
November 2015

SA 330 – The Auditor’s Responses to Assessed Risks

By Bhavesh Dhupelia
Shabbir Readymadewala
Chartered Accountants
While planning an audit of financial statements, the auditor identifies risks of material misstatement both at the financial statement level and at the assertion level. The objective of the auditor is to obtain sufficient and appropriate audit evidence to address this risk and he does so by designing and implementing appropriate responses to such risks. How the auditor designs these responses will be influenced by the auditor’s assessment of the risk of material misstatement at the assertion level for each class of transactions, account balances and disclosures including:

  • the likelihood of material misstatement due to the particular characteristics of the relevant class of transactions, account balances, or disclosures (i.e., inherent risk); and

  • the existence and operation of relevant controls (i.e., control risk), thereby requiring the auditor to obtain audit evidence to determine whether the controls are operating effectively and whether reliance can be placed on their operating effectiveness in determining the nature, timing and extent of substantive procedures.

Let us break the auditor’s responses to assessed risks into two parts and look at each one of them independently and in conjunction, bearing in mind the auditor’s objectives while performing an audit of financial statements:

1)    Overall response to the risks identified at financial statement level
2)    Audit procedures which are responsive to assessed risks of material misstatements at the assertion level.

Overall response to the risks identified at financial statement level

Simply put, the risk of material misstatement at the financial statement level is the risk that the financial statements as a whole may not reflect a true and fair view. Risk of material misstatement, as we know, is a function of inherent risk and control risk. To address this risk, the auditor may include the following responses while planning the audit of financial statements:

  • Incorporating additional elements of unpredictability in the selection of further audit procedures to be performed (like varying the timing of audit procedures, selecting items for testing that have lower amounts or are otherwise outside customary selection parameters, etc.).

  • Making generic changes to the nature, timing or extent of audit procedures, for example: performing substantive procedures at the period end instead of at an interim date; or modifying the nature of audit procedures to obtain more persuasive audit evidence.

  • Emphasising to the audit team the need to maintain professional skepticism.

  • Assigning more experienced staff or those with special skill sets, or using experts and providing increased levels of supervision.

The auditor’s assessment of the financial statement level risks, and thereby his overall responses, are affected by his understanding of the control environment. An effective control environment may allow him to have more confidence in internal controls and the reliability of audit evidence generated internally within the entity. The overall response by an auditor to the financial statement risks generally has a noteworthy bearing on the auditor’s general approach towards an audit. Hence it is important that these responses are evaluated and implemented by the auditor in the planning stage of an audit.

Audit procedures which are responsive to assessed risks of material misstatements at the assertion level

The nature, timing and extent of audit procedures are based on the auditor’s assessment of the risk of material misstatement at the assertion level of financial statement captions, and the auditor’s approach to addressing a specific risk may vary. For example:

  • He may choose to perform only tests of the operating effectiveness of controls if he feels that this would achieve an effective response to the risk of material misstatement for a particular assertion.

  • He may choose to perform only substantive procedures if he concludes that there are no effective controls relevant to that particular assertion.

  • He may choose to have a combined approach using both tests of controls and substantive procedures.

The design of further audit procedures to be performed by the auditor is generally based on:

1)    The auditor’s assessment of inherent risk and control risk assigned to an assertion, and
2)    Persuasiveness of audit evidence required to address the degree of risk identified.

Let us consider a case study to understand the above concepts.

Case study

Addressing risks at the financial statement level

Background

KKM and Company (‘KKM’) is a financial institution operating in a highly regulated environment. Based on the following scenarios, let us examine the approach that the auditors of KKM, M/s. ALB and Associates, would need to adopt to address the risk of material misstatement at the financial statement level.

1.    Based on the experience obtained during the past audits, management inquiries conducted and the results obtained while evaluating the design and implementation of higher level controls, the auditors have assessed the control environment to be effective.

2.    The engagement team is comparatively new and is undertaking the audit of this company for the very first time.

3.    The management of the company is well aware of the audit procedures performed by the audit team on a year on year basis. They are ready with all the information required by the audit team at the commencement of the audit. All the information required to be given to the auditors is entirely reviewed by the management to identify any errors and changes and any identified changes are duly incorporated in the information sent to auditors for audit.

4.    As per the policy in place at ALB and Associates, based on the risk grading assigned to KKM while performing the engagement acceptance formalities, the audit team is required to have at least two managers reviewing the work done by the engagement team. However, the engagement partner is of the belief that one manager is sufficient to review the audit.

Evaluation

As per SA 330, the auditor is required to address the risk of material misstatement at financial statement level. He may do so by changing the nature, timing and extent of his audit procedures.

1.    In this scenario, the auditor has concluded that the control environment of the entity is effective. Based on the efficacy of the control environment and existence and operation of internal controls, the reliability of the audit evidence generated internally by the entity increases. This may help the auditor to reduce the nature, timing and extent of audit procedures to be performed by him. Such a reliance on internal controls may help him to place less emphasis on substantive procedures and elect to have a controls based approach towards audit. Such an approach would also help the auditor save time and resources.

2.    In such a scenario where the engagement team is relatively new to the client, the engagement manager/partner needs to ensure that the team is appropriately trained and guided to apply professional skepticism during the course of the audit. The audit team may also find it useful to engage the work of experts wherever required. The audit team should also be made to attend trainings on audit methodology and procedures so as to equip them with the requisite knowledge about the client and the industry. The audit team should familiarise themselves with the client and the industry in which it operates by perusing the previous year’s work papers to obtain an understanding of the issues which were identified in the prior year audit as well as to address any carried forward issues from the previous year’s audit.

3.    In the current scenario, the audit team has been performing identical audit procedures over a period of time due to which the client is well aware of these procedures. In such a scenario, the audit team should include surprise procedures so as to break the consistency of audit procedures and incorporate an element of unpredictability in the procedures applied. This surprise element will also help the audit team to address the fraud risk, if any, for certain classes of transactions. For example, the audit team may perform a surprise visit to one of the branches of the company for verification of cash balances, select certain low value debtors or debtors with credit balances for balance circularisation, etc.

4.    The engagement partner is deviating from the policy followed by the firm while performing the audit of this entity. In the given scenario, based on the risk grade assigned to the entity, at least two managers are to be assigned to this engagement. Hence the engagement partner should increase the number of managers on the job to two. This would increase the supervision on the engagement, thus also helping the auditors to address the risk of material misstatement at the financial statement level.

Closing Remarks

Assessing risk lies at the core of the audit process and this article has introduced and explained some of the terminology used by SA 330, giving guidance to auditors on how to respond to assessed risks. In general, tests of control are short, quick audit tests, whereas substantive procedures will require more detailed audit work. SA 330 requires that, irrespective of the assessed risks of material misstatement, the auditor would need to design and perform substantive procedures for each class of transactions, account balance and disclosures. We will discuss the concept of assessing risks at the assertion level in our next article.
