1.1. Financial statement level risks

Financial statement level risks are risks that relate pervasively to the financial statements as a whole and potentially impact many relevant assertions.

1.2. Assertion level risks

Assertion level risks are risks that relate to specific transactions, account balances, or disclosures at the relevant assertion level.

1.3. Identifying significant risks

Significant risks are risks that require special audit consideration. The auditor uses professional judgment to determine whether a given risk of material misstatement is a  significant risk.

1.4. Assessing specific risks

For each identified risk, the auditor should consider:

• What could go wrong at the relevant assertion level.

• The significance and likelihood of potential material misstatements.

• Whether the risk is significant enough to require special audit consideration.

• Whether tests of controls are required because substantive tests alone are insufficient to reduce detection risk to an acceptably low level.

• Whether the risk relates to a specific relevant assertion or whether it has a more pervasive effect on the financial statements.

1.5. Required documentation

The auditor should document:

• The discussion among the audit team regarding risk assessment, including how and when it occurred, the participants, the subject matter discussed, and significant decisions reached.

• Key elements of the understanding of the entity and its environment (including each of the components of internal control), the sources of information used to develop the

• understanding, and the risk assessment procedures performed.

• The assessment of the risks of material misstatement (at both the financial statement and relevant assertion level) and the basis for the assessment.

• The identified risks and related controls evaluated by the auditor.

2.2. Response to risks at the relevant assertion level

The auditor should design audit procedures that address the risks of material misstatement for each relevant assertion of each significant account, balance, or disclosure.

Three elements of further audit procedures can be varied by the auditor:

1. Nature

2. Extent

3. Timing

The auditor's specific approach to identified risks at the relevant assertion level may consist of either a substantive approach only or a combined approach.

• Substantive approach

• Combined approach

• Dual purpose tests

3. Responding to RMM: Test of controls

3.1. When to perform tests of controls

In making risk assessments, the auditor should identify those controls that are likely to prevent or detect and correct material misstatements in specific relevant assertions.

3.2. Operating effectivness of controls

Some risk assessment procedures performed to obtain an understanding of internal control may provide evidence about operating effectiveness, even if they were not intended for that purpose.

3.3. Tests of design and operating effectiveness

When performing tests of controls, the auditor must obtain evidence that the controls selected for testing were both designed effectively and operated effectively during the period of reliance.

3.4. Results of tests of controls

After performing tests of controls, the auditor may conclude that audit evidence indicates that controls are either:

1. Operating effectively and can be relied upon. The auditor then proceeds to substantive procedures based on the assessed risks of material misstatement.

2. Not operating effectively, in which case the auditor can: 

• test alternative controls; or

• reassess control risk (i.e. reassess from low to high), thereby resulting in the need for more reliable and extensive substantive procedures.

4. Responding to RMM: Substantive procedures

• Substantive procedures are used to detect material misstatements at the relevant assertion level.

• The nature, extent, and timing (NET) of substantive procedures should be responsive to the assessed risks of material misstatement, including the results of tests of controls and the planned level of detection risk.

• Regardless of the assessed risks of material misstatement, substantive procedures are required for each material transaction class, account balance, or disclosure.

• The fact that a substantive procedure does not identify any material misstatements does not necessarily imply that the related control is operating effectively.

• Substantive procedures should include:

  • • Agreement of the financial statements, including disclosures, to the underlying accounting records.

    • Examination of material journal entries or adjustments made while preparing the financial statements.

    • Evaluation of the overall presentation of the financial statements, including disclosures, in accordance with the applicable financial reporting framework to ensure the appropriate classification, presentation, structure, and content.