This article first appeared on the MHA Moore and Smalley website.
The risk landscape in which auditors work received an update. Numerous amendments to the International Standards of Auditing (ISAs), specifically ISA 315:Identifying and Assessing the Risks of Material Misstatement Through Understanding of the Entity and Its Environment. This standard now requires auditors to review the identification of the audit risk on a ‘risk spectrum’.
These are major changes to the approach of risk identification and assessment and are intended to drive a more focused audit response to the higher-risk areas of financial statements.
This standard came into use for periods commencing on or after 15 December 2021. Your auditors will need to take the new requirements into account for periods ended 31 December 2022 and onwards.
What is the risk spectrum?
Derived within ISA 315 is a new concept of a ‘risk spectrum’. Auditors will have to consider the new idea of inherent risks in an audit, where there is a risk that transactions, balances or disclosures within the financial statements are susceptible to material misstatement. The inherent risk factors to be considered are subjectivity, complexity, uncertainty, change and management bias.
This spectrum can be pictured on a graph, where auditors can plot the magnitude or size of the misstatement against the likelihood of the misstatement.
What will qualify as a greater risk?
Risks that would sit at the higher level of either likelihood or size would be significant risks; it is not a requirement for a specific risk to be high on both axes of likelihood and size.
Auditors’ will need to change their approach to this more specific assessment of risks and in turn, the consequent audit work may also need to be changed.
Other changes to the standard will bring into scope the understanding of controls in certain areas, but more specifically will require auditors to gain an understanding of the IT controls in place within a company. Auditors will need to gain an understanding of the way your company uses general IT controls in the processing of financial information, including any IT applications which feed into the main process and identify any risks arising from the use of IT as part of the risk spectrum analysis.
Auditors may therefore need to ask you more or different questions at the planning stage of the audit, on IT controls as well as for other areas of the audit, and they may also need to obtain different information and audit evidence to support their work than in previous years. When the time comes, they will explain to you why their approach has changed in more detail when this is applicable to do so.