AU-C 315 Exposure Draft Issued by AICPA

By Charles Hall | Accounting and Auditing

Feb 16

The AICPA issued its AU-C 315 exposure draft in August 2020. AU-C 315, Understanding the Entity and its Environment and Assessing the Risks of Material Misstatements, has been with us several years. Now the AICPA is updating it. 

Conceptually the exposure draft is not that different from the extant standard, but the details introduce some interesting changes. The proposed standard, if adopted, will have a significant impact on future audits. 

AU-C 315

Risk Assessment: The Early Years

Risk assessment provides the foundation for planning an audit. So it's critical that an auditor understand the entity and its environment, including controls, prior to assessing the risk of material misstatement. 

The Auditing Standards Board (ASB) issued its original risk assessment standards in 2006 with SAS 109 being a part of that suite. Since that time auditors have done a much better job of understanding the entities they audit prior to planning. Even so, auditors continue to struggle with understanding internal controls. Additionally, some find it difficult to use that information in risk assessment and planning. 

Risk Assessment Confusion

Since the issuance of SAS 109, auditors have asked questions such as:

  • Why do I need to understand the system of internal controls if I am using a substantive approach?
  • What risk assessment procedures are required?
  • When are controls relevant to my audit (in other words, what controls should I pay attention to)?
  • How do I assess the risk of material misstatement?
  • Why is risk assessment not more scalable?
  • When is an account balance, transaction cycle, or disclosure significant (in other words, what accounts balances, transaction cycles, and disclosures should I pay attention to)?
  • What makes an assertion inherently risky?
  • What is a significant risk?

These questions (and related misunderstandings) manifested themselves in peer reviews. 

Peer Review Information

Firms are receiving peer review feedback saying there is a lack of documented understandings of the entity and its controls. Moreover, peer reviewers have found that auditors are, in some cases, not using the information--even when control understandings are documented--as a basis for risk assessment or planning. 

So, the AICPA is, in this update, trying to lend a helping hand. 

Exposure Draft Goals

The ASB is addressing the following with this exposure draft:

  1. The auditor's work to understand an entity's system of internal control
  2. Modernize the standard, particularly in regard to IT
  3. Assist the auditor in determining risks of material misstatements, including significant risks

Risk Assessment Upgrade

This ASB has received feedback from practitioners and firms since the exposure draft was issued. 

One of the things I see in the draft proposal is clarification regarding what's important in an audit (and how certain elements are defined), such as:

  • The reporting framework
  • Relevant assertions
  • Significant account balances, transaction cycles, disclosures
  • Significant risks

As I was reading the draft proposal, I kept thinking, this makes sense. I think you will too. 

Effective Date

The effective date, if the standard is issued, is for periods ending on or after December 15, 2023. 


About the Author

Charles Hall is a practicing CPA and Certified Fraud Examiner. For the last thirty years, he has primarily audited governments, nonprofits, and small businesses. He is the author of The Little Book of Local Government Fraud Prevention and Preparation of Financial Statements & Compilation Engagements. He frequently speaks at continuing education events. Charles is the quality control partner for McNair, McLemore, Middlebrooks & Co. where he provides daily audit and accounting assistance to over 65 CPAs. In addition, he consults with other CPA firms, assisting them with auditing and accounting issues.