Annual Audit Manual
COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
5043.3 Assess risks at the FSLI assertion level
Sep-2022
In This Section
Evaluate inherent risk factors
Determine the level of inherent risk
Risks where substantive procedures alone cannot provide sufficient evidence
CAS Requirement
For identified risks of material misstatement at the assertion level, the auditor shall assess inherent risk by assessing the likelihood and magnitude of misstatement. In doing so, the auditor shall take into account how, and the degree to which (CAS 315.31):
- Inherent risk factors affect the susceptibility of relevant assertions to misstatement; and
- The risks of material misstatement at the financial statement level affect the assessment of inherent risk for risks of material misstatement at the assertion level.
CAS Guidance
This appendix provides further explanation about the inherent risk factors, as well as matters that the auditor may consider in understanding and applying the inherent risk factors in identifying and assessing the risks of material misstatement at the assertion level (CAS 315.Appendix 2).
The Inherent Risk Factors
Inherent risk factors are characteristics of events or conditions that affect susceptibility of an assertion about a class of transactions, account balance or disclosure, to misstatement, whether due to fraud or error, and before consideration of controls. Such factors may be qualitative or quantitative, and include complexity, subjectivity, change, uncertainty or susceptibility to misstatement due to management bias or other fraud risk factors insofar as they affect inherent risk. In obtaining the understanding of the entity and its environment, and the applicable financial reporting framework and the entity’s accounting policies, in accordance with paragraphs 19(a)-(b), the auditor also understands how inherent risk factors affect susceptibility of assertions to misstatement in the preparation of the financial statements (CAS 315.Appendix 2.1).
Inherent risk factors relating to the preparation of information required by the applicable financial reporting framework (referred to in this paragraph as “required information”) include (CAS 315.Appendix 2.2):
- Complexity—arises either from the nature of the information or in the way that the required information is prepared, including when such preparation processes are more inherently difficult to apply. For example, complexity may arise:
- In calculating supplier rebate provisions because it may be necessary to take into account different commercial terms with many different suppliers, or many interrelated commercial terms that are all relevant in calculating the rebates due; or
- When there are many potential data sources, with different characteristics used in making an accounting estimate, the processing of that data involves many interrelated steps, and the data is therefore inherently more difficult to identify, capture, access, understand or process.
- Subjectivity—arises from inherent limitations in the ability to prepare required information in an objective manner, due to limitations in the availability of knowledge or information, such that management may need to make an election or subjective judgment about the appropriate approach to take and about the resulting information to include in the financial statements. Because of different approaches to preparing the required information, different outcomes could result from appropriately applying the requirements of the applicable financial reporting framework. As limitations in knowledge or data increase, the subjectivity in the judgments that could be made by reasonably knowledgeable and independent individuals, and the diversity in possible outcomes of those judgments, will also increase.
- Change—results from events or conditions that, over time, affect the entity’s business or the economic, accounting, regulatory, industry or other aspects of the environment in which it operates, when the effects of those events or conditions are reflected in the required information. Such events or conditions may occur during, or between, financial reporting periods. For example, change may result from developments in the requirements of the applicable financial reporting framework, or in the entity and its business model, or in the environment in which the entity operates. Such change may affect management’s assumptions and judgments, including as they relate to management’s selection of accounting policies or how accounting estimates are made or related disclosures are determined.
- Uncertainty—arises when the required information cannot be prepared based only on sufficiently precise and comprehensive data that is verifiable through direct observation. In these circumstances, an approach may need to be taken that applies the available knowledge to prepare the information using sufficiently precise and comprehensive observable data, to the extent available, and reasonable assumptions supported by the most appropriate available data, when it is not. Constraints on the availability of knowledge or data, which are not within the control of management (subject to cost constraints where applicable) are sources of uncertainty and their effect on the preparation of the required information cannot be eliminated. For example, estimation uncertainty arises when the required monetary amount cannot be determined with precision and the outcome of the estimate is not known before the date the financial statements are finalized.
- Susceptibility to misstatement due to management bias or other fraud risk factors insofar as they affect inherent risk—susceptibility to management bias results from conditions that create susceptibility to intentional or unintentional failure by management to maintain neutrality in preparing the information. Management bias is often associated with certain conditions that have the potential to give rise to management not maintaining neutrality in exercising judgment (indicators of potential management bias), which could lead to a material misstatement of the information that would be fraudulent if intentional. Such indicators include incentives or pressures insofar as they affect inherent risk (for example, as a result of motivation to achieve a desired result, such as a desired profit target or capital ratio), and opportunity, not to maintain neutrality. Factors relevant to the susceptibility to misstatement due to fraud in the form of fraudulent financial reporting or misappropriation of assets are described in paragraphs A1 to A5 of CAS 240.
When complexity is an inherent risk factor, there may be an inherent need for more complex processes in preparing the information, and such processes may be inherently more difficult to apply. As a result, applying them may require specialized skills or knowledge, and may require the use of a management’s expert (CAS 315.Appendix 2.3).
When management judgment is more subjective, the susceptibility to misstatement due to management bias, whether unintentional or intentional, may also increase. For example, significant management judgment may be involved in making accounting estimates that have been identified as having high estimation uncertainty, and conclusions regarding methods, data and assumptions may reflect unintentional or intentional management bias (CAS 315.Appendix 2.4).
Examples of Events or Conditions that May Give Rise to the Existence of Risks of Material Misstatement
The following are examples of events (including transactions) and conditions that may indicate the existence of risks of material misstatement in the financial statements, at the financial statement level or the assertion level. The examples provided by inherent risk factor cover a broad range of events and conditions; however, not all events and conditions are relevant to every audit engagement and the list of examples is not necessarily complete. The events and conditions have been categorized by the inherent risk factor that may have the greatest effect in the circumstances. Importantly, due to the interrelationships among inherent risk factors, the example events and conditions also are likely to be subject to, or affected by, other inherent risk factors to varying degrees (CAS 315.Appendix 2.5).
Relevant Inherent Risk Factor: | Examples of Events or Conditions That May Indicate the Existence of Risks of Material Misstatement at the Assertion Level: |
---|---|
Complexity |
Regulatory:
Business model:
Applicable financial reporting framework:
Transactions:
|
Subjectivity |
Applicable financial reporting framework:
|
Change |
Economic conditions:
Markets:
Customer loss:
Industry model:
Business model:
Geography:
Entity structure:
Human resources competence:
IT:
Applicable financial reporting framework:
Capital:
Regulatory:
|
Uncertainty |
Reporting:
|
Susceptibility to misstatement due to management bias or other fraud risk factors insofar as they affect inherent risk |
Reporting:
Transactions:
|
Other events or conditions that may indicate risks of material misstatement at the financial statement level:
- Lack of personnel with appropriate accounting and financial reporting skills.
- Control deficiencies – particularly in the control environment, risk assessment process and process for monitoring, and especially those not addressed by management.
- Past misstatements, history of errors or a significant amount of adjustments at period end.
OAG Guidance
When assessing risks of material misstatement, CAS 315.31 requires us to take into account the degree to which inherent risk factors affect the susceptibility of relevant assertions to misstatement.
Put simply, inherent risk factors are the characteristics of certain events and conditions relevant to the entity we are auditing that can affect the susceptibility of an assertion to misstatement due to fraud or error. We utilize the information we gathered during the Understand phase of the OAG Risk Assessment Process to assess the degree to which the inherent risk factors impact the susceptibility of relevant assertions to misstatement whether due to error or fraud. The degree to which relevant assertions are affected by the inherent risk factors, individually and in combination, forms the basis for our assessment of the level of inherent risk.
When assessing whether there is a risk of material misstatement at the assertion level for an FSLI, we evaluate the likelihood of a misstatement occurring and the magnitude of the potential misstatement if it were to occur. Inherent risk factors will typically be the primary considerations for our evaluation of the likelihood of a misstatement occurring. Inherent risk factors can also be important to our evaluation of the potential magnitude of a misstatement, if it were to occur, but size of the FSLI and qualitative factors are also important considerations. The following graphic illustrates the typical role of inherent risk factors in assessing likelihood and magnitude of risks of potential misstatements.
The level of inherent risk on the spectrum of risk (i.e., normal, elevated or significant) is affected by the extent to which the significant FSLI is affected by the inherent risk factors. Where inherent risk factors are assessed as having a higher degree of impact on a significant FSLI, the likelihood of a misstatement is greater, and this indicates a higher level of inherent risk.
Assessment of inherent risk factors will inform our conclusion regarding the level of an inherent risk. For example, if we have identified susceptibility to management bias related to an estimated termination benefit accrual, there may be a risk of material misstatement either at the assertion or financial statement level. If we determine that this heightened risk of possible management bias represents a risk of material misstatement due to fraud (either at the assertion or financial statement level), we would assess it as a significant risk in accordance with CAS 240.28.
When assessing the magnitude of a potential misstatement, we consider quantitative materiality and relevant qualitative factors. However, the size of the related account balance relative to materiality is not the only relevant consideration in determining the magnitude of a potential misstatement. For example, a recognized provision for litigation may itself be immaterial, but could be materially understated.
We document our evaluation of the inherent risk factors for significant FSLIs in the audit working paper software. We are not required to provide separate explanatory documentation of our rationale for assessing inherent risk factors as low. However, we do document the rationale for assessing inherent risk factors as moderate or high. This documentation supports our risk assessment conclusions and describes our rationale for judgments made when assessing the risk. When we document the reasons for our assessment of the inherent risk factors, we document the specific events and conditions that led to a higher assessment of the specific inherent risk factors and relevant considerations that were evaluated as part of our risk assessment procedures. Our documentation needs to be sufficient to enable an experienced auditor to understand the results of our procedures, conclusions reached and related professional judgments made in reaching those conclusions.
Refer to the CAS Guidance section above for examples of events and conditions that may indicate the existence of risks of material misstatement at the assertion level. Further OAG Audit guidance and examples that may be considered in addition to the CAS guidance are provided below:
Inherent Risk Factor | Comments | Examples |
---|---|---|
Complexity |
Complexity may increase the inherent risk because management’s reliance on a complex process increases the likelihood that the underlying information used to determine the account balance will be misidentified, misunderstood or misapplied. Therefore, in such cases the FSLI may be more likely to be misstated. Where we identify that the FSLI is subject to significant complexity, we consider whether it is necessary for us to engage a specialist in accounting or auditing or an auditor’s expert to assist with identifying and/or responding to the assessed risks of material misstatement. Consider whether management’s use of its own expert indicates complexity and may therefore be a factor to consider when deciding, at the planning stage, whether the engagement team requires specialized skills or knowledge. |
The accuracy assertion of a revenue transaction that involves a stated number of items at a set price is less likely to be misstated than the same assertion for gain on the sale of a loan that requires present value calculations of variable cash flow streams. Entities may use complex modelling and engage a management’s expert to determine the value in use estimate of property, plant and equipment. The use of complex modelling and use of a management’s expert would indicate higher complexity and may require involvement of an internal expert. |
Subjectivity |
Subjectivity may increase the inherent risk because it increases the likelihood of potential misstatements caused by inappropriate selection of the approach and judgments made by the entity. Where the applicable financial reporting framework allows the use of a range of measurement criteria or techniques, management will need to exercise judgment in selecting those criteria or techniques to determine and recognize the account balance and the related disclosures in the financial statements. This gives rise to subjectivity because the exercise of judgment is likely to be based on management’s experiences, preferences and opinions. This may, in turn, give rise to opportunities for management to introduce bias. If the applicable financial reporting framework prescribes specific approaches or techniques to be used this may reduce the degree of subjectivity. It is therefore important for us to understand the requirements of the financial reporting framework when assessing the risk of material misstatement. |
The entity uses a discounted cash flow model as part of their evaluation of recoverable amount of property, plant and equipment, which includes a number of significant assumptions (e.g., discount rate, revenue growth). Some of the significant assumptions are subject to a high degree of subjectivity and therefore may indicate a higher inherent risk for valuation of property, plant and equipment. The applicable financial reporting framework may include specific depreciation rates that need to be used for each specific type of fixed assets, which reduces the degree of subjectivity and may indicate a lower inherent risk for valuation of property, plant and equipment. |
Change | Significant changes affecting the entity’s environment or specific FSLIs recognized in the financial statements may increase the likelihood of potential misstatements, as the change may affect management’s assumptions and judgments, selection of accounting policies or processes to determine the underlying FSLI amounts or make appropriate disclosures in the financial statements. |
Technological developments, changes in processes, or regulatory actions might make a particular product obsolete, thereby increasing the inherent risk related to the valuation assertion of inventory. Operations in countries with significant currency devaluation or highly inflationary economies may increase the inherent risk related to accuracy of reported revenues and cost of sales. Loss of significant customers may increase the risk related to business viability and indicate a higher inherent going concern risk. |
Uncertainty | Uncertainty stems from lack of precise and comprehensive observable data, which means that financial information may not be directly based on verifiable data and needs to include assumptions, which may increase the likelihood of potential misstatements. |
The valuation assertion related to office furniture with a 3 year useful estimated life is less likely to be materially misstated than the valuation assertion for inventory that may become obsolete due to changes in technology. Similarly, investments that rely significantly on assumptions or models that cannot be correlated to established market information are more likely to be materially misstated than investments that trade frequently in established markets. |
Susceptibility to bias or other fraud risk factors, insofar as they affect inherent risk |
Susceptibility to bias increases the inherent risk, as it increases the likelihood of potential misstatements caused by management not maintaining neutrality in exercising judgment. Certain FSLIs may be more susceptible to bias than others, either because of their inherent subjectivity or because of other fraud risk factors identified in our risk assessment (see OAG Audit 5502. We consider whether this bias may be conscious or unconscious. Conscious bias might indicate an intention to mislead, which is fraudulent in nature and would need to be taken into account in our fraud risk assessment under CAS 240. Where we identify a risk of material misstatement due to fraud, CAS 240 requires that it be assessed as a significant risk. |
The occurrence assertion related to revenue is more likely to be materially misstated as a result of recording fictitious transactions than the occurrence assertion for raw materials. The existence assertion related to an office building is less likely to be materially misstated because of theft than the existence of inventory items that are small and easily transportable, such as microprocessors. The valuation assertion for property, plant and equipment that is based on management’s estimate of the recoverable amount of property, plant and equipment which comprises a number of significant assumptions that are susceptible to management bias, is more likely to be materially misstated than valuation of inventory that for which the rate of turnover is high. |
Interrelationships between inherent risk factors
When assessing risks of material misstatement for an FSLI, typically events or conditions at the entity will give rise to relevance of more than one inherent risk factor to our inherent risk assessment. Where the FSLI is significantly affected by a combination of inherent risk factors (e.g., where we identify a higher degree of complexity and subjectivity), the assessed level of inherent risk is likely to be higher. Consider how inherent risk factors interact with each other when assessing inherent risks.
The relationships between the inherent risk factors will likely vary from engagement to engagement and may in practice be difficult to define. However, the following are examples of relationships that are likely to exist between inherent risk factors:
- Uncertainty gives rise to subjectivity because of the inherent limitations in availability of knowledge or data associated with an FSLI. Consequently, as the degree to which an FSLI is subject to uncertainty increases, potentially so does the level of judgment and therefore subjectivity;
- Uncertainty may also increase where measurement techniques are subject to higher subjectivity, because this results in a wider range of possible outcomes and therefore inherently less ability to precisely estimate the outcome.
- The degree of subjectivity influences the susceptibility to management bias, such that where subjectivity is higher, the susceptibility to misstatement due to bias, whether unintentional or intentional, may also increase. Where bias is associated with an intention to mislead, it is fraudulent in nature.
- Where uncertainty, complexity, or change, are higher, the risk of, and opportunity for, management bias or fraud may be increased. Conversely, since management bias can, at least in principle, be eliminated from the process, it is a source of potential misstatement not uncertainty. As such, an FSLI could be affected by a high degree of inherent susceptibility to management bias, while still being subject to only a low degree of uncertainty.
- Where an entity has experienced a high level of change as a result of developments in the entity or its environment, or in the requirements of the applicable financial reporting framework, it is likely that uncertainty, subjectivity or complexity may have also increased.
We exercise professional judgement when identifying these, and other, inter-relationships that might exist between inherent risk factors, and consider their impact, on an individual and combined basis, on the assessment of inherent risk. We consider whether any of our assessed levels of susceptibility to misstatement due to inherent risk factors are incompatible based on engagement-specific circumstances. For example, the following combinations are potentially incompatible and would therefore warrant careful consideration of the rationale for our assessment. We document this rationale. The following examples of potentially incompatible inherent risk factor assessments are not intended to be an exhaustive list.
Examples
The table below illustrates evaluation of the inherent risk factors performed for different FSLIs. The assessments of inherent risk illustrated below will differ based on engagement-specific facts and circumstances and the illustrations are not intended to represent the audit documentation that would need to be prepared.
Background
The entity is a consumer goods manufacturer and has three production plants and a distribution center largely serving a local regional market. The financial statements are prepared in accordance with IFRS. The entity’s business has remained stable and profitable over the past several years. However, there were recent technological developments in the industry and new distinctive competing products were released to the market by other entities that have the potential to render the entity’s products less attractive to consumers and eventually obsolete over a period of three years. In the short term, management expects to retain market share by offering a lower price than required for the new competing products while also continuing development of its own products using the latest technology. No other significant changes in the entity’s business or operating environment were identified as part of obtaining an understanding of the entity and its environment.
The entity records property, plant and equipment at cost and uses a straight-line depreciation basis. The entity uses standard costing and calculates a provision to value finished goods inventory at lower of cost or net realizable value.
No indicators of management bias or other fraud risk factors were identified as part of the initial risk assessment procedures, including risk assessment analytics. The PP&E balance as of the end of the reporting period is $150 million; the finished goods balance is $40 million. Performance materiality is $10 million. Each of these FSLIs were determined to be significant FSLIs with the following relevant assertions – Completeness, Accuracy, Existence/Occurrence, Valuation, Rights & Obligations, Presentation & Disclosure.
Evaluation of Inherent Risk Factors
We determined that the factors of change and uncertainty will be assessed as Moderate for the property, plant and equipment FSLI as a result of the recent technological developments that might result in potential impairment of the PP&E and/or early replacement as new products begin to be produced but not in the short term as positive cash flows from product sales are expected to continue. All other inherent risk factors are assessed as Low. We assess inherent risk as Normal for all relevant assertions, and we document this as an assumed RoMM for the PP&E FSLI, as summarized in the table below.
We determined that the complexity associated with the finished goods FSLI is Low based on our understanding of the production and inventory business process and costing system used. We determined that the factors of change and uncertainty have a Moderate impact on the risk of misstatement of valuation of the finished goods as a result of the recent developments and new competing products released to the market. We also determined that the impact of subjectivity on the risk of misstatement related to the valuation of finished goods, including the entity’s measurement of net realizable value is Moderate, because of the judgments involved and a wide range of significant assumptions used. The inherent risk for the Valuation assertion was assessed Elevated, based on the evaluation of the inherent risk factors and magnitude of potential misstatement. We document a specific elevated risk for the valuation assertion for finished goods and document our risk assessment, including our assessment of the level of impact of the inherent risk factors, as summarized below. We assess the inherent risk for all other relevant assertions as Normal and document this as an assumed RoMM for the finished goods FSLI.
For further guidance as to how we document our risk assessment, refer to OAG Audit 5011.
Inherent Risk Factor | PP&E—Assumed RoMM | Finished Goods—Assumed RoMM | Finished Goods—Valuation |
---|---|---|---|
Complexity | Low | Low | Low |
Subjectivity | Low | Low | Moderate |
Change | Moderate | Low | Moderate |
Uncertainty | Moderate | Low | Moderate |
Susceptibility to bias or other fraud risk factors, insofar as they affect inherent risk | Low | Low | Low |
Assessed Level of Inherent Risk for relevant assertions | Normal | Normal | Elevated – Risk that the effect of competitor products reduces future demand and selling prices, impacting NRV of finished goods |
Relevant Assertions | Completeness, Accuracy, Existence/Occurrence, Valuation, Rights & Obligations, Presentation & Disclosure | Completeness, Accuracy, Existence/ Occurrence, Rights & Obligations, Presentation & Disclosure | Valuation |
CAS Requirement
The auditor shall include in the audit documentation (CAS 315.38):
- The discussion among the engagement team and the significant decisions reached;
- Key elements of the auditor’s understanding in accordance with paragraphs 19, 21, 22, 24 and 25; the sources of information from which the auditor’s understanding was obtained; and the risk assessment procedures performed;
- The evaluation of the design of identified controls, and determination whether such controls have been implemented, in accordance with the requirements in paragraph 26; and
- The identified and assessed risks of material misstatement at the financial statement level and at the assertion level, including significant risks and risks for which substantive procedures alone cannot provide sufficient appropriate audit evidence, and the rationale for the significant judgments made.
In designing the further audit procedures to be performed, the auditor shall (CAS 330.7):
- Consider the reasons for the assessment given to the risk of material misstatement at the assertion level for each significant class of transactions, account balance, and disclosure, including:
- The likelihood and magnitude of misstatement due to the particular characteristics of the significant class of transactions, account balance, or disclosure (that is, the inherent risk); and
CAS Guidance
Why the auditor assesses likelihood and magnitude of misstatement
The auditor assesses the likelihood and magnitude of misstatement for identified risks of material misstatement because the significance of the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement were the misstatement to occur determines where on the spectrum of inherent risk the identified risk is assessed, which informs the auditor’s design of further audit procedures to address the risk (CAS 315.A205).
Assessing the inherent risk of identified risks of material misstatement also assists the auditor in determining significant risks. The auditor determines significant risks because specific responses to significant risks are required in accordance with CAS 330 and other CASs (CAS 315.A206).
Inherent risk factors influence the auditor’s assessment of the likelihood and magnitude of misstatement for the identified risks of material misstatement at the assertion level. The greater the degree to which a class of transactions, account balance or disclosure is susceptible to material misstatement, the higher the inherent risk assessment is likely to be. Considering the degree to which inherent risk factors affect the susceptibility of an assertion to misstatement assists the auditor in appropriately assessing inherent risk for risks of material misstatement at the assertion level and in designing a more precise response to such a risk (CAS 315.A207).
Spectrum of inherent risk
In assessing inherent risk, the auditor uses professional judgment in determining the significance of the combination of the likelihood and magnitude of a misstatement (CAS 315.A208).
The assessed inherent risk relating to a particular risk of material misstatement at the assertion level represents a judgment within a range, from lower to higher, on the spectrum of inherent risk. The judgment about where in the range inherent risk is assessed may vary based on the nature, size and complexity of the entity, and takes into account the assessed likelihood and magnitude of the misstatement and inherent risk factors (CAS 315.A209).
In considering the likelihood of a misstatement, the auditor considers the possibility that a misstatement may occur, based on consideration of the inherent risk factors (CAS 315.A210).
In considering the magnitude of a misstatement, the auditor considers the qualitative and quantitative aspects of the possible misstatement (i.e., misstatements in assertions about classes of transactions, account balances or disclosures may be judged to be material due to size, nature or circumstances) (CAS 315.A211).
The auditor uses the significance of the combination of the likelihood and magnitude of a possible misstatement in determining where on the spectrum of inherent risk (i.e., the range) inherent risk is assessed. The higher the combination of likelihood and magnitude, the higher the assessment of inherent risk; the lower the combination of likelihood and magnitude, the lower the assessment of inherent risk (CAS 315.A212).
For a risk to be assessed as higher on the spectrum of inherent risk, it does not mean that both the magnitude and likelihood need to be assessed as high. Rather, it is the intersection of the magnitude and likelihood of the material misstatement on the spectrum of inherent risk that will determine whether the assessed inherent risk is higher or lower on the spectrum of inherent risk. A higher inherent risk assessment may also arise from different combinations of likelihood and magnitude, for example a higher inherent risk assessment could result from a lower likelihood but a very high magnitude (CAS 315.A213).
In order to develop appropriate strategies for responding to risks of material misstatement, the auditor may designate risks of material misstatement within categories along the spectrum of inherent risk, based on their assessment of inherent risk. These categories may be described in different ways. Regardless of the method of categorization used, the auditor’s assessment of inherent risk is appropriate when the design and implementation of further audit procedures to address the identified risks of material misstatement at the assertion level is appropriately responsive to the assessment of inherent risk and the reasons for that assessment (CAS 315.A214).
Pervasive Risks of Material Misstatement at the Assertion Level
In assessing the identified risks of material misstatement at the assertion level, the auditor may conclude that some risks of material misstatement relate more pervasively to the financial statements as a whole and potentially affect many assertions, in which case the auditor may update the identification of risks of material misstatement at the financial statement level (CAS 315.A215).
In circumstances in which risks of material misstatement are identified as financial statement level risks due to their pervasive effect on a number of assertions, and are identifiable with specific assertions, the auditor is required to take into account those risks when assessing inherent risk for risks of material misstatement at the assertion level (CAS 315.A216).
OAG Guidance
The assessed inherent risk relating to a particular risk of material misstatement at the assertion level represents a judgment within a range, from lower to higher, on the spectrum of inherent risk. When applying the OAG Risk Assessment Process, we document our conclusion as to the level of inherent risk using a range that we describe as a “normal,” “elevated” or “significant” level of inherent risk. Inherent risk is assessed without considering the effect of the entity’s internal controls. Instead, our assessment of the effectiveness of the design and operation of the entity’s internal controls impacts our separate assessment of control risk (and our determination of expected controls reliance). For guidance on control risk assessment, refer to the block Assess control risk below.
The judgment about where in the range inherent risk is assessed may vary based on the nature, size and complexity of the entity, and takes into account the assessed likelihood and magnitude of the misstatement and inherent risk factors.
When assessing the level of inherent risks, consider the following contributing factors:
Contributing Factor | Relevant Considerations |
---|---|
What is the likelihood of a misstatement occurring due to this risk (without considering control risk)? |
Where inherent risk factors are assessed as having a higher degree of impact on a significant FSLI, the likelihood of a misstatement is greater. Consider whether the entity has a history of audit adjustments relating to particular FSLIs or business processes that may influence our assessment of the likelihood of a material misstatement occurring. |
What is the magnitude of a potential misstatement if it were to occur due to this risk? |
When considering the magnitude of a potential misstatement, consider both the qualitative and quantitative aspects of the misstatement were it to occur. In other words, the determination of magnitude would not be based solely on the amount of the FSLI relative to materiality and may be judged to be material due to size, nature or circumstances Consider the impact of inherent risk factors on the magnitude of the potential misstatements, for example, if the FSLI is subject to a high degree of subjectivity, this may indicate a higher magnitude of the potential misstatement because subjectivity of judgments may result in significantly different measurements of the FSLI amount. |
The combination of the likelihood and magnitude of the potential misstatement determines where on the spectrum of inherent risk the identified risk is assessed. It is important that we consider all of the above elements in combination rather than focusing on a single element. For example, a risk with a high likelihood of giving rise to a misstatement is not necessarily assessed as elevated or significant if the magnitude of such a misstatement would be immaterial. As explained in CAS 315.A213, for a risk to be assessed as elevated or significant, it does not mean that both the magnitude and likelihood need to be assessed as high. Rather, it is the intersection of the magnitude and likelihood that will determine whether the assessed inherent risk is normal, elevated or significant. A higher inherent risk assessment may arise from different combinations of likelihood and magnitude (e.g., a higher inherent risk assessment could result from a lower likelihood but a very high magnitude).
The following diagram illustrates how we consider likelihood and magnitude in combination, as we assess the level of inherent risk along the spectrum:
We use professional judgment to evaluate the combination of the likelihood and magnitude of a misstatement and assess the inherent risk by determining its level on the spectrum of inherent risk. When doing this for risks of material misstatement at the assertion level we consider inherent risk factors for each risk, including the degree to which we believe each inherent risk factor affects the susceptibility of the relevant assertions to misstatement. We document this assessment of the impact of each inherent risk factor using a range that we describe as “low”, “moderate” or “high”. We consider where inherent risks fall on the spectrum of risk and determine the inherent risk level as one of the following:
Inherent Risk Level | Comments |
---|---|
Significant |
Significant risks are identified risks of material misstatement for which the assessed inherent risk is close to the upper end of the inherent risk spectrum, due to the degree to which inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur (including the possibility that the risk may give rise to multiple misstatements). Note that some CASs require certain types of identified risks to be assessed as significant. For example, CAS 240 requires all material fraud risks to be considered significant risks. Refer to the block Significant risks below for further guidance on significant risks. |
Elevated |
Elevated risks represent risks that that are higher on the inherent risk spectrum than normal risks and therefore require additional audit consideration beyond what would be required for a normal risk, but do not rise to the level of a significant risk because of the likelihood of the misstatement occurring or magnitude of the potential misstatement if it were to occur. For example, a specific risk relating to the valuation assertion may be identified for property, plant and equipment as indicators of PP&E impairment are present. We may consider the likelihood of an error being made in the estimate of the recoverable amount of PP&E to be higher because the entity has not had past impairment indicators and therefore management does not have past experience with measuring the recoverable amount of PP&E. However, we may conclude that the magnitude of a misstatement of recoverable amount, if it were to occur, is low as the entire PP&E balance is twice performance materiality. Based on the evaluation of the combination of likelihood and magnitude we might determine that the inherent risk for the valuation assertion is Elevated. Elevated risks frequently will be risks that we will discuss with management and those charged with governance of the entity, but that do not rise to the level of a significant risk. We may also evaluate if elevated risks may be considered Key Audit Matters in accordance with CAS 701 and OAG Audit 8015. |
Normal | Normal risks are risks assessed at the lower end of the inherent risk spectrum based on our evaluation of the likelihood and magnitude of potential misstatements. They may relate to a range of situations, including routine transactions subject to systematic processing, as well as more complex transactions where judgment is required. Normal risks do not rise to the level of a significant or elevated risk because of either the likelihood of the misstatement occurring or magnitude of potential misstatements that could result from the risk. |
All risks of material misstatement, whether at the overall financial statement level or at the assertion level, and whether due to fraud or error, are documented in the Audit Planning Template. For risks at the FSLI assertion level we also document the results of our evaluation of inherent risk factors.
Examples
Below are examples of the thought process followed in determining whether an inherent risk is normal, elevated or significant for an FSLI that was determined to be significant (i.e., a FSLI that includes a reasonably possible risk of material misstatement at the assertion level).
Scenario 1: Normal risk—Property, plant and equipment
ABC Company is an automobile manufacturer that regularly invests in new manufacturing equipment. During the year the entity made significant additions (in excess of performance materiality) to one of its main assembly plants to facilitate increased production of its most popular automobile. Disposals during the period are clearly immaterial, and there were no unusual transactions identified in property, plant and equipment as part of our other risk assessment procedures. No impairment indicators were identified. The aggregate balance of property, plant and equipment, net of accumulated depreciation, at the period end is approximately five times performance materiality.
Additions and depreciation recorded during the period appear to have lower inherent risk associated with accuracy, completeness and valuation, as they represent routine transactions which are part of the normal course of ABC’s business. No indicators of management bias or other fraud risk factors have been identified.
Likelihood of the misstatement occurring
No matters were identified as part of our understanding of the entity and PP&E business process that would indicate an increased likelihood of error. In particular, there were no technological developments or other changes in the entity’s environment, which would indicate higher degree of change or uncertainty associated with the FSLI. The business process is non-complex and the degree of subjectivity involved in management’s judgments related to PP&E accounting policies is considered low.
Further, based on our previous audits, ABC has historically appropriately accounted for their property, plant and equipment.
Additions and disposals before and after the period end are clearly immaterial and are not considered to represent a risk of material misstatement for the cut-off assertion.
Magnitude of the potential misstatement
The magnitude of additions and depreciation for the period, as well as the net book value at period end, meant that there was the potential for material misstatement.
Conclusion
As a result of the assessment reflected above, including the assessment of inherent risk factors as summarized below, we concluded that there is a normal risk associated with the property, plant and equipment and documented this as an assumed RoMM for the PP&E FSLI (the following assertions are considered relevant—A, E/O, C, V, R&O, P&D):
Inherent Risk Factor | |
---|---|
Complexity | Low |
Subjectivity | Low |
Change | Low |
Uncertainty | Low |
Susceptibility to bias or other fraud risk factors | Low |
Assessed Level of Inherent Risk | Normal |
Scenario 2: Elevated risk—Valuation of accounts receivable
Company ABC Company recognizes a loss allowance for expected credit losses in accounts receivable.
Accounts receivable valuation involves significant judgment related to determining an appropriate loss allowance for expected credit losses. No specific bias indicators or fraud risk factors have been identified.
Risk assessment of the valuation assertion for the accounts receivable FSLI and related estimate of the loss allowance for expected credit losses:
Likelihood of the misstatement occurring
Several key customers are experiencing financial difficulties thereby indicating a moderate susceptibility to misstatement due to of change and uncertainty inherent risk factors, and increasing the likelihood of write-offs in the current year or the next year. To assist some long-standing customers experiencing financial difficulties, ABC has granted them extended payment terms. However, most of ABC’s customers are not experiencing these difficulties (i.e., not a pervasive trend for all customers). The determination of the loss allowance for expected credit losses is based on a complex model, requires significant judgment by management and is subject to a wide range of assumptions, which indicates a higher degree of complexity and subjectivity. The accounting personnel at the entity have experience in determining the loss allowance for expected credit losses and our prior audit experience indicates that the actual write-offs were generally in line with the recorded loss allowance.
Magnitude of the potential misstatement
Accounts receivable is a significant FSLI that is approximately seven times performance materiality at the end of the reporting period. Write-offs of accounts receivable have been material in previous years. The magnitude of the amounts involved indicates the potential for material misstatement.
Conclusion
As a result of the above facts and circumstances and based on evaluation of the inherent risk factors, we determine that there is an elevated risk for the valuation assertion for the accounts receivable. We would add a specific elevated risk for the valuation of accounts receivable in the Audit Planning Template (the risk that the allowance for credit losses is not complete or accurate) and document our risk assessment, including evaluation of the inherent risk factors as summarized below. Our assessment and documentation of the inherent risk related to the valuation of accounts receivable would also facilitate appropriate inherent risk assessment, including evaluation of the inherent risk factors related to the accounting estimate for ABC’s loss allowance for the purposes of both CAS 315 and CAS 540.
Inherent Risk Factor | |
---|---|
Complexity | Moderate |
Subjectivity | Moderate |
Change | Moderate |
Uncertainty | Moderate |
Susceptibility to bias or other fraud risk factors | Low |
Assessed Level of Inherent Risk | Elevated |
In this scenario, our assessment of the risk as elevated rather than normal or significant is further influenced by the following considerations:
- As the entity sells to its customers on credit, there is always a risk that some of the amounts owed to it will not be recovered, that is, at least a normal risk will almost always be present. If no factors had been present to indicate a heightened risk relating to the recoverability of the accounts receivable balances, an assessment of normal risk may have been justified.
- In the current year, the entity is experiencing an increased risk of uncollectible accounts receivable balances, as some customers have been experiencing financial difficulties and some of them have been granted extended payment terms. There is, therefore, a heightened risk relating to the recoverability of these balances. However, it appears the difficulties are confined to a limited subset of ABC’s customers rather than being a more pervasive risk.
- If the increased risk had been due to other, wider-ranging reasons, for example, a general downturn in the global economy or specific industry, and therefore introduced collectability risk more broadly, it is more likely that the valuation assertion may have been assessed to be a significant risk. Also, an increase in the potential breadth of collectability issues for ABC might also lead us to expand the relevant risks to include, for example risks relating to the occurrence of revenue, completeness of expenses and appropriateness of the going concern basis of accounting.
Scenario 3: Significant risk
ABC Company recognized a material impairment of PP&E in one of its plants which assembled an older model automobile which has been scheduled for discontinuance because the features and technology of this particular model have not kept pace with consumer expectations in the market. The net book value of the PP&E at the plant under consideration is five times performance materiality.
Assessment in relation to the PP&E valuation assertion and, in particular ABC’s estimate of the PP&E recoverable amount:
Impairment tests have higher inherent risk of error, as they have been infrequent in occurrence for ABC and can require complex and subjective judgments, and are susceptible to management bias (possibly including a bias to overstate or accelerate the impairment recognition). Measurement and recognition also requires specialized accounting knowledge not frequently or recently applied by management.
Likelihood of the misstatement occurring
There is a higher likelihood of a misstatement in the amount of the impairment, due to the complexity and subjectivity of the model used and judgments to be made, specialized accounting and due to the specific circumstances of ABC. As a result, we assess the inherent risk factors of complexity and subjectivity as high. The company has limited prior experience assessing, measuring or recognizing impairment of property, plant and equipment, which increases the likelihood of the risk of error. The company already made a decision to stop production of the car model, however there is still some uncertainty associated with the number of already produced cars that will be sold and at what prices in the future, which may affect the significant assumptions underlying the estimate of PP&E recoverable amount. Therefore, we assess the inherent risk factors of change and uncertainty as moderate.
Magnitude of the potential misstatement
The magnitude of the amounts involved (i.e., the net PP&E balance is five times planning materiality) means that there is the potential for material misstatement of the estimated recoverable amount.
Conclusion
Given these facts the risk associated with the valuation assertion for PP&E and related accounting estimate of the PP&E recoverable amount is considered a significant risk. We need to perform appropriate procedures that would be responsive to this risk, including designing specific procedures to test the recoverable amount estimate in line with the guidance in OAG Audit 7070. We would add a specific significant risk for the valuation of PP&E in the Audit Planning Template (the risk that method, significant assumptions and data used to estimate PP&E impairments are not appropriate) and document our risk assessment, including evaluation of the inherent risk factors as summarized below. Our assessment and documentation of the inherent risk related to the valuation of PP&E would also facilitate appropriate inherent risk assessment, including evaluation of the inherent risk factors related to ABC’s estimate of the recoverable amount for the purposes of both CAS 315 and CAS 540.
Inherent Risk Factor | |
---|---|
Complexity | High |
Subjectivity | High |
Change | Moderate |
Uncertainty | Moderate |
Susceptibility to bias or other fraud risk factors | High |
Assessed Level of Inherent Risk | Significant |
CAS Requirement
If the auditor plans to test the operating effectiveness of controls, the auditor shall assess control risk. If the auditor does not plan to test the operating effectiveness of controls, the auditor’s assessment of control risk shall be such that the assessment of the risk of material misstatement is the same as the assessment of inherent risk (CAS 315.34).
CAS Guidance
The auditor’s plans to test the operating effectiveness of controls is based on the expectation that controls are operating effectively, and this will form the basis of the auditor’s assessment of control risk. The initial expectation of the operating effectiveness of controls is based on the auditor’s evaluation of the design, and the determination of implementation, of the identified controls in the control activities component. Once the auditor has tested the operating effectiveness of the controls in accordance with CAS 330, the auditor will be able to confirm the initial expectation about the operating effectiveness of controls. If the controls are not operating effectively as expected, then the auditor will need to revise the control risk assessment in accordance with paragraph 37 (CAS 315.A226).
The auditor’s assessment of control risk may be performed in different ways depending on preferred audit techniques or methodologies, and may be expressed in different ways (CAS 315.A227).
If the auditor plans to test the operating effectiveness of controls, it may be necessary to test a combination of controls to confirm the auditor’s expectation that the controls are operating effectively. The auditor may plan to test both direct and indirect controls, including general IT controls, and, if so, take into account the combined expected effect of the controls when assessing control risk. To the extent that the control to be tested does not fully address the assessed inherent risk, the auditor determines the implications on the design of further audit procedures to reduce audit risk to an acceptably low level (CAS 315.A228).
When the auditor plans to test the operating effectiveness of an automated control, the auditor may also plan to test the operating effectiveness of the relevant general IT controls that support the continued functioning of that automated control to address the risks arising from the use of IT, and to provide a basis for the auditor’s expectation that the automated control operated effectively throughout the period. When the auditor expects related general IT controls to be ineffective, this determination may affect the auditor’s assessment of control risk at the assertion level and the auditor’s further audit procedures may need to include substantive procedures to address the applicable risks arising from the use of IT. Further guidance about the procedures that the auditor may perform in these circumstances is provided in CAS 330 (CAS 315.A229).
OAG Guidance
CAS 315.34 requires us to assess the control risk if we plan to test operating effectiveness of controls. If we do not plan to test the operating effectiveness of controls, our assessment of the risk of material misstatement is the same as our assessed level of inherent risk. In other words, if we plan to reduce the level of control risk considered within our assessment of the risk of material misstatement, we need to test the operating effectiveness of controls. If we test controls addressing the risk of material misstatement and find them to be operating effectively, we would typically require less audit evidence from substantive procedures in response to the risk.
Control risk and control reliance have an inverse relationship. If we are not relying on controls, the control risk is assessed at the maximum. If we are placing reliance on controls, control risk is assessed to be below the maximum. The following diagram illustrates the inverse relationship between control risk and control reliance:
We do not separately document our assessment of control risk for the purpose of assessing the risk of material misstatement. Instead, we document our Expected Controls Reliance recognizing that we do not reduce control risk unless we test the operating effectiveness of controls. By combining control risk and control reliance into a single concept, we are able to simplify the risk assessment and documentation process while reducing the risk that we consider control risk below the maximum without testing the operating effectiveness of relevant controls.
CAS Requirement
The auditor shall determine whether any of the assessed risks of material misstatement are significant risks (CAS 315.32).
CAS Guidance
Significant risk—An identified risk of material misstatement (CAS 315.12(l)):
- For which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur; or
- That is to be treated as a significant risk in accordance with the requirements of other CASs.
The determination of significant risks allows for the auditor to focus more attention on those risks that are on the upper end of the spectrum of inherent risk, through the performance of certain required responses, including (CAS 315.A218):
- Controls that address significant risks are required to be identified in accordance with paragraph 26(a)(i), with a requirement to evaluate whether the control has been designed effectively and implemented in accordance with paragraph 26(d).
- CAS 330 requires controls that address significant risks to be tested in the current period (when the auditor intends to rely on the operating effectiveness of such controls) and substantive procedures to be planned and performed that are specifically responsive to the identified significant risk.
- CAS 330 requires the auditor to obtain more persuasive audit evidence the higher the auditor’s assessment of risk.
- CAS 260 requires communicating with those charged with governance about the significant risks identified by the auditor.
- CAS 701 requires the auditor to take into account significant risks when determining those matters that required significant auditor attention, which are matters that may be key audit matters.
- Timely review of audit documentation by the engagement partner at the appropriate stages during the audit allows significant matters, including significant risks, to be resolved on a timely basis to the engagement partner’s satisfaction on or before the date of the auditor’s report.
- CAS 600 requires more involvement by the group engagement partner if the significant risk relates to a component in a group audit and for the group engagement team to direct the work required at the component by the component auditor.
In determining significant risks, the auditor may first identify those assessed risks of material misstatement that have been assessed higher on the spectrum of inherent risk to form the basis for considering which risks may be close to the upper end. Being close to the upper end of the spectrum of inherent risk will differ from entity to entity, and will not necessarily be the same for an entity period on period. It may depend on the nature and circumstances of the entity for which the risk is being assessed (CAS 315.A219).
The determination of which of the assessed risks of material misstatement are close to the upper end of the spectrum of inherent risk, and are therefore significant risks, is a matter of professional judgment, unless the risk is of a type specified to be treated as a significant risk in accordance with the requirements of another CAS. CAS 240 provides further requirements and guidance in relation to the identification and assessment of the risks of material misstatement due to fraud (CAS 315.A220).
Examples:
|
The auditor also takes into account the relative effects of inherent risk factors when assessing inherent risk. The lower the effect of inherent risk factors, the lower the assessed risk is likely to be. Risks of material misstatement that may be assessed as having higher inherent risk and may therefore be determined to be a significant risk, may arise from matters such as the following (CAS 315.A221):
- Transactions for which there are multiple acceptable accounting treatments such that subjectivity is involved.
- Accounting estimates that have high estimation uncertainty or complex models.
- Complexity in data collection and processing to support account balances.
- Account balances or quantitative disclosures that involve complex calculations.
- Accounting principles that may be subject to differing interpretation.
Changes in the entity’s business that involve changes in accounting, for example, mergers and acquisitions.
OAG Guidance
Careful assessment as to whether an assertion level risk for a significant FSLI is a significant risk is important because:
- As described in CAS 315.A218, certain required procedures, communications and audit reporting considerations are linked to risks identified as significant;
- Significant risks require an increased level of audit evidence to respond to the risk. Assessing a risk as significant when it is not may result in an inefficient audit response, whereas not assessing a risk as significant when it is one may result in an audit response that does not reduce detection risk to an appropriately low level.
Significant risks may be identified at any stage of the audit, although they may initially be identified during the Acceptance and Continuance (A&C) or while performing other planning procedures.
Example: If we believe that there is a risk that group management does not appropriately or adequately monitor operating units and some operating units have significant revenue generated from contracts containing bespoke and complex terms, this might indicate there is a risk that the contract terms are not sufficiently understood by group management when making revenue recognition decisions and therefore this may give rise to a significant risk, based on our evaluation of the inherent risk factors and assessment of the likelihood and magnitude of potential misstatements. |
When we identify a significant risk(s) for an FSLI, we also identify the specific risks at the assertion level so we may tailor the nature, timing and extent of tests of controls and substantive tests to respond to the risk(s). We need to avoid defining risks too broadly as this can result in ineffective or inefficient audit responses that may not sufficiently address the specific assessed risks.
We need to consider our combined assessment of the likelihood and magnitude when determining if the risk is significant. For example, as explained in CAS 315.A220, cash at a retail supermarket would ordinarily have a high likelihood of potential misstatement (due to the risk of cash being misappropriated), however the magnitude would typically be very low due to the small amount of cash actually handled at the store. Therefore, we would likely not consider the cash FSLI at a retail supermarket to represent a significant risk.
Financial statement level risks would, due to their pervasiveness, ordinarily be considered a significant risk. Significant risks at the assertion level normally represent a small subset of inherent risks related to all significant FSLIs that, based on their nature, we believe have a higher likelihood and magnitude of misstatement:
Given the importance of appropriate identification of significant risks and the often heightened level of professional judgment involved in assessing these risks and developing related audit responses, it is important for the team manager and engagement leader to be involved in the determination of any significant risks.
CAS Requirement
The auditor shall determine whether substantive procedures alone cannot provide sufficient appropriate audit evidence for any of the risks of material misstatement at the assertion level (CAS 315.33).
The auditor shall include in the audit documentation (CAS 315.38):
- The identified and assessed risks of material misstatement at the financial statement level and at the assertion level, including significant risks and risks for which substantive procedures alone cannot provide sufficient appropriate audit evidence, and the rationale for the significant judgments made.
CAS Guidance
Due to the nature of a risk of material misstatement, and the control activities that address that risk, in some circumstances the only way to obtain sufficient appropriate audit evidence is to test the operating effectiveness of controls. Accordingly, there is a requirement for the auditor to identify any such risks because of the implications for the design and performance of further audit procedures in accordance with CAS 330 to address risks of material misstatement at the assertion level (CAS 315.A222).
Paragraph 26(a)(iii) also requires the identification of controls that address risks for which substantive procedures alone cannot provide sufficient appropriate audit evidence because the auditor is required, in accordance with CAS 330, to design and perform tests of such controls (CAS 315.A223).
Where routine business transactions are subject to highly automated processing with little or no manual intervention, it may not be possible to perform only substantive procedures in relation to the risk. This may be the case in circumstances where a significant amount of an entity’s information is initiated, recorded, processed, or reported only in electronic form such as in an information system that involves a high degree of integration across its IT applications. In such cases (CAS 315.A224):
- Audit evidence may be available only in electronic form, and its sufficiency and appropriateness usually depend on the effectiveness of controls over its accuracy and completeness.
- The potential for improper initiation or alteration of information to occur and not be detected may be greater if appropriate controls are not operating effectively.
Example: It is typically not possible to obtain sufficient appropriate audit evidence relating to revenue for a telecommunications entity based on substantive procedures alone. This is because the evidence of call or data activity does not exist in a form that is observable. Instead, substantial controls testing is typically performed to determine that the origination and completion of calls, and data activity is correctly captured (e.g., minutes of a call or volume of a download) and recorded correctly in the entity’s billing system. |
CAS 540 provides further guidance related to accounting estimates about risks for which substantive procedures alone do not provide sufficient appropriate audit evidence. In relation to accounting estimates this may not be limited to automated processing, but may also be applicable to complex models (CAS 315.A225).
OAG Guidance
We may identify risks of material misstatement that we are not able to address solely by substantive procedures and therefore need to obtain some level of controls reliance as part of our plan for addressing such risks. This would generally be a result of the nature of the risk and specifics of the related business process and controls.
Examples of situations where substantive procedures alone would not be sufficient include:
- An entity electronically initiates orders for the purchase and delivery of goods based on predetermined rules of what to order and in what quantities, and the related accounts payable is paid based on systems-generated decisions initiated on confirmed receipt of goods and terms of payment. No other documentation of orders placed or goods received is produced or maintained, other than through the system.
- An entity provides services to customers through the internet and electronically logs the services provided to its customers, initiates and processes its billings for the services and automatically records such amounts in electronic accounting records that are part of the system used to produce the entity’s financial statements.
- A banking entity is using a service organization to buy, sell and provide custody for its investments, and the entity relies on the service organization to accurately and completely process and report the related transactions.
In circumstances like these, we design our audit approach to include an appropriate combination of evidence from controls reliance and substantive procedures. For those controls that we are planning to test, we are required to evaluate their design and determine whether they are implemented (CAS 315.26(a)).
Scalability
CAS Guidance
The manner in which the requirements of paragraph 38 are documented is for the auditor to determine using professional judgment (CAS 315.A239).
More detailed documentation, that is sufficient to enable an experienced auditor, having no previous experience with the audit, to understand the nature, timing and extent of the audit procedures performed, may be required to support the rationale for difficult judgments made (CAS 315.A240).