5043.1 Risk assessment framework
Sep-2022

Risk assessment framework

CAS Requirement

To obtain reasonable assurance, the auditor shall obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level and thereby enable the auditor to draw reasonable conclusions on which to base the auditor’s opinion (CAS 200.17).

The auditor shall design and perform risk assessment procedures to obtain audit evidence that provides an appropriate basis for (CAS 315.13):

(a) The identification and assessment of risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels; and

(b) The design of further audit procedures in accordance with CAS 330.

The auditor shall design and perform risk assessment procedures in a manner that is not biased towards obtaining audit evidence that may be corroborative or towards excluding audit evidence that may be contradictory.

The risk assessment procedures shall include the following (CAS 315.14):

(a) Inquiries of management and of other appropriate individuals within the entity, including individuals within the internal audit function (if the function exists).

(b) Analytical procedures.

(c) Observation and inspection.

In obtaining audit evidence in accordance with paragraph 13, the auditor shall consider information from (CAS 315.15):

(a) The auditor’s procedures regarding acceptance or continuance of the client relationship or the audit engagement; and

(b) When applicable, other engagements performed by the engagement partner for the entity.

When the auditor intends to use information obtained from the auditor’s previous experience with the entity and from audit procedures performed in previous audits, the auditor shall evaluate whether such information remains relevant and reliable as audit evidence for the current audit (CAS 315.16).

CAS Guidance

For the purposes of the CASs, a risk of material misstatement exists when there is a reasonable possibility of (CAS 200.A16):

(a) A misstatement occurring (i.e., its likelihood); and

(b) Being material if it were to occur (i.e., its magnitude).

Audit risk is a function of the risks of material misstatement and detection risk. The assessment of risks is based on audit procedures to obtain information necessary for that purpose and evidence obtained throughout the audit. The assessment of risks is a matter of professional judgment, rather than a matter capable of precise measurement (CAS 200.A35).

For purposes of the CASs, audit risk does not include the risk that the auditor might express an opinion that the financial statements are materially misstated when they are not. This risk is ordinarily insignificant. Further, audit risk is a technical term related to the process of auditing; it does not refer to the auditor’s business risks such as loss from litigation, adverse publicity, or other events arising in connection with the audit of financial statements (CAS 200.A36).

The risks of material misstatement at the assertion level consist of two components: inherent risk and control risk. Inherent risk and control risk are the entity’s risks; they exist independently of the audit of the financial statements (CAS 200.A40).

Inherent risk is influenced by inherent risk factors. Depending on the degree to which the inherent risk factors affect the susceptibility to misstatement of an assertion, the level of inherent risk varies on a scale that is referred to as the spectrum of inherent risk. The auditor determines significant classes of transactions, account balances and disclosures, and their relevant assertions, as part of the process of identifying and assessing the risks of material misstatement. For example, account balances consisting of amounts derived from accounting estimates that are subject to significant estimation uncertainty may be identified as significant account balances, and the auditor’s assessment of inherent risk for the related risks at the assertion level may be higher because of the high estimation uncertainty (CAS 200.A41).

External circumstances giving rise to business risks may also influence inherent risk. For example, technological developments might make a particular product obsolete, thereby causing inventory to be more susceptible to overstatement. Factors in the entity and its environment that relate to several or all of the classes of transactions, account balances, or disclosures may also influence the inherent risk related to a specific assertion. Such factors may include, for example, a lack of sufficient working capital to continue operations or a declining industry characterized by a large number of business failures (CAS 200.A42).

Control risk is a function of the effectiveness of the design, implementation and maintenance of controls by management to address identified risks that threaten the achievement of the entity’s objectives relevant to preparation of the entity’s financial statements. However, internal control, no matter how well designed and operated, can only reduce, but not eliminate, risks of material misstatement in the financial statements, because of the inherent limitations of controls. These include, for example, the possibility of human errors or mistakes, or of controls being circumvented by collusion or inappropriate management override. Accordingly, some control risk will always exist. The CASs provide the conditions under which the auditor is required to, or may choose to, test the operating effectiveness of controls in determining the nature, timing and extent of substantive procedures to be performed (CAS 200.A43).

The assessment of the risks of material misstatement may be expressed in quantitative terms, such as in percentages, or in non-quantitative terms. In any case, the need for the auditor to make appropriate risk assessments is more important than the different approaches by which they may be made. The CASs typically refer to the "risks of material misstatement" rather than to inherent risk and control risk separately. However, CAS 315 requires inherent risk to be assessed separately from control risk to provide a basis for designing and performing further audit procedures to respond to the assessed risks of material misstatement at the assertion level in accordance with CAS 330 (CAS 200.A44).

CAS 315 establishes requirements and provides guidance on identifying and assessing the risks of material misstatement at the financial statement and assertion levels (CAS 200.A45).

Risks of material misstatement are assessed at the assertion level in order to determine the nature, timing and extent of further audit procedures necessary to obtain sufficient appropriate audit evidence (CAS 200.A46).

Detection Risk

For a given level of audit risk, the acceptable level of detection risk bears an inverse relationship to the assessed risks of material misstatement at the assertion level. For example, the greater the risks of material misstatement the auditor believes exists, the less the detection risk that can be accepted and, accordingly, the more persuasive the audit evidence required by the auditor (CAS 200.A47).

Detection risk relates to the nature, timing and extent of the auditor’s procedures that are determined by the auditor to reduce audit risk to an acceptably low level. It is therefore a function of the effectiveness of an audit procedure and of its application by the auditor. Matters such as (CAS 200.A48):

  • adequate planning;

  • proper assignment of personnel to the engagement team;

  • the application of professional skepticism; and

  • supervision and review of the audit work performed,

assist to enhance the effectiveness of an audit procedure and of its application and reduce the possibility that an auditor might select an inappropriate audit procedure, misapply an appropriate audit procedure, or misinterpret the audit results.

CAS 300 and CAS 330 establish requirements and provide guidance on planning an audit of financial statements and the auditor’s responses to assessed risks. Detection risk, however, can only be reduced, not eliminated, because of the inherent limitations of an audit. Accordingly, some detection risk will always exist (CAS 200.A49).

Key Concepts

CAS 200 deals with the overall objectives of the auditor in conducting an audit of the financial statements, including to obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level. Audit risk is a function of the risks of material misstatement and detection risk. CAS 200 explains that the risks of material misstatement may exist at two levels: the overall financial statement level; and the assertion level for classes of transactions, account balances and disclosures (CAS 315.2).

CAS 200 requires the auditor to exercise professional judgment in planning and performing an audit, and to plan and perform an audit with professional skepticism recognizing that circumstances may exist that cause the financial statements to be materially misstated (CAS 315.3).

Risks at the financial statement level relate pervasively to the financial statements as a whole and potentially affect many assertions. Risks of material misstatement at the assertion level consist of two components, inherent and control risk (CAS 315.4):

  • Inherent risk is described as the susceptibility of an assertion about a class of transaction, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.

  • Control risk is described as the risk that a misstatement that could occur in an assertion about a class of transactions, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s controls.

CAS 200 explains that risks of material misstatement are assessed at the assertion level in order to determine the nature, timing and extent of further audit procedures necessary to obtain sufficient appropriate audit evidence. For the identified risks of material misstatement at the assertion level, a separate assessment of inherent risk and control risk is required by this CAS. The degree to which inherent risk varies is referred to in this CAS as the ‘spectrum of inherent risk’ (CAS 315.5).

Risks of material misstatement identified and assessed by the auditor include both those due to error and those due to fraud. Although both are addressed by this CAS, the significance of fraud is such that further requirements and guidance are included in CAS 240 in relation to risk assessment procedures and related activities to obtain information that is used to identify, assess and respond to the risks of material misstatement due to fraud (CAS 315.6).

OAG Guidance

Refer to OAG Audit 5011 for detailed guidance on the OAG Risk Assessment Process illustrated in the chart below. The OAG Risk Assessment Process is aligned with the requirements of CAS 315 and promotes consistency of execution, documentation and effective review:

Once we identify risks of material misstatement at the financial statement and assertion levels following the guidance in OAG Audit 5042, we assess these risks and based on that assessment develop an audit plan that is tailored to address them.

Audit risk is a function of the risks of material misstatement and detection risk. Detection risk is the risk that our audit procedures will not identify the material misstatements. We need to reduce detection risk to an appropriately low level by planning and performing audit procedures, the nature, timing and extent of which are responsive to the identified risks of material misstatement. The acceptable level of detection risk has an inverse relationship to the assessed risks of material misstatement at the assertion level. In other words, the higher the assessed risk of material misstatement, the less the detection risk that we would find acceptable and, accordingly, the more persuasive audit evidence we would need to obtain.

Risk of material misstatement at the assertion level consists of two components, inherent risk and control risk:

Inherent risk represents the susceptibility of an account balance or class of transactions or disclosure to misstatement, before consideration of any related controls. Control risk is the risk that a material misstatement could occur, be material individually or when aggregated with other misstatements, and not be prevented or detected and corrected, on a timely basis, by the entity’s internal controls.

The OAG Risk Assessment Process includes a separate assessment of inherent risk and control risk. We assess the level of inherent risk on the spectrum of risk (i.e., normal, elevated or significant). As part of determining the level of inherent risk, we assess the likelihood and magnitude of the potential misstatements, which includes an assessment of the degree to which the inherent risk factors affect the susceptibility of a financial statement assertion to misstatement.

If we wish to reduce control risk considered within our assessment of the risk of material misstatement, we test the operating effectiveness of controls addressing the related assertions. For further guidance on assessing control risk, refer to OAG Audit 5043.3.

Document risks in the audit file

CAS Requirement

The auditor shall include in the audit documentation the identified and assessed risks of material misstatement at the financial statement level and at the assertion level, including significant risks and risks for which substantive procedures alone cannot provide sufficient appropriate audit evidence, and the rationale for the significant judgments made (CAS 315.38(d)).

OAG Policy

All risks of material misstatement at the financial statement level and at the assertion level, including significant risks and risks for which substantive procedures alone cannot provide sufficient appropriate audit evidence, and the rationale for the significant judgments made shall be documented in the audit working paper software. [Sept-2022]

OAG Guidance

All risks of material misstatement, whether at the overall financial statement level or at the assertion level, and whether due to fraud or error, are documented in the audit working paper software.

The following risks are automatically created in the APT as required by CASs:

  • Revenues, as it relates to fraud, unless presumption is not applicable (CAS 240.27)—See OAG Audit 5505 for further guidance.

  • Management override of controls (CAS 240.32)—See OAG Audit 5508 for further guidance.

  • Significant related party transactions outside the normal course of business (CAS 550.18)—See OAG Audit 7532 for further guidance.

For each of the risks listed above, the inherent risk assessment is automatically determined as significant. These assessments cannot be changed, with one exception: when the engagement team is able to overcome the presumption that there are risks of fraud in revenue recognition, they can change the risk assessment and document their rationale.

The engagement team documents risks at the financial statement level (OAG Audit 5043) and at the assertion level (OAG Audit 5044). For risks at the assertion level, the team identifies all the related FSLIs affected by that risk. FSLIs can be associated with more than one risk. For each risk at the financial statement level and for each related FSLI, the team determines whether the risk is normal, elevated or significant for every assertion.