The operative date for ASA 315 is for financial reporting periods commencing on or after 15 December 2021, which means it is effective as follows:
ASA 315 has been significantly enhanced to require a more robust risk assessment process and to promote consistency in application. There has been lots of change including new definitions, more detailed requirements and new concepts. The audit risk model has not changed i.e. still consists of inherent risk and control risk. However, ASA 315 will help auditors in applying the audit risk model when identifying and assessing the risks of material misstatement.
New concepts and definitions introduced:
Refer also to the IAASB’s Introduction to ISA 315.
The auditor’s risk identification and assessment process is iterative and dynamic. The auditor’s understanding of the entity and its environment, the applicable financial reporting framework, and the entity’s system of internal control are interdependent with concepts within the requirements to identify and assess the risks of material misstatement.
In obtaining the required understanding, initial expectations of risks are developed, which are further refined as the auditor progresses through the risk identification and assessment process. The auditor identifies and assesses risk of material misstatement based on inherent risk and the impact of inherent risk factors. Based on this the auditor assesses where inherent risks sit on the spectrum of inherent risk and identify significant risks.
The auditor assesses control risk if they plan to test the operating effectiveness of controls. If the auditor does not plan to test the operating effectiveness of controls, the assessment of control risk is the same as the assessment of inherent risk.
In addition, ASA 315 includes a new stand back requirement to confirm the risk assessment and revise this if based on audit evidence obtained from performing further audit procedures, or if new information is obtained.
This understanding is required to assist the auditor to be able to identify and assess risks of material misstatement. Without this understanding the auditor may not identify all risks of material misstatement, appropriately assess these, and appropriately respond when designing and performing further audit procedures.
ASA 315 paragraph 27 requires the auditor to consider based on their evaluation of each of the components of the entity’s system of internal control, whether one or more control deficiencies have been identified. If yes, the auditor considers the impact on the design of further audit procedures (ASA 330) and if they are significant deficiencies and therefore are required to communicate to those charged with governance (ASA 265).
Extant ASA 315 requires the auditor to obtain an understanding of internal control “relevant to the audit”. The new ASA 315 is more prescriptive and the auditor is required to identify controls that address risks of material misstatement at the assertion level which include:
ASA 315 also has more on IT environment, applications, and controls. Auditors will have to gain an understanding of information processing activities, and identify risks arising from the use of IT, then identify general IT controls that address such risks, including risks arising from use of IT applications.
For each of the controls identified above, the auditor is required to evaluate whether the control, individually or in combination with other controls, is designed effectively to prevent, or detect and / or correct, material misstatements (i.e., the control objective). The auditor determines the implementation of an identified control by establishing that the control exists and that it is operating. Note that enquiry alone is not sufficient.
If the auditor concludes that these controls are not designed effectively or have not been implemented, they are required to determine whether individually or in combination, the deficiencies constitute a significant deficiency in accordance with ASA 265, and to consider the design of further audit procedures in accordance with ASA 330.
An important enhancement to ASA 315 is the introduction of inherent risk factors (IRFs) and the spectrum of inherent risk. These are a framework to identify and assess inherent risk, risks of material misstatement, and significant risks.
Firstly, inherent risk is the susceptibility of an assertion about a class of transactions, account balance or disclosure (COTABD) to a potential misstatement, either individually or in aggregate, before consideration of controls. IRFs are factors which increases the susceptibility of an assertion about a COTABD to risk. IRF may be qualitative or quantitative and include complexity, subjectivity, change, uncertainty, or susceptibility to misstatement due to management bias or other fraud risk factors as they affect inherent risk.
The IRFs are used throughout the audit to identify risk of material misstatement, to assess the likelihood and magnitude of inherent risk, and to assess where a risk of material misstatement sits on the spectrum of inherent risk. In assessing an identified inherent risk, the auditor uses professional judgement considering the likelihood of a misstatement occurring, and the potential magnitude if the misstatement was to occur. In considering the likelihood, the auditor considers the inherent risk factors.
The significance of the combination of likelihood and magnitude determines where on the spectrum of inherent risk the identified inherent risk resides. Where an inherent risk resides on the spectrum of inherent risk will determine the extent of audit procedures that need to be performed. Ultimately the higher on the spectrum the risk falls, the more persuasive the audit evidence needs to be.
The assessment is based on judgement within a range from higher to lower on the spectrum of inherent risk. The higher the combination of likelihood and magnitude, the higher the assessment of inherent risk; the lower the combination of likelihood and magnitude, the lower the assessment of inherent risk. For a risk to be assessed as higher on the spectrum of inherent risk, it does not mean that both the magnitude and likelihood need to be assessed as high. Rather, it is the intersection of the magnitude and likelihood of the material misstatement on the spectrum of inherent risk that will determine whether the assessed inherent risk is higher or lower on the spectrum of inherent risk. A higher inherent risk assessment may also arise from different combinations of likelihood and magnitude, for example a higher inherent risk assessment could result from a lower likelihood but a very high magnitude.
The auditor may categorise risks of material misstatement based on where they reside on the spectrum of inherent risk to assist in developing appropriate responses to the assessment of inherent risk and the reasons for that assessment.
Inherent risks assessed as close to the upper end of the spectrum of inherent risk are identified as significant risks.
Relevant requirements and guidance in ASA 315:
For the identified risks of material misstatement at the assertion level, a separate assessment of inherent risk and control risk is required. If the auditor plans to test the operating effectiveness of controls, they are required to assess control risk. The auditor’s plans to test the operating effectiveness of controls is based on the initial expectation that controls are operating effectively, and this will form the basis of the auditor’s assessment of control risk. The initial expectation of the operating effectiveness of controls is based on the auditor’s evaluation of the design, and the determination of implementation, of the identified controls in the control activities component. This assessment is confirmed once the auditor has tested the operating effectiveness of the controls. If the control is not operating effectively as expected, the auditor revises the control risk assessment.
If the auditor does not plan to test the operating effectiveness of controls, the control risk is assessed such that the assessment of the risk of material misstatement is the same as the assessment of inherent risk.
ASA 315 paragraph 36 includes a new stand-back requirement which is for material classes of transactions, balances and disclosures (COTABD) that have not been assessed as ‘significant’ (i.e. no relevant assertion with an identified risk of material misstatement), the auditor shall evaluate whether that determination remains appropriate. This is intended to drive the completeness of the identification of the risks of material misstatement by evaluating the completeness of the significant COTABD identified by the auditor. Significant COTABD are those for which there is a relevant assertion as there has been an identified risk of material misstatement. This requirement in ASA 315 is to ensure the auditor confirms that their initial assessment that there are no identified risks of material misstatement in those COTABD, is still appropriate.
The auditor may consider the following when performing the risk assessment stand-back:
This requirement in ASA 315 is in addition to ASA 330 paragraph 18 which requires that irrespective of the assessed risks of material misstatement, the auditor shall design and perform substantive procedures for each material COTABD. As part of the revision to ASA 315 an amendment has been made to ASA 330 explanatory material which states that not all assertions within a material class of transactions, account balance or disclosure are required to be tested. Rather in designing the substantive procedures to be performed, the auditor’s consideration of the assertion(s) in which, if a misstatement were to occur, there is a reasonable possibility of the misstatement being material, may assist in identifying the appropriate nature, timing and extent of the procedures to be performed.
Therefore, the auditor considers the most appropriate assertions when designing substantive procedures.
ASA 315 paragraph 38 includes additional disclosure requirements to those in ASA 230 Audit Documentation which are:
ASA 230 paragraph A7 notes that, among other considerations, although there may be no single way in which the auditor’s exercise of professional scepticism is documented, the audit documentation may nevertheless provide evidence of the auditor’s exercise of professional scepticism. ASA 315 paragraph A238 provides examples of other requirements for which documentation may provide evidence of the exercise of professional scepticism by the auditor.