Importance of risk assessment as required in auditing standard

CA Amrita Chattopadhyay 
on 31 May 2019


Developments in business, regulation, corporate governance and user expectations drive change in auditing standards and methodologies, as do changes to the content of financial statements. Auditing standards have developed in two ways to tackle uncertainty attaching to financial statements and the range of possible outcomes they reflect. Firstly, there is the increasing focus on audit risk, so that more work is done during audit planning to assess those areas that require most attention. Secondly, auditing standard setters have developed new auditing standards and provided more detailed guidance on specific aspects of financial reporting. The importance of risk assessment in the auditing cannot be underestimated in the auditing of financial statement.

Following are the auditing standards, the documentation requirements and the documents which are needed to be maintained to comply with the Auditing Standard.

General Principals and responsibilities of Auditor


Auditing Standard

Documentation Requirement

Templates (which can be used)

SA 240 – The Auditor’s responsibilities relating to Fraud in an Audit of Financial Statements

  1. Identified and assessed risk of material misstatement due to fraud at financial statement level & assertion level
  2. Audit procedure applied on identification of fraud risk
  3.  Decision reached on performance of the audit procedures and the discussion with the engagement team
  4. Communication of fraud to management / Those Charged with Governance
  5. If revenue recognition is not subjected to fraud, the reason for the sam
  1. Risk assessment template / Fraud risk assessment template

SA 250 – Considerations of Laws and Regulations in an Audit of Financial Statements

  1. Details of the suspected non-compliance
  2. Minutes of discussion with management regarding non-compliance
  1. Risk assessment template
  2. Minutes of meeting with management

SA 260 – Communication with Those Charged With Governance

Includes all the matters as discussed in the individual Auditing Standard

  1. All the minutes of meeting with management

SA 265 – Communicating Deficiencies in Internal Control to Those Charged with Governance & Management

  1. Communicating through writing / minutes of meeting in fulfilling the overall responsibilities
  2. Impact of the deficiencies in the financial statement.
  3. Impact on the legal or regulatory requirements regarding specific type of deficiencies
  1. Minutes of meeting with management
  2. Final observation sheet

Note: Documents to be used for reporting of “Key Audit Matters” as per SA 701


Risk assessment and response to assessed risk


Auditing Standard

Documentation Requirement

Templates (which can be used)

SA 300 Planning an Audit of Financial Statement

  1. Overall scope, timing and Conduct of audit
  2. Audit plan containing the risk assessment procedure / Standard audit program
  3. Any significant changes made to the overall audit strategy or the audit plan
  1. Audit planning document
  2. Risk assessment template

SA 315 Identifying and Assessing the risks of material misstatement through understanding the entity & its environment

  1. Significant decisions taken during the discussion with engagement team
  2. Risk assessment at the financial statement level & assertion level and the audit procedure performed

Note: Depending on the complexity of the audit, documentation requirement of SA 300 & SA 315 can be combined

  1. Audit planning document
  2. Risk assessment template

Note: Documents to be used for reporting of “Key Audit Matters” as per SA 701

SA 320 Materiality in Planning & Performing an Audit

  1. Materiality of financial statement as a whole
  2. Materiality levels for particular classes of transactions, account balance or disclosures
  3. Performance materiality based on the risk of material misstatement
  1. Materiality template

Note: Documents to be used for reporting of “Key Audit Matters” as per SA 701

SA 330 The Auditor’s response to Assessed Risk

  1. Audit procedures adopted to address the risk
  2. Linking of procedures with the risk identified at the assertion level
  3. Results of audit procedure including the conclusions where these are otherwise not clear.
  1. Risk assessment template

SA 402 Audit considerations Relating to an Entity Using a Service Organization

  1. Obtaining understanding of service provided by service organization
  2. Responding to the assessed risk of material misstatement
  1. Risk assessment template

SA 450 Evaluation of misstatements Identified during the Audit

  1. The amount below which misstatements would be regarded as clearly trivial
  2.  All misstatements accumulated during the audit and whether they have been corrected
  3. Conclusion whether uncorrected misstatements are material
  1. Materiality template
  2. Final observation sheet with management comments

Audit Evidence


Auditing Standard

Documentation Requirement

Templates (which can be used)

SA 505 External Confirmations

  1. Details of external confirmation sent & received
  2. Reconciliation of confirmation with books of accounts
  1. Template for external confirmation

SA 570 (Revised) Going Concern

  1. Risk assessment procedure
  2. Additional audit procedure when events / conditions are identified
  1. Risk assessment template

SA 600 Using work of Another Auditor

SA 610 (Revised) Using work of Internal Auditors

SA 620 Using work of an Auditor’s expert

  1. Conclusion regarding adequacy of work and reliance
  2. Audit procedure performed by external auditor
  1. Details of observation and audit procedure followed
  2. Observations can be included in Risk assessment template

Risk Assessment Template

The risk assessment template consists of:

  1. The audit areas and the assertions to be evaluated
  2. For each audit area, the risk has to be assessed and record the risk (high, medium or low)
  3. Risk which can be categorized into inherent risk, analytical risk and control risks

Inherent risk = misstatement assuming that there are no related internal control

Analytical risk = Analytical procedure adopted as substantive procedure fail to detect material misstatement

Control risk = The risk cannot be prevented, detected and corrected on timely basis by entity’s internal control.

  1. After analyzing the risk, the audit approach / audit program to mitigate the risk has to be stated (The risk and procedure has to be specified in reporting Key Audit Matters as per SA 701 – Communicating Key Audit Matters in Independent Auditor’s report).

Format of risk assessment template


Audit area / Assertions

Inherent risk

Analytical risk

Control risk

Sample taken

Audit procedure

Property, Plant & Equipment

  1. Existence
  1. Rights & obligation
  1. Completeness
  1. Valuation & Allocation
  1. Classification

The risk assessment can be done based on the “Risk Control matrix” prepared by the management as per S.134 and Rule 8(5)(vii) of Companies Act, 2013. The Risk Control Matrix would be generally prepared in the following format. However, it may differ as per the nature and size of the company. Risk assessment would be done by testing of controls for each assertion level.

Format of Risk Control Matrix


Process / sub-process

Risk description

Key controls

Control No.

Manual/ automatic/ semi-automatic

Operational / financial/ compliance

Property, Plant & Equipment

Capitalization accounting & process

The process of capitalization may not be adequate for different categories of fixed asset

a. Building will be capitalized on receipts of completion/possession certificate from the departments concerned

b. Equipment will similarly be capitalized on receipt of commissioning/ completion certificate from the departments concerned.

c. Furniture, office equipment and vehicles will be capitalized on receipt of certificates for the assets having been put to use.

C_FA_01

Semi-automatic

Operational & financial


The author has helped many service and manufacturing organizations in risk analysis and risk assessment by checking the design and operating effectiveness of the controls. She can be contacted at amritac80@gmail.com 


Recommended Read




Category Audit
Other Articles by - CA Amrita Chattopadhyay 







Popular Articles



CCI Articles

submit article

Stay updated with latest Articles!




Grant Thornton

CA Final FR

Advanced Auditing



close
CA Learning