5043.1 Risk assessment framework

Sep-2022

CAS Guidance

For the purposes of the CASs, a risk of material misstatement exists when there is a reasonable possibility of (CAS 200.A16):

(a) A misstatement occurring (i.e., its likelihood); and

(b) Being material if it were to occur (i.e., its magnitude).

Audit risk is a function of the risks of material misstatement and detection risk. The assessment of risks is based on audit procedures to obtain information necessary for that purpose and evidence obtained throughout the audit. The assessment of risks is a matter of professional judgment, rather than a matter capable of precise measurement (CAS 200.A35).

For purposes of the CASs, audit risk does not include the risk that the auditor might express an opinion that the financial statements are materially misstated when they are not. This risk is ordinarily insignificant. Further, audit risk is a technical term related to the process of auditing; it does not refer to the auditor’s business risks such as loss from litigation, adverse publicity, or other events arising in connection with the audit of financial statements (CAS 200.A36).

The risks of material misstatement at the assertion level consist of two components: inherent risk and control risk. Inherent risk and control risk are the entity’s risks; they exist independently of the audit of the financial statements (CAS 200.A40).

Inherent risk is influenced by inherent risk factors. Depending on the degree to which the inherent risk factors affect the susceptibility to misstatement of an assertion, the level of inherent risk varies on a scale that is referred to as the spectrum of inherent risk. The auditor determines significant classes of transactions, account balances and disclosures, and their relevant assertions, as part of the process of identifying and assessing the risks of material misstatement. For example, account balances consisting of amounts derived from accounting estimates that are subject to significant estimation uncertainty may be identified as significant account balances, and the auditor’s assessment of inherent risk for the related risks at the assertion level may be higher because of the high estimation uncertainty. (CAS 200.A41).

External circumstances giving rise to business risks may also influence inherent risk. For example, technological developments might make a particular product obsolete, thereby causing inventory to be more susceptible to overstatement. Factors in the entity and its environment that relate to several or all of the classes of transactions, account balances, or disclosures may also influence the inherent risk related to a specific assertion. Such factors may include, for example, a lack of sufficient working capital to continue operations or a declining industry characterized by a large number of business failures (CAS 200.A42).

Control risk is a function of the effectiveness of the design, implementation and maintenance of controls by management to address identified risks that threaten the achievement of the entity’s objectives relevant to preparation of the entity’s financial statements. However, internal control, no matter how well designed and operated, can only reduce, but not eliminate, risks of material misstatement in the financial statements, because of the inherent limitations of controls. These include, for example, the possibility of human errors or mistakes, or of controls being circumvented by collusion or inappropriate management override. Accordingly, some control risk will always exist. The CASs provide the conditions under which the auditor is required to, or may choose to, test the operating effectiveness of controls in determining the nature, timing and extent of substantive procedures to be performed (CAS 200.A43).

The assessment of the risks of material misstatement may be expressed in quantitative terms, such as in percentages, or in non quantitative terms. In any case, the need for the auditor to make appropriate risk assessments is more important than the different approaches by which they may be made. The CASs typically refer to the "risks of material misstatement" rather than to inherent risk and control risk separately. However, CAS 315 requires an inherent risk to be assessed separately from control risk to provide a basis for designing and performing further audit procedures to respond to the assessed risks of material misstatement at the assertion level in accordance with CAS 330. (CAS 200.A44).

CAS 315 establishes requirements and provides guidance on identifying and assessing the risks of material misstatement at the financial statement and assertion levels (CAS 200.A45).

Risks of material misstatement are assessed at the assertion level in order to determine the nature, timing and extent of further audit procedures necessary to obtain sufficient appropriate audit evidence (CAS 200.A46).

Detection Risk

For a given level of audit risk, the acceptable level of detection risk bears an inverse relationship to the assessed risks of material misstatement at the assertion level. For example, the greater the risks of material misstatement the auditor believes exists, the less the detection risk that can be accepted and, accordingly, the more persuasive the audit evidence required by the auditor (CAS 200.A47).

Detection risk relates to the nature, timing and extent of the auditor’s procedures that are determined by the auditor to reduce audit risk to an acceptably low level. It is therefore a function of the effectiveness of an audit procedure and of its application by the auditor. Matters such as (CAS 200.A48):

• adequate planning;

• proper assignment of personnel to the engagement team;

• the application of professional skepticism; and

• supervision and review of the audit work performed,

• assist to enhance the effectiveness of an audit procedure and of its application and reduce the possibility that an auditor might select an inappropriate audit procedure, misapply an appropriate audit procedure, or misinterpret the audit results.

CAS 300 and CAS 330 establish requirements and provide guidance on planning an audit of financial statements and the auditor’s responses to assessed risks. Detection risk, however, can only be reduced, not eliminated, because of the inherent limitations of an audit. Accordingly, some detection risk will always exist (CAS 200.A49).

Key Concepts

CAS 200 deals with the overall objectives of the auditor in conducting an audit of the financial statements, including to obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level. Audit risk is a function of the risks of material misstatement and detection risk. CAS 200 explains that the risks of material misstatement may exist at two levels: the overall financial statement level; and the assertion level for classes of transactions, account balances and disclosures (CAS 315.2).

CAS 200 requires the auditor to exercise professional judgment in planning and performing an audit, and to plan and perform an audit with professional skepticism recognizing that circumstances may exist that cause the financial statements to be materially misstated (CAS 315.3).

Risks at the financial statement level relate pervasively to the financial statements as a whole and potentially affect many assertions. Risks of material misstatement at the assertion level consist of two components, inherent and control risk (CAS 315.4):

• Inherent risk is described as the susceptibility of an assertion about a class of transaction, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.

• Control risk is described as the risk that a misstatement that could occur in an assertion about a class of transactions, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s controls.

CAS 200 explains that risks of material misstatement are assessed at the assertion level in order to determine the nature, timing and extent of further audit procedures necessary to obtain sufficient appropriate audit evidence. For the identified risks of material misstatement at the assertion level, a separate assessment of inherent risk and control risk is required by this CAS. The degree to which inherent risk varies is referred to in this CAS as the ’spectrum of inherent risk.’ (CAS 315.5)

Risks of material misstatement identified and assessed by the auditor include both those due to error and those due to fraud. Although both are addressed by this CAS, the significance of fraud is such that further requirements and guidance are included in CAS 240 in relation to risk assessment procedures and related activities to obtain information that is used to identify, assess and respond to the risks of material misstatement due to fraud (CAS 315.6).