AU-C Section 315: Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement

"Scope of This Section

.01 This section addresses the auditor's responsibility to identify and assess the risks of material misstatement in the financial statements through understanding the entity and its environment, including the entity's internal control.

Effective Date

.02 This section is effective for audits of financial statements for periods ending on or after December 15, 2012.

Objective

.03 The objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and relevant assertion levels through understanding the entity and its environment, including the entity's internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement."

".05 The auditor should perform risk assessment procedures to provide a basis for the identification and assessment of risks of material misstatement at the financial statement and relevant assertion levels. Risk assessment procedures by themselves, however, do not provide sufficient appropriate audit evidence on which to base the audit opinion. (Ref: par. .A1–.A5)"

".06 The risk assessment procedures should include the following:

a. Inquiries of management, appropriate individuals within the internal audit function (if such function exists), others within the entity who, in the auditor's professional judgment, may have information that is likely to assist in identifying risks of material misstatement due to fraud or error (Ref: par. .A6–.A13)"

".06 The risk assessment procedures should include the following ...

b. Analytical procedures (Ref: par. .A14–.A17)"

".06 The risk assessment procedures should include the following...

c. Observation and inspection (Ref: par. .A18)"

".07 The auditor should consider whether information obtained from the auditor's client acceptance or continuance process is relevant to identifying risks of material misstatement.

.08 If the engagement partner has performed other engagements for the entity, the engagement partner should consider whether information obtained is relevant to identifying risks of material misstatement.

.09 During planning, the auditor should consider the results of the assessment of the risk of material misstatement due to fraud along with other information gathered in the process of identifying the risks of material misstatements.

.10 When the auditor intends to use information obtained from the auditor's previous experience with the entity and from audit procedures performed in previous audits, the auditor should determine whether changes have occurred since the previous audit that may affect its relevance to the current audit. (Ref: par. .A19–.A20)

.11 The engagement partner and other key engagement team members should discuss the susceptibility of the entity's financial statements to material misstatement and the application of the applicable financial reporting framework to the entity's facts and circumstances. The engagement partner should determine which matters are to be communicated to engagement team members not involved in the discussion. (Ref: par. .A21–.A23)"

".12 The auditor should obtain an understanding of the following:

a. Relevant industry, regulatory, and other external factors, including the applicable financial reporting framework. (Ref: : par. .A25–.A29)"

".12 The auditor should obtain an understanding of the following:...

b. The nature of the entity, including

i. its operations;

ii. its ownership and governance structures;

iii. the types of investments that the entity is making and plans to make, including investments in entities formed to accomplish specific objectives; and

iv. theway that the entity is structured and how it is financed, to enable the auditor to understand the classes of transactions, account balances, and disclosures to be expected in the financial statements. (Ref: par. .A30–.A34)"

".12 The auditor should obtain an understanding of the following:...

c. The entity's selection and application of accounting policies, including the reasons for changes thereto. The auditor should evaluate whether the entity's accounting policies are appropriate for its business and consistent with the applicable financial reporting framework and accounting policies used in the relevant industry.(Ref: par. .A35) "

".12 The auditor should obtain an understanding of the following:...

d. The entity's objectives and strategies and those related business risks that may result in risks of material misstatement. (Ref: par. .A36–.A42)"

".12 The auditor should obtain an understanding of the following:...

e. The measurement and review of the entity's financial performance. (Ref: par. .A43–.A48)"

"13. The auditor should obtain an understanding of internal control relevant to the audit. Although most controls relevant to the audit are likely to relate to financial reporting, not all controls that relate to financial reporting are relevant to the audit. It is a matter of the auditor's professional judgment whether a control, individually or in combination with others, is relevant to the audit. (Ref: par. .A49–.A74)"

".14 When obtaining an understanding of controls that are relevant to the audit, the auditor should evaluate the design of those controls and determine whether they have been implemented by performing procedures in addition to inquiry of the entity's personnel. (Ref: par. .A75–.A77)"

".15 Control environment. The auditor should obtain an understanding of the control environment. As part of obtaining this understanding, the auditor should evaluate whether

a. management, with the oversight of those charged with governance, has created and maintained a culture of honesty and ethical behavior and

b. the strengths in the control environment elements collectively provide an appropriate foundation for the other components of internal control and whether those other components are not undermined by deficiencies in the control environment. (Ref: par. .A79–.A89) "

".16 The entity's risk assessment process. The auditor should obtain an understanding of whether the entity has a process for

a. identifying business risks relevant to financial reporting objectives,

b. estimating the significance of the risks,

c. assessing the likelihood of their occurrence, and

d. deciding about actions to address those risks. (Ref: par. .A90–.A91)

.17 If the entity has established a risk assessment process (referred to hereafter as the entity's risk assessment process), the auditor should obtain an understanding of it and the results thereof. If the auditor identifies risks of material misstatement that management failed to identify, the auditor should evaluate whether an underlying risk existed that the auditor expects would have been identified by the entity's risk assessment process. If such a risk exists, the auditor should obtain an understanding of why that process failed to identify it and evaluate whether the process is appropriate to its circumstances or determine if a significant deficiency or material weakness exists in internal control regarding the entity's risk assessment process.

.18 If the entity has not established such a process or has an ad hoc process, the auditor should discuss with management whether business risks relevant to financial reporting objectives have been identified and how they have been addressed. The auditor should evaluate whether the absence of a documented risk assessment process is appropriate in the circumstances or determine whether it represents a significant deficiency or material weakness in the entity's internal control. (Ref: par. .A92)"

".19 The information system, including the related business processes relevant to financial reporting and communication. The auditor should obtain an understanding of the information system, including the related business processes relevant to financial reporting, including the following areas:

a. The classes of transactions in the entity's operations that are significant to the financial statements.

b. The procedures within both IT and manual systems by which those transactions are initiated, authorized, recorded, processed, corrected as necessary, transferred to the general ledger, and reported in the financial statements.

c. The related accounting records supporting information and specific accounts in the financial statements that are used to initiate, authorize, record, process, and report transactions. This includes the correction of incorrect information and how information is transferred to the general ledger. The records may be in either manual or electronic form.

d. How the information system captures events and conditions, other than transactions, that are significant to the financial statements.

e. The financial reporting process used to prepare the entity's financial statements, including significant accounting estimates and disclosures.

f. Controls surrounding journal entries, including nonstandard journal entries used to record nonrecurring, unusual transactions, or adjustments.

This understanding of the information system relevant to financial reporting should include relevant aspects of that system relating to information disclosed in the financial statements that is obtained from within or outside of the general and subsidiary ledgers. (Ref: par. .A93–.A99) [As amended, effective for audits of financial statements for periods ending on or after December 15, 2021, by SAS No. 134.] "

".21 Control activities relevant to the audit. The auditor should obtain an understanding of control activities relevant to the audit, which are those control activities the auditor judges it necessary to understand in order to assess the risks of material misstatement at the assertion level and design further audit procedures responsive to assessed risks. An audit does not require an understanding of all the control activities related to each significant class of transactions, account balance, and disclosure in the financial statements or to every assertion relevant to them. However, the auditor should obtain an understanding of the process of reconciling detailed records to the general ledger for material account balances. (Ref: par. .A102–.A109)

.22 In understanding the entity's control activities, the auditor should obtain an understanding of how the entity has responded to risks arising from IT. (Ref: par. .A110–.A113) "

".23 Monitoring of controls. The auditor should obtain an understanding of the major activities that the entity uses to monitor internal control over financial reporting, including those related to those control activities relevant to the audit, and how the entity initiates remedial actions to deficiencies in its controls. (Ref: par. .A114–.A115)

.24 If the entity has an internal audit function,3 the auditor should obtain an understanding of the nature of the internal audit function's responsibilities how the internal audit function fits in the entity's organizational structure, and the activities performed or to be performed. (Ref: par. .A117–.A124) [As amended, effective for audits of financial statements for periods ending on or after December 15, 2014, by SAS No. 128.]

.25 The auditor should obtain an understanding of the sources of the information used in the entity's monitoring activities and the basis upon which management considers the information to be sufficiently reliable for the purpose. (Ref: par. .A125)"

".26 To provide a basis for designing and performing further audit procedures, the auditor should identify and assess the risks of material misstatement at

a. the financial statement level and (Ref: par. .A126–.A129) "

".26 To provide a basis for designing and performing further audit procedures, the auditor should identify and assess the risks of material misstatement at...

b. the relevant assertion level for classes of transactions, account balances, and disclosures. (Ref: par. .A130–.A138)"