SA 315 – Identifying and Assessing the Risk of Material Misstatement through understanding the Entity and its Environment (Effective 01/04/2008)

The objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels, through understanding the entity and its environment, including the entity’s internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement.

Risk-based audit (RBA) is an approach to audit that analyzes audit risks, sets materiality thresholds based on audit risk analysis and develops audit programmes that allocate a larger portion of audit resources to high-risk areas.

Audit risk is the risk of expressing an inappropriate audit opinion on financial statements this can be in two ways:-

1. Financial statements has material misstatements but auditor gives opinion that there are no material misstatements in financial statements – This will affect the effectiveness of audit
2. Financial statements doesnot have any material misstatements but the auditor gives the opinion that financial statements are materially misstated – This will affect the efficiency of audit

There are 3 Components of Audit Risk

1. Inherent Risk :- Susceptibility of an assertion to a misstatement that could be material, individually or when aggregated with other misstatements, assuming that there are no related controls.
2. Control Risk :- Risk that the entity’s internal control system will not prevent, or detect and correct on a timely basis, a misstatement that could be material, individually or when aggregated with other misstatements.
3. Detection Risk:- This is the risk that the auditor will not detect a misstatement that exists in an assertion that could be material, either individually or when aggregated with other misstatements. The acceptable level of detection risk for a given level of audit risk bears an inverse relationship to the risks of material misstatement at the assertion level

Mathematically Audit Risk (AR) can be expressed as a product of Inherent Risk (IR), Control Risk (CR) and Detection Risk (DR), i.e.    

Audit Risk                                 = Inherent Risk x Control Risk x Detection Risk

Risk of material Misstatement  = Inherent risk X Control risk

Thereby Audit Risk = Risk of Material Misstatement X Detection Risk

Assertions are the representations by management, explicit or otherwise, that are embodied in the financial statements, as used by the auditor to consider the different types of potential misstatements that may occur. Assertions can be classified in to following catagories

Assertions about classes of transactions and events for the period under audit:

1. Occurrence— transactions and events that have been recorded have occurred and pertain to the entity.
2. Completeness— all transactions and events that should have been recorded have been recorded
3. Accuracy— amounts and other data relating to recorded transactions and events have been recorded appropriately.
4. Cut-off— transactions and events have been recorded in the correct accounting period
5. Classification- transactions and events have been recorded in the proper accounts.

Assertions about account balances at the period end:

1. Existence— assets, liabilities, and equity interests exist.
2. Rights and Obligations – the entity holds or controls the rights to assets and liabilities are the obligations of the entity
3. Completeness – All Assets, liabilities and equity interest have been recorded completely
4. Valuation & Allocation- Assets, liabilities and equity interest are included in the FS at appropriate amounts any resulting valuation or allocation adjustments are appropriately recorded.

Assertions about presentation and disclouser:-

1. Occurrence and rights and obligations — disclosed events, transactions, and other matters have occurred and pertain to the entity.
2. Completeness— all disclosures that should have been included in the financial statements have been included.
3. Classification and understandability— financial information is appropriately presented and described, and disclosures are clearly expressed.
4. Accuracy and valuation— financial and other information are disclosed fairly and at appropriate amounts.

The auditor shall obtain an understanding of the following:

1. Relevant industry, regulatory, and other external factors including the applicable financial reporting framework. 
2. The nature of the entity, including:

• its operations;
• its ownership and governance structures;
• the types of investments that the entity is making and plans to make, including investments in special-purpose entities; and
• the way that the entity is structured and how it is financed; to enable the auditor to understand the classes of transactions, account balances, and disclosures to be expected in the financial statements.

3. The entity’s selection and application of accounting policies, including the reasons for changes thereto. The auditor shall evaluate whether the entity’s accounting policies are appropriate for its business and consistent with the applicable financial reporting framework and accounting policies used in the relevant industry. 
4. The entity’s objectives and strategies, and those related business risks that may result in risks of material misstatement. 
5. The measurement and review of the entity’s financial performance.

The auditor shall perform risk assessment procedures to provide a basis for the identification and assessment of risks of material misstatement at the financial statement and assertion levels. The risk assessment procedures shall include the following:

1. Inquiries of management and of others within the entity who in the auditor’s judgment may have information that is likely to assist in identifying risks of material misstatement due to fraud or error.
2. Analytical procedures. 
3. Observation and inspection.

Auditor should also consider wether following would be useful in identifying ROMM

• information obtained from the auditor’s client acceptance or continuance process
• information obtained in other engagements conducted by engagement partner to the entity
• When the auditor intends to use information obtained from the auditor’s previous experience with the entity and from audit procedures performed in previous audits, the auditor shall determine whether changes have occurred since the previous audit that may affect its relevance to the current audit

1. Internal Control System” means all the policies and procedures (internal controls) adopted by the management of an entity to assist in achieving management’s objective of ensuring, as far as practicable, the orderly and efficient conduct of its business, including adherence to management policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information.
2. It is thus, a primary responsibility of every management to create and maintain an adequate system of internal control appropriate to the size and nature of the business entity.
3. The auditor shall obtain an understanding of internal control relevant to the audit. Although most controls relevant to the audit are likely to relate to financial reporting, not all controls that relate to financial reporting are relevant to the audit. It is a matter of the auditor’s professional judgment whether a control, individually or in combination with others, is relevant to the audit.

1. Transactions are executed through general or specific management authorization
2. All transactions are promptly recorded in an appropriate manner to permit the preparation of financial information and to maintain accountability of assets
3. Assets and records are safeguarded from unauthorized access, use or disposition
4. Assets are verified at reasonable intervals and appropriate action is taken with regard to the discrepancies.
5. The basic accounting control objectives which are sought to be achieved by any accounting control system is to ensure that all transactions are 

• Recorded
• Real
• Properly valued
• Recorded timely
• Properly posted
• Properly classified and disclosed
• Properly summaraized

The objective of the audit is to reduce this audit risk to an acceptably low level. This may be achieved by performing procedures that respond to the assessed risks

Internal control, no matter how effective, can provide an entity with only reasonable assurance and not absolute assurance due to following inherent limitations 

1. Management’s consideration that the cost of an internal control does not exceed the expected benefits to be derived.
2. The fact that most internal controls do not tend to be directed at transactions of unusual nature. The potential for human error, such as, due to carelessness, distraction, mistakes of judgement and misunderstanding of instructions.
3. The possibility of circumvention of internal controls through collusion with employees or with parties outside the entity.
4. The possibility that a person responsible for exercising an internal control could abuse that responsibility, for example, a member of management overriding an internal control.
5. Manipulations by management with respect to transactions or estimates and judgements required in the preparation of financial statements.

In order to achieve the objectives of internal controls, it is necessary to establish adequate control policies and procedures. Most of these policies and procedures cover:

1. Segregation of duties:- Transaction processing are allocated to different persons in such a manner that no one person can carry through the completion of a transaction from start to finish or the work of one person is made complimentary to the work of another person.
2. Authorization of Transaction – Delegation of authority to different levels and to particular persons are required to establish by the management for controlling the execution of transaction in accordance with prescribed conditions.
3. Adequacy of Records and Documents 
4. Accountability and Safeguarding of Assets – The process of accountability of assets commences from acquisitions of assets its use and final disposal. Safeguarding of assets requires appropriate maintenance of records, their periodic reconciliation with the related assets
5. Independent Checks – Independent verification of the control systems, designed and implemented by the management, involves periodic or regular review by independent persons to ascertain whether the control procedures are operating effectively or not.

The auditor shall identify and assess the risks of material misstatement at:

1. the financial statement level; and 
2. the assertion level for classes of transactions, account balances, and disclosures; 

to provide a basis for designing and performing further audit procedures. For this purpose, the auditor shall:

• Identify risks throughout the process of obtaining an understanding of the entity and its environment, including relevant controls that relate to the risks, and by considering the classes of transactions, account balances, and disclosures in the financial statements; 
• Assess the identified risks, and evaluate whether they relate more pervasively to the financial statements as a whole and potentially affect many assertions;
• Relate the identified risks to what can go wrong at the assertion level, taking account of relevant controls that the auditor intends to test; and 
• Consider the likelihood of misstatement, including the possibility of multiple misstatements, and whether the potential misstatement is of a magnitude that could result in a material misstatement.

As part of the risk assessment, the auditor shall determine whether any of the risks identified are, in the auditor’s judgment, a significant risk. In exercising this judgment, the auditor shall exclude the effects of identified controls related to the risk.

In exercising judgment as to which risks are significant risks, the auditor shall consider at least the following:

1. Whether the risk is a risk of fraud;
2. Whether the risk is related to recent significant economic, accounting, or other developments like changes in regulatory environment, etc., and, therefore, requires specific attention;
3. The complexity of transactions;
4. Whether the risk involves significant transactions with related parties;
5. The degree of subjectivity in the measurement of financial information related to the risk, especially those measurements involving a wide range of measurement uncertainty; and
6. Whether the risk involves significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual. 

The auditor’s assessment of the risks of material misstatement at the assertion level may change during the course of the audit as additional audit evidence is obtained. In circumstances where the auditor obtains audit evidence from performing further audit procedures, or if new information is obtained, either of which is inconsistent with the audit evidence on which the auditor originally based the assessment, the auditor shall revise the assessment and modify the further planned audit procedures accordingly.

To get detailed understanding of the concept you can consider purchasing our Audit classes from here – https://lecturepedia.in/product/ca-final-audit-fastrack-classes-for-nov-2023-onward-exams-by-ca-balakrishna-kovuru/