1. This standard establishes requirements regarding the process of identifying and assessing risks of material misstatement1/ of the financial statements. Show
2. Paragraphs 4-58 of this standard discuss the auditor's responsibilities for performing risk assessment procedures.2/ Paragraphs 59–73 of this standard discuss identifying and assessing the risks of material misstatement using information obtained from performing risk assessment procedures. Objective3. The objective of the auditor is to identify and appropriately assess the risks of material misstatement, thereby providing a basis for designing and implementing responses to the risks of material misstatement. Performing Risk Assessment Procedures4. The auditor should perform risk assessment procedures that are sufficient to provide a reasonable basis for identifying and assessing the risks of material misstatement, whether due to error or fraud,3/ and designing further audit procedures.4/ 5. Risks of material misstatement can arise from a variety of sources, including external factors, such as conditions in the company's industry and environment, and company-specific factors, such as the nature of the company, its activities, and internal control over financial reporting. For example, external or company-specific factors can affect the judgments involved in determining accounting estimates or create pressures to manipulate the financial statements to achieve certain financial targets. Also, risks of material misstatement may relate to, e.g., personnel who lack the necessary financial reporting competencies, information systems that fail to accurately capture business transactions, or financial reporting processes that are not adequately aligned with the requirements in the applicable financial reporting framework. Thus, the audit procedures that are necessary to identify and appropriately assess the risks of material misstatement include consideration of both external factors and company-specific factors. This standard discusses the following risk assessment procedures:
6. In an integrated audit, the risks of material misstatement of the financial statements are the same for both the audit of internal control over financial reporting and the audit of financial statements. The auditor's risk assessment procedures should apply to both the audit of internal control over financial reporting and the audit of financial statements. Obtaining an Understanding of the Company and Its Environment7. The auditor should obtain an understanding of the company and its environment ("understanding of the company") to understand the events, conditions, and company activities that might reasonably be expected to have a significant effect on the risks of material misstatement. Obtaining an understanding of the company includes understanding:
8. In obtaining an understanding of the company, the auditor should evaluate whether significant changes in the company from prior periods, including changes in its internal control over financial reporting, affect the risks of material misstatement. Industry, Regulatory, and Other External Factors9. Obtaining an understanding of relevant industry, regulatory, and other external factors encompasses industry factors, including the competitive environment and technological developments; the regulatory environment, including the applicable financial reporting framework6/ and the legal and political environment;7/ and external factors, including general economic conditions. Nature of the Company10. Obtaining an understanding of the nature of the company includes understanding:
[Note deleted, effective for audits of fiscal years beginning on or after December 15, 2014. See PCAOB Release No. 2014-002. For audits of fiscal years beginning before December 15, 2014, click here.] 10A. To assist in obtaining information for identifying and assessing risks of material misstatement of the financial statements associated with a company's financial relationships and transactions with its executive officers (e.g., executive compensation, including perquisites, and any other arrangements), the auditor should perform procedures to obtain an understanding of the company's financial relationships and transactions with its executive officers. The procedures should be designed to identify risks of material misstatement and should include, but not be limited to (1) reading the employment and compensation contracts between the company and its executive officers and (2) reading the proxy statements and other relevant company filings with the Securities and Exchange Commission and other regulatory agencies that relate to the company's financial relationships and transactions with its executive officers. 11. As part of obtaining an understanding of the company as required by paragraph 7, the auditor should consider performing the following procedures and the extent to which the procedures should be performed:
Selection and Application of Accounting Principles, Including Related Disclosures12. As part of obtaining an understanding of the company's selection and application of accounting principles, including related disclosures, the auditor should evaluate whether the company's selection and application of accounting principles are appropriate for its business and consistent with the applicable financial reporting framework and accounting principles used in the relevant industry. Also, to identify and assess risks of material misstatement related to omitted, incomplete, or inaccurate disclosures, the auditor should develop expectations about the disclosures that are necessary for the company's financial statements to be presented fairly in conformity with the applicable financial reporting framework. 13. The following matters, if present, are relevant to the necessary understanding of the company's selection and application of accounting principles, including related disclosures:
Company Objectives, Strategies, and Related Business Risks14. The purpose of obtaining an understanding of the company's objectives, strategies, and related business risks is to identify business risks that could reasonably be expected to result in material misstatement of the financial statements.
15. The following are examples of situations in which business risks might result in material misstatement of the financial statements:
Company Performance Measures16. The purpose of obtaining an understanding of the company's performance measures is to identify performance measures, whether external or internal, that affect the risks of material misstatement. 17. The following are examples of performance measures that might affect the risks of material misstatement:
Obtaining an Understanding of Internal Control Over Financial Reporting18. The auditor should obtain a sufficient understanding of each component8/ of internal control over financial reporting ("understanding of internal control") to (a) identify the types of potential misstatements, (b) assess the factors that affect the risks of material misstatement, and (c) design further audit procedures. 19. The nature, timing, and extent of procedures that are necessary to obtain an understanding of internal control depend on the size and complexity of the company;9/ the auditor's existing knowledge of the company's internal control over financial reporting; the nature of the company's controls, including the company's use of IT; the nature and extent of changes in systems and operations; and the nature of the company's documentation of its internal control over financial reporting.
20. Obtaining an understanding of internal control includes evaluating the design of controls that are relevant to the audit and determining whether the controls have been implemented.
21. Internal control over financial reporting can be described as consisting of the following components:11/
22. Management might use an internal control framework with components that differ from the components identified in the preceding paragraph when establishing and maintaining the company's internal control over financial reporting. In evaluating the design of controls and determining whether they have been implemented in an audit of financial statements only, the auditor may use the framework used by management or another suitable, recognized framework. 12/ For integrated audits, Auditing Standard No. 5, states, "The auditor should use the same suitable, recognized control framework to perform his or her audit of internal control over financial reporting as management uses for its annual evaluation of the effectiveness of the company's internal control over financial reporting."13/ If the auditor uses a suitable, recognized internal control framework with components that differ from those listed in the preceding paragraph, the auditor should adapt the requirements in paragraphs 23–36 of this standard to conform to the components in the framework used. Control Environment23. The auditor should obtain an understanding of the company's control environment, including the policies and actions of management, the board, and the audit committee concerning the company's control environment. 24. Obtaining an understanding of the control environment includes assessing:
25. If the auditor identifies a control deficiency15/ in the company's control environment, the auditor should evaluate the extent to which this control deficiency is indicative of a fraud risk factor, as discussed in paragraphs 65-66 of this standard. The Company's Risk Assessment Process26. The auditor should obtain an understanding of management's process for:
27. Obtaining an understanding of the company's risk assessment process includes obtaining an understanding of the risks of material misstatement identified and assessed by management and the actions taken to address those risks. Information and Communication28. Information System Relevant to Financial Reporting. The auditor should obtain an understanding of the information system, including the related business processes, relevant to financial reporting, including:
29. The auditor also should obtain an understanding of how IT affects the company's flow of transactions. (See Appendix B.)
30. A company's business processes are the activities designed to:
31. Obtaining an understanding of the company's business processes assists the auditor in obtaining an understanding of how transactions are initiated, authorized, processed, and recorded. 32. A company's period-end financial reporting process, as referred to in paragraph 28.e., includes the following:
33. Communication. The auditor should obtain an understanding of how the company communicates financial reporting roles and responsibilities and significant matters relating to financial reporting to relevant company personnel and others, including:
Control Activities34. The auditor should obtain an understanding of control activities that is sufficient to assess the factors that affect the risks of material misstatement and to design further audit procedures, as described in paragraph 18 of this standard.18/ As the auditor obtains an understanding of the other components of internal control over financial reporting, he or she is also likely to obtain knowledge about some control activities. The auditor should use his or her knowledge about the presence or absence of control activities obtained from the understanding of the other components of internal control over financial reporting in determining the extent to which it is necessary to devote additional attention to obtaining an understanding of control activities to assess the factors that affect the risks of material misstatement and to design further audit procedures.
Monitoring of Controls35. The auditor should obtain an understanding of the major types of activities that the company uses to monitor the effectiveness of its internal control over financial reporting and how the company initiates corrective actions related to its controls.19/ 36. An understanding of the company's monitoring activities includes understanding the source of the information used in the monitoring activities. Performing Walkthroughs37. As discussed in paragraph 20, the auditor may perform walkthroughs as part of obtaining an understanding of internal control over financial reporting. For example, the auditor may perform walkthroughs in connection with understanding the flow of transactions in the information system relevant to financial reporting, evaluating the design of controls relevant to the audit, and determining whether those controls have been implemented. In performing a walkthrough, the auditor follows a transaction from origination through the company's processes, including information systems, until it is reflected in the company's financial records, using the same documents and IT that company personnel use. Walkthrough procedures usually include a combination of inquiry, observation, inspection of relevant documentation, and re-performance of controls.
38. In performing a walkthrough, at the points at which important processing procedures occur, the auditor questions the company's personnel about their understanding of what is required by the company's prescribed procedures and controls. These probing questions, combined with the other walkthrough procedures, allow the auditor to gain a sufficient understanding of the process and to be able to identify important points at which a necessary control is missing or not designed effectively. Additionally, probing questions that go beyond a narrow focus on the single transaction used as the basis for the walkthrough allow the auditor to gain an understanding of the different types of significant transactions handled by the process. Relationship of Understanding of Internal Control to Tests of Controls39. The objective of obtaining an understanding of internal control, as discussed in paragraph 18 of this standard, is different from testing controls for the purpose of assessing control risk21/ or for the purpose of expressing an opinion on internal control over financial reporting in the audit of internal control over financial reporting.22/ The auditor may obtain an understanding of internal control concurrently with performing tests of controls if he or she obtains sufficient appropriate evidence to achieve the objectives of both procedures. Also, the auditor should take into account the evidence obtained from understanding internal control when assessing control risk and, in the audit of internal control over financial reporting, forming an opinion about the effectiveness of internal control over financial reporting. 40. Relationship of Understanding of Internal Control to Evaluating Entity-Level Controls in an Audit of Internal Control Over Financial Reporting. Auditing Standard No. 5 states, "The auditor must test those entity-level controls that are important to the auditor's conclusion about whether the company has effective internal control over financial reporting."23/ The procedures performed to obtain an understanding of certain components of internal control in accordance with this standard, e.g., the control environment, the company's risk assessment process, information and communication, and monitoring of controls, might provide evidence that is relevant to the auditor's evaluation of entity-level controls.24/ The auditor should take into account the evidence obtained from understanding internal control when determining the nature, timing, and extent of procedures necessary to support the auditor's conclusions about the effectiveness of entity-level controls in the audit of internal control over financial reporting. Considering Information from the Client Acceptance and Retention Evaluation, Audit Planning Activities, Past Audits, and Other Engagements41. Client Acceptance and Retention and Audit Planning Activities. The auditor should evaluate whether information obtained from the client acceptance and retention evaluation process or audit planning activities is relevant to identifying risks of material misstatement. Risks of material misstatement identified during those activities should be assessed as discussed beginning in paragraph 59 of this standard. 42. Past Audits. In subsequent years, the auditor should incorporate knowledge obtained during past audits into the auditor's process for identifying risks of material misstatement, including when identifying significant ongoing matters that affect the risks of material misstatement or determining how changes in the company or its environment affect the risks of material misstatement, as discussed in paragraph 8 of this standard. 43. If the auditor plans to limit the nature, timing, or extent of his or her risk assessment procedures by relying on information from past audits, the auditor should evaluate whether the prior years' information remains relevant and reliable. 44. Other Engagements. When the auditor has performed a review of interim financial information in accordance with AU sec. 722, Interim Financial Information, the auditor should evaluate whether information obtained during the review is relevant to identifying risks of material misstatement in the year-end audit. 45. The auditor should obtain an understanding of the nature of the services that have been performed for the company by the auditor or affiliates of the firm25/ and should take into account relevant information obtained from those engagements in identifying risks of material misstatement.26/ Performing Analytical Procedures46. The auditor should perform analytical procedures that are designed to:
47. In applying analytical procedures as risk assessment procedures, the auditor should perform analytical procedures relating to revenue with the objective of identifying unusual or unexpected relationships involving revenue accounts that might indicate a material misstatement, including material misstatement due to fraud. Also, when the auditor has performed a review of interim financial information in accordance with AU sec. 722, he or she should take into account the analytical procedures applied in that review when designing and applying analytical procedures as risk assessment procedures. 48. When performing an analytical procedure, the auditor should use his or her understanding of the company to develop expectations about plausible relationships among the data to be used in the procedure.27/ When comparison of those expectations with relationships derived from recorded amounts yields unusual or unexpected results, the auditor should take into account those results in identifying the risks of material misstatement.
Conducting a Discussion among Engagement Team Members Regarding Risks of Material Misstatement49. The key engagement team members should discuss (1) the company's selection and application of accounting principles, including related disclosure requirements, and (2) the susceptibility of the company's financial statements to material misstatement due to error or fraud.
50. Key engagement team members include all engagement team members who have significant engagement responsibilities, including the engagement partner. The manner in which the discussion is conducted depends on the individuals involved and the circumstances of the engagement. For example, if the audit involves more than one location, there could be multiple discussions with team members in differing locations. The engagement partner or other key engagement team members should communicate the important matters from the discussion to engagement team members who are not involved in the discussion.
51. Communication among the engagement team members about significant matters affecting the risks of material misstatement should continue throughout the audit, including when conditions change.29/ Discussion of the Potential for Material Misstatement Due to Fraud52. The discussion among the key engagement team members about the potential for material misstatement due to fraud should occur with an attitude that includes a questioning mind, and the key engagement team members should set aside any prior beliefs they might have that management is honest and has integrity. The discussion among the key engagement team members should include:
53. The auditor should emphasize the following matters to all engagement team members:
Inquiring of the Audit Committee, Management, and Others within the Company about the Risks of Material Misstatement54. The auditor should inquire of the audit committee, or equivalent (or its chair), management, the internal audit function, and others within the company who might reasonably be expected to have information that is important to the identification and assessment of risks of material misstatement. Note: The auditor's inquiries about risks of material misstatement should include inquiries regarding fraud risks. 55. The auditor should use his or her knowledge of the company and its environment, as well as information from other risk assessment procedures, to determine the nature of the inquiries about risks of material misstatement. Inquiries Regarding Fraud Risks[The following paragraph is effective for audits of fiscal years beginning on or after December 15, 2014. See PCAOB Release No. 2014-002. For audits of fiscal years beginning before December 15, 2014, click here.] 56. The auditor's inquiries regarding fraud risks should include the following:
57. In addition to the inquiries outlined in the preceding paragraph, the auditor should inquire of others within the company about their views regarding fraud risks, including, in particular, whether they have knowledge of fraud, alleged fraud, or suspected fraud. The auditor should identify other individuals within the company to whom inquiries should be directed and determine the extent of such inquiries by considering whether others in the company might have additional knowledge about fraud, alleged fraud, or suspected fraud or might be able to corroborate fraud risks identified in discussions with management or the audit committee. Examples of other individuals within the company to whom inquiries might be directed include:
58. When evaluating management's responses to inquiries about fraud risks and determining when it is necessary to corroborate management's responses, the auditor should take into account the fact that management is often in the best position to commit fraud. Also, the auditor should obtain evidence to address inconsistencies in responses to the inquiries. Identifying and Assessing the Risks of Material Misstatement59. The auditor should identify and assess the risks of material misstatement at the financial statement level and the assertion level. In identifying and assessing risks of material misstatement, the auditor should:
Identifying Significant Accounts and Disclosures and Their Relevant Assertions60. To identify significant accounts and disclosures and their relevant assertions in accordance with paragraph 59.e., the auditor should evaluate the qualitative and quantitative risk factors related to the financial statement line items and disclosures. Risk factors relevant to the identification of significant accounts and disclosures and their relevant assertions include:
61. As part of identifying significant accounts and disclosures and their relevant assertions, the auditor also should determine the likely sources of potential misstatements that would cause the financial statements to be materially misstated. The auditor might determine the likely sources of potential misstatements by asking himself or herself "what could go wrong?" within a given significant account or disclosure. 62. The risk factors that the auditor should evaluate in the identification of significant accounts and disclosures and their relevant assertions are the same in the audit of internal control over financial reporting as in the audit of the financial statements; accordingly, significant accounts and disclosures and their relevant assertions are the same for both audits.
63. The components of a potential significant account or disclosure might be subject to significantly differing risks. 64. When a company has multiple locations or business units, the auditor should identify significant accounts and disclosures and their relevant assertions based on the consolidated financial statements. Factors Relevant to Identifying Fraud Risks65. The auditor should evaluate whether the information gathered from the risk assessment procedures indicates that one or more fraud risk factors are present and should be taken into account in identifying and assessing fraud risks. Fraud risk factors are events or conditions that indicate (1) an incentive or pressure to perpetrate fraud, (2) an opportunity to carry out the fraud, or (3) an attitude or rationalization that justifies the fraudulent action. Fraud risk factors do not necessarily indicate the existence of fraud; however, they often are present in circumstances in which fraud exists. Examples of fraud risk factors related to fraudulent financial reporting and misappropriation of assets are listed in AU sec. 316.85. These illustrative risk factors are classified based on the three conditions discussed in this paragraph, which generally are present when fraud exists.
66. All three conditions discussed in the preceding paragraph are not required to be observed or evident to conclude that a fraud risk exists. The auditor might conclude that a fraud risk exists even when only one of these three conditions is present. 67. Consideration of the Risk of Omitted, Incomplete, or Inaccurate Disclosures. The auditor's evaluation of fraud risk factors in accordance with paragraph 65 should include evaluation of how fraud could be perpetrated or concealed by presenting incomplete or inaccurate disclosures or by omitting disclosures that are necessary for the financial statements to be presented fairly in conformity with the applicable financial reporting framework. 68. Presumption of Fraud Risk Involving Improper Revenue Recognition. The auditor should presume that there is a fraud risk involving improper revenue recognition and evaluate which types of revenue, revenue transactions, or assertions may give rise to such risks. 69. Consideration of the Risk of Management Override of Controls. The auditor's identification of fraud risks should include the risk of management override of controls.
Factors Relevant to Identifying Significant Risks70. To determine whether an identified and assessed risk is a significant risk, the auditor should evaluate whether the risk requires special audit consideration because of the nature of the risk or the likelihood and potential magnitude of misstatement related to the risk.
71. Factors that should be evaluated in determining which risks are significant risks include:
[The following subparagraph g. is effective for audits of fiscal years beginning on or after December 15, 2014. See PCAOB Release No. 2014-002. For audits of fiscal years beginning before December 15, 2014, click here.] Further Consideration of Controls72. When the auditor has determined that a significant risk, including a fraud risk, exists, the auditor should evaluate the design of the company's controls that are intended to address fraud risks and other significant risks and determine whether those controls have been implemented, if the auditor has not already done so when obtaining an understanding of internal control, as described in paragraphs 18-40 of this standard.36/ 73. Controls that address fraud risks include (a) specific controls designed to mitigate specific risks of fraud, e.g., controls to address risks of intentional misstatement of specific accounts and (b) controls designed to prevent, deter, and detect fraud, e.g., controls to promote a culture of honesty and ethical behavior.37/ Such controls also include those that address the risk of management override of other controls. 73A. The auditor should obtain an understanding of the controls that management has established to identify, authorize and approve, and account for and disclose significant unusual transactions in the financial statements, if the auditor has not already done so when obtaining an understanding of internal control, as described in paragraphs 18–40 and 72–73 of this standard. Revision of Risk Assessment74. The auditor's assessment of the risks of material misstatement, including fraud risks, should continue throughout the audit. When the auditor obtains audit evidence during the course of the audit that contradicts the audit evidence on which the auditor originally based his or her risk assessment, the auditor should revise the risk assessment and modify planned audit procedures or perform additional procedures in response to the revised risk assessments. 38/ |