Candidates will be tasked with a question set at the planning stage of an engagement in section A. This will require candidates to evaluate risks relevant to an audit or assurance engagement. This article is intended to help candidates to achieve both the technical and professional marks usually associated with these types of requirements.
ISA315 (Revised), Identifying and Assessing the Risks of Material Misstatement gives extensive guidance on the need to understand the client’s business, controls and operating environment in order to assess the risks on the engagement. Audit risk arises through these risks of material misstatement but also assess the risk that these may not be detected during the audit process. Candidates are tested on their skills in identifying and evaluating these risks
Business risk in audit planning questions
ISA315 (Revised) explains that understanding the entity’s objectives, strategy and business model helps the auditor to understand the entity at a strategic level, and to understand the business risks the entity takes and faces. An understanding of the business risks that have an effect on the financial statements assists the auditor in identifying risks of material misstatement, since most business risks will eventually have financial consequences and, therefore, an effect on the financial statements.
ISA315 (Revised) defines business risk as a risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies.
A typical requirement in section A with a focus on business risk would be 'Using the exhibits provided, evaluate the significant business risks facing the company/group'. The key elements to consider for this requirement to note are as follows:
• Using the exhibits
Candidates are not required to have any industry specific knowledge. There will be sufficient detail in the scenario to allow candidates to identify the key risks which should be evaluated. Candidates should focus on the risks arising from the information provided and not speculate on additional risks which might arise.
• Evaluate
In order to evaluate effectively, Candidates will initially need to identify the risk arising from the information provided and illustrate the impacts of the risk on the client. Candidates should make use of specific points that are relevant to the client in the question rather than be discussed in a generic context.
Candidates should then expand on this issue in order to fully evaluate a point. There needs to be an assessment of the scale of the risk in the context of the scenario. For example, an illustration of why this risk is particularly significant for this client or discussing how the impact may be increased in the light of other risks and information relevant to the scenario.
• Significant
In the context of the AAA exam, it is essential that candidates assess the significant business risks within the scenario. These should be assessed as those issues which are a medium to high likelihood of occurrence and impact, after consideration of any mitigation which is described in the scenario.
• Risk
Business risks, in the context of the AAA exam, are areas of uncertain occurrence and outcome, not factual statements of something which has already happened and, therefore, is already fully quantified in the scenario.
Consider the example below from the September 2022 published question Winberry Co, a listed food delivery company whose sales are made entirely online.