bias in making accounting estimates.
Some of the more significant overall implications for the audit that we might identify, in addition to the matters in the OAG Audit guidance, may include:
-
Deficiencies in the controls over information systems and technology or that could prevent us from relying on management information.
-
Indications of fundamental problems with the quality of management information that could undermine reliance on controls, and thus prevent us from relying on management information.
-
Indicators of material fraud risk at the financial statement level
Refer to OAG Audit 4024 for guidance on developing a testing strategy, including overall responses to the identified risks of material misstatement at the financial statement level.
Identify risks at the FSLI assertion level
CAS Requirement
The auditor shall identify the risks of material misstatement and determine whether they exist at the assertion level for classes of transactions, account balances and disclosures (CAS 315.28(b)).
CAS Guidance
The identification of risks of material misstatement is performed before consideration of any related controls (i.e., the inherent risk), and is based on the auditor’s preliminary consideration of misstatements that have a reasonable possibility of both occurring, and being material if they were to occur (CAS 315.A186).
Identifying the risks of material misstatement also provides the basis for the auditor’s determination of relevant assertions, which assists the auditor’s determination of the significant classes of transactions, account balances and disclosures (CAS 315.A187).
Risks of material misstatements that do not relate pervasively to the financial statements are risks of material misstatement at the assertion level (CAS 315.A201).
Risks of material misstatement at the assertion level are assessed in order to determine the nature, timing and extent of further audit procedures necessary to obtain sufficient appropriate audit evidence. This evidence enables the auditor to express an opinion on the financial statements at an acceptably low level of audit risk. Auditors use various approaches to accomplish the objective of assessing the risks of material misstatement. For example, the auditor may make use of a model that expresses the general relationship of the components of audit risk in mathematical terms to arrive at an acceptable level of detection risk. Some auditors find such a model to be useful when planning audit procedures (CAS 200.A39).
OAG Guidance
We identify risks of material misstatement at the assertion level that have a reasonable possibility of occurring and being material to the financial statements as a whole. The classes of transactions, account balances and disclosures (i.e., FSLIs) that represent risks of material misstatement are considered significant (referred to in OAG Audit as a “significant FSLI”).
We identify significant FSLIs and relevant assertions by considering quantitative and qualitative factors and the likelihood that the potential misstatements could cause the financial statements to be materially misstated. For detailed guidance on identifying significant FSLIs and relevant assertions, refer to OAG Audit 5042.
An effective way to identify sources of potential misstatements is to consider “what could go wrong” in the entity’s business processes related to a given FSLI. This determination depends on the specific engagement circumstances and may change based on our updated understanding of the entity, our evaluation of quantitative and qualitative risk factors, or other changes.
We identify which of these potential misstatements could result in a material misstatement to the financial statements, either individually or in combination with others. Identifying the potential misstatements allows us to focus our audit procedures on the specific risks at the assertion level which, in turn, allows us to tailor the nature and extent of our audit procedures to obtain the audit evidence sufficient to reduce the risk to an acceptably low level.
We consider whether potential misstatements, individually or in combination with others, present at least a reasonable possibility of material misstatement to the financial statements. This is important because there could be multiple risks that together present a reasonable possibility of material misstatement. Further guidance on identifying risks of material misstatement at the FSLI assertion level and what constitutes a reasonable possibility of material misstatement is provided in OAG Audit 5042
Guidance specific to Legislative Auditors
OAG Guidance
It is the Office’s view that we should be including “compliance with authorities” work in all annual audit work, regardless of whether or not our auditor’s report includes a separate opinion on compliance with authorities. In developing the audit plan, an assessment should be made of the risk of significant non-compliance with the identified governing authorities. Risk assessment procedures for compliance with authorities are integrated with the risk assessment procedures of material misstatements in the financial statements. For further guidance, see OAG Audit 11012 Identify and assess risks of non-compliance with authorities.
Parliamentarians expect the Office to have a comprehensive knowledge of the operations of any entity we audit—an expectation that can extend beyond the knowledge level necessary to complete a traditional annual audit. The Financial Administration Act, the Auditor General Act and professional auditing standards collectively permit the Auditor General to bring to the attention of Parliament any “other matter” he believes parliamentarians should be made aware of. During the planning phase of the annual audit, the auditor should identify issues that may have the potential to be of significance and/or of a nature that they should be brought to the attention of Parliament. Such matters have not been defined in legislation; they are left to the judgment of the auditor(s). For further guidance, see OAG Audit 11020
In addition, based on risk assessment of the entity, the Office may perform audit work on senior executive and board compensation, and travel, hospitality, conferences and events. Audit teams may assess the risk of abuse by board members and senior executives that could result in personal benefit and that could indicate lapses in values or ethics, weak governance, and/or inadequate oversight and control. For further guidance, see OAG Audit 11031.