5044 Perform overall evaluation
Sep-2022

Evaluate audit evidence obtained from the risk assessment procedures

CAS Requirement

The auditor shall evaluate whether the audit evidence obtained from the risk assessment procedures provides an appropriate basis for the identification and assessment of the risks of material misstatement. If not, the auditor shall perform additional risk assessment procedures until audit evidence has been obtained to provide such a basis. In identifying and assessing the risks of material misstatement, the auditor shall take into account all audit evidence obtained from the risk assessment procedures, whether corroborative or contradictory to assertions made by management (CAS 315.35).

Based on the audit procedures performed and the audit evidence obtained, the auditor shall evaluate before the conclusion of the audit whether the assessments of the risks of material misstatement at the assertion level remain appropriate (CAS 330.25).

CAS Guidance

Audit evidence obtained from performing risk assessment procedures provides the basis for the identification and assessment of the risks of material misstatement. This provides the basis for the auditor’s design of the nature, timing and extent of further audit procedures responsive to the assessed risks of material misstatement, at the assertion level, in accordance with CAS 330. Accordingly, the audit evidence obtained from the risk assessment procedures provides a basis for the identification and assessment of risks of material misstatement whether due to fraud or error, at the financial statement and assertion levels (CAS 315.A230).

Audit evidence from risk assessment procedures comprises both information that supports and corroborates management’s assertions, and any information that contradicts such assertions (CAS 315.A231).

In evaluating the audit evidence from the risk assessment procedures, the auditor considers whether sufficient understanding about the entity and its environment, the applicable financial reporting framework and the entity’s system of internal control has been obtained to be able to identify the risks of material misstatement, as well as whether there is any evidence that is contradictory that may indicate a risk of material misstatement (CAS 315.A232).

OAG Guidance

CAS 315.35 requires us to evaluate whether our risk assessment procedures provide an appropriate basis for identification and assessment of the risks of material misstatement and to consider both contradictory and corroborating evidence when forming this conclusion. If we determine that our procedures do not provide such a basis, we would need to perform further risk assessment procedures, as appropriate in the engagement circumstances.

It is important to perform appropriate risk assessment procedures to identify and assess the risks of material misstatement at the financial statement and FSLI assertion level, as our risk assessment will form the basis for our further procedures, including controls and substantive testing. We need to identify and assess entity-specific risks at a sufficiently granular level so that our further audit procedures can be appropriately targeted at the assessed risks and reduce the risk to an appropriately low level. If we do not identify risks of material misstatement that are present on the engagement, or inappropriately assess the level of inherent risks, this may lead to an ineffective or inefficient testing strategy.

As part of our overall evaluation, we also consider if we obtained a sufficient understanding of the:

  • Entity and its environment

  • Applicable financial reporting framework

  • Entity’s system of internal control

  • Risks arising from IT and the entity’s ITGCs that address such risks

  • Any other risks of material misstatement identified as a result of understanding procedures required by CASs other than CAS 315

We need to consider in a timely manner whether our risk assessment provides a sufficient basis for developing an effective and efficient testing strategy. Our overall evaluation would typically be conducted as part of planning, after we have performed our risk assessment procedures, but before the planning sign-off. It is important that the team manager and engagement leader are sufficiently involved in the overall evaluation and related team discussions to assess the sufficiency and appropriateness of the overall risk assessment.

The OAG Risk Assessment Process (OAG Audit 5011) recognizes the iterative nature of our risk assessment. We need to remain alert to the changes that occur during the engagement. These changes may affect our risk assessment and further risk assessment procedures may need to be performed. For example, during the execution phase of the engagement, we may identify some changes in the entity and its environment that could have an impact on the inherent risk factors associated with specific FSLIs. In this case, we may need to perform further evaluation of the related inherent risk factors and update our risk assessment documentation. We may also identify changes in the entity’s system of internal control that would require further procedures to understand the controls within a related business process and may result in changes to our risk assessment and/or planned level of controls reliance.

As part of our completion procedures, we are specifically required by CAS 330.25-26 to evaluate whether our risk assessment at the assertion level remains appropriate and to conclude whether sufficient appropriate audit evidence has been obtained when forming an opinion. Therefore, during the completion phase of the engagement we consider whether our overall risk assessment conclusions remain appropriate.

Professional skepticism and contradictory audit evidence

In performing our overall evaluation, we maintain an attitude of professional skepticism, recognizing that audit evidence includes not only evidence that corroborates our expectations and/or the explanations and assertions made by management, but also evidence that contradicts them. Such evidence may be identified when evidence is obtained from different sources, for example when explanations obtained from management and internal audit appear to contradict each other (see CAS 500.A68).

As part of our overall evaluation, consider whether some evidence that was obtained as part of our risk assessment procedures contradicts our risk assessment conclusions. When such evidence is identified, we need to determine if any further investigation may be necessary to determine the potential impact on our risk assessment and planned further audit procedures. It is important that senior members of the engagement team are sufficiently involved in the related team discussions. For example, when we identify some unusual fluctuations as part of our risk assessment analytics, which are inconsistent with the explanations provided by management regarding industry trends and the entity’s performance, we may need to obtain further evidence supporting management’s explanations and evaluate whether this information impacts any further risk assessment procedures we may need to perform.

Where evidence obtained from one source contradicts evidence obtained from another, we consider whether this gives rise to doubts over the reliability of information to be used as audit evidence and perform appropriate procedures to address these concerns, considering the impact on other aspects of the audit, including the auditor’s report. Where we have reason to believe that information provided to us by management has been falsified or presented in such a way as to intentionally mislead us, we consider whether this is indicative of fraud, evaluate the impact on our assessment of the risk of material misstatement due to fraud and consider what procedures are necessary to respond to this (as set out in OAG Audit 5510).

Revision of risk assessment

CAS Requirement

If the auditor obtains new information which is inconsistent with the audit evidence on which the auditor originally based the identification or assessments of the risks of material misstatement, the auditor shall revise the identification or assessment (CAS 315.37).

CAS Guidance

During the audit, new or other information may come to the auditor’s attention that differs significantly from the information on which the risk assessment was based (CAS 315.A236).

Example:

The entity’s risk assessment may be based on an expectation that certain controls are operating effectively. In performing tests of those controls, the auditor may obtain audit evidence that they were not operating effectively at relevant times during the audit. Similarly, in performing substantive procedures the auditor may detect misstatements in amounts or frequency greater than is consistent with the auditor’s risk assessments. In such circumstances, the risk assessment may not appropriately reflect the true circumstances of the entity and the further planned audit procedures may not be effective in detecting material misstatements. Paragraphs 16 and 17 of CAS 330 provide further guidance about evaluating the operating effectiveness of controls.

OAG Guidance

The OAG Risk Assessment Process (OAG Audit 5011) recognizes that risk assessment is a continuous, dynamic process of gathering, updating and analyzing information throughout the audit. While we complete our risk assessment procedures as part of planning in order to develop our audit strategy, we remain alert as the audit progresses and consider new information or information that differs from that obtained during planning which may indicate a need to consider whether our original conclusions reached in our risk assessment remain appropriate.

For example, new information may come to our attention when testing controls, performing substantive tests and evaluating subsequent events that suggests that risks originally identified are not complete or that our assessment of such risks was not appropriate (i.e., a risk was assessed as normal but more recent information suggests a higher likelihood and/or magnitude of potential misstatement). If such information indicates an inappropriate conclusion in our risk assessment, revisit that risk assessment and make appropriate changes to our risk assessment and planned audit responses and document the changes in the audit file.

If revisions to our risk assessment represent significant changes to strategy and plan (e.g., a new risk is identified that requires significant changes to our testing strategy), document them in accordance with OAG Audit 4051.