SOCPA, represented by Audit Standards Committee, approves updates introduced by the IASB to ISA No. 315 "Identifying and Assessing the Risks of Material Misstatement" and consequential amendments arising from updates to this standard and other standards. Such approval was preceded by an examination of IASB’s updates, as well as satisfaction of SOCPA’s procedures to follow developments of international standards, and respond to inquiries and issues that are not addressed by international standards.
Accordingly, the committee decided to approve the revised ISA No. 315 "Identifying and Assessing the Risks of Material Misstatement" for application in Saudi Arabia as issued by IASB.
Amendments on ISA 315 include:
Majority of amendments made to the standard are improves and expands its requirements, providing a robust and consistent basis to identify and assess risks of material misstatement by establishing applicable requirements to understand the entity and its environment, including its internal control, with greater coverage of risks of information technology and in light of the changing environment.
A Summary of updates made to the standard:
1- The title of the standard has been amended to "Identifying and Assessing the Risks of Material Misstatement".
2- The scope of the standard remained the same with amendments made to its wording.
3. The objective of the standard remained the same with amendments made to its wording.
4- The standard did not significantly change its previous requirements, but rather rearranged a number of requirements, separated certain paragraphs, set sub-paragraphs to facilitate understanding of standard's requirements, and linked said requirements to the applied paragraphs attached thereto. For example:
· Risk assessment procedures remained unchanged.
· The requirements for the use of information from other sources remained unchanged.
· The requirements for discussion with the members of the review team remained unchanged.
· The requirements for reviewing the auditor's risk assessment remained unchanged.
5- An understanding of the applicable financial reporting framework has been added to the required understanding of the entity and its environment. It was also stressed that the required understanding of the entity and its environment included an understanding of how inherent risk factors affect susceptibility of assertions to misstatement in the preparation of the financial statements in accordance with by the applicable financial reporting framework.
6- Inclusion or further clarification of additional terms stated in the standard such as:
Policies or procedures that an entity establishes to achieve the control objectives Including definitions of policies and procedures.
significant classes of transactions, account balances, and disclosures; having one or more of relevant disclosures referred to above. Such transactions, account balances, and disclosures may be of relative importance, but not considered significant for the purposes of this standard if they do not have one or more relevant disclosures.
Relevant disclosures, which assertions regarding any classes of transactions, account balances, and disclosures have specific risks of material misrepresentation.
7- New concepts have been introduced within the standard similar to those in the revised Standard No. 540, such as:
Develop the concept of “inherent risk factors”; such factors may be qualitative or quantitative, and include complexity, subjectivity, change, uncertainty or susceptibility to misstatement due to management bias or other fraud risk factors.
degree of significant risks; the degree to which, inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should a misstatement occur.
Direct controls and indirect controls; direct controls are precise enough to address risks of material misstatement at the assertion level. Indirect controls are controls that support direct controls. Examples were provided on such concepts in various internal control systems.
The revised standard expanded its definition of significant risk to include an identified risk of material misstatement; as the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur. It also to be treated as a significant risk in accordance with the requirements of other ISAs.
9- The revised standard has been more closely aligned with ISA No. 200, with reference to the requirements of Standard No. 200 more than 15 times in comparison to one reference in the previous version of the standard. This underscores the responsibility of the auditor to assess the risks of material misstatement and relevance to the overall objectives of the Auditor. It has also been linked to the ISA 240, as it has been referenced in the revised standard to highlight the importance of an additional assessment of risks of material misstatement due to fraud.
10 - A section was provided to demonstrate the key concepts used in the standard. It included:
· The necessity of assessing inherit risks and control risks independently to avoid material misstatements.
· Affirm that risk identification and assessment process is iterative and dynamic, as it requires the auditor to revise the risk assessments, and modify further overall responses and further audit procedures.
· The standard is linked with ISA 200, overall objectives of the Auditor; ISA 240, additional requirements in relation to the risks of fraud; ISA 330, The Auditor’s Reponses to Assessed Risks.
· The standard introduced scalability considerations which illustrate the application of the requirements to all entities regardless of whether their nature and circumstances are less complex or more complex , instead of the previous approach for setting requirements for smaller entities. The standard provides application materials that assist in implantation of the standard according to the circumstances of each facility.
11- The revised standard expanded the auditor's responsibilities to understand the system of internal controls, replacing the phrase "audit-related internal controls" with a broader interpretation, linking each component of the system of internal control to preparation of financial statements, rather than linking it auditing.
12- The standard expands on its requirements and application materials relating to the auditor's understanding of the system of internal control of an entity, including an explanation of the internal control which design and application must be evaluated. To facilitate understanding, a number of applied materials in the previous version of the standard have been reintroduced into requirements in the revised standard so as to understand each element of system of internal control in the form of a table.
13- The standard has developed requirements and applied materials for to address vulnerabilities discovered in the system of internal control, whether such vulnerabilities have a negative impact on the components of the system of internal control, and the impact of such vulnerabilities on the design of additional audit procedures in accordance with the requirements of ISA 330.
14.The standard set special requirements and application materials on the assessment of internal control risks if the auditor plans to test the operating effectiveness of controls.
15- The standard expands on its requirements and applied materials regarding the auditor's responsibility to assess whether audit evidence obtained provides an appropriate basis for the identification and assessment of the risks of material misstatement.
16- The newly updated standard required the auditor to understand how an entity uses information technology in its business, the risks associated with such use, and the system of internal control that addresses such risks.
17- The standard discussed the auditor's increased use of automation by auditors auditing, detailing in applied materials how such automation could be used.
18- The standard provided guidance to improve application of professional skepticism by identification of risks of material misstatement, it included:
· Highlighting the importance of applying professional skepticism.
· Establish a requirement to achieve a balance between efforts exerted by the auditor and in unbiased manner obtain persuasive or opposing evidence.
· The standard introduced a requirement that the auditor shall evaluate whether the audit evidence obtained from the risk assessment procedures provides an appropriate basis for the identification and assessment of the risks of material misstatement.
19- The standard discussed that the objective of the risk assessment procedures is to obtain audit evidence that provided an appropriate basis for identifying and assessing the risks of substantial distortion, and to design additional audit procedures in accordance with the requirements of Audit Standard 330.
20- The standard improved documentation in relation to assessment of internal control design and whether such tools are applied.
21- The standard has improved the attached applied materials by providing examples of areas that may be documented to assist the auditor in exercising professional skepticism.
22- The revised standard eliminated the requirements relating to considerations of significant risks; on the basis that the overall requirements of the revised standard include significant risks.
23- In general, the standard expanded on application materials, with 241 paragraphs in the revised standard in comparison to 147 paragraphs in the previous version of the standard, and provided multiple examples on the application of the standard requirements. Phrases such "for example" were stated more than 300 instances in the revised standard in comparison to just over 70 instances in the previous version of the standard.
24- The revised version included six appendices (as opposed to two appendices in the previous version of the standard) so as to clarify requirements and how they should be applied. Such appendices included:
· Considerations for Understanding the Entity and its Business Model
· Understanding Inherent Risk Factors (including content provided in the previous version of the standard which addressed risks of material misstatement)
· Understand the internal control system of the Enterprise (including content provided in the previous version of the standard which addressed control components).
· Considerations for Understanding an Entity’s Internal Audit Function (including material application provided in the previous version of the standard which addressed the same subject)
· Considerations for Understanding Information Technology (IT)
· Considerations for Understanding General IT Controls.
25 - The standard included following updates on relevant ISAs to ensure consistency with the revised terms contained therein, such standards are No. 200, 210, 230, 240, 250, 260, 265, 300, 330, 402, 501, 530, 540, 550, 600, 610, 620, 701, and 720.