ISA 315 gives an overview of the procedures that the auditor should follow in order to obtain an understanding sufficient to assess audit risks, and these risks must then be considered when designing the audit plan. ISA 315 goes on to require that the auditor shall perform risk assessment procedures to provide a basis for the identification and assessment of risks of material misstatement at the financial statement and assertion levels. ISA 315 goes on to identify the following three risk assessment procedures:
Making inquiries of management and others within the entity
Auditors must have discussions with the client’s management about its objectives and expectations, and its plans for achieving those goals.
Analytical procedures
Analytical procedures performed as risk assessment procedures should help the auditor in identifying unusual transactions or positions. They may identify aspects of the entity of which the auditor was unaware, and may assist in assessing the risks of material misstatement in order to provide a basis for designing and implementing responses to the assessed risks.
Observation and inspection
Observation and inspection may also provide information about the entity and its environment. Examples of such audit procedures can potentially cover a very broad area, including observation or inspection of the entity’s operations, documents, and reports prepared by management, and of the entity’s premises and plant facilities.
ISA 315 requires that risk assessment procedures should, at a minimum, comprise a combination of the above three procedures, and the standard also requires that the engagement partner and other key engagement team members should discuss the susceptibility of the entity’s financial statements to material misstatement. Key risks can be identified at any stage of the audit process, and ISA 315 requires that the engagement partner should also determine which matters are to be communicated to those engagement team members not involved in the discussion.
2. 理解一個實體
ISA 315 gives detailed guidance about the understanding required of the entity and its environment by auditors, including the entity’s internal control systems. Understanding of the entity and its environment is important for the auditor in order to help identify the risks of material misstatement, to provide a basis for designing and implementing responses to assessed risk (see reference below to ISA 330, The Auditor’s Responses to Assessed Risks), and to ensure that sufficient appropriate audit evidence is collected. Given that the focus of this article is audit risk, however, students should ensure that they also make themselves familiar with the concept of internal control, and the components of internal control systems.
3. 定義和評估重要風險和可能導致重大誤報的風險
In exercising judgement as to which risks are significant risks, the auditor is required to consider the following:
Whether the risk is a risk of fraud.
Whether the risk is related to recent significant economic, accounting or other developments, and therefore requires specific attention.
The complexity of transactions.
Whether the risk involves significant transactions with related parties.
The degree of subjectivity in the measurement of financial information related to the risk, especially those measurements involving a wide range of measurement uncertainty.
Whether the risk involves significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual.
4. ISA 330 和風險的反饋
The requirements of ISA 330, The Auditor’s Responses to Assessed Risks, will be covered in a future article, but essentially ISA 330 gives guidance about the nature and extent of the testing required, based on the risk assessment findings.
