Skip To Main Content
Business person adding a wooden block to a partially completed wall.

CAS 315: Preparing for the new risk identification and assessment standard

Now is the time. Learn about significant revisions to Canadian Auditing Standard (CAS) 315 that promote a more effective risk identification and assessment – your audit depends on it.

Identifying and assessing the risks of material misstatement is the foundation to every financial statement audit. For this reason, it is vital that you, as an auditor, understand the changes to CAS 315, Identifying and Assessing the Risks of Material Misstatement, and how these changes will impact your audit engagements.

This blog covers:

  • when the standard is effective
  • the objectives of the revision
  • what has changed
  • tips and resources to prepare for implementation
Haven't signed up yet? Subscribe now to join our growing audience of over 10,000 professionals who receive updates on the latest audit quality blogs as well as resources and professional development opportunities.SIGN ME UP

When is the revised standard effective?

This revised CAS is effective for audits of financial statements for periods beginning on or after December 15, 2021. Depending on your clients’ year-end, you may already be applying the revised standard and be aware of the change. If not – now’s the time! While the risk identification and assessment process is an iterative one, it starts during the planning phase of the audit. Now that the extant standard no longer applies, it’s important that your firm has revisited its approach to risk identification and assessment, and that you are well equipped going into your 2022 audits.

Objectives of the revision

The standard has been significantly enhanced to evolve with the increasingly complex nature of the economic, technological and regulatory aspects of the markets and environments in which entities and audit firms operate. However, the audit risk model remains unchanged. As well, the objective is still to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels. This risk identification and assessment is so important because it provides the basis for designing and implementing the responses to those risks and affects the nature, timing and extent of your audit procedures.

Through revising, reorganizing and enhancing the extant standard, the changes intend to:

  • promote consistency in application of procedures for risk identification and assessment
  • make the standard more scalable through revised principles-based requirements
  • reduce the complexity and make the standard more usable by auditors of all entities, whatever the nature of complexity
  • encourage a more robust risk assessment and therefore more focused responses to those identified risks
  • support auditors using the standard by incorporating guidance material that recognizes the evolving environment, including in relation to information technology

Key revisions and enhancements

New requirements

The following list provides a summary of new requirements, as compared with the extant standard, to help you understand key changes that will affect your risk identification and assessment approach moving forward.

1. Clarifying which controls to identify for purposes of evaluating the design of a control, and determining whether the control has been implemented (D&I)

To allow for more consistency and less interpretation in practice, revised CAS 315 brings together the specific areas in which the auditor is required to identify controls to obtain an understanding of the control activities component. These include:

  • controls that address a significant risk
  • controls over journal entries
  • controls for which you plan to test operating effectiveness
  • other controls that you consider appropriate
  • general information technology (IT) controls that address risks arising from the entity's use of IT

2. A separate assessment of inherent risk

The extant standard permits a combined assessment of inherent and control risk; many auditors were separately assessing inherent risk and control risk. With that said, if your firm’s audit methodology under extant CAS 315 had a combined assessment, this change will apply to you. A separate assessment of inherent risk enhances the quality of your risk assessment process by avoiding, for example, making inappropriately lower risk assessments based on assumptions or inadvertent reliance that controls are operating effectively, without having evaluated the design and tested the operating effectiveness of those controls.

3. Concepts and definitions: “inherent risk factors,” “likelihood and magnitude of misstatement” and “spectrum of inherent risk”

These concepts help provide you with more focus and quality in your risk assessment process. As a result, your response to the identified and assessed risks are also more focused on the identified and assessed risks, contributing to a quality audit.

Inherent risk factors include complexity, subjectivity, change, uncertainty, or susceptibility to misstatement due to management bias or other fraud risk factors insofar as they affect inherent risk. These inherent risk factors represent events or conditions that can affect an assertion's susceptibility to misstatement, whether due to fraud or error. By understanding the inherent risk factors, it helps you find where the possible risks of misstatement are. Then you understand the degree to which the inherent risk factors affect this susceptibility to narrow the risks of misstatements down to identified risks of material misstatement.

For each identified risk of material misstatement at the assertion level, you assess inherent risk by assessing the likelihood and magnitude of misstatement, taking into account how, and the degree to which, those inherent risk factors affect the susceptibility of those relevant assertions to misstatement.

The degree to which inherent risk varies is referred to as the spectrum of inherent risk. It’s the combination of likelihood and magnitude that will determine where inherent risk is assessed on the spectrum of inherent risk. You exercise professional judgement to determine the significance of the combination of the likelihood and magnitude of a misstatement, which may vary based on the nature, size and complexity of the entity. Those identified risks of material misstatement for which inherent risk is assessed as close to the upper end of the spectrum of inherent risk are significant risks. A higher inherent risk assessment may also arise from different combinations of likelihood and magnitude, for example a higher inherent risk assessment could result from a lower likelihood but a very high magnitude.

4. Risk assessment stand-back

Risk assessment is an iterative process. A risk assessment stand-back is intended to drive an evaluation of the completeness of the identified risks of material misstatement by requiring you to evaluate whether your risk assessment remains appropriate.

New information may come to light, which may:

  • change the identified risks of material misstatement because this information is inconsistent with the audit evidence on which you originally base your identification, or
  • cause the identification of a new risk of material misstatement

This could have significant implications for the nature, timing, and extent of procedures you perform in responding to those identified risks of material misstatement.

Notable enhancements

1. More guidance on IT, particularly IT general controls

The standard has been modernized and enhanced to include auditor considerations in relation to IT, including new and updated appendices for understanding IT and IT general controls. The appendices set out considerations relevant to software of different complexities, ranging from non-complex commercial software to complex IT applications and give examples of different areas that may help the audit teams’ understanding of the entity’s IT environment and controls. Automated tools and techniques (ATT) are given greater prominence in the new standard as well, with paragraphs that provide explanations on how auditors may use ATT in performing risk assessment procedures. Our recent blog post on ATT provides a summary of resources available to help you learn more.

2. Scalability

The revised standard incorporates application material paragraphs (including examples) that highlight proportionality and scalability under separate headings. These paragraphs provide you with context for how to apply the requirements of CAS 315 to all types of entities – from those entities that are less complex to those that are complex – and support the exercise of professional judgment in determining the audit procedures you perform.

3. Enhanced requirements relating to exercising professional skepticism

Professional skepticism is an attitude applied when making professional judgments, which then provides the basis for one’s actions. When designing and performing risk assessment procedures, you do so in a way that is not biased toward obtaining audit evidence that may be corroborative or toward excluding audit evidence that may be contradictory. You may exercise professional skepticism by:

  • questioning contradictory information and the reliability of documents
  • considering responses to inquiries and other information obtained from management and those charged with governance
  • being alert to conditions that may indicate possible misstatement due to fraud or error
  • considering whether audit evidence obtained supports your identification and assessment of the risks of material misstatement in light of the entity’s nature and circumstances

For further guidance on the above changes and enhancements, explanations of why some of the requirements exist, and additional guidance on certain other requirements in CAS 315 where you may run into implementation challenges, check out our CAS 315 tool.

Preparing for implementation

How can I prepare and what resources are available to help?

  • The revised standard has doubled in length. You will notice that the requirements have become more granular, the application materials contain additional examples and there are six new appendices with more detailed guidance. The purpose of this is to explain how the new and enhanced standard will work in practice. Familiarize yourself with the key concepts, new definitions, and all requirements by reading the entirety of CAS 315 to develop an understanding of the standard and its practical implications.
  • If you are reliant on a provider for your audit methodology, check in early to ensure the methodology has been revised to reflect the revised standard.
  • Start your engagement team discussions. Open and robust team discussions assist in the sharing of information to enhance the risk assessment and allow for the consideration of contradictory information based on each team member’s understanding of the entity. Remember, audit file documentation needs to sufficiently reflect the discussions held and the use of professional skepticism.
  • Consider the extent to which prior year risk assessment working papers can or cannot be rolled forward as a starting point for the current year risk assessment working papers.
  • Consider how the revised standard will affect your interactions with, and requests of, members of entity management involved in the audit process, as well as those charged with governance.
  • Access our suite of resources:

Keep the conversation going

Have you started implementing the new risk assessment standard? What other questions do you have about the standard and its implementation? We are interested in hearing your feedback on the guidance we publish and what you are seeing in practice. Post a comment below or email us directly.

Disclaimer

The views and opinions expressed in this article are those of the author and do not necessarily reflect that of CPA Canada.