17 May 2022
The fourth concept recognised in the new ISA 315 (paragraph 5) builds on the emphasis on inherent risk (IR) discussed in the last article and the need for a separate assessment of inherent risk and control risk.
ISA 200 tells us that inherent risk is higher for some assertions and related classes of transactions, account balances and disclosures than for others. The degree to which inherent risk varies is referred to in ISA 315 as the ‘spectrum of inherent risk.’ The concepts of the spectrum of risk and separate assessment of inherent and control risks were introduced in the ISA 540 standard on the audit of estimates. It is now to be applied across the board in this updated standard.
Also, as we have seen, RoMM at the assertion level for inherent risk is assessed in terms of likelihood of occurrence and magnitude of potential impact. These two factors are always to be considered in tandem, and the combination of a higher likelihood of occurrence and high magnitude creates a significant risk – like nitro-meets-glycerine!
Explosive risks – handle with care
As in the case of handling something explosive, much more care is needed for significant risks. Paragraph A12 states that “The higher on the spectrum of inherent risk a risk is assessed, the more persuasive the audit evidence needs to be.” Thus we are to focus our time and energy on the potentially explosive risks.
In discussing the magnitude of a risk, paragraph A211 states that we are to consider “…the qualitative and quantitative aspects of the possible misstatement…” That is, more than just the dollars, but including the nature and circumstances of the risk.
Paragraph A214 state that the auditor may use different scales or ways of categorising the elements of inherent risk, however, the important thing is that the result will ensure that “…the design and implementation of further audit procedures to address the identified risks of material misstatement at the assertion level is appropriately responsive to the assessment of inherent risk and the reasons for that assessment.”
What about a low-risk audit?
What if the client has no items towards the higher end of the spectrum? What work is then required? The standard does not give much guidance in these cases, although A219 says: “Being close to the upper end of the spectrum of inherent risk will differ from entity to entity, and will not necessarily be the same for an entity period on period. It may depend on the nature and circumstances of the entity for which the risk is being assessed.”
A sensible approach is to assume that while an entity may have few or no significant risks, the risks that rank highest should be where the bulk of the work should be focussed.